Please note: EditShare engineers use two-factor authentication when using SimpleHelp.
Network ports and routing requirements for the SimpleHelp server
By default the SimpleHelp server will attach to ports 80 and 443 if they are available. If these ports are in use, the SimpleHelp server will attempt to use a number of different ports instead. The port chosen during setup depends on which ports are available on your server. You can check and change the ports used by your SimpleHelp server in the Admin tab of the technician client.
SimpleHelp can be configured to run on any free port. The server on which SimpleHelp is installed and any relevant routers will need to open inbound TCP and UDP connections on all server ports. Forwarding HTTP access or using another web server as a reverse proxy will not be sufficient.
If you are already running a web server on the same machine as your SimpleHelp server, then it is likely that ports 443 and 80 are taken by the web server. In this case you can configure SimpleHelp to use an alternative port; however, there are advantages to running SimpleHelp on port 80 or 443, since these ports are often open on proxies your customers might be connecting through.
Basic Security Overview
All sessions and remote machine interactions in SimpleHelp are securely encrypted.
Your server uses high-end, industry-standard encryption algorithms to protect your data, whether you are in a session transferring screen updates and files or just accessing a remote machine's files and CPU usage charts via the Access tab.
The primary algorithms used are 4096-bit RSA and 256-bit AES. These are widely regarded as more than sufficient to protect data.
In-Depth Security Explanation
SimpleHelp converges on one mechanism to secure data transferred between technicians and customers or technicians and remote access services. In doing this we focus on one secure implementation that is then used across multiple apps and multiple forms of encapsulation.
SimpleHelp implements a protocol closely based on DTLS using AES-256, RSA-4096, and a combined 256-bit SHA-512/SHA3 (Keccak) authentication hash. Since SimpleHelp always retains control over both ends of the connection (app + server) it does not negotiate these algorithms and thus all sessions and established communications between a remote access service and your server will always use AES-256 and RSA-4096.
Whether you are connected in a session using HTTP, TCP or UDP as an underlying transport or accessing a remote machine's stats or filesystem, all communications are encrypted using this protocol and these mechanisms.
Although SimpleHelp does support and can use SSL, SimpleHelp does not rely on SSL connections to provide security except in the case of browser sessions such as the mobile client (/mobile page on your server) and secure presentations being viewed in a browser. SSL can be configured to be used in a session, but this is not necessary for the data transferred to be encrypted, and in practice SimpleHelp will be performing a higher level of encryption than the underlying SSL connection. Instead SimpleHelp will always use its DTLS-based protocol with its own encryption algorithms (RSA-4096 / AES-256) and will treat the base level connection purely as a transport, much in the same way that SSL will treat TCP/IP as a transport.
As such, even when connected to the remote machine over SSL, SimpleHelp will still encrypt all information transferred with its standard high security algorithms and will not simply rely on SSL to provide a secure layer. This approach allows SimpleHelp to establish connections via a variety of mechanisms, including plain HTTP, TCP, SSL and UDP, while retaining high security across all of them.
Established connections therefore may appear to use plain HTTP or TCP but this is a result of encapsulating the secure DTLS implementation on top of these.
SimpleHelp Security - Server ID and Authenticity
When you first install your SimpleHelp server it will generate a unique ID. This ID is used by our applications to verify the server's authenticity. If the ID changes then it is possible that a malicious attacker has taken control of the SimpleHelp server address. For security reasons, SimpleHelp applications will not communicate with a SimpleHelp server that has an ID that differs from the expected one.
Your SimpleHelp Server ID
The server ID is stored in the following location in your SimpleHelp installation folder:
configuration/serverkeys.dat
You can see the ID that your server is advertising by querying the /publickeys page of your SimpleHelp server.
NOTE: As of SimpleHelp v4.4 the server will automatically reload any changes to the server ID file. In earlier versions of SimpleHelp make sure to restart SimpleHelp in order for it to update its ID.
The 'Unable to Verify Server Authenticity' Error
If the server ID changes the technician console will show the following error message:
Remote access services that are registering with a SimpleHelp server will fail to upload new information about the machine, and will also not allow remote access sessions to the machine. Typically, remote access services that do not trust the SimpleHelp server will be listed using their service ID (of the form SG_XXX). Additionally, when selected, SimpleHelp will display a warning with information about why the services are not showing their assigned name.
For more information on remote access services and server ID authenticity see this guide.
Restoring your Server ID
To restore your server ID from a previous installation, or from a backup, simply copy the serverkeys.dat file from the original server's configuration folder to the new server's configuration folder. Restart SimpleHelp in order for it to use the newly provided server ID.
If you do not have a server ID backup then you will need to manually update each of the SimpleHelp applications in order for them to trust the SimpleHelp server with a new ID:
- Technician Console: The technician console will need to be uninstalled, and then installed from a new download from the SimpleHelp server.
- Remote Access Service: To instruct a service to trust a SimpleHelp server, remove the server's URL from the remote access service configuration UI, save the configuration, and then add it back again. Finally, save the configuration, and the service should register with the SimpleHelp server.
- Remote Support: Your customers will need to download a new remote support application binary from your SimpleHelp server.
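Because a changed server ID forces every application to be re-trusted, it is worth recording a digest of configuration/serverkeys.dat and checking both the live file and any backup against it before a restore. The script below is an added example, not SimpleHelp or EditShare code; the baseline file, the function names and the sample bytes are hypothetical, and the key file is treated as opaque bytes because its format is not described here.

```python
import hashlib
import tempfile
from pathlib import Path

# Relative path from the article; all other names here are hypothetical.
KEY_FILE = Path("configuration") / "serverkeys.dat"

def fingerprint(path):
    """SHA-256 over the raw bytes; the file's internal format is not parsed."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def record_baseline(install_dir, baseline_path):
    """Save the digest of the server ID file that clients currently trust."""
    digest = fingerprint(Path(install_dir) / KEY_FILE)
    Path(baseline_path).write_text(digest + "\n")
    return digest

def check_server_id(install_dir, baseline_path):
    """Return 'unchanged', 'changed' or 'missing' for the installed file."""
    key_file = Path(install_dir) / KEY_FILE
    if not key_file.is_file():
        return "missing"
    expected = Path(baseline_path).read_text().strip()
    return "unchanged" if fingerprint(key_file) == expected else "changed"

def backup_matches(backup_file, baseline_path):
    """True if a backup copy carries the ID recorded in the baseline."""
    return fingerprint(backup_file) == Path(baseline_path).read_text().strip()

def demo():
    """Constructed run: record baseline, ID regenerated, restore from backup."""
    with tempfile.TemporaryDirectory() as tmp:
        install, baseline = Path(tmp) / "SimpleHelp", Path(tmp) / "baseline.txt"
        key_file, backup = install / KEY_FILE, Path(tmp) / "serverkeys.bak"
        key_file.parent.mkdir(parents=True)
        key_file.write_bytes(b"constructed-server-id-A")  # not a real key file
        backup.write_bytes(key_file.read_bytes())
        record_baseline(install, baseline)
        states = [check_server_id(install, baseline)]
        key_file.write_bytes(b"constructed-server-id-B")  # e.g. fresh install
        states.append(check_server_id(install, baseline))
        if backup_matches(backup, baseline):
            key_file.write_bytes(backup.read_bytes())  # the restore step
        states.append(check_server_id(install, baseline))
        return states

if __name__ == "__main__":
    print(demo())
```

A "changed" result on a server nobody reinstalled deserves investigation before any application is told to trust the new ID. Keep the baseline file off the SimpleHelp host so it cannot be rewritten together with the key file.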