Before installing agents, check your access credentials in the user portal. You can enter your username and password at: https://switch.ehorus.com

You can download Windows and agents from the official eHorus website: http://ehorus.com/agent-download

© 2017 Artica Soluciones Tecnológicas S.L 21th April 2017, version 11 http://ehorus.com

SECURITY ON EHORUS
INSTALLING EHORUS ON WINDOWS
  Optional: Installing the Mirror driver
  Unattended install on Windows
  Updating the Windows agent
INSTALLING EHORUS ON MAC OS
  Uninstalling eHorus on Mac OS
INSTALLING EHORUS MANUALLY ON MAC OS
INSTALLING EHORUS ON LINUX (CENTOS/RHEL)
INSTALLING EHORUS ON LINUX (UBUNTU 16.X)
INSTALLING EHORUS ON LINUX (TARBALL)
EHORUS INTERFACE AND BASIC USE
SHARING A SESSION WITH A THIRD PARTY
ADVANCED CONFIGURATIONS
  Agent password
  Session Timeout
  Agent connectivity settings
  Sending information on the remote system
  Use of proxies
  Local connection against the agent
  Configuring file transfers
  Registry files
  Agent re-provisioning
  Activate/deactivate delete file
  Hide application icon
  Desktop pop-up alerts and access requests
  Dual screen

How does eHorus work?

eHorus is a device management system (meant for Windows, Linux and Mac OS) that allows users to access their devices, wherever they may be, using only a web browser, even if the browser doesn't have a direct connection to those devices.

Before being able to remotely access a device, you’ll first need to install the agent and provision it on eHorus’ main server. To be able to provision an agent and make it accessible, you’ll need to have a valid eHorus user account. Once the agent is paired with a user, when booted, it’ll perform the provisioning and it’ll keep running, ready to be accessed from the outside.

Once provisioned, the agent will be shown in the user portal, along with its EKID (eHorus Key ID). It’s a unique ID on the system that is meant to single out your device, since the system can have agents with the same hostname, and even the same IP address. Use this identifier to collaborate with other users that want to access that same device, or for your internal inventory systems.

For stronger security, each agent, when configured, can have an individual password that isn’t stored on the main eHorus servers. Instead, each time the user needs to access a specific device (agent) he or she will have to authenticate interactively (with username and password). This password is specified during the installation, or it can be configured afterwards.

The agent will then connect to an Internet server. If the agent cannot connect directly to the Internet, and needs a proxy, users will be able to configure it afterward (see the advanced configuration section).

Security on eHorus

eHorus is a tool meant for system administrators. This implies that it’s a very powerful tool that allows you to access any of your registered devices with administration privileges. The basic security mechanism is access to the portal: once the portal is accessed, the user can access all devices under his or her control. Once the password is configured, it’s stored as a hash, which means it’s very hard to recover the original password, even with physical access to the file.

For additional security, you should consider establishing an individual password for each agent. This password will not be stored in any centralized location, and the communication will be encrypted from your end (customer) to the agent, which means no one can intercept it. It’s the safest way to avoid third parties accessing your systems.

All the traffic between you and your devices, or between you and the portal, is encrypted using standard SSL.

The agent connects to the eHorus server using port 1080/tcp. If you happen to have a very restrictive outgoing connection policy, add this port to the registered outgoing connections. You can also use an HTTP proxy in order to set outgoing connections.

Apart from conventional security measures, such as the portal entry password and the agent access password, you can use two-factor authentication (based on Google Auth): you install an app (Android and iOS) on your mobile device, and a code is requested every time you wish to access the portal.

Installing eHorus on Windows

Download the Windows agent (32 or 64 bit) from our webpage:

http://ehorus.com/agent-download/

You’ll need to provide administrator permissions in order to install the eHorus agent. Once downloaded, run the installer. This agent has been tested on all available versions of Windows (from Windows XP to Windows 10). Since the installer is unsigned, you may get an installation warning. It’s normal, ignore it and proceed with the installation.

Accept the prompted dialogue box and proceed with the installation. The installer is available in several languages. As of now you may choose to install in English or Spanish, although new languages will be included in the near future.

On this screen you’ll need to enter the username that you have on the eHorus platform (in the screenshot it says ‘User’, but you’ll need to replace this with your own user) so that the agent can provision and be used correctly.

Optionally, you can enter a group (only if the group has already been created; if not, leave it blank, as it can be set up later).

More importantly, you can set an agent password for this installation. This password can be added or modified afterwards. To establish a password at this point, enter it in the text box at the end of the page.

The installation is almost complete. You’ll be asked if you’d like to start up the eHorus agent on that device and add an icon to the desktop. If you’ve correctly configured the agent (by inserting the provisioning user) and the agent has an Internet connection, you can now boot and begin to use eHorus.

When launching the agent for the first time, it’ll take a few seconds to load. Internally the agent will launch some command line windows (black screens) which will close by themselves in a matter of seconds. When this is over, you can see it on the installer itself.

You should be able to see the eHorus status icon in the Windows notification area:

The green icon means that the agent is running and is provisioned. If it's red it means that it could not be provisioned. Right click on the icon to view some options:

You will only be able to stop/reset eHorus subcomponents if you’ve launched the eHorus manager (Ehorus Agent Menu) with Administrator privileges. A user without these privileges will NOT be able to stop eHorus or change its configuration. If “show EKID” is pressed, you’ll be able to see the EKID corresponding to that device. The EKID is a unique number for each host managed by eHorus.

This device, already provisioned and connected, should now be visible on your eHorus portal, ready to be externally managed.

The eHorus agent has been installed as a service. This means that the device, even if rebooted, will start eHorus’ services again and will remain available.

Optional: Installing the Mirror driver

The mirror driver is a third party software application that can be installed on the host to accelerate data viewing. It improves performance by approximately 25%.

It isn’t installed with eHorus by default because it is a third party tool, although its use is free and open. To use it, you only need to install it and reset the device. You can download it here: http://www.demoforge.com/dfmirage.htm

This driver is compatible with the following versions of Windows:

• Windows 2008 R2
• Windows 7
• Windows 2008
• Windows Vista
• Windows 2003
• Windows XP
• Other untested versions (Windows 10): http://www.driverscape.com/download/vnc-mirror-driver

Unattended install on Windows

You need to execute the installer as administrator from the command line:

ehorus_installer.exe /S --user --password --eh_key /D=''

Where:

• user: Mandatory. The provisioning user. If it’s not provided, the agent will not start.
• password: Optional. Local password protecting access to the agent.
• eh_key: If empty, the provisioning system assigns one automatically during provisioning. You can provide one manually if you have an alternative provisioning system.
• path: Full pathname where you want to install the eHorus agent. By default it is placed in ':/Program Files/ehorus_agent'.

Updating the Windows agent

Just like on the other platforms (Mac OS/Linux), the Windows agent can be updated centrally from the web console, but if you wish to update it manually, you can do so with the same installation package. The system will detect that you’re updating the software and won’t overwrite configuration files, automatically updating only the code.

Unattended install on Windows (.MSI)

There are various optional parameters, e.g.

msiexec /i ehorus_agent_installer.msi EHUSER="userXXX" EHKEY="`d877cb3c-82de-4b27-8dbf-1761f3345e7c`" EHPASSWORD="5555" DIRECTORY="C:\path\to\install"

Where:

• EHUSER: eHorus user
• EHKEY: unique key
• EHPASSWORD: agent password
• DIRECTORY: the directory where the agent will be installed (by default: C:\Program Files\ehorus_agent)

Remember:

Hyphens and dashes are special characters reserved for MSI installers, and must be escaped. In the example EHKEY they are escaped, because in order to run the string literally it is necessary to include double quotation marks.

DIRECTORY should not include single quotation marks except the ones already there. The spaces should only be respected in regards to double quotation marks, which are always necessary.

Update Windows agent

As with other platforms (Linux, Mac) the Windows agent can be updated centrally from the WEB console. If you wish to update it manually it can be done with the installation package. The system detects the software update and won't overwrite the configuration files, automatically updating only the code.

Using agents in stand-alone mode in Windows

Windows supports a mode that does not require you to install any software in order to control the Windows system in question. Using stand-alone mode you can control the client's machine by simply following these steps:

1. Download the stand-alone agent for Windows (32 or 64) at ehorus.com. It is a .ZIP file containing an executable and a directory.

2. Execute the "eHorus Standalone".

3. Introduce the "username" of the user who has access to eHorus and is going to connect to your computer (you).

The program won't be installed, only executed. It generates an individual EKID (an ID for each execution) and a randomly generated password. These two values (ID and password) give you access to your computer:

Click on "Disconnect" when you finish: the agent will stop and no one else can connect. The agent is not installed on the system, so its files can simply be deleted. No data will be saved.

Installing eHorus on Mac OS

Support for eHorus is native on OSX 10.8 or higher. It hasn’t been tested on prior versions but it should work on 10.7 as well. This installer has a complete framework, and once the process is over, it’ll be registered and your device will continue to run (no restart needed).

This version doesn’t yet include the small program that shows the agent’s status (connection status, password changes, etc.), although future versions will have something very similar to what Windows has.

Download the installer for Mac OS in DMG format and follow the steps shown in the following screenshots:

Double click on the “ehorus_agent.pkg” icon

You now have the agent installed (and presumably running) on your Mac OS system.

Uninstalling eHorus on Mac OS:

Simply head over to your “Applications” folder and run the eHorus uninstaller which has the following icon:

Installing eHorus manually on Mac OS

Download the latest agent package (.tgz) from: http://ehorus.com/agent-download/

Open a Mac terminal and run the following command:

sudo -s

Supposing that you’ve downloaded the Mac agent into the “Downloads” directory on your computer, run the following commands:

cd /Users//Downloads
tar xvzf ehorus_agent_installer-darwin-0.6.xxxxx.tgz
cd ehorus_agent
./ehorus_agent_installer --install

Edit the /etc/ehorus/ehorus.conf file and replace the “eh_user” token with your eHorus user.

To start the service, run:

launchctl load -w com.ehorus.ehorus_agent.plist

To restart the service, or run it again if it’s already installed, run:

launchctl start com.ehorus.ehorus_agent

Installing eHorus on Linux (Centos/RHEL)

You’ll have various RPM packages depending on the version of RHEL/CentOS (6.x or 7.x) and its architecture (32 or 64 bit). The installation on any version/architecture is similar. Run the following command with administrator privileges:

yum install ehorus_agent_redhat-centosX-xXXX.rpm

Because the remote desktop feature is optional, you’ll have to manually install some dependencies if you want to use it. If you already have a desktop environment, these dependencies may already be satisfied. If it doesn’t work for you, try installing them, restart the eHorus agent and verify that it works. Run the following commands to install the necessary dependencies:

Centos 6.x

yum install tigervnc-server gnome-core
yum groupinstall Desktop

Remember to manually configure the provision user on the file /etc/ehorus/ehorus_agent.conf and restart the service:

/etc/init.d/ehorus_agent_daemon start

Centos 7.x

yum install tigervnc-server gnome-core gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts metacity

Remember to manually configure the provision user on the file /etc/ehorus/ehorus_agent.conf and restart the service:

systemctl start ehorus_agent_daemon

Installing eHorus on Linux (Ubuntu 16.x)

You’ll have various DEB packages depending on your architecture (32 or 64 bit). Installing on any (later) version or architecture is similar. Run the following command with administrator privileges:

dpkg -i ehorus_agent_installer-x64-0.7.2.deb

Because the remote desktop feature is optional, you’ll have to manually install a series of dependencies if you wish to have it available. If you already have a desktop environment, these dependencies may already be satisfied. If at first it doesn’t work, install them, restart the eHorus agent and try again. Run the following command to install all necessary dependencies:

apt-get install vnc4server gnome-core gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal

Remember to manually configure the provision user on the file /etc/ehorus/ehorus_agent.conf and restart the service:

/etc/init.d/ehorus_agent_daemon start

Installing eHorus on Linux (TARBALL)

Download the latest agent package from: http://ehorus.com/agent-download/

In order to know your processor’s architecture, run the following command:

uname -m

If it shows x86_64 it is 64 bit, otherwise it’s 32 bit.

Copy the tarball file to a temporary directory. Switch to root mode (using the su or sudo commands):

sudo -s

Or su -

Then, in the same directory where the tarball containing the eHorus agent (*.tgz) has been stored, run:

tar xvzf ehorus_agent_installer-centos7-x64-0.6.1-160311.tgz
cd ehorus_agent
./ehorus_agent_installer --install

Edit the file /etc/ehorus/ehorus.conf and replace the token "eh_user" with an eHorus username.

To launch the service, run:

On CentOS: service ehorus_agent_daemon start

In other linux distributions:

/etc/init.d/ehorus_agent_daemon start

Ehorus interface and basic use

To use eHorus as a client the minimum prerequisites are a modern browser (Internet Explorer 10, Chrome 8, Firefox 28, Safari 6) and a computer with 1GB of RAM minimum and a 256kbit minimum internet connection.

Type switch.ehorus.com in the URL bar

Click Yes!

Introduce your username and password to log in. A list of machines where agents have been installed and connected to the platform will appear. If none are shown in the list it means none have been provisioned or there has been a problem provisioning them. You can't connect to a machine until it appears in the list.

Once the systems are connected you’ll see that agents can have different statuses, shown with colors:

Green. Everything is OK. The agent is accessible.

Red. Agent is down or inaccessible, and has been like this for some time.

Yellow. The agent doesn’t respond, but was ok not too long ago. Unreliable.

Active red. The device is being used at the time and we cannot connect until it’s free.

You’ll only be able to connect to those agents that are active and in green. When you do, a screen like the following is shown:

To use the remote screen, click on “Display” and then on the button that connects the display:

Once connected, you can find a floating button bar on the top part of the remote display.

These options allow you to minimize the button bar, take a screenshot, access the remote clipboard and copy/paste remotely, send a key combination (CTRL-ALT-DEL, and others) or activate the full screen mode.

Sharing a session with a third party

One of the most relevant features on eHorus is the possibility to temporarily share access to a device with another person and without the need to share any credentials, only a URL.

Once connected to an agent you can, from the “share” option, create a temporary link to a device in order to share this with a third party. This person only has to use this link on their browser and it’ll give them complete access to that device. If the device has a local password, it won’t be used for the shared connection. Once the session times out, the link will be rendered useless.

Remember that there can only be a single active session running simultaneously per device, so, after generating the URL you’ll need to disconnect from the device so the person who receives the URL can connect.

Advanced Configurations

Any configuration change in the agent requires restarting the agent to take effect.

On Linux

/etc/init.d/ehorus_agent_daemon

On Windows

Control panel->Services->eHorus Agent-> restart

On Mac

launchctl start com.ehorus.ehorus_agent

The eHorus configuration file can be found under the following directory:

Linux

/etc/ehorus/ehorus_agent.conf

Mac

/usr/local/ehorus_agent/ehorus_agent.conf

Windows

C:\Program Files\ehorus_agent\ehorus_agent.conf

In order to modify this file you’ll need administrator privileges (root on Linux); on Windows, run a Shell/Notepad/Explorer as an administrator (right click -> Run as administrator).

Agent password

Optionally you can specify an agent connection password, which can differ for each device. This password is specified in clear text in the agent’s configuration file, with the following configuration token:

password xxxx

Once the agent is restarted, the password is hashed and obfuscated so that it’s not visible in plain sight, being replaced by a string like the one below:

password [[db6f086273f8c93e57808dafef45eae6ae67ae639eb34b6a6]]

This behavior is normal and similar for other configuration tokens that can include sensitive information (user and password for proxy access, etc.).

Session Timeout

The eHorus WEB client will stay connected to the agent as long as the browser session remains open and connection is available. If you leave the session open and forget it (in a tab), the session connecting to that device will be blocked until it’s closed. In order to avoid this, the agent has an automatic idle disconnect action which is set to 5 minutes by default (after 5 minutes of being idle, the session will disconnect). This action can be changed by modifying the following configuration token:

session timeout 300

Agent connectivity settings

The design goal for eHorus is for the agent to be accessible, wherever it may be, even in complex network topologies with faulty connections. For this there are some configuration tokens that regulate how the agent connects to the server. The agent periodically performs a test to see that the connection is still alive (even if it appears to be connected). This is known as keep alive. The timespan in seconds for how often this is performed can be modified if you believe it’ll improve the behavior of your agent in case of power outages, Internet drops, IP changes, etc.

ping_interval 300

Furthermore, you can modify the general network timeout, to raise or lower it according to your specific needs. The default setting is 5 seconds.

timeout 5

Lastly, there are two advanced parameters that regulate the maximum payload size and the maximum block size. We do not recommend modifying them unless you know exactly what you’re doing. Both are specified in bytes.

max_payload_size 131072
block_size 16384

Sending information on the remote system

By default, the eHorus agent sends a small summary of the device on which it’s installed (HDD, RAM, CPU, OS version, etc.). If you do not wish to send this information for security reasons, it can be disabled with the following configuration token:

disable_info 1

Use of proxies

The eHorus agent can connect to an eHorus server on the Internet by reaching out to port 18080. If it cannot connect there, you can optionally tell the agent to try to connect through a proxy. To do this, edit the agent configuration file (in administrator mode) and use the following configuration tokens, specifying the IP and port of the HTTP proxy the agent is meant to use. The proxy must support the CONNECT method.

proxy_address 127.0.0.1
proxy_port 3186

Local connection against the agent

There is an optional mode in which the agent listens on a local port/IP and accepts incoming connections directly from the eHorus client. Even though the connection is local, the eHorus agent will always contact the eHorus server online to validate the client connection (user/password) and grant access, in addition to the local agent authentication if there is one.

For this we must enable at least the following token on the agent configuration file:

eh_local_port 41118

The agent will try to find out which is the most appropriate IP to listen on. This will be the one “published” on the portal for the client to connect to. Generally this will be the IP to which the server connects. If it is detected incorrectly, or if you would rather set it manually, the following configuration token can be used:

eh_local_address 192.168.50.2

Bear in mind that when using this connection mode, a significant upgrade in speed can be noticed on the remote desktop and file transfer processes. On the other hand this will require the communication between the client and the remote client to be cleared of obstacles such as corporate or local firewalls. In the case of Windows or Linux systems, generally nowadays there are personal firewalls that prevent incoming external connections. We must disable these.

When an agent has the local connection mode enabled, we can access the device directly, using a modification of the interface that allows choosing between a remote or a direct connection:

Due to safety restrictions on the Web Socket protocol, in order to perform a local connection, it must be done exclusively from a Chrome, Firefox or Microsoft Edge browser. This connection mode won’t offer support for either Safari or Internet Explorer.

SSL certificate connection

In order for the local connection to be safe and reliable, it’s possible to give the agent a valid SSL certificate file (from a CA that’s recognized by the browser we’ll be using). This has to be manually set up using the following configuration tokens:

eh_local_cert /full_path/to_public_ssl_cert
eh_local_key /full_path/to_private_ssl_key

Files must be in PEM format (OpenSSL)

Connecting without SSL certificates: Chrome

Right click and a dialogue will be prompted, where we will be informed that we’re trying to load unauthorized sequences. Click on “Load unsafe command sequences”.

Connecting without SSL certificates: Firefox

For Firefox you’ll need to modify the browser settings. In a new tab write: ‘about:config’. You’ll be prompted with a warning that this configuration is meant for advanced users. Click on “I’ll be careful, I promise!”

Search for the token named network.websocket.allowInsecureFromHTTPS. Right click and select Modify to change the value to true.

This change is permanent. There's no need to change the configuration in later browser sessions.

Configuring file transfers

The agent allows specifying a directory from which files can be up/downloaded. This base directory is specified on the configuration file using the following configuration token:

storage_dir /home/ehorus

On Windows, if you wish to access all system drives, you can set this parameter to the ‘/’ value.

Registry files

The agent can optionally store information on its status, incoming connections, issues, etc. in a text log file. To do this, activate the configuration token that specifies the log file:

log_file 'C:\ProgramData\ehorus_agent\ehorus_agent.log'

You can also modify how much information to dump onto said log file with the following configuration token:

verbose x

Where X can be a numeric value from 0-9. A value of 0 is minimum information, and 9 is the maximum amount of information. The agent doesn’t control the size of the log, which means that if it’s configured to log the maximum amount of information, a very large log can be generated.

verbose 4

Agent re-provisioning

If for whatever reason the agent needs to be re-provisioned, follow these steps:

1. Stop the agent.
2. Delete the “eh_hash” and “eh_key” configuration tokens from the configuration file and restart the agent. It should be re-provisioned with a different EKID.

Activate/deactivate delete file

The delete file feature can be deactivated (default status is active) from the remote file manager. Use the following configuration token:

enable_file_delete 0

Hide application icon

The launch application icon can be deactivated (default status is active). The application icon is visible in the notification area. Use the following configuration token:

hide_tray 1

The value 1 means the application won't launch and the icon is not visible. Default value is 0.

Desktop pop-up alerts and access requests

An optional feature allows the user to receive an external access alert and/or an external access confirmation request. This is to comply with legal regulations regarding remote computer access. Default status is deactivated, but it can be activated by configuration tokens.

The feature can be configured on an individual basis to regulate access to specific services (file transfer, process management, service management, remote shell, remote desktop, share access), and also to disable any of the same services.

The possible values for these configuration elements are: Request, Inform, Always or Disable.

Request: this value will ask the user to accept the incoming request, via a pop-up window. The window has a timeout, and access will be denied unless the request is actively accepted.

Inform: will only inform the user. If the user does not see it, or confirms that they have seen it, the remote user will gain access.

Always: the remote user can enter without the local user authorizing or receiving any pop-up. The default setting.

Disable: the service will be unavailable

access_terminal always|request|inform|disable
access_display always|request|inform|disable
access_processes always|request|inform|disable
access_services always|request|inform|disable
access_files always|request|inform|disable
access_share always|request|inform|disable

To configure the timeout on the pop-up window, use:

access_dialog_timeout 30

The default value is 30 seconds and can't be more than the client's keepalive refresh rate (60 seconds).

To use the custom pop-ups system, load the following external DLL:

access_method 'C:\path\to\dll'

The "Information" screen should look like this:

When the configuration "forces" the local user to confirm the connection, the following information is displayed:

This function is not enabled on Linux.
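
A small audit of the security-relevant configuration tokens described in the sections above, as an added example that is not part of the eHorus manual or product. It assumes the file is plain "token value" lines, that lines starting with # are comments, and that a [[...]] value is the hashed password form; parse_conf and audit are hypothetical names.

```python
import re
import sys

# Constructed sample (not a real host); every token comes from this manual.
SAMPLE_CONF = r"""
eh_user userXXX
password 5555
storage_dir /
eh_local_port 41118
access_display request
access_terminal always
log_file 'C:\ProgramData\ehorus_agent\ehorus_agent.log'
verbose 9
"""

ACCESS_TOKENS = ("access_terminal", "access_display", "access_processes",
                 "access_services", "access_files", "access_share")
# Assumption: any [[...]] value is the form the agent writes after a restart.
OBFUSCATED = re.compile(r"\[\[.+\]\]")


def parse_conf(text):
    """Parse 'token value' lines into a dict.

    Assumption: blank lines and lines starting with '#' are ignored; the
    manual does not document a comment syntax.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[parts[0].lower()] = value.strip("'\"")
    return conf


def audit(conf):
    """Return (token, message) findings for settings that widen remote access."""
    findings = []

    password = conf.get("password")
    if not password:
        findings.append(("password",
                         "no agent password: the portal login alone opens this device"))
    elif not OBFUSCATED.fullmatch(password):
        findings.append(("password",
                         "agent password is still in clear text; restart the agent so it is hashed"))

    # 'always' is the documented default: no pop-up and no confirmation.
    unprompted = [t for t in ACCESS_TOKENS
                  if conf.get(t, "always").lower() == "always"]
    if unprompted:
        findings.append(("access_*", "no local prompt for: " + ", ".join(unprompted)))

    if conf.get("storage_dir") == "/":
        # Remote delete is active by default; enable_file_delete 0 turns it off.
        delete = "disabled" if conf.get("enable_file_delete") == "0" else "enabled"
        findings.append(("storage_dir",
                         "file transfer covers the whole filesystem; remote delete is " + delete))

    if "eh_local_port" in conf and not (conf.get("eh_local_cert")
                                        and conf.get("eh_local_key")):
        findings.append(("eh_local_port",
                         "local connection has no SSL certificate configured"))

    if conf.get("disable_info") != "1":
        findings.append(("disable_info",
                         "agent sends a device summary (HDD, RAM, CPU, OS version)"))

    if conf.get("log_file") and conf.get("verbose") == "9":
        findings.append(("verbose",
                         "maximum logging, and the agent does not limit the log size"))
    return findings


if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_CONF
    for token, message in audit(parse_conf(text)):
        print(f"{token}: {message}")
```

Run it with the path to ehorus_agent.conf as the only argument; reading the file needs the same administrator privileges as editing it.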

Dual screen

On Windows systems with multiple monitors the agent will automatically detect the principal screen. If you want to use another screen, or several at the same time, you have to modify the agent configuration file:

display_selected -1 | 0 | 1 | 2

Value -1: displays all monitors.
Value 0 (default): displays the principal screen.
Value 1: displays screen #1 (usually the second one).
Value 2 to ∞: displays screens 2, 3, 4, etc. if there are any.
