Sometimes, configuration changes need to be carried out unexpectedly. It can be necessary to gain access to G Data ManagementServer’s configuration from a machine without configuration tool G Data Administrator, or while on the road. G Data offers full configuration possibilities through the browser, as well as a selection of the most-used options for mobile devices (such as smartphones and tablets).
During the installation of G Data ManagementServer, the configuration tool G Data Administrator will be installed on the same machine. G Data ManagementServer can then be configured by physically using the server machine or by logging in to it using Windows’ Remote Desktop Protocol, or any third-party remote control solution.
Additionally, G Data Administrator can be run from other machines without the need to open a session on the server, by installing it on any machine with network access to the server.
As an optional part of the deployment process, the configuration capabilities of the G Data solution can be made remotely accessible. G Data Administrator can be installed and configured to be accessed from outside the network, but if installing the Administrator software is not an option, G Data WebAdministrator offers a browser-based interface that provides access to all settings and modules. For mobile users, G Data MobileAdministrator is the perfect interface, offering the most commonly executed tasks, such as client and security management, and checking reports. For ManagementServer to be administered remotely, TCP port 7182 needs to be accessible (see chapter 2.2).
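Before opening or forwarding the administration port, it helps to know which firewall rules already expose it. The following PowerShell is an added example, not part of the G Data documentation: it lists the enabled inbound allow rules on the ManagementServer that cover TCP 7182 and flags those that accept any remote address. It assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 or later) and an elevated prompt; the function names are illustrative.

```powershell
# Added example, not G Data code. Run elevated on the ManagementServer.
$AdminPort = 7182   # default ManagementServer port named in the text

function Test-PortInSpec {
    # True if $Port is covered by a firewall LocalPort value such as
    # '7182', '7000-7200' or 'Any'. Named specs (e.g. 'RPC') never match.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) {
            return $true
        }
    }
    return $false
}

function Get-AdminPortExposure {
    # One object per enabled inbound allow rule that lets TCP $Port through.
    param([int]$Port = $AdminPort)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            if ($pf.Protocol -in 'TCP', 'Any' -and (Test-PortInSpec $pf.LocalPort $Port)) {
                $af = $_ | Get-NetFirewallAddressFilter
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    Profile       = $_.Profile
                    RemoteAddress = $af.RemoteAddress -join ','
                    # 'Any' means every host that can route to the server may connect
                    OpenToAny     = ($af.RemoteAddress -contains 'Any')
                }
            }
        }
}

Get-AdminPortExposure | Format-Table -AutoSize
```

Rules reported with OpenToAny set to True are candidates for narrowing to the addresses that administrators actually connect from.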
5.1. Desktop application
The default deployment of G Data ManagementServer installs G Data Administrator on the same machine. With physical or remote desktop access to the server, administrators can log in to G Data Administrator to get access to all modules. In cases where desktop application access to the server is not possible or not practical, G Data Administrator can be installed on any other Windows client, as long as it can reach the ManagementServer.
Image 21: G Data Administrator, Login
Use the G Data installation medium to install G Data Administrator on the PC from which configuration tasks will be carried out. When logging in, enter the IP address or (if resolvable) the name of the ManagementServer machine as SERVER address. Make sure that the server port (default: TCP 7182) is not being blocked by the firewall, and forward it on router level if necessary.
5. Remote administration
5.2. Browser
Taking the time to install G Data Administrator on a machine is not always an option. Local policies can prevent software from being installed, or an urgent issue requires immediate attention and leaves no time for a software installation. In these cases, it is very practical to be able to configure G Data ManagementServer using only a browser. The web-based module G Data WebAdministrator offers this possibility. Most commonly, WebAdministrator is deployed to an existing web server in the enterprise network, but it can be installed to any Windows machine that is running Microsoft Internet Information Services (IIS). The following versions of IIS are supported, with their respective operating systems:
IIS version    Operating system
5.1            Windows XP Professional
6.0            Windows Server 2003
7.0            Windows Server 2008, Windows Vista
7.5            Windows Server 2008 R2, Windows 7
8.0            Windows Server 2012 R2, Windows Server 2012, Windows 8.1, Windows 8
Microsoft IIS needs to be installed before WebAdministrator can be deployed. Each Windows version listed above includes the IIS component, but often it needs to be enabled manually. For Windows Vista, Windows 7 and Windows 8, open the WINDOWS FEATURES panel (found under Control Panel > Programs and Features). Select INTERNET INFORMATION SERVICES to install the complete web server package, or pick individual components. Also enable IIS 6 MANAGEMENT COMPATIBILITY > IIS METABASE AND IIS 6 CONFIGURATION COMPATIBILITY, as WebAdministrator depends on it. Click OK to install IIS and restart the machine if prompted to do so.
Image 22; 23: Windows 7, Windows Features; Windows Server 2008 R2, Add Roles Wizard
Using Windows Server 2003, start the Manage Your Server application from the Start menu. In Windows Server 2008 and 2012, this function has been renamed Server Manager. Both applications feature the possibility to add Roles to the current server configuration. In Windows Server 2003, the appropriate role is called APPLICATION SERVER (IIS, ASP.NET); in Windows Server 2008 and 2012, WEB SERVER (IIS). For the latter two, IIS 6 METABASE COMPATIBILITY needs to be selected on the ROLE SERVICES panel. After installing the web server role (and possibly restarting the server), verify that the web server is accessible by opening http://localhost in the local browser.
As with any website, accessing G Data WebAdministrator through the browser can expose HTTP traffic to attackers with network access. Especially in scenarios where G Data WebAdministrator will be accessed from outside the enterprise network, securing the traffic is recommended. This can be done using an SSL certificate. Certificates are available for purchase from Certificate Authorities (CAs) or can be generated locally for free and be self-signed. The former option is recommended for cases where WebAdministrator will be accessed from outside the enterprise network, but will incur additional costs if the enterprise does not already own one or more certificates. The latter option can be configured easily, and will protect against casual eavesdropping on the HTTP traffic, but is more vulnerable to a man-in-the-middle attack.
Using Windows XP Professional or Windows Server 2003, an SSL certificate can be added by using the free Microsoft tool SelfSSL, available from the Microsoft website as part of the IIS 6.0 Resource Kit Tools (see footnote 6). After installation, open the SelfSSL command prompt through Start > Programs > IIS Resources > SelfSSL. A self-signed certificate can be assigned to the local website by entering a single command: selfssl /N:CN=localhost /K:2048 /V:365 /S:1 /T. Confirm the certificate creation by pressing Y. This will create a certificate for the default IIS site on the local server, and add localhost to the list of trusted certificates. The key length will be 2048 and the certificate will be valid for 365 days. If the site is not the default site of IIS, look up its IDENTIFIER in Start > Administrative Tools > Internet Information Services (IIS) Manager and change the parameter /S:1 accordingly.
Image 24: Internet Information Service (IIS) Manager, Add Site Binding
Using Windows Vista, Windows 7, Windows 8, Windows Server 2008/R2, or Windows Server 2012, open Internet Information Services (IIS) Manager by clicking Start > Run (or, alternatively, by holding Windows-key + R) and entering the command inetmgr. Select the local web server in the CONNECTIONS panel. In the middle of the screen, navigate to the IIS category and double-click on SERVER CERTIFICATES. On the ACTIONS panel, click CREATE SELF-SIGNED CERTIFICATE. After entering a friendly name for the certificate, it will be created and listed in the SERVER CERTIFICATES panel. Note that the default expiration date of the certificate is exactly one year ahead of the date of creation. To apply the certificate to site communication, select the appropriate site in the CONNECTIONS panel. On the ACTIONS panel on the right, choose BINDINGS. Click Add to add a new binding. Select https as type and select the new certificate in the SSL CERTIFICATE dropdown. Click OK to add the binding.
With IIS configured, G Data WebAdministrator can now be installed. Use the setup wizard on the G Data installation medium to install WebAdministrator. Microsoft .NET Framework will automatically be installed if the server does not yet have the required version. After installation, WebAdministrator will be accessible in the browser by opening the subfolder /GDAdmin, such as https://10.0.2.150/GDAdmin (or http:// if no SSL certificate has been installed on the web server). The folder will be different if the installation folder has been altered.
Because of the self-signed certificate, browsers may issue a warning before opening WebAdministrator. The communication, however, will still be fully encrypted. If the Silverlight browser plugin has not yet been installed, the user will be prompted to do so upon the first visit.
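A browser warning for a self-signed certificate looks the same whether the certificate is the one created on the IIS server or a substitute presented by someone in the path, so the fingerprint has to be compared against a value recorded on the server itself. The following PowerShell is an added example, not part of the G Data documentation: it fetches the certificate the web server presents, compares its SHA-256 fingerprint with the recorded one, and reports how close the one-year expiry is. The function names and the fingerprint placeholder are illustrative; the address is the sample address used above.

```powershell
# Added example, not G Data code. Requires PowerShell 3.0 or later.
function Get-ServerCertificate {
    # Fetch the certificate a TLS server presents, without trusting it yet.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain on purpose: trust is decided by the pin comparison.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function Get-Sha256Fingerprint {
    # SHA-256 over the DER-encoded certificate, as uppercase hex.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    [System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', ''
}

function Test-PinnedCertificate {
    param([string]$HostName, [string]$ExpectedSha256,
          [int]$Port = 443, [int]$WarnDays = 30)
    $cert     = Get-ServerCertificate -HostName $HostName -Port $Port
    $actual   = Get-Sha256Fingerprint $cert
    $expected = $ExpectedSha256 -replace '[^0-9A-Fa-f]', ''   # drop ':' and spaces
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject     = $cert.Subject
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        Sha256      = $actual
        PinMatches  = ($actual -eq $expected)
        NotAfter    = $cert.NotAfter
        ExpiresSoon = ($daysLeft -lt $WarnDays)
    }
}

# On the IIS server: record the fingerprint of the certificate bound to the site.
# From the admin machine (placeholder fingerprint, sample address from the text):
# Test-PinnedCertificate -HostName '10.0.2.150' -ExpectedSha256 '<fingerprint recorded on the server>'
```

If PinMatches is False, the certificate reaching the admin machine is not the one installed on the web server and the session should not be used for logging in.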
G Data WebAdministrator can be used to log in to any ManagementServer. Its login authentication methods, interface and functions are identical to those of G Data Administrator. Any configuration and management tasks can be carried out through the web interface.
6 See www.microsoft.com/en-us/download/details.aspx?id=17275.
5.3. Mobile
For configuration tasks that need to be carried out right away, G Data Administrator and G Data WebAdministrator are not always the perfect solution. For cases where no software or desktop browser access is possible, G Data has developed MobileAdministrator. It offers access to the most commonly used functions of G Data Administrator in a mobile-optimized web interface. MobileAdministrator can be used on all smartphone platforms and on all tablets and does not require the Silverlight plugin, unlike WebAdministrator. The web application can be used to manage clients and to stay up to date with the latest reports about malware infections, PolicyManager requests and more.
It offers effective client management and reports. The web application does not just provide passive reporting capabilities, but supports direct responses. Malware infections can be checked and directly acted upon. Files can be quarantined or moved back and PolicyManager reports used to directly edit white- or blacklists. The web application can also be used to quickly gain an overview of the status of all network clients. Reports can be defined and previewed using the mobile ReportManager module.
Image 25: G Data MobileAdministrator, Dashboard
MobileAdministrator is, like WebAdministrator, a web application. It can be installed from the G Data installation medium, on top of Microsoft Internet Information Services (IIS). MobileAdministrator requires at least Windows 7 or Windows Server 2008 R2. For more information about configuring IIS, including an SSL certificate, see chapter 5.2.
5.4. MasterAdmin
Although G Data Administrator, WebAdministrator and MobileAdministrator can be used to log in to any ManagementServer, effective management of very large networks should be carried out with MasterAdmin. This version of G Data Administrator allows management of multiple ManagementServers within the same interface, streamlining configuration and deployment. To manage multiple servers, MasterAdmin functionality can be enabled in G Data Administrator. Managed Service partners, as well as end customers who are managing a large network with multiple ManagementServer installations, can request a MasterAdmin activation code from G Data.
On the regular login screen, select MANAGE MULTIPLE SERVERS to enable the appropriate login options. Enter the activation code and a username and password of choice. After successfully logging in, the MASTERADMIN WIZARD will be started automatically. Using the wizard, the management servers that will be administered remotely can be added. Enter the server’s domain name or IP address and its user name and password. To tell multiple servers apart in the MasterAdmin interface, enter an alias name. Click NEXT to add a new server or FINISH to close the wizard.
The MasterAdmin wizard can be opened at any time from the ADMIN menu.
Image 26: G Data MasterAdmin
After adding servers, MasterAdmin’s options are virtually indistinguishable from G Data Administrator’s regular functionality. Each ManagementServer and its clients can be managed by selecting it in the client management area. Depending on the selected server’s license, the appropriate modules will be shown on the right.