Ekran System v.6.

0
Getting Started
Table of Contents

About .............................................................................................................................. 4
System Requirements ................................................................................................... 5
Program Structure ......................................................................................................... 8
Getting Started ............................................................................................................ 10
Server and Database ................................................................................................... 11
Installing the Server ................................................................................................................11
Database Types Comparison ................................................................................................15
Management Tool ........................................................................................................ 15
Management Tool Installation Prerequisites .......................................................................15
Turning on Internet Information Service (IIS) ..................................................................16
Turning on IIS for Windows 8 and Windows 7 .............................................................16
Turning on IIS for Windows Server 2008 R2 ................................................................17
Turning on IIS for Windows Server 2012 ......................................................................18
Installing .NET Framework .................................................................................................20
Configuring Internet Information Service (IIS) .................................................................20
Using Certificates .................................................................................................................25
Generating Self-Signed Certificate ................................................................................25
Exporting Self-Signed Certificate ...................................................................................26
Importing Trusted Certificate...........................................................................................28
Adding Certificate to Trusted Root Certification Authorities.......................................29
Setting HTTPS Binding for a Default Web-Site ...............................................................36
Installing the Management Tool ............................................................................................38
Adjusting Computer for Remote Access ..............................................................................40
Licensing...................................................................................................................... 43
Activating Serial Keys Online ................................................................................................43
Adding Activated Serial Keys Offline ....................................................................................43
Installing Windows Clients ......................................................................................... 45
Windows Client Installation Prerequisites............................................................................45
Installing Windows Clients Remotely via the Management Tool .....................................46
About ......................................................................................................................................46
Selecting Computers ...........................................................................................................46
Remote Windows Client Installation Process ..................................................................48
Remote Installation from an Existing .INI File..................................................................49
 Installing Windows Clients Locally ........................................................................................50
Installing macOS Clients ............................................................................................ 51
About .........................................................................................................................................51
Downloading macOS Client Installation File .......................................................................51
Installing macOS Clients ........................................................................................................51
Installing Linux Clients ............................................................................................... 53
About .........................................................................................................................................53
Downloading Linux Client Installation File ...........................................................................53
Installing Linux Clients ............................................................................................................53
Alerts ............................................................................................................................ 55
Adding Alerts ............................................................................................................................55
Users and Permissions ............................................................................................... 58
About .........................................................................................................................................58
Adding Users ............................................................................................................................58
Permissions ..............................................................................................................................62
Management Tool Log ............................................................................................................62
Viewing Monitoring Results ....................................................................................... 63
Playing Sessions .....................................................................................................................63
Playing Windows Sessions ....................................................................................................64
Viewing Keystrokes..............................................................................................................64
Viewing Clipboard Text Data ..............................................................................................66
Viewing USB Device Info ....................................................................................................67
Viewing URLs .......................................................................................................................67
Playing macOS Sessions .......................................................................................................68
Viewing URLs .......................................................................................................................68
Playing Linux Sessions ...........................................................................................................69
Filtering EXEC Commands .................................................................................................69
Dashboards ..............................................................................................................................69
More Information ......................................................................................................... 69
About
Welcome to Ekran System!
Ekran System is an application that allows you to record the activity of the target computers
with installed Clients and to view the screen captures from these computers in the form of
video.
This guide will help you in managing Ekran components (installing, uninstalling, updating, etc.)
and controlling their interaction.
System Requirements
Ekran System claims different system requirements for each of its components. Make sure your
hardware and software meet the following system requirements to avoid possible component
malfunctions.

Server requirements:
 2 GHz or higher CPU
 1024 MB or more RAM
 Enterprise-level Ethernet card
 Minimum 1 Gbit/s network adapter
 Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (x64
platform)
 .Net Framework 4.5.2 or higher
NOTE: If the Server and the Management Tool are to be installed on the same
computer, make sure you turn on the Internet Information Service before the
installation of .Net Framework 4.5.2.
 [When using MS SQL Database]: Full edition of MS SQL Server 2008R2 SP1 or higher.
Standard license or higher is required.
NOTE: If you want to deploy the Ekran System in the High Availability mode, enabled
Message Queueing and configured NLB cluster are required. Please refer to the High
Availability Deployment Guide for more information.

Management Tool requirements:

 2 GHz or higher CPU
 1024 MB or more RAM
 100 Mbit/s network adapter
 Windows 10, Windows 8.1, Windows 8, Windows 7 (any edition except Home);
[recommended] Windows Server 2016, Windows Server 2012, and Windows Server
2008 R2 (starting from SP1 version). Both x86 and x64 platforms are supported.
 .Net Framework 4.5.2 or higher
 IIS 7.5 or higher with enabled ASP.NET 3.5 and 4.5 support (4.6 for Windows Server
2016)
 [For accessing the Management Tool locally or remotely] One of the following browsers:
 Google Chrome 37 or higher
 Mozilla Firefox 32 or higher
 Internet Explorer 10 or higher
 Safari S6 and Safari S5
 Opera 15 or higher
NOTE: The Management Tool might be opened in other browsers, but its compatibility with
other browsers is not guaranteed.
Windows Client requirements:
 1 GHz or higher CPU
 512 MB or more RAM
 100 Mbit/s network adapter
 Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP
SP3; Windows Server 2016, Windows Server 2012, Windows Server 2008, and
Windows Server 2003 SP1. Both x86 and x64 platforms are supported.
NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows
Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be
installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx.
 Citrix XenDesktop; Citrix XenApp; Citrix XenDesktop/XenApp with Citrix Provisioning
Services (PVS).
 It is recommended to have not less than 500MB of free space on the disk where the
Client is installed to save data during the offline session.

macOS Client requirements:

 2.26GHz Intel Core 2 Duo or higher CPU
 2GB RAM
 100 Mbit/s network adapter
 macOS 10.9 and later
 It is recommended to have not less than 500MB of free space on the disk where the
Client is installed to save data during the offline session.

Linux Client requirements:

 1 GHz or higher CPU
 512 MB or more RAM
 100 Mbit/s network adapter
 It is recommended to have not less than 500MB of free space on the disk where the
Client is installed to save data during the offline session.
 Linux Kernel 2.6.32 and higher

Distributor Base OS Versions Supported

Debian Debian 8.0, 7.0

Ubuntu 16.0, 15.0, 14.0, 12.0
Linux Mint 17.xx - 13

RedHat RedHat 7.0, 6.0

CentOS 7.x , 6.x
Oracle Linux 7.x - 5.6
 Sun Microsystems Solaris 11.x – 10.0

NOTE: When the Client is installed to the terminal server, hardware requirements depend on
the number of active user sessions and may increase drastically. For example, hardware
requirements for the Client deployed on the terminal server hosting 10 active user sessions
will be as follows:
 Intel Core i3 or similar AMD CPU
 2048 MB RAM
Program Structure
Ekran System is an application specially designed to control user activity remotely.

Ekran System includes the following components:

 Ekran System Server (further referred to as Server): It is the main part of the Ekran
System used for storing the screenshots and associated information received from the
Clients. The work of the Server can be started or stopped via Server Tray.

 Ekran System Management Tool (further referred to as Management Tool): It is a

central administrative unit that allows you to control and manage Clients, Users, USB
Monitoring Rules, Alerts, Server database, and Serial Keys. You can have access to the
Management Tool from any computer in the network without having to install it on this
computer.
Ekran System Session Viewer provides a usable interface for quick review of the
monitored data received from the Windows, macOS, and Linux Clients.

 Ekran System Windows Clients (further referred to as Windows Clients): Being hosted
on the remote computers, Windows Clients create screenshots with the defined
frequency and send them to the Server along with metadata information such as user
name, host name, activity time, active window titles, application names, URL addresses,
clipboard text data, keystrokes, etc. Managing the remote Windows Clients
configuration and settings is performed via the Management Tool.

 Ekran System macOS Clients (further referred to as macOS Clients): Being hosted on
the remote computers, macOS Clients create screenshots with the defined frequency
and send them to the Server along with metadata information such as user name, host
name, activity time, active window titles, application names, URL addresses, etc.
Managing the remote macOS Clients configuration and settings is performed via the
Management Tool.

 Ekran System Linux/Unix Clients (further referred to as Linux Clients): Being

hosted on the remote computers, Linux Clients capture input/output terminal data
(including all executed commands) and send this interactive data to the Server.

 Ekran System Tray Notifications application (further referred to as Tray

Notifications application): This application allows receiving notifications on alert
events on Clients.
Getting Started

Getting Started
The Ekran System installation consists of the following steps:
1. Install the Server.
2. Make sure the Management Tool installation prerequisites are met.
3. Install the Management Tool.
4. Purchase serial keys and activate them online (or add them offline).
5. Set up the network environment on the computers where the Clients will be installed.
6. Install the Windows Clients, macOS, or Linux Clients.
7. Define monitoring settings for Clients.
8. Add Alerts in case needed.
9. Add users to the system and define their permissions.
10. Start monitoring the captured data from the investigated computers.

10
Server and Database

Server and Database

Installing the Server
To install the Server, do the following:
1. Run the EkranSystem_Components.exe installation file.
2. Click Next on the Welcome page.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Choose Components page, do one of the following and click Next:
 In the drop-down list, select Ekran System Server.
 Select Ekran System Server in the box.

5. On the Choose Install Location page, enter the installation path or click Browse to
navigate to the Server installation folder. Click Next.

11
Server and Database

6. On the Database Type page, select the type of database you want to use for storing
data. Click Next. See the Database Types Comparison chapter, to see the difference
and choose the proper type of the database.

7. If you have selected MS SQL Server, on the MS SQL Server Database Configuration
page, define the connection parameters and then click Next.
 Define the MS SQL Server instance name, which is the instance name assigned
to the TCP/IP port.
 Define the Database name for the database.
 Define the User name and Password of a user account via which the
connection to the Server will be established.

12
Server and Database

NOTE: You have to define either the SA credentials or the credentials of the
user with the dbcreator permission.

8. If you have selected Firebird database, on the Database Location page, enter the
database path or click Browse to navigate to the database installation folder. Click
Next.

9. If you already have a database created during the usage of previous versions of the
program, you will be offered to re-use it. If you want to use the existing database, click
Yes. In other case, click No and the new database will be created.
NOTE: If you click No, the existing database will be deleted.
10. On the Administrator password page, define the password for the administrator (the
default user of Ekran System with login admin and full permissions). Click Next.

13
Server and Database

11. On the Ekran System Client Uninstallation Key page, enter the key that will be used
during the Client local uninstallation and click Next. By default, the Uninstallation key
is allowed. You will be able to change this key via the Management Tool any time
later.

12. Click Install.

13. The process of installation starts. Its progress is displayed on the Installing page.
14. If the installation finishes successfully, you will see the last page of the wizard. Click
Finish to exit the wizard.
15. If you are installing the Server for the first time, back up EkranMasterCertificate (For
more details, see the Backing up Ekran Master Certificate chapter in the Ekran System

14
Management Tool

Deployment Guide). The backed up certificate might be required for Server recovery
or during updates. Commented [TW1]:

16. If you already have a backed up master certificate and re-using the database, delete
the master certificate and import the backed up one instead of it.
17. In Windows Firewall, you must allow the Server executable to accept TCP connections
via port 9447 and 9449 (for the connection between the Server and the Clients) and
22713 (for the connection between the Server and the Management Tool).

Database Types Comparison

When installing the Server, you can choose between the two types of databases (MS SQL
database and Firebird database). These databases have the following differences:

Feature MS SQL Database Firebird Database

Free ✘ (has a limited free version) ✔ Commented [TW2]:

NOTE: Using MS SQL Express

does not guarantee the stable
work of the Server.

Processing speed High Low

Remote access to database ✔ ✘

Requires additional software ✔ ✘

installation

Security High Low

Management Tool
Management Tool Installation Prerequisites
The following prerequisites are necessary for successful installation of the Management Tool.
For Windows 7, it is important that you follow these steps in correct order.

To be able to install the Management Tool, you need to:

1. Turn on the Internet Information Service.
2. Install .NET Framework 4.5.2.

15
Management Tool

3. Configure the Internet Information Service.

4. Generate a self-signed certificate or import a purchased SSL certificate issued for the
computer, on which the Management Tool will be installed.
5. Add the certificate to the Trusted Root Certification Authorities on the computer, on which
the Management Tool will be installed. Otherwise a certificate error will be displayed in
your browser when opening the Management Tool.
6. Set HTTPS binding for a default web site (or any other IIS site).
NOTE: If you already have a certificate generated for the computer on which the
Management Tool will be installed, you can skip certificate generation step and use an
existing certificate.

Turning on Internet Information Service (IIS)

Turning on IIS for Windows 8 and Windows 7
To turn on the Internet Information Service for Windows 8 and Windows 7, do the following:
1. Select Control Panel > Programs and Features (Program uninstallation).

2. Click the Turn Windows features on or off navigation link.

3. The Windows Features window opens.
4. In the features tree-view, select the Internet Information Services check box.

16
Management Tool

5. Click OK.

Turning on IIS for Windows Server 2008 R2

To turn on the Internet Information Service for Windows Server 2008 R2, do the following:
1. In the Start menu, select All Programs > Administrative Tools > Server Manager.
2. In the navigation pane, select Roles, and then click Add Roles.

3. The Add Roles Wizard opens.

4. On the Before You Begin page, click Next.
5. On the Server Roles page, select Web Server (IIS), click Next, and then go to the Role
Services page to start configuring Web Server (IIS).

17
Management Tool

Turning on IIS for Windows Server 2012

The Internet Information Service can be turned on using the Windows PowerShell or Windows
Server 2012 Server Manager.

To turn on the Internet Information Service for Windows Server 2012 using Windows
PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and click Enter:
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools

To turn on the Internet Information Service for Windows Server 2012, do the following:
1. In the Start menu, select Server Manager.
2. In the navigation pane, select Dashboard, then click Manage > Add roles and features.

3. The Add Roles and Features Wizard opens.

4. On the Before You Begin page, click Next.
5. On the Installation type page, select Role-based or feature-based installation, and then
click Next.

18
Management Tool

6. On the Server Selection page, select Select a server from the server pool, select your server
from Server Pool list, and then click Next.

7. On the Server Roles page, select Web Server (IIS), click Next and then click Add Features to
start configuring Web Server (IIS).

19
Management Tool

Installing .NET Framework

Windows 10 and Windows Server 2016 usually have .NET Framework 4.6 installed.
If you are using Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012,
Windows Server 2008, or if there is no .NET Framework 4.5.2 on other Windows versions, you
can download it from the Microsoft official https://www.microsoft.com/en-
us/download/details.aspx?id=42642 and run the installation file on your computer.
Alternatively, on Windows Server 2012, you can install .NET Framework 4.5.2 using Windows
PowerShell.
To install .NET Framework 4.5.2 and configure Internet Information Service (IIS) for Windows
Server 2012 using Windows PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and click Enter:
Install-WindowsFeature -Name NET-Framework-Core, Name NET-Framework-45-
ASPNET, Name Web-Asp-Net45, Name Web-ISAPI-Ext, Name Web-ISAPI-Filter

Configuring Internet Information Service (IIS)

Windows 8 Make sure that all the following check boxes are selected in

20
Management Tool

the Windows Features window and then click OK:

 .NET Framework 3.5 and .NET Framework 4.5
Advanced Services;

 Internet Information Services > Web Management

Tools > IIS Management Console;

 Internet Information Services > World Wide Web

Services > Application Development Features >
ASP.NET 3.5 and ASP.NET 4.5;

 Internet Information Services > World Wide Web

Services > Common HTTP Features > Static Content.

Windows 7 Make sure that all the following check boxes are selected in
the Windows Features window and then click OK:
 Internet Information Services > Web Management
Tools > IIS Management Console;

21
Management Tool

 Internet Information Services > World Wide Web

Services > Application Development Features >
ASP.NET;

 Internet Information Services > World Wide Web

Services > Common HTTP Features > Static Content.

Windows Server 2008 3. In the Add Roles Wizard window, on the Role Services
page, make sure that the following check boxes are
selected:
 Common HTTP Features > Static Content;
 Application Development > ASP.NET.

4. Click Next and then click Add Required Role Services.

5. On the Role Services page, make sure that the following
check boxes are selected:
 Management Tools > IIS Management Console.

22
Management Tool

6. Click Next and then click Install.

7. After the end of installation, click Close.

Windows Server 2012 1. In the Add Roles and Features Wizard window, on the
Server Roles page, make sure that the Web Server (IIS)
check box is selected and then click Next.

2. On the Features page, make sure that the following

check boxes are selected:
 .NET Framework 3.5 Features (Installed) > .NET
Framework 3.5;
 .NET Framework 4.5 (Installed) > ASP.NET 4.5.

3. Click Next.
4. On the Web Server Role IIS page, click Next.
5. On the Role Services page, select the ASP.NET 4.5 check
box (under Application Development).

6. Click Next and then click Add Features.

7. On the Role Services page, make sure that the following
check boxes are selected:
 Application Development > .NET Extensibility 4.5 >
ASP > NET 4.5 > ISAPI Extensions > ISAPI Filters.

23
Management Tool

8. Click Next and then click Install.

9. After the end of installation, click Close.

24
Management Tool

Using Certificates
Generating Self-Signed Certificate
To generate a self-signed certificate on the machine, on which you will install the
Management Tool, do the following:
1. Open the Internet Information Service Manager:
 For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications >
Internet Information Services (IIS) Manager.
 For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr
in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information
Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server
Certificates item under the IIS category.

3. The Server Certificates pane opens.

4. On the Actions pane (to the right), click Create Self-Signed Certificate.

25
Management Tool

5. The Create Self-Signed Certificate window opens.

6. Enter the name for a certificate in the Specify a friendly name for the certificate box and
select Personal in the Select a certificate store for the new certificate drop-down list. Click
OK.
7. The certificate is created.

Exporting Self-Signed Certificate

To export self-signed certificate, do the following:
1. In the Internet Information Service Manager, on the Server Certificates pane, select the
generated certificate and click Export on the Actions pane or in the certificate right-click
menu.
2. In the Export Certificate window, define the location and password for the certificate. Click
OK.

26
Management Tool

3. The certificate is exported and can be added to the Trusted Root Certification Authorities.

27
Management Tool

Importing Trusted Certificate

To import a purchased certificate issued for the computer, do the following:
1. Open the Internet Information Service Manager:
 For Windows 8 or Windows 7 Open Computer > Manage > Services and Applications
> Internet Information Services (IIS) Manager.
 For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter
inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet
Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server
Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Import.

5. In the Import Certificate window, click the dots (…) to browse for the file of the purchased
certificate and enter its password in the Password field.

6. Click OK.

28
Management Tool

7. The certificate is imported and displayed on the Server Certificates pane of the Internet
Information Services (IIS) Manager.

Adding Certificate to Trusted Root Certification Authorities

Before adding the self-signed certificate to the Trusted Root Certification Authorities, it should
be exported. For purchased certificates that were issued for your computer this procedure is
not needed.

To add the certificate to the Trusted Root Certification Authorities, do the following:
1. Press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.

4. In the opened Add or Remove Snap-ins window, select Certificates > Add.

5. In the opened Certificates snap-in window, select Computer account and click Next.

29
Management Tool

6. In the opened Select Computer window, select Local computer: (the computer this console
is running on) and click Finish.

7. In the Add or Remove Snap-ins window, click OK.

30
Management Tool

8. In the Console window, expand the Certificates (Local computer) node.

9. In the Certificates (Local computer) tree-view, find the Trusted Root Certification
Authorities node.

10. In the right-click menu of the Trusted Root Certification Authorities node, select All Tasks >
Import.

11. The Certificate Import Wizard opens.

12. On the Certificate Import Wizard Welcome page, click Next.
13. On the File to Import page, click Browse to find the certificate to be imported and then click
Next.

31
Management Tool

32
Management Tool

14. On the Private key protection page, enter the certificate password and then click Next.

15. On the Certificate Store page, click Next.

33
Management Tool

34
Management Tool

16. On the last page of the Certificate Import Wizard, click Finish.
17. In the confirmation message, click OK.

18. The certificate is imported and is displayed in the Console window in the Certificates node.
Please note that the Issued To field contains the name of the computer, on which the
Management Tool will be installed in the format that will be used when opening the
Management Tool.

19. Close the Console window.

35
Management Tool

Setting HTTPS Binding for a Default Web-Site

To set HTTPS binding for a default web-site, do the following:
1. Open the Internet Information Service Manager:
 For Windows 8 or Windows 7: Open Computer > Manage > Services and
Applications > Internet Information Services (IIS) Manager.
 For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter
inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet
Information Service Manager for any version of the Windows operating system.
2. Expand the node with the name of the target computer in the central pane.
3. Expand the Sites node.
4. Select the Default Web Site.
NOTE: If there is no such site in the Internet Information Services (IIS) Manager of your
computer, you can select any other site (the name of the site does not matter).

36
Management Tool

5. Click the Bindings navigation link on the right.

6. The Site Bindings window opens.

7. If there is no binding of HTTPS type in the Site Bindings window, click Add.
8. The Edit Site Binding window opens.
9. In the Type box, select https.

37
Management Tool

10. Next to the SSL certificate drop-down list, click Select.

11. The Select Certificate window opens, where the list of existing certificates is displayed.
12. In the Select Certificate window, select the certificate generated for the Management Tool
and then click OK.

13. In the Add Site Binding window, click OK.

14. In the Site Bindings window, click Close.
15. Now the Internet Information Service is fully adjusted and you can start installing the
Management Tool.

Installing the Management Tool

To install the Management Tool, do the following:
1. Run the EkranSystem_ManagementTool.exe installation file.
2. On the Welcome page, click Next.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Connection Settings page, do the following and then click Next:
 In the Server address box, enter the name or IP address of the computer on which
the Server is installed.
 In the URL address field enter the folder where the Management Tool will be
located within IIS. This URL will be used when opening the Management Tool.

38
Management Tool

5. On the Choose Install Location page, enter the destination folder in the corresponding
field or click Browse and in the Browse For Folder window, define the destination
folder. Click Install.

6. The process of installation starts. Its progress is displayed on the Installing page.
7. After the end of the installation process, click Close to exit the wizard
8. The Management Tool is displayed as an application of a default web site or any other
site with https connection in the Internet Information Services (IIS) Manager.

39
Management Tool

9. Now you can open the Management Tool via your browser from the same computer
or a remote one.

Adjusting Computer for Remote Access

If you want to open the Management Tool from the computer different from the one where
the Management Tool is installed, you need to adjust Firewall settings to be able to access this
computer.
If the users access Management Tool only from computers where it is installed, there is no
need to configure Firewall.

To adjust Firewall on the computer where the Management Tool is installed, do the
following:
1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right click Inbound Rules
and select New rule.
4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Predefined and then select Secure World Wide Web
Services (HTTPS) in the list. Click Next.

40
Management Tool

6. On the Predefined Rules page, select the World Wide Web Services (HTTPS Traffic-In)
check box. Click Next.

41
Management Tool

7. On the Action page, select Allow the connection. Click Finish.

8. The new inbound rule for Firewall is created.

42
Licensing

Licensing
Activating Serial Keys Online
To activate purchased serial keys online, do the following:
1. Make sure you have an active Internet connection on the computer with the installed
Server.
2. Log in to the Management Tool as a user with the administrative Serial keys management
permission.
3. Click the Serial Key Management navigation link on the left.
4. On the Serial Key Management page, click Activate keys online.
5. In the Serial Key Activation window, enter serial keys to be activated separating them with
semicolons or paragraphs and click Activate.

6. The activated keys will appear on the Serial Key Management page
7. The number of available licenses and the update & support period end date change.

Adding Activated Serial Keys Offline

If you have no Internet connection on a computer on which the serial keys are to be activated,
you can activate them on the license site and then add the activated serial keys offline. For
more information, send an email to info@ekransystem.com
NOTE: Update and Support serial keys cannot be activated offline.

To activate serial keys offline on the license site, do the following:

1. On the computer with the installed Server, start the UniqueIdentifierGenerator.exe file,
which you can download at
https://www.ekransystem.com/sites/default/files/ekransystem/UniqueIdentifierGenerator.
exe

43
Licensing

2. The Unique Identifier Generator window opens.

3. Click Generate to generate a unique identifier for your computer.
4. When a unique identifier for your computer is generated, it will appear in a text box under
the Unique Identifier group of options.
5. Copy the unique identifier from the text box to a text file on a removable drive.
6. Go to the Ekran System license site.
7. Enter the generated unique identifier in the Unique Identifier box.
8. Copy and paste the purchased serial keys to the Serial Keys box separating them with
paragraphs or spaces.
9. Enter the CAPTCHA text in a text box near the CAPTCHA image.
10. Click Activate.
11. The activatedKeys.txt file will be generated. Save the file on a removable drive.
12. Copy the file to the computer on which you will open the Management Tool.
NOTE: Please do not edit the generated file activatedKeys.txt.

To add activated serial keys in offline mode, do the following:

1. Log in to the Management Tool as a user with the administrative Serial keys management
permission.
2. Click the Serial Key Management navigation link on the left.
3. On the Serial Key Management page, click Add activated keys.
4. On the Activated Serial Key Adding page, click Choose File and navigate to the
activatedKeys.txt file with activated serial keys.
5. Click Add.
6. The newly added serial keys appear on the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.
8. If there are both licensed and unlicensed Clients in your network and you want to license
the rest of Clients with a purchased key, you will have to assign the license to the remaining
unlicensed Clients manually.

44
Installing Windows Clients

Installing Windows Clients

Windows Client Installation Prerequisites
The majority of Windows Client installation/uninstallation issues are caused by incorrect
system or network settings.

The following conditions have to be met for successful Client installation:

 The remote computer has to be online and accessible via network.
 Shared folders have to be accessible on the remote computer. Simple file sharing
(Sharing Wizard) has to be disabled if the computer is in a workgroup (for domain
computers this requirement can be skipped).
 You need to know the domain administrator or local administrator account credentials
for the remote computer.
 The Server and the Remote Procedure Call (RPC) system services have to be running on
the remote computer.
 Windows Vista and Windows XP Firewall has to be properly set up on the remote
computer during the Clients remote installation.
 In Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 Firewall,
inbound connections have to be allowed in the Remote Service Management (RPC) rule
for the remote computers and the File and Printer Sharing option has to be enabled (in
this case it is not necessary to disable Windows Firewall).
 Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2
SP1, the Microsoft Security Advisory update 3033929 needs to be installed:
https://technet.microsoft.com/en-us/library/security/3033929.aspx.

In Windows Firewall on the Server side, allow the Server executable to accept TCP connections
via ports 9447 and 9449 (for the connection between the Server and the Clients).
NOTE: These rules will be added to Windows Firewall automatically, if Windows Firewall is
enabled during the Server installation.

Make sure the conditions mentioned above are met to avoid possible problems with Client
remote installation.

45
Installing Windows Clients

Installing Windows Clients Remotely via the

Management Tool
About
You can install the Windows Clients remotely via the Management Tool. This way of installation
is very convenient if all computers in your network have the same domain administrator
credentials.
Remote Client Installation is performed by a user who has the Client installation and
management permission in two steps:
1. Selecting computers on which Clients will be installed.
2. Installation parameters definition and installation process.

Selecting Computers
To select the computers for Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the Client Management navigation link on the left.
3. On the Clients page, click Install Clients.

4. The Computers without Clients page opens. On this page, you can see the computers, for
which the previous installations failed.

5. Select how you would like to search for computers where the Windows Clients will be
installed:
 To select computers from the list of all computers in your network, Deploy via
network scan.
 To select computers by IP range (IPv4 or IPv6 addresses), click Deploy via IP range.

46
Installing Windows Clients

 To select computers by their names, click Deploy on specific computers.

6. In the Choose search results window:
 Click Start new search to look for computers with defined parameters.
 Click Previous search results to choose the computers found in the previous search.
If you haven’t performed any searches yet, this button will be absent.

7. If you have selected the Deploy via IP range option, the Computers Scan page opens. In the
From Address and To Address boxes, enter the IP range (either IPv4 or IPv6), for which the
network should be scanned. To find only one computer, enter the same IP address in both
boxes. Click Scan.

8. If you have selected the Deploy on specific computers option, the Adding Computers page
opens. Enter the names of computers on which Windows Clients must be installed in the
box Name and click Scan. Use semicolon to separate computer names.
Please note that you should enter the full name of the computer.

9. The scanning process starts. The list of found computers will be updated automatically. If it
is not updated, click Refresh. To stop the scanning process, click Stop.
10. When the scanning process finishes, select check boxes next to the computers that you
want to install the Clients on. Click Next.
47
Installing Windows Clients

11. The selected computers are added to the list on the Computers without Clients page.

12. If you want to delete some computers from this list, click Remove from list next to the
selected computer.

Remote Windows Client Installation Process

When all computers for Windows Client installation are selected, you are ready to start
installation. Please make sure that all selected computers are correctly adjusted.

To install the Windows Clients remotely, do the following:

1. On the Computers without Clients page, click Install.
2. On the Client Configuration page, define the name/IP of the Server, to which the Windows
Clients will be connecting, and define the Client configuration for the Clients you are
installing. Click Next.
NOTE: The Server IP address has to be static for Clients to connect to it successfully.
Unique external IP addresses should be used for cloud-based Servers.
3. On the Installation credentials page, enter the credentials of a user with administrator
permissions on the target computers for Client installation and then click Next.

48
Installing Windows Clients

 If the computers are in a domain, enter the domain name and domain administrator
account credentials.
 If the computers are in workgroup, enter the credentials of a local administrator for
target computers.
If you leave the Domain box empty, the entered credentials will be used as the credentials
of a local user of a target computer and the Client will be installed under the <target PC
name>\<user name> account.
NOTE: All workgroup computers must have the same administrator account credentials.
Otherwise use installation via installation package method to deploy Ekran System
Clients.

4. The installation process starts. The progress of installation will be updated automatically on
the Client installation page. If it is not updated, click Refresh.

5. After the end of the installation, the installed Clients will appear on the Clients page in All
Clients group. If the installation of some Clients fails, these computers will remain in the
Computers without Clients list and you can click Retry to start the installation again.

Remote Installation from an Existing .INI File

If you already have an .ini file with defined settings generated in the Management Tool and
saved to your computer, you can use it for installing the Clients.
To install the Windows Clients remotely, using an existing .ini file do the following:

49
Installing Windows Clients

1. On the Computers without Clients page, click Install using existing .ini file.
2. On the INI file selection page, click Choose file to select the .ini file that will be used for
configuration of new Clients.
Please note, if any parameter except RemoteHost is absent or not valid, its value will be set
to default. The RemoteHost parameter is ignored, in this type of installation. The Client will
connect to the Server to which the Management Tool is connected.

3. Once the .ini file is chosen, click Next and continue the installation the same way as when
installing the Clients remotely in a common way.

Installing Windows Clients Locally

You can install the Windows Clients locally using the Client installation file generated in the
Management Tool. You have two options for downloading the Client installation file from the
Management Tool:
 Generate the installation package and set the Windows Client configuration during
generation.
 Use Client installation file (.exe) to install the Client with default parameters.
NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2
SP1, the Microsoft Security Advisory update 3033929 needs to be installed:
https://technet.microsoft.com/en-us/library/security/3033929.aspx.

50
Installing macOS Clients

Installing macOS Clients

About
You can install the macOS Clients locally using the Client installation file generated in the
Management Tool.

Downloading macOS Client Installation File

To download the file for macOS Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and
management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Download macOS x64 Client
Installation (.tar.gz).
6. File downloading starts. The download settings depend upon the settings of your
browser.

Installing macOS Clients

This type of installation allows you to install the macOS Clients locally using the downloaded
EkranSystemmacOSClientx64.tar.gz package.

To install the macOS Client on the target computer with a macOS operating system from the
command line:
1. Make sure that you log out of all active users except the current one.
2. Copy the installation package to any folder.
3. Run the Terminal.
4. Navigate to the folder with the installation package by entering the following command:
cd path/to/folder
5. Unpack the installation package using the following command:
tar xvfz <installation package name>

6. Navigate to the unpacked EkranClient folder using the following command:

cd EkranClient

51
Installing macOS Clients

The EkranClient folder contains the install.sh script used to install the Client.
7. Run the macOS Client installation script specifying the Server name or Server IP address
and the port used for connection to the Server (9447 is recommended):
./install.sh <server_name/IP> <Agent_port>.
8. After the end of the installation, macOS Client will appear in the list on the Clients page in
the Management Tool.

52
Installing Linux Clients

Installing Linux Clients

About
You can install the Linux Clients locally from the command line using the
EkranSystemLinuxClient.tar.gz package, respectively:
 EkranSystemLinuxClientx64.tar.gz for the 64-bit system
 EkranSystemLinuxClientx86.tar.gz for the 32-bit system

Downloading Linux Client Installation File

To download the file for Linux Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the Client Management navigation link on the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Download Linux x86 Client Installation
(.tar.gz) or Download Linux x64 Client Installation (.tar.gz).
6. File downloading starts. The download settings depend upon the settings of your
browser.

Installing Linux Clients

To install the Linux Client on the target computer with the Linux operating system from the
command line:
1. Copy the installation package to any folder. Make sure you use the correct installation
package (x64 or x86).
2. Run the command-line terminal.
3. Using the terminal, go to the folder with the installation package by entering the
following command:
$ cd path/to/folder
4. Unpack the installation package using the following command:
$ tar xvfz <installation package name>

53
Installing Linux Clients

5. Go to the unpacked EkranClient folder using the following command:

$ cd EkranClient.
6. The EkranClient folder contains the install.sh script used to install the Client.
7. Run the Linux Client installation script specifying the Server name or Server IP address
and the port used for connection to the Server (9447 is recommended):
$ sudo ./install.sh <server_name/IP> <Agent_port>.

8. After the Client is installed, it starts monitoring the new terminal sessions. If you want
to monitor the older terminal sessions, restart them.
9. The installed Linux Client appears in the list on the Client Management page in the
Management Tool.

54
Alerts

Alerts
Adding Alerts
To add an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left and click Add Alert.

3. On the Add Alert page, on the Alert Properties tab, define the following alert
properties and then click Next:
 Enter a unique name for an alert.
 Optionally, enter the alert description.
 Select the Enabled option to enable an alert.
 Select the alert risk level. It can be Critical, Normal, or High.
4. On the Alert Rules tab, define the rules to be applied and then click Next:
 Select the Parameter of the rule.
 Select the Comparison operator.
 Enter the Value to which Parameter will be compared.
 Click Add Rule to create one more rule.
 To delete a rule, clear its Value box or click Delete.

55
Alerts

5. On the Assigned Clients tab, select the Clients/Client Groups to which the alert will be
assigned and click Next. To find specific Clients/Client Groups, enter their names in the
search box.

6. On the Actions tab, select how you would like to receive the alert notifications:
 Select the Send emails to option and then enter the email address to which the
notifications will be sent. You can enter several email addresses separating them with
semicolon.
NOTE: To receive email notifications correctly, make sure that Email Sending
Settings contain correct parameters for email sending.
 Select the Show warnings in Tray Notifications application option to activate the tray
notifications. The alert notifications will then pop up from the tray.
Select the Show warning message to user option if you want a warning message to be
displayed when the alert is triggered.
In the Additional actions box, select the Block user on all computers option if you want to
block the user from the session, or the Kill application option if you want to forcedly stop
the corresponding application.

56
Alerts

7. Click Finish to save the created alert.

8. The alert is added

57
Users and Permissions

Users and Permissions

About
By default there is one administrator in the system, whose login is admin and whose password
is defined during the Server installation. The administrator has all the rights for work in the
system.
In order to grant others access to the system, you can add users and define their permissions.
There are two types of users:
 Internal users
 Active Directory Users (Windows domain users and Windows domain user groups)

Adding Users
To add a new user, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link on the left.
3. On the Users page, click Add User.

4. On the User Type tab, select the type of user you want to add:
 Click Add an Internal user to create an internal application user.
 Click Add an Active Directory user/user group to add an existing Windows user/user
group.

58
Users and Permissions

On the User Details tab, do one of the following and click Next:
 For an internal user, define user credentials and additional information about the
user.
NOTE: Login and password are required. The password must be at least 6 characters
long. The maximum length of the first name, last name and description is 200
characters.

 For an Active Directory user/user group, select the domain in the Domain list and then
enter at least two characters into the User/User group box to search for the required
user/user group.

59
Users and Permissions

NOTE: The Active Directory user/user group cannot be added if there is no LDAP target added
for the required domain on the Configuration page or if the connection with the domain is
lost (the domain is unavailable).
5. On the User Groups tab, select the user groups to which the user will belong. To find a
specific group, enter its name in the Contains box and click Apply Filters. Click Next.
NOTE: The user is automatically added to the default All Users group and can’t be
removed from it.

6. On the Administrative Permissions tab, select administrative permissions that will be given
to the user. Click Next.
NOTE: If the user has inherited some permissions from user groups, you can only add new
permissions. To remove permissions inherited from user groups, you need to remove the
user from these groups.

60
Users and Permissions

7. On the Client Permissions tab, define permissions on user work with Clients/Client Groups:
 To find a specific Client/Client Group, enter its name in the Contains box and click
Apply Filters.
 Click Edit Permissions and then, in the Client Permissions/Client Group Permissions
window, define the client permissions which will be given to a user for the
corresponding Client/Client Group.
 When the permissions are defined, click Save to close the Client Permissions/Client
Group Permissions window.

8. Click Finish.
9. The user is added and displayed on the Users page.

61
Users and Permissions

NOTE: For an Active Directory user, the first name and last name properties will be
automatically filled after the user’s first login to the system.

Permissions
The permissions allow you to define which functions a user will be able to perform with the
system and Clients. There are two types of permissions: administrative permissions and Client
permissions.
Administrative permissions define actions that a user can perform with the whole system.
Client permissions define actions that a user can perform with selected Clients.
The permissions can be defined during user and user group adding/editing.
If you define permissions for the group, any user belonging to this group inherits these
permissions. To remove permissions inherited by the user from a group, you need to remove
the user from a group. Apart from permissions inherited from the group, you can assign a user
his/her own permissions.

Management Tool Log

The Management Tool Log is an Ekran System component that contains information on all the
user actions performed in the Management Tool. Such information might be useful for the
administrator to manage and monitor the actions of all users in the system.
To view the log, log into the Management Tool as a user with the administrative User
management permission and click the Management Tool Log navigation link to the left.

62
Viewing Monitoring Results

Viewing Monitoring Results

Monitored data received from Windows and Linux Clients is organized in the session.
The Windows Client session includes recorded user activity (screenshots, application names,
activity titles, captured keystrokes, clipboard text data, and URLs).
The Linux Client session contains the list of executed commands, their parameters, and
functions.
To view monitored sessions, click the Monitoring Results navigation link to the left and then
open the Client Sessions tab.

Playing Sessions
The Session Viewer is a part of the Management Tool that provides the possibility to view
monitored data within one selected session.
To open the Session Viewer, select one of the sessions in the Sessions grid on the Monitoring
Results page and click on it.

63
Viewing Monitoring Results

Playing Windows Sessions

A user starts playing Windows Session by clicking the required in the Client Sessions list. The
session is opened in the new tab or new window depending on your browser settings. While
playing Windows sessions, you can view screenshots in the Player pane and associated
metadata (Application name, Activity title, URL and keystrokes) in the Metadata grid. If a record
containing keystrokes is selected in the Metadata grid, the detailed information on keystrokes
is displayed in the Details pane.

Viewing Keystrokes
The captured keystrokes are displayed in the Text data column in the Metadata grid. When you
select a row in the Metadata grid, the keystrokes associated with it are displayed in the Details
pane below the Player pane. By default, only text characters are displayed. You can enable
displaying all keystrokes logged (e.g., navigation keys, functions keys, etc.) by clearing the Show
only text characters check box. Then any other keys and key combinations will be displayed in
square brackets. If a key was pressed repeatedly, it will be displayed with an "x" sign and the
number of reiterations (e.g., [F12 x 24]).
If the user types the text, using arrows (left/right) and Backspace or Delete keys, these keys are
processed by the system to edit the logged keystrokes. When the keystrokes are edited, only
the end result of text that was meant to be typed by the user is displayed in the Details pane.
To see this result, you must select Show only text characters.
For example:
If the user types “Helo” and then uses the left arrow to go back and correct the word by typing
another “l”, the word “Hello” will be displayed in the Details pane, with “Helol”.

Presentation of keystrokes with the selected Show only text characters check box.

64
Viewing Monitoring Results

Presentation of keystrokes with the unselected Show only text characters check box.

Please note that if the SmoothMode parameter (user activity recording on each event without
timeout) is enabled for the Client, the keystrokes are not edited.
If the user corrects the word using a mouse, the keystrokes are not edited.
For example:
If the user types “Fried” and then uses the mouse to go back and correct the word by typing
letter “n”, the word “Friedn” will be displayed in the Details pane, instead of “Friend”.

If the user types the text in different applications, the logged keystrokes are split according to
screenshots.
For example:
If the user types “Hello” in Skype and then opens Word and types “Ok”, the word “Hello” will be
displayed next to the screenshot associated with Skype, and the word “Ok” will be displayed
next to the screenshot associated with Word, instead of “HelloOk”.
NOTE: If the Enter key was pressed during input, the log will be split in metadata grid. Though
to maintain text integrity, in the keystrokes box, the keystrokes lines having the same Title-
Application pair will be put together.

65
Viewing Monitoring Results

Viewing Clipboard Text Data

The captured clipboard text data includes the text, which has been copied or cut and then
pasted into documents, files, applications, browser address line, etc. on the Client computer.
The Ekran Client monitors the Copy, Cut, and Paste operations performed by using either the
context menu commands or such key combinations as Ctrl+C, Ctrl+Ins, Ctrl+X, Shift+Del, etc.
The captured clipboard text data is displayed in the Text data column in the Metadata grid. It
has a label specific to the performed action:
 [Clipboard (Copy)]
 [Clipboard (Paste)]
When you select a row in the Metadata grid, the clipboard text data associated with it is
displayed in the Details pane below the Player pane.
Metadata grid

Text copied to the clipboard

Text pasted from the clipboard

66
Viewing Monitoring Results

Viewing USB Device Info

During the monitoring process, a screen capture is created every time the mass storage USB
device is plugged in. Along with the screen capture, the information on the plugged in device is
displayed in the Metadata grid as follows:
 Activity title: USBStorage - <device details>
 Application name: [Monitoring event]

If you are using rules for kernel-level USB monitoring according to which the devices are
detected or blocked, each time the alert event occurs, a screen capture is created. In the
Metadata grid, this is indicated by highlighting the activity in the grid.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client
will contain no screenshots.
When you select a USB-device-related screen capture or a row in the Metadata grid, the USB
device info associated with it is displayed in the Details pane below the Player pane.
If the device was blocked, it is marked as BLOCKED in the parentheses.

Viewing URLs

67
Viewing Monitoring Results

If the URL monitoring option is enabled for the Windows Client, then each time the screen
capture is created while the user is working in the browser, the URL address is saved and
displayed in the URL column in the Metadata grid. If there are several screenshots created
while the user is viewing one page on a certain website, then all of them contain the same URL
information.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client
will contain no screenshots.
The URL column contains only top and second-level domain names even if the parameter is not
selected in the URL monitoring settings for the Windows Client. The full URL address is
displayed in the Details pane.

NOTE: As getting a URL address to be monitored may take about 600 milliseconds, there is a
possibility that the screen capture and its activity title along with URL address may be not
properly synchronized in the Session Viewer (e.g., the user may see a screen capture with a
URL address that belongs to the previous one).

Playing macOS Sessions

A user starts playing macOS Session by clicking the required Session in the Client Sessions list.
The session is opened in the new tab or new window depending on the browser settings. While
playing macOS sessions, you can view screenshots in the Player pane and associated metadata
(Application name, Activity title, URL, etc.) in the Metadata grid.

Viewing URLs
If the URL monitoring option is enabled for the macOS Client, then each time the user activity is
captured while the user is working in the browser, the URL address is saved and displayed in
the URL column in the Metadata grid. If there are several records made while the user is
viewing one page on a certain website, then all of them contain the same URL information.
The URL column contains only top and second-level domain names even if the parameter is not
selected in the URL monitoring settings for the Windows Client. The full URL address is
displayed in the Details pane.
NOTE: As getting a URL address to be monitored may take about 600 milliseconds, there
is a possibility that the screenshot and its activity title along with URL address may be

68
More Information

not properly synchronized in the Session Viewer (e.g., the user may see a screenshot
with a URL address that belongs to the previous one).

Playing Linux Sessions

A user starts playing Linux Session by clicking on the required session in the Client Sessions list.
The session is opened in the new tab or new window depending on your browser settings.
While playing Linux sessions, you can view all visually recreated interactive data in a form of a
video in the Player pane and function and system calls, as well as the executed commands with
parameters in the metadata grid.

Filtering EXEC Commands

By default, the commands are filtered by ‘exec’ function to display only the command executed
after user input.
To display the list of all commands, including system ones, discard the filtering by clearing the
Show only execution commands checkbox.

Dashboards
Ekran System allows viewing certain types of information using dashboards displayed on the
Home page. Dashboards provide you with convenient real-time view of the most important
data. The following dashboards are available:
 Licenses
 Clients
 Database Storage Usage
 Recent Alerts
 Latest Live Sessions
 Sessions out of Work Hours
 Rarely Used Computers
 Rarely Used Logins
You can choose which dashboards to display, rearrange the dashboards on the screen, add
several dashboards of the same type to see the same data in different variations, and more.

More Information
For more detailed information, please see the Ekran System Help.

69