Ekran System Deployment Guide

Ekran System v.6.
7
Deployment Guide
Table of Contents
About ........................................................................................................................................7
System Requirements ...........................................................................................................8
Program Structure ...............................................................................................................11
Deployment Process ...........................................................................................................13
Server and Database ...........................................................................................................14
About ....................................................................................................................................14
Database Types Comparison ............................................................................................ 14
High Availability Mode ........................................................................................................16
About .................................................................................................................................16
Standard and High Availability Modes Comparison ..................................................... 16
Installing Remote PostgreSQL Database Server ............................................................ 17
Installing/Uninstalling/Updating the Server .......................................................................18
Installing the Server ......................................................................................................... 18
Backing up Ekran Master Certificate.............................................................................. 23
Deleting Ekran Master Certificate .................................................................................. 27
Importing Ekran Master Certificate................................................................................. 27
Installing the Server in the Cloud ................................................................................... 28
Adding Server Executable to Windows Firewall ........................................................... 28
Using an External/Cloud-Based Server Computer ....................................................... 31
Updating the Server......................................................................................................... 32
Uninstalling the Server ....................................................................................................33
Changing Server Port for Client Connection ............................................................... 34
Moving Binary Data to Shared or Local Folder ................................................................ 34
Validating Monitoring Data .................................................................................................36
About .................................................................................................................................36
Validating Monitoring Data Using Hash Codes............................................................. 37
Signing Monitoring Data with Certificate........................................................................37
Editing Database Parameters ............................................................................................ 41
Management Tool.................................................................................................................42
About ....................................................................................................................................42
Management Tool Installation Prerequisites ....................................................................42
Prerequisites Overview ...................................................................................................42
Turning on Internet Information Service (IIS) ................................................................ 42
2
Turning on IIS for Windows 8 and Windows 7 ........................................................... 42
Turning on IIS for Windows Server 2008 R2 ............................................................. 43
Turning on IIS for Windows Server 2012 ...................................................................44
Installing .NET Framework.............................................................................................. 47
Configuring Internet Information Service (IIS)............................................................... 47
Using Certificates............................................................................................................. 51
Generating Self-Signed Certificate ............................................................................. 51
Exporting Self-Signed Certificate ................................................................................ 54
Importing Trusted Certificate ....................................................................................... 54
Adding Certificate to Trusted Root Certification Authorities .....................................55
Setting HTTPS Binding for a Default Web-Site ............................................................ 61
Installing/Uninstalling/Updating the Management Tool ................................................... 62
Installing the Management Tool ..................................................................................... 62
Adjusting Computer for Remote Access........................................................................64
Updating Management Tool ........................................................................................... 66
Uninstalling Management Tool ....................................................................................... 67
Opening Management Tool ............................................................................................... 67
Licensing ...............................................................................................................................68
General Licensing Information ........................................................................................... 68
About Serial Keys................................................................................................................ 68
About Update & Support Period ........................................................................................ 69
Viewing License State ........................................................................................................70
Activating Serial Keys Online ............................................................................................. 71
Adding Activated Serial Keys Offline................................................................................. 71
Deactivating Serial Keys ....................................................................................................73
Client License Management .............................................................................................. 74
Windows Clients...................................................................................................................76
About ....................................................................................................................................76
Monitoring via Windows Clients......................................................................................... 76
Installing Windows Clients .................................................................................................77
About .................................................................................................................................77
Setting up Environment for Remote Installation ........................................................... 77
Windows Client Installation Prerequisites ..................................................................77
Disabling Simple File Sharing in Windows XP .......................................................... 78
Disabling Sharing Wizard in Windows 8.1, Windows 8 and Windows 7 ................. 79
Checking System Services .......................................................................................... 80
3
Setting up Windows Vista, Windows XP, Windows Server 2003 Firewall .............. 81
Setting up Firewall for Windows 10, Windows 8.1, Windows 8, Windows 7,
Windows Server 2012, Windows Server 2008 .......................................................... 83
Installing Windows Clients Remotely via the Management Tool ................................ 86
About.............................................................................................................................. 86
Selecting Computers ....................................................................................................86
Remote Windows Client Installation Process ............................................................ 88
Remote Installation from an Existing .INI File ............................................................ 89
Installing Windows Clients Locally ................................................................................. 89
About.............................................................................................................................. 89
Windows Client Installation Package.......................................................................... 90
Generating Windows Client Installation Package...................................................... 97
Installing Windows Clients Locally with Custom Monitoring Parameters ................ 98
Downloading Windows Client Installation File (.exe) ................................................ 98
Installing Windows Clients Locally without .ini File ................................................... 98
Installation via Third Party Software .............................................................................. 99
Installing Windows Client on Amazon WorkSpace ....................................................... 99
Installing Windows Client Remotely Using PsExec ...................................................... 99
Cloning a Virtual Machine with Installed Client ........................................................... 100
Unassigning License on Virtual Machine Shutdown .................................................. 101
Golden Image Mode for the Server .......................................................................... 101
Unassigning License via the Script on the Client Side ........................................... 101
Updating Windows Clients ............................................................................................... 102
About ............................................................................................................................... 102
Windows Client Status after Server Update ................................................................ 103
Updating Windows Clients Automatically .................................................................... 103
Updating Windows Client Manually ............................................................................. 103
Reconnecting Windows Clients to Another Server ........................................................ 104
Uninstalling Windows Clients ........................................................................................... 104
About ............................................................................................................................... 104
Client Uninstallation Key ............................................................................................... 104
Uninstalling Windows Clients Remotely ...................................................................... 105
Uninstalling Windows Clients Locally .......................................................................... 105
Viewing Windows Clients ................................................................................................. 106
macOS Clients .................................................................................................................... 107
About .................................................................................................................................. 107
4
Monitoring via macOS Clients ......................................................................................... 107
Installing macOS Client .................................................................................................... 108
About ............................................................................................................................... 108
Downloading macOS Client Installation File ............................................................... 108
Installing macOS Clients ............................................................................................... 108
Uninstalling macOS Clients ............................................................................................. 109
About ............................................................................................................................... 109
Uninstalling macOS Clients Remotely ......................................................................... 109
Uninstalling macOS Clients Locally ............................................................................. 110
Viewing macOS Clients .................................................................................................... 110
Linux Clients ....................................................................................................................... 111
About .................................................................................................................................. 111
Monitoring via Linux Clients ............................................................................................. 111
Remote SSH Session Monitoring................................................................................. 111
Local Sessions Monitoring (for X Window System) .................................................... 111
Installing Linux Client ........................................................................................................ 112
About ............................................................................................................................... 112
Downloading Linux Client Installation File ................................................................... 112
Installing Linux Clients................................................................................................... 112
Updating Linux Clients...................................................................................................... 114
About ............................................................................................................................... 114
Linux Client Status after Server Update ...................................................................... 114
Updating Linux Clients Automatically .......................................................................... 114
Updating Linux Client Manually .................................................................................... 115
Uninstalling Linux Clients ................................................................................................. 115
Viewing Linux Clients........................................................................................................ 115
Tray Notifications Application ......................................................................................... 117
About .................................................................................................................................. 117
Installing/Uninstalling the Tray Notifications Application ............................................... 117
Installing the Tray Notifications Application................................................................. 117
Uninstalling the Tray Notifications Application ............................................................ 118
Troubleshooting ................................................................................................................. 119
Quick Access to Log Files ................................................................................................ 119
Database/Server ............................................................................................................... 119
Database/Server Related Issues ................................................................................. 119
Database/Server Related Error Messages ................................................................. 121
5
Management Tool ............................................................................................................. 123
Management Tool Related Issues ............................................................................... 123
Management Tool Error Messages.............................................................................. 125
Windows Client.................................................................................................................. 127
Checking that the Client Is Installed............................................................................. 127
Clients Installation/Uninstallation Issues and Error Messages .................................. 129
Linux Client ........................................................................................................................ 134
Checking the State of the Linux Client......................................................................... 134
Restarting Linux Client .................................................................................................. 134
6
About
Welcome to Ekran System!

Ekran System is an application that allows you to record the activity of the target computers
with installed Clients and to view the screen captures from these computers in the form of
video.
This guide will help you in managing Ekran System components (installing, uninstalling,
updating, etc.) and controlling their interaction.
7
System Requirements
Ekran System claims different system requirements for each of its components. Make sure your
hardware and software meet the following system requirements to avoid possible component
malfunctions.
Ekran System Server requirements:

 2-core 2 GHz or higher CPU
 4 GB or more RAM
 Enterprise-level Ethernet card
 Minimum 1 Gbit/s network adapter
 Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (x64
platform)
 Universal C Runtime and Visual C++ Runtime (starting with Ekran System 5.5). Both can
be installed via the Microsoft Visual C++ 2015 Redistributable:
https://www.microsoft.com/en-gb/download/details.aspx?id=48145
NOTE: The Universal C Runtime needs to be initially installed via update KB2999226:
https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-
windows
 .Net Framework 4.5.2 or higher
NOTE: If the Server and the Management Tool are to be installed on the same
computer, make sure you turn on the Internet Information Service before the
installation of .Net Framework 4.5.2.
 [When using MS SQL Database]: Full edition of MS SQL Server 2008R2 SP1 or higher.
Standard license or higher is required.
 [When using PostgreSQL Database]: PostgreSQL 10 or higher.
NOTE: If you want to deploy the Ekran System in the High Availability mode, enabled
Message Queueing and configured NLB cluster are required. Please refer to the High
Availability Deployment Guide for more information.
Management Tool requirements:

 2-core 2 GHz or higher CPU
 4 GB or more RAM
 100 Mbit/s network adapter
 Windows 10, Windows 8.1, Windows 8, Windows 7 (any edition except Home);
[recommended] Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2
(starting from SP1 version). Both x86 and x64 platforms are supported.
 .Net Framework 4.5.2 or higher
 IIS 7.5 or higher with enabled ASP.NET 3.5 and 4.5 support (4.6 for Windows Server
2016)
8
 [For accessing the Management Tool locally or remotely] One of the following browsers:
 Google Chrome 37 or higher
 Mozilla Firefox 32 or higher
 Internet Explorer 10 or higher
 Safari S6 and Safari S5
 Opera 15 or higher
NOTE: The Management Tool might be opened in other browsers, but its compatibility with
other browsers is not guaranteed.
Windows Client requirements:

 1 GHz or higher CPU
 512 MB or more RAM
 Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP
SP3; Windows Server 2016, Windows Server 2012, Windows Server 2008, and
Windows Server 2003 SP1. Both x86 and x64 platforms are supported.
NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows
Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be
installed:
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929
 Citrix XenDesktop; Citrix XenApp; Citrix XenDesktop/XenApp with Citrix Provisioning
Services (PVS).
 It is recommended to have not less than 500MB of free space on the disk where the
Client is installed to save data during the offline session.
macOS Client requirements:

 2.26GHz Intel Core 2 Duo or higher CPU
 2GB RAM
 macOS 10.9 and later
Linux Client requirements:

 1 GHz or higher CPU
 512 MB or more RAM
 Linux Kernel 2.6.32 and higher
9
Distributor Base OS Versions Supported
Debian Debian 9.0, 8.0, 7.0

Ubuntu 18.04, 16.0, 15.0, 14.0, 12.0
Linux Mint 17.xx - 13
openSUSE Suse Linux Enterprise Server 12(SP1, SP2, SP3), 11(SP2, SP3,
SP4)
RedHat RedHat 7.0, 6.0

CentOS 7.x , 6.x
Oracle Linux 7.x - 5.6
Sun Microsystems Solaris 10.0
IBM AIX 7.2, 7.1
The monitoring of graphical interface for X Window System is supported on the following
operating systems:
OS Versions Supported
Ubuntu Ubuntu 18.04.1 LTS, Ubuntu 16.04.5 LTS, Ubuntu 16.04.2,

Ubuntu 14.04.5 LTS, Ubuntu 14.04.2, Ubuntu 12.04.1, Ubuntu
14.04 LTS
Red Hat Red Hat 7.0 – 7.6, Red Hat 6.0 – 6.10
CentOS CentOS 7.1 – 7.5, CentOS 6.1 – 6.9
Suse Linux Enterprise 12(SP1, SP2, SP3)

Server
NOTE: When the Client is installed to the terminal server, hardware requirements depend on
the number of active user sessions and may increase drastically. For example, hardware
requirements for the Client deployed on the terminal server hosting 10 active user sessions
will be as follows:
 Intel Core i3 or similar AMD CPU
 2048 MB RAM
10
Program Structure
Ekran System is an application specially designed to control user activity remotely.
Ekran System includes the following components:
 Ekran System Server (further referred to as Server): It is the main part of the Ekran
System used for storing the screenshots and associated information received from the
Clients. The work of the Server can be started or stopped via Server Tray.
 Ekran System Management Tool (further referred to as Management Tool): It is a

central administrative unit that allows you to control and manage Clients, Users, USB
Monitoring Rules, Alerts, Server database, and Serial Keys. You can have access to the
Management Tool from any computer in the network without having to install it on this
computer.
Ekran System Session Viewer provides a usable interface for quick review of the
monitored data received from the Ekran System Clients.
 Ekran System Windows Clients (further referred to as Windows Clients): Being hosted
on the remote computers, Windows Clients create screenshots with the defined
frequency and send them to the Server along with metadata information such as user
name, host name, activity time, active window titles, application names, URL addresses,
clipboard text data, keystrokes, etc. Managing the remote Windows Clients
configuration and settings is performed via the Management Tool.
 Ekran System macOS Clients (further referred to as macOS Clients): Being hosted on
the remote computers, macOS Clients create screenshots with the defined frequency
and send them to the Server along with metadata information such as user name, host
name, activity time, active window titles, application names, URL addresses, etc.
Managing the remote macOS Clients configuration and settings is performed via the
Management Tool.
 Ekran System Linux/Unix Clients (further referred to as Linux Clients): Being

hosted on the remote computers, Linux Clients capture input/output terminal data
(including all executed commands) and send this interactive data to the Server.
 Ekran System Tray Notifications application (further referred to as Tray

Notifications application): This application allows receiving notifications on alert
events on Clients.
11
12
Deployment Process
The Ekran System installation consists of several steps:
1. Installing the Server: To deploy the system, first of all you need to install the Server. The
Server is used to store and process all records sent by the Clients hosted on the remote
computers. During the Server installation you can select the type of the database and define
administrator credentials.
NOTE: You can deploy the Ekran System in the High Availability mode, which allows you
to work with multiple Server instances in the Network Load Balancer cluster. This would
provide a high level of operational performance, which allows minimizing downtime and
service interruptions. Please refer to the High Availability Deployment Guide for more
information.
2. Completing Management Tool installation prerequisites: To install and run the Management
Tool, you need to turn on the Internet Information Service on your computer, add the self-
signed or trusted certificate to the Trusted Root Certification Authorities and set HTTPS
binding for a default web site (or any other IIS site).
3. Installing the Management Tool: The Management Tool is used to manage Users, Clients,
Alerts, and Database, as well as to view the monitored data received from Clients.
Connection with the Server is required for the Management Tool to operate.
4. Activating serial keys (adding activated serial keys): To be able to receive data from the
Clients, you need to license the Clients by activating purchased serial keys. You can also
activate an Enterprise serial key to get an access to the enterprise features of the Ekran
System during the unlimited period of time.
5. Installing Clients:
 Installing Windows Clients: The Windows Clients are usually installed remotely via the
Management Tool. A Windows Client can be installed on any computer in the network.
Please note that several conditions have to be met for successful remote Client
installation.
 Installing macOS Clients: The macOS Clients are installed locally.
 Installing Linux Clients: The Linux Clients are installed locally.
6. Installing the Tray Notifications application: The Tray Notifications application can be
installed on any computer and as long as there is connection to the Server; the Tray
Notifications application displays notifications on all alert events received from Clients.
For more information, see the Tray Notifications application help file.
After installing all the system components, Ekran System is considered deployed and all its
features become available.
13
Server and Database
About
The Server is the main component of the system, which provides interaction between other
components. The Server stores all monitored data, user accounts, and system settings in the
database.
Database Types Comparison

When installing the Server, you can choose between two types of databases (MS SQL database
and PostgreSQL database). These databases have the following differences:
Feature MS SQL Database PostgreSQL Database
General
Commercial/ Commercial database from Open source product

open-source Microsoft
Free ✘ (has a limited free version) ✔
NOTE: Using MS SQL Express does
not guarantee the stable work of
the Server.
Requires ✔ ✔
additional
software
installation
Scalability
Remote ✔ ✔
access to
(a separate database engine that (a separate database engine that
database
can be deployed on a separate can be deployed on a separate
server) server)
Clustering ✔ ✔
support
(Primary-Standby)
Network ✔ ✔
drives (if mount as drive)
support
14
Performance
Processing High High

speed
Efficient ✔ ✔
caching
algorithms
Index Automatic Manual
statistics
update
Memory/proc A separate process, more efficient A separate process, more efficient
ess usage memory usage, quotas can be memory usage, quotas can be
applied applied
Additional o Maintenance tasks can be o Cross-platform. It can be run on

features executed by the engine variety of systems and platforms
independently (Windows, Linux, macOS, BSD,
o Complex execution plans Solaris)
optimizations o A lot of third-party solutions for
replications and clustering
Requires ✔ ✔
additional
software
installation
Safety and security
Security High. Keystroke encryption is High. Keystroke encryption is
supported supported
Safety o Database corruption is unlikely o Database corruption is unlikely
o Replications o Replications
o Сan be managed via Microsoft
native tools
o Support scheduled
maintenance: reindexing, shrinking
etc.
Backup Flexible backup logic Flexible backup logic

(to learn more about the MS SQL (to learn more about the
database backup, visit the PostgreSQL database backup, visit
15
Microsoft website at the PostgreSQL website at

https://docs.microsoft.com/en- https://www.postgresql.org/docs/9.1/sta
us/sql/relational-databases/backup- tic/backup.html )
restore/full-database-backups-sql-
server?view=sql-server-2017 )
High Availability Mode

About
The High Availability mode allows you to configure and deploy Ekran System in such a way that
it can work with multiple Server instances in the Network Load Balancer cluster. This would
allow balancing the load of data sent to the servers by Ekran Clients and ensure data integrity
in case any of the instances goes offline for any number of reasons.
NOTE: The High Availability mode is available only if you have an activated Enterprise serial
key.
Standard and High Availability Modes Comparison

The Standard and High Availability modes have the following differences:
Feature Standard Mode High Availability Mode
Serial key types One of the following Enterprise serial key and one of the
serial keys: following keys:
 Permanent  Permanent
 Trial  Trial
 Update and  Update and support
support
Database type MS SQL or PostgreSQL MS SQL or PostgreSQL
Number of Servers One Multiple
System requirements Standard system Standard system requirements,

requirements. enabled Message Queueing, and
configured NLB cluster.
16
Additional Software None NLB cluster
NOTE: We recommend using
Windows NLB. We cannot
guarantee the High Availability
Mode to function with other load
balancers correctly.
Component Physical IP address Logical IP address

connection
Recommended for Average number of Large number of Client computers.

Client computers.
Installing Remote PostgreSQL Database Server

When using the remote PostgreSQL database server, you need to open the ports to ensure the
connection between the Ekran Server and PostgreSQL database.
To install the remote PostgreSQL database server, do the following:
1. Download PostgreSQL 9.5 or higher. You can download it from the PostgreSQL official
website at https://www.postgresql.org/download/
2. Run the installation file on the computer.
3. On the machine with the installed PostgreSQL database, navigate to the folder with the
postgresql.conf file. By default, C:\Program Files\PostgreSQL\<version number>\data.
4. Open the postgresql.conf file.
5. In the postgresql.conf file, define the listen_addresses parameter as ‘*’ or type the
external IP address.
6. Save the changes.
7. In the same folder, open the pg_hba.conf file.
8. To allow non-local connections, add the host record in the IPv4 local connections group:
 Type: host
 Database: all
 User: all
 Address: IP address of the Ekran Server/subnet mask. Please note, if you use NAT in
your network, you should define the external IP address.
 Method: md5
9. Save the changes.
10. Restart the PostgreSQL service.
11. On the Ekran Server and PostgreSQL machines, in the Windows Firewall, allow the TCP
connection to port 5432.
17
Installing/Uninstalling/Updating the Server
Installing the Server
To install the Server, do the following:
1. Run the EkranSystem_Server.exe installation file.
2. Click Next on the Welcome page.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Choose Components page, do one of the following and click Next:
 In the drop-down list, select Ekran System Server.
 Select Ekran System Server in the box.
5. On the Choose Install Location page, enter the installation path or click Browse to
navigate to the Server installation folder. Click Next.
18
6. On the Database Type page, select the type of database you want to use for storing
data. Click Next. See the Database Types Comparison chapter, to see the difference
and choose the proper type of the database.
NOTE: If you have already created database, select its type, and then define the
connection parameters for this database.
7. If you have selected the PostgreSQL database, on the PostgreSQL Server Database
Configuration page, define the connection parameters and then click Next.
19
 Define the PostgreSQL Server instance name, which is the instance name
assigned to the TCP/IP port. Optionally, you can define the custom PostgreSQL
database port by entering it after the Server instance name and separating
with colon (e.g.,<server_instance_name>:<port>).
NOTE: If the default instance of the PostgreSQL is used, enter localhost in the
Server instance field.
 Define the Database name for the database.
 Define the User name and Password of a user account via which the
connection to the Server will be established.
NOTE: By default, it is a user with the login postgres and the password
defined during the PostgreSQL installation.
8. If you have selected MS SQL Server, on the MS SQL Server Database Configuration
page, define the connection parameters and then click Next.
 Define the MS SQL Server instance name, which is the instance name assigned
to the TCP/IP port. Optionally, you can define the custom MS SQL database
port by entering it after the Server instance name and separating with comma
(e.g.,<server_instance_name>,<port>).
 Define the Database name for the database.
 Define the User name and Password of a user account via which the
connection to the Server will be established.
NOTE: You have to define either the SA credentials or the credentials of the
user with the dbcreator permission.
20
9. If you already have a database created manually or during the usage of previous
program versions, you will be offered to use it. If you want to use the existing
database, click Yes. In other case, click No and the new database will be created.
NOTE: If you click No, the existing database will be deleted.
10. On the Administrator password page, define the password for the administrator (the
default user of Ekran System with login admin and full permissions). Click Next.
21
11. On the Ekran System Client Uninstallation Key page, enter the key that will be used
during the Client local uninstallation and click Next. By default, the Uninstallation key
is allowed. You will be able to change this key via the Management Tool any time
later.
12. Click Install.

13. The process of installation starts. Its progress is displayed on the Installing page.
14. After the end of the installation process, click Finish to exit the wizard.
22
15. If you are installing the Server for the first time, back up EkranMasterCertificate. The
backed up certificate might be required for Server recovery or during updates.
16. If you already have a backed up master certificate and are re-using the database,
delete the master certificate and import the backed up one instead of it.
17. In Windows Firewall, you must allow the Server executable to accept TCP connections
via ports 9447 (for the connection between the Server and the Clients), 22712, 22713,
and 22714 (for the connection between the Server and the Management Tool). These
rules will be added to Windows Firewall automatically, if Windows Firewall is enabled
during the Server installation.
Backing up Ekran Master Certificate

To back up Ekran Master Certificate, do the following:
1. On the Ekran Server computer with the certificate you want to back up, press
Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.

3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
23
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.
24
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select EkranMasterCertificate and in its context menu select All Tasks > Export.
10. The Certificate Export Wizard opens.

11. On the Certificate Export Wizard Welcome page, click Next.
12. On the Export Private Key page, select the Yes, export the private key option and click
Next.
13. On the Export File Format page, select the following options :
 Personal Information Exchange
 Include all certificates in the certification path if possible
 Export all extended properties
14. Click Next.
25
15. On the Security page, select the Password option and enter the password in the Password
and the Confirm password fields. Click Next.
NOTE: Make sure that you remember the password since you will need it when restoring
the certificate or transferring it to another server.
16. On the File to Export page, specify the location to store the certificate and the certificate
name manually or click Browse, and click Next.
17. On the Completing the Certificate Export Wizard page, click Finish.
NOTE: You will need the certificate for reinstalling the Server, moving it to another
computer, or creating the High Availability cluster.
26
Deleting Ekran Master Certificate
To delete Ekran Master Certificate, do the following:
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press
Enter.
9. Select EkranMasterCertificate and in its context menu select Delete.
10. Click Yes in the confirmation message.
Importing Ekran Master Certificate

To import Ekran Master Certificate, do the following:
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press
Enter.
9. In the Console window, select Actions > All Tasks > Import.
10. The Certificate Import Wizard opens.
11. On the Certificate Import Wizard Welcome page, click Next.
12. On the File to Import page, click Browse and select the file with the backed up certificate.
Click Next.
13. On the Private key protection page, enter the password and click Next.
14. On the Certificate Store page, select the Place all certificates in the following folder option,
click Browse, and select the Personal node. Click Next.
15. On the Completing the Certificate Export Wizard page, click Finish.
27
Installing the Server in the Cloud
To install the server in the cloud, do the following:
1. In the cloud, install the Server in a usual way.
2. In the cloud management console, allow the Server executable to accept TCP connections
via ports 9447 (for the connection between the Server and the Clients), 22712, 22713,
and 22714 (for the connection between the Server and the Management Tool).
NOTE: It is recommended to install the Server and Management Tool on the same
computer.
Adding Server Executable to Windows Firewall

Please note that Windows Firewall will be adjusted automatically, if it is enabled during the
Server installation. If you use any other Firewall, it should be adjusted as well.
To add the Server executable to the Windows Firewall, do the following:

1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules
and select New rule.
28
4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Program and click Next.
6. On the Program page, select This program path, then click Browse and navigate to
the Server executable. The default path is "C:\Program Files\Ekran System\Ekran
System\Server\EkranServer.exe ". Click Next.
7. On the Action page, select Allow the connection and then click Next.
29
8. On the Profile page, select the profile of the network used for connecting remote
computers and the Server. Click Next.
9. On the Name page, define the Name of the rule. Click Finish.
10. The rule is created for the Server application. By default, the rule allows any
connections via all ports.
11. To define the protocol and ports, double-click the created rule. The Ekran Properties
window opens.
30
In the Protocols and Ports tab, do the following:
 In the Protocol Type list, select TCP.
 In the Local port list, select Specific Ports. Type the following port numbers in
the box below:
o 9447 (for the connection between the Server and the Clients)
o 22713 and 22714 (for the connection between the Server and the
Management Tool)
o 22712 (for the connection between the Server and the Tray Notification
Application)
12. Click Apply to save changes. Click OK.
13. Close the Windows Firewall window.
Using an External/Cloud-Based Server Computer

If your Server is not in the same network as Clients or the Management Tool, do the
following:
1. Make sure your Server has a unique external IP address.
2. Specify this address when installing the Management Tool and installing the Client.
31
Updating the Server
The updating of the Server is performed via the installation file of a newer version. During an
update you may select to update the existing database to a newer version or simply reinstall it.
To update the Server, do the following:

1. Run the EkranSystem_Server.exe installation file.
2. On the Welcome page, click Next.
3. On the Already Installed page, select Update/Add/Remove components and click Next.
4. On the Choose Components page, select Ekran System Server and click Next.
5. On the Database Update page, if you want to keep the existing database, select Update
database to a new version, otherwise select Reinstall the database. Click Next.
NOTE: To change the type of a database, you need to reinstall the whole system.
6. On the Administrator password page, define the password for the administrator (the
default user of Ekran System with login admin and full permissions). Click Next.
7. The update process starts.
8. After the end of the update process, click Finish to exit the wizard.
9. If you are updating Server from version lower than 5.5, back up EkranMasterCertificate .
10. If you are updating Server from version 5.5 and higher, make sure that the master
certificate is correct. If necessary import it from the backed up copy.
32
Uninstalling the Server
The Server uninstallation is an irreversible operation, during which the database is removed
without any user confirmations.
NOTE: Before uninstalling the Server, make sure you have uninstalled all the Clients from the
remote computers. If you don't uninstall the Clients, they will remain installed on the remote
computers and collect the data locally. It will be impossible to remove them in a common
way.
To uninstall the Server from the local computer, do the following:
1. Run the EkranSystem_Server.exe installation file or click Uninstall/Change on the
Ekran System application in the Programs and Features window of the Windows
Control Panel.
2. The setup wizard opens.
4. On the Already Installed page, select Uninstall and click Next.
5. On the Uninstall Ekran System page, click Uninstall.
33
6. If you want to delete the database, click Yes in the confirmation message. In other
case, click No and you will be able to use the saved database during the next
installation of the program.
7. Wait for the uninstallation process to complete.
Changing Server Port for Client Connection

Ekran System allows you to define the Ekran Server port via which the Clients connect to the
Server. By default, it is set to 9447
To define the custom port, change the PortSecure value in the Server registry
(HKEY_LOCAL_MACHINE\SOFTWARE\Ekran System), and then define the same value in the
RemotePort parameter.
Moving Binary Data to Shared or Local Folder

If necessary, you can store binary data received from Clients in the shared or local folder on
your computer. This might be necessary for storing large amounts of data.
This feature has the following limitations:
34
 Shared Folders on mapped and mounted disks cannot be used for storing binary data.
 After you select to store binary data in the shared folder instead of MS SQL database, the
already existing screenshots will no longer be displayed (only metadata will be available for
them). The newly received screenshots will be displayed.
To move binary data to the shared folder, do the following:

1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
2. For the Firebird database, do the following (for the MS SQL database, skip this step):
 Open the Windows Registry Editor.
 In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem
key.
 Find the Database value and check where the Database files are located on your computer.
 Move the Cache folder with binary file to a new location.
3. In the Registry Editor window, click Edit > New > String value and add a new value:
 Value type: String
 Value name: StorageDirectory
 Value data: Shared Folder location as \\<computer IP>\<folder path> or \\<computer
name>\<folder path>
4. To access binary data in the shared folder on a different computer from your Server, it is
recommended to do the following:
 Open Computer Management.
 In the Computer Management window, open Services and Applications > Services.
 In the Services pane, find the EkranServer service and select Properties in the context
menu.
 In the EkranServer Properties window navigate to the Log On tab.
 In the Log On tab, select the This account option, specify the credentials for the
EkranServer service to start under, and click Apply. Make sure the user with the specified
credentials has administrator permissions on your Server computer and full access to the
shared folder on the different computer.
 Restart the service.
35
5. Start the EkranServer service to continue working with the program.
Validating Monitoring Data

About
If necessary, you can enable the validation of monitoring data of Windows Clients, which allows
checking that data integrity in the database has not been altered. It can be enabled for Firebird,
PostgreSQL, and MS SQL databases.
Two types of monitoring data validation are available:
 Calculating hash codes for monitoring data: in this case, the hash codes will be
calculated for each screenshot and metadata record received from Windows Clients.
 Signing monitoring data with certificate: in this case, each screenshot and
metadata record received from Windows Clients will be signed with the trusted
certificate.
NOTE: If both types of validation are enabled, only signing monitoring data with certificate
will be used.
After validation of monitoring data is enabled or validation type is changed, all previously
recorded sessions of Windows Clients will be considered as invalid.
With enabled validation of the monitoring data, the integrity of monitoring data within a
Windows Client session is checked on the session opening via the Session Player. If some
screenshots or metadata records have been deleted or modified, the warning message
“Session data is not valid!” will be displayed in the Session Player.
NOTE: When the validation of monitoring data is enabled, the CPU usage will rise while
viewing the Client sessions in the Session Player.
NOTE: After the enabling validation of monitoring data, for existing sessions, that were not
viewed before, screenshots will not be shown.
36
Validating Monitoring Data Using Hash Codes
To enable calculating of hash codes for monitoring data, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the
notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the
HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Select Edit > New > DWORD (32-bit) Value and define the following:
 Value name: SignMonitoredData
 Value data: 1
Signing Monitoring Data with Certificate

To enable signing of monitoring data with certificate, you have to do the following on
the Ekran Server computer:
Step 1. Import the trusted purchased certificate or the self-signed one.
Step 2. Create a special string value in the Windows Registry.
Step 1. Importing Trusted Certificate
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and
press Enter.
37
6. In the Select Computer window, select the Local computer: (the computer this console
is running on) option and click Finish.
8. In the Certificates (Local computer) tree-view, find the Personal node.
9. In the context menu of the Personal node, select All Tasks > Import.

12. On the File to Import page, specify the location and name of the certificate to be
imported manually or click Browse, and then click Next.
38
13. If required, on the Private key protection page, enter the password for the private key
and then click Next.
14. On the Certificate Store page, click Next.
39
15. On the last page of the Certificate Import Wizard, click Finish, and then click OK in the
confirmation message.
16. Select Certificates (Local Computer) > Personal > Certificate and double-click the
imported certificate.
17. In the Certificate window, select Details > Thumbprint and then copy the Thumbprint
value.
40
Step 2. Enabling Monitoring Data Signing with Certificate
1. Stop the Server by clicking Stop in the context menu of the Server icon in the
notification area or find the EkranServer service in the Task Manager and click Stop.
3. In the Registry Editor window, select the
HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Select Edit > New > String Value > and add a new value:
 Value name: SignMonitoredDataCert
 Value data: <copied Thumbprint value of the imported certificate
(without spaces)>
Editing Database Parameters

Database parameters defined during the Ekran System Server installation can be changed via
the Server Tray application.
To change the database parameters, do the following:
1. Right-click the Server Tray icon in the notification area and select Database Parameters.
2. In the Database Parameters window, in the Metadata Storage group, define the
following parameters:
 Select the type of database you want to use for storing data.
NOTE: The already existing data will not be migrated.
 Define the Host Name or IP address of the SQL server.
 Define the SQL Server user name and password in the corresponding fields.
3. In the Binary Data Storage group, select one of the following:
 For small deployments, select the SQL Database option to store binary data
received from Clients in the SQL database. In this case, all data received during the
monitoring will be stored on the computer with the installed SQL Server.
 For medium and large deployments, select the File System option to store binary data
received from Clients in the shared or local folders, and then define the path to the
required folder:
o The shared folder location must be defined as \\<computer IP>\<folder path> or
\\<computer name>\<folder path> (e.g., \\admin-pc\SharedFolder).
o The local folder location must be defined as <folder path> (e.g.,
C:\BinaryDataFolder).
4. Click OK.
5. Restart the Ekran System Server service.
41
Management Tool
About
The Management Tool is the component for managing the whole system and viewing
monitored data received from Clients. It can be installed on any computer, but a network
connection to the Server is required for the Management Tool to operate. There can be several
computers with the installed Management Tool in the system. The work with the Management
Tool is performed via your browser.
Management Tool Installation Prerequisites

Prerequisites Overview
The following prerequisites are necessary for successful installation of the Management Tool.
For Windows 7, it is important that you follow these steps in correct order.
To be able to install the Management Tool, you need to:

1. Turn on the Internet Information Service.
2. Install .NET Framework.
3. Configure the Internet Information Service.
4. Generate a self-signed certificate or import a purchased SSL certificate issued for the
computer, on which the Management Tool will be installed.
5. Add the certificate to the Trusted Root Certification Authorities on the computer, on which
the Management Tool will be installed. Otherwise a certificate error will be displayed in
your browser when opening the Management Tool.
6. Set HTTPS binding for a default web site (or any other IIS site).
NOTE: If you already have a certificate generated for the computer on which the
Management Tool will be installed, you can skip certificate generation step and use an
existing certificate.
Turning on Internet Information Service (IIS)

Turning on IIS for Windows 8 and Windows 7
To turn on the Internet Information Service for Windows 8 and Windows 7, do the following:
1. Select Control Panel > Programs and Features (Program uninstallation).
42
2. Click the Turn Windows features on or off navigation link.
3. The Windows Features window opens.
4. In the features tree-view, select the Internet Information Services option.
5. Click OK.
Turning on IIS for Windows Server 2008 R2

To turn on the Internet Information Service for Windows Server 2008 R2, do the following:
1. In the Start menu, select All Programs > Administrative Tools > Server Manager.
2. In the navigation pane, select Roles, and then click Add Roles.
43
3. The Add Roles Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Server Roles page, select Web Server (IIS), click Next, and then go to the Role
Services page to start configuring Web Server (IIS).
Turning on IIS for Windows Server 2012

The Internet Information Service can be turned on using the Windows PowerShell or Windows
Server 2012 Server Manager.
To turn on the Internet Information Service for Windows Server 2012 using Windows
PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and click Enter:
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools
44
To turn on the Internet Information Service for Windows Server 2012 using Server Manager,
do the following:
1. In the Start menu, select Server Manager.
2. In the navigation pane, select Dashboard, then click Manage > Add roles and features.
3. The Add Roles and Features Wizard opens.

4. On the Before You Begin page, click Next.
5. On the Installation type page, select Role-based or feature-based installation, and then
click Next.
6. On the Server Selection page, select Select a server from the server pool, select your server
from the Server Pool list, and then click Next.
45
7. On the Server Roles page, select Web Server (IIS), click Next and then click Add Features to
start configuring Web Server (IIS).
46
Installing .NET Framework
Windows 10 and Windows Server 2016 usually have .NET Framework 4.6 installed.
If you are using Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server
2008, or if there is no .NET Framework 4.5.2 on other Windows versions, you can download it
from the Microsoft official https://www.microsoft.com/en-us/download/details.aspx?id=42642
and run the installation file on your computer.
Alternatively, on Windows Server 2012, you can install .NET Framework 4.5.2 using Windows
PowerShell.
To install .NET Framework 4.5.2 and configure Internet Information Service (IIS) for Windows
Server 2012 using Windows PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and click Enter:
Install-WindowsFeature - NET-Framework-Core, NET-Framework-45-ASPNET, Web-
Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter
Configuring Internet Information Service (IIS)

Windows 10 Make sure that all the following options are selected in the Windows
Features window and then click OK:
 .NET Framework 4.6 Advanced Services;
 Internet Information Services > Web Management Tools > IIS

Management Console;
 Internet Information Services > World Wide Web Services >

Application Development Features > ASP.NET 3.5, ASP.NET 4.6, and
WebSocket Protocol.

Common HTTP Features > Static Content.
47
 .NET Framework 4.5 Advanced Services;

Management Console;

Application Development Features > ASP.NET 3.5, ASP.NET 4.5, and
WebSocket Protocol;

Management Console;
48
Application Development Features > ASP.NET;

Windows 1. In the Add Roles and Features Wizard window, on the Server
Server 2016 Roles page, make sure that the Web Server (IIS) option is selected
2. On the Features page, make sure that the following option is
selected:
3. .NET Framework 4.6 Features > .NET Framework 4.6 and ASP.NET
4.6
4. Click Next.
5. On the Web Server Role IIS page, click Next.
6. On the Role Services page, select the ASP.NET 4.6 option (under
Application Development).
7. Click Next and then click Add Features.

8. On the Role Services page, make sure that the following options
are selected:
 Application Development >
 .NET Extensibility 4.6
 ASP.NET 4.6
 ISAPI Extensions
 ISAPI Filters
 WebSocket Protocol
49
9. Click Next and then click Install.
10. After the end of installation, click Close.
Windows 1. In the Add Roles and Features Wizard window, on the Server
Server 2012 Roles page, make sure that the Web Server (IIS) option is selected
2. On the Features page, make sure that the following option is

selected:
 .NET Framework 4.5 (Installed) > ASP.NET 4.5
3. Click Next.
4. On the Web Server Role IIS page, click Next.
5. On the Role Services page, select the ASP.NET 4.5 option (under
Application Development).
6. Click Next and then click Add Features.

7. On the Role Services page, expand Application Development, and
make sure that the following options are selected:
 .NET Extensibility 4.5
 ISAPI Extensions
 ISAPI Filters
 WebSocket Protocol
Windows 1. In the Add Roles Wizard window, on the Role Services page, make
Server 2008 sure that the following options are selected:
 Common HTTP Features > Static Content;
50
 Application Development > ASP.NET and WebSocket
Protocol.
2. Click Next and then click Add Required Role Services.
3. On the Role Services page, make sure that the following options
are selected:
 Management Tools > IIS Management Console.

Using Certificates
Generating Self-Signed Certificate
To generate a self-signed certificate on the machine, on which you will install the
Management Tool, do the following:
1. Open the Internet Information Service Manager:
 For Windows 8 or Windows 7: Open Computer > Manage > Services and
Applications > Internet Information Services (IIS) Manager.
 For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter
inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information
Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server
Certificates item under the IIS category.
51
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Create Self-Signed Certificate.
5. The Create Self-Signed Certificate window opens.

6. Enter the name for a certificate in the Specify a friendly name for the certificate box and
select Personal in the Select a certificate store for the new certificate drop-down list. Click
OK.
52
7. The certificate is created.
53
Exporting Self-Signed Certificate
To export self-signed certificate, do the following:
1. In the Internet Information Service Manager, on the Server Certificates pane, select the
generated certificate and click Export on the Actions pane or in the certificate right-click
menu.
2. In the Export Certificate window, define the location and password for the certificate. Click
OK.
3. The certificate is exported and can be added to the Trusted Root Certification Authorities.
Importing Trusted Certificate

To import a purchased certificate issued for the computer, do the following:
NOTE: Using the inetmgr command is a common way of opening the Internet
Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server
Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Import.
54
5. In the Import Certificate window, click the Browse button to browse for the file of the
purchased certificate and enter its password in the Password field.
6. Click OK.
7. The certificate is imported and displayed on the Server Certificates pane of the Internet
Information Services (IIS) Manager.
Adding Certificate to Trusted Root Certification Authorities

Before adding the self-signed certificate to the Trusted Root Certification Authorities, it should
be exported. For purchased certificates that were issued for your computer this procedure is
not needed.
To add the certificate to the Trusted Root Certification Authorities, do the following:
1. Press Windows+R, type mmc in the Run text box and press Enter.
55
4. In the opened Add or Remove Snap-ins window, select Certificates > Add.
5. In the opened Certificates snap-in window, select Computer account and click Next.
6. In the opened Select Computer window, select Local computer: (the computer this console
is running on) and click Finish.
56
8. In the Console window, expand the Certificates (Local computer) node.
9. In the Certificates (Local computer) tree-view, find the Trusted Root Certification
Authorities node.
10. In the right-click menu of the Trusted Root Certification Authorities node, select All Tasks >
Import.

57
13. On the File to Import page, click Browse to find the certificate to be imported and then click
Next.
14. On the Private key protection page, enter the certificate password and then click Next.
58
15. On the Certificate Store page, click Next.
16. On the last page of the Certificate Import Wizard, click Finish.
17. In the confirmation message, click OK.
59
18. The certificate is imported and is displayed in the Console window in the Certificates node.
Please note that the Issued To field contains the name of the computer, on which the
Management Tool will be installed in the format that will be used when opening the
Management Tool.
19. Close the Console window.
60
Setting HTTPS Binding for a Default Web-Site
To set HTTPS binding for a default web-site, do the following:
NOTE: Using the inetmgr command is a common way of opening the Internet
Information Service Manager for any version of the Windows operating system.
2. Expand the node with the name of the target computer in the central pane.
3. Expand the Sites node.
4. Select the Default Web Site.
NOTE: If there is no such site in the Internet Information Services (IIS) Manager of your
computer, you can select any other site (the name of the site does not matter).
5. Click the Bindings navigation link on the right.

6. The Site Bindings window opens.
7. If there is no binding of HTTPS type in the Site Bindings window, click Add.
8. The Edit Site Binding window opens.
61
9. In the Type box, select https.
10. Next to the SSL certificate drop-down list, click Select.

11. The Select Certificate window opens, where the list of existing certificates is displayed.
12. In the Select Certificate window, select the certificate generated for the Management Tool
and then click OK.
13. In the Add Site Binding window, click OK.

14. In the Site Bindings window, click Close.
15. Now the Internet Information Service is fully adjusted and you can start installing the
Management Tool.
Installing/Uninstalling/Updating the Management Tool

Installing the Management Tool
To install the Management Tool, do the following:
1. Run the EkranSystem_ManagementTool.exe installation file.
2. On the Welcome page, click Next.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Connection Settings page, do the following and then click Next:
 In the Server address box, enter the name or IP address of the computer on which
the Server is installed.
62
 In the URL address field enter the folder where the Management Tool will be
located within IIS. This URL will be used when opening the Management Tool.
5. On the Choose Install Location page, enter the destination folder in the corresponding
field or click Browse and in the Browse For Folder window, define the destination
folder. Click Install.
6. The process of installation starts. Its progress is displayed on the Installing page.
7. After the end of the installation process, click Close to exit the wizard.
8. The Management Tool is displayed as an application of a default web site or any other
site with https connection in the Internet Information Services (IIS) Manager.
63
9. Now you can open the Management Tool via your browser from the same computer
or a remote one.
Adjusting Computer for Remote Access

If you want to open the Management Tool from the computer different from the one where
the Management Tool is installed, you need to adjust Firewall settings to be able to access this
computer.
If the users access Management Tool only from computers where it is installed, there is no
need to configure Firewall.
To adjust Firewall on the computer where the Management Tool is installed, do the
following:
1. In the Control Panel, select System and Security > Windows Firewall.
3. In the Windows Firewall with Advanced Security window, right click Inbound Rules
and select New rule.
4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Predefined and then select Secure World Wide Web
Services (HTTPS) in the list. Click Next.
64
6. On the Predefined Rules page, select the World Wide Web Services (HTTPS Traffic-In)
check box. Click Next.
65
7. On the Action page, select Allow the connection. Click Finish.
8. The new inbound rule for Firewall is created.
Updating Management Tool

To update the Management Tool, do the following:
1. Run the Management Tool installation file (EkranSystem_ManagementTool.exe) of a newer
version.
2. On the The program is already installed page, select Update and then click Next.
3. Follow the installation instructions.

4. The Management Tool will be updated to the new version.
66
Uninstalling Management Tool
To uninstall the Management Tool, do the following:
1. Open the Programs and Features window of the Windows Control Panel.
2. In the Programs and Features window, find the Ekran System Management Tool
application.
3. In the right-click menu of the application, select Uninstall.
4. The setup wizard opens and starts the uninstallation process.
5. When the process is completed, click Close, to exit the setup wizard.
6. The Management Tool is uninstalled and removed from the Internet Information Service
(IIS).
Opening Management Tool

To open the Management Tool, do the following:
1. Open the browser and enter https://<name of the computer or IP on which the
Management Tool is installed>/<URL address that has been specified during the
Management Tool installation> in the address line.
For example, https://john-pc/MyMonitoringSystem.
NOTE: If the certificate is not added to the Trusted Root Certification Authorities or
the name of the computer entered in the browser address doesn’t match the
subject (Issued To field) of the certificate, your browser will display a certificate
error when opening the Management Tool.
2. The Management Tool opens.
3. Enter the credentials of the existing user, added to the system:
 For an internal user, enter login and password, defined during user creation.
NOTE: When you open the Management Tool for the first time, enter the
login admin and the password defined during the Server installation.
 For a Windows user, enter the login in the form <domain name>\<user name>
and Windows authentication password.
Please note, if the Active Directory user group has been added to the system, the users
belonging to it can login using their Windows credentials.
4. The Management Tool Home page opens.
Please note, the Management Tool may take a while to launch on first connection, since
IIS is not used constantly and its processes are stopped and restarted on the connection.
If you encounter any problems when opening the Management tool, see the
Troubleshooting chapter.
67
Licensing
General Licensing Information
To start receiving information from the Clients, you have to assign licenses to them. Four
types of licenses are available:
Required additional Number of recorded

License OS
configuration concurrent sessions
Windows desktop
OS, Windows
Workstation
desktop in - 1
Client
Amazon or Azure
Cloud, macOS
Infrastructure
- 2
Server Client
installed
Remote Desktop
Services/Terminal Services
or
Citrix Server
Windows Server
Terminal or
Published App Server unlimited
Server Client
or
deployed on
Microsoft Azure
or
Amazon Web Services
Linux/UNIX Linux, Oracle

- unlimited
Server Client Solaris, IBM AIX
NOTE: Licenses of the workstation type cannot be assigned to a computer with Server OS.
Each Client can have only one license assigned. During the first connection to the Server, the
license corresponding to the Client computer operating system is automatically assigned to a
Client. If the license has not been automatically assigned, then you will have to assign the
license to the Client manually.
About Serial Keys

When you log into the Management Tool for the first time, you can request a trial serial key
which allows you to use 3 Workstation Client licenses, 3 Linux/UNIX Server Client licenses, and
68
1 Terminal Server Client license for 30 days. The trial serial key will be sent to the email address
you specify in the request form.
To use the system permanently and with a greater number of licenses, you have to license it
with purchased serial keys on a computer with the installed Server.
NOTE: After activation of any serial key, the embedded trial key expires.
Five types of serial keys are available:

 Permanent serial keys: These keys allow you to use licenses they contain during the
unlimited period of time.
 Trial serial keys: These keys allow you to use the licenses they contain during 30 days
(may vary) from activation and update the product during this period.
 Update and Support serial keys: These keys allow you to extend your update and
support period.
 Enterprise serial keys: These keys allow you to get an access to the enterprise features
of the Ekran System during the unlimited period of time.
 Trial enterprise keys: These keys allow you to get access to the enterprise features of
the Ekran System for 30 days (may vary) from activation and update the product during
this period.
Each permanent, trial, and update and support serial key contains the following data:
 Update & support period
 Licenses for the Clients
The enterprise serial key does not contain any Client licenses and is active during the unlimited
period of time. This key grants you an access to such valuable features of the Ekran System as
Database Archiving, Advanced SIEM Integration, One-time Password, and High-Availability,
Multi-Tenant Mode, Password Management, IP Filtering, Isolating database from Clients, and
Health Monitoring.
Once you have purchased serial keys, you can either activate serial keys online or add activated
serial keys if you have no Internet connection on a computer with the installed Server. Contact
your vendor for information on purchasing serial keys.
You need to belong to the Administrators user group of the built-in default tenant to activate
serial keys.
Please note, after the activation, serial keys are bound to a specific computer and cannot be
used on another computer.
About Update & Support Period

An Update & support period is a period that defines what updates can be applied to your copy
of the product. Updates are defined by their release date. After the update & support period
69
expires, you can still assign licenses to Clients, but you will be unable to update the System to
versions released after the update & support period expiration date.
The update & support period end date is defined during the serial key activation (either via the
Management Tool or on the vendor’s site). It is calculated using a serial key with the longest
update & support period period.
Example: If you activate two keys, one with a 30 days update & support period period and one
with a 12 months update & support period period, simultaneously, the update & support
period end date will be set to 12 months from the activation date.
When a new serial key is being activated, the update & support period period is prolonged
accordingly. Please note, if the current update & support period period is longer than the one
of a key being activated, current update & support period period does not change. For
example, if you activate a key with 12 months update & support period period after a key with
30 days update & support period period, the update & support period end date will be set to
12 months since the activation date. But if you activate a key with 30 days update & support
period period after a key with 12 months update & support period period, the update &
support period end date will not change.
If your update & support period expires, you can purchase a special serial key, which does not
contain any licenses, but extends your update & support period period, or you can activate any
other serial key.
Viewing License State

You can view the information on serial keys you have activated or added and license details on
the Serial Key Management page in the Management Tool.
To view the license state, open the Management Tool and click Serial Key Management
navigation link on the left.
The following information is displayed on the Serial Key Management page:

 Update & support period end date: The update & support period end date is calculated
basing on dates of serial keys activation and their subscription periods.
 Workstation/Terminal Server/Infrastructure Server/Linux/UNIX Server Client licenses
used: The number of licenses of the corresponding type used out of total number, which
is summed up from all activated serial keys.
 Not licensed Clients: The number of installed Clients with no licenses assigned.
 Enterprise key: Displays whether the target Server computer has an activated
enterprise serial key.
The following information is displayed in the Serial Keys Management grid:

o Key
o Activation date
o Type: Enterprise/Permanent/Update and Support/Trial/Trial Enterprise
70
o State: activated/deactivated/expired
o Details: expiration/deactivation date, type and number of licenses
Activating Serial Keys Online

To activate purchased serial keys online, do the following:
1. Make sure you have an active Internet connection on the computer with the installed
Server.
2. Log in to the Management Tool as a user of the Administrators user group.
3. Click the Serial Key Management navigation link on the left.
4. On the Serial Keys tab, click Activate keys online.
5. In the Serial Key Activation window, enter serial keys to be activated separating them with
semicolons or paragraphs and click Activate.
6. The activated keys will appear on the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.
Adding Activated Serial Keys Offline

If you have no Internet connection on a computer on which the serial keys are to be activated,
you can activate them on the license site and then add the activated serial keys offline. For
more information, send an email to info@ekransystem.com
71
NOTE: Update and Support serial keys cannot be activated offline.
To activate serial keys offline on the license site, do the following:

1. On the computer with the installed Server, start the UniqueIdentifierGenerator.exe file,
which you can download at
https://www.ekransystem.com/sites/default/files/ekransystem/UniqueIdentifierGenerator.
exe
2. The Unique Identifier Generator window opens.
3. Click Generate to generate a unique identifier for your computer.
4. When a unique identifier for your computer is generated, it will appear in a text box under
the Unique Identifier group of options.
5. Copy the unique identifier from the text box to a text file on a removable drive.
6. Go to the license site.
7. Enter the generated unique identifier in the Unique Identifier box.
8. Copy and paste the purchased serial keys to the Serial Keys box separating them with
paragraphs or spaces.
9. Enter the CAPTCHA text in a text box near the CAPTCHA image.
10. Click Activate.
11. The activatedKeys.txt file will be generated. Save the file on a removable drive.
12. Copy the file to the computer on which you will open the Management Tool.
NOTE: Please do not edit the generated file activatedKeys.txt.
To add activated serial keys in offline mode, do the following:

3. On the Serial Keys tab, click Add activated keys.
4. On the Activated Serial Key Adding page, click Choose File and navigate to the
activatedKeys.txt file with activated serial keys.
5. Click Add.
6. The newly added serial keys appear on the Serial Key Management page.
8. If there are both licensed and unlicensed Clients in your network and you want to license
the rest of Clients with a purchased key, you will have to assign the license to the remaining
unlicensed Clients manually.
Configuring Proxy Server for Serial Keys Activation

When Ekran Server is installed on the machine that is a part of the local network, access to a
larger-scale network such as the Internet may be performed via the Proxy Server. In this case,
72
to avoid issues with the serial keys activation, you need to define the Proxy Server parameters
in the Ekran Server configuration file.
To define the Proxy Server parameters in the Ekran Server configuration file, do the
following:
1. On the machine with the installed Ekran Server, navigate to the folder with the
EkranServer.exe.conf file. By default, C:\Program Files\Ekran System\Ekran System\Server.
2. Open the EkranServer.exe.conf file.
3. In the EkranServer.exe.conf file, in the BasicHttpBinding group, define the Proxy Server
IP address and port, and then set the useDefaultWebProxy value to false.
Example:
// <basicHttpBinding>
<binding name="GetLicenseBinding" proxyAddress="http://10.0.0.000:10"
useDefaultWebProxy="false" />
<binding name="GUIDDeactivationBinding"
proxyAddress="http://10.0.0.000:10" useDefaultWebProxy="false" />
<binding name="GetLicensesByHwidBinding"
<binding name="GetTrialBinding" proxyAddress="http://10.0.0.000:10"
useDefaultWebProxy="false" />
<binding name="GetLicenseByGuidBinding"
<binding name="GetActualVersionBinding"
</basicHttpBinding>
4. Restart the Ekran System Server service.

5. Activate serial keys.
Deactivating Serial Keys

If for some reason you decide to discontinue using Ekran System, you can deactivate serial
keys.
To deactivate a serial key, do the following:
1. Make sure you have an active Internet connection on the computer with the installed
Server.
4. On the Serial Keys tab, select a serial key to be deactivated and click Deactivate selected.
NOTE: Expired serial keys can’t be deactivated.
5. In the confirmation message, click Deactivate.
6. The deactivated serial key is marked as Deactivated in the State column of the Serial Key
Management page.
73
Client License Management
The Client license management is performed in the Management Tool by the user with the
administrative Client installation and management and License management permissions.
You can assign a license to a Client or unassign it manually any time. The license can be
assigned to an offline Client and it will be applied after the Client is online. If the Client is
uninstalled, its license becomes free and can be assigned to another Client.
NOTE: When a trial serial key expires, the corresponding number of licenses is automatically
unassigned from Clients.
Information about the number of used and free licenses of each type is displayed on the
License Management page in the Management Tool.
To assign the license to one Client, do the following:

1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Client Management navigation link on the left.
3. On the Clients page, select the needed Client from the list and then click Edit Client
4. On the Editing Client page, on the Properties tab, in the License box, select the type
of license you want to assign to the Client.
5. Click Finish.
6. The license is assigned to the Client.
To manage the licenses for several Clients, do the following:

1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Сlick the Client Management navigation link on the left.
3. On the Clients page, click Manage Licenses.
4. On the License Management page, select the Clients, to which the licenses should be
assigned. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
5. When the Clients are selected, click one of the following:
 Assign recommended license: Assigns licenses to the selected Clients, automatically
defining the type of license basing on the operating system of the Client computers. If
the corresponding type of license is missing, a license of a higher type can be assigned.
 Assign license of specific type: Assigns selected licenses of a specific type to the
selected Clients.
 Unassign license: Removes licenses from the selected Clients.
74
NOTE: To change the Client license type, you do not need to unassign the current license.
This will be done automatically.
75
Windows Clients
About
Windows Client is a program that can be installed on the target computers to monitor the
activity of their users. The monitored data is sent by the Windows Client to the Server and can
be viewed in the Management Tool.
Depending upon their permissions, a user can install/uninstall Clients remotely, manage their
configuration, and manage Client groups.
Monitoring via Windows Clients

The Windows Clients work as follows:
 Each Windows Client starts automatically on computer start.
 A licensed Windows Client monitors both local and remote sessions, depending on the
license type:
- Workstation Client license (one local/remote session)
- Infrastructure license (up to two concurrent sessions)
- Terminal Server Client license (several concurrent sessions)
 Every time the computer is restarted, the Windows Client starts recording user activity in a
new session. The maximum duration of one session can be 24 hours. At 00:00 all live
sessions are terminated. After their termination (their status changes from live to finished),
new live sessions automatically start.
 If a user works with several monitors, the Windows Client creates screenshots from all of
them.
 The Windows Client sends its monitoring results to the Server. On the Client side, the
monitoring data is compressed before sending it to the Server.
To disable the data compression on the Client side, in the Windows Registry Editor, select
the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and add a new value:
o Value type: DWORD
o Value name: Compression
o Value data: 0
 If there is no connection with the Server, the Client stores the monitored data locally and
automatically sends it to the Server when the connection is restored. The data is stored in
the TempWrite.dat file in the Client installation folder. The Client can stop writing data to
an offline cache in one of the following cases:
o The amount of data stored offline reaches the limit at which the Client must stop
writing to offline cache: This limit is defined during remote Client installation or
during generation of Client installation package.
o There is 500 MB of free space on the hard drive left. This parameter can be
defined during remote Client installation or generation of Client installation
package. The default value is 500 MB.
76
 By default, the Windows Client records user activity as follows:
o Typing: every 10 seconds.
o Mouse clicking: every 3 seconds.
o Active window changing: every 3 seconds.
To change the frequency of user activity recording, in the Windows Registry Editor, select the
HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and modify a value data:
1. Typing
o Value name: SmartScrTimer
2. Mouse clicking
o Value name: SmartScrTimerMouse
User activity recording triggers usually influence each other, though the average frequency of
user activity recording is higher.
Installing Windows Clients

About
During the system deployment, remote installation of the Windows Clients is used. Remote
installation of the Clients is performed via the Management Tool.
To ensure successful remote installation of the Windows Clients, you have to set up the
network environment beforehand. If your computers belong to a workgroup but not a domain,
you need to know the administrator account credentials for each remote computer. Otherwise
knowing the domain administrator credentials is enough.
The Windows Clients can also be installed locally via the installation package generated in the
Management Tool. Thus you can distribute the installation package of the Client with
predefined settings among the network computers and install it. This kind of installation is
useful when you experience difficulties with installing the Clients remotely via the
Management Tool, or the computers in your network are part of a workgroup and do not have
the same administrative account for each computer.
Setting up Environment for Remote Installation

Windows Client Installation Prerequisites
The majority of Windows Client installation/uninstallation issues are caused by incorrect
system or network settings.
The following conditions have to be met for successful Windows Client installation:
 The remote computer has to be online and accessible via network.
 Shared folders have to be accessible on the remote computer. Simple file sharing
(Sharing Wizard) has to be disabled if the computer is in a workgroup (for domain
computers this requirement can be skipped).
77
 You need to know the domain administrator or local administrator account credentials
for the remote computer.
 The Server and the Remote Procedure Call (RPC) system services have to be running on
the remote computer.
 Windows Vista and Windows XP Firewall has to be properly set up on the remote
computer during the Clients remote installation.
 In Windows 8, Windows 7, Windows Server 2012 and Windows Server 2008 Firewall,
inbound connections have to be allowed in the Remote Service Management (RPC) rule
for the remote computers and the File and Printer Sharing option has to be enabled (in
this case it is not necessary to disable Windows Firewall).
 Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2
SP1, the Microsoft Security Advisory update 3033929 needs to be installed:
https://technet.microsoft.com/en-us/library/security/3033929.aspx.
In Windows Firewall on the Server side, allow the Server executable to accept TCP connections
via ports 9447 (for the connection between the Server and the Clients).
NOTE: These rules will be added to Windows Firewall automatically, if Windows Firewall is
enabled during the Server installation.
Make sure the conditions mentioned above are met to avoid possible problems with Client
remote installation.
Disabling Simple File Sharing in Windows XP

To disable simple file sharing in Windows XP, do the following:
1. Open My Computer.
2. Select Tools > Folder Options in the menu.
3. In the Folder Options window, select the View tab.
78
Clear the Use simple file sharing check box.
4. Click Apply and OK to close the window.
Disabling Sharing Wizard in Windows 8.1, Windows 8 and Windows 7

To disable the Sharing wizard in Windows 8.1, Windows 8, and Windows 7, do the following:
1. Open the Folder options window:
 For Windows 8.1/Windows 8: Open the Control Panel and then select
Appearance and Personalization.
 For Windows 7: Open Computer and then select Organize > Folder and search
options.
2. In the Folder Options window, select the View tab.
79
Clear the Use Sharing Wizard check box.
3. Click Apply and OK to close the window.
Checking System Services

To check that the Server and Remote Procedure Call (RPC) system services are running:
1. Right click Computer and select Manage. The Computer Management window opens.
2. Expand the Services and Applications node and select Services. To quickly access
Windows Services, press Windows+R, type services.msc in the Run text box and press
Enter.
3. Find the Server service and the Remote Procedure Call (RPC) service in the list of
services. Make sure both services are running (their status is displayed as Started).
80
4. If one or both services are not running, start them manually. To start the service,
right-click it and select Start from the context menu. The selected service is started.
Setting up Windows Vista, Windows XP, Windows Server 2003

Firewall
It is not necessary to disable the Firewall in Windows Vista, Windows XP, and Windows Server
2003. For successful remote installation of the Clients, you have to enable the File and Printer
Sharing option.
To set up Windows Vista, Windows XP, and Windows Server 2003 Firewall, do the following:
1. Select Start > Control Panel > Windows Firewall.
81
2. In the Windows Firewall window, select the Exceptions tab.
3. On the Exceptions tab, select the File and Printer Sharing check box.
4. Click Ok.
82
Setting up Firewall for Windows 10, Windows 8.1, Windows 8,
Windows 7, Windows Server 2012, Windows Server 2008
It is not necessary to disable the Firewall in Windows 8.1, Windows 8, Windows 7, Windows
Server 2012, and Windows Server 2008. For successful remote installation of the Clients, you
have to allow inbound connections in the Remote Service Management (RPC) rule for the
remote computers and enable the File and Printer Sharing option.
To enable inbound connections for the Remote Management Service (RPC), do the following:
1. Select Control Panel > System and Security > Windows Firewall.
3. In the Windows Firewall with Advanced Security window, click Inbound Rules and
then double-click the Remote Service Management (RPC) rule in the rules list.
4. The Remote Service Management (RPC) Properties window opens.

5. In the General tab, select Enabled under General and click Allow the connection
under Action.
83
6. In the Advanced tab, under Profiles, select the profile of the network used for
connecting remote computers and the Server.
7. Click Apply and then OK to save the settings and close the Properties window.
8. Close the Windows Firewall window.
84
To enable the File and Printer Sharing option, do the following:
1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Allow an app or feature through Windows Firewall.
3. In the opened Allowed apps window, click Change settings.
4. Select the File and Printer Sharing option and then click OK.
85
Installing Windows Clients Remotely via the Management
Tool
About
You can install the Windows Clients remotely via the Management Tool. This way of installation
is very convenient if all computers in your network have the same domain administrator
credentials.
Remote Windows Client Installation is performed by a user who has the Client installation and
management permission in two steps:
1. Selecting computers on which Clients will be installed.
2. Defining installation parameters and installing the Clients.
Selecting Computers
To select the computers for Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. The Computers without Clients page opens. On this page, you can see the computers, for
which the previous installations failed.
5. Select how you would like to search for computers where the Windows Clients will be
installed:
 To select computers from the list of all computers in your network, click Deploy via
network scan.
 To select computers by IP range (IPv4 or IPv6 addresses), click Deploy via IP range.
 To select computers by their names, click Deploy on specific computers.
6. In the Choose search results window:
 Click Start new search to look for computers with defined parameters.
86
 Click Previous search results to choose the computers found in the previous search.
If you have not performed any searches yet, this button will be absent.
7. If you have selected the Deploy via IP range option, the Computers Scan page opens. In the
From Address and To Address boxes, enter the IP range (either IPv4 or IPv6), for which the
network should be scanned. To find only one computer, enter the same IP address in both
boxes. Click Scan.
8. If you have selected the Deploy on specific computers option, the Adding Computers page
opens. Enter the names of computers on which Windows Clients must be installed in the
box Name and click Scan. Use semicolon to separate computer names.
Please note that you should enter the full name of the computer.
9. The scanning process starts. The list of found computers will be updated automatically. If it
is not updated, click Refresh. To stop the scanning process, click Stop.
10. When the scanning process finishes, select check boxes next to the computers that you
want to install the Clients on. Click Next.
11. The selected computers are added to the list on the Computers without Clients page.
87
12. If you want to remove some computers from this list, click Remove from list next to the
selected computer.
Remote Windows Client Installation Process

When all computers for Windows Сlient installation are selected, you are ready to start
installation. Please make sure that all selected computers are correctly adjusted.
To install the Windows Clients remotely, do the following:

1. On the Computers without Clients page, click Install.
2. On the Client Configuration page, define the name/IP of the Server, to which the Windows
Clients will be connecting, and define the Client configuration for the Clients you are
installing. Click Next.
NOTE: The Server IP address has to be static for Clients to connect to it successfully.
Unique external IP addresses should be used for cloud-based Servers. You can add several
names and IP addresses separated with comma or semicolon.
3. On the Installation credentials page, enter the credentials of a user with administrator
permissions on the target computers for Client installation and then click Next.
 If the computers are in a domain, enter the domain name and domain administrator
account credentials.
 If the computers are in workgroup, enter the credentials of a local administrator for
target computers.
If you leave the Domain box empty, the entered credentials will be used as the credentials
of a local user of a target computer and the Client will be installed under the <target PC
name>\<user name> account.
NOTE: All workgroup computers must have the same administrator account credentials.
Otherwise use installation via installation package method to deploy the Clients.
88
4. The installation process starts. The progress of installation will be updated automatically on
the Client installation page. If it is not updated, click Refresh.
NOTE: If the connection with the Server fails, the Client will be not installed.
5. After the end of the installation, the installed Clients will appear on the Clients page in All
Clients group. If the installation of some Clients fails, these computers will remain in the
Computers without Clients list and you can click Retry to start the installation again.
Remote Installation from an Existing .INI File

If you already have an .ini file with defined settings generated in the Management Tool and
saved to your computer, you can use it for installing the Windows Clients.
To install the Windows Clients remotely, using an existing .ini file do the following:
1. On the Computers without Clients page, click Install using existing .ini file.
2. On the INI file selection page, click Choose file to select the .ini file that will be used for
configuration of new Clients.
Please note, if any parameter except RemoteHost is absent or not valid, its value will be set
to default. The RemoteHost parameter is ignored, in this type of installation. The Client will
connect to the Server to which the Management Tool is connected.
3. Once the .ini file is chosen, click Next and continue the installation the same way as when
installing the Clients remotely in a common way.
Installing Windows Clients Locally

About
You can install the Windows Clients locally using the Client installation file generated in the
Management Tool. You have two options for downloading the Client installation file from the
Management Tool:
 Generate the installation package and set the Windows Client configuration during
generation.
 Use Client installation file (.exe) to install the Client with default parameters.
89
NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2
SP1, the Microsoft Security Advisory update 3033929 needs to be installed:
https://technet.microsoft.com/en-us/library/security/3033929.aspx.
Windows Client Installation Package

The installation package consists of 2 components:
 A signed EkranSystemClient.exe installation file.
 An EkranSystemClient.ini text configuration file that contains the Windows Client
installation parameters defining the Server, to which the Client will connect, and
client configuration.
The table below lists all the Windows Client installation parameters. If any parameter
except RemoteHost is absent or not valid, its value will be set to default.
Parameter Description Default Value
Server name/IP
RemoteHost A name or IP address of the computer on which No

the Server is installed. This parameter might
contain several names and IP addresses
separated with comma or semicolon.
NOTE: The Server IP address has to be static for
Clients to connect to it successfully. Unique
external IP addresses should be used for cloud-
based Servers.
RemotePort The Ekran Server port via which the Clients 9447
connect to the Server. By default, it is set to
9447.
Frequency settings for user activity recording
EnableActivity Recording user activity and creating screenshots Enabled

when an active window is changed. If the value is
1, the option is enabled, if the value is 0 —
disabled.
EnableWndNmChan Recording user activity and creating screenshots Enabled

ges when a window name is changed. If the value is
1, the option is enabled, if the value is 0 —
disabled.
90
EnableKBandMouse Recording user activity and creating screenshots Enabled

on clicking and a key pressing. If the value is 1,
the option is enabled, if the value is 0 —
disabled.
EnableTimer Recording user activity and creating screenshots Disabled

with a certain time interval. If the value is 1, the
option is enabled, if the value is 0 — disabled.
Timer Time interval of user activity recording and 30

screenshot creation in seconds. This period can’t
be less than 30 seconds. This parameter is
needed if the EnableTimer parameter is set.
Screenshot settings
EnableScreenshotCr Creating screenshots along with recording user Enabled

eation activity. If the value is 1, the option is enabled, if
the value is 0 – disabled.
EnableCaptureActive Screenshots and recorded metadata will contain Disabled

WindowOnly information on active window only. If the value
is 1, the option is enabled, if the value is 0 –
disabled.
ColorDepth A colour scheme used for screenshots saving. 7(4 bits

7— 4 bits (Grayscale), 8 — 8 bits, 16 — 24 bits. (Grayscale))
Monitoring parameters
EnableClipboardMo Logging of copy and paste operations. If the Enabled

n value is 1, the option is enabled, if the value is 0
— disabled.
EnableSystemIdleDe The system idle event detection. If the value is 1, Enabled

tect the system idle event detection is enabled, if the
value is 0 — disabled.
EnableIdleForceTime Registering idle event when user is inactive. If Enabled

out the value is 1, the forced idle event timeout is
enabled, if the value is 0- disabled.
IdleForceTimeout Time interval when user is inactive. This period 15

can’t be less than 5 minutes. By default, it is set
to 15 minutes.
91
EnableSwiftUsernam
Logging of user names used to log in to the SWIFT Disabled
eMonitoring network. If the value is 1, the option is enabled, if
the value is 0 - disabled.
NOTE: This parameter works only if
EnableScreenshotCreation=1.
EnableSoundCapturi Recording the audio data. If the value is 1, the Disabled

ng option is enabled, if the value is 0 - disabled.
Keystroke monitoring parameters
EnableKeystrokes Logging of a keystroke. If the value is 1, the Enabled

StartSessionOnKeyw Starting monitoring on detecting a suspicious Disabled

ord keyword in the keystrokes. If the value is 1, the
option is enabled, if the value is 0 – disabled.
Keywords A list of keywords, which being typed trigger the Empty

session start, separated with comma (e.g., drugs,
medicine). Keywords are combined with OR
logic; the LIKE operator is applied to the typed
keywords (if drug is written, then drugstore will
trigger the session start).
KeystrokeFiltering Keystroke filtering during monitoring. If the Disabled

value is “disabled”, the keystroke filtering is
disabled and all applications are monitored. If
the value is “include”, the keystroke filtering is
enabled in the Include mode, and only
applications listed in
KeystrokeFilteringAppNames or
KeystrokeFilteringAppTitles are monitored. If the
value is “exclude”, the keystroke filtering is
enabled in the Exclude mode, and only
applications not listed in
KeystrokeFilteringAppNames or
KeystrokeFilteringAppTitles are monitored.
KeystrokeFilteringAp The list of application names separated with Empty

pNames comma (e.g., word.exe, skype.exe). Names are
combined with OR logic; the LIKE operator is
applied to names (e.g., if word.exe is written
then winword.exe will be monitored).
92
KeystrokeFilteringAp The list of application titles separated with Empty

pTitles comma (e.g., Facebook, Google). Names are
applied to titles (if Facebook is written, then
Facebook-Messages will be monitored).
Log files
MonLogging Creation of monitoring logs on the Client Disabled

computer. 0 - monitoring logs creation is
disabled, 1 - monitoring text log will be created
in the LogPath location.
LogPath The path to the monitoring logs location. Using C:\ProgramDa

environment variables (%appdata%, %temp%, ta\Ekran
etc.) is allowed. System\MonL
ogs
EventLoggingEnable Logging of the Ekran System events, such as Disabled

d errors, warnings, and informational messages to
the Windows Event Log. If the value is 1, the
option is enabled, if the value is 0 – disabled.
A severity level of the log entries to be saved to the

LogLevelThreshold Disabled
Windows event log. If the value is 0, only log
entries at the Error level are written; if the value
is 1 – log entries at Error and Warning levels are
written; if the value is 2 – log entries at Error,
Warning, and Information levels are written.
EventLoggingEnabled=1.
URL Monitoring
URLMonitoring Monitoring of URL addresses. If the value is 1, Enabled

the option is enabled, if the value is 0 —
disabled.
MonitorTopDomain Monitoring of top and second-level domain Enabled

names. If the value is 1, the option is enabled, if
the value is 0 — disabled.
URLMonitoring=1.
93
Application Filtering
FilterState Application filtering during monitoring. If the Disabled

value is “disabled”, the application filtering is
disabled and all applications are monitored. If
the value is “include”, the application filtering is
enabled in the Include mode, and only
applications listed in FilterAppName or
FilterAppTitle are monitored. If the value is
“exclude”, the application filtering is enabled in
the Exclude mode, and only applications not
listed in FilterAppName or FilterAppTitle are
monitored.
FilterAppName The list of application names separated with Empty

comma (e.g., word.exe, skype.exe). Names are
applied to names (e.g., if word.exe is written
then winword.exe will be monitored).
FilterAppTitle The list of application titles separated with Empty

comma (e.g., Facebook, Google). Names are
applied to titles (if Facebook is written, then
Facebook-Messages will be monitored).
User Filtering
UserFilterState User filtering during monitoring. If the value is Disabled

“disabled”, activity of all users is monitored. If
the value is “include”, the user filtering is
enabled in the Include mode, and only activity of
users listed in UserFilterNames is monitored. If
the value is “exclude”, the application filtering is
enabled in the Exclude mode, and only activity of
users not listed in UserFilterNames is monitored.
UserFilterNames The list of user names separated with a Empty

semicolon (e.g., work\jane;work\john). Names
are combined with OR logic. Using asterisk (*) as
name/domain mask is allowed (e.g.,
*\administrator or *\admin*).
Additional options
94
EnableProtectedMo The mode of Client work. If the value is 1, the Disabled

de protected mode is enabled, if the value is 0 —
disabled.
UpdateAutomaticall The Client update mode. If the value is 1, the Enabled

y automatic Client update is enabled, if the value
is 0 – disabled and the Client requires manual
update.
DisplayClientIcon The Client tray icon displaying. If the value is 1, Disabled

the Client tray icon is displayed, if the value is 0 –
hidden.
JumpServerMode The Jump Server mode. If the value is 1, the Disabled

Jump Server mode is enabled, if the value is 0 –
disabled.
OfflineClientDetecti The notification about the Clients that are offline Disabled
on for more than specified time period. If the value
is 1, the offline Client detection is enabled, if the
value is 0 – disabled.
OfflineClientDetecti The time period after which the Client will be 01d00h00m
onInterval detected as “lost”.
OfflineClientNotifica The list of emails to which the notifications will Empty

tionEmail be sent separated with semicolon (;).
Monitoring Time Filtering
MonitorTimeFilterSt Filtering the time of recording user activity. If the Disabled

ate value is “disabled”, the user activity is recorded
twenty-four seven. If the value is “include”, the
user activity is recorded only on days defined in
MonitoringDays and only during hours defined in
MonitoringHours. If the value is “exclude”, the
user activity is not recorded on days defined in
MonitoringDays and during hours defined in
MonitoringHours.
MonitoringDays The days of the week during which the Client will Mon, Tue,
or will not record users' activity. The days of the Wed, Thu, Fri
week are combined by OR logic.
95
MonitoringHours The hours during which the Client will or will not 8:00 – 18:00
record users' activity.
IP Filtering
IPFilterState IP filtering during monitoring. If the value is Disabled

“disabled”, remote sessions from all IP addresses
are monitored. If the value is “includePublic”,
the IP filtering is enabled in the Include mode,
and only remote sessions from public IP
addresses listed in IPFilterAddresses are
monitored. If the value is “excludePublic”, the IP
filtering is enabled in the Exclude mode, and only
remote sessions from public IP addresses not
listed in IPFilterAddresses are monitored. If the
value is “includePrivate”, the IP filtering is
enabled in the Include mode, and only remote
sessions from private IP addresses listed in
IPFilterAddresses are monitored. If the value is
“excludePrivate”, the IP filtering is enabled in the
Exclude mode, and only remote sessions from
private IP addresses not listed in
IPFilterAddresses are monitored.
IPFilterValue The list of IP addresses separated with a comma Empty

(e.g., 10.100.0.1,10.100.0.2). IP addresses are
combined with OR logic. Using asterisk (*) as a
mask is allowed (e.g., 10.200.*.*).
Authentication Options
NotificationMessage The message that is displayed on user login to Disabled

the system.
EnableNotificationC Additional option that requires the user to Disabled

omment comment on the additional message displayed
on login to the system. If the value is 1, the
RequireTicketNumb Additional option that requires the user to enter Disabled

er a valid ticket number of an integrated ticketing
system to start working with the Client
computer. If the value is 1, the option is enabled,
if the value is 0 – disabled.
96
Two-Factor and Secondary Authentication
EnableForcedAuth Additional identification of users that log in to Disabled

the Client computer with server operation
system. If the value is 1, the option is enabled, if
the value is 0 — disabled.
EnableOneTimePass Additional option that allows the user to request Disabled

word a one-time password to get a temporary access.
If the value is 1, the option is enabled, if the
value is 0 — disabled.
EnableTwoFactorAut The option that requires the user to enter a Disabled

h time-based one-time password to log in. If the
value is 1, the option is enabled, if the value is 0
— disabled.
Advanced Options
InstallDir The path to the Client installation folder. Using %ProgramFile

environment variables (%appdata%, %temp%, s%\Ekran
etc.) is allowed. System\Ekran
System
LocalCacheLimit Size of the Client offline data cache in MB. 500
TenantKey A unique identifier used by Clients to detect the <Key value>

tenant they belong to.
Generating Windows Client Installation Package

To generate an installation package, do the following:
1. Log in to the Management Tool as a user with the Client installation and
management permission.
2. Click the Client Management navigation link on the left.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, select the Windows option in the drop-down
list, and then click Windows Client installation package (.ini + .exe).
6. On the Generate Installation Package page, optionally, protect the installation
package file from modification, define the name/IP of the Server, to which the Clients
will connect, and define the client configuration to be applied to the Client and then
click Next.
97
NOTE: The Server IP address has to be static for Clients to connect to it successfully.
Unique external IP addresses should be used for cloud-based Servers.
7. The installation package is successfully created and downloaded to your computer.
The download settings depend upon the settings of your browser.
Installing Windows Clients Locally with Custom Monitoring

Parameters
To install the Windows Client locally using the installation package, do the following:
1. Copy the package (the EkranSystemClient.exe installation file and the EkranSystemClient.ini
file) to the target computer.
2. Start the EkranSystemClient.exe installation file under the administrator account on the
target computer.
3. After the package is deployed, the name of the required computer appears on the Client
Management page in the Management Tool.
Downloading Windows Client Installation File (.exe)

To download the file for Windows Client installation, do the following:
5. On the Installation File Download page, select the Windows option in the drop-down
list, and then click Windows Client Installation (.exe).
6. File downloading starts. The download settings depend upon the settings of your
browser.
Installing Windows Clients Locally without .ini File

This type of installation allows you to install the Windows Clients with default configuration.
This way you will need only an EkranSystemClient.exe file for Client installation. The
EkranSystemClient.ini file with default parameters will be generated automatically.
To install the Windows Client locally using the installation package on the target computer:
1. Copy the downloaded EkranSystemClient.exe file to the target computer and do one of the
following:
 Start the EkranSystemClient.exe installation file under the administrator account on
the target computer and then in the opened window, enter the name or IP address
of the computer, on which the Server is installed and after that click Install.
98
 In the Command Prompt (cmd.exe) started under administrator, enter
EkranSystemClient.exe /ServerName=<Server Name>.
NOTE. If there is no connection with the server, installation will failed and error
message will be displayed.
2. After the package is deployed, the installed Client appears in the list on the Client
Management page in the Management Tool.
Installation via Third Party Software

If you want to install the Windows Client via a third-party tool (e.g. via System Center
Configuration Manager, Active Directory, etc.), download the Client installation file and use the
following command: EkranSystemClient.exe /ServerName=<Server Name>. The Client will be
installed with a default configuration.
Installing Windows Client on Amazon WorkSpace

To install the Windows Client on Amazon Workspaces, do the following:
1. Download the Client installation file.
2. Connect to the Amazon WorkSpace and run the Client installation file (.exe).
3. Open the Windows Registry Editor and select the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
4. Select the AgentGUID value and click Delete in the context menu.
5. In the opened confirmation message, click Yes.
NOTE: You will not be able to edit the registry values in the Protected Mode.
6. In the Amazon WorkSpaces management console, do the following:
 Create an image of the Amazon WorkSpace with installed Windows Client.
 Create a bundle from the newly created image.
 Create new Amazon WorkSpaces from the newly created bundle.
7. All new Amazon WorkSpaces created from the bundle will automatically connect to the
Ekran Server.
NOTE: Make sure that Ekran Server is allowed to accept TCP connections via 9447 port for
connection between Ekran Server and Ekran Clients.
Installing Windows Client Remotely Using PsExec

To install the Windows Client remotely using PsExec, do the following:
1. Download the PsTools package and unpack it.
2. Download the Client installation file.
3. Copy both the installation file and PsExec.exe to the same folder.
99
4. Run the Command Prompt (cmd.exe) as administrator.
5. Navigate to the folder with the the installation file and PsExec.exe by entering the following
command:
cd path/to/folder
6. Enter the following command to the command line:
psexec\\<target PC IP>-u<user name>-p< password>-c EkranSystemClient.exe
/servername=<server name/IP> and press Enter
The parameters have the following meaning:

<target_PC_IP>: The IP address of the computer on which Windows Client must be
installed.
-u<user name>: The user name for login to the target computer. Please note, the user must
have the administrative rights.
-p< password>: The password of the defined user. If you omit this parameter, you will be
promted to enter the password after the command execution.
-c EkranSystemClient.exe: The Client installation file.
/servername=<server name/IP>: The name or IP address of the Ekran Server to which the
Windows Client will be connected. Please note, if the Virtual Local Area Networks are
different, it is necessary to ping the Ekran Server from the Client computer.
Cloning a Virtual Machine with Installed Client

Each Windows Client has its own unique ID, which it receives when it connects to the Server.
When you prepare a virtual machine, which is to be monitored, for cloning, you need to remove
the Client ID to ensure the proper Client connection to Server.
To remove the Client ID, do the following:

1. Make sure the Client is offline (does not have any connection with the Server).
3. In the Registry Editor window, select the following key:
NOTE: You will not be able to edit the registry values in the Protected Mode.
Each new Client with a new AgentGUID will be displayed as a separate instance in the
Management Tool. To avoid displaying multiple Clients, you can run the script below to
use the virtual machine name as AgentGUID. The script must be run on each system start.
100
taskkill /f /im ekran*
reg delete HKLM\SOFTWARE\EkranSystem\Client /v AgentGUID /f

reg delete /v PreviousState /f
del "c:\Program Files\Ekran System\Ekran System\Client\OfflinePool.dat" /q
reg add HKLM\SOFTWARE\EkranSystem\Client /v AgentGUID /t REG_SZ /d
%COMPUTERNAME% /f
net start EkranClient
Unassigning License on Virtual Machine Shutdown

If Ekran Windows Client is used on virtual machines, in some cases the master image might be
used multiple times. To prevent wasting Client licenses when this occurs, you can either
configure the Client license to be unassigned on the virtual machine shutdown or enable the
Golden Image mode for the Server.
Golden Image Mode for the Server

If the Golden Image mode is enabled for Ekran System Server, then the Server will
automatically unassign a license from the Client when it becomes offline.
To enable Golden Image mode for the Server, do the following:

1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem
key.
4. Select Edit > New > DWORD (32-bit) Value and define the following:
 Value name: GoldenImageMode
 Value data: 1
Unassigning License via the Script on the Client Side

Before configuring a virtual machine image, you have to create a cmd file (for example,
uninstall_client.cmd) containing the following command-line command:
call “<path to EkranClient.exe>” -uninstwl <uninstallation key>
For example (default installation parameters used):
call “C:\Progra~1\EkranS~1\EkranS~1\Client\EkranClient.exe” -uninstwl allowed
To configure the image of the virtual machine with the Client for the license to be unassigned
on shutdown:
101
1. Start your virtual machine image.
2. Configure the system and install the necessary software.
3. Install Ekran Client (via remote installation or locally) with the Protected Mode option
disabled.
8. Copy uninstall_client.cmd to the target folder on your virtual machine.
10. Enter the gpedit command.
11. In the Local Group Policy Editor window, select Computer Configuration -> Windows
Settings -> Scripts (Startup/Shutdown) -> Shutdown
12. In the Shutdown Properties window, click Add and select the uninstall_client.cmd file.
13. Click OK.
14. Create the master snapshot (gold image).
15. From now on, whenever you start the virtual machine using this image, the Client is
going to connect to the Server as a new Client and get a license assigned to it. Whenever
the virtual machine is shutdown, the license is going to be unassigned from the Client.
NOTE: If you need the license to be unassigned on Logoff, you have to edit the Logoff script in
a similar way in the Local Group Policy Editor (User Configuration -> Windows Settings ->
Scripts (Logon/Logoff) -> Logoff -> Properties).
Updating Windows Clients

About
Ekran System offers two update options for Windows Clients:
- automatic update
- update of selected Clients via the Management Tool
The automatic Client update is performed when a Windows Client connects to the Server of a
newer version. It is recommended to use the automatic Client update.
If you want to control the update of target Client machines yourself, you can disable the
automatic update on the required Clients and update them via the Management Tool.
After the Windows Client is updated, you will still be able to access the monitored data
received before its update.
NOTE: Windows Clients of very old versions might not be able to update. In this case, you
need to re-install the Clients.
102
Windows Client Status after Server Update
If the Update Client automatically option is enabled for the Windows Client, it is updated
automatically when it connects to the Server of a newer version.
If the Update Client automatically option is disabled for the Windows Client and it requires
manual update, it is displayed with the icon in the grid on the Clients page. Such Clients
store the monitoring data locally. They restart sending monitoring data to the Server after
update.
Updating Windows Clients Automatically

To update a Windows Client automatically, do the following:
1. Log in to the Management Tool as a user that has the Client configuration
3. On the Clients page, select the Client that needs to be updated automatically and click
Edit Client.
4. On the Editing Client page, on the Properties tab, select the Update Client
automatically option.
5. Click Finish.
6. The Client will be updated automatically when it connects to the Server of a newer
version.
Updating Windows Client Manually

To update a selected Windows Client via the Management Tool, do the following:
3. On the Clients page, select the Client that needs to be updated and click Edit Client.
4. On the Editing Client page, on the Properties tab, clear the Update Client
5. Click Finish to save the changes.
6. Update the Server.
10. On the Editing Client page, on the Properties tab, click Update.
11. On its next connection to the Server, the Client will be updated to a newer version.
103
Reconnecting Windows Clients to Another Server
If you want to reconnect the Windows Clients to another Server, start the remote installation
from that Server. The Clients will be reconnected.
Please note that this way of reconnection can be used only for the Clients that work in the non-
protected mode. If your Clients work in the protected mode, first disable the protected mode
and then reconnect the Clients.
Uninstalling Windows Clients

About
Windows Clients can be uninstalled locally or remotely. It is possible to uninstall the
Windows Client locally only with the help of the Uninstallation key.
After uninstallation, the Client stops sending its data to the Server, but its data is not
deleted from the Server and the Client is displayed in the Management Tool. The Client
status in the Management Tool becomes offline after uninstallation.
To delete the Client from the Server (with all its captured data) and from the
Management Tool, follow the steps described in the Deleting the Client section.
Client Uninstallation Key

During the Server installation it is possible to define the Client Uninstallation key. By
default, this key is allowed.
The Client Uninstallation key is used during the local Client uninstallation.
The user is able to view or change the Client Uninstallation key in the Management Tool.
If you change the Uninstallation key, the Client will receive it after connection to the
Server. If the Client has not connected to the Server yet, then its Uninstallation key is
allowed. If the Client has not connected to the Server after the Uninstallation key has
been changed, the Client has to be uninstalled with the help of an old Uninstallation key.
To change the uninstallation key, do the following:
1. Log in to the Management Tool as a user with the Client uninstallation permission.
3. On the Clients page, click Edit Uninstallation Key.
4. On the Custom Uninstall Key page, enter the new uninstallation key in the New Key
field.
5. Re-enter the new uninstallation key in the Confirm Key field and then click Save.
6. The uninstallation key is changed.
104
Uninstalling Windows Clients Remotely
To uninstall a Windows Client, do the following:
1. Log in to the Management Tool as a user that has the Client uninstallation permission.
3. On the Clients page, select the Client you want to uninstall and click Edit Client.
4. On the Editing Client page on the Properties tab, click Uninstall Client.
NOTE: This option is not displayed if the Client is already uninstalled or you don’t
have the Client uninstallation permission for it.
5. In the confirmation message, click Uninstall.
6. The Client is uninstalled.
To uninstall several Windows Clients, do the following:

3. On the Clients page, select Uninstall Clients.
4. On the Client Uninstallation page, click Add Clients to list.
5. The page with the Clients for which you have the Client uninstallation permission
opens.
6. Select the Clients that you want to uninstall and click Next. To find a specific Client,
enter its name or a part of its name in the Contains box and click Apply Filters.
7. Make sure you have added all necessary Clients to the uninstallation list and click
Uninstall.
8. The selected Clients are uninstalled.
Uninstalling Windows Clients Locally

It is possible to uninstall the Windows Client locally only with the help of the Uninstallation key
that is defined during the Server installation or in the Management Tool.
To uninstall the Windows Client locally, do the following:
2. In the Command Prompt, go to the Client installation folder. By default, it is located here:
C:\Program Files\Ekran System\Ekran System\
3. Enter the following command: UninstallClient.exe /key=<uninstallation key> /silent=true
4. Press Enter.
5. The Client is successfully uninstalled.
NOTE: If you do not add the /silent=true parameter to the uninstallation command, the
confirmation message for uninstalling the Client will be displayed on the Client computer.
105
Viewing Windows Clients
Windows Clients are displayed in groups on the Client Management page. If the user has an
administrative Client installation and management permission, he/she will see all Clients. In
other case, the user will see only those Clients for which they have at least one Client
permission.
The Client list contains the following information:
 Client name
 Status
 Type
 Domain
 IPv4
 IPv6
 Description
Please note, if there are several network cards on the Client computer, only those IPv4 and
IPv6 addresses used by Windows Clients will be displayed in the Management Tool.
You can filter Windows Clients in the following ways:

 To sort Clients by the type of operating system, click the Type column header.
 To find Windows Clients only, select the Hide Linux Clients and Hide macOS Clients
options and click Apply Filters.
 To find Clients by their host name or description, enter the name/description or a part
of it in the Contains box and click Apply Filters.
 To hide offline/online/uninstalled/licensed Clients, select the corresponding option in
the Filtering pane and click Apply Filters.
On the Client Management page you have the following options: Add Client Group, Install
Clients, Manage Licenses, Edit Uninstallation Key, Uninstall Clients, Delete Clients, Edit Client
Configuration, and Edit Client Groups. The number of available options depends upon
permissions.
106
macOS Clients
About
macOS Client is a program that can be installed on the target computers to monitor the activity
of their users. The monitored data is sent to the Server and can be viewed via the Session
Viewer in the Management Tool.
Monitoring via macOS Clients

The macOS Clients work as follows:
 Each macOS Client starts automatically on computer start.
 A macOS Client with a Workstation Client license monitors either one local or remote
session.
 Every time the computer is restarted, the macOS Client starts recording user activity in a
new session. The maximum duration of one session can be 24 hours. At 00:00 all live
sessions are terminated. After their termination (their status changes from Live to
Finished), new live sessions automatically start.
 The session status becomes Finished whenever: the computer is turned off, the user is
logged out, or the macOS Client is disconnected from the Server. Whenever the macOS
Client reconnects to the Server, the session status changes from Finished back to Live.
 If a user works with several monitors, the macOS Client creates screenshots from all of
them.
 If there is no connection with the Server, the Client stores the monitored data locally
(default folder is /Library/Application Support/Ekran) and automatically sends it to the
Server when the connection is restored. It is recommended to have not less than 500MB of
free space on the disk where the Client is installed to save data during the offline session.
 The frequency of user activity recording of the macOS Client is the following:
o If the user is typing the text, the user activity is recorded every 10 seconds.
o If the user clicks a mouse, the user activity is recorded every 3 seconds.
o If the user changes an active window, the user activity is recorded every 3 seconds.
User activity recording triggers usually influence each other, though the average frequency
of user activity recording is higher.
107
Installing macOS Client
About
You can install the macOS Clients locally using the Client installation file generated in the
Management Tool.
Downloading macOS Client Installation File

To download the file for macOS Client installation, do the following:
5. On the Installation File Download page, select the MacOS option in the drop-down
list, and then click MacOS x64 Client Installation (.tar.gz).
browser.
Installing macOS Clients

This type of installation allows you to install the macOS Clients locally using the downloaded
EkranSystemmacOSClientx64.tar.gz package.
To install the macOS Client on the target computer with a macOS operating system from the
command line:
1. Make sure that there is only one user logged in to the computer.
2. Copy the installation package to any folder.
3. Run the Terminal.
4. Navigate to the folder with the installation package by entering the following command:
cd path/to/folder
5. Unpack the installation package using the following command:
tar xvfz <installation package name>
6. Navigate to the unpacked EkranClient folder using the following command:
cd EkranClient
The EkranClient folder contains the install.sh script used to install the Client.
7. Run the macOS Client installation script specifying the Server name or Server IP address
and the port used for connection to the Server (9447 is recommended):
./install.sh <server_name/IP> <server_port>.
8. After the end of the installation, macOS Client will appear in the list on the Clients page in
the Management Tool.
108
Uninstalling macOS Clients
About
macOS Clients can be uninstalled locally or remotely.
After uninstallation, the Client stops sending its data to the Server, but its data is not
deleted from the Server and the Client is displayed in the Management Tool. The Client
status in the Management Tool becomes offline after uninstallation.
To delete the Client from the Server (with all its captured data) and from the Management
Tool, follow the steps described in the Deleting the Client section.
Uninstalling macOS Clients Remotely

To uninstall a macOS Client, do the following:
1. Log in to the Management Tool as a user that has the Client uninstallation
permission.
3. On the Clients page, select the Client you want to uninstall and click Edit Client.
4. On the Editing Client page on the Properties tab, click Uninstall Client.
NOTE: This option is not displayed if the Client is already uninstalled or you do not
have the Client uninstallation permission for it.
5. In the confirmation message, click Uninstall.
6. The Client is uninstalled.
To uninstall several macOS Clients, do the following:

3. On the Clients page, select Uninstall Clients.
4. On the Client Uninstallation page, click Add Clients to list.
5. The page with the Clients for which you have the Client uninstallation permission
opens.
6. Select the Clients that you want to uninstall and click Next. To find a specific Client,
enter its name or a part of its name in the Contains box and click Apply Filters.
7. Make sure you have added all necessary Clients to the uninstallation list and click
Uninstall.
8. The selected Clients are uninstalled.
109
Uninstalling macOS Clients Locally
To uninstall the macOS Client from the command line, do the following:
1. Run the Terminal.
2. Do one of the following:
 Navigate to the folder with the macOS Client by entering the command:
sudo cd /Library/Application\ Support/Ekran/EkranAgent.
 The EkranAgent folder contains the uninstall.sh script used to uninstall the Client.
 Run the uninstallation script by entering the following command: sudo ./uninstall.sh
and press Enter.
Or
 Run the uninstallation script by entering the following command: sudo
/Library/Application\ Support/Ekran/EkranAgent/uninstall.sh and press Enter.
3. Enter the password of the superuser.
4. macOS Client is successfully uninstalled.
Viewing macOS Clients

The macOS Clients are displayed in the Management Tool in the Clients list along with the
Windows and Linux Clients. If the users have an administrative Client installation and
management permission, they will see all Clients. In other case, the users will see only those
Clients for which they have at least one Client permission.
 Client name
 Status
 Type
 IPv4
 IPv6
 Description
The Domain column is empty for macOS Clients.
Please note, if there are several network cards on the Client computer, only the IPv4 and IPv6
addresses used by macOS Client will be displayed in the Management Tool.
You can filter macOS Clients in the following ways:
 To find macOS Clients only, select Hide Windows Clients and Hide Linux Clients and
click Apply Filters.
110
Linux Clients
About
The Linux Client is a program that can be installed on the target computers to monitor the
activity of their users in the terminal. The monitored data is sent by the Linux Client to the
Server and can be viewed via the Session Viewer in the Management Tool.
Optionally, during the Linux Client installation, you can enable monitoring of graphical interface
for X Window System. It allows monitoring the user sessions started locally via the graphical
interface.
NOTE: Monitoring of graphical interface for X Window System is a Beta version.
Monitoring via Linux Clients

Remote SSH Session Monitoring
The Linux Client monitors the following actions:
1. User actions (input commands and responses from the terminal).
2. System calls.
3. Commands being executed in the running script.
Linux Clients start recording a new monitoring session each time the remote SSH terminal is
opened.
There is no time limitation for a remote Linux Client session. The session status becomes
Finished whenever the remote SSH terminal is closed or the Linux Client is disconnected from
the Server. Whenever the Linux Client reconnects to the Server, the session status changes
from Finished back to Live. Even if the license is unassigned from the Linux Client or the Linux
Client process is killed, monitoring of started sessions continues until the remote SSH terminal
is closed.
Local Sessions Monitoring (for X Window System)

Ekran System allows you to monitor the user session started locally via the graphical interface.
The session includes recorded user activity (screenshots, application name, activity title, activity
time).
The Linux Clients start monitoring after a user opens a new application window. The user
activity is recorded every 10 seconds.
A new session is started every time the computer is restarted. The maximum duration of one
local session can be 24 hours. At 00:00 all live sessions are terminated. After their termination
(their status changes from live to finished), new live sessions automatically start.
111
Installing Linux Client
About
You can install the Linux Clients locally from the command line using the
EkranSystemLinuxClient.tar.gz package, respectively:
 EkranSystemLinuxClientx64.tar.gz for the 64-bit system
 EkranSystemLinuxClientx86.tar.gz for the 32-bit system
Downloading Linux Client Installation File

To download the file for Linux Client installation, do the following:
5. On the Installation File Download page, select the Linux option in the drop-down list,
and then click Linux x86 Client Installation (.tar.gz) or Linux x64 Client Installation
(.tar.gz).
6. On the Generate Installation Package page, optionally, protect the installation
package file from modification, and then define the name/IP of the Server to which
the Clients will connect, and click Download.
browser.
Installing Linux Clients

This type of installation allows you to install the Linux Clients locally from the command line
using the downloaded EkranSystemLinuxClient.tar.gz package.
On the operating systems with enabled Security-Enhanced Linux (for example, CentOS and
RedHat), before installing the Client to the custom directory, you need to pre-configure the
SELinux Policy first.
On the Solaris operating system, before installing the Client, you need to update bash first.
NOTE: For Linux, AIX, and Solaris distributions, GNU bash 3.2.25(1) or higher must be
installed.
To install the Linux Client on the target computer with a Linux operating system from the
command line:
1. Copy the installation package to any folder. Make sure you use the correct installation
package (x64 or x86).
112
2. Run the command-line terminal.
3. Navigate to the folder with the installation package by entering the following command:
$ cd path/to/folder
4. Unpack the installation package using the following command:
$ tar xvfz <installation package name>
5. Go to the unpacked EkranClient folder using the following command:

$ cd EkranClient
The EkranClient folder contains the install.sh script used to install the Client.
6. Run the Linux Client installation script specifying the Server name or Server IP address and
the port used for connection to the Server (9447 is recommended).
$ sudo ./install.sh <server name or Server IP address> <server port>
If the Multi-Tenant mode is enabled, specify the Tenant Key parameter and the Tenant Key
value of the required tenant.
$ sudo ./install.sh <server name or Server IP address> <server port> -tenantKey <tenant
key value>
Optionally, to enable the monitoring of graphical interface for X Window System, specify
the X11 parameter.
$ sudo ./install.sh <server name or Server IP address> <server port> -withX11
Examples:
 $ sudo ./install.sh 10.100.4.182 9447 – The Client connects to the Server with IP
10.100.4.182 through the port 9447. The monitoring of graphical interface for X
Window System is not enabled.
 $ sudo ./install.sh Server1 9447 -withX11 -tenantKey 90807A10-DF80-45EA-A7DE-
A550B55F548A - The Client connects to the Server with the name Server1 through
113
the port 9447. The monitoring of graphical interface for X Window System is
enabled. The Client belongs to the tenant with the specified tenant key.
7. After the Client is installed, it starts monitoring a new session with the next user login.
8. The installed Linux Client appears in the list on the Client Management page in the
Management Tool.
Updating Linux Clients

About
Ekran System offers two update options for Linux Clients:
- automatic update
- update of selected Clients via the Management Tool
The automatic Client update is performed when a Linux Client connects to the Server of a
newer version. It is recommended to use the automatic Client update.
If you want to control the update of target Client computers yourself, you can disable the
automatic update on the required Clients and update them via the Management Tool.
After the Linux Client is updated, you will still be able to access the monitored data received
before its update.
NOTE: Linux Clients of very old versions might not be able to update. In this case, you need to
re-install the Clients.
Linux Client Status after Server Update

If the Update Client automatically option is enabled for the Linux Client, it is updated
automatically when it connects to the Server of a newer version.
If the Update Client automatically option is disabled for the Linux Client and it requires manual
update, it is displayed with the icon in the grid on the Clients page. Such Clients store the
monitoring data locally. They restart sending monitoring data to the Server after update.
Updating Linux Clients Automatically

To update a Linux Client automatically, do the following:
3. On the Clients page, select the Client that needs to be updated automatically and
click Edit Client.
4. On the Editing Client page, on the Properties tab, select the Update Client
5. Click Finish.
114
6. The Client will be updated automatically when it connects to the Server of a newer
version.
Updating Linux Client Manually

To update a selected Linux Client via the Management Tool, do the following:
4. On the Editing Client page, on the Properties tab, clear the Update Client
5. Click Finish to save the changes.
6. Update the Server.
10. On the Editing Client page, on the Properties tab, click Update Client.
11. On its next connection to the Server, the Client will be updated to a newer version.
Uninstalling Linux Clients

To uninstall the Linux Client from the command line, do the following:
1. Run the command line terminal.

2. Navigate to the folder with the Linux Client by entering the command:
$ cd /opt/.Ekran
3. The .Ekran folder contains the uninstall.sh script used to uninstall the Client.
4. Run the uninstallation script by entering the following command: $ sudo ./uninstall.sh
and press Enter.
5. Enter the password of the superuser.
6. Linux Client is successfully uninstalled.
Viewing Linux Clients

The Linux Clients are displayed in the Management Tool in the Clients list along with the
Windows Clients. If the user has an administrative Client installation and management
permission, they will see all Clients. In other case, the user will see only those Clients for which
they have at least one Client permission.
115
 Client name
 Status
 Type
 IPv4
 IPv6
 Description
The Domain column is empty for Linux Clients.
Please note, if there are several network cards on the Client computer, only the IPv4 and IPv6
addresses used by Linux Clients will be displayed in the Management Tool.
You can filter Linux Clients in the following ways:
 To find Linux Clients only, select Hide Windows Clients and Hide macOS Clients and
click Apply Filters.
116
Tray Notifications Application
About
The Ekran System Tray Notifications is a component to the Ekran System application that allows
you to receive notifications on alert events on Clients. Alerts are instances that notify the
investigator of a specific activity (potentially harmful/forbidden actions) on the target
computers with operating system on which Clients are installed and allow the investigator to
respond to such activity quickly without performing searches.
The application is completely independent and can be used for receiving alert notifications on
any computer.
Installing/Uninstalling the Tray Notifications Application

Installing the Tray Notifications Application
To install the Tray Notifications application, do the following:
1. Run the TrayNotifications_<version>.msi installation file.
3. Carefully read the terms of the End-User License Agreement and select I Accept
the terms in the License Agreement check box and click Next.
4. On the Destination Folder page, enter the installation path for deploying. Click Next.
5. Click Install to confirm the installation.

6. The installation process starts.
7. After the end of the installation process, click Finish to exit the wizard.
117
Uninstalling the Tray Notifications Application
To uninstall the Tray Notifications application, do the following:
1. Run the TrayNotifications_<version>.msi installation file.
2. The setup wizard opens.
4. On the Change, repair, or remove installation page, select Remove.
5. Click Remove to confirm removing.

6. Wait for the uninstallation process to complete.
118
Troubleshooting
Quick Access to Log Files
Log files contain information that might be useful for administrator for detecting problems in
the system if any.
You can either analyse the log files yourself to get more information on what is happening in
your system or send them to the Support team to help them in detecting the source of
problems in your system.
To download the Management Tool log file, click the Health Monitoring navigation link to the
left, click next to the System state tab and select Download MT log file in the menu. In the
Save As window, browse to the location, where the log file should be saved, and click Save. The
log file will be downloaded to your computer.
To download the Server log file, click the Health Monitoring navigation link to the left, click
next to the System state tab and select Download Server log file. In the Save As window,
browse to the location, where the log file should be saved, and click Save. The log file will be
downloaded to your computer.
Please note that every time the Server restarts, a new log file is created. The latter log file can
be downloaded via Management Tool, other log files can be viewed in C:\Program Files\Ekran
System\Ekran System\ServerLogs.
To download the Client log file, click the Client Management navigation link to the left, and
then click the Download Logs link for the required online Client. In the Save As window, browse
to the location, where the log file should be saved, and click Save. The Client log file will be
downloaded to your computer.
NOTE: The log files can be downloaded only for the online Clients.
To download the Client log files for the Client Group, click the Client Management navigation
link to the left, and then click the Download All Logs link for the required Client Group. In the
Save As window, browse to the location, where the log files should be saved, and click Save.
The Client log files will be downloaded to your computer.
Database/Server
Database/Server Related Issues
Issue Cause/Solution
I cannot start the Server from the To start the Server, the Server tray service must be
Server tray. started under the administrator account.
There are too many records in the Use the automatic or manual database
database. cleanup feature to remove the old records
from the database.
119
I have defined a new database, what The old database remains in place and is not
happened to the old one? changed.
I need to create a non-default SQL Make sure you have granted the dbcreator
database user whose account will be and public role to the SQL Server user whose
used for running Ekran System Server. account will be used for running CyFIR
Server. The User must change password at
next login option must be cleared.
I need to transfer the data from an old Unfortunately, the data cannot be
database to a new one/I want to transferred from one database to another.
change the type of the database
without losing data.
I have transferred the SQL database to Unfortunately, you can’t relocate the SQL
another computer. database to another computer. Though you can
move it to another location on the same PC with
SQL means.
I have changed the location of the To redefine the location of the Firebird
Firebird database. database, move it to another location and
change the corresponding values in the
Windows Registry Editor. See Moving the
Server Database chapter in the user manual
for more details.
I have installed a new version of the If you have updated the Server, your old
Server and I want to use the old database will remain. If you have reinstalled
database. the Server, you need to use a new database.
I have used the database cleanup The cleanup feature only removes data from
feature, but the size of the database the database, but doesn’t change the size
didn’t change. reserved by it. To reduce the size of the
database, click Shrink database on the
Database Management tab on the
Configuration page of the Management
Tool.
I have accidentally removed the You need to define a new database. To do

database from the MS SQL Server. this, you need to reinstall the Server.
I cannot shrink the database: the  Make sure you use the MS SQL Server
Shrink database button is absent in the database.
Management Tool on the Database  The shrinking cannot be performed if
Options tab. the cleanup procedure is in progress.
120
My anti-virus blocks the Server Due to the uninstaller specifics some anti-viruses
uninstallation/update. might detect it as a false positive during virus scan.
In this case, it is recommended to disable your
anti-virus during Server uninstallation/update.
Database/Server Related Error Messages

The following table provides the list of error messages related to databases and the Server and
their causes and possible solutions. These messages may appear in the Management Tool,
from the Server tray service, or during the installation of the Server.
Message Cause/Solution
If you get the following message in the  The Server has lost the connection to the
Management Tool: "Connection with MS SQL Server. Please make sure that the
MS SQL database is lost. Please check MS SQL Server is running and it is online and
that the database is accessible and try accessible. To check that the MS SQL Server
again." computer is accessible, enter the following
command in the Windows command line:
ping <name of the MS SQL Server computer>
 The connection to the MS SQL Server is
blocked by the Firewall. Try disabling the
Firewall on the MS SQL Server side.
If you get the following message when You can restart the Server service only under
trying to restart the Server service: the administrator account.
“Not enough permissions to restart
the Server.”
121
If you get the following error while  The program encountered an

trying to clean up the database: “Error unexpected error while trying to clear the
occurred while clearing the database. database. Try clearing the database again.
Please try again.”  Make sure the Server service is running.
There was a problem with connection to the
database. Please make sure that the
computer on which the database is installed
is online and accessible. To check that the
computer is accessible, enter the following
ping <name of the computer with installed
database>
If the problem still appears, please, send us
logs (the Server Service file), which you can
find in the Server sub-folder of the Ekran
System installation folder.
If you get the following message from  The Server has lost the connection to the
the Server tray service: "The Server database. Please make sure that the
connection with the database has computer on which the database is installed
been lost. Click to view logs." is online and accessible. To check that the
computer is accessible, enter the following
database>
If the problem comes up again, please, send
us logs (the Server Service file), which you
can find in the Server sub-folder of the Ekran
If you get one of the following  The program encountered an unexpected

messages while trying to perform an error while trying to perform an action with
action with database: database. Please try performing the action again.
 "An error occurred when  There was a problem with connection to
shrinking database. Please try the database. Please make sure that the
again." computer on which the database is installed
 "Error occurred while retrieving is online and accessible. To check that the
database info. Please try computer is accessible, enter the following
again." command in the Windows command line:
database>
If the problem still appears, please, send us
logs (the Server Service file), which you can
122
find in the Server sub-folder of the Ekran
Management Tool
Management Tool Related Issues
HTTP 500 Internal Server error is For Windows 7, follow these instructions:
displayed when I try to connect to the 1. Make sure that all the following check boxes
Management Tool. are selected in the Windows Features window:
Net Framework 3.5> Windows
Communication Foundation HTTP Activation
and Windows Communication Foundation
non-HTTP Activation.
2. Run the Command Prompt (cmd.exe) as
administrator:
Enter cd
%windir%\Microsoft.NET\Framework\v4.0.xxxx
x\aspnet_regiis.exe –iru (for 32 bit machine) or
%windir%\Microsoft.NET\Framework64\v4.0.x
xxxx\aspnet_regiis.exe –iru (for 64 bit
machine).
Example:
C:\Windows\Microsoft.NET\Framework64\v4.
0.30319\aspnet_regiis.exe –iru
3. Press Enter.
For Windows 10, 8.0 or 8.1, make sure that all the
following options are selected in the Windows
Features window: Net Framework 3.5> Windows
Communication Foundation HTTP Activation and
Windows Communication Foundation non-HTTP
Activation.
The license management function is Make sure you have the administrative Client
unavailable and I cannot assign licenses installation and management and License
to Clients. management permissions. In the Single-tenant
mode, if you have this permission, but the license
management function is still unavailable, then your
copy of the program is not licensed. Please purchase
serial keys and activate them online or activate
them on your vendor’s license site and add them
123
offline. In the Multi-tenant mode, if you are a user of
a not default tenant, contact your technician to
make sure you have the granted licenses.
I have no Internet connection on the You can activate the serial on the license site of your
computer with the installed Server and vendor and then add activated keys on the
cannot activate serial keys. computer with the installed Server.
I have reinstalled/updated the Server  If you activated serial keys online, after you
and now there are no activated serial reinstall or update the Server, activated serial
keys in it. keys will be automatically synchronized. For this
purpose, you need to have an active Internet
connection during the first start of the Server.
 If you used an offline activation (added activated
serial keys), you need to add them in the
Management Tool again.
The list of the domain computers is This problem can be caused by network or Windows
empty during the Client installation. issues (e.g. your computer cannot connect to the
local network). If there are no network problems, try
searching for computers via the Add computers by
IP option. To install Clients in such a way, on the
Computers without Clients page click Add
computers by IP.
The list of the domain computers is Ekran System obtains the list of domain computers
not complete during the Client using standard Windows methods, which do not
installation. always provide the full list of computers.
The target computer is out of the If DNS settings of your computer network allow, you
domain. can:
 Search for computers using the Add computers by
IP option. To install Clients in such a way, on the
Computers without Clients page, click Add
computers by IP.
 Create an installation package and install a Client
locally on the target computer. To generate an
installation package, on the Computers without
Clients page, click Download installation file and
then select the type of the installation file you
want to download. When the installation file is
downloaded to your computer, you can start the
installation process.
I have assigned a Terminal Server Any license can be unassigned from a Client
Client license instead of a Workstation anytime.
124
Client license to the Client or I have
assigned a license to the wrong Client.
There are some Clients that I did not These may be old Clients that were installed earlier.
install. You can uninstall them remotely via the
Management Tool or locally on the Client computer.
I do not receive email notifications, Make sure you do not use Microsoft Exchange
although the parameters are correct. Server 2010, which is not supported.
Some of the Management Tool Make sure that you have the corresponding
functions are unavailable. permissions for these functions.
The Management Tool page is Try clearing the browser cache and cookies and sign
displayed incorrectly. in again.
Some of the navigation links are not Try clearing the browser cache and cookies and sign
displayed on the Management Tool in again.
page.
I do not want to provide the user with By defining the Client permissions for the user in the
access to all Clients. Management Tool, you can define which Clients the
user will have the access to.
I forgot the password of the internal Contact the administrator and ask him to change the
user. password.
I forgot the password of the tenant If the tenant admin is registered via email, please
admin. contact your technician and ask to resend an email
with a new password.
If the tenant admin is a domain user, contact your
system administrator.
The user is able to perform actions that Check the groups which the user belongs to. He/she
are supposed to be prohibited for might have inherited some new permissions from
him/her (e.g. the user sees the Clients these groups.
that he/she doesn’t have a permission
for).
I haven’t received any reports or alert Check the Spam folder.

notifications by email.
Management Tool Error Messages

The following table provides the list of error messages that you may see while working in the
Management Tool and their causes and possible solutions.
125
If you get the following message when The program encountered an unexpected error
trying to connect to the Management while trying to perform an action.
Tool: “Server is unavailable. Please  Please refresh the Management Tool.
contact administrator.”
 Please make sure that the Server is
running.
 Please restart the Server and try again.
If the problem comes up again, please contact the
support.
If you get the following message when Please make sure that your login and the
trying to connect to the Management password are correct. If you are logging in as a
Tool: “Wrong password or Windows user, don’t forget to write <domain
username.” name>\<login>.
126
Windows Client
Checking that the Client Is Installed
If the Client is successfully installed, it will appear on the Clients page of the Management Tool
in the Data View pane.
If there is no Client in the Management Tool, you have to check whether the Client has been
installed.
You can check if the Client is installed on the investigated computer in one of the following
ways:
 The EkranService.exe process is running.
 The EkranClient and EkranController services are started.
 There is a <system disk>:\Program Files\Ekran System\Ekran System\Client\ folder

with executable files.
127
 The HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key has the following
values:
128
Clients Installation/Uninstallation Issues and Error Messages
The common reasons of issues with remote installation or uninstallation of Clients are the
inadequate network configuration or system settings. If you are sure that a user has
administrative rights on the Client computer, please check whether all of the conditions for
successful installation are met.
Remote Installation Error Messages

During remote Client installation you can get the following error messages:
 The user doesn’t have enough permission on the remote host.
 The network name cannot be found.
 Client machine must be rebooted before agent installation.
 The host is unavailable now or turned off. Try again later.
Solving Remote Installation Issues

If you receive the following error message during the remote Client installation: “The User
doesn’t have enough permission on the remote host”, as a rule, such issue may be caused by
the following reasons:
 There is no access to network shares.
 DNS service is unavailable.
 UAC is enabled (Windows 10/8/7/Vista).
 Errors in Active Directory.
 Issues with the Service Principle Name for the domain.
 Two computers have the same computer name.
Issue: There is No Access to Network Shares

For successful remote installation, Ekran System needs to access the administrative shares on
the target computers. At first, please check that you have access to administrative shares and if
there is no access, enable it.
How to Check:
To check the administrative shares availability, do the following:
1. Open Windows Explorer.
2. In the address bar type \\<target_computer_IP/Name>\admin$ and press Enter.
129
3. When the Enter Network Password window opens, enter administrator credentials
and click OK.
4. If the login credentials are accepted, the system folder opens (by default,
C:\Windows).
If you get an error after performing step 2, try the following:

 Open the Command Prompt (cmd.exe). Enter and execute the ping
<target_computer_name or IP> command. Check the following:
1. If you do not get ping replies, network may be down. Check the
network connection and try again.
2. If the network is up, but you do not get the ping reply, check the
firewall on the remote computer. Disable the firewall on the target
remote computer.
 If you are receiving ping replies, but the administrative share is still unavailable, check
that the Sharing Wizard or the Simple file sharing are disabled.
 If you are receiving ping replies and the sharing options are good, but you still cannot
access the administrative shares, check that the Server system service is running on the
remote computer.
If you get a login error after performing step 3, try the following:
 Make sure that the credentials you enter are correct. You have to enter the credentials
of a domain administrator or a local administrator account on the remote computer.
 Verify that the account password is not empty. Accounts with empty passwords cannot
be used for remote connection.
 Try typing the username as <domain_name>\<username> if the remote computer is in
a domain, or <computer_name>\<username> if the PC belongs to a workgroup.
130
How to Fix:
To enable access to administrative shares, you need to enable the Local Account Token
Filter Policy.
NOTE: This is a known Windows issue that might block remote application installation.
To enable Local Account Token Filter Policy:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Syste
m.
3. Double-click the LocalAccountTokenFilterPolicy value, or select it and click Modify in the
right-click menu.
4. In the Value data box, type 1, and then click OK.
5. Close the Windows Registry Editor.
If the LocalAccountTokenFilterPolicy registry value does not exist, follow these steps:
1. In the Windows Registry Editor in the Edit menu, click New, and then click DWORD Value.
2. Type LocalAccountTokenFilterPolicy and then press ENTER.
3. In the Value data box, type 1, and then click OK.
4. Close the Windows Registry Editor.
Issue: DNS Service is Unavailable
DNS service may be unavailable in your network. Try using the remote computer's IP address if
you cannot access it by the name.
How to check:
To check the DNS Service availability, please execute the following command in the Command
line (cmd.exe): ping <Computer name>.
If the command doesn’t respond, you have to enable the DNS Service.
How to fix:
To enable the DNS Service, please follow the instructions of the Windows Troubleshooting. In
the Windows Server 2003, you can use the netdiag.exe tool.
Issue: UAC is Enabled (Windows 10/8/7/Vista)

If you access the administrative shares normally on the remote PC running Window Vista or
Windows 7/8, but the Client remote installation fails, try disabling the User Account Control on
the remote computer.
131
How to check:
By default, UAC is enabled in Windows 8/7/Vista.
How to fix:
To disable UAC, do the following:
2. Select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System.
3. Double-click the EnableLUA value, or select it and click Modify in the right-click menu.
4. In the opened window, in the Value data filed, enter 0 and click OK.
5. Close the Windows Registry Editor window and then reboot the Client computer.
Issue: Active Directory Errors

Errors in Active Directory may be caused by the absence of the critical object that represents
the trust relationship between the two Active Directory domains, which have a parent/child or
tree root trust relationship.
How to Check:
Errors in Active Directory may occur when you have two or more replicated domains.
How to Fix:
To resolve errors in Active Directory, do the following:
1. Open the Active Directory Users > Computer Tools.
2. Open the System Container.
3. If there is no TDO object (trusted domain object) in the System container, please reset
the trust between parent and child relationships between domain controllers of
different domains with netdom.
Issue: Errors in Service Principal Name for the Domain

Issues with Service Principle Name (SPN) for the domain which is hosting the replica, can occur
when it has not been propagated to the domain that contains the account which you use when
you run the Dcpromo.exe file. This propagation may have been delayed because of replication
latencies.
How to Fix:
To resolve issues with SPN, do one of the following:
 Login with domain admin of the child domain.
 Wait for replication to complete and use the root admin account.
132
Issue: Two Computers Have the Same Computer Name
The computer in the child domain has the same name as the computer in the parent domain.
How to Fix:
To resolve this issue, rename the computer in the parent domain which has the same
name as the computer in the child domain.
If you get a message at the end of the remote Client installation: “The network name
cannot be found”, it can be caused by the following reasons:
 There is no access to the remote computer.
 There is no access to Network Shares.
Issue: There is No Access to the Remote Computer
How to Check:
Please check that you have access to the remote computer. To do this, enter the
following command in the Windows command line: ping <name of the remote computer>
If you do not receive any response, the access might be blocked by the remote computer
Firewall.
How to Fix:
Try enabling the Local Account Token Filter Policy on the target computer.
Issue: There is No Access to Network Shares.

Please follow the instructions described above.
If you get a message at the end of the remote Client installation: “Client machine must be
rebooted before agent installation”, please, reboot the computer because if the Client has
been recently uninstalled, the Client computer must be rebooted first.
If you get a message after clicking Uninstall Ekran System Client: “The host is unavailable now
or turned off. Try again later.”, this means that the Client may be offline or may not be able to
connect to the Server. Please do one of the following:
 Wait until the Client appears online.
 If the Client does not appear online, uninstall it locally on the Client computer via the
Windows command line by executing the following command: UninstallClient.exe
/key=<uninstallation key>
By default, the UninstallClient.exe file is located here: C:\Program Files\Ekran System\Ekran
System\.
133
Linux Client
Checking the State of the Linux Client
If the Linux Client is successfully installed, it will appear on the Clients page of the Management
Tool in the Data View pane.
If there is no Linux Client in the Management Tool, you have to check whether the Client has
been installed.
To check the status of the Linux Client, run the command-line terminal and enter the following
command:
$ service Ekran status
Restarting Linux Client

To restart the Linux Client, use the following command in the terminal of the Client computer:
 $ sudo service Ekran restart
Alternatively, stop and restart the Linux Client using the following commands:
 $ sudo service Ekran stop
 $ sudo service Ekran start
134

Ekran System Deployment Guide

Uploaded by

Copyright:

Available Formats

Ekran System Deployment Guide

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ekran System Deployment Guide

Uploaded by

Copyright:

Available Formats

Ekran System v.6.

Welcome to Ekran System!

Ekran System Server requirements:

Management Tool requirements:

Windows Client requirements:

macOS Client requirements:

Linux Client requirements:

Debian Debian 9.0, 8.0, 7.0

Linux Mint 17.xx - 13

RedHat RedHat 7.0, 6.0

Sun Microsystems Solaris 10.0

IBM AIX 7.2, 7.1

Ubuntu Ubuntu 18.04.1 LTS, Ubuntu 16.04.5 LTS, Ubuntu 16.04.2,

CentOS CentOS 7.1 – 7.5, CentOS 6.1 – 6.9

Suse Linux Enterprise 12(SP1, SP2, SP3)

Ekran System is an application specially designed to control user activity remotely.

Ekran System includes the following components:

 Ekran System Management Tool (further referred to as Management Tool): It is a

 Ekran System Linux/Unix Clients (further referred to as Linux Clients): Being

 Ekran System Tray Notifications application (further referred to as Tray

Database Types Comparison

Feature MS SQL Database PostgreSQL Database

Commercial/ Commercial database from Open source product

Processing High High

Additional o Maintenance tasks can be o Cross-platform. It can be run on

Backup Flexible backup logic Flexible backup logic

Microsoft website at the PostgreSQL website at

High Availability Mode

Standard and High Availability Modes Comparison

Feature Standard Mode High Availability Mode

Number of Servers One Multiple

System requirements Standard system Standard system requirements,

Component Physical IP address Logical IP address

Recommended for Average number of Large number of Client computers.

Installing Remote PostgreSQL Database Server

12. Click Install.

Backing up Ekran Master Certificate

2. In the opened User Account Control window, click Yes.

10. The Certificate Export Wizard opens.

Importing Ekran Master Certificate

Adding Server Executable to Windows Firewall

To add the Server executable to the Windows Firewall, do the following:

Using an External/Cloud-Based Server Computer

To update the Server, do the following:

5. On the Uninstall Ekran System page, click Uninstall.

7. Wait for the uninstallation process to complete.

Changing Server Port for Client Connection

Moving Binary Data to Shared or Local Folder

To move binary data to the shared folder, do the following:

Validating Monitoring Data

Signing Monitoring Data with Certificate

Step 1. Importing Trusted Certificate

10. The Certificate Import Wizard opens.

14. On the Certificate Store page, click Next.

Editing Database Parameters

Management Tool Installation Prerequisites

To be able to install the Management Tool, you need to:

Turning on Internet Information Service (IIS)

Turning on IIS for Windows Server 2008 R2