
Managing Your Installation
It is possible to monitor computers that "leave" the network or normally operate from a remote location. Gather Client data across the Internet by providing a path for a Client to communicate with Server Components, and for the Control Center to communicate with the Client:
In both cases, the Clients send recorded data to the central Data Vault Server, request web filtering instructions from the central Web Filter Server, request updates and licensing from the central Primary Server, and are managed by the central Control Center.
The Client is configured to communicate with each Server component on a specific port. If the Client is connected by VPN, normally all open ports are available. If the Client is connected by Internet, you need to configure the Server-side device receiving communication to forward ports requested by the Client to the correct port at the computer where each Server is installed. By default, Clients and Servers are configured for communication at the following ports:
Client to Control Center: 16768
Client to Data Vault: 16769
Client to Primary Server: 16770
Client to Web Filter Server: 16771
Control Center to Client: 2468
When a Client is connected via VPN, the Control Center has no trouble communicating with and managing the Client. When a Client is connected via Internet, unless the Client is operating from a static IP address that can be added to the Server-side DNS or host file, the Control Center will not be able to identify or manage the remote Client. However, Client data is still delivered to the central Data Vault and processed for viewing, and web site access is still filtered by the Web Filter Server.
A VPN connection allows communication with a remote Client as if it were local.
To set up Client VPN connection:
Use the Deployment Utility or Configure Computers > Client Settings.
On the Client’s Server Settings panel, make sure that you specify the correct central Computer Name or Static IP Address and Port for each Server.
Make sure the Control Center Properties for each Server are set to the same IP address and Port.
As long as the Client is on the network (locally or via VPN) you can install the Client from the Control Center.
The VPN connection allows:
Secure access to the server at the central location.
Installing, configuring, and integrated management of the remote Clients from the centralized Control Center.
Communication between each remote Client and the central Primary Server.
Delivery of recorded data from the remote Clients to the central Data Vault server.
Centralized Web Filtering provided by the Web Filter Server (WFS) at the remote Clients.
When you configure Clients to connect to a static, external IP address at the Server side, you must ensure that the necessary ports are forwarded and open to traffic. The diagram below assumes the Client is using the default ports and communicating from a static IP address.
To set up Client\Server Communication via the Internet:
Use a static IP for all Server computers.
Each Server Component should be installed on a computer using a static IP address. In the above illustration, all Servers are installed on a computer with the address 192.168.1.10.
Set up the external static IP address.
This IP address will be used to receive communication from the roaming Clients for the Servers. In the above illustration, a NAT router device has the address 65.8.119.2.
Opening up external IP addresses leaves your network vulnerable to DoS and flood attacks from hackers. It is imperative that you use industry-strength, standard firewall protection.
Build a Client Install file that uses the external static IP address.
This install file will have different settings from the one used for local Clients, and will have to be installed manually because the central Control Center won’t be able to resolve the remote computer names.
Use the Deployment Utility at the Control Center.
When you arrive at the Server Settings panel in the Deployment Utility, for ALL Servers check Use Static IP.
In each Server section, use the Edit button next to the Server IP field to enter the external IP address. In the above illustration the address 65.8.119.2 would be entered in each field.
Make sure the Port entries for each server are correct.
After building the remote Client Install file, rename the .sds file with an .exe suffix; for example, spsetup_settings.exe.
Install the Client manually.
Run the .exe file at each computer. See Installing at the Client Computer. If the Client communicates from a static IP address, you can add the Client's static IP address to your Server side DNS or host file to provide name resolution. The Control Center will then be able to fully manage the Client.
Configure port forwarding.
Use your NAT or other system configuration interface to forward the ports used by the Client (as were listed in the Server Settings panel) to the appropriate Server port. If possible, forward the Client listening port on the Client side.
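
An added example (not part of the product or its documentation): a small Python audit that compares a NAT forwarding table with the default ports listed above, so that only the four Client-to-Server ports are exposed and each reaches the right Server. The "external port -> ip:port" rule format, the sample table and the function names are constructed for illustration.

```python
# Default ports listed on the page, keyed by the Server component they reach.
SERVER_PORTS = {"Control Center": 16768, "Data Vault": 16769,
                "Primary Server": 16770, "Web Filter Server": 16771}
CLIENT_LISTEN_PORT = 2468  # Control Center to Client; forwarded on the Client side

# Constructed sample: forwarding table exported from the NAT device at 65.8.119.2.
SAMPLE_RULES = """
16768 -> 192.168.1.10:16768
16769 -> 192.168.1.10:16796   # transposed digits
16771 -> 192.168.1.10:16771
2468  -> 192.168.1.10:2468
3389  -> 192.168.1.10:3389
"""
# Assumption from the page's illustration: every Server runs on 192.168.1.10.
SERVER_HOSTS = {name: "192.168.1.10" for name in SERVER_PORTS}

def parse_rules(text):
    """Parse 'ext_port -> ip:port' lines; blank lines and # comments are skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ext, target = (part.strip() for part in line.split("->"))
        ip, port = target.rsplit(":", 1)
        rules[int(ext)] = (ip, int(port))
    return rules

def audit(rules, server_hosts):
    """Return findings for missing, misdirected and unneeded forwards."""
    findings = []
    for name, port in SERVER_PORTS.items():
        want, got = (server_hosts[name], port), rules.get(port)
        if got is None:
            findings.append(f"MISSING {port}: roaming Clients cannot reach {name}")
        elif got != want:
            findings.append(f"WRONG {port}: {name} forwarded to {got[0]}:{got[1]}, "
                            f"expected {want[0]}:{want[1]}")
    for port in sorted(set(rules) - set(SERVER_PORTS.values())):
        if port == CLIENT_LISTEN_PORT:
            findings.append(f"MISPLACED {port}: Client listening port opened Server-side")
        else:
            findings.append(f"EXTRA {port}: not a Client-to-Server port, close it")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES), SERVER_HOSTS):
        print(finding)
```

If the Servers are installed on different computers or use non-default ports, adjust SERVER_HOSTS and SERVER_PORTS to match the values entered in the Server Settings panel.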