Configure various system-wide settings that affect the entire Collective.
Background information
For a description of how certificates and tokens control user access, and of token renewal, refer to: System operation - token flows.
For more about tokens and token renewal, refer to the section on Robust resilient architecture.
Settings
Collective Details
Collective Name
You can change the assigned name to a more meaningful name.
Expiration Settings
SPA Token Expiration (seconds)
The special SPA packets used throughout the Collective have a specific lifetime. To prevent replay attacks during this lifetime, a cache is kept of accepted SPA packets. Both the lifetime and the cache may be dynamically reduced to conserve memory when memory runs short. On new systems the default is 3600 seconds.
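To show how the lifetime and the replay cache work together, here is a small model of an SPA replay cache. It is an added illustration written for this page, not the appliance's own code, and the shrink policy under memory pressure (drop the oldest quarter of entries and lower the effective lifetime to match) is a constructed assumption that keeps the two settings consistent: a packet older than anything the cache still remembers is rejected by the age check, so forgetting it never opens a replay window.

```python
import hashlib
from collections import OrderedDict


class SpaReplayCache:
    """Remembers accepted SPA packets for as long as they remain valid, so a
    captured packet replayed inside its lifetime is refused. Hypothetical
    model written for this page, not the appliance's implementation."""

    def __init__(self, lifetime_seconds=3600, max_entries=100_000):
        self.lifetime = lifetime_seconds            # configured SPA Token Expiration
        self.effective_lifetime = lifetime_seconds  # may shrink under memory pressure
        self.max_entries = max_entries
        self._seen = OrderedDict()                  # packet digest -> time accepted

    @staticmethod
    def _digest(packet):
        return hashlib.sha256(packet).digest()

    def _evict_expired(self, now):
        # Entries are inserted in time order, so expired ones sit at the front.
        while self._seen:
            accepted_at = next(iter(self._seen.values()))
            if now - accepted_at < self.effective_lifetime:
                break
            self._seen.popitem(last=False)
        if not self._seen:
            self.effective_lifetime = self.lifetime  # pressure over, restore full window

    def _shrink(self, now):
        # Memory pressure (constructed policy): drop the oldest quarter of the
        # cache AND cut the effective lifetime to the age of the oldest entry
        # still cached. Anything older than what we remember now fails the age
        # check in accept(), so evicting it cannot enable a replay.
        for _ in range(max(1, len(self._seen) // 4)):
            self._seen.popitem(last=False)
        if self._seen:
            oldest_age = now - next(iter(self._seen.values()))
            self.effective_lifetime = min(self.effective_lifetime, oldest_age)

    def accept(self, packet, packet_timestamp, now):
        """Return True if the packet is fresh and unseen; False if stale or replayed."""
        self._evict_expired(now)
        age = now - packet_timestamp
        if age < 0 or age >= self.effective_lifetime:
            return False                             # clock skew or outside the window
        digest = self._digest(packet)
        if digest in self._seen:
            return False                             # replay of an already accepted packet
        if len(self._seen) >= self.max_entries:
            self._shrink(now)
        self._seen[digest] = now
        return True
```

The model assumes `now` is monotonic across calls; the caller passes the clock in so the behaviour can be checked deterministically.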
Claims Token Expiration (minutes)
The lifetime of a user's Claims Token. The Client will try to renew the Claims Token during the 5 minute window before it actually expires. The Claims Token renewal experience will depend on the IdP and Client configuration:
With LDAP/RADIUS, the Client caches the user credentials in memory so the claims token renewal should be transparent for the user.
With SAML, if SAML/Certificate auto sign-in is enabled the browser will open but the user experience will depend on the OS, browser and SAML provider.
With SAML, if SAML/Certificate auto sign-in is disabled the Client will prompt the user to re-authenticate.
With SAML, if the ForceAuthn option is enabled in the IdP, then the user will have to perform SAML re-authentication.
If MFA at Sign-in is set to Always, then the user will have to use their MFA in all situations.
After the 5 minute window, if renewal has not happened, then the Gateways will block the user's traffic. Defaults to 1440 minutes (24 hours).
Entitlement Token Expiration (minutes)
The lifetime of a user's Entitlement Token. If changes to a user's Entitlements need to take effect quickly, Entitlement Tokens can be revoked manually. Learn more about how to Disable, change or remove access. Use Registered Devices to renew tokens.
Defaults to 1440 minutes (24 hours). Maximum is limited to 10080 minutes (7 days).
Administration Token Expiration (minutes)
The lifetime of an admin's Token. Defaults to 1440 minutes (24 hours).
VPN Certificate Expiration (minutes)
The lifetime of a user's VPN Certificate (or Client Certificate). Defaults to 525600 minutes (365 days).
Registered Device Expiration (days)
Registered devices are purged from the system automatically the configured number of days after they were last seen. Defaults to 90 days.
Messages
Administration Banner Message
This message will appear on the sign-in form of the admin UI. Use it for any warning you want to give about improper use, monitoring, etc.
Message Of The Day
This message will be presented to users after signing in to the admin UI or Client. It is also possible to present a message to SSH users; this needs to be configured from the command line using SSH.
General Appliance Settings
Global Client Profile DNS name
This DNS name is used when Client profiles are created and is typically shared across all the Controllers. It was generated when you created your first Controller.
SPA Use
SPA protects access to the System TLS Connection on port 443. The appliance must receive a special SPA packet before a connection can be established.
New systems will have TCP SPA enabled by default. The System Security - best practice guidance recommends UDP-TCP SPA as the best way to configure SPA. To better understand these alternatives there is a detailed explanation of Single Packet Authorization in SPA. This includes details of the per-appliance override feature for SPA, which can be useful when users are experiencing connectivity problems (dropped or mis-routed UDP packets) while using SPA in UDP-TCP mode.
Check TCP SPA key before allowing connections
TCP port 443 remains open, however only connection attempts that include the special TLS ClientHello packet can establish a TLS connection. The TLS ClientHello packet carries a specially crafted custom extension. Please ensure this extension is not filtered or removed by any application-aware firewalls.
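A practical way to confirm that an application-aware firewall is not stripping the extension is to capture the ClientHello on both sides of the device and compare the extension types each one carries. The parser below is an added example for this page, not Appgate code; the extension type `SPA_EXTENSION_TYPE` is a placeholder from the private-use range, because the real value is not documented here, and `build_client_hello` only exists to construct sample input offline (a captured record would normally be fed to `client_hello_extensions` instead).

```python
import struct

# Placeholder in the private-use ExtensionType range (65280-65535). The actual
# extension type used by the appliance is NOT given on this page.
SPA_EXTENSION_TYPE = 0xFFAA


def build_client_hello(extensions):
    """Assemble a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    body = b"\x03\x03" + bytes(32)                   # client_version, random (zeroed sample)
    body += b"\x00"                                  # empty session_id
    suites = b"\x13\x01\xc0\x2f"                     # two cipher suites; values are not inspected
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def client_hello_extensions(record):
    """Return [(extension_type, data), ...] parsed from a ClientHello record.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len, = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated handshake")
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id
        cs_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos == len(body):
            return []                                 # no extensions block at all
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length mismatch")
        exts = []
        while pos < end:
            ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + data_len]
            if len(data) != data_len:
                raise ValueError("truncated extension")
            exts.append((ext_type, data))
            pos += data_len
        return exts
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc


def spa_extension_present(record, ext_type=SPA_EXTENSION_TYPE):
    """True if the ClientHello still carries the SPA extension after any middlebox."""
    return any(t == ext_type for t, _ in client_hello_extensions(record))
```

Run `spa_extension_present` on a ClientHello captured in front of the firewall and on the same connection captured behind it; if the first returns True and the second False, the device is rewriting the handshake and the TCP SPA check on the appliance will refuse the connection.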
Check UDP (and TCP) SPA key before allowing connections
TCP port 443 is closed and is only opened for the connecting IP address once a specially crafted UDP packet is presented. The TLS ClientHello packet can then be sent to establish a TLS connection. (DTLS tunnels will just use UDP 443).
The specially crafted UDP packet is sent in two different ways: as a SPA-DTLS packet on port 443 and as a SPA-DNS packet on port 53. Only one of these needs to reach the appliance. On receipt, the appliance's firewall is updated to allow port 443 access for UDP (for DTLS) or TCP (for TLS) from the Client's IP address. Please ensure your firewalls allow UDP traffic on port 443 and port 53.
Backup API
This allows an API to be used for taking appliance backups.
NOTE
When this is unchecked any existing passphrase will be deleted.
Backup Passphrase
When using Controller APIs for taking appliance backups, the file will be encrypted. Set the passphrase to be used to encrypt the backup files.
GeoIP
Enable the update of the GeoIP database. See GeoIP location database for more details.
Defaults to DISABLED.
Audit Log Persistence Mode
Log persistence has a performance impact. Choose the mode which best suits your business needs. More information about Audit Log Persistence can be found in Audit Logs.