Global Settings


Configure various system wide settings affecting the entire Collective.

Background information

For a description of how certificates/tokens control user access, and token renewal, refer to: System operation - token flows.

For more about tokens and token renewal, refer to the section on Robust resilient architecture.

Settings

The following subsections describe the fields in the Global Settings page.

Collective Details

Complete the following to update the Collective details:

  • Collective Name. You can change the assigned name to a more meaningful name.

Expiration Settings

  • SPA Token Expiration (seconds). The special SPA packets used throughout the Collective have a specific lifetime. To prevent replay attacks during this time, a cache is kept of accepted SPA packets. The time/cache may be dynamically reduced to conserve memory when it runs short. On new systems the default is set to 3600.

  • Claims Token Expiration (minutes). A user's Token lifetime. The Client will try to renew the Claims token during the 5 minute window before it actually expires. The Claims Token renewal experience will depend on the IdP and Client configuration:

    • With LDAP/RADIUS, the Client caches the user credentials in memory so the claims token renewal should be transparent for the user.

    • With SAML, if SAML/Certificate auto sign-in is enabled the browser will open but the user experience will depend on the OS, browser and SAML provider.

    • With SAML, if SAML/Certificate auto sign-in is disabled the Client will prompt the user to re-authenticate.

    • With SAML, if the ForceAuthn option is enabled in the IdP, then the user will have to perform SAML re-authentication.

    • If MFA at Sign-in is set to Always, then the user will have to use their MFA in all situations.

After the 5 minute window, if renewal has not happened, then the Gateways will block the user's traffic. Defaults to 1440 minutes (24 hours).

  • Entitlement Token Expiration (minutes). A user's Token lifetime. If changes to a user's entitlements need to be implemented quickly, Entitlement Tokens can be revoked manually. Learn more about how to Disable, change or remove access. Use Registered Devices to renew tokens. Defaults to 1440 minutes (24 hours). Maximum is limited to 10080 minutes (7 days).

  • Administration Token Expiration (minutes). An admin's Token lifetime. Defaults to 1440 minutes (24 hours).

  • VPN Certificate Expiration (minutes). A user's VPN Certificate (or Client Certificate) lifetime. Defaults to 525600 minutes (365 days).

  • Registered Device Expiration (days). Registered devices are purged from the system automatically X days after they are last seen. Defaults to 90 days.

Messages

  • Administration Banner Message. This message will appear on the sign-in form of the admin UI. This should be used for any warning you might want to have about improper use, monitoring, etc.

  • Message Of The Day. This message will be presented to users after signing in with the admin UI or Client. It is also possible to present a message to SSH users. This needs to be configured from the command line using SSH.

General Appliance Settings

  • Global Client Profile DNS name. This DNS name is used when Client profiles are created and is typically shared across all the Controllers. It was generated when you created your first Controller.

  • SPA Use. SPA protects access to the System TLS Connection on port 443. The appliance must receive a special SPA packet before a connection can be established.
    New systems will have TCP SPA enabled by default. The System Security - best practice guidance recommends you use UDP-TCP SPA as the best way to configure SPA. To better understand these alternatives there is a detailed explanation about Single Packet Authorization in SPA. This includes details of the per-appliance override feature for SPA, which can be useful when users are experiencing connectivity problems (dropped or mis-routed UDP packets) when using SPA in UDP-TCP mode.

    • Check TCP SPA key before allowing connections. TCP port 443 remains open, however only connection attempts that include the special TLS ClientHello packet can establish a TLS connection. The TLS ClientHello packet comprises a specially crafted custom extension. Please ensure this is not filtered or removed by any application aware firewalls.

    • Check UDP (and TCP) SPA key before allowing connections. TCP port 443 is closed and is only opened for the connecting IP address once a specially crafted UDP packet is presented. The TLS ClientHello packet can then be sent to establish a TLS connection. (DTLS tunnels will just use UDP 443).

The specially crafted UDP packet is sent two different ways - as a SPA-DTLS packet on port 443 and as a SPA-DNS packet on port 53. Only one of these needs to make it through to the appliance. On receipt, the appliance's firewall is updated to allow 443 access for UDP (for DTLS) or TCP (for TLS) from the Client's IP address. Please ensure your firewalls allow UDP traffic on port 443 and port 53.
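As an added illustration, not the product's own code or wire format, the following Python models the two behaviours described on this page: the SPA packet lifetime and replay cache from Expiration Settings (accepted packets are remembered for the SPA Token Expiration period, and the cache may be reduced under memory pressure), and the UDP-TCP SPA gate described above (port 443 stays closed until a valid SPA packet arrives, after which it is opened for that source IP). The packet layout (timestamp, nonce, HMAC-SHA256 tag), the shared key, the cache size limit and the timed allow rule are all constructed assumptions for the example.

```python
"""Toy model of an appliance's SPA gate and replay cache.

Constructed example: the packet layout, key, cache limits and allow-rule
lifetime are assumptions for illustration, not the product's format.
"""
import hashlib
import hmac
import os
import time

# Assumed shared SPA key (constructed for the example).
SPA_KEY = b"constructed-demo-key"
BODY_LEN = 8 + 16        # assumed layout: 8-byte timestamp | 16-byte nonce
TAG_LEN = 32             # HMAC-SHA256 tag over the body


def build_spa_packet(key, now=None):
    """Client side: timestamp + random nonce, authenticated with the key."""
    ts = int(now if now is not None else time.time())
    body = ts.to_bytes(8, "big") + os.urandom(16)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGate:
    """Appliance side. Port 443 is closed by default; a valid, fresh SPA
    packet opens it for the sender's IP. Accepted packets are cached for
    `lifetime` seconds (the SPA Token Expiration) so a replayed copy is
    rejected; the cache is reduced when it grows past `max_cache`."""

    def __init__(self, key, lifetime=3600, max_cache=10000):
        self.key = key
        self.lifetime = lifetime
        self.max_cache = max_cache
        self.seen = {}      # packet digest -> time accepted (replay cache)
        self.allowed = {}   # source IP -> expiry of its port-443 allow rule

    def accept(self, packet, src_ip, now=None):
        """Return True and open 443 for src_ip if the packet is valid."""
        now = now if now is not None else time.time()
        self._expire(now)
        if len(packet) != BODY_LEN + TAG_LEN:
            return False
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # bad key or tampered packet
        ts = int.from_bytes(body[:8], "big")
        if abs(now - ts) > self.lifetime:
            return False                      # outside the packet lifetime
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return False                      # replay within the lifetime
        if len(self.seen) >= self.max_cache:
            self._shrink()
        self.seen[digest] = now
        # Assumed: the allow rule lives as long as the SPA lifetime.
        self.allowed[src_ip] = now + self.lifetime
        return True

    def is_open(self, src_ip, now=None):
        """Is TCP/UDP 443 currently allowed from src_ip?"""
        now = now if now is not None else time.time()
        self._expire(now)
        return src_ip in self.allowed

    def _expire(self, now):
        # Drop cache entries older than the lifetime and stale allow rules.
        self.seen = {d: t for d, t in self.seen.items()
                     if now - t <= self.lifetime}
        self.allowed = {ip: e for ip, e in self.allowed.items() if e > now}

    def _shrink(self):
        # Memory pressure: keep only the newest half of the replay cache.
        # This shortens the effective replay window, which is the trade-off
        # the page describes when the cache is dynamically reduced.
        newest = sorted(self.seen.items(), key=lambda kv: kv[1])
        self.seen = dict(newest[len(newest) // 2:])


if __name__ == "__main__":
    gate = SpaGate(SPA_KEY, lifetime=3600)
    pkt = build_spa_packet(SPA_KEY, now=1000)
    print("open before SPA:", gate.is_open("198.51.100.7", now=1000))
    print("accepted:", gate.accept(pkt, "198.51.100.7", now=1000))
    print("open after SPA:", gate.is_open("198.51.100.7", now=1000))
    print("replay accepted:", gate.accept(pkt, "203.0.113.9", now=1500))
```

The replay check and the lifetime check work together: a copy of an accepted packet is refused while it is still in the cache, and once the cache entry has aged out the timestamp check refuses it anyway, so reducing the cache under memory pressure only matters for packets still inside their lifetime.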

  • Backup API. This allows an API to be used for taking appliance backups.

    • Backup Passphrase. When using Controller APIs for taking appliance backups, the file will be encrypted. Set the passphrase to be used to encrypt the backup files.

NOTE

When this is unchecked any existing passphrase will be deleted.

  • GeoLocation Updates. Defaults to Disabled. Allows you to configure and enable the source of your GeoIP database. Select Disabled, Default, or configure your Maxmind or IPinfo account. You can also use a Custom URL. See Geolocation database for more details.

    • Maxmind account. Enter your Account ID and License Key.

    • IPinfo account. Select your database and enter your token.

    • Custom URL. Enter the URL.

NOTE

The GeoIP database can be gigabytes in size. To verify the new database before replacing the old, both must be on the disk at the same time. Ensure there is enough free disk space on the Gateway and Controller appliances to hold the size of the database you will be using.

  • Audit Log Persistence Mode. Log persistence has a performance impact. Choose the mode which best suits your business needs. More information about Audit Log Persistence can be found in Audit Logs.