Exium’s SASE/XDR Central Admin Console offers several advanced settings that administrators can configure to tailor the service to their organization's specific needs. These settings can be toggled with simple YES/NO options, providing flexibility and control over how the service is deployed and used across devices and users. Below are detailed instructions on how to configure these advanced settings:
¶ Advanced Settings Configuration
¶ 1. Users/Devices Settings
¶ 1.1 Auto Attach Device to User
- Description: This setting, when enabled (YES), allows Managed Service Providers (MSPs) to use a device-based RMM script. Exium's algorithms will attempt to match devices to existing users in the admin console by utilizing information such as the signed-in user.
- Configuration: Toggle to YES to activate automatic device attachment to users, enhancing ease of device management within the tenant workspace.
¶ 1.2. Dynamic creation of users
- Description: When the agent is installed on an end user's device without mapping that device to a specific user, the installation fails. However, enabling this setting allows for the dynamic creation of users if no device-to-user mapping is found.
- Configuration: Set this option to NO to prevent dynamic user creation when there is no device-to-user mapping. Please note that in this configuration, the agent installation will fail.
¶ 1.3. Limit to One Device per OS/Platform
- Description: Although a user license can cover up to five devices, enabling this setting limits the use to one device per platform. For example, a user can only use Exium agent on one Windows device if this is set to YES. For more details, see our article on “Securing a Workspace by Restricting New Users and Devices”.
- Configuration: Select YES to ensure device usage is restricted to one per operating system or platform, maintaining control over device assignments.
¶ 1.4. Enable Linux
- Description: This setting allows users to use the Exium agent on Linux devices. Note that enabling Linux excludes Chromebook deployment, as the console currently supports one or the other, not both simultaneously.
- Configuration: Toggle YES if there is a need to support Linux devices within your network.
¶ 2. Tunnel Settings
¶ 2.1. SASE Tunnel for the clients
- Description: Determines if the SASE Tunnel has to be established on end user devices. By default, this is set to Yes. In some scenarios, if customer wants to disable the SASE Tunnel on end user, this setting can be used.
- Configuration: Toggle NO if there is a need to disable SASE Tunnel on end user devices.
¶ 2.2. Tunnel All Private Subnets Traffic
- Description: Determines if all private subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) traffic is routed via the Mesh or the select subnets (Trust Paths) are routed via the Mesh. For more details on traffic routing, see our article on “Optimizing Traffic Routing in Exium's SASE CyberMesh”.
- Configuration: Set to NO when you like users' local traffic not routed through the Mesh.
¶ 2.3. Route LAN Traffic Through Tunnel (Kill Switch)
- Description: Decides whether the LAN subnet, where the device is assigned an IP address, should be routed through the Mesh network. For more details on traffic routing, see our article on “Optimizing Traffic Routing in Exium's SASE CyberMesh”.
- Configuration: Select NO if you prefer the users' LAN subnet to bypass the Mesh routing.
¶ 3. User Device Controls
¶ 3.1. User Controls
- Description: Enabling this setting (YES) installs a tray application on endpoints, allowing users to switch the Exium SASE agent ON or OFF. This gives end-users control over their connectivity, in particular, when users need to switch between personal and work apps.
- Configuration: Select YES to allow user-friendly control over the agent via the tray application.
¶ 3.2. Auto Reconnect
- Description: When set to YES, the SASE agent will automatically reconnect after a 5-minute grace period. This grace period can be controlled by using Auto Reconnect Timer value. This is particularly useful when users need temporary disconnection, such as when accessing captive portals on public Wi-Fi networks.
- Configuration: Enable YES for seamless reconnection capabilities, ensuring consistent network connectivity without manual intervention.
¶ 3.3. Auto Reconnect Timer
- Description: This setting is linked to previous setting. If Auto Reconnect is set to Yes, You can also set the Auto Reconnect Timer value which will decide the grace period within which the agent reconnects automatically.
- Configuration: This is in term os minutes and the value should be in multiples of 5. For example, it can be set as 5 minutes or 10 minutes or 60minutes.
¶ 4. Agent Authentication
¶ 4.1 Enable Agent Authentication
- Description: This option ensures that the SASE agent only connects upon successful Single Sign-On (SSO) authentication. You can use any SSO mechanisms integrated with Exium for this authentication process.
- Configuration: Toggle to YES to secure connections with SSO verification, enhancing security through verified user authentication.
¶ 4.2. Activate Agent Authentication Exclusively for SPA Users
- Description: This setting mandates that the SASE agent for SPA users establishes a connection only after successful Single Sign-On (SSO) authentication. Meanwhile, for users solely on SIA, a seamless silent authentication will occur.
- Configuration: Switch to YES to enforce SSO verification for SPA connections, thereby strengthening security with confirmed user authentication.
¶ 5. Agent Upgrades/Others
¶ 5.1. Auto Upgrade
- Description: Ensures that the SASE agents are automatically updated to the latest software release, maintaining up-to-date security features and enhancements.
- Configuration: Set to YES to keep agents current without manual updates, ensuring optimal performance and security.
¶ Unlocking the Advanced Settings
- Navigate to the MSP admin console → Companies → Click on Company name (or directly go to the Customer/ Client Workspace Sign In)
- Click on Settings → Advanced
- Make your selections and click “Update”
¶ Conclusion
Configuring these advanced settings allows you to optimize the use of Exium’s SASE/XDR services according to your organizational requirements. With straightforward YES/NO selections, you can tailor device management, user interactions, and security protocols, ensuring a seamless and secure experience across your network. Adjust these settings as needed to maintain alignment with your security policies and operational needs.
For expert guidance on implementing SASE, XDR, IAM, and GRC solutions, reach out to Exium at partners@exium.net. If you are ready to get started, check out our testing and onboarding process.