General

Windows-based firewalls normally run on a Windows Server specifically configured to provide border security for a network.


Operational Functions

Secure connectivity
HyperManage can provide Server Console Access via the HyperNode IP-KVM port. The IP-KVM connection of the HyperNode gives remote access to a Windows Server by physically relaying its keyboard, video and mouse signals so that they can be operated from a different computer, normally located at a remote site. Furthermore, the HyperNode-based IP-KVM system not only allows full remote access to the server down to the BIOS level; it also provides remote media mapping, so that a block-type device such as a disk image physically located on the remote computer can be made available to the controlled server.
LAN-based services on the Windows Server based firewall can also be accessed securely through the HyperNode LAN port, which provides a secure IP tunnel right up to the firewall software. This gives access to services such as configuration interfaces reachable over an http/https connection. Such connections can be made securely via the HyperManage virtual VPN system without necessarily using the Server Console KVM access feature.

Operational Condition:
The Server Console access based on the IP-KVM interface does not rely on the Server's LAN access being active and operational: as long as the HyperNode can connect to the HyperServer, either via its standard LAN access or via an alternative out-of-band LAN access (a USB 3G dongle, for instance), access to the Server's console is guaranteed.
On the other hand, if the Server's LAN connectivity fails, because of a primary LAN failure or a firewall LAN misconfiguration, the LAN-based access becomes inoperative.



Automatic login procedure
The HyperManage platform can be set up to store all device credentials centrally, so that they need not be shared with the various people who might need to access those devices. This is a more efficient way to manage security in accessing remote devices, especially when freelance technicians are employed, perhaps through an outsourcing contract. When a technician finishes the job and is not supposed to access some systems any further, his or her account or access scheme can be centrally disabled or reconfigured, without worrying about device access credentials having been distributed to third parties.
On an IP-KVM based console access, the credentials needed to log into the system with the right privilege level can be "typed in" automatically by the HyperNode on a keyboard shortcut request from the user. This way the technician logs into the Windows Server based firewall with the privilege level predefined by the HyperManage system administrators, without ever knowing the Server's passwords.
For the LAN-based firewall-specific services, custom login scripts can easily be developed: they are downloaded to the relevant HyperNodes and executed on a specific request for access to an authorised LAN-based service. This again provides automatic login to potentially every service for the specific authorised users.

Remote power control
HyperManage external proprietary PDUs (Power Distribution Units) connected to a specific HyperNode allow the mains power of Windows Server based firewalls to be controlled remotely. This is a further essential tool: it enables the technician to perform a cold boot of a firewall and, via the IP-KVM based console connection, to follow the whole boot process and intervene during it, including entering the BIOS level configuration procedures.


Management Functions

Session recording and logging
All maintenance sessions to Windows Server based firewalls can be fully recorded, to enable post-analysis of all operations performed during an intervention. All accesses performed through the IP-KVM system to the Server's console are recorded and stored as video-clip files on the HyperServer subsystem called HyperRelay.
When LAN-based services are used to access the firewall, depending on how the connection is implemented, either a video file or a list of the commands and answers passed through the HyperNode can be recorded.
Full information on the technician performing the connection is also recorded: the technician's name, the date and time at which the intervention started and ended, and the IP address used by the technician during the connection are all available for subsequent analysis.

Proactive monitoring
All HyperManage monitoring services, on all types of equipment, are performed externally by the HyperNode hardware, which connects to the monitored devices through different interfaces without ever needing any software to be installed on the monitored equipment. In the case of a Windows Server, however, in order to offer a proactive monitoring service HyperMatrix has developed specific software that, running as a service on the Windows Server, provides continuous monitoring of a set of system-wide parameters.
This is the only available way to guarantee that the Server is always running in a healthy state and that the processes essential to the services it provides are up and running. The software is in permanent connection with a local HyperNode that is responsible for the monitoring operation.
When HyperManage, notified by the local HyperNode, detects a faulty condition, such as a parameter exceeding a programmed threshold, it generates an alarm.
Like all other alarms, the reaction can be to alert users and/or technicians via Email/SMS/SNMP/telephone call notifications, and the alarm is of course displayed on the management view of the HyperManage platform.


In order to monitor specific software or specific hardware installed in the firewall it is also possible to use the SNMP monitoring over LAN service. HyperManage allows a MIB file describing the relevant SNMP traps generated by the firewall to be uploaded centrally. The HyperNode can then be configured to react on reception of traps containing specific OIDs (Object Identifiers) and to generate configurable alarms on the HyperManage platform.
It must be noted that there is an important difference between SNMP-based monitoring and the HyperManage Windows Server Monitoring service. SNMP procedures are in general passive: the generation of an alarm relies on the monitored system or process being in a condition to send the trap over a LAN connection. If the system crashes suddenly, it is possible that no trap is sent to the monitoring system, simply because the system was no longer able to send it. With the HyperManage Windows Server Monitoring service, the HyperNode responsible for the server expects a regular status report from the monitoring service software running on the Windows Server; if that software fails to report, an alarm can be generated. The service can also be programmed to perform automatic actions, for instance on the sudden death of a process: the Windows Monitoring Service can restart the process automatically, and the HyperNode signals the action to the HyperManage central monitoring system.
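The contrast between a passive trap receiver and an active heartbeat monitor, as an added Python illustration that is not HyperManage code and does not reflect its real interfaces: a HeartbeatMonitor treats silence from the server as a fault and can act on a dead process, while a TrapReceiver can only react to traps that actually arrive. The class names, the report format, the metric names, the process name "fwsvc" and the OID value are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed placeholder OID; not a real enterprise OID for any product.
FW_DOWN_OID = "1.3.6.1.4.1.0.1"


@dataclass
class StatusReport:
    """One periodic report from a hypothetical monitoring service on the server."""
    sent_at: float                 # seconds on the monitor's clock
    metrics: Dict[str, float]      # e.g. {"cpu_pct": 40.0}
    processes: Dict[str, bool]     # process name -> currently running


@dataclass
class HeartbeatMonitor:
    """Active monitoring: the monitoring node expects a report every `interval` seconds."""
    interval: float
    missed_allowed: int            # reports that may be missed before raising an alarm
    thresholds: Dict[str, float]   # metric -> maximum acceptable value
    essential: List[str]           # processes that must be running
    last_report: Optional[float] = None
    alarms: List[str] = field(default_factory=list)
    restarted: List[str] = field(default_factory=list)

    def receive(self, report: StatusReport) -> None:
        """Check thresholds and essential processes in each report as it arrives."""
        self.last_report = report.sent_at
        for name, limit in self.thresholds.items():
            value = report.metrics.get(name)
            if value is not None and value > limit:
                self.alarms.append(f"threshold: {name}={value} > {limit}")
        for proc in self.essential:
            if not report.processes.get(proc, False):
                # Automatic action (restart) is taken and signalled as an alarm.
                self.restarted.append(proc)
                self.alarms.append(f"restarted: {proc}")

    def check(self, now: float) -> Optional[str]:
        """Timer-driven: silence longer than the allowed window is itself a fault."""
        deadline = self.interval * (self.missed_allowed + 1)
        last = self.last_report if self.last_report is not None else 0.0
        if self.last_report is None or now - last > deadline:
            alarm = f"heartbeat: no report for {now - last:.0f}s"
            self.alarms.append(alarm)
            return alarm
        return None


class TrapReceiver:
    """Passive monitoring: an alarm exists only if the device manages to send a trap."""

    def __init__(self, trap_oids: Dict[str, str]) -> None:
        self.trap_oids = trap_oids     # OID -> alarm text, as a MIB upload would define
        self.alarms: List[str] = []

    def receive_trap(self, oid: str) -> None:
        if oid in self.trap_oids:
            self.alarms.append(self.trap_oids[oid])
    # Deliberately no check(): nothing happens while no trap arrives.


def new_pair() -> Tuple[HeartbeatMonitor, TrapReceiver]:
    hb = HeartbeatMonitor(interval=30.0, missed_allowed=1,
                          thresholds={"cpu_pct": 90.0}, essential=["fwsvc"])
    return hb, TrapReceiver({FW_DOWN_OID: "firewall service down"})


def crash_scenario(crash_at: float = 100.0, end: float = 200.0):
    """Server reports every 30s, then dies at `crash_at` and sends nothing more."""
    hb, traps = new_pair()
    t = 0.0
    while t < end:
        if t < crash_at:
            hb.receive(StatusReport(t, {"cpu_pct": 40.0}, {"fwsvc": True}))
        # After the crash the host sends neither reports nor traps.
        t += 30.0
    hb.check(end)
    return hb.alarms, traps.alarms


def degraded_scenario():
    """Server alive but unhealthy: report shows both faults and the trap gets through."""
    hb, traps = new_pair()
    hb.receive(StatusReport(0.0, {"cpu_pct": 95.0}, {"fwsvc": False}))
    traps.receive_trap(FW_DOWN_OID)
    hb.check(10.0)   # well within the heartbeat window, so no silence alarm
    return hb.alarms, hb.restarted, traps.alarms


if __name__ == "__main__":
    print("crash:", crash_scenario())
    print("degraded:", degraded_scenario())
```

In the crash scenario the trap receiver stays silent, which is exactly the blind spot the text describes, while the heartbeat monitor raises an alarm once the server has missed more reports than allowed; in the degraded scenario both detect the problem, and only the heartbeat side records the automatic restart.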

Central storage of configuration/backup files
HyperManage can be configured to allow centralized storage of the configuration files of a managed firewall as a backup system. This way users and technicians can upload the firewall's configuration files to the HyperManage Server. Centralized access to these files by privileged technicians, so that they can analyze them, can be very important in fault prevention, and system-wide availability of the firewall configuration files is an essential feature during a fail-over procedure. Each configuration can be uploaded as a compressed file, and a comment file can be linked to each uploaded configuration. For every backup configuration uploaded, HyperManage makes sure that all the user's details, including the date and time of the backup operation, are stored in the system.