Security Settings
The Solstice Pod is a network-attached device that provides straightforward and secure wireless access to existing display infrastructure by leveraging a host IT network. When Pods are configured according to these guidelines, users can quickly connect and share content to the displays in Pod-enabled rooms while network security standards are still maintained. Pods that are not configured properly can be vulnerable to user and network security breaches, including unauthorized user access, screen capture and recording, unauthorized changes to configuration settings, and denial-of-service attacks.
How To
To protect Solstice Pod configurations, you can set an admin password for each Pod that may be required to add Pods to Solstice Dashboard management and to make Pod configuration changes through USB-based local config, browser-based web config, and the configuration API. The admin password is also required to retrieve usage logs from Solstice Pods or to perform a factory reset.
Tip
Mersive strongly recommends setting the same administrator password for all your Solstice displays.
In Solstice Dashboard, select all your displays from the list of Your Solstice Instances.
Go to the Security tab.
To enforce password validation rules (8-character minimum, one uppercase and one lowercase character, one number or special character), select the Enforce password validation rules option.
In the Admin Password field, enter the password to use for the selected displays, or remove the password entirely.
Click Apply.
Even without an admin password set to protect Solstice configurations, you can prevent users from making in-room changes by disabling the ability to configure the Solstice Pod using the local configuration panel (accessed directly via the Pod) or the web configuration panel (accessed via a web browser). However, doing so means that you can only configure Pods using Solstice Dashboard or Solstice Cloud, both of which require Pods to have network connectivity.
In Solstice Dashboard, select your displays in the list of Your Solstice Instances.
Note
If you have multiple instance groups, such as Pods and Windows Display Software instances, select and apply changes to each group separately.
Go to the Security tab.
In the Administration section, uncheck Allow Local Configuration to disable in-room configuration changes.
Uncheck Allow Browsers to Configure Pod to disable web configuration panel changes.
Click Apply.
Note
The Solstice QuickConnect client was deprecated in Solstice 6. The 'Always serve the Solstice client via port 443' setting may still appear in Solstice Dashboard but will not affect Pod functionality.
Disabling ICMP pings removes the ability to ping Pods over the wireless access point (WAP), wireless, or Ethernet networks and prevents ICMP/ping flooding that could lock up the Pod. This feature is disabled by default.
In Solstice Dashboard, select your Pods from the list of Your Solstice Instances.
Go to the Security tab.
In the Administration section, select Disable ICMP Pings to the Pod.
Click Apply.
Notice
Solstice versions 6.1 and later no longer perform captive portal checks. The directions below detail how to disable this functionality in earlier versions.
By default, Solstice Pods periodically check to see if they have access to the internet. However, you can disable these checks if you want to eliminate this network traffic.
In Solstice Dashboard, select your Pods from the list of Your Solstice Instances.
Go to the Security tab.
In the Administration section, select Disable Captive Portal Checking.
Click Apply.
With this option enabled, when a user enters the Pod IP address in their browser, they are automatically redirected to the HTTPS hostname as determined by a reverse DNS lookup by the defined DNS server.
Note
This feature requires that a valid DNS Hostname be set in Network > Wireless Settings and/or Network > Ethernet Settings, depending on your network configuration, and that the Pod have a valid client-to-server certificate. Note that Pods ship with a generic default client-to-server certificate that can be replaced using the Certificate Tools on the Security tab of the Solstice Dashboard.
In Solstice Dashboard, select your Pods from the list of Your Solstice Instances.
Go to the Security tab.
In the Administration section, check Redirect to HTTPS hostname. A message containing additional DNS lookup information related to this setting appears.
Click OK to acknowledge.
Click Apply.
When the screen key is enabled, in-room users will be required to enter the four-digit code that appears on the Solstice display before they are able to connect.
In Solstice Dashboard, select your displays from the list of Your Solstice Instances.
Go to the Security tab and scroll to the Access Control settings.
Check Screen key enabled to require the entry of the screen key to connect to a display. A pop-up warning may appear.
If you agree with the requirements of the warning, click Yes, enable Screen Key.
Click Apply.
Browser look-in gives users a full resolution view of the collaboration session on their device by entering the Solstice display's IP address into their web browser.
In Solstice Dashboard, select your displays from the list of Your Solstice Instances.
Go to the Appearance and Usage tab.
In the Usage and Feature Management section, select one of the following Browser Look-in options:
Enabled: Users can view the session remotely.
Disabled: Users cannot view the session remotely.
Determine at Runtime: In-room users determine if browser look-in functionality is enabled when a collaboration session begins.
Click Apply.
Moderator Mode allows a user to make a session moderated, meaning they can approve or deny subsequent requests for users to join the session or post content to the display. Moderator mode is enabled by default.
In Solstice Dashboard, select your displays from the list of Your Solstice Instances.
Go to the Security tab.
In the Access Control section, uncheck Moderator approval disabled.
Click Apply.
This setting allows Solstice network traffic between a Solstice display and Solstice user apps to be encrypted using a standard RSA/SHA cipher with a 2048-bit private key. This also includes network traffic related to configuration via either the Solstice Dashboard, the display’s web-based configuration (if enabled), or Solstice Cloud management. When this option is enabled, Dashboard also sends Solstice Local Release updates via port 443.
By default, Solstice display servers are loaded with a self-signed CA certificate from Mersive that is used when a display receives HTTPS connections. However, you may also upload a custom CA certificate bundle to be used instead. Note that the display always uses the CA certificate for HTTPS traffic, even when Solstice client-server encryption is disabled. For more information about certificate management in Solstice, see Enterprise Certificate Management.
Note
An issue existed in Solstice 5.5 and 5.5.1 where loading a custom PFX (.p12) certificate to encrypt Solstice client/server traffic caused a fatal boot loop. Installing a custom .p12 certificate should be avoided for Solstice Pods running these versions of Solstice. (PEM certificates can still be used.) Mersive resolved this issue in Solstice 5.5.2.
In Solstice Dashboard, select a Solstice display from the list of Your Solstice Instances.
Go to the Security tab.
In the Encryption section, select Encrypt Client/Server Communications to encrypt communication between the Solstice Pod or Solstice Windows Display and user devices.
To upload a custom CA certificate bundle to be used instead of the Solstice display's default self-signed certificate for external HTTPS connections, check Use Custom CA Certificate Bundle for External Communications and Browse to select the PFX certificate file.
Click Apply.
By default, Solstice Pods are configured with a self-signed certificate from Mersive. However, for enterprises where this is insufficient, Solstice admins can use the following enterprise certificate management tools to centrally manage certificates in Solstice Dashboard. These tools allow Solstice admins to manage client-server certificates for communication between Solstice Pods and user devices and 802.1x certificates within Solstice. For detailed information about certificate management in Solstice, see Enterprise Certificate Management.
In Solstice Dashboard, select the desired Pod from the list of Your Solstice Instances.
Go to the Security tab and scroll to the Certificate Tools section.
If a new certificate is needed, select Generate certificate signing request and click Open. Use the following options to generate your .csr certificate signing request file that can be submitted to your chosen certificate authority.
Generate a Pod client/server communications CSR to request a certificate for encrypting Solstice traffic between the Pod and user devices.
Or generate an 802.1x EAP User Ethernet Certificate or 802.1x EAP User WiFi Certificate CSR to request a certificate that authenticates the Solstice Pod to your 802.1x wired or wireless network.
Browse to select the OpenSSL file that contains configuration info for your request. Click View to see an example of an OpenSSL config file.
After you have a signed certificate from your certificate authority that corresponds to the private key on the Solstice Pod, select Install certificate and click Open to upload it.
To upload a certificate to the Solstice Pod, select Pod server.
To begin configuration for 802.1x network device authentication, select either 802.1x EAP Ethernet User Certificate or 802.1x EAP WiFi User Certificate.
Browse and select the appropriate signed certificate file.
Note
Solstice supports PFX and PEM certificate formats. Note that only PEM certificates with the .crt file extension are supported.
If you are uploading a PFX certificate, enter its password in PKCS #12 Password.
Click Import.
Click OK to exit the Import Success message.
Note
If you imported 802.1x certificates, go to the Network tab for additional configuration steps.
If you have both a signed certificate and its private key, select Install certificate and private key and click Open to configure encryption for Solstice traffic between the Pod and user devices.
Browse to select the appropriate certificate and private key files.
Click Import.
Click OK to exit the Import Success message.
Click Apply.
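The certificate requirements stated above (a PEM file with the .crt extension, a certificate that corresponds to its private key, and, for Redirect to HTTPS hostname, a certificate valid for the Pod's DNS hostname) can be checked before a file is uploaded. The script below is an added example, not Mersive tooling or part of the original documentation; it assumes the openssl command-line tool is installed, and pod.example.test and all file names are constructed placeholders.

```sh
#!/bin/sh
# Added example: checks to run on a certificate and key before installing them.
# pod.example.test and all file names are constructed placeholders.

# Prints "ok" or the name of the first failed check; non-zero status on failure.
check_pod_cert() {
  cert=$1; key=$2; host=$3
  # The page states that only PEM certificates with a .crt extension are supported.
  case "$cert" in *.crt) ;; *) echo "bad-extension"; return 1 ;; esac
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "not-pem"; return 1; }
  # The certificate must correspond to the private key it is installed with.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "unreadable-cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "unreadable-key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
  # An expired certificate fails validation in browsers and clients.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "expired"; return 1; }
  # Redirect to HTTPS hostname sends browsers to the Pod's DNS name, so the
  # certificate has to be valid for that name.
  openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 | grep -q 'does match' \
    || { echo "hostname-mismatch"; return 1; }
  echo "ok"
}

# Constructed sample data: a throwaway self-signed certificate ($1) and key ($2)
# for hostname $3.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
    -keyout "$2" -out "$1" 2>/dev/null
}

demo=$(mktemp -d)
make_sample "$demo/pod.crt" "$demo/pod.key" pod.example.test
make_sample "$demo/other.crt" "$demo/other.key" other.example.test
check_pod_cert "$demo/pod.crt" "$demo/pod.key" pod.example.test || true    # ok
check_pod_cert "$demo/pod.crt" "$demo/other.key" pod.example.test || true  # key-mismatch
check_pod_cert "$demo/pod.crt" "$demo/pod.key" 192.0.2.10 || true          # hostname-mismatch
rm -rf "$demo"
```

The last call shows why the redirect matters: a certificate issued for the hostname does not validate when the Pod is reached by its IP address.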