Server Settings
Server settings are settings that are global, as opposed to those that are per user group. They can be found in the Settings tab on the left side of the Administrative Web UI. In most cases, a change to a global setting requires a restart of some or all components. For a single server environment that would mean just restarting the kasm services on the server. For distributed environments you may only need to restart certain components. The tables below indicate which components need restarted for each setting.
The following shows how to restart all services or individual services.
# restart all services on a server
cd /opt/kasm/bin
./stop
./start
# restart individual components
sudo docker restart kasm_agent
sudo docker restart kasm_api
sudo docker restart kasm_manager
sudo docker restart kasm_db
sudo docker restart kasm_proxy
Authentication
Name |
Description |
Services Need Restarted |
Anonymous User Expiration |
Anonymous user accounts are deleted from the system after the defined number of hours. Set this value to 0 to disable automatic deletion. |
None |
Enable Kasm Authorization |
Requires client requests to the Kasm for content such as downloads and uploads to be authenticated with the user’s current session token. |
None |
Enable SAML |
Enables Single Sign on with SAML 2.0 for users. |
None |
Kasm Authorization Domain |
Override the domain used in the Kasm session cookie. The default value will use the domain name the user request came in on, which will fit most use cases. Statically setting the domain name will ensure your Workspaces deployment cannot be proxied under different domain names. |
None |
Login Assistance |
An optional link to display on the login page that will direct users to another site for login assistance. |
None |
Max Login Attempts |
The number of invalid login attempts before an account is locked out. This setting only applies to local accounts. |
None |
Notice Message |
A login banner message to show to users at the login page. |
None |
Notice Title |
The title of the login banner to show to users at the login page. |
None |
Component Registration Token |
Used for multi-server deployments to register new components to the deployment. |
None |
Same Site Cookie Policy |
Configures the SameSite attribute for the Set-Cookie HTTP response headers. Valid options are Lax, Strict and None. |
API |
Session Lifetime |
The number of seconds a session token is valid for. |
API |
Token Drift |
How many minutes plus and minus to allow TOTP tokens to drift from the server’s UTC time. |
API |
WebAuthn Request Lifetime |
The number of seconds a WebAuthn Authenticator or Registration session is valid for. |
API |
CAPTCHA Settings
The CAPTCHA settings allow administrators to select which type of CAPTCHA they want to use if they choose to use CAPTCHA. This is used on session casting.
Name |
Description |
Services Need Restarted |
CAPTCHA Selection |
Choose which type of CAPTCHA to use, selecting one will automatically attempt to set the API URL. |
None |
CAPTCHA API URL |
The API URL to use for verifying results, the correct URL should automatically be set when a CAPTCH type is selected. |
None |
CAPTCHA Private Key |
The CAPTCHA Private Key, |
None |
CAPTCHA Site Key |
The CAPTCHA Site Key. |
None |
Logging
Kasm provides centralized logging out of the box, whether you install Kasm all on a single server in a distributed system with redundant API servers and multiple Kasm agents, all logs are collected and aggregated. Kasm provides basic log aggregation, analyses, and storage. The system also support logging directly to Splunk or File Based Logs can be ingested by a SIEM solution of choice.
Name |
Description |
Services Need Restarted |
Debug Log Retention |
Number of hours to keep debug logs. Default is 4 hours. See the section on log retention for more details. |
None |
Splunk HEC Token |
For Splunk logging, this token provides authentication |
Manager, API |
HTTP Method |
The HTTP method to use, POST or PUT are supported. |
Manager, API |
Disable Log Certificate Validation |
If set to true, the remote logging server’s certificate is ignored. This is required if using self signed certs. If you use properly signed certs you do not need to enable this. |
Manager, API |
Log Host |
The hostname or IP address of the remote logging system. |
Manager, API |
Log Port |
The port number for the remote logging system. Splunk’s default is 8088 other systems may use 443. |
Manager, API |
Log Protocol |
Remote logging protocol. Valid values are https and splunk. |
Manager, API |
Log Retention |
Number of days to keep local logs (excluding debug logs). See the section on log retention for more details. |
None |
URL Endpoint |
The URI path for the logging system. See the sections below for specific logging solutions like Splunk. |
Manager, API |
Native Kasm Logging
By default, logs are stored in the Kasm database. Kasm managers and Kasm API servers write their logs directly to the database. Kasm Agent nodes send logs via HTTPs to their respective Kasm Manager. The Kasm Dashboard relies on the native logging to provide visual statistics. Native logging cannot be disabled, if you enable remote logging the native logging will continue. See the log settings table for details on adjustments to default log settings.
Splunk Logging
Kasm supports Splunk HEC logging over HTTPS. See Splunk documentation http://dev.splunk.com/view/event-collector/SP-CAAAE7G for details on configuring a HEC input. Note that the URI path for a Cloud Splunk instance and a self hosted Splunk instance are different. The example configuration below is for Splunk Cloud SaaS. A cloud instance will have two domain names, the one you access the UI from and one for inputs. Per the linked documentation, the Splunk Cloud SaaS domain name for data input is the same as the UI but with input- at the front.
Log Protocol - splunk
Log Host - input-your_cloud_splunk_hostname
Log Port - 8088
URL Endpoint - /services/collector/event
HTTP Method - POST
Disable Log Certificate Validation - false
Splunk HEC Token - 12345678-1234-1234-1234-1234567890AB
Logging Retention
Logging retention applies only to local logging, it does not affect remote logging. Before adjusting the Log Retention or Debug Log Retention you should evaluate your database system. Ensure the database system has adequate storage and processing power to handle the increased logging. If log retention beyond 30 days is required, it is highly recommended to use a proper external logging solution. The Debug Log Retention setting should not be adjusted unless needed to troubleshoot issues over a longer period of time. A Kasm system can produce over 10,000 debug logs per hour, therefore, the retention of those logs should be considered very carefully.
Manager
Name |
Description |
Services Need Restarted |
Agent Version |
This setting is used to restrict which versions of the Kasm Agent are allowed to communicate with the Manager. |
Manager |
Primary Manager Timeout |
The number of seconds until the primary manager is considered unavailable. If other managers are alive one will take over the primary role. |
None |
Same Zone Reply |
If set to true, a manager will only reply to agent heartbeats with a list of managers in the same zone as itself. Otherwise a list of all managers is given. This allows Agents to failover to managers in other zones. |
Manager |
Token |
An authentication token used in the communication between Kasm Agents and the Manager API server. |
Manager |
Update Check |
This setting will enable/disable the manager checking for Kasm system updates. |
None |
Egress Plugins
The Egress Plugin settings are only applicable when a license has been applied to Kasm Workspaces that includes seats for an Egress Plugin.
Name |
Description |
Services Need Restarted |
Egress Plugin Update Check |
Allow for Egress Plugins to check in to Update Egress Gateways and Egress Accounts. |
None |
Egress Plugin Update URL |
The URL Used to Update Egress Gateways and Egress Accounts associated with an Egress Plugin. |
None |
Images
Name |
Description |
Services Need Restarted |
Add Images To Default Group |
Automatically add images to default group when new images are added. |
API |
Default CPU Allocation Method |
Sets the default cpu allocation strategy for container images. Valid options are |
None |
Web Filter
Name |
Description |
Services Need Restarted |
Web Filter Update URL |
URL used to interface with Kasm’s URL category service |
API |
Connections
Name |
Description |
Services Need Restarted |
Default VM RDP Connection Settings |
See detailed description below. |
API |
Default VM SSH Connection Settings |
See detailed description below. |
API |
Default VM VNC Connection Settings |
See detailed description below. |
API |
RDP config file expiration |
How long the authentication token in the generated RDP file is valid. |
API |
RDP Private Key |
This key is used to generate the JWT tokens used for authenticating the RDP file by the RDP Gateway. |
API |
RDP Public Cert |
This certificate is used to validate the JWT tokens used for authenticating the RDP file by the RDP Gateway. |
API |
RDP File Signing Private Key |
The private key that is used to sign the RDP file. |
API |
RDP File Signing Cert |
The certificate used to verify the signed RDP file has not been modified, this is also used to set the trusted publishers setting in microsoft group policy. |
API |
Default VM RDP Connection Settings
This Kasm setting is used to define a series of connection parameters for connecting to external RDP/KasmVNC endpoints. It is defined as a single JSON string, a default example is:
{
"guac": {
"type": "rdp",
"settings": {
"security": "any",
"ignore-cert": true,
"enable-font-smoothing": true,
"enable-wallpaper": true,
"enable-theming": true,
"enable-full-window-drag": false,
"enable-menu-animations": false,
"resize-method": "display-update",
"server-layout": "en-us-qwerty",
"printer-name": "Kasm"
}
},
"kasm_svc": {
"port": 4902
}
}
A break-down of the Guacamole (guac/rdp) settings can be found below:
Name |
Description |
security |
The security mode to use for the RDP connection. This mode dictates how data will be encrypted and what type of authentication will be performed, if any. Options any,nla,nla-ext,tls,vmconnect,rdp. |
ignore-cert |
If set to “true”, the certificate returned by the server will be ignored, even if that certificate cannot be validated. |
enable-font-smoothing |
If set to “true”, text will be rendered with smooth edges. Text over RDP is rendered with rough edges by default. |
enable-wallpaper |
If set to “true”, enables rendering of the desktop wallpaper. By default, wallpaper will be disabled, such that unnecessary bandwidth need not be spent redrawing the desktop. |
enable-theming |
If set to “true”, enables use of theming of windows and controls. By default, theming within RDP sessions is disabled. |
enable-full-window-drag |
If set to “true”, the contents of windows will be displayed as windows are moved. By default, the RDP server will only draw the window border while windows are being dragged. |
enable-menu-animations |
If set to “true”, menu open and close animations will be allowed. Menu animations are disabled by default. |
resize-method |
The method to use to update the RDP server when the width or height of the client display changes. Options display-update,reconnect. |
fixed-display-size |
If this is set to “true”, the resolution of the RDP session will be fixed to the resolution specified by the provided width and height settings. |
server-layout |
The server-side keyboard layout. Options da-dk-qwerty,de-ch-qwertz,de-de-qwertz,en-gb-qwerty,en-us-qwerty,es-es-qwerty,fr-ch-qwertz,fr-fr-azerty,it-it-qwerty,ja-jp-qwerty,pt-br-qwerty,sv-se-qwerty,tr-tr-qwerty. |
timezone |
This parameter allows control of the timezone that is sent to the server over the RDP connection, which will change the way local time is displayed on the server when that server is part of a RDS cluster. Kasm will auto fill in this parameter based on the Kasm Session Timezone user profile setting when not overridden in the server configuration or this global setting. |
printer-name |
The name of the redirected printer device that is passed through to the RDP session. The final name displayed in all printing related settings will be in the format printer_name (redirected session_id). This is a naming convention imposed by Windows to indicate that it is a redirected printer, with session_id denoting the specific session the printer is associated with. |
Additional Guacamole connection settings can be found here.
RDP Session Watermarking
Kasm supports watermarking RDP sessions with customizable text overlays as well as images. The watermark settings are configured within the kasm_svc
section of the VM RDP connection settings JSON. The connection settings can be overridden at the Server level or Auto Scale Configs for auto scaled servers.
Note
The watermark feature is limited to configurations where the username is known at session creation time. This includes Static Credentials, Single Sign-On with Static Local Accounts, Single Sign-On with Dynamic Local Accounts, and Single Sign-On with Active Directory.
Warning
There are limited UI elements that may appear over the watermark. At this time, the only known UI elements known to appear over the watermark is the start menu and the Task Manager.
The following is an example of a valid watermark configuration:
{
"guac": {
"type": "rdp",
"settings": {
"security": "any",
"ignore-cert": true,
"enable-font-smoothing": true,
"enable-wallpaper": true,
"enable-theming": true,
"enable-full-window-drag": false,
"enable-menu-animations": false,
"resize-method": "display-update",
"server-layout": "en-us-qwerty",
"printer-name": "Kasm"
}
},
"kasm_svc": {
"port": 4902,
"watermark": {
"text": "${KASM_USER} at %H:%M on %d/%m/%Y",
"tint": "255,0,255,255",
"repeat-spacing": 100
}
}
}
A break-down of the allowed watermark settings can be found below:
Setting |
Default |
Description |
text |
The text content of the watermark can include the following session variables: ${KASM_USER}, ${KASM_USER_ID}, ${KASM_ID}, ${WINDOWS_USER} as well as time formatting using the format %H:%M:%S. |
|
timezone |
The timezone to be used for time formatting, ie. “America/New_York”. |
|
font |
Arial |
The font family to use for the watermark text. |
font-size |
20 |
The font size in points for the watermark text. |
tint |
“255,255,255,255” |
The color value for the watermark in “r,g,b,a” format where each value is between 0 and 255. |
opacity |
1.0 |
The opacity of the watermark image in range 0.0 to 1.0. |
location |
center |
The x,y coordinate location for the watermark in “x,y” format. The default value is “center”. However, defining repeat-spacing will overwrite this default, changing the placement of the watermark accordingly. |
rotation |
The rotation in degrees for the watermark text in range -180 to 180. |
|
repeat-spacing |
The spacing in pixels to repeat the watermark text across the session both horizontally and vertically. |
|
image |
The absolute path to the image file to be displayed as the watermark |
Default VM VNC Connection Settings
This Kasm setting is used to define a series of connection parameters for connecting to external VNC endpoints. It is defined as a single JSON string, a default example is:
{
"guac": {
"type": "vnc",
"settings": {
"autoretry": 5,
"color_depth": 32
}
}
}
A break-down of the Guacamole (guac/vnc) settings can be found below:
Name |
Description |
hostname |
The hostname or IP address of the VNC server. |
port |
The port the VNC server is listening on. |
autoretry |
The number of times to retry connecting before returning an error. |
swap-red-blue |
Boolean that will swap red and blue colors to correct display colors being swapped. |
cursor |
Set to “remote” to have the mouse pointer rendered on the remote server. |
encodings |
A space-delimited list of VNC encodings to use. |
read-only |
If set to “true”, the vnc connection made will be read-only, input will not be accepted. |
Additional Guacamole connection settings can be found here.
Default VM SSH Connection Settings
This Kasm setting is used to define a series of connection parameters for connecting to external SSH endpoints. It is defined as a single JSON string, a default example is:
{
"guac": {
"type": "ssh",
"settings": {
"font-size": "11",
"color-scheme": "gray-black",
"font-name": "monospace",
"scrollback": "1000"
}
}
}
A break-down of the Guacamole (guac/ssh) settings can be found below:
Name |
Description |
hostname |
The hostname or IP address of the SSH server. |
port |
The port the SSH server is listening on. |
host-key |
The known hosts entry for the SSH server. This parameter is optional, and, if not provided, no verification of host identity will be done. |
server-alive-interval |
By default the SSH client does not send keepalive requests to the server. This parameter allows you to configure the the interval in seconds at which the client connection sends keepalive packets to the server. |
color-scheme |
The color scheme to use for the terminal emulator used by SSH connections. For details on each option see the Guacamole documentation at the link below. |
font-name |
The name of the font to use. |
font-size |
The font size to use in points. |
scrollback |
The maximum number of rows to allow within the terminal scrollback buffer. |
command |
The command to execute over the SSH session, if any. This parameter is optional. If not specified, the SSH session will use the user’s default shell. |
locale |
This parameter allows control of the specific locale to request for the SSH session. This parameter is optional and may be any value accepted by the LANG environment variable of the SSH server. Kasm will auto fill in this parameter based on the Kasm Session Language user profile setting when not overridden in the server configuration or this global setting. |
timezone |
This parameter allows control of the timezone that is sent to the server over the SSH connection, which will change the way local time is displayed on the server. Kasm will auto fill in this parameter based on the Kasm Session Timezone user profile setting when not overridden in the server configuration or this global setting. |
Additional Guacamole connection settings can be found here.
Scale
Name |
Description |
Services Need Restarted |
Automatically Enable Agents |
Automatically enable agents if disabled every time they check in. |
None |
Guardian Interval |
How often to run the guardian. Guardian handles cleanup of agents and Kasms. As well as provision of autoscale agents. |
Manager |
Guardian Provision Threads |
Number of threads to use for tear down and provision tasks. |
Manager |
Host Dead Expiration |
How long to wait after an agent stops checking in before marking it dead. If it was auto provisioned, it will be cleaned up once marked dead. |
Manager |
Host Missing Expiration |
How long to wait after an agent stops checking in before marking it missing. This value should always be less than the Host Dead Expiration |
Manager |
Keep Alive Expiration |
How long the session will stay alive when no client is connected. This is the global setting, can be overridden at the group level. |
API |
Provision Timeout |
How long to wait for an autoscale VM to finish provisioning. |
API, Manager |
Component Missing Expiration |
Change components to a Missing status after they fail to check in within this timeframe. This applies to components such as connection proxies. |
None |
Component Dead Expiration |
Automatically delete components that fail to check in within this timeframe, a value of 0 disables this feature. This applies to components such as connection proxies. |
None |
Theme
Name |
Description |
Services Need Restarted |
Launcher Background URL |
This URL provides the location of a background image to use on the Workspaces launcher. There are servera built in backgrounds that can be set, See Default Backgrounds for a list of available default images. After changing the setting please logout and log back in for the setting to take effect. |
None |
Web Filter
Name |
Description |
Services Need Restarted |
Web Filter Update URL |
URL used to interface with Kasm’s URL category service |
API |
Storage
Name |
Description |
Services Need Restarted |
---|---|---|
Object Storage Key |
AWS Access Key ID used to access S3, used for S3 based persistent profiles. |
API |
Object Storage Secret |
AWS Access Key Secret used to access S3, used for S3 based persistent profiles. |
API |
Recording
Name |
Description |
---|---|
Session Recording Framerate |
The framerate for session recordings. A minimum of 2 frames per second is supported for RDP, VNC and SSH sessions. More frames per second will result in smother video but higher storage and bandwidth usage. |
Session Recording Bitrate |
The bitrate for session recordings. A higher bitrate will result in higher quality recordings, but also higher storage and bandwidth usage. It is measured in Mbps. |
Session Recording Width |
The width for session recordings. This is the number of pixels in width the video is, a higher number gives higher quality recordings, while increasing storage and bandwidth usage. |
Session Recording Height |
The height for session recordings. This is the number of pixels in height the video is, a higher number gives higher quality recordings, while increasing storage and bandwidth usage. |
Session Recording Upload Location |
The upload location will be a dynamic URL pointing to an AWS S3 Bucket where the session recording will be stored. This must be the full video path including the filename ending in |
Each file will have the epoch added to allow uploading multiple clips per session. |
|
The URL can include several templated variables to tailor the storage path. See Session Recording for more details. |
|
An example of a valid URL is: |
|
Session Recording Queue Length |
For RDP, VNC and SSH sessions this is how many recording clips are being processed and uploaded at once on each connection proxy server. For higher concurrent session counts this number should be increased. |
This will have an effect on the number of CPU cores and memory that are available to handle proxying connections to RDP, VNC and SSH sessions and so resources for the connection proxy server should be |
|
adjusted accordingly. Session recording encoding is quite CPU intensive. Refer to the Kasm sizing guide for more information |
|
Session Recording Retention Period |
This value is how long the connection proxy will continue to try and upload recorded clips that have failed to upload. This value is measured in hours and applies to RDP, VNC, and SSH sessions only. |
Clips that have failed to upload and haven’t exceeded the retention period can also be copied out from the folder |
|
Object Storage Access Key ID |
Object storage (S3) access key ID. This ID is specific for session recording purposes. |
Object Storage Access Key Secret |
Object Storage Access Key Secret. This secret is specific for session recording purposes. |
Disk Usage Limit for Session Recordings |
This is a percentage of the disk space that is allowed to be consumed on the Connection Proxy, before session recording will stop and session creation when session recording is enabled will fail. |
The default value is 0.90 or otherwise saying when the disk is 90% full session recording stops |
Setting Properties
The following table lists the properties of each setting.
Name |
Setting name |
Category |
Setting Category |
Services Restart |
What services need to be restarted on setting change |
Value |
Settings Actual Value |
Value Type |
Data Type |
Description |
Setting Description |