Fastvue

How to Secure Fastvue Reporter with Login Credentials


by

Scott Glew

You’ve downloaded Fastvue Reporter and are ready to generate network reports and gain accelerated security insights. But you first need to take the crucial step of restricting access, ensuring only authorized users can view or manage reports.

Fastvue Reporter integrates with Windows Authentication and Authorization rules in IIS, allowing administrators full access while restricting report viewing to specific users.

Secure Fastvue Reporter and control report access (Windows)

Step 1: Create User Groups

First, set up two security groups. These can either be security groups in Active Directory, or local groups on the Fastvue Server:

  • Fastvue Admins – Users with full access to the application.

  • Fastvue Viewers – Users who can only view reports.

Option A: Create local user groups on the Fastvue Server

  1. Log into the Fastvue Reporter server.

  2. Open Server Manager and go to Tasks > Computer Management.

  3. Expand System Tools and navigate to Local Users and Groups > Groups.

  4. Right-click Groups and select New Group.

  5. Name the group Fastvue Admins and add users who need full access. Click Create.

  6. Create another group called Fastvue Viewers and add users who should only view reports. Click Create.

Option B: Create Security Groups in Active Directory

  1. Log into a domain-joined workstation or server that has Active Directory Users and Computers (ADUC) installed.

  2. Open ADUC by navigating to Start > Administrative Tools > Active Directory Users and Computers or by running “dsa.msc”.

  3. Navigate to the Organizational Unit (OU) or container where you want the new groups to reside.

  4. Right-click the OU and select New > Group. Enter “Fastvue Admins” as the group name, and click OK.

  5. Open the properties of “Fastvue Admins”, go to the Members tab, and add the users who need full access to Fastvue Reporter.

  6. Right-click the same OU again, select New > Group, and create a group named “Fastvue Viewers” and click OK.

  7. Open the properties of “Fastvue Viewers”, navigate to the Members tab, and add the users who should be able to view reports but not access the rest of the app (Settings etc.).

Now, IIS can be configured to grant access based on these groups.

Step 2: Enable Windows Authentication in IIS

Fastvue Reporter uses IIS (Internet Information Services) for authentication. By enabling Windows Authentication, users will be verified automatically when they access the site.

How to enable Windows Authentication:

  1. Open IIS Manager on the Fastvue Reporter server.

  2. Select the Fastvue Reporter site or virtual directory.

  3. Ensure Features View is selected, then double-click Authentication.

  4. Right-click Windows Authentication and select Enable.

Note: If Windows Authentication is missing, install it via:

  • Server Manager > Web Server (IIS) > Role Services > Add Windows Authentication.

Step 3: Add an Authorization Rule for Admins

Now, create a rule to allow the Fastvue Admins group full access to the entire site.

How to configure an authorization rule:

  • In IIS Manager, select the Fastvue Reporter site.

  • Double-click Authorization Rules.

    • If Authorization Rules is missing, install URL Authorization via: Server Manager > Web Server (IIS) > Role Services.

  • Delete the default rule that allows all users.

  • Add a new rule to Allow the Fastvue Admins group.

    • For local groups, enter ‘Fastvue Admins’ in the Specified roles or user groups field.

    • For Active Directory security groups, enter ‘Domain\Fastvue Admins’ in the Specified roles or user groups field, replacing Domain\ with your actual AD domain. 

Only users in the Fastvue Admins group will now have full access. Test this by navigating to the Fastvue website. You should be prompted for credentials and denied access unless you enter the credentials of a user in the Fastvue Admins group.

Step 4: Add Authorization Rules for Report Viewers

When users access a Private Report link (such as when a scheduled report is emailed to them), they need access to the folders in IIS where private reports are served from.

 What folders do Fastvue Viewers need access to?

  • Private Reports are shared from the /p folder, so users must be granted access to view them.

  • The /_ (underscore) folder contains scripts and assets required for the Fastvue Reporter site to function correctly. If access is not granted, reports will not load.

How to configure authorization rules for report viewers:

  1. In IIS Manager, navigate to the Fastvue Reporter site.

  2. Select the /p folder, then open Authorization Rules.

  3. Add a rule to Allow the Fastvue Viewers group.

    • For local groups, enter ‘Fastvue Viewers’ in the Specified roles or user groups field.

    • For Active Directory security groups, enter ‘Domain\Fastvue Viewers’ in the Specified roles or user groups field, replacing Domain\ with your actual AD domain. 

  4. Select the /_ (underscore) folder, open Authorization Rules, and add another rule to Allow the Fastvue Viewers group.

    • For local groups, enter ‘Fastvue Viewers’ in the Specified roles or user groups field.

    • For Active Directory security groups, enter ‘Domain\Fastvue Viewers’ in the Specified roles or user groups field, replacing Domain\ with your actual AD domain. 

By applying these rules, Fastvue Viewers can access shared reports without breaking site functionality.

Step 5: Test the Configuration

Testing for Admins:

  • Log into Windows with a Fastvue Admins group user.

  • Access Fastvue Reporter and confirm you can view and manage reports.

Testing for Report Viewers:

  • Before logging in as a Fastvue Viewer, go to Reports and open or generate a new report, then click the Share button and copy the URL.

  • Log into Windows with a Fastvue Viewers group user.

  • Open the report URL copied in the first step.

  • Confirm you can view reports but cannot access admin features.

Note: Report viewers can only generate reports by drilling down into values in a report that has been shared with them, and they cannot remove filters from the initial report. 

For example, if a report is filtered by the Marketing department, a Marketing Manager can hover over a site such as youtube.com and run an Activity Report to see all users within the Marketing department who accessed YouTube. However, they cannot remove the department filter to view users in other departments who may have accessed YouTube.

Secure Fastvue Reporter and control report access (Linux)

Fastvue Reporter’s Docker image allows for external authentication and SSL configuration through Apache. These configurations persist between container runs.

These configuration files must exist under the /config/apache path in the mapped data volume.

Inside the container, the mapped data volume exists at /data, so any paths that the provided config files refer to must use this as the base directory.

For example, if you store Fastvue Reporter's data at /var/fastvue/reporter-for-firewall-xyz on your host, then on the host, the auth config file would be at /var/fastvue/reporter-for-firewall-xyz/config/apache/auth.conf, and the authpasswd file would exist at /var/fastvue/reporter-for-firewall-xyz/config/apache/authpasswd, but inside the container, these would exist at /data/config/apache/auth.conf and /data/config/apache/authpasswd.

Step 1: Create an Authentication Configuration File

  1. Create a config file at (basepath)/config/apache/auth.conf, where (basepath) is Fastvue Reporter's data path on the host.

Example for Basic auth mode:

AuthType Basic
AuthName "Fastvue Reporter"
AuthUserFile /data/config/apache/authpasswd
Require valid-user

Step 2: Create the Authentication Password File

  1. Run the following command to create the password file and add a user:

 htpasswd -c (basepath)/config/apache/authpasswd admin

  • Replace admin with the username of your choice.

  • Enter and confirm the password when prompted.

  • The -c flag should only be used when creating the file for the first time.

Step 3: Configure LDAP Authentication (Optional)

If you are using LDAP authentication, update auth.conf with the following:

AuthType Basic
AuthName "Fastvue Reporter"
AuthBasicProvider ldap
AuthLDAPURL "ldap://dc-server.domain.local:389/DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "(user@domain)"
AuthLDAPBindPassword "(password)"
Require valid-user

Then update the LDAP URL and credentials to match your environment.

The LDAP URL is specific to your system configuration, but the ?sAMAccountName?sub?(objectClass=*) part is required. AuthLDAPBindDN must be either the FQDN of a user authorised to make auth queries or the username in UPN syntax (user@domain).

Step 4: Configure Private Report Sharing (Optional)

Allowing anonymous or alternate auth access to /_ and /p for private report sharing is supported through a secondary config file named authshared.conf. The directives in this file will only apply to the /_ and /p directories.

Example authshared.conf allowing full anonymous access to /_ and /p regardless of the site root's auth configuration:

Require all granted

If authshared.conf is not provided, these directories inherit the root authentication settings. If auth.conf is not provided, the site root defaults to Require all granted, allowing anybody to access the site.
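The defaults described above fail open: a missing auth.conf leaves the site root at Require all granted. The following shell function is an added example, not part of Fastvue's documentation or tooling; it audits (basepath)/config/apache on the host for that case, for anonymous access in authshared.conf, and for secret-bearing files (authpasswd, sslprivate.key from the SSL section, and auth.conf when it holds AuthLDAPBindPassword) that grant permissions to all local users. The function names and finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Fastvue's tooling): audit <basepath>/config/apache on the host.

# Succeeds if FILE has an uncommented directive matching the ERE (case-insensitive).
has_directive() { grep -Eiq "^[[:space:]]*$2" "$1" 2>/dev/null; }

# Succeeds if FILE grants any permission bit to "other" (GNU stat, then BSD stat).
other_can_access() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in *[1-7]) return 0 ;; *) return 1 ;; esac
}

# Print one finding per line; return non-zero if anything was found.
audit_fastvue_auth() {
    dir="$1/config/apache"
    found=0
    granted='Require[[:space:]]+all[[:space:]]+granted'

    if [ ! -f "$dir/auth.conf" ]; then
        echo "OPEN: auth.conf missing; site root defaults to Require all granted"
        found=1
    elif has_directive "$dir/auth.conf" "$granted"; then
        echo "OPEN: auth.conf contains Require all granted"
        found=1
    fi

    if has_directive "$dir/authshared.conf" "$granted"; then
        echo "ANON: authshared.conf lets anyone read /_ and /p (private reports)"
        found=1
    fi

    # Files holding secrets: password hashes, TLS private key, LDAP bind password.
    for f in authpasswd sslprivate.key auth.conf; do
        [ -f "$dir/$f" ] || continue
        if [ "$f" = auth.conf ] && ! has_directive "$dir/$f" 'AuthLDAPBindPassword'; then
            continue
        fi
        if other_can_access "$dir/$f"; then
            echo "PERM: $f grants permissions to all local users"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Stand-alone use: sh <this script> /var/fastvue/reporter-for-firewall-xyz
if [ "$#" -gt 0 ]; then audit_fastvue_auth "$1"; fi
```

When tightening permissions in response to a PERM finding, keep the files readable by the account Apache runs as inside the container.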

Optional: Enforce Secure Connections (SSL)

To further secure Fastvue Reporter, you should enforce SSL encryption to ensure all report data is securely transmitted. Any site requiring credentials should always use HTTPS and certificates for authentication and encryption.

For Windows: 

Step 1: Generate a Certificate

Before enabling SSL, you need an SSL certificate. For internal use, you can create a self-signed certificate, but for production environments, it’s best to use a certificate from your internal PKI or a trusted third-party CA (such as DigiCert or Let’s Encrypt).

To create a self-signed certificate in IIS:

  1. Open IIS Manager and select the server (not the site).

  2. Select Server Certificates.

  3. Click Create Self-Signed Certificate.

  4. Enter a friendly name (ideally the server’s FQDN).

  5. Click OK to generate the certificate.

Step 2: Bind SSL to the Fastvue Reporter Site

  • In IIS Manager, select the Fastvue Reporter site.

  • Under Actions, click Bindings….

  • Click Add, then:

    • Set Type to HTTPS.

    • In the SSL certificate box, select the certificate you created earlier.

  • Click OK to save.

Step 3: Enforce SSL in IIS

  1. Select the Fastvue Reporter site again in IIS Manager.

  2. Double-click SSL Settings.

  3. Check Require SSL.

  4. Click Apply in the Actions pane.

At this point, all HTTP requests will be blocked, and users will need to access Fastvue Reporter via HTTPS. If you used a self-signed certificate, you may see a browser warning—this can be resolved by using a certificate from a trusted CA.

Step 4: Redirect HTTP to HTTPS (Optional, Recommended)

To avoid a 403 – Forbidden: Access is denied error when users try to access the site over HTTP, configure an automatic redirect:

  1. In IIS Manager, select the Fastvue Reporter site.

  2. Click Error Pages.

  3. Select 403 and click Edit Feature Settings.

  4. Choose Respond with a 302 Redirect.

  5. Enter your HTTPS site URL (e.g., https://fastvue01.mydomain.com).

  6. Click OK to save.

Now, any attempt to access the site over HTTP will automatically redirect users to HTTPS.

Step 5: Update Fastvue Site Settings to Use HTTPS

Fastvue Reporter uses the configured Site URL when sending email reports and alerts. To avoid issues with redirections:

  1. In Fastvue Reporter, go to Settings > Site Settings.

  2. Update the URL to use https:// instead of http://.

  3. Click Save.

For Linux: 

Step 1: Configure SSL in Apache

Edit the SSL configuration file located at:
/config/apache/ssl.conf

Ensure the following lines are present and correctly configured:

SSLEngine	On
SSLCertificateFile	/data/config/apache/sslcert.pem
SSLCertificateKeyFile	/data/config/apache/sslprivate.key

The certificate (sslcert.pem) and key file (sslprivate.key) can be either self-signed or provided by a trusted Certificate Authority.

Step 2: Create a Self-Signed Certificate (if required)

To generate a self-signed certificate, run the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout (basepath)/config/apache/sslprivate.key -out (basepath)/config/apache/sslcert.pem

Replace (basepath) with the actual path to your data volume on the host.

The command will prompt you to enter details for the certificate.
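To confirm that the two files referenced by ssl.conf belong together and that the certificate is not close to expiry (the command above issues it for 365 days), the following added example, which is not Fastvue's own tooling, compares their public keys with openssl. The function name check_fastvue_tls and the 30-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example (not Fastvue's tooling): validate the certificate/key pair that
# ssl.conf points at. Run on the host against <basepath>/config/apache.

# Print the public key of a certificate / of a private key, in PEM form.
# "-passin pass:" stops openssl from prompting if the key is encrypted.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# check_fastvue_tls BASEPATH [MIN_DAYS]
# Returns 0 if sslcert.pem and sslprivate.key match and the certificate stays
# valid for at least MIN_DAYS more days (default 30, an assumed threshold);
# 1 if files are missing, unreadable or mismatched; 2 if expiry is too close.
check_fastvue_tls() {
    dir="$1/config/apache"
    min_days="${2:-30}"
    cert="$dir/sslcert.pem"
    key="$dir/sslprivate.key"

    [ -f "$cert" ] && [ -f "$key" ] ||
        { echo "MISSING: sslcert.pem or sslprivate.key"; return 1; }

    cpub=$(cert_pubkey "$cert") && kpub=$(key_pubkey "$key") && [ -n "$cpub" ] ||
        { echo "UNREADABLE: certificate or key could not be parsed"; return 1; }

    [ "$cpub" = "$kpub" ] ||
        { echo "MISMATCH: sslprivate.key does not belong to sslcert.pem"; return 1; }

    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "EXPIRING: certificate expires within $min_days days"
        return 2
    fi
    echo "OK: pair matches, $(openssl x509 -in "$cert" -noout -enddate)"
}

# Stand-alone use: sh <this script> /var/fastvue/reporter-for-firewall-xyz [days]
if [ "$#" -gt 0 ]; then check_fastvue_tls "$@"; fi
```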

Need Help? Contact Fastvue Support

By following these steps, you can restrict access to Fastvue Reporter, ensuring only authorised users can view or manage reports. Whether using Windows Authentication or Apache authentication in Linux, securing access is crucial for maintaining data privacy and security.

If you’re still having trouble securing Fastvue Reporter, our support team is ready to assist.

Reach out via Fastvue Support for real-time help with setup, troubleshooting, and best practices.
