How can we help?

Find help articles, troubleshooting guides, and tutorials

Explainer Videos

Video tutorials explaining how to set up various aspects of Timus, listed on this Knowledge Base page

Quick Set-Up

A quick guide to set up Timus and be up and running in no time

Use Cases

Learn how others use Timus to secure their clients

FAQ

Browse the frequently asked questions when using Timus

YouTube Videos

Explore our YouTube channel for how-to videos, partner use, and insights on Timus and the MSP space.

Certified Specialist Exam

This exam assesses your proficiency and understanding of some of the key functionalities of the Timus Zero Trust Network Security Solution.


Documentation

Here, you'll find comprehensive guides, tutorials, and references to help you seamlessly navigate our products and services.


Feature Request

Looking for a feature? Share your suggestion and get the community to vote, helping us improve our products and services.


Popular articles

🎥 Explainer Videos

Discover Timus features and configurations through quick and easy-to-follow video tutorials. Perfect for a visual walkthrough of our capabilities.

Welcome to the Timus Explainer Videos page!

Explore our comprehensive library of video guides that simplify the essential features and configurations of Timus Networks. Designed for both beginners and advanced users, these quick and engaging tutorials will help you:

  • Optimize your setup
  • Enhance security
  • Leverage advanced tools—all at your own pace.

Setting up Zero Trust Access, The Timus Way

Learn how to configure Zero Trust policies with context-aware access control to protect your network and ensure only the right users have access to the right resources.

Configuring Firewall Rules

Master the creation and management of firewall rules to secure your network, prevent threats, and streamline network traffic.

Web Filtering and Content Blocking 

Learn how to block unwanted content and enforce web filtering policies, ensuring a safe and productive network environment.

Segmenting Traffic With Split Tunneling 

Explore how to segment network traffic effectively, optimizing performance while maintaining security and control.

Timus Connect Installation Walk Through 

Follow this step-by-step installation guide for Timus Connect to get your network running securely and efficiently in no time.

🔐 Setting up Zero Trust Access, The Timus Way

As security threats grow increasingly sophisticated, adopting a Zero Trust framework has become a necessity. Built on the principle of “Never trust, always verify”, Zero Trust ensures that every access request is meticulously validated, protecting your network and confirming user identities.

What Is Zero Trust Access? 🔒

Zero Trust Access is a cutting-edge security approach designed to:

  • Authenticate and authorize every access request, whether it's from inside or outside your network.
  • Continuously monitor user behavior and device posture during active sessions.
  • Protect against unauthorized access, regardless of the user's location or the device they use.

By implementing Zero Trust, organizations reduce vulnerabilities and strengthen their defenses against breaches.

🎬 Learn the Timus Way

Timus Networks Conditional Access the Timus Way 

In this video you'll learn: 

  • How Timus continuously monitors and verifies user behavior.
  • The step-by-step process to configure and enforce Zero Trust Access policies.
  • Real-life use cases demonstrating how Zero Trust prevents potential security breaches.

🌐 Configuring an IPsec Tunnel

The Timus Gateway is more than just a security measure; it’s the key to seamless connectivity. By hosting a cloud firewall, it enables secure communication between your network environments. With IPsec tunneling, you can connect your Timus Gateway to an on-premise firewall, ensuring secure and reliable access to data—no matter where it resides.

🎬 Learn the Timus Way

Timus Networks Connecting Branch Offices with IPSec 

In this video you'll explore: 

  • How to set up an IPsec tunnel on your Timus Gateway.
  • Configuring secure communication with your on-premise firewall.
  • Real-world benefits of IPsec tunneling for hybrid network environments.

🛡️Configuring Firewall Rules

Timus Adaptive Cloud Firewall: Securing Users Anywhere

In today’s dynamic work environment, where users can connect from virtually anywhere, static security rules are no longer sufficient. The Timus Adaptive Cloud Firewall ensures your security perimeter moves with the user—aligning with their identity rather than just their device or location. This innovative approach enables true secure access at the edge, providing robust protection and seamless connectivity.

Why Choose Adaptive Cloud Firewall Rules?

  • User-Centric Security: Policies follow the user, adapting dynamically to their behavior and identity.
  • Device and Location Independence: Protect access regardless of the user’s device or connection location.
  • Edge Security: Enable secure resource access with real-time, context-aware rules.

🎬 Learn the Timus Way

Timus Networks Granularity within the Timus Firewall 

In this video you'll discover: 

  • How to create user-centric firewall rules.
  • Real-world examples of adaptive firewall configurations.
  • The benefits of aligning security policies with user identity.

 

🌍 Static IP Address: Unlocking Full Network Control

A static IP address is more than just a number—it’s the foundation of complete network control. Every Timus Gateway is equipped with a private, static IP address, providing unparalleled visibility, enhanced security, and total control over your network.

🎬 Learn the Timus Way

Timus Networks Locking Down SaaS with Static IP

In this video you'll explore: 

  • The key advantages of using a static IP address.
  • How it enhances network visibility and strengthens security.
  • Real-life use cases for SaaS app management and conditional access.

 

Real-World Applications

  1. Secure SaaS Access
    • Scenario: Your team relies on critical SaaS tools like CRM or ERP systems.
    • Solution: Whitelist your static IP to ensure only authorized users on your network can access these tools, reducing unauthorized logins.
  2. Remote Workforce Management
    • Scenario: Employees need to connect remotely to access corporate resources.
    • Solution: Use the static IP as the single point of entry to enforce conditional access policies, ensuring secure and monitored connectivity.
  3. Improved Threat Detection
    • Scenario: You require better visibility into network traffic to identify potential risks.
    • Solution: Route all incoming traffic through your static IP, enabling streamlined analytics, faster threat detection, and efficient mitigation.
🖥️ Web Filtering and Content Blocking

The Timus Secure Web Gateway provides your organization with cutting-edge tools to manage web access, block harmful content, and bolster network security. By utilizing robust web filtering, content blocking, and anti-virus protection at the network layer, you can ensure that users only access safe applications and websites—whether working in the office or remotely.

🎬 Learn the Timus Way

Timus Networks Content and Category Blocking

In this video you'll learn: 

  • How Timus filters malicious websites and risky applications.
  • Step-by-step guidance to block inappropriate or harmful content.
  • How anti-virus protection safeguards browsing experiences.

Core Features of Timus Web Filtering

🔍 Web Filtering

  • Benefit: Protect users from accessing malicious or non-work-related websites.
  • How It Works: Apply access policies for specific domains or categories like "Social Media," "Adult Content," or "Phishing Sites."

🚫 Content Blocking

  • Benefit: Restrict harmful or distracting content with customizable rules.
  • How It Works: Block specific URLs to prevent unauthorized content from entering or leaving the network.

Why Choose Timus Secure Web Gateway?

  • Enhanced Productivity: Ensure users stay focused on work-related activities.
  • Advanced Protection: Safeguard the network from cyber threats like phishing and malware.
  • Centralized Management: Simplify policy management and monitoring through a single interface.
Enabling Support Access for Timus Support Team in the Timus Manager

As part of recent improvements to the Partner and Manager portal, access to your tenant via SSO (Single Sign-On) has been restricted. By default, Support teams no longer have access to any tenant. If you would like to grant the Timus Support team access to your tenant, follow the steps below.

Steps to Enable Support Access:

  • Log in to the Timus Manager.
  • Navigate to the Organization tab.
  • Locate the Support Access option.
  • Click Create New.

On the opening page, configure the following:

  • Set the Expires At field to your desired expiration date. 

  • Click Save to apply the changes.

Note:

  • Enabling this setting grants the Timus Support team permission to access your tenant.
  • If you do not enable this setting, the Timus Support team will not be able to assist with tenant-related issues.
  • Regularly review and update the expiration date to ensure continued access as needed.

For further assistance, please contact the Timus Support team.

Main Dashboard

The Dashboard provides a real-time, centralized view of your organization’s network activity, user engagement, device connectivity, and traffic flow. It’s designed to give IT teams instant situational awareness and visibility into critical performance and security indicators—all in one place.

📍 To access this screen, click Dashboard from the left-side menu

👤 Users Online

Displays the number of end users currently connected to the network.

Use this widget to monitor real-time user engagement or detect unexpected sign-in spikes.

 

💻 Devices Online

Shows how many devices are actively connected at the moment.

This helps you track endpoint activity and detect any anomalies—such as unexpected device surges.

 

🌐 Sites Online

Indicates the number of configured Sites that are currently online.

A sudden drop may indicate network issues, outages, or site disconnections that require investigation.

 

📊 Traffic Graph

Visualizes upload and download traffic across your entire network in real time.

Hover over any point to view exact values.

You can change the timeframe using the dropdown menu:

  • Last 4 Hours (default)
  • Last 12 Hours
  • Last 24 Hours

This widget is ideal for identifying bandwidth trends, usage spikes, or abnormal traffic behavior.

 

📱 Most Active Devices

Lists the top devices consuming the most bandwidth.

Each entry shows the device name and operating system icon.

Click the ••• → Configure the number of devices shown.

 

🙋 Most Active Users

Displays the users with the highest data usage or interaction levels.

Users currently online are marked with a green status dot.

Click the ••• → Configure the number of users shown.

 

📝 Recent Events

Shows a timeline of device connection activities, sorted with the most recent at the top.

Each event includes a timestamp and short description of what occurred (e.g., connection established, disconnected).

Click the ••• → Configure the number of events shown.
Partner Portal

The partner portal dashboard will provide visibility into customers' relevant information & all data pertaining to your partnership with Timus Networks.

MSPs will leverage the Timus Networks partner portal as their primary dashboard for day to day management of the Timus solution. Within the portal, you will be able to add, remove & manage all clients for both billing and technical management.

Link to - partner portal

 

Agent Deployment

The Agent Deployment screen allows you to access the latest versions of the Timus Connect Application for all supported platforms. This screen supports both manual and automated deployment workflows—ensuring your users can connect securely and consistently.

📍 To access this screen, go to Settings → Agent Deployment

Downloads

The Downloads tab lists the most recent agent versions per operating system, helping you deploy Timus Connect reliably at scale. You can:

  • Copy direct download links for each platform
  • Verify file integrity using the SHA512 checksum
  • Download MSI packages for silent or scripted installation

Timus Connect Application is essential for secure remote access, device posture validation, and policy enforcement.

📚 Related Guides

For platform-specific installation and configuration instructions, refer to the following:


Deployment Tokens (NEW)

The Deployment Tokens tab enables you to generate time-limited tokens that automate the registration and sign-in process during installation. These tokens simplify mass deployments via RMM tools or scripting across Windows and macOS.

Create a Deployment Token

  1. Click Create Token at the top-right of the screen.
  2. Set the Token Lifetime, which defines how long the registration window remains valid after generation. Tokens expire automatically after this duration.

After creation, the token is:

  • Displayed only once in plain text
  • Automatically filled into the deployment command field

⚠️ Please store your token securely—it cannot be retrieved after you leave or refresh the page.

Installation Commands

Under the Copy & Run the Command section, ready-to-use deployment commands are generated for both platforms. These commands insert the deployment token and user email into the installer process, enabling automatic sign-in.

Select User (Optional)

You may select a user from the dropdown to prefill their email address in the command.

Windows

msiexec /i "Timus-Connect.msi" /quiet DEPLOY_TOKEN="<YOUR_TOKEN>" DEPLOY_EMAIL="<USER_EMAIL>"

macOS

sudo defaults write /Library/Preferences/com.timus.connect.plist DEPLOY_TOKEN -string "<YOUR_TOKEN>"
sudo defaults write /Library/Preferences/com.timus.connect.plist DEPLOY_EMAIL -string "<USER_EMAIL>"
sudo installer -pkg Timus-Connect.pkg -target /

Click the copy icon to quickly copy the command to your clipboard.

Notes

  • Ensure the Timus Connect installer is already present on the target device before executing the command.
  • If no user is selected manually, the installer attempts to detect the signed-in OS user and initiate authentication using their email.
  • Timus Connect version 4.6.8 or higher is required for token-based deployment.
Timus Connect App for Microsoft Windows® User Guide

The Timus Connect for Windows application allows your users to establish a secure, encrypted tunnel between their devices and your corporate network. It supports posture validation, policy enforcement, and ensures seamless access to protected resources across distributed environments.

You can download the installer from Manager → Settings → Agent Deployment → Downloads screen. Alternatively, users can access the same version from Timus My → Downloads screen.

Installation & Sign-In Flow

To install Timus Connect on a user’s Windows device:

  1. Download the Installer

    Navigate to the Downloads in Timus My and select the latest Windows version.

  2. Launch the Application

    After installation, launch Timus Connect. The user must read and accept the End User License Agreement (EULA) before proceeding.

  3. Enter Timus Account Email

    The user must enter their Timus account email address to initiate authentication.

  4. Authenticate and Select Network

    • If the account is directory-synced (e.g., Microsoft Entra ID, Okta, Google Workspace), the user will be redirected to the corresponding identity provider to complete sign-in.
    • Otherwise, the user will be prompted to select a network and enter their password.

Establishing a Connection

Once signed in, the user is directed to the Connect screen.

  1. Select a Gateway

    All gateways associated with the user’s authorized sites are listed here. Each gateway includes a real-time round-trip latency metric to assist in selecting the optimal connection point.

  2. Use the “Select Fastest” Option

    Automatically selects and connects to the gateway with the lowest latency.

  3. Connect

    Clicking Connect establishes the secure tunnel between the user’s device and the selected gateway.

Agent Settings

The Settings tab in the Timus Connect application allows you to configure how the agent behaves on the user’s device. These configurations are managed through Agent Profiles in the Manager portal and can be optionally exposed for user-level control.

You can define and assign custom Agent Profiles to your users through the Manager portal.

Go to Agent Profiles Guide
  1. VPN Protocol Selection

    Choose the tunnel protocol used to establish the connection:

    • WireGuard
    • OpenVPN

    If Smart Tunnel Protocol Fallback is enabled, the application will automatically attempt the alternative protocol if the selected one fails.

  2. Startup Behavior

    • Start on boot: Automatically launches the Timus Connect application when the user’s device starts.
    • Connect on application start: Automatically initiates a connection to the last used or default gateway upon launch.
  3. Network Optimization

    • Smart tunnel protocol fallback: Maintains high availability by switching protocols in case of failure.
    • Adaptive MTU adjustment: Dynamically adjusts the MTU to prevent packet fragmentation and optimize throughput.
    • Automatic update: Keeps the agent up-to-date by silently applying the latest versions in the background.

    Users can modify these settings if the “Users can modify” setting is enabled in their assigned Agent Profile.

Support Tools

The Support tab in the Timus Connect application provides essential tools for troubleshooting, diagnostics, and SSL certificate management.

  1. Install certificate

    Installs the required Timus SSL Root Certificate to the device. This enables:

    • Trusted communication with internal systems and gateways
    • Full functionality of features such as traffic inspection and secure tunnel setup
  2. Give feedback

    Users can submit feedback or suggestions directly to the Timus team. Submissions include device metadata to provide helpful diagnostic context.

  3. Collect logs

    Generates a compressed ZIP file containing system and agent logs. The user is prompted to select a location for saving the file. This file can then be sent to you or the Timus support team for investigation.

  4. About:

    Displays application version and device metadata useful for technical troubleshooting.

Manual Certificate Installation (If Needed)

If SSL certificate installation fails or users encounter trust-related warnings:

  1. Sign in to Timus My and download the .crt file.
  2. Open the file and launch the Certificate Import Wizard.
  3. Choose Local Machine as the target.
  4. Select Place all certificates in the following store.
  5. Choose Trusted Root Certification Authorities.
  6. Complete the wizard to finalize the import.

If the issue persists, contact the Timus support team for assistance.

Silent Deployment (Optional)

To deploy the Windows app silently using an RMM or scripting tool, refer to:

Go to Timus Connect for Windows - Silent Deployment Script

Timus Connect App for macOS® User Guide

The Timus Connect for macOS application allows your users to establish a secure, encrypted tunnel between their devices and your corporate network. It supports posture validation, policy enforcement, and ensures seamless access to protected resources across distributed environments.

Timus Connect is compatible with macOS Monterey (12.0) and later versions.

You can download the installer from Manager → Settings → Agent Deployment → Downloads screen. Alternatively, users can access the same version from Timus My → Downloads screen.

When installing Timus Connect for the first time, the user account on the macOS device must have administrator privileges. Administrator rights are not required for future updates.

Installation & Sign-In Flow

To install Timus Connect on a user’s macOS device:

  1. Download the Installer

    Navigate to the Downloads in Timus My and select the latest macOS version.

  2. Launch the Application

    After installation, launch Timus Connect. The user must read and accept the End User License Agreement (EULA) before proceeding.

  3. Enter Timus Account Email

    The user must enter their Timus account email address to initiate authentication.

  4. Authenticate and Select Network

    • If the account is directory-synced (e.g., Microsoft Entra ID, Okta, Google Workspace), the user will be redirected to the corresponding identity provider to complete sign-in.
    • Otherwise, the user will be prompted to select a network and enter their password.

Establishing a Connection

Once signed in, the user is directed to the Connect screen.

  1. Select a Gateway

    All gateways associated with the user’s authorized sites are listed here. Each gateway includes a real-time round-trip latency metric to assist in selecting the optimal connection point.

  2. Use the “Select Fastest” Option

    Automatically selects and connects to the gateway with the lowest latency.

  3. Connect

    Clicking Connect establishes the secure tunnel between the user’s device and the selected gateway.

Agent Settings

The Settings tab in the Timus Connect application allows you to configure how the agent behaves on the user’s device. These configurations are managed through Agent Profiles in the Manager portal and can be optionally exposed for user-level control.

You can define and assign custom Agent Profiles to your users through the Manager portal.

Go to Agent Profile Guide

  1. VPN Protocol Selection

    Choose the tunnel protocol used to establish the connection:

    • WireGuard
    • OpenVPN

    If Smart Tunnel Protocol Fallback is enabled, the application will automatically attempt the alternative protocol if the selected one fails.

  2. Startup Behavior

    • Start on boot: Automatically launches the Timus Connect application when the user’s device starts.
    • Connect on application start: Automatically initiates a connection to the last used or default gateway upon launch.
  3. Network Optimization

    • Smart tunnel protocol fallback: Maintains high availability by switching protocols in case of failure.
    • Adaptive MTU adjustment: Dynamically adjusts the MTU to prevent packet fragmentation and optimize throughput.
    • Automatic update: Keeps the agent up-to-date by silently applying the latest versions in the background.

    Users can modify these settings if the “Users can modify” setting is enabled in their assigned Agent Profile.

Support Tools

The Support tab in the Timus Connect application provides essential tools for troubleshooting, diagnostics, and SSL certificate management.

  1. Install certificate

    Installs the required Timus SSL Root Certificate to the device. This enables:

    • Trusted communication with internal systems and gateways
    • Full functionality of features such as traffic inspection and secure tunnel setup
  2. Give feedback

    Users can submit feedback or suggestions directly to the Timus team. Submissions include device metadata to provide helpful diagnostic context.

  3. Collect logs

    Generates a compressed ZIP file containing system and agent logs. The user is prompted to select a location for saving the file. This file can then be sent to you or the Timus support team for investigation.

  4. About:

    Displays application version and device metadata useful for technical troubleshooting.

Manual Certificate Installation (If Needed)

If SSL certificate installation fails or users encounter trust-related warnings:

  1. Open Keychain Access from Applications → Utilities.
  2. In the search bar, type the name of your SDN.
  3. Locate and double-click the corresponding certificate.
  4. Expand the Trust section and set When using this certificate to Always Trust.
  5. Close the window and enter your macOS password to confirm the changes.

If the issue persists, contact the Timus support team for assistance.

Silent Deployment (Optional)

To deploy the macOS app silently using an RMM or scripting tool, refer to:

Go to Timus Connect for MacOS - Silent Deployment Script

Timus Connect App for Android™ User Guide

The Timus Connect for Android application allows your users to securely connect to your corporate network by establishing an encrypted tunnel to the Timus platform. It supports posture-aware access, policy enforcement, and seamless connectivity in mobile environments.

Timus Connect is compatible with Android 10 and later versions.

You can download the installer from Manager → Settings → Agent Deployment → Downloads screen. Alternatively, users can access the same version from Timus My → Downloads screen or directly from the Google Play Store.

Installation & Sign-In Flow

To install Timus Connect on a user’s Android device:

  1. Download the Installer

    Search for Timus Connect on the Google Play Store, or navigate to the Downloads in Timus My and select the latest Android version.

  2. Launch the Application

    After installation, launch Timus Connect. The user must read and accept the End User License Agreement (EULA) before proceeding.

  3. Enter Timus Account Email

    The user must enter their Timus account email address to initiate authentication.

  4. Authenticate and Select Network

    • If the account is directory-synced (e.g., Microsoft Entra ID, Okta, Google Workspace), the user will be redirected to the corresponding identity provider to complete sign-in.
    • Otherwise, the user will be prompted to select a network and enter their password.

Establishing a Connection

Once signed in, the user is directed to the Connect screen.

  1. Select a Gateway

    All gateways associated with the user’s authorized sites are listed here. Each gateway includes a real-time round-trip latency metric to assist in selecting the optimal connection point.

  2. Use the “Select Fastest” Option

    Automatically selects and connects to the gateway with the lowest latency.

  3. Connect

    Clicking Connect establishes the secure tunnel between the user’s device and the selected gateway.

Agent Settings

The Settings tab in the Timus Connect application allows you to configure how the agent behaves on the user’s device. These configurations are managed through Agent Profiles in the Manager portal and can be optionally exposed for user-level control.

You can define and assign custom Agent Profiles to your users through the Manager portal.

Go to Agent Profiles Guide

  1. VPN Protocol Selection

    Choose the tunnel protocol used to establish the connection:

    • WireGuard
    • OpenVPN

Support Tools

The Support tab in the Timus Connect application provides essential tools for troubleshooting, diagnostics, and SSL certificate management.

  1. Install certificate

    Installs the required Timus SSL Root Certificate to the device. This enables:

    • Trusted communication with internal systems and gateways
    • Full functionality of features such as traffic inspection and secure tunnel setup
  2. Give feedback

    Users can submit feedback or suggestions directly to the Timus team. Submissions include device metadata to provide helpful diagnostic context.

  3. Collect logs

    Generates a compressed ZIP file containing system and agent logs. The user is prompted to select a location for saving the file. This file can then be sent to you or the Timus support team for investigation.

  4. About:

    Displays application version and device metadata useful for technical troubleshooting.

Timus Connect for iOS: User Guide

The Timus Connect for iOS application allows your users to securely connect to your corporate network by establishing an encrypted tunnel to the Timus platform. It supports posture-aware access, policy enforcement, and seamless connectivity in mobile environments.

Timus Connect is compatible with iOS 14 and later versions.

You can download the installer from Manager → Settings → Agent Deployment → Downloads screen. Alternatively, users can access the same version from Timus My → Downloads screen or directly from the App Store.

Installation & Sign-In Flow

To install Timus Connect on a user’s iOS device:

  1. Download the Installer

    Search for Timus Connect on the App Store, or navigate to the Downloads in Timus My and select the latest iOS version.

  2. Launch the Application

    After installation, launch Timus Connect. The user must read and accept the End User License Agreement (EULA) before proceeding.

  3. Enter Timus Account Email

    The user must enter their Timus account email address to initiate authentication.

  4. Authenticate and Select Network
    • If the account is directory-synced (e.g., Microsoft Entra ID, Okta, Google Workspace), the user will be redirected to the corresponding identity provider to complete sign-in.
    • Otherwise, the user will be prompted to select a network and enter their password.

Establishing a Connection

Once signed in, the user is directed to the Connect screen.

  1. Select a Gateway

    All gateways associated with the user’s authorized sites are listed here. Each gateway includes a real-time round-trip latency metric to assist in selecting the optimal connection point.

  2. Permission Prompt

    On the first connection attempt, iOS will request permission to add a VPN configuration profile.

    • Tap Allow to proceed.
    • If Don’t Allow is selected, the user will not be able to establish a VPN connection.
  3. Use the “Select Fastest” Option

    Automatically selects and connects to the gateway with the lowest latency.

  4. Connect

    Clicking Connect establishes the secure tunnel between the user’s device and the selected gateway.

Agent Settings

The Settings tab in the Timus Connect application allows you to configure how the agent behaves on the user’s device. These configurations are managed through Agent Profiles in the Manager portal and can be optionally exposed for user-level control.

You can define and assign custom Agent Profiles to your users through the Manager portal.

Go to Agent Profile Guide

  1. VPN Protocol Selection

    Choose the tunnel protocol used to establish the connection:

    • WireGuard
    • OpenVPN

Support Tools

The Support tab in the Timus Connect application provides essential tools for troubleshooting, diagnostics, and SSL certificate management.

  1. Install certificate

    Installs the required Timus SSL Root Certificate to the device. This enables:

    • Trusted communication with internal systems and gateways
    • Full functionality of features such as traffic inspection and secure tunnel setup
  2. Give feedback

    Users can submit feedback or suggestions directly to the Timus team. Submissions include device metadata to provide helpful diagnostic context.

  3. Collect logs

    Generates a compressed ZIP file containing system and agent logs. The user is prompted to select a location for saving the file. This file can then be sent to you or the Timus support team for investigation.

  4. About:

    Displays application version and device metadata useful for technical troubleshooting.

Timus Connect App Management
This article explains how to download and install versions of the Timus Connect App that are suitable for different operating systems.
To install Timus Connect App on your device:
  1. Open Timus Manager and go to Settings > Downloads page.
  2. Find the row on the Downloads page that corresponds to the name, version and icon of your device's operating system.
  3. Click the "Copy Link" button, then paste the link you copied into your browser's search bar and press Enter to begin the download.
  4. Alternatively, you can directly click the "Download" button to start the download process.

For more information on Timus Connect App versions for different operating systems, go to:

Blocked IP Addresses

The Blocked IP Addresses screen helps you monitor and manage public IPs that have been automatically blocked due to sign-in policy violations. These blocks are triggered when a User Sign-In Policy or Administrator Sign-In Policy includes the Block IP action—typically used for risky or suspicious login attempts.

📍 To access this screen, go to Insights → Blocked IP Addresses

This view enhances visibility and gives you full control over how your environment responds to unauthorized or anomalous sign-in activity.


The screen is divided into two tabs:

  • User: Lists public IP addresses blocked after failed or risky sign-in attempts by end users
  • Administrator: Shows blocked IPs resulting from sign-in attempts by administrator accounts

Each row includes:

| Column | Description |
|---|---|
| Public IP | The external IP address that was blocked |
| User / Administrator | The account associated with the attempted sign-in |
| Policy Name | The sign-in policy that triggered the block |
| Location | Geographic location of the IP (if detected) |
| Time | The timestamp when the block was applied |

 

Auto-unblock IP Addresses

Click the Settings button in the top-right corner to configure auto-unblock behavior.

You can set a duration (in hours) after which blocked IPs will be automatically unblocked, unless a new violation re-triggers the same policy.

| Setting | Description |
|---|---|
| Block Duration | Number of hours an IP remains blocked |
| Reset on Violation | Each new violation resets the block timer |

This helps strike a balance between proactive protection and operational flexibility—reducing the need for manual clean-up while keeping your environment secure.

Password Policies

The Password Policies screen allows you to define and enforce secure password rules for both users and administrators. These rules help you strengthen account protection, support compliance frameworks, and reduce the risk of unauthorized access.

📍 To access this screen, go to Users & Teams → Password Policies from the left-side menu

You can configure two predefined policies:

| Policy Name | Applies To |
|---|---|
| Policy for All Administrators | All Timus Manager portal admins |
| Policy for All Users | All standard user accounts managed in Timus |

These policies only apply to accounts managed directly within Timus. Users authenticated via external identity providers—such as Microsoft Entra ID, Okta, or Google Workspace—are governed by the password rules set in those platforms.

Edit a Password Policy

Click Edit next to a policy to open the configuration form. Each policy includes multiple rule options you can enable or adjust based on your organization’s security standards.

Available Password Rules

| Rule | Description |
|---|---|
| Minimum character length | Set the minimum number of total characters required. |
| Minimum lowercase letters | Require a minimum number of lowercase (a–z) characters. |
| Minimum uppercase letters | Require a minimum number of uppercase (A–Z) characters. |
| Minimum digits (0–9) | Require numeric digits in the password. |
| Minimum special characters | Require symbols such as !@#$%&*+ |
| Maximum consecutive digits | Prevent sequences like 1234 or 0000 |
| Cannot use commonly used passwords | Blocks popular weak passwords (e.g., password123, admin2024) |
| Cannot contain keywords | Allows you to define specific words (like company name or brand) that cannot appear in passwords. |
| Cannot contain email prefix | Prevents using the part of the user’s email before @ |
| Cannot contain first name | Blocks use of the user’s first name in their password. |
| Cannot contain last name | Blocks use of the user’s last name in their password. |
| Password expiration period | Forces password renewal after a defined number of days. |

 

Once saved, changes apply to all newly created, updated, or reset passwords. Existing passwords remain valid until changed or expired.

Best Practices

  • Always enable "Cannot use commonly used passwords" to prevent predictable passwords.
  • Use a balanced mix of lowercase, uppercase, numbers, and symbols.
  • Set a reasonable expiration period (e.g., 90 days) to reduce long-term exposure.
  • Use the "Cannot contain keywords" rule to block sensitive internal terms (e.g., company name, product name).
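The rules in the table above can be rehearsed offline before a policy is rolled out. The following is an added example, not Timus code: the field names, the threshold values, the sample common-password list, and the interpretation of "Maximum consecutive digits" as the longest unbroken run of digits are all assumptions, and the expiration rule is left out because it is not a property of the password string.

```python
import re
import string
from dataclasses import dataclass

# Constructed sample; a real check would use a large breached-password corpus.
COMMON_PASSWORDS = {"password123", "admin2024", "qwerty123", "letmein"}


@dataclass
class PasswordPolicy:
    # Hypothetical field names mirroring the rule table; values are examples.
    min_length: int = 12
    min_lowercase: int = 1
    min_uppercase: int = 1
    min_digits: int = 1
    min_special: int = 1
    max_consecutive_digits: int = 3
    block_common: bool = True
    keywords: tuple = ()
    block_email_prefix: bool = True
    block_first_name: bool = True
    block_last_name: bool = True


def longest_digit_run(password):
    """Length of the longest unbroken run of digits ("ab1234c" -> 4)."""
    return max((len(run) for run in re.findall(r"[0-9]+", password)), default=0)


def contains_token(password, token):
    """Case-insensitive substring test; empty tokens never match."""
    token = (token or "").strip().lower()
    return bool(token) and token in password.lower()


def check_password(password, policy, email, first_name, last_name):
    """Return the names of the violated rules in table order (empty list = pass)."""
    minimums = [
        ("Minimum character length", len(password), policy.min_length),
        ("Minimum lowercase letters",
         sum("a" <= c <= "z" for c in password), policy.min_lowercase),
        ("Minimum uppercase letters",
         sum("A" <= c <= "Z" for c in password), policy.min_uppercase),
        ("Minimum digits",
         sum("0" <= c <= "9" for c in password), policy.min_digits),
        ("Minimum special characters",
         sum(c in string.punctuation for c in password), policy.min_special),
    ]
    violations = [name for name, actual, required in minimums if actual < required]

    if longest_digit_run(password) > policy.max_consecutive_digits:
        violations.append("Maximum consecutive digits")
    if policy.block_common and password.lower() in COMMON_PASSWORDS:
        violations.append("Cannot use commonly used passwords")
    if any(contains_token(password, keyword) for keyword in policy.keywords):
        violations.append("Cannot contain keywords")
    if policy.block_email_prefix and contains_token(password, email.split("@", 1)[0]):
        violations.append("Cannot contain email prefix")
    if policy.block_first_name and contains_token(password, first_name):
        violations.append("Cannot contain first name")
    if policy.block_last_name and contains_token(password, last_name):
        violations.append("Cannot contain last name")
    return violations
```

Running candidate passwords through `check_password` shows which rule combinations reject them, which helps when choosing thresholds that users can realistically satisfy.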
User Management

Users

The User Management screen provides complete visibility and control over all users in your organization. Whether you're onboarding new employees, enforcing security policies, or monitoring user activity, this screen helps you do it all—clearly, efficiently, and at scale.

📍 To access this screen, go to Users & Teams → Users

The user list shows essential details for every user in your system:

| Column | Description |
|---|---|
| Username | Full name of the user |
| Email | User’s email address |
| Team | Team membership; shows Unassigned if not assigned |
| Tags | Assigned static or dynamic tags |
| Remote Sites | Sites the user can access remotely |
| Identity Provider | Shows whether the user logs in via internal database or an external IdP |
| 2FA Setup | Indicates whether two-factor authentication is configured |
| Status | Current status of the user |
| Created Date | Date when the user account was created |

 

 

Create a New User

Click Create New to open the user creation form. You’ll be asked to enter:

  • First Name (required)
  • Last Name (required)
  • Email Address (required)
  • Status (Enabled or Disabled)
  • Team (optional)
  • Tags (optional; supports static and dynamic)
  • Allowed Sites – define which remote sites the user can access.
    • Selecting All grants universal remote access.
    • If none are selected, the user cannot connect remotely.

Click Save to create the user.

 

User Details

To view a user’s activity and telemetry-based insights, click the ••• next to their entry and select Details.

 

Events

  • Sign-ins, disconnections, and connection attempts
  • Timestamp, device, network, and event type

Behavior Analysis

  • Detected behaviors based on Sign-In Policy
  • Helpful for spotting risk patterns or anomalies

Traffic

  • Upload/download volume over time
  • Adjustable via date picker

Productivity (if enabled)

If the user’s Agent Profile has Productivity Tracker enabled:

  • A time-based productivity graph
  • Breakdown of time as Productive, Unproductive, or Neutral
  • Table of app usage with durations and ratios

Want to see these insights?

Agent Profiles

User Actions

From the ••• next to any user:
  • View / Edit – Update user details
  • Enable / Disable – Toggle account status
  • Ban / Unban – Temporarily block login access
  • Reset Password – Sends a reset email
  • Drop Connection – Immediately disconnect the user. Does not prevent re-login unless the user is banned
  • Reset 2FA – Clears two-factor setup
  • Delete – Permanently deletes the account. Appears in reports as Deleted User (ID: {id})
 

Bulk Actions

You can select multiple users to apply actions in bulk:
  • Edit Settings – Update team, tags, or site access
  • Ban / Unban
  • Reset Password
  • Reset 2FA
  • Drop Connection
  • Delete Users
 

📥 Import Users

Click Import to upload users via CSV (max 5MB).
| Required Fields | Notes |
|---|---|
| First Name | Max 120 characters |
| Last Name | Max 120 characters |
| Email | Must be in valid format |
| Team | Optional – will auto-create if not found |
| Remote Sites | Optional – must match existing sites |

You can upload up to 500 users in a single CSV.

Separate multiple sites using commas: HQ, Branch A, Branch B

Imported users receive an automatic activation email.
 

📤 Export Users

Click Export to download the current table view as a CSV file.

Applied filters and sorting are reflected in the export.
 
 
Team Management

Teams

The Teams screen allows you to group users into logical units—such as departments, project teams, or locations—to streamline access control, reporting, and policy application.

Grouping users by team helps you manage them more efficiently across different features like tags, remote access, traffic reports, and Sign-In Policies.

📍 To access this screen, go to Users & Teams → Teams from the left-side menu


Each row in the table represents a team. You can view:

| Column | Description |
|---|---|
| Title | The name of the team |
| Tags | Static and dynamic tags assigned to the team |
| Users | Number of users currently in the team |
| Created Date | The date and time the team was created |

The Unassigned group is a system default. Users not assigned to any team will appear here automatically. This team cannot be edited or deleted.

Teams synced from identity providers (e.g., Microsoft Entra ID, SAML 2.0) will appear automatically and are managed externally. You cannot edit or delete them from this screen.


Creating a New Team

To manually create a team, click the Create New button and complete the form:

| Field | Description |
|---|---|
| Title | The name of the team (required, max 30 characters) |
| Tags | Assign static tags to the team (optional) |

Click Confirm to save the team. It will immediately appear in your list.

Team Actions

Click the ••• next to a team to access available actions:

  • Details – Opens a team-specific dashboard that includes:
    • A traffic chart showing upload and download data for all team members
    • Adjustable date range for data filtering
  • Edit – Change the team’s name or modify assigned static tags
  • Delete – Permanently delete the team. Appears in reports as Deleted Team (ID: {id})
Timus Support: Timus Networks: How to Create Agent Profiles for Adjusting User Behaviors

 

How to Guide:

Creating and managing agent profiles in Timus Networks helps in effectively controlling and optimizing user behaviors on your network. By following these steps, you can ensure that network policies are enforced and user experiences are tailored to your organizational needs. If you need further assistance, please feel free to reach out at any time.

 

Step 1: Log in to the Timus Manager Portal

Step 2: Navigate to “Users and Teams” on the Left Pane

Step 3: Click on “Agent Profiles” on the Middle Pane

Step 4: Click “Create New”

Step 5: Fill in the Template

Step 6: Choose the Desired Operating System to Apply the User Preferences

Step 7: Select the Agent Profile Rules You Want

Step 8: Click on “Confirm” to Create the Profile

Step 9: Use the Directional Arrows to Move the New Profile Up Among the Existing Profiles and Set Its Position in the Hierarchy

Step 10: Make Sure That All the Changes Are Applied to the User Account

 

NOTE: Users are required to disconnect and reconnect in order to access the updated settings.

 

Conclusion:

The introduction of a new Agent Profile functionality empowers administrators with granular control over user machine configurations, facilitating seamless integration of preferred rules tailored to organizational needs. This feature encompasses a spectrum of customizable parameters including tunnel type selection, startup configurations, administrative approval requirements for user logins and logouts, and the implementation of productivity tracking mechanisms. By leveraging this advanced toolset, administrators can optimize operational efficiency, enhance security protocols, and streamline user experiences within the system.

Productivity Tracker

The Productivity Tracker is a core feature of Timus Manager that empowers organizations to monitor, analyze, and optimize workforce efficiency. This guide provides step-by-step instructions for managing and utilizing the Productivity Tracker, along with detailed insights into Application Classification and Categorization.


This feature allows you to monitor user activities on Windows and macOS systems through the Timus Connect Application. It categorizes application usage as Productive, Unproductive, or Neutral and provides actionable insights through intuitive reports.

Key Features:

  • Automatic application classification using AI.
  • Customizable categorization to align with organizational goals.
  • Team-based application configuration for granular productivity analysis.
  • Comprehensive reports for users, teams, and applications.

📌 The feature must be activated in the Agent Profiles section to enable Productivity Tracker.

 


Enabling the Productivity Tracker

  1. Navigate to Users & Teams > Agent Profiles.
  2. Click on an existing Agent Profile or create a new one by selecting Create New.
  3. Select the Windows or macOS tab.
  4. Enable the toggle for Productivity tracker.

⚠️ Users assigned to this profile will automatically be monitored while signed into the Timus Connect Application.

 


Application Classification and Categorization

Applications are automatically classified into Predefined Categories and assigned a Predefined Classification by the system. You can:

  • Override predefined values by setting a Selected Classification or Selected Category.
  • Customize configurations based on teams for more granular reporting.

Editing Application Details

  1. Go to Settings > Configurations > Productivity tab.

  2. Locate the application in the table and click Edit.

  3. Update the following fields:

    • Selected Classification:
      • Choose between Productive, Neutral, or Unproductive.
    • Selected Category:
      • Reassign the application to an appropriate category.
    • Team-Based Customization:
      • Add team-specific configurations by selecting a team, category, and classification.

     

    ⚠️ Changes will reflect in reports and productivity metrics across relevant users or teams.

     

 

Accessing Productivity Reports

Productivity data can be reviewed in the Insights > Productivity Reports section. Reports are divided into the following tabs:

 
 
  • Overview:

    • Displays total productivity metrics, top users, teams, and applications.
  • Users:
    • Provides individual user activity and productivity rates.
    • View user reports, including active time, productivity breakdown, and application usage. Click Details for a deeper analysis.


 
 
  • Teams:

    • Offers insights into team-level productivity trends.
    • Examine team-wide productivity, categorized by total productive and unproductive time.
  • Applications:

    • Highlights application usage patterns and their impact on productivity.
    • Review application usage trends, categorized by predefined and selected values.


    📌 Use the Export button to download reports in CSV format for further analysis.


    Technical Considerations

    1. Windows Security Settings:
      • Ensure active-win-windows.exe is whitelisted in Endpoint Protection Platforms (EPPs) to avoid interference.
    2. macOS Permissions:
      • Grant Full Disk Access, Accessibility, and Screen Recording permissions to the Timus Connect Application for seamless tracking.

 

 
Device Posture Checks

Device Posture Checks in Timus Manager let you enforce access policies based on the real-time security posture of user devices. This ensures that only healthy, compliant, and trustworthy endpoints are allowed to connect—regardless of whether the user has valid credentials.

As a core component of your Zero Trust Security architecture, posture checks shift access decisions from identity-based trust alone to context-aware access, incorporating endpoint risk into every session decision.

📍 To access this screen, go to Zero Trust Security → Device Posture Checks from the left-side menu

To use Device Posture Checks effectively, make sure your Endpoint Protection Platforms (EPPs) are properly integrated. Supported platforms include: Bitdefender, Heimdal, Microsoft Defender, and SentinelOne.

Go to Third Party Integrations


What Are Device Posture Checks?

Device Posture Checks allow you to define a set of required conditions a device must meet before access is granted. These conditions are evaluated using telemetry from the Timus Connect agent and integrated EPPs.

Examples of posture attributes include:

  • Antivirus agent installed or signature updated
  • Full disk encryption enabled
  • Operating system version is within an allowed range
  • No malware infections or unresolved detections reported by EPP
  • Essential services and startup configurations are intact

Posture checks are continuously evaluated. If a device no longer meets the expected conditions, access can be dynamically revoked or downgraded using User Sign-In Policies and Behaviors.


Create a New Device Posture Check

Navigate to Zero Trust Security → Device Posture Checks. You’ll see a list of existing posture checks. Click Create New to define a new one.

General Settings

Configure the high-level properties of the posture check:

| Field | Description |
|---|---|
| Title | Name of the posture check (required, max 30 characters) |
| Status | Enabled or Disabled |
| Description | Optional summary for internal reference (max 70 characters) |
| Assigned Operating System | Target OS for this posture check: Windows, macOS, Linux, Windows Server, iOS, or Android |

Each posture check is created per OS. After saving, you will proceed to define the logic using attributes.

Define Compliance Attributes

In the Attributes tab, you add one or more security conditions based on telemetry or EPP data.

| Field | Description |
|---|---|
| Data Source | Where the data is coming from (Timus Connect or EPP) |
| Attribute | Security or system state to evaluate |
| Condition | Logical operator (e.g., is equal to, is any of, none of them) |
| Pass Value | Value that must be met for the check to pass |

All attributes must be satisfied unless otherwise configured. For example, you can design posture checks that fail if any required value is missing (ideal for strict security teams).
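To make the Data Source / Attribute / Condition / Pass Value model concrete, here is an added example (not Timus code) of a fail-closed evaluator for the three conditions named in the table. The telemetry dictionary shape, the attribute value strings such as "Enabled", and the process name are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeRule:
    data_source: str    # "Timus Connect" or an integrated EPP
    attribute: str      # e.g. "Disk Encryption"
    condition: str      # "is equal to" | "is any of" | "none of them"
    pass_value: object  # one value, or a list of values for the set conditions


def _values(value):
    """Normalise a scalar or a collection to a set of lower-cased strings."""
    items = value if isinstance(value, (list, tuple, set, frozenset)) else [value]
    return {str(item).strip().lower() for item in items}


def evaluate_rule(rule, telemetry):
    """Return (passed, reason) for one rule; missing or unknown input fails closed."""
    source = telemetry.get(rule.data_source, {})
    if rule.attribute not in source or source[rule.attribute] is None:
        return False, "no telemetry reported"
    observed, expected = _values(source[rule.attribute]), _values(rule.pass_value)
    if rule.condition == "is equal to":
        passed = observed == expected
    elif rule.condition == "is any of":
        passed = bool(observed & expected)
    elif rule.condition == "none of them":
        passed = not (observed & expected)
    else:
        return False, f"unsupported condition {rule.condition!r}"
    return passed, "ok" if passed else f"observed {sorted(observed)}"


def evaluate_posture(rules, telemetry):
    """Every rule must pass. Returns (passed, [(data_source, attribute, reason)])."""
    failures = []
    for rule in rules:
        passed, reason = evaluate_rule(rule, telemetry)
        if not passed:
            failures.append((rule.data_source, rule.attribute, reason))
    return not failures, failures


# Constructed posture check and device reports, for illustration only.
RULES = [
    AttributeRule("Timus Connect", "Disk Encryption", "is equal to", "Enabled"),
    AttributeRule("Timus Connect", "Operating System", "is any of",
                  ["Windows 10", "Windows 11"]),
    AttributeRule("Timus Connect", "Running Processes", "none of them",
                  ["unapproved-sync.exe"]),
    AttributeRule("SentinelOne", "Device Infected", "is equal to", "No"),
]
HEALTHY = {
    "Timus Connect": {"Disk Encryption": "Enabled", "Operating System": "Windows 11",
                      "Running Processes": ["explorer.exe", "chrome.exe"]},
    "SentinelOne": {"Device Infected": "No"},
}
DRIFTED = {  # encryption off, a blocked process running, EPP not reporting
    "Timus Connect": {"Disk Encryption": "Disabled", "Operating System": "Windows 11",
                      "Running Processes": ["explorer.exe", "Unapproved-Sync.exe"]},
}

if __name__ == "__main__":
    for name, report in (("healthy", HEALTHY), ("drifted", DRIFTED)):
        print(name, evaluate_posture(RULES, report))
```

The drifted device fails three rules, including the SentinelOne rule for which no data arrived at all, which is the strict "fail if any required value is missing" behavior described above.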


Supported Data Sources by OS

Not all data sources are available on all operating systems:

OS Timus Connect Bitdefender Heimdal Microsoft Defender SentinelOne
Windows
macOS
Windows Server
Linux
iOS
Android

Attribute Library (per Data Source)

Each data source exposes different posture elements:

🔹 Timus Connect

  • Antivirus State
  • Disk Encryption
  • Firewall
  • Operating System
  • Running Processes
  • Service State
  • Startup Items
  • Timus Connect Installed

🔹 Bitdefender

  • Antivirus Agent Outdated
  • Antivirus Agent Update Disabled
  • Antivirus Agent Signature Outdated
  • Antivirus Agent Signature Update Disabled
  • Device Infected
  • Malware Detected
  • Disk Encryption
  • Agent Installed
  • Operating System
  • Risk Score

🔹 Heimdal

  • Detection Resolution
  • Detection Status
  • Vulnerable 3rd Party Software
  • Probability of Infection
  • Threat Severity
  • Microsoft Update Severity
  • Disk Encryption
  • Operating System
  • Risk Score

🔹 Microsoft Defender

  • Antivirus Engine Mode
  • Antivirus Engine Updated Mode
  • Antivirus Platform Updated
  • Antivirus Signature Updated
  • Exposure Level
  • Agent Installed
  • Operating System
  • Risk Score

🔹 SentinelOne

  • Agent Installed
  • Antivirus Agent Outdated
  • Device Infected
  • Disk Encryption
  • Operating System

Monitoring & Reporting

Once deployed, each user device is evaluated at sign-ins. Failing devices are blocked or prompted with additional authentication steps depending on policies.

Logs and evaluation results are available under: Insights → Device Posture Reports

Go to Device Posture Reports

The device posture reports include:

  • Summary of pass/fail rates
  • Devices with repeated posture failures
  • Top failing attributes
  • Policy-level compliance trends
Device Management (NEW)

Devices

The Devices screen provides full visibility into all endpoints connecting via Timus Connect. Whether users are on the internal network or working remotely, this screen shows you which devices are active, how they are configured, and whether they meet your organization’s posture policies.

📍 To access this screen, go to Devices from the left-side menu

Devices are listed automatically as they connect to the network. The table provides key technical and contextual information for each endpoint:

| Column | Description |
|---|---|
| Name | Custom device name (alias). If not edited, defaults to system hostname |
| MAC | Device’s MAC address |
| IP | Most recently reported IP address |
| OS | Detected operating system (Windows, macOS, Linux, etc.) |
| Client Version | Installed version of Timus Connect |
| User | The user associated with the device, if any |
| Status | Current connection state |
| Tags | Any static or dynamic tags assigned |
| Site | Gateway name the device is connected through |
| Last Sign-in Date | Timestamp of the last successful connection from this device |

Posture Overview

At the top of the screen, you’ll find real-time posture insights summarizing the results of the most recent device check.

| Card | Description |
|---|---|
| Last Posture Check | How long ago the last check was performed |
| Devices Checked | Total number of devices evaluated |
| Devices Passed | Devices that passed all active posture checks |
| Devices Failed | Devices that failed one or more posture conditions |

These posture results are based on the Device Posture Checks configured under Zero Trust Security. Only devices with telemetry enabled via Timus Connect are evaluated.

Device Actions

Click the ••• next to any device:

  • View Posture Details – Opens a breakdown of the device’s most recent posture check, showing condition-level pass/fail results
  • Edit Device Settings – Opens the edit modal where you can:
    • Rename the device
    • Assign or remove tags
    • Enable/disable SSL Inspection
    • Manage site-based remote access
    • View system details (IP, MAC, OS, client version, VPN type)
  • Drop Connection – Immediately terminate the device’s active VPN session
  • Delete Device – Remove the device from the system. Appears in reports as Deleted Device (ID: {id})

Bulk Actions

You can select multiple devices and apply actions in bulk via the Actions menu at the top:

  • Edit Settings – Apply tag changes or toggle SSL Inspection for multiple devices at once
  • Drop Connection – Immediately terminate the selected devices’ active VPN session
  • Delete – Remove the selected devices from the system. Appear in reports as Deleted Device (ID: {id})

🆕 What’s New

In earlier versions, assigning a static IP to a device was done through the Edit Device screen. This has now been moved under Interface Management, on the Edit Interface screen, to align with interface-level configuration best practices.

This update ensures:

  • IP assignments are consistent with network topology rather than tied to user/device objects
  • Interface-level context is preserved, which improves visibility, auditability, and operational accuracy
  • Easier automation and management for working with VLANs, bridges, and static addressing
Trusted Networks

The Trusted Networks screen lets you define specific networks that are considered secure and reliable. When a user connects from one of these networks, certain policies—like authentication requirements or posture enforcement—can be relaxed or adapted accordingly.

This feature is especially useful in Zero Trust environments where context matters as much as identity. By defining what you trust, you gain flexibility without compromising security.

📍 To access this screen, go to Settings → Configurations → Trusted Networks

Trusted Networks only work if the Trusted Networks feature is active in the Agent Profiles.

Go to Agent Profiles Guide

Each row represents a defined trusted network entry:

| Column | Description |
|---|---|
| Title | The name you give the trusted network (e.g., Office Wi-Fi) |
| Description | Optional notes to help you recognize the network |
| Network Type | How the network is identified — via SSID, Wired, or Wireless |
| Status | Current status of the trusted network |

You can add multiple entries to account for different branches, remote offices, or known home setups.


Create a New Trusted Network

Click Create New to define a new trusted network. You’ll see a modal with the following fields:

| Field | Description |
|---|---|
| Title | A recognizable name for this network (required) |
| Status | Set to Enabled or Disabled |
| Description | Optional description to provide internal context |
| Network Type | Choose how the network is identified. SSID: useful for known Wi-Fi names. Wired: matches any physical (LAN) connection. Wireless: matches all wireless connections. |
| Source MAC | The MAC address of the router or access point (required for SSID or Wireless types) |
Tunnel Routing

The Tunnel Configuration screen allows you to define how specific users or teams route their internet or application traffic—either directly through the internet or securely over a VPN tunnel.

This configuration ensures more granular control over how data flows between users and remote destinations, based on your access or compliance requirements.

📍 To access this screen, go to Agent Configuration → Tunnel Configuration

Create New Tunnel Configuration

You can define a new routing rule by clicking the Create New button at the top right of the Tunnel Configuration screen.

| Field | Description |
|---|---|
| Title | Enter a descriptive name for this configuration (max 30 characters) |
| Source | Select one or more users or teams. This defines who the rule applies to. You can mix both types if needed. |
| Destination | Choose how the destination should be reached. You can define multiple destinations. Through VPN: routes traffic securely over VPN; requires either an IP address or a domain. Through Internet: sends traffic directly over the public internet; only IP address input is supported here. |

You can add multiple destinations in the same configuration.
Agent Profiles

The Agent Profiles screen allows you to centrally define how the Timus Connect app behaves across user devices—including Windows, macOS, iOS, and Android platforms. This ensures that VPN behavior, telemetry reporting, DNS handling, and security policies are applied consistently across your organization.

📍 To access this screen, go to Users & Teams → Agent Profiles from the left-side menu

Use profiles to enforce secure defaults, automate VPN behaviors, and apply settings dynamically to specific users, teams, or tags.


Each row in the Agent Profiles table includes:

| Field | Description |
|---|---|
| Title | The name of the profile |
| Description | Internal notes about its purpose |
| Status | Current status of the profile |

The Default Profile cannot be renamed or deleted, but you can modify its settings.


Create a New Profile

Click Create New to begin. In the setup modal:

  • Enter a Title (required, max 30 characters)
  • Add a Description (optional, max 120 characters)
  • Set the Status to Enabled or Disabled
  • Assign the profile to one or more Users, Teams, or Tags

Once assigned, the profile opens platform-specific configuration tabs for detailed setup.

💻 Windows & macOS Configuration (NEW)

These platforms offer comprehensive control over how Timus Connect operates. Settings include:

| Setting | Description |
|---|---|
| Tunnel Protocol | Choose between WireGuard or OpenVPN; optionally allow users to switch |
| WireGuard MTU / OpenVPN MTU | Fine-tune WireGuard MTU and OpenVPN MTU for performance (defaults: 1420/1500) |
| Start on boot | Launch Timus Connect automatically when the system starts |
| Connect on application start | Automatically connect VPN when Timus Connect opens |
| Always-on VPN | Keep VPN connected continuously; optionally restrict disconnect to administrators only |
| Trusted networks | Define known networks where VPN auto-disconnects (e.g., office Wi-Fi) |
| Productivity tracker | Enable application usage tracking for productivity reporting |
| Enforce Local DNS responder | Enforce DNS resolution through local responder for added security |
| Auto update | Automatically update the Timus Connect application |
| Telemetry | Enable diagnostic data collection for performance analysis |
| 🆕 Smart Tunnel Protocol Fallback | Detects and auto-switches to the most stable protocol in real time (Ideal for mobile or unstable connections) |
| 🆕 Adaptive MTU Adjustment | Dynamically applies optimal MTU values to improve VPN stability (Reduces fragmentation, no manual tuning required) |

🆕 Smart Tunnel Protocol Fallback and Adaptive MTU Adjustment features are added to reduce connection issues and optimize performance in real-time—especially useful in mobile, roaming, or constrained network environments.

💡 Want to give users control over certain settings? Enable the User can modify toggle for those fields.

📱 iOS & Android Configuration

Mobile platforms include essential VPN controls:

| Setting | Description |
|---|---|
| Tunnel Protocol | Choose WireGuard or OpenVPN; allow switching if needed |
SAML Integration for JumpCloud

This guide will walk you through the process of integrating JumpCloud with Timus using SAML 2.0 for secure Single Sign-On (SSO). Follow these steps to configure your JumpCloud application and complete the setup within Timus Manager.

1️⃣ Create a New JumpCloud Application

  1. Sign in to your JumpCloud Admin Console
  2. In the left menu, go to SSO Applications
  3. Click + Add New Application
    • If it's your first SAML app, click Get Started instead
  4. Search for and select SAML 2.0
  5. Click Next, then:
    • Display Label: Enter a name
    • (Optional) Upload a custom logo
    • Click Save Application

2️⃣ Configure Basic SAML Settings

After saving, you will be directed to the app configuration screen.


 

| JumpCloud Field | Value |
|---|---|
| IdP Entity ID | Provided automatically by JumpCloud (e.g., https://sso.jumpcloud.com/saml2/timusnetworks) |
| SP Entity ID | Same as IdP Entity ID |
| ACS URL | https://auth.timuscloud.com/user/external/saml |
| Subject NameID | email |
| NameID Format | urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified |
| Signature Algorithm | RSA-SHA256 |
| Signing Option | Assertion and Response |

JumpCloud uses the Display Label to auto-generate the Identifier. Ensure your app name is unique to avoid conflicts across SDNs in Timus.

 

3️⃣ Add User Attributes

  1. Go to the Attributes section
  2. Click + Add Attribute
  3. Add the following fields:


| Name | Value |
|---|---|
| firstname | User's first name |
| lastname | User's last name |

4️⃣ Assign Users or Groups

  1. Navigate to the User Groups tab
  2. Select the groups who should have access to this SAML application
  3. Click Save

Only users assigned to this SAML app will be able to authenticate through it.


5️⃣ Configure the Integration in Timus Manager

  1. Navigate to Settings → Integrations → SAML 2.0 → Manage
  2. Click Create New and fill in:

| Timus Field | Value |
|---|---|
| Title | e.g., JumpCloud SAML |
| Identifier | https://sso.jumpcloud.com/saml2/[app-name] (auto-generated from Display Label) |
| SAML 2.0 Service URL | Same as Identifier |
| X.509 Certificate | Copy the Hex format certificate from the JumpCloud SAML Certificate section |

  3. (Optional) Enable Require Encrypted Assertions if you’ve configured encryption
  4. Define Allowed Sites and enable Remote Access if needed
  5. Click Save



⚠️ Important: Use a Unique Application Name

JumpCloud generates the Identifier based on the application's name. For example, naming your app timusnetworks results in: https://sso.jumpcloud.com/saml2/timusnetworks

❗ This value must be unique across all SDNs.

To avoid conflicts:

  • Always choose a unique Display Label
  • This ensures proper tenant isolation and prevents login issues

✅ Test the Integration

  1. Go to JumpCloud User Console
  2. Sign in as a test user assigned to the SAML app
  3. Click on the SAML app you just created
  4. You should be redirected to Timus and signed in without being prompted for credentials again

The first successful login creates the user in Timus. Future sign-ins can occur directly from the Timus Connect application.


Troubleshooting Tips

  • Make sure the app name (and thus the Identifier) is unique
  • Use Hex format when copying the X.509 certificate
  • Ensure the SAML attributes firstname, lastname, and nameID (email) are included
  • Verify that the user has been assigned to the SAML application in JumpCloud
  • Wait a few minutes after assigning users—JumpCloud may take time to apply changes

 

SAML 2.0 Integration

The SAML 2.0 Integration in Timus Manager allows you to configure secure, standards-based Single Sign-On (SSO) for users authenticating via identity providers such as Okta, JumpCloud, or Microsoft Entra ID. This enables your organization to enforce consistent identity policies while simplifying access to Timus applications.

Timus supports multiple SAML integrations per tenant. The integration card displays the number of active configurations, and each can define its own access scope and remote access permissions.

What This Integration Enables

  • Enable SSO via your preferred Identity Provider (IdP)
  • Allow users to sign in to Timus applications using their corporate SAML credentials
  • Control access to specific sites per integration
  • Optionally enforce encrypted SAML assertions
  • Provision users automatically on first login through the IdP

How to Set Up a SAML Integration

  1. Navigate to Settings → Integrations → SAML 2.0
  2. Click Manage to open the integrations list
  3. Click Create New to open the configuration form

Configuration Fields

Field | Description
Title | A unique, descriptive name for this integration
Identifier | Also called the Issuer—provided by your IdP (e.g., https://your-idp.com/saml)
SAML 2.0 Service URL | The login URL users are redirected to for SSO
X.509 Certificate | Public certificate used to validate incoming assertions
Require Encrypted Assertions (optional) | Enables encrypted SAML responses; only use if your IdP supports encryption and has exchanged public keys with Timus
Allowed Sites | Select the gateways this integration provides access to
Remote Access | Toggle remote (VPN-style) access for users authenticating via this integration

You can define different Allowed Sites and Remote Access settings per SAML integration to support flexible, identity-based access policies.


Provider-Specific Setup Guides

To complete the setup process, refer to the guide matching your Identity Provider:

Each guide includes:

  • Application registration steps
  • Metadata configuration (Identifier, Service URL, X.509 Certificate)
  • Attribute & claim mapping
  • Tips for encryption and login verification

Attribute Mapping

Ensure your Identity Provider maps the following attributes to enable accurate user provisioning:

  • nameID – Email address (used as the unique user ID in Timus)
  • firstname – User’s first name
  • lastname – User’s last name

These attributes are required for displaying user identity properly in the Timus Manager and for enforcing user-based access rules.

Assertion Encryption (Optional)

If you enable the Require Encrypted Assertions checkbox:

  • Timus will reject unencrypted SAML responses
  • Your IdP must encrypt assertions using Timus's public key
  • The decryption key is securely managed inside the Timus platform

Only activate this setting if encryption is supported and configured correctly on both sides.

First-Time Sign-in Behavior

  • Users must initiate login from your IdP’s SAML app
  • This initial login creates the user profile in Timus
  • Attempting to sign in directly via Timus without prior SAML login will result in failure

It may take up to 30 minutes for a new integration to fully sync, depending on group complexity and user volume.

Notes

  • Identifier and SAML Service URL must be unique per SDN
  • Reusing credentials across SDNs will trigger a validation error
  • SAML-based user creation does not trigger the Connect Agent download email:
    • Downloads are available under Settings → Downloads or via my.timusnetworks.com
    • You can use RMM tools to silently deploy the Connect agent

Support & Troubleshooting

If users are unable to log in:

  • Check the SAML response payload for:
    • Correct Identifier and Audience values
    • Matching Assertion Consumer Service (ACS) URL
    • Valid certificate and active signature
    • Required attributes (nameID, firstname, lastname)
  • Use the appropriate Timus ACS URL:

SAML Integration for Okta AD

SAML Integration for Microsoft Entra ID (Azure AD)

SAML Integration for JumpCloud
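The payload checks listed under Support & Troubleshooting can be run offline against a captured, base64-encoded SAMLResponse. The script below is an added example, not Timus code: the audience and ACS URLs are placeholders, the sample response is constructed, and the signature check only confirms that a signature element is present (it does not verify it).

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_ATTRIBUTES = ("firstname", "lastname")  # attribute names this page requires

# Constructed sample values. The Identifier is the page's own example; the
# audience and ACS URLs are placeholders, not real Timus endpoints.
SAMPLE_IDENTIFIER = "https://sso.jumpcloud.com/saml2/timusnetworks"
SAMPLE_AUDIENCE = "https://sp.example.invalid/audience"
SAMPLE_ACS = "https://sp.example.invalid/acs"
SAMPLE_NOW = datetime(2025, 1, 1, 10, 2, tzinfo=timezone.utc)
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://sp.example.invalid/acs">
 <saml:Assertion>
  <saml:Issuer>https://sso.jumpcloud.com/saml2/timusnetworks</saml:Issuer>
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID>alice@example.invalid</saml:NameID>
   <saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://sp.example.invalid/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-01-01T10:00:00Z" NotOnOrAfter="2025-01-01T10:05:00Z">
   <saml:AudienceRestriction>
    <saml:Audience>https://sp.example.invalid/audience</saml:Audience>
   </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2025-01-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def encode(xml_text):
    """Base64-encode XML the way it appears in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def check_saml_response(b64_response, identifier, audience, acs_url, now=None):
    """Return a list of problems found; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    # Use this on responses captured from your own test login; for XML from
    # an untrusted source, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            return ["assertion is encrypted and cannot be inspected without the key"]
        return ["response contains no Assertion"]
    problems = []

    issuer = (assertion.findtext("saml:Issuer", "", NS) or "").strip()
    if issuer != identifier:
        problems.append(f"Issuer {issuer!r} does not match Identifier {identifier!r}")

    audiences = [(a.text or "").strip() for a in assertion.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include {audience!r}")

    recipients = [d.get("Recipient")
                  for d in assertion.iterfind(".//saml:SubjectConfirmationData", NS)]
    if root.get("Destination") != acs_url or acs_url not in recipients:
        problems.append(f"Destination/Recipient does not match ACS URL {acs_url!r}")

    # Presence check only: this does NOT verify the signature cryptographically.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on the response or the assertion")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion is not yet valid (NotBefore is in the future)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired (NotOnOrAfter has passed)")

    name_id = (assertion.findtext("saml:Subject/saml:NameID", "", NS) or "").strip()
    if "@" not in name_id:
        problems.append(f"nameID {name_id!r} is not an email address")

    present = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRIBUTES:
        if name not in present:
            problems.append(f"missing attribute {name!r}")
    return problems


if __name__ == "__main__":
    found = check_saml_response(encode(SAMPLE_XML), SAMPLE_IDENTIFIER,
                                SAMPLE_AUDIENCE, SAMPLE_ACS, SAMPLE_NOW)
    for line in found or ["all checks passed"]:
        print(line)
```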

Establishing an IPSec Tunnel Between Timus Networks and AWS

This article guides you through establishing a secure site-to-site IPSec tunnel connection between your Timus Network and an Amazon Web Services (AWS) Virtual Private Cloud (VPC).

Prerequisites:

  • An active Timus Network subscription with a deployed gateway.
  • An AWS account with a VPC configured.
  • Administrative access to both the Timus Manager and AWS Management Console.

Important Note:

This article provides a general overview of the configuration steps. The specific settings may vary depending on your individual Timus and AWS configurations. Refer to the official documentation for both Timus and AWS for the latest configuration details and any advanced options.

Configuration Steps:

  1. Configure AWS VPN Connection:
    • Access the AWS Management Console and navigate to the Virtual Private Cloud (VPC) service.
    • Locate the target VPC where you want to establish the IPSec tunnel connection.
    • Under the Connectivity section, select VPN Connections.
    • Click on Create VPN Connection.
    • Choose the Customer Gateway option and provide a descriptive name for the connection.
      [Screenshot: example configuration]
    • Review the example configuration above, then follow the on-screen instructions to configure the VPN endpoint details, including the Outside IP address of your Timus Network gateway.
    • Download the AWS VPN configuration file (.ovpn) for future reference.
  2. Configure Timus Network (Phase 1 - IKE):
    • Log in to the Timus Manager and navigate to the Sites section.
    • Click on Create New and select Connector.
    • Enter a descriptive name for the IPSec tunnel.
    • Under Type, choose IKEv2.
    • In the Parameters section, configure the following:
      [Screenshot: AWS default configuration example]
    • Local Peer: Select the Timus Network gateway interface that will be used for the tunnel.
      • Peer identifier may be left blank.
    • In the Remote Endpoint section, configure the following based on the downloaded AWS VPN configuration file:
      • Remote Address: Enter the public IP address of the AWS VPN endpoint.
      • Pre-Shared Key: Enter a strong pre-shared key to be used for authentication.
      • Authentication and Encryption: The AWS defaults are sha1 and aes128. Ensure your settings match between platforms.
      • DH Groups: The default is 1024(2); we also support 1024(14) for a stronger connection.
    • Under Miscellaneous, configure the Dead Peer Detection (DPD) settings to automatically re-establish the tunnel in case of connection disruptions.
    • Click Save to apply the Phase 1 configuration.
  3. Configure Timus Network (Phase 2 - ESP):
    • After saving the Phase 1 configuration, locate the newly created connector and click the dropdown arrow.
    • Select View to access the detailed configuration options.
    • Click on Create New Tunnel to configure the Phase 2 settings.
    • Enter a descriptive name for the Phase 2 tunnel.
    • In the Local Network section, define the local subnet(s) within your Timus Network that will have access to the AWS VPC resources through the tunnel.
    • In the Remote Network section, refer to the downloaded AWS VPN configuration file and specify the VPC CIDR block(s) you want to access from your Timus Network.
    • Choose the appropriate Encryption Algorithm and Hash Algorithm based on the AWS VPN configuration file.
    • Click Save to complete the Phase 2 configuration.
  4. Verification:
    • Once both Phase 1 and Phase 2 configurations are complete on the Timus Network side, monitor the Timus Manager for any errors or warnings.
    • The tunnel status should indicate Online when the connection is successful.

Additional Resources:

Disclaimer:

This guide is intended for informational purposes only. The accuracy and completeness of the information may vary depending on specific Timus and AWS configurations. For troubleshooting or advanced configuration assistance, please contact Timus Network support or refer to the official documentation for both platforms.

Third-Party Integrations

The Settings → Integrations screen in Timus Manager provides a centralized interface to manage all available third-party integrations. These integrations extend Timus capabilities by synchronizing with identity providers, endpoint protection platforms (EPPs), directory services, and notification tools—powering automation, visibility, and security throughout your network.

📍 To access this screen, go to Settings → Integrations

Each integration appears as a tile showing:

  • The integration name and associated icon
  • A status badge indicating whether the integration is enabled or disabled
  • A short description of its functionality
  • A settings icon to manage or disable the integration

Identity Provider Integrations

Connect to your on-premises AD using the Timus Directory Connector. Synchronize users and groups, assign them to specific teams, and control access to sites.

Active Directory

Synchronize your Active Directory users and groups with Timus. Users can sign in using their AD credentials.

Go to Active Directory Integration Guide
 

Google Workspace 

Synchronize users and groups using a service account. Supports Google SSO and group-based access mapping for Cloud Gateways and remote connectivity.

Go to Google Workspace Integration Guide
 

Microsoft Entra ID

Authenticate and sync users from Azure Entra ID (formerly Azure AD). Supports team assignment, gateway access control, and user tagging by Entra groups.

Go to Microsoft Entra ID Integration Guide

 

Okta

Use Okta as your identity provider for federated SAML authentication. Supports user mapping, group-based access, and automatic user provisioning on first sign-in.

Go to Okta Integration Guide

 

SAML 2.0

Integrate with any generic SAML 2.0 provider (e.g., JumpCloud, Entra ID, Okta) to enable Single Sign-On (SSO). Supports per-provider access scopes and remote access toggles.

Go to SAML 2.0 Integration Guide

All identity integrations support team-based access control and can be used to trigger ZTNA policies or link posture enforcement.
 

Endpoint Protection Platform (EPP) Integrations

These integrations enable Device Posture Checks by retrieving real-time telemetry from EPP agents. This allows Timus to assess device health and enforce conditional access policies.

Bitdefender

Collect security posture data from Bitdefender EPP. Enforce posture checks using attributes such as malware detection, agent update status, disk encryption, and risk scores.

Go to BitDefender Integration Guide
 

Heimdal

Ingest posture telemetry from Heimdal, including detection resolution status, vulnerable software risk scores, and threat severity. Supports attribute-based posture enforcement.

Microsoft Defender

Fetch threat intelligence and endpoint state data via Microsoft Defender APIs. Supports posture enforcement for antivirus status, signature updates, exposure level, and more.

Go to Microsoft Defender Integration Guide

 

SentinelOne

Connect to your SentinelOne tenant to retrieve real-time endpoint protection data such as disk encryption status, agent presence, and infection state.


Go to SentinelOne Integration Guide

Pair these EPP integrations with Device Posture Checks to dynamically allow, deny, or isolate user sessions based on real-time device health.
 

Monitoring & Notification Integrations

These integrations push critical Timus events to external platforms—keeping your IT and security teams proactively informed.

Google Sheets

Automatically export user sign-in/out events or device activity logs to a connected Google Sheet. Useful for custom dashboards, reporting, or long-term log retention.

Go to Google Sheets Integration Guide

Slack

Send alerts directly to a Slack channel. Includes posture violations, sign-in attempts, and other high-priority system messages.

Go to Slack Integration Guide

Telegram

Receive real-time alerts via private Telegram messages. Link your Telegram account to the Timus bot using a secure pairing code.

Go to Telegram Integration Guide
 

Billing Integration

ConnectWise

Streamlines invoicing and billing processes for MSPs, ensuring accuracy by syncing product catalogs and usage data directly with ConnectWise agreements. This reduces manual input, saving time and reducing the risk of errors. With the integration, MSPs can anticipate smoother billing operations, thanks to automated syncing of product and usage data. This integration provides seamless invoicing management, allowing partners to focus on customer success rather than manual billing tasks.

Go to Connectwise PSA Guide
 

 

Active Directory Integration

The Active Directory (AD) Integration in Timus Manager enables seamless synchronization of your on-premises AD users and groups with your cloud environment. This allows centralized identity management, site-based access control, and automated user provisioning—making it ideal for enterprise and hybrid deployments.

What This Integration Enables

  • Synchronize AD users and groups directly into Timus
  • Automatically assign synced users to the AD Users team
  • Define access to specific sites based on group membership
  • Enable or restrict Remote Access per site
  • Schedule recurring sync operations via the lightweight Directory Connector agent

Prerequisites

Before getting started, ensure:

  • You have access to a domain-joined Windows Server for installing the Directory Connector
  • Outbound HTTPS (TCP 443) is allowed on the server
  • An API credential has been created in the Timus Manager portal for this integration

Need help generating API credentials?

Go to API Access Guide

Install the Directory Connector Agent

  1. Navigate to Settings → Integrations
  2. Find the Active Directory card and click ⚙️ → Manage
  3. Click Download Agent to download the Directory Connector
  4. Install the agent on your Active Directory Domain Controller

The agent runs as a background service and communicates securely with Timus Cloud.

Create API Credentials in Timus Manager

  1. Navigate to Settings → Configurations → API Access
  2. Click Create New
  3. Enter a Title and choose Application Type = Active Directory
  4. Save the form to receive your credentials:
    • Client ID → Used as the Key
    • Client Secret → Used as the Secret

These credentials are used to authenticate the Directory Connector. Store them securely and never share them publicly.

Authenticate the Directory Connector

  1. Launch the installed Directory Connector application
  2. Enter the Key and Secret from the API Access screen
  3. Click Sign In

Upon successful login, the agent will initialize and display:

  • A Synchronization tab for configuring your AD connection
  • A Logs tab for tracking sync status, errors, and activity history

Fill in the required AD domain and bind credentials to proceed.

Enable Synchronization

  1. Return to Settings → Integrations → Manage Active Directory
  2. Toggle Synchronization Status to ON
  3. Confirm the Last Sync timestamp to verify that data is syncing correctly

🔄 Synchronization will continue periodically while the agent remains active and authorized.

Sync Frequency, Sign-In, and Sync Eligibility

Once synchronization is enabled, the Directory Connector initiates a periodic sync every 15 minutes to fetch the latest users and group data from Active Directory.

  • If you add users or groups in AD, these changes will automatically reflect in Timus after the next sync cycle.
  • You don’t have to wait for the next interval — simply open the Directory Connector application and click the Sync Now button to trigger immediate synchronization.
  • This is especially useful when new users need access without delay or when testing new group mappings.

Sign-In Behavior

Synchronized users can sign in using their Active Directory email and password.

  • No password setup email will be sent by Timus.
  • If the password changes in AD, the user’s Timus login will automatically reflect the new password.
  • Authentication fully relies on the user’s AD credentials.

Sync Eligibility Rules

Only users with valid Name and Email attributes in Active Directory are eligible for synchronization.

  • If either field is missing, the user will be excluded from the sync process.
  • This ensures that all users imported into Timus meet minimum identity requirements for sign-in and policy enforcement.

Important: The Synchronization Status must remain ON for periodic or manual sync to function properly.

Note: You can sync one SDN with one Active Directory.

Map Groups & Configure Access

In the Mapping section:

  1. Select AD groups from the list
  2. Under Allowed Sites, define which site they can access
  3. Optionally, enable Remote Access for VPN-style connectivity

Site permissions apply immediately and can be adjusted later under Users or via Bulk Actions.

Post-Sync Behavior

  • Synced users appear under Users & Teams → Users
  • By default, users are added to the AD Users team
  • AD group memberships are re-evaluated during each sync
  • Manual team assignments remain unless overridden by future sync mappings

Disable the Integration

To deactivate:

  1. Navigate to Settings → Integrations.
  2. Click the ⚙️ → Disable on the Active Directory card.

Disabling the integration will:

  • Stop all future synchronization events
  • Preserve existing users and teams
  • Unlink group mappings
  • Allow you to re-enable the connection later if needed

🔐 Security & Data Considerations

  • All sync operations use encrypted connections
  • API credentials are securely stored and scoped to read-only user/group data
  • Timus never alters your AD environment—only reads necessary data for provisioning

BitDefender Integration

The BitDefender Integration in Timus Manager allows you to retrieve real-time endpoint security data from your BitDefender GravityZone environment. This integration enhances your Device Posture Checks under Zero Trust Security, enabling you to assess device compliance based on live security posture signals—without installing new agents or modifying endpoints.

What This Integration Enables

  • Connect your GravityZone tenant to Timus Manager securely
  • Fetch posture data such as malware detection, antivirus status, and disk encryption state
  • Incorporate BitDefender-sourced attributes into Device Posture Checks
  • Automate compliance assessments using verified endpoint telemetry

Once connected, BitDefender will appear as a selectable Data Source in posture check configurations.


Prerequisites

Before starting:

  • Access to your BitDefender GravityZone Console as an administrator
  • Permission to generate API keys with appropriate scopes
  • Your tenant’s Management URL (e.g., https://cloud.gravityzone.bitdefender.com)

Generate Your API Key in GravityZone

  1. Sign in to https://gravityzone.bitdefender.com/
  2. Click your profile name (top right) → My Account
  3. Go to the API Keys section and click Add
  4. Configure the new key:
    • Name: (e.g., Timus Integration)
    • Scope: Select Network API
    • Permissions:
      • Endpoints → Read
      • Network → Read
  5. Click Generate and securely copy the resulting key

🔐 Store your API key securely. It will be required during configuration and should not be shared externally.

Confirm Your Management URL

Your Management URL is the base address of your GravityZone tenant (e.g., https://cloud.gravityzone.bitdefender.com).

Make sure this URL matches the region or hosting environment used by your organization.

Configure the Integration in Timus Manager

  1. Navigate to Settings → Integrations
  2. Locate the BitDefender card and click ⚙️ → Manage
  3. Enter the required details:
    • API Key: Paste the key copied from GravityZone
    • Management URL: Enter the appropriate URL
  4. Click Save

If the credentials are valid, BitDefender will be activated as a data source and ready for use in posture policies.

Use BitDefender in Device Posture Checks

Once enabled:

  1. Go to Zero Trust Security → Device Posture Checks
  2. Create or edit a posture check
  3. Add an attribute and select BitDefender in the Data Source dropdown
  4. Choose from available BitDefender attributes

Disable the Integration

To turn off the integration:

  1. Go to Settings → Integrations
  2. Click the ⚙️ → Disable on the BitDefender card

Disabling the integration will:

  • Stop real-time posture updates from GravityZone
  • Remove BitDefender from the Data Source dropdown
  • Retain historical data for review and audit purposes

🔐 Security & Data Handling

  • API credentials are encrypted and used only for read-only operations
  • Timus does not modify devices, endpoints, or policies in GravityZone
  • Retrieved data is evaluated within your existing access control and privacy framework

View ZTNA Dashboard

This article explains how to access data on the ZTNA Dashboard and enhance productivity and security by leveraging all available information in zero trust scenarios.

The Zero Trust Network Access (ZTNA) Dashboard provides a complete overview of all user and admin events within your network, all displayed on one page.

To filter the data displayed in widgets, start by using the User & Admin Events filter and the time filter located in the upper-right corner of the ZTNA Dashboard.

Access the information on successful logins, failed logins, high-risk login attempts, lockouts for failed logins, sign-in rule denies, and sign-in locations on a graph and a map.

  • You can also access the locations of all events using the map in the Sign-In Locations widget.
  • To zoom in on the map, use Ctrl + scroll. In addition, you can view the event types included in the widget by using the map filter in the upper-right corner.
  • Double-click the purple number icons on the map to access login information such as the username, public IP, location, and time.
  • For a better view, use the Keyboard Shortcuts dialog located in the lower-right corner of the map.
  • By clicking on the widgets, you will be directed to the Events page where you can see all the User Events and Administrator Events, including their respective details with the IP Intelligence information about their device. Click the View Events page to see more.

Create Behavior

To add customized behaviors to your network, visit Timus Manager, then select Zero Trust Security > Behaviors. This allows you to expand on the default behaviors provided by ZTNA for more comprehensive risk assessments in network use cases.

To find your network's pre-configured behaviors, go to the Name and Details parameters page. These behavior settings are already set up for your network and can be viewed and adjusted if necessary.

The general information for the default behaviors displayed on the page is as follows:

  1. New Device - Default: Compare with the last 10 authentications.
  2. Out of Radius - Default: When the radius from the location is 50 miles (last 3 locations).
  3. New Country - Default: Compare with the last 5 authentications.
  4. Impossible Travel - Default: When the assumed maximum speed is 1000 mph.
  5. Last Sign-In Date - Default: Last sign-on date older than 30 days.
  6. Untrusted IP - Default
  7. Breached E-mail Address - Default: Include breaches and disclosures that occurred within the last 180 days.
  8. Consecutive Failures at Same Account - Default: When there are 5 consecutive failures.
  9. Consecutive Failures at Any Account - Default: When there are 5 consecutive failures.
  • You can get more information about a behavior by clicking on the ">" symbol next to its name.
  • To customize the default behavior, click on the ellipsis icon (three dots) next to the "Details" option.
  • This will open the Edit feature where you can make changes according to your preferences.
  • Moreover, you can create a new behavior by copying the default behavior with just one click on the Copy Feature.
  • This way, you can modify the copied behavior without affecting the original.

To create custom behaviors for your network policies, do the following:

  1. On the right side of the page, find the Create Behavior button.
  2. Click on the Create Behavior button to start creating a new behavior.
  3. Follow the prompts and provide the necessary information to define the behavior.
  4. Enter a Name and select a Behavior Type (the behavior classification Timus uses for the ZTNA trigger).
  5. Click Confirm.
New Device
This behavior is triggered when users attempt to sign in to the system from a different device than the previous devices they successfully signed in with.
New Geo-Location
This behavior is triggered when users attempt to log into the system from a different location than their previous successful signed-in locations.
New Country
This behavior is triggered when users attempt to sign in to the system from a new country than the previous countries they successfully signed in from.
Impossible Travel
This behavior is triggered if there is an unusual time and distance between the user's last sign-in attempts.
Last Sign-On Date
This behavior is triggered if more than the specified time has passed since the user's last successful login.
Untrusted IP
This behavior is triggered when the user tries to sign in with an untrusted IP address.
An IP address is tagged as “untrusted” if it has recently been involved in abusive activities, is part of the TOR network, or is part of a proxy network.
Certain public IP addresses can be used for malicious purposes, causing them to be tagged as Untrusted IPs by the Timus ZTNA framework. Those IP addresses may then be given to legitimate users by ISPs. If you use the Untrusted IP behavior to deny user or admin sign-ins, their sign-ins will be denied until their IP addresses become trusted again, or they start using other trusted IP addresses.
Breached E-mail Address - Default
This behavior is triggered if there have been any breaches or disclosures within the selected days.
Consecutive Failures for the Same Account
This behavior is triggered if more than a specified number of failed login attempts have been made against the same user's account.
Consecutive Failures at Any Account
This behavior is triggered if more than a specified number of failed login attempts have been made against any user's account.
Device Posture Check
This behavior depends on which EPP you use; the trigger can be Passes or Fails.
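To show how the location-based behaviors relate to their default thresholds (1000 mph, 50 miles over the last 3 locations, the last 5 authentications), here is an added example that evaluates a new sign-in against a user's history. It is not Timus code: the comparison rules, the function names and the sign-in records are assumptions made for illustration.

```python
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def miles_between(a, b):
    return haversine_miles(a["lat"], a["lon"], b["lat"], b["lon"])


def triggered_behaviors(history, event, max_mph=1000, radius_miles=50,
                        radius_lookback=3, country_lookback=5):
    """Return the behaviors a new sign-in triggers.

    history: earlier successful sign-ins, oldest first.
    event:   the sign-in being evaluated.
    Defaults mirror the page's default thresholds; how each comparison is
    made is an assumption of this example.
    """
    hits = []
    if not history:
        return hits  # nothing to compare against yet

    # Impossible Travel: implied speed since the previous sign-in.
    last = history[-1]
    miles = miles_between(last, event)
    hours = (event["time"] - last["time"]).total_seconds() / 3600
    # A zero or negative interval with a real distance is treated as
    # impossible; this also avoids dividing by zero.
    if miles > 0 and (hours <= 0 or miles / hours > max_mph):
        hits.append("Impossible Travel")

    # Out of Radius: farther than the radius from each recent location.
    recent = history[-radius_lookback:]
    if all(miles_between(h, event) > radius_miles for h in recent):
        hits.append("Out of Radius")

    # New Country: country not seen in the recent authentications.
    seen = {h["country"] for h in history[-country_lookback:]}
    if event["country"] not in seen:
        hits.append("New Country")
    return hits


def make_signin(ts, lat, lon, country):
    return {"time": datetime.fromisoformat(ts), "lat": lat, "lon": lon,
            "country": country}


# Constructed sign-in records (Istanbul and London coordinates).
HISTORY = [
    make_signin("2025-03-01T08:00:00", 41.01, 28.98, "TR"),
    make_signin("2025-03-01T09:00:00", 41.02, 28.97, "TR"),
]
NEARBY = make_signin("2025-03-01T10:00:00", 41.05, 29.00, "TR")
FAR_TOO_SOON = make_signin("2025-03-01T09:30:00", 51.51, -0.13, "GB")
FAR_NEXT_DAY = make_signin("2025-03-02T09:30:00", 51.51, -0.13, "GB")

if __name__ == "__main__":
    for label, ev in [("nearby", NEARBY), ("far, 30 min later", FAR_TOO_SOON),
                      ("far, next day", FAR_NEXT_DAY)]:
        print(label, "->", triggered_behaviors(HISTORY, ev) or "no behavior triggered")
```

The next-day London sign-in still triggers Out of Radius and New Country even though the travel speed is plausible, which is why these behaviors are defined and tuned separately.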
Manage Zero Trust Policies

Timus Zero Trust Policies provide user/behavior-based access control as an alternative to traditional IP-based access control and make it easier for an organization to manage network access.

  • You can view the default sign-in policies for both Users and Admins by visiting the Zero Trust Policies pages.
  • You can create custom user/admin sign-in policies.
  • Edit, copy, deactivate, and delete your Custom and Copied policies.

The policies within Timus' Zero Trust Network Access (ZTNA) security framework are prioritized by their position in the policy table: a policy placed higher in the table takes priority over the policies below it.

This means that you can set the priority of the Timus ZTNA rules yourself.

It allows for more granular control over access rights, ensuring the right people have the right access at the right time.

The security model of this zero trust approach protects your organization against potential threats by increasing network security.

See more
Create an Administrator Sign-In Policy

This article shows administrators how to create Timus ZTNA's behavior-based administrator sign-in policies and apply them to your network.

Timus ZTNA's policies provide a distinctive and enhanced access control approach to expand your business while maintaining the fundamental aspects of your network security: Infrastructure, Application and Data, User and Device.

To protect your organization and users against today's ever more sophisticated cyber security threats, you can create User/Administrator-based sign-in policies in Timus Manager that automatically respond to any predefined risk level.

On the Admin Sign-in Policies page, you can view the following left to right:

  • You can easily navigate the page, view and configure policies using the Search filter located in the page's upper-left corner.

The policies within Timus' Zero Trust Network Access (ZTNA) security framework are prioritized by their position in the policy table: a policy placed higher in the table takes priority over the other Admin Sign-In policies below it.

This means that you can set the priority of the Timus ZTNA rules yourself.

  • You can create custom policies for admins by clicking the Create Admin Sign-in Policy button on the right side of the page.
  • In the area on the page with the default and custom policies, you can get general information about the policies, such as Name, Description, and Status.
  • The total number of policies defined in your network is displayed just below.
  • By clicking the ellipsis icon at the end of the general details of a policy: You can Edit the policy and easily create a new policy with the Copy feature. You can Deactivate and Delete the policy.

You cannot Deactivate or Delete the default administrator sign-in policy.

 

If you want to create a new Administrator Sign-In/Login Policy, follow the steps below:
  1. Go to Timus Manager > Zero Trust Security > Admin Sign-in Policies.
  2. Click the Create Admin Sign-in Policy button on the right side of the page. A pop-up appears on the screen with the following tabs:
    • Source
    • Condition
    • Action
    • Alerts & Notifications

On the Source tab,

  1. You must first enter a Name and Description for the policy you are about to create. For example, Name: Default Administrator Sign-in Policy; Description: Default Administrator Sign-in Policy for High-Risk Attempts.
  2. Click on Select and choose an Administrator.
  3. If needed, you can select multiple administrators to apply to the policy.
  4. Click on Save.

On the Condition tab,

  1. Set Risk Level as Any, High, Medium, or Low.
  2. Select the behaviors on which this policy will be applied. More than one can be selected.
  3. If you move your mouse over the new behavior, a pop-up text will appear displaying information about that specific behavior.
  4. If you want to set the time, click Schedule. You can set the day(s) and start/end date here.
  5. Click Confirm.

When "All Selected Behaviors" is chosen, all selected behaviors such as Untrusted IPs, New Device, and Breached E-mail Address must be active simultaneously for the policy to take the action.

When "Any Selected Behavior" is chosen, at least one of the selected behaviors must be triggered for the policy to take the action.

You can think of All Selected Behaviors as a logical AND (&&) and Any Selected Behavior as a logical OR (||), as in programming languages.
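Because table position sets priority and each policy combines its behaviors with AND or OR, a broad policy near the top can keep a more specific one from ever firing. The following added example (not Timus code) models that, assuming the first matching policy from the top decides the action and that a Risk Level of Any matches every level; the policy names and the table are constructed.

```python
from dataclasses import dataclass
from itertools import combinations

RISK_LEVELS = ("Low", "Medium", "High")


@dataclass(frozen=True)
class Policy:
    name: str
    risk_level: str        # "Any", "High", "Medium" or "Low"
    behaviors: frozenset   # behaviors selected on the Condition tab
    mode: str              # "all" = All Selected Behaviors, "any" = Any Selected Behavior
    action: str            # one of the actions offered on the Action tab

    def matches(self, risk, triggered):
        if self.risk_level not in ("Any", risk):
            return False
        if self.mode == "all":                     # logical AND
            return self.behaviors <= triggered
        return bool(self.behaviors & triggered)    # logical OR


def evaluate(table, risk, triggered):
    """Return the first policy, from the top of the table, that matches (or None).

    First-match-wins is an assumption of this example.
    """
    triggered = frozenset(triggered)
    for policy in table:
        if policy.matches(risk, triggered):
            return policy
    return None


def unreachable_policies(table):
    """Names of policies that never fire because higher rows always match first.

    Brute force: try every risk level with every combination of the
    behaviors that appear anywhere in the table.
    """
    universe = sorted(set().union(*(p.behaviors for p in table)))
    fired = set()
    for risk in RISK_LEVELS:
        for size in range(len(universe) + 1):
            for combo in combinations(universe, size):
                hit = evaluate(table, risk, combo)
                if hit is not None:
                    fired.add(hit.name)
    return [p.name for p in table if p.name not in fired]


# Constructed policy table, listed top (highest priority) to bottom.
TABLE = [
    Policy("Block risky admin logins", "Any",
           frozenset({"Untrusted IP", "New Country"}), "any", "Deny"),
    Policy("Step-up on new device", "Any",
           frozenset({"New Device"}), "any", "MFA-Email"),
    Policy("Block untrusted IP from new country", "High",
           frozenset({"Untrusted IP", "New Country"}), "all", "Deny and Block IP"),
]

if __name__ == "__main__":
    both = {"Untrusted IP", "New Country"}
    print("decision:", evaluate(TABLE, "High", both).action)     # Deny
    print("never fires:", unreachable_policies(TABLE))
    reordered = [TABLE[2], TABLE[0], TABLE[1]]
    print("after reorder:", evaluate(reordered, "High", both).action)
    print("never fires:", unreachable_policies(reordered))
```

In the constructed table the "Deny and Block IP" policy is unreachable until it is moved above the broader OR policy, so checking order after each change is worthwhile.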

Experience the user-friendly interface of Timus by hovering over the info icons on the policy creation screen:

When you add a behavior to the policy with the add behavior button on the screen and hover over that behavior, you can view the brief explanation about the behavior you added:

In the Action tab,

Decide what action the system should take when a behavior triggers the policy. The actions defined in the system are as follows:

  1. Allow
  2. Deny
  3. MFA-Email
  4. MFA Authenticator App
  5. Deny and Block IP

You can set multiple actions for multifactor authentication with Timus ZTNA.

The actions you select are numbered in the tab shown on the left.

  1. Select an Action from the drop-down list.
  2. If you choose the MFA - Authenticator App or MFA - Email action, both of which provide multifactor authentication, you will see the Add More Actions button on the screen.

So, in a scenario where the first authentication step fails, you can enable another action for login attempts and send authentication setup instructions to administrators who have not completed the setup process.

On the Alerts and Notifications tab, you can configure the policy to send Alerts and Notifications each time it is triggered.

  1. Enter a Title for the policy alert.
  2. Set the Severity of the alert. Severity can be defined as High, Medium, or Low.
  3. Set Status ON to enable the alert.
  4. Specify which Result Conditions will generate an alert. Conditions can be Successful, Failed, or Timeout.
  5. Click on Notification.
  6. Enter a Title for notification.
  7. Set the Severity of notification. Severity can be defined as High, Medium, or Low.
  8. Set Status ON to enable the notification.
  9. Decide which Result Conditions will generate a notification. Conditions can be Successful, Failed, or Timeout.
  10. If necessary, check Notify Administrators Matching Conditions to have the system notify the policy-bound user.
  11. If necessary, enter Recipients for the notifications to be generated.
  12. Choose a recipient type: This can be one of your Admin(s) or an External user. More than one recipient can be assigned to the policy.
  13. When the administrator is selected, all administrators defined in the system are listed by name, and you can also select All Administrators here.
  14. When External is selected, enter a Name and E-mail Address.
  15. Click +Add and view administrators' information, such as Name, Type, and E-mail Address below.
  16. Clicking Delete at the end of the line deletes the recipient.
  17. By clicking on Save, you will have created your first Admin Sign-in Policy with Timus ZTNA.
  • When you open the page, click the ellipsis icon in the default policy row and select Edit from the mini drop-down list.
  • Then you can change the configuration of the default policy and reapply it to Timus ZTNA with your final configuration.
  • Also, you can create a similar but slightly different policy: If needed, use the Copy feature in this list.
 
 
Cloud Gateways (NEW)

Cloud Gateway management has been completely reengineered in version 1.30.0—not just redesigned, but fundamentally rethought to align with real-world needs. This version introduces a scalable, observable, and operationally sound foundation for managing your network edge across distributed environments.

Previously, managing a Cloud Gateway meant navigating shared creation flows, fragmented configuration areas, and external troubleshooting tools. This made even basic operations more complex, and made advanced ones unnecessarily error-prone. There was no unified structure—just a set of loosely connected functions.

With this release, that fragmented experience is replaced by a modular, transparent, and fully integrated architecture. Each gateway is now created through a dedicated flow. Every operational aspect—DNS, traffic filtering, routing behavior, interface configuration, diagnostics—is surfaced in its own clear section. Instead of scattering control, the system now delivers it.

More importantly, Cloud Gateway management now speaks the same language as your network. Real-time telemetry, centralized IP planning, role-based interface provisioning, and structured failover logic come together in one place. You no longer have to guess how the system behaves under load or during routing shifts—you can see it, act on it, and trust it.

📍 To access this screen, go to Sites from the left-side menu

Sites

The Sites screen remains your central hub for managing Cloud Gateways and IPsec Connectors. It displays essential metrics such as region, gateway health, throughput, and the number of connected devices.

Column | Description
Name | The display name you assigned to the site
Region | The cloud region where the Cloud Gateway is hosted
Type | Displays the gateway type (Controller for Cloud Gateways)
Health | Displays the real-time connection quality to the Timus Cloud
Throughput | Real-time upload and download bandwidth
Networks | Total number of interfaces defined on the gateway
Devices | Number of actively connected endpoints
Status | Current operational state of the gateway

You can manage each gateway through the ••• menu, with options to:

  • Edit – Modify the gateway configurations (only the Title is editable)
  • Details – Open the tab-based configuration screen
  • Delete – Permanently remove the gateway from the system

🆕 What Changed?

In previous versions, clicking Create New opened a shared modal for both Cloud Gateways and Connectors — often resulting in errors or incorrect selections.

In this version:

  • Create Site opens the Cloud Gateway creation flow.
  • Create IPsec Connector launches the Connector configuration screen.

Create a New Cloud Gateway

Click Create Site to start provisioning a new Cloud Gateway.

Field | Description
Type | Cloud Gateway
Title | Required: enter a unique name to identify the gateway

🆕 The Gateway Version is assigned automatically to ensure consistency across your deployment and reduce manual errors.

Once saved, your gateway will appear in the Sites list, ready for further configuration.

Cloud Gateway Details

Click Details to open the configuration screen. Each section is organized into its own tab for clarity and modular management.

Tab | Purpose
Overview | View real-time metrics like latency, throughput, and connection health
DNS | Manage global DNS servers, static records, and internal Split DNS
Advanced Filtering | Enable and configure Web Filter, Application Filter, and Antivirus
Firewall Settings | Adjust packet-level behaviors like ICMP and multicast
Diagnostics | Troubleshoot with live tools like Ping, Traceroute, and DNS Lookup
Logs | Browse structured log entries
Maintenance | Schedule updates and define safe upgrade windows
Advanced Settings | Optimize network performance at the protocol level

Each tab contains feature-specific tools and settings designed to work independently and in combination.

Overview

The Overview tab provides real-time telemetry and metadata for your gateway.

🛰️ Connectivity Metrics

Metric | Description
Health | Stability and reachability to the Timus Cloud
Throughput | Real-time upload and download speeds
Latency | Round-trip time to cloud services
Jitter | Latency variation over time
Loss | Packet loss percentage

📈 Network Statistics

View time-series graphs for metrics such as:

  • Latency
  • Throughput
  • Jitter

You can filter the view by interface and time range for granular troubleshooting.

🧾 Site Information

Field | Description
Region | Hosting region of the gateway
Type | Cloud Gateway
Application Filter | Whether traffic identification is active
Web Filter | Whether category-based filtering is applied
Antivirus | Whether HTTP(S) download scanning is enabled
Gateway Version | Current software version
Status | Operational status of the gateway

🌐 Network Interfaces

Every Cloud Gateway comes with pre-provisioned interfaces:

  • port0: Primary WAN interface for external communication
  • tun0: OpenVPN tunnel interface
  • wg0: WireGuard tunnel interface

In earlier releases, static IPs had to be defined per device — often through the user/device configuration screen. This made subnet consistency harder to maintain.

🆕 Static IP management is now centralized under the DHCP tab for each interface. This lets you reserve IPs directly within the subnet of the selected interface and ensures alignment with DHCP ranges.

Column | Description
Name | Identifier for the interface
Type | Physical or tunnel
Role | LAN, management, or other custom-defined use
IP / Network | IP address and subnet
Status | Interface state
Bound Interfaces | Related virtual or bonded interfaces
Addressing Mode | DHCP or Static assignment
Description | Optional purpose or note

Interface Configuration:

Manage your interfaces in one place. Assign roles, set IP configurations, and view system-level details like MTU and MAC address.

Go to Interfaces & IP Management Guide

Configuration Sections (NEW)

Use the following configuration tabs to control how your Cloud Gateway filters, resolves, logs, and responds to traffic across your environment.

 

 

Diagnostics & Troubleshooting Tools

The Diagnostics tab provides built-in tools that help you investigate connectivity problems, resolve DNS issues, and monitor live network activity—all directly from the Cloud Gateway.

Unlike client-side tests, these diagnostics run at the edge of your network, offering a more accurate and authoritative view of what’s happening.

To get started, choose a test from the Diagnostic Tool dropdown. Each tool has its own fields and outputs, shown dynamically as you switch between options.


🧪 Available Diagnostic Tools

1. DNS Query

Use this tool to validate DNS resolution from the gateway’s perspective. It checks whether the configured DNS servers are responding correctly to queries.

Field | Description
Domain Name | Enter the domain (e.g., example.com) to resolve. The gateway returns the resolved IP address or failure reason.

✔️ Ideal for testing Split DNS behavior or resolving internal/external domain failures.


2. Current Network Activity

This tool offers a real-time view of network usage per interface. It includes bandwidth statistics and detailed flow-level visibility.

Field | Description
Interface | Select the interface to monitor.
IP | (Optional) Filter by source or destination IP to narrow down results.

Once started, the gateway shows:

  • Download/Upload Rate (live)
  • Total Transferred Volume
  • Per-Flow Table with source/destination IP, protocol, usage volume, and real-time speed

Use this to identify anomalies, monitor policy effects, or debug bottlenecks in specific interfaces.


3. Ping Control

This classic test sends ICMP Echo Requests to a remote host, helping you confirm reachability and measure latency.

Field | Description
IP Address or Domain | Enter a hostname or IP address (e.g., 8.8.8.8). Response times and status will be returned.

A reliable way to test internet access or upstream availability from the gateway itself.


4. Traceroute

Traceroute shows the full path a packet takes from the gateway to a destination, including each intermediate hop and the delay it introduces.

Field | Description
IP Address or Domain | Input a remote host or IP to trace. You’ll see a hop-by-hop list of routers and latency values.

Helps you identify routing issues, delays, or unreachable segments.

Firewall Engine Settings

The Firewall Settings tab gives you granular control over how the Cloud Gateway processes certain types of low-level network traffic. These settings operate below policy-level enforcement and directly influence how the firewall engine reacts to broadcast, multicast, UDP, ICMP, and IPsec-related flows.

This section is especially useful for fine-tuning network behavior in environments where bandwidth usage, attack surface, or protocol edge cases must be carefully managed.

Each setting includes an on/off toggle and, where supported, an optional logging feature that writes matching packet data to the traffic logs.

⚠️ These options affect how traffic is handled at the system level. Misconfiguration can lead to dropped sessions or reduced network visibility. Use with care.


⚙️ Configuration Options

Setting | Description
Drop broadcast traffic packets | Prevents Layer 2/3 broadcast traffic from entering or passing through the gateway. Optional logging shows dropped packets in the traffic logs. Recommended for environments where broadcasts are unnecessary or may pose a security risk.
Drop multicast traffic packets | Filters out multicast traffic commonly used by discovery protocols or group communication apps. Optional logging provides insight into multicast activity and misconfigured services in the traffic logs. Helpful in reducing noise and limiting unwanted traffic exposure.
Increase firewall UDP timeout | Extends the default timeout period for UDP flows. Useful in media-heavy environments where VoIP or video traffic may otherwise time out prematurely.
Enable ICMP redirection | Allows the gateway to issue ICMP Redirect messages to endpoints. Typically disabled for security, but may be required in specialized routing setups.
Enable ISAKMP/IKE fragmented packet handling | Enables support for fragmented IPsec Phase 1 packets. Important when dealing with VPN peers that send large or split IKE payloads.

📝 Logging Options

If logging is enabled for broadcast or multicast drops:

  • Matching traffic will appear in the traffic logs, categorized by drop action.
  • Logging can help you validate effectiveness or identify misbehaving devices.
  • However, excessive logging of high-frequency traffic types can overwhelm storage or obscure important events.

💡 Enable logging during testing or diagnosis, then disable it in stable environments to conserve resources.

 

Advanced Filtering & Traffic Inspection

The Advanced Filtering tab gives you full control over how outbound traffic is inspected and restricted at the application layer. These policies are applied globally—across all interfaces—and help ensure that your network remains secure, compliant, and aligned with usage expectations.

By enabling this feature set, you can:

  • Enforce acceptable use policies across teams or locations
  • Detect and block risky domains or high-risk applications
  • Inspect downloaded content for malware before it reaches endpoints

Whether you're securing a single branch or managing multiple distributed sites, Advanced Filtering provides a unified inspection layer directly on the gateway—no external proxy or agent required.


🌐 Web Filter

The Web Filter allows you to define which types of web traffic should be inspected and controlled based on destination port and protocol.

Field | Description
Web Filter | Toggle to enable or disable web domain filtering. When enabled, domains are inspected and evaluated against the configured rules.
Protocol | Select from HTTP, HTTPS, or define custom variants. Use custom options to target non-standard ports.
Port | Define the destination port (e.g., 80, 443, 8080, 8443) to be filtered. Only traffic on these ports is inspected.
Add | Adds the selected protocol-port pair to the active inspection list. Multiple entries can be configured.

Use category-based filtering to block access to social media, adult content, or risky domains across all traffic passing through the gateway.


📦 Application Filter

The Application Filter enables deep packet inspection to classify traffic by application protocol, even when ports or encryption obscure the destination.

Field | Description
Application Filter | Toggle to enable or disable app-layer visibility. The gateway will inspect and classify traffic by application type, regardless of port or encryption.

Recommended for environments where productivity monitoring or app usage insights are important—especially where traditional port-based filters fall short due to encrypted or obfuscated traffic.


🛡️ Antivirus

The Antivirus engine scans filtered traffic for known malware and threats.

Field | Description
Antivirus | Toggle to enable or disable threat detection. The engine scans content for known threats before allowing it to pass through to the user.

Ideal for networks that lack strong endpoint protection or allow guest/BYOD access.


✅ Best Practices

  • Combine Web Filtering with well-defined protocol-port rules to ensure consistent coverage.
  • Enable Application Filtering for granular visibility into SaaS, collaboration tools, or unmanaged app usage.
  • Use Antivirus scanning in environments where traffic inspection is your first line of defense—especially in branch offices.
Interface & IP Management

The Sites → Details → Networks tab introduces a redesigned and centralized interface management system for Cloud Gateways. This update replaces fragmented configurations from previous versions with a unified, policy-driven model that simplifies control, improves visibility, and reduces the risk of misconfiguration.

🆕 What’s New in Interface Management

  • Unified Interface View: View all physical, tunnel, and virtual interfaces from a single table with real-time metadata like MTU, IP mode, and operational state.
  • Centralized IP Reservations: Static IP assignments are now handled directly under the DHCP tab of each tunnel interface—eliminating per-device configuration and reducing errors.
  • Fully Configurable Tunnel Interfaces: OpenVPN and WireGuard tunnels can be edited in full, including ports, protocols, DNS settings, and inspection preferences.
  • System-Level Attributes Made Visible: You can now inspect MTU values, MAC addresses, and access controls that were previously buried or unavailable.

Default Interfaces

Each Cloud Gateway includes three core interfaces by default:

  • port0 → Primary physical WAN uplink
  • tun0 → OpenVPN tunnel
  • wg0 → WireGuard tunnel

Networks Table

The table provides a detailed overview of each interface:

Column | Description
Name | System-assigned interface name
Type | Interface type (e.g., Physical, Tunnel)
Role | Interface function, such as WAN or LAN
IP / Network | Assigned IP address and subnet
Status | Current operational status
Bound Interfaces | Physical link associated with tunnels
Addressing Mode | Static or DHCP
Description | Short explanation of the interface’s purpose

The ••• menu on each row allows:

  • View — For port0 (WAN)
  • Edit — For tunnel interfaces (tun0, wg0)

🆕 Static IP assignment now occurs within the DHCP tab of each tunnel interface—streamlining workflows and eliminating fragmented logic.


port0 – Physical Interface

The WAN interface configuration is read-only and provides full metadata visibility.

1. Configuration

Field | Description
Description | Default system label
Status | Operational state
Interface Type | Physical
Role | WAN
MTU | Maximum packet size
Address Assignment | DHCP
MAC Address | System-assigned hardware address
Access Restriction | Toggle ping/web access

🆕 Previously hidden details like MTU and MAC address are now visible to improve diagnostics and audit readiness.

🚫 The DHCP tab is disabled for WAN interfaces, as they don’t provide DHCP services.


Tunnel Interfaces — tun0, wg0

Tunnel interfaces connect remote users or networks securely. Version 1.30.0 replaces per-device IP assignments with centralized management.

 

1. Configuration

Field | Description
Description | A short description of the interface
Interface Type | Tunnel
Tunnel Type | OpenVPN or WireGuard
MTU | Maximum packet size
Interface | Parent physical interface
Address Assignment | Static
IP Address / Netmask | Subnet allocated for tunnel clients
Protocol / Port | Tunnel protocol and listening port
Cipher / Compression (OpenVPN only) | Encryption tuning
SSL Inspection | Toggle HTTPS inspection
Application Filter | Toggle app-level visibility
Enable DNS | Use this interface’s DNS
Access Restriction | ICMP/HTTP control

2. DHCP 🆕

This tab allows you to manage tunnel-level DNS and Static IP Reservations.

DNS Configuration:

Field | Description
Domain Name Servers | DNS servers offered to tunnel clients
Search Domains | Auto-suffix domains for resolution

IP Reservation:

Field | Description
Type | Reservation type: Device
Device Name | Select from known clients
IP Address | Reserved IP inside tunnel subnet

🆕 This method ensures accuracy, avoids IP conflicts, and simplifies audits—replacing manual per-device entries from previous versions.

How to Add Timus IP Address to Your Database Access List

⚠️ Disclaimer:
While this guide provides steps for enabling access from Timus, all responsibility for securing your database lies with the MSP or system administrator.
Timus is not liable for any misconfiguration or vulnerabilities that arise from improper database settings.

Overview

This guide helps you configure your database to accept connections from devices using Timus Connect. It covers how to find the Timus IP and how to allow it in your database setup.

Common Symptoms When Timus IP is Not Allowed

  • Connection refused
  • Timeouts or no response
  • "No pg_hba.conf entry" (PostgreSQL)
  • "Access denied for user" (MySQL)

Step-by-Step Configuration

1. Find Your Timus Gateway IP

  • Log in to Timus Manager
  • Go to Network → Gateways
  • Copy the public IP address of the active gateway

2. PostgreSQL Setup

Edit pg_hba.conf and add:

# TYPE  DATABASE        USER            ADDRESS               METHOD
host    all             all             <Timus_IP>/32         md5

Then restart PostgreSQL:

sudo systemctl restart postgresql

4. Open Firewall for Timus IP

  • Ensure the port (3306 for MySQL, 5432 for PostgreSQL) is open to the Timus IP
  • On cloud environments, adjust Security Groups or Network ACLs

5. Confirm Access

  • Test the connection using DBeaver, pgAdmin, or another SQL client
  • Verify success logs on the DB server
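
The pg_hba.conf entry in step 2 admits any role to any database from the gateway address using md5. The following added example (not part of the Timus guide) is a Python check that parses pg_hba.conf-style lines, reports whether each TCP/IP entry covers the gateway IP, and flags entries that are broader or weaker than necessary. The sample file contents, the database and role names, and 203.0.113.10 standing in for <Timus_IP> are constructed.

```python
import ipaddress

REMOTE_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def parse_hba(text):
    """Yield (lineno, type, database, user, network_or_None, method) for TCP/IP entries."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # simplification: ignores a quoted '#'
        if len(fields) < 5 or fields[0] not in REMOTE_TYPES:
            continue
        conn, database, user, address = fields[:4]
        rest = fields[4:]
        try:
            if "/" in address:
                network = ipaddress.ip_network(address, strict=False)
            else:  # address and netmask written as two separate columns
                network = ipaddress.ip_network(f"{address}/{rest[0]}", strict=False)
                rest = rest[1:]
        except ValueError:
            network = None  # hostname or keyword such as all, samehost, samenet
        if rest:
            yield lineno, conn, database, user, network, rest[0]


def audit(text, gateway_ip):
    """Return one dict per TCP/IP entry: line number, gateway coverage, findings."""
    gateway = ipaddress.ip_address(gateway_ip)
    report = []
    for lineno, conn, database, user, network, method in parse_hba(text):
        findings = []
        if network is None:
            findings.append("address is a hostname or keyword, not a fixed IP")
        elif network.num_addresses > 1:
            findings.append(f"range covers {network.num_addresses} addresses, not one host")
        if conn == "host":
            findings.append("host also matches connections without TLS; hostssl requires TLS")
        if method == "trust":
            findings.append("trust performs no authentication")
        elif method in ("md5", "password"):
            findings.append(f"{method} is a legacy method; scram-sha-256 is stronger")
        if database == "all" or user == "all":
            findings.append("not scoped to one database and one role")
        covers = (network is not None and network.version == gateway.version
                  and gateway in network)
        report.append({"line": lineno, "covers_gateway": covers, "findings": findings})
    return report


# Constructed sample: line 3 is the entry from step 2 with a placeholder gateway IP.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS            METHOD
local   all       postgres                     peer
host    all       all       203.0.113.10/32    md5
host    all       all       0.0.0.0/0          md5
hostssl appdb     app_user  203.0.113.10/32    scram-sha-256
"""

if __name__ == "__main__":
    for entry in audit(SAMPLE_HBA, "203.0.113.10"):
        print(entry["line"], "covers gateway:", entry["covers_gateway"])
        for finding in entry["findings"]:
            print("   -", finding)
```
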
Cisco Meraki

This article will help you establish a site-to-site IPsec connection between Timus Networks and Cisco Meraki.

Step 1: Access the VPN Configuration

Navigate to: Security & SD-WAN > Configure > Site-to-site VPN
Click Add a peer to begin setting up the connection.

Step 2: Add Peer Details

  • Name: IPsec Tunnel to Timus
  • IKE Version: IKEv1
  • Public IP or Hostname: Timus Gateway Public IP
  • Remote ID: Timus Gateway Public IP
  • Shared Secret Key: Your Pre-shared Key
  • Routing: Static

Step 3: Define Subnets and Availability

  • Private Subnets: 192.168.249.0/24
  • Availability: All Networks

Phase 1 Configuration:

  • Encryption: AES256
  • Authentication: SHA256
  • Diffie-Hellman Group: 2
  • Lifetime: 28800 seconds

Phase 2 Configuration:

  • Encryption: AES256
  • Authentication: SHA256
  • PFS Group: Disabled
  • Lifetime: 3600 seconds

Step 5: Enable Local Subnet for Tunnel

Ensure the local LAN you want to share over the tunnel is Enabled:

  • Example LAN: 10.105.0.0/23

Timus Configuration for Meraki Firewall:

  • Go to the Timus Manager -> Sites -> Create New. Please note that you need to have a gateway to be able to create an IPsec tunnel (Connector).

  • After clicking on Create New, you need to select Connector on top and enter an IPsec tunnel name.

Parameters:

  • Note - You now have the option to select "Create firewall rules automatically".

Miscellaneous:

  • Enabling Dead Peer Detection (DPD) is highly recommended. If the IPsec tunnel is disconnected for any reason, it will automatically reconnect.
  • After configuring the Phase 1 IKE configuration, click Save.
  • Then expand the gateway using the arrow, click the three dots, and select View.

  • On the View page, click Create New Tunnel to configure Phase 2 for IPsec.

Phase 2 configuration of Timus:

  • Note - You now have the option to select "Create firewall rules automatically".

  • After configuring Phase 2, click Save.
Administrator Sign-In Policies

The Administrator Sign-In Policies screen allows you to enforce context-aware authentication rules for Timus Manager administrators using behavior-based Zero Trust principles. These policies help you protect your infrastructure, applications, and sensitive data by dynamically responding to sign-in attempts based on risk factors and behavioral context.

📍 To access this screen, go to Zero Trust Security → Administrator Sign-In Policies

The main table lists both default and custom sign-in policies:

Column | Description
Name | Name of the policy
Description | Summary of its purpose
Status | Current status of the policy

Policies higher in the list are evaluated first. You can reorder them using drag & drop to change priority.


Create an Administrator Sign-In Policy

Click Create New to open the policy builder. You’ll configure the policy using four tabs:

Source

Specify the administrators this rule applies to:

  • Add a Name and Description (optional)
  • Select one or more administrators from the system

Condition

Define the sign-in context in which the policy is enforced:

Field | Description
Risk Level | Any, Low, Medium, or High
Behavior Conditions | Select one or more behavior conditions (see supported types below)
Behavior Match Logic | All Selected Behaviors (AND) or Any Selected Behavior (OR)
Schedule | Limit policy to specific times/days if needed

Supported Behavior Types

Behavior Type | Purpose
New Device | Detects sign-ins from previously unseen devices
Out of Radius | Flags sign-ins from locations outside usual geographic range
New Country | Detects logins from new countries based on past activity
Impossible Travel | Detects geographically implausible login movement
Last Sign-In Date | Triggers if administrator hasn’t signed in recently
Untrusted IP | Flags risky IPs (proxy, botnet, TOR, abuse score, etc.)
Breached Email | Flags email addresses found in breach databases
Consecutive Failures at Same Account | Detects brute-force attempts on a single user
Consecutive Failures at Any Account | Detects credential stuffing attempts across administrators

Action

Specify how the system should respond if the policy conditions are met:

Option | Behavior
Allow | Permit access
Deny | Deny access
MFA - Email | Require email-based OTP
MFA - Authenticator App | Require app-based TOTP
Deny and Block IP | Deny access and blacklist the IP address

You can configure multi-step MFA (e.g., Email + App fallback) to strengthen layered authentication.

Alerts & Notifications

Improve incident visibility and team coordination with real-time alerts:

  • Alerts:
    • Define Title, Severity, and Status
    • Choose Trigger Results: Success, Failure, Timeout
  • Notifications:
    • Define Title, Severity, and Status
    • Choose Trigger Results: Success, Failure, Timeout
    • Choose whether to notify matching administrators, specific administrators, or external recipients
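
The Condition and Action tabs described here, and the "All Selected Behaviors" / "Any Selected Behavior" explanation in the earlier Admin Sign-in Policies steps, can be modelled in a few lines. This is an added Python example, not Timus code. The data model, the first-match stop when walking the list, the treatment of a policy with no behaviors, and the fall-through to the next action after a failed MFA step are assumptions made for illustration; the policies themselves are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SignInPolicy:
    name: str
    admins: frozenset      # Source tab: administrators the policy applies to
    risk_level: str        # Condition tab: "Any", "Low", "Medium" or "High"
    behaviors: frozenset   # Condition tab: selected behaviors
    match_all: bool        # True = All Selected Behaviors, False = Any Selected Behavior
    actions: tuple         # Action tab: actions in the order they were added


def condition_met(policy, risk, triggered):
    """Apply the risk level first, then the AND/OR behavior match logic."""
    if policy.risk_level not in ("Any", risk):
        return False
    if not policy.behaviors:
        return True  # assumption: with no behaviors selected, risk level alone decides
    if policy.match_all:
        return policy.behaviors <= triggered            # every selected behavior fired
    return not policy.behaviors.isdisjoint(triggered)   # at least one of them fired


def first_match(policies, admin, risk, triggered):
    """Walk the list top to bottom; assumption: the first matching policy wins."""
    triggered = frozenset(triggered)
    for policy in policies:
        if admin in policy.admins and condition_met(policy, risk, triggered):
            return policy
    return None


def resolve(policy, factors_passed):
    """Run the ordered actions; assumption: a failed MFA step falls through to the next."""
    for action in policy.actions:
        if action == "Allow":
            return "allowed"
        if action == "Deny":
            return "denied"
        if action == "Deny and Block IP":
            return "denied, IP blocked"
        if action in factors_passed:  # an MFA action the administrator completed
            return "allowed after " + action
    return "denied"


ADMINS = frozenset({"alice", "bob"})  # constructed administrators
POLICIES = [  # constructed policies, highest priority first
    SignInPolicy("Block stuffing", ADMINS, "Any",
                 frozenset({"Untrusted IP", "Consecutive Failures at Any Account"}),
                 False, ("Deny and Block IP",)),
    SignInPolicy("High-risk new device and country", ADMINS, "High",
                 frozenset({"New Device", "New Country"}),
                 True, ("MFA - Authenticator App", "MFA - Email")),
    SignInPolicy("Default", ADMINS, "Any", frozenset(), False, ("MFA - Email",)),
]

if __name__ == "__main__":
    # Only one of the two AND-ed behaviors fired, so the second policy is skipped.
    hit = first_match(POLICIES, "alice", "High", {"New Device"})
    print(hit.name, "->", resolve(hit, {"MFA - Email"}))
```

With "All Selected Behaviors", every behavior added to a policy narrows when it fires: the second policy above does not match a high-risk sign-in from a new device alone, and the attempt falls through to the default policy.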
Behaviors

The Zero Trust Security → Behaviors screen lets you define dynamic conditions that detect suspicious, risky, or non-compliant activity across your organization. These behaviors are not standalone actions—they act as conditions that can be reused across multiple Sign-In Policies.

They help you enforce adaptive access decisions based on context such as:

  • Device risk
  • User behavior
  • Sign-in patterns
  • IP reputation
  • Recent history

📍 To access this screen, go to Zero Trust Security → Behaviors


Each Behavior Type represents a category of detection logic. Within each type:

  • A default behavior is provided by the system (read-only)
  • You can create multiple custom behaviors with your own thresholds or filters

Each behavior includes a ••• menu where you can:

Behavior Type | Options
Default | View or Duplicate
Custom | View, Edit, Duplicate, or Delete

This allows you to use system-provided templates or customize logic to match your organization's risk model.

Create a New Custom Behavior

Click Create Behavior to open the configuration modal. You’ll be asked to:

  • Name your behavior
  • Select a Behavior Type
  • Configure type-specific options (varies by type)

Once created, behaviors become available as conditions when building Sign-In Policies.


Available Behavior Types

Type | What It Detects
New Device | Sign-ins from previously unseen devices
Out of Radius | Location-based anomalies outside past proximity
New Country | Sign-ins from countries not seen in recent history
Impossible Travel | Improbable travel speeds between sign-in locations
Last Sign-In Date | Long periods of account inactivity
Untrusted IP | Risky or anonymous IP addresses (VPN, proxy, abuse)
Breached Email | Email address found in public breach data
Consecutive Failures – Same Account | Repeated failed logins to one account
Consecutive Failures – Any Account | Failed logins across multiple accounts
Device Posture Check | Whether a device passed or failed posture validation (User Sign-In policies only)

Using Behaviors in Sign-In Policies

Once created, behaviors can be added as conditions to any Sign-In Policy—enabling dynamic access control based on context.

During sign-in or access evaluation:

  • The system checks whether any behaviors in the policy are triggered
  • If so, it applies the defined policy action (e.g., Deny, Require MFA, Block IP)

Example Policy Condition:

“Allow access only if the device is trusted, and the IP is not untrusted.”

This adaptive model replaces static rules with real-time, context-aware security enforcement.

Website & Application Categories (NEW)


The Rules → Categories screen helps you organize both domains and applications into manageable groups, so you can apply traffic policies more efficiently and consistently across your organization.

With this version, this screen was redesigned to combine and enhance two powerful concepts:

  • Website Categories (based on domains)
  • Application Categories (based on detected application traffic)

You can now enforce access control at two levels:

  • Domain-level, using website categories
  • Application-level, using traffic-recognized app groups

📍 To access this screen, go to Rules → Categories


Website Categories

Website categories help you manage access to groups of domains instead of defining individual entries. You can use these categories in firewall rules, especially in environments where you want to:

  • Block or allow types of content (e.g., Gambling, File Sharing)
  • Whitelist trusted services
  • Enforce clean web usage policies

🔸 Website Categories Table

Column | Description
Title | The name of the website category
Type | Predefined or Custom
Total Entries | Number of domains in the category (only for Custom)

The Whitelist category is fixed at the top and allows you to bypass all filtering rules for the included domains. Any domain listed here is always allowed.

Domain Lookup

Use the search bar at the top of the screen to look up any domain. If the domain exists in a category, the result will show which one. This is especially helpful for:

  • Preventing duplicate entries
  • Understanding how a domain is currently handled

Create and Edit a Website Category

Click Create New to add a custom website category. Each category can then be managed using the ••• to:

  • Edit its domain list
  • Import domains via CSV (max 1,000 entries)
  • Exclude specific domains even after they were included

You’ll see two management tabs:

  • Included Domains – Domains actively evaluated by rules
  • Excluded Domains – Domains ignored for auditing or exception purposes

Application Categories (NEW)

This new section introduces application-based traffic classification, giving you visibility and control over apps detected through your network activity—even when domain filtering is not enough.

These categories are:

  • Predefined by the system
  • Continuously updated based on recognized application signatures
  • Read-only, but fully visible and referenceable in rules

Column | Description
Title | The name of the application category
Total Applications | Number of applications in the group
View | Opens a detail modal showing the list of applications

Using Categories in Rules

You can reference Websites, Website Categories, Applications, and Application Categories under the Destination field when creating Firewall Rules.

This gives you:

  • A scalable way to define allow/block logic
  • Unified control over domains and apps
  • Easier maintenance of complex filtering policies
Firewall Rules

The Rules → Firewall screen allows you to define how your organization handles network traffic. By configuring Allow or Deny actions based on source, destination, service, and time schedule, you can enforce strict access controls and secure your environment—whether you’re blocking suspicious activity, protecting internal systems, or managing internet usage.

📍 To access this screen, go to Rules → Firewall


The Firewall Rules table lists all firewall rules in the order they are evaluated—top to bottom. The first matching rule is applied, so rule order directly impacts behavior. You can drag and drop rules to reprioritize them.

Column Description
ID Unique identifier assigned to each rule
Type Indicates whether the rule is created by your team (Client) or delivered by your partner as a security baseline (Global)
Source Defines the traffic origin (e.g., IP, User, Device, Tag, or Interface)
Action Choose to Allow or Deny traffic
Destination Defines the target (e.g., IP, Application, Website Category)
Service The type of traffic or protocol (e.g., HTTP, DNS, or a custom service)
Description Short label explaining the rule’s purpose
Status Current status of the rule

Create a New Firewall Rule

Click Create New to open the rule configuration screen. Here’s a breakdown of the key fields:

Field Description
Description (Required) A meaningful name for identifying the rule
Action (Required) Choose whether to Allow or Deny matching traffic
Status (Required) Enable or disable the rule upon creation
Sources Default is Any. You may specify multiple entries, including: Network, Site, IP, Location, User, Team, Device, Tag, or Interface (with Gateway 14.0.0)
Destinations Default is Any. You may specify: Network, Interface (with Gateway 14.0.0), Site, IP, Location, Website Category, Application, Application Category, User, Team, Device, Tag, or Keywords
Services Select from predefined or custom service definitions
Custom Source Port (Optional) Define a specific port range if necessary
Clear Sessions Forcefully end current sessions that match this rule’s source, ensuring immediate enforcement
Enable Logging Log matching traffic in Network Activity → Firewall
Schedule Apply the rule only during specific hours or days (default: Everyday)

Once saved, the rule is added to the table and takes effect immediately—according to its position in the list.
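Because the first matching rule wins, a broad rule placed high in the list can keep a narrower rule below it from ever being applied. The following added example (not Timus code and not a Timus export format) models rules as plain label sets and reports rules that can never match; the Rule class, the label strings, and the rule IDs are constructed for illustration, and selectors are compared as opaque labels rather than resolved to IPs or memberships.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # stands for the default "Any" selector


@dataclass(frozen=True)
class Rule:
    """Simplified, hypothetical model of one row in the Firewall Rules table."""
    rule_id: int
    action: str  # "Allow" or "Deny"
    sources: Optional[FrozenSet[str]] = ANY
    destinations: Optional[FrozenSet[str]] = ANY
    services: Optional[FrozenSet[str]] = ANY
    enabled: bool = True


def selects(selector, value: str) -> bool:
    """True if a single traffic attribute is matched by a rule selector."""
    return selector is ANY or value in selector


def covers(outer, inner) -> bool:
    """True if everything `inner` selects is also selected by `outer`."""
    if outer is ANY:
        return True
    if inner is ANY:
        return False
    return inner <= outer


def first_match(rules: List[Rule], src: str, dst: str, svc: str) -> Optional[Rule]:
    """Evaluate top to bottom and return the first enabled rule that matches."""
    for rule in rules:
        if (rule.enabled and selects(rule.sources, src)
                and selects(rule.destinations, dst)
                and selects(rule.services, svc)):
            return rule
    return None


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Return (shadowed_id, shadowing_id, kind) for rules that can never match.

    kind is "conflict" when the two actions differ (the lower rule's intent is
    never enforced) and "redundant" when they are the same.
    """
    findings = []
    for index, later in enumerate(rules):
        if not later.enabled:
            continue
        for earlier in rules[:index]:
            if (earlier.enabled
                    and covers(earlier.sources, later.sources)
                    and covers(earlier.destinations, later.destinations)
                    and covers(earlier.services, later.services)):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.rule_id, earlier.rule_id, kind))
                break
    return findings


def fs(*labels: str) -> FrozenSet[str]:
    return frozenset(labels)


# Constructed rule list, in evaluation order (top to bottom).
RULES = [
    Rule(10, "Allow", sources=fs("team:Finance"), services=fs("HTTPS")),
    Rule(11, "Deny", sources=fs("team:Finance"),
         destinations=fs("category:Social Media"), services=fs("HTTPS")),
    Rule(12, "Deny", destinations=fs("category:Malware")),
    Rule(13, "Deny", sources=fs("user:alice"),
         destinations=fs("category:Malware"), services=fs("DNS")),
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(RULES):
        print(f"rule {shadowed} never matches: covered by rule {by} ({kind})")
```

Moving rule 11 above rule 10 removes the conflict: the narrower Deny is then evaluated before the broader Allow.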

Rule Actions

Click the ••• next to any rule to:

  • View / Edit – Review or update the rule configuration
  • Enable/Disable – Temporarily toggle the rule’s active status
  • Clear Sessions – Instantly drop all sessions affected by the rule
  • Delete – Permanently remove the rule. Appears in records as Deleted Firewall Rule (ID: {id})

Bulk Actions

You can select multiple rules and use the Actions menu to:

  1. Enable/Disable – Temporarily toggle the selected rules’ active statuses
  2. Clear Sessions – Instantly drop all sessions affected by the selected rules
  3. Delete – Permanently remove the selected rules. They appear in records as Deleted Firewall Rule (ID: {id})

🆕 What’s New in This Version?

Global Policies

The Type column indicates whether a rule is created by you (Client) or pushed by your partner as part of a managed security baseline (Global). This enables consistent enforcement of critical protections across environments, while maintaining flexibility.

Type What it means
Client Fully editable rules created in your own portal
Global Non-editable rules delivered by your security provider or partner

Why Global Policies?

Global rules are designed to help standardize and strengthen network security across all managed tenants—particularly useful for:

  • MSP environments
  • New customers needing out-of-the-box protections
  • Preventing configuration gaps in high-risk areas

You can:

  • Reorder Global rules to adjust their evaluation priority
  • Enable or disable them as needed to fit your context

They do not override your own rules—they simply provide a secure starting point.

Forwarding Rules

The Rules → Forwarding screen enables you to expose internal services—such as web servers, VoIP, or RDP endpoints—to external access by securely forwarding traffic through specific interfaces and port configurations.

By creating forwarding rules, you control which incoming traffic is allowed into your network and where it should be delivered internally, supporting both operational flexibility and strong perimeter defense.

📍 To access this screen, go to Rules → Forwarding

Each row in the Forwarding Rules table defines how inbound traffic is processed and redirected:

Column Description
Source Where the external request originates (IP or Device)
Destination Service The protocol and port(s) being targeted from the outside
Destination Interface The interface receiving the incoming request
Forward The internal IP where the traffic will be redirected
Forward Service Protocol and port(s) used by the internal service
Description Short explanation of the rule's purpose
Status Current status of the rule

Create a New Forwarding Rule

Click Create New to define a new rule.

Field Description
Description (Required) Name to identify the rule in your list
Status (Required) Enable or disable the rule on creation
Source (Required) Specify the origin of the request—IP address or device
Destination Service (Required) Protocol (TCP/UDP) and external port(s). Accepts single ports (80) or ranges (8000–8100)
Destination Interface (Required) The interface through which the request enters (e.g., port0, wan1)
Forward (Required) The internal IP address receiving the traffic (e.g., 192.168.1.20)
Forward Service (Required) Protocol (TCP/UDP) and internal port(s). Accepts single ports or ranges
Map to Ports (Optional) When enabled, maps incoming and forwarded ports one-to-one. Useful for services like VoIP or gaming
Schedule (Optional) Apply the rule only during specific hours or days (default: Everyday)

Once configured, click Save.
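Before saving a rule that exposes an internal service, it helps to review what the field values actually open up. The following added example (not Timus code) checks a set of constructed forwarding rules for mismatched port ranges when Map to Ports is enabled and for remote-administration ports reachable from a broad source; the ForwardingRule class, the list of sensitive ports, the 256-address threshold, and all sample addresses other than 192.168.1.20 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumptions for this example: which internal ports count as sensitive and
# how many source addresses make a rule "broad".
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5900: "VNC"}
MAX_SOURCE_ADDRESSES = 256


@dataclass
class ForwardingRule:
    """Hypothetical model of the fields on the Create New forwarding form."""
    description: str
    source: str             # single IP or CIDR block
    protocol: str           # "TCP" or "UDP"
    destination_ports: str  # external port or range, e.g. "80" or "8000-8100"
    forward_ip: str         # internal address receiving the traffic
    forward_ports: str      # internal port or range
    map_to_ports: bool = False


def parse_ports(spec: str) -> range:
    """Parse a single port ("80") or a range ("8000-8100", hyphen or en dash)."""
    low, _, high = spec.replace("\u2013", "-").partition("-")
    start = int(low)
    end = int(high) if high else start
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return range(start, end + 1)


def one_to_one_map(rule: ForwardingRule) -> Dict[int, int]:
    """Pair each external port with an internal port, in order."""
    external = parse_ports(rule.destination_ports)
    internal = parse_ports(rule.forward_ports)
    if len(external) != len(internal):
        raise ValueError("one-to-one mapping needs ranges of equal size")
    return dict(zip(external, internal))


def audit(rule: ForwardingRule) -> List[str]:
    """Return review findings for one rule (an empty list means nothing flagged)."""
    findings = []
    external = parse_ports(rule.destination_ports)
    internal = parse_ports(rule.forward_ports)
    if rule.map_to_ports and len(external) != len(internal):
        findings.append("RANGE_MISMATCH")
    source = ipaddress.ip_network(rule.source, strict=False)
    broad = source.num_addresses > MAX_SOURCE_ADDRESSES
    for port in sorted(SENSITIVE_PORTS):
        if port in internal:
            scope = "BROAD_SOURCE" if broad else "RESTRICTED_SOURCE"
            findings.append(f"{SENSITIVE_PORTS[port]}_EXPOSED_{scope}")
    if not ipaddress.ip_address(rule.forward_ip).is_private:
        findings.append("FORWARD_TARGET_NOT_PRIVATE")
    return findings


# Constructed sample rules.
FORWARDING_RULES = [
    ForwardingRule("Public web server", "0.0.0.0/0", "TCP",
                   "443", "192.168.1.20", "8443"),
    ForwardingRule("RDP for everyone", "0.0.0.0/0", "TCP",
                   "3389", "192.168.1.30", "3389"),
    ForwardingRule("RDP for one admin IP", "203.0.113.10", "TCP",
                   "50000", "192.168.1.30", "3389"),
    ForwardingRule("VoIP media", "198.51.100.0/24", "UDP",
                   "10000-10100", "192.168.1.40", "10000-10099",
                   map_to_ports=True),
]

if __name__ == "__main__":
    for rule in FORWARDING_RULES:
        print(f"{rule.description}: {audit(rule) or 'no findings'}")
```

Note that a non-standard external port, as in the third rule, does not change what is exposed internally; the finding is based on the Forward Service port.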

Rule Actions

Click the ••• next to a rule to:

  1. View / Edit – Update or review rule configuration
  2. Delete – Permanently remove the rule. Appears in records as Deleted Forwarding Rule (ID: {id})
User Sign-In Policy

The User Sign-In Policies screen allows you to enforce context-aware authentication rules using Timus ZTNA. These policies go far beyond simple password checks—leveraging device posture, sign-in origin, behavioral anomalies, and risk signals to determine whether access should be allowed, challenged with MFA, or blocked entirely.

📍 To access this screen, go to Zero Trust Security → User Sign-In Policies

The main table lists both default and custom sign-in policies:

Column Description
Name Name of the policy (e.g., Deny New Country Sign-Ins)
Description Summary of its purpose
Status Current status of the policy

Policies higher in the list are evaluated first. You can reorder them using drag & drop to change priority.


Create a New User Sign-In Policy

Click Create New to open the policy builder. You’ll configure the policy using four tabs:

Source

Specify the users or environments this rule applies to:

  • Add a Name and Description (optional)
  • Choose from Users, Teams, Tags, or Public IPs
  • You can assign multiple sources

Condition

Specify the conditions that must be met for the policy to apply:

Field Description
Authentication Method Choose from Any, Connect App, or User Portal
Risk Level Any, Low, Medium, or High
Behavior Conditions Select one or more behavior conditions (see supported types below)
Behavior Match Logic All Selected Behaviors (AND) or Any Selected Behavior (OR)
Schedule Limit policy to specific times/days if needed

Supported Behavior Types

Behavior Type Purpose
New Device Detects sign-ins from previously unseen devices
Out of Radius Flags sign-ins from locations outside usual geographic range
New Country Detects logins from new countries based on past activity
Impossible Travel Detects geographically implausible login movement
Last Sign-In Date Triggers if user hasn’t signed in recently
Untrusted IP Flags risky IPs (proxy, botnet, TOR, abuse score, etc.)
Breached Email Flags email addresses found in breach databases
Consecutive Failures at Same Account Detects brute-force attempts on a single user
Consecutive Failures at Any Account Detects credential stuffing attempts across users
Device Posture Check Evaluates posture policy (e.g., antivirus disabled, no encryption)

Action

Select how the system should respond:

Option Behavior
Allow Permit access
Deny Deny access
Ban Deny access and lock account to prevent further attempts
MFA - Email Require email-based OTP
MFA - Authenticator App Require app-based TOTP
Deny and Block IP Deny access and blacklist the IP address
Ban and Block IP Lock account and blacklist the IP address

You can configure multi-step MFA (e.g., Email + App fallback) to strengthen layered authentication.

Alerts & Notifications

Improve incident visibility and team coordination with real-time alerts:

  • Alerts:
    • Define Title, Severity, and Status
    • Choose Trigger Results: Success, Failure, Timeout
  • Notifications:
    • Define Title, Severity, and Status
    • Choose Trigger Results: Success, Failure, Timeout
    • Choose whether to notify matching users, specific administrators, or external recipients

✅ Why Use Behavior-Based Sign-In Policies?

Behavior-aware authentication lets you:

  • Detect suspicious activity like sign-ins from new countries or untrusted IPs
  • Apply MFA only when needed, reducing friction
  • Block known high-risk sign-ins before damage occurs
  • Customize policy logic per user, team, or environment
System Customization

The Customization section under Configurations allows you to personalize system-wide settings such as interface language, timezone, and email branding. These options ensure the system behaves in line with your organization's preferences—both visually and regionally.

You can also define a short organization name (alias) that will appear in email notifications sent to users, providing a more branded and contextual experience.

📍 To access this screen, go to Settings → Configurations → Customization

Field Description
System Language Sets the interface language for the entire system. This affects UI labels, messages, and menu items.
System Time Zone Defines the default timezone used for logs, reports, alerts, and scheduled activities.
Enable Customization When enabled, allows you to define a custom alias that replaces the organization name in system-generated emails.
Organization Alias A short name or abbreviation of your company that will appear in emails. Only editable when customization is enabled.
Configure Custom SMTP

The Email Server screen lets you configure how Timus sends system-generated emails such as password reset links, alerts, and scheduled reports. By default, emails are sent using Timus's built-in mail service. If you prefer using your organization's own email infrastructure, you can enable a custom SMTP server.

📍 To access this screen, go to Settings → Configurations → Email Server

At the top of the screen, you'll see a checkbox labeled Use Custom SMTP Server.

  • When this is unchecked, Timus continues to send emails using its own service. You don’t need to enter any additional information.
  • When you check this option, a set of fields appears for configuring your own SMTP server.

Once enabled, you’ll need to complete the following:

Field Description
Sender Account The email address that system messages will appear to come from
Password The password for the sender email account. Used to authenticate with your mail server
SMTP Server Address Your organization’s SMTP host (e.g., smtp.yourdomain.com)
Port The port your SMTP server listens on. Common ports: 465 (SSL), 587 (TLS), or 25 (None)
Connection Type Select the type of connection: SSL/TLS or None
StartTLS If you select None for the connection type, the StartTLS checkbox appears. Enable this if your server supports it

When you save your settings, Timus will send a test email. If you don’t receive it or the sender address doesn't match, the setup may be incorrect.

Productivity

The Productivity screen allows you to manage how user application activity is categorized and classified across your organization. This is where telemetry data collected from endpoints becomes meaningful, enabling customized productivity analysis and reporting.

Timus Connect collects application activity data through telemetry, which must be enabled per user. If telemetry is disabled, this screen will remain empty.

Go to Agent Profiles Guide

Classifications and categories shown here directly affect how app usage appears in productivity reports. Adjusting them helps tailor reporting to your organization’s real-world workflows.

Go to Productivity Reports Guide


Once telemetry is active, applications used by your team will automatically appear in this list.

📍 To access this screen, go to Settings → Configurations → Productivity

Column Description
Application The name of the tracked application, as detected by the endpoint.
Predefined Category A default category (e.g., Business, Communication, Entertainment) assigned by Timus AI.
Selected Category The currently active category used for reporting. Initially matches the predefined one, but can be edited.
Predefined Classification AI-generated productivity classification: Productive, Unproductive, or Neutral.
Selected Classification The value used in your reports. You can change this to reflect your organization’s expectations.
Team Shows All if the rule applies globally, or Custom if specific team-based overrides exist.
Edit Opens the configuration modal to update classification and category settings.

Edit an Application’s Productivity

Clicking Edit on any row opens a detailed configuration modal for that application.

You can:

  • Change the Selected Category or Classification globally for all users
  • Define team-based overrides that apply only to users within selected teams

This gives you full flexibility to reflect your organization’s work habits. Team-specific settings override global ones—but only for those users.

These changes only affect new data going forward. Historical reports remain unchanged.

API Access

The API Access screen allows you to securely generate client credentials (Client ID and Client Secret) to integrate external systems or services with Timus. These credentials are used to authorize and authenticate API calls from third-party applications.

Whether you're building a custom dashboard, automating user provisioning, or integrating identity providers, this screen is where you manage the tokens required to make those secure connections.

📍 To access this screen, go to Settings → Configurations → API Access

Each card represents an existing API access configuration and includes:

Column Description
Title A label you set to identify the integration
Expiration Date When the token will become invalid
Client ID The public identifier for the integration
Client Secret The private token used for authentication (can be revealed and copied)

You can manage multiple configurations at once, each tied to a different use case.


Create a New API Access

Click Create New to open the setup modal. You'll need to provide two values:

Field Description
Title Name of your integration. Keep it descriptive to distinguish between tokens (max 70 characters)
Application Type Select the system you’re integrating:
  • Active Directory: Use this when integrating with your AD setup.
  • Custom: Use this for internal tools, scripts, or other services not listed.

Need help integrating with Active Directory?

Go to Active Directory Integration Guide 

Once saved, a Client ID and Client Secret will be generated. Use these in your external application’s API headers for secure communication.


✅ Best Practices

  • Keep your Client Secret safe. It grants full access on behalf of the integration.
  • Rotate tokens periodically for security. You can regenerate keys via the API or by creating a new entry.
  • Label clearly. Use meaningful titles to avoid confusion as your system scales.
Alerts

The Alerts screen offers a real-time overview of important security events across your environment. These alerts are generated when defined risk conditions or infrastructure anomalies are detected—allowing you to respond quickly to emerging threats or system issues.

Whether a user fails authentication, an administrator signs in from a risky location, or a gateway goes offline, you’ll find it here—centralized and prioritized.

📍 To access this screen, go to Insights → Alerts


What Triggers an Alert?

Alerts are automatically created based on key events, including:

  • User Sign-In Policies – Triggered when user access attempts meet risky conditions
  • Administrator Sign-In Policies – Triggered by elevated-risk sign-ins from administrator accounts

Each row in the Alerts table summarizes a single alert:

Field Description
Title The name of the triggered sign-in policy or affected system
Type The alert source
Result The outcome of the triggering event
Severity Risk level assigned to the event
Date Timestamp of when the alert was generated

Alerts are updated in real time and displayed chronologically by default.

Manage Alerts

Click the ••• on any alert row to:

  • View Details – Opens a modal with full context, including triggered conditions and affected user or site
  • Mark as Read/Unread – Helps you organize and track which alerts you've already reviewed
  • Delete – Remove the alert from view. All deletions are audit-logged for traceability

📤 Export Alerts

You can export all visible alerts by clicking the Export button at the top right of the screen.

Your export reflects any filters or sorting applied to the table at the time of download.

 
Events

The Events screen provides a comprehensive audit trail of identity-based activities across your environment. Events captured here include user and administrator sign-ins, authentication steps, policy enforcement outcomes, and behavior-based triggers—giving you full visibility into who did what, when, and from where.

This screen is essential for enforcing Zero Trust principles, monitoring anomalies, and investigating incidents across both workforce and administrative actions.

📍 To access this screen, go to Insights → Events


Event Types

Events are classified into two core types:

  • User Events – Generated by end users accessing systems or applications
  • Administrator Events – Triggered by administrative actions on the Timus platform

Each entry in the table includes:

Column Description
User / Administrator The account associated with the event
Public IP The source IP address from which the action originated
Type The type of event
Authentication Method and step (e.g., Password, OTP)
Result The event outcome
Risk Level Risk rating assigned to the event based on contextual signals
Location Geographic location inferred from the public IP
Date Timestamp of the event

Event Details

Click the ••• → View next to any event.

Field Description
User / Administrator Identity associated with the event
Public IP Source IP of the connection
Origin Where the event occurred (e.g., Connect app, Manager portal)
Risk Level Final risk score assigned
Event Type Category of activity
Policy Name The access policy that was evaluated (if applicable)
Behaviors Behavior(s) that caused the policy to trigger (if applicable)
Authentication Methods used in the authentication flow
Location Geolocation of the IP
Date Exact timestamp of the event

If the event includes Untrusted IP behavior, additional IP Intelligence fields are shown:

Field Description
Proxy Indicates if a proxy service was used
VPN Flags traffic from known VPN providers
TOR Detects traffic from the TOR network
Fraud Score Third-party fraud risk score
Abuse Velocity Rate of abuse history from this IP
Recent Abuse Whether recent malicious activity was reported
Bot Activity Indicates known bot-related behavior

📤 Export Event Logs

Click Export to download the current table view as a CSV file.

Applied filters and sorting are reflected in the export.
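An exported event log can be reviewed offline for the two consecutive-failure patterns listed under User Sign-In Policy: repeated failures against one account, and failures spread across many accounts. The following added example (not Timus code, and not a description of how Timus computes these behaviors) runs both checks over a constructed CSV; the header names, the ISO date format, the Success/Failure values, the thresholds, and the grouping of cross-account failures by public IP are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in the shape of the Events table columns (assumed headers).
SAMPLE_CSV = """User,Public IP,Type,Authentication,Result,Risk Level,Location,Date
bob,192.0.2.20,User,Password,Failure,Low,US,2024-05-01T08:00:00
bob,192.0.2.20,User,Password,Success,Low,US,2024-05-01T08:01:00
alice,198.51.100.7,User,Password,Failure,Medium,US,2024-05-01T09:00:00
alice,198.51.100.7,User,Password,Failure,Medium,US,2024-05-01T09:01:00
alice,198.51.100.7,User,Password,Failure,High,US,2024-05-01T09:02:00
alice,192.0.2.10,User,Password,Success,Low,US,2024-05-01T09:05:00
bob,203.0.113.50,User,Password,Failure,High,NL,2024-05-01T10:00:00
carol,203.0.113.50,User,Password,Failure,High,NL,2024-05-01T10:00:20
dave,203.0.113.50,User,Password,Failure,High,NL,2024-05-01T10:00:40
erin,203.0.113.50,User,Password,Failure,High,NL,2024-05-01T10:01:00
"""


def load_events(text: str) -> List[dict]:
    """Parse the CSV text and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Date"] = datetime.fromisoformat(row["Date"])
    return sorted(rows, key=lambda row: row["Date"])


def same_account_streaks(events: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Longest run of consecutive failures per user, for runs >= threshold.

    A successful sign-in resets that user's run.
    """
    streak = defaultdict(int)
    flagged: Dict[str, int] = {}
    for event in events:
        user = event["User"]
        if event["Result"] == "Failure":
            streak[user] += 1
            if streak[user] >= threshold:
                flagged[user] = max(flagged.get(user, 0), streak[user])
        else:
            streak[user] = 0
    return flagged


def cross_account_failures(events: List[dict], min_users: int = 3,
                           window: timedelta = timedelta(minutes=10)
                           ) -> Dict[str, List[str]]:
    """Public IPs with failures against >= min_users accounts inside the window."""
    failures_by_ip = defaultdict(list)
    for event in events:
        if event["Result"] == "Failure":
            failures_by_ip[event["Public IP"]].append(event)

    flagged: Dict[str, List[str]] = {}
    for ip, failures in failures_by_ip.items():
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end]["Date"] - failures[start]["Date"] > window:
                start += 1
            users = {f["User"] for f in failures[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users | set(flagged.get(ip, [])))
    return flagged


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print("Same-account streaks:", same_account_streaks(events))
    print("Cross-account failures:", cross_account_failures(events))
```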

Automated Reports
 

The Automated Reports feature helps you track key metrics across your network by generating scheduled, customizable reports. Using templates and flexible scheduling options, you can automatically deliver reports that highlight user activity, bandwidth usage, threat patterns, and more—directly to the right recipients via email.

With Automated Reports, you don’t need to build reports from scratch every time. You save time, reduce manual effort, and keep your team informed with clear, consistent insights—automatically.

📍 To access this screen, go to Insights → Automated Reports


Manage Report Templates

Templates define the structure and content of your reports. Before you can generate any reports, you need to set up at least one template.

  1. Go to Insights → Automated Reports.
  2. Click Manage Templates in the top-right corner.

Templates are organized into two types:

  • Predefined Templates – Ready-to-use templates provided by the system.
  • Custom Templates – Templates you create and configure based on your reporting needs.

Each template includes widgets, which are visual or tabular components used to present data in the report.


Create a New Custom Template

To build a custom report layout:

  1. In the Manage Templates screen, click Create Custom Template.
  2. Enter a title and click Create.
  3. On the template screen, click Add Widget to start adding data blocks.
  4. Select the widgets you want to include and click Add.
  5. Use drag-and-drop to arrange the widgets as desired.

To customize a widget:

  1. Click Configure.
  2. Choose a Data Range Type:
    • Relative (e.g., last 7 days)
    • Fixed (specific start and end dates)
  3. Choose how data should be grouped: Daily, Weekly, Monthly, or Yearly

You can edit any template later by clicking the ••• → Edit option.

Create a New Report

After preparing your template, follow these steps to create a report:

  1. Return to the Automated Reports screen.
  2. Click Create Report, or use the ••• next to a template and select Create Report.
  3. Enter a report title.
  4. Choose the Report Type:
    • On Demand – Manually generated when needed.
    • Scheduled – Automatically generated and delivered on a schedule.
  5. Select the Template you want to use.
  6. In the Recipients section, add the email addresses of people who should receive the report.
  7. Click Save to create the report.

To generate a report manually:

  • Click the Actions button in the upper-right corner and select Generate Report.
  • Click the link in the success message to view the report in your browser.

If you added recipients, the report will also be delivered to their email inboxes.

 

 

Device Posture Reports

The Insights → Device Posture Reports screen helps you monitor the effectiveness of your device posture enforcement policies. This feature provides visibility into posture check results across users, devices, and policies—enabling you to detect recurring compliance issues, identify frequently failing attributes, and evaluate endpoint health over time.

Reports on this screen are automatically generated as long as your posture check policies are active and devices are sending telemetry through the Timus Connect Agent or integrated EPP solutions.

📍 To access this screen, go to Insights → Device Posture Reports

The screen is divided into three main sections:

  • Overview – A summary of pass/fail trends, top failing devices, and the most frequently violated attributes
  • Devices – Detailed run results for a selected endpoint, including pass/fail outcomes and attribute logs
  • Posture Checks – Aggregated results grouped by posture check policy, with drill-down options to investigate devices or attributes

Need help setting up your posture check policies or integrating external data sources?

Go to Device Posture Checks Guide

Go to Third Partner Integrations Guide


📊 Analyze Overall Posture Trends

The Overview tab provides a high-level summary of posture performance across your environment.

  • Most Failed Devices – Devices with the highest number of failed posture checks
  • Most Failed Attributes – Attributes that failed most frequently (e.g., OS mismatch, agent not installed)
  • Total Pass/Fail Rate – A visual chart summarizing overall compliance status
  • Pass Trend – A time-based graph showing changes in pass rate over the selected period
  • Check Summary Table, including:
    • Title of each posture check
    • Number of runs
    • Total checks performed
    • Average number of devices per run
    • Overall pass/fail rates

Use this view to identify widespread issues—such as common misconfigurations or telemetry gaps—before they impact your posture enforcement strategy.


Review Results for a Specific Device

The Devices tab allows you to drill into posture check results for a specific endpoint.

  1. Select a device using the dropdown at the top right.
  2. Choose a date range to filter the results.
  3. Once applied, you’ll see:
    • Total Runs: Number of posture checks executed for this device
    • Pass Rate and Fail Rate
    • A results table including:
      • Date and time of each run
      • Result (Passed / Failed)
      • Number of passed and failed attributes
      • Details link to explore further

Run Details

Click Details to view the full Device Posture Check Report for that run. It includes:

  • Data Source (e.g., Timus Connect, Bitdefender)
  • Attribute checked (e.g., Firewall, OS)
  • Condition and expected Pass Value
  • Actual Value received from the device
  • Result (Passed / Failed)

This detailed view helps you pinpoint the exact reason for failure—such as outdated antivirus, unsupported OS, or missing telemetry.


Evaluate Posture Check Policies

The Posture Checks tab displays results grouped by posture check policy, giving you a policy-centric view of enforcement success.

  1. Select a posture check from the dropdown.
  2. Choose a date range to filter the dataset.
  3. View policy-level metrics such as:
    • Total Runs
    • Attributes Checked
    • Pass Rate / Fail Rate
    • Pass Trend chart for visual monitoring

You’ll also see a run-level table with:

  • Date and time
  • Number of devices evaluated
  • Devices that passed / failed
  • A ••• menu with two options:
    • View Devices – Opens a list of affected devices and their results
    • View Attributes – Shows each attribute checked during the run

View Devices Associated with a Posture Check

This screen shows:

  • Device name
  • Failed attribute(s)
  • Pass / Fail per device

View Attribute-Level Results

This screen shows:

  • Data Source
  • Attribute name
  • Device Name the check was applied to
  • Condition, Pass Value, Actual Value
  • Result (Passed / Failed)

These breakdowns are useful for detecting systematic errors in posture configurations or integration gaps in endpoint telemetry.

Productivity Reports

The Insights → Productivity Reports screen provides a powerful lens into how time and digital tools are used across your organization. Designed for managers, team leads, and IT administrators, this feature transforms activity data into meaningful insights—enabling you to identify high performers, uncover inefficiencies, and build a culture of focused productivity.

📍 To access this screen, go to Insights → Productivity Reports

Reports are automatically generated when:

  • The Productivity Tracker is enabled in the user’s Agent Profile.
  • The user is signed in through the Connect Application.

Looking to define productivity rules or manage classifications?

View Productivity Configurations 


User Reports

The Users tab provides individual-level insights into application usage and productivity. It allows you to evaluate how each person spends their time and whether their digital habits align with team and company goals.

You'll see the following breakdowns:

  • Most Active Users – Users with the highest total time across all applications.
  • Productive Users – Users who spend the largest share of time in apps marked as productive.
  • Unproductive Users – Users frequently engaging with low-value or distracting applications.

User Report Details

  1. Click Details next to any user to explore:
    • Time spent per application
    • Productivity classification per app
    • A sorted list of most-used applications

Team Reports

The Teams tab aggregates user activity to provide a comprehensive overview of group-level productivity. Whether you're managing departments or functional teams, this view helps you spot trends and take informed action.

You'll be able to compare:

  • Most Active Teams – Teams with the highest total usage across members.
  • Productive Teams – Teams spending a majority of time in productive tools.
  • Unproductive Teams – Teams with a noticeable reliance on unproductive applications.

Team Report Details

Click Details next to any team to explore:

  • Total Active Time across the team
  • Segmentation of time into Productive and Unproductive
  • Team Productivity Score based on usage patterns
  • Member rankings by engagement and productivity

Use this data to balance workloads, restructure roles, or support underperforming teams.


Application Reports

The Applications tab reveals how individual apps impact productivity across your organization. This view is especially useful for application lifecycle management, IT budgeting, and usage enforcement.

Categories include:

  • Most Productive Applications – Tools associated with high-value, focused work.
  • Unproductive Applications – Applications linked to non-work-related activities or distractions.
  • Neutral Applications – Apps with context-dependent usage patterns.

Application Report Details

  1. Click Details next to any application to explore:

    • Which users accessed the app
    • Time spent by each user
    • Productivity classification and trend analysis

    These insights help optimize software investments, improve training, and enforce digital policies.


📤 Export Reports

To export report data in .csv format, click the Export button in the top-right corner of the Users, Teams, or Applications tab.

  • A maximum of 10,000 records can be exported.
  • Active filters and sorting will apply to the exported results.
Network Activity

The Network Activity screen provides a real-time view of all traffic events in your environment—both allowed and blocked. It helps you detect suspicious behavior, troubleshoot network issues, and understand how your infrastructure is being used.

📍 To access this screen, go to Insights → Network Activity → Firewall


Traffic Logs

The Traffic tab shows log-level entries for every traffic event evaluated by your firewall rules. Each row reflects a specific rule match, giving you granular visibility into connections and policy enforcement.

Field Description
Date Timestamp of when the traffic event occurred
Source Originating IP address
Source Port Port used by the source
Destination Target IP address
Destination Port Port used on the destination
Protocol Communication protocol (e.g., TCP, UDP)
Site The site where the traffic was logged
Action Whether the traffic was Allowed or Denied
Rule ID The rule that triggered this log

Traffic Details

Hover over the info icon (🛈) at the end of each row to open a detailed panel.

Details include:

  • Source IP, port, user, and team (if available)
  • Destination IP and port
  • Data size transferred
  • Site of observation
  • Rule ID and matched conditions

These insights help answer questions like:

Why was this traffic blocked?

Who attempted the connection?

📤 Export Traffic Logs

Click Export to download the current table view as a CSV file.

Applied filters and sorting are reflected in the export.


🆕 Flow Logs (NEW)

The Flows tab is a new feature introduced in this version, offering a deeper layer of visibility by analyzing full session-based connections—not just rule matches.

This feature is available only on gateways where Application Filter is enabled. It allows you to monitor real-time connections, identify risky or unknown applications, and understand bandwidth usage across ongoing sessions.

Why This Matters

Unlike traditional logs that record single events, Flow Logs track the entire lifecycle of a connection—from initiation to closure—while enriching each flow with:

  • Application Detection
  • Application Category
  • Risk Score Evaluation

This is especially valuable for detecting encrypted, unknown, or non-domain-based traffic that may bypass classic rule logic.

Field | Description
Date | Start time of the connection
Duration | Length of the session
Source | IP that initiated the connection
Source Port | Port used by the source
Destination | Target IP address
Destination Port | Port on the destination
Application | Detected application
Category | Application group (e.g., Business, Streaming)
Site | The site observing the flow
Protocol | Communication protocol
State | Active, Expired, or Closed
Risk Score | None, Low, Medium, High, Severe, Critical, Emergency

Flow Details

Hover over the info icon (🛈) to view detailed attributes for a flow:

  • Source and destination IPs/ports
  • Bytes Sent / Received
  • Packets Sent / Received
  • Detected user and team (if available)

📤 Export Flow Logs

Click Export to download the current table view as a CSV file.

Applied filters and sorting are reflected in the export.

Flow visibility gives you actionable insights into live or recent activity—making it easier to detect bandwidth abuse, malware behavior, or unauthorized app usage.
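
As an added example (not Timus code), the following Python script triages an exported Flows CSV offline: it flags flows at or above a chosen Risk Score and flows with no identified application, then groups them by source. The column names are assumed to match the Flows table headings, the value "Unknown" for an unidentified application is an assumption, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Risk Score values in the order the Flows table lists them (lowest first).
RISK_ORDER = ["None", "Low", "Medium", "High", "Severe", "Critical", "Emergency"]
RISK_RANK = {name.lower(): rank for rank, name in enumerate(RISK_ORDER)}

# Constructed sample export. Column names are assumed to match the Flows
# table headings; adjust them to the header row of a real export.
SAMPLE_EXPORT = """\
Date,Duration,Source,Source Port,Destination,Destination Port,Application,Category,Site,Protocol,State,Risk Score
2025-01-10 09:00:01,00:00:12,10.0.0.15,51514,203.0.113.10,443,Office365,Business,HQ,TCP,Closed,None
2025-01-10 09:01:40,00:14:03,10.0.0.22,49822,198.51.100.7,8443,Unknown,,HQ,TCP,Active,High
2025-01-10 09:02:05,00:03:10,10.0.0.22,49830,198.51.100.7,8443,,,HQ,TCP,Active,Medium
2025-01-10 09:05:17,01:02:44,10.0.0.31,6881,203.0.113.77,6881,BitTorrent,File Sharing,Branch,UDP,Expired,Critical
2025-01-10 09:06:00,00:20:00,10.0.0.40,50111,203.0.113.5,443,YouTube,Streaming,HQ,TCP,Active,Low
"""


def load_flows(csv_text):
    """Parse the exported CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def risk_rank(label):
    """Rank of a Risk Score label, or None if the label is not a listed value."""
    return RISK_RANK.get((label or "").strip().lower())


def flag_flows(flows, threshold="High"):
    """Return (flow, reasons) pairs for flows that deserve a closer look."""
    limit = RISK_RANK[threshold.lower()]
    flagged = []
    for flow in flows:
        reasons = []
        rank = risk_rank(flow.get("Risk Score"))
        if rank is None:
            # Surface unexpected labels instead of silently dropping the row.
            reasons.append("unrecognized risk score")
        elif rank >= limit:
            reasons.append("risk score " + flow["Risk Score"].strip())
        app = (flow.get("Application") or "").strip()
        if app == "" or app.lower() == "unknown":  # assumed marker, see lead-in
            reasons.append("unidentified application")
        if reasons:
            flagged.append((flow, reasons))
    return flagged


def summarize_by_source(flagged):
    """Group flagged flows by source IP so repeat offenders stand out."""
    summary = defaultdict(
        lambda: {"flows": 0, "destinations": set(), "reasons": set()}
    )
    for flow, reasons in flagged:
        entry = summary[flow["Source"]]
        entry["flows"] += 1
        entry["destinations"].add(flow["Destination"] + ":" + flow["Destination Port"])
        entry["reasons"].update(reasons)
    return dict(summary)


if __name__ == "__main__":
    report = summarize_by_source(flag_flows(load_flows(SAMPLE_EXPORT)))
    for source, entry in sorted(report.items()):
        print(source, entry["flows"], sorted(entry["destinations"]), sorted(entry["reasons"]))
```

Because an export is capped at 10,000 records and reflects the active filters, narrow the time range or filter before exporting so the rows of interest are not cut off.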

How do I contact Support?

How does a Timus Partner get support or help?

We have a wealth of ways to answer your questions or solve your issues. You can use our brand-new help center, submit a ticket in the help portal, email your issues, or chat with us.

Support Hours

Regular Support: Mon - Friday, 8:00 am EST - 5 pm EST

Chat Support: Mon - Friday, 9:00 am EST - 5 pm EST

Severity 1 Support: 24/7 

 

Submitting a request to Timus Support

Chat:

Web Form:

  • Submit a request by going to www.timus.zendesk.com and clicking "Submit a request" on the top menu bar. Or you can click on this link to submit a request.

Email: 

  • Send an email to support@timusnetworks.com with as much detail as possible so we can solve your issue. Include logs, topology, steps to reproduce, etc., if applicable.

Updating an existing request

Support Portal

  • Go to www.timus.zendesk.com and click on your profile icon drop-down. Select the option "Request" and navigate to the ticket that needs an update. Scroll to the bottom and click on the section called "Add to conversation".

Email

  • Please find the messages with the corresponding ticket number in your inbox and reply to those emails.

Support Workflow process

Waiting on Partner 

  • After our support team communicates and needs additional information from the partner or believes we have solved the issue, we will put the ticket in a "Waiting on Partner" status. The ticket will stay in this status unless you respond. If you do not respond within 3 business days, the status will switch to "Still Issue".

Still Issue 

  • If the ticket workflow puts the ticket in "Still Issue" status, and you respond, the ticket will be updated. However, if you do not respond, the ticket will switch to "No Partner Response" status and be considered closed. You can reply to the ticket, and it will be reopened.
Why Running Two VPNs on the Same Device Can Be Problematic

Our solution is not designed or optimized to run alongside another VPN on the same operating system. Running two VPNs simultaneously can lead to a range of issues, including:

  • Network Conflicts: Multiple VPNs may compete to control the network interface, resulting in unstable or broken connectivity.
  • Routing Issues: Each VPN establishes its own encrypted tunnel and routing rules. When both are active, they can override or conflict with each other’s routes, causing traffic to be misrouted or blocked entirely.
  • Performance Degradation: VPNs consume system resources and bandwidth. Running two at once can significantly impact device performance and network speed.
  • Security Risks: Instead of enhancing protection, overlapping VPNs can create unintended vulnerabilities, as one VPN may bypass or interfere with the encryption or DNS settings of the other.
  • MAC Address Conflicts: For example, FortiClient VPN may assign a virtual adapter with the same MAC address across different devices. When used in conjunction with Timus SASE, this causes identification conflicts in our platform, preventing proper policy enforcement and ultimately blocking access.
  • Timus SASE and ControlOne Conflicts: ControlOne and Timus SASE both implement low-level network drivers to manage secure access and routing. When both agents are active, they interfere with each other’s tunnel interfaces and route tables. This leads to unpredictable behavior such as traffic loops, broken connections, or one service completely overriding the other. As a result, users may experience loss of access, inconsistent security enforcement, or total VPN failure.

To ensure optimal performance, stability, and security, we recommend using only one VPN or secure access solution at a time on any given device.

Conditional Access Policy Blocking Token Issuance with DUO MFA in Entra ID

Overview

This article explains the AADSTS53003 error encountered when using DUO MFA with Microsoft Entra ID (formerly Azure AD) under Conditional Access policies. The issue stems from policy configuration in Entra ID and how it interacts with DUO’s custom control mechanism. This is not related to infrastructure or service functionality on the Timus Networks side.

Symptoms

AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

This error means Microsoft Entra is enforcing a Conditional Access (CA) policy that blocks token issuance due to unmet conditions (e.g. MFA, device compliance, IP location).

Root Causes

  • Use of the common endpoint instead of a tenant-specific endpoint.
  • CA policy requiring MFA not satisfied by DUO’s Custom Control.
  • Policy applies to user or service principal with no exclusions defined.

How to Diagnose

  1. Log in to Microsoft Entra ID > Sign-in Logs.
  2. Locate the failed login attempt with the AADSTS53003 error.
  3. Open the sign-in log and view the Conditional Access tab.
  4. Identify which policy blocked the token issuance and why.

How to Resolve

  • Use your tenant ID, not "common":
    Replace https://login.microsoftonline.com/common with https://login.microsoftonline.com/<your-tenant-id>.
    [Microsoft Answers]
  • Adjust Conditional Access policies:
    - Exclude the affected user, group, or service principal from the blocking policy.
    - Loosen conditions (e.g. allow external MFA, accept custom controls).
    [Stack Overflow] | [Sync365]
  • Understand DUO limitations:
    - DUO Custom Control does not satisfy Microsoft’s native MFA claim requirement.
    - If strict MFA enforcement is needed, use DUO with AD FS or DUO SSO for federation-based authentication.
    [DUO Docs]

Important Notice

No action can be taken on the Timus Networks side to resolve this issue. This is not a service-level problem, but rather a result of how Conditional Access evaluates the token request in combination with DUO’s authentication method.

To clarify: This issue must be addressed jointly by your internal Entra ID administrators and DUO MFA configuration. The enforcement behavior and token issuance logic are fully governed by Microsoft Entra and how it recognizes external MFA solutions. Timus Networks has no control or authority to override these decisions.

References

Troubleshooting High CPU & RAM Usage and Functionality Issues in Timus Connect Application on Windows

Overview:

This article provides troubleshooting steps to resolve common issues related to high CPU and RAM usage, as well as functionality disruptions in the Timus Connect application. It aims to assist in identifying and addressing problems that may arise due to antivirus or endpoint protection software blocking key executables or interfering with the application's native operations. By following these guidelines, users can ensure smooth performance and prevent potential conflicts that could lead to prolonged processes or system slowdowns.

To ensure full compatibility and performance of the Timus Connect application, it is critical that all related executable files are properly whitelisted in both Antivirus (AV) and Endpoint Protection Platform (EPP) tools.

Failing to whitelist these files may cause:

  • High CPU and memory usage
  • Stuck or unresponsive processes
  • VPN connection failures
  • Performance degradation due to blocked native API calls or memory hooks

Modern AV/EPP solutions may block more than just the executable file. They often inspect runtime behavior, command-line parameters and system-level API calls. Therefore, it is essential to allow not only the executables but also their full runtime behavior.


✅ Required Executables for Whitelisting

The following files must be excluded from scanning, behavioral analysis, and execution restrictions:

C:\Program Files\Timus Connect\Timus Connect.exe
C:\Program Files\Timus Connect\Uninstall Timus Connect.exe
C:\Program Files\Timus Connect\resources\elevate.exe
C:\Program Files\Timus Connect\resources\service\timus-connect-service.exe
C:\Program Files\Timus Connect\resources\service\timus-helper-service.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win32\certutil.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win32\modutil.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win32\pk12util.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win32\shlibsign.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win64\certutil.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win64\modutil.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win64\pk12util.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win64\shlibsign.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\openssl.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\openvpn.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\openvpn_2.4.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\tapctl.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\tuntap_win\tapctl.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\tuntap_win\tapinstall.exe
C:\Program Files\Timus Connect\resources\service\lib\win\telemetry\timus-telemetry.exe
C:\Program Files\Timus Connect\resources\service\lib\win\wireguard\amd64\timus-wireguard-tunnel-service.exe
C:\Program Files\Timus Connect\resources\service\lib\win\wireguard\amd64\wg.exe

🔐 General Whitelisting Guidelines

To ensure full functionality, perform whitelisting at two levels:

  1. Client-Side Agent – Exclude paths directly on the endpoint
  2. Central Console – Apply policy-wide exclusions for consistency and scale

For maximum compatibility:

  • Exclude by exact file path
  • Exclude entire Timus Connect folder to cover future updates

🔧 Configuration by Vendor (Antivirus + EPP)

1. Windows Defender (Microsoft Defender for Endpoint)

Client UI:

  • Go to Windows Security → Virus & threat protection → Manage settings → Add exclusions
  • Add both individual .exe files and the full folder path

PowerShell (for bulk deployment):

Add-MpPreference -ExclusionPath "C:\Program Files\Timus Connect"

Microsoft Defender for Endpoint (MDE Console):

  • Go to Device Configuration → Endpoint Security → Antivirus → Policy
  • Add exclusions under Microsoft Defender Antivirus settings

2. BitDefender GravityZone

Control Center:

  • Navigate to Policies → Antimalware → Settings → Exclusions
  • Add file paths for all relevant executables and their subfolders
  • If “Advanced Threat Control” flags the app, add a Process Exception

Client:

  • Open local agent settings → Go to Protection → Manage Exclusions
  • Add relevant paths manually

3. SentinelOne

Management Console:

  • Navigate to Threat Protection → Exclusions
  • Add executables by path
  • Create Behavioral AI exclusions to allow elevated processes and tunneling apps (OpenVPN/WireGuard)

Note: SentinelOne client does not support local UI configuration—central management only.


4. CrowdStrike Falcon

Cloud Console:

  • Go to Configuration → Prevention Policies
  • Add to “Allow List” using exact path
  • Confirm that the process is excluded from behavioral blocking policies (e.g., “Process Injection” or “Credential Access” rules)

5. Trend Micro Apex One

Control Manager:

  • Navigate to Policy Management → Agent Settings → Exceptions
  • Add both file and folder exclusions
  • Include all child .exe under Timus Connect path

Client:

  • Right-click agent icon → Go to Settings → Scan Exceptions

6. Symantec Endpoint Protection

SEPM Console:

  • Go to Policies → Exception Policies → Windows Exceptions
  • Add by File, Folder, and optionally by File Type (.exe)

Client:

  • Open SEP UI → Settings → Configure Exceptions

7. McAfee Trellix Endpoint Security

ePolicy Orchestrator (ePO):

  • Go to Policy Catalog → Endpoint Security Threat Prevention → Access Protection → Exclusions
  • Add by path and allow for:
    • Read/Write Access
    • Memory Access

Client Console:

  • Open ENS client → Go to Threat Prevention → Show Advanced Settings → Exclusions

8. ESET Endpoint Security

ESET PROTECT Console:

  • Go to Policies → Detection Engine → Exclusions
  • Add all Timus .exe files and folders

Client Interface:

  • Open ESET UI → Setup → Detection Engine → Manage Exclusions

9. ThreatLocker

Portal:

  • Navigate to Application Control → Policies → Add Policy
  • Create a custom group for Timus Connect
  • Approve each executable manually
  • Ensure compatibility with Ring0 operations (driver/low-level calls)

10. Datto AV/EPP

Control Manager:

  • Navigate to Security Management → Policies → Exclusions
  • Add full folder C:\Program Files\Timus Connect\ and all executable paths
  • Allow behaviors: privilege elevation, service creation, VPN tunneling (OpenVPN/WireGuard)

Client:

  • Open Local Agent → Settings → Exclusions
  • Add Timus Connect folder and executables manually
  • Allow runtime behaviors if blocked

11. FortiEDR / FortiClient 

FortiEDR Console

    • Log in to the FortiEDR Management Console

    • Navigate to Policies → Endpoint Policies

    • Select your policy → Edit

    • In the left pane, choose Exclusions → File and Folder Exclusions

    • Click Add → browse to C:\Program Files\Timus Connect\

    • Select all .exe files and their parent folders under that path

    • Save changes → Publish updated policy

FortiClient (Client Interface)

  • Open FortiClient on the endpoint

  • Click Settings (gear icon) → Antivirus

  • Scroll to Exclusions → Manage Exclusions

  • Click Add Exclusion → Browse to C:\Program Files\Timus Connect\

  • Select all .exe files (include subfolders) → OK

  • Click Apply to activate exclusions


12. SolarWinds

Orion Console (Server-Side)

  • Log in to the Orion Web Console

  • Go to Settings → All Settings

  • Under SAM Settings, click Manage File & Directory Monitors

  • Select any monitor that might scan Timus files → Edit

  • In Excluded Paths, click Add and enter: C:\Program Files\Timus Connect\

  • Click Save and Apply

SolarWinds Agent (Client-Side)

  • Open the SolarWinds Agent local UI (e.g. http://localhost:17778/)

  • Click Settings → File & Directory Exclusions

  • Click Add Exclusion → browse to: C:\Program Files\Timus Connect\

  • Check Include subfolders

  • Click OK, then Save or Apply


⚠️ Additional Notes on Runtime Behavior

  • Some Timus components use privilege elevation (elevate.exe), create or manage services, and perform tunneling operations using OpenVPN and WireGuard.
  • EPPs with behavioral engines may falsely classify this behavior as malicious.
  • We strongly recommend creating behavioral exclusions where applicable to allow full functionality.
  • Monitor the application’s performance post-deployment and check for flagged events in your EPP logs.

⚠️ Additional Step: Run System File Checker (SFC) and DISM

If you continue to experience high CPU, RAM usage, or functionality issues after whitelisting the executables, it may be helpful to run the System File Checker (SFC) and DISM commands to repair potential system file corruption. Follow these steps:

  1. Open Command Prompt as Administrator.
  2. Run the following command to check for and repair corrupted system files:
    sfc /scannow
  3. Once SFC completes, run the following DISM command to repair the Windows image:
    DISM /Online /Cleanup-Image /RestoreHealth

These steps can help resolve underlying system issues that might be contributing to performance problems or functionality disruptions.

 

Please note - Huntress currently does not support traditional software exclusions in the way antivirus or endpoint protection platforms might (e.g., excluding a specific folder or process from scanning).  We recommend putting the machine in maintenance mode when installing our application.


Summary of Actions

AVs and EPPs Exclude by Path Behavioral Exclusion Folder-Level Exclusion
Windows Defender
BitDefender
SentinelOne
CrowdStrike
Trend Micro
Symantec
McAfee ENS
ESET
ThreatLocker

Datto AV/EPP

FortiEDR

SolarWinds

 

Timus Connect JavaScript Errors and Security Software Conflicts on Windows

Overview

This article provides a step-by-step guide for resolving JavaScript errors when installing or launching the Timus Connect application on Windows. These errors are commonly caused by missing permissions or interference from endpoint security tools like BitDefender, Windows Defender, SentinelOne, and ThreatLocker. You’ll also learn how to properly configure exclusions and allowlisting to ensure smooth installation and operation.

Uncaught Exception: Error: EPERM: operation not permitted, mkdir 'C:\ProgramData\Timus Connect'

This error indicates that the installer was unable to create a required folder due to permission issues or security software interference.
A similar error may also occur when attempting to create:

  • C:\Program Files\Timus Connect

✅ Pre-Installation Checklist

Before proceeding, ensure the following:

  • Administrator Rights
    The installer (Timus-Connect.exe) must be run with elevated privileges.
  • Disable Conflicting Tools
    Close any VPN or network security tools (e.g., Todyl, other VPN clients) that may interfere with the network stack.
  • Stable Internet Access
    Ensure the machine can access Timus services—see allowlisting requirements below.

🛠 Step-by-Step Resolution

1. Run the Installer as Administrator

  • Right-click on Timus-Connect.exe → Select Run as administrator
  • If deploying via RMM, ensure it's executed in the Local System or Admin context
  • ⚠️ Do not run the installer from a network share—copy it to a local folder first

2. Manually Create Required Folders (Optional Workaround)

To prevent EPERM errors:

  • Open File Explorer or Command Prompt as Administrator
  • Create required folders:
    mkdir "C:\ProgramData\Timus Connect"
    mkdir "C:\Program Files\Timus Connect"
    
  • Set folder permissions:
    • Right-click folder → Properties → Security → Edit
    • Add the Users group with at least Modify rights
    • Ensure Administrators and SYSTEM have Full Control

⚠️ Only grant the minimum permissions required. Avoid giving "Everyone" access.
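
To confirm that the folder ended up with the permissions this step describes, the ACL can be captured with `icacls "C:\ProgramData\Timus Connect"` and checked. The script below is an added example, not Timus code: it parses saved icacls output and reports deviations from the step (Administrators and SYSTEM with Full Control, Users with Modify, no Everyone entry). It assumes English group names; the sample outputs and function names are constructed for illustration.

```python
import re

# icacls inheritance markers; any other token in parentheses is a right.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<groups>(?:\([A-Za-z,]+\))+)$")

# Constructed sample: the ACL the step describes.
SAMPLE_OK = r"""C:\ProgramData\Timus Connect BUILTIN\Users:(OI)(CI)(M)
                             NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                             BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: Everyone granted Full Control, SYSTEM entry missing,
# Users left with read and execute only.
SAMPLE_LOOSE = r"""C:\ProgramData\Timus Connect Everyone:(OI)(CI)(F)
                             BUILTIN\Administrators:(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output, path):
    """Return one dict per ACE: principal, set of rights, deny flag."""
    aces = []
    for line in output.splitlines():
        text = line.strip()
        # The first ACE shares its line with the path, which itself holds a colon.
        if text.lower().startswith(path.lower()):
            text = text[len(path):].strip()
        match = ACE_RE.match(text)
        if not match:
            continue  # blank line or the "Successfully processed" summary
        rights, deny = set(), False
        for group in re.findall(r"\(([A-Za-z,]+)\)", match.group("groups")):
            if group == "DENY":
                deny = True
            elif group not in INHERIT_FLAGS:
                rights.update(group.split(","))
        aces.append({"principal": match.group("principal").strip(),
                     "rights": rights, "deny": deny})
    return aces


def review_acl(aces):
    """Compare allow entries with the permissions named in the step."""
    allowed = {}
    for ace in aces:
        if not ace["deny"]:
            # Inherit-only entries are merged too; they still reach child files.
            allowed.setdefault(ace["principal"].lower(), set()).update(ace["rights"])
    findings = []
    for required in ("BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"):
        if "F" not in allowed.get(required.lower(), set()):
            findings.append(required + " lacks Full Control")
    if allowed.get("everyone"):
        findings.append("Everyone is granted " + ",".join(sorted(allowed["everyone"])))
    users = allowed.get("builtin\\users", set())
    if "F" in users:
        findings.append("BUILTIN\\Users has Full Control; the step calls for Modify")
    elif "M" not in users:
        findings.append("BUILTIN\\Users lacks Modify")
    return findings


if __name__ == "__main__":
    folder = r"C:\ProgramData\Timus Connect"
    for name, sample in (("ok", SAMPLE_OK), ("loose", SAMPLE_LOOSE)):
        print(name, review_acl(parse_icacls(sample, folder)))
```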


3. Configure Security Software

🔒 Bitdefender (Endpoint or GravityZone)

  • Policy → Antimalware → Exclusions
    Add:
    • C:\ProgramData\Timus Connect
    • C:\Program Files\Timus Connect
    • Timus-Connect.exe
  • Firewall: Allow outbound HTTPS over port 443 (TCP/UDP)

🛡 SentinelOne

  • Local Agent:
    • Add exclusions for Timus-Connect.exe, C:\ProgramData\Timus Connect, and C:\Program Files\Timus Connect
    • Add app to Controlled Folder Access
  • Managed Environment:
    • Ask your security admin to allowlist the hash of Timus-Connect.exe
  • Optionally, temporarily disable protection during installation

🔰 Windows Defender

  • Add the following under:
    Windows Security → Virus & Threat Protection → Exclusions
    • Folder: C:\ProgramData\Timus Connect
    • Folder: C:\Program Files\Timus Connect
    • File: Timus-Connect.exe
  • If Controlled Folder Access is enabled:
    • Allow Timus-Connect.exe via:
      Manage ransomware protection → Allow an app through Controlled folder access

⚙️ ThreatLocker

  • Allow Timus-Connect.exe in Application Control policies
  • Whitelist paths:
    • C:\ProgramData\Timus Connect
    • C:\Program Files\Timus Connect
  • If issues persist, temporarily switch to Audit Mode during install

⚠️ Re-enable protection immediately after installation


4. Allowlist Required Domains & Ports

🔗 Domains

If wildcard rules are supported, allow:

  • *.timusnetworks.com
  • *.timuscloud.com

Otherwise, allow:

  • auth.timuscloud.com
  • user.timuscloud.com
  • device.timuscloud.com
  • config.timuscloud.com
  • my.timusnetworks.com

🌐 Ports

Ensure the following are allowed:

Port | Protocol | Purpose
443 | TCP & UDP | HTTPS communication
53 | UDP & TCP | Local DNS (127.0.2.1:53)
1195 | UDP | OpenVPN
1196 | UDP | WireGuard
7505 | TCP (localhost) | OpenVPN management (127.0.0.1)
49202 | TCP (localhost) | Local Connect Service
49204 | TCP (localhost) | Connect Helper Service
 

If behind a proxy, configure it to allow Timus-Connect.exe access to these domains over port 443.


5. Re-run the Installer

  • Reboot the machine (recommended)
  • Try to install Timus Connect Application again.
IPsec Error Code Reference and Troubleshooting Guide

This article explains how to troubleshoot IPsec tunnel issues and interpret related error codes for effective diagnosis and resolution.

Start by reviewing the View IPsec Logs article to locate IPsec logs within the Timus Manager.

Here are the IPsec error codes for both Initiators and Responders, along with their corresponding fixes.

 

Failure Type | Error (Initiator) | Error (Responder) | Fix
IPsec connection issue | Peer not responding | Peer not responding | Ensure UDP ports 4500 and 500, as well as the ESP protocol (50), are allowed on both Timus and MSP's on-prem firewalls.
Phase 1 DH mismatch | NO_PROPOSAL_CHOSEN | MODP mismatch | Match MODP/DH group
Phase 1 identifier mismatch | AUTHENTICATION_FAILED | no peer config found | Match IKE IDs
Phase 1 mode mismatch | AUTHENTICATION_FAILED | Aggressive Mode PSK disabled | Use same mode (Main or Aggressive)
Phase 1 encryption mismatch | NO_PROPOSAL_CHOSEN | AES 128 vs AES 256 mismatch | Match IKE encryption
Phase 1 hash mismatch | NO_PROPOSAL_CHOSEN | missing HMAC in initiator proposal | Match hash (HMAC) algorithms
Phase 1 PSK mismatch | invalid HASH_V1 and could not decrypt payloads | invalid ID_V1 and could not decrypt payloads | Use matching pre-shared keys
Phase 2 encryption mismatch | NO_PROPOSAL_CHOSEN | ESP AES mismatch (128 vs 256) | Match Phase 2 encryption (ESP proposals)
Phase 2 network mismatch | INVALID_ID_INFORMATION | no matching CHILD_SA config found | Match Phase 2 local/remote subnet definitions
Phase 2 PFS mismatch | NO_PROPOSAL_CHOSEN | no acceptable DIFFIE_HELLMAN_GROUP found | Match PFS settings (enable/disable or same group)

Failure Type: Phase 1 and Phase 2 are online on Timus, but subnets are not communicating
Error (Initiator): No errors will be visible in the Connector Logs, as this issue originates from the firewall configuration rather than the IPsec service itself.
Error (Responder): No errors will be visible in the Connector Logs, as this issue originates from the firewall configuration rather than the IPsec service itself.
Fix:
Timus:
• Check if 'Create firewall rules automatically' is enabled during Phase 1 and 2 setup.
• Ensure no firewall rules are blocking IPsec Phase 2 subnets or overwriting auto-created IPsec rules in Timus Manager.
On-Prem Firewall:
• Ensure that static routings are configured correctly.
• Ensure proper firewall rules for IPsec Phase 2 subnets and correct interface selection.

Failure Type: Phase 1 Local IDs and Remote IDs mismatch (this happens once the IPsec on the on-prem devices run behind the main router)
Error (Initiator): remote host is behind NAT and IDir '1.1.1.1' does not match to '2.2.2.2'
Error (Responder): remote host is behind NAT and IDir '1.1.1.1' does not match to '2.2.2.2'
Fix: The log shows Remote ID (1.1.1.1) mismatches with the expected internal IP (2.2.2.2); ensure NAT-T is enabled, configure NAT for IKE/ESP, and set Remote IP to public (e.g., 1.1.1.1) and Remote ID to internal (e.g., 2.2.2.2).


 

Endpoint Protection Interference with Timus Connect (e.g., Todyl SGN Connect)

Certain Endpoint Protection (EPP) and network security solutions can interfere with Timus Connect by modifying the system’s routing table. This interference disrupts VPN functionality, particularly for users relying on IPsec tunnels, split tunneling, and other VPN-related configurations. Additionally, kindly review the routing table to confirm there are no unusual entries that could be contributing to the issue.

Symptoms:

  • Users are unable to access resources through Timus Connect.
  • Network traffic is improperly routed due to altered routing tables.
  • The connection appears active but fails to transmit data correctly.

Example: Todyl (SGN Connect) Interference on Windows

When Todyl (SGN Connect) is installed and actively running, it overrides routing tables to establish its own connection priorities. This can conflict with the routes set by Timus Connect.

Example of Routing Table Showing Interference (Windows):

Network Destination        Netmask          Gateway                Interface            Metric
0.0.0.0                    0.0.0.0          192.0.x.x (Todyl)      192.168.1.x           x

Cause:

EPP and network security software, such as Todyl (SGN Connect) and similar tools, manipulate routing tables to enforce security policies. These modifications may unintentionally disrupt Timus Connect’s intended network routes.

Workaround / Solution:

  1. Disable or Uninstall Todyl (SGN Connect):

    • If the issue persists, temporarily disable the interfering software while using Timus Connect or uninstall it entirely:
    • Windows: Go to Control Panel > Programs and Features > Uninstall a program and remove the conflicting application.
    • MacOS: Use the application manager or terminal commands to remove it.

  2. Restart Timus Connect Application:

    • Restart the Timus Connect application to ensure it can properly update its routes.
    • Alternatively, you can restart the service from the system icon by right-clicking the Timus app and selecting the restart option (Windows & MacOS).

  3. Routing Table:
    • Adjust routing tables to restore Timus Connect’s intended routes. To do this:
      • Windows: Run ipconfig /all to check active adapters, then use route print to view routing tables.
      • MacOS: Use netstat -nr to check routing tables.
      • Identify your SGN Connect gateway and compare it to the intended Timus Connect route.

Example of Correct Routing Table for WireGuard (Windows):

Network Destination        Netmask              Gateway             Interface        Metric
0.0.0.0                    128.0.0.0          192.168.249.x         192.168.249.3       x
128.0.0.0                  128.0.0.0          192.168.249.x         192.168.249.3       x

Recommendation:

If you encounter this issue, consider reviewing your routing table configurations using your terminal. First, check the active adapters by running ipconfig /all (Windows) or ifconfig (MacOS). Then, inspect the routing table using:

  • Windows: route print
  • MacOS: netstat -nr

Check for any entries inserted by security software. If another VPN or EPP is overriding the routing table, Timus Connect may not function as expected. Ensuring that only one VPN solution is managing network routes is crucial for maintaining proper connectivity.
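
The routing-table review can be scripted against saved `route print` output. This added example (not Timus code) parses the IPv4 rows and reports which interface wins route selection (longest prefix first, then lowest metric) for one address in each half of the IPv4 space. It assumes a full-tunnel setup like the WireGuard table above; the sample tables, probe addresses and function names are constructed for illustration.

```python
import ipaddress

# One probe address per half of the IPv4 space (0.0.0.0/1 and 128.0.0.0/1).
# They are only used for route lookup in the parsed table; nothing is sent.
PROBES = ("1.1.1.1", "203.0.113.1")

# Constructed sample: both /1 routes point at the tunnel interface.
SAMPLE_EXPECTED = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
          0.0.0.0        128.0.0.0    192.168.249.1    192.168.249.3      5
        128.0.0.0        128.0.0.0    192.168.249.1    192.168.249.3      5
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
===========================================================================
Persistent Routes:
  None
"""

# Constructed sample: the upper /1 route is gone and another product's
# default route is present, so half of the address space leaves the tunnel.
SAMPLE_CONFLICT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1     192.168.1.50      1
          0.0.0.0        128.0.0.0    192.168.249.1    192.168.249.3      5
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
"""


def parse_route_print(text):
    """Extract IPv4 route rows; headers, separators and IPv6 rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, interface, metric = parts
        try:
            prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
            network = ipaddress.ip_network(f"{dest}/{prefix}", strict=False)
            ipaddress.IPv4Address(interface)
            metric = int(metric)
        except ValueError:
            continue  # not an IPv4 route row
        routes.append({"network": network, "gateway": gateway,
                       "interface": interface, "metric": metric})
    return routes


def select_route(routes, destination):
    """Pick the route for a destination: longest prefix, then lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def check_tunnel_routes(routes, tunnel_interface, probes=PROBES):
    """List probe destinations that would not leave through the tunnel."""
    findings = []
    for probe in probes:
        route = select_route(routes, probe)
        if route is None:
            findings.append(f"{probe}: no matching route")
        elif route["interface"] != tunnel_interface:
            findings.append(
                f"{probe}: leaves via {route['interface']} "
                f"(gateway {route['gateway']}, route {route['network']}) "
                f"instead of {tunnel_interface}"
            )
    return findings


if __name__ == "__main__":
    for name, sample in (("expected", SAMPLE_EXPECTED), ("conflict", SAMPLE_CONFLICT)):
        print(name, check_tunnel_routes(parse_route_print(sample), "192.168.249.3"))
```

With split tunneling enabled, traffic outside the tunneled subnets is expected to leave through the local interface, so probe an address inside a tunneled subnet instead.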

Timus Networks: Your 30-Day Satisfaction Guarantee v2

This document outlines the details of your 30-Day Satisfaction Guarantee period with Timus Networks. It provides clear instructions on how to manage your subscription and, should you choose not to proceed, how to initiate a cancellation directly within the Partner Portal.


Understanding Your 30-Day Satisfaction Guarantee

At Timus Networks, we are confident in the value and performance of our SASE solution. To ensure your complete satisfaction, every new partner engagement begins with a 30-Day Satisfaction Guarantee period. This probationary period is designed to allow you to thoroughly evaluate the Timus platform's capabilities, integrate it into your operations, and experience its benefits firsthand, all with the assurance of our dedicated support.

Our goal is for you to clearly see how Timus Networks can enhance your service offerings and protect your clients.

During this initial 30-day period, your access to the Timus Networks system is completely free. You are not limited to a specific number of gateways or users; the entire platform is fully available for your use. Feel free to add as many gateways and users as needed for your comprehensive evaluation directly from the "Manage Subscription" screen within your Partner Portal. This allows for a thorough assessment of our solution's scalability and performance in your real-world environment.

Our Customer Success team will conduct regular health checks to ensure the quality of your deployment and facilitate optimal product absorption. This proactive engagement helps us address any early questions and ensure you're getting the most out of Timus.

Should you choose to proceed with Timus Networks after this period, and per your signed agreement, your subscription will automatically convert on the 30th day to a 12-month annual commitment with convenient monthly payments, provided your payment information is on file. This seamless transition ensures uninterrupted service and access to our discounted annual rates.


Initiating a Cancellation During the Satisfaction Guarantee Period

Should you determine that Timus Networks is not the right fit for your needs within this 30-day period, we have empowered our MSP/MSSP partners to directly manage their subscription cancellation through the Partner Portal. This ensures you retain full control over your account.

Please note: Email notifications are not sufficient for initiating a cancellation. To ensure a clear and documented process, cancellation requests must be triggered through the Partner Portal by following the steps below. Our team will then process your request promptly.


Step-by-Step Guide: How to Cancel Your Satisfaction Guarantee Subscription

To cancel your Timus Networks subscription during the 30-Day Satisfaction Guarantee period, please follow these instructions:

  1. Log in to your Timus Networks Partner Portal.
  2. From the left-hand navigation menu, click on the "Customers" tab.
  3. Locate the specific tenant subscription you wish to cancel. Next to your tenant's name, click on the ellipses (...) icon to reveal a dropdown menu.
  4. From the dropdown menu, select the "Manage Subscription" option.
  5. A new dialog window will open, displaying your subscription details. In the lower-left section of this window, you will find the "Cancel Subscription" button, highlighted in red.
  6. Click "Cancel Subscription".
  7. Follow the on-screen prompts to confirm your request. You will be asked to provide a reason for the cancellation; your feedback is valuable to us for continuous improvement.

Once these steps are completed in the Partner Portal, our team will receive your cancellation request and process it accordingly.


For any questions regarding your Satisfaction Guarantee period or the cancellation process, please do not hesitate to contact our Partner Success team.


Step-by-Step Video Guides

Explore our most popular video tutorials on our YouTube channel.


Segmenting Traffic with Split Tunneling

Manage your network, add tunnels, users, rules and licenses from a multi-tenant cloud portal with Timus.


Connecting Branch Offices with IPSec

Connect to offices or protect SaaS apps through private gateways with a single static IP address.


Granularity within the Timus Firewall

The Timus firewall sits in the cloud and intercepts all encrypted user traffic.


Frequently asked questions

How does Timus help us against ransomware & phishing attacks?

Timus uses zero-trust secure remote access and least privilege principles before granting any access to the network and data to protect against hackers, criminals, and ransomware. Additionally, Timus uses a best-of-breed DNS filter (at the network level) that protects users from zero-day threats and malicious sites wherever they may encounter them (any device, application, protocol or port). A user is protected against all of the below:

  • Malicious software, including drop servers and compromised websites, including drive-by downloads and adware
  • Fraudulent phishing websites that aim to trick users into handing over personal or financial information
  • Command and Control botnet hosts
  • Sites which serve files or host applications that force the web browser to mine cryptocurrency
  • Domains which have been registered in the last 30 days and in the last 24 hours
  • Parked sites & domains that may no longer be controlled by the original owner

How does Timus ZTNA improve security?

The Timus solution is superior to traditional VPNs for secure remote access. User verification is hardened with behavioral and contextual analysis. Multi-factor authentication (MFA) can be deployed adaptively (i.e., when signing in from a new device, new country, etc.), improving user experience. Timus ZTNA can work with another IAM solution or standalone. Timus has one of the richest sets of behavioral checks in the industry for Zero Trust Verification.

Does Timus provide shared or dedicated gateways?

Timus provides dedicated gateways with static IP addresses. An MSP can whitelist the Static IP in SaaS applications for controlled access and security.

Which tunneling protocols are supported by the Timus Connect agent?

WireGuard and OpenVPN tunneling protocols are supported.

How does split tunneling work?

The tunnel for secure connections can be configured to pass all user traffic, or just part of it, through the tunnel. Split tunnel configurations can be created on the Manager->Settings-Tunnel Configuration page. By default, all traffic passes through the tunnel. The Timus Connect agent gets the tunnel configuration valid for the user and context, and passes traffic through the tunnel accordingly. This feature is currently available only for the Windows and macOS releases of the Timus Connect app.

Documentation

Still have questions? Explore our in-depth documentation for comprehensive guides and detailed solutions.

Go to documentation