Discover Timus features and configurations through quick and easy-to-follow video tutorials. Perfect for a visual walkthrough of our capabilities.

Welcome to the Timus Explainer Videos page!

Explore our comprehensive library of video guides that simplify the essential features and configurations of Timus Networks. Designed for both beginners and advanced users, these quick and engaging tutorials will help you:

• Optimize your setup
• Enhance security
• Leverage advanced tools—all at your own pace.

Setting up Zero Trust Access, The Timus Way

Learn how to configure Zero Trust policies with context-aware access control to protect your network and ensure only the right users have access to the right resources.

Configuring Firewall Rules

Master the creation and management of firewall rules to secure your network, prevent threats, and streamline network traffic.

Web Filtering and Content Blocking 

Learn how to block unwanted content and enforce web filtering policies, ensuring a safe and productive network environment.

Segmenting Traffic With Split Tunneling 

Explore how to segment network traffic effectively, optimizing performance while maintaining security and control.

Timus Connect Installation Walk Through 

Follow this step-by-step installation guide for Timus Connect to get your network running securely and efficiently in no time.

As security threats grow increasingly sophisticated, adopting a Zero Trust framework has become a necessity. Built on the principle of “Never trust, always verify”, Zero Trust ensures that every access request is meticulously validated, protecting your network and confirming user identities.

What Is Zero Trust Access? 🔒

Zero Trust Access is a cutting-edge security approach designed to:

• Authenticate and authorize every access request, whether it's from inside or outside your network.
• Continuously monitor user behavior and device posture during active sessions.
• Protect against unauthorized access, regardless of the user's location or the device they use.

By implementing Zero Trust, organizations reduce vulnerabilities and strengthen their defenses against breaches.

🎬 Learn the Timus Way

Timus Networks Conditional Access the Timus Way 

In this video you'll learn: 

• How Timus continuously monitors and verifies user behavior.
• The step-by-step process to configure and enforce Zero Trust Access policies.
• Real-life use cases demonstrating how Zero Trust prevents potential security breaches.

The Timus Gateway is more than just a security measure; it’s the key to seamless connectivity. By hosting a cloud firewall, it enables secure communication between your network environments. With IPsec tunneling, you can connect your Timus Gateway to an on-premise firewall, ensuring secure and reliable access to data—no matter where it resides.

🎬 Learn the Timus Way

Timus Networks Connecting Branch Offices with IPSec 

In this video you'll explore: 

• How to set up an IPsec tunnel on your Timus Gateway.
• Configuring secure communication with your on-premise firewall.
• Real-world benefits of IPsec tunneling for hybrid network environments.

Timus Adaptive Cloud Firewall: Securing Users Anywhere

In today’s dynamic work environment, where users can connect from virtually anywhere, static security rules are no longer sufficient. The Timus Adaptive Cloud Firewall ensures your security perimeter moves with the user—aligning with their identity rather than just their device or location. This innovative approach enables true secure access at the edge, providing robust protection and seamless connectivity.

Why Choose Adaptive Cloud Firewall Rules?

• User-Centric Security: Policies follow the user, adapting dynamically to their behavior and identity.
• Device and Location Independence: Protect access regardless of the user’s device or connection location.
• Edge Security: Enable secure resource access with real-time, context-aware rules.

🎬 Learn the Timus Way

Timus Networks Granularity within the Timus Firewall 

In this video you'll discover: 

• How to create user-centric firewall rules.
• Real-world examples of adaptive firewall configurations.
• The benefits of aligning security policies with user identity.

A static IP address is more than just a number—it’s the foundation of complete network control. Every Timus Gateway is equipped with a private, static IP address, providing unparalleled visibility, enhanced security, and total control over your network.

🎬 Learn the Timus Way

Timus Networks Locking Down Saas with Static IP

In this video you'll explore: 

• The key advantages of using a static IP address.
• How it enhances network visibility and strengthens security.
• Real-life use cases for SaaS app management and conditional access.

Real-World Applications

1. Secure SaaS Access
   • Scenario: Your team relies on critical SaaS tools like CRM or ERP systems.
   • Solution: Whitelist your static IP to ensure only authorized users on your network can access these tools, reducing unauthorized logins.
2. Remote Workforce Management
   • Scenario: Employees need to connect remotely to access corporate resources.
   • Solution: Use the static IP as the single point of entry to enforce conditional access policies, ensuring secure and monitored connectivity.
3. Improved Threat Detection
   • Scenario: You require better visibility into network traffic to identify potential risks.
   • Solution: Route all incoming traffic through your static IP, enabling streamlined analytics, faster threat detection, and efficient mitigation.

The Timus Secure Web Gateway provides your organization with cutting-edge tools to manage web access, block harmful content, and bolster network security. By utilizing robust web filtering, content blocking, and anti-virus protection at the network layer, you can ensure that users only access safe applications and websites—whether working in the office or remotely.

🎬 Learn the Timus Way

Timus Networks Conent and Category Blocking

In this video you'll learn: 

• How Timus filters malicious websites and risky applications.
• Step-by-step guidance to block inappropriate or harmful content.
• How anti-virus protection safeguards browsing experiences.

Core Features of Timus Web Filtering

🔍 Web Filtering

• Benefit: Protect users from accessing malicious or non-work-related websites.
• How It Works: Apply access policies for specific domains or categories like "Social Media," "Adult Content," or "Phishing Sites."

🚫 Content Blocking

• Benefit: Restrict harmful or distracting content with customizable rules.
• How It Works: Block specific URLs to prevent unauthorized content from entering or leaving the network.

Why Choose Timus Secure Web Gateway?

• Enhanced Productivity: Ensure users stay focused on work-related activities.
• Advanced Protection: Safeguard the network from cyber threats like phishing and malware.
• Centralized Management: Simplify policy management and monitoring through a single interface.

As part of recent improvements to the Partner and Manager portal, access to your tenant via SSO (Single Sign-On) has been restricted. By default, Support teams no longer have access to any tenant. If you would like to grant the Timus Support team access to your tenant, follow the steps below.

Steps to Enable Support Access:

• Log in to the Timus Manager.
• Navigate to the Organization tab.
• Locate the Support Access option.
• Click Create New.

On the opening page, configure the following:

• Set the Expires At field to your desired expiration date. 

• Click Save to apply the changes.

  

Note:

• Enabling this setting grants the Timus Support team permission to access your tenant.
• If you do not enable this setting, the Timus Support team will not be able to assist with tenant related issues.
• Regularly review and update the expiration date to ensure continued access as needed.

For further assistance, please contact the Timus Support team.

The Dashboard provides a real-time, centralized view of your organization’s network activity, user engagement, device connectivity, and traffic flow. It’s designed to give IT teams instant situational awareness and visibility into critical performance and security indicators—all in one place.

📍 To access this screen, click Dashboard from the left-side menu

👤 Users Online

Displays the number of end users currently connected to the network.

Use this widget to monitor real-time user engagement or detect unexpected sign-in spikes.

💻 Devices Online

Shows how many devices are actively connected at the moment.

This helps you track endpoint activity and detect any anomalies—such as unexpected device surges.

🌐 Sites Online

Indicates the number of configured Sites that are currently online.

A sudden drop may indicate network issues, outages, or site disconnections that require investigation.

📊 Traffic Graph

Visualizes upload and download traffic across your entire network in real time.

Hover over any point to view exact values.

You can change the timeframe using the dropdown menu:

• Last 4 Hours (default)
• Last 12 Hours
• Last 24 Hours

This widget is ideal for identifying bandwidth trends, usage spikes, or abnormal traffic behavior.

📱 Most Active Devices

Lists the top devices consuming the most bandwidth.

Each entry shows the device name and operating system icon.

Click the ••• → Configure the number of devices shown.

🙋 Most Active Users

Displays the users with the highest data usage or interaction levels.

Users currently online are marked with a green status dot.

Click the ••• → Configure the number of users shown.

📝 Recent Events

Shows a timeline of device connection activities, sorted with the most recent at the top.

Each event includes a timestamp and short description of what occurred (e.g., connection established, disconnected).

Click the ••• → Configure the number of events shown.

The partner portal dashboard will provide visibility into customers' relevant information & all data pertaining to your partnership with Timus Networks.

MSPs will leverage the Timus Networks partner portal as their primary dashboard for day to day management of the Timus solution. Within the portal, you will be able to add, remove & manage all clients for both billing and technical management.

Link to - partner portal​

he Agent Deployment screen allows you to access the latest versions of Timus Connect Application for all supported platforms. This screen supports both manual and automated deployment workflows—ensuring your users can connect securely and consistently.

📍 To access this screen, go to Settings → Agent Deployment

Downloads

The Downloads tab lists the most recent agent versions per operating system, helping you deploy Timus Connect reliably at scale. You can:

• Copy direct download links for each platform
• Verify file integrity using the SHA512 checksum
• Download MSI packages for silent or scripted installation

Timus Connect Application is essential for secure remote access, device posture validation, and policy enforcement.

📚 Related Guides

For platform-specific installation and configuration instructions, refer to the following:

Deployment Tokens (NEW)

The Deployment Tokens tab enables you to generate time-limited tokens that automate the registration and sign-in process during installation. These tokens simplify mass deployments via RMM tools or scripting across Windows and macOS.

Create a Deployment Token

1. Click Create Token at the top-right of the screen.
2. Set the Token Lifetime, which defines how long the registration window remains valid after generation. Tokens expire automatically after this duration.

After creation, the token is:

• Displayed only once in plain text
• Automatically filled into the deployment command field

⚠️ Please store your token securely—it cannot be retrieved after you leave or refresh the page.

Installation Commands

Under the Copy & Run the Command section, ready-to-use deployment commands are generated for both platforms. These commands insert the deployment token and user email into the installer process, enabling automatic sign-in.

Select User (Optional)

You may select a user from the dropdown to prefill their email address in the command.

Windows

msiexec /i "Timus-Connect.msi" /quiet DEPLOY_TOKEN="<YOUR_TOKEN>" DEPLOY_EMAIL="<USER_EMAIL>"

macOS

sudo defaults write /Library/Preferences/com.timus.connect.plist DEPLOY_TOKEN -string "<YOUR_TOKEN>"
  sudo defaults write /Library/Preferences/com.timus.connect.plist DEPLOY_EMAIL -string "<USER_EMAIL>"
  sudo installer -pkg Timus-Connect.pkg -target /

Click the copy icon to quickly copy the command to your clipboard.

Notes

• Ensure the Timus Connect installer is already present on the target device before executing the command.
• If no user is selected manually, the installer attempts to detect the signed-in OS user and initiate authentication using their email.
• Timus Connect version must be 4.6.8 or higher is required for token-based deployment.

The Timus Connect for Windows application allows your users to establish a secure, encrypted tunnel between their devices and your corporate network. It supports posture validation, policy enforcement, and ensures seamless access to protected resources across distributed environments.

You can download the installer from Manager → Settings → Agent Deployment → Downloads screen. Alternatively, users can access the same version from Timus My → Downloads screen.

Installation & Sign-In Flow

To install Timus Connect on a user’s Windows device:

1. Download the Installer

   Navigate to the Downloads in Timus My and select the latest Windows version.

2. Launch the Application

   After installation, launch Timus Connect. The user must read and accept the End User License Agreement (EULA) before proceeding.

3. Enter Timus Account Email

   The user must enter their Timus account email address to initiate authentication.

4. Authenticate and Select Network

   • If the account is directory-synced (e.g., Microsoft Entra ID, Okta, Google Workspace), the user will redirect to the corresponding identity provider to complete sign-in.
   • Otherwise, the user will be prompted to select a network and enter their password.

Establishing a Connection

Once signed in, the user is directed to the Connect screen.

1. Select a Gateway

   All gateways associated with the user’s authorized sites are listed here. Each gateway includes a real-time round-trip latency metric to assist in selecting the most optimal connection point.

2. Use the “Select Fastest” Option

   Automatically selects and connects to the gateway with the lowest latency.

3. Connect

   Clicking Connect establishes the secure tunnel between the user’s device and the selected gateway.

Agent Settings

The Settings tab in the Timus Connect application allows to configure how the agent behaves on the user’s device. These configurations are managed through Agent Profiles in the Manager portal and can be optionally exposed for user-level control.

You can define and assign custom Agent Profiles to your users through the Manager portal.

Go to Agent Profiles Guide

1. VPN Protocol Selection

   Choose the tunnel protocol used to establish the connection:

   • WireGuard
   • OpenVPN

   If Smart Tunnel Protocol Fallback is enabled, the application will automatically attempt the alternative protocol if the selected one fails.

2. Startup Behavior

   • Start on boot: Automatically launches the Timus Connect application when the user’s device starts.
   • Connect on application start: Automatically initiates a connection to the last used or default gateway upon launch.

3. Network Optimization

   • Smart tunnel protocol fallback: Maintains high availability by switching protocols in case of failure.
   • Adaptive MTU adjustment: Dynamically adjusts the MTU to prevent packet fragmentation and optimize throughput.
   • Automatic update: Keeps the agent up-to-date by silently applying the latest versions in the background.

   *Users can modify these settings if the “Users can modify“ ***setting is enabled in their assigned Agent Profile.

Support Tools

The Support tab in the Timus Connect application provides essential tools for troubleshooting, diagnostics, and SSL certificate management.

1. Install certificate

   Installs the required Timus SSL Root Certificate to the device. This enables:

   • Trusted communication with internal systems and gateways
   • Full functionality of features such as traffic inspection and secure tunnel setup

2. Give feedback

   Users can submit feedback or suggestions directly to the Timus team. Submissions include device metadata to provide helpful diagnostic context.

3. Collect logs

   Generates a compressed ZIP file containing system and agent logs. The user is prompted to select a location for saving the file. This file can then be sent to you or the Timus support team for investigation.

4. About:

   Displays application version and device metadata useful for technical troubleshooting.

Manual Certificate Installation (If Needed)

If SSL certificate installation fails or users encounter trust-related warnings:

1. Sign in to Timus My and download the .crt file.
2. Open the file and launch the Certificate Import Wizard.
3. Choose Local Machine as the target.
4. Select Place all certificates in the following store.
5. Choose Trusted Root Certification Authorities.
6. Complete the wizard to finalize the import.

If the issue persists, contact the Timus support team for assistance.

Silent Deployment (Optional)

To deploy the Windows app silently using an RMM or scripting tool, refer to:

Go to Timus Connect for Windows - Silent Deployment Script

The Timus Connect for macOS application allows your users to establish a secure, encrypted tunnel between their devices and your corporate network. It supports posture validation, policy enforcement, and ensures seamless access to protected resources across distributed environments.

Timus Connect is compatible with macOS Monterey (12.0) and later versions.

You can download the installer from Manager → Settings → Agent Deployment → Downloads screen. Alternatively, users can access the same version from Timus My → Downloads screen.

When installing Timus Connect for the first time, the user account on the macOS device must have administrator privileges. Administrator rights are not required for future updates.

Installation & Sign-In Flow

To install Timus Connect on a user’s macOS device:

1. Download the Installer

   Navigate to the Downloads in Timus My and select the latest macOS version.

2. Launch the Application

   After installation, launch Timus Connect. The user must read and accept the End User License Agreement (EULA) before proceeding.

3. Enter Timus Account Email

   The user must enter their Timus account email address to initiate authentication.

4. Authenticate and Select Network

   • If the account is directory-synced (e.g., Microsoft Entra ID, Okta, Google Workspace), the user will redirect to the corresponding identity provider to complete sign-in.
   • Otherwise, the user will be prompted to select a network and enter their password.

Establishing a Connection

Once signed in, the user is directed to the Connect screen.

1. Select a Gateway

   All gateways associated with the user’s authorized sites are listed here. Each gateway includes a real-time round-trip latency metric to assist in selecting the most optimal connection point.

2. Use the “Select Fastest” Option

   Automatically selects and connects to the gateway with the lowest latency.

3. Connect

   Clicking Connect establishes the secure tunnel between the user’s device and the selected gateway.

Agent Settings

The Settings tab in the Timus Connect application allows to configure how the agent behaves on the user’s device. These configurations are managed through Agent Profiles in the Manager portal and can be optionally exposed for user-level control.

You can define and assign custom Agent Profiles to your users through the Manager portal.

Go to Agent Profile Guide

1. VPN Protocol Selection

   Choose the tunnel protocol used to establish the connection:

   • WireGuard
   • OpenVPN

   If Smart Tunnel Protocol Fallback is enabled, the application will automatically attempt the alternative protocol if the selected one fails.

2. Startup Behavior

   • Start on boot: Automatically launches the Timus Connect application when the user’s device starts.
   • Connect on application start: Automatically initiates a connection to the last used or default gateway upon launch.

3. Network Optimization

   • Smart tunnel protocol fallback: Maintains high availability by switching protocols in case of failure.
   • Adaptive MTU adjustment: Dynamically adjusts the MTU to prevent packet fragmentation and optimize throughput.
   • Automatic update: Keeps the agent up-to-date by silently applying the latest versions in the background.

   *Users can modify these settings if the “Users can modify“ ***setting is enabled in their assigned Agent Profile.

Support Tools

The Support tab in the Timus Connect application provides essential tools for troubleshooting, diagnostics, and SSL certificate management.

1. Install certificate

   Installs the required Timus SSL Root Certificate to the device. This enables:

   • Trusted communication with internal systems and gateways
   • Full functionality of features such as traffic inspection and secure tunnel setup

2. Give feedback

   Users can submit feedback or suggestions directly to the Timus team. Submissions include device metadata to provide helpful diagnostic context.

3. Collect logs

   Generates a compressed ZIP file containing system and agent logs. The user is prompted to select a location for saving the file. This file can then be sent to you or the Timus support team for investigation.

4. About:

   Displays application version and device metadata useful for technical troubleshooting.

Manual Certificate Installation (If Needed)

If SSL certificate installation fails or users encounter trust-related warnings:

1. Open Keychain Access from Applications → Utilities.
2. In the search bar, type the name of your SDN.
3. Locate and double-click the corresponding certificate.
4. Expand the Trust section and set When using this certificate to Always Trust.
5. Close the window and enter your macOS password to confirm the changes.

If the issue persists, contact the Timus support team for assistance.

Silent Deployment (Optional)

To deploy the Windows app silently using an RMM or scripting tool, refer to:

Go to Timus Connect for MacOS - Silent Deployment Script

The Timus Connect for Android application allows your users to securely connect to your corporate network by establishing an encrypted tunnel to the Timus platform. It supports posture-aware access, policy enforcement, and seamless connectivity in mobile environments.

Timus Connect is compatible with Android 10 and later versions.

You can download the installer from Manager → Settings → Agent Deployment → Downloads screen. Alternatively, users can access the same version from Timus My → Downloads screen or directly from the Google Play Store.

Installation & Sign-In Flow

To install Timus Connect on a user’s Android device:

1. Download the Installer

   Search for Timus Connect on the Google Play Store, or navigate to the Downloads in Timus My and select the latest Android version.

2. Launch the Application

   After installation, launch Timus Connect. The user must read and accept the End User License Agreement (EULA) before proceeding.

3. Enter Timus Account Email

   The user must enter their Timus account email address to initiate authentication.

4. Authenticate and Select Network

   • If the account is directory-synced (e.g., Microsoft Entra ID, Okta, Google Workspace), the user will redirect to the corresponding identity provider to complete sign-in.
   • Otherwise, the user will be prompted to select a network and enter their password.

Establishing a Connection

Once signed in, the user is directed to the Connect screen.

1. Select a Gateway

   All gateways associated with the user’s authorized sites are listed here. Each gateway includes a real-time round-trip latency metric to assist in selecting the most optimal connection point.

2. Use the “Select Fastest” Option

   Automatically selects and connects to the gateway with the lowest latency.

3. Connect

   Clicking Connect establishes the secure tunnel between the user’s device and the selected gateway.

Agent Settings

The Settings tab in the Timus Connect application allows to configure how the agent behaves on the user’s device. These configurations are managed through Agent Profiles in the Manager portal and can be optionally exposed for user-level control.

You can define and assign custom Agent Profiles to your users through the Manager portal.

Go to Agent Profiles Guide

1. VPN Protocol Selection

   Choose the tunnel protocol used to establish the connection:

   • WireGuard
   • OpenVPN

Support Tools

The Support tab in the Timus Connect application provides essential tools for troubleshooting, diagnostics, and SSL certificate management.

1. Install certificate

   Installs the required Timus SSL Root Certificate to the device. This enables:

   • Trusted communication with internal systems and gateways
   • Full functionality of features such as traffic inspection and secure tunnel setup

2. Give feedback

   Users can submit feedback or suggestions directly to the Timus team. Submissions include device metadata to provide helpful diagnostic context.

3. Collect logs

   Generates a compressed ZIP file containing system and agent logs. The user is prompted to select a location for saving the file. This file can then be sent to you or the Timus support team for investigation.

4. About:

   Displays application version and device metadata useful for technical troubleshooting.

The Timus Connect for iOS application allows your users to securely connect to your corporate network by establishing an encrypted tunnel to the Timus platform. It supports posture-aware access, policy enforcement, and seamless connectivity in mobile environments.

Timus Connect is compatible with iOS 14 and later versions.

You can download the installer from Manager → Settings → Agent Deployment → Downloads screen. Alternatively, users can access the same version from Timus My → Downloads screen or directly from the App Store.

Installation & Sign-In Flow

To install Timus Connect on a user’s iOS device:

1. Download the Installer

   Search for Timus Connect on the App Store, or navigate to the Downloads in Timus My and select the latest iOS version.

2. Launch the Application

   After installation, launch Timus Connect. The user must read and accept the End User License Agreement (EULA) before proceeding.

3. Enter Timus Account Email

   The user must enter their Timus account email address to initiate authentication.

4. Authenticate and Select Network
   • If the account is directory-synced (e.g., Microsoft Entra ID, Okta, Google Workspace), the user will redirect to the corresponding identity provider to complete sign-in.
   • Otherwise, the user will be prompted to select a network and enter their password.

Establishing a Connection

Once signed in, the user is directed to the Connect screen.

1. Select a Gateway

   All gateways associated with the user’s authorized sites are listed here. Each gateway includes a real-time round-trip latency metric to assist in selecting the most optimal connection point.

2. Permission Prompt

   On the first connection attempt, iOS will request permission to add a VPN configuration profile.

   • Tap Allow to proceed.
   • If Don’t Allow is selected, the user will not be able to establish a VPN connection.

3. Use the “Select Fastest” Option

   Automatically selects and connects to the gateway with the lowest latency.

4. Connect

   Clicking Connect establishes the secure tunnel between the user’s device and the selected gateway.

Agent Settings

The Settings tab in the Timus Connect application allows to configure how the agent behaves on the user’s device. These configurations are managed through Agent Profiles in the Manager portal and can be optionally exposed for user-level control.

You can define and assign custom Agent Profiles to your users through the Manager portal.

Go to Agent Profile Guide

1. VPN Protocol Selection

   Choose the tunnel protocol used to establish the connection:

   • WireGuard
   • OpenVPN

Support Tools

The Support tab in the Timus Connect application provides essential tools for troubleshooting, diagnostics, and SSL certificate management.

1. Install certificate

   Installs the required Timus SSL Root Certificate to the device. This enables:

   • Trusted communication with internal systems and gateways
   • Full functionality of features such as traffic inspection and secure tunnel setup

2. Give feedback

   Users can submit feedback or suggestions directly to the Timus team. Submissions include device metadata to provide helpful diagnostic context.

3. Collect logs

   Generates a compressed ZIP file containing system and agent logs. The user is prompted to select a location for saving the file. This file can then be sent to you or the Timus support team for investigation.

4. About:

   Displays application version and device metadata useful for technical troubleshooting.

The Blocked IP Addresses screen helps you monitor and manage public IPs that have been automatically blocked due to sign-in policy violations. These blocks are triggered when a User Sign-In Policy or Administrator Sign-In Policy includes the Block IP action—typically used for risky or suspicious login attempts.

📍 To access this screen, go to Insights → Blocked IP Addresses

This view enhances visibility and gives you full control over how your environment responds to unauthorized or anomalous sign-in activity.

The screen is divided into two tabs:

• User: Lists public IP addresses blocked after failed or risky sign-in attempts by end users
• Administrator: Shows blocked IPs resulting from sign-in attempts by administrator accounts

Each row includes:

Auto-unblock IP Addresses

Click the Settings button in the top-right corner to configure auto-unblock behavior.

You can set a duration (in hours) after which blocked IPs will be automatically unblocked, unless a new violation re-triggers the same policy.

This helps strike a balance between proactive protection and operational flexibility—reducing the need for manual clean-up while keeping your environment secure.

The Password Policies screen allows you to define and enforce secure password rules for both users and administrators. These rules help you strengthen account protection, support compliance frameworks, and reduce the risk of unauthorized access.

📍 To access this screen, go to Users & Teams → Password Policies from the left-side menu

You can configure two predefined policies:

These policies only apply to accounts managed directly within Timus. Users authenticated via external identity providers—such as Microsoft Entra ID, Okta, or Google Workspace—are governed by the password rules set in those platforms.

Edit a Password Policy

Click Edit next to a policy to open the configuration form. Each policy includes multiple rule options you can enable or adjust based on your organization’s security standards.

Available Password Rules

Once saved, changes apply to all newly created, updated, or reset passwords. Existing passwords remain valid until changed or expired.

✅ Best Practices

• Always enable "Cannot use commonly used passwords" to prevent predictable passwords.
• Use a balanced mix of lowercase, uppercase, numbers, and symbols.
• Set a reasonable expiration period (e.g., 90 days) to reduce long-term exposure.
• Use the "Cannot contain keywords" rule to block sensitive internal terms (e.g., company name, product name).

Users

The User Management screen provides complete visibility and control over all users in your organization. Whether you're onboarding new employees, enforcing security policies, or monitoring user activity, this screen helps you do it all—clearly, efficiently, and at scale.

📍 To access this screen, go to Users & Teams → Users

The user list shows essential details for every user in your system:

Create a New User

Click Create New to open the user creation form. You’ll be asked to enter:

• First Name (required)
• Last Name (required)
• Email Address (required)
• Status (Enabled or Disabled)
• Team (optional)
• Tags (optional; supports static and dynamic)
• Allowed Sites – define which remote sites the user can access.
  • Selecting All grants universal remote access.
  • If none are selected, the user cannot connect remotely.

Click Save to create the user.

User Details

To view a user’s activity and telemetry-based insights, click the ••• next to their entry and select Details.

Events

• Sign-ins, disconnections, and connection attempts
• Timestamp, device, network, and event type

Behavior Analysis

• Detected behaviors based on Sign-In Policy
• Helpful for spotting risk patterns or anomalies

Traffic

• Upload/download volume over time
• Adjustable via date picker

Productivity (if enabled)

If the user’s Agent Profile has Productivity Tracker enabled:

• A time-based productivity graph
• Breakdown of time as Productive, Unproductive, or Neutral
• Table of app usage with durations and ratios

Want to see these insights?

Agent Profiles

Teams

The Teams screen allows you to group users into logical units—such as departments, project teams, or locations—to streamline access control, reporting, and policy application.

Grouping users by team helps you manage them more efficiently across different features like tags, remote access, traffic reports, and Sign-In Policies.

📍 To access this screen, go to Users & Teams → Teams from the left-side menu

Each row in the table represents a team. You can view:

The Unassigned group is a system default. Users not assigned to any team will appear here automatically. This team cannot be edited or deleted.

Teams synced from identity providers (e.g., Microsoft Entra ID, SAML 2.0) will appear automatically and are managed externally. You cannot edit or delete them from this screen.

Creating a New Team

To manually create a team, click the Create New button and complete the form:

Click Confirm to save the team. It will immediately appear in your list.

Team Actions

Click the ••• next to a team to access available actions:

• Details – Opens a team-specific dashboard that includes:
  • A traffic chart showing upload and download data for all team members
  • Adjustable date range for data filtering
• Edit – Change the team’s name or modify assigned static tags
• Delete – Permanently delete the team. Appears in reports as Deleted Team (ID: {id})

Device Posture Checks in Timus Manager let you enforce access policies based on the real-time security posture of user devices. This ensures that only healthy, compliant, and trustworthy endpoints are allowed to connect—regardless of whether the user has valid credentials.

As a core component of your Zero Trust Security architecture, posture checks shift access decisions from identity-based trust alone to context-aware access, incorporating endpoint risk into every session decision.

📍 To access this screen, go to Zero Trust Security → Device Posture Checks from the left-side menu

To use Device Posture Checks effectively, make sure your Endpoint Protection Platforms (EPPs) are properly integrated. Supported platforms include: Bitdefender, Heimdal, Microsoft Defender, and SentinelOne.

Go to Third Party Integrations

What Are Device Posture Checks?

Device Posture Checks allow you to define a set of required conditions a device must meet before access is granted. These conditions are evaluated using telemetry from the Timus Connect agent and integrated EPPs.

Examples of posture attributes include:

• Antivirus agent installed or signature updated
• Full disk encryption enabled
• Operating system version is within an allowed range
• No malware infections or unresolved detections reported by EPP
• Essential services and startup configurations are intact

Posture checks are continuously evaluated. If a device no longer meets the expected conditions, access can be dynamically revoked or downgraded using User Sign-In Policies and Behaviors.

Create a New Device Posture Check

Navigate to Zero Trust Security → Device Posture Checks. You’ll see a list of existing posture checks. Click Create New to define a new one.

General Settings

Configure the high-level properties of the posture check:

Each posture check is created per OS. After saving, you will proceed to define the logic using attributes.

Define Compliance Attributes

In the Attributes tab, you add one or more security conditions based on telemetry or EPP data.

All attributes must be satisfied unless otherwise configured. For example, you can design posture checks that fail if any required value is missing (ideal for strict security teams).

Supported Data Sources by OS

Not all data sources are available on all operating systems:

Attribute Library (per Data Source)

Each data source exposes different posture elements:

🔹 Timus Connect

• Antivirus State
• Disk Encryption
• Firewall
• Operating System
• Running Processes
• Service State
• Startup Items
• Timus Connect Installed

🔹 Bitdefender

• Antivirus Agent Outdated
• Antivirus Agent Update Disabled
• Antivirus Agent Signature Outdated
• Antivirus Agent Signature Update Disabled
• Device Infected
• Malware Detected
• Disk Encryption
• Agent Installed
• Operating System
• Risk Score

🔹 Heimdal

• Detection Resolution
• Detection Status
• Vulnerable 3rd Party Software
• Probability of Infection
• Threat Severity
• Microsoft Update Severity
• Disk Encryption
• Operating System
• Risk Score

🔹 Microsoft Defender

• Antivirus Engine Mode
• Antivirus Engine Updated Mode
• Antivirus Platform Updated
• Antivirus Signature Updated
• Exposure Level
• Agent Installed
• Operating System
• Risk Score

🔹 SentinelOne

• Agent Installed
• Antivirus Agent Outdated
• Device Infected
• Disk Encryption
• Operating System

Monitoring & Reporting

Once deployed, each user device is evaluated at sign-ins. Failing devices are blocked or prompted with additional authentication steps depending on policies.

Logs and evaluation results are available under: Insights → Device Posture Reports

Go to Device Posture Reports

The device posture reports include:

• Summary of pass/fail rates
• Devices with repeated posture failures
• Top failing attributes
• Policy-level compliance trends

Devices

The Devices screen provides full visibility into all endpoints connecting via Timus Connect. Whether users are on the internal network or working remotely, this screen shows you which devices are active, how they are configured, and whether they meet your organization’s posture policies.

📍 To access this screen, go to Devices from the left-side menu

Devices are listed automatically as they connect to the network. The table provides key technical and contextual information for each endpoint:

Posture Overview

At the top of the screen, you’ll find real-time posture insights summarizing the results of the most recent device check.

These posture results are based on the Device Posture Checks configured under Zero Trust Security. Only devices with telemetry enabled via Timus Connect are evaluated.

Device Actions

Click the ••• next to any device:

• View Posture Details – Opens a breakdown of the device’s most recent posture check, showing condition-level pass/fail results
• Edit Device Settings – Opens the edit modal where you can:
  • Rename the device
  • Assign or remove tags
  • Enable/disable SSL Inspection
  • Manage site-based remote access
  • View system details (IP, MAC, OS, client version, VPN type)
• Drop Connection – Immediately terminate the device’s active VPN session
• Delete Device – Remove the device from the system. Appears in reports as Deleted Device (ID: {id})

Bulk Actions

You can select multiple devices and apply actions in bulk via the Actions menu at the top:

• Edit Settings – Apply tag changes or toggle SSL Inspection for multiple devices at once
• Drop Connection – Immediately terminate the selected devices’ active VPN session
• Delete – Remove the selected devices from the system. Appear in reports as Deleted Device (ID: {id})

🆕 What’s New

In earlier version, assigning a static IP to a device was done through the Edit Device screen. This has now been moved under Interface Management to align with interface-level configuration best practices. it has now been moved under Edit Interface screen.

This update ensures:

• IP assignments are consistent with network topology rather than tied to user/device objects
• Interface-level context is preserved, which improves visibility, auditability, and operational accuracy
• Easier automation and management for working with VLANs, bridges, and static addressing

The Trusted Networks screen lets you define specific networks that are considered secure and reliable. When a user connects from one of these networks, certain policies—like authentication requirements or posture enforcement—can be relaxed or adapted accordingly.

This feature is especially useful in Zero Trust environments where context matters as much as identity. By defining what you trust, you gain flexibility without compromising security.

📍 To access this screen, go to Settings → Configurations → Trusted Networks

Trusted Networks only work if the Trusted Networks feature is active in the Agent Profiles.

Go to Agent Profiles Guide

Each row represents a defined trusted network entry:

You can add multiple entries to account for different branches, remote offices, or known home setups.

Create a New Trusted Network

Click Create New to define a new trusted network. You’ll see a modal with the following fields:

The Tunnel Configuration screen allows you to define how specific users or teams route their internet or application traffic—either directly through the internet or securely over a VPN tunnel.

This configuration ensures more granular control over how data flows between users and remote destinations, based on your access or compliance requirements.

📍 To access this screen, go to Agent Configuration → Tunnel Configuration

Create New Tunnel Configuration

You can define a new routing rule by clicking the Create New button at the top right of the Tunnel Configuration screen.

The Agent Profiles screen allows you to centrally define how the Timus Connect app behaves across user devices—including Windows, macOS, iOS, and Android platforms. This ensures that VPN behavior, telemetry reporting, DNS handling, and security policies are applied consistently across your organization.

📍 To access this screen, go to Users & Teams → Agent Profiles from the left-side menu

Use profiles to enforce secure defaults, automate VPN behaviors, and apply settings dynamically to specific users, teams, or tags.

Each row in the Agent Profiles table includes:

The Default Profile cannot be renamed or deleted, but you can modify its settings.

Create a New Profile

Click Create New to begin. In the setup modal:

• Enter a Title (required, max 30 characters)
• Add a Description (optional, max 120 characters)
• Set the Status to Enabled ****or Disabled
• Assign the profile to one or more Users, Teams, or Tags

Once assigned, the profile opens platform-specific configuration tabs for detailed setup.

💻 Windows & macOS Configuration (NEW)

These platforms offer comprehensive control over how Timus Connect operates. Settings include:

🆕 Smart Tunnel Protocol Fallback and Adaptive MTU Adjustment features are added to reduce connection issues and optimize performance in real-time—especially useful in mobile, roaming, or constrained network environments.

💡 Want to give users control over certain settings? Enable the User can modify toggle for those fields.

📱 iOS & Android Configuration

Mobile platforms include essential VPN controls:

This guide will walk you through the process of integrating JumpCloud with Timus using SAML 2.0 for secure Single Sign-On (SSO). Follow these steps to configure your JumpCloud application and complete the setup within Timus Manager.

1️⃣ Create a New JumpCloud Application

1. Sign in to your JumpCloud Admin Console
2. In the left menu, go to SSO Applications

1. 
2. Click + Add New Application
   • If it's your first SAML app, click Get Started instead
3. Search for and select SAML 2.0

1. Click Next, then:
   • Display Label: Enter a name
   • (Optional) Upload a custom logo
   • Click Save Application

2️⃣ Configure Basic SAML Settings

After saving, you will be directed to the app configuration screen.

✅ JumpCloud uses the Display Label to auto-generate the Identifier. Ensure your app name is unique to avoid conflicts across SDNs in Timus.

3️⃣ Add User Attributes

1. Go to the Attributes section
2. Click + Add Attribute
3. Add the following fields:

4️⃣ Assign Users or Groups

1. Navigate to the User Groups tab
2. Select the groups who should have access to this SAML application
3. Click Save

Only users assigned to this SAML app will be able to authenticate through it.

5️⃣ Configure the Integration in Timus Manager

1. Navigate to Settings → Integrations → SAML 2.0 → Manage
2. Click Create New and fill in:

1. (Optional) Enable Require Encrypted Assertions if you’ve configured encryption
2. Define Allowed Sites and enable Remote Access if needed
3. Click Save

⚠️ Important: Use a Unique Application Name

JumpCloud generates the Identifier based on the application's name. For example, naming your app timusnetworks results in: https://sso.jumpcloud.com/saml2/timusnetworks

❗ This value must be unique across all SDNs.

To avoid conflicts:

• Always choose a unique Display Label
• This ensures proper tenant isolation and prevents login issues

✅ Test the Integration

1. Go to JumpCloud User Console
2. Sign in as a test user assigned to the SAML app
3. Click on the SAML app you just created
4. You should be redirected to Timus and signed in without being prompted for credentials again

The first successful login creates the user in Timus. Future sign-ins can occur directly from the Timus Connect application.

Troubleshooting Tips

• Make sure the app name (and thus the Identifier) is unique
• Use Hex format when copying the X.509 certificate
• Ensure the SAML attributes firstname, lastname, and nameID (email) are included
• Verify that the user has been assigned to the SAML application in JumpCloud
• Wait a few minutes after assigning users—JumpCloud may take time to apply changes

The SAML 2.0 Integration in Timus Manager allows you to configure secure, standards-based Single Sign-On (SSO) for users authenticating via identity providers such as Okta, JumpCloud, or Microsoft Entra ID. This enables your organization to enforce consistent identity policies while simplifying access to Timus applications.

Timus supports multiple SAML integrations per tenant. The integration card displays the number of active configurations, and each can define its own access scope and remote access permissions.

What This Integration Enables

• Enable SSO via your preferred Identity Provider (IdP)
• Allow users to sign in to Timus applications using their corporate SAML credentials
• Control access to specific sites per integration
• Optionally enforce encrypted SAML assertions
• Provision users automatically on first login through the IdP

How to Set Up a SAML Integration

1. Navigate to Settings → Integrations → SAML 2.0
2. Click Manage to open the integrations list

3. Click Create New to open the configuration form

Configuration Fields

You can define different Allowed Sites and Remote Access settings per SAML integration to support flexible, identity-based access policies.

Provider-Specific Setup Guides

To complete the setup process, refer to the guide matching your Identity Provider:

• SAML Integration for Okta AD
• SAML Integration for JumpCloud
• SAML Integration for Microsoft Entra ID

Each guide includes:

• Application registration steps
• Metadata configuration (Identifier, Service URL, X.509 Certificate)
• Attribute & claim mapping
• Tips for encryption and login verification

Attribute Mapping

Ensure your Identity Provider maps the following attributes to enable accurate user provisioning:

• nameID – Email address (used as the unique user ID in Timus)
• firstname – User’s first name
• lastname – User’s last name

These attributes are required for displaying user identity properly in the Timus Manager and for enforcing user-based access rules.

Assertion Encryption (Optional)

If you enable the Require Encrypted Assertions checkbox:

• Timus will reject unencrypted SAML responses
• Your IdP must encrypt assertions using Timus's public key
• The decryption key is securely managed inside the Timus platform

Only activate this setting if encryption is supported and configured correctly on both sides.

First-Time Sign-in Behavior

• Users must initiate login from your IdP’s SAML app
• This initial login creates the user profile in Timus
• Attempting to sign in directly via Timus without prior SAML login will result in failure

It may take up to 30 minutes for a new integration to fully sync, depending on group complexity and user volume.

Notes

• Identifier and SAML Service URL must be unique per SDN
• Reusing credentials across SDNs will trigger a validation error
• SAML-based user creation does not trigger the Connect Agent download email:
  • Downloads are available under Settings → Downloads or via my.timusnetworks.com
  • You can use RMM tools to silently deploy the Connect agent

Support & Troubleshooting

If users are unable to log in:

• Check the SAML response payload for:
  • Correct Identifier and Audience values
  • Matching Assertion Consumer Service (ACS) URL
  • Valid certificate and active signature
  • Required attributes (nameID, firstname, lastname)
• Use the appropriate Timus ACS URL:
  • Production: https://auth.timuscloud.com/user/external/saml
  • Beta: https://auth-beta-us-01.timuscloud.com/user/external/saml

SAML Integration for Okta AD

SAML Integration for Microsoft Entra ID (Azure AD)

SAML Integration for JumpCloud

The Settings → Integrations screen in Timus Manager provides a centralized interface to manage all available third-party integrations. These integrations extend Timus capabilities by synchronizing with identity providers, endpoint protection platforms (EPPs), directory services, and notification tools—powering automation, visibility, and security throughout your network.

📍 To access this screen, go to Settings → Integrations

Each integration appears as a tile showing:

• The integration name and associated icon
• A status badge indicating whether the integration is enabled or disabled
• A short description of its functionality
• A settings icon to manage or disable the integration

Identity Providers Integrations

Connect to your on-premises AD using the Timus Directory Connector. Synchronize users and groups, assign them to specific teams, and control access to sites.

Active Directory

Synchronize your Active Directory users and groups with Timus. Users can sign in using their AD credentials.

Go to Active Directory Integration Guide
 

Google Workspace 

Synchronize users and groups using a service account. Supports Google SSO and group-based access mapping for Cloud Gateways and remote connectivity.

Go to Google Workspace Integration Guide
 

Microsoft Entra ID

Authenticate and sync users from Azure Entra ID (formerly Azure AD). Supports team assignment, gateway access control, and user tagging by Entra groups.

Go to Microsoft Entra ID Integration Guide

Okta

Use Okta as your identity provider for federated SAML authentication. Supports user mapping, group-based access, and automatic user provisioning on first sign-in.

Go to Okta Integration Guide

SAML 2.0

Integrate with any generic SAML 2.0 provider (e.g., JumpCloud, Entra ID, Okta) to enable Single Sign-On (SSO). Supports per-provider access scopes and remote access toggles.

Go to SAML 2.0 Integration Guide

All identity integrations support team-based access control and can be used to trigger ZTNA policies or link posture enforcement.
 

Endpoint Protection Platform (EPP) Integrations

These integrations enable Device Posture Checks by retrieving real-time telemetry from EPP agents. This allows Timus to assess device health and enforce conditional access policies.

Bitdefender

Collect security posture data from Bitdefender EPP. Enforce posture checks using attributes such as malware detection, agent update status, disk encryption, and risk scores.

Go to BitDefender Integration Guide
 

Heimdal

Ingest posture telemetry from Heimdal, including detection resolution status, vulnerable software risk scores, and threat severity. Supports attribute-based posture enforcement.

• Go to Heimdal Integration Guide
   

Microsoft Defender

Fetch threat intelligence and endpoint state data via Microsoft Defender APIs. Supports posture enforcement for antivirus status, signature updates, exposure level, and more.

Go to Microsoft Defender Integration Guide

SentinelOne

Connect to your SentinelOne tenant to retrieve real-time endpoint protection data such as disk encryption status, agent presence, and infection state.

Go to SentinelOne Integration Guide

Pair these EPP integrations with Device Posture Checks to dynamically allow, deny, or isolate user sessions based on real-time device health.
 

Monitoring & Notification Integrations

These integrations push critical Timus events to external platforms—keeping your IT and security teams proactively informed.

Google Sheets

Automatically export user sign-in/out events or device activity logs to a connected Google Sheet. Useful for custom dashboards, reporting, or long-term log retention.

Go to Google Sheets Integration Guide

Slack

Send alerts directly to a Slack channel. Includes posture violations, sign-in attempts, and other high-priority system messages.

Go to Slack Integration Guide

Telegram

Receive real-time alerts via private Telegram messages. Link your Telegram account to the Timus bot using a secure pairing code.

Go to Telegram Integration Guide
 

Billing Integration

ConnectWise

Streamlines invoicing and billing processes for MSPs, ensuring accuracy by syncing product catalogs and usage data directly with ConnectWise agreements. This reduces manual input, saving time and reducing the risk of errors. With the integration, MSPs can anticipate smoother billing operations, thanks to automated syncing of product and usage data. This integration provides seamless invoicing management, allowing partners to focus on customer success rather than manual billing tasks.

Go to Connectwise PSA Guide
 

The BitDefender Integration in Timus Manager allows you to retrieve real-time endpoint security data from your BitDefender GravityZone environment. This integration enhances your Device Posture Checks under Zero Trust Security, enabling you to assess device compliance based on live security posture signals—without installing new agents or modifying endpoints.

What This Integration Enables

• Connect your GravityZone tenant to Timus Manager securely
• Fetch posture data such as malware detection, antivirus status, and disk encryption state
• Incorporate BitDefender-sourced attributes into Device Posture Checks
• Automate compliance assessments using verified endpoint telemetry

Once connected, BitDefender will appear as a selectable Data Source in posture check configurations.

Prerequisites

Before starting:

• Access to your BitDefender GravityZone Console as an administrator
• Permission to generate API keys with appropriate scopes
• Your tenant’s Management URL (e.g., https://cloud.gravityzone.bitdefender.com)

Generate Your API Key in GravityZone

1. Sign in to https://gravityzone.bitdefender.com/:
2. Click your profile name (top right) → My Account
3. Go to the API Keys section and click Add
4. Configure the new key:
   • Name: (e.g., Timus Integration)
   • Scope: Select Network API
   • Permissions:
     • **Endpoints** → Read
     • **Network** → Read
5. Click Generate and securely copy the resulting key

🔐 Store your API key securely. It will be required during configuration and should not be shared externally.

Confirm Your Management URL

Your Management URL is the base address of your GravityZone tenant (e.g., https://cloud.gravityzone.bitdefender.com).

Make sure this URL matches the region or hosting environment used by your organization.

Configure the Integration in Timus Manager

1. Navigate to Settings → Integrations
2. Locate the BitDefender card and click ⚙️ → Manage
3. Enter the required details:
   • API Key: Paste the key copied from GravityZone
   • Management URL: Enter the appropriate URL
4. Click Save

If the credentials are valid, BitDefender will be activated as a data source and ready for use in posture policies.

Use BitDefender in Device Posture Checks

Once enabled:

1. Go to Zero Trust Security → Device Posture Checks
2. Create or edit a posture check
3. Add an attribute and select BitDefender in the Data Source dropdown
4. Choose from available BitDefender attributes

Disable the Integration

To turn off the integration:

1. Go to Settings → Integrations
2. Click the ⚙️ → Disable on the BitDefender card

Disabling the integration will:

• Stop real-time posture updates from GravityZone
• Remove BitDefender from the Data Source dropdown
• Retain historical data for review and audit purposes

🔐 Security & Data Handling

• API credentials are encrypted and used only for read-only operations
• Timus does not modify devices, endpoints, or policies in GravityZone
• Retrieved data is evaluated within your existing access control and privacy framework

Cloud Gateway management has been completely reengineered in version 1.30.0—not just redesigned, but fundamentally rethought to align with real-world needs. This version introduces a scalable, observable, and operationally sound foundation for managing your network edge across distributed environments.

Previously, managing a Cloud Gateway meant navigating shared creation flows, fragmented configuration areas, and external troubleshooting tools. This made even basic operations more complex, and made advanced ones unnecessarily error-prone. There was no unified structure—just a set of loosely connected functions.

With this release, that fragmented experience is replaced by a modular, transparent, and fully integrated architecture. Each gateway is now created through a dedicated flow. Every operational aspect—DNS, traffic filtering, routing behavior, interface configuration, diagnostics—is surfaced in its own clear section. Instead of scattering control, the system now delivers it.

More importantly, Cloud Gateway management now speaks the same language as your network. Real-time telemetry, centralized IP planning, role-based interface provisioning, and structured failover logic come together in one place. You no longer have to guess how the system behaves under load or during routing shifts—you can see it, act on it, and trust it.

📍 To access this screen, go to Sites from the left-side menu

Sites

The Sites screen remains your central hub for managing Cloud Gateways and IPsec Connectors. It displays essential metrics such as region, gateway health, throughput, and the number of connected devices.

You can manage each gateway through the ••• menu, with options to:

• Edit – Modify the gateway configurations (only the Title is editable)
• Details – Open the tab-based configuration screen
• Delete – Permanently remove the gateway from the system

🆕 What Changed?

In previous versions, clicking Create New opened a shared modal for both Cloud Gateways and Connectors — often resulting in errors or incorrect selections.

In this version:

• Create Site opens the Cloud Gateway creation flow.
• Create IPsec Connector launches the Connector configuration screen.

Create a New Cloud Gateway

Click Create Site to start provisioning a new Cloud Gateway.

🆕 The Gateway Version is assigned automatically to ensure consistency across your deployment and reduce manual errors.

Once saved, your gateway will appear in the Sites list, ready for further configuration.

Cloud Gateway Details

Click Details to open the configuration screen. Each section is organized into its own tab for clarity and modular management.

Each tab contains feature-specific tools and settings designed to work independently and in combination.

Overview

The Overview tab provides real-time telemetry and metadata for your gateway.

🛰️ Connectivity Metrics

📈 Network Statistics

View time-series graphs for metrics such as:

• Latency
• Throughput
• Jitter

You can filter the view by interface and time range for granular troubleshooting.

🧾 Site Information

🌐 Network Interfaces

Every Cloud Gateway comes with pre-provisioned interfaces:

• port0: Primary WAN interface for external communication
• tun0: OpenVPN tunnel interface
• wg0: WireGuard tunnel interface

Interface Configuration:

Manage your interfaces in one place. Assign roles, set IP configurations, and view system-level details like MTU and MAC address.

Go to Interfaces & IP Management Guide

Configuration Sections (NEW)

Use the following configuration tabs to control how your Cloud Gateway filters, resolves, logs, and responds to traffic across your environment.

• DNS: Manage external DNS servers, static domain mappings, and internal Split DNS resolution.
  • Go to DNS Configuration Guide
• Advanced Filtering: Apply Web Filter, Application Filter, and Antivirus protections from a unified policy screen.
  • Go to Advance Filtering & Traffic Inspections Guide
• Firewall Settings: Tune low-level packet handling such as ICMP redirection and multicast filtering.
  • Go to Firewall Engine Settings Guide
• Diagnostics: Run Ping, Traceroute, DNS lookups, and inspect live traffic for real-time troubleshooting.
  • Go to Diagnostics & Troubleshooting Tools Guide
• Logs: Browse structured logs with filtering by date and event type.
  • Go to Operations Logs Guide
• Maintenance: Schedule gateway updates and define safe maintenance windows across time zones.
  • Go to Gateway Maintenance Settings Guide
• Advanced Settings: Optimize TCP congestion control algorithms and timestamp settings for network performance.
  • Go to Low-Level Network Tuning Guide 

The Diagnostics tab provides built-in tools that help you investigate connectivity problems, resolve DNS issues, and monitor live network activity—all directly from the Cloud Gateway.

Unlike client-side tests, these diagnostics run at the edge of your network, offering a more accurate and authoritative view of what’s happening.

To get started, choose a test from the Diagnostic Tool dropdown. Each tool has its own fields and outputs, shown dynamically as you switch between options.

🧪 Available Diagnostic Tools

1. DNS Query

Use this tool to validate DNS resolution from the gateway’s perspective. It checks whether the configured DNS servers are responding correctly to queries.

✔️ Ideal for testing Split DNS behavior or resolving internal/external domain failures.

2. Current Network Activity

This tool offers a real-time view of network usage per interface. It includes bandwidth statistics and detailed flow-level visibility.

Once started, the gateway shows:

• Download/Upload Rate (live)
• Total Transferred Volume
• Per-Flow Table with source/destination IP, protocol, usage volume, and real-time speed

Use this to identify anomalies, monitor policy effects, or debug bottlenecks in specific interfaces.

3. Ping Control

This classic test sends ICMP Echo Requests to a remote host, helping you confirm reachability and measure latency.

A reliable way to test internet access or upstream availability from the gateway itself.

4. Traceroute

Traceroute shows the full path a packet takes from the gateway to a destination, including each intermediate hop and the delay it introduces.

Helps you identify routing issues, delays, or unreachable segments.

The Firewall Settings tab gives you granular control over how the Cloud Gateway processes certain types of low-level network traffic. These settings operate below policy-level enforcement and directly influence how the firewall engine reacts to broadcast, multicast, UDP, ICMP, and IPsec-related flows.

This section is especially useful for fine-tuning network behavior in environments where bandwidth usage, attack surface, or protocol edge cases must be carefully managed.

Each setting includes an on/off toggle and, where supported, an optional logging feature that writes matching packet data to the traffic logs.

⚠️ These options affect how traffic is handled at the system level. Misconfiguration can lead to dropped sessions or reduced network visibility. Use with care.

⚙️ Configuration Options

📝 Logging Options

If logging is enabled for broadcast or multicast drops:

• Matching traffic will appear in the traffic logs, categorized by drop action.
• Logging can help you validate effectiveness or identify misbehaving devices.
• However, excessive logging of high-frequency traffic types can overwhelm storage or obscure important events.

💡 Enable logging during testing or diagnosis, then disable it in stable environments to conserve resources.

The Advanced Filtering tab gives you full control over how outbound traffic is inspected and restricted at the application layer. These policies are applied globally—across all interfaces—and help ensure that your network remains secure, compliant, and aligned with usage expectations.

By enabling this feature set, you can:

• Enforce acceptable use policies across teams or locations
• Detect and block risky domains or high-risk applications
• Inspect downloaded content for malware before it reaches endpoints

Whether you're securing a single branch or managing multiple distributed sites, Advanced Filtering provides a unified inspection layer directly on the gateway—no external proxy or agent required.

🌐 Web Filter

The Web Filter allows you to define which types of web traffic should be inspected and controlled based on destination port and protocol.

Use category-based filtering to block access to social media, adult content, or risky domains across all traffic passing through the gateway.

📦 Application Filter

The Application Filter enables deep packet inspection to classify traffic by application protocol, even when ports or encryption obscure the destination.

Recommended for environments where productivity monitoring or app usage insights are important—especially where traditional port-based filters fall short due to encrypted or obfuscated traffic.

🛡️ Antivirus

The Antivirus engine scans filtered traffic for known malware and threats.

Ideal for networks that lack strong endpoint protection or allow guest/BYOD access.

✅ Best Practices

• Combine Web Filtering with well-defined protocol-port rules to ensure consistent coverage.
• Enable Application Filtering for granular visibility into SaaS, collaboration tools, or unmanaged app usage.
• Use Antivirus scanning in environments where traffic inspection is your first line of defense—especially in branch offices.

The Sites → Details → Networks tab introduces a redesigned and centralized interface management system for Cloud Gateways. This update replaces fragmented configurations from previous versions with a unified, policy-driven model that simplifies control, improves visibility, and reduces the risk of misconfiguration.

🆕 What’s New in Interface Management

• Unified Interface View: View all physical, tunnel, and virtual interfaces from a single table with real-time metadata like MTU, IP mode, and operational state.
• Centralized IP Reservations: Static IP assignments are now handled directly under the DHCP tab of each tunnel interface—eliminating per-device configuration and reducing errors.
• Fully Configurable Tunnel Interfaces: OpenVPN and WireGuard tunnels can be edited in full, including ports, protocols, DNS settings, and inspection preferences.
• System-Level Attributes Made Visible: You can now inspect MTU values, MAC addresses, and access controls that were previously buried or unavailable.

Default Interfaces

Each Cloud Gateway includes three core interfaces by default:

• port0 → Primary physical WAN uplink
• tun0 → OpenVPN tunnel
• wg0 → WireGuard tunnel

Networks Table

he table provides a detailed overview of each interface:

The ••• menu on each row allows:

• View — For port0 (WAN)
• Edit — For tunnel interfaces (tun0, wg0)

🆕 Static IP assignment now occurs within the DHCP tab of each tunnel interface—streamlining workflows and eliminating fragmented logic.

port0 – Physical Interface

The WAN interface configuration is read-only and provides full metadata visibility.

1. Configuration

🆕 Previously hidden details like MTU and MAC address are now visible to improve diagnostics and audit readiness.

🚫 The DHCP tab is disabled for WAN interfaces, as they don’t provide DHCP services.

Tunnel Interfaces — tun0, wg0

Tunnel interfaces connect remote users or networks securely. Version 1.30.0 replaces per-device IP assignments with centralized management.

1. Configuration

2. DHCP 🆕

This tab allows you to manage tunnel-level DNS and Static IP Reservations.

DNS Configuration:

IP Reservation:

🆕 This method ensures accuracy, avoids IP conflicts, and simplifies audits—replacing manual per-device entries from previous versions.

How to Add Timus IP Address to Your Database Access List

Overview

This guide helps you configure your database to accept connections from devices using the Timus connect. It includes how to find the Timus IP and properly allow it in your database setup.

Common Symptoms When Timus IP is Not Allowed

• Connection refused
• Timeouts or no response
• "No pg_hba.conf entry" (PostgreSQL)
• "Access denied for user" (MySQL)

Step-by-Step Configuration

1. Find Your Timus Gateway IP

• Login to Timus Manager
• Go to Network → Gateways
• Copy the public IP address of the active gateway

2. PostgreSQL Setup

Edit pg_hba.conf and add:

# TYPE  DATABASE        USER            ADDRESS               METHOD
host    all             all             <Timus_IP>/32         md5

Then restart PostgreSQL:

sudo systemctl restart postgresql

4. Open Firewall for Timus IP

• Ensure the port (3306 for MySQL, 5432 for PostgreSQL) is open to the Timus IP
• On cloud environments, adjust Security Groups or Network ACLs

5. Confirm Access

• Test connection using DBBeaver, pgAdmin, or another SQL client
• Verify success logs on the DB server

The Administrator Sign-In Policies screen allows you to enforce context-aware authentication rules for Timus Manager administrators using behavior-based Zero Trust principles. These policies help you protect your infrastructure, applications, and sensitive data by dynamically responding to sign-in attempts based on risk factors and behavioral context.

📍 To access this screen, go to Zero Trust Security → Administrator Sign-In Policies

The main table lists both default and custom sign-in policies:

Policies higher in the list are evaluated first. You can reorder them using drag & drop to change priority.

Create a Administrator Sign-In Policy

Click Create New to open the policy builder. You’ll configure the policy using four tabs:

Source

Specify the administrators this rule applies to:

• Add a Name and Description (optional)
• Select one or more administrators from the system

Condition

Define the sign-in context in which the policy is enforced:

Supported Behavior Types

Action

Specify how the system should respond if the policy conditions are met:

You can configure multi-step MFA (e.g., Email + App fallback) to strengthen layered authentication.

Alerts & Notifications

Improve incident visibility and team coordination with real-time alerts:

• Alerts:
  • Define Title, Severity, and Status
  • Choose Trigger Results: Success, Failure, Timeout
• Notifications:
  • Define Title, Severity, and Status
  • Choose Trigger Results: Success, Failure, Timeout
  • Choose whether to notify matching administrators, specific administrators, or external recipients

The Zero Trust Security → Behaviors screen lets you define dynamic conditions that detect suspicious, risky, or non-compliant activity across your organization. These behaviors are not standalone actions—they act as conditions that can be reused across multiple Sign-In Policies.

They help you enforce adaptive access decisions based on context such as:

• Device risk
• User behavior
• Sign-in patterns
• IP reputation
• Recent history

📍 To access this screen, go to Zero Trust Security → Behaviors

Each Behavior Type represents a category of detection logic. Within each type:

• A default behavior is provided by the system (read-only)
• You can create multiple custom behaviors with your own thresholds or filters

Each behavior includes a ••• where you can:

This allows you to use system-provided templates or customize logic to match your organization's risk model.

Create a New Custom Behavior

lick Create Behavior to open the configuration modal. You’ll be asked to:

• Name your behavior
• Select a Behavior Type
• Configure type-specific options (varies by type)

Once created, behaviors become available as conditions when building Sign-In ****Policies.

Available Behavior Types

Using Behaviors in Sign-In Policies

Once created, behaviors can be added as conditions to any Sign-In Policy—enabling dynamic access control based on context.

During sign-in or access evaluation:

• The system checks whether any behaviors in the policy are triggered
• If so, it applies the defined policy action (e.g., Deny, Require MFA, Block IP)

Example Policy Condition:

“Allow access only if the device is trusted, and the IP is not untrusted.”

This adaptive model replaces static rules with real-time, context-aware security enforcement.

Website & Application Categories

The Rules → Categories screen helps you organize both domains and applications into manageable groups, so you can apply traffic policies more efficiently and consistently across your organization.

With this version, this screen was redesigned to combine and enhance two powerful concepts:

• Website Categories (based on domains)
• Application Categories (based on detected application traffic)

You can now enforce access control at two levels:

• Domain-level, using website categories
• Application-level, using traffic-recognized app groups

📍 To access this screen, go to Rules → Categories

Website Categories

Website categories help you manage access to groups of domains instead of defining individual entries. You can use these categories in firewall rules, especially in environments where you want to:

• Block or allow types of content (e.g., Gambling, File Sharing)
• Whitelist trusted services
• Enforce clean web usage policies

🔸 Website Categories Table

The Whitelist category is fixed at the top and allows you to bypass all filtering rules for the included domains. Any domain listed here is always allowed.

Domain Lookup

Use the search bar at the top of the screen to look up any domain. If the domain exists in a category, the result will show which one. This is especially helpful for:

• Preventing duplicate entries
• Understanding how a domain is currently handled

Create and Edit a Website Category

Click Create New to add a custom website category. Each category can then be managed using the ••• to:

• Edit its domain list
• Import domains via CSV (max 1,000 entries)
• Exclude specific domains even after they were included

You’ll see two management tabs:

• Included Domains – Domains actively evaluated by rules
• Excluded Domains – Domains ignored for auditing or exception purposes

Application Categories (NEW)

This new section introduces application-based traffic classification, giving you visibility and control over apps detected through your network activity—even when domain filtering is not enough.

These categories are:

• Predefined by the system
• Continuously updated based on recognized application signatures
• Read-only, but fully visible and referenceable in rules

Using Categories in Rules

You can reference both Websites, Website Categories, Applications, and Application Categories under the Destination field when creating Firewall Rules.

This gives you:

• A scalable way to define allow/block logic
• Unified control over domains and apps
• Easier maintenance of complex filtering policies

The Rules → Firewall screen allows you to define how your organization handles network traffic. By configuring Allow or Deny actions based on source, destination, service, and time schedule, you can enforce strict access controls and secure your environment—whether you’re blocking suspicious activity, protecting internal systems, or managing internet usage.

📍 To access this screen, go to Rules → Firewall

The Firewall Rules table lists all firewall rules in the order they are evaluated—top to bottom. The first matching rule is applied, so rule order directly impacts behavior. You can drag and drop rules to reprioritize them.

Create a New Firewall Rule

Click Create New to open the rule configuration screen. Here’s a breakdown of the key:

Once saved, the rule is added to the table and takes effect immediately—according to its position in the list.

Rule Actions

Click the ••• next to any rule to:

• View / Edit – Review or update the rule configuration
• Enable/Disable – Temporarily toggle the rule’s active status
• Clear Sessions – Instantly drop all sessions affected by the rule
• Delete – Permanently remove the rule. Appears in records as Deleted Firewall Rule (ID: {id})

Bulk Actions

You can select multiple rules and use the Actions menu to:

1. Enable/Disable – Temporarily toggle the selected rules’ active statuses
2. Clear Sessions – Instantly drop all sessions affected by the selected rules
3. Delete – Permanently remove the selected rules. Appear in records as Deleted Firewall Rule (ID: {id})

🆕 What’s New in This Version?

Global Policies

The Type column indicates whether a rule is created by you (Client) or pushed by your partner as part of a managed security baseline (Global). This enables consistent enforcement of critical protections across environments, while maintaining flexibility.

Why Global Policies?

Global rules are designed to help standardize and strengthen network security across all managed tenants—particularly useful for:

• MSP environments
• New customers needing out-of-the-box protections
• Preventing configuration gaps in high-risk areas

You can:

• Reorder Global rules to adjust their evaluation priority
• Enable or disable them as needed to fit your context

They do not override your own rules—they simply provide a secure starting point.

The Rules → Forwarding screen enables you to expose internal services—such as web servers, VoIP, or RDP endpoints—to external access by securely forwarding traffic through specific interfaces and port configurations.

By creating forwarding rules, you control which incoming traffic is allowed into your network and where it should be delivered internally, supporting both operational flexibility and strong perimeter defense.

📍 To access this screen, go to Rules → Forwarding

Each row in the Forwarding Rules table defines how inbound traffic is processed and redirected:

Create a New Forwarding Rule

Click Create New to define a new rule.

Once configured, click Save.

Rule Actions

Click the ••• next to a rule to:

1. View / Edit – Update or review rule configuration
2. Delete – Permanently remove the rule. Appears in records as Deleted Forwarding Rule (ID: {id})

The User Sign-In Policies screen allows you to enforce context-aware authentication rules using Timus ZTNA. These policies go far beyond simple password checks—leveraging device posture, sign-in origin, behavioral anomalies, and risk signals to determine whether access should be allowed, challenged with MFA, or blocked entirely.

📍 To access this screen, go to Zero Trust Security → User Sign-In Policies

The main table lists both default and custom sign-in policies:

Policies higher in the list are evaluated first. You can reorder them using drag & drop to change priority.

Create a New User Sign-In Policy

Click Create New to open the policy builder. You’ll configure the policy using four tabs:

Source

Specify the users or environments this rule applies to:

• Add a Name and Description (optional)
• Choose from Users, Teams, Tags, or Public IPs
• You can assign multiple sources

Condition

Specify how the system should respond if the policy conditions are met:

Supported Behavior Types

Action

Select how the system should respond:

You can configure multi-step MFA (e.g., Email + App fallback) to strengthen layered authentication.

Alerts & Notifications

Improve incident visibility and team coordination with real-time alerts:

• Alerts:
  • Define Title, Severity, and Status
  • Choose Trigger Results: Success, Failure, Timeout
• Notifications:
  • Define Title, Severity, and Status
  • Choose Trigger Results: Success, Failure, Timeout
  • Choose whether to notify matching users, specific administrators, or external recipients

✅ Why Use Behavior-Based Sign-In Policies?

Behavior-aware authentication lets you:

• Detect suspicious activity like sign-ins from new countries or untrusted IPs
• Apply MFA only when needed, reducing friction
• Block known high-risk sign-ins before damage occurs
• Customize policy logic per user, team, or environment

The Customization section under Configurations allows you to personalize system-wide settings such as interface language, timezone, and email branding. These options ensure the system behaves in line with your organization's preferences—both visually and regionally.

You can also define a short organization name (alias) that will appear in email notifications sent to users, providing a more branded and contextual experience.

📍 To access this screen, go to Settings → Configurations → Customization

The Email Server screen lets you configure how Timus sends system-generated emails such as password reset links, alerts, and scheduled reports. By default, emails are sent using Timus's built-in mail service. If you prefer using your organization's own email infrastructure, you can enable a custom SMTP server.

📍 To access this screen, go to Settings → Configurations → Email Server

At the top of the screen, you'll see a checkbox labeled Use Custom SMTP Server.

• When this is unchecked, Timus continues to send emails using its own service. You don’t need to enter any additional information.
• When you check this option, a set of fields appears for configuring your own SMTP server.

Once enabled, you’ll need to complete the following:

When you save your settings, Timus will send a test email. If you don’t receive it or the sender address doesn't match, the setup may be incorrect.

The Productivity screen allows you to manage how user application activity is categorized and classified across your organization. This is where telemetry data collected from endpoints becomes meaningful, enabling customized productivity analysis and reporting.

Timus Connect collects application activity data through telemetry, which must be enabled per user. If telemetry is disabled, this screen will remain empty.

Go to Agent Profiles Guide

Classifications and categories shown here directly affect how app usage appears in productivity reports. Adjusting them helps tailor reporting to your organization’s real-world workflows.

Go to Productivity Reports Guide

Once telemetry is active, applications used by your team will automatically appear in this list.

📍 To access this screen, go to Settings → Configurations → Productivity

Edit an Application’s Productivity

Clicking Edit on any row opens a detailed configuration modal for that application.

You can:

• Change the Selected Category or Classification globally for all users
• Define team-based overrides that apply only to users within selected teams

This gives you full flexibility to reflect your organization’s work habits. Team-specific settings override global ones—but only for those users.

These changes only affect new data going forward. Historical reports remain unchanged.

The API Access screen allows you to securely generate client credentials (Client ID and Client Secret) to integrate external systems or services with Timus. These credentials are used to authorize and authenticate API calls from third-party applications.

Whether you're building a custom dashboard, automating user provisioning, or integrating identity providers, this screen is where you manage the tokens required to make those secure connections.

📍 To access this screen, go to Settings → Configurations → API Access

Each card represents an existing API access configuration and includes:

You can manage multiple configurations at once, each tied to a different use case.

Create a New API Access

Click Create New to open the setup modal. You'll need to provide two values:

• Active Directory: Use this when integrating with your AD setup.
• Custom: Use this for internal tools, scripts, or other services not listed. |

Need help integrating with Active Directory?

Go to Active Directory Integration Guide 

Once saved, a Client ID and Client Secret will be generated. Use these in your external application’s API headers for secure communication.

✅ Best Practices

• Keep your Client Secret safe. It grants full access on behalf of the integration.
• Rotate tokens periodically for security. You can regenerate keys via the API or by creating a new entry.
• Label clearly. Use meaningful titles to avoid confusion as your system scales.

The Events screen provides a comprehensive audit trail of identity-based activities across your environment. Events captured here include user and administrator sign-ins, authentication steps, policy enforcement outcomes, and behavior-based triggers—giving you full visibility into who did what, when, and from where.

This screen is essential for enforcing Zero Trust principles, monitoring anomalies, and investigating incidents across both workforce and administrative actions.

📍 To access this screen, go to Insights → Events

Event Types

Events are classified into two core types:

• User Events – Generated by end users accessing systems or applications
• Administrator Events – Triggered by administrative actions on the Timus platform

Each entry in the table includes:

Event Details

Click the ••• → View next to any event.

If the event includes Untrusted IP behavior, additional IP Intelligence fields are shown:

📤 Export Event Logs

Click Export to download the current table view as a CSV file.

Applied filters and sorting are reflected in the export.

The Automated Reports feature helps you track key metrics across your network by generating scheduled, customizable reports. Using templates and flexible scheduling options, you can automatically deliver reports that highlight user activity, bandwidth usage, threat patterns, and more—directly to the right recipients via email.

With Automated Reports, you don’t need to build reports from scratch every time. You save time, reduce manual effort, and keep your team informed with clear, consistent insights—automatically.

📍 To access this screen, go to Insights → Automated Reports

Manage Report Templates

Templates define the structure and content of your reports. Before you can generate any reports, you need to set up at least one template.

1. Go to Insights → Automated Reports.
2. Click the Manage Templates in the top right corner.

Templates are organized into two types:

• Predefined Templates – Ready-to-use templates provided by the system.
• Custom Templates – Templates you create and configure based on your reporting needs.

Each template includes widgets, which are visual or tabular components used to present data in the report.

Create a New Custom Template

To build a custom report layout:

1. In the Manage Templates screen, click Create Custom Template.
2. Enter a title and click Create.
3. On the template screen, click Add Widget to start adding data blocks.
4. Select the widgets you want to include and click Add.
5. Use drag-and-drop to arrange the widgets as desired.

To customize a widget:

1. Click Configure.
2. Choose a Data Range Type:
   • Relative (e.g., last 7 days)
   • Fixed (specific start and end dates)
3. Choose how data should be grouped: Daily, Weekly, Monthly, or Yearly

You can edit any template later by clicking the ••• → Edit option.

Create a New Report

After preparing your template, follow these steps to create a report:

1. Return to the Automated Reports screen.
2. Click Create Report, or use the ••• next to a template and select Create Report.
3. Enter a report title.
4. Choose the Report Type:
   • On Demand – Manually generated when needed.
   • Scheduled – Automatically generated and delivered on a schedule.
5. Select the Template you want to use.
6. In the Recipients section, add the email addresses of people who should receive the report.
7. Click Save to create the report.

To generate a report manually:

• Click the Actions button in the upper-right corner and select Generate Report.
• Click the link in the success message to view the report in your browser.

If you added recipients, the report will also be delivered to their email inboxes.

The Insights → Device Posture Reports screen helps you monitor the effectiveness of your device posture enforcement policies. This feature provides visibility into posture check results across users, devices, and policies—enabling you to detect recurring compliance issues, identify frequently failing attributes, and evaluate endpoint health over time.

Reports on this screen are automatically generated as long as your posture check policies are active and devices are sending telemetry through the Timus Connect Agent or integrated EPP solutions.

📍 To access this screen, go to Insights → Device Posture Reports

The screen is divided into three main sections:

• Overview – A summary of pass/fail trends, top failing devices, and the most frequently violated attributes
• Devices – Detailed run results for a selected endpoint, including pass/fail outcomes and attribute logs
• Posture Checks – Aggregated results grouped by posture check policy, with drill-down options to investigate devices or attributes

Need help setting up your posture check policies or integrating external data sources?

Go to Device Posture Checks Guide

Go to Third Partner Integrations Guide

📊 Analyze Overall Posture Trends

The Overview tab provides a high-level summary of posture performance across your environment.

• Most Failed Devices – Devices with the highest number of failed posture checks
• Most Failed Attributes – Attributes that failed most frequently (e.g., OS mismatch, agent not installed)
• Total Pass/Fail Rate – A visual chart summarizing overall compliance status
• Pass Trend – A time-based graph showing changes in pass rate over the selected period
• Check Summary Table, including:
  • Title of each posture check
  • Number of runs
  • Total checks performed
  • Average number of devices per run
  • Overall pass/fail rates

Use this view to identify widespread issues—such as common misconfigurations or telemetry gaps—before they impact your posture enforcement strategy.

Review Results for a Specific Device

The Devices tab allows you to drill into posture check results for a specific endpoint.

1. Select a device using the dropdown at the top right.
2. Choose a date range to filter the results.
3. Once applied, you’ll see:
   • Total Runs: Number of posture checks executed for this device
   • Pass Rate and Fail Rate
   • A results table including:
     • Date and time of each run
     • Result (Passed / Failed)
     • Number of passed and failed attributes
     • Details link to explore further

Run Details

Click Details to view the full Device Posture Check Report for that run. It includes:

• Data Source (e.g., Timus Connect, Bitdefender)
• Attribute checked (e.g., Firewall, OS)
• Condition and expected Pass Value
• Actual Value received from the device
• Result (Passed / Failed)

This detailed view helps you pinpoint the exact reason for failure—such as outdated antivirus, unsupported OS, or missing telemetry.

Evaluate Posture Check Policies

The Posture Checks tab displays results grouped by posture check policy, giving you a policy-centric view of enforcement success.

1. Select a posture check from the dropdown.
2. Choose a date range to filter the dataset.
3. View policy-level metrics such as:
   • Total Runs
   • Attributes Checked
   • Pass Rate / Fail Rate
   • Pass Trend chart for visual monitoring

You’ll also see a run-level table with:

• Date and time
• Number of devices evaluated
• Devices that passed / failed
• A ••• menu with two options:
  • View Devices – Opens a list of affected devices and their results
  • View Attributes – Shows each attribute checked during the run

View Devices Associated with a Posture Check

This screen shows:

• Device name
• Failed attribute(s)
• Pass / Fail per device

View Attribute-Level Results

This screen shows:

• Data Source
• Attribute name
• Device Name the check was applied to
• Condition, Pass Value, Actual Value
• Result (Passed / Failed)

These breakdowns are useful for detecting systematic errors in posture configurations or integration gaps in endpoint telemetry.

The Insights → Productivity Reports screen provides a powerful lens into how time and digital tools are used across your organization. Designed for managers, team leads, and IT administrators, this feature transforms activity data into meaningful insights—enabling you to identify high performers, uncover inefficiencies, and build a culture of focused productivity.

📍 To access this screen, go to Insights → Productivity Reports

Reports are automatically generated when:

• The Productivity Tracker is enabled in the user’s Agent Profile.
• The user is signed in through the Connect Application.

Looking to define productivity rules or manage classifications?

View Productivity Configurations 

User Reports

The Users tab provides individual-level insights into application usage and productivity. It allows you to evaluate how each person spends their time and whether their digital habits align with team and company goals.

You'll see the following breakdowns:

• Most Active Users – Users with the highest total time across all applications.
• Productive Users – Users who spend the largest share of time in apps marked as productive.
• Unproductive Users – Users frequently engaging with low-value or distracting applications.

User Report Details

1. Click Details next to any user to explore:
   • Time spent per application
   • Productivity classification per app
   • A sorted list of most-used applications

Team Reports

The Teams tab aggregates user activity to provide a comprehensive overview of group-level productivity. Whether you're managing departments or functional teams, this view helps you spot trends and take informed action.

You'll be able to compare:

• Most Active Teams – Teams with the highest total usage across members.
• Productive Teams – Teams spending a majority of time in productive tools.
• Unproductive Teams – Teams with a noticeable reliance on unproductive applications.

Team Report Details

Click Details next to any team to explore:

• Total Active Time across the team
• Segmentation of time into Productive and Unproductive
• Team Productivity Score based on usage patterns
• Member rankings by engagement and productivity

Use this data to balance workloads, restructure roles, or support underperforming teams.

Application Reports

The Applications tab reveals how individual apps impact productivity across your organization. This view is especially useful for application lifecycle management, IT budgeting, and usage enforcement.

Categories include:

• Most Productive Applications – Tools associated with high-value, focused work.
• Unproductive Applications – Applications linked to non-work-related activities or distractions.
• Neutral Applications – Apps with context-dependent usage patterns.

Application Report Details

1. Click Details next to any application to explore:

   • Which users accessed the app
   • Time spent by each user
   • Productivity classification and trend analysis

   These insights help optimize software investments, improve training, and enforce digital policies.

📤 Export Reports

To export flow logs in .csv format, click the Export button in the top-right corner in the Users, Teams, or Applications tabs.

• A maximum of 10,000 records can be exported.
• Active filters and sorting will apply to the exported results.

The Network Activity screen provides a real-time view of all traffic events in your environment—both allowed and blocked. It helps you detect suspicious behavior, troubleshoot network issues, and understand how your infrastructure is being used.

📍 To access this screen, go to Insights → Network Activity → Firewall

Traffic Logs

The Traffic tab shows log-level entries for every traffic event evaluated by your firewall rules. Each row reflects a specific rule match, giving you granular visibility into connections and policy enforcement.

Traffic Details

Hover the info icon (🛈) at the end of each row to open a detailed panel.

Details include:

• Source IP, port, user, and team (if available)
• Destination IP and port
• Data size transferred
• Site of observation
• Rule ID and matched conditions

These insights help answer questions like:

• Why was this traffic blocked?

• Who attempted the connection?

📤 Export Traffic Logs

Click Export to download the current table view as a CSV file.

Applied filters and sorting are reflected in the export.

🆕 Flow Logs (NEW)

The Flows tab is a new feature introduced in this version, offering a deeper layer of visibility by analyzing full session-based connections—not just rule matches.

This feature is available only on gateways where Application Filter is enabled. It allows you to monitor real-time connections, identify risky or unknown applications, and understand bandwidth usage across ongoing sessions.

Why This Matters

Unlike traditional logs that record single events, Flow Logs track the entire lifecycle of a connection—from initiation to closure—while enriching each flow with:

• Application Detection
• Application Category
• Risk Score Evaluation

This is especially valuable for detecting encrypted, unknown, or non-domain-based traffic that may bypass classic rule logic.

Flow Details

Hover over the info icon (🛈) to view detailed attributes for a flow:

• Source and destination IPs/ports
• Bytes Sent / Received
• Packets Sent / Received
• Detected user and team (if available)

📤 Export Flow Logs

Click Export to download the current table view as a CSV file.

Applied filters and sorting are reflected in the export.

Flow visibility gives you actionable insights into live or recent activity—making it easier to detect bandwidth abuse, malware behavior, or unauthorized app usage.

How does a Timus Partner get support? get help?

We have a wealth of ways to answer your questions or solve your issues. You can use our brand-new help center, submit a ticket in the help portal, email your issues, or chat with us.

Support Hours

Regular Support: Mon - Friday, 8:00 am EST - 5 pm EST

Chat Support: Mon - Friday, 9:00 am EST - 5 pm EST

Severity 1 Support: 24/7 

Submitting a request to Timus Support

Chat:

• Go to support.timusnetworks.com/hc/en-us and click on the chat icon in the bottom right to chat with support during our support hours

Web Form:

• Submit a request by going to www.timus.zendesk.com and clicking on "Submit a request" on the top menu bar. Or you can click on the this link to submit a request.

Email: 

• Send an email to support@timusnetworks.com with as much details as possible for us to solve your issues. Include logs, topology, steps to reproduce, etc., if applicable.

Updating an existing request

Support Portal

• Go to www.timus.zendesk.com and click on your profile icon drop down. Select the option "Request" and navigate to the ticket thats needed an update. Scroll to the bottom and and click on the section called "Add to conversation". 

Email

• Please find the correspondent ticket number messages in your inbox and reply to those emails.

Support Workflow process

Waiting on Partner 

• After our support team communicates and needs additional information from the partner or believes we have solved the issue, we will put the ticket in a "Waiting on Partner" status. The ticket will stay in this status unless you respond. If you do not respond within 3 business days, the status will switch to "Still Issue".

Still Issue 

• If the ticket workflow puts the ticket in "Still Issue" status, and you respond, the ticket will be updated. However, if you do not respond, the ticket will switch to "No Partner Response" status and be considered closed. You can reply to the ticket, and it will be reopened.

Our solution is not designed or optimized to run alongside another VPN on the same operating system. Running two VPNs simultaneously can lead to a range of issues, including:

• Network Conflicts: Multiple VPNs may compete to control the network interface, resulting in unstable or broken connectivity.
• Routing Issues: Each VPN establishes its own encrypted tunnel and routing rules. When both are active, they can override or conflict with each other’s routes, causing traffic to be misrouted or blocked entirely.
• Performance Degradation: VPNs consume system resources and bandwidth. Running two at once can significantly impact device performance and network speed.
• Security Risks: Instead of enhancing protection, overlapping VPNs can create unintended vulnerabilities, as one VPN may bypass or interfere with the encryption or DNS settings of the other.
• MAC Address Conflicts: For example, FortiClient VPN may assign a virtual adapter with the same MAC address across different devices. When used in conjunction with Timus SASE, this causes identification conflicts in our platform, preventing proper policy enforcement and ultimately blocking access.
• Timus SASE and ControlOne Conflicts: ControlOne and Timus SASE both implement low-level network drivers to manage secure access and routing. When both agents are active, they interfere with each other’s tunnel interfaces and route tables. This leads to unpredictable behavior such as traffic loops, broken connections, or one service completely overriding the other. As a result, users may experience loss of access, inconsistent security enforcement, or total VPN failure.

To ensure optimal performance, stability, and security, we recommend using only one VPN or secure access solution at a time on any given device.

Overview

This article explains the AADSTS53003 error encountered when using DUO MFA with Microsoft Entra ID (formerly Azure AD) under Conditional Access policies. The issue stems from policy configuration in Entra ID and how it interacts with DUO’s custom control mechanism. This is not related to infrastructure or service functionality on the Timus Networks side.

Symptoms

AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

This error means Microsoft Entra is enforcing a Conditional Access (CA) policy that blocks token issuance due to unmet conditions (e.g. MFA, device compliance, IP location).

Root Causes

• Use of the common endpoint instead of a tenant-specific endpoint.
• CA policy requiring MFA not satisfied by DUO’s Custom Control.
• Policy applies to user or service principal with no exclusions defined.

How to Diagnose

1. Log in to Microsoft Entra ID > Sign-in Logs.
2. Locate the failed login attempt with the AADSTS53003 error.
3. Open the sign-in log and view the Conditional Access tab.
4. Identify which policy blocked the token issuance and why.

How to Resolve

• Use your tenant ID, not "common":
  Replace https://login.microsoftonline.com/common with https://login.microsoftonline.com/<your-tenant-id>.
  [Microsoft Answers]
• Adjust Conditional Access policies:
  - Exclude the affected user, group, or service principal from the blocking policy.
  - Loosen conditions (e.g. allow external MFA, accept custom controls).
  [Stack Overflow] | [Sync365]
• Understand DUO limitations:
  - DUO Custom Control does not satisfy Microsoft’s native MFA claim requirement.
  - If strict MFA enforcement is needed, use DUO with AD FS or DUO SSO for federation-based authentication.
  [DUO Docs]

Important Notice

No action can be taken on the Timus Networks side to resolve this issue. This is not a service-level problem, but rather a result of how Conditional Access evaluates the token request in combination with DUO’s authentication method.

To clarify: This issue must be addressed jointly by your internal Entra ID administrators and DUO MFA configuration. The enforcement behavior and token issuance logic are fully governed by Microsoft Entra and how it recognizes external MFA solutions. Timus Networks has no control or authority to override these decisions.

References

• Microsoft Answers – AADSTS53003 using 'common' endpoint
• Stack Overflow – Conditional Access blocking token
• Sync365 – Troubleshooting Conditional Access
• DUO Docs – Azure Conditional Access Integration

Overview:

This article provides troubleshooting steps to resolve common issues related to high CPU and RAM usage, as well as functionality disruptions in the Timus Connect application. It aims to assist in identifying and addressing problems that may arise due to antivirus or endpoint protection software blocking key executables or interfering with the application's native operations. By following these guidelines, users can ensure smooth performance and prevent potential conflicts that could lead to prolonged processes or system slowdowns.

To ensure full compatibility and performance of the Timus Connect application, it is critical that all related executable files are properly whitelisted in both Antivirus (AV) and Endpoint Protection Platform (EPP) tools.

Failing to whitelist these files may cause:

• High CPU and memory usage
• Stuck or unresponsive processes
• VPN connection failures
• Performance degradation due to blocked native API calls or memory hooks

Modern AV/EPP solutions may block more than just the executable file. They often inspect runtime behavior, command-line parameters and system-level API calls. Therefore, it is essential to allow not only the executables but also their full runtime behavior.

✅ Required Executables for Whitelisting

The following files must be excluded from scanning, behavioral analysis, and execution restrictions:

C:\Program Files\Timus Connect\Timus Connect.exe
C:\Program Files\Timus Connect\Uninstall Timus Connect.exe
C:\Program Files\Timus Connect\resources\elevate.exe
C:\Program Files\Timus Connect\resources\service\timus-connect-service.exe
C:\Program Files\Timus Connect\resources\service\timus-helper-service.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win32\certutil.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win32\modutil.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win32\pk12util.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win32\shlibsign.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win64\certutil.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win64\modutil.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win64\pk12util.exe
C:\Program Files\Timus Connect\resources\service\lib\win\nss\win64\shlibsign.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\openssl.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\openvpn.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\openvpn_2.4.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\tapctl.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\tuntap_win\tapctl.exe
C:\Program Files\Timus Connect\resources\service\lib\win\openvpn\tuntap_win\tapinstall.exe
C:\Program Files\Timus Connect\resources\service\lib\win\telemetry\timus-telemetry.exe
C:\Program Files\Timus Connect\resources\service\lib\win\wireguard\amd64\timus-wireguard-tunnel-service.exe
C:\Program Files\Timus Connect\resources\service\lib\win\wireguard\amd64\wg.exe

🔐 General Whitelisting Guidelines

To ensure full functionality, perform whitelisting at two levels:

1. Client-Side Agent – Exclude paths directly on the endpoint
2. Central Console – Apply policy-wide exclusions for consistency and scale

For maximum compatibility:

• Exclude by exact file path
• Exclude entire Timus Connect folder to cover future updates

🔧 Configuration by Vendor (Antivirus + EPP)

1. Windows Defender (Microsoft Defender for Endpoint)

Client UI:

• Go to Windows Security → Virus & threat protection → Manage settings → Add exclusions
• Add both individual .exe files and the full folder path

PowerShell (for bulk deployment):

Add-MpPreference -ExclusionPath "C:\Program Files\Timus Connect"

Microsoft Defender for Endpoint (MDE Console):

• Go to Device Configuration → Endpoint Security → Antivirus → Policy
• Add exclusions under Microsoft Defender Antivirus settings

2. BitDefender GravityZone

Control Center:

• Navigate to Policies → Antimalware → Settings → Exclusions
• Add file paths for all relevant executables and their subfolders
• If “Advanced Threat Control” flags the app, add a Process Exception

Client:

• Open local agent settings → Go to Protection → Manage Exclusions
• Add relevant paths manually

3. SentinelOne

Management Console:

• Navigate to Threat Protection → Exclusions
• Add executables by path
• Create Behavioral AI exclusions to allow elevated processes and tunneling apps (OpenVPN/WireGuard)

Note: SentinelOne client does not support local UI configuration—central management only.

4. CrowdStrike Falcon

Cloud Console:

• Go to Configuration → Prevention Policies
• Add to “Allow List” using exact path
• Confirm that the process is excluded from behavioral blocking policies (e.g., “Process Injection” or “Credential Access” rules)

5. Trend Micro Apex One

Control Manager:

• Navigate to Policy Management → Agent Settings → Exceptions
• Add both file and folder exclusions
• Include all child .exe under Timus Connect path

Client:

• Right-click agent icon → Go to Settings → Scan Exceptions

6. Symantec Endpoint Protection

SEPM Console:

• Go to Policies → Exception Policies → Windows Exceptions
• Add by File, Folder, and optionally by File Type (.exe)

Client:

• Open SEP UI → Settings → Configure Exceptions

7. McAfee Trellix Endpoint Security

ePolicy Orchestrator (ePO):

• Go to Policy Catalog → Endpoint Security Threat Prevention → Access Protection → Exclusions
• Add by path and allow for:
  • Read/Write Access
  • Memory Access

Client Console:

• Open ENS client → Go to Threat Prevention → Show Advanced Settings → Exclusions

8. ESET Endpoint Security

ESET PROTECT Console:

• Go to Policies → Detection Engine → Exclusions
• Add all Timus .exe files and folders

Client Interface:

• Open ESET UI → Setup → Detection Engine → Manage Exclusions

9. ThreatLocker

Portal:

• Navigate to Application Control → Policies → Add Policy
• Create a custom group for Timus Connect
• Approve each executable manually
• Ensure compatibility with Ring0 operations (driver/low-level calls)

10. Datto AV/EPP

Control Manager:

• Navigate to Security Management → Policies → Exclusions
• Add full folder C:\Program Files\Timus Connect\ and all executable paths
• Allow behaviors: privilege elevation, service creation, VPN tunneling (OpenVPN/WireGuard)

Client:

• Open Local Agent→ Settings → Exclusions
• Add Timus Connect folder and executables manually
• Allow runtime behaviors if blocked

11. FortiEDR / FortiClient 

FortiEDR Console

• • Log in to the FortiEDR Management Console

  • Navigate to Policies → Endpoint Policies

  • Select your policy → Edit

  • In the left pane, choose Exclusions → File and Folder Exclusions

  • Click Add → browse to C:\Program Files\Timus Connect\

  • Select all .exe files and their parent folders under that path

  • Save changes → Publish updated policy