Аdmin Panel

Authorization in the Admin Panel

Admin Panel Interface Language

• Set the desired language as primary in your browser settings.
• Or manually change the _admin_locale parameter in Cookies via the developer console:
  1. Open the admin panel.
  2. Press F12 (or Fn + F12).
  3. Go to Application > Cookies > select the server address.
  4. Find _admin_locale and change the value to ru (Russian) or en (English).
  5. Refresh the page.

This section contains a list of users and bots on the corporate server.

Searching for Users

In the search field on CTS and ECTS, you can search for users by HUID, name, email, domain, and position as specified in their corporate account. On RTS and ETS, you can search for users by name, phone number, as provided by the user during initial registration or later in profile settings in eXpress.

Creating Users

You can manually create a new user on the corporate server by clicking the corresponding button. Such a user will only be able to log in via email. When synchronizing with a corporate directory (e.g., Active Directory), create users in the directory, not manually on the corporate server!

Batch User Creation from CSV

Requires direct access to CTS.

1. Install python2: sudo apt install python2
2. Copy the import script matching your server version (example for 3.11.1): sudo docker cp cts_admin_1:/app/lib/admin-3.11.1/priv/scripts/add_users_from_csv.py .
3. Prepare the import.csv file with users:
   • Delimiter: ;
   • Encoding: UTF-8
   • Fields: name email company position department office description manager
4. Upload the file to the server and run: sudo python2 add_users_from_csv.py import.csv
5. Verify users in the Users section.

Editing and Deleting Manually Created Users

Click the pencil button on a manually created user in the list to edit their data (the email field is non-editable as it serves as the login).

To delete such a user:

1. Initiate and confirm their logout
2. Click the trash button

Exporting the User List

The Download as .CSV button downloads the user list in CSV format. This list can later be imported into a group chat or channel for bulk user additions. To filter the exported list, use the search function. When clicking the button, you will be prompted to select user types for export:

• cts_user — registered corporate users.
• unregistered — unregistered users.
• botx — bots and Smart Apps.

User Profile

Clicking on a user opens their profile information:

• HUID — the user’s unique identifier. Learn more.
• Company details, position, etc. (filled manually by the administrator or synchronized automatically).
• RTS ID/ETS ID/CTS ID — the registration server ID. To determine the specific server address, find this ID in the “Servers” section.
• Type of the profile:
  • botx (CTS, ETS, RTS) — bot (Smart App) account
  • cts_user (CTS) — active corporate account
  • external_client (CTS) — external client app account
  • guest (CTS, and on ETS, RTS) — guest account
  • unregistered (ETS, RTS) — inactive account
  • user (ETS, RTS) — personal account not linked to a corporate server
• Registration type (details):
  • default — phone number registration
  • cts_only — registration without a phone number
• AD groups — displayed for users synchronized from Active Directory
• Dates of account creation, update, or deletion (updated upon server login or synchronization)

Additional Profile Sections

• Activations — active and completed sessions:
  • Each session is identified by UDID
  • Contains device information, software versions, and locks information
  • Displays permissions (Device Meta):
    • permissions.microphone — microphone access
    • permissions.notifications — browser/OS notifications
    • pushes — in-app notifications
    • permissions.contacts — contact access
    • permissions.storage — storage access

  Available actions for activations:

  1. Clean chats/Clean contacts — forced cache clearance with subsequent server reload
  2. Clean all — clears chats/contacts and ends the session
  3. Delete (RTS/ETS only) — clears cache, ends the session, and removes the activation record
• Blocks — list of account blocks in Active Directory and their reasons.
• Keys — user’s encryption keys:
  A new pair of cts and rts keys is generated:

  • When resetting the personal password for encryption keys.
  • After deleting an account and re-registering.

  Upon login after logout, keys are forcibly synchronized between servers.

• Chats — list of all user chats.
• Recovering keys in chats — fixes encryption key issues in chats (details).
• Clean cache — clears local chat/contact cache on all user devices.
• Clean all — deletes cache and forces a return to the login screen on all user devices.
• Logout — sends a request for logout from the corporate server (requires administrator confirmation in the “Logout Requests” section).

This section provides a complete list of all chats and channels of users on the current server.

Searching for Chats

In the search field, you can find chats by:

• Chat ID
• Chat name
• HUID of a user (to find their “Saved Messages” chat)

Chat Properties

When clicking on a chat, the following information is displayed:

• ID — the unique chat identifier.
• Description — filled in by the chat creator or administrator.
• Active — the chat activity status:
  • The chat is deactivated on RTS when switching to a corporate status.
  • The chat is deactivated on CTS when switching to a non-corporate status.
  • The status depends on the servers where the participants are located — if all participants leave a specific server, the chat on that server is deactivated.
  • The status is updated whenever the chat is modified (e.g., when a participant is added).
• Type — chat type:
  • group_chat
  • chat (personal chat)
  • botx (bot chat)
  • channel
• Members — chat participants (the full list is available via the Members button at the top of the interface).
• Created at — the time the chat was created.

Additional Chat Sections

The following sections and buttons are available in the interface:

• Members — managing chat participants:
  • Add members — manual addition of participants from the current server
  • Import members — bulk addition via CSV/TXT file
  • Assigning/revoking admin rights (via the Administrator column)
    
    This function requires at least one administrator participant from the current server.
  • Viewing the user profile type (column Conn type: CTS/RTS)
  • Routing scheme (the Routing link shows the traffic path) — more details.
  • Removing users (trash bin button)
• Events JSON — the chat event log in JSON format.
• Events table — the event log in table view.
• Chat JSON — complete chat information in JSON format.
• Make the chat open/private — makes the chat or channel available/unavailable in the corporate catalog.
• Enable/Disable end-to-end (e2ee) encryption — managing end-to-end encryption of messages in a group chat or channel.

This section displays the full list of open chats and channels on the server available in the corporate chat directory. Users can join them independently. The section is only accessible for CTS and ECTS.

Searching for Open Chats

In the search field, you can find open chats by ID or name.

Open Chat Properties

Clicking on a chat will open its detailed information (see above).

Creating Open Chat

The Create button allows you to create a new open chat on the server.

The first participant of an open chat cannot be added via the admin panel. The user must join independently through the chat directory in the client application.

In the Calls section, a complete list of all completed and current calls on the server is displayed. Conferences are not shown in this list — they have a separate section with the similar controls.

Calls Table

Call information is presented in a table with the following columns:

1. Avatar
2. Chat
3. Call Chat
4. Call
5. Active
6. Call Start Time
7. Call End Time
8. Destroy Call
9. Call Logs

Searching for Calls

In the search field, you can find calls by:

• date and time
• chat name
• chat ID
• call ID
• HUID, email or name of a participant

Call Logs

The Download logs function is available to download call logs as a ZIP archive.

The Clear logs button deletes all call logs on the server.

Ending a Call

The cross button forcibly ends a call (use for stuck calls).

Information About the Group Chat Where the Call Took Place

Clicking on the chat ID opens information about the chat where the call was held (see above).

Call Properties

Clicking on the call ID displays the following information:

• Voex call [ID] — the unique call identifier in the page header.
• room_id — the call chat (room) identifier.
• Call Participants — detailed information in the table:
  • Name
  • Platform
  • App Version
  • In call now
  • Publishing screen
  • Joined call
  • user_huid
  • udid
  • server_id
  • audio
  • video
  • screen
  • Answered at
  • Hangup at

This subsection contains tools for working with conferences, similar to call tools. Important limitations:

• conferences are only displayed if they were created on the current server.

This section was introduced in server software version 3.33. Here, the administrator can approve or reject user requests to change profile information (avatar) if moderation is enabled in the “Server” section.

❓Related Topics:

• Avatar, Name, and Other Profile Data
• Server

This section displays a list of users for whom a logout request has been sent:

• by the user;
• via the corporate server administrator;
• due to an event in the corporate directory.

Here, you can view user information, check the logout reason, and Accept or Reject the request. This section is only available for CTS and ECTS.

Logout Reasons

• user_request — the logout request was sent by the user. This usually means the user initiated a logout on one of their devices. On other devices, they will continue working as usual. If this request is erroneous, the user can log in again with the same credentials — the logout request will disappear automatically (after refreshing the admin page) or can be declined manually.
• PWD_last_set_changed — logout due to a password change in AD.
• account_disabled — the account was disabled in AD.
• account_deleted — the account was deleted in AD.
• lockout — the user was locked out in AD.
• password_expired — the password expired in AD.
• account_expired — the account expired in AD.
• admin_request — a logout request from an administrator.
• excluded_from_search_filter — the Automatic logout when synchronization with AD is excluded from the selection checkbox is enabled in the Active Directory section, and the user was excluded from the selection (e.g., removed from an AD sync group).

After clicking Accept, the user's corporate account is detached from the personal account and changes to the unregistered status.

Bulk Selection of Requests

Starting from server software version 3.27, multiple logout requests can be selected using checkboxes. To select all entries (the top checkbox in the first column), first specify the logout reason in the filter. If no filter is applied, bulk selection is unavailable — entries will need to be marked manually.

Deleting an Account After Logout

After logout, the account remains in the list in the “Users” section. The deletion method depends on the account type:

• Manually created in the admin panel — deleted via the trash icon in the Users list.
• Synchronized from the AD corporate directory — disappears after deleting the synchronization group in Active Directory.
• Synchronized from KeyCloak — deletion is not possible.

Configuring user access to the admin panel. You can create and view users and groups.

Creating a User

To create a user for the admin panel, in the Administrators section, click Create. Specify the login, password, group memberships, and the account expiration date (check the Enable block box and enter the date below).

Administrator Password Requirements

The password must contain:

• A special character: #!?&@$%^*().
• A lowercase letter.
• An uppercase letter.

Minimum password length is 8 characters.

Creating a Group

To create a group, in the Administrators section, click List groups > Create. Specify the group name, the corresponding LDAP group, and configure permissions for the admin panel sections: no (no access), read (view only), write (edit).

This section displays all servers connected to this server: RTS, CTS (ECTS), ETS, Trusts, as well as the routing scheme Graph with all connected servers.

Server Status Indicators

A green indicator next to the server name means the server is available and connected. A red indicator indicates no connection.

Deleting a Server

The trash bin button deletes a server record (token) or a trust connection.

Deleting a CTS Record from RTS

Deleting an inactive server from RTS may be necessary if a user needs to register on a new server, but the old server is physically unavailable, yet its record remains on RTS. This can only be done through eXpress support. Deletion is only allowed if the server cannot be restored! After deletion, additional chat recovery will be required on servers where chats with its users existed. Before disconnecting the server, all users must perform a logout.

Searching for Servers

In the search field on the corresponding tab, you can find servers by ID, name, or address.

Adding a New Server

Click the Create button to add a new server for connection to the current server.

Trust Connections

The Trusts tab displays trusted connections of this server to other corporate servers.
The Allow trust search option (when editing the trust connection) determines whether users of the trusted server can search for users on the current server.
The Trust search setting in the Server > Server Features section manages trust search for all servers with the Allow trust search option enabled.

Server Properties

Clicking on a server opens information about it and its connection. Here, you can manage the connection, edit server properties, or delete it.

Changing the Host

If a server's host has changed, edit the record and specify the new address. Connected clients will encounter a connection error, and users may need to relogin to the client. The chat history will be preserved.

This section allows you to configure and connect chat bots and Smart Apps on the corporate server. You can enable or disable already added bots and Smart Apps, modify their properties, avatar, visibility in the catalog, access settings (including user group-based permissions for the role model starting from server version 3.21), and other options. This section is only available for CTS and ECTS.

In this section, you can connect built-in bots to the global chat:

1. Conference Notifier Bot. Notifies users about upcoming conferences. It also allows you to set up regular reminders for standing conferences.
2. Notifications Bot. A bot for sending messages to the global chat.
3. Recordings Bot. A bot for notifications about ready call recordings.

This section is designed for configuring integration with Vinteo (currently in development). Such accounts are created for computers in meeting rooms or in other cases when logging into the application requires using a non-personalized account.

To modify the data of an external client user (for example, their email), locate them on the Users page.

A UI Alert is a trigger that blocks the use of the client application if its version is lower than the specified one. The list displays created UI Alerts. This section is available only for RTS and ETS.

Creating a New UI Alert

Click the Create button to create a new UI Alert. Field descriptions:

1. Platform — the client platform for which the trigger is intended.
2. Must update to version — the minimum required client version for the selected platform (format x.x.x: major version.minor version.patch).
3. Update kind — actions required from the user:
   • must_update — the client must be updated to the latest version;
   • must_clear_data — the user must reauthenticate the session to clear the local cache;
   • must_update_and_clear_data — the client must be updated and the session reauthenticated.

This section displays a list of all Docker containers on the server. Here you can:

• View the container version
• Check its status
• Review container logs

Viewing Container Logs

To view logs of a container from the corporate server:

1. Click >_logs next to the desired container
2. Enter the date and the number of lines to display
3. Uncheck the follow box (to disable real-time mode)
4. Click the show button

If Docker containers are not in use, this section will be unavailable.

The following events are displayed in this section:

1. User login attempts to the corporate server
2. Administrator login attempts to the admin panel
3. Logout requests
4. User settings changes
5. Server settings changes

The displayed event table can be filtered and downloaded as a CSV file.

This section displays sticker packs added to the server.

Creating and Editing a Sticker Pack

To create a new sticker pack, click the Create button. To edit a pack, click its ID.

In the sticker editor, you can:

1. Add or remove stickers
2. Make a sticker pack public

A public sticker pack becomes available to all server users—they can find it in the server’s sticker catalog and add it to their collection.

Sticker Requirements

File format: PNG with transparent background
Maximum size: 512 KB
Image dimensions: must fit within a 512×512-pixel square (one side—512 pixels, the other—512 pixels or less)

Deleting a Sticker Pack

To delete existing sticker packs, click the trash bin button.

This section allows you to manage the display order of chats, channels, and bots in the corporate catalog. This section is only available for CTS and ECTS.

Chats, channels, and bots from the catalog are automatically displayed in the general chat list for all users of the corporate server. They cannot be removed for an individual user — this can only be done centrally for everyone in this section of the admin panel.

This section displays server statistics in the following categories:

• Users
• Chats
• Messages
• Group Calls

Statistics data is stored only for the last two weeks. It is sourced from the built-in Prometheus monitoring software, where the default retention period is set to 2 weeks. For longer storage, data can be migrated from the built-in Prometheus to another compatible storage. Contact eXpress support for assistance.

The role model configures security policies for different user groups and the current server. The role model allows you to:

• prevent data leaks in advance
• simplify the process of imposing restrictions on employees and partners of the organization
• manage access to app features based on various attributes

Basic Settings

The Role model activated toggle allows you to enable or disable the role model on the server.

Below is a list of categories and rules created under them. For each rule, the following is displayed:

• Rule name
• Description
• Status (here you can activate or pause the rule)
• Rule properties
• edit, duplicate, and delete buttons

Role Model Setup Approach

To avoid difficulties when setting up the role model from the very beginning, configure it using the following steps:

1. Clearly define which specific action and which users need to be restricted using the role model.
2. Create, configure, and test a user group. A target user group is required for most role model rules.
3. Create and configure a rule suitable for your task.

Role Model and CDTN Contour Settings

All role model settings (both user groups and rules) involving external/internal contours use the internal contour IP mask value specified in the Contour group under the File Service section.

When configuring the role model for file-related restrictions, keep in mind that they may overlap with rules configured for the Corporate Data Transmission Network (CDTN) contour:

• if a file action is restricted in the role model but not in the CDTN settings — the role model will restrict the action;
• if a file action is restricted in the CDTN settings but not in the role model — the CDTN will restrict the action.

Thus, simultaneously enabled CDTN contour and role model restrictions are cumulative. To use the contour in the role model without CDTN contour restrictions:

1. Enable the CDTN contour in the File Service section, set any in all settings fields, and enter the list of IPs/masks for the internal contour. The role model will use the specified internal contour.
2. In the role model user group settings, select Internal contour to apply rules to users inside the specified CDTN contour or External contour to apply rules to users outside the CDTN contour.
3. Create a role model rule targeting this user group.

In the future, the CDTN contour settings are planned to be fully moved to the role model section.

Creating a Role Model Rule

To create a new rule, click Create new rule and configure it.

Rule Configuration Fields

After creating the rule, don’t forget to activate it.

Restriction Target, Global and Local Rules

The fields chat participant type (Select users whose presense in the chat prohibits the action) and chat type (Select the chat type to be restricted) in the Restriction target group can be left empty — then the rule will apply globally. If at least one of these fields is filled, the rule works locally (becomes narrowly targeted).

The list of fields in the restriction target depends on the selected attachment type and the rule itself.

Global Rule

Applies to all user chats. The server sends the rule to the client when logging into the app and when reconnecting to the server.

Fields that, when filled, keep the rule global:

• Select users whose attachments are restricted
• Maximum file size (MB)
• Type of restricted extentions (relevant only for documents; images and videos are not checked by extension type)

A global rule can be created without attributes by filling only the fields Rule name, User groups, Rule action, and Attachment Type. This means that attachments from any users, of any size, and with any extension will be prohibited.

• If the extension and size of attachments are not specified, a prohibition is created for the selected attachment type with all its extensions and sizes (e.g., prohibiting sending any documents in a chat)
• If chat type (Select the chat type to be restricted) or chat participant type (Select users whose presense in the chat prohibits the action) is not specified, the prohibition applies to all user chats and channels
• If sender (Select users whose attachments are restricted) is not specified, the prohibition applies to attachments received from any user

By default, if an attribute field is not filled, the attribute has the value “all”.

Local Rule

Applies to specific user chats based on specified attributes. The server sends the rule to the client when entering a specific chat, channel, or thread.

The rule becomes local when these fields are filled:

• chat participant type (Select users whose presense in the chat prohibits the action)
• chat type (Select the chat type to be restricted)

When filling the chat participant type (Select users whose presense in the chat prohibits the action) or chat type (Select the chat type to be restricted) field, you can specify excluded chats in the Exception chats field. Excluded chats do not apply to global rules.

In addition to chat attributes, local rules can include the fields size (Maximum file size (MB)), extension (Type of restricted extentions), or sender (Select users whose attachments are restricted).

Attribute Combinations

Attachment attributes: sender, size, extension. Chat attributes: chat participant type, chat type.

If chat attributes are not specified, rules for attachment attributes apply globally. If chat attributes are specified, rules apply only in the specified chats.

Attributes are independent and do not depend on each other. The logical “OR” rule applies between them.

Examples:

• if for the attachment type Documents, you specified size = no more than 30 MB, and in the extension type field — pdf, pptx, a rule with two attributes is created:
  • prohibited action with all documents over 30 MB (any extension)
  • prohibited action with files of extensions pdf and pptx (any size)
• when both chat participant type and chat type are filled, the rule applies:
  • in chats that match the chat participant type field value
  • in chats that match the chat type field value
• if for the attachment type Documents, you specified size = no more than 30 MB and selected a chat type, the action will be prohibited for all documents larger than 30 MB with any extension in chats of the selected type

Since role model rules operate only on a denial basis, when configuring multiple different prohibitions for a user group, they are cumulative and apply simultaneously.

Rules for Smart Apps

Role model rules can be configured not only for messenger chats but also for Smart Apps. Prohibitions for Smart Apps apply only to actions with attachments in them. Actions with the content itself (e.g., forwarding an email in the Email Smart App) cannot be controlled via the role model.

Configuring Smart Apps Rules

In a Smart App rule, you can specify:

• application to all Smart Apps (with the option to specify exceptions)
• application to specific Smart Apps

Attachments in Smart Apps can be restricted entirely or by file size/extension. Smart Apps handle attachments differently in web/desktop and mobile apps:

• In Smart Apps in web/desktop apps, the attachment type cannot be selected when sending — photos and videos are sent only as photos or videos; they cannot be sent as documents
• In Smart Apps in mobile apps, the attachment type can be specified when sending. Prohibitions trigger based on the attachment type in the rule and the selected type when sending. For example, if sending all documents is prohibited in the mobile app, photos or videos cannot be sent as documents

When viewing/saving, all attachments in web/desktop and mobile apps are determined by extension — downloaded as photos/videos or as documents. Therefore, the prohibition on downloading/saving documents applies only to document extensions.

Rules for Smart Apps Chat Bots

Role model rules for Smart Apps also apply in chats with their bots:

• in a 1-on-1 chat with a Smart App bot, only Smart App rules apply
• in a 1-on-1 chat with a regular bot (not a Smart App), global or local rules for chats apply
• in group chats and channels with any bot, global or local rules for chats apply

Searching and Checking Role Model Rules by User

To search and check rules, use the search field at the top of the page.

Searching for a rule by the user it applies to is performed only by the user HUID.

Search works by name (entered in the top search field), connection type, platform, and status.

“Sending/forwarding attachments in chats is not allowed” Rule

“Downloading/viewing attachments is not allowed” Rule

“Forwarding/sharing/saving attachments to device memory is not allowed” Rule

“Recipients are not allowed to download attachments from cts users”

• internal contour — a user in the CDTN contour from the same server;
• trusted contour — a user in the CDTN contour from a trusted server.

Sender and Recipient

• the sender is a user from the group for which this rule is configured. The prohibition will apply to attachments sent by users of this group.
• the recipient is a user who meets the criteria specified in the rule.

Mandatory Rule Fields

• Select contour
• Select the users for whom the action will be restricted

Instant Action of the Restriction

Contour and Role Model Rules Comparison

• with a prohibition via the CDTN contour using the Corporate files can read field, the attachment will be available to the recipient under these conditions — the contour is disabled, but the IP mask is filled in, and the user is within this network;
• with a prohibition via the role model (with contour restriction), the attachment will be unavailable to the recipient under these conditions.

“Require pin” Rule

This role model rule adds a mandatory requirement to create a PIN code for the app additional protection. The rule applies only to iOS, Android, and the desktop app.

When the Rule Triggers

After enabling the rule:

• A user logging into the app will see a screen for creating a mandatory PIN code, which cannot be skipped:
  • On iOS, the user will see the mandatory PIN creation screen immediately after authentication;
  • On Android and in the desktop app — upon the next app launch.
• A user already logged into the app will see the mandatory PIN creation screen upon app restart, reconnecting to the network on all platforms, or after a post-check (where rules are re-requested, and the user receives all applicable rules).

How the Rule Works in Apps

When this rule is enabled:

• In the iOS and Android apps, the Disable PIN button disappears;
• In the desktop app, the Disable PIN Code button remains, as it is used to change the PIN code, which remains available to the user. After clicking this button in the desktop app, the user is immediately taken to the screen for creating a new mandatory PIN code.

Enabling or disabling the “Require pin” rule or the role model itself may not immediately show or hide the PIN creation screen, but only after restarting the app or reconnecting to the network. This behavior is more common on Android and less frequent on iOS — for example, when disabling the rule.

❓Related Topics:
• What to Do If You Forgot Your PIN Code

Configuring Smart Apps Visibility in the Smart Apps Catalog

Currently, this is the only rule that is configured not in the Role Model section but in the bot or Smart App settings under “Bots”.

To configure Smart App visibility in the Smart Apps catalog in the app:

1. In the admin panel, go to the “Bots” section.
2. Click the pencil button next to the desired Smart App.
3. Specify the desired Availability: for all users or specific user groups. If specific groups are selected, the Smart App will only appear in the catalog for users from these groups. In the Contacts section, it will remain available to everyone regardless of the settings.
4. Save the changes.

Rule Operation Example

The impact of availability settings using the Calendar SmartApp as an example:

This section of the admin panel is used to create user groups that will be subject to the role model rules.

Creating a User Group

Adding Users to a Group

Field Descriptions

This section collects information about call and conference ratings submitted by users. The list can be filtered using dropdown menus, date pickers, and the search field at the top.

❓Related Topics:
• User ratings

This section is only available on CTS and ECTS.

It allows you to view and manage the call and conference recording processing queue. The queue can be filtered using the status dropdown and the search field at the top.

Recording Properties

The recording page includes a button to resend the recording for transcoding and information about the recording start, readiness, and participant media streams.

This section is available only for ETS and RTS.

This section contains a list of all SMS messages with confirmation codes requested and received by users. The confirmation codes themselves are not displayed here. For SMS statuses on RTS, check with eXpress support, and for SMS statuses on ETS, check with the connected SMS provider’s support.

SMS Status Codes

• delivered — SMS was successfully transmitted from the SMS provider to the user’s mobile operator. If the user cannot log in, possible reasons include an incorrect code, incorrect phone number, or SMS blocking by the mobile operator. In this case, the user should contact their operator.
• one_number_limit_exceeded — the daily SMS limit has been exceeded. On RTS, the limit is 10 SMS per day. On ETS, the administrator can set a different limit (see the SMS > Security section on ETS).
• number_is_forbidden — the phone number is blacklisted by the SMS provider. Contact the SMS provider’s support.
• If the status waiting is displayed for a long time and then changes to failed, there may be widespread issues. Contact the SMS provider’s support.
• message is denied — the mobile operator has blocked the SMS. Ask the user if they recently changed their SIM card or mobile operator. In such cases, the provider may block the SIM card for 24–48 hours. The user should try logging in again after 24 hours.

❓Related Topics:
• Error After Requesting an SMS Code | SMS Code Is Incorrect or Not Received

Configuring Administrator Connections from Active Directory

This section is only available for CTS and ECTS.

AD Synchronization

When creating an AD-synchronized administrator group, in the LDAP Group field, specify not the full path but the value of the cn attribute from AD.

In this section, you can enable user connection tracking by selecting the Track users connects/disconnects checkbox and configure sending audit event information to a third-party SIEM system.

Here, the administrator can enable and configure the global chat on the current server. The global chat enabled in the CTS settings will be available only to users of this CTS, while the global chat enabled in the ETS settings will be visible to all users of corporate servers connected to the ETS.

Global Chat Setup

1. Enable the server’s global chat by selecting the Enabled checkbox, then specify the name, avatar, and description. If this is an ETS and you need to hide the federated eXpress global chat, clear the RTS global checkbox.
2. Click the Save button. The global chat will appear for users of the current corporate server or for users of all corporate servers connected to the ETS.
3. In the Internal Bots section, enable the Notifications bot: click the pencil button next to it and select the Enabled checkbox.
4. Add the Notifications bot to the list in the Global Bots subsection: select Add Bot to Global Chat and click the plus button next to Notifications bot.
5. Add the user who should send messages to the global chat as a bot administrator: in the Internal Bots section, click the gear button next to Notifications bot and select Add bot admins.

Sending a Message to the Global Chat

The user assigned as the bot administrator can find instructions for sending messages to the global chat here.

Multiple Global Chats

Users may see two global chats in their chat list: one from the current CTS and another from the RTS or ETS. The first is configured in the CTS admin panel, while the second is managed in the RTS admin panel (controlled by the eXpress team) or the ETS admin panel.

In this section, you can specify your custom host for chat and call invitation links instead of the default one, as well as configure the minimum access level:

• public (any users)
• corporate (corporate users)
• trusts (users of the current server and trusted servers).

xlnk.ms

The default link host xlnk.ms is owned by eXpress and is located in a Russian data center.

Guests on the Current Server

Enable the Generate links for guest users to this server option, and guest users who receive new links will connect via this corporate server instead of RTS from now on.

Connecting the push notification mechanism for various platforms: Android, web browsers, Huawei, iOS. This section is only available for ETS and RTS, as these servers are responsible for handling push notifications.

For configuration details, refer to the Administrator Documentation.

Contour

This group of settings is available only on CTS or ECTS. Here you can configure which IP addresses are considered part of the internal contour of the corporate data transmission network (CDTN), as well as define file handling permissions for users within the internal contour.

Configuring the CDTN Contour

1. Add the IP address assigned by the ISP or the subnet mask separated by a / symbol to the list, separating values with a comma. Example: 11.22.33.44/32, 55.66.77.88/32.
   You can check the IP address from the ISP on the following websites:

   • 2ip.ru
   • Google — enter the query “what is my ip”.
2. Set the required parameters for reading and sending files.
3. Check the Enabled box and click the Save button.

CDTN Contour Parameters

• Corporate users can send — defines who a CDTN user can send files to:
  • any — any user in the federation, regardless of the server they are on. Only a CDTN user can open the file. Files can be sent to open chats, channels, and chats with end-to-end encryption disabled.
  • corporate — a user on any corporate server of any organization (except RTS). Only a CDTN user can open the file. Files can be sent to open chats, channels, and chats with end-to-end encryption disabled.
  • trust — a user on a server with which a trusted connection is established. Only a CDTN user can open the file. Files cannot be sent to open chats, channels, or chats with end-to-end encryption disabled.
  • local — a user on the same server as the sender. Only a CDTN user can open the file. Files cannot be sent to open chats, channels, or chats with end-to-end encryption disabled.
• Corporate users can read — defines who a CDTN user can receive and open files from:
  • any — from any user, regardless of the server. The sender’s and recipient’s contours do not affect file access.
  • corporate — from a user on a corporate server. The sender’s and recipient’s contours do not affect file access.
  • trust — from a user on a server with which a trusted connection is established.
  • local — from a user on the same server as the recipient.
  • contour — from a user on the same contour as the recipient.
• Corporate files can read — defines who can view files sent from the CDTN:
  • any — any user from any server. The sender’s and recipient’s contours do not affect file access.
  • corporate — a corporate user from a sender on a corporate server. The sender’s and recipient’s contours do not affect file access.
  • trust — a user on a corporate server connected via a trusted connection to the sender’s server. The sender’s and recipient’s contours do not affect file access.
  • local — a user on the same corporate server as the sender. The sender’s and recipient’s contours do not affect file access.
  • contour — a CDTN user on the same contour as the sender.

CDTN Contour and End-to-End Encryption

When selecting the Trust or Local parameters, users within the CDTN cannot send files to open chats or chats with end-to-end encryption disabled. When selecting Any or Corporate, sending is possible (starting from server software version 2.9).

File Service Retention

This section allows you to configure automatic deletion of certain file types from the server after a specified number of days.

Files Sent from Another Server

Note that the File Retention feature activated on the server also applies to files sent by users from other servers. This is because chats and files are uploaded from there to the current server, where automatic deletion will take effect after specific time left.

Proxying

Proxying settings for static content delivery to public clients: the ability to download a file via File Service instead of a redirect link to S3.

This section and its subsections are available only for CTS and ECTS. Click Save to apply changes.

CTS-Only Registration

• Allow registration without phone number. A global server parameter that determines whether a user can log in without a phone number: via corporate email or corporate server address.
• Display a warning that registration will be forbidden soon. If enabled, client app users will receive a notification that registration using a phone number will soon be mandatory: Add a phone number. The administrator has prohibited login without a telephone number. Add a telephone number to continue using the application.

Attention! If you, as an administrator, plan to prohibit logging in without a phone number, be sure to enable the warning so users have time to add phone numbers and avoid login errors. Otherwise, uncheck this box.

Additionally, in builds of the branded ETS app, some login method buttons may be disabled.

• Allow skipping two-factor authentication within the contour. If enabled, users with a phone number can skip SMS code verification when connecting from within the Corporate Data Transfer Network (CDTN) contour if they previously logged in without a number but were later detected with one.

User Contact Management

• Allow to add phone number. Server users can link a mobile phone number to their account for authentication and to allow others to find them by number in contacts.
• Allow to edit phone number. Server users can modify their linked phone number.
• Allow to delete phone number. Server users can remove their linked phone number.

Registration Methods

Select the registration and authentication method for the corporate server: E-mail, NTLM (Active Directory), or OpenID (KeyCloak). Only one method can be selected.

E-mail

Authentication is performed using a code sent to the linked email.

NTLM

Authentication is performed using AD login and password. User data is synchronized with AD. Synchronization runs on long and short cycles.

Full synchronization runs every 3 hours, as well as on the schedule specified in the Full synchronization schedule (cron format) field. During synchronization, new users are added, the address book is updated based on AD changes, and users excluded from the sync filter are disabled.

Short synchronization runs every 15 minutes. It checks the status of the AD account (disabled account, lockout, expired password, expired account, password change).

If needed, synchronization can be manually triggered using the Sync button.

OpenID

Authentication mechanism using a Keycloak account. For example, users without an AD account or corporate email can log in using a special token.

Authentication Method Availability

• Authentication via email code is available for accounts added from AD as well as those created manually in the admin panel.
• Authentication via AD login and password is only available for accounts added from AD if NTLM is selected.
• Authentication via OpenID is only available for accounts added from OpenID if OpenID is selected.

Checking the Current Authentication Method

The current corporate server authentication method can be checked not only in the admin panel but also by entering the following URL in a browser: https://the_server_FQDN/api/v2/ad_integration/register_methods. The response will indicate: "register_methods":["current_authentication_type"]}.

Synchronization Settings

• Synchronization sources. Select the corporate system from which user accounts are synchronized.
• Full synchronization schedule. Configure the synchronization time in Cron format.
  The minimum interval is 1 hour (0 * * * *). This is an additional synchronization schedule, apart from the standard one (every 3 hours).
• The Sync button. Forces synchronization of users with the connected corporate system.

This section configures the synchronization of the app with Active Directory.

Connection Parameters

Specify the FQDN or IP address of the domain controller, the connection port, and the Active Directory domain.

Session Termination Policies

• Max login attempts and Failed login timeout (in seconds) — protection against password brute-forcing. It is recommended to set this to 1 attempt less than in AD policies.
• Logoff by disabled — closing sessions when the account is disabled in AD
• Logoff by lockout — closing sessions when the account is locked in AD
• Logoff by account expired — closing sessions when the account expires in AD
• Logoff by password expired — closing sessions when the password expires in AD
• Automatic logout when synchronization with AD is excluded from the selection — sends a logout request when a user is excluded from the AD sync filter with the app.

  The system only initiates a logout request — final confirmation in the “Logout Requests” section remains with the administrator.

• Logoff by password change — closing sessions after a password change in AD
• User Account Disabled (AD LDS) — closing sessions and sending a logout request when the account is disabled in AD.

Authorization Method

Choose between a simplified (matching by email domain) and a full authentication method.

Attribute Mapping

Define which user attributes from AD will be used in the messenger profiles.

For proper operation, ensure the attribute case matches the LDAP records.

Manage Settings

• Default settings — resets to standard values
• Delete — disables synchronization (does not affect existing users)
• Save — applies changes.

Troubleshooting Sync Issues

If an account from AD does not appear in the Users section of the admin panel:

1. Wait for synchronization or force it manually.
2. Check in AD: account status, password expiration, and other restrictions.
3. Perform a test LDAP query (e.g., ldapsearch) to verify the sync filter.

Email Mask

Configure the email address filter for user self-registration. The system uses regular expressions.

• To specify multiple domains, use the mask: ^[\w-\.]+@(domain1.com|domain2.com)$
• When the feature is enabled, users can register automatically, even without prior account creation on the server
• To disable the feature, leave the field blank

⚠️ Warning! If a user self-registers with an email address that already has an account, a duplicate account will be created.

Password Attempt Limit

Limit the number of one-time code entry attempts. If the number of failed attempts is exceeded, a new code must be requested.

Code Request Attempt Limit

Limit the number of one-time code requests from an IP address. If the limit is exceeded, further requests will be available after 24 hours.

This section configures synchronization with Keycloak. For detailed instructions, refer to the administrator documentation.

OpenID Provider

• Keycloak version below 17;
• Keycloak version 17 and above;
• Blitz.

Connection Parameters

Specify the host, port, identifiers, and other OpenID connection parameters.

In the OpenID login prefill field, you can choose whether the login field in Keycloak forms will be automatically filled with the user’s phone number or email.

Session Termination Policies

Configure the conditions for automatic user session termination and logout requests:

• Logout by disabled — closing sessions and logout request when the account is disabled in OpenID;
• Logout by missing user role — closing sessions and logout request when a role is removed from the account in OpenID.

Attribute Mapping

Define which user attributes from OpenID will be used in the messenger profiles.

This section configures who can view corporate user fields. It is only available for CTS and ECTS.

The Public name field cannot be hidden, but in the Active Directory section, you can configure which AD attribute will be loaded into this field.

The visibility of corporate profile fields is configured individually for specific user groups:

• nobody;
• all users;
• corporate users only;
• only users of trusted servers;
• only users of your corporate server.

This section configures sending verification code messages via email.

Specify the following details:

• Application name;
• Sender address;
• Authentication details for the outgoing mail server;
• Connection security;
• Send emails with current settings or RTS settings.

There is a field nearby to test sending a message.

This section allows you to configure the welcome email with instructions sent to users. You can attach images to the email (using a dedicated button, not via clipboard).

To automatically send instructions to new users, check the Send to new users box. The email will be sent upon account creation on the server.

To send instructions to unregistered users, click the Send to all unregistered users button. The email will be received by everyone with a corporate account on the server who has not yet logged in.

Nearby is a field for test-sending the message.

This subsection configures the email sent to users whose corporate account has been blocked in AD.

Nearby is a field for test-sending the message.

This section configures calls, in-app conferences, and integrations with third-party systems: Mind, Vinteo, SIP telephony. Detailed setup instructions are available in the administrator documentation.

Janus Instances & Janus load

Configures the ability to use multiple Janus servers.

VoEx

Configures calls and conferences in the app.

• Enable screen sharing for corporate users outside of contour — enables participants outside the Corporate Data Transmission Network (CDTN) to view screen sharing. If unchecked, only users within the CDTN can see the screen sharing. User server affiliation is not checked here; only the network contour matters.
• TURN Server, STUN Server — servers (and connection ports) that facilitate voice traffic routing for client apps behind NAT/PAT.
• VoEx local network — configures the local network for the VoEx service.
• Force relay ice — the app will use only the TURN server for NAT traversal, even if a direct (p2p) connection is possible. Improves connection reliability.
• Allow TCP ICE — enables TCP instead of UDP within the ICE protocol. Useful in environments where UDP is blocked.
• Enable audio streams mixing — optimizes audio traffic. Required for noise suppression and advanced call features.
• Allow use of optional video codec — supports video stream compression using the VP9 codec.
• Enable use of internal host for servers, List of servers which will use internal janus host — use internal Janus host for specified CTS IDs.
• Enable ability to record calls — activates audio and video recording for calls and conferences.

User Ratings

• Enable logs — records server logs for all calls and conferences.
• Always ask if call has an error — automatically requests feedback if a call error occurs. Logs and feedback are sent to the server and available in the server log archive.
• Call's assessment frequency — how often users are automatically prompted for feedback (in number of calls).
• Retention of user logs — the retention period (in months) for logs uploaded from client apps.

❓Related Topics:
• Call Ratings
• Calls
• Conferences

Third-Party Integrations

The Mind, Vinteo, and SIP groups configure integrations with third-party calling systems. See the administrator documentation.

Server Settings

The following settings are available in this group:

• Avatar and backgrounds. You can upload a server avatar (displayed in the client app under Settings > About) and background images for chats (wallpapers) displayed to server users in light and dark themes.
  Wallpapers must not exceed 50 KB in size, and the image must be square (600×600 pixels).
• Hide server name. If enabled, the server name and address are not displayed to external users. For your own and trusted servers, the server name is always visible. In the user card, external users will see Corporate server instead of the address.

Server Features

Configure the features available on the server:

• Corporate search. Enables search across corporate contacts.
• Trust search. Enables search across trusted (trust) contacts.
• Enable e2e encryption by default in group chats. Determines whether end-to-end encryption is automatically activated when creating a group chat.
• Enable e2e encryption by default in channels. Determines whether end-to-end encryption is automatically activated when creating a channel.
• Disable corporate phonebook. Disables the corporate phonebook.
• Allow the user to control their avatar. Users can upload new avatars when editing their corporate profile. Requires server software and client version 3.33 or higher. If disabled, user avatars will be replaced with those manually set by the administrator or synced from the corporate directory.
• Moderate user's requests for profile changes. Avatar change requests will require administrator approval in the “Profile Change Request List” section. Requires server software and client version 3.33 or higher.

❓Related Topics:
• Display All Corporate Contacts in the List
• Avatar, Name, and Other Profile Data
• Profile Change Request List

Notification During Logging In

Configure the custom agreement text displayed before logging into the server. The file format is HTML (UTF-8 encoding, size up to 1.5 MB; scripts are not supported; styles and classes are not yet supported).

Notification of Technical Works

If enabled or upon a 502 error in the response to the settings request from the client side, users will see the message “Maintenance is underway, there may be interruptions in the work of the application.

Update Notification

If the client app version lags behind the server software by the specified number of minor versions (x.X.x), the user will receive a notification prompting them to update. This is an additional mechanism (does not affect automatic updates via app stores or update checks in the web/desktop app).

To enable:

1. Check the Notify about an existing update box and specify the allowable lag of client app versions behind the server software.
2. To enforce updates, enable Block application interface until update is started (available with server software version 3.32).
3. Select the client platforms where the feature will work.

The feature works for desktop apps only with automatic update functionality support.

RTS ID, ETS ID, CTS ID

Displays the RTS (ETS) ID associated with the server, as well as the server’s own ID.

Certificates

Upload certificates to the server. Details are available in the administrator documentation.

Admin Info

Specify the administrator’s contact details — they will be displayed to the user when contacting support or encountering an error.

Service Versions

Displays the versions of the corporate server service containers.

Support Contact Information

Here you can configure the display of contact details for users to reach support via phone, email, Telegram chat, or WhatsApp chat.

If the Show eXpress Support Contacts checkbox is enabled, users will see the support details provided by eXpress, and uploading a custom FAQ file will not be possible.

Help File (FAQ)

Here you can upload a file with tips for users or answers to frequently asked questions (in Russian and English). The file format is HTML (UTF-8 encoding, maximum size 1.5 MB; scripts are not supported; styles and classes are not yet supported).

Displaying Support Contacts and FAQ in Clients

Users can view support contacts and FAQ:

• During app login — a blue button with a question mark in the bottom-right corner.
• After logging in, in the Settings section > Contact support.

When clicking the button, the user will see the FAQ, followed by a button displaying the support contacts.

Where Support Contacts and FAQ Are Downloaded to the Client

On the SMS code entry page, the user will see the FAQ uploaded to RTS or ETS. At the next stage, after entering the SMS code, the user will see the FAQ added to CTS or ECTS.

In this section, you can:

• select which Smart App will be the home page and appear when the client app launches;
• enable the catalog and choose the Smart App used as the catalog, as well as the default mail client Smart App;
• configure proxy hosts for Smart Apps if a file located within the corporate data transfer network (CDTN) will be used in Smart Apps.

A detailed description of the settings is available in the administrator documentation.

In these two subsections, you can configure the displayed buttons:

• in the bottom menu of mobile apps;
• in the side menu of the web/desktop app.

This section configures the activation lifetime in seconds for different clients. For the web app, the default is set to one week.

Activation Report

On the CTS, there is a Download activations as .CSV button that provides information about user activations.

In this section:

• select the provider for sending SMS with verification codes;
• modify the accompanying text for the verification code.

This subsection specifies the integration data for SMS providers.

For detailed configuration instructions, refer to the administrator documentation.

This subsection configures SMS spam protection.

• Request Rate Limiter by IP Address. Sets the maximum number of SMS requests allowed from a specific IP address within a specified time period in seconds.
• Filter by User-Agent. Blocks SMS requests from browsers with specified User Agents using regular expressions.
• Filter by DEF-code. Blocks SMS requests for phone numbers from specific countries and with specific DEF codes.
• Filter by phone. Blocks SMS requests for phone numbers matching specified regular expressions.
• Max. requests limit per phone number. If a number owner exceeds the specified number of SMS requests, this capability will be blocked for them for 24 hours.
• Unblock user. Enter a mobile phone number (without the plus sign, with strict country code format, no spaces or hyphens) or user IP address in this field and click Unblock to remove active SMS request restrictions.

This subsection enables additional SMS spam protection using Captcha. When the Invisible Captcha checkbox is selected, verification will only be requested when suspicious activity is detected. Configuration details are available in the administrator documentation.

Yandex Captcha

Currently this is the only supported Captcha provider.

⚠️ For Yandex Captcha to work and allow phone number login, client devices must have access to the following resources on port 443:

This section configures simplified email authentication (suggests). This feature allows mapping email domains to server URLs (hosts) to simplify user login — users will not need to manually enter server addresses. Here you can view and edit existing mappings.

To change a mapped server's display name, go to the Servers section > on the CTS tab click the pencil icon next to the desired server > enter the name in the Name field.

Creating a Simplified Authentication Template

Click the Create button. Specify as template:

• Domain (without @ symbol) — all users with this domain will be offered the server
• Full email address — only the user with this exact email address will be offered the server

Then select the server that should be suggested in the template.

You can create multiple templates pointing to the same CTS. Multiple domains cannot be specified in a single template.