
Goverlan Reach Server

What is the Goverlan Reach Server?

The Goverlan Reach Server (GRS) is a central authority for all Goverlan services. Once implemented and advertised within your network, the GRS is used as the authoritative source for policies, auditing and other server services as described below.

The Goverlan Reach Server is not required for the Goverlan solution to work. However, it is highly recommended if you wish to centrally and securely control the behavior of the Goverlan services, centralize auditing or provide support services outside of your private network.

Goverlan Reach Server Services

Global Policy distribution

The Global Policy feature allows you to granularly control the behavior and settings of the Goverlan services across your network. For example, a User Acceptance prompt that displays before a remote control session starts, or a policy that disables remote control services on a particular set of servers, can both be pushed using the Global Policy feature.

Policy distribution via the GRS is highly secure and cannot be tampered with (unlike policy distribution via a Group Policy Object).

Goverlan Reach Gateway Services

Goverlan Reach Gateway Services provide uninterrupted management of computers regardless of their network location. Reach-equipped computer nodes are remotely accessible and manageable using Goverlan services. These remote nodes can be connected to your private network or anywhere else over the internet, without requiring a VPN bridge. Goverlan Reach also supports on-demand assistance sessions, allowing easy access to anyone’s computer over the internet.

Goverlan Auditing Services

The GRS is also used to centrally store audit events generated by the Goverlan services. Currently, only Goverlan Remote Control session audits and Windows login/logout events audits are registered with the GRS.

Goverlan Licensing Services

The Goverlan Reach Server can be used to distribute and manage Goverlan licenses on premise.

This can be used:

  • If internet access from the Operators’ machine is unavailable.
  • To enable silent license distribution.

Goverlan Client Agents Installation

The Goverlan Reach Server includes the Goverlan Agent Manager tool that allows the remote management of Goverlan Client Agents on the machines within your network.

Implementing a Goverlan Reach Server

Implementation Overview

The Goverlan Reach Server is a software component that can be installed on Windows Server 2008 or later.

Implementing a Goverlan Reach Server infrastructure is done via the following 3 steps:

The Goverlan Reach Server requires an active sign-on account to start. By default, each Goverlan account is provisioned with a single Goverlan Reach Server license.

A GRS license can only be used to sign into a single GRS server. However, you can generate an unlimited number of GRS licenses free of charge. Log in to my.goverlan.com, select the Goverlan Reach Server product under the Licenses section, and click on the Add License option.


Installing the Goverlan Reach Server

Download and Install the GRS

The latest Goverlan Reach Server can be downloaded by logging into the my.goverlan.com portal, selecting the Goverlan Reach Server tab and clicking on Download Product.

Minimum System Requirements: The Goverlan Reach Server software can be installed on any Windows Server 2008/Server 2008 R2 or later operating system with a minimum of 4GB of RAM and 200MB of available disk space.

Configure Reach Server

Open the Server Configuration window and configure the following options:


A GRS can be a primary server or a dependent server. The primary (master) server is the one installed within the authoritative site (the site where Goverlan operators reside).

If this is your first GRS, keep this setting as the Primary Goverlan Reach Server.

Server Settings

Network Configuration

The Server Listening Port is the port exposed on the internal side of the network. This port is used to provide GRS services to your machines. This port should be reachable by all of your machines within the private infrastructure.

The default port number is 22100.

Server Services Authentication

Enter the user ID and password that will be used to start the Goverlan Reach Server and Goverlan Reach Gateway Services.

This account needs to have the following privileges:

  • Log on as a service permission
  • Local Administrator permission on the server itself
  • DB Creator rights if using an MS SQL Server (Optional)


Database Settings

By default, the GRS installer will automatically install the LocalDB database. The file-based database can accommodate medium-sized networks of 500 or fewer nodes. No further configuration is necessary for the LocalDB database.

For larger networks, use the GRS settings to switch to a MS SQL Server/Express instance for the database after the installer has completed.

SQL Server Configuration

Change the database type to Microsoft SQL Server and enter the SQL Server details. The Service Account configured in Server Services Authentication is used when Windows Authentication is selected.

If SQL Authentication is required, change the authentication method and enter the SQL account credentials.


Start your Engine

This completes the minimum setting requirements. Click on OK to close the configuration window. Once completed the following message will be displayed:


Click on Start the Server


This will have no effect on the network as we have not yet advertised this server’s existence.


Advertising the Goverlan Reach Server

To use GRS services, the implemented GRS must be advertised on your network. The GRS advertisement enforces that the configured policies and other services’ configuration are applied across all Goverlan software within your infrastructure (both Operator and Client side).

There are multiple ways to advertise a GRS as described below:

Method: DNS Service Location Record
Description: This method is preferred for large environments where security is a concern. Global policies and audit log overwriting cannot be tampered with when using this method.
Pros: Secure / Scalable / Fast distribution / Easy to maintain / Permanent
Cons: Requires DNS server access
See Advertising a GRS via DNS for instructions.

Method: Group Policy Object
Description: Use this method when there is no access to the DNS configuration for the site.
Pros: Scalable / Easy to maintain / Permanent
Cons: Not secure / Slow distribution / Requires GPO admin template access
See Advertising a GRS via Group Policies for instructions.

Method: Manual Configuration via Registry
Description: Use this method in small environments or during an evaluation of Goverlan Services.
Pros: No DNS/GPO access required / Quick configuration changes possible
Cons: Not secure / Not scalable / Not permanent / Hard to maintain
See Advertising a GRS Manually for instructions.

Advertising the Goverlan Reach Server via DNS

Your Goverlan Reach Server must be registered in DNS in order for clients to be aware of its existence. To register your server in DNS, you must create at least one Service Location Record (SRV) for it.

Create the Goverlan Service Location Record

The following describes how to create the Goverlan SRV DNS record using the Microsoft DNS MMC snap-in. If you do not use this tool, any other DNS Administration tool will do.

1. Open the DNS MMC Snap-in and set the container focus to the ROOT _tcp folder of your primary domain:

2. From the menu, select Action > Other New Records…, scroll down the list of resource types and select Service Location (SRV) and click on Create Record…

3.  Set the Service to _goverlanServer, the protocol to _tcp and configure the Port Number to 22100.

Finally, enter the full DNS name of the server which is hosting the Goverlan Reach Server.


22100 is the default port number used by Goverlan Reach Server. However, the port number is configurable in Goverlan Server Settings. Make sure that the port number configured in the DNS SRV record matches the port number used by the server.

4. Click on OK. Then click on Done.

Advertising the Goverlan Reach Server via GPO

An alternative to using DNS is to use a Group Policy Object to publish the existence of your GRS server. Even though a GPO is a less secure way to publish your GRS, it is more practical. If security is less of a concern or if you have an internal system to protect your Group Policy settings, then this is a good way to publish your GRS.


A GPO configuration does not bypass a DNS configuration. If both a GPO and a DNS configuration exist, the DNS configuration takes precedence.


Once you have installed the Goverlan GPO Template (C:\Program Files\Goverlan Reach Console 9\GPO Templates), open the Goverlan Global Policies > Goverlan Common Settings category and configure the Goverlan Reach Server Configuration setting:

The Goverlan Reach Server Configuration Policy is defined via a single string that represents a comma-separated list of server names and ports.

Format: Server1:PORT, Server2:PORT, ServerX:PORT


After performing a GPUPDATE /FORCE on your Console machine, you should see the Reach Server appear under Application > General Settings > Reach Server in the Goverlan Console.

Both the Goverlan Console and the Goverlan Client Agents read the following registry key to detect the existence of a Goverlan Reach Server:
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Goverlan Inc\Global Policies\GCS

String Value Name: _gcs_v3_server_list

Value: FQDNofServer:PORT    Example:   myGRS.corp.local:22100
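
Because the GPO method is rated "not secure" above, it is worth checking what an endpoint actually holds in this value. The script below is an added example, not Goverlan code: it parses the Server:PORT list (the same format described again under Advertising GRS via Group Policies) and flags malformed or unexpected entries. The allowlist and the sample strings are constructed.

```powershell
# Added example, not Goverlan code. Key path, value name and the "Server:PORT"
# list format are from this guide; the allowlist and sample strings are constructed.
$GrsPolicyKey   = 'HKLM:\SOFTWARE\Policies\Goverlan Inc\Global Policies\GCS'
$GrsPolicyValue = '_gcs_v3_server_list'

function ConvertFrom-GrsServerList {
    param([string]$List)
    foreach ($item in ($List -split ',')) {
        $entry = $item.Trim()
        if (-not $entry) { continue }
        # One DNS-style host name or IPv4 literal, one colon, one port in 1..65535.
        $ok = $entry -match '^(?<server>[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?):(?<port>\d{1,5})$' -and
              [int]$Matches['port'] -ge 1 -and [int]$Matches['port'] -le 65535
        if ($ok) {
            [pscustomobject]@{ Raw = $entry; Valid = $true; Server = $Matches['server']; Port = [int]$Matches['port'] }
        } else {
            [pscustomobject]@{ Raw = $entry; Valid = $false; Server = $null; Port = $null }
        }
    }
}

function Test-GrsServerList {
    param(
        [string]$List,
        [Parameter(Mandatory)][string[]]$Allowed    # 'fqdn:port' entries you expect to see
    )
    $entries = @(ConvertFrom-GrsServerList -List $List)
    if ($entries.Count -eq 0) {
        return [pscustomobject]@{ Entry = '(none)'; Finding = 'No GRS advertised in this value' }
    }
    foreach ($e in $entries) {
        if (-not $e.Valid) { $finding = 'Malformed entry' }
        elseif ($Allowed -notcontains "$($e.Server):$($e.Port)") { $finding = 'Unexpected server' }
        else { $finding = 'OK' }
        [pscustomobject]@{ Entry = $e.Raw; Finding = $finding }
    }
}

function Get-GrsAdvertisedList {
    # Returns nothing when the key or value is absent on this machine.
    $item = Get-ItemProperty -Path $GrsPolicyKey -Name $GrsPolicyValue -ErrorAction SilentlyContinue
    if ($item) { $item.$GrsPolicyValue }
}

# Constructed sample values, so the checks can be exercised on any machine.
$allowed = @('myGRS.corp.local:22100')               # example value from this guide
$samples = @(
    'myGRS.corp.local:22100',                        # matches the allowlist
    'mygrs.corp.local:22100, 203.0.113.10:443',      # second entry is not expected
    'myGRS.corp.local'                               # port missing
)
foreach ($s in $samples) { Test-GrsServerList -List $s -Allowed $allowed }

# On an endpoint: audit the value that the GPO actually wrote.
# A DNS advertisement, if present, still takes precedence over this value.
Test-GrsServerList -List (Get-GrsAdvertisedList) -Allowed $allowed
```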

Deploying the Goverlan Software

Once the GRS is implemented and advertised, begin deploying the Goverlan software to the Operators and the Goverlan Client Agent to client machines (endpoints). All Goverlan software within the scope of the GRS’ advertisement will be under the influence of your server.


If you wish to use the GRS Goverlan Licensing Services, do so before deploying the Goverlan Operator software.

To pre-install the Goverlan Client Agents on a set of client machines, you can use the Goverlan Agent Manager. See Goverlan Client Agents Installation.

Troubleshooting the GRS

Monitor Server Load and Error Management

Monitor activity and load statistics of the GRS in the Server Controls section of the console. Select this section and click on Turn On under the Server Statistics section of the ribbon bar.


When statistics are enabled, the number of active connections and network bandwidth usage information will be shown. Use this view to see the activity logs and monitor machines that are communicating with the server. The log will include the Goverlan Product, Request Type, and Response.

To view the full activity log, click on the View full log link, or select View Server Log > View Activity Log.

Viewing server execution events

In addition to the activity log, the GRS also registers execution events and errors in a separate log. This log is useful to troubleshoot initialization issues or connection problems. The execution log contains execution events related to server initialization, policy distribution, Reach services, and auditing.

View the execution log by selecting View Server Log > View Error Log from the ribbon bar.

Error Management Settings

By default, the Goverlan Reach Server will save 2 days of activity and execution events. This period can be changed in the Server Settings section of the Server Configuration window.

Also, GRS events can be registered in multiple locations:

  • The database
  • The local Windows Event Application log
  • A log file

Error management settings can be configured in the Error Management section of the Server Configuration window.


Goverlan Global Policy Services


One of the primary purposes of the Goverlan Reach Server is the distribution of Global Policies across machines.

Goverlan Global Policies dictate the behavior and configuration settings of Goverlan Services (both client and operator sides); for example, configuring whether or not a client is prompted to authorize a remote control session, or even customizing the wording displayed by the Goverlan client user interface.

How are the Goverlan Global Policies Distributed?

Once the GRS is implemented, the Goverlan software will use it to retrieve policies. Policies are queried when the software starts, and then updated on a periodic basis during the life span of the process.

The frequency at which the process checks for the policy updates is controlled by a system policy named GRS Global Policy Refresh Interval (See Understanding Scopes later in this document). The default is every 30 minutes (1800 seconds).

The GRS Global Policy Refresh Interval is a trade-off between how quickly policy changes are applied and how much network traffic is generated.


It is advisable to reduce this refresh interval initially (increase the refresh frequency) while working on finalizing the global policies. Once the policy set is fully configured, raise the refresh interval to reduce network traffic to the server.

Pushing Policies

The Global Policy view of the Goverlan Reach Server includes three primary sections:

  1. The controls and information panel (located in ribbon bar)
  2. The available Global Policy objects (located on the right of the main view)
  3. The currently configured Policy view


To push a policy, drag it from the Global Policy List (2) and drop it in the desired Policy Scope Object in the main view (3).

Upon initial configuration, only one policy scope object is configured: All Users & Devices. This Policy Scope defines the entire infrastructure and should be used to define policies that apply to all machines (policy scopes are explained under Understanding Policy Scopes).

Once a policy object is bound to a policy scope, its configuration window opens as shown below:


A global policy can either be not configured, not enforced, or enforced.


At the root policy scope level (All Users & Devices), the not enforced option is identical to not configured. It is not necessary to configure such a policy here. These options will come into play later on.

Configure the values to be applied to the policy and click on OK.

This policy is now configured. However, it is not yet active as it hasn’t been published. Once a policy has been configured or changed, the following options will be displayed in the control area:


Test Configuration: Click on this option to temporarily activate the policy changes without publishing them.

While in Test Mode, the currently configured policy set is exposed as if it had been published. Proper policy distribution can then be tested on specific endpoints.

Click this option again to deactivate Test Mode.

Publish Changes: Click to publish the Global Policies as configured. Publishing the policies makes them active on your network and their distribution will start immediately.


Cancel Changes: Click on this option to cancel any policy changes made and revert to the last published policy set.


Reload Prior Configuration: This option is available after a policy set has been published once.

Activate it to reload the last known published policy set. Once a prior configuration has been reloaded, publish it to make it active again.


Viewing and Modifying Configured Policies

To view the configured policies of a scope object, click on the Policies button located to the right of it.

  • To modify the values of a policy, click on the Edit button of the policy entry.
  • To delete a policy, click the Close button of the policy entry twice.

System vs User Policies

The Goverlan Reach Server has a set of system policies that are distributed via the Global Policies Services. For instance, the GRS Global Policy Refresh Interval setting is published as a system policy.

System policies are located at the Root of All Users & Devices scope. Some system policies are modifiable and some are read only. System policies cannot be deleted from the root policy scope.


Understanding Policy Scopes

The GRS Global Policies are assigned to a Policy Scope Object. The scope defines the recipient endpoints that will inherit the policies.

The Goverlan Reach Server includes the root scope object: All Users & Devices, which defines your entire network. To fine tune Global Policy distribution, you must create a hierarchy of policy scopes.

Here are some examples of hierarchies that can be configured:

For instance, you can design a policy scope hierarchy by hardware type:

Or choose a geographical mapping:

Or for IT Service Providers, by active clients:

It is best to first configure the default set of policies at the root level, then build a sub-hierarchy of scopes to answer exceptions.

Creating a Policy Sub-Scope

To create a Policy Sub-Scope object, place the mouse cursor over the parent scope object, and click on the Add Filter button, specify a relevant name for the scope and press [ENTER]:

  • To rename a Policy Scope Object, simply double-click on its name.
  • To delete a Policy Scope Object, click twice on the cross on the left of the name.

Policy Scope Object Filters

Once a Policy Scope Object is created, configure the endpoint selection criteria to be associated with it. To do so, place the mouse cursor over it and click on the […] button on its right:

A Policy filter definition is a set of AND/OR statements based on one or more of the following machine attributes:

  • Local Active Directory OU: Any machine with an AD account that belongs to the specified Active Directory OU (local network only)
  • Local Active Directory Group: Any machine with an AD account that belongs to the specified Active Directory Group (local network only)
  • Goverlan REACH Site: Any Reach node endpoint registered under the specified Reach Site name
  • IP Range: Any machine with an IP address that belongs to the specified IP range
  • OS Type: Any machine with an Operating System with the specified attributes
  • Individual Objects: Any machine that belongs to the list of specified individual machine sets

Use the Policy Filter Definition window to configure the filters of the selected Policy Scope Object. Filters can have one or more conditions that are grouped with AND / OR operators.


Policy Scope Objects that have a filter configured will display the […] indicator.


Filter definitions are not required on a Policy Scope Object. However, if no filter definition is configured, all machines resulting from the parent scope will inherit the policies. Such filter-less Policy Scope Objects can be used to categorize the policies themselves.

How are Policies Assigned to Endpoints?

When an endpoint queries the Goverlan Reach Server policies, the endpoint’s information is passed through the entire policy scope hierarchy tree. If the endpoint’s characteristics match the Policy Scope’s filter, only then does it inherit the policies.

Let’s consider the following configuration:

Following the configured policy assignments, all machines get the All Users & Devices policies. However, if a machine belongs to the Legal Department, it also inherits that node’s policies, as well as the Servers node’s policies if it is a server, and so on. In other words, a machine receives all policies throughout the hierarchy that apply to it.

Order of Precedence

Policies configured on lower scope objects take precedence over policies configured higher up. Consequently, if the same policy is configured multiple times within a branch, then the policy of the lowest nodes is applied to the recipient.

Precedence can also be used to un-enforce a policy for a subset of machines within a branch. Simply apply a DO NOT ENFORCE policy configuration on a sub-scope object.
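
The inheritance and precedence rules above can be modelled in a few lines. The script below is an added example, not Goverlan code: the scope tree, filters, policy names and endpoints are constructed, and removing a policy from the result is this model's reading of a DO NOT ENFORCE entry on a sub-scope.

```powershell
# Added model of the scope rules in this guide; not Goverlan code.
# Scope tree, filters, policy names/values and endpoints are constructed samples.

function New-GrsScope {
    param(
        [Parameter(Mandatory)][string]$Name,
        [scriptblock]$Filter,                 # no filter: every machine reaching the parent matches
        [hashtable]$Policies = @{},
        [object[]]$Children = @()
    )
    [pscustomobject]@{ Name = $Name; Filter = $Filter; Policies = $Policies; Children = $Children }
}

function Add-GrsScopePolicy {
    param($Scope, $Endpoint, [hashtable]$Result, [string]$ParentPath)
    # An endpoint inherits from a scope, and is passed on to its children,
    # only if it matches the scope's filter.
    if ($Scope.Filter -and -not (& $Scope.Filter $Endpoint)) { return }
    $path = if ($ParentPath) { "$ParentPath > $($Scope.Name)" } else { $Scope.Name }

    foreach ($name in $Scope.Policies.Keys) {
        $p = $Scope.Policies[$name]
        if ($p.State -eq 'NotEnforced') {
            $Result.Remove($name)             # un-enforce what a higher scope configured
        } else {
            # Lower scopes are visited later, so they overwrite higher ones.
            $Result[$name] = [pscustomobject]@{ Value = $p.Value; Source = $path }
        }
    }
    foreach ($child in $Scope.Children) {
        Add-GrsScopePolicy -Scope $child -Endpoint $Endpoint -Result $Result -ParentPath $path
    }
}

function Get-GrsEffectivePolicy {
    param($Root, $Endpoint)
    $set = @{}
    Add-GrsScopePolicy -Scope $Root -Endpoint $Endpoint -Result $set -ParentPath ''
    foreach ($k in ($set.Keys | Sort-Object)) {
        # Source plays the role of the scope path shown by the GRS Tester.
        [pscustomobject]@{ Endpoint = $Endpoint.Name; Policy = $k; Value = $set[$k].Value; Source = $set[$k].Source }
    }
}

# Constructed hierarchy: All Users & Devices > Legal Department > Servers
$servers = New-GrsScope -Name 'Servers' -Filter { param($e) $e.OSType -eq 'Server' } -Policies @{
    'Remote Control Services' = @{ State = 'Enforced'; Value = 'Disabled' }
    'User Acceptance Prompt'  = @{ State = 'NotEnforced' }
}
$legal = New-GrsScope -Name 'Legal Department' -Filter { param($e) $e.OU -like '*OU=Legal,*' } -Policies @{
    'User Acceptance Prompt'  = @{ State = 'Enforced'; Value = 'Prompt with custom wording' }
} -Children $servers
$root = New-GrsScope -Name 'All Users & Devices' -Policies @{
    'User Acceptance Prompt'             = @{ State = 'Enforced'; Value = 'Prompt' }
    'GRS Global Policy Refresh Interval' = @{ State = 'Enforced'; Value = 1800 }
} -Children $legal

$endpoints = @(
    [pscustomobject]@{ Name = 'LEGAL-WS01';  OU = 'OU=Legal,DC=corp,DC=example'; OSType = 'Workstation' }
    [pscustomobject]@{ Name = 'LEGAL-SRV01'; OU = 'OU=Legal,DC=corp,DC=example'; OSType = 'Server' }
    [pscustomobject]@{ Name = 'HR-SRV01';    OU = 'OU=HR,DC=corp,DC=example';    OSType = 'Server' }
)
$endpoints | ForEach-Object { Get-GrsEffectivePolicy -Root $root -Endpoint $_ } | Format-Table -AutoSize
```

In this sample the HR server never reaches the Servers scope, because that scope sits under Legal Department and the endpoint fails the parent's filter first.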

Use the following interface options to navigate large Policy Graphs:

  • Scale to Fit – If the graph is larger than the viewing area, click on this button to scale it down to fit.
  • Un-Scale View – Click on this button to scale-down the graph to its original resolution.
  • Branch Collapsing / Expanding – A branch node with children can be collapsed or expanded by clicking on the (-) or (+) button below it. Also, the entire graph can be collapsed by clicking on the Collapse All button or the entire graph can be expanded by clicking on the Expand All button.


Troubleshooting Policy Distribution

All Goverlan software (except for the Goverlan Client Agent) comes with a GRS Client Tester utility that can be used to view the global policies inherited by this endpoint.

The GRS Client Tester can be accessed by opening the Goverlan Reach Server section of the application settings, and clicking on Open GRS Tester:

The GRS Tester displays the resulting set of policies as inherited by the local machine. Select any setting to disclose the path of the Policy Scope Object it resulted from:



Goverlan Reach Gateway Services

The Goverlan Reach Gateway Services provide uninterrupted management of computers regardless of their network location. Goverlan Reach equipped computer nodes are accessible and manageable remotely using the Goverlan services whether they are connected to your private network, or anywhere else over the internet, without requiring a VPN bridge.

The Goverlan Reach Gateway Service is completely self-hosted and does not depend on any outside services or vendors to establish connections. Since there is no ‘middle-man’ between you and your clients, external points of failure and security dependencies are eliminated.

For further information about the Goverlan Reach Gateway Services, please view the Goverlan Reach Gateway Service User Guide.


Goverlan Auditing Services

The Goverlan Reach Server automatically receives audited events and centrally stores them in the database. Currently, only Goverlan Remote Control Session events and Windows Login/Logout events are registered.

Viewing Audit Events

Select the Auditing tab to view a snapshot of the most recent events received by the server.

The top section displays Remote Control Session events while the bottom section displays Windows Login/Logout events. To view the full list of events, click on the corresponding View Full Log link. This opens a log viewer from where you can execute searches or export data.

If Secondary Goverlan Reach Servers are implemented on one or more remote client sites, and Auditing Redirection is turned on, auditing events from these sites will also be displayed. Use the REACH Site column to identify the origin of an audited event.

Auditing Settings

By default, the GRS keeps 180 days of events for each log type. However, this value can be changed in Auditing Settings.


  • Auditing cannot be turned off.
  • Windows login/logout events registered in the GRS are used by Goverlan’s FastConnect feature, which detects the workstations a user is logged in to. Therefore, it is recommended to keep at least 30 days’ worth of events in the database to maintain detection accuracy.


Goverlan Licensing Services

Enabling On-Site Licensing Services

The Goverlan Reach Server can be used to distribute and manage Goverlan licenses on premise.

This can be used:

  • If internet access from the Operators’ machine is unavailable.
  • To enable silent license distribution.

Open the Goverlan Reach Server’s Server Configuration window and select the Licensing Server Settings section:

Setting: Use this GRS as a Licensing Server

  • Disabled: Disables the on-premise licensing services. Goverlan Operators will require internet connectivity or web proxy access to the Goverlan Licensing Servers to perform licensing tasks.
  • Enable as a proxy: The GRS redirects all inbound licensing requests to the online Goverlan Licensing Server.

In this mode, Goverlan Operators will not require internet connectivity. However, the Goverlan Reach Server must be able to communicate with the online GLS at the following address:


Setting: Listening Port
The inbound communication port used to service Goverlan Operator licensing requests.

Setting: Enable silent license distribution
Enable this option if you do not wish Goverlan Operators to have to sign-in to the software. This feature requires a Goverlan account to be configured.

See: Enabling Silent License Distribution


Once configured, click on OK to publish your settings.


In order for the On-Premise Goverlan licensing Services to work, the Goverlan Reach Server must be properly advertised and started.


Enabling Silent License Distribution

Enable this option to distribute sign-in credentials to Goverlan Operators automatically.

This option requires the configuration of a pre-existing Goverlan account. This account will be used to perform silent sign-in on behalf of the Goverlan Operators.

As a best practice, create a dedicated NON-ADMIN account for auto-sign in (for instance autosign@mycompany.com), and assign it to the licenses that you wish to distribute to your operators.

If multiple licenses are associated to the auto-sign in account, the Goverlan software automatically consumes the most appropriate license based on the locally installed features. For instance, if the operator only installs the Goverlan Remote Control feature, and the Goverlan auto-sign in account is associated with both a Goverlan Suite license and a Goverlan RC license, then the Goverlan RC license is used.

Once this setting is published, new Goverlan Operators will be able to open their Goverlan products without a Goverlan account. A floating license is silently provided to the user and released when the user closes the product.


Troubleshooting On-Site GLS

Goverlan Operators may still be prompted to sign-in to the software if one of the following occurs:

  • The GRS Licensing Services configuration was not detected on the operator machine. In this case, use the GRS Client Tester utility to validate proper settings distribution.
  • None of the licenses associated with the silent sign-in account matched the feature-set required by the Goverlan software product, or the licenses are maxed out. To review license usage, log in to my.goverlan.com.
  • The Goverlan Reach Server cannot communicate with the online Goverlan Licenses Services. If this is the case, the Licensing Server Settings window will display an error message.


Goverlan Client Agents Installation

You can use the GRS to query, install, update or uninstall the Goverlan Client Agents on network machines.

To run a maintenance check on the Goverlan Client Agents, use the Goverlan Agent Manager that can be found in the Application menu of any Goverlan product, including the Goverlan Reach Server:

Configure a set of endpoints using an Active Directory Domain, an IP range or individual machines. Select all endpoints within the view and click on Install/Update Agents.



Advertising GRS via DNS

To register the Goverlan Reach Server in DNS, you must create at least one Service Location Record (SRV) for your server.

Create the Goverlan Service Location Record

The following describes how to create the Goverlan SRV DNS record using the Microsoft DNS MMC snap-in. If you do not use this tool, any other DNS Administration tool will do.

  1. Open the DNS MMC Snap-in and set the container focus to the ROOT _tcp folder of your primary domain:

  2. From the menu, select Action > Other New Records…, scroll down the list of resource types and select Service Location (SRV) and click on Create Record…

  3. Change the Service to _goverlanServer, leave the protocol to _tcp and configure the Port Number to the configured server port (by default: 22100).
  4. Finally, enter the full DNS name of the server which is hosting the Goverlan Reach Server.

  5. Click on OK. Then click on Done.

Implementation for Large Geographical Networks & Load Balancing

The Goverlan Reach Server Control Interface allows you to monitor the current load on a server. If you have a large network and see that a Goverlan Reach Server is overloaded, you can add more Goverlan Reach Servers to distribute the load. Two or more Goverlan Servers can be registered within the name domain in two ways: add Active Directory Sites Registrations and/or use load balancing.

Active Directory Site Registration

If you have two or more sites configured in Active Directory, you can register one or more Goverlan Reach Servers for each site. To do so, simply create a DNS Service Location Record in the _tcp folder for that site. For instance, the following screenshot shows the SRV Record for the _goverlanServer service in the Sydney site of corp.pjtec.com:

Service Name Resolution Precedence

The Goverlan Clients (including Goverlan, Goverlan Remote Control, and the Goverlan Agents) will first prioritize their Site’s Goverlan Reach Server. If none are found or if GRS is not available, the Root Goverlan Reach Server is used. Therefore, unless you only want some but not all sites to use a Goverlan Reach Server, it is good practice to always configure a Goverlan Service Location Record in the ROOT _tcp folder of your domain.

Load Balancing

DNS allows you to create two or more DNS Service Location Records for the same domain (or site) to provide for load balancing. The DNS registration settings of the SRV records have PRIORITY and WEIGHT factors which can also be configured to fine tune and control the load balancing. Please refer to the DNS User Guide for more information about these settings.

Both Load Balancing and Site Registration can be used.


No replication mechanism has been implemented in the Goverlan Reach Server. If you use more than one Goverlan Reach Server, you will have to configure each individually.
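
The SRV procedure (described both here and under Advertising the Goverlan Reach Server via DNS), together with the site and load-balancing variants, can be scripted and then verified from a client. The script below is an added example, not Goverlan code: corp.example and the grs1/grs2 host names are placeholders, the site record name assumes the standard Active Directory `_sites` layout in DNS, and the creation calls need the DnsServer module.

```powershell
# Added example, not Goverlan code. corp.example and grs1/grs2 are placeholder names;
# the service label and default port are the ones given in this guide.
$GrsService     = '_goverlanServer._tcp'
$GrsDefaultPort = 22100

function Get-GrsRecordName {
    param([string]$Site)
    # Site-specific record: assumes the standard AD DS layout (<site>._sites.<zone>).
    if ($Site) { "${GrsService}.${Site}._sites" } else { $GrsService }
}

function Publish-GrsSrvRecord {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$Target,      # FQDN of the server hosting the GRS
        [string]$Site,
        [int]$Port = $GrsDefaultPort,               # must match the Server Listening Port
        [int]$Priority = 0,                         # lower value is tried first (RFC 2782)
        [int]$Weight = 100                          # share of load among equal priorities
    )
    $name = Get-GrsRecordName -Site $Site
    if ($PSCmdlet.ShouldProcess("$name.$Zone", "Add SRV -> ${Target}:$Port (priority $Priority, weight $Weight)")) {
        Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $name `
            -DomainName $Target -Priority $Priority -Weight $Weight -Port $Port
    }
}

function Test-GrsAdvertisement {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string[]]$ExpectedTargets,
        [string]$Site,
        [int]$ExpectedPort = $GrsDefaultPort
    )
    $fqdn = "$(Get-GrsRecordName -Site $Site).$Zone"
    $srv  = @(Resolve-DnsName -Name $fqdn -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) {
        Write-Warning "No SRV record found at $fqdn"
        return
    }
    foreach ($r in ($srv | Sort-Object Priority)) {
        $target = $r.NameTarget.TrimEnd('.')
        [pscustomobject]@{
            Record    = $fqdn
            Target    = $target
            Port      = $r.Port
            Priority  = $r.Priority
            Weight    = $r.Weight
            PortOk    = ($r.Port -eq $ExpectedPort)            # SRV port must match the server's port
            Expected  = ($ExpectedTargets -contains $target)   # unexpected targets deserve a closer look
            Reachable = (Test-NetConnection -ComputerName $target -Port $r.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue)
        }
    }
}

# Dry run (-WhatIf): primary and fallback in the root _tcp folder, one record for a site.
Publish-GrsSrvRecord -Zone 'corp.example' -Target 'grs1.corp.example' -WhatIf
Publish-GrsSrvRecord -Zone 'corp.example' -Target 'grs2.corp.example' -Priority 10 -WhatIf
Publish-GrsSrvRecord -Zone 'corp.example' -Target 'grs-syd.corp.example' -Site 'Sydney' -WhatIf

# Read-only check from any domain client.
Test-GrsAdvertisement -Zone 'corp.example' -ExpectedTargets 'grs1.corp.example', 'grs2.corp.example' |
    Format-Table -AutoSize
```

Remove `-WhatIf` on a DNS server, or a machine with the DNS Server tools installed, to create the records.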


Advertising GRS via Group Policies


An alternative to using DNS to publish the existence of your GRS server is to use a Group Policy Object. Even though a GPO is a less secure way to publish your GRS, it is simpler.


A GPO configuration does not bypass a DNS configuration. If both a GPO and a DNS configuration exist, the DNS configuration takes precedence.


Once you have installed the Goverlan Group Policy Administrative Template (see Goverlan GPO Template), open the Goverlan Global Policies > Goverlan Common Settings category and configure the Goverlan Central Server Configuration setting:

The Goverlan Central Server Configuration Policy is defined via a single string that represents a comma separated value list of server names and ports.

Format : Server1:PORT, Server2:PORT, ServerX:PORT

If you only have a single GRS named corpGRS.myComp.us.com and this one is configured to listen for communication on port 22100, then the policy is configured as follows:


If you have a primary and backup Goverlan Reach Server, then the policy is configured as follows:


Advertising GRS Manually

Manual Configuration via the Goverlan Agent Manager

The Goverlan Agent Manager can be used to push a GRS configuration onto your machines. This tool is accessible from the Application menu of the Goverlan Reach Server (as well as Goverlan Operator software).

Using the Goverlan Agent Manager:

  1. Define the list of machines to be configured.
  2. Select them all and click on Push Agent Configuration > Manually Publish a Goverlan Reach Server.
  3. Enter the Goverlan Reach Server address and port and click on Apply.

The remote machines must be equipped with the Goverlan Client Agents to receive a configuration.

Manual Configuration via the Operator Configuration

The configuration of a Goverlan Reach Server can also be performed directly via the settings of the Goverlan Remote Control and Goverlan Management Console software.


If a GRS advertisement via DNS or GPO has been detected, you will not be able to manually configure an entry.

Select the Goverlan Reach Server section of the Application Settings window of the software and enter the network address of the GRS to use:

Goverlan GPO Template

Agent Behavior can be controlled centrally using your existing Group Policy infrastructure. Use the Goverlan Administrative GPO template to apply policies to your agents. The Goverlan Administrative GPO Template can be used to back up the Goverlan Reach Server in the event that the GRS is no longer available.

Goverlan Administrative GPO Template Requirements

To use the Goverlan GPO you will need access to the corporate Domain Controllers. Goverlan comes with both an ADM and ADMX/ADML group policy template file.


Domain Controllers running Windows Server 2008 and later.


Domain Controllers running Windows Server 2003 and prior versions.

Goverlan Admin GPO Template Location

The GPO template can be found in the GPO Templates subdirectory of the Goverlan installation directory.

For example C:\Program Files\Goverlan Central Server v3\GPO Templates

Both ADMX/ADML files will be located in this folder.

Installing Goverlan Administrative GPO Templates

ADMX/ADML Installation


If you already have a Group Policy infrastructure, skip step 1.

  1. Create the central store folder in the SYSVOL directory on a Domain Controller e.g.: \\corp.contoso.com\policies\PolicyDefinitions\ where “corp.contoso.com” is the FQDN of your organization’s domain.
  2. Copy the Goverlan GPO template admx file to \\corp.contoso.com\policies\PolicyDefinitions\
  3. Copy the Goverlan GPO template adml file to \\corp.contoso.com\policies\PolicyDefinitions\en-us\

ADM Installation

  1. Copy the Goverlan GPO template adm file to any location on the Domain Controller
  2. Open the Group Policy Management Console on your domain controller.
  3. Create a new policy or edit an existing one
  4. Browse to Computer Configuration → Policies → Administrative Templates
  5. Right-click Administrative Templates and select Add/Remove Templates…
  6. Browse for the Goverlan GPO template adm file and import it.

Once the templates are imported, open the Group Policy Management Console, create a new policy that will govern the agent behavior or open an existing GPO to add Goverlan agent policies to it.

Goverlan Policies will be under Computer Configuration → Policies → Administrative Templates → Goverlan Global Policies
