Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.5 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving Cleaning up audit data Using plugins Forwarding data to third-party systems Starling integration
User management and access control
Login settings Managing One Identity Safeguard for Privileged Sessions (SPS) users locally Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2 Managing user rights and usergroups Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes
Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing One Identity Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)
Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections
Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

General connection settings

Connections determine if a server can be accessed from a particular client.

  • The policies used in the connection definition can restrict the availability of the connection based on the user name, time, authentication method, and so on. Channel policies (see Creating and editing channel policies) determine if a particular channel can be used within an already established connection.

  • The policies used in the channel policy can restrict the availability of the channel based on the server and the client IP address, user name, and so on. The types of policies available in a connection depend on the protocol (SSH, RDP, and so on) enabled in the connection.

SPS compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. SPS applies to the connection the first connection policy that completely matches the connection request.

This section describes how to configure connections, and details the general configuration options and policies that apply to every type of connection that SPS can control: HTTP, ICA, RDP, SSH, Telnet, and VNC. For a detailed list of supported protocol versions, see Supported protocols and client applications.

Protocol-specific configuration options are described in their respective sections: HTTP-specific settings, ICA-specific settings, RDP-specific settings, SSH-specific settings, Telnet-specific settings, and VNC-specific settings.

Configuring connections

This section describes how to configure connections.

NOTE:

When configuring HTTP or SSH connections, avoid using the IP address configured for administrator or user login on SPS.

To configure connections

  1. Select the type of connection from the main menu.

    • To configure an HTTP connection, select HTTP Control > Connections.

    • To configure an ICA connection, select ICA Control > Connections.

    • To configure a Remote Desktop connection, select RDP Control > Connections.

    • To configure a Secure Shell connection, select SSH Control > Connections.

    • To configure a Telnet connection, select Telnet Control > Connections.

    • To configure a VNC connection, select VNC Control > Connections.

  2. Click to define a new connection and enter a name that identifies the connection (for example, admin_mainserver).

    TIP: Use descriptive names that give information about the connection, for example, refer to the name of the accessible server, the allowed clients, and so on.

    Figure 168: <Protocol name> Control > Connections — Configuring connections

  3. In the From field, enter the IP address of the client that is permitted to access the server. To list additional clients, click .

    You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

    Alternatively, you can enter a hostname instead. SPS automatically resolves the hostname to an IP address.

    NOTE: Note the following limitations:

    • To resolve the hostnames, SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields.

    • If the Domain Name Server returns multiple IP addresses, SPS randomly selects from the list.

  4. In the To field, enter the IP address that the clients request.

    You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

    Alternatively, you can enter a hostname instead. SPS automatically resolves the hostname to an IP address.

    NOTE: Note the following limitations:

    • To resolve the hostnames, SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields.

    • If the Domain Name Server returns multiple IP addresses, SPS randomly selects from the list.

    • In non-transparent mode, enter the IP address of an SPS logical interface.

      For more information on setting up logical network interfaces on SPS, see Managing logical interfaces.

      For more information, see Non-transparent mode.

    • In transparent mode, enter the IP address of the protected server.

      For more information, see Transparent mode.

    To add additional IP addresses, click .

  5. If the clients use a custom port to address the server instead of the default port of the protocol, in the Port field, enter the port number that the clients request. To list additional port numbers, click .

    NOTE: SPS can handle a maximum of 15 unique ports per connection policy. If you want to add more than 15 custom ports, create additional connection policies.

  6. Non-transparent mode: In the Target field, enter the IP address and port number of the target server. SPS connects all incoming client-side connections to this server.

    For details on organizing connections in non-transparent mode, see Organizing connections in non-transparent mode.

    Figure 169: <Protocol name> Control > Connections — Configuring non-transparent connections

  7. If needed, configure advanced settings (for example, network address translation, channel policy, gateway authentication, various policies, or other settings).

  8. To save the connection, click Commit.

    TIP: To temporarily disable a connection, deselect the checkbox of the connection.

  9. If needed, reorder the list of the connection policies. You can move connection policies by clicking the and buttons.

    SPS compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. SPS applies to the connection the first connection policy that completely matches the connection request.

  10. Depending on your needs and on your environment, you can configure the following settings for your connections:

    • Modify the destination or source addresses of the connections.

      For more information, see Modifying the destination address and Modifying the source address.

    • Select a Backup Policy and an Archiving Policy for the audit trails and indexes of the connection.

      For more information on creating backup and archive policies, see Data and configuration backups and Archiving.

      If you have indexed trails, the index is archived every 30 days.

      Caution:

      Hazard of data loss! Make sure you also back up your data besides archiving it.

      For more information, see Data and configuration backups.

      If a system crash occurs, you can lose up to 30 days of index, since the index is only archived every 30 days.

      NOTE: The backup and archive policies set for the connection apply only to the audit trails and indexes of the connection. General data about the connections that is displayed on the Search page is archived and backed up as part of the system-backup process of SPS.

    • To timestamp, encrypt, or sign the audit trails, configure an Audit Policy to suit your needs.

      For more information, see Audit policies.

      Caution:

      In RDP connections, if the client uses the Windows login screen to authenticate on the server, the password of the client is visible in the audit trail. To avoid displaying the password when replaying the audit trail, encrypt the upstream traffic in the audit trail using a separate certificate from the downstream traffic.

      For more information, see Encrypting audit trails in the Administration Guide.

    • Require the users to authenticate themselves not only on the target server, but on SPS as well.

      For more information, see Configuring gateway authentication.

    • Require four-eyes authorization on the connections, with the possibility of an auditor monitoring the connection in real-time.

      For more information, see Configuring four-eyes authorization.

    • In the case of certain connections and scenarios (for example SSH authentication, gateway authentication, Network Level Authentication (NLA) connections), SPS can authenticate you to an LDAP database, or retrieve your group memberships. To use these features, select an LDAP Server.

      For more information, see Authenticating users to an LDAP server.

      NOTE: To display the usergroups that can access a specific Connection Policy, open the Connection Policy, then on the Connections page, select Show connection permissions > Show.

    • To limit the number of new connection requests accepted from a single client IP address per minute, in the Connection rate limit field, enter the maximum number of accepted connections.

    • If you have joined an SPP appliance to SPS and want to share specific SPS functions with SPP, use the Functions shared with SPP option.

      For more information, see Sharing SPS functions with SPP.

      To share an RDP or an SSH connection policy with SPP to initiate sessions, select Share connection policy with SPP.

      For more information, see sections Sharing RDP connection policies with SPP and Sharing SSH connection policies with SPP.

    NOTE: Protocol-specific configuration options are described in their respective sections:

  11. If your clients and servers support it, configure the connection to use strong encryption.

  12. For graphical connections, adjust the settings of your servers for optimal performance:

    • Caution:

      For optimal performance and text recognition in graphical protocols, disable antialiasing on your servers. Antialiased text in the audit trails of RDP, VNC, and X11 connections is not recognized by the OCR engine of the Audit Player. The indexer service recognizes antialiased text, but its accuracy depends on the exact antialiasing settings. To properly index the trails of these connections, disable antialiasing.

      Note that by default, antialiasing is enabled on Windows Vista and later versions. Antialiasing is also called font smoothing. To optimize performance, disable ClearType, which is an antialiasing technology used on Microsoft Windows.

    • When processing RDP connections, SPS attempts to extract the username from the connection.

      To ensure that your users can access the target servers only when their username is recorded, see Usernames in RDP connections.

Modifying the destination address

The destination address is the address of the server where the clients finally connect to.

To modify the destination address of a connection

  1. Navigate to the Connections tab storing the connection and click to display the details of the connection.

    Figure 170: Traffic Controls > Protocol name > Connections — Configuring connections

  2. The Target section allows you to configure Network Address Translation (NAT) on the server side of One Identity Safeguard for Privileged Sessions (SPS). Destination NAT determines the target IP address of the server-side connection. Set the destination address as required. The following options are available:

    NOTE: It is not possible to direct the traffic to the IP addresses belonging to SPS.

    • Use the original target address of the client: Connect to the IP address targeted by the client. This is the default behavior in transparent mode. This option is not available in non-transparent mode. For HTTP connections, you can use the Use the original target address of the client option only when the Act as HTTP proxy option is disabled.

    • NAT destination address: Perform a network address translation on the target address. Enter the target address in IP address/Prefix format.

      Alternatively, you can enter a hostname instead. SPS automatically resolves the hostname to an IP address.

      NOTE: Note the following limitations:

      • To resolve the hostnames, SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields.

      • If the Domain Name Server returns multiple IP addresses, SPS randomly selects from the list.

    • Use fixed address: Enter the IP address and port number of the server. The connection will connect always to this address, redirecting the clients to the server.

      Alternatively, you can enter a hostname instead. SPS automatically resolves the hostname to an IP address.

      NOTE: Note the following limitations:

      • To resolve the hostnames, SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields.

      • If the Domain Name Server returns multiple IP addresses, SPS randomly selects from the list.

    • Inband destination selection: Extract the address of the server from the username. Note that for HTTP connections, you can use the Inband destination selection option only when the Act as HTTP proxy option is enabled. For details, see Configuring inband destination selection.

  3. Optional Step: to enable a custom DNS server to be used for target selection in server-side Channel Policies, select Enable Custom Target DNS server, then enter the IP address of the custom DNS server to look up target addresses and resolve FQDN or wildcard FQDN addresses in the Target fields of your Channel Policies.
  4. Click .

Configuring inband destination selection

With inband destination selection, you can create a single connection policy and allow users to access any server by including the name of the target server in their username (for example, ssh username@targetserver@scb_address, or username%@targetserver%scb_address). If you do not specify the username or the address in nontransparent SSH and Telnet connections, One Identity Safeguard for Privileged Sessions (SPS) displays a terminal prompt where the user can enter the username and the server address.

Prerequisites

To configure a Connection Policy to extract the address of the server from the username

  1. Navigate to the Connection policy you want to modify, for example, to Traffic Controls > SSH > Connections.

  2. Select Inband destination selection.

    Figure 171: Traffic Controls > Protocol name > Connections — Configuring inband destination selection

  3. Optional Step: Enter the IP address or the hostname of the domain name server used to resolve the address of the target server into the DNS Server field.

    If you do not set the DNS Server field, SPS will use the global DNS server (set on the Basic Settings > Networking page) to resolve the hostnames in this connection.

  4. Optional Step: Configure domain names and CNAME records.

    If the clients do not include the domain name when addressing the server (for example they use username@server instead of username@server.example.com, or username%server for RDP connections), SPS can automatically add domain information (for example, example.com). Enter the domain name to add into the Append domain field.

    SPS can also resolve CNAME records.

    To enter more domain names (for example, because connections extend through subnets), click . In case of more domain names in the Append domain field, SPS appends the first domain name in the list that the target can be resolved with.

  5. Enter the addresses of the servers that the users are permitted to access into the Targets field. Note the following points:

    • Use the IP address/prefix (for example 192.168.2.16/32, or 10.10.0.0/16) format. Alternatively, you can use the FQDN of the server. To permit access to any server, enter *.

    • For FQDN, you can use the * and ? wildcard characters.

      Caution:

      If only the hostname of the server is listed and the client targets the server using its IP address, SPS refuses the connection.

      Caution:

      When the client uses hostname in inband destination selections, the hostname must comply with RFC5890: Internationalized Domain Names for Applications (IDNA). For example, from the ASCII characters only letters, digits, and the hyphen character is permitted.

      Starting with version 6.1.0, SPS rejects connection requests where the hostname does not comply with RFC5890.

    • If the clients target the server using its IP address, include the IP address of the server in the Targets > Domain list. This is required because SPS resolves the hostnames to IP addresses, but does not reverse-resolve IP addresses to hostnames.

    • If the clients target the server using its hostname, then the hostname-from-the-client-request + the-value-of-the-Append-domain-option must appear in the Targets > Domain list. Alternatively, you must include the IP address of the hostname-from-the-client-request + the-value-of-the-Append-domain-option host.

    Example: Hostnames and inband destination selection

    For example, you have set Append domain to example.com, and your clients use the username%servername request, then you must include either the servername.example.com host or its IP address in the Targets > Domain list.

  6. If the clients can access only a specified port on the server, enter it into the Port field. If the Port is not set, the clients may access any port on the server.

  7. If there are any servers that the users cannot target using inband destination selection, add them to the Exceptions field.

  8. To use inband destination selection with RDP connections without using One Identity Safeguard for Privileged Sessions (SPS) as a Remote Desktop Gateway (or RD Gateway), you must use SSL-encrypted RDP connections (see Enabling TLS-encryption for RDP connections).

  9. Click .

    Expected result

    The connection policy will extract the address of the destination server from the protocol information.

    NOTE: For examples on using inband destination selection to establish an SSH connection, including scenarios where non-standard ports or gateway authentication is used, see Using inband destination selection in SSH connections.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating