Use the Trace Route test to obtain route information, such as the paths packets take from one IP address to another.
- Navigate to Network Diagnostics:
- web client: Navigate to Appliance > Network Diagnostics.
- Click Trace Route.
- Enter the remote host's IP or Hostname.
- Optionally, click More Settings to configure the following:
- Resolve IP addresses to hostname
- Maximize number of hops to search for target
- Timeout in milliseconds to wait for each reply
- Click Trace to run the test. The test results display in the Output window.
On Networking, view and configure the primary network interface (X0), a proxy server to relay web traffic if one is required, and the sessions network interface.
The Network Interface (X1) can be used in the web client to add additional virtual network adapters associated with X1.
It is the responsibility of the Appliance Administrator to ensure the network interfaces are configured correctly.
CAUTION: For AWS or Azure, the network settings user interface is read-only; network settings are configured by the AWS or Azure administrator. Changing the internal network address on a clustered appliance will break the cluster and require the appliance to be unjoined and rejoined.
To modify the networking configuration settings
- Navigate to Appliance > Networking.
- For Network X0, complete the network settings below. For more information, see Modifying the IP address.
- For Network X1 (web client), complete the network settings below to add additional virtual network adapters on up to 31 VLANs.
- For the Proxy Server (web client), complete the network settings below.
- Proxy URI: The IP address or DNS name of the proxy server.
- Port: The port number used by the proxy server to listen for HTTP requests. The value is an integer from 1 to 65535. If different ports are specified in the proxy URI and the Port field, the Port field takes precedence.
- Username: The user name used to connect to the proxy server. The username and password are only required if your proxy server requires them to be specified.
- Password: The password required to connect to the proxy server. The username and password are only required if your proxy server requires them to be specified.
- Click Show Static Routes and make changes using the information which follows. When you are done, click Save. On Save, a message like the following displays: "Changing these values may cause all users to lose connection to the appliance." This is the general warning shown whenever network settings are saved and is not specific to static routes.
- Use the following toolbar buttons, as needed.
- To add a route, click the add button and complete the information.
- To modify the information for a route, select the route, click Edit, and then change the information.
- To delete a route, select the route then click Delete Static Route. The route is immediately deleted.
- To discard unsaved changes and revert to what was last retrieved from the database, select the route and click Revert all unsaved Static Route edits.
- The following information can be added or changed:
- IP Version: Select IPv4 or IPv6.
- Prefix: The destination network address (IPv4 or IPv6) the route applies to.
- Prefix Length: The subnet prefix length, that is, the number of leading network bits in the prefix.
- Next Hop: The IP address of the next closest or most optimal router in the routing path.
- Metric: A value that identifies the cost that is associated with using the route.
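The two settings on this page that are easiest to get wrong are the proxy port (the Port field wins over a port embedded in the Proxy URI) and the static route prefix (it must be the network address, not a host inside the subnet, and the next hop must be of the same IP version). The following Python is an added example, not code from Safeguard or One Identity, that checks a proxy setting and a static route entry the way an administrator should before saving them; the field names in the returned dict mirror the UI labels above and are an assumption, not the product's API schema.

```python
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def effective_proxy(proxy_uri: str, port: Optional[int] = None) -> Tuple[str, int]:
    """Resolve the proxy endpoint that will actually be used.

    The Port field, when set, takes precedence over any port embedded in the
    Proxy URI; a port must come from one of the two places.
    """
    # Accept a bare host or IP as well as a full URI.
    parsed = urlsplit(proxy_uri if "://" in proxy_uri else "http://" + proxy_uri)
    host = parsed.hostname
    if not host:
        raise ValueError(f"no host in proxy URI {proxy_uri!r}")
    chosen = port if port is not None else parsed.port
    if chosen is None:
        raise ValueError("no port given in the Proxy URI or the Port field")
    if not 1 <= chosen <= 65535:
        raise ValueError(f"port {chosen} is outside 1..65535")
    return host, chosen


def validate_static_route(ip_version: str, prefix: str, prefix_length: int,
                          next_hop: str, metric: int) -> Dict[str, object]:
    """Validate one static route entry; returns a normalised dict or raises ValueError."""
    version = {"IPv4": 4, "IPv6": 6}.get(ip_version)
    if version is None:
        raise ValueError(f"IP Version must be IPv4 or IPv6, not {ip_version!r}")
    # strict=True rejects a prefix with host bits set (e.g. 10.20.0.5/16): the
    # Prefix field must be the network address, not a host inside the subnet.
    try:
        net = ipaddress.ip_network(f"{prefix}/{prefix_length}", strict=True)
    except ValueError as exc:
        raise ValueError(f"bad Prefix/Prefix Length: {exc}") from None
    if net.version != version:
        raise ValueError(f"Prefix {prefix} is not {ip_version}")
    hop = ipaddress.ip_address(next_hop)
    if hop.version != version:
        raise ValueError(f"Next Hop {next_hop} is not {ip_version}")
    if hop.is_unspecified or hop.is_loopback or hop.is_multicast:
        raise ValueError(f"Next Hop {next_hop} cannot be used as a gateway")
    if not isinstance(metric, int) or metric < 0:
        raise ValueError(f"Metric must be a non-negative integer, not {metric!r}")
    # Keys below mirror the UI labels; they are an assumption, not an API schema.
    return {
        "IPVersion": ip_version,
        "Prefix": str(net.network_address),
        "PrefixLength": net.prefixlen,
        "NextHop": str(hop),
        "Metric": metric,
    }


if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(effective_proxy("http://proxy.example.com:3128", port=8080))
    print(validate_static_route("IPv4", "10.20.0.0", 16, "192.0.2.1", 10))
    try:
        validate_static_route("IPv4", "10.20.0.5", 16, "192.0.2.1", 10)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the check locally before clicking Save matters because the appliance warns that a bad network change can disconnect every user, and on a clustered appliance a wrong route to a peer subnet is one of the ways to lose the cluster.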
Modifying the IP address
You can change the IP address of an SPP Appliance as long as the other appliances in the SPP cluster are able to see the new subnet.
It is recommended you use the procedure below in a test environment and then deploy the steps in production. Allow plenty of time for the IP address to change. The operation will take several minutes to complete before the cluster has adjusted to the change.
1. Ensure you are using Safeguard for Privileged Passwords 2.4 or above.
2. Before changing the X0 IP address, make a backup.
3. Generate a support bundle on the appliance you plan to modify the IP address on. Start with a replica first.
4. Change the X0 IP address of that appliance under Appliance > Networking.
5. After the X0 IP address change, verify clustering is working. It is recommended you change some data on the primary and verify it appears on the replica by logging on to the replica.
6. Repeat steps 3, 4, and 5 for the other replicas.
7. Once the replicas are changed, proceed with the primary.
SPS IP address change
CAUTION: When Safeguard for Privileged Passwords (SPP) and Safeguard for Privileged Sessions (SPS) are linked and the IP address of either the SPS cluster master (Central Management role) or the Safeguard for Privileged Passwords primary appliance is changed, the SPP/SPS link must be redone. See the information that follows.
- Use the following information in the SPS documentation to understand SPS cluster roles, settings, and IP address updating.
- If the IP address is changed, you must relink the cluster. For more information, see Linking SPS to SPP.
- Once the SPS IP addresses are successfully changed, delete the session connection in the Safeguard for Privileged Passwords settings and relink the SPS cluster master to the Safeguard for Privileged Passwords primary. For more information, see Safeguard for Privileged Passwords and SPS appliance link guidance.
Operating System Licensing is available on virtual appliances only, not on hardware appliances.
It is the responsibility of the Appliance Administrator to ensure the operating system is licensed. Operating system licensing is automatic in the AWS and Azure deployments.
Use the Operating System Licensing pane to view and configure the operating system license of a virtual appliance.
- Navigate to Operating System Licensing:
- web client: Navigate to Appliance > Operating System Licensing.
- Click Refresh anytime to refresh the settings.
- The display shows if Windows is licensed with KMS or licensed with a product key. Click Details to see additional information.
The Appliance Administrator has the option to configure SSH Algorithms, if necessary, to restrict the algorithms used when connecting to any SSH server. The settings are applied whenever Safeguard for Privileged Passwords connects to any SSH server, either to connect to an asset using SSH or to connect to an archive server using SSH.
When an SSH client connects to a server, each side of the connection offers four lists of algorithms to use as connection parameters to the other side. These are:
- Public Key: The public key algorithms accepted for an SSH server to authenticate itself to an SSH client
- Cipher: The ciphers to encrypt the connection
- Kex: The key exchange methods that are used to generate per-connection keys
- MAC: The message authentication codes used to detect traffic modification
By default, Safeguard for Privileged Passwords offers all supported algorithms when using SSH to connect to an archive server or asset. For each algorithm type, you can configure Safeguard to offer a subset of the supported algorithms. To return to the default (support all algorithms), delete all algorithm information entered then save the changes.
For a successful connection, there must be at least one mutually supported choice for each parameter. If Safeguard for Privileged Passwords initiates an SSH connection to an asset or archive server and cannot negotiate a mutually acceptable algorithm, an error is reported and an attempt is made to identify the algorithm type that could not be negotiated. Some SSH servers do not provide enough information to identify that type.
Adjusting the preferred order of preference for public key algorithms
By default, the list of public key algorithms supported for host keys and available for identity keys is negotiated with the SSHD server in this order of preference:
- ssh-ed25519
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-rsa
- rsa-sha2-256
- rsa-sha2-512
- ssh-dss
You can change the preferred order and/or restrict the available algorithms to a subset of this list by configuring the PublicKey list using the SshAlgorithms API.
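To make the negotiation described above concrete, the following Python is an added example, not code from Safeguard or One Identity, that models the client-side selection rule SSH uses (RFC 4253 section 7.1, simplified: for each algorithm type, the first entry in the client's list that the server also offers wins) and an SshAlgorithms-style restriction, where an empty list means "offer all supported algorithms" and a non-empty list both restricts and reorders. The PublicKey default order is the one listed on this page; the Cipher, Kex and MAC "supported" lists and both server offers are constructed for illustration and are not SPP's real defaults or any real host's output.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Default PublicKey preference order as listed on this page.
DEFAULT_PUBLIC_KEY_ORDER: List[str] = [
    "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ssh-dss",
]

# ASSUMED illustrative "all supported" lists for the other three types; the page
# does not enumerate them, so these are not SPP's actual defaults.
DEFAULT_OFFER: Dict[str, List[str]] = {
    "PublicKey": DEFAULT_PUBLIC_KEY_ORDER,
    "Cipher": ["aes256-gcm@openssh.com", "aes128-ctr", "aes256-cbc", "3des-cbc"],
    "Kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "MAC": ["hmac-sha2-256", "hmac-sha1"],
}


def client_offer(config: Dict[str, Sequence[str]]) -> Dict[str, List[str]]:
    """Build the lists the client offers, applying an SshAlgorithms-style config.

    An empty or absent list for a type means "offer everything supported" in the
    default order; otherwise only the configured subset is offered, in the
    configured order. Names outside the supported set are rejected up front.
    """
    offer: Dict[str, List[str]] = {}
    for kind, supported in DEFAULT_OFFER.items():
        configured = list(config.get(kind, []))
        if not configured:
            offer[kind] = list(supported)
            continue
        unknown = [name for name in configured if name not in supported]
        if unknown:
            raise ValueError(f"{kind}: unsupported algorithm(s) {unknown}")
        offer[kind] = configured
    return offer


def negotiate(client: Dict[str, List[str]],
              server: Dict[str, List[str]]) -> Tuple[Dict[str, str], Optional[str]]:
    """Pick, per type, the first client entry the server also offers.

    Returns (chosen, failed_kind): failed_kind names the first algorithm type
    with no mutually supported choice, or None when every type negotiated.
    """
    chosen: Dict[str, str] = {}
    for kind in DEFAULT_OFFER:
        match = next((name for name in client[kind] if name in server.get(kind, [])), None)
        if match is None:
            return chosen, kind
        chosen[kind] = match
    return chosen, None


if __name__ == "__main__":
    # Constructed server offers, not captured from real hosts.
    modern = {"PublicKey": ["rsa-sha2-512", "ssh-rsa"], "Cipher": ["aes128-ctr"],
              "Kex": ["curve25519-sha256"], "MAC": ["hmac-sha2-256"]}
    legacy = {"PublicKey": ["ssh-dss"], "Cipher": ["3des-cbc"],
              "Kex": ["diffie-hellman-group14-sha1"], "MAC": ["hmac-sha1"]}

    # Default order: ssh-rsa (SHA-1 signatures) precedes rsa-sha2-512, so it wins.
    print(negotiate(client_offer({}), modern))
    # Reordered PublicKey list: rsa-sha2-512 is now selected against the same host.
    print(negotiate(client_offer({"PublicKey": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]}), modern))
    # Hardened subset against the legacy host: failure is attributed to PublicKey.
    print(negotiate(client_offer({"PublicKey": ["ssh-ed25519", "rsa-sha2-256", "rsa-sha2-512"]}), legacy))
```

The second and third calls show the two effects of configuring the PublicKey list: reordering changes which host key signature is accepted from a server that offers several, and restricting turns a connection to a server that only has a disallowed algorithm into a reported negotiation failure of a specific type rather than a silent downgrade.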