One Identity Safeguard for Privileged Sessions 6.0.5 - Administration Guide

Configuring connections

The following describes how to configure connections.

To configure connections

1. Select the type of connection from the main menu.

   • To configure a HTTP connection, select HTTP Control > Connections.

   • To configure an ICA connection, select ICA Control > Connections.

   • To configure a Remote Desktop connection, select RDP Control > Connections.

   • To configure a Secure Shell connection, select SSH Control > Connections.

   • To configure a Telnet connection, select Telnet Control > Connections.

   • To configure a VNC connection, select VNC Control > Connections.

2. Click to define a new connection and enter a name that will identify the connection (for example admin_mainserver).

   TIP: It is recommended to use descriptive names that give information about the connection, for example refer to the name of the accessible server, the allowed clients, and so on.

   Figure 140: <Protocol name> Control > Connections — Configuring connections

   

   

3. Enter the IP address of the client that will be permitted to access the server into the From field. Click to list additional clients.

   You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

   You can also enter a hostname instead of the IP address, and One Identity Safeguard for Privileged Sessions (SPS) automatically resolves the hostname to IP address. Note the following limitations:

   • SPS uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

   • If the Domain Name Server returns multiple IP addresses, SPS selects randomly from the list.

4. Enter the IP address that the clients will request into the To field.

   You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

   You can also enter a hostname instead of the IP address, and One Identity Safeguard for Privileged Sessions (SPS) automatically resolves the hostname to IP address. Note the following limitations:

   • SPS uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

   • If the Domain Name Server returns multiple IP addresses, SPS selects randomly from the list.

   • In non-transparent mode, enter the IP address of a SPS logical interface.

     For more information on setting up logical network interfaces on SPS, see Managing logical interfaces.

   • In transparent mode, enter the IP address of the protected server.

   Click to add additional IP addresses.

5. If the clients use a custom port to address the server instead of the default port used by the protocol, enter the port number that the clients will request into the Port field. Click to list additional port numbers.

   NOTE: SPS can handle a maximum of 15 unique ports per connection policy. If you wish to specify more than 15 custom ports, create additional connection policies.

6. Non-transparent mode: Enter the IP address and port number of the target server into the Target field. SPS will connect all incoming client-side connections to this server. For details on organizing connections in non-transparent mode, see Organizing connections in non-transparent mode.

   Figure 141: <Protocol name> Control > Connections — Configuring non-transparent connections

   

7. Configure advanced settings if needed, like network address translation, channel policy, gateway authentication, various policies, or other settings.

8. Click to save the connection.

   TIP: To temporarily disable a connection, deselect the checkbox before the name of the connection.

9. If needed, reorder the list of the connection policies. You can move connection policies by clicking the and buttons.

   One Identity Safeguard for Privileged Sessions (SPS) compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection.

10. Depending on your needs and environment, you may want to set further settings for your connections.

    • To modify the destination or source addresses of the connections, see Modifying the destination address and Modifying the source address.

    • Select a Backup Policy and an Archiving Policy for the audit trails and indexes of the connection.

      You can find more information on creating backup and archive policies in Data and configuration backups and Archiving and cleanup.

      If you have indexed trails, the index itself is also archived:

      When using the Indexer service: Every 30 days, unless the Backup & Archive/Cleanup > Archive/Cleanup policies > Delete data from SPS after is configured to occur less frequently (more than 30 days). For example, if the Delete data from SPS after is 60 days, the index will be archived every 60 days. The content of the archived index will be the content that was available X days before the archival date, where X is the number in the Delete data from SPS after field.

      Caution: Hazard of data loss Make sure you also backup your data besides archiving (for details, see Data and configuration backups). If a system crash occurs, you can lose up to 30 days of index, since the index is only archived in every 30 days.

      NOTE: The backup and archive policies set for the connection operate only on the audit trails and indexes of the connection. General data about the connections that is displayed on the Search page is archived and backed up as part of the system-backup process of SPS.

    • If you want to timestamp, encrypt, or sign the audit trails, configure an Audit Policy to suit your needs. For details, see Audit policies.

      Caution: In RDP connections, if the client uses the Windows login screen to authenticate on the server, the password of the client is visible in the audit trail. To avoid displaying the password when replaying the audit trail, you are recommended to encrypt the upstream traffic in the audit trail using a separate certificate from the downstream traffic. For details, see "Encrypting audit trails" in the Administration Guide.

    • To require the users to authenticate themselves not only on the target server, but on SPS as well, see Configuring gateway authentication.

    • To require four-eyes authorization on the connections, with the possibility of an auditor monitoring the connection in real-time, see Configuring four-eyes authorization.

    • In the case of certain connections and scenarios (for example SSH authentication, gateway authentication, Network Level Authentication (NLA) connections), SPS can authenticate the user to an LDAP database, or retrieve the group memberships of the user. To use these features, select an LDAP Server. For details, see Authenticating users to an LDAP server.

      NOTE: To display the usergroups that can access a specific Connection Policy, open the Connection Policy, then select Show connection permissions > Show on the Connections page.

    • To limit the number of new connection requests accepted from a single client IP address per minute, enter the maximal number of accepted connections into the Connection rate limit field.

    NOTE: Protocol-specific configuration options are described in their respective sections: HTTP-specific settings, ICA-specific settings, RDP-specific settings, SSH-specific settings, Telnet-specific settings, and VNC-specific settings.

11. If your clients and servers support it, configure the connection to use strong encryption.

    • For HTTP connections, see Enabling TLS encryption in HTTP.

    • For Citrix ICA connections, use the following scenario: Client - Broker - original secure gateway - Secure Ticket Authority (STA) - SPS - Server.

    • For RDP connections, see Enabling TLS-encryption for RDP connections.

    • For SSH connections, see Creating and editing protocol-level SSH settings.

    • For Telnet connections, see Enabling TLS-encryption for Telnet connections.

    • For VNC connections, see Enabling TLS-encryption for VNC connections.

12. For graphical connections, adjust the settings of your servers for optimal performance:

    • Caution: For optimal performance and text recognition in graphical protocols, disable antialiasing on your servers. Antialiased text in the audit trails of RDP, VNC, and X11 connections is not recognized by the OCR engine of the Audit Player. The indexer service recognizes antialiased text, but its accuracy depends on the exact antialiasing settings. Disable antialiasing in order to properly index the trails of these connections. Note that antialiasing is enabled by default on Windows Vista and newer. Antialiasing is also called font smoothing. ClearType is an antialiasing technology used on Microsoft Windows, and should be disabled for optimal performance.

    • When processing RDP connections, SPS attempts to extract the username from the connection. To ensure that your users can access the target servers only when their username is recorded, see Usernames in RDP connections.

Modifying the destination address

The destination address is the address of the server where the clients finally connect to.

To modify the destination address of a connection

1. Navigate to the Connections tab storing the connection and click to display the details of the connection.

   Figure 142: <Protocol name> Control > Connections — Configuring connections

   

2. The Target section allows you to configure Network Address Translation (NAT) on the server side of One Identity Safeguard for Privileged Sessions (SPS). Destination NAT determines the target IP address of the server-side connection. Set the destination address as required. The following options are available:

   NOTE: It is not possible to direct the traffic to the IP addresses belonging to SPS.

   • Use the original target address of the client: Connect to the IP address targeted by the client. This is the default behavior in transparent mode. This option is not available in non-transparent mode. For HTTP connections, you can use the Use the original target address of the client option only when the Act as HTTP proxy option is disabled.

   • NAT destination address: Perform a network address translation on the target address. Enter the target address in IP address/Prefix format.

     You can also enter a hostname instead of the IP address, and One Identity Safeguard for Privileged Sessions (SPS) automatically resolves the hostname to IP address. Note the following limitations:

     • SPS uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

     • If the Domain Name Server returns multiple IP addresses, SPS selects randomly from the list.

   • Use fixed address: Enter the IP address and port number of the server. The connection will connect always to this address, redirecting the clients to the server.

     You can also enter a hostname instead of the IP address, and One Identity Safeguard for Privileged Sessions (SPS) automatically resolves the hostname to IP address. Note the following limitations:

     • SPS uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

     • If the Domain Name Server returns multiple IP addresses, SPS selects randomly from the list.

   • Inband destination selection: Extract the address of the server from the username. Note that for HTTP connections, you can use the Inband destination selection option only when the Act as HTTP proxy option is enabled. For details, see Configuring inband destination selection.

3. Click .

Configuring inband destination selection

With inband destination selection, you can create a single connection policy and allow users to access any server by including the name of the target server in their username (for example, ssh username@targetserver@scb_address, or username%@targetserver%scb_address).

To configure a Connection Policy to extract the address of the server from the username

1. Navigate to the Connection policy you want to modify, for example, to SSH Control > Connections.

2. Select Inband destination selection.

   Figure 143: <Protocol name> Control > Connections — Configuring inband destination selection

   

3. Optional Step: Enter the IP address or the hostname of the domain name server used to resolve the address of the target server into the DNS Server field.

   If you do not set the DNS Server field, SPS will use the global DNS server (set on the Basic Settings > Networking page) to resolve the hostnames in this connection.

4. Optional Step: Configure domain names and CNAME records.

   If the clients do not include the domain name when addressing the server (for example they use username@server instead of username@server.example.com, or username%server for RDP connections), SPS can automatically add domain information (for example example.com). Enter the domain name to add into the Append domain field.

   SPS can also resolve CNAME records.

   To enter more domain names (for example because connections extend through subnets), click . In case of more domain names in the Append domain field, SPS appends the first domain name in the list that the target can be resolved with.

5. Enter the addresses of the servers that the users are permitted to access into the Targets field. Note the following points:

   • Use the IP address/prefix (for example 192.168.2.16/32, or 10.10.0.0/16) format. Alternatively, you can use the FQDN of the server. To permit access to any server, enter *.

   • For FQDN, you can use the * and ? wildcard characters.

     Caution: If only the hostname of the server is listed and the client targets the server using its IP address, SPS refuses the connection.

   • If the clients target the server using its IP address, include the IP address of the server in the Targets > Domain list. This is required because SPS resolves the hostnames to IP addresses, but does not reverse-resolve IP addresses to hostnames.

   • If the clients target the server using its hostname, then the hostname-from-the-client-request + the-value-of-the-Append-domain-option must appear in the Targets > Domain list. Alternatively, you must include the IP address of the hostname-from-the-client-request + the-value-of-the-Append-domain-option host.

   Example: Hostnames and inband destination selection

   For example, you have set Append domain to example.com, and your clients use the username%servername request, then you must include either the servername.example.com host or its IP address in the Targets > Domain list.

6. If the clients can access only a specified port on the server, enter it into the Port field. If the Port is not set, the clients may access any port on the server.

7. If there are any servers that the users cannot target using inband destination selection, add them to the Exceptions field.

8. To use inband destination selection with RDP connections without using One Identity Safeguard for Privileged Sessions (SPS) as a Remote Desktop Gateway (or RD Gateway), you must use SSL-encrypted RDP connections (see Enabling TLS-encryption for RDP connections).

9. Click .

   Expected result

   The connection policy will extract the address of the destination server from the protocol information.

   NOTE: For examples on using inband destination selection to establish an SSH connection, including scenarios where non-standard ports or gateway authentication is used, see Using inband destination selection in SSH connections.

Modifying the source address

The source address is the address that One Identity Safeguard for Privileged Sessions (SPS) uses to connect the server. The server sees this address as the source of the connection.

To modify the source address of a connection

1. Navigate to the Connections tab storing the connection and click to display the details of the connection.

   Figure 144: <Protocol name> Control > Connections — Configuring connections

   

2. The SNAT section allows you to configure Source Network Address Translation (SNAT) on the server side of SPS. SNAT determines the IP address SPS uses in the server-side connection. The target server will see the connection coming from this address. The following options are available:

   • Use the IP address of a SPS logical interface: Server-side connections will originate from SPS's logical network interface. This is the default behavior of the connection.

   • Use the original IP address of the client: Server-side connections will originate from the client's IP address, as seen by SPS.

   • Use fixed address: Enter the IP address that will be used as the source address in server-side connections.

     You can also enter a hostname instead of the IP address, and One Identity Safeguard for Privileged Sessions (SPS) automatically resolves the hostname to IP address. Note the following limitations:

     • SPS uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

     • If the Domain Name Server returns multiple IP addresses, SPS selects randomly from the list.

     Caution: Do not forget to properly configure routers and other network devices when using the Use fixed address option: messages sent by the server to this address must reach SPS.

3. Click .