Preface
Introduction
The concepts of SPS
The philosophy of SPS
Policies
Credential Stores
Plugin framework
Indexing
Supported protocols and client applications
Modes of operation
The Welcome Wizard and the first login
Transparent mode
Single-interface transparent mode
Non-transparent mode
Inband destination selection
Connecting to a server through SPS
Connecting to a server through SPS using SSH
Connecting to a server through SPS using RDP
Connecting to a server through SPS using an RD Gateway
Archive and backup concepts
Configuration export
System backup
Connection backup
Connection archive
Support bundle
Debug logs
Connection logs
Core dump files
Maximizing the scope of auditing
IPv6 in SPS
SSH hostkeys
Authenticating clients using public-key authentication in SSH
The gateway authentication process
Four-eyes authorization
Network interfaces
High Availability support in SPS
Versions and releases of SPS
Accessing and configuring SPS
The initial connection to SPS
Basic settings
Creating an alias IP address (Microsoft Windows)
Creating an alias IP address (Linux)
Modifying the IP address of SPS
Accessing the Welcome Wizard from a non-standard interface
Configuring SPS with the Welcome Wizard
Logging in to SPS and configuring the first connection
Supported web browsers and operating systems
The structure of the web interface
Network settings
User management and access control
Configuring user and administrator login addresses
Managing logical interfaces
Routing uncontrolled traffic between logical interfaces
Configuring the routing table
Configuring date and time
System logging, SNMP and e-mail alerts
Configuring system logging
Configuring e-mail alerts
Configuring SNMP alerts
Querying SPS status information using agents
Customize system logging in SPS
Configuring system monitoring on SPS
Configuring monitoring
Health monitoring
Preventing disk space fill-up
System related traps
Traffic related traps
Data and configuration backups
Creating a backup policy using Rsync over SSH
Creating a backup policy using SMB/CIFS
Creating a backup policy using NFS
Creating configuration backups
Creating data backups
Encrypting configuration backups with GPG
Archiving and cleanup
Creating a cleanup policy
Creating an archive policy using SMB/CIFS
Creating an archive policy using NFS
Archiving or cleaning up the collected data
Forwarding logs
Managing SPS users locally
Setting password policies for local users
Managing local usergroups
Managing SPS users from an LDAP database
Authenticating users to a RADIUS server
Authenticating users with X.509 certificates
Managing user rights and usergroups
Managing SPS
Assigning privileges to usergroups for the SPS web interface
Modifying group privileges
Finding specific usergroups
Using usergroups
Built-in usergroups of SPS
Listing and searching configuration changes
Displaying the privileges of users and user groups
Controlling SPS: reboot, shutdown
Managing Safeguard for Privileged Sessions clusters
General connection settings
Cluster roles
Enabling cluster management
Building a cluster
Assigning roles to nodes in your cluster
Configuration synchronization across nodes in a cluster
Monitoring the status of nodes in your cluster
Updating the IP address of a node in a cluster
Managing a high availability SPS cluster
Upgrading SPS
Upgrade checklist
Upgrading SPS (single node)
Upgrading a high availability SPS cluster
Troubleshooting
Exporting the configuration of SPS
Importing the configuration of SPS
Managing the SPS license
Accessing the SPS console
Using the console menu of SPS
Enabling SSH access to the SPS host
Changing the root password of SPS
Firmware update using SSH
Exporting and importing the configuration of SPS using the console
Sealed mode
Out-of-band management of SPS
Managing the certificates used on SPS
Configuring connections
Modifying the destination address
Configuring inband destination selection
Modifying the source address
Creating and editing channel policies
Real-time content monitoring with Content Policies
Configuring time policies
Creating and editing user lists
Authenticating users to an LDAP server
Audit policies
HTTP-specific settings
Encrypting audit trails
Timestamping audit trails with built-in timestamping service
Timestamping audit trails with external timestamping service
Digitally signing audit trails
Verifying certificates with Certificate Authorities
Signing certificates on-the-fly
Creating a Local User Database
Configuring cleanup for the SPS connection database
Limitations in handling HTTP connections
Authentication in HTTP and HTTPS
Creating a new HTTP authentication policy
Setting up HTTP connections
ICA-specific settings
Setting up a transparent HTTP connection
Enabling SPS to act as a HTTP proxy
Enabling SSL encryption in HTTP
Configuring half-sided SSL encryption in HTTP
Session-handling in HTTP
Creating and editing protocol-level HTTP settings
Setting up ICA connections
Supported ICA channel types
Creating and editing protocol-level ICA settings
SPS deployment scenarios in a Citrix environment
Troubleshooting Citrix-related problems
RDP-specific settings
Supported RDP channel types
Creating and editing protocol-level RDP settings
Network Level Authentication (NLA) with SPS
SSH-specific settings
Network Level Authentication (NLA) with domain membership
Using SPS across multiple domains
Network Level Authentication without domain membership
Verifying the certificate of the RDP server in encrypted connections
Enabling TLS-encryption for RDP connections
Using SPS as a Remote Desktop Gateway
Configuring Remote Desktop clients for gateway authentication
Inband destination selection in RDP connections
Usernames in RDP connections
Saving login credentials for RDP on Windows
Configuring RemoteApps
Setting the SSH host keys and certificates of the connection
Supported SSH channel types
Authentication Policies
Telnet-specific settings
Creating a new authentication policy
Client-side authentication settings
Relayed authentication methods
Configuring your Kerberos environment
Kerberos authentication settings
Server host keys and certificates
Automatically adding the host keys and host certificates of a server to SPS
Manually adding the host key or host certificate of a server
Creating and editing protocol-level SSH settings
Supported encryption algorithms
Enabling TLS-encryption for Telnet connections
Creating a new Telnet authentication policy
Extracting username from Telnet connections
Creating and editing protocol-level Telnet settings
Inband destination selection in Telnet connections
Limitations of using TN5250 protocol with IBM iSeries Access for Windows
VMware Horizon View connections
VNC-specific settings
Indexing audit trails
Configuring the internal indexer
Configuring external indexers
Using the Search (classic) interface
Prerequisites and limitations
Hardware requirements for the external indexer host
Configuring SPS to use external indexers
Installing the external indexer
Configuring the external indexer
Uploading decryption keys to the external indexer
Configuring a hardware security module (HSM) or smart card to integrate with external indexer
Monitoring the status of the indexer services
HTTP indexer configuration format
Setting up and testing the environment
Encrypting a PKCS#11 PIN
Starting and restarting the external-indexer service when using a custom password for PKCS#11 PIN encryption
Configuring SoftHSM
Configuring AWS CloudHSM
Configuring a smart card
Customizing the indexing of HTTP traffic
Starting the external indexer
Disabling indexing on SPS
Managing the indexers
Upgrading the external indexer
Troubleshooting external indexers
Searching audit trails: the SPS connection database
Using the Search interface
Connection details
Replaying audit trails in your browser in Search (classic)
Replaying encrypted audit trails in your browser
Using the content search
Connection metadata
Using and managing search filters
The search and filter process
Displaying statistics on search results
Searching audit trails: the SPS connection database
Searching session data on a central node in a cluster
Advanced authentication and authorization techniques
Specifying time ranges
Using the connection search
Searching database fields
Using the content query
Displaying statistics on search results
Analyzing data using One Identity Safeguard for Privileged Analytics
The search and filter process
Viewing connection details
Replaying audit trails in your browser
Handling encrypted audit trails
Creating report subchapters from search queries
Configuring usermapping policies
Configuring gateway authentication
Reports
Configuring out-of-band gateway authentication
Performing out-of-band gateway authentication on SPS
Performing inband gateway authentication in SSH and Telnet connections
Performing inband gateway authentication in RDP connections
Troubleshooting gateway authentication
Configuring four-eyes authorization
Using credential stores for server-side authentication
Configuring local Credential Stores
Performing gateway authentication to RDP servers using local Credential Store and NLA
Configuring password-protected Credential Stores
Unlocking Credential Stores
Using Lieberman ERPM to authenticate on the target hosts
Using a custom Credential Store plugin to authenticate on the target hosts
Integrating external authentication and authorization systems
How Authentication and Authorization plugins work
Authorizing connections to the target hosts with a SPS plugin
Performing authentication with AA plugin in terminal connections
Performing authentication with AA plugin in Remote Desktop connections
Integrating ticketing systems
Ingesting logs with SPS
Creating a custom plugin
Contents of the operational reports
Configuring custom reports
Creating reports from audit trail content
Creating statistics from custom database queries
Database tables available for custom queries
The SPS RPC API
The alerting table
The aps table
The archives table
The audit_trail_downloads table
The channels table
The closed_connection_audit_channels view
The closed_not_indexed_audit_channels view
The connection_events view
The connection_occurrences view
The connections view
The events table
The file_xfer table
The http_req_resp_pair table
The indexer_jobs table
The occurrences table
The progresses table
The results table
The skipped_connections table
The usermapped_channels view
Querying trail content with the lucene-search function
Generating partial reports
Creating PCI DSS reports
Contents of PCI DSS reports
Requirements for using the RPC API
RPC client requirements
Locking SPS configuration from the RPC API
Documentation of the RPC API
Enabling RPC API access to SPS
The SPS REST API
SPS scenarios
Configuring public-key authentication on SPS
Troubleshooting SPS
Configuring public-key authentication using local keys
Configuring public-key authentication using an LDAP server and a fixed key
Configuring public-key authentication using an LDAP server and generated keys
Organizing connections in non-transparent mode
Using inband destination selection in SSH connections
Using inband destination selection with PuTTY
Using inband destination selection with OpenSSH
Using inband selection and nonstandard ports with PuTTY
Using inband selection and nonstandard ports with OpenSSH
Using inband destination selection and gateway authentication with PuTTY
Using inband destination selection and gateway authentication with OpenSSH
SSH usermapping and keymapping in AD with public key
Network troubleshooting
Gathering data about system problems
Viewing logs on SPS
Changing log verbosity level of SPS
Collecting logs and system information for error reporting
Status history and statistics
Configuring external devices
Connection statistics
Memory
Disk
CPU
Network connections
Interface
Load average
Number of processes
Displaying custom connection statistics
Troubleshooting a SPS cluster
Understanding SPS cluster statuses
Recovering SPS if both nodes broke down
Recovering from a split brain situation
Replacing a HA node in a SPS cluster
Resolving an IP conflict between cluster nodes
Understanding SPS RAID status
Restoring SPS configuration and data
VNC is not working with TLS
Configuring the IPMI interface from the BIOS after losing IPMI password
Incomplete TSA response received
Configuring advanced routing on Linux
Configuring advanced routing on Cisco routers
Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls
Using SCP with agent-forwarding
Security checklist for configuring SPS
Jumplists for in-product help
Basic Settings > Management
Basic Settings > Local Services
Basic Settings > System
<Protocol name> Control > Global Options
Third-party contributions
GNU General Public License
About us
Preamble
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
GNU Lesser General Public License
Section 0
Section 1
Section 2
Section 3
Section 4
Section 5
Section 6
Section 7
Section 8
Section 9
Section 10
NO WARRANTY Section 11
Section 12
How to Apply These Terms to Your New Programs
Preamble
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
License attributions
Section 0
Section 1
Section 2
Section 3
Section 4
Section 5
Section 6
Section 7
Section 8
Section 9
Section 10
Section 11
Section 12
Section 13
Section 14
NO WARRANTY Section 15
NO WARRANTY Section 16
How to Apply These Terms to Your New Libraries
Routing uncontrolled traffic between logical interfaces
Purpose:
You can enable routing between logical interfaces, which allows you to direct uncontrolled traffic through SPS.
Steps:
-
Navigate to Basic Settings > Network > IP forwarding.
Figure 43: Basic Settings > Network > IP forwarding — IP forwarding between interfaces
-
To add a new forwarding rule, choose
and select the two logical interfaces to connect. You can select the same interface in both fields to use that logical interface in single-interface router mode.
To delete an existing rule, choose
.
-
Click
.
Configuring the routing table
Purpose:
The routing table contains the network destinations SPS can reach. You have to make sure that both the monitored connections, and the local services of SPS (including connections made to the backup and archive servers, the syslog server, and the SMTP server) are routed properly.
You can add multiple IPv4 and IPv6 addresses and address ranges along with their respective gateways.
Steps:
-
To add a new routing entry, navigate to Basic Settings > Network.
You can add interface-specific network routes using the Advanced routing option of each interface. Otherwise, use the Routing table option to manage networking routes.
Figure 44: Basic Settings > Network > Routing table — Routing
-
Click
, then enter the IP address and the network prefix into the Network field.
-
Enter the IP address of the gateway used on that subnetwork into the Gateway field.
-
Click
Configuring date and time
To configure the date and time-related settings of SPS, navigate to Basic Settings > Date & Time.
Figure 45: Basic Settings > Date & Time — Date and time management
|
|
Caution:
It is essential to set the date and time correctly on SPS, otherwise the date information of the logs SPS displays a warning on this page and sends an alert if the time becomes out of sync. |
To explicitly set the date and time on SPS, enter the current date into respective fields of the Date & Time settings group and click Set Date & Time.
When two SPS units are operating in high availability mode, the slave nodes automatically synchronizes its time and date to the master node. To manually synchronize the time between the nodes, click Sync Master (available only in high availability mode).
To retrieve the date automatically from a time server, complete the following steps:
-
Select your timezone in the Timezone field.
-
Enter the IP address of an NTP time server into the Address field.
Use an IPv4 address.
-
Click
-
Click the
-
Optional: If the time setting of SPS is very inaccurate (that is, the difference between the system time and the actual time is great), it might take a long time to retrieve the date from the NTP server. In this case, click Sync Now or Sync Master to sync the time immediately using SNTP.
System logging, SNMP and e-mail alerts
E-mail alerts