
One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide


Single-interface transparent mode

Single-interface transparent mode is similar to transparent mode, but both client-side and server-side traffic use the same interface. An external device, typically a firewall or a router (or a layer 3 switch), is required that actively redirects the audited traffic to SPS. To accomplish this, the external device must support advanced routing (also called policy-based routing or PBR). For details on configuring an external device to work with SPS in single-interface transparent mode, see Configuring external devices.

Figure 9: SPS in single-interface transparent mode


The advantages of using the single-interface transparent mode are:

  • Totally transparent for the clients, no need to modify their configuration

  • The network topology is not changed

  • Only the audited traffic is routed to SPS, production traffic is not


The disadvantages of using the single-interface transparent mode are:

  • SPS acts as a man-in-the-middle regarding the connection between the client and the target server. Instead of a single client-server connection, there are two separate connections: the first between the client and SPS, and a second between SPS and the server. Depending on how you configure SPS, the source IP in the SPS-server connection can be the IP address of SPS, or the IP address of the client. In the latter case — when operating in transparent mode (including single-interface transparent mode) — SPS performs IP spoofing. Consult the security policy of your organization to see if it permits IP spoofing on your network.

  • Traffic must be actively routed to SPS using an external device, consequently a network administrator can disable SPS by changing routing rules.

  • When adding a new port or subnet to the list of audited connections, the configuration of the external device must be modified as well.

  • A network administrator can (intentionally or unintentionally) easily disable monitoring of the servers, therefore additional measures have to be applied to detect such activities.

Non-transparent mode

In non-transparent mode, SPS acts as a bastion host — administrators can address only SPS, the administered servers cannot be targeted directly. The firewall of the network has to be configured to ensure that only connections originating from SPS can access the servers. SPS determines which server to connect to based on the parameters of the incoming connection (the IP address of the administrator and the target IP and port).

Non-transparent mode inherently ensures that only the controlled (management and server administration) traffic reaches SPS. Services and applications running on the servers remain accessible even if SPS breaks down, so SPS cannot become a single point of failure.


Non-transparent mode is useful if the volume of general (not inspected) traffic is very high and could not be forwarded through SPS.


If there is a high number of target devices, do not use fixed address rules in non-transparent mode, as configuration validation might fail. Consider using one of the dynamic configuration options, such as inband destination selection or transparent mode.

Figure 10: SPS in non-transparent mode

Non-transparent mode is often used together with inband destination selection. For details, see Inband destination selection.

Inband destination selection

Inband destination selection allows you to create a single connection policy and allow users to access any server by including the name of the target server in their username (for example, ssh username@targetserver:port@scb_address). SPS can extract the address from the username and direct the connection to the target server.

Figure 11: Inband destination selection

Since some client applications do not permit the @ and : characters in the username, alternative characters can be used as well:

  • To separate the username and the target server, use the @ or % characters, for example: username%targetserver@scb_address

  • To separate the target server and the port number, use the :, +, or / characters, for example: username%targetserver+port@scb_address

You can use both IPv4 and IPv6 addresses with inband destination selection. For IPv6 addresses, add square brackets to separate the address and the port number:


When Network Level Authentication (NLA) is disabled, you can omit the username when starting an RDP connection (for example, use only %targetserver). The user can type the username later in the graphical login screen. However, the username must be specified if Network Level Authentication (NLA) is used in the connection.

For other details on inband destination selection in RDP connections, see Inband destination selection in RDP connections.

You can find examples of using inband destination selection in Using inband destination selection in SSH connections.
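The following parser, added here as an illustration rather than code from the SPS product, shows how the inband destination selection syntax above can be split into username, target host and port. It assumes that SPS sees only the part before the final @scb_address as the login name, and that the default ports per protocol (an assumption, not from this guide) apply when the client omits the port.

```python
"""Parse the inband destination selection login syntax described above.

The client strips the final '@scb_address', so SPS receives a login name such
as 'username%targetserver+port'.  Separators: '@' or '%' between user and
target; ':', '+' or '/' between target and port; IPv6 targets must be bracketed.
"""
from dataclasses import dataclass
from typing import Optional

USER_SEPARATORS = "@%"
PORT_SEPARATORS = ":+/"
# Assumed per-protocol defaults for an omitted port (not taken from the guide).
DEFAULT_PORTS = {"ssh": 22, "rdp": 3389, "telnet": 23, "vnc": 5900}


@dataclass(frozen=True)
class InbandTarget:
    username: Optional[str]   # None when the client omitted it (RDP without NLA)
    host: str
    port: int


def parse_inband_target(login: str, protocol: str = "ssh") -> InbandTarget:
    """Split 'user<sep>target<sep>port' into its parts; raise ValueError on bad input."""
    # The target part never contains '@' or '%', so the rightmost one ends the username.
    idx = max(login.rfind(c) for c in USER_SEPARATORS)
    if idx < 0:
        raise ValueError("no target server in login name (inband selection not used)")
    username = login[:idx] or None
    target = login[idx + 1:]

    if target.startswith("["):                      # bracketed IPv6 literal
        end = target.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in IPv6 target")
        host, rest = target[1:end], target[end + 1:]
    else:
        # Hostnames and IPv4 addresses contain no port separator; an unbracketed
        # IPv6 address would be cut at its first ':', so reject it explicitly.
        if target.count(":") > 1:
            raise ValueError("IPv6 targets must be written in square brackets")
        cut = min((target.find(c) for c in PORT_SEPARATORS if c in target), default=-1)
        host, rest = (target, "") if cut < 0 else (target[:cut], target[cut:])

    if not host:
        raise ValueError("empty target host")
    if rest == "":
        port = DEFAULT_PORTS[protocol]
    elif rest[0] in PORT_SEPARATORS and rest[1:].isdigit() and 0 < int(rest[1:]) < 65536:
        port = int(rest[1:])
    else:
        raise ValueError(f"invalid port specification {rest!r}")
    return InbandTarget(username, host, port)
```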

Connecting to a server through SPS

When a client initiates a connection to a server, SPS performs a procedure similar to the ones detailed below. The exact procedure depends on the protocol used in the connection.
