Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.4.0 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS) The Welcome Wizard and the first login Basic settings
Supported web browsers and operating systems The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving and cleanup Forwarding data to third-party systems Joining to One Identity Starling
User management and access control Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) RPC API The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS) Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Configuring user and administrator login addresses

You can configure two separate login addresses for accessing the web interface of One Identity Safeguard for Privileged Sessions (SPS):

  • Web login for administrators and users: On this address, users can, depending on their access privileges, modify the configuration of SPS, and perform authentication-related activities (gateway authentication, 4-eyes authorization).

  • Web login for users only: The configuration of SPS cannot be viewed or altered from this address. Users (even ones with administrator privileges) can only perform gateway authentication and 4-eyes authorization.

NOTE:

You can find more information about gateway authentication and 4-eyes authorization in Advanced authentication and authorization techniques.

Both login addresses can be configured to restrict connections to a configured set of IP addresses only.

NOTE:

Avoid using the IP address configured for administrator or user login on One Identity Safeguard for Privileged Sessions (SPS) when configuring HTTP or SSH connections.

The login addresses are, by default, protected against brute-force attacks: after five unsuccessful login attempts, all following attempts are denied for increasing periods of time. You can turn this off by unselecting the Protect against brute-force attacks option for the web login addresses.

To configure two separate login addresses for accessing the web interface of SPS

  1. Navigate to Basic Settings > Local Services > Web login.

    Figure 43: Basic Settings > Local Services > Web login — Configuring web login address

  2. Choose in the Listening addresses field.

  3. Enter the IP address to use for connecting to SPS's user interface into the Address field.

    The available addresses correspond to the interface addresses configured in Basic Settings > Network > Interfaces. Only IPv4 addresses can be selected.

  4. Enter the port number for HTTP connections into the HTTP field.

  5. Enter the port number for HTTPS connections into the HTTPS field.

  6. (Optional) To permit access to the SPS web interface only from selected subnets or IP addresses, select Restrict clients, click and enter the IP address and netmask of the allowed clients. Note that these settings do not affect the SSH access to SPS.

    Caution:

    Permit administrative access to SPS only from trusted networks. If possible, monitored connections and administrative access to the SPS web interface should originate from separate networks.

    After comitting the changes, the web interface will be available only from the configured subnets or IP addresses.

    Use an IPv4 address.

  7. Recommended: configure a separate login address for user connections in Web login (user only). The configuration settings of SPS cannot be viewed or modified from this address.

  8. Click Commit.

Managing logical interfaces

You can assign logical interfaces to a physical interface. Each logical interface must have its own VLAN ID, and can have its own set of (alias) IP addresses and prefixes. The configured name for each logical interface is visible on One Identity Safeguard for Privileged Sessions (SPS)'s user interface only.

You can configure IPv4 and IPv6 addresses as well. IPv6 is intended for configuring monitored connections. Local services (including the web login) require IPv4 addresses. An interface can have multiple IP addresses, including a mix of IPv4 and IPv6 addresses.

NOTE:

SPS does not support scenarios with two hosts using the same IP address on different VLAN groups.

To manage logical interfaces

  1. Navigate to Basic Settings > Network > Interfaces.

    Figure 44: Basic Settings > Network > Interfaces — Managing the logical interfaces

  2. If necessary, use the label on the SPS hardware to identify the physical interface to which you want to assign a logical interface.

  3. Choose to add a new logical interface. Provide the following:

    • VLAN: The VLAN ID of the logical interface. Optional.

      Caution:

      Do not set the VLAN ID unless your network environment is already configured to use this VLAN. Otherwise, your SPS appliance will be unavailable using this interface.

    • Address: The IP address of the logical interface.

      Alternatively, you can also enter a hostname instead. One Identity Safeguard for Privileged Sessions (SPS) automatically resolves the hostname to an IP address.

      NOTE:

      Note the following limitations:

      • SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

      • If the Domain Name Server returns multiple IP addresses, SPS selects randomly from the list.

      NOTE:

      Do not use IP addresses that fall into the following ranges:

      • 1.2.0.0/16 (reserved for communication between SPS cluster nodes)

      • 127.0.0.0/8 (localhost IP addresses)

    • Prefix: The IP range of the logical interface.

    • Optional: To add additional (alias) IP addresses and prefixes to a logical interface, click . To remove an alias IP address, click the corresponding .

    • MTU: Maximum Transmission Unit (MTU) to set per network interface (VLAN or network interface card). The default value is 1500.

    • Name: The name of the logical interface. This name is visible on SPS's user interface only.

    To remove a logical interface, choose the on the right side.

  4. Click Commit.

Routing uncontrolled traffic between logical interfaces

You can enable routing between logical interfaces, which allows you to direct uncontrolled traffic through SPS.

To enable routing between logical interfaces

  1. Navigate to Basic Settings > Network > IP forwarding.

    Figure 45: Basic Settings > Network > IP forwarding — IP forwarding between interfaces

  2. To add a new forwarding rule, choose and select the two logical interfaces to connect. You can select the same interface in both fields to use that logical interface in single-interface router mode.

    To delete an existing rule, choose .

  3. Click Commit.

Configuring the routing table

The routing table contains the network destinations SPS can reach. You have to make sure that both the monitored connections, and the local services of SPS (including connections made to the backup and archive servers, the syslog server, and the SMTP server) are routed properly.

You can add multiple IPv4 and IPv6 addresses and address ranges along with their respective gateways.

To configure the routing table

  1. To add a new routing entry, navigate to Basic Settings > Network.

    You can add interface-specific network routes using the Advanced routing option of each interface. Otherwise, use the Routing table option to manage networking routes.

    Figure 46: Basic Settings > Network > Routing table — Routing

  2. Click , then enter the IP address and the network prefix into the Network field.

  3. Enter the IP address of the gateway used on that subnetwork into the Gateway field.

  4. Click Commit.

Related Documents