One Identity Safeguard for Privileged Sessions 6.5.0 - Evaluation Guide

Network settings

Assigning logical interfaces to physical interfaces

To assign logical interfaces to the three physical interfaces of SPS, navigate to Basic Settings > Network > Interfaces.

Each logical interface must have its own VLAN ID, and can have its own set of (alias) IP addresses and prefixes. The configured name for each logical interface is visible on SPS's user interface only.

You can configure both IPv4 and IPv6 addresses. IPv6 is intended for configuring monitored connections; local services (including the web login) require IPv4 addresses. An interface can have multiple IP addresses, including a mix of IPv4 and IPv6 addresses.

For details, see Network settings.

Routing uncontrolled traffic

To control how SPS routes uncontrolled traffic (that is, traffic that passes SPS but is not inspected or audited) between its network interfaces, navigate to Basic Settings > Network > IP forwarding.

You can connect interface pairs to each other, and SPS will route all uncontrolled traffic between them. To add a new forwarding rule, select the two logical interfaces to connect. You can select the same interface in both fields to use that logical interface in single-interface router mode.

For details, see Routing uncontrolled traffic between logical interfaces.

Configuring connections: SSH

The following procedures provide a skeleton to configure SSH connections in SPS. If you want to have a deeper understanding, read the in-depth detailed procedure.

Configure an SSH connection with fixed destination IP

The following describes how to configure a basic Secure Shell (SSH) connection in SPS. This Connection Policy uses a fixed destination IP, that is, it receives connections on an IP address of SPS, and forwards them to a server explicitly set in the policy.

The destination address is the address of the server to which the clients finally connect. To modify the destination address of a connection, complete the following steps.

Prerequisites:
  • An SPS appliance on which you have already completed the Welcome Wizard.

  • An SSH server that is running on a host that you can access from SPS. That is, SPS must be able to access the network of the SSH server (adjust any routing and firewall settings in your network to permit this connection). If you only want to do a quick test, you can install an SSH server on the host you are configuring SPS from.

To configure a basic SSH connection in SPS

  1. Navigate to SSH Control > Connections.

  2. Click to define a new connection and enter a name that will identify the connection (for example admin_mainserver).

    TIP:

    It is recommended to use descriptive names that give information about the connection, for example refer to the name of the accessible server, the allowed clients, and so on.

  3. Enter the IP address of the client that will be permitted to access the server into the From field. Click to list additional clients.

  4. Enter the IP address that the clients will request into the To field. To test SPS the easiest is to use the IP address of SPS, meaning that the connection will be non-transparent. (To test transparent connections, you must place SPS into the network between the client and the server, or route the traffic that way.)

    Figure 2: Configuring fixed destination selection

  5. The Target section allows you to configure Network Address Translation (NAT) on the server side of SPS. Destination NAT determines the target IP address of the server-side connection. You can set the destination address as required for your environment. For this example non-transparent connection, select Use fixed address.

  6. Enter the IP address and port number of the server. SPS will connect all incoming client-side connections to this server. For example, to redirect the connections to your computer (if it is running an SSH server), enter the IP address of your computer.

    You can also enter a hostname instead of the IP address, and SPS automatically resolves the hostname to IP address. Note the following limitations:

    • SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

    • Only IPv4 addresses are supported.

    • If the Domain Name Server returns multiple IP addresses, SPS selects randomly from the list.

  7. If the clients use a custom port to address the server instead of the default port used by the protocol, enter the port number that the clients will request into the Port field. Click to list additional port numbers. For details on organizing connections in non-transparent mode, see "Organizing connections in non-transparent mode" in the Administration Guide.

  8. Click Commit to save the connection.

    This connection allows any user from the client machine to connect to the specified server, but permits only terminal sessions — other SSH channels like TCP forwarding are disabled.

    TIP:

    To temporarily disable a connection, deselect the checkbox before the name of the connection.

  9. Test the new configuration: try to initiate an SSH connection from the client (your computer) to the server.

  10. After successfully connecting to the server, perform some activity in the session, for example execute a simple command such as ls /tmp, then disconnect from the server.

  11. Navigate to Search on the SPS web interface. Your sessions are displayed in the list of connections. Note that in a transparent connection the client addresses the target server, while in a non-transparent connection it addresses SPS.

  12. Click the icon. A summary will be displayed about the connection.
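The policy built in steps 1 to 8 can be modelled in code to make its matching rules explicit: which client (From), requested address (To) and Port a session must present, whether the session is transparent or non-transparent, and how a fixed Target is resolved under the hostname limitations listed in step 6. The Python below is an added illustration and not SPS code: the matching logic, the function names and the sample addresses and hostname are assumptions made for this example.

```python
import ipaddress
import random
import socket
from dataclasses import dataclass

@dataclass
class SshConnectionPolicy:
    name: str             # for example "admin_mainserver"
    from_clients: list    # From: client networks permitted to connect
    to_addresses: list    # To: addresses the clients request (an SPS IP = non-transparent)
    ports: list           # Port: port numbers the clients may request
    target_host: str      # Target > Use fixed address: IPv4 address or hostname
    target_port: int
    enabled: bool = True  # the checkbox before the connection name

def dns_resolver(host):
    """Real DNS lookup restricted to IPv4 answers (the documented limitation)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})

def resolve_target(host, resolver=dns_resolver, rng=random):
    """IPv4 address SPS would connect to; several DNS answers give a random pick."""
    try:
        return str(ipaddress.IPv4Address(host))  # IPv4 literal: no lookup needed
    except ipaddress.AddressValueError:
        pass                                     # a hostname (or an unsupported IPv6 literal)
    ipv4 = [a for a in resolver(host) if ipaddress.ip_address(a).version == 4]
    if not ipv4:
        raise LookupError(f"{host}: no IPv4 address (IPv6 targets are unsupported)")
    return rng.choice(ipv4)

def route_connection(policy, client_ip, requested_ip, requested_port, sps_ips,
                     resolver=dns_resolver, rng=random):
    """(mode, target_ip, target_port) if the connection matches the policy, else None."""
    if not policy.enabled:
        return None
    if not any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(net)
               for net in policy.from_clients):
        return None
    if requested_ip not in policy.to_addresses or requested_port not in policy.ports:
        return None
    mode = "non-transparent" if requested_ip in sps_ips else "transparent"
    return mode, resolve_target(policy.target_host, resolver, rng), policy.target_port

# Constructed sample data: RFC 5737 test addresses and a hypothetical hostname.
SAMPLE_POLICY = SshConnectionPolicy("admin_mainserver", ["192.0.2.0/24"],
                                    ["198.51.100.10"], [22], "mainserver.example", 22)

def constructed_resolver(host):  # stand-in for DNS: a mixed IPv4/IPv6 answer set
    return ["10.0.0.5", "2001:db8::5", "10.0.0.6"]
```

Calling route_connection with the sample policy, a client from 192.0.2.0/24 and the SPS address 198.51.100.10 on port 22 yields a non-transparent session forwarded to one of the IPv4 answers; a client outside the From range, or a port not listed, yields None.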

Server-side (only) password authentication

The default authentication method for SSH connection policies is to let the target server check the credentials, just as it would when users access the server directly without SPS in place.

If you want to configure a different authentication method, create an authentication policy.

Figure 3: Authentication policy

An authentication policy is a list of authentication methods that can be used in a connection. Connection definitions refer to an authentication policy to determine how the client can authenticate to the target server. Separate authentication methods can be used on the client and the server-side of the connection.

To create a new authentication policy, navigate to SSH Control > Authentication Policies.

For details, see Authentication Policies.
