立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Sessions 7.2 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving Cleaning up audit data Using plugins Forwarding data to third-party systems Starling integration
User management and access control
Login settings Managing One Identity Safeguard for Privileged Sessions (SPS) users locally Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2 Managing user rights and usergroups Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes
Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing One Identity Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)
Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections
Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Organizing connections in non-transparent mode

When using One Identity Safeguard for Privileged Sessions (SPS) in non-transparent mode, the administrators must address SPS to access the protected servers. If an administrator has access to more than one protected server, SPS must be able to determine which server the administrator wants to access. For each protected server, the administrators must address either different ports of the configured interface, or different alias IP addresses.

Topics:

Organizing connections based on port numbers

To allow the administrators to access protected servers by connecting to the IP address of One Identity Safeguard for Privileged Sessions (SPS), and use the port number to select which server they want to access. Organizing connections based on port numbers is advantageous if SPS has a public IP address and the protected servers must be administered from the Internet.

NOTE: Do not use the listening addresses configured for web login. For more details, see Configuring user and administrator login addresses.

For details on configuring alias IP addresses, see Managing logical interfaces.

To organize connections based on port numbers

  1. Navigate to the Connections tab of the SSH Control menu.

  2. Add a new connection. Enter the IP address of the administrators into the From fields, and the IP address and port number of the server into the Target field.

  3. Enter the IP address of the logical interface of SPS into the To field, and enter a port number into the Port field.

  4. Repeat Steps 2-3 for every protected server, but every time use a different port number in Step 3.

  5. Click .

Organizing connections based on alias IP addresses

To allow the administrators to access protected servers by connecting to an alias IP address of One Identity Safeguard for Privileged Sessions (SPS). The alias IP address determines which server they will access. Organizing connections based on alias IP addresses is advantageous if SPS is connected to a private network and many private IP addresses are available.

NOTE: Do not use the listening addresses configured for web login. For more details, see Configuring user and administrator login addresses.

To organize connections based on alias IP addresses

  1. Navigate to Basic Settings > Network.

  2. Set up a logical interface: click and configure a new logical interface. Add alias IP addresses for every protected server. (Use a different IP address for each.)

    For more information on configuring logical interfaces and alias IP addresses, see Managing logical interfaces.

  3. Navigate to SSH Control > Connections.

  4. Add a new connection. Enter the IP address of the administrators into the From fields, and the IP address and port number of the target server into the Target field.

  5. Enter an alias IP address of the configured logical interface of SPS into the To field.

  6. Repeat Steps 4-5 for every protected server, but every time use a different alias IP address in Step 5.

  7. Click .

Using inband destination selection in SSH connections

The following sections provide examples for using inband destination selection to establish an SSH connection, including scenarios where nonstandard ports or gateway authentication is used.

Since some client applications do not permit the @ and : characters in the username, alternative characters can be used as well:

  • To separate the username and the target server, use the @ or % characters, for example: username%targetserver@scb_address

  • To separate the target server and the port number, use the :, +, or / characters, for example: username%targetserver+port@scb_address

  • If you do not specify the username or the address in nontransparent SSH and Telnet connections, One Identity Safeguard for Privileged Sessions (SPS) displays an interactive prompt where you can enter the username and the server address.

In RDP, do not use the @ character as an inband data separator but use alternative characters, for example, the % character.

For detailed instructions on configuring inband authentication, see Configuring inband destination selection.

Topics:
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级