Table of Contents

Preface

1. Summary of contents

2. Target audience and prerequisites

3. Products covered in this guide

4. Typographical conventions

5. Contact and support information

5.1. Sales contact

5.2. Support contact

5.3. Training

6. About this document

6.1. Summary of changes

6.2. Feedback

1. Introduction

1.1. What SCB is

1.2. What SCB is not

1.3. Why is SCB needed?

1.4. Who uses SCB?

1.5. Public references for BalaBit Shell Control Box:

2. The concepts of SCB

2.1. The philosophy of SCB

2.2. Supported protocols and client applications

2.3. Modes of operation

2.3.1. SCB in Bridge mode

2.3.2. SCB in Router mode

2.3.3. SCB in Bastion mode

2.3.4. SCB in Nontransparent mode

2.4. Connecting to a server through SCB

2.4.1. Connecting to a server through SCB using SSH

2.4.2. Connecting to a server through SCB using RDP

2.5. SSH hostkeys

2.6. Authenticating clients using public-key authentication in SSH

2.7. The gateway authentication process

2.8. 4-eyes authorization

2.9. Network interfaces

2.10. High Availability support in SCB

2.11. Firmware in SCB

2.11.1. Firmwares and high availability

2.12. Versions and releases of SCB

2.13. Accessing and configuring SCB

2.14. Licenses

3. The Welcome Wizard and the first login

3.1. The initial connection to SCB

3.1.1. Creating an alias IP address (Microsoft Windows)

3.1.2. Creating an alias IP address (Linux)

3.1.3. Modifying the IP address of SCB

3.2. Configuring SCB with the Welcome Wizard

3.3. Logging in to SCB and configuring the first connection

4. Configuring and managing SCB

4.1. Supported web browsers and operating systems

4.2. The structure of the web interface

4.2.1. Elements of the main workspace

4.2.2. Multiple web users and locking

4.3. Basic settings

4.3.1. Network settings

4.3.2. Date and time configuration

4.3.3. System logging, SNMP and e-mail alerts

4.3.4. Configuring system monitoring on SCB

4.3.5. Data and configuration archiving and backups

4.4. User management and access control

4.4.1. Managing SCB users locally

4.4.2. Setting password policies for local users

4.4.3. Managing local usergroups

4.4.4. Managing SCB users from an LDAP database

4.4.5. Authenticating users to a RADIUS server

4.4.6. Managing user rights and usergroups

4.4.7. Listing and searching configuration changes

4.5. Managing SCB

4.5.1. Controlling SCB — restart, shutdown

4.5.2. Managing a high availability SCB cluster

4.5.3. Upgrading SCB

4.5.4. Troubleshooting SCB

4.5.5. Accessing the SCB console

4.5.6. Sealed mode

4.5.7. Out-of-band management of SCB

4.5.8. Managing the certificates used on SCB

5. Configuring connections

5.1. General connection settings

5.1.1. Configuring connections

5.1.2. Modifying the destination address

5.1.3. Modifying the source address

5.1.4. Creating and editing channel policies

5.1.5. Configuring time policies

5.1.6. Creating and editing user lists

5.1.7. Authenticating users to an LDAP server

5.1.8. Audit policies

5.1.9. Verifying certificates with Certificate Authorities

5.1.10. Signing certificates on-the-fly

5.1.11. Forwarding traffic to an IDS or DLP system

5.1.12. Configuring cleanup for the SCB connection database

5.2. SSH-specific settings

5.2.1. Setting the SSH host keys and certificates of the connection

5.2.2. Supported SSH channel types

5.2.3. Authentication Policies

5.2.4. Server host keys and certificates

5.2.5. Creating and editing protocol-level SSH settings

5.3. RDP-specific settings

5.3.1. Supported RDP channel types

5.3.2. Creating and editing protocol-level RDP settings

5.3.3. Joining SCB into a domain

5.3.4. Using SSL-encrypted RDP connections

5.3.5. Verifying the certificate of the RDP server in encrypted connections

5.3.6. Using SCB as a Terminal Services Gateway

5.3.7. Configuring Remote Desktop clients for gateway authentication

5.3.8. Usernames in RDP connections

5.4. ICA-specific settings

5.4.1. Setting up ICA connections

5.4.2. Supported ICA channel types

5.4.3. Creating and editing protocol-level ICA settings

5.4.4. SCB deployment scenarios in a Citrix environment

5.4.5. Troubleshooting Citrix-related problems

5.5. Telnet-specific settings

5.5.1. Creating and editing protocol-level Telnet settings

5.6. VNC-specific settings

5.6.1. Creating and editing protocol-level VNC settings

5.7. VMware View connections

6. Browsing log messages and SCB reports

6.1. Using the search interface

6.1.1. Customizing columns

6.2. Changelogs of SCB

6.3. Reports

6.4. The SCB connection database

6.4.1. Connection metadata

6.4.2. Creating predefined filters

6.5. Configuring custom reports

6.6. Monitoring the status of AP indexing services

6.7. Configuring full-text indexing of audit trails

7. Viewing session information and replaying audit trails

7.1. Installing the Audit Player application

7.2. Replaying audit trails

7.2.1. Downloading audit trails from SCB

7.2.2. Replaying a session with the Audit Player

7.2.3. Replaying SCP and SFTP sessions

7.3. Using AP

7.3.1. Finding specific audit trails

7.3.2. Using projects

7.3.3. Replaying and processing encrypted audit trails

7.3.4. Searching in graphical streams

7.4. Troubleshooting the Audit Player

7.4.1. Logging with the Audit Player

7.4.2. Keys and certificates

7.4.3. Keyframe building errors

8. Advanced authentication and authorization techniques

8.1. Configuring usermapping policies

8.2. Configuring gateway authentication

8.2.1. Configuring outband gateway authentication

8.2.2. Performing outband gateway authentication on SCB

8.2.3. Performing inband gateway authentication in SSH connections

8.2.4. Troubleshooting gateway authentication

8.3. Configuring 4-eyes authorization

8.3.1. Configuring 4-eyes authorization

8.3.2. Performing 4-eyes authorization on SCB

9. Best practices and configuration examples

9.1. Configuring public-key authentication on SCB

9.1.1. Configuring public-key authentication using local keys

9.1.2. Configuring public-key authentication using an LDAP server and a fixed key

9.1.3. Configuring public-key authentication using an LDAP server and generated keys

9.2. Organizing connections in Bastion mode

9.2.1. Organizing connections based on port numbers

9.2.2. Organizing connections based on alias IP addresses

9.2.3. Accessing the SCB host in Bastion mode using SSH

9.3. Using nontransparent Bastion mode

9.4. Restoring SCB configuration and data

10. SCB scenarios

10.1. SSH usermapping and keymapping in AD with public key

Appendix 1. About the Secure Shell protocol in a nutshell

1.1. The basic operation of SSH

1.2. Configuring encryption parameters

Appendix 2. Package contents inventory

Appendix 3. BalaBit Shell Control Box Hardware Installation Guide

3.1. Installing the SCB hardware

3.2. Installing two SCB units in HA mode

Appendix 4. BalaBit Shell Control Box VMware Installation Guide

4.1. Limitations of SCB under VMware

4.2. Installing SCB under VMware ESXi

Appendix 5. BalaBit Shell Control Box End User License Agreement

5.1. SUBJECT OF THE LICENSE CONTRACT

5.2. DEFINITIONS

5.3. WORDS AND EXPRESSIONS

5.4. LICENSE GRANTS AND RESTRICTIONS

5.5. SUBSIDIARIES

5.6. INTELLECTUAL PROPERTY RIGHTS

5.7. TRADE MARKS

5.8. NEGLIGENT INFRINGEMENT

5.9. INTELLECTUAL PROPERTY INDEMNIFICATION

5.10. LICENSE FEE

5.11. WARRANTIES

5.12. DISCLAIMER OF WARRANTIES

5.13. LIMITATION OF LIABILITY

5.14. DURATION AND TERMINATION

5.15. AMENDMENTS

5.16. WAIVER

5.17. SEVERABILITY

5.18. NOTICES

5.19. MISCELLANEOUS

Appendix 6. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

Glossary

Index