Copyright © 1996-2012 BalaBit IT Security Ltd.
This guide is published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. See Appendix 6, Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License for details. The latest version is always available at http://www.balabit.com/support/documentation.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
This documentation and the product it describes are considered protected by copyright according to the applicable laws.
The Zorp™ name and the Zorp™ logo are registered trademarks of BalaBit.
The BalaBit Shell Control Box™ name and the BalaBit Shell Control Box™ logo are registered trademarks of BalaBit.
The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of BalaBit.
The BalaBit™ name and the BalaBit™ logo are registered trademarks of BalaBit.
Linux™ is a registered trademark of Linus Torvalds.
Debian™ is a registered trademark of Software in the Public Interest Inc.
Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008 and 7 are registered trademarks of Microsoft Corporation.
Linux™ is a registered trademark of Linus Torvalds.
Debian™ is a registered trademark of Software in the Public Interest Inc.
Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, and Server 2008 are registered trademarks of Microsoft Corporation.
MySQL™ is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Oracle™, JD Edwards™, PeopleSoft™, and Siebel™ are registered trademarks of Oracle Corporation and/or its affiliates.
Sun™, Sun Microsystems™, the Sun logo, Sun Fire 4140™, Sun Fire 2100™, Sun Fire 2200™, Sun Fire 4540™, and Sun StorageTek™ are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries.
VMware™, VMware ESX™ and VMware View™ are trademarks or registered trademarks of VMware, Inc. and/or its affiliates.
Citrix®, ICA® and XenApp™ are trademarks or registered trademarks of Citrix Systems, Inc.
All other product names mentioned herein are the trademarks of their respective owners.
Some rights reserved.
DISCLAIMER
BalaBit is not responsible for any third-party Web sites mentioned in this document. BalaBit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaBit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.
January 18, 2012
Abstract
This document is the primary manual of the BalaBit Shell Control Box 3 F2.
Table of Contents
- Preface
- 1. Introduction
- 2. The concepts of SCB
- 2.1. The philosophy of SCB
- 2.2. Supported protocols and client applications
- 2.3. Modes of operation
- 2.4. Connecting to a server through SCB
- 2.5. SSH hostkeys
- 2.6. Authenticating clients using public-key authentication in SSH
- 2.7. The gateway authentication process
- 2.8. 4-eyes authorization
- 2.9. Network interfaces
- 2.10. High Availability support in SCB
- 2.11. Firmware in SCB
- 2.12. Versions and releases of SCB
- 2.13. Accessing and configuring SCB
- 2.14. Licenses
- 3. The Welcome Wizard and the first login
- 4. Configuring and managing SCB
- 4.1. Supported web browsers and operating systems
- 4.2. The structure of the web interface
- 4.3. Basic settings
- 4.4. User management and access control
- 4.4.1. Managing SCB users locally
- 4.4.2. Setting password policies for local users
- 4.4.3. Managing local usergroups
- 4.4.4. Managing SCB users from an LDAP database
- 4.4.5. Authenticating users to a RADIUS server
- 4.4.6. Managing user rights and usergroups
- 4.4.7. Listing and searching configuration changes
- 4.4.8. Displaying the privileges of users and user groups
- 4.5. Managing SCB
- 5. Configuring connections
- 5.1. General connection settings
- 5.1.1. Configuring connections
- 5.1.2. Modifying the destination address
- 5.1.3. Modifying the source address
- 5.1.4. Creating and editing channel policies
- 5.1.5. Configuring time policies
- 5.1.6. Creating and editing user lists
- 5.1.7. Authenticating users to an LDAP server
- 5.1.8. Audit policies
- 5.1.9. Verifying certificates with Certificate Authorities
- 5.1.10. Signing certificates on-the-fly
- 5.1.11. Forwarding traffic to an IDS or DLP system
- 5.1.12. Configuring cleanup for the SCB connection database
- 5.2. SSH-specific settings
- 5.3. RDP-specific settings
- 5.3.1. Supported RDP channel types
- 5.3.2. Creating and editing protocol-level RDP settings
- 5.3.3. Joining SCB into a domain
- 5.3.4. Using SSL-encrypted RDP connections
- 5.3.5. Verifying the certificate of the RDP server in encrypted connections
- 5.3.6. Using SCB as a Terminal Services Gateway
- 5.3.7. Configuring Remote Desktop clients for gateway authentication
- 5.3.8. Usernames in RDP connections
- 5.4. ICA-specific settings
- 5.5. Telnet-specific settings
- 5.6. VNC-specific settings
- 5.7. VMware View connections
- 6. Browsing log messages and SCB reports
- 6.1. Using the search interface
- 6.2. Changelogs of SCB
- 6.3. The SCB connection database
- 6.4. Displaying statistics on search results
- 6.5. Creating statistics from custom database queries
- 6.6. Database tables available for custom queries
- 6.7. Reports
- 6.8. Indexing and reporting on audit-trail content
- 7. Viewing session information and replaying audit trails
- 8. Advanced authentication and authorization techniques
- 9. Best practices and configuration examples
- 10. SCB scenarios
- 1. About the Secure Shell protocol in a nutshell
- 2. Package contents inventory
- 3. BalaBit Shell Control Box Hardware Installation Guide
- 4. BalaBit Shell Control Box VMware Installation Guide
- 5. BalaBit Shell Control Box End User License Agreement
- 5.1. SUBJECT OF THE LICENSE CONTRACT
- 5.2. DEFINITIONS
- 5.3. WORDS AND EXPRESSIONS
- 5.4. LICENSE GRANTS AND RESTRICTIONS
- 5.5. SUBSIDIARIES
- 5.6. INTELLECTUAL PROPERTY RIGHTS
- 5.7. TRADE MARKS
- 5.8. NEGLIGENT INFRINGEMENT
- 5.9. INTELLECTUAL PROPERTY INDEMNIFICATION
- 5.10. LICENSE FEE
- 5.11. WARRANTIES
- 5.12. DISCLAIMER OF WARRANTIES
- 5.13. LIMITATION OF LIABILITY
- 5.14. DURATION AND TERMINATION
- 5.15. AMENDMENTS
- 5.16. WAIVER
- 5.17. SEVERABILITY
- 5.18. NOTICES
- 5.19. MISCELLANEOUS
- 6. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License
- Glossary
- Index
List of Examples
List of Procedures
- 2.4.1. Connecting to a server through SCB using SSH
- 2.4.2. Connecting to a server through SCB using RDP
- 2.7. The gateway authentication process
- 2.8. 4-eyes authorization
- 3.1.1. Creating an alias IP address (Microsoft Windows)
- 3.1.2. Creating an alias IP address (Linux)
- 3.1.3. Modifying the IP address of SCB
- 3.2. Configuring SCB with the Welcome Wizard
- 3.3. Logging in to SCB and configuring the first connection
- 4.3.1.1. Configuring the management interface
- 4.3.1.2. Routing management traffic to the management interface
- 4.3.2.1. Configuring a time (NTP) server
- 4.3.3.1. Configuring system logging
- 4.3.3.2. Configuring e-mail alerts
- 4.3.3.3. Configuring SNMP alerts
- 4.3.3.4. Querying SCB status information using agents
- 4.3.4.1. Configuring monitoring
- 4.3.4.3. Preventing disk space fill up
- 4.3.5.1. Creating configuration and data backups
- 4.3.5.2. Archiving the collected data
- 4.3.5.3. Encrypting configuration backups with GPG
- 4.3.5.4.1. Configuring Rsync over SSH
- 4.3.5.4.2. Configuring SMB
- 4.3.5.4.3. Configuring NFS
- 4.4.1. Managing SCB users locally
- 4.4.2. Setting password policies for local users
- 4.4.3. Managing local usergroups
- 4.4.4. Managing SCB users from an LDAP database
- 4.4.5. Authenticating users to a RADIUS server
- 4.4.6.1. Modifying group privileges
- 4.4.6.2. Creating new usergroups for the SCB web interface
- 4.5.1.1. Disabling controlled traffic
- 4.5.1.2. Disabling controlled traffic permanently
- 4.5.2.3. Configuring redundant Heartbeat interfaces
- 4.5.2.5. Configuring next-hop router monitoring
- 4.5.3.1.1. Updating SCB and managing the firmware
- 4.5.3.1.2. Upgrading both the core and the boot firmware of a high availability system
- 4.5.3.1.3. Reverting to an older firmware version
- 4.5.3.2. Updating the SCB license
- 4.5.3.3. Exporting the configuration of SCB
- 4.5.3.4. Importing the configuration of SCB
- 4.5.4.1. Network troubleshooting
- 4.5.4.3. Viewing logs on SCB
- 4.5.4.4. Changing log verbosity level of SCB
- 4.5.4.5. Collecting logs and system information for error reporting
- 4.5.4.6.1. Displaying custom connection statistics
- 4.5.4.7.1. Recovering SCB if both nodes broke down
- 4.5.4.7.2. Recovering from a split brain situation
- 4.5.5.2. Enabling SSH access to the SCB host
- 4.5.5.3. Changing the root password of SCB
- 4.5.6.1. Disabling sealed mode
- 4.5.8.1. Generating certificates for SCB
- 4.5.8.2. Uploading external certificates to SCB
- 5.1.1. Configuring connections
- 5.1.2. Modifying the destination address
- 5.1.3. Modifying the source address
- 5.1.4. Creating and editing channel policies
- 5.1.5. Configuring time policies
- 5.1.6. Creating and editing user lists
- 5.1.7. Authenticating users to an LDAP server
- 5.1.8.1. Encrypting audit trails
- 5.1.8.2.1. Built-in timestamping service
- 5.1.8.2.2. External timestamping service
- 5.1.8.3. Digitally signing audit trails
- 5.1.8.4. Limiting audit trails
- 5.1.9. Verifying certificates with Certificate Authorities
- 5.1.10. Signing certificates on-the-fly
- 5.1.11. Forwarding traffic to an IDS or DLP system
- 5.1.12. Configuring cleanup for the SCB connection database
- 5.2.1. Setting the SSH host keys and certificates of the connection
- 5.2.3.1. Creating a new authentication policy
- 5.2.3.2.1. Local client-side authentication
- 5.2.3.4. How to map keys and certificates
- 5.2.4.1. Automatically adding the host keys and host certificates of a server to SCB
- 5.2.4.2. Manually adding the host key or host certificate of a server
- 5.2.5. Creating and editing protocol-level SSH settings
- 5.3.2. Creating and editing protocol-level RDP settings
- 5.3.3. Joining SCB into a domain
- 5.3.4. Using SSL-encrypted RDP connections
- 5.3.5. Verifying the certificate of the RDP server in encrypted connections
- 5.3.6. Using SCB as a Terminal Services Gateway
- 5.3.7. Configuring Remote Desktop clients for gateway authentication
- 5.4.3. Creating and editing protocol-level ICA settings
- 5.5.1. Creating and editing protocol-level Telnet settings
- 5.6.1. Creating and editing protocol-level VNC settings
- 6.1.1. Customizing columns
- 6.3.2.1. Creating and saving filters for later use
- 6.4. Displaying statistics on search results
- 6.5. Creating statistics from custom database queries
- 6.7.2. Configuring custom reports
- 6.8.1. Configuring full-text indexing of audit trails
- 6.8.3. Creating reports from audit-trail content
- 7.1. Installing the Audit Player application
- 7.2.1. Downloading audit trails from SCB
- 7.2.2. Replaying a session with the Audit Player
- 7.2.3. Replaying SCP and SFTP sessions
- 7.3.3.1. Importing certificates with MMC
- 7.3.3.2. Converting certificates using OpenSSL
- 7.3.3.3. Converting certificates using Firefox
- 7.4.1.1. AP logging in user mode
- 7.4.1.2. AP logging as an indexer service
- 8.1. Configuring usermapping policies
- 8.2.1. Configuring outband gateway authentication
- 8.2.2. Performing outband gateway authentication on SCB
- 8.2.3. Performing inband gateway authentication in SSH connections
- 8.2.4. Performing inband gateway authentication in RDP connections
- 8.3.1. Configuring 4-eyes authorization
- 8.3.2. Performing 4-eyes authorization on SCB
- 8.4.1. Configuring local Credential Stores
- 8.4.2. Configuring password-protected Credential Stores
- 8.4.3. Unlocking Credential Stores
- 8.4.4. Using Lieberman ERPM to authenticate on the target hosts
- 9.1.1. Configuring public-key authentication using local keys
- 9.1.2. Configuring public-key authentication using an LDAP server and a fixed key
- 9.1.3. Configuring public-key authentication using an LDAP server and generated keys
- 9.2.1. Organizing connections based on port numbers
- 9.2.2. Organizing connections based on alias IP addresses
- 9.3. Using nontransparent Bastion mode
- 9.4. Restoring SCB configuration and data
- 10.1. SSH usermapping and keymapping in AD with public key
- 3.1. Installing the SCB hardware
- 3.2. Installing two SCB units in HA mode
- 4.2. Installing SCB under VMware ESXi
Welcome to the BalaBit Shell Control Box 3 F2 Administrator Guide!
This document describes how to configure and manage the BalaBit Shell Control Box (SCB). Background information for the technology and concepts used by the product is also discussed.
Chapter 1, Introduction describes the main functionality and purpose of the BalaBit Shell Control Box.
Chapter 2, The concepts of SCB discusses the technical concepts and philosophies behind SCB.
Chapter 3, The Welcome Wizard and the first login describes what to do after assembling SCB — it is a step-by-step guide for the initial configuration.
Chapter 4, Configuring and managing SCB provides detailed description on configuring and managing SCB as a host.
Chapter 5, Configuring connections discusses how to configure and audit SSH, RDP, ICA, Telnet, and VNC connections.
Chapter 7, Viewing session information and replaying audit trails describes how to search and display audit trails, generate reports, and replay the audited sessions.
Chapter 8, Advanced authentication and authorization techniques describes how to configure gateway authentication and 4-eyes authorization for the connections.
Chapter 9, Best practices and configuration examples gives step-by-step procedures to configure special aspects of SCB.
Chapter 10, SCB scenarios discusses common scenarios for SCB.
Appendix 1, About the Secure Shell protocol in a nutshell is a brief introduction into the Secure Shell protocol.
Appendix 2, Package contents inventory lists the contents of the package you receive with the BalaBit Shell Control Box.
Appendix 3, BalaBit Shell Control Box Hardware Installation Guide describes how to set up the BalaBit Shell Control Box (SCB) hardware.
Appendix 4, BalaBit Shell Control Box VMware Installation Guide describes how to install BalaBit Shell Control Box (SCB) as a virtual appliance.
Appendix 5, BalaBit Shell Control Box End User License Agreement includes the text of the End User License Agreement applicable to SCB products.
Appendix 6, Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License includes the text of the Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License applicable to The BalaBit Shell Control Box 3 F2 Administrator Guide.
The Glossary provides definitions of important terms used in this guide.
The Index provides cross-references to important terms used in this guide.
This guide is intended for auditors, consultants, and security experts responsible for securing, auditing, and monitoring server administration processes, especially remote server management. It is also useful for IT decision makers looking for a tool to improve the security and auditability of their servers, or to facilitate compliance to the Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Basel II, or the Payment Card Industry (PCI) standard.
The following skills and knowledge are necessary for a successful SCB administrator:
At least basic system administration knowledge.
An understanding of networks, TCP/IP protocols, and general network terminology.
Working knowledge of the UNIX or Linux operating system is not mandatory but highly useful.
In-depth knowledge of various server applications is required for forensics situations.
This guide describes the use of the BalaBit Shell Control Box version 3 F2.
Before you start using this guide, it is important to understand the terms and typographical conventions used in the documentation. For more information on specialized terms and abbreviations used in the documentation, see the Glossary at the end of this document.
The following kinds of text formatting and icons identify special information in the document.
![[Tip]](./tip.png) |
Tip |
|---|---|
Tips provide best practices and recommendations. |
![[Note]](./note.png) |
Note |
|---|---|
Notes provide additional information on a topic, and emphasize important facts and considerations. |
![[Warning]](./warning.png) |
Warning |
|---|---|
Warnings mark situations where loss of data or misconfiguration of the device is possible if the instructions are not obeyed. |
- Command
Commands you have to execute.
- Emphasis
Reference items, additional readings.
-
/path/to/file File names.
-
Parameters Parameter and attribute names.
- Label
GUI output messages or dialog labels.
A submenu or menu item in the menu bar.
Buttons in dialog windows.
This product is developed and maintained by BalaBit IT Security Ltd. We are located in Budapest, Hungary. Our address is:
BalaBit IT Security Ltd.
2 Alíz Street
H-1117 Budapest, Hungary
Tel: +36 1 398-6700
Fax: +36 1 208-0875
E-mail: <info@balabit.com>
Web: http://www.balabit.com/
You can directly contact us with sales related topics at the e-mail address
<sales@balabit.com>.
You can register your copy of your product online on the BalaBit website. Registration is a prerequisite for all of our product-related services. Your product can be registered online here.
Online and telephone support is available for registered users of this product, please write or call us for details.
Support e-mail address: <support@balabit.com>.
Support hotline: +36 1 371 0540 (available from 9 AM to 5 PM CET on weekdays)
For online support, sign up for an account at the MyBalaBit page and request access to the BalaBit Online Support System (BOSS). Online support is available 24 hours a day. BOSS is available only for registered users with a valid support package.
BalaBit IT Security Ltd. holds courses on using its products for new and experienced users. For dates, details, and application forms, visit the http://www.balabit.com/support/trainings/ webpage.
This guide is a work-in-progress document with new versions appearing periodically.
The latest version of this document can be downloaded from the BalaBit website here.
For news and update notifications about documentation, visit the BalaBit Documentation Blog.
Changes in product:
Changes in documentation:
Notes about username case-sensitivity and authenticating domain users have been added to Section 8.4, Using credential stores for server-side authentication.
Changes in product:
Console commands have been updated in Procedure 4.5.4.7.2, Recovering from a split brain situation.
Chapter 6, Browsing log messages and SCB reports has been updated and restructured.
Notes and warnings have been added about NAT and gateway authentication to Procedure 8.2.1, Configuring outband gateway authentication.
The option has been renamed to .
Section 4.4.8, Displaying the privileges of users and user groups has been added to the document.
Procedure Displaying information about connections has been renamed to Procedure 6.1.1, Customizing columns.
A note about DHCP traffic has been added to Section 2.3.1, SCB in Bridge mode.
Some labels on the page have been changed. Client authentication backend has been renamed to ; Server authentication methods has been renamed to ; and the Server authentication method has been renamed to .
Section 8.4, Using credential stores for server-side authentication has been added to the document.
Updated Procedure 4.5.8.2, Uploading external certificates to SCB with certificate requirements and possibilities on converting certificate.
Figures Authenticating using Credential Stores; Configuring local Credential Stores; Configuring password-protected Credential Stores; Using Lieberman ERPM to authenticate on the target hosts; Using Lieberman ERPM Domain/Host mapping have been added to the document.
Figures Performing 4-eyes authorization; Monitoring the status of the Audit Player clients; Configuring custom reports; Browsing the connections database; Browsing reports; ICA settings; Configuring SCB as a Terminal Services Gateway; Using SSL-encryption in RDP connections; Joining a domain; RDP settings; SSH settings; Mapping keys and certificates; Configuring authentication policies; Configuring authentication policies; Configuring SSH host keys of the connection; Configuring connection database cleanup for a connection; Configuring connection database cleanup for a protocol; Enabling IDS-forwarding; Configuring IDS-forwarding; Creating Signing CAs; Creating Trusted CA lists; Configuring a remote TSA; Signing audit trails; Configuring LDAP Server policies; Configuring user lists; Configuring time policies; Configuring channel policies; Configuring connections; Changing the web certificate of SCB; Information about the IPMI interface SCB; Changing the root password of SCB; Enabling remote SSH access to SCB; The dashboard; Disabling the controlled traffic persistently; Network troubleshooting with SCB; Exporting the SCB configuration; Updating the license; Managing the firmwares; Configuring next hop monitoring; Configuring redundant Heartbeat interfaces; Managing a high availability cluster; Disabling the controlled traffic; Performing basic management; Browsing configuration changes; Modifying group privileges; Finding specific usergroups; Configuring RADIUS authentication; Configuring LDAP authentication; Group management; Configuring password policies; Creating local users; Configuring backups via SMB/CIFS; Configuring backups using rsync; Configuring backups and archiving; Configuring system backups; Configuring NFS backups; Configuring SNMP and e-mail alerting; Configuring SNMP agent access; Configuring SNMP alerts using SNMPv3; Configuring SNMP alerts; Configuring e-mail sending; Configuring system logging and e-mail alerts; Configuring the management interface; Network settings; Date and time management; Structure of the web interface; A connection in Router mode; A connection in Bastion mode; Configuring 4-eyes authorization in the channel policy; Configuring 4-eyes authorization; Performing gateway authentication; Configuring gateway authentication; Configuring usermapping policies; Indexing and audit trail processing; Gateway authentication; Authentication policies; 4-eyes authorization have been updated.
Changes in documentation:
Section 5.2.3, Authentication Policies has been updated and clarified.
Procedure 7.1, Installing the Audit Player application has been updated for Audit Player version 2011.3.
A warning has been added to Procedure 4.5.2.3, Configuring redundant Heartbeat interfaces about using redundant HA links in Bridge mode.
A warning has been added to Procedure 4.5.3.3, Exporting the configuration of SCB about importing configurations of older SCB versions.
Section 7.4.3, Keyframe building errors has been added to Section 7.4, Troubleshooting the Audit Player.
Section 5.4.5, Troubleshooting Citrix-related problems has been added to Section 5.4, ICA-specific settings.
Updated version policy information in Section 2.12, Versions and releases of SCB.
Changes in product:
ICA protocol has been added to sections Section 4.2, The structure of the web interface; Section 2.1, The philosophy of SCB and Section 2.2, Supported protocols and client applications.
Section 5.4, ICA-specific settings has been added to the document.
Chapter 10, SCB scenarios has been added to the document.
-
Glossary has been updated with the following entries:
Common Gateway Protocol (CGP)
ICA
Figures A connection in Bastion mode; A connection in Router mode; Structure of the web interface; System monitor; Main workspace; Network settings; Configuring the management interface; Configuring system logging and e-mail alerts; Configuring e-mail sending; Configuring SNMP alerts; Configuring SNMP alerts using SNMPv3; Configuring SNMP agent access; Configuring SNMP and e-mail alerting; Configuring system backups; Configuring backups and archiving; Configuring backups using rsync; Configuring backups via SMB/CIFS; Creating local users; Configuring password policies; Group management; Configuring LDAP authentication; Configuring RADIUS authentication; Managing SCB users; Browsing configuration changes; Performing basic management; Disabling the controlled traffic; Disabling the controlled traffic persistently; Managing a high availability cluster; Configuring redundant Heartbeat interfaces; Configuring next hop monitoring; Managing the firmwares; Updating the license; Exporting the SCB configuration; Network troubleshooting with SCB; The dashboard; Enabling remote SSH access to SCB; Changing the root password of SCB; Information about the IPMI interface SCB; Changing the web certificate of SCB; Configuring connections; Configuring channel policies; Configuring time policies; Configuring user lists; Configuring LDAP Server policies; Encrypting audit trails; Configuring a remote TSA; Creating Trusted CA lists; Creating Signing CAs; Configuring IDS-forwarding; Enabling IDS-forwarding; Configuring connection database cleanup for a protocol; Configuring connection database cleanup for a connection; Configuring SSH host keys of the connection; Configuring authentication policies; Mapping keys and certificates; Server host keys; SSH settings; RDP settings; Joining a domain; Using SSL-encryption in RDP connections; Browsing reports; Browsing the connections database; Configuring custom reports; Monitoring the status of the Audit Player clients; Configuring usermapping policies; Performing gateway authentication; Configuring 4-eyes authorization in the channel policy; Performing 4-eyes authorization have been updated.
Figures ICA settings; Client - SCB - Server (Transparent mode); Client - SCB - Server (Non-transparent mode); Client - Broker - SCB - Server (Transparent mode); Client - Broker - original secure gateway - Secure Ticket Authority (STA) - SCB - Server; Client - Broker - SCB as socks proxy - Server; have been added to the document.
SCB can operate as a Terminal Services Gateway, as described in Procedure 5.3.6, Using SCB as a Terminal Services Gateway.
Section 3.1, The initial connection to SCB has been updated to include that SCB can receive IP address via DHCP.
Procedure 8.1, Configuring usermapping policies and Section 8.2, Configuring gateway authentication have been updated to include the Citrix ICA protocol.
Added a note about enabling SCB management and using IP aliases on the same interface to Section 4.3.1, Network settings.
Added a note about predefined filters without usergroups specified to Procedure 6.3.2.1, Creating and saving filters for later use.
Section 5.3.8, Usernames in RDP connections has been added to the document.
Changes in documentation:
Legal Notice has been updated.
Procedure Displaying information about connections has been renamed to Procedure 6.1.1, Customizing columns.
Clarified how timeout values work in the Creating and editing protocol-specific options procedures.
Procedure 5.3.5, Verifying the certificate of the RDP server in encrypted connections has been extended to include how to set the certificate the Windows server displays in RDP connections.
A warning has been added to Procedure 4.5.3.1.3, Reverting to an older firmware version.
A warning about CIFS incompatibility with NetApp devices has been added to Section 4.3.5, Data and configuration archiving and backups.
Corrected the list of supported color depth in RDP connections in Procedure 5.3.2, Creating and editing protocol-level RDP settings.
Editorial changes.
Changes in product:
A tip about using SCB in Router mode with a single network interface has been added to Section 2.3.2, SCB in Router mode.
References to hardware manuals in Appendix BalaBit Shell Control Box Hardware Installation Guide have been updated and corrected.
Procedure Replaying SCP and SFTP sessions has been added to the document.
Procedure Preventing disk space fill up has been added to the document.
Procedure Configuring cleanup for the SCB connection database has been added to the document.
Section VMware View connections has been added to the document.
Figure SFTP session has been added to the document.
Appendix BalaBit Shell Control Box Hardware Installation Guide and Section Licenses has been updated to cover the new appliances.
Appendix BalaBit Shell Control Box VMware Installation Guide has been added to the document.
Procedure Modifying the IP address of SCB has been added to the document.
Section Solving the "double-assign" problem in RDP has been removed from the document as the described problem has been corrected.
Appendix BalaBit Shell Control Box Software Installation Guide has been removed from the document.
Figures SCB in Bridge mode; SCB in Router mode; SCB in Bastion mode; SCB in Nontransparent mode; A connection in Router mode; User menu and user info; Main workspace; Network settings; Configuring the management interface; Routing; Configuring system logging and e-mail alerts; Configuring e-mail sending; Configuring SNMP alerts; Configuring SNMP alerts using SNMPv3; Configuring SNMP agent access; Configuring SNMP and e-mail alerting; Configuring system backups; Modifying group privileges; Browsing configuration changes; Disabling the controlled traffic; Disabling the controlled traffic persistently; Network troubleshooting with SCB; Changing the verbosity level; Collecting debug information; Managing the firmwares; Updating the license; Exporting the SCB configuration; Importing the SCB configuration; Enabling remote SSH access to SCB; Changing the root password of SCB; Changing the web certificate of SCB; Configuring connections; Configuring a remote TSA; Configuring IDS-forwarding; Configuring channel policies; Enabling IDS-forwarding; Using SSL-encryption in RDP connections; Displaying search information; Browsing reports; Configuring gateway authentication; Configuring 4-eyes authorization; Performing basic management; Managing a high availability cluster; Adjusting DRBD synchronization speed; Configuring redundant Heartbeat interfaces; Configuring next hop monitoring; Information about the IPMI interface SCB; Configuring service mode in AP; have been updated.
Figure Configuring LDAP authentication has been removed from the document.
Procedures Connecting to a server through SCB using SSH; Configuring 4-eyes authorization; Connecting to a server through SCB using RDP; Configuring system logging; Creating configuration and data backups; Configuring usermapping policies; Configuring gateway authentication; Managing SCB users from an LDAP database; Protocol-level SSH settings; Configuring connections have been updated.
Section Supported SSH channel types has been updated to cover the new options of the SFTP and SCP channels.
A warning has been added to Procedure Creating configuration and data backups about the list of files omitted from notification e-mails.
The list of metadata columns available in Section Connection metadata has been updated.
A procedure describing the usage of multicore processors in Audit Player has been added to Procedure Installing the Audit Player application.
Section High Availability status explained has been updated with 'Converted' status.
New alerts have been added to section System related traps.
Management Information Bases (MIB) are now downloadable directly from SCB.
Firefox 2.x versions have been removed from the supported browsers list in section Supported web browsers and operating systems.
Windows 7 has been added to the supported operating systems list in sections Supported web browsers and operating systems, Supported protocols and client applications and Viewing session information and replaying audit trails.
64-bit Windows platforms have been added to the supported operating systems list in Section Viewing session information and replaying audit trails.
SUN hardware options have been replaced with new BalaBit branded hardware options.
Intraday archival has been added to Procedure Archiving the collected data.
Changes in documentation:
Section Summary of changes has been added to the document.
Procedures in the HTML version of the document appear on separate HTML pages.
Labels of cross-references pointing to procedure steps have been corrected.
Procedures have been restructured to facilitate easier understanding.
Latin abbreviations have been replaced in document with their English equivalents.
Editorial changes.
Any feedback is greatly appreciated, especially on what else this document should cover.
General comments, errors found in the text, and any suggestions about how to improve the
documentation is welcome at <documentation@balabit.com>.
This chapter introduces the BalaBit Shell Control Box (SCB) in a non-technical manner, discussing how and why is it useful, and what additional security it offers to an existing IT infrastructure.
SCB is a device that controls, monitors, and audits remote administrative access to servers. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server- and client applications do not have to be modified in order to use SCB — it integrates smoothly into the existing infrastructure.
SCB logs all administrative traffic (including configuration changes, executed commands, and so on) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown) the circumstances of the event are readily available in the audit trails, thus the cause of the incident can be easily identified. The recorded audit trails can be displayed like a movie – recreating all actions of the administrator. All audit trails are indexed on a separate indexing-server, enabling fast forwarding during replay, searching for events (for example mouse clicks, pressing the Enter key) and texts seen by the administrator. Reports and automatic searches can be configured as well. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, thus sensitive information like passwords are displayed only when necessary.
SCB can also remove the encryption from the traffic and forward the unencrypted traffic to an Intrusion Detection System (IDS), making it possible to analyze the contents of the encrypted traffic. That way traffic that was so far unaccessible for IDS analyzes can be inspected real-time. Other protocols tunneled in SSH can be inspected as well. Similarly, the list of files transferred and accessed in the encrypted protocols can be sent to a Data Leakage Prevention (DLP) system.
SCB has full control over the SSH, RDP, Telnet, TN3270, Citrix ICA, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of SCB are the following:
Disable unwanted channels and features (for example TCP port forwarding, file transfer, VPN, and so on)
Enforce the use of the selected authentication methods (password, publickey, and so on)
Require outband authentication on the SCB gateway
Enforce 4-eyes authorization with real-time monitoring and auditing capabilities
Audit the selected channels into encrypted and timestamped , and digitally signed audit trails
Retrieve group memberships of the user from an LDAP database
Verify the hostkeys and host certificates of the accessed servers
SCB is configured and managed from any modern web browser that supports HTTPS connections, JavaScript, and cookies.
SCB is not a firewall. Although it uses advanced firewall technologies, it is an access controlling and auditing device focusing on server administration processes. Actually, it is a device that controls, monitors and audits remote administrative access to servers.
SCB monitors only the passing traffic of administrators accessing the servers remotely. Consequently, it cannot protect the server from local access, nor can it detect such events. If someone has access to a protected server from a local console, then anything he does is beyond the capabilities of SCB.
SCB can be used to control administrative access to the servers. In case of large server farms, it provides a simple way to change or restrict access policies, for example, to disable password-based authentication in SSH, control RDP channels, or to deny the account of an administrator, without having to modify the configuration of each server one-by-one. However, SCB does not and should not be used to replace the proper configuration of the servers, as perfunctory server configuration inevitably introduces security risk beyond the scope of SCB.
Server administration must be audited in order to record all important events about a server. However, — for security reasons — servers are almost exclusively administered using encrypted protocols, making system administration difficult to monitor and audit. To achieve reliable auditing, the data collection has to be transparent and independent from the client and the server. Otherwise, a skilled administrator (or attacker) could manipulate the logs to mask the traces of his actions or other events. SCB solves exactly these problems by transparently monitoring the encrypted channels used in administration and introducing a separate auditor layer to oversee system administrators.
The RDP (including VMware View) and VNC-auditing capabilities of SCB is beneficial to record and archive the actions performed on thin-client applications, and helpdesks.
The Telnet-auditing capability of SCB is useful to record and archive the administration of networking devices.
SCB is useful for everyone who has a server and has to control and audit the activities of the administrators. In particular, SCB is invaluable for:
Policy compliance: Certain regulations — such as the Sarbanes-Oxley Act (SOX) or Basel II — require the financial director of an organization to certify that all financial data they provide to the authorities is accurate and has not been modified. Other industries have similar regulations (like the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry (PCI)) about protecting personal or credit card information. Such data is usually stored in a database on a central server, and is accessible only via dedicated applications, such as the accounting software. These applications always create the logs and reports necessary for policy compliance. However, these applications are aware only of legitimate accesses to the database. The server storing the database has to be accessible also by server administrators for maintenance reasons. Having superuser privileges on the server, these administrators have the possibility to directly access and manipulate the database, and also to erase the traces of such actions from the server logs. However, SCB can audit the actions of the administrators, complementing the logs and reports of other applications.
Organizations having outsourced IT: Many organizations hire external companies to configure, maintain, and oversee their servers and IT services. This essentially means that the organization is willing to trust the administrators of this external company with all their data (for example private and business e-mails, customer information, and so on), or even with business-critical services like the operation of their online shop. Obviously, in such situations it is reassuring to have an independent device that can reliably log all administrative activities. SCB does exactly this — it provides detailed information about any problems with the server, making it easy to find those responsible. Using the 4-eyes authorization method, SCB provides real-time control over the remote server access and the administrative actions.
Organizations offering remote management: Organizations on the other end of the outsourcing line — like server- and webhosting companies — can equally benefit from SCB. It gives them the possibility to oversee and audit the administrators, and is also a great tool to evaluate their effectiveness. The recorded audit trails can also be used as evidence to settle any issues about the remotely administered servers. SCB also improves the control over Service Level Agreements (SLA), as the fulfillment of the services can be verified using the recorded audit trails and access reports.
Organizations using thin-client infrastructures: SCB can audit the channels used in popular thin-client solutions, providing an application-independent way to record and monitor the activities of every client.
Real-time file transfer and file access monitoring: SCB can send the list of accessed and transferred files to an external Data Leakage Prevention (DLP) system that can recognize, track and alert on the access (data at rest) and transfer (data in motion) of sensitive data. That way the DLP policy of the organization can be extended to the – so far uncontrolled – encrypted protocols like SSH and SFTP.
Organizations in need to control SSH: Many organizations have to permit outgoing SSH connections, but do not wish to do so without control, as virtually any other protocol can be tunneled into SSH. SCB can control what type of traffic is permitted in an SSH connection, and can separately enable the different traffic types like terminal connections, SFTP file transfers, port- and X11 forwarding, or agent-forwarding.
Organizations using jump hosts: Many organizations use jump hosts to access remote servers or services. SCB can be used to authenticate and audit every access to the jump hosts. Since SCB can supports strong authentication methods (for example, X.509 certification based authentication) and authentication to user directories (for example Microsoft Active Directory and other LDAP databases), it can greatly simplify the key and password management of the hosts. This is especially useful if an organization has to access very many remote hosts, or has lots of jump hosts.
The following is a list of public references — companies who use SCB in their production environment:
This chapter discusses the technical concepts of SCB.
SCB is a device that examines Secure Shell (SSH, including forwarded X11 traffic), Secure Copy (SCP), SSH File Transfer Protocol (SFTP), Remote Desktop (RDP), Independent Computing Architecture (ICA), Telnet, VMware View, and VNC connections, ignoring and simply forwarding all other type of traffic. SCB uses man-in-the-middle techniques to decrypt and terminate the inspected connections. It separates the connections into two parts (client — SCB, SCB — server) and inspects all traffic, so that no data can be directly transferred between the server and the client.
|
Note |
|---|---|
SCB is built on application level technology, especially the SSH, RDP, and Telnet proxies of the Zorp Application Level Gateway. For more information on Zorp and this technology, visit BalaBit's website. |
The traffic is inspected on the application level, that is Layer 7 or the application layer of the OSI model. All communication must conform to the standards of the respective protocol, SCB rejects all protocol violations and anomalies to protect the servers from attacks. That way the servers are protected even from unknown attacks exploiting vulnerabilities of the server applications.
SCB has full control over the initial negotiation phase of the connection, when the client and the server decide the parameters of the encryption to be used in the communication. SCB can restrict the use of the various algorithms, forbidding the use of weak ones — an effective shield against downgrade attacks.
Since SCB isolates the client-server connection into two separate connections, the permitted algorithms can be different on the client and the server side.
SCB controls the connections right from the beginning — including user authentication. That way it is easy to mandate strong authentication for protocols where user information is available (for example SSH), because SCB can limit the allowed authentication methods and also the users permitted to access the servers.
SCB uses various policies to restrict who, when, and how can access a connection or a specific channel of the protocol. These policies (based on username, authentication method used, and so on) can be applied to connections between particular clients and servers, or also to specific channels of a connection (for example only to terminal-sessions in SSH, or desktop-sharing in RDP).
SCB is configured by an administrator or auditor using a web browser.
SCB supports the following protocols and clients. As a general rule, client applications not specifically tested but conforming to the relevant protocol standards should work with SCB.
-
Secure Shell Protocol: SCB supports only the SSHv2 protocol (RFCs 4251-54). The older and insecure v1 version is not supported. Supported client and server applications include: OpenSSH, Tectia®, and PuTTY.
-
Remote Desktop Protocol: RDP versions 4-7 are supported. Supported client and server applications: the built-in applications of the Windows XP, Windows Server 2003, Windows Vista, Windows 2008 Server, and Windows 7 platforms.
Note Other Remote Desktop clients are not explicitly supported, but may be compatible with SCB. When using an alternative client application, note the following limitations:
The rdesktop application and other client applications (for example, JAVA clients) that build on the rdesktop codebase do not support RDP shadowing and Terminal Services Gateway connections.
The Remote Desktop Connection Client for Mac application does not support RDP shadowing and Terminal Services Gateway connections.
-
ICA: The supported client versions: Online plugin 11 and 12 on Windows and Linux OS. The supported server versions: XenApp5 on Windows 2003 and 2008, XenApp6 on Windows 2008.
-
Telnet: Telnet traffic must conform RFC 854, and to various extensions described in RFCs 856-861, 652-658, 698, 726-27, 732-736, 749, 779, 885, 927, 933, 1041, 1043, 1053, 1073, 1079, 1091, 1096-97, 1184, 1372, 1408, 1572, 2066, 2217, 2840, 2941, and 2946.
TN3270: Telnet 3270 and 3270E terminal protocols.
-
Terminal Services Gateway Server Protocol: SCB can act as a Terminal Services Gateway and transfer the incoming connections to RDP connections.
-
Virtual Network Computing: VNC versions 3.3-3.8 are supported. Supported client and server applications: RealVNC, UltraVNC, TightVNC, KVM, Vino.
-
VMware View: VMware View Clients using the Remote Desktop (RDP) display protocol to access remote servers are supported. For details, see Section 5.7, VMware View connections.
SCB has three modes of operation: Bridge, Router, and Bastion. Which one is used depends on the layout of the network.
|
Tip |
|---|---|
It is recommended to design the network topology so that only management and server administration traffic passes SCB. This ensures that the services and applications running on the servers are accessible even in case SCB breaks down, so SCB cannot become a single point of failure. |
SCB supports also a nontransparent mode that works with any of the above three operation modes, but is most often used together with Bastion mode.
In Bridge mode, SCB acts as a network switch, and connects the network segment of the administrators to the segment of the protected servers at the data link layer (Layer 2 in the OSI model).
All traffic passing SCB originates from the MAC address of SCB's bridge interface. SCB replaces all MAC addresses in the ARP replies with its own MAC address. That way all traffic must pass SCB.
|
Note |
|---|---|
|
In Bridge mode, SCB forwards DHCP traffic between the external and internal interfaces. However, other multicast and broadcast traffic is blocked. |
Use Layer 3 devices (routers or firewalls) on both sides of SCB.
Using Bridge mode is recommended in the following network topologies:
or
Bridge mode in SCB uses a routing table. Use the routing table if more than one subnets are connected to SCB on the opposite side of the default gateway. For details, see Procedure 4.3.1.2, Routing management traffic to the management interface .
|
Warning |
|---|---|
Use dedicated switches on both sides of SCB when using bridge mode and high-availablity together. Do not connect other devices to these switches. |
In Router mode, SCB acts as a transparent router connecting the network segment of the administrators to the segment of the protected servers at the network layer (Layer 3 in the OSI model). All connections must pass SCB to reach the servers — SCB is a proxy gateway, completely separating the protected servers from the rest of the network. Controlled connections and traffic are inspected on the application level, while other types of connections are simply forwarded on the packet level.
|
Warning |
|---|---|
Routing mode does not support multicast traffic. |
In this mode SCB acts as a bastion host — administrators can address only SCB, the administered servers cannot be targeted directly. The firewall of the network has to be configured to ensure that only connections originating from SCB can access the servers. SCB determines which server to connect based on the parameters of the incoming connection (the IP address of the administrator and the target IP and port).
Bastion mode inherently ensures that only the controlled (management and server administration) traffic reaches SCB. This ensures that the services and applications running on the servers are accessible even in case SCB breaks down, so SCB cannot become a single point of failure. The firewall or router before the servers must be configured to direct the controlled SSH, RDP, Telnet, and VNC traffic to SCB. This can be accomplished on the IP level.
|
Tip |
|---|---|
Bastion mode is useful if the general (not inspected) traffic is very high and could not be forwarded by SCB. |
Bastion mode is often used together with the Nontransparent mode (for details, see Section 2.3.4, SCB in Nontransparent mode).
Nontransparent mode allows you to create a single connection policy and allow
users to access any server by including the name of the target server in their
username (for example ssh
username@targetserver:port@scb_address). SCB can extract the
address from the username and direct the connection to the target server.
Since some client applications do not permit the @ and
: characters in the username, the
% character may also be
used instead, for example
username%targetserver:port@scb_address. Between the target server and the port, the following characters can be used: :, + and /.
Windows RDP clients often send only the first 9 characters of the username to the
server, making nontransparent operation difficult. When using the RDP4 or RDP5
protocols, it is not necessary to include the username when starting an RDP
connection (for example use only @server); the user can type
the username later in the graphical login screen. However, the username must be
specified for RDP6 connections.
When a client initiates a connection to a server, SCB performs a procedure similar to the ones detailed below. The exact procedure depends on the protocol used in the connection.
For SSH connections, see Procedure 2.4.1, Connecting to a server through SCB using SSH.
For RDP and other connections, see Procedure 2.4.2, Connecting to a server through SCB using RDP.
2.4.1. Procedure – Connecting to a server through SCB using SSH
Steps:
The client tries to connect the server. SCB receives the connection request and establishes the TCP connection with the client.
-
SCB examines the connection request: it checks the IP address of the client and the IP address and port number of the intended destination server. If these parameters of the request match with a connection policy configured on SCB, SCB inspects the connection in detail. Other connections are ignored by SCB; they are simply forwarded on the packet level.
The selected connection policy determines all settings and parameters of the connection.
Note SCB compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection. For details, see Procedure 5.1.1, Configuring connections.
-
Optionally, before establishing the server-side connection, SCB can evaluate the connection and channel policies to determine if the connection might be permitted at all, for example it is not denied by a Time Policy. For details, see Procedure 5.2.5, Creating and editing protocol-level SSH settings.
-
SCB selects the destination server based on the parameter of the connection policy. Network address translation of the target address can be performed at this step. For details, see Procedure 5.1.2, Modifying the destination address.
-
SCB selects the source address used in the server-side connection based on the parameter of the connection policy. For details, see Procedure 5.1.3, Modifying the source address.
SCB establishes the TCP connection to the server.
-
SCB negotiates the protocol parameters of the connection (for example SSH encryption parameters) according to the of the connection policy. The SSH handshake is performed simultaneously on the server- and the client-side.
-
SCB displays an SSH hostkey to the client. This hostkey is either generated on SCB, or it is the hostkey of the server (if it is available on SCB). The connection policy determines the hostkey shown to the client.
Warning If the SSH Settings of the connection enable only RSA keys in the connection, the RSA key shown to the client must be set in the connection policy. Similarly, if only DSA keys are permitted, the DSA key must be set.
SCB verifies the hostkey of the server. If the server has not been contacted before, SCB can accept and store the hostkey of the server. Alternatively, the hostkey of the server can be manually uploaded to SCB. For details, see Section 5.2.4, Server host keys and certificates.
-
The client authenticates itself using an authentication method permitted by the set in SCB. Different connections can use different authentication policies, thus allow different authentication methods. The Authentication policy also restricts which users can connect the server if public-key authentication is used.
-
If the authentication is successful, SCB checks whether the particular user is allowed to access the connection by consulting the assigned to the connection policy in the channel policy. If needed, SCB connects the LDAP servers set in the policy to resolve the group memberships of the user.
SCB performs the authentication on the server, using the data received from the client in Step 8, or using data received from a Credential Store. For details on Credentials Stores, see Procedure 8.4.1, Configuring local Credential Stores.
Both the server and the client side connections have been established. From this step, the client can try to open any type and any number of channels in the connection.
-
SCB consults the assigned to the connection for each channel opening request to see if the channel type (for example TCP forward or terminal session in SSH) requested by the client is permitted in the connection. Channel policies may impose restrictions on the availability of certain channels.
-
SCB consults the assigned to the channel policy. Channels may be opened only within the allowed period.
Tip Time policies are a good way to ensure that the server can be accessed only within the specified timeframe.
-
If gateway authentication is set for the connection policy, the SSH session of the client is paused until the client successfully completes the gateway authentication on SCB. The server-side connection is established only after the gateway authentication is completed. For details, see Procedure 2.7, The gateway authentication process.
-
If the Authentication Policy of the SSH connection policy requires separate authentication on the client and the server side, the client performs the client-side authentication.
-
If the Authentication Policy of the SSH connection policy requires separate authentication on the client and the server side, the client performs the server-side authentication.
-
If 4-eyes authorization is set in the Channel Policy, the SSH session of the client is paused until the authorizer permits the client to connect to the server. For details, see Procedure 2.8, 4-eyes authorization.
The client starts to work on the server. SCB records the entire communication into digitally encrypted audit trails if auditing is enabled in the Channel Policy. For details, see Procedure 5.1.4, Creating and editing channel policies.
2.4.2. Procedure – Connecting to a server through SCB using RDP
Steps:
The client tries to connect the server. SCB receives the connection request and establishes the TCP connection with the client.
-
SCB examines the connection request: it checks the IP address of the client and the IP address and port number of the intended destination server. If these parameters of the request match with a connection policy configured on SCB, SCB inspects the connection in detail. Other connections are ignored by SCB; they are simply forwarded on the packet level.
The selected connection policy determines all settings and parameters of the connection.
Note SCB compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection. For details, see Procedure 5.1.1, Configuring connections.
-
SCB selects the destination server based on the parameter of the connection policy. Network address translation of the target address can be performed at this step. For details, see Procedure 5.1.2, Modifying the destination address.
-
SCB selects the source address used in the server-side connection based on the parameter of the connection policy. For details, see Procedure 5.1.3, Modifying the source address.
SCB establishes the TCP connection to the server.
-
SCB checks the protocol parameters of the connection (for example version of the RDP protocol used ) according to the of the connection policy. The RDP handshake is performed simultaneously on the server- and the client-side.
The server opens a Drawing channel for the user to perform authentication.
-
SCB consults the assigned to the connection to check if the Drawing channel is enabled.
-
SCB consults the assigned to the connection. Connections are accepted only within the allowed period.
Tip Time policies are a good way to ensure that the configuration of the server is modified only during maintenance hours.
-
If gateway authentication is set for the connection policy, the session of the client is paused until the client successfully completes the gateway authentication on SCB. The server-side connection is established only after the gateway authentication is completed. For details, see Procedure 2.7, The gateway authentication process.
The client authenticates on the server.
-
If 4-eyes authorization is set in the Channel Policy, the session of the client is paused until the authorizer permits the client to connect to the server. For details, see Procedure 2.8, 4-eyes authorization.
-
SCB establishes the server-side connection and authenticates the client on the server. If the authentication fails for any reason, SCB terminates the client-side connection as well. This is required to verify the username of the client when it attempts to access the server again.
Note For RDP connections, SCB can perform the server-side authentication using sdata received from a Credential Store. For details on Credentials Stores, see Procedure 8.4.1, Configuring local Credential Stores.
Both the server and the client side connections have been established. From this step, the server can open any type and any number of channels in the connection. (In RDP, the client requests a channel, and the server opens the channels towards the client.) SCB consults the assigned to the connection to check if the particular channel is enabled in the connection.
The client starts to work on the server. SCB records the entire communication into digitally encrypted audit trails if auditing is enabled in the Channel Policy. For details, see Procedure 5.1.4, Creating and editing channel policies.
The SSH communication authenticates the remote SSH server using public-key cryptography, either using plain hostkeys, or X.509 certificates. Client authentication can also use public-key cryptography. The identity of the remote server can be verified by inspecting its hostkey or certificate. When trying to connect a server via SCB, the client sees a hostkey (or certificate) shown by SCB. This key is either the hostkey of SCB, or the original hostkey of the server, provided that the private key of the server has been uploaded to SCB. In the latter case the client will not notice any difference and have no knowledge that he is not communicating directly with the server, but with SCB.
Public-key authentication requires a private and a public key (or an X.509 certificate) to be available on SCB. First, the public key of the user is needed to verify the user's identity in the client-side SSH connection: the key presented by the client is compared to the one stored on SCB. SCB uses a private key to authenticate itself to the sever in the server-side connection. SCB can use the private key of the user if it is uploaded to SCB. Alternatively, SCB can generate a new keypair, and use its private key for the server-side authentication, or use agent-forwarding, and authenticate the client with its own key.
|
Warning |
|---|---|
If SCB generates the private key for the server-side authentication, then the public part of the keypair must be imported to the server; otherwise the authentication will fail. Alternatively, SCB can upload the public key (or a generated X.509 certificate) into an LDAP database. |
2.7. Procedure – The gateway authentication process
Purpose:
When gateway authentication is required for a connection, the user must authenticate
on SCB as well. This additional authentication can be performed on the SCB web
interface, so it provides a protocol-independent, outband authentication method. That
way the connections can be authenticated to the central authentication database (for
example LDAP or RADIUS), even if the protocol itself does not support authentication
databases. Also, connections using general usernames (for example
root, Administrator, and so on) can be
connected to real user accounts.
|
Note |
|---|---|
|
For SSH and RDP connections, gateway authentication can be performed also inband, without having to access the SCB web interface.
|
Technically, the process of gateway authentication is the following:
Steps:
The user initiates a connection from a client.
If gateway authentication is required for the connection, SCB pauses the connection.
The user logs in to the SCB web interface, selects the connection from the list of paused connections, and enables it. It is possible to require that the authenticated session and the web session originate from the same client IP address.
-
The user performs the authentication on the server.
Note Gateway authentication can be used together with other advanced authentication and authorization techniques like 4-eyes authorization, client- and server-side authentication, and so on.
2.8. Procedure – 4-eyes authorization
Purpose:
When 4-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This authorization is in addition to any authentication or group membership requirements needed for the user to access the remote server. Any connection can use 4-eyes authorization, so it provides a protocol-independent, outband authorization and monitoring method.
The authorizer has the possibility to terminate the connection any time, and also to monitor real-time the events of the authorized connections: SCB can stream the traffic to the Audit Player application, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like watching a movie.
|
Note |
|---|---|
The auditor can only see the events if the required decryption keys are available on the host running the Audit Player application. |
Technically, the process of 4-eyes authorization is the following:
Steps:
The user initiates a connection from a client.
If 4-eyes authorization is required for the connection, SCB pauses the connection.
The authorizer logs in to the SCB web interface, selects the connection from the list of paused connections, and enables it.
The user performs the authentication on the server.
The auditor (who can be the authorizer, but is it possible to separate the roles) watches the actions of the user real-time.
|
Note |
|---|---|
4-eyes authorization can be used together with other advanced authentication and authorization techniques like gateway authentication , client- and server-side authentication, and so on. |
The SCB hardware has five network interfaces: the external, the management, the internal, the HA, and the IPMI interface. For details on hardware installation, see Appendix 3, BalaBit Shell Control Box Hardware Installation Guide.
The internal interface is used exclusively
for communication between SCB and the protected servers. The internal interface uses the Ethernet connector
labeled as INT.
The external interface is used for communication between
SCB and the clients: the
controlled connections of the clients (for example, the SSH connections of the system
administrators managing the servers) accessing the protected servers enter via this
interface. Also, the initial configuration of SCB is always
performed using the external interface (For details on the initial configuration, see Procedure 3.2, Configuring SCB with the Welcome Wizard). The external interface is used for management
purposes if the management interface is not configured. The external interface uses the
Ethernet connector labeled as EXT.
The management interface is used exclusively for communication
between SCB and the auditors or the administrators of SCB.
Incoming connections are accepted only to access the SCB web interface, other
connections targeting this interface are rejected. The management interface uses the
Ethernet connector labeled as MGMT.
The routing rules determine which interface is used for transferring remote backups and syslog messages of SCB.
|
Tip |
|---|---|
It is recommended to direct backups, syslog and SNMP messages, and e-mail alerts to the management interface. For details, see Procedure 4.3.1.2, Routing management traffic to the management interface . |
If the management interface is not configured, the external interface takes the role of the management interface.
The HA interface is an interface reserved for communication
between the nodes of SCB clusters. The HA interface uses the Ethernet connector
labeled as HA. For details on high availability, see Section 2.10, High Availability support in SCB.
The Intelligent Platform Management Interface (IPMI) interface allows system administrators to monitor system health and to manage SCB events remotely. IPMI operates independently of the operating system of SCB.
In high availability (HA) mode two SCB units (called master and slave nodes) having identical configuration are operating simultaneously. The master shares all data with the slave node, and if the master node stops functioning, the other one becomes immediately active, so the servers are continuously accessible. The slave node takes over the MAC addresses of the interfaces of the master node.
|
Warning |
|---|---|
Hazard of data loss! If the two nodes cannot communicate, the slave assumes that the master node broke down and becomes active, which can lead to both nodes being active at the same time (a split brain situation). This might result in data loss. For details on how to recover from a split brain situation, see Procedure 4.5.4.7.2, Recovering from a split brain situation. For details on how to avoid split brain situations, see Procedure 4.5.2.3, Configuring redundant Heartbeat interfaces. |
The slave node automatically synchronizes its hard disk with the master via the HA network interface. The disks must be synchronized for the HA support to operate correctly.
|
Warning |
|---|---|
When using the management interface and high availability together, do not forget to connect the management interface of both SCB nodes to the network. Otherwise you will not be able to remotely access SCB if a takeover occurs. |
The SCB firmware is separated into two parts: an external and an internal firmware.
The external firmware (also called boot firmware) boots up SCB, provides the high availability support, and starts the internal firmware. The external firmware changes very rarely.
The internal firmware (also called core firmware) handles everything else: provides the web interface, manages the connections, and so on. The internal firmware is updated regularly as new features are added to SCB.
Both firmwares can be updated from the SCB web interface. For details, see Section 4.5.3, Upgrading SCB.
When powering on the SCB nodes in high availability mode, both nodes boot and start the boot firmware. The boot firmwares then determine which unit is the master: the core firmware is started only on the master node.
Upgrading the SCB firmware via the web interface automatically upgrades the firmware on both nodes.
As of June 2011, the following release policy applies to BalaBit Shell Control Box:
Long Term Supported or LTS releases (for example, SCB 3 LTS) are supported for 3 years after their original publication date and for 1 year after the next LTS release is published (whichever date is later). The second digit of the revisions of such releases is 0 (for example, SCB 3.0.1). Maintenance releases to LTS releases contain only bugfixes and security updates.
Feature releases (for example, SCB 3 F1) are supported for 6 months after their original publication date and for 2 months after succeeding Feature or LTS Release is published (whichever date is later). Feature releases contain enhancements and new features, presumably 1-3 new feature per release. Only the last feature release is supported (for example when a new feature release comes out, the last one becomes unsupported within two months).
For a full description on stable and feature releases, see Stable and feature releases.
SCB has a web interface and is configured from a browser. The users of SCB can be authenticated using local, LDAP, or RADIUS databases. The privileges of the users are determined by group memberships; this can be managed either locally on SCB, or centrally in an LDAP database. Assigning privileges to groups is based on ACLs. It is also possible to match groups existing in the LDAP database to a set of SCB privileges. The access control in SCB is very detailed, it is possible to define exactly who can access which parts of the interface and of the stored data.
SCB's license determines the number of servers (IP addresses) that SCB protects; the license limits the number of IP addresses that SCB can connect on the internal interface. License expansion packs are available for all SCB appliances.
BalaBit Shell Control Box N1000 and N1000d: Available with license for 10 IP addresses; can be expanded up to unlimited IP addresses.
BalaBit Shell Control Box N10000: Available with license for 50 IP addresses; can be expanded up to unlimited IP addresses.
BalaBit Shell Control Box VA: Available with license for 5 IP addresses; can be expanded up to unlimited IP addresses.
Contact BalaBit or your local distributor for details. For details on installing a new license, see Procedure 4.5.3.2, Updating the SCB license.
This chapter describes the initial steps of configuring SCB. Before completing the steps below, unpack, assemble, and power on the hardware. Connect at least the external network interface to the local network, or directly to the computer from which SCB will be configured.
|
Note |
|---|---|
For details on unpacking and assembling the hardware, see Appendix 3, BalaBit Shell Control Box Hardware Installation Guide. For details on how to create a high availability SCB cluster, see Procedure 3.2, Installing two SCB units in HA mode. |
SCB can be connected from a client machine using any modern web browser.
SCB can be accessed from the local network. Starting with version 3.1 , SCB attempts to receive an IP address automatically via DHCP. If it fails to obtain an automatic IP address, it starts listening for HTTPS connections on the 192.168.1.1 IP address. Note that certain switch configurations and security settings can interfere with SCB receiving an IP address via DHCP.
SCB accepts connections via its external interface (EXT, for details on
the network interfaces, see Section 2.9, Network interfaces).
If SCB is listening on the 192.168.1.1 address, note that the 192.168.1.0/24 subnet must be accessible from the client. If
the client machine is in a different subnet (for example its IP address is
192.168.10.X), but in the same network segment, the easiest
way is to assign an alias IP address to the client machine. Creating an alias IP on the
client machine virtually puts both the client and SCB into the same subnet, so that
they can communicate. To create an alias IP complete the following steps.
For details on creating an alias IP on Microsoft Windows, see Procedure 3.1.1, Creating an alias IP address (Microsoft Windows).
For details on creating an alias IP on Linux, see Procedure 3.1.2, Creating an alias IP address (Linux).
If configuring an alias interface is not an option for some reason, you can modify the IP address of SCB. For details, see Procedure 3.1.3, Modifying the IP address of SCB.
|
Warning |
|---|---|
The Welcome Wizard can be accessed only using the external network interface of SCB, as the management interface is not configured yet. |
3.1.1. Procedure – Creating an alias IP address (Microsoft Windows)
This procedure describes how to assign an alias IP address to a network interface on Microsoft Windows platforms.
-
Navigate to .
-
Double click on the and then click .
-
Select the component in the list and click .
-
To display the Advanced TCP/IP Settings window, click .
-
Select the tab and in the section, click .
-
Into the field, enter
192.168.1.2. Into the field, enter255.255.255.0.Warning If your internal network uses the
192.168.1.0/24IP range, the192.168.1.1and192.168.1.2addresses might already be in use. In this case, disconnect SCB from the network, and connect directly a computer to its external interface using a standard cross-link cable. -
To complete the procedure, click .
3.1.2. Procedure – Creating an alias IP address (Linux)
This procedure describes how to assign an alias IP address to a network interface on Linux platforms.
-
Start a terminal console (for example gnome-terminal, konsole, xterm, and so on).
-
Issue the following command as root:
ifconfig <ethX>:0 192.168.1.2
where
<ethX>is the ID of the network interface of the client, usuallyeth0oreth1. -
Issue the ifconfig command. The
<ethX>:0interface appears in the output, havinginet addr:192.168.1.2. -
Issue the ping -c 3 192.168.1.1 command to verify that SCB is accessible. A similar result is displayed:
user@computer:~$ ping -c 3 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp-seq=1 ttl=63 time=0.357 ms
64 bytes from 192.168.1.1: icmp-seq=2 ttl=63 time=0.306 ms
64 bytes from 192.168.1.1: icmp-seq=3 ttl=63 time=0.314 ms
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2013ms
rtt min/avg/max/mdev = 0.306/0.325/0.357/0.030 ms
Open the page https://192.168.1.1 from your browser and accept the certificate shown. The Welcome Wizard of SCB appears.
3.1.3. Procedure – Modifying the IP address of SCB
To configure SCB to listen for connections on a custom IP address, complete the following steps.
|
Warning |
|---|---|
Use this procedure only before the initial configuration of SCB, that is, before completing the Welcome Wizard. For details on changing the IP address or other network settings of a configured SCB system, see Section 4.3.1, Network settings. |
-
Access SCB from the local console.
-
Login using the
rootas username anddefaultas password. -
In the Console Menu, select .
-
Change the IP address of SCB using the following command. Replace <IP-address> with an IPv4 address suitable for your environment.
ifconfig eth0 <IP-address> netmask 255.255.255.0 -
Set the default gateway using the following command:
route add default gw <IP-address-of-the-default-gateway> -
Type exit, then select from the Console Menu.
-
Open the page https://<IP-address-you-set-for-SCB> from your browser and accept the certificate shown. The Welcome Wizard of SCB appears.
3.2. Procedure – Configuring SCB with the Welcome Wizard
The Welcome Wizard guides you through the basic configuration steps of SCB. All parameters can be modified before the last step by using the button of the wizard, or later via the web interface of SCB.
-
Open the https://<IP-address-of-SCB-external-interface> page in your browser and accept the displayed certificate. The Welcome Wizard of SCB appears.
Tip The SCB console displays the IP address the external interface is listening on. SCB either receives an IP address automatically via DHCP, or if a DHCP server is not available, listens on the
192.168.1.1IP address. -
When configuring SCB for the first time, click .
It is also possible to import an existing configuration from a backup file. Use this feature to restore a backup configuration after a recovery, or to migrate an existing SCB configuration to a new device.
Click and select the configuration file to import.
Enter the passphrase used when the configuration was exported into the field.
-
Click .
Warning If you use the Import function to copy a configuration from one SCB to another, do not forget to configure the IP addresses of the second SCB. Having two devices with identical IP addresses on the same network leads to errors.
-
Accept the End User License Agreement and install the SCB license
Read the End User License Agreement and select .
Click , select the SCB license file received with SCB, then click .
Click .
-
Fill the fields to configure networking. The meaning of each field is described below. The background of unfilled required fields is red. All parameters can later be modified using the regular interface of SCB.
Hostname: Name of the machine running SCB (for example
SCB).Domain name: Name of the domain used on the network.
DNS server: IP address of the name server used for domain name resolution.
NTP server: The IP address or the hostname of the NTP server.
Syslog server: The IP address or the hostname of the syslog server.
SMTP server: The IP address or the hostname of the SMTP server used to deliver e-mails.
Administrator's e-mail: E-mail address of the SCB administrator.
Timezone: The timezone where the SCB is located.
-
External interface — IP address: IP address of the external interface of SCB (for example
192.168.1.1). The IP address can be chosen from the range of the corresponding physical subnet. Clients will connect the external interface, therefore it must be accessible to them.Note The IP address of the SCB host must not fall into the following ranges:
1.2.0.0/16,127.0.0.0/8. External interface — Netmask: The IP netmask of the given range in IP format. For example, general class C networks have the 255.255.255.0 netmask.
When configuring SCB for mode, enter the IP address and Netmask for the internal interface as well. SCB connects to the servers via the internal interface.
Default gateway: IP address of the default gateway. When using several network cards, the default gateway is usually in the direction of the external interface.
-
HA address: The IP address of the high availability (HA) interface. Leave this field on
autounless specifically requested by the support team. Click .
-
Enter the passwords used to access SCB.
Note SCB passwords can contain the following special characters:
!"#$%&'()*+,-./:;<=>?@[\]^-`{|}-
Admin password: The password of the
adminuser who can access the web interface of SCB. -
Root password: The password of the
rootuser, required to access SCB via SSH or from the local console.Note Accessing SCB using SSH is rarely needed, and recommended only for advanced users for troubleshooting situations.
If you want to prevent users from accessing SCB remotely via SSH or changing the root password of SCB, select the checkbox. Sealed mode can be activated later from the web interface as well. For details, see Section 4.5.6, Sealed mode.
Click .
-
-
Upload or create a certificate for the SCB web interface. This SSL certificate will be displayed by SCB to authenticate administrative HTTPS connections to the web interface.
To create a self-signed certificate, fill the fields of the section and click . The certificate will be self-signed by the SCB appliance; the hostname of SCB will be used as the issuer and common name.
Country: Select the country where SCB is located (for example HU-Hungary).
Locality: The city where SCB is located (for example Budapest).
Organization: The company who owns SCB (for example Example Inc.).
Organization unit: The division of the company who owns SCB (for example IT Security Department).
State or Province: The state or province where SCB is located.
Click .
If you want to use a certificate that is signed by an external Certificate Authority, in the field, click
to upload the certificate.Then in the field click
, upload
the private key, and enter the password protecting the private key.
-
Review the data entered in the previous steps. This page also displays the certificate generated in the last step; the RSA SSH key of SCB, and information about the license file.
If all information is correct, click .
Warning The configuration takes effect immediately after clicking . Incorrect network configuration data can render SCB unaccessible.
SCB is now accessible from the regular web interface via the IP address of its external interface.
-
Your browser is automatically redirected to the IP address set as the external interface of SCB, where you can login to the web interface of SCB using the
adminusername and the password you set for this user in the Welcome Wizard.
3.3. Procedure – Logging in to SCB and configuring the first connection
After finishing the initial configuration of SCB using the Welcome Wizard, connections must be configured between the clients and the servers. SCB inspects only the connections that are configured from the web interface; all other connections are forwarded without any inspection. The procedure below describes how to enable a simple SSH terminal or a Remote Desktop session.
-
Login to SCB's web interface.
Open the
https://IP-address-of-the-external-interface/page from your browser to access the web interface of SCB. Replace theIP-address-of-the-external-interfacestring with the IP set for the external interface in Configuring the external interface of the Welcome Wizard (for example192.168.1.1).The certificate created in Creating the web interface certificate of the Welcome Wizard is displayed. Accept it.
-
Login to the SCB web interface using the displayed login screen.
Enter
admininto the field.Enter the password set in Setting the administrator password for the
adminuser into the field.Click . The main page of the SCB administration interface is displayed.
-
Configure a new connection. This connection will allow any user to connect to a specified server from a specific client machine.
To configure an SSH connection, click on the item of the Main Menu. Only terminal sessions will be permitted.
To configure an RDP connection, click on the item of the Main Menu. Only basic Remote Desktop sessions will be permitted (that is, no clipboard or file-sharing).
Click on the
icon on the left to create a new
connection.-
Enter a name into the field that will identify the connection (for example
admin-mainserver).Tip It is recommended to use descriptive names that give information about the connection, for example refer to the name of the accessible server, the allowed users, and so on.
-
Bastion mode: Enter the IP addresses defining the connection. Skip this step if SCB is set to Router or Bridge mode.
Enter the IP address of the client that will be permitted to access the server into the field.
Enter the IP address of SCB's external interface into the field.
Enter a port number into the field.
Enter the IP address of the server into the field of the section.
Enter the port number where the server is accepting connections into the field of the section.
-
Router mode and Bridge mode: Enter the IP addresses defining the connection. Skip this step if SCB is set to Bastion mode.
Enter the IP address of the client that will be permitted to access the server into the field.
Enter the IP address of the server into the field.
Enter the port number where the server is accepting connections into the field.
-
Click .
This connection allows any user from the client machine to connect to the specified server, but permits only terminal sessions — other SSH channels like TCP forwarding are disabled.
-
Test the new configuration: try to initiate an SSH or and RDP connection from the client to the server. Note that in Bastion mode the client addresses SCB's external IP address and the port set in Configuring a connection in Bastion mode, while IP address of the the server set in Configuring a connection in Router mode in Router mode.
-
Navigate to on the SCB web interface. Your session will be displayed in the list of connections. the client to the server. Note that in Bastion mode the client addresses SCB's external IP address and the port set in Configuring a connection in Bastion mode, while IP address of the the server set in Configuring a connection in Router mode in Router mode.
-
Click the
icon in the column and save the audit trail of your session. -
Open the downloaded audit trail using the application and review your actions.
SCB is configured via the web interface. Configuration changes take effect
automatically after clicking 
. Only the modifications of the current page or tab are activated
— each page and tab must be committed separately.
This chapter describes how to configure, manage, and maintain SCB.
For details about the supported browsers, see Section 4.1, Supported web browsers and operating systems.
For details on how to use the web interface of SCB, see Section 4.2, The structure of the web interface.
For details on how to configure the basic settings of the SCB host like network settings, system monitoring, and backup settings, see Section 4.3, Basic settings.
For details on how to manage user accounts and privileges see Section 4.4, User management and access control.
For details on how to control, reboot, update, and troubleshoot SCB, see Section 4.5, Managing SCB.
Supported browsers: Mozilla Firefox 3.0 or newer and Microsoft Internet Explorer 7 and 8. The browser must support HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.
|
Note |
|---|---|
SCB displays a warning message if your browser is not supported or JavaScript is disabled. |
Supported operating systems: Microsoft Windows XP, Windows 2003 Server, Windows Vista, Windows 2008 Server, Windows 7, and Linux.
The SCB web interface can be accessed only using SSLv3 or TLSv1 encryption and strong cipher algorithms.
Note that when using Internet Explorer 7 on Windows 2008 to access SCB you must
enable active scripting for the Internet Zone, otherwise the SCB web interface will
not operate properly. This is not required on other platforms or browser versions. To
accomplish this, select , and set the field to
Enabled.
When using Internet Explorer 8.0 on Windows Server 2008 R2 Enterprise, disable the Content Advisor and the Protected Mode in the Internet Explorer. To accomplish this, select . Then select and unselect the option. Apply all settings and restart Internet Explorer.
The web interface consists of the following main sections:
Main menu: Each menu item displays its options in the main
workspace on one or more tabs. Click 
in front of a main menu item to
display the list of available tabs.
User menu: Provides possibilities to change your SCB password; to log out; and disable confirmation dialogs and tooltips using the option.
User info: Provides information about the user currently logged in:
username
IP address of the user's computer
date and IP address of the user's last login
System monitor: Displays accessibility and system health information about SCB, including the following:
System date and time.
The time remaining before the session to the web interface times out.
Indicators if SSH, RDP, ICA, Telnet, and VNC traffic is permitted to the protected servers.
The number of active SSH, RDP, ICA, Telnet, and VNC connections.
License information if the license is not valid, or an evaluation version license has expired.
The status of the RAID devices, if synchronization between the disks is in progress.
The HA status and the ID of the active node if two SCB units are running in a High Availability cluster. If there are redundant Heartbeat interfaces configured, their status is displayed as well. If the nodes of the cluster are synchronizing data between each other, the progress and the time remaining from the synchronization process is also displayed.
-
Average system load during the
last minute
last fifteen minutes
CPU, memory, hard disk, and swap use. Hover the mouse above the graphical bars to receive a more details in a tooltip, or navigate to for detailed reports.
The System monitor displays current information about the state of SCB. To display a history of these parameters, go to . For details, see Section 4.5.4.6, Status history and statistics.
The main workspace displays the configuration settings related to the selected
main menu item grouped into one or more tabs. Related parameters of a tab are
organized into labeled groups or sections, marked with blue outline 
.
- Each page includes one or more orange action buttons.
The most common action button is the , which saves
and activates the changes of the page.
/
Show/Hide Details: Displays
or hides additional configuration settings and options.- ,
Create entry: Create a
new row or entry (for example an IP address or a policy). 
, 
Delete entry:
Delete a row or an entry (for example an IP address or a policy).
, 
Open/collapse lists: Open or close a list of options
(for example the list of available reports).- Modify entries or upload files: Edit an
entry (for example a host key, a list, and so on), or upload a file (for
example a private key). These actions open a popup window where the actual
modification can be performed.
, 
Position an item in a list: Modify the order of items
in a list. The order of items in a list (for example the order of
connections, permitted channels in a channel policy, and so on) is important
because when SCB is looking for a policy, it evaluates the list from
top to down, and selects the first item completely matching the search
criteria. For example, when a client initiates a connection to a protected
server, SCB selects the first connection policy matching the client's
IP address, the server's IP address, and the target port (the From, To, and
Port fields of the connection).
Message window: This popup window displays the responses of SCB to the user's actions, for example Configuration saved successfully. Error messages are also displayed here. All messages are included in the system log. For detailed system logs (including message history), see the tab of the Basic menu. To make the window appear only for failed actions, navigate to and enable the option.
Multiple administrators can access the SCB web interface simultaneously, but only one of them can modify the configuration. This means that the configuration of SCB is automatically locked when the first administrator who can modify the configuration accesses a configuration page (for example the , , or menu). The username and IP address of the administrator locking the configuration is displayed in the field. Other administrators must wait until the locking administrator logs out, or the session of the administrator times out. However, it is possible to access the and menus,and to perform gateway authentication and 4-eyes authorization or browse the configuration with only View rights (for details, see Section 4.4.6, Managing user rights and usergroups).
|
Note |
|---|---|
If an administrator logs in to SCB using the local console or a remote SSH connection, access via the web interface is completely blocked. Inactive local and SSH connections timeout just like web connections. For details, see Section 4.5.5, Accessing the SCB console. |
Use the option of the main menu to configure the SCB host. The exact options are described in the following sections.
For details on how to configure the network interfaces, name resolution, and other networking-related settings, see Section 4.3.1, Network settings.
For details on how to control (for example reboot) SCB, upload a new firmware or license, export the current configuration, or stop the incoming syslog traffic, see Section 4.3.1, Network settings.
For details on how to set the system time and automatic time synchronization to an NTP server, see Section 4.3.2, Date and time configuration.
For details on how to configure where SNMP and e-mail alerts are sent, see Section 4.3.3, System logging, SNMP and e-mail alerts.
For details on how to configure system monitoring and alerts, see Section 4.3.4, Configuring system monitoring on SCB.
For details on how to configure data archiving and backups, see Section 4.3.5, Data and configuration archiving and backups.
The tab contains the network interface and naming settings of SCB.
-
Operation mode: SCB can operate in Bastion, Router, or Bridge mode. For details, see Section 2.3, Modes of operation.
-
Internal interface: The IP address and Netmask of the SCB network interface that connects to the protected servers. The internal interface is available only in Router mode.
To enable access to the SCB web interface from the internal interface (even if the management interface is configured), select the option.
-
Interfaces > External interface: The Address and Netmask of the SCB network interface that receives client connections. Click the
and icons to add new alias IP
addresses (also called alias interfaces) or delete existing ones. At least
one external interface must be configured. If the management interface is
disabled, the SCB web interface can be accessed via the external
interface. When multiple external interfaces are configured, the first one
refers to the physical network interface, all others are alias interfaces.
The SCB web interface can be accessed from all external interfaces (if
no management interface is configured).Optionally, you can enable access to the SCB web interface even if the management interface is configured by activating the function.
Warning If you enable management access on an interface and configure alias IP address(es) on the same interface, SCB will accept management connections only on the original address of the interface.
Note The speed of the interface is displayed for every interface. To explicitly set the speed of the interface, select the desired speed from the field. Modifying the speed of the interface is recommended only for advanced users. Also note that changing the interface speed might not take effect if the network card of SCB has been replaced with one different from the original.
-
Interfaces > Management interface: The Address and Netmask of the SCB network interface used to access the SCB web interface. If the management interface is configured, the web interface can be accessed only via this interface, unless access from other interfaces is explicitly enabled.
4.3.1.1. Procedure – Configuring the management interface
Purpose:
To activate the interface, complete the following steps.
Steps:
-
Navigate to .
In the field, select .
Into the field, enter the IP address of SCB's management interface.
Into the field, enter the netmask related to the IP address.
-
Warning After clicking , the web interface will be available only via the management interface — it will not be accessible using the current (external) interface, unless the option is selected for the external interface.
Ensure that the Ethernet cable is plugged and the management interface is connected to the network; this is indicated by a green check icon in the field. When using High Availability, ensure that the management interface of both SCB units is connected to the network.
The section indicates if a link is detected on the high availability interface.
Click .
-
HA address: The IP address of the high availability (HA) interface. Leave this field on
Auto negotiationunless specifically requested by the support team.Note As of SCB version 2.0.2, when both nodes of a cluster boot up in parallel, the node with the
1.2.4.1HA IP address will become the master node. -
Interfaces > Routing table: When sending a packet to a remote network, SCB consults the routing table to determine the path it should be sent. If there is no information in the routing table then the packet is sent to the default gateway. Use the routing table to define static routes to specific hosts or networks. You have to use the routing table if the internal interface is connected to multiple subnets, because the default gateway is (usually) towards the external interface. Click the
and icons to add new routes or delete existing
ones. A route means that messages sent to the
Address/Netmask network should be delivered to
Gateway.For detailed examples, see Procedure 4.3.1.2, Routing management traffic to the management interface .
-
Naming > Hostname: Name of the machine running SCB.
Naming > DNS search domain: Name of the domain used on the network. When resolving the domain names of the audited connections, SCB will use this domain to resolve the target hostname if the append domain entry is of a target address is empty.
-
Naming > Primary DNS server: IP address of the name server used for domain name resolution.
Naming > Secondary DNS server: IP address of the name server used for domain name resolution if the primary server is unaccessible.
4.3.1.2. Procedure – Routing management traffic to the management interface
Purpose:
For security reasons — and also to reduce network usage on the external and internal interfaces — it is recommended to direct all management-related traffic of SCB towards the management network interface. Such traffic includes access to the web interface, backups and archiving, syslog messages , and e-mail or SNMP alerts sent to the administrator.
|
Warning |
|---|---|
Complete the following procedure only if the management interface is configured; otherwise the data sent by SCB will be lost. For details on configuring the management interface, see Procedure 4.3.1.1, Configuring the management interface. |
Steps:
-
To add a new routing entry, navigate to and in the field, click
.
Enter the IP address of the backup server (as set in Procedure 4.3.5.1, Creating configuration and data backups) into the field.
Enter the related netmask into the field.
Enter the IP address of the gateway used on that subnetwork into the field.
Click .
Repeat Steps 1-5 and create a routing entry for other backup servers if needed.
Repeat Steps 1-5 and create a routing entry for the syslog server (as set in Section 4.3.3, System logging, SNMP and e-mail alerts).
Repeat Steps 1-5 and create a routing entry for the SMTP server (as set in Section 4.3.3, System logging, SNMP and e-mail alerts).
Date and time related settings of SCB can be configured on the tab of the page.
|
Warning |
|---|---|
|
It is essential to set the date and time correctly on SCB, otherwise the date information of the logs and audit trails will be inaccurate. SCB displays a warning on this page and sends an alert if the time becomes out of sync. |
To explicitly set the date and time on SCB, enter the current date into respective fields of the group and click .
4.3.2.1. Procedure – Configuring a time (NTP) server
Purpose:
To retrieve the date automatically from a time server, complete the following steps.
Steps:
Select your timezone in the field.
Enter the IP address of an NTP time server into the field.
Click .
Click the
and icons to add new servers or
delete existing ones.
|
Note |
|---|---|
|
If the time setting of SCB is very inaccurate (that is, the difference between the system time and the actual time is great), it might take a long time to retrieve the date from the NTP server. In this case, click to sync the time immediately using SNTP. When two SCB units are operating in high availability mode, the button is named , and synchronizes the time of the master node to the NTP server. To synchronize the time between the master and the slave nodes, click . |
E-mail alerts and system logging can be configured on the page.
4.3.3.1. Procedure – Configuring system logging
Purpose:
SCB can send its system log messages to remote syslog servers. To configure logging to a remote server, complete the following steps:
Steps:
Navigate to .
Click
in the field to
add a new syslog server.Enter the IP address and port of the syslog server into the respective fields.
-
Select the network protocol used to transfer the messages in the field. The
legacy-prefix corresponds to the legacy BSD-syslog protocol described in RFC3164, while theietf-prefix corresponds to the new IETF-syslog protocol described in RFC5424. Note that not every syslog server supports the IETF protocol yet.Select
TCP+TLSto send the log messages using a TLS-encrypted connection.Tip Transferring the syslog messages using TCP ensures that the server receives them.
Transferring the syslog messages using TLS encryption ensures that third parties cannot read the messages. However, not every syslog server accepts encrypted connections. The syslog-ng Premium Edition and Open Source Edition applications, and the syslog-ng Store Box (which is a log-collector appliance similar to SCB) support both encrypted connections and the new IETF-syslog protocol as well. For details on these products, see syslog-ng Premium Edition and syslog-ng Store Box.
To display separate hostnames for syslog messages sent by the nodes of a SCB HA cluster, select the option. The node ID included in the hostname filed of the syslog message is the MAC address of the node's HA interface. (Messages of the core firmware are always sent by the master node.)
-
If you have selected the
TCP+TLSprotocol, complete the following steps. Otherwise, click .-
If you want SCB to verify the certificate of the syslog server, select in the field and proceed to the next step.
If you want SCB to simply accept any certificate shown by the server, select in the field.
Note Alternatively, you can use the following, less strict options to check the certificate of the server:
Optional trusted: If the server sends a certificate, SCB checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the server. If these checks fail, SCB rejects the connection. However, SCB accepts the connection if the server does not send a certificate.
Required untrusted: SCB requests a certificate from the server, and rejects the connection if no certificate is received, if the certificate is not valid (expired), or if the Common Name of the certificate does not contain the domain name or the IP address of the server.
-
Click the
icon in the field. A popup window is displayed.Click , select the certificate of the Certificate Authority (CA) that issued the certificate of the syslog server, then click . Alternatively, you can paste the certificate into the field and click .
SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.
-
If the syslog server requires mutual authentication, that is, it expects a certificate from SCB, generate and sign a certificate for SCB, then click the
icon in the field to upload the certificate.
After that, click the icon in the field and upload the private key corresponding to
the certificate. Click .
-
-
Click the
and icons to add new servers or
delete existing ones.Note To reduce the risk of the syslog server not receiving log messages from SCB because of a network outage or other problem with the syslog server, SCB buffers up to 10 Megabytes of log messages to its hard disk in case the syslog server becomes unaccessible.
4.3.3.2. Procedure – Configuring e-mail alerts
Purpose:
To configure e-mail alerts, complete the following steps:
Steps:
Navigate to .
-
Enter the IP address or the hostname of the mail server into the field.
Enter the e-mail address of the administrator into the field. SCB sends notifications related to system-events (but not alerts and reports) to this address.
Enter the e-mail address of the administrator into the field. SCB sends monitoring alerts to this address.
Enter the e-mail address the person who should receive traffic reports from SCB into the field. For details on reports, see Section 6.7, Reports.
Click .
-
Click to send a test message.
If the test message does not arrive to the server, check if SCB can access the server. For details, see Section 4.5.4, Troubleshooting SCB.
Navigate to and select in which situations should SCB send an e-mail alert. For details, see Section 4.3.4, Configuring system monitoring on SCB.
Click .
4.3.3.3. Procedure – Configuring SNMP alerts
Purpose:
SCB can send alerts to a central monitoring server via SNMP (Simple Network Management Protocol). To configure SNMP alerts, complete the following steps:
Steps:
Navigate to .
-
Enter the IP address or the hostname of the SNMP server into the field.
-
Select the SNMP protocol to use.
To use the SNMP v2c protocol for SNMP queries, select , and enter the community to use into the field.
-
To use the SNMP v3 protocol, select and complete the following steps:
Enter the username to use into the field.
Enter the engine ID to use into the field. The engine ID is a hexadecimal number at least 10 digits long, starting with
0x. For example0xABABABABAB.Select the authentication method (
MD5, SHA1) to use from the field.Enter the password to use into the field.
Select the encryption method (
Disabled, DES, AES) to use from the field.Enter the encryption password to use into the field.
Click .
Navigate to and select in which situations should SCB send an SNMP alert. For details, see Section 4.3.4, Configuring system monitoring on SCB.
Click .
4.3.3.4. Procedure – Querying SCB status information using agents
Purpose:
External SNMP agents can query the status information of SCB. To configure which clients can query this information, complete the following steps:
Steps:
-
Navigate to .
The status of SCB can be queried dynamically via SNMP. By default, the status can be queried from any host. To restrict access to these data to a single host, enter the IP address of the host into the field.
Optionally, you can enter the details of the SNMP server into the , , and fields.
-
Select the SNMP protocol to use.
To use the SNMP v2c protocol for SNMP queries, select , and enter the community to use into the field.
To use the SNMP v3 protocol, select and complete the following steps:
Click
Enter the username used by the SNMP agent into the field.
Select the authentication method (
MD5, SHA1) to use from the field.Enter the password used by the SNMP agent into the field.
Select the encryption method (
Disabled, DES, AES) to use from the field.Enter the encryption password to use into the field.
To add other agents, click
.
Click .
SCB continuously monitors a number of parameters of the SCB hardware and its environment. If a parameter reaches a critical level (set in its respective field), SCB sends e-mail and SNMP messages to alert the administrator.
SCB sends SNMP alerts using the management network interface by default, or using the external interface if the management interface is disabled. SCB supports the SNMPv2c and SNMPv3 protocols. The SNMP server set on the tab can query status information from SCB.
|
Tip |
|---|---|
|
In order have your central monitoring system to recognize the SNMP alerts sent by SCB, import the SCB-specific Management Information Base (MIB) into your monitoring system. Download both MIBs by navigating to and clicking and import them into your monitoring system. For details, see the documentation of your monitoring system. |
4.3.4.1. Procedure – Configuring monitoring
Purpose:
To configure monitoring, complete the following steps:
Steps:
Navigate to .
The default threshold values of the parameters are suitable for most situations. Adjust the thresholds only if needed.
Click .
-
Navigate to and verify that the and of SCB are correct. SCB sends alerts only to the alert e-mail address and to the SNMP server.
Warning Sending alerts fails if these settings are incorrect.
The following sections describe the parameters you can receive alerts on.
For details on health-monitoring alerts, see Section 4.3.4.2, Health monitoring.
For details on system-monitoring alerts, see Section 4.3.4.4, System related traps.
For details on traffic-monitoring alerts, see Section 4.3.4.5, Traffic-related alerts.
-
Disk utilization maximum: Ratio of free space available on the hard disk. SCB sends an alert if the audit trails use more space than the set value. Archive the audit trails to a backup server to free disk space. For details, see Procedure 4.3.5.2, Archiving the collected data.
Note The alert message includes the actual disk usage, not the limit set on the web interface. For example, you set SCB to alert if the disk usage increases above
10percent. If the disk usage of SCB increases above this limit (for example to17percent), you receive the following alert message:less than 90% free (= 17%). This means that the amount of used disk space increased above 10% (what you set as a limit, so it is less than 90%), namely to 17%. Load 1|5|15 maximum: The average load of SCB during the last one, five, or 15 minutes.
Swap utilization maximum: Ratio of the swap space used by SCB. SCB sends an alert if it uses more swap space than the set value.
4.3.4.3. Procedure – Preventing disk space fill up
Purpose:
To prevent disk space from filling up, complete the following steps:
Steps:
Navigate to .
Set the limit of maximum disk utilization in percents in the respective field. When disk space is used above the set limit, SCB disconnects all clients. Entering
0turns the feature off. The default value is0.-
Optional step: Enable the option to automatically start all configured archiving/cleanup jobs when disk usage goes over the limit.
Note If there is no archiving policy set, enabling this option will not trigger automatic archiving.
Navigate to and enable alert .
Click .
| Name | SNMP alert ID | Description |
|---|---|---|
| Login failed | xcbLoginFailure |
Failed login attempts from SCB web interface. |
| Successful login | xcbLogin |
Successful login attempts into SCB web interface. |
| Logout from the management interface | xcbLogout |
Logouts from SCB web interface. |
| Configuration changed | xcbConfigChange |
Any modification of SCB's configuration. |
| General alert | xcbAlert |
General alerts and error messages occurring on SCB. Note, that alerts on general alerts and errors are sent whenever there is an alert or error level message in the SCB system log. These messages are very verbose and mainly useful only for debugging purposes. Enabling these alerts may result in multiple e-mails or SNMP traps sent about the same event. |
| General error | xcbError |
|
| Data and configuration backup failed | xcbBackupFailed |
Alerts if the backup procedure is unsuccessful. |
| Data archiving failed | xcbArchiveFailed |
Alerts if the archiving procedure is unsuccessful. |
| Database error occurred | xcbDBError |
An error occurred in the database where SCB stores the connection metadata. Contact our support team (see Section 5, Contact and support information for contact information). |
| Destination address limit reached | xcbLimitReached |
The number of protected servers reached the limit set in the SCB license. Clients cannot connect to new servers using SCB. |
| HA node state changed | xcbHaNodeChanged |
A node of the SCB cluster changed its state, for example, a takeover occurred. |
| Timestamping error occured | xcbTimestampError |
An error occurred during the timestaming process, for example the timestamping server did not respond. |
| Time sync lost | xcbTimeSyncLost |
The system time became out of sync. |
| Raid status changed | xcbRaidStatus |
The status of the node's RAID device changed its state. |
| Hardware error occured | xcbHWError |
SCB detected a hardware error. |
| Firmware is tainted | xcbFirmwareTainted |
A user has locally modified a file from the console. |
| Disk usage is above the defined ratio | xcbDiskFull |
Disk space is used above the limit set in . |
Table 4.1. System related traps
| Name | SNMP alert ID | Description |
|---|---|---|
| Channel opening denied | scbChannelDenied |
A user attempted to open a channel not permitted by the channel policy. |
| Connection denied | scbConnectionDenied |
A user attempted to connect a server not permitted in the connection policies. |
| User successfully authenticated | scbAuthSuccess |
A user successfully authenticated on a protected server using an SSH connection. |
| User authentication failed | scbAuthFailure |
A user failed to complete the authentication on a protected server using an SSH connection. |
| SSH host key mismatch | scbSshHostKeyMismatch |
The SSH host key of a server did not match the key stored on SCB. |
| New SSH host key learned | scbHostKeyLearned |
SCB learned a new SSH host key. |
| Connection timed out | scbConnectionTimedout |
A connection to a protected server timed out. |
| Connection to the server failed | scbConnectionFailed |
A connection to a protected server failed. |
| Audit trail rate limit exceeded | scbAuditRateLimit |
The growth of an audit trail exceeded the rate limit set in the of the protocol. This may have been caused by an a deliberate attack. |
| Audit trail size limit exceeded | scbAuditSizeLimit |
The size of an audit trail exceeded the file limit set in the of the protocol. |
| User successfully authenticated on the gateway | scbGWAuthSuccess |
A user has successfully authenticated a connection on SCB as part of a gateway-authentication process. |
| User authentication failed on the gateway | scbGWAuthFailure |
The gateway-authentication of a connection has failed. |
| User mapping failed on the gateway | scbUserMappingFailure |
A usermapping policy did not find a suitable mapping for the connection. |
| Decryption of a credential store failed | scbCredStoreDecrpytError | SCB could not unlock a password-protected Credential Store. Navigate to and enter the password(s) to open the Credential Store. |
| The requested credential store is closed | scbCredStoreClosed | A user attempted to access a connection policy that uses a password-protected Credential Store, and the Credential Store has not been unlocked. Navigate to and enter the password(s) to open the Credential Store. |
Table 4.2. Traffic-related alerts
The BalaBit Shell Control Box can create automatic backups of its configuration and the stored audit-trails to a remote server. Backups and archiving is controlled using backup and archiving policies that define the protocol to use, the address of the backup server, and other parameters.
4.3.5.1. Procedure – Creating configuration and data backups
Purpose:
To configure automatic configuration backups, complete the following steps:
Steps:
-
Create a backup policy.
Navigate to and click
in the
section to create a new
backup policy.Enter a name for the backup policy (for example
config-backup).Enter the time when the backup process should start into the field in HH:MM format (for example
23:00).Enter the IP address or the hostname of the remote server into the field (for example
backup.example.com).-
SCB can access the remote server via different protocols. Select the one to use from the available protocols:
Rsync over SSH: Execute the rsync command via the Secure Shell protocol. Note that the backup server must run rsync version 3.0 or newer.
-
SMB/CIFS: Server Message Block protocol used on Microsoft Windows Network.
Warning The CIFS implementation of NetApp storage devices is not compatible with the CIFS implementation used in SCB, therefore it is not possible to create backups and archives from SCB to NetApp devices using the CIFS protocol (the operation fails with a similar error message:
/opt/scb/mnt/14719217504d41370514043/reports/2010": Permission denied (13) '2010/day/' rsync: failed to set times on).To overcome this problem, either:
use the NFS protocol to access your NetApp devices, or
use a backup device that has a CIFS implementation compatible with SCB, for example, Windows or Linux Samba.
-
NFS: Network File System protocol.
Warning When using the NFS protocol to create backups or archives, ensure that the files on the remote server are readable for the
www-datauser as well, because SCB uses this user to access remote backups and archives if needed.
Provide the protocol-specific parameters for the selected method. The protocol-specific parameters are described in Section 4.3.5.4, Parameters of the backup protocols.
-
To receive e-mail notification of the backup, select the or the option. Notifications are sent to the administrator e-mail address set on the tab, and include the list of the files that were backed up.
Warning Starting with SCB 3.0, the notification e-mail does not include the list of backed up file. To include the list of files in the e-mail, select and disable the option. However, note that if list is very long (for example, SCB stores over 20000 audit trails), the SCB web interface might become unaccessible.
Note This e-mail notification is different from the one set on the tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.3.4, Configuring system monitoring on SCB).
Click .
Expected outcome:
A backup policy is created.
-
To use this policy to create configuration backups, navigate to , and select the backup policy you want to use for backing up the configuration of SCB in the field.
To use this policy to create data backups, navigate to , select the connection you want to backup, and select a backup policy in the field.
-
Click .
Tip To create an immediate backup of SCB's configuration to your machine (not to the backup server), select .
Note that the configuration export contains only the system settings and configuration files (including changelogs). System backups includes additional information like reports and alerts, and also the connection database.
|
Note |
|---|---|
Backup is different from archiving: the purpose of backup is to create a snapshot of SCB's configuration or the data stored on SCB that can be used for recovery in case of errors. Backup deletes all other data from the target directory; while restoring a backup deletes all other data from SCB. |
|
Tip |
|---|---|
|
To start the backup process immediately, click . The functionality works only after a backup policy has been selected. To restore the stored data (audit trails, logs, reports, and so on), click . Note that the function does not restore the configuration files of SCB. |
4.3.5.2. Procedure – Archiving the collected data
Purpose:
To configure data archiving, complete the following steps.
Steps:
-
Create an archive policy.
Navigate to and click
in the
section to create a
new archive policy.-
Enter a name for the archive policy.
Enter the time when the archive process should start into the field in HH:MM format (for example
23:00).-
To archive the data collected on SCB more than once a day, click
and enter the time for the other archive
process. Repeat this step as needed.Note In case an archive process is not finished before the next one starts, the next archive process waits for the previous process to be completed.
Only closed audit-trail files are archived, for which has already elapsed.
-
SCB can access the remote server via different protocols. Select the one to use from the available protocols:
-
Only cleanup, no archiving: Do not archive data to a server, simply delete the data that is older than .
Warning permanently deletes all audit trails and data that is older than without creating a backup copy or an archive. Such data is irrecoverably lost. Use this option with care.
-
SMB/CIFS: Server Message Block protocol used on Microsoft Windows Network.
Warning The CIFS implementation of NetApp storage devices is not compatible with the CIFS implementation used in SCB, therefore it is not possible to create backups and archives from SCB to NetApp devices using the CIFS protocol (the operation fails with a similar error message:
/opt/scb/mnt/14719217504d41370514043/reports/2010": Permission denied (13) '2010/day/' rsync: failed to set times on).To overcome this problem, either:
use the NFS protocol to access your NetApp devices, or
use a backup device that has a CIFS implementation compatible with SCB, for example, Windows or Linux Samba.
-
NFS: Network File System protocol.
Warning When using the NFS protocol to create backups or archives, ensure that the files on the remote server are readable for the
www-datauser as well, because SCB uses this user to access remote backups and archives if needed.
-
Enter the IP address or the hostname of the remote server into the field (for example
backup.example.com).-
Fill the field. Only audit data older than this value is archived to the external server.
Note The archived data is deleted from SCB.
Connection metadata is not deleted. Log files are not deleted at this point, but are rotated on a weekly basis.
Note Starting with SCB 3.0, data about archived connections can be automatically deleted from the connection database. For details, see Procedure 5.1.12, Configuring cleanup for the SCB connection database.
-
SCB organizes the audit trails into directories based on the date or the protocol. The subdirectories are created directly into the archive directory. Select one of the following directory structures:
For example, template will have create subdirectories for the audited protocols (that is,
ssh, rdp, telnet, vnc), for the name of the connection policy, and finally, for the date (YEAR-MONTH-DAY inYYYY-MM-DDformat).Note refers to the time the connection started, while to the time it was archived. The difference between the two dates depends on the retention time set for the archiving policy.
Provide the protocol-specific parameters for the selected method. The protocol-specific parameters are described in Section 4.3.5.4, Parameters of the backup protocols.
-
To receive e-mail notification of the backup, select the or the option. Notifications are sent to the administrator e-mail address set on the tab, and include the list of the files that were backed up.
Note This e-mail notification is different from the one set on the tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.3.4, Configuring system monitoring on SCB).
Click .
Expected outcome:
An archive policy is created.
To use this policy to archive the data of a connection policy, navigate to the connection (for example to , select the connection to archive the recorded audit trails from, and select the archive policy you want to use in the field.
-
Click .
Tip To start the archiving process immediately, click . The functionality works only after the archiving has been configured.
4.3.5.3. Procedure – Encrypting configuration backups with GPG
Purpose:
The configuration file of SCB during system-backups, upload the public-part of a GPG key. To enable GPG-encryption, complete the following steps:
|
Warning |
|---|---|
The regular backups of SCB contain other information (for example databases), but only the configuration file is encrypted. Note that system-backups do not contain data like audit-trails. |
Steps:
Navigate to .
Select .
-
Select
.To upload a key file, click , select the file containing the public GPG key, and click . SCB accepts both binary and ASCII-armored GPG keys.
To copy-paste the key from the clipboard, paste it into the field and click .
Note The GPG key you upload must be permitted to encrypt data. Keys that can be used only for signing cannot be used to encrypt the configuration file.
Click .
This section describes the details of the protocols used for data backup and archiving. Parameters of the protocol are described below.
For details on using Rsync, see Procedure 4.3.5.4.1, Configuring Rsync over SSH.
For details on using the Samba protocol, see Procedure 4.3.5.4.2, Configuring SMB.
For details on using NFS, see Procedure 4.3.5.4.3, Configuring NFS.
4.3.5.4.1. Procedure – Configuring Rsync over SSH
Purpose:
The backup method connects the target server with SSH and executes the rsync UNIX command to copy the data to the remote server. SCB authenticates itself with a public key — password-based authentication is not supported. To configure this method, complete the following steps.
|
Warning |
|---|---|
The backup server must run rsync version 3.0 or newer. |
Steps:
-
Select from the radio buttons.
Enter the username used to logon to the remote server into the field.
Click
in the Authentication key
field. A popup window is displayed.Generate a new keypair by clicking or upload or paste an existing one. This key will be used to authenticate SCB on the remote server. The public key of this keypair must be imported to the remote server.
Click
in the Server host key field. A
popup window is displayed.-
Click to download the host key of the server, or upload or paste the host key manually. SCB will compare the host key shown by the server to this key, and connect only if the two keys are identical.
Enter the port number of the SSH server running on the remote machine into the field.
Enter the path to the backup directory on the target server into the field (for example
/backups). SCB saves all data into this directory, automatically creating the subdirectories. Backups of audit-trails are stored in thedata, configuration backups in theconfigsubdirectory.Click .
4.3.5.4.2. Procedure – Configuring SMB
Purpose:
The backup method connects to a share on the target server with Server Message Block protocol. SMB/CIFS is mainly used on Microsoft Windows Networks. To configure this method, complete the following steps.
|
Warning |
|---|---|
|
The CIFS implementation of NetApp storage devices is not compatible with the CIFS implementation used in SCB, therefore it is not possible to create backups and archives from SCB to NetApp devices using the CIFS protocol (the operation fails with a similar error message: To overcome this problem, either:
|
Steps:
-
Select from the radio buttons.
Enter the username used to logon to the remote server into the field, or select the option.
Enter the password corresponding to the username into the field.
-
Enter the name of the share into the field.
SCB saves all data into this directory, automatically creating the subdirectories. Backups of audit-trails are stored in the
data, configuration backups in theconfigsubdirectory. Enter the domain name of the target server into the field.
Click .
4.3.5.4.3. Procedure – Configuring NFS
Purpose:
The backup method connects to a shared directory of
the target server with the Network File Share protocol. To configure this
method, enter the name of the NFS export into the
field. SCB saves all data into this directory, automatically creating
the subdirectories. Audit-trail backups are
stored in the data, configuration backups in the
config subdirectory.
The backup server must also be configured to accept backups from SCB. To configure NFS on the remote server, complete the following steps:
|
Note |
|---|---|
These steps must be performed on the remote server, not on SCB. |
Steps:
-
Add a line that corresponds to the settings of SCB to the
/etc/exportsfile of the backup server. This line should contain the following parameters:The path to the backup directory as set in the field of the SCB backup or archiving policy.
The IP address of the SCB interface that is used to access the remote server (that is, the address of the external interface, or the address of the management interface if it is enabled and the routing table of SCB is correctly configured — for details, see Section 4.3.1, Network settings.
The following parameters:
(rw,no_root_squash,sync).
![[Example]](./example.png)
Example 4.1. Configuring NFS on the remote server For example, if SCB connects the remote server from the
192.168.1.15IP address and the data is saved into the/var/backups/SCBdirectory, add the following line to the/etc/exportsfile:/var/backups/SCB 192.168.1.15(rw,no_root_squash,sync) Execute the following command: exportfs -a
Verify that the
rpc portmapperandrpc.statdapplications are running.
The different backup protocols assign different file ownerships to the files saved on the backup server. The owners of the backup files created using the different protocols are the following:
rsync: The user provided on the web interface.
SMB: The user provided on the web interface.
NFS:
rootwithno-root-squash,nobodyotherwise.
|
Warning |
|---|---|
SCB cannot modify the ownership of a file that already exists on the remote server. If you change the backup protocol but you use the same directory of the remote server to store the backups, make sure to adjust the ownership of the existing files according to the new protocol. Otherwise SCB cannot overwrite the files and the backup procedure fails. |
The menu (Authentication, Authorization, and Accounting) allows you to control the authentication, authorization, and accounting settings of the users accessing SCB. The following will be discussed in the next sections:
For details on how to authenticate locally on SCB — see Procedure 4.4.1, Managing SCB users locally.
For details on how to authenticate users using an external LDAP (for example Microsoft Active Directory) database — see Procedure 4.4.4, Managing SCB users from an LDAP database.
For details on how to authenticate users using an external RADIUS server — see Procedure 4.4.5, Authenticating users to a RADIUS server.
For details on how to control the privileges of users and usergroups — see Section 4.4.6, Managing user rights and usergroups.
For details on how to display the history of changes of SCB configuration — see Section 4.4.7, Listing and searching configuration changes.
4.4.1. Procedure – Managing SCB users locally
Purpose:
By default, SCB users are managed locally on SCB. To create and delete local users, modify the group membership of local users, or to modify the password of a user, complete the following procedure.
|
Note |
|---|---|
|
The Local users cannot be managed when LDAP authentication is used (see Procedure 4.4.4, Managing SCB users from an LDAP database). When LDAP authentication is enabled, the accounts of local users is disabled, they are not displayed on the page, but they are not deleted, When using RADIUS authentication together with local users, the users are authenticated to the RADIUS server, only their group memberships must be managed locally on SCB. For details, see Procedure 4.4.5, Authenticating users to a RADIUS server. |
Steps:
-
Navigate to and click
.
-
Enter the username into the field.
Note The following characters cannot be used in usernames:
\/[]:;|=,+*?<> -
Enter a password for the user into the and fields.
The strength of the password is indicated below the field as you type. To set a policy for password strength, see Procedure 4.4.2, Setting password policies for local users. The user can change the password later from the SCB web interface.
-
Click
in the section and select a
group that the user will be member of. Repeat this step to add the user to
multiple groups. For details about the different groups, see Section 4.4.6, Managing user rights and usergroups.To remove a user from a group, click
next to the
group.To delete a user, click
at the right edge of the
screen.
Click .
4.4.2. Procedure – Setting password policies for local users
Purpose:
SCB can use password policies to enforce minimal password strength and password expiry. To create a password policy, complete the following steps.
|
Warning |
|---|---|
When running the Audit Player application in service mode, the Audit Player application needs a valid user account to access SCB. When using password expiry, ensure that the password of this user is changed in time, and that it is changed also on the Audit Player hosts. |
|
Note |
|---|---|
|
Password policies apply only for locally managed users, it has no effect if you manage your users from an LDAP database, or if you authenticate your users to a RADIUS server. Password policies do not apply to the built-in |
Steps:
-
Navigate to .
-
Verify that the is set to and that the is set to .
Note If the setting of these fields is different (for example LDAP or RADIUS), then SCB is not configured to manage passwords locally.
Set how long the passwords are valid in the field. After this period, SCB users will have to change their password. To disable password expiry, enter
0.To prevent password-reuse (for example when a user has two password and instead of changing to a new password only switches between the two), set how many different passwords must the user use before reusing an old password.
-
To enforce the use of strong password, select the level of password-complexity from the field.
Note The strength of the password is determined by its entropy: the variety of numbers, letters, capital letters, and special characters used, not only by its length.
The option executes some simple dictionary-based attacks to find weak passwords.
-
Click .
Note Changes to the password policy do not affect existing passwords. However, setting password expiry will require every user to change their passwords after the expiry date, and the new passwords must comply with the strength requirements set in the password policy.
4.4.3. Procedure – Managing local usergroups
Purpose:
To display which users belong to a particular local usergroup, navigate to . You can edit the group memberships here as well.
You can use local groups to control the privileges of SCB local and LDAP users — who can view and configure what.
For the description of built-in groups, see Section 4.4.6.5, Built-in usergroups of SCB. To create a new group, complete the following steps:
Steps:
-
Navigate to and click
.
Enter a name for the group.
Enter the names of the users belonging to the group. Click
to
add more users.Click .
4.4.4. Procedure – Managing SCB users from an LDAP database
Purpose:
The SCB web interface can authenticate users to an external LDAP database to simplify the integration of SCB to your existing infrastructure. You can also specify multiple LDAP servers; if the first server is unavailable, SCB will try to connect to the second server. To enable LDAP authentication, complete the following steps.
|
Note |
|---|---|
|
The The Enabling LDAP authentication automatically disables the access of every local
user except for SCB accepts both pre-win2000-style and Win2003-style account names (User
Principal Names). User Principal Names (UPNs) consist of a username, the at (@)
character, and a domain name, for example
The following characters cannot be used in usernames and group names:
When using RADIUS authentication together with LDAP users, the users are authenticated to the RADIUS server, only their group memberships must be managed in LDAP. For details, see Procedure 4.4.5, Authenticating users to a RADIUS server. |
Steps:
Navigate to .
-
Select the option and enter the parameters of your LDAP server.
-
Enter the IP address or hostname and port of the LDAP server into the field.
To add multiple servers, click
and enter the address of
the next server. If a server is unreachable, SCB will try to
connect to the next server in the list in failover fashion.Warning If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example
ldap.example.com) in the field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate. Select the type of your LDAP server in the field. Select to connect to Microsoft Active Directory servers, or to connect to servers that use the POSIX LDAP scheme.
Enter the name of the DN to be used as the base of the queries into the field (for example
DC=demodomain,DC=exampleinc).-
Enter the name of the DN where SCB should bind to before accessing the database into the field.
For example:
CN=Administrator,CN=Users,DC=demodomain,DC=exampleinc.Note SCB accepts both pre-win2000-style and Win2003-style account names (User Principal Names), for example
administrator@example.comis also accepted. Enter the password to use when binding to the LDAP server into the field.
-
-
If you want to encrypt the communication between SCB and the LDAP server, select the option and complete the following steps:
Note TLS-encrypted connection to Microsoft Active Directory is supported only on Windows 2003 Server and newer platforms. Windows 2000 Server is not supported.
Only the STARTTLS method is supported to encrypt the communication between the LDAP server and SCB. The LDAPS protocol is not supported.
-
If you want SCB to verify the certificate of the server, click the
icon in the field. A popup window is displayed.Click , select the certificate of the Certificate Authority (CA) that issued the certificate of the LDAP server, then click . Alternatively, you can paste the certificate into the field and click .
SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.
If you want SCB to simply accept any certificate shown by the LDAP server, select in the field.
Note Alternatively, you can use the following options to check the certificate of the LDAP server:
None: Do not request a certificate from the remote host, and accept any certificate if the host sends one.
Optional trusted: If the remote host sends a certificate, SCB checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the host. If these checks fail, SCB rejects the connection. However, SCB accepts the connection if the host does not send a certificate.
Optional untrusted:Accept any certificate shown by the remote host. Note that the host must show a certificate.
Required trusted: Verify the certificate of the remote host. Only valid certificates signed by a trusted certificate authority are accepted. For details on importing CA certificates, see Procedure 4.5.8.2, Uploading external certificates to SCB. Note that the Common Name of the certificate must contain the domain name or the IP address of the host.
Request untrusted: SCB requests a certificate from the remote host, and rejects the connection if no certificate is received; if the certificate is not valid (expired); or if the Common Name of the certificate does not contain the domain name or the IP address of the host.
Warning If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example
ldap.example.com) in the field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate. -
If the LDAP server requires mutual authentication, that is, it expects a certificate from SCB, generate and sign a certificate for SCB, then click
in
the field to upload
the certificate. After that, click in the
field and upload the private key
corresponding to the certificate.
-
-
If you have modified the field or the keys used in the connections, perform the following steps:
Warning This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.
To activate the new settings, navigate to , and click .
-
Click .
Note You also have to configure the usergroups in SCB and possibly in your LDAP database. For details on using usergroups, see Section 4.4.6.4, How to use usergroups.
Click to test the connection. Note that the testing of SSL-encrypted connections is currently not supported.
4.4.5. Procedure – Authenticating users to a RADIUS server
Purpose:
SCB can authenticate its users to an external RADIUS server. Group memberships of the users must be managed either locally on SCB or in an LDAP database.
|
Warning |
|---|---|
The challange/response authentication methods is currently not supported. Other authentication methods (for example password, SecureID) should work. |
To authenticate SCB users to a RADIUS server, complete the following steps:
Steps:
-
Navigate to .
Set the field to .
Enter the IP address or domain name of the RADIUS server into the field.
Enter the password that SCB can use to access the server into the field.
-
To add more RADIUS servers, click
and repeat Steps 2-4.Repeat this step to add multiple servers. If a server is unreachable, SCB will try to connect to the next server in the list in failover fashion.
-
Warning After clicking , the SCB web interface will be available only after successfully authenticating to the RADIUS server. Note that the default
adminaccount of SCB will be able to login normally, even if the RADIUS server is unaccessible.Click .
In SCB, user rights can be assigned to usergroups. SCB has numerous usergroups defined by default, but custom user groups can be defined as well. Every group has a set of privileges: which pages of the SCB web interface it can access, and whether it can only view (read) or also modify (read & write/perform) those pages or perform certain actions.
|
Note |
|---|---|
Every group has either read or read & write/perform privileges to a set of pages. |
For details on modifying existing groups, see Procedure 4.4.6.1, Modifying group privileges.
For details on creating a new usergroup, see Procedure 4.4.6.2, Creating new usergroups for the SCB web interface.
For details on finding usergroups that have a specific privilege, see Section 4.4.6.3, Finding specific usergroups.
For tips on using usergroups, see Section 4.4.6.4, How to use usergroups.
For a detailed description about the privileges of the built-in usergroups, see Section 4.4.6.5, Built-in usergroups of SCB.
4.4.6.1. Procedure – Modifying group privileges
Purpose:
To modify the privileges of an existing group, complete the following steps:
Steps:
Navigate to .
Find the group you want to modify and click . The list of available privileges is displayed.
-
Select the privileges (pages of the SCB interface) to which the group will have access to and click .
Warning Assigning the privilege to a user on the AAA page automatically enables the privilege, and grants the user access to every audit trail, even if the user is not a member of the groups listed in the option of the particular connection policy.
Select the type of access (read or read & write) from the field.
Click .
4.4.6.2. Procedure – Creating new usergroups for the SCB web interface
Purpose:
To create a new group, complete the following steps:
Steps:
Navigate to and click
.Enter a name for the group. For details on how you should name your groups, see Section 4.4.6.4, How to use usergroups.
Click the
icon located next to the name of the group. The list
of available privileges is displayed.Select the privileges (pages of the SCB interface) to which the group will have access to and click .
Select the type of access (read or read & write) from the field.
Click .
|
Note |
|---|---|
|
To export the configuration of SCB, the Export configuration privilege is required. To import a configuration to SCB, the Import configuration privilege is required. To update the firmware and set the active firmware, the Firmware privilege is required. |
The admin user is available by default and has all
privileges. It is not possible to delete this user.
The section of the page provides you with a simple searching and filtering interface to search the names and privileges of usergroups.
To select usergroups starting with a specific string, enter the beginning of the name of the group into the field and select .
To select usergroups who have a specific privilege, click
,
select the privilege or privileges you are looking for, and click
.To filter for read or write access, use the option.
How you should name usergroups depends on the way you manage your SCB users.
Local users: If you use only local users, create or modify your usergroups on the page and add users to the groups on the or the page.
LDAP users and LDAP groups: If you manage your users from LDAP, and also have LDAP groups that match the way you want to group your SCB users, create or modify your usergroups on the page and ensure that the name of your LDAP group and the SCB usergroup is the same. For example, to make members of the
adminsLDAP group be able to use SCB, create a usergroup calledadminson the page and edit the privileges of the group as needed.RADIUS users and local groups: This is the case when you manage users from RADIUS, but you cannot or do not want to create groups in LDAP. Create your local groups on the page, and add your RADIUS users to these groups on the page.
SCB has the following usergroups by default:
|
Warning |
|---|---|
If you use LDAP authentication on the SCB web interface and want to use the default usergroups, you have to create these groups in your LDAP database and assign users to them. For details on using usergroups, see Section 4.4.6.4, How to use usergroups. |
basic-view: View the settings in the menu, including the system logs of SCB. Members of this group can also execute commands on the tab.
basic-write: Edit the settings in the menu. Members of this group can manage SCB as a host.
auth-view: View the names and privileges of the SCB administrators, the configured usergroups, and the authentication settings in the menu. Members of this group can also view the history of configuration changes.
-
auth-write: Edit authentication settings and manage users and usergroups.
Warning Members of the
auth-writegroup, or any other group with write privileges to the menu are essentially equivalent to system administrators of SCB, because they can give themselves any privilege. Users with limited rights should never have such privileges.If a user with write privileges to the menu gives himself new privileges (for example gives himself group membership to a new group), then he has to relogin to the SCB web interface to activate the new privilege.
-
search: Browse and download various logs and alerts in the menu. The members of this group have access to the audit trail files as well. Note that to open encrypted audit trail files, the proper encryption keys are required.
Note In SCB version 1.x, a separate privilege was required to view and download audit trail files. Now members of the search group automatically have these privileges.
changelog: View the history of SCB configuration changes in the menu.
-
report: Browse, create and manage reports, and add statistics-based chapters to the reports in the menu.
Note To control exactly which statistics-based chapters and reports can the user include in a report, use the
Use static subchaptersprivileges. policies-view: View the policies and settings in the menu.
policies-write: Edit the policies and settings in the menu.
ssh-view: View all connection and policy settings in the menu.
ssh-write: Edit all connection and policy settings in the menu.
rdp-view: View all connection and policy settings in the menu.
rdp-write: Edit all connection and policy settings in the menu.
telnet-view: View all connection and policy settings in the menu.
telnet-write: Edit all connection and policy settings in the menu.
vnc-view: View all connection and policy settings in the menu.
vnc-write: Edit all connection and policy settings in the menu.
indexing: Allows host running the Audit Player application to access and download audit trails for automatic indexing. Note that the members of this group can access the SCB web interface as well, and download any audit trail directly.
ica-view: View all connection and policy settings in the menu.
ica-write: Edit all connection and policy settings in the menu.
SCB automatically tracks every change of its configuration. To display the history of changes, select . The changes are organized as log messages, and can be browsed and searched using the regular SCB search interface (for details, see Chapter 6, Browsing log messages and SCB reports). The following information is displayed about each modification:
Timestamp: The date of the modification.
Author: Username of the administrator who modified the configuration of SCB.
Page: The menu item that was modified.
Field name: The name of the field or option that was modified.
New value: The new value of the configuration parameter.
Message: The changelog or commit log that the administrator submitted. This field is available only if the option is enabled (see below).
Old value: The old value of the configuration parameter.
To request the administrators to write an explanation to every configuration change, navigate to and select the option.
SCB version 3.2 and later provides an interface to query the user-rights and privileges of individual users and user groups. To display the privileges of a user or usergroup, navigate to , enter the name of the user or group into the respective field, then click . Note that:
It is not possible to filter on both the username and the group at the same time.
Partial matches are also displayed.
Usergroups can be local usergroups, userlists, or LDAP usergroups.
Web interface permissions. For usergroups accessing the SCB web interface, a table is displayed that lists the pages of the SCB web interface that the user or usergroup can access. The following information is displayed:
Page: The name of the page or group of pages, for example, .
Element: If a group has access only to a section of a page, the name of the element is listed here. For example, a particular Channel Policy.
Group: The name of the usergroup.
Permission: The type of access that the user or usergroup has to the page:
readorread and write/perform.
Connection permissions. To review which servers a user or usergroup can access, SCB collects the main information about the connections the user or group is permitted to use. The following information is displayed.
|
Note |
|---|---|
|
To display the usergroups that can access a specific Connection Policy, open the Connection Policy, then select on the Connections page. |
-
Gateway group: Lists the group memberships required to access the connection. Group memberships can be restricted at the following places:
Channel Policies > Gateway group
Policies > Usermapping Policies > Groups
-
Source:
Source IP: The IP address of the client.
-
To:
Destination IP: The IP address of the server as requested by the client.
-
To port:
Destination Port: The port number of the server as requested by the client.
-
Target:
Server IP: The IP address of the server connected by SCB.
-
Target port:
Server Port: The port number of the server connected by SCB.
-
Remote user:
Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies.
Remote group: The group that can access the destination server, as set in the Usermapping Policy (if any).
-
Protocol:
Protocol: The protocol used in the connection (SSH, RDP, Telnet, VNC and ICA).
-
Connection:
Connection Policy: The connection policy applied to the client's connection request.
-
Authorizer:
Four-eyes Authorizer: The username of the user who authorized the session. Available only if 4-eyes authorization is required for the channel. For details on 4-eyes authorization, see Section 8.3, Configuring 4-eyes authorization.
Auth type: The authentication method used in the client-side connection during gateway authentication.
Channel: The type of the channel, for example,
session-shell.Time: The name of the Time Policy used in the connection.
LDAP: The name of the LDAP Server used in the connection (if any).
Credential store: The name of the Credential Store used in the connection (if any).
Audit: Indicates if the connection is recorded into audit trails.
Ids: Indicates if the connection is forwarded to an Intrusion Detection System (IDS).
Usergroup memberships. When searhing for users, the table displays the group memberships of the matching users. When searching for usergroups, the table displays the members of the matching groups. The following information is displayed:
User: The username of the user.
Group: The name of the usergroup or userlist.
Exception: Usernames that are denied in case of default-deny userlists managed locally on SCB.
The following sections explain the basic management tasks of SCB, including the basic control (for example, shutdown or reboot) of the appliance, upgrading, as well as tips on troubleshooting SCB.
To restart or shut down SCB, navigate to and click the respective action button. The refers to the slave node of a high availability SCB cluster. For details on high availability clusters, see Section 4.5.2, Managing a high availability SCB cluster.
|
Note |
|---|---|
Web sessions to the SCB interface are persistent and remain open after rebooting SCB, so you do not have to relogin after a reboot. |
4.5.1.1. Procedure – Disabling controlled traffic
Purpose:
To temporarily disable some or all of the controlled traffic to the protected servers, complete the following steps:
|
Warning |
|---|---|
Disabling traffic that way is only temporary; connections will be enabled again after committing any other change from the SCB web interface. For details on how to permanently disable a type of traffic, see Procedure 4.5.1.2, Disabling controlled traffic permanently. |
|
Note |
|---|---|
Disabling the traffic affects only the traffic configured in the Connection policies, other traffic can pass SCB even if the all traffic is disabled. For details on configuring Connection policies, see Chapter 5, Configuring connections. |
Steps:
Navigate to the .
-
To disable SSH traffic, click in the field. Note that this also stops all other traffic forwarded in SSH, for example X11.
To disable RDP traffic, click in the field.
To disable Telnet and TN3270 traffic, click in the field.
To disable VNC traffic, click in the field.
To disable all types of traffic, click in the field.
The displays the status of all types of traffic.
4.5.1.2. Procedure – Disabling controlled traffic permanently
|
Note |
|---|---|
Disabling the traffic affects only the traffic configured in the Connection policies, other traffic can pass SCB even if the all traffic is disabled. For details on configuring Connection policies, see Chapter 5, Configuring connections. |
Steps:
-
Navigate to the page of the traffic type you want to disable, for example to to disable SSH traffic.
Set the field to
disabled.Click .
The page provides the following information about SCB:
|
Note |
|---|---|
Refer to Procedure 3.2, Installing two SCB units in HA mode of Appendix 3, BalaBit Shell Control Box Hardware Installation Guide for details on creating a high availability SCB cluster. |
Status: Indicates whether SCB is running in High Availability or Standalone mode.
Node ID: The MAC address of the
HAinterface of the node. This address is also printed on a label on the top cover of the SCB unit.Node HA state: Indicates whether the SCB node is running in High Availability or Standalone mode.
Node HA UUID: A unique identifier of the node. Only available in High Availability mode.
DRBD status: The status of data stored on SCB. The status must be
Consistenton the active node to prevent data loss.RAID status: The status of the RAID device of the node.
The active (master) SCB node is labeled as , this unit inspects the SSH traffic and provides the web interface. The SCB unit labeled as is the slave node that is activated if the master node becomes unavailable.
|
Note |
|---|---|
|
For SCB clusters, the ID of the node (the MAC address of its HA
interface) sending the message is included in the log messages. Note that if the central log server is a syslog-ng
server, the |
To activate the other node and disable the currently active node, click .
To reboot both nodes, click . Note that this will automatically reboot the two nodes, but will not result in a takeover.
|
Warning |
|---|---|
Hazard of data loss! Activating the slave node terminates all connections of SCB and might result in data loss. The slave node becomes active after about 60 seconds, during which the protected servers cannot be accessed. |
This section explains the possible statuses of the SCB nodes and the DRBD data storage system. SCB displays this information on the page.
|
Note |
|---|---|
If a redundant Heartbeat interface is configured, its status is also displayed in the field. For details on redundant Heartbeat interfaces, see Section 4.5.2.4, Redundant Heartbeat interface status explained and Procedure 4.5.2.3, Configuring redundant Heartbeat interfaces. |
The field indicates whether the SCB nodes recognize each other properly and whether those are configured to operate in high availability mode. The status of the individual SCB nodes is indicated in the field of the each node. The following statuses can occur:
Standalone: There is only one SCB unit running in
standalonemode, or the units have not been converted to a cluster (the of both nodes isstandalone). Click to enable High Availability mode.HA: The two SCB nodes are running in High Availability mode. is
HAon both nodes, and the is the same on both nodes.Half: High Availability mode is not configured properly, one node is in
standalone, the other one inHAmode. Connect to the node inHAmode, and click to enable High Availability mode.Broken: The two SCB nodes are running in High Availability mode. is
HAon both nodes, but the is different. Contact the BalaBit Support Team for help. For contact details, see Section 5, Contact and support information.Degraded: SCB was running in high availability mode, but one of the nodes has disappeared (for example broken down, or removed from the network). Power on, reconnect, or repair the missing node.
Degraded Sync: Two SCB units were joined to High Availability mode, and the first-time synchronization of the disks is currently in progress. Wait for the synchronization to complete. Note that in case of large disks with lots of stored data, synchronizing the disks can take several hours.
-
Split brain: The two nodes lost the connection to each other, with the possibility of both nodes being active (master) for a time.
Warning Hazard of data loss! In this case, valuable audit trails might be available on both SCB nodes, so special care must be taken to avoid data loss. For details on solving this problem, see Procedure 4.5.4.7.2, Recovering from a split brain situation.
Invalidated: The data on one of the nodes is considered out-of-sync and should be updated with data from the other node. This state usually occurs during the recovery of a split-brain situation when the DRBD is manually invalidated.
Converted: After converting nodes to a cluster (clicking ) or enabling High Availability mode (clicking ) and before rebooting the node(s).
|
Note |
|---|---|
If you experience problems because the nodes of the HA cluster do not find each other during system startup, navigate to and select . That way the IP address of the HA interfaces of the nodes will be fix, which helps if the HA connection between the nodes is slow. |
The field indicates whether the latest data (including SCB configuration, audit trails, log files, and so on) is available on both SCB nodes. The master node (this node) must always be in status to prevent data loss. Inconsistent status means that the data on the node is not up-to-date, and should be synchronized from the node having the latest data.
The field also indicates the connection between the disk system of the SCB nodes. The following statuses are possible:
-
Connected: Both nodes are functioning properly.
-
Invalidated: The data on one of the nodes is considered out-of-sync and should be updated with data from the other node. This state usually occurs during the recovery of a split-brain situation when the DRBD is manually invalidated.
-
Sync source or Sync target: One node (Sync target) is downloading data from the other node (Sync source).
Note When the two nodes are synchronizing data, it is not possible to reboot or shutdown the master node. If you absolutely must shutdown SCB in such a situation, shutdown the slave node first, and then the master node.
When synchronizing data, the progress and the remaining time is displayed in the .
-
Split brain: The two nodes lost the connection to each other, with the possibility of both nodes being active (master) for a time.
Warning Hazard of data loss! In this case, valuable audit trails might be available on both SCB nodes, so special care must be taken to avoid data loss. For details on solving this problem, see Procedure 4.5.4.7.2, Recovering from a split brain situation.
-
WFConnection: One node is waiting for the other node; the connection between the nodes has not been established yet.
When operating two SCB units in High Availability mode, every incoming
data copied from the master (active) node to the slave (passive) node. Since
synchronizing data can take up significant system-resources, the maximal speed
of the synchronization is limited, by default, to 10
MB/sec. However, this means that synchronizing large amount of
data can take very long time, so it is useful to increase the synchronization
speed in certain situations — for example, when synchronizing the disks
after converting a single node to a high availability cluster.
To change the limit of the DRBD synchronization rate, navigate to , select , and select the desired value.
|
Note |
|---|---|
Setting the sync rate to a high value is not recommended if the load of SCB is very high, because increasing the resources used by the synchronization process may degrade the general performance of SCB. |
4.5.2.3. Procedure – Configuring redundant Heartbeat interfaces
Purpose:
In order to avoid unnecessary takeovers and minimize the chance of split-brain situations, it is possible to configure additional Heartbeat interfaces in SCB. These redundant Heartbeat interfaces are used only to detect that the other node is still available; it is not used to synchronize data between the nodes (only Heartbeat messages are transferred). For example, if the main HA interface breaks down, or is accidentally unplugged and the nodes can still access each other on the redundant HA interface, no takeover occurs, but no data is synchronized to the slave node until the main HA link is restored. Similarly, if connection on the redundant Heartbeat interface is lost, but the main HA connection is available, no takeover occurs.
The redundant Heartbeat interface is a virtual interface that uses an existing interface of the SCB device (for example the external or the management interface). The original MAC address of the interface is displayed at , while the MAC address of the virtual redundant Heartbeat interface is displayed at . The MAC address of the redundant Heartbeat interface is generated in a way that it cannot interfere with the MAC addresses of physical interfaces.
|
Warning |
|---|---|
In case the nodes lose connection on the main HA interface, and after a time the connection is lost on the redundant Heartbeat interfaces as well, the slave node will become active. However, as the master node was active for a time when no data synchronization was possible between the nodes, this results in a split-brain situation which must be resolved before the HA functionality can be restored. For details, see Procedure 4.5.4.7.2, Recovering from a split brain situation. |
To configure a redundant Heartbeat interface, complete the following steps.
Steps:
Navigate to .
-
Select the interface you want to use as redundant Heartbeat interface (for example
External). Using an interface as a redundant Heartbeat interface does not affect the original traffic of the interface.Warning When using SCB in Bridge mode, use the
Managementinterface for redundant HA functionality. Enabling the redundant HA option on theExternalorInternalinterface in Bridge mode can cause network errors depending on your network architecture
Enter an IP address into the field of the selected interface. This IP address must be a real IP address that is visible from the other node. The two nodes cannot have the same IP address on their redundant Heartbeat interfaces. Enter the IP address of the gateway into the if needed.
Enter an IP address into the field of the selected interface. This IP address must be a real IP address that is visible from the other node. The two nodes cannot have the same IP address on their redundant Heartbeat interfaces. Enter the IP address of the gateway into the if needed.
Repeat the previous steps to add additional redundant Heartbeat interfaces if needed.
-
Click .
Warning For the changes to take effect, you have to restart both nodes. To restart both nodes, click .
The status of the redundant Heartbeat interfaces is displayed at , and also in the field of the System monitor. The possible status messages are explained below:
-
NOT USED: There are no redundant Heartbeat interfaces configured.
-
OK: Normal operation, every redundant Heartbeat interface is working properly.
-
DEGRADED-WORKING: Two or more redundant Heartbeat interfaces are configured, and at least one of them is functioning properly. This status is displayed also when a new redundant Heartbeat interface has been configured, but the nodes of the SCB cluster has not been restarted yet.
-
DEGRADED: The connection between the redundant Heartbeat interfaces has been lost. Investigate the problem to restore the connection.
-
INVALID: An error occurred with the redundant Heartbeat interfaces. Contact the BalaBit Support Team for help. For contact details, see Section 5, Contact and support information.
4.5.2.5. Procedure – Configuring next-hop router monitoring
Purpose:
By default, HA takeover occurs only if the master node stops working or becomes unreachable from the slave node. However, this does not cover the scenario when the master node becomes unaccessible to the outside world (for example its external interface or the router or switch connected to the external interface breaks down) while the slave node would be still accessible (for example because it is connected to a different router).
To address such situations, it is possible to specify IP addresses (usually next hop routers) which are continuously monitored from both the master and the slave nodes using ICMP echo (ping) messages. One such address can be set for every interface; the specified IP addresses must be on the same network segment as the respective interface of SCB. If any of the monitored addresses becomes unreachable from the master node while being reachable from the slave node (in other words, more monitored addresses are accessible from the slave node) than it is assumed that the master node is unreachable and a forced takeover occurs — even if the master node is otherwise functional.
Naturally, if the slave node is not capable of taking over the master node (for example because there is data not yet synchronized from the current master node) no takeover is performed.
To configure a next hop monitoring, complete the following steps.
Steps:
Navigate to .
-
Select the interface to use for monitoring its next-hop router.
Enter the IP address to monitor from the current master node (for example the IP address of the router or the switch connected to the interface) into the field of the selected interface. This IP address must be a real IP address that is visible from the interface, and must be on the same local network segment.
Enter the IP address to monitor from the current slave node (for example the IP address of the router or the switch connected to the interface) into the field of the selected interface. This IP address must be a real IP address that is visible from the interface, and must be on the same local network segment.
Repeat the previous steps to add IP addresses to be monitored from the other interfaces if needed.
-
Click .
Warning For the changes to take effect, you have to restart both nodes. To restart both nodes, click .
The following sections describe how to keep SCB up to date, and how to install a new license file if needed.
For details on how to upgrade SCB, see Section 4.5.3.1, Updating the SCB firmware.
For details on how to upgrade the firmware of an SCB cluster, see Procedure 4.5.3.1.2, Upgrading both the core and the boot firmware of a high availability system.
For details on how to install a new license file, see Procedure 4.5.3.2, Updating the SCB license.
For details on how to import or export the configuration of SCB, see Procedure 4.5.3.3, Exporting the configuration of SCB.
|
Warning |
|---|---|
Downgrading from a feature release to an earlier (and thus unsupported) feature release, or to the stable release is not supported: this means that once you upgrade a system from a stable release (for example 1.0) to a feature release (for example 1.1), you will have to keep upgrading to the new feature releases until the next stable version release (for example 2.0) is published, or risk using an unsupported product. |
SCB can be updated when a new firmware version is available. To display information about the firmware currently running on SCB, navigate to . The following is displayed:
Core firmware | Boot firmware: The version number of the firmwares currently running on SCB (for example
2.0).Build date: The date when the currently running firmware was created.
Updating SCB is described in the following sections.
|
Warning |
|---|---|
|
Before uploading a new firmware image, backup the configuration of SCB. For details, see Procedure 4.5.3.3, Exporting the configuration of SCB. Always read the release notes of the firmware before updating SCB, because the release notes may include special instructions specific to the firmware version. The release notes are available here . |
For details on how to upgrade a standalone SCB unit, complete Procedure 4.5.3.1.1, Updating SCB and managing the firmware.
For details on how to upgrade the firmware of an SCB cluster, complete Procedure 4.5.3.1.2, Upgrading both the core and the boot firmware of a high availability system.
For details on how to revert to an older firmware version (if possible), see Procedure 4.5.3.1.3, Reverting to an older firmware version.
4.5.3.1.1. Procedure – Updating SCB and managing the firmware
Steps:
Visit the BalaBit website and download the latest firmware here .
Navigate to the page.
-
To update the internal (core) firmware, select .
To update the external (boot) firmware, select .
For details on the different firmwares, see Section 2.11, Firmware in SCB.
Select the firmware file using the button. The extension of firmware files is
.binClick . After uploading, the new firmware is added to the list.
Click
in the column of
the new firmware.-
Navigate to and click .
Tip When SCB boots, it sends a message into the system log that includes the version numbers of both booted firmwares.
Note If you experience any problems on the BalaBit Shell Control Box web interface after performing the upgrade, first empty the cache of your browser, or click the Reload button of your browser while holding the Shift key.
4.5.3.1.2. Procedure – Upgrading both the core and the boot firmware of a high availability system
Purpose:
If an SCB release requires the upgrading of both the boot firmware and the core (internal) firmware, complete the following steps:
Steps:
Download both the core (internal) and the boot (external) firmware.
-
Update the core firmware of the SCB using the web interface.
Navigate to and upload the new core firmware.
-
When the upload is finished, select the option for the new firmware.
Warning DO NOT REBOOT SCB AFTER UPGRADING THE CORE FIRMWARE.
Repeat the previous step with the Boot firmware.
-
Select to restart both nodes.
Warning Hazard of data loss! As this step terminates all active connections, perform it only during maintenance hours to prevent data loss.
Note If you experience any problems on the BalaBit Shell Control Box web interface after performing the upgrade, empty the cache of your browser, or click the Reload button of your browser while holding the Shift key.
4.5.3.1.3. Procedure – Reverting to an older firmware version
Purpose:
SCB can store up to five different firmware versions, any of them can
be booted if required. The available firmwares are displayed on the
and
pages. The
list shows the detailed version of each firmware, including the version
number, the revision number, and the build date. The firmware running on
SCB is marked with 
in the column. The firmware
that will be run after the next SCB reboot is marked with 
in the column.
To boot an older firmware, complete the following steps:
|
Warning |
|---|---|
When upgrading SCB, it is possible that the configuration file is updated as well. In such cases, simply rebooting with the old firmware will not result in a complete downgrade, because the old firmware may not be able to read the new configuration file. If this happens, access the console menu of SCB, and select the option to restore the configuration file to its state before the firmware was upgraded. For details on using the console menu, see Section 4.5.5.1, Using the console menu of SCB. |
|
Warning |
|---|---|
Downgrading from a feature release to an earlier (and thus unsupported) feature release, or to the stable release is not supported: this means that once you upgrade a system from a stable release (for example 1.0) to a feature release (for example 1.1), you will have to keep upgrading to the new feature releases until the next stable version release (for example 2.0) is published, or risk using an unsupported product. |
Steps:
Navigate to .
Select the firmware version to use, and click
in the
column.Navigate to .
Select the firmware version to use, and click
in the column.-
Select to reboot SCB.
If you are running an SCB cluster, select .
4.5.3.2. Procedure – Updating the SCB license
Purpose:
The SCB license must be updated before the existing license expires or when you purchase a new license. Information of the current license of SCB is displayed on the page. The following information is displayed:
Customer: The company permitted to use the license (for example
Example Ltd.).Serial: The unique serial number of the license.
Host limit: The number of servers that can be connected through SCB (for example
25.).
SCB gives an automatic alert one week before the license expires. An
alert is sent also when the number of protected
servers exceeds
60% of the number of servers set in the Host
limit parameter of the license.
To update the license, complete the following steps:
|
Warning |
|---|---|
Before uploading a new license, you are recommended to backup the configuration of SCB. For details, see Procedure 4.5.3.3, Exporting the configuration of SCB. |
Steps:
Navigate to .
Click and select the new license file.
Click , then .
-
Warning This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.
To activate the new license, navigate to and click .
4.5.3.3. Procedure – Exporting the configuration of SCB
Purpose:
The configuration of SCB can be exported (for manual archiving, or to migrate it to another SCB unit) from the page. Use the respective action buttons to perform the desired operation.
Steps:
Navigate to .
-
Select how to encrypt the configuration:
-
To export the configuration file without encryption, select .
Warning Exporting the SCB configuration without encyption is not recommended, as it contains sensitive information such as password hashes and private keys.
To encrypt the configuration file with a simple password, select and enter the password into the and fields.
To encrypt the configuration file with GPG, select . Note that this option uses the same GPG key that is used to encrypt automatic system backups, and is only available if you have uploaded the public part of a GPG key to SCB at . For details, see Procedure 4.3.5.3, Encrypting configuration backups with GPG.
-
-
Click .
Note The exported file is a gzip-compressed archive. On Windows platforms, it can be decompressed with common archive managers such as the free 7-Zip tool.
The name of the exported file is
<hostname_of_SCB>-YYYMMDDTHHMM.config; the-encryptedor-gpgsuffix is added for password-encrypted and GPG-encrypted files, respectively.
4.5.3.4. Procedure – Importing the configuration of SCB
Purpose:
The configuration of SCB can be imported from the page. Use the respective action buttons to perform the desired operation.
|
Warning |
|---|---|
It is not possible to import the configuration of an older major release (for example, 1.0) into a newer release (for example, 2.0). |
Steps:
Navigate to .
Click and select the configuration file to import.
Enter the password into the field and click .
This section describes the tools to detect networking problems, and also how to collect core files and view the system logs of SCB.
4.5.4.1. Procedure – Network troubleshooting
Purpose:
The menu provides a number of diagnostic commands to resolve networking issues. Logfiles of SCB can also be displayed here — for details, see Procedure 4.5.4.3, Viewing logs on SCB.
The following commands are available:
ping: Sends a simple message to the specified host to test network connectivity.
traceroute: Sends a simple message from SCB to the specified host and displays all hosts on the path of the message. It is used to trace the path the message travels between the hosts.
connect: Attempts to connect the specified host using the specified port. It is used to test the availability or status of an application on the target host.
To execute one of the above commands, complete the following steps:
Steps:
Navigate to .
Enter the IP address or the hostname of the target host into the field of the respective command. For the Connect command, enter the target port into the field.
Click the respective action button to execute the command.
Check the results in the popup window. Log files are displayed in a separate browser window.
SCB automatically generates core files if an important software component (for example Zorp) of the system crashes for some reason. These core files can be of great help to the BalaBit Support Team to identify problems. When a core file is generated, the SCB administrator receives an alerting e-mail, and an SNMP trap is generated if alerting is properly configured (for details, see Section 4.3.4, Configuring system monitoring on SCB and Section 4.3.3, System logging, SNMP and e-mail alerts). To display a list of alerts if monitoring is not configured, navigate to .
To list and download the generated core files, navigate to .
By default, core files are deleted after 14 days. To change the deletion timeframe, navigate to .
|
Warning |
|---|---|
In the current version of SCB, core files are automatically deleted if the system is rebooted. |
4.5.4.3. Procedure – Viewing logs on SCB
Purpose:
The menu provides an interface to view the logs generated by the various components of SCB.
|
Note |
|---|---|
Because of performance reasons, log files larger than 2 Megabytes are not displayed in the web interface. To access these logs, download the file instead. |
Steps:
Navigate to .
-
Use the roll-down menu to select the message type.
SCB: Logs of the SCB web interface.
syslog: All system logs of the SCB host.
ssh: Logs of the SSH connections passing SCB.
rdp: Logs of the RDP connections passing SCB.
telnet: Logs of the Telnet connections passing SCB.
vnc: Logs of the VNC connections passing SCB.
To download the log file, click .
To follow the current log messages real-time, click .
To display the log messages, click .
-
To display log messages of the last seven days, select the desired day from the field and click .
Tip To display only the messages of a selected host or process, enter the name of the host or process into the field.
The field acts as a generic filter: enter a keyword or a regular expression to display only messages that contain the keyword or match the expression.
4.5.4.4. Procedure – Changing log verbosity level of SCB
Purpose:
The logging level of SCB can be set separately for every protocol. To change the verbosity level of SCB, complete the following steps:
|
Note |
|---|---|
The option is not related to the verbosity of traffic logs: it increases the log level of the non-network-related events, for example adds the commands executed by the SCB web interface to the logs, and so on |
Steps:
Navigate to the page of the traffic you want to change the log level of; for example to to change the log level of SSH traffic, for remote desktop traffic, and so on
-
Select the desired log level from the field.
Note The verbosity level ranges from 1 (no logging) to 10 (extremely detailed), with level 4 being the default normal level. To debug complex problems, you might have to increase the verbosity level to 6. Higher level is needed only in extreme cases.
Note that high verbosity levels generate very large amount of log messages.
4.5.4.5. Procedure – Collecting logs and system information for error reporting
Purpose:
To track down support requests, the BalaBit Support Team might request you to collect system-state and debugging information. This information is collected automatically, and contains log files, the configuration file of SCB, and various system-statistics.
|
Note |
|---|---|
|
Sensitive data like key files and passwords are automatically removed from the files. The option is not related to the verbosity of log messages: it adds the commands executed by the SCB web interface to the log. |
To collect system-state information, navigate to and click , then save the created zip file. The
name of the file uses the
debug_info-<hostname>YYYYMMDDHHMM
format.
To collect information for a specific error, complete the following steps:
Steps:
-
Navigate to .
-
Click .
Note Starting debug mode increases the log level of SCB, and might cause performance problems if the system is under a high load.
Reproduce the event that causes the error, for example connect to a server.
Click .
Click and save the created zip file. The name of the file uses the
debug_info-<hostname>YYYYMMDDHHMMformat.Attach the file to your support ticket.
SCB displays various statistics and status history of system data and performance on the dashboard at . The dashboard is essentially an extension of the system monitor: the system monitor displays only the current values, while the dashboard creates graphs and statistics of the system parameters.
The dashboard consists of different modules. Every module displays the history of a system parameter for the current day. To display the graph for a longer period (last week, last month, or last year), select the , , or options, respectively. Hovering the mouse over a module enlarges the graph and displays the color code used on the graph.
To display statistics of a module as a table for the selected period, click on the graph.
The following modules are displayed on the dashboard of SCB:
Connection statistics: Number of active connections per protocol.
Memory: The memory used by the system.
Disk: Filesystem usage for the different partitions.
CPU: CPU usage.
Network connections: Number of network connections.
External interface: Traffic on the external interface.
Internal interface: Traffic on the internal interface.
Management interface: Traffic on the management interface.
Load average: Average load of the system.
Processes: The number of running processes.
4.5.4.6.1. Procedure – Displaying custom connection statistics
Purpose:
To display statistics of a specific connection policy, complete the following procedure:
Steps:
Navigate to .
To display the statistics of a connection policy, enter the name of the policy into the .
Select the time period to display from the field.
Click .
The following sections help you to solve problems related to high availability clusters.
For details on how to recover a cluster that has broken down, see Procedure 4.5.4.7.1, Recovering SCB if both nodes broke down.
For details on how to resolve a split-bran situation when the nodes of the cluster were simultaneously active for a time, see Procedure 4.5.4.7.2, Recovering from a split brain situation.
4.5.4.7.1. Procedure – Recovering SCB if both nodes broke down
Purpose:
It can happen that both nodes break down simultaneously (for example because of a power failure), or the slave node breaks down before the original master node recovers. To properly recover SCB, complete the following steps:
|
Note |
|---|---|
As of SCB version
2.0.2, when both nodes of a cluster boot up in parallel,
the node with the |
Steps:
-
Power off both nodes by pressing and releasing the power button.
Warning Hazard of data loss! If SCB does not shut off, press and hold the power button for approximately 4 seconds. This method terminates connections passing SCB and might result in data loss.
-
Power on the node that was the master before SCB broke down. Consult the system logs to find out which node was the master before the incident: when a node boots as master, or when a takeover occurs, SCB sends a log message identifying the master node.
Tip Configure remote logging to send the log messages of SCB to a remote server where the messages are available even if the logs stored on SCB become unaccessible. For details on configuring remote logging, see Section 4.3.3, System logging, SNMP and e-mail alerts.
Wait until this node finishes the boot process.
Power on the other node.
4.5.4.7.2. Procedure – Recovering from a split brain situation
Purpose:
A split brain situation is caused by a temporary failure of the network link between the cluster nodes, resulting in both nodes switching to the active (master) role while disconnected. This might cause that new data (for example audit trails) is created on both nodes without being replicated to the other node. Thus, it is likely in this situation that two diverging sets of data have been created, which cannot be trivially merged.
|
Warning |
|---|---|
Hazard of data loss! In a split brain situation, valuable audit trails might be available on both SCB nodes, so special care must be taken to avoid data loss. |
The nodes of the SCB cluster automatically recognize the split brain
situation once the connection between the nodes is reestablished, and do not
perform any data synchronization to prevent data loss. When a split brain
situation is detected, it is visible on the SCB system monitor, in the
system logs (Split-Brain detected, dropping
connection!), and SCB sends an alert as well.
To recover an SCB cluster from a split brain situation, complete the following steps.
|
Warning |
|---|---|
Do NOT shut down the nodes. |
Steps:
-
Temporarily disable all traffic going through SCB. Navigate to and click in the field.
If the web interface is not accessible or unstable, complete the following steps:
Login to SCB as
rootlocally (or remotely using SSH) to access the Console menu.Select , and issue the zorpctl stop command.
Issue the date and check the system date and time. If it is incorrect (for example it displays 2000 January), replace the system battery. For details, see the hardware manual of the appliance.
Repeat the above steps on the other SCB node.
-
Optional step for data recovery: Check the audit trails saved on the SCB nodes.
Login to the node from a local console.
Select and enter cd /var/lib/zorp/audit. The audit trails are located under this directory.
Find which files were modified since the split brain situation occurred. Use the find . -mtime -n" to find the files modified during the last
n*24hours, or the find . -mmin -n to find the files modified during the lastnminutes.
-
Decide which node should be the master node from now on, then perform the following steps on the to-be-slave node:
Login to the node from a local console.
Optional step for data recovery: Select and enter cd /var/lib/zorp/audit. The audit trails are located under this directory.
-
Optional step for data recovery: Backup the audit trails that were modified since the split brain situation occurred.
Warning This data will be deleted from the SCB node when the split-brain situation is resolved There is no way to import this data back into the database of SCB; it will be available only for offline use.
Optional step for data recovery: To save the corresponding information that can be seen on the page, export the connection database using the su postgres -c 'pg_dump scb -f /tmp/database.sql' command, then backup the
/tmp/database.sqlfile.Optional step for data recovery: Type exit to return to the console menu.
Select . If the to-be-slave node is not already the slave node, fail over the cluster to the other node manually by issuing the /usr/share/heartbeat/hb_standby command.
Stop the core firmware. Issue the /etc/init.d/boot-xcb stop command.
-
Invalidate the DRBD. Issue the following commands:
/sbin/drbdsetup /dev/drbd0 disconnect
/sbin/drbdsetup /dev/drbd0 invalidate.
Reboot the to-be-slave node.
Reboot the to-be-master node. The SCB cluster will be now functional, accepting traffic as before.
After both nodes reboot, the cluster should be in state, the master being and the slave being . The master node should start synchronizing its data to the slave node. Depending on the amount of data, this can take a long time. To adjust the speed of the synchronization, see Section 4.5.2.2, Adjusting the synchronization speed of DRBD.
This section describes how to use the console menu of SCB, how to enable remote SSH access to SCB, and how to change the root password from the web interface.
|
Tip |
|---|---|
If you need to find the SCB appliance in the server room, navigate to and click . This will blink the LEDs of hard disk trays on the front of the SCB appliance in red. Note that this is available only for BalaBit Shell Control Box N10000. |
Connecting to the BalaBit Shell Control Box locally or remotely using Secure Shell (SSH) allows you to access the console menu of SCB. The console menu provides access to the most basic configuration and management settings of SCB. It is mainly used for troubleshooting purposes; the primary interface of SCB is the web interface.
The console menu is accessible to the root user using the password
set during completing the Welcome Wizard.
The console menu provides allows you to perform the following actions:
Select the active core and boot firmwares, and delete unneeded firmwares. Accessing the firmware management is useful if after an update the new firmware does not operate properly and the web interface is not available to activate the previous firmware.
Start backup processes.
Change the passwords of the
rootandadminusers.Access the local shells of the core and boot firmwares. This is usually not recommended and only required in certain troubleshooting situations.
Access the network-troubleshooting functions and display the available log files.
Reboot and shutdown the system.
Enable and disable sealed mode. For details, see Section 4.5.6, Sealed mode.
Revert the configuration file. For details, see Procedure 4.5.3.1.3, Reverting to an older firmware version.
Set the IP address of the HA interface.
|
Note |
|---|---|
Note that logging in to the console menu automatically locks the SCB interface, meaning that users cannot access the web interface while the console menu is used. The console menu can be accessed only if there are no users accessing the web interface. The connection of web-interface users can be terminated to force access to the console menu. |
4.5.5.2. Procedure – Enabling SSH access to the SCB host
Purpose:
Exclusively for troubleshooting purposes, you can access the SCB host using SSH. Completing the Welcome Wizard automatically disables SSH access. To enable it again, complete the following steps:
|
Warning |
|---|---|
Accessing the SCB host directly using SSH is not recommended nor supported, except for troubleshooting purposes. In such case, the BalaBit Support Team will give you exact instructions on what to do to solve the problem. |
Enabling the SSH server allows you to connect remotely to the SCB host
and login using the root user. The password of the root
user is the one you had to provide in the Welcome wizard. For details on how to
change the root password from the web interface, see Procedure 4.5.5.3, Changing the root password of SCB
Steps:
-
Navigate to .
-
Select the option.
Note Remote SSH access is automatically disabled if Sealed mode is enabled. For details, see Section 4.5.6, Sealed mode.
-
Set the authentication method for the remote SSH connections.
To enable password-based authentication, select the option.
To enable public-key authentication, click
in the
field, click and
upload the private keys of the users who can access and manage
SCB remotely via SSH.
Click .
The SSH server of SCB accepts connections only on the management interface if the management interface is configured. If the management interface is not configured, the SSH server accepts connections on the external interface. If possible, avoid enabling the SSH server of SCB when the management interface is not configured. For details on enabling the management connection, see Procedure 4.3.1.1, Configuring the management interface.
If you use SCB in Bastion mode and the management interface is not configured, read Section 9.2.3, Accessing the SCB host in Bastion mode using SSH for details on accessing the SCB host using SSH.
4.5.5.3. Procedure – Changing the root password of SCB
Purpose:
The root password is required to access SCB locally, or remotely via an
SSH connection. Note that the password of the root user
can be changed from the console menu as well. For details, see Section 4.5.5, Accessing the SCB console.
Steps:
-
Navigate to .
-
Enter the new password into the and fields.
Note SCB passwords can contain the following special characters:
!"#$%&'()*+,-./:;<=>?@[\]^-`{|} Click .
When sealed mode is enabled, the following settings are automatically applied:
SCB cannot be accessed remotely via SSH for maintenance;
the root password of SCB cannot be changed in sealed mode;
Sealed mode can be disabled only from the local console. For details, see Procedure 4.5.6.1, Disabling sealed mode.
To enable sealed mode use one of the following methods:
Select the option during the Welcome Wizard.
Select on the SCB web interface.
Login to SCB as root using SSH or the local console, and select from the console menu.
SCB 3 F2 includes a dedicated out-of-band management interface conforming to the Intelligent Platform Management Interface (IPMI) v2.0 standards. The IPMI interface allows system administrators to monitor the system health of SCB and to manage the computer events remotely, independently of the operating system of SCB. SCB is accessible using the IPMI interface only if the IPMI interface is physically connected to the network.
For details on connecting the IPMI interface, see Procedure 3.1, Installing the SCB hardware.
-
For details on configuring and using the IPMI interface to remotely monitor and manage SCB, see the following document:
The Onboard BMC/IPMI User's Guide, available at the BalaBit Hardware Documentation page.
Basic information about the IPMI interface is available also on the SCB web interface on the page. The following information is displayed:
IPMI default gateway IP: The address of the default gateway configured for the IPMI interface.
-
Hardware serial number: The unique serial number of the appliance.
IPMI IP address: The IP address of the IPMI interface.
IPMI subnet mask: The subnet mask of the IPMI interface.
IPMI IP address source: Shows how the IPMI interface receives its IP address: dynamically from a DHCP server, or it uses a fixed static address.
|
Tip |
|---|---|
If you need to find the SCB appliance in the server room, navigate to and click . This will blink the LEDs of hard disk trays on the front of the SCB appliance in red. Note that this is available only for BalaBit Shell Control Box N10000. |
SCB uses a number of certificates for different tasks that can be managed from the menu.
The following certificates can be modified here:
CA certificate: The certificate of the internal Certificate Authority of SCB.
-
Server certificate: The certificate of the SCB web interface, used to encrypt the communication between SCB and the administrators.
Note If this certificate is changed, the browser of SCB users will display a warning stating that the certificate of the site has changed.
TSA certificate: The certificate of the internal Timestamping Authority that provides the timestamps used when creating encrypted audit-trails.
For every certificate, the distinguished name (DN) of the X.509 certificate and the fingerprint of the private key is displayed. To display the entire certificate click on the DN; to display the public part of the private key, click on the fingerprint. It is not possible to download the private key itself from the SCB web interface, but the certificate can be downloaded in different formats (for example PEM, OpenSSH, Tectia).
|
Note |
|---|---|
Other parts of SCB may use additional certificates that are not managed here. |
During the initial configuration, SCB creates a self-signed CA certificate, and uses this CA to issue the certificate of the web interface (see Server certificate) and the internal Timestamping Authority (TSA certificate).
There are two methods to manage certificates of SCB:
-
Recommended: Generate certificates using your own PKI solution and upload them to SCB.
Generate a CA certificate and two other certificates signed with this CA using your PKI solution and upload them to SCB. For the Server and TSA certificates, upload the private key as well.
For details on uploading certificates and keys created with an external PKI, complete Procedure 4.5.8.2, Uploading external certificates to SCB.
Warning The Server and the TSA certificates must be issued by the same Certificate Authority.
-
Use the certificates generated on SCB. In case you want to generate new certificates and keys for SCB using its self-signed CA certificate, or generate a new self-signed CA certificate, complete Procedure 4.5.8.1, Generating certificates for SCB.
Note Generate certificates using your own PKI solution and upload them to SCB whenever possible. Certificates generated on SCB cannot be revoked, and can become a security risk if they are somehow compromised.
4.5.8.1. Procedure – Generating certificates for SCB
Purpose:
Create a new certificate for the SCB webserver or the Timestamping Authority using the internal CA of SCB, or create a new, self-signed CA certificate for the internal Certificate Authority of SCB.
Steps:
Navigate to .
-
Fill the fields of the new certificate:
Country: Select the country where SCB is located (for example HU - Hungary).
Locality: The city where SCB is located (for example Budapest).
Organization: The company who owns SCB (for example Example Inc.).
Organization unit: The division of the company who owns SCB (for example IT Security Department).
State or Province: The state or province where SCB is located.
-
Select the certificate you want to generate.
To create a new certificate for the SCB web interface, select .
To create a new certificate for the Timestamping Authority, select .
To create a new certificate for the internal Certificate Authority of SCB, select . Note that in this case new certificates are created automatically for the server and TSA certificates as well.
Note When generating new certificates, the server and TSA certificates are signed using the certificate of the CA. If you have uploaded an external CA certificate along with its private key, it will be used to create the new server and TSA certificates. If you have uploaded an external CA certificate without its private key, use your external PKI solution to generate certificates and upload them to SCB.
Warning Generating a new certificate automatically deletes the earlier certificate.
Click .
4.5.8.2. Procedure – Uploading external certificates to SCB
Purpose:
Upload a certificate generated by an external PKI system to SCB.
Prerequisites:
The certificate to upload. For the TSA and Server certificate, the private key of the certificate is needed as well. The certificates must meet the following requirements:
-
SCB accepts certificates in PEM format. The DER format is currently not supported.
-
SCB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.
For the internal CA certificate of SCB, uploading the private key is not required.
-
For the TSA certificate, the
X509v3 Extended Key Usageattribute must be enabled and its default value set toTime Stamping. For the Server certificate, the
X509v3 Extended Key Usageattribute must be enabled and its default value set toTLS Web Server Authentication. Also, the Common Name of the certificate must contain the domain name or the IP address of the SCB host.For the certificate used to sign audit trails, the
X509v3 Extended Key Usageattribute must be enabled and its default value set toTLS Web Server Authentication.
Steps:
Navigate to .
-
To upload a new certificate, click
next to the certificate you
want to modify. A popup window is displayed.Select , select the file containing the certificate, and click . Alternatively, you can also copy-paste the certificate into the field and click .
-
To upload the private key corresponding to the certificate, click the
icon next to the private key you want to modify. A popup window
is displayed.Select , select the file containing the certificate, and click . Alternatively, you can also copy-paste the certificate into the field and click .
Connections determine if a server can be accessed from a particular client. The policies used in the connection definition can restrict the availability of the connection based on the username, time, authentication method, and so on. Channel policies (see Procedure 5.1.4, Creating and editing channel policies) determine if a particular channel can be used within an already established connection. The policies used in the channel policy can restrict the availability of the channel based on the server and the client IP address, username, and so on. The types of policies available in a connection depend on the protocol (SSH, RDP, and so on) enabled in the connection.
SCB supports the following protocols:
Secure Shell version 2 (SSHv2)
RDP versions 4-7
ICA protocol
Telnet and TN3270, as described by the relevant RFCs
The Terminal Services Gateway Server Protocol
The Virtual Networking (VNC) protocol versions 3.3-3.8
VMware View when VMware View Clients using the Remote Desktop (RDP) display protocol to access remote servers. For details, see Section 5.7, VMware View connections.
This section describes how to configure connections, and details the general configuration options and policies that apply to every type of connection that SCB can control: SSH, RDP, ICA, Telnet, and VNC.
Protocol-specific configuration options are described in their respective sections: Section 5.2, SSH-specific settings, Section 5.3, RDP-specific settings, Section 5.4, ICA-specific settings, Section 5.5, Telnet-specific settings, and Section 5.6, VNC-specific settings.
5.1.1. Procedure – Configuring connections
Purpose:
To configure a connection, complete the following steps.
Steps:
-
Select the type of connection from the main menu.
To configure a Secure Shell connection, select .
To configure a Remote Desktop connection, select .
To configure an ICA connection, select .
To configure a Telnet connection, select .
To configure a VNC connection, select .
-
Click
to define a new connection and enter a name that will
identify the connection (for example
admin_mainserver).Tip It is recommended to use descriptive names that give information about the connection, for example refer to the name of the accessible server, the allowed clients, and so on.
Enter the IP address of the client that will be permitted to access the server into the field. Click
to list additional
clients.-
Enter the IP address that the clients will request into the field.
In Bastion mode, enter the IP address of SCB's external interface. If the audited connection is initiated on a protected server, enter the IP address of SCB's internal interface.
In Bridge mode, enter the IP address of the protected server.
In Router mode, enter the IP address of the protected server.
Click
to list additional IP addresses. If the clients use a custom port to address the server instead of the default port used by the protocol, enter the port number that the clients will request into the field. Click
to list additional
port numbers.Bastion mode: Enter the IP address and port number of the target server into the field. SCB will connect all incoming client-side connections to this server. For details on organizing connections in Bastion mode, see Section 9.2.3, Accessing the SCB host in Bastion mode using SSH.
Configure advanced settings if needed, like network address translation, channel policy, gateway authentication, various policies, or other settings.
-
Click to save the connection.
Tip To temporarily disable a connection, deselect the checkbox before the name of the connection.
-
Depending on your needs and environment, you may want to set further settings for your connections.
To modify the destination or source addresses of the connections, see Procedure 5.1.2, Modifying the destination address and Procedure 5.1.3, Modifying the source address.
-
Select a and an for the audit trails and indexes of the connection. For details, see Section 4.3.5, Data and configuration archiving and backups.
Note The backup and archive policies set for the connection operate only on the audit trails and indexes of the connection. General data about the connections that is displayed on the page is archived and backed up as part of the system-backup process of SCB.
If you want to timestamp, encrypt, or sign the audit trails, configure and to suit your needs. For details, see Section 5.1.8, Audit policies.
To require the users to authenticate themselves not only on the target server, but on SCB as well, see Section 8.2, Configuring gateway authentication.
To require 4-eyes authorization on the connections, with the possibility of an auditor monitoring the connection in real-time, see Section 8.3, Configuring 4-eyes authorization.
Certain connections and scenarios (for example SSH authentication, gateway authentication, RDP6 connections) SCB can authenticate the user to an LDAP database, or retrieve the group memberships of the user. To use these features, select an . For details, see Procedure 5.1.7, Authenticating users to an LDAP server.
-
To limit the number of new connection requests accepted from a single client IP address per minute, enter the maximal number of accepted connections into the field.
-
To display the usergroups that can access a specific Connection Policy, open the Connection Policy, then select on the Connections page.
Note Protocol-specific configuration options are described in their respective sections: Section 5.2, SSH-specific settings, Section 5.3, RDP-specific settings, Section 5.5, Telnet-specific settings, and Section 5.6, VNC-specific settings.
5.1.2. Procedure – Modifying the destination address
Purpose:
The destination address is the address of the server where the clients finally connect to. To modify the destination address of a connection, complete the following steps.
Steps:
-
Navigate to the tab storing the connection and click
to display the details of the connection.
-
The section allows you to configure Network Address Translation (NAT) on the server side of SCB. Destination NAT determines the target IP address of the server-side connection. Set the destination address as required. The following options are available:
Note It is not possible to direct the traffic to the IP addresses belonging to SCB.
: Connect to the IP address targeted by the client. This is the default behavior in Router and Bridge mode. This option is not available in Bastion mode.
: Perform a network address translation on the target address. Enter the target address in IP address/Netmask format.
: Enter the IP address and port number of the server. The connection will connect always to this address, redirecting the clients to the server.
-
: Extract the address of the server from the username. This method is most commonly used in nontransparent Bastion mode (for a detailed example, see Procedure 9.3, Using nontransparent Bastion mode). Enter the IP address or the hostname of the domain name server used to resolve the address of the server into the field.
If the clients do not include the domain name when addressing the server (for example they use
username@serverinstead ofusername@server1.example.com), SCB can automatically add domain information (for exampleexample.com). Enter the domain name to add into the field.Tip To use inband destination selection with RDP connections, it is recommended to use SCB as a Terminal Services Gateway. For details, see Procedure 5.3.6, Using SCB as a Terminal Services Gateway.
Note Inband destination selection is not available for Telnet and VNC connections.
SCB can also resolve CNAME records.
Note If the field is filled, SCB will always add this suffix to the hostname. If you specify a DNS suffix, make sure that the clients do not include the domain name in their requests.
Enter the addresses of the servers that the users are permitted to access into the field. Use the IP address/netmask (for example
192.168.2.16/32) format, or enter the hostname of the server. The hostnames may contain the*and?wildcard characters. If the clients address the server using its IP address, make sure to include the IP address of the server in the Targets list. This is required because SCB resolves the hostnames to IP addresses, but does not reverse-resolve IP addresses to hostnames.Warning If only the hostname of the server is listed and the client addresses the server using its IP address, SCB will refuse the connection.
Leave the field empty if the clients may access any port on the server, or enter the specified port they can access.
If there are any servers that the users cannot target using inband destination selection, add them to the field.
Click .
5.1.3. Procedure – Modifying the source address
Purpose:
The source address is the address that SCB uses to connect the server. The server sees this address as the source of the connection. To modify the source address of a connection, complete the following steps.
Steps:
-
Navigate to the tab storing the connection and click
to display the details of the connection.
-
The section allows you to configure Source Network Address Translation (SNAT) on the server side of SCB. SNAT determines the IP address SCB uses in the server-side connection. The target server will see the connection coming from this address. The following options are available:
: Server-side connections will originate from SCB's internal interface in Router and Bridge mode, and from the external interface in Bastion mode. This is the default behavior of the connection.
: Server-side connections will originate from the client's IP address, as seen by SCB's external interface. This option not available in Bastion mode.
-
: Enter the IP address that will be used as the source address in server-side connections.
Warning Do not forget to properly configure routers and other network devices when using the option: messages sent by the server to this address must reach SCB.
Click .
5.1.4. Procedure – Creating and editing channel policies
Purpose:
The channel policy lists the channels (for example, terminal session and SCP in SSH; Drawing, Clipboard in RDP) that can be used in a connection. The channel policy can further restrict access to each channel based on the IP address of the client or the server, a user list, user group, or a time policy. For example, all clients may access the servers defined in a connection via SSH terminal, but the channel policy may restrict SCP access only to a single client. The policies set in the channel policy are checked when the user attempts to open a particular channel type in the connection.
To create a new channel policy or edit an existing one, complete the following procedure:
Steps:
Channel policies are configured individually for every protocol. Navigate to the tab of the respective protocol (for example, ) and click
to create a new channel policy. Enter a name for the policy
into the field (for example,
shell_and_backup).Click
to add a new channel.-
Select the channel to be enabled in the connection from the field. All restrictions set in the following steps will be effective on this channel type. The available channels are different for every protocol. For their descriptions, see the following sections:
Section 5.2.2, Supported SSH channel types for the Secure Shell protocol
Section 5.3.1, Supported RDP channel types for the Remote Desktop Protocol.
Section 5.4.2, Supported ICA channel types for the Independent Computing Architecture protocol.
The Telnet protocol has only one channel type with no special configuration options.
The VNC protocol has only one channel type with no special configuration options.
To restrict the availability of the channel only to certain clients, click
in the field and enter the IP address of
the client allowed to use this type of the channel. Repeat this step until all
required client IPs are listed.-
To restrict the availability of the channel only to certain servers, click
in the field and enter the IP address
of the server allowed to use this type of the channel. Repeat this step until
all required server IPs are listed.Note Use the real IP address of the server, which may be different from the one addressed by the clients, specified in the field of the connection policy.
-
To restrict the availability of the channel only to certain users, click
in the field and enter the name of the
user group allowed to use this type of the channel. Repeat this step until all
permitted groups are listed.To restrict the availability of the channel when using gateway authentication, click
in the field and enter the name of the
user group allowed to use this type of the channel. Repeat this step until all
permitted groups are listed.You may list local user lists as defined in Procedure 5.1.6, Creating and editing user lists, or LDAP groups (for details on accessing LDAP servers from SCB, see Procedure 5.1.7, Authenticating users to an LDAP server). Note the following behavior of SCB:
-
If you list multiple groups, members of any of the groups can access the channel.
Note When listing both a whitelist and blacklist in the section and a username appears on both lists, the user will be able to access the channel.
If a local user list and an LDAP group has the same name and the LDAP server is configured in the connection that uses this channel policy, both the members of the LDAP group and the members of the local user list can access the channel.
Note User lists and LDAP support is currently available only for the SSH and RDP protocols. For other protocols, see Section 8.2, Configuring gateway authentication.
-
Select a time policy to narrow the availability of the channel. If the time policy of the channel policy is set to
7x24, the channel is always available. For details, see Procedure 5.1.5, Configuring time policies.-
Some channel types require additional parameters, for example port forwarding in SSH needs the IP addresses and ports of the source and destination machines. Click
in the field and enter the
required parameters. For a list of parameters used by the different channels,
see Section 5.2.2, Supported SSH channel types and Section 5.3.1, Supported RDP channel types. -
Select the option to record the activities of the channel into audit trails. Typically large file-transfers (for example system backups, SFTP channels) are not audited because they result in very large audit trails. Check regularly the free hard disk space available on SCB if you do audit such channels. You can also receive alerts about disk space fill up if you set these. For details, see Procedure 4.3.4.3, Preventing disk space fill up and Section 4.3.4.4, System related traps.
-
Select the option to require 4-eyes authorization to access the channel. For details, see Section 8.3, Configuring 4-eyes authorization.
-
Select the option to forward the contents of the channel to an IDS or DLP system. For details, see Procedure 5.1.11, Forwarding traffic to an IDS or DLP system.
Repeat Steps 2-11 to add other channels to the policy.
Click to save the list.
5.1.5. Procedure – Configuring time policies
Purpose:
The time policy determines the timeframe when the users are permitted to access a particular channel. By default, there is no time-based restriction, all channels are available 7x24. Complete the following procedure to create a time policy or edit an existing one:
Steps:
Navigate to the tab of the menu item and click
to create a
new time policy. Enter a name for the policy into the field (for example
workhoursonly).Click
to display the days of the week and the allowed
intervals.Enter the intervals for each day when the users are allowed to access the connection. Use the
hh:mmformat (for example from 08:00 to 16:00).To add multiple intervals for a day, click
.Click .
-
To actually restrict access to a connection or a channel based on the policy created in the previous steps:
Select this policy in the field of the channel policy.
Click .
5.1.6. Procedure – Creating and editing user lists
Purpose:
User lists are white- or blacklists of usernames that allow fine-control over who can access a connection or a channel. Complete the following procedure to create a new user list or edit an existing one:
Steps:
Navigate to the tab of the menu and click
to create a new
user list. Enter a name for the list into the
field (for example serveradmins).Click
to display the list of users.Select the default policy of the user list. Select for a whitelist, that is, to allow access only to the members of the list. Select for a blacklist, that is, to allow access to everyone except the members of the list.
Click
and enter a username into the displayed field. Repeat this
step until all required usernames are listed.Click to save the list.
-
To actually restrict access to a channel based on the user list created in the previous steps:
Navigate to the tab of the type of connection you want to control and click
to display
the details of the policy.-
Click
in the section to add a
new group to the policy and enter the name of the group. Repeat this
step to add other groups.Note When listing more groups, users of any of the listed groups can access the channel. For details, see Procedure 5.1.4, Creating and editing channel policies.
When listing both a whitelist and blacklist in the section and a username appears on both lists, the user will be able to access the channel.
Click .
5.1.7. Procedure – Authenticating users to an LDAP server
Purpose:
|
Note |
|---|---|
This feature is currently available only for SSH and RDP connections. For other protocols, see Section 8.2, Configuring gateway authentication. |
SCB can authenticate the users of the controlled connections to LDAP databases. To authenticate the users to an LDAP database, complete the following steps.
Steps:
Navigate to and click
to create a new LDAP policy.Enter a name for the policy into the field (for example
ldapservers).-
-
Enter the IP address or hostname and port of the LDAP server into the field.
To add multiple servers, click
and enter the address of
the next server. If a server is unreachable, SCB will try to
connect to the next server in the list in failover fashion.Warning If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example
ldap.example.com) in the field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate. Select the type of your LDAP server in the field. Select to connect to Microsoft Active Directory servers, or to connect to servers that use the POSIX LDAP scheme.
Enter the name of the DN to be used as the base of the queries into the field (for example
DC=demodomain,DC=exampleinc).-
Enter the name of the DN where SCB should bind to before accessing the database into the field.
For example:
CN=Administrator,CN=Users,DC=demodomain,DC=exampleinc.Note SCB accepts both pre-win2000-style and Win2003-style account names (User Principal Names), for example
administrator@example.comis also accepted. Enter the password to use when binding to the LDAP server into the field.
-
-
Skip this step if you use passwords to authenticate the users.
If you use public-key authentication and receive the public key of the users from the LDAP database, enter the name of the LDAP attribute that stores the public keys of the users into the field. For details on using public-key authentication with the LDAP database, see Section 9.1, Configuring public-key authentication on SCB.
If you use X.509 certificate for authentication and receive the certificates of the users from the LDAP database, enter the name of the LDAP attribute that stores the certificates of the users into the field.
-
Skip this step if you use passwords to authenticate the users.
If you use public-key authentication and want SCB to generate server-side encryption keys on-the-fly and store them in a separate attribute on the LDAP server, enter the name of the attribute into the field.
If you use certificate authentication and want SCB to generate server-side certificates on-the-fly and store them in a separate attribute on the LDAP server, enter the name of the attribute into the field.
-
If you want to encrypt the communication between SCB and the LDAP server, select the option and complete the following steps:
Note TLS-encrypted connection to Microsoft Active Directory is supported only on Windows 2003 Server and newer platforms. Windows 2000 Server is not supported.
Only the STARTTLS method is supported to encrypt the communication between the LDAP server and SCB. The LDAPS protocol is not supported.
-
If you want SCB to verify the certificate of the server, click the
icon in the field. A popup window is displayed.Click , select the certificate of the Certificate Authority (CA) that issued the certificate of the LDAP server, then click . Alternatively, you can paste the certificate into the field and click .
SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.
If you want SCB to simply accept any certificate shown by the LDAP server, select in the field.
Note Alternatively, you can use the following options to check the certificate of the LDAP server:
None: Do not request a certificate from the remote host, and accept any certificate if the host sends one.
Optional trusted: If the remote host sends a certificate, SCB checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the host. If these checks fail, SCB rejects the connection. However, SCB accepts the connection if the host does not send a certificate.
Optional untrusted:Accept any certificate shown by the remote host. Note that the host must show a certificate.
Required trusted: Verify the certificate of the remote host. Only valid certificates signed by a trusted certificate authority are accepted. For details on importing CA certificates, see Procedure 4.5.8.2, Uploading external certificates to SCB. Note that the Common Name of the certificate must contain the domain name or the IP address of the host.
Request untrusted: SCB requests a certificate from the remote host, and rejects the connection if no certificate is received; if the certificate is not valid (expired); or if the Common Name of the certificate does not contain the domain name or the IP address of the host.
Warning If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example
ldap.example.com) in the field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate. -
If the LDAP server requires mutual authentication, that is, it expects a certificate from SCB, generate and sign a certificate for SCB, then click
in
the field to upload
the certificate. After that, click in the
field and upload the private key
corresponding to the certificate.
-
-
If you have modified the field or the keys used in the connections, perform the following steps:
Warning This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.
To activate the new settings, navigate to section and click .
An audit trail is a file storing the recorded activities of the administrators. Audit trails can be replayed using the Audit Player application (for details, see Chapter 7, Viewing session information and replaying audit trails). The audit trails are automatically compressed, and can be optionally encrypted, timestamped, and signed as well. Note that audit trails are not created automatically for every connection, auditing must be enabled manually in the channel policy used in the connection. However, the default channel policies available enable auditing for the most common channels.
|
Tip |
|---|---|
By default, every connection uses the built-in audit policy. Unless you use a custom audit policy, modifying the audit policy will affect every audited channel of the connections passing SCB. |
|
Note |
|---|---|
In SCB 1.x it was possible to compress the audit trail files, and also to set the level of compression. Starting from version 2.0, the audit trails are automatically compressed. |
For details on how to configure audit trail encryption, see Procedure 5.1.8.1, Encrypting audit trails.
For details on how to configure timestamping, see Section 5.1.8.2, Timestamping audit trails.
For details on how to configure audit trail signing, see Procedure 5.1.8.3, Digitally signing audit trails.
For details on how to configure other audit trail options, see Procedure 5.1.8.4, Limiting audit trails.
5.1.8.1. Procedure – Encrypting audit trails
Purpose:
SCB can encrypt the audit trails to prevent unauthorized access to the audit trail files. Encryption requires one or more X.509 certificates. Note that SCB itself cannot create the certificates used to encrypt the audit trails.
SCB has the following different ways to encrypt the audit trails:
Encrypt the audit trails with a single certificate. This is the most simple approach: SCB uses one certificate to encrypt the audit trails; anyone who has the private key of that certificate can replay the audit trails. If that key is lost, there is no way to open the audit trails.
Encrypt the audit trails separately with multiple certificates. SCB uses two or more certificates separately to encrypt the audit trails; anyone who has the private key of one of the encryption certificates can replay the audit trails.
Encrypt the audit trails jointly with two certificates. SCB uses two certificates together (a certificate-pair) to encrypt the audit trails. The private keys of both encryption certificates are needed to replay the audit trails. This is a kind of "4-eyes in auditing".
-
Use a separate certificate to encrypt the upstream traffic. SCB can use a different certificate to encrypt the upstream traffic that contains sensitive information, for example the passwords typed by the user in a connection are visible in the upstream traffic. The upstream traffic will be displayed only if the private key of this certificate is available.
Note Even if the upstream traffic is encrypted with a separate certificate, only one audit trail file is created for a session.
|
Warning |
|---|---|
Sensitive information like passwords of the user logging in to the remote server are visible in the audit trails, unless the option is used. In this case, the passwords are visible only with the private key of the certificate used for encrypting the upstream traffic. |
|
Note |
|---|---|
|
You can combine the different encryption methods, so for example it is possible to encrypt the audit trails with multiple certificate-pairs, and to replay the trails only if the private keys of a certificate-pair are available. This is true for encrypting the upstream traffic as well. At the extreme, you will need four private keys to fully replay an audit trail: two to open the normal traffic, and two more to display the upstream traffic. For details on uploading certificates to SCB, see Procedure 4.5.8.2, Uploading external certificates to SCB. |
|
Tip |
|---|---|
If two certificates are displayed in a row, they are a certificate-pair and you need the private key of both to replay the audit trails. If two certificates are displayed in separate rows, you need the one of the private keys to replay the audit trails. If there are multiple rows containing two certificates, you need the private keys of the certificate(s) listed in any of the rows. |
Steps:
-
Navigate to and select the audit policy you will use in your connections.
Tip The policy is used by default by all added connections. Change this policy if you want to encrypt every audited connection.
Select the option.
Click
in the field. A new row is displayed.-
Click on the left
icon and upload a certificate to SCB.
This certificate will be used to encrypt the audit trails, and it must not
include the private key. Note To replay the audit trails, you will need the private key of the certificate on the computer running the Audit Player application.
Optional step: To encrypt the audit trails jointly with another certificate, click on the right
icon and upload a
certificate to SCB. Note that the private key of both certificates will
be required to replay the audit trails.Optional step: Repeat Steps 3-4 (and optionally Step 5) to encrypt the audit trails separately with additional certificates.
-
Optional step: To use a separate certificate to encrypt the upstream traffic, complete the following steps:
Select .
Click the left
icon in the field and upload a
certificate.Optional steps: If needed, add further certificate to jointly or separately encrypt the upstream traffic with.
Click .
SCB can add timestamps to the audit trails.
For details on how to use the built-in timestamping service of SCB, see Procedure 5.1.8.2.1, Built-in timestamping service.
For details on how to use an external Timestamping Authority, see Procedure 5.1.8.2.2, External timestamping service.
5.1.8.2.1. Procedure – Built-in timestamping service
Purpose:
To use the built-in timestamping service of SCB, complete the following steps:
Steps:
-
Navigate to and select the audit policy you will use in your connections.
Tip The policy is used by default by all added connections. Change this policy if you want to encrypt every audited connection.
-
Select the option.
-
Click . SCB will automatically add timestamps to the audit trails of every connection that is audited and uses this audit policy.
Note For details on how to change the certificate used for timestamping, see Section 4.5.8, Managing the certificates used on SCB.
Repeat the above steps for other audit policies if needed.
5.1.8.2.2. Procedure – External timestamping service
Purpose:
To request timestamps from a remote Timestamping Authority (TSA) , complete the following steps:
Steps:
-
Navigate to and select .
Enter the address of the timestamping server into the field. Note that currently only plain HTTP services are supported, password-protected and HTTPS services are not supported.
-
If the Timestamping Server has timestamping policies configured, enter the OID of the policy to use into the field. SCB will include this ID in the timestamping requests sent to the TSA.
Click .
Repeat the above steps for other protocols if needed.
-
Navigate to and select the audit policy you will use in your connections.
Tip The policy is used by default by all added connections. Change this policy if you want to encrypt every audited connection.
Select the option.
Click . SCB will automatically add timestamps to the audit trails of every connection that is audited and uses this audit policy.
Repeat the above steps for other audit policies if needed.
5.1.8.3. Procedure – Digitally signing audit trails
Purpose:
SCB can digitally sign the audit trails to prevent the manipulation of the audit trail files. This requires an X.509 certificate and also the private key of the certificate. Note that SCB can generate a private key that you can use to create a certificate, but SCB itself cannot create the certificate used to sign the audit trails.
Steps:
-
Navigate to and select the audit policy you will use in your connections.
Tip The policy is used by default by all added connections. Change this policy if you want to encrypt every audited connection.
Select the option.
-
Upload a certificate and the corresponding private key to SCB. For details, see Procedure 4.5.8.2, Uploading external certificates to SCB.
To generate a key-pair on SCB and use it to create a certificate in your PKI system, complete the following steps:
Click the
icon in the
field. A popup window opens.Select the length of the key in the field.
Set the type of the key (RSA or DSA) in the field.
Click . The fingerprint of the new private key is displayed in the field.
Click .
Click the fingerprint and select a format to download the public part of the key. Currently the key can be downloaded in the following formats:
OpenSSH,Tectia,PEM,DER.Use your PKI system to create a certificate request with the downloaded key, and sign it with your Certificate Authority (CA).
Click
in the
field and upload the certificate to SCB.
Click . SCB will automatically sign the audit trails of every connection that is audited and uses this audit policy.
Repeat the above steps for other audit policies if needed.
5.1.8.4. Procedure – Limiting audit trails
Purpose:
To impose limits on the audit trail files, complete the following steps:
The followings must be set for every controlled protocol separately.
Steps:
Navigate to .
Adjust the option if needed. If the size of an audit trail is increasing faster than this rate, SCB can send an alert to the administrator. Such connections may sign Denial of Service (DOS) attacks. Different protocols can have different rate limits.
Adjust the option if needed. The size of audit trail files is maximized to prevent a single connection from filling SCB's hard drive, causing a Denial of Service (DOS). The maximal size of the can be 4GB.
Enable the option to terminate any connection if the size of its audit trail reaches limit specified in . If the option is disabled, the connection will not be terminated, but SCB will not further audit the connection. Different protocols can have different size limits.
Click .
-
Warning This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.
To activate the new settings, select .
5.1.9. Procedure – Verifying certificates with Certificate Authorities
Purpose:
SCB can check the validity of certificates using the certificates and certificate-revocation lists of the certificate authorities that issued the certificates. This can be used for example to verify the certificates of the servers in SSH/RDP connections. To create a list of CA certificates to use during the certificate validation, complete the following steps:
Steps:
-
Navigate to and click
to create a new list. Enter a name for the CA list into the topmost field.
Click
in the field, and upload
the certificate of the Certificate Authority (CA) that will be used to validate
the certificates. For details on uploading certificates, see Procedure 4.5.8.2, Uploading external certificates to SCB.Enter the URL of the Certificate Revocation List of the CA into the field. Certificates appearing on the CRL list will be automatically rejected.
-
To further limit which certificates are accepted, you may use the following options:
Strict hostname check: Select this option to accept only certificates when the Common Name of the certificate contains the hostname or the IP address of the host showing the certificate.
Use DNS to lookup hostnames: Select this option to use the domain name server set on to resolve the hostnames and IP addresses for certificate validation. If you have enabled the option, you probably want to enable this option as well.
To restrict the accepted certificates based on the content of the certificate, enter the required value into the appropriate field of the section. For example, to accept only certificates that contain
Example Inc.in their Organization Name field, enterExample Inc.in to the field. In the Common name, E-mail address, and Alternative e-mail address fields you can use the$usernamemacro to refer to the username used in the connection. This macro makes it possible to check that the user is using his own certificate.
Click .
5.1.10. Procedure – Signing certificates on-the-fly
Purpose:
At a number of places, SCB can generate the server-side certificates on the fly. This technique is used for example in SSL-encrypted RDP sessions, RDP sessions that use Network Level Authentication (CredSSP), or SSH connections that use X.509-based authentication. To create a signing CA, complete the following steps:
|
Note |
|---|---|
Signing CAs require a CA certificate permitted to sign certificates, and also the corresponding private key. |
|
Note |
|---|---|
These CAs cannot be used to sign audit trails. For details on how to configure the certificates used to sign audit trails, see Procedure 5.1.8.3, Digitally signing audit trails. |
Steps:
-
Navigate to and click
. Enter a name for the CA into the topmost field.
-
To upload a CA certificate and its private key, complete the following steps. Skip this step if you want to generate a CA on SCB.
Click
in the
field and upload the certificate of the certificate authority.Click
in the field
and upload the private key of the certificate authority. For details,
see Procedure 4.5.8.2, Uploading external certificates to SCB.Click .
-
To generate a CA certificate on SCB, complete the following steps:
Enter the Common Name for the CA certificate into the field. This name will be visible in the
Issued Byfield of the certificates signed by this CA.Fill the other fields as required, then click .
Click .
5.1.11. Procedure – Forwarding traffic to an IDS or DLP system
Purpose:
SCB can forward the contents of the traffic to an Intrusion Detection System (IDS) or a Data Leak Prevention (DLP) system for further analysis. The IDS or DLP system and SCB must be on the same network segment (connected to the same network switch). SCB does not modify the traffic, only forwards the unencrypted traffic to the IDS/DLP. For example, if HTTP traffic is tunneled in SSH, the IDS will receive only the HTTP traffic. That way, the IDS/DLP system can inspect the contents of the encrypted traffic. To configure traffic forwarding, complete the following steps.
Steps:
-
Navigate to the type of traffic to forward (for example ), and select the page.
Select , and select which interface of SCB is connected to the same network segment (that is, to the same switch) as the IDS. Note that the HA interface of SCB cannot be used for this purpose.
Enter the MAC address of the network card of the IDS system into the field.
Click .
-
Select page, and select the channel policy you use in the connections that you want to forward to the IDS. Click
. Select the option for the channels you want to forward to the IDS.
Repeat the Steps 5-6 for other channel policies if needed.
-
Warning This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.
Navigate to , and click for this type of traffic.
Repeat the above steps for other types of traffic if needed.
5.1.12. Procedure – Configuring cleanup for the SCB connection database
Purpose:
SCB can automatically archive audit trails older than a specified retention time. However, the metadata of the corresponding connections is not deleted from the SCB connection database. Deleting the stored data about old connections decreases the size of the database, making searches faster, and might be also required by certain policies or regulations. The period after metadata is deleted can be specified individually for the different protocols, (for example, data about SSH connections can be stored longer than other connections) and also for every connection policy. In order to configure SCB to delete the metadata of old connections for a particular protocol, complete the following steps:
Steps:
Navigate to the page of the respective protocol, for example, to
SSH Control > Global Options.-
Enter how long SCB (in days) should keep the metadata into the field. For example, if you specify
365, SCB will delete the data of connections older than a year. Enter zero (0) to keep the data indefinitely (this is also the default behavior of SCB).Note The time you specify cannot be shorter than the set for the Archive policies used in the connections of this protocol.
The time you specify cannot be shorter than the set in the individual connection policies of this protocol.
Click and repeat the previous step for other protocols if needed.
-
To delete the metadata of certain connections earlier than the time set in the field of the protocol, navigate to the particular connection policy, and enter how long SCB (in days) should keep the metadata of the sessions of this connection policy into the field. Enter zero (
0) to use the settings of the protocol (this is also the default behavior of SCB).Note The time you specify cannot be shorter than the set for the Archive policy used in the particular connection.
Click and repeat the previous step for other connections if needed.
Expected outcome:
Every day SCB deletes the metadata of connections older than the given cleanup time from the connection database.
The following sections describe configuration settings available only for the SSH protocol. Use the following policies to control who, when, and how can access the SSH connection.
Hostkeys and host certificates: SCB allows you to set how the identity of the client hosts and servers is verified. For details, see Procedure 5.2.1, Setting the SSH host keys and certificates of the connection.
Authentication Policy: Authentication policies describe the authentication methods allowed in a connection. Different methods can be used for the client and server-side connections. For details, see Section 5.2.3, Authentication Policies.
-
User List: A user list is a list of usernames permitted to use — or forbidden from using — the connection. Essentially it is a blacklist or a whitelist. All users matching the other requirements of the connection are accepted by default. For details, see Procedure 5.1.6, Creating and editing user lists.
-
Channel Policy: The channel policy determines which SSH channels (for example terminal session, SCP, and so on) can be used in the connection, and whether they are audited or not. The different channels may be available only under certain restrictions, as set in the channel policy. For details, see Procedure 5.1.4, Creating and editing channel policies.
-
SSH settings: SSH settings determine the parameters of the connection on the protocol level, including timeout value and greeting message of the connection. The following parameters determine which algorithms are used in the connections, and can be set independently for the client and the server side: key exchange, host key, cipher, MAC, and compression algorithms. The default values include all possible algorithms. For details, see Procedure 5.2.5, Creating and editing protocol-level SSH settings.
5.2.1. Procedure – Setting the SSH host keys and certificates of the connection
Purpose:
By default, SCB accepts and stores the host key or certificate of the server when the connection is first established. To manually set the SSH keys and certificates used and accepted in the connection, complete the following steps.
Steps:
-
Navigate to and click
to display the details of the connection. -
To verify the identity of the servers based on their hostkeys, select .
Note At least one of the options must be enabled.
Select to automatically record the key shown by the server on the first connection. SCB will accept only this key from the server in later connections. This is the default behavior of SCB.
Select if the key of the server is already available on SCB. SCB will accept only the stored key from the server. For further information on setting the host keys of the server, see Section 5.2.4, Server host keys and certificates.
-
To verify the identity of the servers based on their X.509 host certificates, select .
Note At least one of the options must be enabled.
Select to automatically record the certificate shown by the server on the first connection. SCB will accept only this certificate from the server in later connections.
Select if the certificate of the server is already available on SCB. SCB will accept only the stored certificate from the server. for further information on setting the host certificate of the server, see Section 5.2.4, Server host keys and certificates.
-
Select to verify the host certificate of the server to a CA certificate, and select the Trusted CA list to use in the field. For details on creating CA lists, see Procedure 5.1.9, Verifying certificates with Certificate Authorities.
Note By default, SCB accepts only plain hostkeys, and accepts them for the first time.
To set the RSA and DSA host keys that SCB shows to the clients, select , and click the
icon in the or the fields to
set the RSA and DSA host keys, respectively. It is possible to upload or
paste a key or to generate a new one. Click on the fingerprint to display
the public part of the key.-
To enable SCB to show an X.509 certificate to the clients, select .
To always use the same certificate, select and upload a private key and a certificate.
To generate a new certificate for the connection policy (not for every session), select , and set the CA to use for signing the certificate in the field. For details about creating signing CAs, see Procedure 5.1.10, Signing certificates on-the-fly.
Click .
The available SSH channel types and their functionalities are described below. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.
Agent: Forwards the SSH authentication agent from the client to the server.
-
X11 Forward: Forwards the graphical X-server session from the server to the client. Enter the address of the client into the field to permit X11-forwarding only to the specified clients. Specify IP addresses or networks (in IP address/Netmask format).
Note Certain client applications send the Target address as a hostname, while others as an IP address. If you are using a mix of different client applications, you might have to duplicate the channel rules and create IP-address and hostname versions of the same rule.
-
Local Forward: Forwards traffic arriving to a local port of the client to a remote host. To enable forwarding only between selected hosts, enter their IP addresses into the field. If the field is empty, local forwarding is enabled without restriction, the client may forward any traffic to the remote host. Enter the source of the forwarded traffic into the , the target of the traffic into the field. Specify IP addresses or networks (in IP address/Netmask format). These parameters are the end-points of the forwarded traffic (that is, the local host that sends data to the remote host), and not the SSH server or the client. For example, to enable forwarding from the
192.168.20.20host to the remote host192.168.50.50, enter192.168.20.20into the , and192.168.50.50into the field.Note Certain client applications send the Originator and Target addresses as hostnames, while others as IP addresses. If you are using a mix of different client applications, you might have to duplicate the channel rules and create IP-address and hostname versions of the same rule.
Warning Port forwarding across SCB may fail for certain SSH client-server combinations. This happens if within the protocol, the address of the remote host is specified as a hostname during the port-forwarding request (
SSH_MSG_GLOBAL_REQUEST), but the hostname is resolved to IP address in the channel opening request (SSH_MSG_CHANNEL_OPEN. By default, SCB rejects such connections.To enable these connections, navigate to , and disable the option.
-
Remote Forward: Forwards traffic arriving a remote port of the server to the client. To enable forwarding only between selected hosts, enter their IP addresses into the field. If the field is empty, remote forwarding is enabled without restriction, the SSH server may forward any traffic to the client. Enter the source of the forwarded traffic into the , the target of the traffic into the field. Specify IP addresses or networks (in IP address/Netmask format). These parameters are the end-points of the forwarded traffic (that is, the remote host that sends data to the client), and not the SSH server. For example, to enable forwarding from the
192.168.20.20remote host to the client192.168.50.50, enter192.168.20.20into the , and192.168.50.50into the field.Note Certain client applications send the Originator and Target addresses as hostnames, while others as IP addresses. If you are using a mix of different client applications, you might have to duplicate the channel rules and create IP-address and hostname versions of the same rule.
Warning Port forwarding across SCB may fail for certain SSH client-server combinations. This happens if within the protocol, the address of the remote host is specified as a hostname during the port-forwarding request (
SSH_MSG_GLOBAL_REQUEST), but the hostname is resolved to IP address in the channel opening request (SSH_MSG_CHANNEL_OPEN. By default, SCB rejects such connections.To enable these connections, navigate to , and disable the option.
-
Session Exec: Execute a remote command (for example
rsync) without opening a session shell. Enter the permitted command into the field. Regular expressions may be used to specify the commands.Warning Restricting the commands available in channels does not guarantee that no other commands can be executed. Commands can be renamed, or executed from shell scripts to circumvent such restrictions.
-
Session Exec SCP: Transfers files using the Secure Copy (SCP) protocol.
To make the list of file operations available in the column of the page, navigate to and enable the option. This option is disabled by default.
-
To send the file operations into the system log, enable the option. This option is disabled by default.
Note Turning logging on might result in a slight performance penalty. If traffic load slows processes down, disable the option. You will see the file list in the audit player without enabling this option.
Session Subsystem: Use a subsystem. Enter the name of the permitted subsystem into the field.
-
Session SFTP: Transfers files using the Secure File Transfer Protocol (SFTP).
To make the list of file operations available in the column of the page, select the option. This option is disabled by default.
-
To send the file operations into the system log, enable the option. This option is disabled by default.
Note Turning logging on might result in a slight performance penalty. If traffic load slows processes down, disable the option. You will see the file list in the audit player without enabling this option.
Session Shell: The traditional remote terminal session.
An authentication policy is a list of authentication methods that can be used in a connection. Connection definitions refer to an authentication policy to determine how the client can authenticate to the target server. Separate authentication methods can be used on the client and the server-side of the connection.
5.2.3.1. Procedure – Creating a new authentication policy
Purpose:
To create a new authentication policy, follow the steps below:
Steps:
-
Navigate to , and click
. Enter a name for the policy into the field.
Select the authentication method used on the client-side in the field. For details on the client-side authentication settings, see Section 5.2.3.2, Client-side authentication settings.
Select the authentication method used on the server-side in the field. For details on the server-side authentication settings, see Section 5.2.3.3, Server-side authentication settings.
-
Click .
Note -
The client-side authentication settings apply for authenticating the user inband (that is, within the SSH protocol) to the SCB gateway, and is independent from the gateway authentication performed on the SCB web interface. The web-based gateway authentication is an outband gateway authentication method that can be required by the connection policy. For details on the outband gateway authentication, see Procedure 8.2.1, Configuring outband gateway authentication.
Gateway authentication on the SCB web interface can be used together with authentication policies. In an extreme setting, this would mean that the user has to perform three authentications: a client-side gateway authentication within the SSH protocol to SCB, an outband gateway authentication on the SCB web interface, and a final authentication on the target server.
The Connection Policy will ignore the settings for server-side authentication (set under ) if a Credential Store is used in the Connection Policy.
-
For the client-side connection, SCB can authenticate the client inband (within the SSH protocol) using the following authentication methods:
-
LDAP: SCB will authenticate the client to the LDAP database set in the of the connection policy. To use LDAP authentication on the client side, select , and select the permitted authentication methods (, , ). More than one method can be permitted.
Note SCB will authenticate the client-side connection to the LDAP server configured in the connection policy. This is not necessarily the same as the LDAP server used to authenticate the users accessing the SCB web interface.
The public keys of the users stored in the LDAP database must be in OpenSSH format.
Local: Authenticate the client locally on the SCB gateway. For details, see Procedure 5.2.3.2.1, Local client-side authentication.
RADIUS: SCB will authenticate the client to the specified RADIUS server. Select , enter the IP address or hostname of the RADIUS server into the field, and the shared secret of the RADIUS server into the field. Only password-authentication is supported (including one-time passwords), challenge-response based authentication is not.
-
None: Do not perform client-side authentication, the client will authenticate only on the target server.
Warning Hazard of security breach! If the authentication option is selected on the client side and SCB is configured to use public-key or certificate based authentication on the server, the user will not be authenticated at all unless gateway authentication is required for the connection.
5.2.3.2.1. Procedure – Local client-side authentication
Purpose:
To perform authentication locally on SCB for client-side connections, complete the following steps:
|
Note |
|---|---|
|
The users can be authenticated to their passwords, public-keys or X.509 certificates uploaded to SCB. Using passwords for local client-side authentication is available only in SCB 3 F2 and later. The accounts created to access the SCB web interface cannot be used to authenticate SSH connections. |
Steps:
Navigate to , and select the authentication policy to modify.
Select , and select the permitted authentication methods (, , ).
Navigate to the bottom of the policy, and click
.-
Enter the name of the user into the field.
Note If you also use Usermapping policies, enter the username that the client will use on the server side. If you also use gateway authentication, the gateway username can be used as well.
-
Depending on the authentication method selected, set the credentials of the user.
For password-authentication, select Client Side Passwords >
, and enter the password of the user.For public-key or certificate-based authentication, select Client Side (public key/certificate) >
and upload the public key or X.509 certificate of the user.
Repeat Steps 3-5 to add other users as required.
Click .
For the server-side connection (between SCB and the target server), the following authentication methods are available.
|
Note |
|---|---|
|
Even though these settings refer to the server-side connection, the client must support the selected authentication method and have it enabled. For example, to use publickey authentication on the server side, the client must support publickey authentication, even if a different authentication method is used on the client side. The Connection Policy will ignore the settings for server-side authentication (set under ) if a Credential Store is used in the Connection Policy. |
Password: Authentication based on username and password. The server will request a password from the user, even if a password-based authentication was already successful on the client-side.
Keyboard Interactive: Authentication based on exchanging messages between the user and the server. This method includes authentication schemes like S/Key or TIS authentication.
-
Public Key: Authentication based on public-private encryption keypairs. SCB supports the following public-key authentication scenarios:
-
Agent: Allow the client to use agent-forwarding, and use its own keypair on the server-side. If this option is used, SCB requests the client to use its SSH agent to authenticate on the target server.
Warning If agent-based authentication is enabled, the client must use agent authentication, no other authentication method can be used. Note that for agent-based authentication to work, the
Agent-forwadingchannel must be enabled in the channel policy used by the connection. Fix: Use the specified private key in the server-side connection. Select , and click
to upload the private
key. -
Map: SCB stores the public key of the user and a keypair for every user. This keypair is used in the server-side connection. For details, see Procedure 5.2.3.4, How to map keys and certificates.
-
Publish to LDAP: SCB generates a keypair, and uses this keypair in the server-side connection. The public key of this keypair is also uploaded to the LDAP database set in the of the connection policy. That way the server can authenticate the client to the generated public key stored under the user's username in the LDAP database. Select .
Note SCB generates a keypair for every user of the connection policy, not for every session.
-
-
X.509 certificate: Authentication based on X.509 certificates. SCB supports the following certificate-based authentication scenarios:
-
Agent: Allow the client to use agent-forwarding, and use its own certificate on the server-side. If this option is used, SCB requests the client to use its SSH agent to authenticate on the target server.
Warning If agent-based authentication is enabled, the client must use agent authentication, no other authentication method can be used. Note that for agent-based authentication to work, the
Agent-forwadingchannel must be enabled in the channel policy used by the connection. Fix: Use the specified private key and certificate in the server-side connection. Select , and click
to
upload the private key and the certificate.-
Map: SCB stores an X.509 certificate and the corresponding private key for the user, and uses the stored certificate in the server-side connection. For details, see Procedure 5.2.3.4, How to map keys and certificates.
Generate: SCB generates an X.509 certificate and the corresponding private key for every connection policy, and uses this certificate in the server-side connections. Select , and select the certificate authority to use for signing the generated certificates with from the field. For details on configuring signing CAs, see Procedure 5.1.10, Signing certificates on-the-fly.
-
Publish to LDAP: SCB generates an X.509 certificate and the corresponding private key for every connection policy, and uses this certificate in the server-side connections. The certificate is also uploaded to the LDAP database set in the of the connection policy. That way the server can authenticate the client to the generated certificate stored under the user's username in the LDAP database. Select , and select the certificate authority to use for signing the generated certificates with from the field. For details on configuring signing CAs, see Procedure 5.1.10, Signing certificates on-the-fly.
Note SCB generates a certificate for every connection policy, not for every session.
-
5.2.3.4. Procedure – How to map keys and certificates
Steps:
Navigate to , and select the authentication policy to modify.
-
Navigate to the bottom of the policy, and click
. -
Enter the name of the user into the field.
Note If you also use Usermapping policies, enter the username that the client will use on the server side. If you also use gateway authentication, the gateway username can be used as well.
-
If you use public-key based authentication on the client side, click the
icon in the field, and
upload the public key of the client.If you use certificate-based authentication on the client side, click the
icon in the field,
and upload the certificate of the client.
SCB will verify that a client trying to use the username set in Step 3 is authenticating itself with the private key that corresponds to the uploaded public key or certificate.
-
If you use public-key based authentication on the server side, click the
icon in the field, and
upload the private key of the client, or generate a new
key.If you use certificate-based authentication on the server side, click the
icon in the field, and upload the private key for
the certificate of the client. Then upload the certificate that
will be used on the server side.
SCB will use the uploaded private key to authenticate on the server if the client is trying to use the username set in Step 3.
Repeat Steps 2-5 to add other users as required.
Click .
The host keys and X.509 certificates of the trusted servers can be managed using the tab of the menu item. When a client tries to connect to a server, SCB verifies the host key or the certificate of the server. SCB allows connections only the servers listed on this page, unless the or the option is enabled in the connection policy.
5.2.4.1. Procedure – Automatically adding the host keys and host certificates of a server to SCB
Purpose:
The host keys and host certificates of the servers can be added either automatically or manually. To add the host key or certificates automatically, complete the following steps:
Steps:
Navigate to the .
-
Configure a connection: fill the , , and fields. If SCB is set to Bastion mode, fill the field as well.
Note Enter the IP address of the server into the field if SCB is set to Router, and into the field if SCB is set to Bastion mode.
-
Click
to display the advanced settings and verify that the
option is set to . If the servers use X.509 certificates, select , and verify that the option is set to .
Click .
Initiate an SSH connection from the client to the server. SCB will automatically record the host key of the server — the server's IP address and the host key will be listed on the page.
5.2.4.2. Procedure – Manually adding the host key or host certificate of a server
Purpose:
To add the host key or host certificate manually, complete the following steps:
Steps:
Navigate to the and click
.Enter the IP address and port of the server into the and fields.
-
To set the host key of the server, complete the following steps:
-
To add the RSA fingerprint of the server, click
in the
field. To add the DSA fingerprint of the server, click
in the
field.
A popup window is displayed.
-
Select to retrieve the host key from the server.
-
To upload the host key manually, select , select the file, and click . Optionally, you can also paste the key into the section and select .
Select to close the window.
-
-
To set the host certificates of the server, complete the following steps:
-
To add the RSA certificate of the server, click
in the field. To add the DSA certificate of the server, click
in the field.
A popup window is displayed.
-
To upload the host key manually, select , select the file, and click . Optionally, you can also paste the key into the section and select .
Select to close the window.
-
Click .
5.2.5. Procedure – Creating and editing protocol-level SSH settings
Purpose:
SSH settings determine the parameters of the connection on the protocol level, including when the server-side connection is built, as well as the timeout value and greeting message of the connection. The following parameters determine which algorithms are used in the connections, and can be set independently for the client and the server side: key exchange, host key, cipher, MAC, and compression algorithms. Complete the following procedure to create a new SSH settings profile or edit an existing one:
|
Warning |
|---|---|
Modifying the SSH settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing. |
Steps:
Navigate to the and click
to create an SSH setting profile. Enter a name for the profile
into the field (for example
strongencryption).Click
to display the parameters of the SSH connection.Modify the parameters as needed. The parameters can be set independently for the client- and the server-side connection. For a list of the available parameters, see Section 1.2, Configuring encryption parameters.
To check the protocol-level parameters of the connections very strictly, select the option. This option is enabled by default. When this option is enabled, SCB will reject connections that use unrealistic parameters (for example terminals of thousand by thousand characters) and port-forwarding connections where the address in the port-forwarding request and the channel-opening request does not match. Note that this option can interfere with certain client or server applications.
-
Before establishing the server-side connection, SCB can evaluate the connection and channel policies to determine if the connection might be permitted at all, for example it is not denied by a Time Policy. To enable this function, select the option. That way SCB establishes the server-side connection only if the evaluated policies permit the client to access the server.
Click .
Select this settings profile in the field of your connections.
The following sections describe configuration settings available only for the RDP protocol. Use the following policies to control who, when, and how can access the RDP connection.
-
Channel Policy: The channel policy determines which RDP channels (for example clipboard, file-sharing, and so on) can be used in the connection, and whether they are audited or not. The different channels may be available only under certain restrictions, as set in the channel policy. For details, see Procedure 5.1.4, Creating and editing channel policies.
-
RDP settings: RDP settings determine the parameters of the connection on the protocol level, including timeout value, display parameters, and the version of RDP permitted. For details, see Procedure 5.3.2, Creating and editing protocol-level RDP settings.
Domain membership: When using Network Layer Authentication (CredSSP) SCB must be a member of the domain. For details, see Procedure 5.3.3, Joining SCB into a domain.
SSL-encrypted connections: For details on how to setup SSL-encrypted RDP connections, see Procedure 5.3.4, Using SSL-encrypted RDP connections and Procedure 5.3.5, Verifying the certificate of the RDP server in encrypted connections.
SCB as a Terminal Services Gateway: For details on how to configure SCB to accept connections using the Terminal Services Gateway Server Protocol, see Procedure 5.3.6, Using SCB as a Terminal Services Gateway.
The available RDP channel types and their functionalities are described below. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.
-
Drawing: Enables access to the server's graphical desktop (screen). This channel must be enabled for RDP to work.
Note In case the Drawing channel is disabled and the load of SCB is high, or the connection requires 4-eyes authorization and the Authorizer is slow to accept the connection, the client might receive the following error message:
The Remote Desktop Gateway server administrator has ended the connection. Try reconnecting later or contact your network administrator for assistance
Clipboard: Enable access to the server's clipboard: the clipboard of the remote desktop can be pasted into local applications (and vice-versa). Note that SCB can audit the clipboard channel, but the Audit Player currently cannot search or display its contents.
-
Redirects: Enables access to every device redirections available in RDP, like file-sharing, printer sharing, device (for example CD-ROM) sharing, and so on. To enable only specific types of redirections, use the following channels:
Serial redirect: Enables access to serial-port redirections.
Parallel redirect: Enables access to parallel-port redirections.
Printer redirect: Enables access to shared printers.
Disk redirect: Enables access to shared disk drives.
SCard redirect: Enables access to shared SCard devices.
To permit only specific redirections, enter the unique name of the redirection into the field. For example, if you want to enable access only to the shared disk drive C:\, enable the channel and enter
C:\into the field. Note that the name of the device comes from the device itself, so it is case sensitive, and may not always be reliable from a security point of view. Sound: Enable access to the sound device of the server.
Custom: Applications can open custom channels to the clients connecting remotely to the server. Enabling the channel allows the clients to access all of these custom channels. To permit only specific channels, enter the unique names of the channel into the field.
Seamless: Enable seamless channels that run a single application on the RDP server, instead of accessing the entire desktop.
Dynamic virtual channel: Enable the server to open channels back to the client dynamically. To restrict which dynamic channels are permitted, select Channel details >
,
and enter the name of the permitted channel.
5.3.2. Procedure – Creating and editing protocol-level RDP settings
Purpose:
RDP settings determine the parameters of the connection on the protocol level, including timeout value, the version of RDP permitted in the connection, and display parameters. Complete the following procedure to create a new RDP settings profile or edit an existing one:
|
Warning |
|---|---|
Modifying the RDP settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing. |
Steps:
Navigate to and click
to create an RDP setting profile. Enter a name for the profile
into the field (for example
rdp5only).Click
to display the parameters of the RDP connection.-
Modify the parameters as needed. The following parameters are available:
-
Idle timeout: Timeout value for the connection in milliseconds. Negative numbers (for example
-1) set the timeout to unlimited.Warning Determining if a connection is idle is based on the network traffic generated by the connection, not the activity of the user. For example, if an application or the taskbar of a graphical desktop displays the time which is updated every minute, it generates network traffic every minute, negating the effects of timeout values greater than one minute and preventing SCB from closing the connection.
Maximum display width: The maximum allowed width of the remote desktop in pixels (for example
1024).Maximum display height: The maximum allowed height of the remote desktop in pixels (for example
768).-
Maximum display depth: The maximum allowed color depth the remote desktop in bits (for example
24). The following values are valid: 8, 15, 16, 24.Warning Using 32-bit color depth is not supported.
Warning Certain Windows versions do not support 24-bit color depth. In this case, those versions can only be displayed in 16-bit color depth. SCB automatically changes its settings to 16-bit.
Enable RDP4: Select this option to enable the version 4 of the Remote Desktop Protocol.
Enable RDP5: Select this option to enable the version 5 of the Remote Desktop Protocol.
-
Enable RDP6: Select this option to enable the use of Credential Security Service Provider (CredSSP, also called Network Level Authentication). Note that: SSL-encrypted connections (even in RDP6) do not require this option, it is only needed for Network Level Authentication. If you enable this option, you also have to configure SCB to join your domain. For details, see Procedure 5.3.3, Joining SCB into a domain. Also note that Smartcard authentication cannot be used when this option is enabled.
Warning To access hosts running Windows 2008 Server R2 using RDP6, select the Enable RDP4 style authentication option as well.
Warning To access servers with CredSSP from clients using Windows XP SP3, using RDP6, you have turn CredSSP on. For details, see Description of the CredSSP in Windows XP SP3.
Enable RDP4 style authentication: Select this option to enable RDP4 authentication within the RDP5 protocol. This might be needed for compatibility reasons with certain client applications.
-
Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all, SCB does not establish the server-side connection.
-
Enable compression: Select this option to enable compression of the RDP channels. Note the following:
Disabling compression significantly increases the network load of RDP connections. The exact ratio of the increase depends on the content of the connections, but on the average the network load can be expected to increase by 500%.
The Drawing channel is always compressed, regardless of this setting.
Disable compression if you experience reliability problems in your RDP connections, for example, files copied in disk redirection channels become corrupt.
-
Autologon domain suffix: Enter the suffix that the client will append to the domain when using autologon in conjunction with Network Level Authentication (CredSSP).
-
Click .
Select this settings profile in the field of your connections.
5.3.3. Procedure – Joining SCB into a domain
Purpose:
Joining a domain is required when using Credential Security Service Provider (CredSSP, also called Network Layer Authentication).
Steps:
Navigate to .
-
Enter the name of the domain (for example
mydomain) into the field.
-
Enter the name of the realm (for example
mydomain.example.com) into the field.Note Ensure that your DNS settings are correct and that the full domain name can be resolved from SCB. To check this, navigate to , enter the full domain name into the field, and select .
Click . A popup window is displayed.
-
SCB requires an account to your domain to be able to join the domain. Enter the name of the user into the field, and the corresponding password into the field.
Optionally, you can enter the name of your domain controller into the field. If you leave this field blank, SCB will try to find the domain controller automatically.
Note Ensure that your DNS settings are correct and that the hostname of the domain controller can be resolved from SCB. To check this, navigate to , enter the name of the domain controller into the field, and select .
Click .
5.3.4. Procedure – Using SSL-encrypted RDP connections
Purpose:
RDP5 and RDP6 connections may use SSL encryption to encrypt the communication between the client and the server. If both the client and the server supports SSL encryption, the connection will be encrypted.
|
Note |
|---|---|
|
Using Network Level Authentication (CredSSP) automatically uses SSL-encryption, but does not require a signing CA. To enable SSL encryption, the option must be enabled in the protocol settings of the connection. In the default setting, this is enabled. To enable Network Level Authentication (CredSSP) the option must be enabled in the protocol settings of the connection. In the default setting, this is not enabled. For details, see Procedure 5.3.2, Creating and editing protocol-level RDP settings. |
When the RDP connection is SSL-encrypted, SCB has to show a certificate to the client. To set the certificate authority used to sign these certificates, complete the following steps.
Steps:
Create a certificate authority that will be used to sign the certificates that SCB shows to the client. For details, see Procedure 5.1.10, Signing certificates on-the-fly.
Navigate to and select the connection policy to modify.
-
In the field, select the certificate authority to use.
Warning SSL-encrypted RDP connections will be automatically rejected if no signing CA is selected.
Note Connections using Network Level Authentication (CredSSP) do not need a signing CA, because they use self-signed certificates that are created automatically.
Click .
5.3.5. Procedure – Verifying the certificate of the RDP server in encrypted connections
Purpose:
By default, SCB accepts any certificate shown by the server. To accept only verified certificates, complete the following steps:
Steps:
Create a list of trusted CA certificates that will be used to verify the certificate of the server. For details, see Procedure 5.1.9, Verifying certificates with Certificate Authorities.
Navigate to and select the connection policy to modify.
-
Select .
Select the CA list to use for verifying the certificate of the server from the field.
Click .
-
Optional Step: Configure your Windows servers to display a certificate signed with the above Certificate Authority for incoming RDP connections. To accomplish this, complete the following steps:
Generate a certificate that contains the IP address or the hostname of the target server in its Common Name (CN) field and sign it with the Certificate Authority whose certificate you added to the of SCB.
Convert the signed certificate of the target server to PKCS12 format that includes the private key.
Start the Microsoft Management Console (MMC) on the target server and select .
Right-click on the store, then select , and select the certificate created for the server.
Complete the Certificate Import Wizard, but do not select the option.
Select .
Right-click on the connection you want to configure and select .
Set the to .
Click and select the imported certificate. The server will use this certificate to verify its identity for the incoming RDP connections.
5.3.6. Procedure – Using SCB as a Terminal Services Gateway
Purpose:
Terminal Services Gateway (TS Gateway) is a role service in the Terminal Services server role that allows authorized remote users to connect to resources located on an internal or private network from any Internet-connected device. The accessible resources can be terminal servers, remote applications, remote desktops, and so on.
The Terminal Services Gateway Server Protocol is a remote procedure call (RPC) protocol using HTTPS as the transport mechanism, used primarily for tunneling client to server traffic across firewalls. The BalaBit Shell Control Box can act as a Terminal Services Gateway, receiving connections using the Terminal Services Gateway Server Protocol and transferring them to the target servers using the RDP protocol.
The Terminal Services Gateway Server Protocol enables inband destination selection, meaning that SCB can extract the address of the target server from the client connections. This greatly simplifies managing connections on SCB without having to encode the name of the target server in the username, which was problematic as the length of the username is limited on many platforms — especially in Bastion mode.
Prerequisites:
-
To access remote servers using a Terminal Services Gateway, the clients must use version 6.1 or newer of the Remote Desktop application. Note that officially only version 6.0 is available for the Windows 2003 Server operating system, though it is possible to install a newer version. However, this is a problem only when initiating RDP connections from the Windows 2003 Server host, not when the Windows 2003 Server is the target of the connection.
Please note that Windows XP clients can only access Terminal Services Gateway with Service Pack 3 and CredSSP fix installed. See the Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3 for details on installing CredSSP fix.
SCB must be a member of a Windows Domain. For details on joining a domain, see Procedure 5.3.3, Joining SCB into a domain.
Ensure that the system times of the Domain Controller, the target servers, the clients, and SCB are synchronized.
Gateway authentication on the SCB web interface cannot be used for connection policies that use SCB as a Terminal Services Gateway. However, the Remote Desktop applications of the clients can be configured to perform two separate authentications, one on the Terminal Services Gateway (that is, on SCB), and one on the target server. For details on configuring the Remote Desktop applications of the clients to perform gateway authentications, see Procedure 5.3.7, Configuring Remote Desktop clients for gateway authentication.
The Terminal Services Gateway Server Protocol supports Network Level Authentication (NTLM) and Smartcard authentication; SCB acting as a Terminal Services Gateway supports only Network Level Authentication.
SCB can be used as a Terminal Services Gateway in Bastion, Router, and Bridge modes, though most commonly it is used in Bastion mode. Note that in Bastion mode, the terminal service clients must be configured the use SCB as the Terminal Services Gateway. The SCB will connect the server (selected inband) after authentication.
Terminal Services Gateway will require a certificate. Decide whether you want to use a fix certificate, or an on-the-fly generated certificate before performing the steps below and prepare the certificate.
You may also need to adjust the port settings of the connections. The default port for RDP connections is 3389, but the Terminal Services Gateway Server Protocol uses port 443. However, the SCB web interface uses port 443 as well, and other connection policies might already use port 443. Therefore, if SCB management is enabled on the interface that receives the Terminal Services connections, add an alias IP address to the interface of SCB (for example, the external interface) and use this alias in your connection policy and the client configurations. For details on creating IP aliases on SCB, see Section 4.3.1, Network settings.
Steps:
Navigate to and create a new connection policy that will handle the incoming client connections that use the Terminal Services Gateway Server Protocol.
-
Enable the option.
-
Set the target of the connections.
To direct every incoming connection to a single target server, select and specify the address of the target server.
To extract the destination address from the Terminal Services Gateway Server Protocol, select and set the address of the servers the clients are allowed to access in the fields. For details on using inband destination selection, see Procedure 5.1.2, Modifying the destination address.
Note In Bastion mode, enter the IP address generated for the Terminal Services Gateway service into the To field. Do not enter the regular IP address of SCB management.
-
To act as a Terminal Services Gateway, SCB needs to display a certificate to the clients.
-
To display always the same certificate, select and upload the X.509 certificate and the matching private key.
Warning The Common Name (CN) of the certificate must be the FQDN of SCB, which is the address of the Terminal Services Gateway specified in the client applications. Otherwise the clients will reject the connections.
-
To automatically create new certificates on SCB for every client, select , then select the Certificate Authority (CA) to sign the generated certificates with from the field. For details on creating a signing CA, see Procedure 5.1.10, Signing certificates on-the-fly.
Note Save the CA certificate used to sign the certificate that SCB shows into DER format and import it to the clients into the store of the clients so that the clients can verify the identity of SCB.
-
-
Configure other parameters of the connection policy as needed for your environment.
Note You may also need to adjust the port settings of the connections. The default port for RDP connections is 3389, but the Terminal Services Gateway Server Protocol uses port 443. However, the SCB web interface uses port 443 as well, and other connection policies might already use port 443. Therefore, if SCB management is enabled on the interface that receives the Terminal Services connections, add an alias IP address to the interface of SCB (for example, the external interface) and use this alias in your connection policy and the client configurations. For details on creating IP aliases on SCB, see Section 4.3.1, Network settings.
Click .
5.3.7. Procedure – Configuring Remote Desktop clients for gateway authentication
Purpose:
To configure the Remote Desktop applications of the clients to perform two separate authentications: one on the Terminal Services Gateway (that is, on SCB), and one on the target server. For details on configuring SCB to act as a Terminal Services Gateway, see Procedure 5.3.6, Using SCB as a Terminal Services Gateway.
Prerequisites:
SCB must be configured to to act as a Terminal Services Gateway. For details, see Procedure 5.3.6, Using SCB as a Terminal Services Gateway.
The client must use version 6.1 or newer of the Remote Desktop application.
Both the client and the target server must be members of a domain.
The external interface of SCB must be accessible from the client. You might have to add the address of the external interface to the
Windows/System32/Drivers/etc/hostsfile to accomplish this.
Steps:
-
On your Windows client, start the application and select .
-
Configure the client to use SCB as its Terminal Services Gateway. Select .
Enter the address of SCB into the field. Use the address of the SCB's external interface that you have configured to accept RDP connections.
Select .
-
Uncheck the and options.
Note Technically, gateway authentication is performed even if the option is selected, but the same credentials are used on the gateway and on the remote server.
Click .
Into the enter the domain username (for example,
exampledomain\exampleusername).-
Click .
Note Depending on your network environment, it might take up to a minute until the connection is established.
The security setting of Windows servers affects the way SCB handles the server-side username in RDP connections. The registry setting of this parameter is at HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUsername for Windows 2000 Server and newer (or at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUsername on older Windows versions). This setting specifies whether the username from the last successful login is displayed on the login screen as a default for the next login. For more details, see the DontDisplayLastUserName TechNet article.
However, enabling the option has a side-effect: the username is not transferred within the RDP protocol, so SCB has no way of recording and handling it. In case you want SCB to have access to the username used in the connection, disable the registry setting on the target servers. Such situations include, but are not necessarily limited to:
You want to use gateway authentication for the connection. In this case, SCB compares the username on the server with the username on the gateway, and as it receives an empty username from the server, the connection will be denied by the usermapping policy unless a policy is set for the connection that allows every user for the given group. To add such a policy, specify
*in the field of the usermapping policy. For details on usermapping policies and gateway authentication, see Procedure 8.1, Configuring usermapping policies and Section 8.2, Configuring gateway authentication, respectively.You want to search or filter connections by the username on the SCB search interface, or create automatic statistics based on the username.
|
Note |
|---|---|
Registry settings can be overridden by Group Policy settings. |
SCB can record the username independently of the registry setting in the following situations:
RDP using Network Level Authentication (CredSSP).
The username and the password is specified in the client application before the connection is established and the login with these credentials is successful.
The following sections describe configuration settings available only for the ICA protocol. Use the following policies to control who, when, and how can access the ICA connection.
-
ICA connections: For details, see Section 5.4.1, Setting up ICA connections.
-
Channel Policy: The channel policy determines which ICA channels (for example clipboard, file-sharing, and so on) can be used in the connection, and whether they are audited or not. The different channels may be available only under certain restrictions, as set in the channel policy. For details, see Procedure 5.1.4, Creating and editing channel policies.
-
ICA settings: ICA settings determine the parameters of the connection on the protocol level, including timeout value and display parameters. For details, see Procedure 5.4.3, Creating and editing protocol-level ICA settings.
-
Deployment scenarios: These describe the available SCB deployment scenarios in a Citrix environment. For details, see Section 5.4.4, SCB deployment scenarios in a Citrix environment
This section focuses on describing the ICA-specific details of connection configuration. For a detailed description on configuring connections, see Section 5.1, General connection settings.
|
Warning |
|---|---|
|
If the clients are accessing a remote application or desktop that is shared for Anonymous users (that is, the properties of the application is set to To accomplish this, create a usermapping policy and set the option to |
Reliable connection is also known as Common Gateway Protocol (CGP). It attempts to reconnect to the server in case of a network failure. To use this feature, enable and enter the default port in the field in the upper right corner.
Enable to configure the client to use SCB as a SOCKS proxy. If you have enabled this option, you can select as . Enter the IP address or the IP address/Netmask of the brokers (Citrix XML Brokers) used by the client in this connection policy into the field. It is also recommended to enable access to the brokers on port 443, as the clients usually try to access the broker using this port first. Disabling port 443 will cause a denied connection to appear on the SCB Search interface for every connection attempt (but the clients will be able to connect the server).
|
Warning |
|---|---|
SCB does not audit or monitor the traffic between the brokers and the clients in any way, and are not listed on the SCB search interface. Only the connections between the clients and the actual servers are audited. |
|
Warning |
|---|---|
If SCB is acting as a SOCKS proxy and a client attempts to access a server that it is not permitted to access according to the configuration of SCB, SCB will deny the connection. However, the Citrix client application will automatically attempt to connect the server directly without using a proxy and will succeed if the server is directly accessible from the client. Ensure that your firewalls are configured properly to prevent such connections, as these direct connections cannot be audited by SCB. |
|
Note |
|---|---|
When enabling or the first time, a warning is displayed suggesting the default port to be used based on the specific settings. Also, read the tooltips on these options; they contain up-to-date information about the default port numbers. |
The available ICA channel types and their functionalities are described below. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.
Drawing (Thinwire): Enables access to the server's desktop (screen). This channel is for remoting graphics and user input (keyboad, mouse). This channel must be enabled for ICA to work.
Audio Mapping: Enable access to the sound device of the server.
Drive Mapping: Enable access to the client's hard drives on the server.
Clipboard: Enable access to the server's clipboard: the clipboard of the remote desktop can be pasted into local applications (and vice-versa). Note that SCB can audit the clipboard channel, but the Audit Player currently cannot search or display its contents.
Smartcard: Enable using client side installed smartcards in server-side applications.
Printer (COM1): Enable access to the serial port COM1.
Printer (COM2): Enable access to the serial port COM2.
Printer (LPT1): Enable access to the parallel port LPT1.
Printer (LPT2): Enable access to the parallel port LPT2.
Printer Spooler: Enable access to the client's printer from the remote desktops and applications.
HDX Mediastream: Some user widgets (for example Flash player) will not run on the server but on the client. These widgets are controlled from the server side using this channel. This is not supported by AP and it is disabled by default.
USB: Enable using client side installed USB devices in server-side applications.
Seamless: Enable seamless channels that run a single application on the ICA server, instead of accessing the entire desktop. When disabled, the application window will be accessed along with an empty desktop.
Speedbrowse: Speeds up web browsing. Not currently supported by AP, should be disabled by default.
Custom: Applications can open custom channels to the clients connecting remotely to the server. Enabling the channel allows the clients to access all of these custom channels. To permit only specific channels, enter the unique names of the channel into the field.
5.4.3. Procedure – Creating and editing protocol-level ICA settings
Purpose:
ICA settings determine the parameters of the connection on the protocol level, including timeout value, and so on. Complete the following procedure to create a new ICA settings profile or edit an existing one:
|
Warning |
|---|---|
Modifying the ICA settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing. |
Steps:
Navigate to the tab of the menu item and click
to create an ICA
setting profile. Enter a name for the profile into the field (for example
ica_special).Click
to display the parameters of the ICA
connection.-
Modify the parameters as needed. The following parameters are available:
-
Idle timeout: Connection timeout value in milliseconds. Negative numbers (for example
-1) set the timeout to unlimited.Warning Determining if a connection is idle is based on the network traffic generated by the connection, not the activity of the user. For example, if an application or the taskbar of a graphical desktop displays the time which is updated every minute, it generates network traffic every minute, negating the effects of timeout values greater than one minute and preventing SCB from closing the connection.
Reconnect timeout: How many milliseconds SCB waits for reconnections when reliable connections are used. Reliable connections use the Common Gateway Protocol (CGP).
Server connection attempts: How many times SCB tries to connect to the target server.
Reconnection intervals: How many milliseconds SCB waits between two connection attempts on the server side.
Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all, SCB does not establish the server-side connection.
Note Reliability settings only apply if you have enabled in .
-
Click .
Select this settings profile in the field of your connections.
This section enlists the available SCB deployment scenarios in a Citrix environment. The text on the arrows are formatted in (<step number>) <target port> format. The target ports define the protocols used in the communication:
80: Web service, HTTP: the list of available resources fetched in an XML format from the broker (v12 and v11 with XenApp only). The broker sends all the necessary information, including secure gateway and server addresses to the client.
8080: XML service, HTTP+XML: application discovery, load balancing (v12 and v11 with XenApp only), used to fetch target to the application/desktop by the client from the broker (used for load balancing, and so on).
443: XML service access or SOCKS/ICA or CGP/ICA wrapped in SSL. The client communicates with the secure gateway on this port for everything.
1080: SOCKS. The client can be configured to access the target server and the broker using a SOCKS proxy.
1494: Plain ICA.
2598: CGP/ICA (reliable mode enabled).
The SCB is deployed between the client and the server and the clients use predefined connection files or Program Neighbourhood, without a broker or secure gateway. The clients try to connect to their original ICA/CGP server.
The SCB is deployed between the client and the server and the clients use predefined connection files or Program Neighbourhood, without a broker or secure gateway. The clients try to connect to the SCB, which can distinguish between the potential targets for example by source IP, or by having multiple IP addresses itself. (Clients do not seem to support changing their target port.)
The clients are using a farm broker which gives them a list of the available applications and servers, but they do not use a secure gateway in the network. The SCB is placed between the clients and the servers in transparent mode, and it catches the connections when the clients try to connect to the server IP addresses they got from the broker.
In this setup, a secure gateway is used in the network and the SCB is placed between this gateway and the servers in transparent mode. The clients connect to the broker for the list of available applications/servers and then make their further connections through the original secure gateway. That gateway forwards the connections either to the broker or to the CGP/ICA servers, which latter the SCB intercepts and audits/controls.
 |
Figure 5.39. Client - Broker - original secure gateway - Secure Ticket Authority (STA) - SCB - Server
In this setup, the SCB acts as a SOCKS proxy for the client. It can be set either manually or specified by the broker. The client then makes all its connections to the broker or to the server using SCB as a proxy and hence it can audit/control these connections.
Accessing Citrix servers using the Remote Desktop Protocol may fail in certain situations, and the connection is terminated with the ERROR: error while decompressing packet error message on the client, or with the Event56, TermDD, The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. message on the server.
To overcome this problem, modify the settings of the network card of the server, and disable the option.
|
Note |
|---|---|
| The problem is not related to using SCB in your environment. |
The following sections describe configuration settings available only for the Telnet protocol. Use the following policies to control who, when, and how can access the Telnet connection. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.
-
Telnet settings: Telnet settings determine the parameters of the connection on the protocol level, including timeout value, and so on. For details, see Procedure 5.5.1, Creating and editing protocol-level Telnet settings.
-
User lists in Channel Policies: User lists affect Telnet connections only when they are used together with Gateway Authentication. For details, see Section 8.2, Configuring gateway authentication.
5.5.1. Procedure – Creating and editing protocol-level Telnet settings
Procedure:
Telnet settings determine the parameters of the connection on the protocol level, including timeout value, and so on. Complete the following procedure to create a new Telnet settings profile or edit an existing one:
|
Warning |
|---|---|
Modifying the Telnet settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing. |
Steps:
Navigate to the tab of the menu item and click
to create a Telnet
setting profile. Enter a name for the profile into the field (for example
telnet_special).Click
to display the parameters of the Telnet
connection.-
Modify the parameters as needed. The following parameters are available:
-
Timeout: Timeout value for the connection in milliseconds. Negative numbers (for example
-1) set the timeout to unlimited.Warning Determining if a connection is idle is based on the network traffic generated by the connection, not the activity of the user. For example, if an application or the taskbar of a graphical desktop displays the time which is updated every minute, it generates network traffic every minute, negating the effects of timeout values greater than one minute and preventing SCB from closing the connection.
Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all, SCB does not establish the server-side connection.
-
Click .
Select this settings profile in the field of your connections.
The following sections describe configuration settings available only for the Virtual Networking (VNC) protocol. Use the following policies to control who, when, and how can access the VNC connections. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.
-
VNC settings: VNC settings determine the parameters of the connection on the protocol level, including timeout value, and so on. For details, see Procedure 5.6.1, Creating and editing protocol-level VNC settings.
-
User lists in Channel Policies: User lists affect VNC connections only when they are used together with Gateway Authentication. For details, see Section 8.2, Configuring gateway authentication.
5.6.1. Procedure – Creating and editing protocol-level VNC settings
Purpose:
VNC settings determine the parameters of the connection on the protocol level, including timeout value, and so on. Complete the following procedure to create a new VNC settings profile or edit an existing one:
|
Warning |
|---|---|
Modifying the VNC settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing. |
Steps:
Navigate to and click
to create a VNC setting profile. Enter a name for the profile
into the field (for example
vnc_special).-
Modify the parameters as needed. The following parameters are available:
-
Timeout: Timeout value for the connection in milliseconds. Negative numbers (for example
-1) set the timeout to unlimited.Warning Determining if a connection is idle is based on the network traffic generated by the connection, not the activity of the user. For example, if an application or the taskbar of a graphical desktop displays the time which is updated every minute, it generates network traffic every minute, negating the effects of timeout values greater than one minute and preventing SCB from closing the connection.
Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all, SCB does not establish the server-side connection.
-
Click .
Select this settings profile in the field of your connections.
The following sections describe how to use SCB to control and audit VMware View connections. When using SCB to control and audit VMware View connections, the following requirements and restrictions apply:
Only connections using the Remote Desktop (RDP) display protocol are supported. Connections using the PCoIP or HP Remote Graphics Software display protocols are not supported.
Only direct connections are supported. Tunnel connections are not supported.
-
The VMware View connections must pass SCB directly; it is best if SCB is deployed in Router or Bridge mode directly before the Virtual Desktops accessed with VMware View.
Deploying SCB that way has the advantage of auditing connections even if the clients access the Virtual Desktops directly, without using a View Connection Server.
Note Using Bastion mode is also possible if the VMware View traffic is routed to SCB with an external device (for example, a firewall).
SCB treats VMware View connections that satisfy these criteria as common RDP connections. All the features of SCB that are available for RDP connections can be used with VMware View connections as well, for example, 4-eyes authorization, auditing and replaying, indexing the recorded audit trails, and so on. For details on RPD-specific settings, see Section 5.3, RDP-specific settings.
This section describes how to browse the various types of log messages and audit trails on SCB and exactly what kind of information do they contain.
For the general use of the search interfaces, see Section 6.1, Using the search interface. Some of the search interfaces has certain special features, these are described in their respective sections.
Accounting information about the configuration changes performed on the SCB web interface: Shows the activity of the SCB users and administrators. Available at . For the list of displayed parameters, see Section 6.2, Changelogs of SCB.
Recorded audit trails: Audit trails stored on SCB or archived to a remote server. To browse these audit trails, select . For the list of displayed parameters, see Section 6.3, The SCB connection database.
SCB reports: PDF reports about the configuration changes, system health parameters, and other activities of SCB. Available at . For the list of displayed parameters, see Section 6.7, Reports.
Custom reports: PDF reports about the custom searches performed in the audit trails, available at . For the list of displayed parameters, see Procedure 6.7.2, Configuring custom reports.
For details about using and monitoring the indexing of audit trails, see Section 6.8.2, Monitoring the status of AP indexing services and Procedure 6.8.1, Configuring full-text indexing of audit trails.
SCB has a uniform interface for browsing SCB configuration changes, reports, and audit trails. This search interface consists of two main parts: a calendar bar and a table.
The calendar bar displays the number of log messages in the selected interval. Use the
, 
icons to zoom, and the arrows to display the previous or the next intervals.
To explicitly select a date, select and set the date in the
calendar. To select the length of the displayed interval use the
option.
Hovering the mouse above a calendar bar displays the number of entries and the start and end date of the period that the bar represents. Click a calendar bar to display the entries of that period in the table. Use Shift+Click to select multiple calendar bars. The field shows the starting and ending date of the period listed in the table.
6.1.1. Procedure – Customizing columns
Purpose:
To select the data displayed on a search interface, complete the following steps:
Steps:
Navigate to the database you want to browse, for example .
-
Click . A popup window containing the list of visible and available columns and dynamic columns is displayed.
-
The displayed parameters are enlisted in the field. All other available parameters are enlisted in the field.
To add parameters to the field, select the desired parameter(s) and click .
To remove parameters from the field, select the desired parameter(s) and click .
To freeze columns (to make them permanently visible, even when scrolling horizontally), enable the option next to the desired parameter.
Note To select multiple parameters, press Ctrl while clicking the items.
Click . The selected information is displayed.
If data is too long to fit on one line, it is automatically wrapped and only the first
line is displayed. To expand a row, click 
. To shrink the row back to its original size, click 
. To expand/shrink all rows, click the respective button on the
header of the table. The rows can also be expanded/shrunk by double clicking on the
respective row.
The table can be filtered for any parameter, or a combination of parameters. To filter the list, enter the filter expression into the text box and press Enter, or click on an entry in the table. For example, to display only changes performed by a specific user, enter the username into the text box and press Enter — or just click on the specific username in the table.
|
Note |
|---|---|
When you use filters, the calendar bar displays the statistics of the filtered results. |
Filtering displays also partial matches: for example filtering
for adm will display all changes
performed by users whose username contains the adm string.
To save the table of search results as a file, click .
This saves the table as a text file containing comma-separated values. Note that if an
error occurs when exporting the data, the exported CSV file will include a line (usually
as the last line of the file) starting with a zero and the details of the problem, for
example 0;description_of_the_error.
To save the audit trail of a session, click the icon in the column.
To restore the original table, click .
|
Tip |
|---|---|
Use the , , , and buttons to quickly filter the list for a single protocol. |
SCB automatically records the activity of its users and administrators. These activities are displayed at . The following information is available:
Timestamp: The date when the modification was committed in
YEAR-MONTH-DAY HOUR:MINUTE:SECONDformat.Author: The SCB user who performed the modification.
Page: The main menu item that was modified (for example
Basic Settings > Management).Field name: The name of the field on the page that was modified.
New value: The new value of the field after the modification.
Description: The changelog entered by the SCB administrator. Changelogs are available only if the option was enabled at the time of the change.
Old value: The original value of the field.
Swap: Signs if the order of objects was modified on the page (for example the order of two policies in the list).
The connection database detailing the various meta-information about connections and connection-requests is available on the page.
|
Warning |
|---|---|
|
Only users with the required privileges can access the Search page. The following users can access the Search page:
|
|
Note |
|---|---|
Starting with SCB 3.0, data about archived connections can be automatically deleted from the connection database. For details, see Procedure 5.1.12, Configuring cleanup for the SCB connection database. |
For a description about the available columns, see Section 6.3.1, Connection metadata.
The search results can be exported as a comma-separated text file. Select , and click .
To process the search results later with the Audit Player application, the search results can be exported in a special format. Select , and click . When you open this file in the Audit Player application, SCB will download the audit trails corresponding to the search results.
For details about how to use and save filters, see Section 6.3.2, Using and managing search filters.
To search in the content of the indexed audit trails, enter your search keywords into the field, and click . Note that the search is case insensitive. This feature is available only if auditing and full-text indexing was requested for the connection. For details, see Procedure 6.8.1, Configuring full-text indexing of audit trails.
For details about how to display statistics about your search results, see Procedure 6.4, Displaying statistics on search results.
SCB stores the following parameters about the connections:
Application name: The name of the application accessed in a seamless Citrix ICA connection.
Archive date: The date when the connection was archived or cleaned up.
Archive path: The path where the audit trail was archived on the remote server.
Archive server: The hostname or IP address of the remote server where the audit trail was archived.
-
Audit trail: Name and ID of the audit file storing the traffic of the channel. If the session has an audit trail, a download icon
is displayed. Note that a the following letters may
appear on the download icon:C: The audit trail has been cleaned up and is not available any more.
A: The audit trail has been archived. SCB will try to retrieve it from the archive server.
X: The audit trail is not available for some reason.
Authentication Method: The authentication method used in the connection.
Channel Policy: The channel policy applied to the channel opening request.
Commands: The list of commands that the user issued in a terminal session. Available only for Telnet and SSH session shell connections, if an Audit Player indexer service has processed the audit trail. For details on configuring Audit Player indexing, see Procedure 6.8.1, Configuring full-text indexing of audit trails.
Connection Policy: The connection policy applied to the client's connection request.
Destination IP: The IP address of the server as requested by the client.
Destination Port: The port number of the server as requested by the client.
Device Name: The name or ID of the shared device (redirect) used in the RDP connection.
Dynamic Channel: The name or ID of the dynamic channel opened in the RDP connection.
-
File Operations: The list of file operations (for example, file upload, create directory) performed by the client. Available only for SCP and SFTP sessions ( and SSH channels) if the option is enabled in the Channel Policy of the connection.
Note For SFTP connections, this field includes the path and the filename. For SCP connections, it includes only the filename; the path is available in the field.
Windows and UNIX systems use different separator characters in the pathname, backslash (
\) and slash (/), respectively. As the SCP and SFTP protocols do not specify the separator character used, SCB uses slash (/), for example,/var/log/messages.Tip Use the filter in the header of the column to find sessions containing a specific file (for example, enter
.gzto list sessions that accessed files with the .gz extension). Note that currently it is possible to search only in the filename and path, and not in the changed privileges. Four-eyes Authorizer: The username of the user who authorized the session. Available only if 4-eyes authorization is required for the channel. For details on 4-eyes authorization, see Section 8.3, Configuring 4-eyes authorization.
Four-eyes Description: The description submitted by the authorizer of the session.
Port-forward Target IP: The traffic was forwarded to this IP address in and channels.
Port-forward Target Port: The traffic was forwarded to this port in and channels.
Port/X11 forward Originator IP: The IP address of the host initiating the channel in and channels. Note that this host is not necessarily the client or the server of the SSH connection.
Port/X11 forward Originator Port: The number of the forwarded port in and channels.
Protocol: The protocol used in the connection (SSH, RDP, Telnet, VNC and ICA).
Rule number: he number of the line in the channel policy applied to the channel.
-
SCP Path: Name and path of the file copied via SCP. Available only for SCP sessions ( SSH channels) if the option is enabled in the Channel Policy of the connection.
Note This field includes only the path; the filename is available in the field.
Windows and UNIX systems use different separator characters in the pathname, backslash (
\) and slash (/), respectively. As the SCP and SFTP protocols do not specify the separator character used, SCB uses slash (/), for example,/var/log/messages. Server-local IP: The IP address of SCB used in the server-side connection.
Server-local Port: The port number of SCB used in the server-side connection.
Server Port: The port number of the server connected by SCB.
Subsystem Name: Name of the SSH subsystem used in the channel.
Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies.
-
Verdict: Indicates if the channel was accepted (
ACCEPT), deniedDENY, or failed (FAILED) for some reason. It can also indicate that the connection was rejected (CONN-DENY), failed (that is, it was allowed to pass SCB but timed out on the server —CONN-FAIL), the user authentication failed (CONN-AUTH-FAIL), or that the public-key authentication failed in SSH (CONN-KEY-FAIL).Note The column only accepts capital letters.
To filter the search results, set the filters you need and click .
To apply a predefined filter, select the filter from the field.
-
To delete a predefined filter, select the filter from the field and click . Note that you need the privilege to delete global filters.
To create and save a filter, complete Procedure 6.3.2.1, Creating and saving filters for later use.
6.3.2.1. Procedure – Creating and saving filters for later use
Purpose:
To create and save a filter for later use, complete the following steps:
Steps:
Navigate to the page.
Set the filters you need.
Select . A popup window is displayed.
-
Enter a name for the filter into the field.
-
If you want the filter to be available for other SCB users as well, select . To restrict the availability of the filter to a set of specific users, select , click
, and enter the name of the group whose members may use the filter. Repeat this step to add other groups if needed. filters are visible only for you.Note Filters cannot be modified later, only deleted. A filter can be deleted by the user who created it, and by users whose group has the privilege.
To modify the timeframe of the search, select , and set the beginning and ending date and time of the search. This is useful when you want to display only the connections of a specific event. Note that you must always set an interval for global filters.
Click .
6.4. Procedure – Displaying statistics on search results
Purpose:
SCB can create statistics (bar, pie and list) from various information about the search results, for example, the distribution of the target hosts, and so on. To display statistics about the connections, complete the following steps:
Steps:
Navigate to the page.
Set the filters you need.
-
Click a pie chart icon in the header of the table. A popup window is displayed.
Select the type of metadata you want to create statistics on from the field, for example, .
Select the type of chart to display, that is, , or . The chart will be displayed in the same popup window.
By default, the statistics start with the largest number of entries. To start statistics with the least number of entries, select .
-
Select the number of data groups to display from the field. For example, if you want to display the statistics of the ten hosts that start the most connections (the "top talkers"), select . That way the top ten talkers will be displayed individually, while the amount of connections started by the other hosts will be aggregated and labeled as .
Note For pie and bar charts you can select , and , for lists , , , and .
-
Optional step: To export statistics data to a CSV file, select , set the number of entries and click . SCB compiles the selected data into a
results.csvfile.Note This action exports all rows, not only the currently displayed ones.
-
Optional step: You can also save these statistics and include them in reports as a report subchapter. You can include these subchapters into your reports in the menu.
To save these statistics as custom statistics for reporting, click .
Add a name for the statistics in the field.
Select a group from the already existing groups in the field. The autocomplete function helps you with the selection.
Optional step: The function enables you to instantly add this statistics as a subchapter to the selected report.
Click . This action includes the saved statistics as a selectable subchapter into . For details on how to add this subchapter to a selected report, see Procedure 6.7.2, Configuring custom reports.
6.5. Procedure – Creating statistics from custom database queries
Purpose:
To create statistics from any custom queries from the SCB connection database, complete the following steps. These custom statistics can be added to regular reports as well.
|
Warning |
|---|---|
Hazard of denial of service (DoS)! This feature of SCB allows the user to execute read-only queries on the database of SCB. If the database is large (stores the data of many connections), and the query is not optimal, executing the query can consume significant CPU and memory resources, severely degrading the performance of SCB. Use this feature only if you possess the required knowledge about SQL queries. |
Steps:
Navigate to the page and click
.Enter a name for the statistics. The created statistics will be available for reports under this name as a subchapter.
-
Enter the SQL query that returns the data you need into the field. Note the following important points:
The query must be a full PostgreSQL query
-
SQL queries used for pie and bar charts must return a
titleand acntcolumn. For example:select remote_username as title, count(*) as cnt from channels
The query can be executed on the database tables and views that contain metadata about the audited connections, as well as the content of the audited connections (for example, the commands executed in a session) if indexing is used. Note that these tables do not contain any data from the upstream traffic, that is, passwords entered by the users are not available in the database.
The structure of the accessible tables may change in future versions of SCB. For details about the tables and their contents, see Section 6.6, Database tables available for custom queries.
Tip The query can include the following macros:
:range_start,:range_end. When including the statistics in a report, these macros will refer to the beginning and end dates of the reported interval. When clicking , the macros will refer to the start and end of the current day. -
Select the type of chart to display, that is, , or .
For bar charts, enter the name of the Y axis into the field.
For lists, you can customize the name of the columns in the list by clicking
and entering the name of the column into the field.
Click to test the query.
-
Optional Step: By default, users of the group can add these statistics to reports. To specify other groups, select Subchapter is accessible by the following groups >
.Note Accessing advanced statistics subchapters requires the Reporting > Advanced statistics privilege.
Click to save the query.
Add this new subchapter to a report. For details on how to add this subchapter to a selected report, see Procedure 6.7.2, Configuring custom reports
This section describes the database tables, views, and functions of SCB that can be used in the custom queries of the page. Generally, views contain a more organized dataset, while tables contain the raw data.
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Database table | Type | Description |
|---|---|---|
| aps | table | The list of Audit Player indexing services that are available for SCB. For details, see Section The aps table. |
| archives | table | Data about the archiving processes. For details, see Section The archives table. |
| channels | table | Contains metadata about the channel-opening requests and opened channels. This is the main table storing data about the connections. For details, see Section The channels table. |
| commands | table | The commands from the indexed audit trails. For details, see Section The commands table. |
| connection_commands | view | List of commands used in the connections. For details, see Section The connection_commands view. |
| connection_occurrences | view | Contains the tokens that are used as search keywords in Content subchapter reports (reports from audit-trail content) and where these tokens appear in the audit trails. For details, see Section The connection_occurrences view. |
| connections | view | A view containing data of the connections. This data is identical to the information available on the page. For details, see Section The connections view. |
| file_xfer | table | Data about the files transfered in the audited connections (SCP, SFTP). For details, see Section The file_xfer view. |
| finished_audits | view | Data about the finished audit trails, that is, sessions that have already ended. For details, see Section The finished_unprocessed_audits view. |
| finished_unprocessed_audits | view | Data about the finished audit trails that the Audit Player has not processed yet. For details, see Section The finished_audits view. |
| occurrences | table | Contains the tokens that are used as search keywords in Content subchapter reports (reports from audit-trail content) and where these tokens appear in the audit trails. For details, see Section The occurrences table. |
| progresses | table | Which audit trail is assigned to which Audit Player for processing. For details, see Section The progresses table. |
| results | table | Contains the tokens that are used as search keywords in Content subchapter reports (reports from audit-trail content) and in which audit trails were these tokens found. For details, see Section The results table. |
| sphinx | function | An SQL function that searches the content of audit trails that were processed using full-text indexing. For details, see Section Querying trail content with the sphinx function. |
| skipped_connections | table | List of errors encountered when processing audit trails. For details, see Section The skipped_connections table. |
| usermapped_channels | view | Information about sessions where usermapping was performed in the connection. For details, see Section The usermapped_channels view. |
Table 6.1. Database tables, views, and functions for custom queries
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description |
|---|---|---|
| ap_id | integer | The ID of the Audit Player indexer service that is processing the audit trail. |
| dead | boolean | Set to 1 if the Audit Player indexer service on this host is considered to be unavailable. |
| id | integer | The unique ID number of the entry. |
| last_poll | integer | The timestamp of the last time when the Audit Player indexer service on this host requested an audit trail from SCB. |
| remote_addr | text | The address of the host running the Audit Player indexer service. |
Table 6.2. Columns of the aps table
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description |
|---|---|---|
| id | integer | The unique ID number of the entry. |
| orig_filename | text | The original name of the file, as stored on SCB. |
| policy_id | text | The ID of the archiving policy that archived the file. |
| saved_filename | text | The name of the archive file containing the file. |
| server | text | The address of the server where the file was archived. |
| type | text | Indicates the type of the file: audit or index. |
Table 6.3. Columns of the archives table
For details of the different columns, see Section 6.3.1, Connection metadata.
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description | |||
|---|---|---|---|---|---|
| application | text | Application name: The name of the application accessed in a seamless Citrix ICA connection. |
|||
| _archive_date | date | Archive date: The date when the connection was archived or cleaned up. |
|||
| _archive_path | text | Archive path: The path where the audit trail was archived on the remote server. |
|||
| _archive_policy | text | ||||
| _archive_server | text | Archive server: The hostname or IP address of the remote server where the audit trail was archived. |
|||
| text | Audit trail: Name and ID of the audit file storing
the traffic of the channel. If the session has an audit trail, a
download icon
|
||||
| auth_method | text | Authentication Method: The authentication method used in the connection. |
|||
| channel_policy | text | Channel Policy: The channel policy applied to the channel opening request. |
|||
| channel_type | text | Channel Type: Type of the channel. |
|||
| connection_id | text | Connection ID: The identifier of the connection. |
|||
| connection | text | Connection Policy: The connection policy applied to the client's connection request. |
|||
| device_name | text | Device Name: The name or ID of the shared device (redirect) used in the RDP connection. |
|||
| dst_ip | text | Destination IP: The IP address of the server as requested by the client. |
|||
| dst_port | integer | Destination Port: The port number of the server as requested by the client. |
|||
| dynamic_channel | text | Dynamic Channel: The name or ID of the dynamic channel opened in the RDP connection. |
|||
| environment | text | Environment: The environment variables sent by the client. |
|||
| exec_cmd | text | Executed Command: The command executed in a channel. |
|||
| four_eyes_authorizer | text | Four-eyes Authorizer: The username of the user who authorized the session. Available only if 4-eyes authorization is required for the channel. For details on 4-eyes authorization, see Section 8.3, Configuring 4-eyes authorization. |
|||
| four_eyes_description | text | Four-eyes Description: The description submitted by the authorizer of the session. |
|||
| id | integer | The unique ID of the entry. | |||
| local_ip | text | Server-local IP: The IP address of SCB used in the server-side connection. |
|||
| local_port | integer | Server-local Port: The port number of SCB used in the server-side connection. |
|||
| originator_addr | text | Port/X11 forward Originator IP: The IP address of the host initiating the channel in and channels. Note that this host is not necessarily the client or the server of the SSH connection. |
|||
| originator_port | integer | Port/X11 forward Originator Port: The number of the forwarded port in and channels. |
|||
| protocol | text | Protocol: The protocol used in the connection (SSH, RDP, Telnet, VNC and ICA). |
|||
| remote_username | text | Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies. |
|||
| rule_num | text | Rule number: he number of the line in the channel policy applied to the channel. |
|||
| scp_path | text | SCP Path: Name and path of the file copied via SCP. Available only for SCP sessions ( SSH channels) if the option is enabled in the Channel Policy of the connection.
|
|||
| server_ip | text | Server IP: The IP address of the server connected by SCB. |
|||
| server_port | integer | Server Port: The port number of the server connected by SCB. |
|||
| session_end | integer | End Time: Date when the channel was closed. |
|||
| session_id | text | Session ID: ID number of the TCP session. |
|||
| session_start | integer | Start Time: Date when the channel was started. |
|||
| src_ip | text | Source IP: The IP address of the client. |
|||
| src_port | integer | Source Port: The port number of the client. |
|||
| subsystem_name | text | Subsystem Name: Name of the SSH subsystem used in the channel. |
|||
| target_addr | text | Port-forward Target IP: The traffic was forwarded to this IP address in and channels. |
|||
| target_port | integer | Port-forward Target Port: The traffic was forwarded to this port in and channels. |
|||
| username | text | Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies. |
|||
| verdict | text | Verdict: Indicates if the channel was accepted
(
|
Table 6.4. Columns of the channels table
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description |
|---|---|---|
| channel_id | integer | The ID of the channel. This value is actually a reference to the id column of the channels table. |
| command | text | The command executed in the channel (for example, ls, or exit). |
| id | integer | The unique ID number of the entry. |
Table 6.5. Columns of the commands table
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
This view collects the commands issued in a connection. The view is defined as follows:
SELECT channels._connection_channel_id AS id, commands.command, commands.printable
FROM channels, commands
WHERE channels.id = commands.channel_id;
Querying the table (for example, select * from connection_commands limit 10;) will return results similar to the following:
id | command | printable ----+-------------------------------------------------------------+----------- 1 | [user@exampleserver ~]$ ls | t 1 | [user@exampleserver ~]$ exit | t 2 | [user@exampleserver ~]$ su - | t 2 | Password: | t 2 | [root@exampleserver ~]# | t 2 | [root@exampleserver ~]# ifconfig | t 2 | [root@exampleserver ~]# ifconfig | t 2 | [root@exampleserver ~]# ifconfig | t 4 | [user@exampleserver ~]$ | t 4 | [user@exampleserver ~]$ | t
The the connection_commands view has the following columns.
| Column | Type | Description |
|---|---|---|
| command | text | The command executed in the channel (for example, ls, or exit). |
| id | integer | The unique ID number of the entry. |
| printable | boolean | Set to 1 if every character of the command can be displayed. |
Table 6.6. Columns of the connection_commands table
The view is defined as follows:
SELECT channels._connection_channel_id AS id, results.token, occurrences.start_time, occurrences.end_time, occurrences.screenshot FROM channels, results, occurrences WHERE channels.id = results.channel_id AND results.id = occurrences.result_id;
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description |
|---|---|---|
| end_time | integer | End Time: Date when the channel was closed. |
| id | text | The unique id of the entry. |
| screenshot | text | The filename of the PNG screenshot (as stored on SCB) about the occurrence of the search token. |
| start_time | integer | Start Time: Date when the channel was started. |
| token | text | The search token visible on the screenshot. |
Table 6.7. Columns of the connection_occurrences table
This view collects the metadata of the connections. The view is defined as follows:
SELECT channels."connection", channels.protocol, channels._connection_channel_id AS id, channels.connection_id, min(channels.session_start) AS session_start, max(channels.session_end) AS session_end, max(channels.src_ip) AS src_ip, max(channels.src_port) AS src_port, max(channels.server_ip) AS server_ip, max(channels.server_port) AS server_port, max(channels.username) AS username, max(channels.remote_username) AS remote_username, max(channels.channel_policy) AS channel_policy, sum(
CASE
WHEN channels.session_end IS NULL THEN 1
ELSE 0
END) AS active
FROM channels
GROUP BY channels._connection_channel_id, channels.protocol, channels."connection", channels.connection_id;
Querying the table (for example, select * from connections limit 10;) will return results similar to the following:
connection | protocol | id | connection_id | session_start | session_end | src_ip | src_port | server_ip | server_port | username | remote_username | channel_policy | active -------------+----------+--------+-------------------------+---------------+-------------+---------------+----------+-------------+-------------+-----------+-----------------+----------------+-------- SSH_Access2 | ssh | 1 | 5516465814bc36d5570ec8 | 1271098736 | 1271099582 | 192.168.0.62 | 4312 | 192.168.0.20 | 22 | joe | joe | shell-only | 0 SSH_Access | ssh | 10 | 20790868454bc33027964a0 | 1271258787 | 1271259645 | 10.100.58.27 | 2298 | 192.168.0.20 | 22 | joe | joe | shell-only | 0 SSH_Access | ssh | 100 | 20790868454bc33027964a0 | 1272391671 | 1272396886 | 10.100.58.14 | 51342 | 192.168.0.20 | 22 | phil | phil | shell-only | 0 SSH_Access | ssh | 1000 | 20790868454bc33027964a0 | 1274450541 | 1274475742 | 10.100.56.14 | 4633 | 192.168.0.20 | 22 | rick | rick | all | 0 SSH_Access2 | ssh | 10000 | 5516465814bc36d5570ec8 | 1282753195 | 1282764804 | 192.168.40.34 | 53097 | 192.168.0.20 | 22 | vivian | vivian | shell-only | 0 SSH_Access2 | ssh | 100000 | 5516465814bc36d5570ec8 | 1314979916 | 1314986038 | 192.168.40.85 | 34743 | 192.168.0.20 | 22 | elliot | elliot | Shell-SCP | 0 SSH_Access2 | ssh | 100001 | 5516465814bc36d5570ec8 | 1314979917 | 1314984561 | 192.168.40.65 | 56405 | 192.168.0.20 | 22 | root | root | Shell-SCP | 0 SSH_Access2 | ssh | 100002 | 5516465814bc36d5570ec8 | 1314979940 | 1314984171 | 192.168.40.100 | 1082 | 192.168.0.20 | 22 | allen | allen | Shell-SCP | 0 SSH_Access2 | ssh | 100003 | 5516465814bc36d5570ec8 | 1314979955 | 1314981233 | 192.168.40.10 | 34263 | 192.168.0.20 | 22 | steve | steve | Shell-SCP | 0 SSH_Access2 | ssh | 100004 | 5516465814bc36d5570ec8 | 1314980025 | 1314991838 | 192.168.40.33 | 58500 | 192.168.0.20 | 22 | clark | clark | Shell-SCP | 0 (10 rows)
The the connections view has the following columns. For details of the different columns, see Section 6.3.1, Connection metadata.
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description |
|---|---|---|
| active | bigint | |
| channel_policy | text | The name of the Channel policy that applied to the particular channel of the connection. |
| connection | text | The name of the Connection Policy, as configured on the SCB web interface. |
| connection_id | text | The unique ID of the TCP connection. |
| id | text | The ID of the channel within the connection. |
| protocol | text | Protocol: The protocol used in the connection (SSH, RDP, Telnet, VNC and ICA). |
| remote_username | text | Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies. |
| session_end | integer | End Time: Date when the channel was closed. |
| session_start | integer | Start Time: Date when the channel was started. |
| src_ip | text | Source IP: The IP address of the client. |
| src_port | integer | Source Port: The port number of the client. |
| username | text | The username used in the client-side connection. |
Table 6.8. Columns of the connections view
This table contains information about the files transferred the connections.
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description | |||
|---|---|---|---|---|---|
| channel_id | integer | This value is a reference to the ID of the channels table where the file transfer occurred. | |||
| details | text | The detailed description of the file transfer. The exact contents of this field depend on the protocol used for the file transfer. | |||
| event | text | The type of the file operation that occurred, for example, Create file. |
|||
| filename | text | The name of the file affected by the file operation. | |||
| path | text | SCP Path: Name and path of the file copied via SCP. Available only for SCP sessions ( SSH channels) if the option is enabled in the Channel Policy of the connection.
|
|||
| id | integer | The unique ID of the entry | |||
| start_time | integer | Start Time: Date when the channel was started. |
Table 6.9. Columns of the file_xfer table
This view collects the commands issued in a connection. The view is defined as follows:
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description | |||
|---|---|---|---|---|---|
| _archive_date | date | Archive date: The date when the connection was archived or cleaned up. |
|||
| _archive_path | text | Archive path: The path where the audit trail was archived on the remote server. |
|||
| _archive_policy | text | ||||
| _archive_server | text | Archive server: The hostname or IP address of the remote server where the audit trail was archived. |
|||
| audit | text | Audit trail: Name and ID of the audit file storing
the traffic of the channel. If the session has an audit trail, a
download icon
|
|||
| auth_method | text | Authentication Method: The authentication method used in the connection. |
|||
| channel_policy | text | Channel Policy: The channel policy applied to the channel opening request. |
|||
| channel_type | text | Channel Type: Type of the channel. |
|||
| _connection_channel_id | text | ||||
| connection_id | text | ||||
| connection | text | Connection Policy: The connection policy applied to the client's connection request. |
|||
| device_name | text | Device Name: The name or ID of the shared device (redirect) used in the RDP connection. |
|||
| dst_ip | text | Destination IP: The IP address of the server as requested by the client. |
|||
| dst_port | integer | Destination Port: The port number of the server as requested by the client. |
|||
| dynamic_channel | text | Dynamic Channel: The name or ID of the dynamic channel opened in the RDP connection. |
|||
| environment | text | Environment: The environment variables sent by the client. |
|||
| exec_cmd | text | Executed Command: The command executed in a channel. |
|||
| four_eyes_authorizer | text | Four-eyes Authorizer: The username of the user who authorized the session. Available only if 4-eyes authorization is required for the channel. For details on 4-eyes authorization, see Section 8.3, Configuring 4-eyes authorization. |
|||
| four_eyes_description | text | Four-eyes Description: The description submitted by the authorizer of the session. |
|||
| id | integer | The unique ID of the entry. | |||
| local_ip | text | Server-local IP: The IP address of SCB used in the server-side connection. |
|||
| local_port | integer | Server-local Port: The port number of SCB used in the server-side connection. |
|||
| originator_addr | text | Port/X11 forward Originator IP: The IP address of the host initiating the channel in and channels. Note that this host is not necessarily the client or the server of the SSH connection. |
|||
| originator_port | integer | Port/X11 forward Originator Port: The number of the forwarded port in and channels. |
|||
| protocol | text | Protocol: The protocol used in the connection (SSH, RDP, Telnet, VNC and ICA). |
|||
| remote_username | text | Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies. |
|||
| rule_num | text | Rule number: he number of the line in the channel policy applied to the channel. |
|||
| scp_path | text | SCP Path: Name and path of the file copied via SCP. Available only for SCP sessions ( SSH channels) if the option is enabled in the Channel Policy of the connection.
|
|||
| server_ip | text | Server IP: The IP address of the server connected by SCB. |
|||
| server_port | integer | Server Port: The port number of the server connected by SCB. |
|||
| session_end | integer | End Time: Date when the channel was closed. |
|||
| session_id | text | Session ID: ID number of the TCP session. |
|||
| session_start | integer | Start Time: Date when the channel was started. |
|||
| src_ip | text | Source IP: The IP address of the client. |
|||
| src_port | integer | Source Port: The port number of the client. |
|||
| subsystem_name | text | Subsystem Name: Name of the SSH subsystem used in the channel. |
|||
| target_addr | text | Port-forward Target IP: The traffic was forwarded to this IP address in and channels. |
|||
| target_port | integer | Port-forward Target Port: The traffic was forwarded to this port in and channels. |
|||
| username | text | ||||
| verdict | text | Verdict: Indicates if the channel was accepted
(
|
Table 6.10. Columns of the finished_audits table
This view collects data about the audit trails currently being processed by the Audit Player indexer services. The view is defined as follows:
SELECT finished_audits.id, finished_audits.scp_path, finished_audits.subsystem_name, finished_audits.protocol, finished_audits.originator_port, finished_audits.channel_policy, finished_audits.target_addr, finished_audits._archive_path, finished_audits._close_cleanup, finished_audits.dynamic_channel, finished_audits.environment, finished_audits.session_start, finished_audits.remote_username, finished_audits.local_port, finished_audits.four_eyes_authorizer, finished_audits.src_ip, finished_audits.session_end, finished_audits._archive_server, finished_audits.server_port, finished_audits.username, finished_audits._archive_date, finished_audits.server_ip, finished_audits.exec_cmd, finished_audits._archive_policy, finished_audits.four_eyes_description, finished_audits.connection_id, finished_audits._connection_channel_id, finished_audits.rule_num, finished_audits.target_port, finished_audits.src_port, finished_audits.originator_addr, finished_audits.auth_method, finished_audits.audit, finished_audits.local_ip, finished_audits.session_id, finished_audits.device_name, finished_audits.channel_type, finished_audits."connection", finished_audits.verdict, finished_audits.dst_port, finished_audits.dst_ip
FROM ( SELECT f1.id, f1.scp_path, f1.subsystem_name, f1.protocol, f1.originator_port, f1.channel_policy, f1.target_addr, f1._archive_path, f1._close_cleanup, f1.dynamic_channel, f1.environment, f1.session_start, f1.remote_username, f1.local_port, f1.four_eyes_authorizer, f1.src_ip, f1.session_end, f1._archive_server, f1.server_port, f1.username, f1._archive_date, f1.server_ip, f1.exec_cmd, f1._archive_policy, f1.four_eyes_description, f1.connection_id, f1._connection_channel_id, f1.rule_num, f1.target_port, f1.src_port, f1.originator_addr, f1.auth_method, f1.audit, f1.local_ip, f1.session_id, f1.device_name, f1.channel_type, f1."connection", f1.verdict, f1.dst_port, f1.dst_ip
FROM ( SELECT channels.id, channels.scp_path, channels.subsystem_name, channels.protocol, channels.originator_port, channels.channel_policy, channels.target_addr, channels._archive_path, channels._close_cleanup, channels.dynamic_channel, channels.environment, channels.session_start, channels.remote_username, channels.local_port, channels.four_eyes_authorizer, channels.src_ip, channels.session_end, channels._archive_server, channels.server_port, channels.username, channels._archive_date, channels.server_ip, channels.exec_cmd, channels._archive_policy, channels.four_eyes_description, channels.connection_id, channels._connection_channel_id, channels.rule_num, channels.target_port, channels.src_port, channels.originator_addr, channels.auth_method, channels.audit, channels.local_ip, channels.session_id, channels.device_name, channels.channel_type, channels."connection", channels.verdict, channels.dst_port, channels.dst_ip
FROM channels
WHERE channels.audit IS NOT NULL AND channels.audit <> ''::text AND channels.session_end IS NOT NULL) f1
LEFT JOIN channels f2 ON f1.audit = f2.audit AND f2.session_end IS NULL
WHERE f2.id IS NULL) finished_audits
WHERE NOT (finished_audits.audit IN ( SELECT progresses.audit
FROM progresses)) AND NOT (finished_audits.id IN ( SELECT results.channel_id
FROM results))
ORDER BY finished_audits.id;
The the finished_unprocessed_audits view has the following columns. For details of the different columns, see Section 6.3.1, Connection metadata.
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description | |||
|---|---|---|---|---|---|
| _archive_date | date | Archive date: The date when the connection was archived or cleaned up. |
|||
| _archive_path | text | Archive path: The path where the audit trail was archived on the remote server. |
|||
| _archive_policy | text | ||||
| _archive_server | text | Archive server: The hostname or IP address of the remote server where the audit trail was archived. |
|||
| audit | text | Audit trail: Name and ID of the audit file storing
the traffic of the channel. If the session has an audit trail, a
download icon
|
|||
| auth_method | text | Authentication Method: The authentication method used in the connection. |
|||
| channel_policy | text | Channel Policy: The channel policy applied to the channel opening request. |
|||
| channel_type | text | Channel Type: Type of the channel. |
|||
| _close_cleanup | boolean | ||||
| _connection_channel_id | text | ||||
| connection_id | text | ||||
| connection | text | Connection Policy: The connection policy applied to the client's connection request. |
|||
| device_name | text | Device Name: The name or ID of the shared device (redirect) used in the RDP connection. |
|||
| dst_ip | text | Destination IP: The IP address of the server as requested by the client. |
|||
| dst_port | integer | Destination Port: The port number of the server as requested by the client. |
|||
| dynamic_channel | text | Dynamic Channel: The name or ID of the dynamic channel opened in the RDP connection. |
|||
| environment | text | Environment: The environment variables sent by the client. |
|||
| exec_cmd | text | Executed Command: The command executed in a channel. |
|||
| four_eyes_authorizer | text | Four-eyes Authorizer: The username of the user who authorized the session. Available only if 4-eyes authorization is required for the channel. For details on 4-eyes authorization, see Section 8.3, Configuring 4-eyes authorization. |
|||
| four_eyes_description | text | Four-eyes Description: The description submitted by the authorizer of the session. |
|||
| id | integer | ||||
| local_ip | text | Server-local IP: The IP address of SCB used in the server-side connection. |
|||
| local_port | integer | Server-local Port: The port number of SCB used in the server-side connection. |
|||
| originator_addr | text | Port/X11 forward Originator IP: The IP address of the host initiating the channel in and channels. Note that this host is not necessarily the client or the server of the SSH connection. |
|||
| originator_port | integer | Port/X11 forward Originator Port: The number of the forwarded port in and channels. |
|||
| protocol | text | Protocol: The protocol used in the connection (SSH, RDP, Telnet, VNC and ICA). |
|||
| remote_username | text | Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies. |
|||
| rule_num | text | Rule number: he number of the line in the channel policy applied to the channel. |
|||
| scp_path | text | SCP Path: Name and path of the file copied via SCP. Available only for SCP sessions ( SSH channels) if the option is enabled in the Channel Policy of the connection.
|
|||
| server_ip | text | Server IP: The IP address of the server connected by SCB. |
|||
| server_port | integer | Server Port: The port number of the server connected by SCB. |
|||
| session_end | integer | End Time: Date when the channel was closed. |
|||
| session_id | text | Session ID: ID number of the TCP session. |
|||
| session_start | integer | Start Time: Date when the channel was started. |
|||
| src_ip | text | Source IP: The IP address of the client. |
|||
| src_port | integer | Source Port: The port number of the client. |
|||
| subsystem_name | text | Subsystem Name: Name of the SSH subsystem used in the channel. |
|||
| target_addr | text | Port-forward Target IP: The traffic was forwarded to this IP address in and channels. |
|||
| target_port | integer | Port-forward Target Port: The traffic was forwarded to this port in and channels. |
|||
| username | text | ||||
| verdict | text | Verdict: Indicates if the channel was accepted
(
|
Table 6.11. Columns of the finished_unprocessed_audits table
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description |
|---|---|---|
| end_time | integer | The time when the token (keyword) disappears in the audit trail. |
| id | integer | The unique ID number of the entry. |
| result_id | integer | An ID identifying the occurrence of the token. This value is a reference to the id column of the results table. |
| screenshot | text | A hash of the screenshot used in the report. The actual screenshot is not stored in the database. |
| start_time | integer | The time when the token (keyword) appears in the audit trail. |
Table 6.12. Columns of the occurrences table
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description |
|---|---|---|
| audit | text | Audit trail: Name and ID of the audit file storing
the traffic of the channel. If the session has an audit trail, a
download icon
|
| ap_id | integer | The ID of the Audit Player indexer service that is processing the audit trail. |
| id | integer | The unique ID number of the entry. |
Table 6.13. Columns of the progresses table
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description |
|---|---|---|
| channel_id | integer | The ID of the channel where a token was found. This value is actually a reference to the id column of the channels table. |
| id | integer | The unique ID number of the entry. |
| token | text | The token (search keyword). |
Table 6.14. Columns of the results table
The sphinx function allows you to search the content of full-text-indexed audit trails for a specific keyword and return the IDs of the channels that contain the search keyword. The sphinx function requires four parameters:
search phrase: The keyword or keyphrase you are looking for, for example, a command issued in an SSH session (
exit). The keyphrase can contain the following special operators to be used&(AND),|(OR),!(NOT). Brackets can be used to group parts of the keyphrase.beginning_timestamp: The date in UNIX-timestamp format. Only audit trails created after this date will be queried.
ending_timestamp: The date in UNIX-timestamp format. Only audit trails created before this date will be queried.
empty_string: The fourth parameter is a mandatory empty string (
'').
For example:
select sphinx from sphinx('root', 1287402232, 1318938150, '');
For details on how to use more complex keyphrases, see the Sphinx reference manual.
For details of full-text indexing, see Procedure 6.8.1, Configuring full-text indexing of audit trails.
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description |
|---|---|---|
| channel_id | integer | The ID of the channel. This value is actually a reference to the id column of the channels table. |
| id | integer | The unique ID number of the entry. |
| occasions | integer |
Table 6.15. Columns of the skipped_connections table
This view collects data about the connections which used a usermapping policy. The view is defined as follows:
SELECT channels.id, channels.scp_path, channels.subsystem_name, channels.protocol, channels.originator_port, channels.channel_policy, channels.target_addr, channels._archive_path, channels._close_cleanup, channels.dynamic_channel, channels.environment, channels.session_start, channels.remote_username, channels.local_port, channels.four_eyes_authorizer, channels.src_ip, channels.session_end, channels._archive_server, channels.server_port, channels.username, channels._archive_date, channels.server_ip, channels.exec_cmd, channels._archive_policy, channels.four_eyes_description, channels.connection_id, channels._connection_channel_id, channels.rule_num, channels.target_port, channels.src_port, channels.originator_addr, channels.auth_method, channels.audit, channels.local_ip, channels.session_id, channels.device_name, channels.channel_type, channels."connection", channels.verdict, channels.dst_port, channels.dst_ip FROM channels WHERE channels.remote_username IS NOT NULL AND channels.username <> channels.remote_username;
The the usermapped_channels view has the following columns. For details of the different columns, see Section 6.3.1, Connection metadata.
|
Note |
|---|---|
The structure of these database tables may change in future SCB versions. |
| Column | Type | Description | |||
|---|---|---|---|---|---|
| _archive_date | date | Archive date: The date when the connection was archived or cleaned up. |
|||
| _archive_path | text | Archive path: The path where the audit trail was archived on the remote server. |
|||
| _archive_policy | text | ||||
| _archive_server | text | Archive server: The hostname or IP address of the remote server where the audit trail was archived. |
|||
| audit | text | Audit trail: Name and ID of the audit file storing
the traffic of the channel. If the session has an audit trail, a
download icon
|
|||
| auth_method | text | Authentication Method: The authentication method used in the connection. |
|||
| channel_policy | text | Channel Policy: The channel policy applied to the channel opening request. |
|||
| channel_type | text | Channel Type: Type of the channel. |
|||
| _close_cleanup | boolean | ||||
| _connection_channel_id | text | ||||
| connection_id | text | ||||
| connection | text | Connection Policy: The connection policy applied to the client's connection request. |
|||
| device_name | text | Device Name: The name or ID of the shared device (redirect) used in the RDP connection. |
|||
| dst_ip | text | Destination IP: The IP address of the server as requested by the client. |
|||
| dst_port | integer | Destination Port: The port number of the server as requested by the client. |
|||
| dynamic_channel | text | Dynamic Channel: The name or ID of the dynamic channel opened in the RDP connection. |
|||
| environment | text | Environment: The environment variables sent by the client. |
|||
| exec_cmd | text | Executed Command: The command executed in a channel. |
|||
| four_eyes_authorizer | text | Four-eyes Authorizer: The username of the user who authorized the session. Available only if 4-eyes authorization is required for the channel. For details on 4-eyes authorization, see Section 8.3, Configuring 4-eyes authorization. |
|||
| four_eyes_description | text | Four-eyes Description: The description submitted by the authorizer of the session. |
|||
| id | integer | ||||
| local_ip | text | Server-local IP: The IP address of SCB used in the server-side connection. |
|||
| local_port | integer | Server-local Port: The port number of SCB used in the server-side connection. |
|||
| originator_addr | text | Port/X11 forward Originator IP: The IP address of the host initiating the channel in and channels. Note that this host is not necessarily the client or the server of the SSH connection. |
|||
| originator_port | integer | Port/X11 forward Originator Port: The number of the forwarded port in and channels. |
|||
| protocol | text | Protocol: The protocol used in the connection (SSH, RDP, Telnet, VNC and ICA). |
|||
| remote_username | text | Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies. |
|||
| rule_num | text | Rule number: he number of the line in the channel policy applied to the channel. |
|||
| scp_path | text | SCP Path: Name and path of the file copied via SCP. Available only for SCP sessions ( SSH channels) if the option is enabled in the Channel Policy of the connection.
|
|||
| server_ip | text | Server IP: The IP address of the server connected by SCB. |
|||
| server_port | integer | Server Port: The port number of the server connected by SCB. |
|||
| session_end | integer | End Time: Date when the channel was closed. |
|||
| session_id | text | Session ID: ID number of the TCP session. |
|||
| session_start | integer | Start Time: Date when the channel was started. |
|||
| src_ip | text | Source IP: The IP address of the client. |
|||
| src_port | integer | Source Port: The port number of the client. |
|||
| subsystem_name | text | Subsystem Name: Name of the SSH subsystem used in the channel. |
|||
| target_addr | text | Port-forward Target IP: The traffic was forwarded to this IP address in and channels. |
|||
| target_port | integer | Port-forward Target Port: The traffic was forwarded to this port in and channels. |
|||
| username | text | ||||
| verdict | text | Verdict: Indicates if the channel was accepted
(
|
Table 6.16. Columns of the usermapped_channels table
SCB periodically creates reports on the activity of the administrators, the system-health information of SCB, as well as the processed traffic. These reports are available in Portable Document (PDF) format by selecting from the Main Menu. The reports are also sent to the e-mail address set at , unless specified otherwise in the configuration of the report.
To access the reports from the SCB web interface, the user must have the appropriate privileges.
|
Note |
|---|---|
If the address is not set, the report is sent to the SCB administrator's e-mail address. |
Reports are generated as follows:
Daily reports are generated every day at 00:01.
Weekly reports are generated every week on Monday at 00:01.
Monthly reports are generated on the first day of every month at 00:01.
|
Tip |
|---|---|
Use the time bar to find reports that contain a particular period. If you select a period (for example click on a bar), only those reports will be displayed that contain information about the selected period. |
The following information is available about the reports:
Download: A link to download the report.
Name: Name of the report.
Interval: The length of the reported period, for example week, month, and so on.
Report from: The start of the reported interval.
Report to: The end of the reported interval.
Generate time: The date when the report was created.
The default report of SCB (called operational-report) contains the following information for the given period:
Configuration changes: Lists the number of SCB configuration changes per page and per user. The frequency of the configuration changes is also displayed on a chart.
-
Main reports: Contains statistics about the total traffic that passed SCB, including the number of sessions that passed for every connection policy, the used usernames, clients, and servers, and so on.
Note Connections that are still in progress when the report is generated are excluded from the report.
Reports by connection: Contains separate statistics about every connection policy configured on SCB.
System health information: Displays information about the filesystem and network use of SCB, as well as the average load.
6.7.2. Procedure – Configuring custom reports
Purpose:
To configure SCB to create custom reports, complete the following steps.
Steps:
-
Login to the SCB web interface, and navigate to Reporting > Configuration.
Click
and enter a name for the custom report.Reports are organized into chapters and subchapters. Select Table of contents > Add Chapter, enter a name for the chapter, then click . Repeat this step to create further chapters if needed.
-
Select to add various reports and statistics to the chapter. The available reports will be displayed in a popup window.
Subchapters created from custom statistics are listed under . For details on creating reports from custom statistics, see Procedure 6.4, Displaying statistics on search results.
Subchapters created from custom database queries are listed under . For details on creating reports from custom queries, see Procedure 6.5, Creating statistics from custom database queries.
Subchapters created from searching the contents of audit trails are listed under . For details on creating reports from audit trail content, see Section 6.8, Indexing and reporting on audit-trail content.
Use the arrows to change the order of the subchapters if needed.
Select how often shall SCB create the report from the Generate this report every field. Weekly reports are created on Mondays, while monthly reports on the first day of the month. If you want to generate the report only manually, leave this field empty.
-
By default, members of the
searchgroup can access the custom reports via the SCB web interface. To change this, enter the name of a different group into the Reports are accessible by the following groups field, or click to grant access to other groups.Note Members of the listed groups will be able to access only these custom reports even if their groups does not have read access to the Reporting > Reports page. However, only those reports will be listed, to which their group has access to.
-
By default, SCB sends out the reports in e-mail to the address set in the Basic Settings > Management > Mail settings > Send reports to field.
Note If this address is not set, the report is sent to the SCB administrator's e-mail address.
To disable e-mail sending, unselect the Send reports in e-mail option.
To e-mail the reports to a different address, select Recipient > Custom address, and enter the e-mail address where the reports should be sent. Click
to list multiple e-mail addresses if needed.
Click .
SCB can send the audit trails to the Audit Player application (AP) to extract the text from the audit trails. SCB creates a comprehensive index from the extracted tokens. That way the contents of the processed audit trails (for example commands typed or texts seen by the user) can be searched from the web interface.
To configure SCB to index the entire content of the audited connections, complete Procedure 6.8.1, Configuring full-text indexing of audit trails.
To monitor the status of the servers indexing the audit trails, see Section 6.8.2, Monitoring the status of AP indexing services.
To create custom reports from the contents of the audit trails, complete Procedure 6.8.3, Creating reports from audit-trail content. Note that creating custom reports does not require full-text indexing.
6.8.1. Procedure – Configuring full-text indexing of audit trails
Purpose:
SCB can send the audit trails to the Audit Player application (AP) for
processing. AP extracts the text from the audit trails and segments it to
tokens. A token is a segment of the text that does not contain whitespace: for example
words, dates (2009-03-14), MAC or IP addresses, and so on.
AP then returns the extracted tokens to SCB, where SCB creates a
comprehensive index from the tokens of the processed audit trails. That way the contents
of the processed audit trails (for example commands typed or texts seen by the user) can
be searched from the web interface. To configure full-text indexing, complete the
following steps.
|
Warning |
|---|---|
Custom reports require a separate server running the Audit Player application in service mode. For details on setting up the service, see Procedure 7.1, Installing the Audit Player application. |
|
Warning |
|---|---|
Full-text indexing is a resource intensive (CPU and hard disk) operation both for SCB and the AP hosts, and depending on the number of processed audit trails and parallel connections passing SCB, may affect the performance of SCB. Test it thoroughly before enabling it in a production environment that is under heavy load. |
|
Note |
|---|---|
Only audit trails created after the full-text indexing has been configured for the connection policy will be processed. It is not possible to process already existing audit trails. |
Steps:
Navigate to the page of the traffic type (for example ), and select the connection policy to index.
Select and click .
Check which channel policy is used in the connection, and navigate to the page.
Select the channel policy used in the connection to index, and verify that the option is selected for the channels you want to index (for example the
Session shellchannel in SSH, or theDrawingchannel in RDP).-
Click .
Tip After that, start a session that uses this connection policy: connect from a client to a server.
When the session is finished, navigate to the page to verify that an AP host is processing the audit trail.
If the audit trails are encrypted, ensure that the required decryption keys are available on the AP hosts.
SCB can cooperate with multiple Audit Player (AP) hosts that process the audit trails. This is needed especially on high-traffic systems, where many audit trails are generated, and also if the audit trails need lot of processing, for example there are many custom reports configured, or full-text indexing is requested for many connections.
The status of the audit-trail processing is displayed on the page. The section lists the hosts that run the AP application in service mode and are currently connected to SCB. The section lists the audit trails waiting to be processed.
6.8.3. Procedure – Creating reports from audit-trail content
Purpose:
SCB can send the audit trails to the Audit Player application (AP) for
processing. AP extracts the text from the audit trails and segments it to
tokens. A token is a segment of the text that does not contain whitespace: for example
words, dates (2009-03-14), MAC or IP addresses, and so on.
AP then returns the extracted tokens to SCB, where SCB creates a
comprehensive index from the tokens of the processed audit trails, and creates statistics of the occurrences of the search
keywords, as well as screenshots from the audit trail. These statistics and screenshots can be included in custom reports as subchapters.
To configure SCB to create reports from the contents of audit trails, complete the following steps.
|
Warning |
|---|---|
|
Processing the contents of audit trails requires a separate server running the Audit Player application in service mode. For details on setting up the service, see Procedure 7.1, Installing the Audit Player application. If the audit trails are encrypted, ensure that the required decryption keys are available on the AP hosts. |
|
Note |
|---|---|
Only audit trails created after the content subchapter has been configured will be processed. It is not possible to create reports from already existing audit trails. |
Steps:
-
Login to the SCB web interface, and navigate to .
Click
and enter a name for the subchapter.-
Enter the search keywords (or parts of the words) into the field. Note that the search is not case sensitive. Wildcards and regular expressions are not supported. To search for an exact phrase or expression, enclose the keywords in double quotes, for example
"program files".Note When using audit-trail reports, AP will extract only the specified search keywords, other texts found in the audit trails will not be indexed. To extract every text from the audit trails, use full-text indexing (for details, see Procedure 6.8.1, Configuring full-text indexing of audit trails). Note that creating content subchapters requires much less resources (hard disk, CPU) than full-text indexing.
-
Configure filters to select the audit trails to index. The following filters are available:
Protocol: Process only audit trails of the specified traffic type (for example SSH).
Connection: Process only audit trails of the specified connection policy.
Channel policy: Process only audit trails of the specified channel policy.
Username: Process only audit trails where the specified username was used in the connection. Available only for protocols where the username is known (for example SSH).
Source: Process only audit trails where the specified client IP address or port was used.
Server: Process only audit trails where the specified server IP address or port was used.
Note If you do not configure any filters, every available audit trail will be processed. Audit trails are created only for channels where the option is enabled for the particular channel in the channel policy.
Click .
-
Navigate to , and add the new subchapter to an existing report, or create a new report. Subchapters created from searching the contents of audit trails are listed under . For details, see Procedure 6.7.2, Configuring custom reports.
SCB records information about the passing sessions into its connection database. Session information can be displayed online from the SCB web interface (for details, see Chapter 6, Browsing log messages and SCB reports and Section 6.3, The SCB connection database). The Audit Player (AP) is a desktop application that can replay recorded audit trails, much like a media player replays movie files.
AP is available for the following 32-bit and 64-bit platforms:
Microsoft Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
The AP application can currently replay the following session types:
SSH terminal sessions
Remote X11 sessions forwarded within the SSH traffic. Note that not the entire desktop is displayed, only the windows of the remotely-accessed application.
The Drawing channel (that is, the desktop) of RDP4, RDP5, RDP6, and RDP7 sessions (except for remote desktops that use the Aero graphical interface)
Telnet and TN3270 terminal sessions
VNC sessions
SCP sessions
SFTP sessions
For details on how to install the Audit Player application, see Procedure 7.1, Installing the Audit Player application.
For details on how to replay audit trails, see Section 7.2, Replaying audit trails.
For details on how to search audit trails, see Section 7.3, Using AP.
For details on how to use AP to automatically download and process audit trails from SCB, see Procedure 7.1, Installing the Audit Player application and Procedure 6.8.1, Configuring full-text indexing of audit trails.
7.1. Procedure – Installing the Audit Player application
Purpose:
To install the Audit Player application, complete the following steps.
|
Warning |
|---|---|
Installing Audit Player requires administrator privileges. The installed Audit Player can be run by restricted users as well if the required privileges are set. |
Steps:
Download the Audit Player application from the BalaBit web site.
Start the downloaded file.
Read the end-user agreement of AP and click I Agree.
Some fonts installed by AP have a separate copyright license. Click I Agree to accept it.
Select the folder where AP will be installed and click Install.
-
The installer can automatically install and register several fonts to improve the processing of X11 audit trails. If you will use AP to replay X11 audit trails, you are recommended to install these fonts.
Note X11 fonts are installed only by Audit Player version 2011.2 and later. Note that installing these fonts automatically opens the
Windows\Fontsfolder in the Windows Explorer. This is normal and needed to avoid having to reboot the host. You can simply close this window. -
If you will run AP in service mode to automatically download and process the audit trails from SCB, complete the following steps. Otherwise, click Save settings
-
Select Enable Audit Indexing Service.
-
Enter the IP address or the hostname of your SCB host into the Server address field.
Warning This address must be the same that appears in the Common Name of SCB's certificate. If it is a hostname, it must be resolvable from the host running AP, either via DNS, or locally from a file.
Enter the Username and Password of the SCB user account AP will use to access SCB. This user must be a member of the
indexinggroup. If LDAP or RADIUS authentication is used on SCB, the user must also exist in the LDAP/RADIUS database.-
To be able to communicate with SCB, install the Server certificate of SCB (the one set in Basic Settings > Management > SSL certificate > Server Certificate of the SCB web interface) or the certificate of the certificate authority that signed the certificate of SCB.
Note The certificate must be in DER format.
Click Save settings.
-
When the installation is finished, click Close.
Note To modify the configuration of the Audit Indexer Service, select Start menu > All Programs > Audit Player > Configure Audit Indexer Service.
On the SCB web interface, navigate to Reporting > Indexer status. The new Audit Player should appear in the list of Registered Audit Players.
-
-
Optional step: If you want to run the Audit Player application without administrator privileges, complete the following steps:
Allow the nonrestricted user to write and modify the
C:\Program Files\Audit Player\varfolder.Allow the nonrestricted user to write and modify the
C:\Program Files\Audit Player\bin\Textract.Logfile. Create the file if it does not exist yet.Allow the nonrestricted user to write and modify the
C:\Program Files\Audit Player\bin\Textract.inifile.
-
Optional step: If you want to run the Audit Player on multicore processor, complete the following steps:
Start regedit.
Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services \APService.Right click the key and select .
-
In the field, after the
.exefile, enter the-Cswitch and the desired value.Example 7.1. Using the -CswitchC:\Program Files\Audit Player\bin\audit-indexer-service.exe -C 4Note To get the optimal performance, set the value to 1-1.5 times of the number of cores.
Click .
To replay an audit trail, the audit trail must be available on the computer running AP, or you must access it on the BalaBit Shell Control Box search interface from a browser on the computer running AP.
For details on how to download an audit trail from SCB, see Procedure 7.2.1, Downloading audit trails from SCB.
For details on how to replay an audit trail with AP, see Procedure 7.2.2, Replaying a session with the Audit Player.
7.2.1. Procedure – Downloading audit trails from SCB
Steps:
Login to the SCB web interface.
Navigate to the page.
Use the Calendar bar or the option and the filters to locate the session you want to replay.
-
Click the
icon in the Audit trail column of the
session to download the audit trail to your computer.If the Audit trail column is not visible, add it to the list of visible columns. For details, see Procedure 6.1.1, Customizing columns.
If the Audit trail column is visible but empty (that is, it does not contain the
icon) then no audit trail was recorded from the session,
because the channel policy did not have auditing enabled. For details, see Procedure 5.1.4, Creating and editing channel policies.Note Downloading audit trails requires the Search > Search in all connections privilege, or that the group of the user be listed in the Access Control section of the connection policy with Audit permission.
Tip To download every audit trail listed in the search results, select the Export Format > Audit Player, and click Export.
7.2.2. Procedure – Replaying a session with the Audit Player
Purpose:
To replay a session, complete the following steps:
Steps:
-
Open an audit trail to replay using one of the following methods:
Start the Audit Player application. Select and select an audit trail file.
Double-click on the audit trail file in Windows Explorer. Note that this method does not work when opening an audit trail that has accented characters in its filename or pathname and the operating system does not natively support accented characters (for example, opening a file called
ellenőrzött-adminisztrátori-kapcsolat.zatwill fail on Windows using English locale).
AP opens the file and displays the sessions stored in the file in the Project Trails panel.
Note To open multiple audit trails, use the Shift and the Control keys.
If the audit trail is encrypted, you must import the private key of the certificate used to encrypt the audit trail before trying to replay the audit trail. For details, see Section 7.3.3, Replaying and processing encrypted audit trails.
The extension of the audit trail files is
.logor.zat. Its name consists ofaudit-scb-protocolname-timestamp-sequencenumber. Double-click on the stream you want to replay. The session will be displayed in a new window.
-
Wait until AP processes the stream. The progress of the processing is indicated on the timeline as an orange bar. Click .
To adjust the replaying speed, adjust the Replay Speed option.
To display the characters (for example commands, passwords, and so on) that the user typed in the session, select Show user input. The user input will be displayed above the time bar. Note that the appropriate decryption keys are needed to display the user input if the upstream traffic is encrypted with a different set of certificates.
7.2.3. Procedure – Replaying SCP and SFTP sessions
Purpose:
To replay SCP and SFTP sessions, complete the following steps:
Steps:
-
Select and select an audit trail file. AP opens the file and displays the sessions stored in the file in the Project Trails panel.
Note SCP and SFTP sessions cannot be searched with .
To filter for filenames, in the SCB Web interface navigate to , click and add to the visible columns. You can then filter for filenames in the filter field of the column.
-
Double-click on the session you want to replay. The session will be displayed in a new window.
The session enlists all file transfer and file management actions (for example file deletion, file uploading, changing attributes and so on) on the remote host.
You can download the uploaded files from the session. These files are marked in the column with a bold or label. To download a file, select it and click .
The main window allows you to sort and organize the audit trails and sessions.
The audit trails loaded into AP are all visible in the Project Trails tab. Audit trails are organized into a tree. The tree has the following levels:
Protocol: The type of the audited protocol: SSH, RDP, X11, VNC, SCP, SFTP or Telnet.
Connection: Name of the connection policy that generated the audit trail.
-
Session: Details of the connection stored in the audit trail, including the date, duration, source, and target of the connection. (Every audit trail contains only a single session.)
Tip To sort the list of streams, click the header of the columns.
Stream: The traffic that can be replayed. A session may contain several streams (for example an SSH connection may include a terminal-session stream and an X-forward stream).
|
Tip |
|---|---|
|
Select View > Show Details to display additional information about the selected stream in a separate Stream Details window. These details include the parameters available in the SCB Search page (for details, see Section 6.3, The SCB connection database) and other parameters like the size of the desktop or the terminal.
|
Organizing the audit trails is simple. Every loaded audit trail is displayed in the Project Trails tab. To open a new tab, select and enter a name for the trailset. After that, you can drag-and-drop the interesting streams to this tab, or right-click a stream and select or .
To remove a stream from a trailset, click on the stream and select from the local menu. Deleting a stream from the Project Trails tab deletes the stream from every trailset.
To filter the audit trails available in a trailset, select , and enter your search keywords into the Text field. To search for special keys or events (for example hitting the Escape key, and so on), use the Key sequence field.
|
Warning |
|---|---|
When searching audit trails of SSH and Telnet terminal sessions, the character encoding set in Edit > Preferences > Terminal encoding can affect the search results: if the session uses a different encoding, special characters might not be recognized and thus will be omitted from the search results. |
To search in the metadata of the trails, select More Options > Trail properties. The following metadata is available for filtering:
Time: Use the From and To fields to filter on the duration of the streams matching the other search criteria.
Protocol: The protocol used in the stream: SSH, RDP or Telnet.
Username: The username used in the session (if available).
Client IP: The IP address of the client computer.
Client Port: The port of the client computer used to establish the connection.
0matches for every port.Server IP: The IP address of the server connected by SCB.
Server Port: The port of the server connected by SCB.
0matches for every port.Channel Policy: The channel policy applied to the session.
Connection: The
session_ididentifying the particular session.Channel Type: The type of channel used in the stream (for example terminal session, drawing, and so on). See the list of supported channel types in the following sections: Section 5.2, SSH-specific settings, Section 5.3, RDP-specific settings, and Section 5.5, Telnet-specific settings.
To save a set of audit files, including all trailsets and search results, select , enter a name for the project, and enter a password. The password is used to encrypt the workspace file as it may contain sensitive data.
|
Warning |
|---|---|
AP does not encrypt the audit trail files, only the workspace file. If the audit trails were not encrypted by SCB, sensitive information may be recovered from them. |
To replay encrypted audit trails, the private key of the certificate used to encrypt the audit trails must be available on the machine running AP. This key must be either imported into the Personal Certificate Store / My Store on Windows, or it must be available on a USB token.
To import a private key, select Edit > Import key, select the file containing the key, and click OK. Then enter the password for the key if needed.
|
Note |
|---|---|
The private key must be in PKCS12 format. |
7.3.3.1. Procedure – Importing certificates with MMC
Purpose:
To process encrypted audit trails with the Audit Player application running in service mode, the appropriate private key must be available in the Private certificate store of the Audit Indexer service. To add a certificate to this store, complete the following steps.
Prerequisites:
The certificate and private key to import in PKCS12 format. The key_usage parameter of the certificate must be AT_SIGNATURE. Certificates with the AT_KEYEXCHANGE value will not work
|
Tip |
|---|---|
To convert a certificate from a different format (for example, |
Steps:
-
Start Microsoft Management Console by executing
mmc.exe( menu ).Note Running
mmc.exerequires administrator privileges. Click on the item of the menu.
Click , select the module, and click .
Select in the displayed window and click .
Select and click .
Select and click .
To import a private key, navigate to .
-
Right-click on the folder and from the appearing menu select . The will be displayed. Click .
Optional step: Certificates used to decrypt the audit trails include a private key. Provide the password for the private key when requested.
Click on the summary window and on the window that marks the successful importing of the certificate.
7.3.3.2. Procedure – Converting certificates using OpenSSL
Purpose:
To convert a certificate and its private key into PKCS12 format (for example, from .pfx) using the OpenSSL software package, complete the following steps.
Steps:
Convert the
.pfxfile into PEM format. Issue the following command in a terminal console: openssl pkcs12 -in <certificate>.pfx -out <certificate>.pem -nodesOpen the
<certificate>.pemfile in a text editor, and copy the certificate and the private key into two separate files, for example,<mycertificate>.pemand<mycertificate>.key.Convert the certificate and the private key into PKCS12 format. Issue the following command: openssl pkcs12 -export -out <mycertificate>.p12 -inkey <mycertificate>.key -in <mycertificate>.pem
If the original
.pfxcertificate was imported into a certificate store, remove it and import the new certificate file (that is,<mycertificate>.p12). Importing certificates is described in Procedure 7.3.3.1, Importing certificates with MMC.
7.3.3.3. Procedure – Converting certificates using Firefox
Purpose:
To convert a certificate and its private key into PKCS12 format (for example, from .pfx) using the Mozilla Firefox web browser, complete the following steps.
Steps:
Start Firefox and select , and import the
.pfx. If needed, enter the password of the private key as well.Select the newly imported certificate, and click .
Select the format and enter a name for the file (for example,
mycertificate).If the original
.pfxcertificate was imported into a certificate store, remove it and import the new certificate file (that is,<mycertificate>.p12). Importing certificates is described in Procedure 7.3.3.1, Importing certificates with MMC.
The Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and X11 protocols transfer most texts displayed by the remote applications as graphical data. To make these texts searchable, AP automatically processes the opened audit trails and performs optical character recognition (OCR) on the streams.
During installation, AP creates a database from the fonts installed on the system, and uses these fonts for the OCR process. This means that the fonts used by the servers and applications accessed using RDP must be installed on the host running AP. Otherwise AP might not correctly recognize every font type, and miss parts of the text.
To add a new font to the AP database, install the font on the host running AP, then select the option in AP.
|
Note |
|---|---|
|
The OCR feature of the Audit Player application currently supports only RDP sessions. Certain accented and other special (non-ASCII) characters might not be recognized correctly. OCR-ing VNC sessions is partially supported, provided that the VNC server is running on Windows. |
This section provides help on solving common problems of the Audit Player application (AP).
By default, the Audit Player application sends error messages to the Application eventlog container. To create more detailed logs that are sometimes needed to troubleshoot a problem, command-line parameters must be specified.
7.4.1.1. Procedure – AP logging in user mode
Purpose:
To create debug logs of AP running in user mode, complete the following steps.
Steps:
Select Start > Run > cmd to open a command prompt.
Navigate to the folder where the Audit Player application is installed, for example cd "C:\Program Files\Audit Player\bin\".
Enter the following command: audit-player.exe --verbose 3 --log-file "audit-player.log". The Audit Player application will start and create the specified log file.
Reproduce the error in AP and check the created log file.
If needed, repeat Step 3 with a higher log level (for example with the
--verbose 7parameter).
7.4.1.2. Procedure – AP logging as an indexer service
Purpose:
To create debug logs of AP running as an indexer service, complete the following steps.
Steps:
Start the service management interface of Windows, for example select Start > Run > mmc, then select File > Add/Remove Snap-in > Add > Services.
Double-click on the Audit Indexer Service and select Stop.
Enter the following parameters into the Start parameters field: -d 3 -f "C:\Program Files\Audit Player\service.log" -D 3 -F "C:\Program Files\Audit Player\audit-player.log".
Select Start. The Audit Indexer Service will start and create the specified log file. Note that the ID of the Indexer Service may be added to the name of the log file as a suffix (
audit-player.log.001).Reproduce the error and check the created log file.
If needed, repeat Steps 2-4 with a higher log level (for example with the
-d 7parameter).If you have finished the troubleshooting, restart the Audit Indexer Service without any parameters to lower the logging level to its default.
The Audit Player application requires encryption keys and certificates to use its various features. The following summarizes where the keys and certificates should be stored on Windows for AP to function properly.
When run by a user as a regular application, AP may need the following:
To connect to SCB and download audit trails, the CA certificate of SCB must be available under Local Computer > Trusted Root Certification Authorities. This CA certificate is also used to validate timestamped audit trails.
To replay encrypted audit trails, the private key of the encrypting certificates must be available under Current User > Personal Certificate Store.
To validate digitally-signed audit trails, the certificates used to sign the audit trail or the respective CA certificates must be available under Local Computer > Trusted Root Certification Authorities.
When running as an indexer service, AP may need the following:
To connect to SCB and download audit trails, the CA certificate of SCB must be available under Local Computer > Trusted Root Certification Authorities. This CA certificate is also used to validate timestamped audit trails.
To replay encrypted audit trails, the private key of the encrypting certificates must be available under Service (Audit Indexer Service) > APService > Personal Certificate Store.
To validate digitally-signed audit trails, the certificates used to sign the audit trail or the respective CA certificates must be available under Local Computer > Trusted Root Certification Authorities.
When loading audit trails containing a very large number of objects (typically, audit trails of X11 traffic), the Audit Player application might stop processing the audit trail and terminate. This is caused by reaching the GDI Object Handle Limit, which is 10000 by default.
To overcome this problem, increase the value of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota registry key (up to the maximum of 65535) and reboot the computer.
This chapter describes the advanced authentication and authorization techniques available in SCB.
For details on creating usermapping policies, see Procedure 8.1, Configuring usermapping policies.
For details on configuring gateway authentication, see Section 8.2, Configuring gateway authentication.
For details on configuring 4-eyes authorization and real-time monitoring, see Section 8.3, Configuring 4-eyes authorization.
For details on configuring Credential Stores, see Section 8.4, Using credential stores for server-side authentication.
8.1. Procedure – Configuring usermapping policies
Purpose:
For SSH, RDP, and Citrix ICA connections, usermapping policies can be defined. A usermapping policy
describes who can use a specific username to access the remote server: only members of
the specified local or LDAP usergroups (for example administrators) can
use the specified username (for example root) on the server. To
configure usermapping, complete the following steps.
|
Warning |
|---|---|
|
In SSH connections, the users must use the following as their username:
gu=yourldapusername@root@example.com |
|
Warning |
|---|---|
|
When configuring ICA connections, also consider the following: If the clients are accessing a remote application or desktop that is shared for Anonymous users (that is, the properties of the application is set to To accomplish this, create a usermapping policy and set the option to |
|
Note |
|---|---|
Starting from SCB version 3.2, usermapping is possible only when gateway authentication is used as well. |
Steps:
-
Navigate to Policies > Usermapping Policies.
Click
to create a new policy, and enter a name for the
policy.Click
and enter the username that can be used to access the
remote server (for example root) into the Username field. SCB will use this username in the server-side connection. To permit any username on the server side, enter an asterisk (*).-
Select Groups >
, and specify who is permitted to use the remote username set in the Username field.-
If you have an LDAP Server set in the connection policy where you will use usermapping, enter the name of the local or LDAP usergroup (for example
admins) whose members will be permitted to use the remote username. For details on LDAP authentication, see Procedure 5.1.7, Authenticating users to an LDAP server.Note The LDAP server configured in the connection policy is not necessarily the same as the LDAP server used to authenticate the users accessing the SCB web interface.
If you do not authenticate the connections to an LDAP server, enter the name of the userlist whose members will be permitted to use the remote username. For details on using userlists, see Procedure 5.1.6, Creating and editing user lists.
Repeat this step to add further groups if needed.
-
Repeat steps 3-4 to add further usernames if needed.
Click Commit.
Navigate to the Connections page of the traffic (for example to SSH Control > Connections), and select the connection policy to modify.
Select the usermapping policy created in Step 2 from the Usermapping policy field.
-
Click Commit.
Note For RDP connections, usermapping is possible only when gateway authentication is used as well. When configuring usermapping for RDP connections, proceed to Procedure 8.2.1, Configuring outband gateway authentication and configure gateway authentication.
When gateway authentication is required for a connection, the user must authenticate on SCB as well. This additional authentication can be performed out-of-band on the SCB web interface for every protocol. For details about the concepts of gateway authentication, see Procedure 2.7, The gateway authentication process.
|
Note |
|---|---|
|
For SSH and RDP connections, gateway authentication can be performed also inband, without having to access the SCB web interface.
|
|
Note |
|---|---|
|
Gateway authentication can be used together with other advanced authentication and authorization techniques like 4-eyes authorization, client- and server-side authentication, and so on. For SSH connections, the gateway authentication can be performed inband within the protocol, without having to access the SCB web interface. |
|
Warning |
|---|---|
If the username used within the procotol is different from the username used to access the SCB web interface to perform gateway authentication, usermapping must be configured for the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies. |
8.2.1. Procedure – Configuring outband gateway authentication
Purpose:
To configure gateway authentication, complete the following steps.
|
Warning |
|---|---|
|
Steps:
Navigate to the Connections page of the traffic (for example to SSH Control > Connections), and select the connection policy to modify.
-
Select the Gateway authentication option.
-
To accept the gateway authentication only from the host that initiated the connection, select Require same IP.
Note This option has no effect if the clients are behind a device that performs network address translation (NAT). In such cases, use inband gateway authentication instead.
By default, any user can perform gateway authentication for the connections. To allow only members of a specific group authenticate the connections of this connection policy, select Groups >
, and
enter the name of the group whose members can authenticate the connections.
This group must exist on the page. For details on creating and managing usergroups, see Section 4.4.6, Managing user rights and usergroups. Repeat this step to add further groups if needed.For SSH, RDP, and Citrix ICA connections, you may want to set a usermapping policy in the Usermapping policy field. For details on usermapping policies, see Procedure 8.1, Configuring usermapping policies.
Click Commit. After that, users accessing these connections must perform gateway authentication as described in Procedure 8.2.2, Performing outband gateway authentication on SCB.
-
Optional Step: To restrict the availability of selected channels of the connection based on the username used for gateway authentication, edit the channel policy used in the connection.
Navigate to the channel policy used in the connection (for example, ).
-
Select Gateway Group >
and enter the name of the user group allowed to use this type of the channel. The user group must correspond to the username used for the gateway authentication. Repeat this step until all permitted groups are listed.You may list local user lists as defined in Procedure 5.1.6, Creating and editing user lists, or LDAP groups (for details on accessing LDAP servers from SCB, see Procedure 5.1.7, Authenticating users to an LDAP server). Note the following behavior of SCB:
-
If you list multiple groups, members of any of the groups can access the channel.
Note When listing both a whitelist and blacklist in the section and a username appears on both lists, the user will be able to access the channel.
If a local user list and an LDAP group has the same name and the LDAP server is configured in the connection that uses this channel policy, both the members of the LDAP group and the members of the local user list can access the channel.
-
Click .
8.2.2. Procedure – Performing outband gateway authentication on SCB
Steps:
-
Initiate a connection from a client. If gateway authentication is required for the connection, SCB will pause the connection.
Note For SSH connections, when initiating the connection, you can use the following as your username:
gu=gatewayusername@remoteusername, wheregatewayusernameis the username you will use to login to the SCB web interface (also called gateway user), andremoteusernameis the username you will use on the remote server. -
Open a browser, preferably on the same host you initiated the connection from, and navigate to the login page of SCB.
Warning If the username used within the protocol is different from the username used to access the SCB web interface to perform gateway authentication, usermapping must be configured for the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies.
-
Login to SCB, and select Gateway Authentication from the main menu. The list of connections waiting for gateway authentication will be displayed.
Note If users accessing the SCB web interface are authenticated to and LDAP server, the users must successfully authenticate to the LDAP server set on the page.
No other SCB privilege is required to access this page.
Select the connection that you started, and click Assign.
Logout from the SCB web interface.
Continue to authenticate on the server.
8.2.3. Procedure – Performing inband gateway authentication in SSH connections
Steps:
Initiate a connection from a client. If gateway authentication is required for the connection, SCB will pause the connection.
SCB requests the username used for gateway authentication. Enter your gateway username into the prompt. If password authentication is used, provide the password for the gateway user as well.
-
The login prompt for the remote server is displayed. Enter your username used on the remote server into the prompt. If password authentication is used, provide the password for the username as well.
Warning If the username used within the protocol is different from the username used to access the SCB web interface to perform gateway authentication, usermapping must be configured for the connection. For details on usermapping, see Procedure 8.1, Configuring usermapping policies.
Note When initiating the connection, you can use the following as your username:
gu=gatewayusername@remoteusername, wheregatewayusernameis the username you will use to authenticate on SCB andremoteusernameis the username you will use on the remote server. That way you do not have to provide the usernames in the prompt, only the passwords if password authentication is used.If SCB is configured to require client-side authentication, the
gatewayusernameuser must authenticate on the client side.
8.2.4. Procedure – Performing inband gateway authentication in RDP connections
Steps:
Initiate a connection from a client. If gateway authentication is required for the connection, SCB will pause the connection.
-
The graphical login window is displayed.
If the option of your Remote Desktop application is enabled, login to the remote server using your usual credentials. SCB will use these credentials for the gateway authentication on the Domain Controller as well.
-
If the option of your Remote Desktop application is disabled, first you have to authenticate on the SCB gateway. Enter your username and password for the Domain Controller.
If the first authentication is successful, a second login window is displayed. Enter your username and password for the remote server you are trying to access.
-
If SCB is configured to use a Credential Store to login to the target server, enter the following:
-
Into the field, enter the domain name, the
-AUTOsuffix, and your username. For example,Exampledomain-AUTO\Administrator.Note The
-AUTOsuffix is the default value of the option of SCB. If your SCB administrator has changed this option, use the appropriate suffix instead of -AUTO. Enter your username (only the username, without the domain, for example,
Administrator) into the field.
-
If the authentication is successful, the desktop of the remote server is displayed.
If a user initiates a connection and then logs in to the SCB web interface, it might happen that his connection is not shown on the Gateway Authentication page. SCB checks the following points to determine if a pending connection is listed for a user:
|
Warning |
|---|---|
The |
The username used to access the SCB web interface is a member of a group listed in the field of the connection policy.
If SCB knows from the protocol the username that will be used to access the SCB web interface to perform the gateway authentication, the connection is displayed only to this user. Currently this happens only for SSH connections if the client has specified the username for the web interface within the protocol using the
gu=webusername@server-side-username@serverformat.If the option is enabled, the pending connection is displayed only if the user accesses the SCB web interface from the same IP address as the client in the pending connection.
|
Note |
|---|---|
The |
When 4-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This authorization is in addition to any authentication or group membership requirements needed for the user to access the remote server. For details about the concepts of 4-eyes authorization, see Procedure 2.8, 4-eyes authorization.
8.3.1. Procedure – Configuring 4-eyes authorization
Purpose:
To require 4-eyes authorization for a connection, complete the following steps.
Steps:
Navigate to the Connections page of the traffic (for example to SSH Control > Connections), and select the connection policy to modify.
-
Navigate to Access Control and click
. Enter the name of the usergroup whose members are permitted to authorize the sessions of the connection policy into the Authorizer field. This group must exist on the page. For details on creating and managing usergroups, see Section 4.4.6, Managing user rights and usergroups.
-
By default, the authorizer can authorize any session of the connection policy.
If the authorizer is permitted to authorize only the sessions of a certain usergroup, select Subject > Only, and enter the name of the userlist whose sessions the authorizer can authorize. If you use 4-eyes authorization without gateway authentication, you can specify an LDAP group instead of a userlist.
Warning If gateway authentication and 4-eyes authorization is used together in a connection policy, the usergroup of the gateway username must be specified, not the group of the remote username. The specified group must be a local or LDAP group.
-
Set the permissions of the usergroup set in the Authorizer field.
If the Authorizer group can authorize (that is, enable) and audit (i,.e monitor in real-time and download the audit trails) the sessions, select Permission > Audit&Authorize.
If the Authorizer group can only authorize (that is, enable) the sessions, select Permission > Authorize.
If the Authorizer group can only audit (that is, monitor in real-time and download the audit trails) the sessions, select Permission > Audit.
Note If the Subject > Only field is set, the auditor can only monitor the sessions of the specified usergroup.
The
adminuser of SCB can audit and authorize every connection. Repeat steps 2-5 to add other authorizers or usergroups if needed.
Click Commit.
-
Navigate to the Channel Policies page of the traffic (for example to SSH Control > Channel Policies), and select the channel policy used in the connection.
-
Enable the option for the channels which should be accessed only using 4-eyes authorization.
Note If a connection uses secondary channels that require 4-eyes authorization — for example, a Remote Desktop connection allows a Drawing channel but requires 4-eyes authorization for a Disk redirection channel — the connection is locked until the the authorizer accepts the channel on the page of SCB, or the 4-eyes request times out. During this time, the client application can become nonresponsive, for example, display the graphical desktop but not react to mouse clicks.
Click Commit. After that, users accessing connections using the modified channel policy must be authorized as described in Procedure 8.3.2, Performing 4-eyes authorization on SCB.
8.3.2. Procedure – Performing 4-eyes authorization on SCB
Steps:
-
When a user initiates a connection from a client and 4-eyes authorization is required for the connection, SCB will pause the connection.
Note 4-eyes authorization can be set separately for every channel. However, if a new channel that requires 4-eyes authorization is opened in an existing connection, the channels already opened are also paused until the 4-eyes authorization is successfully completed.
-
Login to SCB, and select Four Eyes from the main menu. The list of connections waiting for authorization will be displayed.
Note Only those connections will be listed, where your usergroup has the
Authorizeor theAudit&Authorizepermissions. No other SCB privilege is required to access this page. -
Select the connection and click Accept to enable the connection, Reject to deny the connection, or Accept&Follow to enable it and monitor in real-time.
Note Following a session requires the following:
The Audit option must enabled for the specific channel in the Channel policy of the connection.
The Audit Player application must be installed on the computer of the auditor.
If the Audit policy of the connection uses encryption, the appropriate decryption keys must be available on the computer of the auditor.
Enter a note why the connection was accepted/rejected into the appearing dialog box. This description will be stored in the connection database together with other metadata about the connection.
-
If you have to terminate an ongoing connection for some reason, select Active Connections from the main menu. The list of ongoing connections will be displayed.
-
Select the connection to stop, and click Terminate.
Note When following a connection in the Audit Player application, the auditor can also terminate the connection from the Audit Player by clicking .
Credential Stores offer a way to store user credentials (for example, passwords, private keys, certificates) and use them to login to the target server, without the user having access to the credentials. That way, the users only have to perform gateway authentication on SCB with their usual password (or to an LDAP database), and if the user is allowed to access the target server, SCB automatically logs in using the Credential Store. In a sense, using Credential Stores is an improved version of the keymapping available for SSH connections (for details on keymapping, see Procedure 5.2.3.4, How to map keys and certificates). For details on gateway authentication, see Section 8.2, Configuring gateway authentication.
Credential Stores can be stored locally on SCB, or on a remote device. For remote Credential Stores, SCB currently supports the Lieberman Enterprise Random Password Manager (ERPM).
To configure a local Credential Store, see Procedure 8.4.1, Configuring local Credential Stores.
To configure a local, password-protected Credential Store, see Procedure 8.4.2, Configuring password-protected Credential Stores.
To unlock a local, password-protected Credential Store, see Procedure 8.4.3, Unlocking Credential Stores.
To configure a remote Credential Store, see Procedure 8.4.4, Using Lieberman ERPM to authenticate on the target hosts.
8.4.1. Procedure – Configuring local Credential Stores
Purpose:
To configure a local Credential Store that stores the credentials used to login to the target host, complete the following steps.
Prerequisites:
Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SCB using gateway authentication, therefore gateway authentication must be configured for these connections. For details, see Section 8.2, Configuring gateway authentication.
Steps:
Navigate to Policies > Credential Stores.
Click
and enter a name for the Credential Store.Select .
-
Select . That way the credentials will be encrypted with a built-in password, and the Credential Store is automatically accessible when SCB boots up. To use custom passwords to encrypt the Credential Store, see Procedure 8.4.2, Configuring password-protected Credential Stores.
-
Add credentials to the Credential Store
-
Click
and enter the destination host and the username. For the destination host, you can use hostname, IP address, or subnet as well. Note that:Usernames are case sensitive.
To authenticate users of a Windows domain, enter the name of the domain into the field.
-
Enter the password corresponding to the username, or click
and to upload a private key or a certificate. SCB will use these credentials to login to the destination host if the credential store is selected in a Connection policy. If more than one credential is specified to a host-username pair, SCB will attempt to use the credentials as the destination host requests it.Note If the private key is protected by a passphrase, enter the passphrase. The passphrase is needed only once during the upload, it is not required for the later operation of the Credential Store.
Repeat the previous step to add further credentials to the username as necessary.
-
-
Repeat the previous step to add further hosts or usernames as necessary.
Note Credential Stores can be used together with usermapping policies to simplify the administration of users on the target hosts. For details, see Procedure 8.1, Configuring usermapping policies.
Click .
-
Navigate to the Connection policy where you want to use the Credential Store (for example, to ), select the Credential Store to use in the field, then click .
Note The Connection Policy will ignore the settings for server-side authentication (set under ) if a Credential Store is used in the Connection Policy.
8.4.2. Procedure – Configuring password-protected Credential Stores
Purpose:
To configure a local Credential Store that stores the credentials used to login to the target host, complete the following steps. The Credential Store will be protected by custom passwords; this password must be entered every time SCB is rebooted to make the Credential Store available.
Prerequisites:
Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SCB using gateway authentication, therefore gateway authentication must be configured for these connections. For details, see Section 8.2, Configuring gateway authentication.
Steps:
Navigate to Policies > Credential Stores.
Click
and enter a name for the Credential Store.Select .
-
Select .
Note The contents of the Credential Store, as well as the passwords are included in the configuration backups of SCB. Make sure to encrypt the configuration backups.
-
Select Master passwords >
.To protect the Credential Store with a single password, select an enter the password into the and fields. Anyone who knows this password and has the Unlock Credential Store privilege will be able to open the Credential Store. Password-protected Credential Stores must be unlocked on the SCB web interface or console after every SCB reboot.
To protect the Credential Store with multiple passwords, select , click
and enter a password. Click to add additional passwords. After finishing listing every password, click . All of these passwords will be needed to unlock the Credential Store.
-
Repeat the previous step to add another single or compound password. That way, different password sets can be defined for the Credential Store. For example, if a single and a compound password is configured, the chief administrator can unlock the Credential Store with a single password, and two of his subordinates can open the Credential Store together if they know one element each of the compound password.
Tip To change the password, just click
to delete the old password. Then add new passwords as needed. -
Add credentials to the Credential Store
-
Click
and enter the destination host and the username. For the destination host, you can use hostname, IP address, or subnet as well. Note that:Usernames are case sensitive.
To authenticate users of a Windows domain, enter the name of the domain into the field.
-
Enter the password corresponding to the username, or click
and to upload a private key or a certificate. SCB will use these credentials to login to the destination host if the credential store is selected in a Connection policy. If more than one credential is specified to a host-username pair, SCB will attempt to use the credentials as the destination host requests it.Note If the private key is protected by a passphrase, enter the passphrase. The passphrase is needed only once during the upload, it is not required for the later operation of the Credential Store.
Repeat the previous step to add further credentials to the username as necessary.
-
-
Repeat the previous step to add further hosts or usernames as necessary.
Note Credential Stores can be used together with usermapping policies to simplify the administration of users on the target hosts. For details, see Procedure 8.1, Configuring usermapping policies.
Click .
Navigate to the Connection policy where you want to use the Credential Store (for example, to ), select the Credential Store to use in the field, then click .
-
Navigate to and enable the and events. That way SCB sends automatic alerts if a Credential Store needs to be unlocked.
Warning Password-protected Credential Stores must be unlocked every time after SCB is rebooted. Connection using a password-protected Credential Store will automatically fail until the Credential Store is locked.
To unlock a Credential Store, users must have the privilege, or editing (read and write) privileges to the particular Credential Store.
8.4.3. Procedure – Unlocking Credential Stores
Purpose:
To unlock a Credential Store and make it available for use, complete the following steps.
Prerequisites:
To unlock a Credential Store, users must have the privilege, or editing (read and write) privileges to the particular Credential Store.
Step:
Login to the SCB web interface.
Navigate to and select the Credential Store to unlock.
Enter the password(s) for the Credential Store. For compound passwords, enter every element of the compound password in the correct order.
Click .
-
Repeat the previous steps for other Credential Stores as needed.
Note Alternatively, Credential Stores can be unlocked also from the SCB Console Menu.
8.4.4. Procedure – Using Lieberman ERPM to authenticate on the target hosts
Purpose:
To configure SCB to retrieve the credentials used to login to the target host from a Lieberman Enterprise Random Password Manager (ERPM) device, complete the following steps.
Prerequisites:
Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SCB using gateway authentication, therefore gateway authentication must be configured for these connections. For details, see Section 8.2, Configuring gateway authentication.
Steps:
Navigate to Policies > Credential Stores.
Click
and enter a name for the Credential Store.Select .
Enter the hostname or IP address of your Lieberman Enterprise Random Password Manager (ERPM) server into the field.
-
Specify the account SCB should use to login to the ERPM server.
To use always the same account, select and enter the username and the password.
For SSH connections, SCB can use the username and password that the user provided during the gateway authentication process. To use this account, select .
To verify the certificate of the ERPM server, select and select the CA list that contains the CA certificate that signed the certificate of the ERPM server from the field. For details on creating trusted CA lists, see Procedure 5.1.9, Verifying certificates with Certificate Authorities.
The hosts are organized in namespaces in the Lieberman ERPM. The namespace is used when no domain name is given in the username. Enter the default namespace of the accounts into the field, for example [Linux], [LDAP], [IPMI], W2003DOMAIN.
-
Enter the IP address of the DNS servers to use for resolving the hostnames when using Domain mapping into the and fields.
-
If you want to autologin with RDP to a computer with a domain user, map the domain name to the hostname of the domain controller in , so that SCB will search the user password for the appropriate host in Lieberman ERPM. To do this, click
and enter the domain name and the host.
Click .
Navigate to the Connection policy where you want to use the Credential Store (for example, to ), select the Credential Store to use in the field, then click .
This chapter gives step-by-step procedures to configure special aspects of SCB.
If a protected server requires public-key authentication from the users, complete one of the following procedures.
In Procedure 9.1.1, Configuring public-key authentication using local keys, SCB stores the public keys of the users and the private-public keypair used in the server-side connection locally on SCB.
In Procedure 9.1.2, Configuring public-key authentication using an LDAP server and a fixed key, SCB receives the public keys of the users from an LDAP server and uses a locally-stored private-public keypair in the server-side connection.
In Procedure 9.1.3, Configuring public-key authentication using an LDAP server and generated keys, SCB receives the public keys of the users from an LDAP server. SCB generates a keypair that is used in the server-side connection on-the-fly, then uploads the public key of this pair to the LDAP database. That way the server can authenticate SCB to the (newly generated) public key of the user.
9.1.1. Procedure – Configuring public-key authentication using local keys
Purpose:
To store the public keys of the users and the private-public keypair used in the server-side connection locally on SCB, complete the following steps:
Steps:
Navigate to and create a new Authentication Policy.
Select Client authentication backend > Local > Publickey, deselect all other options.
Select Server authentication methods > Publickey > Map, deselect all other options.
Enter the client's username used on the server into the Username field.
Click the
icon in the Client Side field.
A popup window is displayed.Click , select the public key of the user, then click . Alternatively, you can paste the key into the Copy-paste field and click .
Click the
icon in the Server Side field.
A popup window is displayed.-
Click and select the private key of the user, or paste the key into the Copy-paste field. Enter the password for the private key into the Password field and click .
If the private key of the user is not available, click to create a new private key. You can set the size of the key in the Generate key field.In this case, do not forget to export the public key from SCB and import it to the server. To export the key from SCB, just click on the key and save it to your local computer.
Repeat Steps 3-8 to add other users.
Click .
Navigate to and create a new Connection.
Enter the IP addresses of the clients and the servers into the From and To fields.
Select the authentication policy created in Step 1 in the field.
Configure the other options of the connection as necessary.
Click .
To test the above settings, initiate a connection from the client machine to the server.
9.1.2. Procedure – Configuring public-key authentication using an LDAP server and a fixed key
Purpose:
To fetch the public keys of the users from an LDAP server and use a locally-stored private-public keypair in the server-side connection, complete the following steps:
Steps:
Navigate to and create a new Authentication Policy.
Select Client authentication backend > LDAP > Publickey, deselect all other options.
Select Server authentication methods > Publickey > Fix, deselect all other options.
Select Private key >
. A popup window is
displayed.-
Click and select the private key of the user, or paste the key into the Copy-paste field. Enter the password for the private key into the Password field and click .
If the private key of the user is not available, click to create a new private key. You can set the size of the key in the Generate key field.In this case, do not forget to export the public key from SCB and import it to the server. To export the key from SCB, just click on the key and save it to your local computer.
Click on the fingerprint of the key in the field and save the public key. Do not forget to import this public key to the server: all connections that use this new authentication policy will use this keypair on the server side.
Click .
Navigate to and click
to create a new LDAP policy.Enter the parameters of the LDAP server. For details, see Procedure 5.1.7, Authenticating users to an LDAP server.
-
If different from
sshPublicKey, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field.Warning The public keys stored in the LDAP database must be in OpenSSH format.
Navigate to and create a new Connection.
Enter the IP addresses of the clients and the servers into the From and To fields.
Select the authentication policy created in Step 1 from the combobox.
Select the LDAP policy created in Step 7 from the combobox.
If the server accepts a user only from a specific IP address, select the Use original IP address of the client radiobutton from the SNAT field.
Configure the other options of the connection as necessary.
Click .
To test the above settings, initiate a connection from the client machine to the server.
9.1.3. Procedure – Configuring public-key authentication using an LDAP server and generated keys
Purpose:
To fetch the public keys of the users from an LDAP server and have SCB generate a keypair that is used in the server-side connection on-the-fly, and upload the public key of this pair to the LDAP database, complete the following steps:
Steps:
Navigate to and create a new Authentication Policy.
Select Client authentication backend > LDAP > Publickey, deselect all other options.
Select Server authentication methods > Publickey > Publish to LDAP, deselect all other options.
Click .
Navigate to and click
to create a new LDAP policy.Enter the parameters of the LDAP server. For details, see Procedure 5.1.7, Authenticating users to an LDAP server.
-
If different from
sshPublicKey, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field.Warning The public keys stored in the LDAP database must be in OpenSSH format.
Enter the name of the LDAP attribute where SCB shall upload the generated keys into the Generated publickey attribute name field.
Click Commit.
Navigate to and create a new Connection.
Enter the IP addresses of the clients and the servers into the From and To fields.
Select the authentication policy created in Step 1 from the combobox.
Select the LDAP policy created in Step 7 from the combobox.
If the server accepts a user only from a specific IP address, select the Use original IP address of the client radiobutton from the SNAT field.
Configure the other options of the connection as necessary.
Click .
To test the above settings, initiate a connection from the client machine to the server.
When using SCB in Bastion mode, the administrators must address the external interface of SCB to access the protected servers. If an administrator has access to more than one protected server, SCB must be able to determine which server the administrator wants to access. For each protected server, the administrators must address either different ports of the external interface, or different alias IP addresses of the external interface.
9.2.1. Procedure – Organizing connections based on port numbers
Purpose:
To organize connections based on port numbers, complete the following steps:
Organizing connections based on port numbers is advantageous if the external interface of SCB has a public IP address and the protected servers must be administered from the Internet.
Steps:
Navigate to the tab of the menu.
-
Add a new connection. Enter the IP address of the administrators into the From fields, and the IP address and port number of the server into the Target field.
Enter the IP address of the external interface of SCB into the To field, and enter a port number into the Port field.
-
Repeat Steps 2-3 for every protected server, but every time use a different port number in Step 3.
Warning In case you want to use ports
22or443and managing SCB is enabled on the network interface, make sure to create and alias IP address on the interface and use the alias IP in the connection policies. Ports 22 and 443 are reserved to accessing SCB on the main IP addresses of interfaces where management connections are enabled. For details on configuring alias IP addresses, see Section 4.3.1, Network settings. Click . The administrators can access the protected servers by connecting to the IP address of SCB's external interface, and use the port number to select which server they want to access.
9.2.2. Procedure – Organizing connections based on alias IP addresses
Purpose:
Organizing connections based on alias IP addresses is advantageous if the external interface of SCB is connected to a private network and many private IP addresses are available.
Steps:
Navigate to the tab of the menu.
Click
in the External interface section to
add a a new alias IP address to the external interface. Repeat this step for
every protected server. Use a different IP address each time.Navigate to the tab of the menu.
-
Add a new connection. Enter the IP address of the administrators into the From fields, and the IP address and port number of the server into the Target field.
-
Enter an alias IP address of the external interface of SCB into the To field.
Warning Do not use the primary IP address of the external interface if the management interface of SCB is not configured. Using this IP address may make the SSH server of SCB unaccessible.
Repeat Steps 4-5 for every protected server, but every time use a different alias IP address in Step 5.
Click . The administrators can access the protected servers by connecting to an alias IP address of SCB's external interface. The alias IP address determines which server they will access.
If the management interface is not configured, the SCB host can be accessed using SSH only on port 22 of the external interface. But if the primary IP address of the external interface and port 22 is used in a connection policy, the SSH connection targeting SCB is redirected to a protected server, and SCB cannot be accessed using SSH.
Do not use port 22 of the external interface in connection policies: use other port numbers or alias IP addresses instead. For details, see Procedure 9.2.1, Organizing connections based on port numbers and Procedure 9.2.2, Organizing connections based on alias IP addresses. Use these methods if possible.
For details on enabling the SSH server of SCB, see Procedure 4.5.5.2, Enabling SSH access to the SCB host.
9.3. Procedure – Using nontransparent Bastion mode
Purpose:
Nontransparent mode allows you to create a single connection policy and allow users to
access any server by including the name of the target server in their username (for example
ssh username@targetserver@scb_address). To configure
nontransparent mode, complete the following steps.
|
Note |
|---|---|
Nontransparent mode is most commonly used in Bastion mode, but it works with other modes of operation as well. |
Steps:
-
Select the type of connection from the main menu.
To configure a Secure Shell connection, select .
To configure a Remote Desktop connection, select .
Note Nontransparent mode in the Telnet protocol is currently not supported.
Click
and enter a name that will identify the connection (for example
admin_mainserver).Enter the IP address of the client that will be permitted to access the server into the From field. Click
to list additional clients.-
Enter the IP address of SCB's external interface into the To field.
Warning When using SSH connections in nontransparent mode, the clients should not address port 22 of SCB's external interface, as it may make SCB unaccessible for remote maintenance. For details, see Section 9.2.3, Accessing the SCB host in Bastion mode using SSH.
Click
to display the details of the connection and select
Inband destination selection.Enter the IP address or the hostname of the domain name server used to resolve the address of the server extracted from the username into the DNS Server field.
-
If the clients do not include the domain name when addressing the server (for example they use
username@serverinstead ofusername@server1.example.com), SCB can automatically add domain information (for exampleexample.com). Enter the domain name to add into the Append domain field.Note If the Append domain field is filled, SCB will always add this suffix to the hostname. If you set the option, make sure that the clients do not include the domain name in their requests.
Tip Windows RDP clients often send only the first 9 characters of the username to the server, making nontransparent operation difficult. The parameter can be used to complete the missing part. Also, it is not necessary to include the username when starting an RDP connection (for example use only
@server); the user can type the username later in the graphical login screen. -
Click
and enter the addresses of the servers that the users are
permitted to access into the Targets field. Use the IP
address/netmask (for example 192.168.2.16/32) format, or enter the hostname of the server, as addressed by the client. The hostnames may contain the*and?wildcard characters. Do not include the Append domain (DNS Suffix) in the hostname if you have set it in the previous step.If the clients address the server using its IP address, make sure to include the IP address of the server in the Targets list. This is required because SCB resolves the hostnames to IP addresses, but does not reverse-resolve IP addresses to hostnames. So if only the hostname of the server is listed and the client addresses the server using its IP address, SCB will refuse the connection.
Leave the Port field empty if the clients may access any port on the server, or enter the specified port they can access.
Configure other parameters of the connection as needed.
Click .
9.4. Procedure – Restoring SCB configuration and data
Purpose:
The following procedure describes how to restore the configuration and data of SCB from a complete backup, for example, after a hardware replacement.
|
Warning |
|---|---|
|
The upgrade requires a new license file and an SCB reboot. No connections can pass SCB until you upload the new license file, meaning that SCB and its services will not be available for a few minutes, even if you are using an SCB cluster. It is possible to import a configuration exported from SCB 2.0.x into SCB 3 F2, but it is not possible to restore a 2.0.x backup into 3 F2. Therefore, the first backup after the upgrade will be a complete backup of every data stored on SCB. Make sure that there is enough free space on the backup server. |
Steps:
Connect to your backup server and locate the directory where SCB saves the backups. The configuration backups are stored in the
configsubdirectory in timestamped files. Find the latest configuration file (the configuration files are calledSCB-timestamp.config).-
Connect to SCB.
If you have not yet completed the Welcome Wizard, click , select the configuration file, and click .
If you have already completed the Welcome Wizard, navigate to , select the configuration file, and click .
Navigate to Policies > Backup & Archive/Cleanup. Verify that the settings of the target servers and the backup protocols are correct.
Navigate to Basic Settings > Management > System backup, click and wait for the process to finish. Depending on the amount of data stored in the backup and the speed of the connection to the backup server, this may take a long time.
Navigate to SSH Control > Connections, and click Restore ALL. Repeat this step for other traffic types. Depending on the amount of data stored in the backup and the speed of the connection to the backup server, this may take a long time.
This chapter discusses common scenarios for SCB.
10.1. Procedure – SSH usermapping and keymapping in AD with public key
Purpose:
A customer wants to be able to disable password authentication in SSH for admin users on the UNIX servers. However, the customer uses Active Directory, and would not like to enter the username/password at gateway authentication for every login over and over again. Therefore, the customer needs a quasi SSO-like system, with only one group logging in as root and another group as XY user.
Steps:
-
Create an LDAP authentication policy. For details on creating a new authentication policy, see Section 5.2.3, Authentication Policies. In this scenario, only a few important details will be highlighted.
In the field, set the authentication method used on the client-side to . This will be the Active Directory where the gateway will get the public key from, for authentication. Enable only from the and disable all other methods.
In the field, enable and disable all other methods. Under , set the to so that end users will not know the key.
Navigate to the bottom of the policy, and click
.Enter the username in the field (for example:
root). Generate a and upload its public counterpart to the server.
-
Set an LDAP server policy where you setup the active directory. For details on authenticating users to an LDAP server, see Procedure 5.1.7, Authenticating users to an LDAP server. In this scenario, only a few important details will be highlighted.
If the domain name is
DEMO.balabit, then enter the following:DC=DEMO,DC=balabitCN=Administrator,CN=Users,DC=DEMO,DC=balabit<the password of the admin>:
sshPublicKey
-
By default, the active directory does not have any attribute that could store the SSH public key. To solve this, perform the following steps:
-
Enable Schema updates by means of the registry:
Click , click , and then in the box, type:
regedit. Press .Locate and click the following registry key: .
On the menu, click , and then click .
-
Enter the value data when the following registry value is displayed:
Value Name: Schema Update Allowed Data Type: REG_DWORD Base: Binary Value Data: 1
Note Type
1to enable this feature, or0(zero) to disable it. Quit Registry Editor.
-
To install the Schema snap-in, click , click , and then in the box, type:
regsvr32 schmmgmt.dll. Press .
Click , click , and then in the box, type:
MMC. Press .-
Navigate to , select and click .
Expand the Active Directory schema and right click .
-
Click . If a warning appears, click .
In and enter
sshPublicKey.In enter
1.3.6.1.4.1.24552.1.1.1.13.For , select
IA5-String.-
Enable . Click .
Right click and click . If a warning appears, click .
Name the class as
ldapPublicKey.In enter
1.3.6.1.4.1.24552.500.1.1.2.0.-
In enter
top, and in enterAuxiliary.
-
Click . Add
sshPublicKeyto the field. Click .
-
Expand and select . Right click and select . Navigate to , click and add the class. Click .
-
-
The next step is to map the public keys to users. This is not possible in a user editor, use a low-level LDAP utility instead.
-
Create a usermapping policy where you will set those groups from the Active Directory who can become root. For details on creating usermapping policies, see Procedure 8.1, Configuring usermapping policies. In this scenario, only a few important details will be highlighted.
Set the to
rootand select the group you intend to give these rights to.If you intend to allow other users in without usermapping, enable .
The original version of the protocol (SSH-1, dated 1995) has been revised in 1996, and SSH-2 was created offering improved security and new features. The two versions of the protocol are incompatible with each other. Since SSH-1 has inherent design flaws and is vulnerable to attacks, it is now generally considered obsolete and its use should not be permitted. Practically all servers and client application today support SSH-2, use of SSH-1 should be explicitly disabled. Regrettably, software not supporting SSH-2 may still be in use by organizations and it means a considerable security vulnerability to these organizations.
SSH is the main tool used by system administrators for remote system administration tasks. There are several different implementations of the SSH protocol virtually for all kinds of platforms (Windows, Linux, Unix, Mac OS X, BSD, and so on), starting from embedded systems through desktops up to mainframes. Implementations differ in their availability (open source, freeware, commercial) and the level of completeness they offer: some applications implement only certain parts of the protocol, for example WinSCP provides only secure file transfer.
One of the main features of the SSH protocol is that almost the entire communication between the client and the server is encrypted – including the authentication of the user. (Naturally, the negotiation of the encryption method to be used is in plain text). During the initialization of the session server authentication is performed and parameters for encryption, data compression and integrity verification of the data transferred are negotiated. The protocol enforces user authentication and is capable of authenticating the user via various methods: password, RSA key, Challenge/Response schemes like S/Key and OPIE, and so on The typical uses of SSH include the following:
Remote shell: Remotely administer a computer via an interactive terminal console. This is one of the most widespread uses of SSH.
Remote command execution: Execute commands on the remote machine. Remote command execution can result in significant data transfer, for example when performing scheduled or manual tasks such as file copying (scp), data or file synchronization (rsync), creating archive backups (tar), and so on.
TCP IP forwarding (also known as port forwarding): It is possible to tunnel any TCP/IP connection from the client or from the server into the encrypted SSH channel. It can also be used to forward communication otherwise not allowed, such as the access of ports banned by the security policy. This allows to secure any – normally unencrypted – data transfer and is frequently used as an easy way to secure connections between the hosts without the need to set up full VPN connections.
File transfer: Securely transfer files using SFTP.
X11 forwarding: Applications running on the server and requiring graphical interface (X Window) appear on the client's monitor, but run on the server in all other respect, thus it is possible to work with them remotely.
Agent forwarding: Transfer authentication requests to the client machine.
Depending on the server and client application, SSH is able to transfer data of several different channels simultaneously within a single connection, thus for example it is possible to transfer files from the client to the server via SFTP and to manage the server remotely via remote shell using only a single connection.
SCB is able to enforce policies on the various elements of the encrypted SSH communication, such as the MAC, key-exchange, and so on algorithms that are permitted to be used. The parameters can be set separately for the client and for the server side. The attributes are represented as comma-separated strings listing the enabled methods/algorithms, in the order of preference.
The following parameters can be configured:
Key exchange (KEX) algorithms: SCB supports the
diffie-hellman-group14-sha1anddiffie-hellman-group1-sha1algorithms.-
Hostkey algorithms: The supported algorithms are
ssh-rsaandssh-dss.Note To show the clients a hostkey using the above algorithms, the corresponding private key has to be set in the connection policy of SCB.
Cipher algorithms: The following symmetric-cipher algorithms are supported:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc.MAC algorithms: The supported algorithms are:
hmac-sha1andhmac-md5.
Carefully unpack all server components from the packing cartons. The following items should be packaged with the BalaBit Shell Control Box:
A BalaBit Shell Control Box appliance, preinstalled with the latest BalaBit Shell Control Box firmware.
-
BalaBit Shell Control Box accessory kit, including the following:
Delivery note
BalaBit Shell Control Box License Agreement
BalaBit Shell Control Box Certificate (includes the purchased license and support options, BIOS and IPMI passwords, and support contact details)
BalaBit Shell Control Box Hardware Installation Guide
Rackmount
Power cable
This leaflet describes how to set up the BalaBit Shell Control Box (SCB) hardware. Refer to the following documents for step-by-step instructions:
BalaBit Shell Control Box N1000: For details on installing SCB into a rack, see the SC811 CHASSIS Series User's Manual, Chapter 6: Rack Installation. For details on connecting the cables to SCB see the X8SIE/X8SIE-F/X8SIE-LN4/X8SI6-F User's Manual, Section 2-5 Connectors/IO Ports.
BalaBit Shell Control Box N1000d: For details on installing SCB into a rack, see the SC825M CHASSIS Series User's Manual, Chapter 5: Rack Installation. For details on connecting the cables to SCB see the X8DT3/X8DTi/X8DT3-F/X8DTi-F/X8DT3-LN4F/X8DTi-LN4F User's Manual, Section 2-5 Control Panel Connectors/IO Ports.
BalaBit Shell Control Box N10000: For details on installing SCB into a rack, see the SC826 CHASSIS Series User's Manual, Chapter 6: Rack Installation. For details on connecting the cables to SCB see the X8DT3/X8DTi/X8DT3-F/X8DTi-F/X8DT3-LN4F/X8DTi-LN4F User's Manual, Section 2-5 Control Panel Connectors/IO Ports.
The manuals are available online at the BalaBit Hardware Documentation page.
For details on how to install a single SCB unit, see Procedure 3.1, Installing the SCB hardware.
For details on how to install a two SCB units in high availability mode, see Procedure 3.2, Installing two SCB units in HA mode.
3.1. Procedure – Installing the SCB hardware
Purpose:
To install a single SCB unit, complete the following steps.
Steps:
Unpack SCB.
Optional step: Install SCB into a rack with the slide rails. Slide rails are available for all SCB appliances.
-
Connect the cables.
Connect the Ethernet cable facing your LAN to the Ethernet connector labeled as
EXT. This is the external interface of SCB and is used to configure SCB. (For details on the roles of the different interfaces, see Section 2.9, Network interfaces.)Connect the Ethernet cable facing your servers to the Ethernet connector labeled as
INT. This is the internal interface of SCB. (For details on the roles of the different interfaces, see Section 2.9, Network interfaces.)-
Connect an Ethernet cable that you can use to remotely support the SCB hardware to the
IPMIinterface of SCB. For details, see the following documents:The Onboard BMC/IPMI User's Guide, available at the BalaBit Hardware Documentation page.
It is not necessary for the IPMI interface to be accessible from the Internet, but the administrator of SCB must be able to access it for support and troubleshooting purposes in case vendor support is needed.
Warning Access to information available only via the IPMI interface is a not mandatory, but highly recommended to speed up the support and troubleshooting processes.
Optional step: Connect the Ethernet cable to be used for managing SCB after its initial configuration to the Ethernet connector labeled as
MGMT. This is the management interface of SCB. (For details on the roles of the different interfaces, see Section 2.9, Network interfaces.)Optional step: Connect the Ethernet cable connecting SCB to another SCB node to the Ethernet connector labeled as
HA. This is the high availability (HA) interface of SCB. (For details on the roles of the different interfaces, see Section 2.9, Network interfaces.)
Power on the hardware.
Change the BIOS and IPMI passwords on the BalaBit Shell Control Box. The default password is
changeme.-
Connect to the SCB web interface from a client machine and complete the Welcome Wizard. This might require you to configure an alias interface on the client machine. Step 5 is described in detail in Chapter 3, The Welcome Wizard and the first login.
Note The BalaBit Shell Control Box Administrator Guide is available on the SCB on the BalaBit Documentation page.
3.2. Procedure – Installing two SCB units in HA mode
Purpose:
To install SCB with high availability support, complete the following steps.
Steps:
For the first SCB unit, complete Procedure 3.1, Installing the SCB hardware.
For the second SCB unit, complete Steps 1-2 of Procedure 3.1, Installing the SCB hardware.
Connect the two units with an Ethernet cable via the Ethernet connectors labeled as
HA.Power on the second unit.
Connect to the SCB web interface of the first unit from a client machine and enable the high availability mode. Navigate to . Click , then reload the page in your browser.
Reboot the slave unit, then reboot the master unit. Wait a few minutes until the master unit boots, then reload the page in your browser.
Wait until the slave unit synchronizes its disk to the master unit. Depending on the size of the hard disks, this may take several hours. You can increase the speed of the synchronization via the SCB web interface at .
Refer to the Setup Troubleshooting chapter of the respective guide if you encounter any problems. If you still experience problems, contact the BalaBit Support Team via phone or e-mail:
Support e-mail address: <support@balabit.com>.
Support hotline: +36 1 371 0540 (available from 9 AM to 5 PM CET on weekdays)
If you have already registered your product on the MyBalaBit website, submit your support request using the BalaBit Online Support System. This online support service is available 24 hours a day.
This tutorial describes the possibilities and limitations of installing BalaBit Shell Control Box (SCB) 3 F2 as a virtual appliance under a VMware ESXi server.
Version 3 F2 of SCB has no special support for running under VMware. While the basic functionality of SCB is not affected by running as a virtual appliance, the following limitations apply:
SCB can use only the fixed disk space assigned to the virtual host during its installation: it is not possible to modify the size of the disks later, neither can SCB be used in on-demand disk allocation scenarios.
SCB currently does not comply with the VMware Ready program and does not have vmware-tools installed. As a result, SCB does not support VMotion and it is not possible to integrate it into an existing VMware infrastructure.
High availability mode is not supported in VMware.
Hardware-related alerts and status indicators of SCB may display inaccurate information, for example, display degraded RAID status.
The Bridge operation mode of SCB cannot be used in VMware.
4.2. Procedure – Installing SCB under VMware ESXi
Purpose:
To install a new SCB under VMware ESXi, complete the following steps:
|
Warning |
|---|---|
SCB can be installed under VMware ESXi 4.0 or later, earlier VMware versions are not supported. |
Steps:
-
Create the virtual machine for SCB using the following settings:
Guest operating system:
-
Allocate memory for the virtual machine. SCB requires a minimum of 512MB of memory. The recommended size for the memory depends on the exact environment, but consider the following:
The base system requires 256MB
SCB requires about 1-5MB of memory for every active connection, depending on the type of the connection — graphical protocols require more memory.
Using more than 8GB of memory is not supported under VMware, with 4GB being adequate for most tasks.
The hard disk controller must be .
Do not use RAID for the hard disk, a single hard disk is sufficient for the system.
SCB uses a single fixed-sized disk. About 5GB is required for the base system, the remaining disk space is used to store data. Use one of the following disk sizes (in GB):
8, 12, 68, 160, 230, 250, 465, 500, 925, 1029, 2053, 3077, 4101, 4645, 5125, 6149, 7173, 8197, 9205.SCB requires 4 network cards, all of them must be .
-
After creating the virtual machine, edit the settings of the machine. Set the following options:
Under enable the options, otherwise the SCB administrator will not be able to access these functions from the SCB web interface.
Under enable the option. This is required to be able to check the system time (and modify it if needed) before installing SCB.
Under enable the option.
Login to your MyBalaBit account and download the latest BalaBit Shell Control Box installation ISO file. Note that you need to have purchased SCB as a virtual appliance or have partner access to download BalaBit Shell Control Box ISO files. If you are a partner but do not see the ISO files, you can request partner access within MyBalaBit.
Mount the ISO image and boot the virtual machine. Follow the on-screen instructions to install SCB.
(c) BalaBit IT Security Ltd.
This License Contract is entered into by and between BalaBit and Licensee and sets out the terms and conditions under which Licensee and/or Licensee’s Authorized Subsidiaries may use the BalaBit Shell Control Box under this License Contract.
In this License Contract, the following words shall have the following meanings:
Company name: BalaBit IT Security Ltd.
Registered office: H-1117 Budapest, Alíz u. 4.
Company registration number: 01-09-687127
Tax number: HU11996468
| Annexed Software | Any third party software that is a not a BalaBit Product contained in the install media of the BalaBit Product. |
| Authorized Subsidiary | Any subsidiary organization: (i) in which Licensee possesses more than fifty percent (50%) of the voting power and (ii) which is located within the Territory. |
| BalaBit Product | Any software, hardware or service Licensed, sold, or provided by BalaBit including any installation, education, support and warranty services, with the exception of the Annexed Software. |
| License Contract | The present BalaBit Shell Control Box License Contract. |
| Product Documentation | Any documentation referring to the BalaBit Shell Control Box or any module thereof, with special regard to the administration guide, the product description, the installation guide, user guides and manuals. |
| Protected Servers | Host computers located in the zones protected by BalaBit Shell Control Box that have their administrative traffic controlled or audited by BalaBit Shell Control Box. |
| Protected Objects | The entire BalaBit Shell Control Box software including all of its modules, all the related Product Documentation; the source code, the structure of the databases, all registered information reflecting the structure of the BalaBit Shell Control Box and all the adaptation and copies of the Protected Objects that presently exist or that are to be developed in the future, or any product falling under the copyright of BalaBit. |
| BalaBit Shell Control Box | The BalaBit Product designed for controlling and auditing server administration traffic as defined by the Product Description. |
| Warranty Period | The period of twelve (12) months from the date of delivery of the BalaBit Shell Control Box to Licensee. |
| Territory | The countries or areas specified above in respect of which Licensee shall be entitled to install and/or use BalaBit Shell Control Box. |
| End-user Certificate | The document signed by Licensor which contains a) identification data of Licensee; b) configuration of BalaBit Shell Control Box, number of Protected Servers and designation of Licensed modules thereof; c) designation of the Territory; d) declaration of the parties on accepting the terms and conditions of this License Contract; and e) declaration of Licensee that is in receipt of the install media and the hardware appliance. |
Table 5.1. Words and expressions
For the BalaBit Shell Control Box licensed under this License Contract, BalaBit grants to Licensee a non-exclusive, non-transferable, perpetual license to use such BalaBit Product under the terms and conditions of this License Contract and the applicable End-user Certificate.
Licensee shall use the BalaBit Shell Control Box in the in the configuration and in the quantities specified in the End-user Certificate within the Territory.
On the install media (firmware CD-ROM) all modules of the BalaBit Shell Control Box will be presented, however, Licensee shall not be entitled to use any module which was not Licensed to it. Access rights to modules and IP connections are controlled by an “electronic key” accompanying the BalaBit Shell Control Box.
Licensee shall be entitled to make one back-up copy of the install media containing the BalaBit Shell Control Box.
Licensee shall make available the Protected Objects at its disposal solely to its own employees and those of the Authorized Subsidiaries.
Licensee shall take all reasonable steps to protect BalaBit’s rights with respect to the Protected Objects with special regard and care to protecting it from any unauthorized access.
Licensee shall, in 5 working days, properly answer the queries of BalaBit referring to the actual usage conditions of the BalaBit Shell Control Box that may differ or allegedly differs from the License conditions.
Licensee shall not modify the BalaBit Shell Control Box in any way, with special regard to the functions inspecting the usage of the software. Licensee shall install the code permitting the usage of the BalaBit Shell Control Box according to the provisions defined for it by BalaBit. Licensee may not modify or cancel such codes. Configuration settings of the BalaBit Shell Control Box in accordance with the possibilities offered by the system shall not be construed as modification of the software.
Licensee shall only be entitled to analyze the structure of the BalaBit Products (decompilation or reverse- engineering) if concurrent operation with a software developed by a third party is necessary, and upon request to supply the information required for concurrent operation BalaBit does not provide such information within 60 days from the receipt of such a request.
These user actions are limited to parts of the BalaBit Product which are necessary for concurrent operation. Any information obtained as a result of applying the previous Section (i) cannot be used for purposes other than concurrent operation with the BalaBit Product; (ii) cannot be disclosed to third parties unless it is necessary for concurrent operation with the BalaBit Product; (iii) cannot be used for the development, production or distribution of a different software which is similar to the BalaBit Product in its form of expression, or for any other act violating copyright.
For any Annexed Software contained by the same install media as the BalaBit Product, the terms and conditions defined by its copyright owner shall be properly applied. BalaBit does not grant any License rights to any Annexed Software.
Any usage of the BalaBit Shell Control Box exceeding the limits and restrictions defined in this License Contract shall qualify as material breach of the License Contract.
The Number of Protected Servers shall not exceed the amount defined in the End-user Certificate.
Licensee shall have the right to obtain and use content updates only if Licensee concludes a maintenance contract that includes such content updates, or if Licensee has otherwise separately acquired the right to obtain and use such content updates. This License Contract does not otherwise permit Licensee to obtain and use content updates.
Authorized Subsidiaries may also utilize the services of the BalaBit Shell Control Box under the terms and conditions of this License Contract. Any Authorized Subsidiary utilizing any service of the BalaBit Shell Control Box will be deemed to have accepted the terms and conditions of this License Contract.
Licensee agrees that BalaBit owns all rights, titles, and interests related to the BalaBit Shell Control Box and all of BalaBit's patents, trademarks, trade names, inventions, copyrights, know-how, and trade secrets relating to the design, manufacture, operation or service of the BalaBit Products.
The use by Licensee of any of these intellectual property rights is authorized only for the purposes set forth herein, and upon termination of this License Contract for any reason, such authorization shall cease.
The BalaBit Products are Licensed only for internal business purposes in every case, under the condition that such License does not convey any license, expressly or by implication, to manufacture, duplicate or otherwise copy or reproduce any of the BalaBit Products. No other rights than expressly stated herein are granted to Licensee.
Licensee will take appropriate steps with its Authorized Subsidiaries, as BalaBit may request, to inform them of and assure compliance with the restrictions contained in the License Contract.
BalaBit hereby grants to Licensee the non-exclusive right to use the trade marks of the BalaBit Products in the Territory in accordance with the terms and for the duration of this License Contract.
BalaBit makes no representation or warranty as to the validity or enforceability of the trade marks, nor as to whether these infringe any intellectual property rights of third parties in the Territory.
In case of negligent infringement of BalaBit’s rights with respect to the BalaBit Shell Control Box, committed by violating the restrictions and limitations defined by this License Contract, Licensee shall pay liquidated damages to BalaBit. The amount of the liquidated damages shall be twice as much as the price of the BalaBit Product concerned, on BalaBit’s current Price List.
BalaBit shall pay all damages, costs and reasonable attorney’s fees awarded against Licensee in connection with any claim brought against Licensee to the extent that such claim is based on a claim that Licensee’s authorized use of the BalaBit Product infringes a patent, copyright, trademark or trade secret. Licensee shall notify BalaBit in writing of any such claim as soon as Licensee learns of it and shall cooperate fully with BalaBit in connection with the defense of that claim. BalaBit shall have sole control of that defense (including without limitation the right to settle the claim).
If Licensee is prohibited from using any BalaBit Product due to an infringement claim, or if BalaBit believes that any BalaBit Product is likely to become the subject of an infringement claim, BalaBit shall at its sole option, either: (i) obtain the right for Licensee to continue to use such BalaBit Product, (ii) replace or modify the BalaBit Product so as to make such BalaBit Product non-infringing and substantially comparable in functionality or (iii) refund to Licensee the amount paid for such infringing BalaBit Product and provide a pro-rated refund of any unused, prepaid maintenance fees paid by Licensee, in exchange for Licensee’s return of such BalaBit Product to BalaBit.
Notwithstanding the above, BalaBit will have no liability for any infringement claim to the extent that it is based upon: (i) modification of the BalaBit Product other than by BalaBit, (ii) use of the BalaBit Product in combination with any product not specifically authorized by BalaBit to be combined with the BalaBit Product or (iii) use of the BalaBit Product in an unauthorized manner for which it was not designed.
The number of the Protected Servers, the configuration and the modules licensed shall serve as the calculation base of the License fee.
Licensee acknowledges that payment of the License fees is a condition of lawful usage.
License fees do not contain any installation or post charges.
BalaBit warrants that during the Warranty Period, the magnetic or optical media upon which the BalaBit Product is recorded will not be defective under normal use. BalaBit will replace any defective media returned to it, accompanied by a dated proof of purchase, within the Warranty Period at no charge to Licensee. Upon receipt of the allegedly defective BalaBit Product, BalaBit will at its option, deliver a replacement BalaBit Product or BalaBit's current equivalent to Licensee at no additional cost. BalaBit will bear the delivery charges to Licensee for the replacement Product.
In case of installation by BalaBit, BalaBit warrants that during the Warranty Period, the BalaBit Shell Control Box, under normal use in the operating environment defined by BalaBit, and without unauthorized modification, will perform in substantial compliance with the Product Documentation accompanying the BalaBit Product, when used on that hardware for which it was installed, in compliance with the provisions of the user manuals and the recommendations of BalaBit. The date of the notification sent to BalaBit shall qualify as the date of the failure. Licensee shall do its best to mitigate the consequences of that failure. If, during the Warranty Period, the BalaBit Product fails to comply with this warranty, and such failure is reported by Licensee to BalaBit within the Warranty Period, BalaBit’s sole obligation and liability for breach of this warranty is, at BalaBit’s sole option, either: (i) to correct such failure, (ii) to replace the defective BalaBit Product or (iii) to refund the license fees paid by Licensee for the applicable BalaBit Product.
EXCEPT AS SET OUT IN THIS LICENSE CONTRACT, BALABIT MAKES NO WARRANTIES OF ANY KIND WITH RESPECT TO THE BALABIT SHELL CONTROL BOX. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BALABIT EXCLUDES ANY OTHER WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF SATISFACTORY QUALITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN UNION, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES AND, THEREFORE, THE FOLLOWING LIMITATION OR EXCLUSION MAY NOT APPLY TO THIS LICENSE CONTRACT IN THOSE STATES AND COUNTRIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET OUT IN THIS LICENSE CONTRACT FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT SHALL BALABIT BE LIABLE TO LICENSEE FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES OR LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE BALABIT SHELL CONTROL BOX EVEN IF BALABIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO CASE SHALL BALABIT’S TOTAL LIABILITY UNDER THIS LICENSE CONTRACT EXCEED THE FEES PAID BY LICENSEE FOR THE BALABIT SHELL CONTROL BOX LICENSED UNDER THIS LICENSE CONTRACT.
This License Contract shall come into effect on the date of signature of the End-user Certificate by the duly authorized representative of BalaBit.
Licensee may terminate the License Contract at any time by written notice sent to BalaBit and by simultaneously destroying all copies of the Protected Objects licensed under this License Contract.
BalaBit may terminate this License Contract with immediate effect by written notice to Licensee, if Licensee is in material or persistent breach of the License Contract and either that breach is incapable of remedy or Licensee shall have failed to remedy that breach within 30 days after receiving written notice requiring it to remedy that breach.
Save as expressly provided in this License Contract, no amendment or variation of this License Contract shall be effective unless in writing and signed by a duly authorized representative of the parties to it.
The failure of a party to exercise or enforce any right under this License Contract shall not be deemed to be a waiver of that right nor operate to bar the exercise or enforcement of it at any time or times thereafter.
If any part of this License Contract becomes invalid, illegal or unenforceable, the parties shall in such an event negotiate in good faith in order to agree on the terms of a mutually satisfactory provision to be substituted for the invalid, illegal or unenforceable provision which as nearly as possible validly gives effect to their intentions as expressed in this License Contract.
Any notice required to be given pursuant to this License Contract shall be in writing and shall be given by delivering the notice by hand, or by sending the same by prepaid first class post (airmail if to an address outside the country of posting) to the address of the relevant party set out in this License Contract or such other address as either party notifies to the other from time to time. Any notice given according to the above procedure shall be deemed to have been given at the time of delivery (if delivered by hand) and when received (if sent by post).
Headings are for convenience only and shall be ignored in interpreting this License Contract.
This License Contract and the rights granted in this License Contract may not be assigned, sublicensed or otherwise transferred in whole or in part by Licensee without BalaBit’s prior written consent. This consent shall not be unreasonably withheld or delayed.
An independent third party auditor, reasonably acceptable to BalaBit and Licensee, may upon reasonable notice to Licensee and during normal business hours, but not more often than once each year, inspect Licensee’s relevant records in order to confirm that usage of the BalaBit Shell Control Box complies with the terms and conditions of this License Contract. BalaBit shall bear the costs of such audit. All audits shall be subject to the reasonable safety and security policies and procedures of Licensee.
This License Contract constitutes the entire agreement between the parties with regard to the subject matter hereof.
Any modification of this License Contract must be in writing and signed by both parties.
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
-
Definitions
"Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.
"Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.
"Distribute" means to make available to the public the original and copies of the Work through sale or other transfer of ownership.
"Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.
"Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.
"Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.
"You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
"Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.
"Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.
Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.
-
License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; and,
to Distribute and Publicly Perform the Work including as incorporated in Collections.
The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats, but otherwise you have no rights to make Adaptations. Subject to 8(f), all rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Section 4(d).
-
Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested.
You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works.
If You Distribute, or Publicly Perform the Work or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (for example a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work. The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Collection, at a minimum such credit will appear, if a credit for all contributing authors of Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
-
For the avoidance of doubt:
Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License if Your exercise of such rights is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b) and otherwise waives the right to collect royalties through any statutory or compulsory licensing scheme; and,
Voluntary License Schemes. The Licensor reserves the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License that is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b).
Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation.
Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
Termination
This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
-
Miscellaneous
Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.
- 4-eyes authorization
4-eyes authorization is an advanced authorization method where only two administrators logging in simultaneously are permitted to access the server. These administrators can monitor each other's work, reducing the chance of (accidental or intentional) human errors in the server administration process.
- alias IP
An additional IP address assigned to an interface that already has an IP address. The normal and alias IP addresses both refer to the same physical interface.
- auditing policy
The auditing policy determines which events are logged on host running Microsoft Windows operating systems.
- authentication
The process of verifying the authenticity of a user or client before allowing access to a network system or service.
- Authentication Policy
An authentication policy is a list of authentication methods that can be used in a connection. Connection definitions refer to an authentication policy to determine how the client can authenticate to the target server.
- Audit trail
An audit trail is a file storing the recorded activities of the administrators in an encrypted format. Audit trails can be replayed using the Audit Player application.
- Audit Player
Audit Player is a desktop application that can replay recorded audit trails like movie. The Audit Player is available for the Microsoft Windows and GNU/Linux platforms.
- BSD-syslog protocol
The old syslog protocol standard described in RFC 3164 The BSD syslog Protocol. Sometimes also referred to as the legacy-syslog protocol.
- CA
A Certificate Authority (CA) is an institute that issues certificates.
- certificate
A certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA that signed the certificate, and some other data.
- Common Gateway Protocol (CGP)
Reliable connection is also known as Common Gateway Protocol (CGP). It makes reconnection possible to the server in case of a network failure. Default port number is 2598.
- Channel Policy
The channel policy lists the SSH channels (for example terminal session, SCP, and so on) that can be used in a connection. The channel policy can further restrict access to each channel based on the IP address of the client or the server, a user list, or a time policy.
- client mode
In client mode, syslog-ng collects the local logs generated by the host and forwards them through a network connection to the central syslog-ng server or to a relay.
- controlled traffic
SCB audits and controls only the traffic that is configured in the connection and channel policies, all other traffic is forwarded on the packet level without any inspection.
- disk buffer
The Premium Edition of syslog-ng can store messages on the local hard disk if the central log server or the network connection to the server becomes unavailable.
- disk queue
See disk buffer.
- domain name
The name of a network, for example
balabit.com.- External network interface
The external interface (labeled
EXT) is used for general communication between the clients and the servers. If the SCB appliance has only two interfaces, the external interface is used for management purposes as well.- firmware
A firmware is a collection of the software components running on SCB. Individual software components cannot be upgraded on SCB, only the entire firmware. SCB contains two firmwares, an external (or boot) firmware and an internal (or core) firmware. These can be upgraded separately.
- gateway
A device that connect two or more parts of the network, for example your local intranet and the external network (the Internet). Gateways act as entrances into other networks.
- High Availability
High Availability (HA) uses a second SCB unit (called slave node) to ensure that the services are available even if the first unit (called master node) breaks down.
- host
A computer connected to the network.
- hostname
A name that identifies a host on the network. Hostnames can contain only alphanumerical characters (A-Z, a-z, 0-9) and the hyphen (-) character.
- HA network interface
The HA interface (labeled
HA) is an interface reserved for communication between the nodes of SCB clusters.- ICA
The base protocol of Citrix products (default port tcp/1494). It does desktop or application remoting through TCP or other network protocols. Independent Computing Architecture (ICA) is a proprietary protocol for an application server system, designed by Citrix Systems. The protocol lays down a specification for passing data between server and clients, but is not bound to any one platform. ICA is broadly similar in purpose to window servers such as the X Window System. It also provides for the feedback of user input from the client to the server, and a variety of means for the server to send graphical output, as well as other media such as audio, from the running application to the client.
- Internal network interface
The internal interface (labeled
INT) is used exclusively for communication between SCB and the protected servers; incoming connections are not allowed on this interface.- IETF-syslog protocol
The syslog-protocol standard developed by the Internet Engineering Task Force (IETF), described in RFC 5424 The BSD syslog Protocol.
- key pair
A private key and its related public key. The private key is known only to the owner; the public key can be freely distributed. Information encrypted with the private key can only be decrypted using the public key.
- LDAP
The Lightweight Directory Access Protocol (LDAP), is an application protocol for querying and modifying data using directory services running over TCP/IP.
- License
SCB's license determines the number of servers (IP addresses) that SCB protects; the license limits the number of IP addresses accessible on the internal interface.
- log path
A combination of sources, filters, parsers, rewrite rules, and destinations: syslog-ng examines all messages arriving to the sources of the logpath and sends the messages matching all filters to the defined destinations.
- Management network interface
The management interface (labeled
MGMT) is used exclusively for communication between SCB and the auditor or the administrator of the BalaBit Shell Control Box. This includes replaying the audit trails stored on SCB using the Audit Player application (AP).- master node
The active SCB unit that is inspecting the traffic when SCB is used in High Availability mode.
- name server
A network computer storing the IP addresses corresponding to domain names.
- node
An SCB unit running in High Availability mode.
- ping
A command that sends a message from a host to another host over a network to test connectivity and packet loss.
- port
A number ranging from 1 to 65535 that identifies the destination application of the transmitted data. For example: SSH commonly uses port 22, web servers (HTTP) use port 80, and so on.
- Public-key authentication
An authentication method that uses encryption key pairs to verify the identity of a user or a client.
- redundant Heartbeat interface
A redundant Heartbeat interface is a virtual interface that uses an existing interface of the SCB device to detect that the other node of the SCB cluster is still available. The virtual interface is not used to synchronize data between the nodes, only Heartbeat messages are transferred.
- SCB
An abbreviation of the BalaBit Shell Control Box name.
- slave node
The passive SCB unit that replaces the active unit (the master node) if the master becomes unavailable.
- SNMP
Simple Network Management Protocol (SNMP) is an industry standard protocol used for network management. SCB can send SNMP alerts to a central SNMP server.
- split brain
A split brain situation occurs when for some reason (for example the loss of connection between the nodes) both nodes of a SCB cluster become active (master). This might cause that new data (for example audit trails) is created on both nodes without being replicated to the other node. Thus, it is likely in this situation that two diverging sets of data are created, which cannot be trivially merged.
- SSH settings
SSH settings determine the parameters of the connection on the protocol level, including timeout value and greeting message of the connection, as well as the encryption algorithms used.
- syslog-ng
The syslog-ng application is a flexible and highly scalable system logging application, typically used to manage log messages and implement centralized logging.
- syslog-ng client
A host running syslog-ng in client mode.
- syslog-ng Premium Edition
The syslog-ng Premium Edition is the commercial version of the open-source application. It offers additional features, like encrypted message transfer and an agent for Microsoft Windows platforms.
- syslog-ng relay
A host running syslog-ng in relay mode.
- syslog-ng server
A host running syslog-ng in server mode, like SCB.
- Time Policy
The time policy determines which hours of a day can the users access a connection or a channel.
- traceroute
A command that shows all routing steps (the path of a message) between two hosts.
- User List
User lists are white- or blacklists of usernames that allow fine-control over who can access a connection or a channel.
Symbols
A
- accessing SCB using SSH, Accessing the SCB console
- in Bastion mode, Accessing the SCB host in Bastion mode using SSH
- accounting SCB, Listing and searching configuration changes, Changelogs of SCB
- admin password, The Welcome Wizard and the first login
- administrator password, The Welcome Wizard and the first login
- advanced statistics, Browsing log messages and SCB reports
- alias interfaces, Network settings
- alias IP addresses, The initial connection to SCB, Network settings
- AP, Viewing session information and replaying audit trails
- context search in RDP streams, Searching in graphical streams
- encrypted audit trails, Replaying and processing encrypted audit trails
- finding audit trails, Finding specific audit trails
- font types in RDP streams, Searching in graphical streams
- hotkeys, Replaying audit trails
- importing certificates, Replaying and processing encrypted audit trails
- logging in, Logging with the Audit Player
- OCR, Searching in graphical streams
- projects, Using projects
- replaying audit trails, Replaying audit trails
- saving results, Using projects
- saving trailsets, Using projects
- searching in RDP streams, Searching in graphical streams
- archiving, Upgrading SCB
- audit data, Data and configuration archiving and backups
- multiple times a day, Data and configuration archiving and backups
- NetApp devices, Data and configuration archiving and backups, Parameters of the backup protocols
- Audit Player
- certificate location, Keys and certificates
- indexing service configuration, Viewing session information and replaying audit trails
- multicore processor, Viewing session information and replaying audit trails
- running with restricted user, Viewing session information and replaying audit trails
- running without administrator privileges, Viewing session information and replaying audit trails
- supported session types, Viewing session information and replaying audit trails
- audit policies, Audit policies
- audit trail, Viewing session information and replaying audit trails
- replaying, Replaying audit trails
- audit trails, Audit policies, Viewing session information and replaying audit trails
- automatic searches, Indexing and reporting on audit-trail content
- downloading from SCB, Replaying audit trails
- encrypting, Audit policies
- export to PCAP format, Replaying audit trails
- file limit, Audit policies
- finding in AP, Finding specific audit trails
- replaying encrypted audit trails, Replaying and processing encrypted audit trails
- searching in AP, Finding specific audit trails
- signing, Audit policies
- size limit, Audit policies
- timestamping, Timestamping audit trails
- auditing, General connection settings
- auditing configuration changes, Listing and searching configuration changes
- authenticating the users on SCB, Client-side authentication settings
- authenticating to Microsoft Active Directory, User management and access control
- authenticating to RADIUS servers, User management and access control
- authenticating users, User management and access control
- authentication
- Active Directory, General connection settings
- blacklisting users, General connection settings
- credential stores, Using credential stores for server-side authentication
- inband, The concepts of SCB, Configuring gateway authentication
- LDAP, General connection settings
- on the SCB gateway, The concepts of SCB, Advanced authentication and authorization techniques, Configuring gateway authentication
- outband, The concepts of SCB, Advanced authentication and authorization techniques, Configuring gateway authentication
- whitelisting users, General connection settings
- authentication policies, Connecting to a server through SCB
- Authentication Policy, Connecting to a server through SCB, SSH-specific settings, Authentication Policies
- authorization
- 4-eyes, The concepts of SCB, Advanced authentication and authorization techniques, Configuring 4-eyes authorization
- terminating connections, Configuring 4-eyes authorization
- autologon, RDP-specific settings
- automatic searches, Indexing and reporting on audit-trail content
B
- backups, Data and configuration archiving and backups
- encrypting, Data and configuration archiving and backups
- file ownerships, Ownership of the backup files
- file permissions, Ownership of the backup files
- NetApp devices, Data and configuration archiving and backups, Parameters of the backup protocols
- restore, Best practices and configuration examples
- Bastion mode, SCB in Bastion mode, Organizing connections in Bastion mode
- nontransparent, General connection settings, Best practices and configuration examples
- Bridge mode, SCB in Bridge mode
- browser requirements, The initial connection to SCB, Supported web browsers and operating systems
- browsers, The initial connection to SCB, Supported web browsers and operating systems
- supported versions, The initial connection to SCB, Supported web browsers and operating systems
- browsing audit trails, The SCB connection database
- browsing log messages, Using the search interface
- browsing reports, Reports
C
- certificate of the web interface, The Welcome Wizard and the first login, Managing the certificates used on SCB
- certificate verification, General connection settings
- in SSL-encrypted RDP connections, RDP-specific settings
- certificate-mapping, Server-side authentication settings, Authentication Policies, Using credential stores for server-side authentication
- certificates
- accepted formats, Managing the certificates used on SCB
- changing, Managing the certificates used on SCB
- extendedKeyUsage, Managing the certificates used on SCB
- in Audit Player, Keys and certificates
- in SSH connections, SSH-specific settings
- LDAP servers, User management and access control, General connection settings
- managing, Managing the certificates used on SCB
- uploading, Managing the certificates used on SCB
- X509v3 Extended Key Usage, Managing the certificates used on SCB
- changelogs, Listing and searching configuration changes, Changelogs of SCB
- changing certificates
- Timestamping Authority, Managing the certificates used on SCB
- changing log verbosity level, Troubleshooting SCB
- channel policies, Connecting to a server through SCB, Configuring connections, SSH-specific settings, RDP-specific settings, ICA-specific settings
- creating and editing, General connection settings
- channel types
- client-side authentication, Client-side authentication settings
- CNAME records, General connection settings
- collecting debug information, Troubleshooting SCB
- collecting system-state information, Troubleshooting SCB
- commit log, Listing and searching configuration changes
- configuration backups, Data and configuration archiving and backups
- configuration changes, Listing and searching configuration changes
- configuring a connection, The Welcome Wizard and the first login
- general settings, General connection settings
- ICA, ICA-specific settings
- modifying the server address, General connection settings
- modifying the source address, General connection settings
- configuring network interfaces, Network settings
- configuring the AP indexing service, Viewing session information and replaying audit trails
- connecting to a server
- connection, Configuring connections
- connection database cleanup, General connection settings
- connection metadata, General connection settings
- connection permissions
- querying permissions, Displaying the privileges of users and user groups, General connection settings
- connections database, The SCB connection database
- console menu, Using the console menu of SCB
- controlling SCB
- rebooting, Controlling SCB — restart, shutdown
- shutting down, Controlling SCB — restart, shutdown
- converting certificates
- using firefox, Replaying and processing encrypted audit trails
- using openssl, Replaying and processing encrypted audit trails
- core files, Gathering data about system problems
- Credential Stores
- authentication in RDP, Configuring gateway authentication
- credential stores, Using credential stores for server-side authentication
- Lieberman ERPM, Using credential stores for server-side authentication
- local, Using credential stores for server-side authentication
- password-protected, Using credential stores for server-side authentication
- remote, Using credential stores for server-side authentication
- custom queries, Browsing log messages and SCB reports
- custom reports, Reports, Indexing and reporting on audit-trail content
D
- dashboard, Status history and statistics
- database queries, Browsing log messages and SCB reports
- date and time, Date and time configuration
- configuring, Date and time configuration
- debug logging, Troubleshooting SCB
- default reports, Contents of the default reports
- default usergroups, Built-in usergroups of SCB
- deleting audit trails, Data and configuration archiving and backups
- deleting search filters, Using and managing search filters
- deployment scenarios
- destination NAT, DNAT, Connecting to a server through SCB, General connection settings
- DHCP in Bridge mode, SCB in Bridge mode
- digitally signing audit trails, Audit policies
- disabling all RDP traffic, Controlling SCB — restart, shutdown
- disabling all SSH traffic, Controlling SCB — restart, shutdown
- disabling all Telnet traffic, Controlling SCB — restart, shutdown
- disabling all VNC traffic, Controlling SCB — restart, shutdown
- displaying selected messages, Using the search interface
- DLP, General connection settings
- DNS
- CNAME records, General connection settings
- DNS server, Network settings
- domain membership, RDP-specific settings
- downgrading the firmware
- rollback, Updating the SCB firmware
- DRBD
- adjusting synchronization speed, Adjusting the synchronization speed of DRBD
- DRBD status, High Availability status explained
- connected, High Availability status explained
- invalidated, High Availability status explained
- split brain, High Availability status explained, Troubleshooting an SCB cluster
- sync source, High Availability status explained
- sync target, High Availability status explained
- wfconnection, High Availability status explained
E
- e-mail alerts, System logging, SNMP and e-mail alerts, Configuring system monitoring on SCB
- e-mailing reports, System logging, SNMP and e-mail alerts
- encrypting audit trails, Audit policies
- exporting SCB configuration, Upgrading SCB
- exporting search results, Using the search interface
F
- feature releases, Versions and releases of SCB
- file operations in SCP, Supported SSH channel types
- file operations in SFTP, Supported SSH channel types
- filtering search results, Using the search interface
- filters
- available for every user, Using and managing search filters
- global, Using and managing search filters
- predefined, Using and managing search filters
- finding audit trails, The SCB connection database
- finding audit trails in AP, Finding specific audit trails
- finding users or usergroups, Displaying the privileges of users and user groups
- firmware, Firmware in SCB
- high availability, Firmwares and high availability
- rollback, Updating the SCB firmware
- update, Updating the SCB firmware
G
- gateway authentication, Connecting to a server through SCB, The concepts of SCB, Advanced authentication and authorization techniques, Configuring gateway authentication
- inband, Configuring gateway authentication
- troubleshooting, Troubleshooting gateway authentication
- gateway group, General connection settings
- general configuration settings, General connection settings
- generating certificates on-the-fly, General connection settings
- GPG, Data and configuration archiving and backups
- group management
- group memberships, General connection settings
H
- HA address, The Welcome Wizard and the first login, Network settings
- hardware serial number, Out-of-band management of SCB
- high availability, High Availability support in SCB
- installation, BalaBit Shell Control Box Hardware Installation Guide
- High Availability
- adjusting synchronization speed, Adjusting the synchronization speed of DRBD
- log messages, Managing a high availability SCB cluster
- manual takeover, Managing a high availability SCB cluster
- next-hop monitoring, Managing a high availability SCB cluster
- Node HA status, High Availability status explained
- Node HA UUID, High Availability status explained
- reboot cluster, Managing a high availability SCB cluster
- recovery, Troubleshooting an SCB cluster
- redundant Heartbeat interfaces, Managing a high availability SCB cluster, Redundant Heartbeat interface status explained
- status, High Availability status explained
- synchronizing time, Date and time configuration
- high availability mode, Managing a high availability SCB cluster
- history of changes, Changelogs of SCB
- host certificates, SSH hostkeys, Server host keys and certificates
- adding automatically, Server host keys and certificates
- adding manually, Server host keys and certificates
- host keys, SSH-specific settings, Server host keys and certificates
- adding automatically, Server host keys and certificates
- adding manually, Server host keys and certificates
- hostkeys, SSH hostkeys
I
- ICA
- supported protocol versions, Supported protocols and client applications
- ICA channel types, Supported ICA channel types
- ICA connections
- metadata, Connection metadata
- ICA settings, ICA-specific settings
- editing, ICA-specific settings
- IDS, General connection settings
- ILOM, Out-of-band management of SCB
- importing certificates, Managing the certificates used on SCB
- importing SCB configuration, Upgrading SCB
- indexing audit trails, Reports, Indexing and reporting on audit-trail content
- indexing service
- installing
- Integrated Lights Out Management, Out-of-band management of SCB
- Intelligent Platform Management Interface, Out-of-band management of SCB
- intra-day archival, Data and configuration archiving and backups
- IPMI, Out-of-band management of SCB
J
- JavaScript, The initial connection to SCB, Supported web browsers and operating systems
- joining a domain, RDP-specific settings
K
L
- LDAP authentication, User management and access control
- LDAP groups, General connection settings
- LDAP servers, General connection settings
- certificates, User management and access control, General connection settings
- failover, User management and access control, General connection settings
- LDAPS protocol, User management and access control, General connection settings
- Microsoft Active Directory on Windows 2000, User management and access control, General connection settings
- mutual authentication, User management and access control, General connection settings
- Windows 2000, User management and access control, General connection settings
- license, Licenses
- update, Upgrading SCB
- Lieberman ERPM, Using credential stores for server-side authentication
- limit concurrent connections, General connection settings
- local console, Using the console menu of SCB
- local SCB users, User management and access control
- local users
- password management, User management and access control
- usergroups, User management and access control
- lock management, Multiple web users and locking
- log
- debug mode, Troubleshooting SCB
- system state, Troubleshooting SCB
- tailing, Troubleshooting SCB
- viewing, Troubleshooting SCB
- log level, Troubleshooting SCB
- log messages
- browsing, Using the search interface
- exporting search results, Using the search interface
- filtering search results, Using the search interface
- reports, Reports
- searching, Using the search interface
- log verbosity, Troubleshooting SCB
- logging file operations, Supported SSH channel types
- Long Term Supported releases, Versions and releases of SCB
- LTS releases, Versions and releases of SCB
M
- Management Information Base, Configuring system monitoring on SCB
- managing certificates
- Timestamping Authority, Managing the certificates used on SCB
- managing search filters, Using and managing search filters
- Message dialog, Elements of the main workspace
- MIB, Configuring system monitoring on SCB
- Microsoft Active Directory
- LDAPS protocol, User management and access control, General connection settings
- supported platforms, User management and access control, General connection settings
- Microsoft Active Directory Server, General connection settings
- Microsoft Windows Network, Parameters of the backup protocols
- mode of operation, Network settings
- monitoring, System logging, SNMP and e-mail alerts, Configuring system monitoring on SCB
N
- name resolution
- CNAME records, General connection settings
- NetApp, Data and configuration archiving and backups, Parameters of the backup protocols
- network address translation
- destination NAT, DNAT, General connection settings
- source NAT, SNAT, General connection settings
- Network interfaces
- configuring interface speed, Network settings
- external interface, Network interfaces, The initial connection to SCB
- HA interface, Network interfaces
- internal interface, Network interfaces
- IPMI interface, Network interfaces
- management interface, Network interfaces, Network settings
- network interfaces
- alias interfaces, Network settings
- alias IP addresses, Network settings
- configuring, Network settings
- external interface, Network settings
- internal interface, Network settings
- next-hop router monitoring, Managing a high availability SCB cluster
- nontransparent mode, SCB in Nontransparent mode, General connection settings, Best practices and configuration examples
- NTP servers, Date and time configuration
O
- operational-report, Contents of the default reports
- out-of-band management, Out-of-band management of SCB
- outband authentication, The concepts of SCB, Advanced authentication and authorization techniques, Configuring gateway authentication
P
- password
- admin, The Welcome Wizard and the first login
- changing the root, Accessing the SCB console
- root, The Welcome Wizard and the first login, Accessing the SCB console
- password policies, User management and access control
- PCAP, Replaying audit trails
- ping, Troubleshooting SCB
- policies
- channel, General connection settings
- time, General connection settings
- user list, General connection settings
- usermapping, Advanced authentication and authorization techniques
- port forwarding
- disconnects, Supported SSH channel types
- predefined filters, Using and managing search filters
- preferences, The structure of the web interface
- private key
- accepted formats, The Welcome Wizard and the first login, Managing the certificates used on SCB
- protocol-specific settings
- ICA, ICA-specific settings
- RDP, RDP-specific settings
- SSH, SSH-specific settings
- Telnet, Telnet-specific settings
- VMWare View, VMware View connections
- VNC, VNC-specific settings
- Public-key authentication, Authenticating clients using public-key authentication in SSH
- public-key authentication
- configuring, Configuring public-key authentication on SCB
- keymapping, Server-side authentication settings
- using LDAP and a fixed key, Configuring public-key authentication on SCB
- using LDAP and generated keys, Configuring public-key authentication on SCB
- using local keys, Server-side authentication settings, Configuring public-key authentication on SCB
- public-key authentication on SCB, Accessing the SCB console
Q
- querying SCB via SNMP, System logging, SNMP and e-mail alerts
R
- RADIUS authentication, User management and access control
- rate limiting, General connection settings
- RDP
- gateway authentication with Credential Stores, Configuring gateway authentication
- supported protocol versions, Supported protocols and client applications
- RDP channel types, Supported RDP channel types
- RDP connections, Viewing session information and replaying audit trails
- configuring clients for a Terminal Services Gateway, RDP-specific settings
- disabling all traffic, Controlling SCB — restart, shutdown
- metadata, Connection metadata
- pre channel check, RDP-specific settings
- SCB as a Terminal Services Gateway, RDP-specific settings
- SSL encryption, RDP-specific settings
- usernames, Usernames in RDP connections
- RDP settings, Connecting to a server through SCB, RDP-specific settings
- autologon, RDP-specific settings
- compression, RDP-specific settings
- editing, RDP-specific settings
- pre channel check, RDP-specific settings
- reboot, Controlling SCB — restart, shutdown
- redundant Heartbeat interfaces, Managing a high availability SCB cluster, Redundant Heartbeat interface status explained
- redundant Heartbeat status
- releases, Versions and releases of SCB
- Remote Desktop Gateway, RDP-specific settings
- remote group, General connection settings
- reporting, Reports
- audit-trail content, Indexing and reporting on audit-trail content
- content subchapter, Indexing and reporting on audit-trail content
- custom reports, Reports
- reports, Contents of the default reports
- contents, Contents of the default reports
- default, Contents of the default reports
- e-mailing, System logging, SNMP and e-mail alerts
- restart, Controlling SCB — restart, shutdown
- restoring a backup, Best practices and configuration examples
- reverting the firmware version, Updating the SCB firmware
- root password, The Welcome Wizard and the first login, Accessing the SCB console
- Router mode, SCB in Router mode
- using a single interface, SCB in Router mode
- Routing table, Network settings
- management traffic, Network settings
- rsync over SSH, Parameters of the backup protocols
S
- saving filters, Using and managing search filters
- saving search filters, Using and managing search filters
- SCB
- accounting, Listing and searching configuration changes
- administrators, User management and access control
- certificate, Managing the certificates used on SCB
- changelogs, Changelogs of SCB
- configuration changes, Listing and searching configuration changes
- exporting the configuration of, Upgrading SCB
- hostname, Network settings
- importing the configuration of, Upgrading SCB
- installation, BalaBit Shell Control Box Hardware Installation Guide
- logs, Listing and searching configuration changes
- reports, Reports
- web certificate, The Welcome Wizard and the first login
- SCB configuration
- exporting, Upgrading SCB
- importing, Upgrading SCB
- SCP
- listing file operations, Supported SSH channel types
- sealed mode, Sealed mode
- search results
- advanced statistics, Browsing log messages and SCB reports
- custom statistics, Browsing log messages and SCB reports
- exporting, Using the search interface
- filtering, Using and managing search filters
- statistics, Browsing log messages and SCB reports
- searching audit trails in AP, Finding specific audit trails
- searching log messages, Using the search interface
- serial number of SCB, Out-of-band management of SCB
- server certificates, Server host keys and certificates
- server host keys, Server host keys and certificates
- server-side authentication, Server-side authentication settings
- credential stores, Using credential stores for server-side authentication
- server-side RDP connection
- pre channel check, RDP-specific settings
- server-side SSH connection
- pre channel check, SSH-specific settings
- SFTP
- listing file operations, Supported SSH channel types
- shutdown, Controlling SCB — restart, shutdown
- signing audit trails, Audit policies
- signing certificates, General connection settings
- Simple Network Management Protocol, System logging, SNMP and e-mail alerts, Configuring system monitoring on SCB
- SMB/CIFS, Parameters of the backup protocols
- SMTP server, System logging, SNMP and e-mail alerts
- SNMP
- SCB MIB, Configuring system monitoring on SCB
- SNMP alerts, System logging, SNMP and e-mail alerts, Configuring system monitoring on SCB
- SNMP queries, System logging, SNMP and e-mail alerts
- SNMP server, System logging, SNMP and e-mail alerts
- SNMPv3, System logging, SNMP and e-mail alerts
- source NAT, SNAT, Connecting to a server through SCB, General connection settings
- split brain, High Availability status explained, Troubleshooting an SCB cluster
- SSH
- local forwarding, Supported SSH channel types
- remote forwarding, Supported SSH channel types
- supported protocol versions, Supported protocols and client applications
- SSH certificates, SSH-specific settings
- SSH channel types, Supported SSH channel types
- SSH connections, Viewing session information and replaying audit trails
- accessing SCB, Accessing the SCB console, Accessing the SCB host in Bastion mode using SSH
- disabling all traffic, Controlling SCB — restart, shutdown
- in Bastion mode, Organizing connections in Bastion mode
- metadata, Connection metadata
- pre channel check, Connecting to a server through SCB, SSH-specific settings
- SSH console, Using the console menu of SCB
- SSH server certificates, Server host keys and certificates
- SSH server on SCB, Accessing the SCB console
- in Bastion mode, Accessing the SCB host in Bastion mode using SSH
- SSH settings, Connecting to a server through SCB, SSH-specific settings
- editing, SSH-specific settings
- encryption parameters, Configuring encryption parameters
- pre channel check, SSH-specific settings
- stable releases, Versions and releases of SCB
- statistics, Browsing log messages and SCB reports
- status history, Status history and statistics
- status information via SNMP, System logging, SNMP and e-mail alerts
- supported browsers, The initial connection to SCB, Supported web browsers and operating systems
- supported protocol versions, Supported protocols and client applications, Configuring connections
- synchronizing data
- adjusting synchronization speed, Adjusting the synchronization speed of DRBD
- syslog
- TLS encryption, System logging, SNMP and e-mail alerts
- syslog servers
- certificates, System logging, SNMP and e-mail alerts
- mutual authentication, System logging, SNMP and e-mail alerts
- syslog-ng
- TLS encryption, System logging, SNMP and e-mail alerts
- system logs, System logging, SNMP and e-mail alerts
- System monitor, The structure of the web interface
- system statistics, Status history and statistics
T
- Telnet
- supported protocol versions, Supported protocols and client applications
- Telnet and user lists, Telnet-specific settings
- Telnet connections, Viewing session information and replaying audit trails
- disabling all traffic, Controlling SCB — restart, shutdown
- metadata, Connection metadata
- Telnet settings, Telnet-specific settings
- editing, Telnet-specific settings
- Terminal Services Gateway (TS Gateway), RDP-specific settings
- supported clients, RDP-specific settings
- Terminal Services Gateway Server Protocol, RDP-specific settings
- supported protocol versions, Supported protocols and client applications
- throttle, General connection settings
- time policies, Connecting to a server through SCB, General connection settings
- Time Policy
- creating and editing, General connection settings
- time synchronization, Date and time configuration
- in HA mode, Date and time configuration
- timestamping
- timestamping audit trails, Timestamping audit trails
- Timestamping Authority
- certificate of, Managing the certificates used on SCB
- timestamping authority, Timestamping audit trails
- tokenizing, Indexing and reporting on audit-trail content
- traceroute, Troubleshooting SCB
- tracking configuration changes, Listing and searching configuration changes
- traffic forwarding, General connection settings
- troubleshooting, Troubleshooting SCB
- Citrix, Troubleshooting Citrix-related problems
- gateway authentication, Troubleshooting gateway authentication
- port forwarding, Supported SSH channel types
- trusted certificate authorities (CAs), General connection settings
- TSA, Timestamping audit trails
- types of log messages, Browsing log messages and SCB reports
U
- update
- firmware, Updating the SCB firmware
- in high availability, Updating the SCB firmware
- license, Upgrading SCB
- upgrade
- firmware, Updating the SCB firmware
- license, Upgrading SCB
- uploading certificates, Managing the certificates used on SCB
- user groups, User management and access control, General connection settings
- User List, Connecting to a server through SCB, SSH-specific settings
- creating and editing, General connection settings
- user lists, General connection settings
- user management, Built-in usergroups of SCB
- creating usergroups, Managing user rights and usergroups
- finding privileges, Finding specific usergroups
- modifying usergroup privileges, Managing user rights and usergroups
- naming usergroups, How to use usergroups
- searching usergroups, Finding specific usergroups
- user memberships
- finding users or usergroups, Displaying the privileges of users and user groups
- User menu, The structure of the web interface
- user permissions
- connections, Displaying the privileges of users and user groups, General connection settings
- user memberships, Displaying the privileges of users and user groups, General connection settings
- web interface, Displaying the privileges of users and user groups
- user preferences, The structure of the web interface
- usergroups
- usermapping policies, Advanced authentication and authorization techniques
- users
- web interface, User management and access control
- using CRLs, General connection settings
V
- verbosity level, Troubleshooting SCB
- VMware View, VMware View connections
- supported protocol versions, Supported protocols and client applications
- VNC
- supported protocol versions, Supported protocols and client applications
- VNC and user lists, VNC-specific settings
- VNC connections
- disabling all traffic, Controlling SCB — restart, shutdown
- metadata, Connection metadata
- VNC settings, VNC-specific settings
- editing, VNC-specific settings
W
- web browsers, The initial connection to SCB, Supported web browsers and operating systems
- web interface
- querying user permissions, Displaying the privileges of users and user groups
- Welcome Wizard, The Welcome Wizard and the first login
X
- X.509 certificates
- of SSH servers, Server host keys and certificates