BalaBit Shell Control Box 2.0.2 Administrator Guide

Product Marketing and Documentation Department

This guide is published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. See Appendix 6, Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License for details. The latest version is always available at http://www.balabit.com/support/documentation.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaBit.

The BalaBit Shell Control Box™ name and the BalaBit Shell Control Box™ logo are registered trademarks of BalaBit.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of BalaBit.

The BalaBit™ name and the BalaBit™ logo are registered trademarks of BalaBit.

Linux™ is a registered trademark of Linus Torvalds.

Debian™ is a registered trademark of Software in the Public Interest Inc.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, and Server 2008 are registered trademarks of Microsoft Corporation.

MySQL™ is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Oracle™, JD Edwards™, PeopleSoft™, and Siebel™ are registered trademarks of Oracle Corporation and/or its affiliates.

Sun™, Sun Microsystems™, the Sun logo, Sun Fire 4140™, Sun Fire 2100™, Sun Fire 2200™, Sun Fire 4540™, and Sun StorageTek™ are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries. AMD Opteron™ and Opteron™ are trademarks of Advanced Micro Devices, Inc.

All other product names mentioned herein are the trademarks of their respective owners.

Some rights reserved.

DISCLAIMER

BalaBit is not responsible for any third-party Web sites mentioned in this document. BalaBit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaBit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

April 9, 2010

Revision History

Abstract

This document is the primary manual of the BalaBit Shell Control Box 2.0.2.

Table of Contents

Preface

1. Summary of contents

2. Target audience and prerequisites

3. Products covered in this guide

4. Typographical conventions

5. Contact and support information

5.1. Sales contact
5.2. Support contact
5.3. Training

6. About this document

6.1. Version information
6.2. Feedback

1. Introduction

1.1. What SCB is
1.2. What SCB is not
1.3. Why is SCB needed?
1.4. Who uses SCB?
1.5. Public references for BalaBit Shell Control Box

2. The concepts of SCB

2.1. The philosophy of SCB

2.2. Supported protocols and client applications

2.3. Modes of operation

2.3.1. SCB in Bridge mode
2.3.2. SCB in Router mode
2.3.3. SCB in Bastion mode
2.3.4. SCB in Nontransparent mode

2.4. Connecting to a server through SCB

2.5. SSH hostkeys

2.6. Authenticating clients using public-key authentication in SSH

2.7. Gateway authentication

2.8. 4-eyes authorization

2.9. Network interfaces

2.10. High Availability support in SCB

2.11. Firmware in SCB

2.11.1. Firmwares and high availability

2.12. Accessing and configuring SCB

2.13. Licenses

3. The Welcome Wizard and the first login

3.1. The initial connection to SCB
3.2. The Welcome Wizard
3.3. Logging in to SCB and configuring the first connection

4. Configuring and managing SCB

4.1. Supported web browsers

4.2. The structure of the web interface

4.2.1. Elements of the main workspace
4.2.2. Multiple web users and locking

4.3. Basic settings

4.3.1. Network settings
4.3.2. Date and time configuration
4.3.3. System logging, SNMP and e-mail alerts
4.3.4. Configuring system monitoring on SCB
4.3.5. Data and configuration archiving and backups

4.4. User management and access control

4.4.1. Managing SCB users locally
4.4.2. Managing SCB users from an LDAP database
4.4.3. Authenticating users to a RADIUS server
4.4.4. Managing user rights and usergroups
4.4.5. Listing and searching configuration changes

4.5. Managing SCB

4.5.1. Controlling SCB — restart, shutdown
4.5.2. Upgrading SCB
4.5.3. Troubleshooting SCB
4.5.4. Accessing the SCB console
4.5.5. Sealed mode
4.5.6. Changing the certificates used on SCB

5. Configuring connections

5.1. General connection settings

5.1.1. Modifying the destination address
5.1.2. Modifying the source address
5.1.3. Channel Policies
5.1.4. Time Policies
5.1.5. User lists
5.1.6. Authenticating users to an LDAP server
5.1.7. Audit policies
5.1.8. Verifying certificates with Certificate Authorities
5.1.9. Signing certificates on-the-fly
5.1.10. Forwarding traffic to an IDS or DLP system

5.2. SSH-specific settings

5.2.1. Setting the SSH host keys and certificates of the connection
5.2.2. Supported SSH channel types
5.2.3. Authentication Policies
5.2.4. Server host keys and certificates
5.2.5. Protocol-level SSH settings

5.3. RDP-specific settings

5.3.1. Supported RDP channel types
5.3.2. Protocol-level RDP settings
5.3.3. Joining SCB into a domain
5.3.4. Using SSL-encrypted RDP connections
5.3.5. Verifying the certificate of the RDP server in encrypted connections

5.4. Telnet-specific settings

5.4.1. Protocol-level Telnet settings

5.5. VNC-specific settings

5.5.1. Protocol-level VNC settings

6. Browsing log messages and SCB reports

6.1. Using the search interface

6.2. Changelogs of SCB

6.3. SCB reports

6.4. The SCB connection database

6.4.1. Connection metadata
6.4.2. Creating predefined filters

6.5. Configuring custom reports

6.6. Monitoring the status of AP indexing services

6.7. Full-text indexing of audit trails

7. Viewing session information and replaying audit trails

7.1. Installing the Audit Player application

7.2. Replaying audit trails

7.3. Using AP

7.3.1. Finding specific audit trails
7.3.2. Using projects
7.3.3. Replaying and processing encrypted audit trails
7.3.4. Searching in graphical streams

7.4. Troubleshooting the Audit Player

7.4.1. Logging with the Audit Player
7.4.2. Keys and certificates

8. Advanced authentication and authorization techniques

8.1. Usermapping policies
8.2. Configuring gateway authentication
8.3. Configuring 4-eyes authorization

9. Best practices and configuration examples

9.1. Configuring public-key authentication on SCB

9.2. Bastion mode considerations

9.3. Organizing connections in Bastion mode

9.3.1. Accessing the SCB host in Bastion mode using SSH

9.4. Using nontransparent Bastion mode

9.5. RDP connections in Nontransparent mode

9.6. How to restore a backup

9.7. Solving the "double-assign" problem in RDP

9.7.1. Background
9.7.2. Solution

1. About the Secure Shell protocol in a nutshell

1.1. The basic operation of SSH
1.2. Configuring encryption parameters

2. Package contents inventory

3. BalaBit Shell Control Box Hardware Installation Guide

3.1. Installing the SCB hardware
3.2. Installing two SCB units in HA mode

4. BalaBit Shell Control Box Software Installation Guide

5. BalaBit Shell Control Box End User License Agreement

5.1. 1. SUBJECT OF THE LICENSE CONTRACT
5.2. 2. DEFINITIONS
5.3. 3. LICENSE GRANTS AND RESTRICTIONS
5.4. 4. SUBSIDIARIES
5.5. 5. INTELLECTUAL PROPERTY RIGHTS
5.6. 6. TRADE MARKS
5.7. 7. NEGLIGENT INFRINGEMENT
5.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
5.9. 9. LICENSE FEE
5.10. 10. WARRANTIES
5.11. 11. DISCLAIMER OF WARRANTIES
5.12. 12. LIMITATION OF LIABILITY
5.13. 13. DURATION AND TERMINATION
5.14. 14. AMENDMENTS
5.15. 15. WAIVER
5.16. 16. SEVERABILITY
5.17. 17. NOTICES
5.18. 18. MISCELLANEOUS

6. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

Glossary

Index

List of Procedures

2.1. Connecting to a server through SCB using SSH
2.2. Connecting to a server through SCB using RDP
2.3. The gateway authentication process
2.4. The 4-eyes authorization process
3.1. Creating an alias IP address (Microsoft Windows)
3.2. Creating an alias IP address (Linux)
3.3. The initial configuration of SCB
3.4. Configuring a simple session
4.1. Configuring the management interface
4.2. Routing management traffic to the management interface
4.3. Configuring a time (NTP) server
4.4. Configuring system logging
4.5. Configuring e-mail alerts
4.6. Configuring SNMP alerts
4.7. Querying SCB status information using agents
4.8. Configuring monitoring
4.9. Creating configuration and data backups
4.10. Archiving the collected data
4.11. Encrypting configuration backups with GPG
4.12. Parameters of the Rsync over SSH method
4.13. Parameters of the SMB protocol
4.14. Configuring NFS on the remote server
4.15. Creating local users
4.16. Setting password policies
4.17. Creating local groups
4.18. Configuring LDAP authentication
4.19. Configuring RADIUS authentication
4.20. Modifying group privileges
4.21. Creating new usergroups for the SCB web interface
4.22. Recovering SCB if both nodes broke down
4.23. Recovering from a split brain situation
4.24. Disabling controlled traffic
4.25. Disabling controlled traffic permanently
4.26. Updating SCB and managing the firmware
4.27. Upgrading both the core and the boot firmware of a high-availability system
4.28. Reverting to an older firmware version
4.29. Updating the SCB license
4.30. Exporting the configuration of SCB
4.31. Importing the configuration of SCB
4.32. Executing troubleshooting commands
4.33. Viewing the logs
4.34. Changing the verbosity level
4.35. Collecting debug information
4.36. Displaying custom connection statistics
4.37. Enabling SSH access to the SCB host
4.38. Changing the root password of SCB
4.39. Disabling sealed mode
4.40. Generating certificates for SCB
4.41. Uploading external certificates to SCB
5.1. Configuring connections
5.2. Creating and editing channel policies
5.3. Creating and editing time policies
5.4. Creating and editing user lists
5.5. Configuring LDAP Server policies
5.6. Encrypting audit trails
5.7. Built-in timestamping service
5.8. External timestamping service
5.9. Digitally signing audit trails
5.10. Limiting audit trails
5.11. Creating Trusted CA lists
5.12. Configuring certificate signing on SCB
5.13. Configuring traffic-forwarding to IDS systems
5.14. Setting the host keys of the connection
5.15. Local client-side authentication
5.16. How to map keys and certificates
5.17. Automatically adding the host keys and host certificates of a server to SCB
5.18. Manually adding the host key or host certificate of a server
5.19. Creating and editing SSH settings
5.20. Creating and editing RDP settings
5.21. Joining a domain
5.22. Enabling SSL-encrypted RDP connections
5.23. Verifying the certificate of the RDP server in encrypted connections
5.24. Creating and editing Telnet settings
5.25. Creating and editing VNC settings
6.1. Displaying information about connections
6.2. Configuring custom reports
6.3. Configuring full-text indexing
7.1. Installing AP
7.2. Downloading audit trails from SCB
7.3. Replaying a session with the Audit Player
7.4. Importing certificates with MMC
7.5. AP logging in user mode
7.6. AP logging as an indexer service
8.1. Configuring usermapping poicies
8.2. Configuring gateway authentication
8.3. Performing gateway authentication on SCB
8.4. Configuring 4-eyes authorization
8.5. Performing 4-eyes authorization on SCB
9.1. Configuring public-key authentication using local keys
9.2. Configuring public-key authentication using an LDAP server and a fixed key
9.3. Configuring public-key authentication using an LDAP server and generated keys
9.4. Organizing connections based on port numbers
9.5. Organizing connections based on alias IP addresses
9.6. Using nontransparent Bastion mode
9.7. Restoring SCB configuration and data
9.8. Solving the "double-assign" problem in RDP
3.1. Installing the SCB hardware
3.2. Installing two SCB units in HA mode
4.1. Installing the SCB software

Preface

Welcome to the BalaBit Shell Control Box 2.0.2 Administrator Guide!

This document describes how to configure and manage the BalaBit Shell Control Box (SCB). Background information for the technology and concepts used by the product is also discussed.

1. Summary of contents

Chapter 1, Introduction describes the main functionality and purpose of the BalaBit Shell Control Box.

Chapter 2, The concepts of SCB discusses the technical concepts and philosophies behind SCB.

Chapter 3, The Welcome Wizard and the first login describes what to do after assembling SCB — it is a step-by-step guide for the initial configuration.

Chapter 4, Configuring and managing SCB provides detailed description on configuring and managing SCB as a host.

Chapter 5, Configuring connections discusses how to configure and audit SSH, RDP, and Telnet connections.

Chapter 7, Viewing session information and replaying audit trails describes how to search and display audit trails, generate reports, and replay the audited sessions.

Chapter 8, Advanced authentication and authorization techniques describes how to configure gateway authentication and 4-eyes authorization for the connections.

Chapter 9, Best practices and configuration examples gives step-by-step procedures to configure special aspects of SCB.

Appendix 1, About the Secure Shell protocol in a nutshell is a brief introduction into the Secure Shell protocol.

Appendix 2, Package contents inventory lists the contents of the package you receive with the BalaBit Shell Control Box.

Appendix 3, BalaBit Shell Control Box Hardware Installation Guide describes how to set up the BalaBit Shell Control Box (SCB) hardware.

Appendix 4, BalaBit Shell Control Box Software Installation Guide describes how to install the BalaBit Shell Control Box on a new Sun Fire server.

Appendix 5, BalaBit Shell Control Box End User License Agreement includes the text of the End User License Agreement applicable to SCB products.

The Glossary provides definitions of important terms used in this guide.

The Index provides cross-references to important terms used in this guide.

2. Target audience and prerequisites

This guide is intended for auditors, consultants, and security experts responsible for securing, auditing, and monitoring server administration processes, especially remote server management. It is also useful for IT decision makers looking for a tool to improve the security and auditability of their servers, or to facilitate compliance to the Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Basel II, or the Payment Card Industry (PCI) standard.

The following skills and knowledge are necessary for a successful SCB administrator:

At least basic system administration knowledge.
An understanding of networks, TCP/IP protocols, and general network terminology.
Working knowledge of the UNIX or Linux operating system is not mandatory but highly useful.
In-depth knowledge of various server applications is required for forensics situations.

3. Products covered in this guide

This guide describes the use of the BalaBit Shell Control Box version 2.0.2.

4. Typographical conventions

Before you start using this guide, it is important to understand the terms and typographical conventions used in the documentation. For more information on specialized terms and abbreviations used in the documentation, see the Glossary at the end of this document.

The following kinds of text formatting and icons identify special information in the document.

	Tip
	Tips provide best practices and recommendations.

	Note
	Notes provide additional information on a topic, and emphasize important facts and considerations.

	Warning
	Warnings mark situations where loss of data or misconfiguration of the device is possible if the instructions are not obeyed.

Command: Commands you have to execute.
Emphasis: Reference items, additional readings.
/path/to/file: File names.
Parameters: Parameter and attribute names.
Label: GUI output messages or dialog labels.
Menu: A submenu or menu item in the menu bar.
Button: Buttons in dialog windows.

5. Contact and support information

The BalaBit Shell Control Box is developed and maintained by BalaBit IT Security Ltd. We are located in Budapest, Hungary. Our address is:

         BalaBit IT Security Ltd.
         1464 Budapest P.O. BOX 1279
         Hungary
         Tel: +36 1 371-0540
         Fax: +36 1 208-0875
         E-mail: info@balabit.com
         Web: http://www.balabit.com/

5.1. Sales contact

You can directly contact us with sales related topics at the e-mail address <sales@balabit.com>.

5.2. Support contact

You can register your copy of BalaBit SCB online on the BalaBit website or by sending the filled registration form. Registration is a prerequisite for all support services. Your product can be registered online at the http://www.balabit.com/support/registration/ website.

E-mail and telephone support is available for registered users, please write or call us for details.

Support e-mail address: <support@balabit.com>.

Support hotline: +36 1 371 0540 (available from 9 AM to 5 PM CET on weekdays)

The BalaBit Online Support System is available at https://boss.balabit.com/ and offers 24 hours technical support. This system is available only for registered users.

5.3. Training

BalaBit IT Security Ltd. holds courses for system administrators. Our experienced system engineers give lectures on Zorp Gateway, SCB, and syslog-ng administration.

6. About this document

6.1. Version information

This document is a work-in-progress document with new versions appearing periodically.

The latest version of this document can be downloaded from the BalaBit website at http://www.balabit.com/support/documentation.

6.2. Feedback

Any feedback is greatly appreciated, especially on what else this document should cover. General comments, errors found in the text, and any suggestions about how to improve the documentation is welcome at <documentation@balabit.com>.

Chapter 1. Introduction

This chapter introduces the BalaBit Shell Control Box (SCB) in a non-technical manner, discussing how and why is it useful, and what additional security it offers to an existing IT infrastructure.

1.1. What SCB is

SCB is a device that controls, monitors, and audits remote administrative access to servers. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server- and client applications do not have to be modified in order to use SCB — it integrates smoothly into the existing infrastructure.

SCB logs all administrative traffic (including configuration changes, executed commands, etc.) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown) the circumstances of the event are readily available in the audit trails, thus the cause of the incident can be easily identified. The recorded audit trails can be displayed like a movie – recreating all actions of the administrator. All audit trails are indexed on a separate indexing-server, enabling fast forwarding during replay, searching for events (e.g., mouse clicks, pressing the Enter key) and texts seen by the administrator. Reports and automatic searches can be configured as well. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, thus sensitive information like passwords are displayed only when necessary.

SCB can also remove the encryption from the traffic and forward the unencrypted traffic to an Intrusion Detection System (IDS), making it possible to analyze the contents of the encrypted traffic. That way traffic that was so far unaccessible for IDS analyzes can be inspected real-time. Other protocols tunneled in SSH can be inspected as well. Similarly, the list of files transferred and accessed in the encrypted protocols can be sent to a Data Leakage Prevention (DLP) system.

SCB has full control over the SSH, RDP, Telnet, TN3270, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of SCB are the following:

Disable unwanted channels and features (e.g., TCP port forwarding, file transfer, VPN, etc.)
Enforce the use of the selected authentication methods (password, publickey, etc.)
Require outband authentication on the SCB gateway
Enforce 4-eyes authorization with real-time monitoring and auditing capabilities
Audit the selected channels into encrypted and timestamped , and digitally signed audit trails
Retrieve group memberships of the user from an LDAP database
Verify the hostkeys and host certificates of the accessed servers

SCB is configured and managed from any modern web browser that supports HTTPS connections, JavaScript, and cookies.

1.2. What SCB is not

SCB is not a firewall. Although it uses advanced firewall technologies, it is an access controlling and auditing device focusing on server administration processes. Actually, it is a device that controls, monitors and audits remote administrative access to servers.

SCB monitors only the passing traffic of administrators accessing the servers remotely. Consequently, it cannot protect the server from local access, nor can it detect such events. If someone has access to a protected server from a local console, then anything he does is beyond the capabilities of SCB.

SCB can be used to control administrative access to the servers. In case of large server farms, it provides a simple way to change or restrict access policies, for example, to disable password-based authentication in SSH, control RDP channels, or to deny the account of an administrator, without having to modify the configuration of each server one-by-one. However, SCB does not and should not be used to replace the proper configuration of the servers, as perfunctory server configuration inevitably introduces security risk beyond the scope of SCB.

1.3. Why is SCB needed?

Server administration must be audited in order to record all important events about a server. However, — for security reasons — servers are almost exclusively administered using encrypted protocols, making system administration difficult to monitor and audit. To achieve reliable auditing, the data collection has to be transparent and independent from the client and the server. Otherwise, a skilled administrator (or attacker) could manipulate the logs to mask the traces of his actions or other events. SCB solves exactly these problems by transparently monitoring the encrypted channels used in administration and introducing a separate auditor layer to oversee system administrators.

The RDP and VNC-auditing capabilities of SCB is beneficial to record and archive the actions performed on thin-client applications, and helpdesks.

The Telnet-auditing capability of SCB is useful to record and archive the administration of networking devices.

1.4. Who uses SCB?

SCB is useful for everyone who has a server and has to control and audit the activities of the administrators. In particular, SCB is invaluable for:

Policy compliance: Certain regulations — such as the Sarbanes-Oxley Act (SOX) or Basel II — require the financial director of an organization to certify that all financial data they provide to the authorities is accurate and has not been modified. Other industries have similar regulations (like the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry (PCI)) about protecting personal or credit card information. Such data is usually stored in a database on a central server, and is accessible only via dedicated applications, such as the accounting software. These applications always create the logs and reports necessary for policy compliance. However, these applications are aware only of legitimate accesses to the database. The server storing the database has to be accessible also by server administrators for maintenance reasons. Having superuser privileges on the server, these administrators have the possibility to directly access and manipulate the database, and also to erase the traces of such actions from the server logs. However, SCB can audit the actions of the administrators, complementing the logs and reports of other applications.
Organizations having outsourced IT: Many organizations hire external companies to configure, maintain, and oversee their servers and IT services. This essentially means that the organization is willing to trust the administrators of this external company with all their data (e.g., private and business e-mails, customer information, etc.), or even with business-critical services like the operation of their online shop. Obviously, in such situations it is reassuring to have an independent device that can reliably log all administrative activities. SCB does exactly this — it provides detailed information about any problems with the server, making it easy to find those responsible. Using the 4-eyes authorization method, SCB provides real-time control over the remote server access and the administrative actions.
Organizations offering remote management: Organizations on the other end of the outsourcing line — like server- and webhosting companies — can equally benefit from SCB. It gives them the possibility to oversee and audit the administrators, and is also a great tool to evaluate their effectiveness. The recorded audit trails can also be used as evidence to settle any issues about the remotely administered servers. SCB also improves the control over Service Level Agreements (SLA), as the fulfillment of the services can be verified using the recorded audit trails and access reports.
Organizations using thin-client infrastructures: SCB can audit the channels used in popular thin-client solutions, providing an application-independent way to record and monitor the activities of every client.
Real-time file transfer and file access monitoring: SCB can send the list of accessed and transferred files to an external Data Leakage Prevention (DLP) system that can recognize, track and alert on the access (data at rest) and transfer (data in motion) of sensitive data. That way the DLP policy of the organization can be extended to the – so far uncontrolled – encrypted protocols like SSH and SFTP.
Organizations in need to control SSH: Many organizations have to permit outgoing SSH connections, but do not wish to do so without control, as virtually any other protocol can be tunneled into SSH. SCB can control what type of traffic is permitted in an SSH connection, and can separately enable the different traffic types like terminal connections, SFTP file transfers, port- and X11 forwarding, or agent-forwarding.
Organizations using jump hosts: Many organizations use jump hosts to access remote servers or services. SCB can be used to authenticate and audit every access to the jump hosts. Since SCB can supports strong authentication methods (for example, X.509 certification based authentication) and authentication to user directories (e.g., Microsoft Active Directory and other LDAP databases), it can greatly simplify the key and password management of the hosts. This is especially useful if an organization has to access very many remote hosts, or has lots of jump hosts.

1.5. Public references for BalaBit Shell Control Box

The following is a list of public references — companies who use SCB in their production environment:

Dubai Islamic Bank PJS (http://www.dib.ae/)
FIDUCIA IT AG (http://www.fiducia.de/)
Hungarian Post Co. Ltd. (http://www.posta.hu)
Svenska Handelsbanken AB (http://www.handelsbanken.com/)
Wilo AG (http://www.wilo.de/)

Chapter 2. The concepts of SCB

This chapter discusses the technical concepts of SCB.

2.1. The philosophy of SCB

SCB is a device that examines Secure Shell (SSH), Remote Desktop (RDP), Telnet, and VNC connections, ignoring and simply forwarding all other type of traffic. SCB uses man-in-the-middle techniques to decrypt and terminate the inspected connections. It separates the connections into two parts (client — SCB, SCB — server) and inspects all traffic, so that no data can be directly transferred between the server and the client.

	Note
	SCB is built on application level technology, especially the SSH, RDP, and Telnet proxies of the Zorp Application Level Gateway. For more information on Zorp and this technology, visit BalaBit's website at http://www.balabit.com/.

Figure 2.1. Inspecting SSH traffic with SCB

The traffic is inspected on the application level, that is Layer 7 or the application layer of the OSI model. All communication must conform to the standards of the respective protocol, SCB rejects all protocol violations and anomalies to protect the servers from attacks. That way the servers are protected even from unknown attacks exploiting vulnerabilities of the server applications.

SCB has full control over the initial negotiation phase of the connection, when the client and the server decide the parameters of the encryption to be used in the communication. SCB can restrict the use of the various algorithms, forbidding the use of weak ones — an effective shield against downgrade attacks.

Since SCB isolates the client-server connection into two separate connections, the permitted algorithms can be different on the client and the server side.

SCB controls the connections right from the beginning — including user authentication. That way it is easy to mandate strong authentication for protocols where user information is available (e.g., SSH), because SCB can limit the allowed authentication methods and also the users permitted to access the servers.

SCB uses various policies to restrict who, when, and how can access a connection or a specific channel of the protocol. These policies (based on username, authentication method used, etc.) can be applied to connections between particular clients and servers, or also to specific channels of a connection (e.g., only to terminal-sessions in SSH, or desktop-sharing in RDP).

Figure 2.2. Controlling protocol channels

SCB is configured by an administrator or auditor using a web browser.

2.2. Supported protocols and client applications

SCB supports the following protocols and clients. As a general rule, client applications not specifically tested but conforming to the relevant protocol standards should work with SCB.

Secure Shell Protocol: SCB supports only the SSHv2 protocol (RFCs 4251-54). The older and insecure v1 version is not supported. Supported client applications: OpenSSH, Tectia®, and PuTTY.
Remote Desktop Protocol: RDP versions 4-6.1 are supported. Supported client applications: the built-in clients of the Windows XP, Windows Server 2003, Windows Vista, and Windows 2008 Server platforms.
Telnet: Telnet traffic must conform RFC 854, and to various extensions described in RFCs 856-861, 652-658, 698, 726-27, 732-736, 749, 779, 885, 927, 933, 1041, 1043, 1053, 1073, 1079, 1091, 1096-97, 1184, 1372, 1408, 1572, 2066, 2217, 2840, 2941, and 2946.
Virtual Network Computing: VNC versions 3.3-3.8 are supported. Supported client applications: RealVNC, UltraVNC.

2.3. Modes of operation

SCB has three modes of operation: Bridge, Router, and Bastion. Which one is used depends on the layout of the network.

	Tip
	It is recommended to design the network topology so that only management and server administration traffic passes SCB. This ensures that the services and applications running on the servers are accessible even in case SCB breaks down, so SCB cannot become a single point of failure.

SCB supports also a nontransparent mode that works with any of the above three operation modes, but is most often used together with Bastion mode.

2.3.1. SCB in Bridge mode

In Bridge mode, SCB acts as a network switch, and connects the network segment of the administrators to the segment of the protected servers at the data link layer (Layer 2 in the OSI model).

Figure 2.3. SCB in Bridge mode

All traffic passing SCB originates from the MAC address of SCB's bridge interface. SCB replaces all MAC addresses in the ARP replies with its own MAC address. That way all traffic must pass SCB.

Use Layer 3 devices (routers or firewalls) on both sides of SCB.

Using Bridge mode is recommended in the following network topologies:

Figure 2.4. Recommended topologies for Bridge mode

Figure 2.5. Recommended topologies for Bridge mode

Bridge mode in SCB uses a routing table. Use the routing table if more than one subnets are connected to SCB on the opposite side of the default gateway. See Section 4.3.1.1, Routing management traffic to the management interface for details.

Figure 2.6. When routing is needed in Bridge mode

	Warning
	Use dedicated switches on both sides of SCB when using bridge mode and high-availablity together. Do not connect other devices to these switches.

Figure 2.7. Using Bridge mode with high availability

2.3.2. SCB in Router mode

In Router mode, SCB acts as a transparent router connecting the network segment of the administrators to the segment of the protected servers at the network layer (Layer 3 in the OSI model). All connections must pass SCB to reach the servers — SCB is a proxy gateway, completely separating the protected servers from the rest of the network. Controlled connections and traffic are inspected on the application level, while other types of connections are simply forwarded on the packet level.

Figure 2.8. SCB in Router mode

	Warning
	Routing mode does not support multicast traffic.

2.3.3. SCB in Bastion mode

In this mode SCB acts as a bastion host — administrators can address only SCB, the administered servers cannot be targeted directly. The firewall of the network has to be configured to ensure that only connections originating from SCB can access the servers. SCB determines which server to connect based on the parameters of the incoming connection (the IP address of the administrator and the target IP and port).

Bastion mode inherently ensures that only the controlled (management and server administration) traffic reaches SCB. This ensures that the services and applications running on the servers are accessible even in case SCB breaks down, so SCB cannot become a single point of failure. The firewall or router before the servers must be configured to direct the controlled SSH, RDP, Telnet, and VNC traffic to SCB. This can be accomplished on the IP level.

Figure 2.9. SCB in Bastion mode

	Tip
	Bastion mode is useful if the general (not inspected) traffic is very high and could not be forwarded by SCB.

Bastion mode is often used together with the Nontransparent mode (see Section 2.3.4, SCB in Nontransparent mode).

For using SCB in Bastion mode without high-availability, see Section 9.2, Bastion mode considerations.

2.3.4. SCB in Nontransparent mode

Nontransparent mode allows you to create a single connection policy and allow users to access any server by including the name of the target server in their username (e.g., ssh username@targetserver:port@scb_address). SCB can extract the address from the username and direct the connection to the target server.

Figure 2.10. SCB in Nontransparent mode

Since some client applications do not permit the @ and : characters in the username, the % and ! characters may also be used instead, e.g., username%targetserver!port@scb_address.

Windows RDP clients often send only the first 9 characters of the username to the server, making nontransparent operation difficult. When using the RDP4 or RDP5 protocols, it is not necessary to include the username when starting an RDP connection (e.g., use only @server); the user can type the username later in the graphical login screen. However, the username must be specified for RDP6 connections.

2.4. Connecting to a server through SCB

When a client initiates a connection to a server, SCB performs one of the procedures detailed below, depending on the protocol used in the connection.

For SSH connections, see Procedure 2.1, Connecting to a server through SCB using SSH.
For RDP and other connections, see Procedure 2.2, Connecting to a server through SCB using RDP.

Procedure 2.1. Connecting to a server through SCB using SSH

The client tries to connect the server. SCB receives the connection request and establishes the TCP connection with the client.

SCB examines the connection request: it checks the IP address of the client and the IP address and port number of the intended destination server. If these parameters of the request match with a connection policy configured on SCB, SCB inspects the connection in detail. Other connections are ignored by SCB; they are simply forwarded on the packet level.

The selected connection policy determines all settings and parameters of the connection.

	Note
	SCB compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection. See Procedure 5.1, Configuring connections for details.

Optionally, before establishing the server-side connection, SCB can evaluate the connection and channel policies to determine if the connection might be permitted at all, e.g., it is not denied by a Time Policy. See Section 5.2.5, Protocol-level SSH settings for details.
SCB selects the destination server based on the Target parameter of the connection policy. Network address translation of the target address can be performed at this step. See Section 5.1.1, Modifying the destination address for details.
SCB selects the source address used in the server-side connection based on the SNAT parameter of the connection policy. See Section 5.1.2, Modifying the source address for details.
SCB establishes the TCP connection to the server.
SCB negotiates the protocol parameters of the connection (e.g., SSH encryption parameters) according to the Protocol settings of the connection policy. The SSH handshake is performed simultaneously on the server- and the client-side.

SCB displays an SSH hostkey to the client. This hostkey is either generated on SCB, or it is the hostkey of the server (if it is available on SCB). The connection policy determines the hostkey shown to the client.

	Warning
	If the SSH Settings of the connection enable only RSA keys in the connection, the RSA key shown to the client must be set in the connection policy. Similarly, if only DSA keys are permitted, the DSA key must be set.

SCB verifies the hostkey of the server. If the server has not been contacted before, SCB can accept and store the hostkey of the server. Alternatively, the hostkey of the server can be manually uploaded to SCB. See Section 5.2.4, Server host keys and certificates for details.
The client authenticates itself using an authentication method permitted by the Authentication Policy set in SCB. Different connections can use different authentication policies, thus allow different authentication methods. The Authentication policy also restricts which users can connect the server if public-key authentication is used.

If the authentication is successful, SCB checks whether the particular user is allowed to access the connection by consulting the User list assigned to the connection policy. If needed, SCB connects the LDAP servers set in the LDAP Servers policy to resolve the group memberships of the user.

	Warning
	User Lists are white- or blacklists of usernames that determine who can access the server remotely. However, this cannot prevent a user from accessing the server from a local terminal.

SCB performs the authentication on the server, using the data received from the client in Step 8.
Both the server and the client side connections have been established. From this step, the client can try to open any type and any number of channels in the connection.
SCB consults the Channel Policy assigned to the connection for each channel opening request to see if the channel type (e.g., TCP forward or terminal session in SSH) requested by the client is permitted in the connection. Channel policies may impose restrictions on the availability of certain channels.
SCB consults the Time Policy assigned to the channel policy. Channels may be opened only within the allowed period.

Tip

Time policies are a good way to ensure that the server can be accessed only within the specified timeframe.
If gateway authentication is set for the connection policy, the SSH session of the client is paused until the client successfully completes the gateway authentication on SCB. The server-side connection is established only after the gateway authentication is completed. See Section 2.7, Gateway authentication for details.
If the Authentication Policy of the SSH connection policy requires separate authentication on the client and the server side, the client performs the client-side authentication.
If the Authentication Policy of the SSH connection policy requires separate authentication on the client and the server side, the client performs the server-side authentication.
If 4-eyes authorization is set in the Channel Policy, the SSH session of the client is paused until the authorizer permits the client to connect to the server. See Section 2.8, 4-eyes authorization for details.
The client starts to work on the server. SCB records the entire communication into digitally encrypted audit trails if auditing is enabled in the Channel Policy. See Section 5.1.3, Channel Policies for details.

Procedure 2.2. Connecting to a server through SCB using RDP

The client tries to connect the server. SCB receives the connection request and establishes the TCP connection with the client.

The selected connection policy determines all settings and parameters of the connection.

	Note
	SCB compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection. See Procedure 5.1, Configuring connections for details.

SCB selects the destination server based on the Target parameter of the connection policy. Network address translation of the target address can be performed at this step. See Section 5.1.1, Modifying the destination address for details.
SCB selects the source address used in the server-side connection based on the SNAT parameter of the connection policy. See Section 5.1.2, Modifying the source address for details.
SCB establishes the TCP connection to the server.
SCB checks the protocol parameters of the connection (e.g., version of the RDP protocol used ) according to the Protocol settings of the connection policy. The RDP handshake is performed simultaneously on the server- and the client-side.
The server opens a Drawing channel for the user to perform authentication.
SCB consults the Channel Policy assigned to the connection to check if the Drawing channel is enabled.
SCB consults the Time Policy assigned to the connection. Connections are accepted only within the allowed period.

Tip

Time policies are a good way to ensure that the configuration of the server is modified only during maintenance hours.
If gateway authentication is set for the connection policy, the session of the client is paused until the client successfully completes the gateway authentication on SCB. The server-side connection is established only after the gateway authentication is completed. See Section 2.7, Gateway authentication for details.
The client authenticates on the server.
If 4-eyes authorization is set in the Channel Policy, the session of the client is paused until the authorizer permits the client to connect to the server. See Section 2.8, 4-eyes authorization for details.
Both the server and the client side connections have been established. From this step, the server can open any type and any number of channels in the connection. (In RDP, the client requests a channel, and the server opens the channels towards the client.) SCB consults the Channel Policy assigned to the connection to check if the particular channel is enabled in the connection.
The client starts to work on the server. SCB records the entire communication into digitally encrypted audit trails if auditing is enabled in the Channel Policy. See Section 5.1.3, Channel Policies for details.

2.5. SSH hostkeys

The SSH communication authenticates the remote SSH server using public-key cryptography, either using plain hostkeys, or X.509 certificates. Client authentication can also use public-key cryptography. The identity of the remote server can be verified by inspecting its hostkey or certificate. When trying to connect a server via SCB, the client sees a hostkey (or certificate) shown by SCB. This key is either the hostkey of SCB, or the original hostkey of the server, provided that the private key of the server has been uploaded to SCB. In the latter case the client will not notice any difference and have no knowledge that he is not communicating directly with the server, but with SCB.

2.6. Authenticating clients using public-key authentication in SSH

Public-key authentication requires a private and a public key (or an X.509 certificate) to be available on SCB. First, the public key of the user is needed to verify the user's identity in the client-side SSH connection: the key presented by the client is compared to the one stored on SCB. SCB uses a private key to authenticate itself to the sever in the server-side connection. SCB can use the private key of the user if it is uploaded to SCB. Alternatively, SCB can generate a new keypair, and use its private key for the server-side authentication, or use agent-forwarding, and authenticate the client with its own key.

	Warning
	If SCB generates the private key for the server-side authentication, then the public part of the keypair must be imported to the server; otherwise the authentication will fail. Alternatively, SCB can upload the public key (or a generated X.509 certificate) into an LDAP database.

2.7. Gateway authentication

When gateway authentication is required for a connection, the user must authenticate on SCB as well. This additional authentication can be performed on the SCB web interface, so it provides a protocol-independent, outband authentication method. That way the connections can be authenticated to the central authentication database (e.g., LDAP or RADIUS), even if the protocol itself does not support authentication databases. Also, connections using general usernames (e.g., root, Administrator, etc.) can be connected to real user accounts.

Figure 2.11. Gateway authentication

Technically, the process of gateway authentication is the following:

Procedure 2.3. The gateway authentication process

The user initiates a connection from a client.
If gateway authentication is required for the connection, SCB pauses the connection.
The user logs in to the SCB web interface, selects the connection from the list of paused connections, and enables it. It is possible to require that the authenticated session and the web session originate from the same client IP address.
The user performs the authentication on the server.

Note

Gateway authentication can be used together with other advanced authentication and authorization techniques like 4-eyes authorization, client- and server-side authentication, etc.

For SSH connections, the gateway authentication can be performed inband, within the SSH protocol, without having to access the SCB web interface.

2.8. 4-eyes authorization

When 4-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This authorization is in addition to any authentication or group membership requirements needed for the user to access the remote server. Any connection can use 4-eyes authorization, so it provides a protocol-independent, outband authorization and monitoring method.

The authorizer has the possibility to terminate the connection any time, and also to monitor real-time the events of the authorized connections: SCB can stream the traffic to the Audit Player application, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like watching a movie.

	Note
	The auditor can only see the events if the required decryption keys are available on the host running the Audit Player application.

Figure 2.12. 4-eyes authorization

Technically, the process of 4-eyes authorization is the following:

Procedure 2.4. The 4-eyes authorization process

The user initiates a connection from a client.
If 4-eyes authorization is required for the connection, SCB pauses the connection.
The authorizer logs in to the SCB web interface, selects the connection from the list of paused connections, and enables it.
The user performs the authentication on the server.
The auditor (who can be the authorizer, but is it possible to separate the roles) watches the actions of the user real-time.

	Note
	4-eyes authorization can be used together with other advanced authentication and authorization techniques like gateway authentication , client- and server-side authentication, etc.

2.9. Network interfaces

The SCB hardware has four network interfaces, out of which the following three are used: the external, the management, and the HA interface. The exact location of the labeled interfaces is pictured in the Sun Fire™ X2200 M2 Server Installation Guide, the Sun Fire™ X4140 M2 Server Installation Guide, or the Sun Fire™ X4540 M2 Server Installation Guide you received with SCB.

The internal interface is used exclusively for communication between SCB and the protected servers. The internal interface uses the Ethernet connector labeled as LAN2.

The external interface is used for communication between SCB and the clients: the controlled connections of the clients (e.g., the SSH connections of the system administrators managing the servers) accessing the protected servers enter via this interface. Also, the initial configuration of SCB is always performed using the external interface (see Section 3.2, The Welcome Wizard for details on the initial configuration). The external interface is used for management purposes if the management interface is not configured. The external interface uses the Ethernet connector labeled as LAN0.

The management interface is used exclusively for communication between SCB and the auditors or the administrators of SCB. Incoming connections are accepted only to access the SCB web interface, other connections targeting this interface are rejected. The management interface uses the Ethernet connector labeled as LAN1.

The routing rules determine which interface is used for transferring remote backups and syslog messages of SCB.

	Tip
	It is recommended to direct backups, syslog and SNMP messages, and e-mail alerts to the management interface. See Section 4.3.1.1, Routing management traffic to the management interface for details.

If the management interface is not configured, the external interface takes the role of the management interface.

The HA interface is an interface reserved for communication between the nodes of SCB clusters. The HA interface uses the Ethernet connector labeled as LAN3. See Section 2.10, High Availability support in SCB for details on high availability.

2.10. High Availability support in SCB

In high availability (HA) mode two SCB units (called master and slave nodes) having identical configuration are operating simultaneously. The master shares all data with the slave node, and if the master node stops functioning, the other one becomes immediately active, so the servers are continuously accessible. The slave node takes over the MAC addresses of the interfaces of the master node.

	Warning
	If the two nodes cannot communicate, the slave assumes that the master node broke down and becomes active. This may result in both nodes being active at the same time, a situation that should be avoided.

The slave node automatically synchronizes its hard disk with the master via the HA network interface. The disks must be synchronized for the HA support to operate correctly.

	Warning
	When using the management interface and high availability together, do not forget to connect the management interface of both SCB nodes to the network. Otherwise you will not be able to remotely access SCB if a takeover occurs.

2.11. Firmware in SCB

The SCB firmware is separated into two parts: an external and an internal firmware.

The external firmware (also called boot firmware) boots up SCB, provides the high availability support, and starts the internal firmware. The external firmware changes very rarely.
The internal firmware (also called core firmware) handles everything else: provides the web interface, manages the connections, etc. The internal firmware is updated regularly as new features are added to SCB.

Both firmwares can be updated from the SCB web interface. See Section 4.5.2, Upgrading SCB for details.

2.11.1. Firmwares and high availability

When powering on the SCB nodes in high availability mode, both nodes boot and start the boot firmware. The boot firmwares then determine which unit is the master: the core firmware is started only on the master node.

Upgrading the SCB firmware via the web interface automatically upgrades the firmware on both nodes.

2.12. Accessing and configuring SCB

SCB has a web interface and is configured from a browser. The users of SCB can be authenticated using local, LDAP, or RADIUS databases. The privileges of the users are determined by group memberships; this can be managed either locally on SCB, or centrally in an LDAP database. Assigning privileges to groups is based on ACLs. It is also possible to match groups existing in the LDAP database to a set of SCB privileges. The access control in SCB is very detailed, it is possible to define exactly who can access which parts of the interface and of the stored data.

Figure 2.13. Authenticating the users of SCB

2.13. Licenses

SCB's license determines the number of servers (IP addresses) that SCB protects; the license limits the number of IP addresses that SCB can connect on the internal interface. License expansion packs are available for all SCB appliances.

BalaBit Shell Control Box n1025: Available with license for 10 IP addresses; can be expanded up to 25 IP addresses.
BalaBit Shell Control Box n2500 and n2500d: Available with license for 25 IP addresses; can be expanded up to unlimited IP addresses.
BalaBit Shell Control Box n5000: Available with license for 50 IP addresses; can be expanded up to unlimited IP addresses.

Contact BalaBit or your local distributor for details. For details on installing a new license, see Section 4.5.2.2, Updating the SCB license.

Chapter 3. The Welcome Wizard and the first login

This chapter describes the initial steps of configuring SCB. Before completing the steps below, unpack, assemble, and power on the hardware. Connect at least the external network interface to the local network, or directly to the computer from which SCB will be configured.

	Note
	Refer to Appendix 3, BalaBit Shell Control Box Hardware Installation Guide for details on unpacking and assembling the hardware, and to Section 3.2, Installing two SCB units in HA mode to create a high-availability SCB cluster.

3.1. The initial connection to SCB

SCB can be connected from a client machine using any modern web browser.

Supported web browsers

	Supported web browsers
The browser must support HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled. Supported browsers: Mozilla Firefox 2.0 or newer and Microsoft Internet Explorer 7 and 8. Supported operating systems: Microsoft Windows XP, Windows 2003 Server, Windows Vista, Windows 2008 Server, and Linux. SCB displays a warning message if your browser is not supported or JavaScript is disabled. The SCB web interface can be accessed only using SSLv3 or TLSv1 encryption and strong cipher algorithms. Note that when using Internet Explorer 7 on Windows 2008 to access SCB you must enable active scripting for the Internet Zone, otherwise the SCB web interface will not operate properly. This is not required on other platforms or browser versions. To accomplish this, select Tools > Internet Options > Security > Internet Zone > Custom level, and set the Active scripting field to `Enabled`.

The browser must support HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled. Supported browsers: Mozilla Firefox 2.0 or newer and Microsoft Internet Explorer 7 and 8. Supported operating systems: Microsoft Windows XP, Windows 2003 Server, Windows Vista, Windows 2008 Server, and Linux. SCB displays a warning message if your browser is not supported or JavaScript is disabled.

The SCB web interface can be accessed only using SSLv3 or TLSv1 encryption and strong cipher algorithms.

Note that when using Internet Explorer 7 on Windows 2008 to access SCB you must enable active scripting for the Internet Zone, otherwise the SCB web interface will not operate properly. This is not required on other platforms or browser versions. To accomplish this, select Tools > Internet Options > Security > Internet Zone > Custom level, and set the Active scripting field to Enabled.

SCB can be accessed from the local network — it is listening for HTTPS connections on the 192.168.1.1 IP address via its external interface (LAN0, see Section 2.9, Network interfaces for details on the network interfaces). The 192.168.1.0/24 subnet must be accessible from the client. If the client machine is in a different subnet (e.g., its IP address is 192.168.10.X), but in the same network segment, the easiest way is to assign an alias IP address to the client machine. Creating an alias IP on the client machine virtually puts both the client and SCB into the same subnet, so that they can communicate. To create an alias IP complete the following steps.

On Microsoft Windows, see Procedure 3.1, Creating an alias IP address (Microsoft Windows).
On Linux, see Procedure 3.2, Creating an alias IP address (Linux).

	Warning
	The Welcome Wizard can be accessed only using the external network interface of SCB, as the management interface is not configured yet.

Procedure 3.1. Creating an alias IP address (Microsoft Windows)

This procedure describes how to assign an alias IP address to a network interface on Microsoft Windows platforms.

Figure 3.1.

Open the Start menu and select the Network Connections item of the Settings menu.
Figure 3.2.

Double click on the Local Area Connection and click on the Properties button.
Figure 3.3.

Select the Internet Protocol (TCP/IP) component in the list and click on the Properties button.
Figure 3.4.

Click on the Advanced button to display the Advanced TCP/IP Settings window.
Figure 3.5.

Select the IP Settings tab and click on the Add button of the IP Addresses section of the window.

Enter 192.168.1.2 into the IP Address field and 255.255.255.0 into the Netmask field.

	Warning
	If your internal network uses the `192.168.1.0/24` IP range, the `192.168.1.1` and `192.168.1.2` addresses might already be in use. In this case, disconnect SCB from the network, and connect directly a computer to its external interface using a standard cross-link cable.

Click Add to complete the procedure.

Procedure 3.2. Creating an alias IP address (Linux)

This procedure describes how to assign an alias IP address to a network interface on Linux platforms.

Start a terminal console (e.g., gnome-terminal, konsole, xterm, etc.)
Issue the following command as root:

ifconfig ethX:0 192.168.1.2

ethX is the ID of the network interface of the client, usually eth0 or eth1.
Issue the ifconfig command. The ethX:0 interface should appear in the output, having inet addr:192.168.1.2 .
Issue the ping -c 3 192.168.1.1 command to verify that SCB is accessible. A similar result should be displayed:

user@computer:~$ ping -c 3 192.168.1.1
                    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
                    64 bytes from 192.168.1.1: icmp-seq=1 ttl=63 time=0.357 ms
                    64 bytes from 192.168.1.1: icmp-seq=2 ttl=63 time=0.306 ms
                    64 bytes from 192.168.1.1: icmp-seq=3 ttl=63 time=0.314 ms

                    --- 192.168.1.1 ping statistics ---
                    3 packets transmitted, 3 received, 0% packet loss, time 2013ms
                    rtt min/avg/max/mdev = 0.306/0.325/0.357/0.030 ms

Open the page https://192.168.1.1 from your browser and accept the certificate shown. The Welcome Wizard of SCB appears.

	Note
	If SCB is accessible via the network (it responds to ping messages), but the Welcome Wizard is not available, you have to perform a recovery installation using the SCB Recovery CD. See Appendix 4, BalaBit Shell Control Box Software Installation Guide for details.

3.2. The Welcome Wizard

The Welcome Wizard guides you through the basic configuration steps of SCB. All parameters can be modified before the last step by using the Back button of the wizard, or later via the web interface of SCB.

Procedure 3.3. The initial configuration of SCB

Open the page https://192.168.1.1 in your browser and accept the certificate shown. The Welcome Wizard of SCB appears.

Figure 3.6. The Welcome Wizard

When configuring SCB for the first time, click Next.

It is also possible to import an existing configuration from a backup file. Use this feature to restore a backup configuration after a recovery, or to migrate an existing SCB configuration to a new device.

Click Browse and select the configuration file to import.
Enter the passphrase used when the configuration was exported into the Encryption passphrase field.

Click Import.

	Warning
	If you use the Import function to copy a configuration from one SCB to another, do not forget to configure the IP addresses of the second SCB. Having two devices with identical IP addresses on the same network leads to errors.

Accept the End User License Agreement and install the SCB license

Figure 3.7. The EULA and the license key
1. Read the End User License Agreement and select Accept.
2. Click Browse, select the SCB license file received with SCB, then click Upload.
3. Click Next.
Figure 3.8. Initial networking configuration

Fill the fields to configure networking. The meaning of each field is described below. The background of unfilled required fields is red. All parameters can later be modified using the regular interface of SCB.
1. Hostname: Name of the machine running SCB (e.g., SCB).
2. Domain name: Name of the domain used on the network.
3. DNS server: IP address of the name server used for domain name resolution.
4. NTP server: The IP address or the hostname of the NTP server.
5. Syslog server: The IP address or the hostname of the syslog server.
6. SMTP server: The IP address or the hostname of the SMTP server used to deliver e-mails.
7. Administrator's e-mail: E-mail address of the SCB administrator.
8. Timezone: The timezone where the SCB is located.
9. External interface — IP address: IP address of the external interface of SCB (e.g., 192.168.1.1). The IP address can be chosen from the range of the corresponding physical subnet. Clients will connect the external interface, therefore it must be accessible to them.
  
  Note
  
  The IP address of the SCB host must not fall into the following ranges: 1.2.0.0/16, 127.0.0.0/8.
10. External interface — Netmask: The IP netmask of the given range in IP format. For example, general class C networks have the 255.255.255.0 netmask.
11. When configuring SCB for Router mode, enter the IP address and Netmask for the internal interface as well. SCB connects to the servers via the internal interface.
12. Default gateway: IP address of the default gateway. When using several network cards, the default gateway is usually in the direction of the external interface.
13. HA address: The IP address of the high-availability (HA) interface. Leave this field on auto unless specifically requested by the support team.
14. Click Next.
Enter the passwords used to access SCB.

Figure 3.9. Passwords

Note

SCB passwords can contain the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}
1. Admin password: The password of the admin user who can access the web interface of SCB.
2. Root password: The password of the root user, required to access SCB via SSH or from the local console.
  
  Note
  
  Accessing SCB using SSH is rarely needed, and recommended only for advanced users for troubleshooting situations.
3. If you want to prevent users from accessing SCB remotely via SSH or changing the root password of SCB, select the Activate sealed mode option. Sealed mode can be activated later from the web interface as well. See Section 4.5.5, Sealed mode for details.
4. Click Next.
Upload or create a certificate for the SCB web interface. This SSL certificate will be shown by SCB to authenticate administrative HTTPS connections to the web interface.

Figure 3.10. Creating a certificate for SCB

To create a self-signed certificate, fill the fields of the Generate new self-signed certificate section and click Generate. The certificate will be self-signed by the SCB appliance; the hostname of SCB will be used as the issuer and common name.
1. Country: Select the country where SCB is located (e.g., HU-Hungary).
2. Locality: The city where SCB is located (e.g., Budapest).
3. Organization: The company who owns SCB (e.g., Example Inc.).
4. Organization unit: The division of the company who owns SCB (e.g., IT Security Department).
5. State or Province: The state or province where SCB is located.
6. Click Generate.
If you want to use a certificate that is signed by an external Certificate Authority, click the icon in the Server X.509 certificate field to upload the certificate.

Figure 3.11. Uploading a certificate for SCB

Then click the icon in the Server private key field, upload the private key, and enter the password protecting the private key.

Figure 3.12. Uploading a private key

Note

SCB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.
Review the data entered in the previous steps. This page also displays the certificate generated in the last step; the RSA SSH key of SCB, and information about the license file.

Figure 3.13. Review configuration data

Click Finish if all information is correct.

Warning

The configuration takes effect immediately after clicking Finish. Incorrect network configuration data can render SCB unaccessible.

This was the last step of the Welcome Wizard; SCB is now accessible from the regular web interface via the IP address of its external interface.
Figure 3.14. Logging in to SCB

Your browser will be automatically redirected to the IP address set as the external interface of SCB, where you can login to the web interface of SCB using the admin username and the password you set for this user in the Welcome Wizard.

3.3. Logging in to SCB and configuring the first connection

After finishing the initial configuration of SCB using the Welcome Wizard, connections must be configured between the clients and the servers. SCB inspects only the connections that are configured from the web interface; all other connections are forwarded without any inspection. The procedure below describes how to enable a simple SSH terminal or a Remote Desktop session.

Procedure 3.4. Configuring a simple session

Login to SCB's web interface.

Figure 3.15. The first login
1. Open the https://IP-address-of-the-external-interface/ page from your browser to access the web interface of SCB. Replace the IP-address-of-the-external-interface string with the IP set for the external interface in Step Step Step 4.j of the Welcome Wizard (e.g., 192.168.1.1).
2. The certificate created in Step Step 6 of the Welcome Wizard is displayed. Accept it.
3. Login to the SCB web interface using the displayed login screen.
  - Enter admin into the Login field.
  - Enter the password set in Step Step 5 for the admin user into the Password field.
  - Click Login. The main page of the SCB administration interface is displayed.

Configure a new connection. This connection will allow any user to connect to a specified server from a specific client machine.

- To configure an SSH connection, click on the Secure Shell Control item of the Main Menu. Only terminal sessions will be permitted.
- To configure an RDP connection, click on the RDP Control item of the Main Menu. Only basic Remote Desktop sessions will be permitted (i.e, no clipboard or file-sharing).
Click on the icon on the left to create a new connection.

Enter a name into the Name field that will identify the connection (e.g., admin-mainserver).

	Tip
	It is recommended to use descriptive names that give information about the connection, e.g., refer to the name of the accessible server, the allowed users, etc.

Bastion mode: Enter the IP addresses defining the connection. Skip this step if SCB is set to Router or Bridge mode.

Figure 3.16. A connection in Bastion mode
- Enter the IP address of the client that will be permitted to access the server into the From field.
- Enter the IP address of SCB's external interface into the To field.
- Enter a port number into the Port field.
- Enter the IP address of the server into the Use fix address field of the Target section.
- Enter the port number where the server is accepting connections into the Port field of the Target section.
Router mode and Bridge mode: Enter the IP addresses defining the connection. Skip this step if SCB is set to Bastion mode.

Figure 3.17. A connection in Router mode
- Enter the IP address of the client that will be permitted to access the server into the From field.
- Enter the IP address of the server into the To field.
- Enter the port number where the server is accepting connections into the Port field.
Click Commit.

This connection allows any user from the client machine to connect to the specified server, but permits only terminal sessions — other SSH channels like TCP forwarding are disabled.

Test the new configuration: try to initiate an SSH or and RDP connection from the client to the server. Note that in Bastion mode the client addresses SCB's external IP address and the port set in Step Step Step 2.d, while IP address of the the server set in Step Step Step 2.e in Router mode.

Chapter 4. Configuring and managing SCB

SCB is configured via the web interface. Configuration changes take effect automatically after clicking the button. Only the modifications of the current page or tab are activated — each page and tab must be committed separately.

This chapter describes how to configure, manage, and maintain SCB.

For details about the supported browsers, see Section 4.1, Supported web browsers.
To learn how to use the web interface of SCB, see Section 4.2, The structure of the web interface.
To configure the basic settings of the SCB host like network settings, system monitoring, and backup settings, see Section 4.3, Basic settings.
To manage user accounts and privileges see Section 4.4, User management and access control.
To control, reboot, update, and troubleshoot SCB, see Section 4.5, Managing SCB.

4.1. Supported web browsers

The SCB web interface can be accessed only using SSLv3 or TLSv1 encryption and strong cipher algorithms.

4.2. The structure of the web interface

The web interface consists of the following main sections:

Figure 4.1. Structure of the web interface 1.

Main menu: Each menu item displays its options in the main workspace on one or more tabs. Clicking the icon in front of the main menu item displays the list of available tabs.
Figure 4.2. Structure of the web interface 2.

Main workspace: Displays the configuration options related to the selected main menu item. The workplace can consist of multiple tabs.
Figure 4.3. Structure of the web interface 3.

Message window: This popup window displays the responses of SCB to the user's actions, e.g., Configuration saved successfully. Error messages are also displayed here. All messages are included in the system log. See the Troubleshooting tab of the Basic menu for detailed system logs (including message history). To make the window appear only for failed actions, enable the Autoclose successful commit messages option in the Preferences of the User menu.
Figure 4.4. Structure of the web interface 4.

User menu: Provides possibilities to change your SCB password; to log out; and disable confirmation dialogs and tooltips using the Preferences option.
User info: Provides information about the currently logged in user, including username, IP address of the user's computer (Host), and date and IP address of the user's last login.
Figure 4.5. Structure of the web interface 5.

System monitor: Displays accessibility and system health information about SCB, including the following:
- System date and time.
- The time remaining before the session to the web interface times out.
- Indicators if SSH, RDP, Telnet, and VNC traffic is permitted to the protected servers.
- The number of active SSH, RDP, Telnet, and VNC connections.
- License information if the license is not valid, or a demo license is installed.
- The status of the RAID devices, if synchronization between the disks is in progress.
- The HA status and the ID of the active node if two SCB units are running in a high availability cluster. If the nodes of the cluster are synchronizing data between each other, the progress and the time remaining from the synchronization process is also displayed.
- Average system load during the last minute and the last fifteen minutes.
- CPU, memory, hard disk, and swap use. Hover the mouse above the graphical bars to receive a more details in a tooltip, or visit the Basic Settings > Dashboard page for detailed reports.
- The number of running processes.
The System monitor displays current information about the state of SCB. To display a history of these parameters, go to Basic Settings > Dashboard. See Section 4.5.3.6, Status history and statistics for details.

4.2.1. Elements of the main workspace

The main workspace displays the configuration settings related to the selected main menu item grouped into one or more tabs. Related parameters of a tab are organized into labeled groups or sections, marked with blue outline .

Each page includes one or more orange action buttons. The most common action button is the Commit, which saves and activates the changes of the page.
/ Show/Hide Details: Displays or hides additional configuration settings and options.
, Create entry: Create a new row or entry (e.g., an IP address or a policy).
, Delete entry: Delete a row or an entry (e.g., an IP address or a policy).
, Open/collapse lists: Open or close a list of options (e.g., the list of available reports).
Modify entries or upload files: Edit an entry (e.g., a host key, a list, etc.), or upload a file (e.g., a private key). These actions open a popup window where the actual modification can be performed.
, Position an item in a list: Modify the order of items in a list. The order of items in a list (e.g., the order of connections, permitted channels in a channel policy, etc.) is important because when SCB is looking for a policy, it evaluates the list from top to down, and selects the first item completely matching the search criteria. For example, when a client initiates a connection to a protected server, SCB selects the first connection policy matching the client's IP address, the server's IP address, and the target port (the From, To, and Port fields of the connection).

4.2.2. Multiple web users and locking

Multiple administrators can access the SCB web interface simultaneously, but only one of them can modify the configuration. This means that the configuration of SCB is automatically locked when the first administrator who can modify the configuration accesses a configuration page (e.g., the Basic Settings, AAA, or Logs menu). The username and IP address of the administrator locking the configuration is displayed in the System Monitor field. Other administrators must wait until the locking administrator logs out, or the session of the administrator times out. However, it is possible to access the Search and Reporting menus,and to perform gateway authentication and 4-eyes authorization or browse the configuration with only View rights (see Section 4.4.4, Managing user rights and usergroups).

	Note
	If an administrator logs in to SCB using the local console or a remote SSH connection, access via the web interface is completely blocked. Inactive local and SSH connections timeout just like web connections. See Section 4.5.4, Accessing the SCB console for details.

4.3. Basic settings

Use the Basic Settings option of the main menu to configure the SCB host. The exact options are described in the following sections.

To configure the network interfaces, name resolution, and other networking-related settings, see Section 4.3.1, Network settings.
To control (e.g., reboot) SCB, upload a new firmware or license, export the current configuration, or stop the incoming syslog traffic, see Section 4.3.1, Network settings.
To set the system time and automatic time synchronization to an NTP server, see Section 4.3.2, Date and time configuration.
To configure where SNMP and e-mail alerts are sent, see Section 4.3.3, System logging, SNMP and e-mail alerts.
To configure system monitoring and alerts, see Section 4.3.4, Configuring system monitoring on SCB.
To configure data archiving and backups, see Section 4.3.5, Data and configuration archiving and backups.

4.3.1. Network settings

The Network tab contains the network interface and naming settings of SCB.

Figure 4.6. Network settings

Operation mode: SCB can operate in Bastion, Router, or Bridge mode. See Section 2.3, Modes of operation for details.
Internal interface: The IP address and Netmask of the SCB network interface that connects to the protected servers. The internal interface is available only in Router mode.

To enable access to the SCB web interface from the internal interface (even if the management interface is configured), select the Enable management option.

External interface: The IP address and Netmask of the SCB network interface that receives client connections. Click the and icons to add new alias IP addresses (also called alias interfaces) or delete existing ones. At least one external interface must be configured. If the management interface is disabled, the SCB web interface can be accessed via the external interface. When multiple external interfaces are configured, the first one refers to the physical network interface, all others are alias interfaces. The SCB web interface can be accessed from all external interfaces (if no management interface is configured).

Optionally, you can enable access to the SCB web interface even if the management interface is configured by selecting the Enable management option.

	Note
	The speed of the interface is displayed for every interface. To explicitly set the speed of the interface, select the desired speed from the Speed field. Modifying the speed of the interface is recommended only for advanced users. Also note that changing the interface speed might not take effect if the network card of SCB has been replaced with one different from the original.

Management interface: The IP address and Netmask of the SCB network interface used to access the SCB web interface. If the management interface is configured, the web interface can be accessed only via this interface, unless access from other interfaces is explicitly enabled.

To activate the interface, complete the following steps.

Procedure 4.1. Configuring the management interface

Figure 4.7. Configuring the management interface

Navigate to Basic Settings > Network > Interfaces.
Select Enable management interface in the Management interface field.
Enter the IP address of SCB's management interface into the IP Address field.
Enter the netmask related to the IP address into the Netmask field.

Warning

After clicking Commit, the web interface will be available only via the management interface — it will not be accessible using the current (external) interface, unless the Management enabled option is selected for the external interface.

Make sure that the Ethernet cable is plugged and the management interface is connected to the network; this is indicated by a green check icon in the Link field. When using high availability, make sure that the management interface of both SCB units is connected to the network.

The HA interface section indicates if a link is detected on the high-availability interface.

Click Commit.

HA address: The IP address of the high-availability (HA) interface. Leave this field on Auto negotiation unless specifically requested by the support team.

Note

As of SCB version 2.0.2, when both nodes of a cluster boot up in parallel, the node with the 1.2.4.1 HA IP address will become the master node.
Routing table: When sending a packet to a remote network, SCB consults the routing table to determine the path it should be sent. If there is no information in the routing table then the packet is sent to the default gateway. Use the routing table to define static routes to specific hosts or networks. You have to use the routing table if the internal interface is connected to multiple subnets, because the default gateway is (usually) towards the external interface. Click the and icons to add new routes or delete existing ones. A route means that messages sent to the Address/Netmask network should be delivered to Gateway.

See Section 4.3.1.1, Routing management traffic to the management interface for detailed examples.
Hostname: Name of the machine running SCB.
DNS search domain: Name of the domain used on the network. When resolving the domain names of the audited connections, SCB will use this domain to resolve the target hostname if the append domain entry is of a target address is empty.
Primary DNS server: IP address of the name server used for domain name resolution.
Secondary DNS server: IP address of the name server used for domain name resolution if the primary server is unaccessible.

4.3.1.1. Routing management traffic to the management interface

For security reasons — and also to reduce network usage on the external and internal interfaces — it is recommended to direct all management-related traffic of SCB towards the management network interface. Such traffic includes access to the web interface, backups and archiving, syslog messages , and e-mail or SNMP alerts sent to the administrator.

	Warning
	Complete the following procedure only if the management interface is configured; otherwise the data sent by SCB will be lost. See Procedure 4.1, Configuring the management interface for details on configuring the management interface.

Procedure 4.2. Routing management traffic to the management interface

Figure 4.8. Routing

Navigate to Basic Settings > Network and click in the Routing table field to add a new routing entry.
Enter the IP address of the backup server (as set in Procedure 4.9, Creating configuration and data backups) into the Address field.
Enter the related netmask into the Netmask field.
Enter the IP address of the gateway used on that subnetwork into the Gateway field.
Click Commit.
Repeat Steps 1-5 and create a routing entry for other backup servers if needed.
Repeat Steps 1-5 and create a routing entry for the syslog server (as set in Section 4.3.3, System logging, SNMP and e-mail alerts).
Repeat Steps 1-5 and create a routing entry for the SMTP server (as set in Section 4.3.3, System logging, SNMP and e-mail alerts).

4.3.2. Date and time configuration

Date and time related settings of SCB can be configured on the Date & Time tab of the Basic page.

Figure 4.9. Date and time management

Warning

It is essential to correctly set the date and time on SCB, otherwise the date information of the logs and audit trails will be inaccurate.

SCB displays a warning on this page and sends an alert if the time becomes out of sync.

To explicitly set the date and time on SCB, enter the current date into respective fields of the Date & Time Settings group and click Set Date & Time.

To retrieve the date automatically from a time server, complete the following steps.

Procedure 4.3. Configuring a time (NTP) server

Select your timezone in the Timezone field.
Enter the IP address of an NTP time server into the Address field.
Click Commit.
Click the and icons to add new servers or delete existing ones.

Note

If the time setting of SCB is very inaccurate (i.e., the difference between the system time and the actual time is great), it might take a long time to retrieve the date from the NTP server. In this case, click Sync now to sync the time immediately using SNTP.

When two SCB units are operating in high-availability mode, the Sync now button is called Sync Master, and synchronizes the time of the master node to the NTP server. To synchronize the time between the master and the slave nodes, click Sync Slave to Master.

4.3.3. System logging, SNMP and e-mail alerts

E-mail alerts and system logging can be configured on the Basic Settings > Management page.

Figure 4.10. Configuring system logging and e-mail alerts

Procedure 4.4. Configuring system logging

SCB can send its system log messages to remote syslog servers. To configure logging to a remote server, complete the following steps:

Navigate to Basic Settings > Management.
Click in the Syslog receivers field to add a new syslog server.
Enter the IP address and port of the syslog server into the respective fields.

Select the network protocol used to transfer the messages in the Protocol field. The legacy- prefix corresponds to the legacy BSD-syslog protocol described in RFC3164, while the ietf- prefix corresponds to the new IETF-syslog protocol described in RFC5424. Note that not every syslog server supports the IETF protocol yet.

Select TCP+TLS to send the log messages using a TLS-encrypted connection.

Tip

Transferring the syslog messages using TCP ensures that the server receives them.

Transferring the syslog messages using TLS encryption ensures that third parties cannot read the messages. However, not every syslog server accepts encrypted connections. The syslog-ng Premium Edition and Open Source Edition applications, and the syslog-ng Store Box (which is a log-collector appliance similar to SCB) support both encrypted connections and the new IETF-syslog protocol as well. See http://www.balabit.com/network-security/syslog-ng/central-syslog-server/ and http://www.balabit.com/network-security/syslog-ng/log-server-appliance/ for details on these products.

To display separate hostnames for syslog messages sent by the nodes of a SCB HA cluster, select the Include node ID in hostname in boot firmware messages option. The node ID included in the hostname filed of the syslog message is the MAC address of the node's HA interface. (Messages of the core firmware are always sent by the master node.)

If you have selected the TCP+TLS protocol, complete the following steps. Otherwise, click Commit.

If you want SCB to verify the certificate of the syslog server, select Required trusted in the Server key check field and proceed to the next step.

If you want SCB to simply accept any certificate shown by the server, select Optional untrusted in the Server key check field.

Note

Alternatively, you can use the following, less strict options to check the certificate of the server:

Optional trusted: If the server sends a certificate, SCB checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the server. If these checks fail, SCB rejects the connection. However, SCB accepts the connection if the server does not send a certificate.
Request untrusted: SCB requests a certificate from the server, and rejects the connection if no certificate is received, if the certificate is not valid (expired), or if the Common Name of the certificate does not contain the domain name or the IP address of the server.

Click the icon in the CA X.509 certificate field. A popup window is displayed.

Click Browse, select the certificate of the Certificate Authority (CA) that issued the certificate of the syslog server, then click Upload. Alternatively, you can paste the certificate into the Copy-paste field and click Upload.

SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.
If the syslog server requires mutual authentication, i.e., it expects a certificate from SCB, generate and sign a certificate for SCB, then click the icon in the Client X.509 certificate field to upload the certificate. After that, click the icon in the Client key field and upload the private key corresponding to the certificate.
Click Commit.

Click the and icons to add new servers or delete existing ones.

To configure e-mail alerts, complete the following steps:

Procedure 4.5. Configuring e-mail alerts

Navigate to Basic Settings > Management.
Figure 4.11. Configuring e-mail sending

Enter the IP address or the hostname of the mail server into the SMTP server address field of the Mail settings group.
Enter the e-mail address of the administrator into the Administrator's e-mail address field. SCB sends notifications related to system-events (but not alerts and reports) to this address.
Enter the e-mail address of the administrator into the Send e-mail alerts to field. SCB sends monitoring alerts to this address.
Enter the e-mail address the person who should receive traffic reports from SCB into the Send reports to field. For details on reports, see Section 6.3, SCB reports.
Click Commit.
Click Test to send a test message.

If the test message does not arrive to the server, check if SCB can access the server. See Section 4.5.3, Troubleshooting SCB for details.
Navigate to the Alerting & Monitoring tab of the Basic page, and select in which situations should SCB send an e-mail alert. See Section 4.3.4, Configuring system monitoring on SCB for details.
Click Commit.

SCB can send alerts to a central monitoring server via SNMP (Simple Network Management Protocol). To configure SNMP alerts, complete the following steps:

Procedure 4.6. Configuring SNMP alerts

Navigate to Basic Settings > Management > SNMP trap settings.
Figure 4.12. Configuring SNMP alerts

Enter the IP address or the hostname of the SNMP server into the SNMP server address field of the SNMP settings group.
Select the SNMP protocol to use.
- To use the SNMP v2c protocol for SNMP queries, select SNMP v2c, and enter the community to use into the Community field.
- To use the SNMP v3 protocol, select SNMP v3 and complete the following steps:
  
  Figure 4.13. Configuring SNMP alerts using SNMPv3
1. Enter the username to use into the Username field.
2. Enter the engine ID to use into the Engine ID field. The engine ID is a hexadecimal number at least 10 digits long, starting with 0x. e.g., 0xABABABABAB.
3. Select the authentication method (MD5, SHA1) to use from the Authentication method field.
4. Enter the password to use into the Authentication password field.
5. Select the encryption method (Disabled, DES, AES) to use from the Encryption method field.
6. Enter the encryption password to use into the Encryption password field.
Click Commit.
Navigate to the Alerting & Monitoring tab of the Basic page, and select in which situations should SCB send an SNMP alert. See Section 4.3.4, Configuring system monitoring on SCB for details.
Click Commit.

External SNMP agents can query the status information of SCB. To configure which clients can query this information, complete the following steps:

Procedure 4.7. Querying SCB status information using agents

Figure 4.14. Configuring SNMP agent access

Navigate to Basic Settings > Management > SNMP agent settings.
The status of SCB can be queried dynamically via SNMP. By default, the status can be queried from any host. To restrict access to these data to a single host, enter the IP address of the host into the SNMP client address field.
Optionally, you can enter the details of the SNMP server into the System location, System contact, and System description fields.
Select the SNMP protocol to use.
- To use the SNMP v2c protocol for SNMP queries, select SNMP v2c, and enter the community to use into the Community field.
- To use the SNMP v3 protocol, select SNMP v3 and complete the following steps:
1. Enter the username used by the SNMP agent into the Username field.
2. Select the authentication method (MD5, SHA1) to use from the Authentication method field.
3. Enter the password used by the SNMP agent into the Auth. password field.
4. Select the encryption method (Disabled, DES, AES) to use from the Encryption method field.
5. Enter the encryption password to use into the Encryption password field.
6. To add other agents, click .
Click Commit.

4.3.4. Configuring system monitoring on SCB

SCB continuously monitors a number of parameters of the SCB hardware and its environment. If a parameter reaches a critical level (set in its respective Maximum field), SCB sends e-mail and SNMP messages to alert the administrator.

SCB sends SNMP alerts using the management network interface by default, or using the external interface if the management interface is disabled. SCB supports the SNMPv2c and SNMPv3 protocols. The SNMP server set on the Management tab can query status information from SCB.

Tip

In order have your central monitoring system to recognize the SNMP alerts sent by SCB, import the SCB-specific Management Information Base (MIB) into your monitoring system. Download both MIB from the following locations and import them into your monitoring system. See the documentation of your monitoring system for details. http://www.balabit.com/sites/default/files/SCB-SNMP-MIB.txt , http://www.balabit.com/sites/default/files/BALABIT-SNMP-MIB.txt, and http://www.balabit.com/sites/default/files/XCB-SNMP-MIB.txt.

Figure 4.15. Configuring SNMP and e-mail alerting

To configure monitoring, complete the following steps:

Procedure 4.8. Configuring monitoring

Navigate to the Basic Settings > Alerting & Monitoring page.
The default threshold values of the parameters are suitable for most situations. Adjust the thresholds only if needed.
Click Commit.
Navigate to the Basic Settings > Management page and verify that the SNMP settings and Mail settings of SCB are correct. SCB sends alerts only to the alert e-mail address and to the SNMP server.

Warning

Sending alerts fails if these settings are incorrect.

The following sections describe the parameters you can receive alerts on.

For health-monitoring alerts, see Section 4.3.4.1, Health-monitoring alerts.
For system-monitoring alerts, see Section 4.3.4.2, System-related alerts.
For traffic-monitoring alerts, see Section 4.3.4.3, Traffic-related alerts.

4.3.4.1. Health-monitoring alerts

Disk utilization: Ratio of free space available on the hard disk. SCB sends an alert if the audit trails use more space than the set value. Archive the audit trails to a backup server to free disk space. See Procedure 4.10, Archiving the collected data for details.

Note

The alert message includes the actual disk usage, not the limit set on the web interface. For example, you set SCB to alert if the disk usage increases above 10 percent. If the disk usage of SCB increases above this limit (e.g., to 17 percent), you receive the following alert message: less than 90% free (= 17%). This means that the amount of used disk space increased above 10% (what you set as a limit, so it is less than 90%), namely to 17%.

Load: The average load of SCB during the last one, five, or 15 minutes.
Swap utilization: Ratio of the swap space used by SCB. SCB sends an alert if it uses more swap space than the set value.

4.3.4.2. System-related alerts

SCB access: Successful and failed login attempts and logouts from SCB, including both the web interface and the console (local or remote). SNMP alert IDs: xcbLogin, xcbLoginFailure, xcbLogout.
Configuration change: Any modifications of SCB's configuration. SNMP alert ID: xcbConfigChange.

Alerts and Errors: General alerts and error messages occurring on SCB. SNMP alert IDs: xcbAlert, xcbError.

Note

Alerts on general alerts and errors are sent whenever there is an alert or error level message in the SCB system log. These messages are very verbose and mainly useful only for debugging purposes.

Enabling these alerts may result in multiple e-mails or SNMP traps sent about the same event.

Failed backups and archiving: Alerts if the backup or archiving procedure is unsuccessful. SNMP alert IDs: xcbBackupFailed, xcbArchiveFailed.
Database error occurred: An error occurred in the database where SCB stores the connection metadata. Contact our support team (see Section 5, Contact and support information for contact information). SNMP alert ID: xcbDBError.
Destination address limit reached: The number of protected servers reached the limit set in the SCB license. Clients cannot connect to new servers using SCB. SNMP alert ID: xcbLimitReached.
HA node state changed: A node of the SCB cluster changed its state, for example, a takeover occurred. SNMP alert ID: xcbHaNodeChanged.
Timestamping error occurred: An error occurred during the timestaming process, e.g., the timestamping server did not respond. SNMP alert ID: xcbTimestampError.
Time sync lost: The system time became out of sync. SNMP alert ID: xcbTimeSyncLost.
Raid status changed: The status of the node's RAID device changed its state. SNMP alert ID: xcbRaidStatus.
Hardware error occured: SCB detected a hardware error. SNMP alert ID: xcbHWError.

4.3.4.3. Traffic-related alerts

Channel opening denied: A user attempted to open a channel not permitted by the channel policy. SNMP alert ID: scbChannelDenied.
Connection denied: A user attempted to connect a server not permitted in the connection policies. SNMP alert ID: scbConnectionDenied.
User successfully authenticated: A user successfully authenticated on a protected server using an SSH connection. SNMP alert ID: scbAuthSuccess.
User authentication failed: A user failed to complete the authentication on a protected server using an SSH connection. SNMP alert ID: scbAuthFailure.
SSH host key mismatch: The SSH host key of a server did not match the key stored on SCB. SNMP alert ID: scbSshHostKeyMismatch.
New SSH host key learned: SCB learned a new SSH host key. SNMP alert ID: scbHostKeyLearned.
Connection timed out: A connection to a protected server timed out. SNMP alert ID: scbConnectionTimedout.
Connection to the server failed: A connection to a protected server failed. SNMP alert ID: scbConnectionFailed.
Audit trail rate limit exceeded: The growth of an audit trail exceeded the rate limit set in the Global Options of the protocol. This may have been caused by an a deliberate attack. SNMP alert ID: scbAuditRateLimit.
Audit trail size limit exceeded: The size of an audit trail exceeded the file limit set in the Global Options of the protocol. SNMP alert ID: scbAuditSizeLimit.
User successfully authenticated on the gateway: A user has successfully authenticated a connection on SCB as part of a gateway-authentication process. SNMP alert ID: scbGWAuthSuccess.
User authentication failed on the gateway: The gateway-authentication of a connection has failed. SNMP alert ID: scbGWAuthFailure.
User mapping failed on the gateway: A usermapping policy did not find a suitable mapping for the connection. SNMP alert ID: scbUserMappingFailure.

4.3.5. Data and configuration archiving and backups

The BalaBit Shell Control Box can create automatic backups of its configuration and the stored audit-trails to a remote server. Backups and archiving is controlled using backup and archiving policies that define the protocol to use, the address of the backup server, and other parameters.

To configure automatic configuration backups, complete the following steps:

Figure 4.16. Configuring backups and archiving

Procedure 4.9. Creating configuration and data backups

Create a backup policy.

Navigate to Policies > Backup & Archive/Cleanup and click in the Backup policies section to create a new backup policy.
Enter a name for the backup policy (e.g., config-backup).
Enter the time when the backup process should start into the Start time field in HH:MM format (e.g., 23:00).
Enter the IP address or the hostname of the remote server into the Target server field (e.g., backup.example.com).
Figure 4.17. Configuring backups and archiving

SCB can access the remote server via different protocols. Select the one to use from the available protocols:
- Rsync over SSH: Execute the rsync command via the Secure Shell protocol. Note that the backup server must run rsync version 3.0 or newer.
- SMB/CIFS: Server Message Block protocol used on Microsoft Windows Network.
- NFS: Network File System protocol.
Provide the protocol-specific parameters for the selected method. The protocol-specific parameters are described in Section 4.3.5.2, Parameters of the backup protocols.

To receive e-mail notification of the backup, select the Send notification on errors only or the Send notification on all events option. Notifications are sent to the administrator e-mail address set on the Management tab, and include the list of the files that were backed up.

	Note
	This e-mail notification is different from the one set on the Alerting & Monitoring tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.3.4, Configuring system monitoring on SCB).

Click Commit.

Figure 4.18. Configuring system backups

To use this policy to create configuration backups, navigate to Basic Settings > Management > System backup, and select the backup policy you want to use for backing up the configuration of SCB in the System backup policy field.

To use this policy to create data backups, navigate to Connections, select the connection you want to backup, and select a backup policy in the Backup policy field.

Click Commit.

Tip

To create an immediate backup of SCB's configuration to your machine (not to the backup server), select Basic Settings > System > Export configuration.

Note that the configuration export contains only the system settings and configuration files (including changelogs). System backups includes additional information like reports and alerts, and also the connection database.

	Note
	Backup is different from archiving: the purpose of backup is to create a snapshot of SCB's configuration or the data stored on SCB that can be used for recovery in case of errors. Backup deletes all other data from the target directory; while restoring a backup deletes all other data from SCB.

Tip

To start the backup process immediately, click Backup now. The Backup now functionality works only after a backup policy has been selected.

To restore the stored data (audit trails, logs, reports, etc.), click Restore now. Note that the Restore now function does not restore the configuration files of SCB. See Section 9.6, How to restore a backup for a detailed recovery procedure.

To configure data archiving, complete the following steps.

Procedure 4.10. Archiving the collected data

Create an archive policy.

Navigate to Policies > Backup & Archive/Cleanup and click in the Archive/Cleanup policies section to create a new archive policy.
Figure 4.19. Configuring backups and archiving

Enter a name for the archive policy.
Enter the time when the backup process should start into the Start time field in HH:MM format (e.g., 23:00).
Enter the IP address or the hostname of the remote server into the Target server field (e.g., backup.example.com).
Fill the Retention time in days field. Only audit data older than this value is archived to the external server.

Note

The archived data is deleted from SCB.

Connection metadata is not deleted. Log files are not deleted at this point, but are rotated on a weekly basis.

SCB organizes the audit trails into directories based on the date or the protocol. The subdirectories are created directly into the archive directory. Select one of the following directory structures:

Protocol/Connection/Archive Date/
Archive Date/Connection/Protocol/
Connection Date/Protocol/Connection/
Archive Date/
Connection Date/

For example, Protocol/Connection/Archive Date template will have create subdirectories for the audited protocols (i.e., ssh, rdp, telnet, vnc), for the name of the connection policy, and finally, for the date (YEAR-MONTH-DAY in YYYY-MM-DD format).

	Note
	Connection Date refers to the time the connection started, while Archive Date to the time it was archived. The difference between the two dates depends on the retention time set for the archiving policy.

SCB can access the remote server via different protocols. Select the one to use from the available protocols:

Only cleanup, no archiving: Do not archive data to a server, simply delete the data that is older than Retention time in days.

	Warning
	No archiving permanently deletes all audit trails and data that is older than Retention time in days without creating a backup copy or an archive. Such data is irrecoverably lost. Use this option with care.

SMB/CIFS: Server Message Block protocol used on Microsoft Windows Network.
NFS: Network File System protocol.

Provide the protocol-specific parameters for the selected method. The protocol-specific parameters are described in Section 4.3.5.2, Parameters of the backup protocols.

	Note
	This e-mail notification is different from the one set on the Alerting & Monitoring tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.3.4, Configuring system monitoring on SCB).

Click Commit.

To use this policy to archive the data of a connection policy, navigate to the connection (e.g., to SSH Control > Connections, select the connection to archive the recorded audit trails from, and select the archive policy you want to use in the Archive/Cleanup policy field.

Click Commit.

	Tip
	To start the archiving process immediately, click Archive now. The Archive now functionality works only after the archiving has been configured.

4.3.5.1. Encrypting backups

The configuration file of SCB during system-backups, upload the public-part of a GPG key. To enable GPG-encryption, complete the following steps:

	Warning
	The regular backups of SCB contain other information (e.g., databases), but only the configuration file is encrypted. Note that system-backups do not contain data like audit-trails.

Procedure 4.11. Encrypting configuration backups with GPG

Navigate to Basic > System > Management > System backup.
Select Encrypt configuration.

Select .

To upload a key file, click Browse, select the file containing the public GPG key, and click Upload. SCB accepts both binary and ASCII-armored GPG keys.
To copy-paste the key from the clipboard, paste it into the Key field and click Set.

	Note
	The GPG key you upload must be permitted to encrypt data. Keys that can be used only for signing cannot be used to encrypt the configuration file.

Click Commit.

4.3.5.2. Parameters of the backup protocols

This section describes the details of the protocols used for data backup and archiving. Parameters of the NFS protocol are described below.

For details on using Rsync, see the section called “Configuring Rsync over SSH”.
For details on using the Samba protocol, see the section called “Configuring SMB”.
For details on using NFS, see the section called “Configuring NFS”.

Configuring Rsync over SSH

The Rsync over SSH backup method connects the target server with SSH and executes the rsync UNIX command to copy the data to the remote server. SCB authenticates itself with a public key — password-based authentication is not supported. To configure this method, complete the following steps.

	Warning
	The backup server must run rsync version 3.0 or newer.

Procedure 4.12. Parameters of the Rsync over SSH method

Select Rsync over SSH from the Methods radio buttons.

Figure 4.20. Configuring backups using rsync
Enter the username used to logon to the remote server into the Username field.
Click the icon in the Authentication key field. A popup window is displayed.
Generate a new keypair or upload or paste an existing one. This key will be used to authenticate SCB on the remote server. The public key of this keypair must be imported to the remote server.
Click the icon in the Server host key field. A popup window is displayed.
Figure 4.21. Configuring SSH keys

Click Query to download the host key of the server, or upload or paste the host key manually. SCB will compare the host key shown by the server to this key, and connect only if the two keys are identical.
Enter the port number of the SSH server running on the remote machine into the Port field.
Enter the path to the backup directory on the target server into the Path field (e.g., /backups). SCB saves all data into this directory, automatically creating the subdirectories. Backups of audit-trails are stored in the data, configuration backups in the config subdirectory.
Click Commit.

Configuring SMB

The SMB/CIFS backup method connects to a share on the target server with Server Message Block protocol. SMB/CIFS is mainly used on Microsoft Windows Networks. To configure this method, complete the following steps:

Procedure 4.13. Parameters of the SMB protocol

Select SMB/CIFS from the Methods radio buttons.

Figure 4.22. Configuring backups via SMB/CIFS
Enter the username used to logon to the remote server into the Username field, or select the Anonymous option.
Enter the password corresponding to the username into the Password field.
Enter the name of the share into the Share field.

SCB saves all data into this directory, automatically creating the subdirectories. Backups of audit-trails are stored in the data, configuration backups in the config subdirectory.
Enter the domain name of the target server into the Domain field.
Click Commit.

Configuring NFS

The NFS backup method connects to a shared directory of the target server with the Network File Share protocol. To configure this method, enter the name of the NFS export into the Export field. SCB saves all data into this directory, automatically creating the subdirectories. Audit-trail backups are stored in the data, configuration backups in the config subdirectory.

Figure 4.23. Configuring NFS backups

Note that the backup server must also be configured to accept backups from SCB. Complete the following steps:

Procedure 4.14. Configuring NFS on the remote server

	Note
	These steps must be performed on the remote server, not on SCB.

Add a line that corresponds to the settings of SCB to the /etc/exports file of the backup server. This line should contain the following parameters:
- The path to the backup directory as set in the Export field of the SCB backup or archiving policy.
- The IP address of the SCB interface that is used to access the remote server (i.e., the address of the external interface, or the address of the management interface if it is enabled and the routing table of SCB is correctly configured — see Section 4.3.1, Network settings for details).
- The following parameters: (rw,no_root_squash,sync).
For example, if SCB connects the remote server from the 192.168.1.15 IP address and the data is saved into the /var/backups/SCB directory, add the following line to the /etc/exports file:
```
/var/backups/SCB 192.168.1.15(rw,no_root_squash,sync)
```
Execute the following command: exportfs -a
Verify that the rpc portmapper and rpc.statd applications are running.

4.3.5.3. Ownership of the backup files

The different backup protocols assign different file ownerships to the files saved on the backup server. The owners of the backup files created using the different protocols are the following:

rsync: The user provided on the web interface.
SMB: www-data
NFS: root with no-root-squash, nobody otherwise.

	Warning
	SCB cannot modify the ownership of a file that already exists on the remote server. If you change the backup protocol but you use the same directory of the remote server to store the backups, make sure to adjust the ownership of the existing files according to the new protocol. Otherwise SCB cannot overwrite the files and the backup procedure fails.

4.4. User management and access control

The AAA menu (Authentication, Authorization, and Accounting) allows you to control the authentication, authorization, and accounting settings of the users accessing SCB. The following will be discussed in the next sections:

How to authenticate locally on SCB — see Section 4.4.1, Managing SCB users locally.
How to authenticate users using an external LDAP (e.g., Microsoft Active Directory) database — see Section 4.4.2, Managing SCB users from an LDAP database.
How to authenticate users using an external RADIUS server — see Section 4.4.3, Authenticating users to a RADIUS server.
How to control the privileges of users and usergroups — see Section 4.4.4, Managing user rights and usergroups.
How to display the history of changes of SCB configuration — see Section 4.4.5, Listing and searching configuration changes.

4.4.1. Managing SCB users locally

By default, SCB users are managed locally on SCB. To create and delete local users, modify the group membership of local users, or to modify the password of a user, complete the following procedure.

Note

The admin user is available by default and has all possible privileges. It is not possible to delete this user.

Local users cannot be managed when LDAP authentication is used (see Section 4.4.2, Managing SCB users from an LDAP database). When LDAP authentication is enabled, the accounts of local users is disabled, they are not displayed on the AAA > Local Users page, but they are not deleted,

When using RADIUS authentication together with local users, the users are authenticated to the RADIUS server, only their group memberships must be managed locally on SCB. See Section 4.4.3, Authenticating users to a RADIUS server for details.

Procedure 4.15. Creating local users

Figure 4.24. Creating local users

Navigate to AAA > Local Users and click .
Enter the username into the User field.

Note

The following characters cannot be used in usernames: \\/[]:;|=,+*?<>
Enter a password for the user into the Password and Verify password fields.

The strength of the password is indicated below the Password field as you type. To set a policy for password strength, see Section 4.4.1.1, Setting password policies for local users. The user can change the password later from the SCB web interface.
Click in the Groups section and select a group that the user will be member of. Repeat this step to add the user to multiple groups. See Section 4.4.4, Managing user rights and usergroups for details about the different groups.
- To remove a user from a group, click the icon located next to the group.
- To delete a user, click the icon located at the right edge of the screen.
Click Commit.

4.4.1.1. Setting password policies for local users

SCB can use password policies to enforce minimal password strength and password expiry. To create a password policy, complete the following steps.

	Warning
	When running the Audit Player application in service mode, the Audit Player application needs a valid user account to access SCB. When using password expiry, ensure that the password of this user is changed in time, and that it is changed also on the Audit Player hosts.

Note

Password policies apply only for locally managed users, it has no effect if you manage your users from an LDAP database, or if you authenticate your users to a RADIUS server.

Password policies do not apply to the built-in admin user.

Procedure 4.16. Setting password policies

Figure 4.25. Configuring password policies

Navigate to AAA > Settings.
Verify that the Authentication method is set to Password provided by database and that the User database is set to Local.

Note

If the setting of these fields is different (e.g., LDAP or RADIUS), then SCB is not configured to manage passwords locally.
Set how long the passwords are valid in the Password expiration field. After this period, SCB users will have to change their password. To disable password expiry, enter 0.
To prevent password-reuse (e.g., when a user has two password and instead of changing to a new password only switches between the two), set how many different passwords must the user use before reusing an old password.

To enforce the use of strong password, select the level of password-complexity from the Minimal password strength field.

Note

The strength of the password is determined by its entropy: the variety of numbers, letters, capital letters, and special characters used, not only by its length.

The Enable cracklib option executes some simple dictionary-based attacks to find weak passwords.

Click Commit.

	Note
	Changes to the password policy do not affect existing passwords. However, setting password expiry will require every user to change their passwords after the expiry date, and the new passwords must comply with the strength requirements set in the password policy.

4.4.1.2. Managing local usergroups

To display which users belong to a particular local usergroup, select AAA > Group Management. You can edit the group memberships here as well.

You can use local groups to control the privileges of SCB local and LDAP users — who can view and configure what.

For the description of built-in groups, see Section 4.4.4.3, Built-in usergroups of SCB. To create a new group, complete the following steps:

Procedure 4.17. Creating local groups

Figure 4.26. Creating local users

Navigate to AAA > Group Management and click .
Enter a name for the group.
Enter the names of the users belonging to the group. Click to add more users.
Click Commit.

4.4.2. Managing SCB users from an LDAP database

The SCB web interface can authenticate users to an external LDAP database to simplify the integration of SCB to your existing infrastructure. You can also specify multiple LDAP servers; if the first server is unavailable, SCB will try to connect to the second server. To enable LDAP authentication, complete the following steps.

Note

The admin user is available by default and has all privileges. It is not possible to delete this user.

The admin user can login to SCB even if LDAP authentication is used.

Enabling LDAP authentication automatically disables the access of every local user except for admin.

SCB accepts both pre-win2000-style and Win2003-style account names (User Principal Names). User Principal Names (UPNs) consist of a username, the at (@) character, and a domain name, e.g., administrator@example.com.

The following characters cannot be used in usernames and group names: /\[]:;|=,+*)?<>@"

When using RADIUS authentication together with LDAP users, the users are authenticated to the RADIUS server, only their group memberships must be managed in LDAP. See Section 4.4.3, Authenticating users to a RADIUS server for details.

Procedure 4.18. Configuring LDAP authentication

Figure 4.27. Configuring LDAP authentication

Navigate to AAA > Settings > Authentication settings.

Select the LDAP option and enter the parameters of your LDAP server.

Figure 4.28. Configuring LDAP authentication

Enter the IP address or hostname and port of the LDAP server into the Server Address field.

To add multiple servers, click and enter the address of the next server. If a server is unreachable, SCB will try to connect to the next server in the list in failover fashion.

	Warning
	If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (e.g., `ldap.example.com`) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

Select the type of your LDAP server in the Type field. Select Active Directory to connect to Microsoft Active Directory servers, or Posix to connect to servers that use the POSIX LDAP scheme (e.g., Novell e-directory).
Enter the name of the DN to be used as the base of the queries into the Base DN field (e.g., DC=demodomain,DC=exampleinc).

Enter the name of the DN where SCB should bind to before accessing the database into the Bind DN field (e.g., CN=Administrator,CN=Users,DC=demodomain,DC=exampleinc).

	Note
	SCB accepts both pre-win2000-style and Win2003-style account names (User Principal Names), e.g., `administrator@example.com` is also accepted.

Enter the password to use when binding to the LDAP server into the Bind Password field.

If you want to encrypt the communication between SCB and the LDAP server, select the Use StartTLS option and complete the following steps:

Note

TLS-encrypted connection to Microsoft Active Directory is supported only on Windows 2003 Server and newer platforms. Windows 2000 Server is not supported.

Only the STARTTLS method is supported to encrypt the communication between the LDAP server and SCB. The LDAPS protocol is not supported.

If you want SCB to verify the certificate of the server, click the icon in the CA X.509 certificate field. A popup window is displayed.

Click Browse, select the certificate of the Certificate Authority (CA) that issued the certificate of the LDAP server, then click Upload. Alternatively, you can paste the certificate into the Copy-paste field and click Set.

SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.

If you want SCB to simply accept any certificate shown by the LDAP server, select Required untrusted in the Server key check field.

Note

Alternatively, you can use the following options to check the certificate of the LDAP server:

None: Do not request a certificate from the remote host, and accept any certificate if the host sends one.
Optional trusted: If the remote host sends a certificate, SCB checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the host. If these checks fail, SCB rejects the connection. However, SCB accepts the connection if the host does not send a certificate.
Optional untrusted:Accept any certificate shown by the remote host. Note that the host must show a certificate.
Required trusted: Verify the certificate of the remote host. Only valid certificates signed by a trusted certificate authority are accepted. See Procedure 4.41, Uploading external certificates to SCB for details on importing CA certificates. Note that the Common Name of the certificate must contain the domain name or the IP address of the host.
Request untrusted: SCB requests a certificate from the remote host, and rejects the connection if no certificate is received; if the certificate is not valid (expired); or if the Common Name of the certificate does not contain the domain name or the IP address of the host.

	Warning
	If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (e.g., `ldap.example.com`) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

If the LDAP server requires mutual authentication, i.e., it expects a certificate from SCB, generate and sign a certificate for SCB, then click the icon in the Client X.509 certificate field to upload the certificate. After that, click the icon in the Client key field and upload the private key corresponding to the certificate.

If you have modified the Server key check field or the keys used in the connections, perform the following steps:

	Warning
	This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.

To activate the new settings, navigate to Basic Settings > System > System control, and click All services > Restart.

Click Commit.
Click Test to test the connection. Note that the testing of SSL-encrypted connections is currently not supported.

4.4.3. Authenticating users to a RADIUS server

SCB can authenticate its users to an external RADIUS server. Group memberships of the users must be managed either locally on SCB or in an LDAP database.

	Warning
	The challenge/response authentication methods is currently not supported. Other authentication methods (e.g., password, SecureID) should work.

Procedure 4.19. Configuring RADIUS authentication

To authenticate SCB users to a RADIUS server, complete the following steps:

Figure 4.29. Configuring RADIUS authentication

Navigate to AAA > Settings.
Set the Authentication method field to Radius.
Enter the IP address or domain name of the RADIUS server into the Address field.
Enter the password that SCB can use to access the server into the Shared secret field.
To add more RADIUS servers, click and repeat Steps 2-4.

Repeat this step to add multiple servers. If a server is unreachable, SCB will try to connect to the next server in the list in failover fashion.

	Warning
	After clicking Commit, the SCB web interface will be available only after successfully authenticating to the RADIUS server. Note that the default `admin` account of SCB will be able to login normally, even if the RADIUS server is unaccessible.

Click Commit.

4.4.4. Managing user rights and usergroups

In SCB, user rights can be assigned to usergroups. SCB has numerous usergroups defined by default, but custom user groups can be defined as well. Every group has a set of privileges: which pages of the SCB web interface it can access, and whether it can only view (read) or also modify (read & write/perform) those pages or perform certain actions.

	Note
	Every group has either read or read & write/perform privileges to a set of pages.

For details on modifying existing groups, see Procedure 4.20, Modifying group privileges.
To create a new usergroup, see Procedure 4.21, Creating new usergroups for the SCB web interface.
To find usergroups that have a specific privilege, see Section 4.4.4.1, Finding specific usergroups.
For tips on using usergroups, see Section 4.4.4.2, How to use usergroups.
For a detailed description about the privileges of the built-in usergroups, see Section 4.4.4.3, Built-in usergroups of SCB.

Figure 4.30. Managing SCB users

To modify the privileges of an existing group, complete the following steps:

Procedure 4.20. Modifying group privileges

Navigate to AAA > Access Control.
Find the group you want to modify and click . The list of available privileges is displayed.

Figure 4.31. Modifying group privileges

Select the privileges (pages of the SCB interface) to which the group will have access to and click Save.

	Warning
	Assigning the Search privilege to a user on the AAA page automatically enables the Search in all connections privilege, and grants the user access to every audit trail, even if the user is not a member of the groups listed in the Access control option of the particular connection policy.

Select the type of access (read or read & write) from the Type field.
Click Commit.

To create a new group, complete the following steps:

Procedure 4.21. Creating new usergroups for the SCB web interface

Navigate to AAA > Access Control and click .
Enter a name for the group. See Section 4.4.4.2, How to use usergroups for details on how you should name your groups.
Click the icon located next to the name of the group. The list of available privileges is displayed.
Select the privileges (pages of the SCB interface) to which the group will have access to and click Save.
Select the type of access (read or read & write) from the Type field.
Click Commit.

Note

To export the configuration of SCB, the Export configuration privilege is required.

To import a configuration to SCB, the Import configuration privilege is required.

To update the firmware and set the active firmware, the Firmware privilege is required.

The admin user is available by default and has all privileges. It is not possible to delete this user.

4.4.4.1. Finding specific usergroups

The Filter ACLs section of the AAA > Access Control page provides you with a simple searching and filtering interface to search the names and privileges of usergroups.

Figure 4.32. Finding specific usergroups

To select usergroups starting with a specific string, enter the beginning of the name of the group into the Group field and select Search.
To select usergroups who have a specific privilege, click , select the privilege or privileges you are looking for, and click Search.
To filter for read or write access, use the Type option.

4.4.4.2. How to use usergroups

How you should name usergroups depends on the way you manage your SCB users.

Local users: If you use only local users, create or modify your usergroups on the AAA > Access Control page and add users to the groups on the AAA > Local Users or the AAA > Group Managementpage.
LDAP users and LDAP groups: If you manage your users from LDAP, and also have LDAP groups that match the way you want to group your SCB users, create or modify your usergroups on the AAA > Access Control page and ensure that the name of your LDAP group and the SCB usergroup is the same. For example, to make members of the admins LDAP group be able to use SCB, create a usergroup called admins on the AAA > Access Control page and edit the privileges of the group as needed.
RADIUS users and local groups: This is the case when you manage users from RADIUS, but you cannot or do not want to create groups in LDAP. Create your local groups on the AAA > Access Control page, and add your RADIUS users to these groups on the AAA > Group Management page.

4.4.4.3. Built-in usergroups of SCB

SCB has the following usergroups by default:

Figure 4.33. Built-in usergroups of SCB

basic-view: View the settings in the Basic Settings menu, including the system logs of SCB. Members of this group can also execute commands on the Troubleshooting tab.
basic-write: Edit the settings in the Basic Settings menu. Members of this group can manage SCB as a host.
auth-view: View the names and privileges of the SCB administrators, the configured usergroups, and the authentication settings in the AAA menu. Members of this group can also view the history of configuration changes.

auth-write: Edit authentication settings and manage users and usergroups.

Warning

Members of the auth-write group, or any other group with write privileges to the AAA menu are essentially equivalent to system administrators of SCB, because they can give themselves any privilege. Users with limited rights should never have such privileges.

If a user with write privileges to the AAA menu gives himself new privileges (e.g., gives himself group membership to a new group), then he has to relogin to the SCB web interface to activate the new privilege.

search: Browse and download various logs and alerts in the Search menu. The members of this group have access to the audit trail files as well. Note that to open encrypted audit trail files, the proper encryption keys are required.

	Note
	In SCB version 1.x, a separate privilege was required to view and download audit trail files. Now members of the search group automatically have these privileges.

changelog: View the history of SCB configuration changes in the AAA > Accounting menu.
policies-view: View the policies and settings in the Policies menu.
policies-write: Edit the policies and settings in the Policies menu.
ssh-view: View all connection and policy settings in the SSH Control menu.
ssh-write: Edit all connection and policy settings in the SSH Control menu.
rdp-view: View all connection and policy settings in the RDP Control menu.
rdp-write: Edit all connection and policy settings in the RDP Control menu.
telnet-view: View all connection and policy settings in the Telnet Control menu.
telnet-write: Edit all connection and policy settings in the Telnet Control menu.
vnc-view: View all connection and policy settings in the VNC Control menu.
vnc-write: Edit all connection and policy settings in the VNC Control menu.
indexing: Allows host running the Audit Player application to access and download audit trails for automatic indexing. Note that the members of this group can access the SCB web interface as well, and download any audit trail directly.

4.4.5. Listing and searching configuration changes

SCB automatically tracks every change of its configuration. To display the history of changes, select AAA > Accounting. The changes are organized as log messages, and can be browsed and searched using the regular SCB search interface (see Chapter 6, Browsing log messages and SCB reports for details. The following information is displayed about every modification:

Figure 4.34. Browsing configuration changes

Timestamp: The date of the modification.
Author: Username of the administrator who modified the configuration of SCB.
Page: The menu item that was modified.
Field name: The name of the field or option that was modified.
New value: The new value of the configuration parameter.
Message: The changelog or commit log that the administrator submitted. This field is available only if the Require commit log option is enabled (see below).
Old value: The old value of the configuration parameter.

To request the administrators to write an explanation to every configuration change, navigate to AAA > Settings > Accounting settings and select the Require commit log option.

4.5. Managing SCB

4.5.1. Controlling SCB — restart, shutdown

To restart or shut down SCB, navigate to Basic Settings > System > High availability & Nodes and click the . After that, click the respective action button of the node you want to restart or shutdown.

	Note
	Web sessions to the SCB interface are persistent and remain open after rebooting SCB, so you do not have to relogin after a reboot.

Figure 4.35. Performing basic management

The High availability & Nodes section of the System page provides the following information about SCB:

	Note
	Refer to Section 3.2, Installing two SCB units in HA mode of Appendix 3, BalaBit Shell Control Box Hardware Installation Guide for details creating a high-availability SCB cluster.

Status: Indicates whether SCB is running in High Availability or Standalone mode.
Node ID: The MAC address of the HA (LAN3) interface of the node. This address is also printed on a label on the top cover of the SCB unit.
Node HA state: Indicates whether the SCB node is running in High Availability or Standalone mode.
Node HA UUID: A unique identifier of the node. Only available in High Availability mode.
DRBD status: The status of data stored on SCB. The status must be Consistent on the active node to prevent data loss.
RAID status: The status of the RAID device of the node.

The active (master) SCB node is labeled as This node, this unit inspects the SSH traffic and provides the web interface. The SCB unit labeled as Other node is the slave node that is activated if the master node becomes unavailable.

	Note
	For SCB clusters, the ID of the node (the MAC address of its HA interface) sending the message is included in the log messages. Note that if the central log server is a syslog-ng server, the `keep-hostname` option should be enabled on the syslog-ng server.

To activate the other node and disable the currently active node, click the Activate slave action button.

	Warning
	Activating the slave node terminates all connections of SCB and might result in data loss. The slave node becomes active after about 60 seconds, during which the protected servers cannot be accessed.

4.5.1.1. High Availability status explained

This section explains the possible statuses of the SCB nodes and the DRBD data storage system. SCB displays this information in the High availability & Nodes section on the System tab of the Basic Settings menu.

The Status field indicates whether the SCB nodes recognize each other properly and if are configured to operate in high availability mode. The status of the individual SCB nodes is indicated in the Node HA status field of the each node. The following statuses can occur:

Standalone: There is only one SCB unit running in standalone mode, or the units have not been converted to a cluster (the Node HA status of both nodes is standalone). Click the Convert to Cluster action button to enable High Availability mode.
HA: The two SCB nodes are running in high availability mode. Node HA status is HA on both nodes, and the Node HA UUID is the same on both nodes.
Half: High Availability mode is not configured properly, one node is in standalone, the other one in HA mode. Connect to the node in HA mode, and click the Join HA action button to enable High Availability mode.
Broken: The two SCB nodes are running in high availability mode. Node HA status is HA on both nodes, but the Node HA UUID is different. Contact the BalaBit Support Team for help. See Section 5, Contact and support information for contact details.
Degraded: SCB was running in high availability mode, but one of the nodes has disappeared (for example, broken down, or removed from the network). Power on, reconnect, or repair the missing node.
Degraded Sync: Two SCB units were joined to high availability mode, and the first-time synchronization of the disks is currently in progress. Wait for the synchronization to complete. Note that in case of large disks with lots of stored data, synchronizing the disks can take several hours.

Split brain: The two nodes lost the connection to each other, with the possibility of both nodes being active (master) for a time.

	Warning
	In this case, valuable audit trails might be available on both SCB nodes, so special care must be taken to avoid data loss. See Section 4.5.1.3, Recovering from a split brain situation for details solving this problem

Invalidated: The data on one of the nodes is considered out-of-sync and should be updated with data from the other node. This state usually occurs during the recovery of a split-brain situation when the DRBD is manually invalidated.

	Note
	If you experience problems because the nodes of the HA cluster do not find each other during system startup, select Basic Settings > System > High availability & Nodes > Make HA IP permanent. That way the IP address of the HA interfaces of the nodes will be fix, which helps if the HA connection between the nodes is slow.

The DRBD status field indicates whether the latest data (including SCB configuration, audit trails, log files, etc.) is available on both SCB nodes. The master node (this node) must always be in consistent status to prevent data loss. Inconsistent status means that the data on the node is not up-to-date, and should be synchronized from the node having the latest data.

The DRBD status field also indicates the connection between the disk system of the SCB nodes. The following statuses are possible:

Connected: Both nodes are functioning properly.
Invalidated: The data on one of the nodes is considered out-of-sync and should be updated with data from the other node. This state usually occurs during the recovery of a split-brain situation when the DRBD is manually invalidated.

Sync source or Sync target: One node (Sync target) is downloading data from the other node (Sync source).

Note

When the two nodes are synchronizing data, it is not possible to reboot or shutdown the master node. If you absolutely must shutdown SCB in such a situation, shutdown the slave node first, and then the master node.

When synchronizing data, the progress and the remaining time is displayed in the System monitor.

Split brain: The two nodes lost the connection to each other, with the possibility of both nodes being active (master) for a time.

	Warning
	In this case, valuable audit trails might be available on both SCB nodes, so special care must be taken to avoid data loss. See Section 4.5.1.3, Recovering from a split brain situation for details solving this problem

WFConnection: One node is waiting for the other node; the connection between the nodes has not been established yet.

4.5.1.2. Recovering two SCB nodes

It can happen that both nodes break down simultaneously (e.g., because of a power failure), or the slave node breaks down before the original master node recovers. To properly recover SCB, complete the following steps:

	Note
	As of SCB version 2.0.2, when both nodes of a cluster boot up in parallel, the node with the `1.2.4.1` HA IP address will become the master node.

Procedure 4.22. Recovering SCB if both nodes broke down

Power off both nodes by pressing and releasing the power button.

	Warning
	If SCB does not shut off, press and hold the power button for approximately 4 seconds. This method terminates connections passing SCB and might result in data loss.

Power on the node that was the master before SCB broke down. Consult the system logs to find out which node was the master before the incident: when a node boots as master, or when a takeover occurs, SCB sends a log message identifying the master node.

	Tip
	Configure remote logging to send the log messages of SCB to a remote server where the messages are available even if the logs stored on SCB become unaccessible. See Section 4.3.3, System logging, SNMP and e-mail alerts for details on configuring remote logging.

Wait until this node finishes the boot process.
Power on the other node.

4.5.1.3. Recovering from a split brain situation

A split brain situation is caused by a temporary failure of the network link between the cluster nodes, resulting in both nodes switching to the active (master) role while disconnected. This might cause that new data (e.g., audit trails) is created on both nodes without being replicated to the other node. Thus, it is likely in this situation that two diverging sets of data have been created, which cannot be trivially merged.

	Warning
	In a split brain situation, valuable audit trails might be available on both SCB nodes, so special care must be taken to avoid data loss.

The nodes of the SCB cluster automatically recognize the split brain situation once the connection between the nodes is reestablished, and do not perform any data synchronization to prevent data loss. When a split brain situation is detected, it is visible on the SCB system monitor, in the system logs (Split-Brain detected, dropping connection!), and SCB sends an alert as well.

Procedure 4.23. Recovering from a split brain situation

To recover an SCB cluster from a split brain situation, complete the following steps.

	Warning
	Do NOT shut down the nodes.

Temporarily disable all traffic going through SCB. Navigate to Basic Settings > System > System control and click on the Stop button in the All traffic field.

If the web interface is not accessible or unstable, complete the following steps:
1. Login to SCB as root locally (or remotely using SSH) to access the Console menu.
2. Select Shells > Core Shell, and issue the zorpctl stop command.
3. Issue the date and check the system date and time. If it is incorrect (e.g., it shows 2000 January), replace the system battery. See the service manual of the Sun Fire server for details.
4. Repeat the above steps on the other SCB node.
Optional step for data recovery: Check the audit trails saved on the SCB nodes.
1. Login to the node from a local console.
2. Select Shells > Core shell and enter cd /var/lib/zorp/audit. The audit trails are located under this directory.
3. Find which files were modified since the split brain situation occurred. Use the find +mtime n to find the files modified during the last n*24 hours, or the find +mmin n to find the files modified during the last n minutes.

Decide which node should be the master node from now on, then perform the following steps on the to-be-slave node:

Login to the node from a local console.
Optional step for data recovery: Select Shells > Core shell and enter cd /var/lib/zorp/audit. The audit trails are located under this directory.

Optional step for data recovery: Backup the audit trails that were modified since the split brain situation occurred.

	Warning
	This data will be deleted from the SCB node when the split-brain situation is resolved There is no way to import this data back into the database of SCB; it will be available only for offline use.

Optional step for data recovery: To save the corresponding information that can be seen on the Search page, export the connection database using the su postgres -c pg_dump scb /tmp/database.sql command, then backup the /tmp/database.sql file.
Optional step for data recovery: Type exit to return to the console menu.
Select Shells > Boot shell. If the to-be-slave node is not already the slave node, fail over the cluster to the other node manually by issuing the /usr/lib/heartbeat/hb_standby command.
Stop the core firmware. Issue the /etc/init.d/boot-xcb stop command.
Invalidate the DRBD. Issue the following commands:

/sbin/drbdsetup /dev/drbd0 disconnect

/sbin/drbdsetup /dev/drbd0 invalidate.

Reboot the to-be-slave node.
Reboot the to-be-master node. The SCB cluster will be now functional, accepting traffic as before.
After both nodes reboot, the cluster should be in Degraded Sync state, the master being SyncSource and the slave being SyncTarget. The master node should start synchronizing its data to the slave node. Depending on the amount of data, this can take a long time. To adjust the speed of the synchronization, see Section 4.5.1.4, Adjusting the synchronization speed of DRBD.

4.5.1.4. Adjusting the synchronization speed of DRBD

When operating two SCB units in high availability mode, every incoming data copied from the master (active) node to the slave (passive) node. Since synchronizing data can take up significant system-resources, the maximal speed of the synchronization is limited, by default, to 10 MB/sec. However, this means that synchronizing large amount of data can take very long time, so it is useful to increase the synchronization speed in certain situations — for example, when synchronizing the disks after converting a single node to a high-availability cluster.

Figure 4.36. Adjusting DRBD synchronization speed

To change the limit of the DRBD synchronization rate, select Basic Settings > System > High availability & Nodes > DRBD sync rate limit, and select the desired value.

	Note
	Setting the sync rate to a high value is not recommended if the load of SCB is very high, because increasing the resources used by the synchronization process may degrade the general performance of SCB.

4.5.1.5. Disabling the controlled traffic

To temporarily disable some or all of the controlled traffic to the protected servers, complete the following steps:

Figure 4.37. Disabling the controlled traffic

Procedure 4.24. Disabling controlled traffic

	Warning
	Disabling traffic that way is only temporary; connections will be enabled again after committing any other change from the SCB web interface. To permanently disable a type of traffic, see Procedure 4.25, Disabling controlled traffic permanently.

	Note
	Disabling the traffic affects only the traffic configured in the Connection policies, other traffic can pass SCB even if the all traffic is disabled. See Chapter 5, Configuring connections for details on configuring Connection policies.

Navigate to the Basic Settings > System > System control.
- To disable SSH traffic, click on the Stop button in the SSH traffic field. Note that this also stops all other traffic forwarded in SSH, e.g., X11.
- To disable RDP traffic, click on the Stop button in the RDP traffic field.
- To disable Telnet and TN3270 traffic, click on the Stop button in the Telnet traffic field.
- To disable VNC traffic, click on the Stop button in the VNC traffic field.
- To disable all types of traffic, click on the Stop button in the All traffic field.
The System monitor displays the status of all types of traffic.

Procedure 4.25. Disabling controlled traffic permanently

	Note
	Disabling the traffic affects only the traffic configured in the Connection policies, other traffic can pass SCB even if the all traffic is disabled. See Chapter 5, Configuring connections for details on configuring Connection policies.

Figure 4.38. Disabling the controlled traffic persistently

Navigate to the Global Options page of the traffic type you want to disable, e.g., to SSH Control > Global Options to disable SSH traffic.
Set the Traffic field to disabled.
Click Commit.

4.5.2. Upgrading SCB

The following sections describe how to keep SCB up to date, and how to install a new license file if needed.

To upgrade SCB, see Section 4.5.2.1, Updating the SCB firmware.
To upgrade the firmware of an SCB cluster, see Procedure 4.27, Upgrading both the core and the boot firmware of a high-availability system.
To install a new license file, see Section 4.5.2.2, Updating the SCB license.
To import or export the configuration of SCB, see Section 4.5.2.3, Importing and exporting SCB configuration.

4.5.2.1. Updating the SCB firmware

SCB can be updated when a new firmware version is available. Information of the firmware currently running on SCB is displayed in the SCB version details section on the System tab of the Basic page. The following information is displayed:

Figure 4.39. Managing the firmwares

Version: The version number of the firmwares currently running on SCB (e.g., 2.0).
Build date: The date when the currently running firmware was created.

Updating SCB is described in the following sections.

Warning

Before uploading a new firmware image, backup the configuration of SCB. See Section 4.5.2.3, Importing and exporting SCB configuration for details.

Always read the release notes of the firmware before updating SCB, because the release notes may include special instructions specific to the firmware version. The release notes are available at http://www.balabit.com/network-security/scb/upgrades/ .

To upgrade a standalone SCB unit, complete Procedure 4.26, Updating SCB and managing the firmware.
To upgrade the firmware of an SCB cluster, complete Procedure 4.27, Upgrading both the core and the boot firmware of a high-availability system.
To revert to an older firmware version (if possible), see the section called “Reverting to an older firmware”.

Procedure 4.26. Updating SCB and managing the firmware

Visit the BalaBit website and download the latest firmware from http://www.balabit.com/network-security/scb/upgrades/ .
Navigate to the Basic Settings > System page.
To update the internal (core) firmware, select Core firmwares.

To update the external (boot) firmware, select Boot firmwares.

For details on the different firmwares, see Section 2.11, Firmware in SCB.
Select the firmware file using the Browse button. The extension of firmware files is .bin
Click Upload. The new firmware will be added to the Available firmwares list.
Click the icon in the After reboot column of the new firmware.

Select High availability & Nodes > Reboot.

	Tip
	When SCB boots, it sends a message into the system log that includes the version numbers of both booted firmwares.

	Note
	If you experience any problems on the BalaBit Shell Control Box web interface after performing the upgrade, first empty the cache of your browser, or click the Reload button of your browser while holding the Shift key.

Procedure 4.27. Upgrading both the core and the boot firmware of a high-availability system

If an SCB release requires the upgrading of both the boot firmware and the core (internal) firmware, complete the following steps:

Download both the core (internal) and the boot (external) firmware.
Update the core firmware of the SSB using the web interface.
1. Navigate to Basic Settings > System > Core firmwares and upload the new core firmware.
2. When the upload is finished, select the After reboot option for the new firmware.
  
  Warning
  
  DO NOT REBOOT SCB AFTER UPGRADING THE CORE FIRMWARE.
Repeat the previous step with the Boot firmware.
Select High Availability and Nodes > Other Node > Reboot to restart the passive node.
Wait until the passive node reboots. When the passive node becomes available again, the version of the updated firmware will be displayed in the High Availability and Nodes > Other Node > Active firmware field.

Select High Availability and Nodes > This Node > Reboot to restart the active node. The passive node will take over the role of this node.

	Warning
	As this step terminates all active connections, perform it only during maintenance hours to prevent data loss.

	Note
	If you experience any problems on the BalaBit Shell Control Box web interface after performing the upgrade, empty the cache of your browser, or click the Reload button of your browser while holding the Shift key.

Reverting to an older firmware

SCB can store up to five different firmware versions, any of them can be booted if required. The available firmwares are displayed on the Basic Settings > System > Boot firmware and Basic Settings > System > Core firmware pages. The list shows the detailed version of each firmware, including the version number, the revision number, and the build date. The firmware running on SCB is marked with the icon in the Current column. The firmware that will be run after the next SCB reboot is marked with the icon in the After reboot column.

To boot an older firmware, complete the following steps:

Warning

When upgrading SCB, it is possible that the configuration file is updated as well. In such cases, simply rebooting with the old firmware will not result in a complete downgrade, because the old firmware may not be able to read the new configuration file. If this happens, access the console menu of SCB, and select the Revert Configuration option to restore the configuration file to its state before the firmware was upgraded. See Section 4.5.4.1, Using the console menu of SCB for details on using the console menu.

Procedure 4.28. Reverting to an older firmware version

Navigate to Basic Settings > System > Boot firmware.
Select the firmware version to use, and click the icon in the After reboot column.
Navigate to Basic Settings > System > Core firmware.
Select the firmware version to use, and click the icon in the Boot column.
Select System Control > This node > Reboot to reboot SCB.

If you are running an SCB cluster, select Basic Settings > High Availability > Reboot Cluster.

4.5.2.2. Updating the SCB license

The SCB license must be updated before the existing license expires or when you purchase a new license. Information of the current license of SCB is displayed on the Basic Settings > System > License page. The following information is displayed:

Figure 4.40. Updating the license

Customer: The company permitted to use the license (e.g., Example Ltd.).
Serial: The unique serial number of the license.
Host limit: The number of servers that can be connected through SCB (e.g., 25.).

SCB gives an automatic alert one week before the license expires. An alert is sent also when the number of protected servers exceeds 60% of the number of servers set in the Host limit parameter of the license.

To update the license, complete the following steps:

	Warning
	Before uploading a new license, you are recommended to backup the configuration of SCB. See Section 4.5.2.3, Importing and exporting SCB configuration for details.

Procedure 4.29. Updating the SCB license

Navigate to Basic Settings > System > License.
Click Browse and select the new license file.
Click Upload, then Commit.

	Warning
	This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.

To activate the new license, select System control > All traffic > Restart.

4.5.2.3. Importing and exporting SCB configuration

The configuration of SCB can be imported and exported (for manual archiving, or to migrate it to another SCB unit) from the Basic Settings > System page. Use the respective action buttons to perform the desired operation.

Figure 4.41. Exporting and importing the SCB configuration

Procedure 4.30. Exporting the configuration of SCB

Navigate to Basic Settings > System > Export configuration.

Select how to encrypt the configuration.

To export the configuration file without encryption, select No encryption.

	Warning
	Exporting the SCB configuration without encyption is not recommended, as it contains sensitive information such as password hashes and private keys.

To encrypt the configuration file with a simple password, select Encrypt with password and enter the password into the Encryption password and Confirm password fields.
To encrypt the configuration file with GPG, select GPG encryption. Note that this option uses the same GPG key that is used to encrypt automatic system backups, and is only available if you have uploaded the public part of a GPG key to SCB at Basic > System > Management > System backup. See Section 4.3.5.1, Encrypting backups for details.

Click Export.

Note

The exported file is a gzip-compressed archive. On Windows platforms, it can be decomressed with common archive managers such as the free 7-Zip tool (http://7-zip.org).

The name of the exported file is <hostname_of_SCB>-YYYMMDDTHHMM.config; the -encrypted or -gpg suffix is added for password-encrypted and GPG-encrypted files, respectively.

Procedure 4.31. Importing the configuration of SCB

Navigate to Basic Settings > System > Import configuration.
Click Browse and select the configuration file to import.
Enter the password into the Encryption password field and click Upload.

4.5.3. Troubleshooting SCB

This section describes the tools to detect networking problems, and also how to collect core files and view the system logs of SCB.

4.5.3.1. Network troubleshooting

The Troubleshooting menu provides a number of diagnostic commands to resolve networking issues. Logfiles of SCB can also be displayed here — see Section 4.5.3.3, Viewing logs on SCB for details.

Figure 4.42. Network troubleshooting with SCB

The following commands are available:

ping: Sends a simple message to the specified host to test network connectivity.
traceroute: Sends a simple message from SCB to the specified host and displays all hosts on the path of the message. It is used to trace the path the message travels between the hosts.
connect: Attempts to connect the specified host using the specified port. It is used to test the availability or status of an application on the target host.

To execute one of the above commands, complete the following steps:

Procedure 4.32. Executing troubleshooting commands

Navigate to Basic Settings > Troubleshooting.
Enter the IP address or the hostname of the target host into the Hostname field of the respective command. For the Connect command, enter the target port into the Port field.
Click the respective action button to execute the command.
Check the results in the popup window. Log files are displayed in a separate browser window.

4.5.3.2. Gathering data about system problems

SCB automatically generates core files if an important software component (e.g., Zorp) of the system crashes for some reason. These core files can be of great help to the BalaBit Support Team to identify problems. When a core file is generated, the SCB administrator receives an alerting e-mail, and an SNMP trap is generated if alerting is properly configured (see Section 4.3.4, Configuring system monitoring on SCB and Section 4.3.3, System logging, SNMP and e-mail alerts for details). If monitoring is not configured, you can display a list of alerts by selecting Search > Alerts.

The generated core files are listed and can be downloaded at Basic Settings > Troubleshooting > Core files.

By default, core files are deleted after 14 days. This can be set at Basic Settings > Management > Core files.

	Warning
	In the current version of SCB, core files are automatically deleted if the system is rebooted.

4.5.3.3. Viewing logs on SCB

The Troubleshooting menu provides an interface to view the logs generated by the various components of SCB.

	Note
	Because of performance reasons, log files larger than 2 Megabytes are not displayed in the web interface. To access these logs, download the file instead.

Procedure 4.33. Viewing the logs

Navigate to Basic Settings > Troubleshooting.
Use the Logtype combobox to select the message type.
- SCB: Logs of the SCB web interface.
- syslog: All system logs of the SCB host.
- ssh: Logs of the SSH connections passing SCB.
- rdp: Logs of the RDP connections passing SCB.
- telnet: Logs of the Telnet connections passing SCB.
- vnc: Logs of the VNC connections passing SCB.
- To download the log file, click Download.
- To follow the current log messages real-time, click Tail.
- To display the log messages, click View.

To display log messages of the last seven days, select the desired day from the Days field and click View.

To display older log messages, enter the desired date in YYYY-MM-DD format into the Search pattern field. (E.g., January 12, 2009 becomes 2009-01-12.)

Tip

To display only the messages of a selected host or process, enter the name of the host or process into the Search pattern field.

The Search pattern field acts as a generic filter: enter a keyword or a regular expression to display only messages that contain the keyword or match the expression.

4.5.3.4. Changing log verbosity level of SCB

The logging level of SCB can be set separately for every protocol. To change the verbosity level of SCB, complete the following steps:

	Note
	The Basic Settings > Management > Debug logging > Enable debug logs option is not related to the verbosity of traffic logs: it increases the log level of the non-network-related events, e.g., adds the commands executed by the SCB web interface to the logs, etc.

Figure 4.43. Changing the verbosity level

Procedure 4.34. Changing the verbosity level

Navigate to the Global Options page of the traffic you want to change the log level of; e.g., to SSH Control > Global Options to change the log level of SSH traffic, RDP Control > Global Options for remote desktop traffic, etc.

Select the desired log level from the Verbosity level field.

Note

The verbosity level ranges from 1 (no logging) to 10 (extremely detailed), with level 4 being the default normal level. To debug complex problems, you might have to increase the verbosity level to 6. Higher level is needed only in extreme cases.

Note that high verbosity levels generate very large amount of log messages.

4.5.3.5. Collecting logs and system information for error reporting

To track down support requests, the BalaBit Support Team might request you to collect system-state and debugging information. This information is collected automatically, and contains log files, the configuration file of SCB, and various system-statistics.

Note

Sensitive data like key files and passwords are automatically removed from the files.

The Basic Settings > Management > Debug logging > Enable debug logs option is not related to the verbosity of log messages: it adds the commands executed by the SCB web interface to the log.

To collect system-state information, navigate to Basic Settings > Troubleshooting > System debug and click Collect and save current system state info, then save the created zip file. The name of the file uses the debug_info-<hostname>YYYYMMDDHHMM format.

To collect information for a specific error, complete the following steps:

Procedure 4.35. Collecting debug information

Figure 4.44. Collecting debug information

Navigate to Basic Settings > Troubleshooting > System debug.
Click Start.

Note

Starting debug mode increases the log level of SCB, and might cause performance problems if the system is under a high load.
Reproduce the event that causes the error, e.g., connect to a server.
Click Stop.
Click Save the collected debug info and save the created zip file. The name of the file uses the debug_info-<hostname>YYYYMMDDHHMM format.
Attach the file to your support ticket.

4.5.3.6. Status history and statistics

SCB displays various statistics and status history of system data and performance on the dashboard at Basic Settings > Dashboard. The dashboard is essentially an extension of the system monitor: the system monitor displays only the current values, while the dashboard creates graphs and statistics of the system parameters.

The dashboard consists of different modules. Every module displays the history of a system parameter for the current day. To display the graph for a longer period (last week, last month, or last year), select the Week, Month, or Year options, respectively. Hovering the mouse over a module enlarges the graph and displays the color code used on the graph.

To display statistics of a module as a table for the selected period, click on the graph.

Figure 4.45. The dashboard

The following modules are displayed on the dashboard of SCB:

Connection statistics: Number of active connections per protocol.
Memory: The memory used by the system.
Disk: Filesystem usage for the different partitions.
CPU: CPU usage.
Network connections: Number of network connections.
External interface: Traffic on the external interface.
Internal interface: Traffic on the internal interface.
Management interface: Traffic on the management interface.
Load average: Average load of the system.
Processes: The number of running processes.

Browsing connection statistics

To display statistics of a specific connection policy, complete the following procedure:

Procedure 4.36. Displaying custom connection statistics

Navigate to Basic Settings > Dashboard > Zorp statistics.
To display the statistics of a connection policy, enter the name of the policy into the Connection.
Select the time period to display from the Select resolution field.
Click View graph.

4.5.4. Accessing the SCB console

This section describes how to use the console menu of SCB, how to enable remote SSH access to SCB, and how to change the root password from the web interface.

4.5.4.1. Using the console menu of SCB

Connecting to the BalaBit Shell Control Box locally or remotely using Secure Shell (SSH) allows you to access the console menu of SCB. The console menu provides access to the most basic configuration and management settings of SCB. It is mainly used for troubleshooting purposes; the primary interface of SCB is the web interface.

The console menu is accessible to the root user using the password set during completing the Welcome Wizard.

Figure 4.46. The console menu

The console menu provides allows you to perform the following actions:

Select the active core and boot firmwares, and delete unneeded firmwares. Accessing the firmware management is useful if after an update the new firmware does not operate properly and the web interface is not available to activate the previous firmware.
Start backup processes.
Change the passwords of the root and admin users.
Access the local shells of the core and boot firmwares. This is usually not recommended and only required in certain troubleshooting situations.
Access the network-troubleshooting functions and display the available log files.
Reboot and shutdown the system.
Enable and disable sealed mode. See Section 4.5.5, Sealed mode for details.
Revert the configuration file. See the section called “Reverting to an older firmware” for details.
Set the IP address of the HA interface.

	Note
	Note that logging in to the console menu automatically locks the SCB interface, meaning that users cannot access the web interface while the console menu is used. The console menu can be accessed only if there are no users accessing the web interface. The connection of web-interface users can be terminated to force access to the console menu.

4.5.4.2. Accessing the SCB host using SSH

Exclusively for troubleshooting purposes, you can access the SCB host using SSH. Completing the Welcome Wizard automatically disables SSH access. To enable it again, complete the following steps:

	Warning
	Accessing the SCB host directly using SSH is not recommended nor supported, except for troubleshooting purposes. In such case, the BalaBit Support Team will give you exact instructions on what to do to solve the problem.

Enabling the SSH server allows you to connect remotely to the SCB host and login using the root user. The password of the root user is the one you had to provide in the Welcome wizard. To change the root password from the web interface, see Section 4.5.4.3, Changing the root password of SCB

Procedure 4.37. Enabling SSH access to the SCB host

Figure 4.47. Enabling remote SSH access to SCB

Navigate to Basic Settings > Management > SSH settings.
Select the Enable remote SSH access option.

Note

Remote SSH access is automatically disabled if Sealed mode is enabled. See Section 4.5.5, Sealed mode for details.
Set the authentication method for the remote SSH connections.
- To enable password-based authentication, select the Enable password authentication option.
- To enable public-key authentication, click in the Authorized keys field, click and upload the private keys of the users who can access and manage SCB remotely via SSH.
Click Commit.

The SSH server of SCB accepts connections only on the management interface if the management interface is configured. If the management interface is not configured, the SSH server accepts connections on the external interface. If possible, avoid enabling the SSH server of SCB when the management interface is not configured. See Procedure 4.1, Configuring the management interface for details on enabling the management connection.

If you use SCB in Bastion mode and the management interface is not configured, read Section 9.3.1, Accessing the SCB host in Bastion mode using SSH for details on accessing the SCB host using SSH.

4.5.4.3. Changing the root password of SCB

The root password is required to access SCB locally, or remotely via an SSH connection. Note that the password of the root user can be changed from the console menu as well. See Section 4.5.4, Accessing the SCB console for details.

Procedure 4.38. Changing the root password of SCB

Figure 4.48. Changing the root password of SCB

Navigate to Basic Settings > Management > Change root password.
Enter the new password into the New root password and Confirm password fields.

Note

SCB passwords can contain the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}
Click Commit.

4.5.5. Sealed mode

When sealed mode is enabled, the following settings are automatically applied:

SCB cannot be accessed remotely via SSH for maintenance;
the root password of SCB cannot be changed in sealed mode;
Sealed mode can be disabled only from the local console. See Procedure 4.39, Disabling sealed mode for details.

To enable sealed mode use one of the following methods:

Select the Sealed mode option during the Welcome Wizard.
Select Basic Settings > System > Sealed mode > Activate sealed mode on the SCB web interface.
Login to SCB as root using SSH or the local console, and select Sealed mode > Enable from the console menu.

To disable sealed mode, complete the following steps:

Procedure 4.39. Disabling sealed mode

Go to the SCB appliance and access the local console.
Login as root.
From the console menu, select Sealed mode > Disable
Select Back to Main menu > Logout.

4.5.6. Changing the certificates used on SCB

Figure 4.49. Changing the web certificate of SCB

SCB uses a number of certificates for different tasks that can be managed from the Basic Settings > Management > SSL certificates menu. The following certificates can be modified here:

CA certificate: The certificate of the internal Certificate Authority of SCB. This CA has a self-signed certificate and is used to sign the other certificates generated on SCB, e.g., the certificate of the web interface (see Server certificate) and the internal Timestamping Authority (TSA certificate).
Server certificate: The certificate of the SCB web interface, used to encrypt the communication between SCB and the administrators.

Note

If this certificate is changed, the browser of SCB users will display a warning stating that the certificate of the site has changed.
TSA certificate: The certificate of the internal Timestamping Authority that provides the timestamps used when creating encrypted audit-trails.

For every certificate, the distinguished name (DN) of the X.509 certificate and the fingerprint of the private key is displayed. To display the entire certificate click on the DN; to display the public part of the private key, click on the fingerprint. It is not possible to download the private key itself from the SCB web interface, but the certificate can be downloaded in different formats (e.g., PEM, OpenSSH, Tectia).

	Note
	Other parts of SCB may use additional certificates that are not managed here.

To change a certificate, you can generate new certificates on SCB, or you can upload certificates generated using an external PKI.

To generate certificates and keys on SCB, complete Procedure 4.40, Generating certificates for SCB.
To upload certificates and keys created with an external PKI, complete Procedure 4.41, Uploading external certificates to SCB.

	Note
	Generate certificates using your own PKI solution and upload them to SCB whenever possible. Certificates generated on SCB cannot be revoked, and can become a security risk if they are somehow compromised.

Procedure 4.40. Generating certificates for SCB

Navigate to Basic Settings > Management > SSL certificates.
Fill the fields of the new certificate:
1. Country: Select the country where SCB is located (e.g., HU - Hungary).
2. Locality: The city where SCB is located (e.g., Budapest).
3. Organization: The company who owns SCB (e.g., Example Inc.).
4. Organization unit: The division of the company who owns SCB (e.g., IT Security Department).
5. State or Province: The state or province where SCB is located.

To create a new certificate for the SCB web interface, select Generate Server certificate.

To create a new certificate for the Timestamping Authority, select Generate TSA certificate.

To create a new certificate for the internal Certificate Authority of SCB, select Generate All. Note that in this case new certificates are created automatically for the server and TSA certificates as well.

	Note
	When generating new certificates, the server and TSA certificates are signed using the certificate of the CA. If you have uploaded an external CA certificate, it will be used to create the new server and TSA certificates.

Click Commit.

Procedure 4.41. Uploading external certificates to SCB

Navigate to Basic Settings > Management > SSL certificates.
To upload a new certificate, click the icon next to the certificate you want to modify. A popup window is displayed.

Figure 4.50. Uploading certificates

Select Browse, select the file containing the certificate, and click Upload. Alternatively, you can also copy-paste the certificate into the Key field and click Set.

Note

SCB accepts certificates in PEM format. The DER format is currently not supported.
To upload the private key corresponding to the certificate, click the icon next to the private key you want to modify. A popup window is displayed.

Select Browse, select the file containing the certificate, and click Upload. Alternatively, you can also copy-paste the certificate into the Key field and click Set.

Note

SCB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.

Chapter 5. Configuring connections

Connections determine if a server can be accessed from a particular client. The policies used in the connection definition can restrict the availability of the connection based on the username, time, authentication method, etc. Channel policies (see Section 5.1.3, Channel Policies) determine if a particular channel can be used within an already established connection. The policies used in the channel policy can restrict the availability of the channel based on the server and the client IP address, username, etc. The types of policies available in a connection depend on the protocol (SSH, RDP, etc.) enabled in the connection.

SCB supports the following protocols:

Secure Shell version 2 (SSHv2)
RDP versions 4-6
Telnet and TN3270, as described by the relevant RFCs
The Virtual Networking (VNC) protocol versions 3.3-3.8

5.1. General connection settings

This section describes how to configure connections, and details the general configuration options and policies that apply to every type of connection that SCB can control: SSH, RDP, Telnet, and VNC.

Protocol-specific configuration options are described in their respective sections: Section 5.2, SSH-specific settings, Section 5.3, RDP-specific settings, Section 5.4, Telnet-specific settings, and Section 5.5, VNC-specific settings.

To configure a connection, complete the following steps.

Procedure 5.1. Configuring connections

Select the type of connection from the main menu.
- To configure a Secure Shell connection, select SSH Control.
- To configure a Remote Desktop connection, select RDP Control.
- To configure a Telnet connection, select Telnet Control.
- To configure a VNC connection, select VNC Control.

Figure 5.1. Configuring connections

Click to define a new connection and enter a name that will identify the connection (e.g., admin_mainserver).

	Tip
	It is recommended to use descriptive names that give information about the connection, e.g., refer to the name of the accessible server, the allowed clients, etc.

Enter the IP address of the client that will be permitted to access the server into the From field. Click to list additional clients.
Enter the IP address that the clients will request into the To field.
- In Bastion mode, enter the IP address of SCB's external interface. If the audited connection is initiated on a protected server, enter the IP address of SCB's internal interface.
- In Bridge mode, enter the IP address of the target server.
- In Router mode, enter the IP address of the target server.
Click to list additional IP addresses.
If the clients use a custom port to address the server instead of the default port used by the protocol, enter the port number that the clients will request into the Port field. Click to list additional port numbers.
Bastion mode: Enter the IP address and port number of the target server into the Target field. SCB will connect all incoming client-side connections to this server. See Section 9.3.1, Accessing the SCB host in Bastion mode using SSH for details on organizing connections in Bastion mode.
Configure advanced settings if needed, like network address translation, channel policy, gateway authentication, various policies, or other settings.
Click Commit to save the connection.

Tip

To temporarily disable a connection, deselect the checkbox before the name of the connection.

Depending on your needs and environment, you may want to set further settings for your connections.

To modify the destination or source addresses of the connections, see Section 5.1.1, Modifying the destination address and Section 5.1.2, Modifying the source address.

Select a Backup Policy and an Archiving Policy for the audit trails and indexes of the connection. See Section 4.3.5, Data and configuration archiving and backups for details.

	Note
	The backup and archive policies set for the connection operate only on the audit trails and indexes of the connection. General data about the connections that is displayed on the Search page is archived and backed up as part of the system-backup process of SCB.

If you are auditing the connection, set an Audit Policy. See Section 5.1.7, Audit policies for details.
To require the users to authenticate themselves not only on the target server, but on SCB as well, see Section 8.2, Configuring gateway authentication.
To require 4-eyes authorization on the connections, with the possibility of an auditor monitoring the connection in real-time, see Section 8.3, Configuring 4-eyes authorization.
Certain connections and scenarios (e.g., SSH authentication, gateway authentication, RDP6 connections) SCB can authenticate the user to an LDAP database, or retrieve the group memberships of the user. To use these features, select an LDAP Server. See Section 5.1.6, Authenticating users to an LDAP server for details.
To limit the number of connection requests accepted from a single client IP address, enter the maximal number of accepted connections into the Connection rate limit field.

	Note
	Protocol-specific configuration options are described in their respective sections: Section 5.2, SSH-specific settings, Section 5.3, RDP-specific settings, Section 5.4, Telnet-specific settings, and Section 5.5, VNC-specific settings.

5.1.1. Modifying the destination address

The destination address is the address of the server where the clients finally connect to. To modify the destination address of a connection, complete the following steps.

Navigate to the Connections tab storing the connection and click to display the details of the connection.

Figure 5.2. Configuring connections

The Target section allows you to configure Network Address Translation (NAT) on the server side of SCB. Destination NAT determines the target IP address of the server-side connection. Set the destination address as required. The following options are available:

	Note
	It is not possible to direct the traffic to the IP addresses belonging to SCB.

Use the original target address of the client: Connect to the IP address targeted by the client. This is the default behavior of the connection. (This option is not available in Bastion mode.)
NAT destination address: Perform a network address translation on the target address. Enter the target address in IP address/Netmask format.
Use fix address: Enter the IP address and port number of the server. The connection will connect always to this address, redirecting the clients to the server.

Inband destination selection: Extract the address of the server from the username. This method is most commonly used in nontransparent Bastion mode (see Section 9.4, Using nontransparent Bastion mode for a detailed example). Enter the IP address or the hostname of the domain name server used to resolve the address of the server into the DNS Server field.

If the clients do not include the domain name when addressing the server (e.g., they use username@server instead of username@server1.example.com), SCB can automatically add domain information (e.g., example.com). Enter the domain name to add into the Append domain field.

	Note
	Inband destination selection is not available for Telnet and VNC connections.

SCB can also resolve CNAME records.

	Note
	If the Append domain field is filled, SCB will always add this suffix to the hostname. If you specify a DNS suffix, make sure that the clients do not include the domain name in their requests.

Enter the addresses of the servers that the users are permitted to access into the Targets field. Use the IP address/netmask (e.g., 192.168.2.16/32) format, or enter the hostname of the server. The hostnames may contain the * and ? wildcard characters. If the clients address the server using its IP address, make sure to include the IP address of the server in the Targets list. This is required because SCB resolves the hostnames to IP addresses, but does not reverse-resolve IP addresses to hostnames.

	Warning
	If only the hostname of the server is listed and the client addresses the server using its IP address, SCB will refuse the connection.

Leave the Port field empty if the clients may access any port on the server, or enter the specified port they can access.

Click Commit.

5.1.2. Modifying the source address

The source address is the address that SCB uses to connect the server. The server sees this address as the source of the connection. To modify the source address of a connection, complete the following steps.

Navigate to the Connections tab storing the connection and click to display the details of the connection.

Figure 5.3. Configuring connections

The SNAT section allows you to configure Source Network Address Translation (SNAT) on the server side of SCB. SNAT determines the IP address SCB uses in the server-side connection. The target server will see the connection coming from this address. The following options are available:

Use the IP address of SCB: Server-side connections will originate from SCB's internal interface in Router and Bridge mode, and from the external interface in Bastion mode. This is the default behavior of the connection.
Use the original IP address of the client: Server-side connections will originate from the client's IP address, as seen by SCB's external interface. This option not available in Bastion mode.

Use fix address: Enter the IP address that will be used as the source address in server-side connections.

	Warning
	Do not forget to properly configure routers and other network devices when using the Use fix address option: messages sent by the server to this address must reach SCB.

Click Commit.

5.1.3. Channel Policies

The channel policy lists the channels (e.g., terminal session, SCP in SSH; Drawing, Clipboard in RDP) that can be used in a connection. The channel policy can further restrict access to each channel based on the IP address of the client or the server, a user list, or a time policy. For example, all clients may access the servers defined in a connection via SSH terminal, but the channel policy may restrict SCP access only to a single client. The policies set in the channel policy are checked when the user attempts to open a particular channel type in the connection.

Complete the following procedure to create a new channel policy or edit an existing one:

Figure 5.4. Configuring channel policies

Procedure 5.2. Creating and editing channel policies

Channel policies are configured individually for every protocol. Navigate to the Channel Policies tab of the respective protocol and click to create a new channel policy. Enter a name for the list into the Channel Policy field (e.g., shell_and_backup).
Click to add a new channel.
Select the channel to be enabled in the connection from the Type field. All restrictions set in the following steps will be effective on this channel type. The available channels are different for every protocol. See the following sections for their descriptions:
- Section 5.2.2, Supported SSH channel types for the Secure Shell protocol
- Section 5.3.1, Supported RDP channel types for the Remote Desktop Protocol.
- The Telnet protocol has only one channel type with no special configuration options.
- The VNC protocol has only one channel type with no special configuration options.
To restrict the availability of the channel only to certain clients, click in the From field and enter the IP address of the client allowed to use this type of the channel. Repeat this step until all required client IPs are listed.

To restrict the availability of the channel only to certain servers, click in the Target field and enter the IP address of the server allowed to use this type of the channel. Repeat this step until all required server IPs are listed.

	Note
	Use the real IP address of the server, which may be different from the one addressed by the clients, specified in the Target field of the connection policy.

To restrict the availability of the channel only to certain users, click in the Group field and enter the name of the user group allowed to use this type of the channel. Repeat this step until all permitted groups are listed.

You may list local user lists as defined in Section 5.1.5, User lists, or LDAP groups (see Section 5.1.6, Authenticating users to an LDAP server for details on accessing LDAP servers from SCB). Note the following behavior of SCB:

If you list multiple groups, members of any of the groups can access the channel.

	Note
	When listing both a whitelist and blacklist in the Group section and a username appears on both lists, the user will be able to access the channel.

If a local user list and an LDAP group has the same name and the LDAP server is configured in the connection that uses this channel policy, both the members of the LDAP group and the members of the local user list can access the channel.

	Note
	User lists and LDAP support is currently available only for the SSH and RDP protocols. For other protocols, see Section 8.2, Configuring gateway authentication.

Select a time policy to narrow the availability of the channel. If the time policy of the channel policy is set to 7x24, the channel is always available. See Section 5.1.4, Time Policies for details.
Some channel types require additional parameters, e.g., port forwarding in SSH needs the IP addresses and ports of the source and destination machines. Click in the Details field and enter the required parameters. See Section 5.2.2, Supported SSH channel types and Section 5.3.1, Supported RDP channel types for a list of parameters used by the different channels.
Select the Audit option to record the activities of the channel into audit trails. Typically large file-transfers (e.g., system backups, SFTP channels) are not audited because they result in very large audit trails. Check regularly the free hard disk space available on SCB if you do audit such channels.
Select the 4-eyes option to require 4-eyes authorization to access the channel. See Section 8.3, Configuring 4-eyes authorization for details.
Select the IDS option to forward the contents of the channel to an IDS or DLP system. See Section 5.1.10, Forwarding traffic to an IDS or DLP system for details.
Repeat Steps 2-11 to add other channels to the policy.
Click Commit to save the list.

5.1.4. Time Policies

The time policy determines the timeframe when the users are permitted to access a particular channel. By default, there is no time-based restriction, all channels are available 7x24. Complete the following procedure to create a time policy or edit an existing one:

Figure 5.5. Configuring time policies

Procedure 5.3. Creating and editing time policies

Navigate to the Time Policies tab of the Policies menu item and click to create a new time policy. Enter a name for the policy into the Time Policy field (e.g., workhoursonly).
Click to display the days of the week and the allowed intervals.
Enter the intervals for each day when the users are allowed to access the connection. Use the hh:mm format (e.g., from 08:00 to 16:00).
To add multiple intervals for a day, click .
Click Commit.
To actually restrict access to a connection or a channel based on the policy created in the previous steps:
- Select this policy in the Time Policy field of the channel policy.
- Click Commit.

5.1.5. User lists

User lists are white- or blacklists of usernames that allow fine-control over who can access a connection or a channel. Complete the following procedure to create a new user list or edit an existing one:

Figure 5.6. Configuring user lists

Procedure 5.4. Creating and editing user lists

Navigate to the User Lists tab of the Policies menu and click to create a new user list. Enter a name for the list into the User List field (e.g., serveradmins).
Click to display the list of users.
Select the default policy of the user list. Select Reject for a whitelist, i.e. to allow access only to the members of the list. Select Accept for a blacklist, i.e. to allow access to everyone except the members of the list.
Click and enter a username into the displayed field. Repeat this step until all required usernames are listed.
Click Commit to save the list.

To actually restrict access to a channel based on the user list created in the previous steps:

Navigate to the Channel Policies tab of the type of connection you want to control and click to display the details of the policy.

Click in the Group section to add a new group to the policy and enter the name of the group. Repeat this step to add other groups.

Note

When listing more groups, users of any of the listed groups can access the channel. See Procedure 5.2, Creating and editing channel policies for details.

When listing both a whitelist and blacklist in the Group section and a username appears on both lists, the user will be able to access the channel.

Click Commit.

5.1.6. Authenticating users to an LDAP server

	Note
	This feature is currently available only for SSH and RDP connections. For other protocols, see Section 8.2, Configuring gateway authentication.

SCB can authenticate the users of the controlled connections to LDAP databases. To authenticate the users to an LDAP database, complete the following steps.

Figure 5.7. Configuring LDAP Server policies

Procedure 5.5. Configuring LDAP Server policies

Navigate to Policies > LDAP Servers and click to create a new LDAP policy.
Enter a name for the policy into the LDAP Policy field (e.g., ldapservers).

Figure 5.8. Configuring LDAP authentication

Enter the IP address or hostname and port of the LDAP server into the Server Address field.

To add multiple servers, click and enter the address of the next server. If a server is unreachable, SCB will try to connect to the next server in the list in failover fashion.

	Warning
	If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (e.g., `ldap.example.com`) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

Select the type of your LDAP server in the Type field. Select Active Directory to connect to Microsoft Active Directory servers, or Posix to connect to servers that use the POSIX LDAP scheme (e.g., Novell e-directory).
Enter the name of the DN to be used as the base of the queries into the Base DN field (e.g., DC=demodomain,DC=exampleinc).

Enter the name of the DN where SCB should bind to before accessing the database into the Bind DN field (e.g., CN=Administrator,CN=Users,DC=demodomain,DC=exampleinc).

	Note
	SCB accepts both pre-win2000-style and Win2003-style account names (User Principal Names), e.g., `administrator@example.com` is also accepted.

Enter the password to use when binding to the LDAP server into the Bind Password field.

Skip this step if you use passwords to authenticate the users.
- If you use public-key authentication and receive the public key of the users from the LDAP database, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field. See Section 9.1, Configuring public-key authentication on SCB for details on using public-key authentication with the LDAP database.
- If you use X.509 certificate for authentication and receive the certificates of the users from the LDAP database, enter the name of the LDAP attribute that stores the certificates of the users into the Certificate attribute name field.
Skip this step if you use passwords to authenticate the users.
- If you use public-key authentication and want SCB to generate server-side encryption keys on-the-fly and store them in a separate attribute on the LDAP server, enter the name of the attribute into the Generated publickey attribute name field.
- If you use certificate authentication and want SCB to generate server-side certificates on-the-fly and store them in a separate attribute on the LDAP server, enter the name of the attribute into the Generated certificate attribute name field.

If you want to encrypt the communication between SCB and the LDAP server, select the Use StartTLS option and complete the following steps:

Note

TLS-encrypted connection to Microsoft Active Directory is supported only on Windows 2003 Server and newer platforms. Windows 2000 Server is not supported.

Only the STARTTLS method is supported to encrypt the communication between the LDAP server and SCB. The LDAPS protocol is not supported.

If you want SCB to verify the certificate of the server, click the icon in the CA X.509 certificate field. A popup window is displayed.

SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.

If you want SCB to simply accept any certificate shown by the LDAP server, select Required untrusted in the Server key check field.

Note

Alternatively, you can use the following options to check the certificate of the LDAP server:

None: Do not request a certificate from the remote host, and accept any certificate if the host sends one.
Optional trusted: If the remote host sends a certificate, SCB checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the host. If these checks fail, SCB rejects the connection. However, SCB accepts the connection if the host does not send a certificate.
Optional untrusted:Accept any certificate shown by the remote host. Note that the host must show a certificate.
Required trusted: Verify the certificate of the remote host. Only valid certificates signed by a trusted certificate authority are accepted. See Procedure 4.41, Uploading external certificates to SCB for details on importing CA certificates. Note that the Common Name of the certificate must contain the domain name or the IP address of the host.
Request untrusted: SCB requests a certificate from the remote host, and rejects the connection if no certificate is received; if the certificate is not valid (expired); or if the Common Name of the certificate does not contain the domain name or the IP address of the host.

	Warning
	If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (e.g., `ldap.example.com`) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

If the LDAP server requires mutual authentication, i.e., it expects a certificate from SCB, generate and sign a certificate for SCB, then click the icon in the Client X.509 certificate field to upload the certificate. After that, click the icon in the Client key field and upload the private key corresponding to the certificate.

If you have modified the Server key check field or the keys used in the connections, perform the following steps:

	Warning
	This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.

To activate the new settings, open the System control section, click Disable all traffic, then Enable all traffic.

5.1.7. Audit policies

An audit trail is a file storing the recorded activities of the administrators. Audit trails can be replayed using the Audit Player application (see Chapter 7, Viewing session information and replaying audit trails for details ). The audit trails are automatically compressed, and can be optionally encrypted, timestamped, and signed as well. Note that audit trails are not created automatically for every connection, auditing must be enabled manually in the channel policy used in the connection.

	Tip
	By default, every connection uses the built-in default audit policy. Unless you use a custom audit policy, modifying the default audit policy will affect every audited channel of the connections passing SCB.

	Note
	In SCB 1.x it was possible to compress the audit trail files, and also to set the level of compression. Starting from version 2.0, the audit trails are automatically compressed.

To configure audit trail encryption, see Section 5.1.7.1, Encrypting audit trails.
To configure timestamping, see Section 5.1.7.2, Timestamping audit trails.
To configure audit trail signing, see Section 5.1.7.3, Digitally signing audit trails.
To configure other audit trail options, see Section 5.1.7.4, Other audit trail settings.

5.1.7.1. Encrypting audit trails

SCB can encrypt the audit trails to prevent unauthorized access to the audit trail files. Encryption requires one or more X.509 certificates. Note that SCB itself cannot create the certificates used to encrypt the audit trails.

SCB has the following different ways to encrypt the audit trails:

Encrypt the audit trails with a single certificate. This is the most simple approach: SCB uses one certificate to encrypt the audit trails; anyone who has the private key of that certificate can replay the audit trails. If that key is lost, there is no way to open the audit trails.
Encrypt the audit trails separately with multiple certificates. SCB uses two or more certificates separately to encrypt the audit trails; anyone who has the private key of one of the encryption certificates can replay the audit trails.
Encrypt the audit trails jointly with two certificates. SCB uses two certificates together (a certificate-pair) to encrypt the audit trails. The private keys of both encryption certificates are needed to replay the audit trails. This is a kind of "4-eyes in auditing".
Use a separate certificate to encrypt the upstream traffic. SCB can use a different certificate to encrypt the upstream traffic that contains sensitive information, e.g., the passwords typed by the user in a connection are visible in the upstream traffic. The upstream traffic will be displayed only if the private key of this certificate is available.

Note

Even if the upstream traffic is encrypted with a separate certificate, only one audit trail file is created to as session.

Note

You can combine the different encryption methods, so for example it is possible to encrypt the audit trails with multiple certificate-pairs, and to replay the trails only if the private keys of a certificate-pair are available. This is true for encrypting the upstream traffic as well. At the extreme, you will need four private keys to fully replay an audit trail: two to open the normal traffic, and two more to display the upstream traffic.

For details on uploading certificates to SCB, see Procedure 4.41, Uploading external certificates to SCB.

	Tip
	If two certificates are displayed in a row, they are a certificate-pair and you need the private key of both to replay the audit trails. If two certificates are displayed in separate rows, you need the one of the private keys to replay the audit trails. If there are multiple rows containing two certificates, you need the private keys of the certificate(s) listed in any of the rows.

Procedure 5.6. Encrypting audit trails

Figure 5.9. Encrypting audit trails

Navigate to Policies > Audit Policies and select the audit policy you will use in your connections.

Tip

To encrypt every audited connection, select the default policy.
Select the Enable encryption option.
Click in the Encryption X.509 certificates field. A new row is displayed.
Click on the left icon and upload a certificate to SCB. This certificate will be used to encrypt the audit trails, and it must not include the private key.

Note

To replay the audit trails, you will need the private key of the certificate on the computer running the Audit Player application.
Optional step: To encrypt the audit trails jointly with another certificate, click on the right icon and upload a certificate to SCB. Note that the private key of both certificates will be required to replay the audit trails.
Optional step: Repeat Steps 3-4 (and optionally Step 5) to encrypt the audit trails separately with additional certificates.
Optional step: To use a separate certificate to encrypt the upstream traffic, complete the following steps:
1. Select Different encryption certificates for upstream.
2. Click the left icon in the Upstream encryption X.509 certificates field and upload a certificate.
3. Optional steps: If needed, add further certificate to jointly or separately encrypt the upstream traffic with.
Click Commit.

5.1.7.2. Timestamping audit trails

SCB can add timestamps to the audit trails.

To use the built-in timestamping service of SCB, see Procedure 5.7, Built-in timestamping service.
To use an external Timestamping Authority, see Procedure 5.8, External timestamping service.

Procedure 5.7. Built-in timestamping service

To use the built-in timestamping service of SCB, complete the following steps:

Navigate to Policies > Audit Policies and select the audit policy you will use in your connections.

Tip

To add timestamping for every audited connection, select the default policy.
Figure 5.10. Timestamping audit trails

Select the Enable timestamping option.
Click Commit. SCB will automatically add timestamps to the audit trails of every connection that is audited and uses this audit policy.

Note

To change the certificate used for timestamping, see Section 4.5.6, Changing the certificates used on SCB.
Repeat the above steps for other audit policies if needed.

Procedure 5.8. External timestamping service

To request timestamps from a remote Timestamping Authority (TSA) , complete the following steps:

Figure 5.11. Configuring a remote TSA

Navigate to SSH Control > Global Options > Timestamping and select Remote.
Enter the address of the timestamping server into the URL field. Note that currently only plain HTTP services are supported, password-protected and HTTPS services are not supported at.
If the Timestamping Server has timestamping policies configured, enter the OID of the policy to use into the Timestamping policy field. SCB will include this ID in the timestamping requests sent to the TSA.
Click Commit.
Repeat the above steps for other protocols if needed.
Navigate to Policies > Audit Policies and select the audit policy you will use in your connections.

Tip

To add timestamping for every audited connection, select the default policy.
Select the Timestamping option.
Click Commit. SCB will automatically add timestamps to the audit trails of every connection that is audited and uses this audit policy.
Repeat the above steps for other audit policies if needed.

5.1.7.3. Digitally signing audit trails

SCB can digitally sign the audit trails to prevent the manipulation of the audit trail files. This requires an X.509 certificate and also the private key of the certificate. Note that SCB can generate a private key that you can use to create a certificate, but SCB itself cannot create the certificate used to sing the audit trails.

Procedure 5.9. Digitally signing audit trails

Figure 5.12. Signing audit trails

Navigate to Policies > Audit Policies and select the audit policy you will use in your connections.

Tip

To sign every audited connection, select the default policy.
Select the Signing option.
Upload a certificate and the corresponding private key to SCB. See Procedure 4.41, Uploading external certificates to SCB for details.

To generate a key-pair on SCB and use it to create a certificate in your PKI system, complete the following steps:
1. Click the icon in the Private key field. A popup window opens.
2. Select the length of the key in the Generate key field.
3. Set the type of the key (RSA or DSA) in the Key type field.
4. Click Generate. The fingerprint of the new private key is displayed in the Private key field.
5. Click Commit.
6. Click the fingerprint and select a format to download the public part of the key. Currently the key can be downloaded in the following formats: OpenSSH, Tectia, PEM, DER.
7. Use your PKI system to create a certificate request with the downloaded key, and sign it with your Certificate Authority (CA).
8. Click in the X.509 certificate field and upload the certificate to SCB.
Click Commit. SCB will automatically sign the audit trails of every connection that is audited and uses this audit policy.
Repeat the above steps for other audit policies if needed.

5.1.7.4. Other audit trail settings

To impose limits on the audit trail files, complete the following steps:

Procedure 5.10. Limiting audit trails

The followings must be set for every controlled protocol separately.

Navigate to Control > Global options > Audit.
Adjust the Audit trail rate limit option if needed. If the size of an audit trail is increasing faster than this rate, SCB can send an alert to the administrator. Such connections may sign Denial of Service (DOS) attacks. Different protocols can have different rate limits.
Adjust the Audit trail file limit option if needed. The size of audit trail files is maximized to prevent a single connection from filling SCB's hard drive, causing a Denial of Service (DOS). The maximal size of the Audit trail file limit can be 4GB.
Enable the Terminate connection on file limit option to terminate any connection if the size of its audit trail reaches limit specified in Audit trail file limit. If the Terminate connection on file limit option is disabled, the connection will not be terminated, but SCB will not further audit the connection. Different protocols can have different size limits.
Click Commit.

To activate any changes in the audit trail settings, complete the following steps:

	Warning
	This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.

To activate the new settings, select Basic Settings > System > System control > Disable all traffic.
Click Enable all traffic.

5.1.8. Verifying certificates with Certificate Authorities

SCB can check the validity of certificates using the certificates and certificate-revocation lists of the certificate authorities that issued the certificates. This can be used for example to verify the certificates of the servers in SSH/RDP connections. To create a list of CA certificates to use during the certificate validation, complete the following steps:

Procedure 5.11. Creating Trusted CA lists

Figure 5.13. Creating Trusted CA lists

Navigate to Policies > Trusted CA Lists and click to create a new list.
Enter a name for the CA list into the topmost field.
Click in the Certificate field, and upload the certificate of the Certificate Authority (CA) that will be used to validate the certificates. See Procedure 4.41, Uploading external certificates to SCB for details on uploading certificates.
Enter the URL of the Certificate Revocation List of the CA into the CRL field. Certificates appearing on the CRL list will be automatically rejected.
To further limit which certificates are accepted, you may use the following options:
- Strict hostname check: Select this option to accept only certificates when the Common Name of the certificate contains the hostname or the IP address of the host showing the certificate.
- Use DNS to lookup hostnames: Select this option to use the domain name server set on Basic Settings > Network > Naming to resolve the hostnames and IP addresses for certificate validation. If you have enabled the Strict hostname check option, you probably want to enable this option as well.
- To restrict the accepted certificates based on the content of the certificate, enter the required value into the appropriate field of the User certificate validation section. For example, to accept only certificates that contain Example Inc. in their Organization Name field, enter Example Inc. in to the Organization Name field. In the Common name, E-mail address, and Alternative e-mail address fields you can use the $username macro to refer to the username used in the connection. This macro makes it possible to check that the user is using his own certificate.
Click Commit.

5.1.9. Signing certificates on-the-fly

At a number of places, SCB can generate the server-side certificates on the fly. This technique is used for example in SSL-encrypted RDP sessions, RDP sessions that use Network Layer Authentication (CredSSP), or SSH connections that use X.509-based authentication. To create a signing CA, complete the following steps:

	Note
	Signing CAs require a CA certificate permitted to sign certificates, and also the corresponding private key.

	Note
	These CAs cannot be used to sign audit trails. To configure the certificates used to sign audit trails, see Section 5.1.7.3, Digitally signing audit trails.

Procedure 5.12. Configuring certificate signing on SCB

Figure 5.14. Creating Signing CAs

Navigate to Policies > Signing CAs and click .
Enter a name for the CA into the topmost field.
To upload a CA certificate and its private key, complete the following steps. Skip this step if you want to generate a CA on SCB.
1. Click in the CA X.509 certificate field and upload the certificate of the certificate authority.
2. Click in the CA private key field and upload the private key of the certificate authority. See Procedure 4.41, Uploading external certificates to SCB for details.
3. Click Commit.
To generate a CA certificate on SCB, complete the following steps:
1. Enter the Common Name for the CA certificate into the Common Name field. This name will be visible in the Issued By field of the certificates signed by this CA.
2. Fill the other fields as required, then click Generate private key and certificate.
3. Click Commit.

5.1.10. Forwarding traffic to an IDS or DLP system

SCB can forward the contents of the traffic to an Intrusion Detection System (IDS) or a Data Leak Prevention (DLP) system for further analysis. The IDS or DLP system and SCB must be on the same network segment (connected to the same network switch). SCB does not modify the traffic, only forwards the unencrypted traffic to the IDS/DLP. For example, if HTTP traffic is tunneled in SSH, the IDS will receive only the HTTP traffic. That way, the IDS/DLP system can inspect the contents of the encrypted traffic. To configure traffic forwarding, complete the following steps.

Procedure 5.13. Configuring traffic-forwarding to IDS systems

Figure 5.15. Configuring IDS-forwarding

Navigate to the type of traffic to forward (e.g., SSH Control), and select the Global Options page.
Select IDS > Interface, and select which interface of SCB is connected to the same network segment (i.e., to the same switch) as the IDS. Note that the HA interface of SCB cannot be used for this purpose.
Enter the MAC address of the network card of the IDS system into the Destination MAC address field.
Click Commit.
Figure 5.16. Enabling IDS-forwarding

Select Channel Policies page, and select the channel policy you use in the connections that you want to forward to the IDS. Click .
Select the IDS option for the channels you want to forward to the IDS.
Repeat the Steps 5-6 for other channel policies if needed.
Navigate to Basic Settings > System > System Control, and click Restart for this type of traffic.
Repeat the above steps for other types of traffic if needed.

5.2. SSH-specific settings

The following sections describe configuration settings available only for the SSH protocol. Use the following policies to control who, when, and how can access the SSH connection.

Hostkeys and host certificates: SCB allows you to set how the identity of the client hosts and servers is verified. See Section 5.2.1, Setting the SSH host keys and certificates of the connection for details.
Authentication Policy: Authentication policies describe the authentication methods allowed in a connection. Different methods can be used for the client and server-side connections. See Section 5.2.3, Authentication Policies for details.
User List: A user list is a list of usernames permitted to use — or forbidden from using — the connection. Essentially it is a blacklist or a whitelist. All users matching the other requirements of the connection are accepted by default. See Section 5.1.5, User lists for details.
Channel Policy: The channel policy determines which SSH channels (e.g., terminal session, SCP, etc.) can be used in the connection, and whether they are audited or not. The different channels may be available only under certain restrictions, as set in the channel policy. See Section 5.1.3, Channel Policies for details.
SSH settings: SSH settings determine the parameters of the connection on the protocol level, including timeout value and greeting message of the connection. The following parameters determine which algorithms are used in the connections, and can be set independently for the client and the server side: key exchange, host key, cipher, MAC, and compression algorithms. The default values include all possible algorithms. See Section 5.2.5, Protocol-level SSH settings for details.

5.2.1. Setting the SSH host keys and certificates of the connection

By default, SCB accepts and stores the host key or certificate of the server when the connection is first established. To manually set the SSH keys and certificates used and accepted in the connection, complete the following steps.

Procedure 5.14. Setting the host keys of the connection

Figure 5.17. Configuring SSH host keys of the connection

Navigate to SSH Control > Connections and click to display the details of the connection.
To verify the identity of the servers based on their hostkeys, select Server-side hostkey settings > Allow plain host keys.
- Select Accept the key for the first time to automatically record the key shown by the server on the first connection. SCB will accept only this key from the server in later connections. This is the default behavior of SCB.
- Select Only accept trusted keys if the key of the server is already available on SCB. SCB will accept only the stored key from the server. See Section 5.2.4, Server host keys and certificates for further information on setting the host keys of the server.
To verify the identity of the servers based on their X.509 host certificates, select Server-side hostkey settings > Allow X.509 host certificates.
- Select Accept certificate for the first time to automatically record the certificate shown by the server on the first connection. SCB will accept only this certificate from the server in later connections.
- Select Only accept uploaded certificates if the certificate of the server is already available on SCB. SCB will accept only the stored certificate from the server. See Section 5.2.4, Server host keys and certificates for further information on setting the host certificate of the server.
- Select Only accept certificates authenticated by the trusted CA list to verify the host certificate of the server to a CA certificate, and select the Trusted CA list to use in the Trusted CA list field. For details on creating CA lists, see Section 5.1.8, Verifying certificates with Certificate Authorities.
  
  Note
  
  By default, SCB accepts only plain hostkeys, and accepts them for the first time.
To set the RSA and DSA host keys that SCB shows to the clients, select Client side hostkey settings > Allow plain host keys, and click the icon in the RSA host key or the DSA host key fields to set the RSA and DSA host keys, respectively. It is possible to upload or paste a key or to generate a new one. Click on the fingerprint to display the public part of the key.
To enable SCB to show an X.509 certificate to the clients, select Client side hostkey settings > Allow X.509 host certificates.
- To always use the same certificate, select Use the same certificate for every connection and upload a private key and a certificate.
- To generate a new certificate for the connection policy (not for every session), select Generate certificates on-the-fly, and set the CA to use for signing the certificate in the Signing CA field. For details about creating signing CAs, see Section 5.1.9, Signing certificates on-the-fly.
Click Commit.

5.2.2. Supported SSH channel types

The available SSH channel types and their functionalities are described below. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.

Agent: Forwards the SSH authentication agent from the client to the server.

X11 Forward: Forwards the graphical X-server session from the server to the client. Enter the address of the client into the Details > Target address field to permit X11-forwarding only to the specified clients. Specify IP addresses or networks (in IP address/Netmask format).

	Note
	Certain client applications send the Target address as a hostname, while others as an IP address. If you are using a mix of different client applications, you might have to duplicate the channel rules and create IP-address and hostname versions of the same rule.

Figure 5.18. Local TCP forwarding

Local Forward: Forwards traffic arriving to a local port of the client to a remote host. To enable forwarding only between selected hosts, enter their IP addresses into the Details field. If the Details field is empty, local forwarding is enabled without restriction, the client may forward any traffic to the remote host. Enter the source of the forwarded traffic into the Originator, the target of the traffic into the Target field. Specify IP addresses or networks (in IP address/Netmask format). These parameters are the end-points of the forwarded traffic (i.e., the local host that sends data to the remote host), and not the SSH server or the client. For example, to enable forwarding from the 192.168.20.20 host to the remote host 192.168.50.50, enter 192.168.20.20 into the Originator, and 192.168.50.50 into the Target field.

	Note
	Certain client applications send the Originator and Target addresses as hostnames, while others as IP addresses. If you are using a mix of different client applications, you might have to duplicate the channel rules and create IP-address and hostname versions of the same rule.

Figure 5.19. Remote TCP forwarding

Remote Forward: Forwards traffic arriving a remote port of the server to the client. To enable forwarding only between selected hosts, enter their IP addresses into the Details field. If the Details field is empty, remote forwarding is enabled without restriction, the SSH server may forward any traffic to the client. Enter the source of the forwarded traffic into the Originator, the target of the traffic into the Target field. Specify IP addresses or networks (in IP address/Netmask format). These parameters are the end-points of the forwarded traffic (i.e., the remote host that sends data to the client), and not the SSH server. For example, to enable forwarding from the 192.168.20.20 remote host to the client 192.168.50.50, enter 192.168.20.20 into the Originator, and 192.168.50.50 into the Target field.

	Note
	Certain client applications send the Originator and Target addresses as hostnames, while others as IP addresses. If you are using a mix of different client applications, you might have to duplicate the channel rules and create IP-address and hostname versions of the same rule.

Session Exec: Execute a remote command (e.g., rsync) without opening a session shell. Enter the permitted command into the Details field. Regular expressions may be used to specify the commands.

	Warning
	Restricting the commands available in Session Exec channels does not guarantee that no other commands can be executed. Commands can be renamed, or executed from shell scripts to circumvent such restrictions.

Session Exec SCP: Transfers files using the Secure Copy (SCP) protocol.
Session Subsystem: Use a subsystem. Enter the name of the permitted subsystem into the Details field.
Session SFTP: Transfers files using the Secure File Transfer Protocol (SFTP).
Session Shell: The traditional remote terminal session.

5.2.3. Authentication Policies

An authentication policy is a list of authentication methods that can be used in a connection. Connection definitions refer to an authentication policy to determine how the client can authenticate to the target server. Separate authentication methods can be used on the client and the server-side of the connection.

Figure 5.20. Authentication policies

To create a new authentication policy, follow the steps below:

Figure 5.21. Configuring authentication policies

Navigate to SSH Control > Authentication Policies, and click .
Enter a name for the policy into the Name field.
Select the authentication method used on the client-side in the Client authentication backends field. For details on the client-side authentication settings, see Section 5.2.3.1, Client-side authentication settings.
Select the authentication method used on the server-side in the Server authentication methods field. For details on the server-side authentication settings, see Section 5.2.3.2, Server-side authentication settings.

Click Commit.

Note

The client-side authentication is independent from the gateway authentication that can be required by the connection policy. Gateway authentication can be used together with authentication policies. In an extreme setting, this would mean that the user has to perform three authentications: a client-side authentication on SCB, a gateway authentication on SCB, and a final authentication on the server.

5.2.3.1. Client-side authentication settings

For the client-side connection (between the client and SCB), the following authentication methods are available:

Figure 5.22. Configuring authentication policies

LDAP: SCB will authenticate the client to the LDAP database set in the LDAP Server of the connection policy. To use LDAP authentication on the client side, select Client authentication backends > LDAP, and select the permitted authentication methods (Password, Public key, X.509 certificate). More than one method can be permitted.

Note

The public keys of the users stored in the LDAP database must be in OpenSSH format.
Local: Authenticate the client locally on SCB. See Procedure 5.15, Local client-side authentication for details.
RADIUS: SCB will authenticate the client to the specified RADIUS server. Select Client authentication backends > RADIUS, enter the IP address or hostname of the RADIUS server into the Address field, and the shared secret of the RADIUS server into the Shared secret field. Only password-authentication is supported (including one-time passwords), challenge-response based authentication is not.
Server: Do not perform client-side authentication, the client will authenticate only on the target server.

Procedure 5.15. Local client-side authentication

To perform authentication locally on SCB for client-side connections, complete the following steps:

Note

The users can be authenticated to their public-keys or X.509 certificates uploaded to SCB. It is not possible to perform password-based authentication.

The accounts created to access the SCB web interface cannot be used to authenticate SSH connections.

Navigate to SSH Control > Authentication Policies, and select the authentication policy to modify.
Select Client authentication backends > Local, and select the permitted authentication methods (Public key, X.509 certificate).
Navigate to the bottom of the policy, and click .

Enter the name of the user into the Username field.

	Note
	If you also use Usermapping policies, enter the username that the client will use on the server side. If you also use gateway authentication, the gateway username can be used as well.

Depending on the authentication method selected, upload the public key or X.509 certificate of the client by clicking the icons in the Client Side (public key/certificate) field.
Repeat Steps 3-5 to add other users as required.
Click Commit.

5.2.3.2. Server-side authentication settings

For the server-side connection (between SCB and the target server), the following authentication methods are available:

Password: Authentication based on username and password. The server will request a password from the user, even if a password-based authentication was already successful on the client-side.
Keyboard Interactive: Authentication based on exchanging messages between the user and the server. This method includes authentication schemes like S/Key or TIS authentication.

Public Key: Authentication based on public-private encryption keypairs. SCB supports the following public-key authentication scenarios:

Agent: Allow the client to use agent-forwarding, and use its own keypair on the server-side.

	Warning
	If agent-based authentication is enabled, the client must use agent authentication, no other authentication method can be used. Note that for agent-based authentication to work, the `Agent-forwading` channel must be enabled in the channel policy used by the connection.

Fix: Use the specified private key in the server-side connection. Select Server authentication methods > Server side private and public key > Public key > Fix, and click to upload the private key.
Map: SCB stores the public key of the user and a keypair for every user. This keypair is used in the server-side connection. See Section 5.2.3.3, How to map keys and certificates for details.
Publish to LDAP: SCB generates a keypair, and uses this keypair in the server-side connection. The public key of this keypair is also uploaded to the LDAP database set in the LDAP Server of the connection policy. That way the server can authenticate the client to the generated public key stored under the user's username in the LDAP database. Select Server authentication methods > Server side certificate > Publish to LDAP.

Note

SCB generates a keypair for every user of the connection policy, not for every session.

X.509 certificate: Authentication based on X.509 certificates. SCB supports the following certificate-based authentication scenarios:

Agent: Allow the client to use agent-forwarding, and use its own certificate on the server-side.

	Warning
	If agent-based authentication is enabled, the client must use agent authentication, no other authentication method can be used. Note that for agent-based authentication to work, the `Agent-forwading` channel must be enabled in the channel policy used by the connection.

Fix: Use the specified private key and certificate in the server-side connection. Select Server authentication methods > Server side certificate > Fix, and click to upload the private key and the certificate.

	Note
	It is also possible to generate a private key on SCB, create a certificate upload request (CSR) with it, sign the certificate using an external PKI system, and upload the certificate to SCB.

Map: SCB stores an X.509 certificate and the corresponding private key for the user, and uses the stored certificate in the server-side connection. See Section 5.2.3.3, How to map keys and certificates for details.
Generate: SCB generates an X.509 certificate and the corresponding private key for every connection policy, and uses this certificate in the server-side connections. Select Server authentication methods > Server side certificate > Generate, and select the certificate authority to use for signing the generated certificates with from the Signing CA field. For details on configuring signing CAs, see Section 5.1.9, Signing certificates on-the-fly.
Publish to LDAP: SCB generates an X.509 certificate and the corresponding private key for every connection policy, and uses this certificate in the server-side connections. The certificate is also uploaded to the LDAP database set in the LDAP Server of the connection policy. That way the server can authenticate the client to the generated certificate stored under the user's username in the LDAP database. Select Server authentication methods > Server side certificate > Publish to LDAP, and select the certificate authority to use for signing the generated certificates with from the Signing CA field. For details on configuring signing CAs, see Section 5.1.9, Signing certificates on-the-fly.

Note

SCB generates a certificate for every connection policy, not for every session.

5.2.3.3. How to map keys and certificates

Procedure 5.16. How to map keys and certificates

Navigate to SSH Control > Authentication Policies, and select the authentication policy to modify.
Figure 5.23. Mapping keys and certificates

Navigate to the bottom of the policy, and click .

Enter the name of the user into the Username field.

	Note
	If you also use Usermapping policies, enter the username that the client will use on the server side. If you also use gateway authentication, the gateway username can be used as well.

- If you use public-key based authentication on the client side, click the icon in the Client Side (public key/certificate) > Public keys field, and upload the public key of the client.
- If you use certificate-based authentication on the client side, click the icon in the Client Side (public key/certificate) > Certificates field, and upload the certificate of the client.

If you use public-key based authentication on the serve side, click the icon in the Server Side (public key/certificate) > Private key field, and upload the private key of the client, or generate a new key.
If you use certificate-based authentication on the server side, click the icon in the Server Side (public key/certificate) > Private key for server-side certificate field, and upload the private key for the certificate of the client. Then upload the certificate that will be used on the server side.

	Note
	It is also possible to generate a private key on SCB, create a certificate upload request (CSR) with it, sign the certificate using an external PKI system, and upload the certificate to SCB.

Repeat Steps 2-5 to add other users as required.
Click Commit.

5.2.4. Server host keys and certificates

The host keys and X.509 certificates of the trusted servers can be managed using the Server Host Keys tab of the Secure Shell Control menu item. When a client tries to connect to a server, SCB verifies the host key or the certificate of the server. SCB allows connections only the servers listed on this page, unless the Accept key for the first time or the Accept certificate for the first time option is enabled in the connection policy.

Figure 5.24. Server host keys

The host keys and host certificates of the servers can be added either automatically or manually. To add the host key or certificates automatically, complete the following steps:

Procedure 5.17. Automatically adding the host keys and host certificates of a server to SCB

Navigate to the SSH Control > Connections.

Configure a connection: fill the From, To, and Port fields. If SCB is set to Bastion mode, fill the Target field as well.

	Note
	Enter the IP address of the server into the To field if SCB is set to Router, and into the Target field if SCB is set to Bastion mode.

Click to display the advanced settings and verify that the Server side hostkey settings > Plain host key check option is set to Accept key for the first time.

If the servers use X.509 certificates, select Allow X.509 host certificates, and verify that the X.509 host certificate check option is set to Accept certificate for the first time.

Click Commit.
Initiate an SSH connection from the client to the server. SCB will automatically record the host key of the server — the server's IP address and the host key will be listed on the SSH Control > Server Host Keys page.

To add the host key or host certificate manually, complete the following steps:

Procedure 5.18. Manually adding the host key or host certificate of a server

Navigate to the SSH Control > Server Host Keys and click .
Enter the IP address and port of the server into the Address and Port fields.
To set the host key of the server, complete the following steps:
1. - To add the RSA fingerprint of the server, click in the Public key (RSA) field.
  - To add the DSA fingerprint of the server, click in the Public key (DSA) field.
  A popup window is displayed.
2. Figure 5.25. Uploading server host keys
  - Select Query to retrieve the host key from the server.
  - To upload the host key manually, select Browse, select the file, and click Upload. Optionally, you can also paste the key into the Copy-paste key section and select Upload.
    
    Select Close to close the window.
To set the host certificates of the server, complete the following steps:
1. - To add the RSA certificate of the server, click in the X.509 certificate (RSA) field.
  - To add the DSA certificate of the server, click in the X.509 certificate (DSA) field.
  A popup window is displayed.
2. To upload the host key manually, select Browse, select the file, and click Upload. Optionally, you can also paste the key into the Copy-paste key section and select Upload.
  
  Select Close to close the window.
Click Commit.

5.2.5. Protocol-level SSH settings

SSH settings determine the parameters of the connection on the protocol level, including when the server-side connection is built, as well as the timeout value and greeting message of the connection. The following parameters determine which algorithms are used in the connections, and can be set independently for the client and the server side: key exchange, host key, cipher, MAC, and compression algorithms. Complete the following procedure to create a new SSH settings profile or edit an existing one:

	Warning
	Modifying the SSH settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing.

Figure 5.26. SSH settings

Procedure 5.19. Creating and editing SSH settings

Navigate to the SSH Control > Settings and click to create an SSH setting profile. Enter a name for the profile into the SSH Settings field (e.g., strongencryption).
Click to display the parameters of the SSH connection.
Modify the parameters as needed. The parameters can be set independently for the client- and the server-side connection. See Section 1.2, Configuring encryption parameters for a list of the available parameters.
To check the protocol-level parameters of the connections very strictly, select the Strict mode option. When this option is enabled, SCB will reject connections that use unrealistic parameters (e.g., terminals of thousand by thousand characters). Note that this option can interfere with certain client or server applications.
Before establishing the server-side connection, SCB can evaluate the connection and channel policies to determine if the connection might be permitted at all, e.g., it is not denied by a Time Policy. To enable this function, select the Enable pre channel check option. That way SCB establishes the server-side connection only if the evaluated policies permit the client to access the server.
Click Commit.
Select this settings profile in the SSH Settings field of your connections.

5.3. RDP-specific settings

The following sections describe configuration settings available only for the RDP protocol. Use the following policies to control who, when, and how can access the RDP connection.

Channel Policy: The channel policy determines which RDP channels (e.g., clipboard, file-sharing, etc.) can be used in the connection, and whether they are audited or not. The different channels may be available only under certain restrictions, as set in the channel policy. See Section 5.1.3, Channel Policies for details.
RDP settings: RDP settings determine the parameters of the connection on the protocol level, including timeout value, display parameters, and the version of RDP permitted. See Section 5.3.2, Protocol-level RDP settings for details.
Domain membership: When using Network Layer Authentication (CredSSP) SCB must be a member of the domain. See Section 5.3.3, Joining SCB into a domain for details.
SSL-encrypted connections: To setup SSL-encrypted RDP connections, see Section 5.3.4, Using SSL-encrypted RDP connections and Section 5.3.5, Verifying the certificate of the RDP server in encrypted connections.

5.3.1. Supported RDP channel types

The available RDP channel types and their functionalities are described below. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.

Drawing: Enables access to the server's desktop (screen). This channel must be enabled for RDP to work.
Clipboard: Enable access to the server's clipboard: the clipboard of the remote desktop can be pasted into local applications (and vice-versa). Note that SCB can audit the clipboard channel, but the Audit Player currently cannot search or display its contents. The content of this channel is not simply text or images; RDP uses a separate protocol to transfer the clipboard contents.
Redirects: Enables access to every device redirections available in RDP, like file-sharing, printer sharing, device (e.g., CD-ROM) sharing, etc. To enable only specific types of redirections, use the following channels:
- Serial redirect: Enables access to serial-port redirections.
  
  Parallel redirect: Enables access to parallel-port redirections.
  
  Printer redirect: Enables access to shared printers.
  
  Disk redirect: Enables access to shared disk drives.
  
  SCard redirect: Enables access to shared SCard devices.
To permit only specific redirections, enter the unique name of the redirection into the Details field. For example, if you want to enable access only to the shared disk drive C:\, enable the Disk redirect channel and enter C:\ into the Details field. Note that the name of the device comes from the device itself, so it is case sensitive, and may not always be reliable from a security point of view.
Sound: Enable access to the sound device of the server.
Custom: Applications can open custom channels to the clients connecting remotely to the server. Enabling the Custom channel allows the clients to access all of these custom channels. To permit only specific channels, enter the unique names of the channel into the Details field.
Seamless: Enable seamless channels that run a single application on the RDP server, instead of accessing the entire desktop.
Dynamic virtual channel: Enable the server to open channels back to the client dynamically. To restrict which dynamic channels are permitted, select Channel details > , and enter the name of the permitted channel.

5.3.2. Protocol-level RDP settings

RDP settings determine the parameters of the connection on the protocol level, including timeout value, the version of RDP permitted in the connection, and display parameters. Complete the following procedure to create a new RDP settings profile or edit an existing one:

Figure 5.27. RDP settings

	Warning
	Modifying the RDP settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing.

Procedure 5.20. Creating and editing RDP settings

Navigate to RDP Control > Settings and click to create an RDP setting profile. Enter a name for the profile into the RDP Settings field (e.g., rdp5only).
Click to display the parameters of the RDP connection.
Modify the parameters as needed. The following parameters are available:
- Timeout: Timeout value for the connection in milliseconds. Negative numbers (e.g., -1) set the timeout to unlimited.
- Maximum display width: The maximum allowed width of the remote desktop in pixels (e.g., 1024).
- Maximum display height: The maximum allowed height of the remote desktop in pixels (e.g., 768).
- Maximum display depth: The maximum allowed color depth the remote desktop in bits (e.g., 24). The following values are valid: 8, 15, 16, 24, 32.
- Enable RDP4: Select this option to enable the version 4 of the Remote Desktop Protocol.
- Enable RDP5: Select this option to enable the version 5 of the Remote Desktop Protocol.
- Enable RDP6: Select this option to enable the use of Credential Security Service Provider (CredSSP, also called Network Layer Authentication). Note that: SSL-encrypted connections (even in RDP6) do not require this option, it is only needed for Network Layer Authentication. If you enable this option, you also have to configure SCB to join your domain. See Section 5.3.3, Joining SCB into a domain for details. Also note that Smartcard authentication cannot be used when this option is enabled.
  
  Warning
  
  To access hosts running Windows 2008 Server R2 using RDP6, select the Enable RDP4 style authentication option as well.
- Enable RDP4 style authentication: Select this option to enable RDP4 authentication within the RDP5 protocol. This might be needed for compatibility reasons with certain client applications.
- Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all SCB does not establish the server-side connection.
Click Commit.
Select this settings profile in the RDP Settings field of your connections.

5.3.3. Joining SCB into a domain

Procedure 5.21. Joining a domain

Navigate to RDP Control > Domain membership.
Figure 5.28. Joining a domain

Enter the name of the domain (e.g., mydomain) into the Domain field.

Enter the name of the realm (e.g., mydomain.example.com) into the Full domain name field.

	Note
	Ensure that your DNS settings are correct and that the full domain name can be resolved from SCB. To check this, navigate to Basic Settings > Troubleshooting > Ping, enter the full domain name into the Hostname field, and select Ping host.

Click Join domain. A popup window is displayed.

SCB requires an account to your domain to be able to join the domain. Enter the name of the user into the Username field, and the corresponding password into the Password field.

Optionally, you can enter the name of your domain controller into the Domain controller field. If you leave this field blank, SCB will try to find the domain controller automatically.

	Note
	Ensure that your DNS settings are correct and that the hostname of the domain controller can be resolved from SCB. To check this, navigate to Basic Settings > Troubleshooting > Ping, enter the name of the domain controller into the Hostname field, and select Ping host.

Click Join domain.

5.3.4. Using SSL-encrypted RDP connections

RDP5 and RDP6 connections may use SSL encryption to encrypt the communication between the client and the server. If both the client and the server supports SSL encryption, the connection will be encrypted.

Note

Using Network Layer Authentication (CredSSP) automatically uses SSL-encryption, but does not require a signing CA.

To enable SSL encryption, the Enable RDP5 option must be enabled in the protocol settings of the connection. In the default setting, this is enabled. To enable Network Layer Authentication (CredSSP) the Enable RDP6 option must be enabled in the protocol settings of the connection. In the default setting, this is not enabled. See Section 5.3.2, Protocol-level RDP settings for details.

When the RDP connection is SSL-encrypted, SCB has to show a certificate to the client. To set the certificate authority used to sign these certificates, complete the following steps.

Procedure 5.22. Enabling SSL-encrypted RDP connections

Create a certificate authority that will be used to sign the certificates that SCB shows to the client. See Section 5.1.9, Signing certificates on-the-fly for details.
Navigate to RDP Control > Connections and select the connection policy to modify.

Figure 5.29. Using SSL-encryption in RDP connections

In the Signing CA field, select the certificate authority to use.

	Warning
	SSL-encrypted RDP connections will be automatically rejected if no signing CA is selected.

	Note
	Connections using Network Layer Authentication (CredSSP) do not need a signing CA, because they use self-signed certificates that are created automatically.

Click Commit.

5.3.5. Verifying the certificate of the RDP server in encrypted connections

By default, SCB accepts any certificate shown by the server. To accept only verified certificates, complete the following steps:

Procedure 5.23. Verifying the certificate of the RDP server in encrypted connections

Create a list of trusted CA certificates that will be used to verify the certificate of the server. See Section 5.1.8, Verifying certificates with Certificate Authorities for details.
Navigate to RDP Control > Connections and select the connection policy to modify.
Figure 5.30. Using SSL-encryption in RDP connections

Select Verify server certificate.
Select the CA list to use for verifying the certificate of the server from the Trusted CA list field.
Click Commit.

5.4. Telnet-specific settings

The following sections describe configuration settings available only for the Telnet protocol. Use the following policies to control who, when, and how can access the Telnet connection. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.

Telnet settings: Telnet settings determine the parameters of the connection on the protocol level, including timeout value, etc. See Section 5.4.1, Protocol-level Telnet settings for details.
User lists in Channel Policies: User lists affect Telnet connections only when they are used together with Gateway Authentication. See Section 8.2, Configuring gateway authentication for details.

5.4.1. Protocol-level Telnet settings

Telnet settings determine the parameters of the connection on the protocol level, including timeout value, etc. Complete the following procedure to create a new Telnet settings profile or edit an existing one:

	Warning
	Modifying the Telnet settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing.

Procedure 5.24. Creating and editing Telnet settings

Navigate to the Settings tab of the Telnet Control menu item and click to create a Telnet setting profile. Enter a name for the profile into the Telnet Settings field (e.g., telnet_special).
Click to display the parameters of the Telnet connection.
Modify the parameters as needed. The following parameters are available:
- Timeout: Timeout value for the connection in milliseconds. Negative numbers (e.g., -1) set the timeout to unlimited.
- Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all SCB does not establish the server-side connection.
Click Commit.
Select this settings profile in the Telnet Settings field of your connections.

5.5. VNC-specific settings

The following sections describe configuration settings available only for the Virtual Networking (VNC) protocol. Use the following policies to control who, when, and how can access the VNC connections. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.

VNC settings: VNC settings determine the parameters of the connection on the protocol level, including timeout value, etc. See Section 5.5.1, Protocol-level VNC settings for details.
User lists in Channel Policies: User lists affect VNC connections only when they are used together with Gateway Authentication. See Section 8.2, Configuring gateway authentication for details.

5.5.1. Protocol-level VNC settings

VNC settings determine the parameters of the connection on the protocol level, including timeout value, etc. Complete the following procedure to create a new VNC settings profile or edit an existing one:

	Warning
	Modifying the VNC settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing.

Procedure 5.25. Creating and editing VNC settings

Navigate to VNC Control > Settings and click to create a VNC setting profile. Enter a name for the profile into the VNC Settings field (e.g., vnc_special).
Modify the parameters as needed. The following parameters are available:
- Timeout: Timeout value for the connection in milliseconds. Negative numbers (e.g., -1) set the timeout to unlimited.
- Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all SCB does not establish the server-side connection.
Click Commit.
Select this settings profile in the VNC Settings field of your connections.

Chapter 6. Browsing log messages and SCB reports

This section describe how to browse the various types of log messages and audit trails on SCB and exactly what kind of information do they contain.

6.1. Using the search interface

SCB has a uniform interface for browsing SCB configuration changes, reports, and audit trails. This search interface consists of two main parts: a calendar bar and a table.

Figure 6.1. Using the search interface

The calendar bar displays the number of log messages in the selected interval. Use the , icons to zoom, and the arrows to display the previous or the next intervals. To explicitly select a date, select Jump to and set the date in the calendar. Use the Scale option to select the length of the displayed interval.

Hovering the mouse above a calendar bar displays the number of entries and the start and end date of the period that the bar represents. Click a calendar bar to display the entries of that period in the table. Use Shift+Click to select multiple calendar bars. The Selected field shows the starting and ending date of the period listed in the table.

SCB records several parameters of every log message. To select the data displayed, complete the following steps:

Procedure 6.1. Displaying information about connections

Navigate to the database you want to browse, e.g., select Search.
Select Customize Columns. A popup window containing the list of available information is displayed.

Figure 6.2. Displaying search information
To display a parameter, select the corresponding checkbox.
Use the arrow icons to adjust the order of the columns.
Click Apply all changes. The selected information is displayed.

The table can be filtered for any parameter, or a combination of parameters. To filter the list, simply enter the filter expression into the text box of the respective column. For example, to display only changes performed by a specific user, enter the username into the Author field and press Enter. Clicking on a field of a specific parameter automatically filters the list with the parameter stored in the field.

When typing search expressions, you can also use the AND, OR, and NOT operations. Note that whitespace is interpreted as AND, and NOT can be used only together with other operators (e.g., adm AND NOT admin).

	Note
	When you use filters, the calendar bar displays the statistics of the filtered results.

Filtering displays also partial matches: e.g., filtering Author for adm will display all changes performed by users whose username contains the adm string.

To save the table of search results as a file, click the Export as CSV action button. This saves the table as a text file containing comma-separated values.

To save the audit trail of a session, click the icon in the Audit trail column.

To restore the original table, click Clear all Filters.

	Tip
	Use the SSH, RDP, and Telnet buttons to quickly filter the list for a single protocol.

6.2. Changelogs of SCB

SCB automatically records the activity of its users and administrators. These activities are displayed at AAA > Accounting. The following information is available:

Figure 6.3. Displaying configuration changes

Timestamp: The date when the modification was committed in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.
Author: The SCB user who performed the modification.
Page: The main menu item that was modified (e.g., Basic Settings > Management).
Field name: The name of the field on the page that was modified.
New value: The new value of the field after the modification.
Description: The changelog entered by the SCB administrator. Changelogs are available only if the AAA > Settings > Require commit log option was enabled at the time of the change.
Old value: The original value of the field.
Swap: Signs if the order of objects was modified on the page (e.g., the order of two policies in the list).

6.3. SCB reports

SCB periodically creates reports on the activity of the administrators, the system-health information of SCB, as well as the processed traffic. These reports are available in Portable Document (PDF) format by selecting Reporting > Reports from the Main Menu. The reports are also sent to the e-mail address set at Basic Settings > Management > Mail settings > Send reports to.

	Note
	If this address is not set, the report is sent to the SCB administrator's e-mail address.

Figure 6.4. Browsing reports

Reports are generated as follows:

Daily reports are generated every day at 00:01.
Weekly reports are generated every week on Monday at 00:01.
Monthly reports are generated on the first day of every month at 00:01.

	Tip
	Use the time bar to find reports that contain a particular period. If you select a period (e.g., click on a bar), only those reports will be displayed that contain information about the selected period.

The reports are available in Adobe Portable Document Format (PDF), and contain the following information for the given period:

Configuration changes: Lists the number of SCB configuration changes per page and per user. The frequency of the configuration changes is also displayed on a chart.
Main reports: Contains statistics about the total traffic that passed SCB, including the number of sessions that passed for every connection policy, the used usernames, clients, and servers, etc.

Note

Connections that are still in progress when the report is generated are excluded from the report.
Reports by connection: Contains separate statistics about every connection policy configured on SCB.
System health information: Displays information about the filesystem and network use of SCB, as well as the average load.

The following information is available about the reports:

Download: A link to download the report.
Name: Name of the report.
Interval: The length of the reported period, e.g., week, month, etc.
Report from: The start of the reported interval.
Report to: The end of the reported interval.
Generate time: The date when the report was created.

6.4. The SCB connection database

The connection database detailing the various meta-information about connections and connection-requests is available on the Search > Search page.

Warning

Only users with the required privileges can access the Search page. The following users can access the Search page:

Members of groups who have the Search privilege set.
Members of groups who have the Audit or Audit&Authorize permission set in the Access Control field of a connection policy. These users can access only the audit trails of the respective connections. Unless modified by the administrator of SCB, members of the search group can access every audit trail by default.
The admin user.

In addition to the regular search interface of SCB, the following features are also available:

Figure 6.5. Browsing the connections database

The search results can be exported as a comma-separated text file. Select Export format > CSV, and click Export.
To process the search results later with the Audit Player application, the search results can be exported in a special format. Select Export format > Audit Player, and click Export. When you open this file in the Audit Player application, SCB will download the audit trails corresponding to the search results.
Create filters. See Section 6.4.2, Creating predefined filters for details.
Search in the content of the indexed audit trails. Enter your search keywords into the Trail content field, and click Filter. Note that the search is case insensitive. This feature is available only if auditing and full-text indexing was requested for the connection. See Section 6.7, Full-text indexing of audit trails for details.

6.4.1. Connection metadata

SCB stores the following parameters about the connections:

Audit trail: Name and ID of the audit file storing the traffic of the channel. If the session has an audit trail and the SCB user has the View audit trails privilege, a download icon is displayed. Note that a the following letters may appear on the download icon:
- C: The audit trail has been cleaned up and is not available any more.
- A: The audit trail has been archived. SCB will try to retrieve it from the archive server.
- X: The audit trail is not available for some reason.
Authentication Method: The authentication method used in the connection.
Channel Policy: The channel policy applied to the channel opening request.
Channel Type: Type of the channel.
Connection Policy: The connection policy applied to the client's connection request.
End Time: Date when the channel was closed.
Environment Variables: The environment variables sent by the client.
Destination IP: The IP address of the server as requested by the client.
Destination Port: The port number of the server as requested by the client.
Executed Command: The command executed in a Session exec channel.
Port-forward Target IP: The traffic was forwarded to this IP address in Remote Forward and Local Forward channels.
Port-forward Target Port: The traffic was forwarded to this port in Remote Forward and Local Forward channels.
Port/X11 forward Originator IP: The IP address of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection.
Port/X11 forward Originator Port: The number of the forwarded port in Remote Forward and Local Forward channels.
Protocol: The protocol used in the connection (SSH, RDP, or Telnet).
Rule number: The number of the line in the channel policy applied to the channel.
SCP Path: Name and path of the file copied via SCP (available for Session exec SCP SSH channels).
Server IP: The IP address of the server connected by SCB.
Server-local IP: The IP address of SCB used in the server-side connection.
Server-local Port: The port number of SCB used in the server-side connection.
Server Port: The port number of the server connected by SCB.
Session ID: ID number of the TCP session.
Source IP: The IP address of the client.
Source Port: The port number of the client.
Start Time: Date when the channel was started.
Subsystem Name: Name of the SSH subsystem used in the channel.
Username: The username of the client.
Verdict: Indicates if the channel was accepted (ACCEPT), denied DENY, or failed (FAILED) for some reason. It can also indicate that the connection was rejected (CONN-DENY), failed (i.e., it was allowed to pass SCB but timed out on the server — CONN-FAIL), the user authentication failed (CONN-AUTH-FAIL), or that the public-key authentication failed in SSH (CONN-KEY-FAIL).

6.4.2. Creating predefined filters

To save the currently selected filter conditions for later use, complete the following steps:

Navigate to the Search > Search page, and set the filters you need.
Select Predefined filter conditions > Save As. A popup window is displayed.
Enter a name for the filter into the Name field.
To modify the timeframe of the search, select Interval, and set the beginning and ending date and time of the search.

By default, the filter is available only for the user who created it. To make it available for others, select Scope > Global, click , and enter the name of the group whose members may use the filter. Repeat this step to add other groups if needed.

	Note
	Filters cannot be modified later, only deleted. A filter can be deleted by the user who created it, and by users whose group has the Search > Manage global filters privilege.

Click OK.

6.5. Configuring custom reports

SCB can send the audit trails to the Audit Player application (AP) for processing. AP extracts the text from the audit trails and segments it to tokens. A token is a segment of the text that does not contain whitespace: e.g., words, dates (2009-03-14), MAC or IP addresses, etc. AP then returns the extracted tokens to SCB, where SCB creates a comprehensive index from the tokens of the processed audit trails, and creates reports from the results. The reports include statistics of the occurrences of the search keywords, as well as screenshots from the audit trail.

To configure SCB to create custom reports, complete the following steps.

Warning

Custom reports require a separate server running the Audit Player application in service mode. See Section 7.1, Installing the Audit Player application for details on setting up the service.

If the audit trails are encrypted, ensure that the required decryption keys are available on the AP hosts.

Procedure 6.2. Configuring custom reports

Figure 6.6. Configuring custom reports

Login to the SCB web interface, and navigate to Reports > Custom configuration.
Click and enter a name for the custom report.

Enter the search keywords (or parts of the words) into the Search word(s) field. Note that the search is not case sensitive. Wildcards and regular expressions are not supported. To search for an exact phrase or expression, enclose the keywords in double quotes, e.g., "program files".

	Note
	When using custom reports, AP will extract only the specified search keywords, other texts found in the audit trails will not be indexed. To extract every text from the audit trails, use full-text indexing (see Section 6.7, Full-text indexing of audit trails). Note that custom reports require much less resources (hard disk, CPU) than full-text indexing.

Configure filters to select the audit trails to index. The following filters are available:

in an used in certain RDP6 connections.

Protocol: Process only audit trails of the specified traffic type (e.g., SSH).
Connection: Process only audit trails of the specified connection policy.
Channel policy: Process only audit trails of the specified channel policy.
Username: Process only audit trails where the specified username was used in the connection. Available only for protocols where the username is known (e.g., SSH).
Source: Process only audit trails where the specified client IP address or port was used.
Server: Process only audit trails where the specified server IP address or port was used.

	Note
	If you do not configure any filters, every available audit trail will be processed. Audit trails are created only for channels where the Audit option is enabled for the particular channel in the channel policy.

Select how often shall SCB create tin an used in certain RDP6 connections.he report from the Frequency field. Weekly reports are created on Mondays, while monthly reports on the first day of the month.

By default, members of the search group can access the custom reports via the SCB web interface. To change this, enter the name of a different group into the Reports are accessible by the following groups field, or click to grant access to other groups.

	Note
	Members of the listed groups will be able to access only these custom reports even if their groups does not have read access to the Reporting > Reports page. However, only those reports will be listed, to which their group has access to.

By default, SCB sends out the reports in e-mail to the address set in the Basic Settings > Management > Mail settings > Send reports to field.

Note

If this address is not set, the report is sent to the SCB administrator's e-mail address.
- To disable e-mail sending, unselect the Send reports in e-mail option.
- To receive e-mails only when at least one audit trail matching the search criteria was found, unselect the Send even empty reports option.
- To e-mail the reports to a different address, select Recipient > Custom address, and enter the e-mail address where the reports should be sent.
Click Commit.

	Note
	Only audit trails created after the custom report has been configured will be processed. It is not possible to create reports from already existing audit trails.

6.6. Monitoring the status of AP indexing services

SCB can cooperate with multiple Audit Player (AP) hosts that process the audit trails. This is needed especially on high-traffic systems, where many audit trails are generated, and also if the audit trails need lot of processing, e.g., there are many custom reports configured, or full-text indexing is requested for many connections.

Figure 6.7. Indexing and audit trail processing

The status of the audit-trail processing is displayed on the Reporting > Indexer status page. The Registered Audit Players section lists the hosts that run the AP application in service mode and are currently connected to SCB. The Remaining tasks section lists the audit trails waiting to be processed.

Figure 6.8. Monitoring the status of the Audit Player clients

6.7. Full-text indexing of audit trails

SCB can send the audit trails to the Audit Player application (AP) for processing. AP extracts the text from the audit trails and segments it to tokens. A token is a segment of the text that does not contain whitespace: e.g., words, dates (2009-03-14), MAC or IP addresses, etc. AP then returns the extracted tokens to SCB, where SCB creates a comprehensive index from the tokens of the processed audit trails. That way the contents of the processed audit trails (e.g., commands typed or texts seen by the user) can be searched from the web interface. To configure full-text indexing, complete the following steps.

	Warning
	Custom reports require a separate server running the Audit Player application in service mode. See Section 7.1, Installing the Audit Player application for details on setting up the service.

	Warning
	Full-text indexing is a resource intensive (CPU and hard disk) operation both for SCB and the AP hosts, and depending on the number of processed audit trails and parallel connections passing SCB, may affect the performance of SCB. Test it thoroughly before enabling it in a production environment that is under heavy load.

	Note
	Only audit trails created after the full-text indexing has been configured for the connection policy will be processed. It is not possible to process already existing audit trails.

Procedure 6.3. Configuring full-text indexing

Navigate to the Control page of the traffic type (e.g., SSH Control), and select the connection policy to index.
Select Enable indexing and click Commit.
Check which channel policy is used in the connection, and navigate to the Connection policies page.
Select the channel policy used in the connection to index, and verify that the Audit option is selected for the channels you want to index (e.g., the Session shell channel in SSH, or the Drawing channel in RDP).

Click Commit.

Tip

After that, start a session that uses this connection policy: connect from a client to a server.

When the session is finished, navigate to the Reporting > Indexer status page to verify that an AP host is processing the audit trail.

If the audit trails are encrypted, ensure that the required decryption keys are available on the AP hosts.

Chapter 7. Viewing session information and replaying audit trails

SCB records information about the passing sessions into its connection database. Session information can be displayed online from the SCB web interface (see Chapter 6, Browsing log messages and SCB reports and Section 6.4, The SCB connection database for details). The Audit Player (AP) is a desktop application that can replay recorded audit trails, much like a media player replays movie files.

AP is available for the following platforms:

Microsoft Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008

The AP application can currently replay the following session types:

SSH terminal sessions
Remote X11 sessions forwarded within the SSH traffic. Note that not the entire desktop is displayed, only the windows of the remotely-accessed application.
The Drawing channel (i.e., the desktop) of RDP4, RDP5, and RDP6 sessions
Telnet and TN3270 terminal sessions
VNC sessions

To install the Audit Player application, see Section 7.1, Installing the Audit Player application.
To replay audit trails, see Section 7.2, Replaying audit trails.
To search audit trails, see Section 7.3, Using AP.
To use AP to automatically download and process audit trails from SCB, see Section 7.1, Installing the Audit Player application and Section 6.7, Full-text indexing of audit trails.

7.1. Installing the Audit Player application

To install the Audit Player application, complete the following steps.

	Warning
	Installing Audit Player requires administrator privileges. The installed Audit Player can be run by restricted users as well if the required privileges are set.

Procedure 7.1. Installing AP

Download the Audit Player application from the BalaBit web site at http://www.balabit.com/network-security/scb/upgrades/.
Start the downloaded file.
Read the end-user agreement of AP and click I Agree.
Some fonts installed by AP have a separate copyright license. Click I Agree to accept it.
Select the folder where AP will be installed and click Install.

If you will run AP in service mode to automatically download and process the audit trails from SCB, complete the following steps. Otherwise, click Save settings

Select Enable Audit Indexing Service.

Figure 7.1. Configuring service mode in AP

Enter the IP address or the hostname of your SCB host into the Server address field.

	Warning
	This address must be the same that appears in the Common Name of SCB's certificate. If it is a hostname, it must be resolvable from the host running AP, either via DNS, or locally from a file.

Enter the Username and Password of the SCB user account AP will use to access SCB. This user must be a member of the indexing group. If LDAP or RADIUS authentication is used on SCB, the user must also exist in the LDAP/RADIUS database.
To be able to communicate with SCB, install the Server certificate of SCB (the one set in Basic Settings > Management > SSL certificate > Server Certificate of the SCB web interface) or the certificate of the certificate authority that signed the certificate of SCB.

Note

The certificate must be in DER format.
Click Save settings.

When the installation is finished, click Close.

	Note
	To modify the configuration of the Audit Indexer Service, select Start menu > All Programs > Audit Player > Configure Audit Indexer Service.

On the SCB web interface, navigate to Reporting > Indexer status. The new Audit Player should appear in the list of Registered Audit Player.

Optional step: If you want to run the Audit Player application without administrator privileges, complete the following steps:
1. Allow the nonrestricted user to write and modify the C:\Program Files\Audit Player\var folder.
2. Allow the nonrestricted user to write and modify the C:\Program Files\Audit Player\bin\Textract.Log file. Create the file if it does not exist yet.
3. Allow the nonrestricted user to write and modify the C:\Program Files\Audit Player\bin\Textract.ini file.

7.2. Replaying audit trails

To replay an audit trail, the audit trail must be available on the computer running AP.

To download an audit trail from SCB, see Procedure 7.2, Downloading audit trails from SCB.
To replay an audit trail with AP, see Procedure 7.3, Replaying a session with the Audit Player.

Procedure 7.2. Downloading audit trails from SCB

Login to the SCB web interface.
Navigate to the Search > Search page.
Use the Calendar bar or the Jump to option and the filters to locate the session you want to replay.

Click the icon in the Audit trail column of the session to download the audit trail to your computer.

If the Audit trail column is not visible, click Show columns and select its checkbox.

If the Audit trail column is visible but empty (i.e., it does not contain the icon) then no audit trail was recorded from the session, because the channel policy did not have auditing enabled. See Section 5.1.3, Channel Policies for details.

	Note
	Downloading audit trails requires the Search > Search in all connections privilege, or that the group of the user be listed in the Access Control section of the connection policy with Audit permission.

	Tip
	To download every audit trail listed in the search results, select the Export Format > Audit Player, and click Export.

To replay a session, complete the following steps:

Procedure 7.3. Replaying a session with the Audit Player

Figure 7.2. Replaying an audit trail

Select File > Add Audit Trail and select an audit trail file. AP opens the file and displays the sessions stored in the file in the Project Trails panel.

Note

To open multiple audit trails, use the Shift and the Control keys.

If the audit trail is encrypted, select the file containing the private key of the certificate used to encrypt the audit trail.

The extension of the audit trail files is .log or .zat. Its name consists of audit-scb-protocolname-timestamp-sequencenumber.

Double-click on the stream you want to replay. The session will be displayed in a new window.

Wait until AP processes the stream. The progress of the processing is indicated on the bottom-right progress bar. Click Play.

To adjust the replaying speed, adjust the Replay Speed option.

Figure 7.3. Displaying user input

To display the characters (e.g., commands, passwords, etc.) that the user typed in the session, select Show user input. The user input will be displayed above the time bar. Note that the appropriate decryption keys are needed to display the user input if the upstream traffic is encrypted with a different set of certificates.

	Tip
	The following hotkeys are available during playback: Page Up / Page Down: Jump forward/backward one fifth of the stream. Home / End: Jump to the beginning/end of the stream. Shift + Left / Shift + Right: Jump forward/backward one tenth of the stream.

	Tip
	To export a session into packet capture (PCAP) format, select the session, then select Export to PCAP from the local menu.

7.3. Using AP

The main window allows you to sort and organize the audit trails and sessions.

Figure 7.4. The main window of Audit Player

The audit trails loaded into AP are all visible in the Project Trails tab. Audit trails are organized into a tree. The tree has the following levels:

Protocol: The type of the audited protocol: SSH, RDP, or Telnet.
Connection: Name of the connection policy that generated the audit trail.
Session: Details of the connection stored in the audit trail, including the date, duration, source, and target of the connection. (Every audit trail contains only a single session.)

Tip

To sort the list of streams, click the header of the columns.
Stream: The traffic that can be replayed. A session may contain several streams (e.g., an SSH connection may include a terminal-session stream and an X-forward stream). Where applicable, the resolution of the terminal (in characters) or the desktop (in pixels) is displayed.

Tip

Select View > Show Details to display additional information about the selected stream in a separate Stream Details window. These details include the parameters available in the SCB Search page (see Section 6.4, The SCB connection database) and other parameters like the size of the desktop or the terminal.

Figure 7.5. The AP Stream Details window

7.3.1. Finding specific audit trails

Organizing the audit trails is simple. Every loaded audit trail is displayed in the Project Trails tab. To open a new tab, select File > New Trailset and enter a name for the trailset. After that, you can drag-and-drop the interesting streams to this tab, or right-click a stream and select Copy to another set or Move to another set.

To remove a stream from a trailset, click on the stream and select Delete from the local menu. Deleting a stream from the Project Trails tab deletes the stream from every trailset.

To filter the audit trails available in a trailset, select Edit > Find, and enter your search keywords into the Text field. To search for special keys or events (e.g., hitting the Escape key, etc.), use the Key sequence field.

	Warning
	When searching audit trails of SSH and Telnet terminal sessions, the character encoding set in Edit > Preferences > Terminal encoding can affect the search results: if the session uses a different encoding, special characters might not be recognized and thus will be omitted from the search results.

Figure 7.6. Searching audit trails with AP

To search in the metadata of the trails, select More Options > Trail properties. The following metadata is available for filtering:

Time: Use the From and To fields to filter on the duration of the streams matching the other search criteria.
Protocol: The protocol used in the stream: SSH, RDP, or Telnet.
Username: The username used in the session (if available).
Client IP: The IP address of the client computer.
Client Port: The port of the client computer used to establish the connection. 0 matches for every port.
Server IP: The IP address of the server connected by SCB.
Server Port: The port of the server connected by SCB. 0 matches for every port.
Channel Policy: The channel policy applied to the session.
Connection: The session_id identifying the particular session.
Channel Type: The type of channel used in the stream (e.g., terminal session, drawing, etc.). See the list of supported channel types in the following sections: Section 5.2, SSH-specific settings, Section 5.3, RDP-specific settings, and Section 5.4, Telnet-specific settings.

7.3.2. Using projects

To save a set of audit files, including all trailsets and search results, select File > Save Project, enter a name for the project, and enter a password. The password is used to encrypt the workspace file as it may contain sensitive data.

	Warning
	AP does not encrypt the audit trail files, only the workspace file. If the audit trails were not encrypted by SCB, sensitive information may be recovered from them.

7.3.3. Replaying and processing encrypted audit trails

To replay encrypted audit trails, the private key of the certificate used to encrypt the audit trails must be available on the machine running AP. This key must be either imported into the Personal Certificate Store / My Store on Windows, or it must be available on a USB token.

To import a private key, select Edit > Import key, select the file containing the key, and click OK. Then enter the password for the key if needed.

	Note
	The private key must be in PKCS12 format.

To process encrypted audit trails with the Audit Player application running in service mode, the appropriate private key must be available in the Private certificate store of the Audit Indexer service. To add a certificate to this store, complete the following steps.

Procedure 7.4. Importing certificates with MMC

Start Microsoft Management Console by executing mmc.exe (Start menu Run application).

Note

Running mmc.exe requires administrator privileges.
Click on the Add/Remove snap-in item of the File menu.
Click Add, select the Certificates module, and click Add.
Select System account in the displayed window and click Next.
Select Audit Indexer and click Next.
Select Local computer and click Close.
To import a private key, navigate to Console Root > Certificates > Audit Indexer > Personal.
Right-click on the Certificates folder and from the appearing menu select All tasks > Import. The Certificate Import Wizard will be displayed. Click Next.

Optional step: Certificates used to decrypt the audit trails include a private key. Provide the password for the private key when requested.
Click Finish on the summary window and Yes on the window that marks the successful importing of the certificate.

7.3.4. Searching in graphical streams

The Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and X11 protocols transfer most texts displayed by the remote applications as graphical data. To make these texts searchable, AP automatically processes the opened audit trails and performs optical character recognition (OCR) on the streams.

During installation, AP creates a database from the fonts installed on the system, and uses these fonts for the OCR process. This means that the fonts used by the servers and applications accessed using RDP must be installed on the host running AP. Otherwise AP might not correctly recognize every font type, and miss parts of the text.

To add a new font to the AP database, install the font on the host running AP, then select the Edit > Rebuild OCR database option in AP.

Note

The OCR feature of the Audit Player application currently supports only RDP sessions. Certain accented and other special (non-ASCII) characters might not be recognized correctly.

OCR-ing VNC sessions is partially supported, provided that the VNC server is running on Windows.

7.4. Troubleshooting the Audit Player

This section provides help on solving common problems of the Audit Player application (AP).

7.4.1. Logging with the Audit Player

By default, the Audit Player application sends error messages to the Application eventlog container. To create more detailed logs that are sometimes needed to troubleshoot a problem, command-line parameters must be specified.

To create debug logs of AP running in user mode, complete the following steps.

Procedure 7.5. AP logging in user mode

Select Start > Run > cmd to open a command prompt.
Navigate to the folder where the Audit Player application is installed, e.g., cd "C:\Program Files\Audit Player\bin\".
Enter the following command: audit-player.exe --verbose 3 --log-file "audit-player.log". The Audit Player application will start and create the specified log file.
Reproduce the error in AP and check the created log file.
If needed, repeat Step 3 with a higher log level (e.g., with the --verbose 7 parameter).

To create debug logs of AP running as an indexer service, complete the following steps.

Procedure 7.6. AP logging as an indexer service

Start the service management interface of Windows, e.g., select Start > Run > mmc, then select File > Add/Remove Snap-in > Add > Services.
Double-click on the Audit Indexer Service and select Stop.
Enter the following parameters into the Start parameters field: -d 3 -f "C:\Program Files\Audit Player\audit-player.log".
Select Start. The Audit Indexer Service will start and create the specified log file. Note that the ID of the Indexer Service may be added to the name of the log file as a suffix (audit-player.log.001).
Reproduce the error and check the created log file.
If needed, repeat Steps 2-4 with a higher log level (e.g., with the -d 7 parameter).
If you have finished the troubleshooting, restart the Audit Indexer Service without any parameters to lower the logging level to its default.

7.4.2. Keys and certificates

The Audit Player application requires encryption keys and certificates to use its various features. The following summarizes where the keys and certificates should be stored on Windows for AP to function properly.

When run by a user as a regular application, AP may need the following:

To connect to SCB and download audit trails, the CA certificate of SCB must be available under Local Computer > Trusted Root Certification Authorities. This CA certificate is also used to validate timestamped audit trails.
To replay encrypted audit trails, the private key of the encrypting certificates must be available under Current User > Personal Certificate Store.
To validate digitally-signed audit trails, the certificates used to sign the audit trail or the respective CA certificates must be available under Local Computer > Trusted Root Certification Authorities.

When running as an indexer service, AP may need the following:

To connect to SCB and download audit trails, the CA certificate of SCB must be available under Local Computer > Trusted Root Certification Authorities. This CA certificate is also used to validate timestamped audit trails.
To replay encrypted audit trails, the private key of the encrypting certificates must be available under Service (Audit Indexer Service) > APService > Personal Certificate Store.
To validate digitally-signed audit trails, the certificates used to sign the audit trail or the respective CA certificates must be available under Local Computer > Trusted Root Certification Authorities.

Chapter 8. Advanced authentication and authorization techniques

This chapter describes the advanced authentication and authorization techniques available in SCB.

For details on creating usermapping policies, see Section 8.1, Usermapping policies.
For details on configuring gateway authentication, see Section 8.2, Configuring gateway authentication.
For details on configuring 4-eyes authorization and real-time monitoring, see Section 8.3, Configuring 4-eyes authorization.

8.1. Usermapping policies

For SSH and RDP connections, usermapping policies can be defined. A usermapping policy describes who can use a specific username to access the remote server: only members of the specified local or LDAP usergroups (e.g., administrators) can use the specified username (e.g., root) on the server. To configure usermapping, complete the following steps.

Warning

In SSH connections, the users must use the following as their username: gu=username@remoteusername, where username is the username used in the LDAP directory, SCB will use this username to determine their group memberships, and remoteusername is the username they will use on the remote server. For example, if to access the example.com server as root, use:

gu=yourldapusername@root@example.com

Procedure 8.1. Configuring usermapping poicies

Figure 8.1. Configuring gateway authentication

Navigate to Policies > Usermapping Policies.
Click to create a new policy, and enter a name for the policy.
Click and enter the username that can be used to access the remote server (e.g., root) into the Username field.
Select Groups > , and enter the name of the local or LDAP usergroup (e.g., admins) whose members are permitted to use the remote username set in the Username field. Repeat this step to add further groups if needed.
Repeat steps 3-4 to add further usernames if needed.
Click Commit.
Navigate to the Connections page of the traffic (e.g., to SSH Control > Connections), and select the connection policy to modify.
Select the usermapping policy created in Step 2 from the Usermapping policy field.
Click Commit.

8.2. Configuring gateway authentication

When gateway authentication is required for a connection, the user must authenticate on SCB as well. This additional authentication can be performed out-of-band on the SCB web interface, or — for SSH connections — inband. For details about the concepts of gateway authentication, see Section 2.7, Gateway authentication.

To configure gateway authentication, complete the following steps.

Procedure 8.2. Configuring gateway authentication

Navigate to the Connections page of the traffic (e.g., to SSH Control > Connections), and select the connection policy to modify.
Figure 8.2. Configuring gateway authentication

Select the Gateway authentication option.
To accept the gateway authentication only from the host that initiated the connection, select Require same IP.
By default, any user can perform gateway authentication for the connections. To allow only members of a specific group authenticate the connections of this connection policy, select Groups > , and enter the name of the group whose members can authenticate the connections. Repeat this step to add further groups if needed.
For SSH and RDP connections, you may want to set a usermapping policy in the Usermapping policy field. For details on usermapping policies, see Section 8.1, Usermapping policies.
Click Commit. After that, users accessing these connections must perform gateway authentication as described in Procedure 8.3, Performing gateway authentication on SCB.

Note

Gateway authentication can be used together with other advanced authentication and authorization techniques like 4-eyes authorization, client- and server-side authentication, etc.

For SSH connections, the gateway authentication can be performed inband, within the SSH protocol, without having to access the SCB web interface.

Procedure 8.3. Performing gateway authentication on SCB

Initiate a connection from a client. If gateway authentication is required for the connection, SCB will pause the connection.

Warning

In SSH connections, use the following as your username: gu=SCBusername@remoteusername, where SCBusername is the username you will use to login to the SCB web interface (also called gateway user), and remoteusername is the username you will use on the remote server. For example, if you are accessing the example.com server as root, and your username on SCB (or in your LDAP directory) is Joe, then you can start an SSH session like:

gu=Joe@root@example.com

Open a browser, preferably on the same host you initiated the connection from, and navigate to the login page of SCB.
Figure 8.3. Performing gateway authentication

Login to SCB, and select Gateway Authentication from the main menu. The list of connections waiting for gateway authentication will be displayed.

Note

No other SCB privilege is required to access this page.
Select the connection that you started, and click Accept.
Logout from the SCB web interface.
Continue to authenticate on the server.

8.3. Configuring 4-eyes authorization

When 4-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This authorization is in addition to any authentication or group membership requirements needed for the user to access the remote server. For details about the concepts of 4-eyes authorization, see Section 2.8, 4-eyes authorization.

To 4-eyes authorization, complete the following steps.

Procedure 8.4. Configuring 4-eyes authorization

Navigate to the Connections page of the traffic (e.g., to SSH Control > Connections), and select the connection policy to modify.
Figure 8.4. Configuring 4-eyes authorization

Navigate to Access Control and click .
Enter the local or LDAP usergroup whose members are permitted to authorize the sessions of the connection policy into the Authorizer field.

By default, the authorizer can authorize any session of the connection policy. If the authorizer is permitted to authorize only the sessions of a certain usergroup, select Subject > Only, and enter the name of the group whose sessions the authorizer can authorize.

	Warning
	If gateway authentication and 4-eyes authorization is used together in a connection policy, the usergroup of the gateway username must be specified, not the group of the remote username.

Set the permissions of the usergroup set in the Authorizer field.

If the Authorizer group can authorize (i.e., enable) and audit (i,.e monitor in real-time and download the audit trails) the sessions, select Permission > Audit&Authorize.
If the Authorizer group can only authorize (i.e., enable) the sessions, select Permission > Authorize.
If the Authorizer group can only audit (i,.e monitor in real-time and download the audit trails) the sessions, select Permission > Audit.

Note

If the Subject > Only field is set, the auditor can only monitor the sessions of the specified usergroup.

The admin user of SCB can audit and authorize every connection.

Repeat steps 2-5 to add other authorizers or usergroups if needed.
Click Commit. After that, users accessing these connections must be authorized as described in Procedure 8.5, Performing 4-eyes authorization on SCB.

Procedure 8.5. Performing 4-eyes authorization on SCB

When a user initiates a connection from a client and 4-eyes authorization is required for the connection, SCB will pause the connection.

	Note
	4-eyes authorization can be set separately for every channel. However, if a new channel that requires 4-eyes authorization is opened in an existing connection, the channels already opened are also paused until the 4-eyes authorization is successfully completed.

Figure 8.5. Performing 4-eyes authorization

Login to SCB, and select Four Eyes from the main menu. The list of connections waiting for authorization will be displayed.

	Note
	Only those connections will be listed, where your usergroup has the `Authorize` or the `Audit&Authorize` permissions. No other SCB privilege is required to access this page.

Select the connection and click Accept to enable the connection, Reject to deny the connection, or Accept&Follow to enable it and monitor in real-time.

	Note
	Following a session is requires the following: The Audit option must enabled for the specific channel in the Channel policy of the connection. The Audit Player application must be installed on the computer of the auditor. If the Audit policy of the connection uses encryption, the appropriate decryption keys must be available on the computer of the auditor.

Enter a note why the connection was accepted/rejected into the appearing dialog box. This description will be stored in the connection database together with other metadata about the connection.
Figure 8.6. Displaying active connections

If you have to terminate an ongoing connection for some reason, select Active Connections from the main menu. The list of ongoing connections will be displayed.
Select the connection to stop, and click Terminate.

Note

When following a connection in the Audit Player application, the auditor can also terminate the connection from by clicking Terminate.

Figure 8.7. Terminating a connection in AP

Chapter 9. Best practices and configuration examples

This chapter gives step-by-step procedures to configure special aspects of SCB.

9.1. Configuring public-key authentication on SCB

If a protected server requires public-key authentication from the users, complete one of the following procedures.

Procedure 9.1, Configuring public-key authentication using local keys stores the public keys of the users and the private-public keypair used in the server-side connection locally on SCB.
Procedure 9.2, Configuring public-key authentication using an LDAP server and a fixed key receives the public keys of the users from an LDAP server and uses a locally-stored private-public keypair in the server-side connection.
Procedure 9.3, Configuring public-key authentication using an LDAP server and generated keys receives the public keys of the users from an LDAP server generates a keypair that is used in the server-side connection on-the-fly, and uploads the public key of this pair to the LDAP database. That way the server can authenticate SCB to the (newly generated) public key of the user.

Procedure 9.1. Configuring public-key authentication using local keys

Navigate to SSH Control > Authentication Policies and create a new Authentication Policy.
Select Client authentication backend > Local > Publickey, deselect all other options.
Select Server authentication methods > Publickey > Map, deselect all other options.
Enter the client's username used on the server into the Username field.
Click the icon in the Client Side field. A popup window is displayed.
Click Browse, select the public key of the user, then click Upload. Alternatively, you can paste the key into the Copy-paste field and click Upload.
Click the icon in the Server Side field. A popup window is displayed.
Click Browse and select the private key of the user, or paste the key into the Copy-paste field. Enter the password for the private key into the Password field and click Upload.

If the private key of the user is not available, click Generate to create a new private key. You can set the size of the key in the Generate key field.In this case, do not forget to export the public key from SCB and import it to the server. To export the key from SCB, just click on the key and save it to your local computer.
Repeat Steps 3-8 to add other users.
Click Commit.
Navigate to SSH Control > Connections and create a new Connection.
Enter the IP addresses of the clients and the servers into the From and To fields.
Select the authentication policy created in Step 1 in the Authentication Policy field.
Configure the other options of the connection as necessary.
Click Commit.
To test the above settings, initiate a connection from the client machine to the server.

Procedure 9.2. Configuring public-key authentication using an LDAP server and a fixed key

Navigate to SSH Control > Authentication Policies and create a new Authentication Policy.
Select Client authentication backend > Local > Publickey, deselect all other options.
Select Server authentication methods > Publickey > Fix, deselect all other options.
Select Private key > . A popup window is displayed.
Click Browse and select the private key of the user, or paste the key into the Copy-paste field. Enter the password for the private key into the Password field and click Upload.

If the private key of the user is not available, click Generate to create a new private key. You can set the size of the key in the Generate key field.In this case, do not forget to export the public key from SCB and import it to the server. To export the key from SCB, just click on the key and save it to your local computer.
Click on the fingerprint of the key in the Server side (private-public keypair) field and save the public key. Do not forget to import this public key of to the server: all connections that use this new authentication policy will use this keypair on the server side.
Click Commit.
Navigate to Policies > LDAP Servers and click to create a new LDAP policy.
Enter the parameters of the LDAP server. See Section 5.1.6, Authenticating users to an LDAP server for details.
If different from sshPublicKey, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field.

Warning

The public keys stored in the LDAP database must be in OpenSSH format.
Navigate to SSH Control > Connections and create a new Connection.
Enter the IP addresses of the clients and the servers into the From and To fields.
Select the authentication policy created in Step 1 from the Authentication Policy combobox.
Select the LDAP policy created in Step 7 from the LDAP Server combobox.
If the server accepts a user only from a specific IP address, select the Use original IP address of the client radiobutton from the SNAT field.
Configure the other options of the connection as necessary.
Click Commit.
To test the above settings, initiate a connection from the client machine to the server.

Procedure 9.3. Configuring public-key authentication using an LDAP server and generated keys

Navigate to SSH Control > Authentication Policies and create a new Authentication Policy.
Select Client authentication backend > Local > Publickey, deselect all other options.
Select Server authentication methods > Publickey > Publish to LDAP, deselect all other options.
Click Commit.
Navigate to Policies > LDAP Servers and click to create a new LDAP policy.
Enter the parameters of the LDAP server. See Section 5.1.6, Authenticating users to an LDAP server for details.
If different from sshPublicKey, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field.

Warning

The public keys stored in the LDAP database must be in OpenSSH format.
Enter the name of the LDAP attribute where SCB shall upload the generated keys into the Generated publickey attribute name field.
Click Commit.
Navigate to SSH Control > Connections and create a new Connection.
Enter the IP addresses of the clients and the servers into the From and To fields.
Select the authentication policy created in Step 1 from the Authentication Policy combobox.
Select the LDAP policy created in Step 7 from the LDAP Server combobox.
If the server accepts a user only from a specific IP address, select the Use original IP address of the client radiobutton from the SNAT field.
Configure the other options of the connection as necessary.
Click Commit.
To test the above settings, initiate a connection from the client machine to the server.

9.2. Bastion mode considerations

When SCB is deployed in Bastion mode, there are some things to consider for proper operation and continuous availability of the protected servers.

When using SCB in Bastion mode, all traffic to the protected servers that should be audited should pass SCB. For example, if you want to audit all SSH access to the servers, the clients should not be able to bypass SCB and access the servers directly using SSH. This is normally achieved by configuring the firewall of the network to permit traffic to be audited only via SCB. However, if a single SCB unit is used in such a scenario, it becomes a single point of failure, making it impossible to access the servers in case of a hardware error, for example. You have the following options to overcome this problem.

Deploy two SCB units in high-availability mode.
In case you must use a single SCB unit in Bastion mode, develop a recovery mechanism to make the servers accessible if needed. In SCB fails, the firewall should have a fast and easy way to allow direct connections to the protected servers.
If SCB authenticates on the servers using a key or certificate that is not available for the users, the users cannot login directly. For such cases you can create an emergency user on the servers who can login using password. This user will be able to access the server only in case SCB is unavailable if you disable the password authentication method for the connection policies in SCB.
Consider your own environment for similar cases and develop recovery mechanisms as needed.

9.3. Organizing connections in Bastion mode

When using SCB in Bastion mode, the administrators must address the external interface of SCB to access the protected servers. If an administrator has access to more than one protected server, SCB must be able to determine which server the administrator wants to access. For each protected server, the administrators must address either different ports of the external interface, or different alias IP addresses of the external interface.

To organize connections based on port numbers, complete the following steps:

Procedure 9.4. Organizing connections based on port numbers

Organizing connections based on port numbers is advantageous if the external interface of SCB has a public IP address and the protected servers must be administered from the Internet.

Navigate to the Connections tab of the Secure Shell Control menu.
Add a new connection. Enter the IP address of the administrators into the From fields, and the IP address and port number of the server into the Target field.
Enter the IP address of the external interface of SCB into the To field, and enter a port number into the Port field.

Repeat Steps 2-3 for every protected server, but every time use a different port number in Step 2.

	Warning
	Do not use ports `22` and `443` if the management interface of SCB is not configured. Using these ports may make the web interface and the SSH server of SCB unaccessible.

Click Commit. The administrators can access the protected servers by connecting to the IP address of SCB's external interface, and use the port number to select which server they want to access.

Procedure 9.5. Organizing connections based on alias IP addresses

Organizing connections based on alias IP addresses is advantageous if the external interface of SCB is connected to a private network and many private IP addresses are available.

Navigate to the Network tab of the Basic Settings menu.
Click in the External interface section to add a a new alias IP address to the external interface. Repeat this step for every protected server. Use a different IP address each time.
Navigate to the Connections tab of the Secure Shell Control menu.
Add a new connection. Enter the IP address of the administrators into the From fields, and the IP address and port number of the server into the Target field.

Enter an alias IP address of the external interface of SCB into the To field.

	Warning
	Do not use the primary IP address of the external interface if the management interface of SCB is not configured. Using this IP address may make the SSH server of SCB unaccessible.

Repeat Steps 4-5 for every protected server, but every time use a different alias IP address in Step 4.
Click Commit. The administrators can access the protected servers by connecting to an alias IP address of SCB's external interface. The alias IP address determines which server they will access.

9.3.1. Accessing the SCB host in Bastion mode using SSH

If the management interface is not configured, the SCB host can be accessed using SSH only on port 22 of the external interface. But if the primary IP address of the external interface and port 22 is used in a connection policy, the SSH connection targeting SCB is redirected to a protected server, and SCB cannot be accessed using SSH.

Do not use port 22 of the external interface in connection policies: use other port numbers or alias IP addresses instead. See Procedure 9.4, Organizing connections based on port numbers and Procedure 9.5, Organizing connections based on alias IP addresses for details. Use this method if possible.

See Section 4.5.4.2, Accessing the SCB host using SSH for details on enabling the SSH server of SCB.

9.4. Using nontransparent Bastion mode

Nontransparent mode allows you to create a single connection policy and allow users to access any server by including the name of the target server in their username (e.g., ssh username@targetserver@scb_address). To configure nontransparent mode, complete the following steps.

	Note
	Nontransparent mode is most commonly used in Bastion mode, but it works with other modes of operation as well.

Procedure 9.6. Using nontransparent Bastion mode

Select the type of connection from the main menu.

To configure a Secure Shell connection, select Secure Shell Control.

To configure a Remote Desktop connection, select RDP Control.

Note

Nontransparent mode in the Telnet protocol is currently not supported.
Click and enter a name that will identify the connection (e.g., admin_mainserver).
Enter the IP address of the client that will be permitted to access the server into the From field. Click to list additional clients.

Enter the IP address of SCB's external interface into the To field.

	Warning
	When using SSH connections in nontransparent mode, the clients should not address port 22 of SCB's external interface, as it may make SCB unaccessible for remote maintenance. See Section 9.3.1, Accessing the SCB host in Bastion mode using SSH for details.

Click to display the details of the connection and select Inband destination selection.
Enter the IP address or the hostname of the domain name server used to resolve the address of the server extracted from the username into the DNS Server field.

	Note
	If the DNS Suffix field is filled, SCB will always add this suffix to the hostname. If you specify a DNS suffix, make sure that the clients do not include the domain name in their requests.

Tip

Windows RDP clients often send only the first 9 characters of the username to the server, making nontransparent operation difficult. The DNS Suffix parameter can be used to complete the missing part. Also, it is not necessary to include the username when starting an RDP connection (e.g., use only @server); the user can type the username later in the graphical login screen. See Section 9.5, RDP connections in Nontransparent mode for other tips.

Click and enter the addresses of the servers that the users are permitted to access into the Targets field. Use the IP address/netmask (e.g., 192.168.2.16/32) format, or enter the hostname of the server, as addressed by the client. The hostnames may contain the * and ? wildcard characters. Do not include the DNS Suffix in the hostname if you have set it in the previous step.

If the clients address the server using its IP address, make sure to include the IP address of the server in the Targets list. This is required because SCB resolves the hostnames to IP addresses, but does not reverse-resolve IP addresses to hostnames. So if only the hostname of the server is listed and the client addresses the server using its IP address, SCB will refuse the connection.
Leave the Port field empty if the clients may access any port on the server, or enter the specified port they can access.
Configure other parameters of the connection as needed.
Click Commit.

9.5. RDP connections in Nontransparent mode

Windows RDP clients often send only the first 9 characters of the username to the server, making nontransparent operation difficult. A workaround using the DNS suffix option of SCB is described in Section 9.4, Using nontransparent Bastion mode, but this requires using short name (short CNAME records). However, you should also consider the following:

For large organizations having lots of servers, it can be difficult to have short names for every server.
This method heavily relies on the DNS, and only one DNS server per can be set per connection policy. Therefore, the DNS server must be deployed in high-availability mode, otherwise the target servers become unaccessible if the DNS fails for some reason. (The IP address of the server cannot be used, because it is always than 8 characters.)
SCB can append only one domain per connection policy, so all servers must belong to the same domain.
This method does not work with CredSSP, because the client must specify the real username before the connection is established.

Beside this limitations, this is the recommended way to handle inband destination selection for RDP connections.

9.6. How to restore a backup

The following procedure describes how to restore the configuration and data of SCB from a complete backup, for example, after a hardware replacement.

Procedure 9.7. Restoring SCB configuration and data

Connect to your backup server and locate the directory where SCB saves the backups. The configuration backups are stored in the config subdirectory in timestamped files. Find the latest configuration file (the configuration files are called SCB-timestamp.config).
Connect to SCB.

If you have not yet completed the Welcome Wizard, click Browse, select the configuration file, and click Import.

If you have already completed the Welcome Wizard, navigate to Basic Settings > System > Import configuration > Browse, select the configuration file, and click Import.
Navigate to Policies > Backup & Archive/Cleanup. Verify that the settings of the target servers and the backup protocols are correct.
Navigate to Basic Settings > Management > System backup, click Restore now and wait for the process to finish. Depending on the amount of data stored in the backup and the speed of the connection to the backup server, this may take a long time.
Navigate to SSH Control > Connections, and click Restore ALL. Repeat this step for other traffic types. Depending on the amount of data stored in the backup and the speed of the connection to the backup server, this may take a long time.

9.7. Solving the "double-assign" problem in RDP

In certain environments when using an RDP connection together with the gateway authentication feature of SCB, after initiating a connection the user has to click the Gateway Authentication > Assign button twice or more on the SCB web interface to allow the client to connect.

9.7.1. Background

When connecting to the remote Terminal Server, the RDP client application (e.g., mstsc.exe) attempts to use several different protocol-extensions. If the particular extension is not supported, the TCP connection is dropped, and the client attempts to connect without using extension. For example, the following extensions may be used: SSL, CredSSP. The CredSSP extension is not enabled on the Windows clients by default, so the client usually connects to the server using the SSL extension. If SSL connections are not enabled on SCB for RDP connections, the client will disconnect and connect again without the SSL extension, so the user has to click Assign once more.

To avoid this, the following requirements must be met:

SSL-support for RDP connections must be enabled on SCB;
A certificate and its private key must be available on the Terminal Server.

9.7.2. Solution

To overcome this issue, complete the following steps:

Procedure 9.8. Solving the "double-assign" problem in RDP

Create a Signing CA in SCB. See Section 5.1.9, Signing certificates on-the-fly for details.

Figure 9.1. Creating a Signing CA
Navigate to RDP Control > Connections and select the RDP connection used to access the Terminal Servel in question.
Select the CA created in Step 1 from the Signing CAs field.

Figure 9.2. Selecting a Signing CA

Obtain a certificate for your terminal server. To obtain a certificate, use one of the following methods:

Visit the Web site for your certification authority. For example, visit http://servername/certsrv.
Run the Windows Server 2003 Certificate Request Wizard or the Windows 2000 Server Certificate Request Wizard.
Obtain a certificate from a third-party certification authority, and then manually install the certificate.

	Note
	If you want to obtain a certificate by using the Microsoft Certificate Services Web page, or by using the Certificate Request Wizard, a public key infrastructure (PKI) must be configured correctly to issue SSL-compatible X.509 certificates to the terminal server.

Each certificate must be configured as follows:

The certificate must be a computer certificate.
The intended purpose of the certificate must be for server authentication.
The certificate must have a corresponding private key.
The certificate must be stored in the computer account certificate store on the terminal server.

Note

You can view this store by using the Microsoft Management Console (MMC) Certificates snap-in.
The certificate must have a cryptographic service provider (CSP) that can be used for the TLS protocol. For example, the certificate must use a cryptographic service provider such as the Microsoft RSA SChannel Cryptographic Provider.

Tip

For more information about Microsoft cryptographic service providers, visit the Microsoft Web site.

On the Terminal Server, import the certificate and its private key into the Local Computer/Personal certificate store.

Figure 9.3. Importing Certificates
Select this certificate for Terminal Services and set the Security Layer to Negotiate.

Figure 9.4. Setting security negotiation
After completing the above steps, try to connect to the Terminal Server. The client should be able to connect immediately after the Assign button is pressed.

Note

These Terminal Server settings allow the clients to connect without using SSL-encryption, making older or non-Microsoft clients able to connect as well.

Appendix 1. About the Secure Shell protocol in a nutshell

The original version of the protocol (SSH-1, dated 1995) has been revised in 1996, and SSH-2 was created offering improved security and new features. The two versions of the protocol are incompatible with each other. Since SSH-1 has inherent design flaws and is vulnerable to attacks, it is now generally considered obsolete and its use should not be permitted. Practically all servers and client application today support SSH-2, use of SSH-1 should be explicitly disabled. Regrettably, software not supporting SSH-2 may still be in use by organizations and it means a considerable security vulnerability to these organizations.

SSH is the main tool used by system administrators for remote system administration tasks. There are several different implementations of the SSH protocol virtually for all kinds of platforms (Windows, Linux, Unix, Mac OS X, BSD, etc.), starting from embedded systems through desktops up to mainframes. Implementations differ in their availability (open source, freeware, commercial) and the level of completeness they offer: some applications implement only certain parts of the protocol, e.g., WinSCP provides only secure file transfer.

1.1. The basic operation of SSH

One of the main features of the SSH protocol is that almost the entire communication between the client and the server is encrypted – including the authentication of the user. (Naturally, the negotiation of the encryption method to be used is in plain text). During the initialization of the session server authentication is performed and parameters for encryption, data compression and integrity verification of the data transferred are negotiated. The protocol enforces user authentication and is capable of authenticating the user via various methods: password, RSA key, Challenge/Response schemes like S/Key and OPIE, etc. The typical uses of SSH include the following:

Remote shell: Remotely administer a computer via an interactive terminal console. This is one of the most widespread uses of SSH.
Remote command execution: Execute commands on the remote machine. Remote command execution can result in significant data transfer, for example when performing scheduled or manual tasks such as file copying (scp), data or file synchronization (rsync), creating archive backups (tar), etc.
TCP IP forwarding (also known as port forwarding): It is possible to tunnel any TCP/IP connection from the client or from the server into the encrypted SSH channel. It can also be used to forward communication otherwise not allowed, such as the access of ports banned by the security policy. This allows to secure any – normally unencrypted – data transfer and is frequently used as an easy way to secure connections between the hosts without the need to set up full VPN connections.
File transfer: Securely transfer files using SFTP.
X11 forwarding: Applications running on the server and requiring graphical interface (X Window) appear on the client's monitor, but run on the server in all other respect, thus it is possible to work with them remotely.
Agent forwarding: Transfer authentication requests to the client machine.

Depending on the server and client application, SSH is able to transfer data of several different channels simultaneously within a single connection, thus for example it is possible to transfer files from the client to the server via SFTP and to manage the server remotely via remote shell using only a single connection.

1.2. Configuring encryption parameters

SCB is able to enforce policies on the various elements of the encrypted SSH communication, such as the MAC, key-exchange, etc. algorithms that are permitted to be used. The parameters can be set separately for the client and for the server side. The attributes are represented as comma-separated strings listing the enabled methods/algorithms, in the order of preference.

The following parameters can be configured:

Key exchange (KEX) algorithms: SCB supports the diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 algorithms.
Hostkey algorithms: The supported algorithms are ssh-rsa and ssh-dss.

Note

To show the clients a hostkey using the above algorithms, the corresponding private key has to be set in the connection policy of SCB.
Cipher algorithms: The following symmetric-cipher algorithms are supported: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc.
MAC algorithms: The supported algorithms are: hmac-sha1 and hmac-md5.

Appendix 2. Package contents inventory

Carefully unpack all server components from the packing cartons. The following items should be packaged with the BalaBit Shell Control Box:

Sun Fire X2100 M2 server or Sun Fire X2200 M2 server, preinstalled with the latest BalaBit Shell Control Box firmware.
BalaBit Shell Control Box accessory kit, including the following:
- Delivery note
- BalaBit Shell Control Box License Agreement
- BalaBit Shell Control Box Certificate (includes the purchased license and support options, BIOS and Embedded LOM passwords, and support contact details)
- USB pendrive (includes the BalaBit Shell Control Box license file)
- BalaBit Shell Control Box Hardware Installation Guide
Sun Fire X2200 M2, Sun Fire X4140, or Sun Fire X4540 server accessory kit, including the following:
- Welcome Letter
- Sun Fire X2200 M2, Sun Fire X4140, or Sun Fire X4540 Server Installation Guide
- Additional license, safety, and registration documentation
- Sun Fire X2200 M2, Sun Fire X4140, or Sun Fire X4540 Server Tools and Drivers CD (includes drivers and diagnostics software)
Rackmount
Power cable

Appendix 3. BalaBit Shell Control Box Hardware Installation Guide

This leaflet describes how to set up the BalaBit Shell Control Box (SCB) hardware. Refer to the following documents for step-by-step instructions:

BalaBit Shell Control Box N1025, N2500: The Sun Fire™ X2200 M2 Installation Guide
BalaBit Shell Control Box N2500d: The Sun Fire™ X4140 Server Installation Guide
BalaBit Shell Control Box N5000st: The Sun Fire™ X4540 Server Installation Guide

The print version of the respective guide is packaged with SCB.

To install a single SCB unit, see Section 3.1, Installing the SCB hardware.
To install a two SCB units in high availability mode, see Section 3.2, Installing two SCB units in HA mode.

3.1. Installing the SCB hardware

To install a single SCB unit, complete the following steps.

Procedure 3.1. Installing the SCB hardware

Unpack SCB.
Optional step: Install SCB into a rack with the slide rails. Slide rails are available for all SCB appliances.

Connect the cables.

Connect the Ethernet cable facing your LAN to the Ethernet connector labeled as LAN0. This is the external interface of SCB and is used to configure SCB. (See Section 2.9, Network interfaces in the BalaBit Shell Control Box Administrator Guide for details on the roles of the different interfaces.)
Connect the Ethernet cable facing your servers to the Ethernet connector labeled as LAN2. This is the internal interface of SCB. (See Section 2.9, Network interfaces in the BalaBit Shell Control Box Administrator Guide for details on the roles of the different interfaces.)

Connect an Ethernet cable that you can use to remotely support the SCB hardware to the ELOM/ILOM interface of the Sun Fire server. See the following documents for details:

Embedded Lights Out Manager Administration Guide For the Sun Fire™ X2200 M2 and Sun Fire X2100 M2 Servers — Accessing the Service Processor
Sun Fire™ X4140, X4240, and X4440 Servers Installation Guide — Connecting to the Service Processor For Configuration
Sun™ Integrated Lights Out Manager 2.0 User’s Guide — Establish Initial Communication With ILOM

It is not necessary for the ILOM interface to be accessible from the Internet, but the administrator of SCB must be able to access it for support and troubleshooting purposes in case vendor support is needed.

	Warning
	Access to information available only via the ILOM interface is a prerequisite for any hardware-warranty claims.

Note

On some Sun Fire servers, the ILOM and the management interface of SCB are physical the same. However, only the cable is shared and they use different MAC and IP addresses. In such cases, it is not possible to modify the ILOM interface, but it is possible to disable the management interface of SCB and enable connections to the SCB web interface on other interfaces (e.g., on the external interface).

Optional step: Connect the Ethernet cable to be used for managing SCB after its initial configuration to the Ethernet connector labeled as LAN1. This is the management interface of SCB. (See Section 2.9, Network interfaces in the BalaBit Shell Control Box Administrator Guide for details on the roles of the different interfaces.)
Optional step: Connect the Ethernet cable connecting SCB to another SCB node to the Ethernet connector labeled as LAN3. This is the high availability (HA) interface of SCB. (See Section 2.9, Network interfaces in the BalaBit Shell Control Box Administrator Guide for details on the roles of the different interfaces.)

Power on the hardware.

Connect to the SCB web interface from a client machine and complete the Welcome Wizard. This might require you to configure an alias interface on the client machine. Step 5 is described in detail in Chapter 3, The Welcome Wizard and the first login in the BalaBit Shell Control Box Administrator Guide.

	Note
	The BalaBit Shell Control Box Administrator Guide is available on the SCB CD-ROM received with the SCB hardware, and on the BalaBit website: http://www.balabit.com/support/documentation

3.2. Installing two SCB units in HA mode

To install SCB with high availability support, complete the following steps.

Procedure 3.2. Installing two SCB units in HA mode

Complete Section 3.1, Installing the SCB hardware for the first SCB unit.
Complete Steps 1-3 of Section 3.1, Installing the SCB hardware for the second SCB unit.
Connect the two units with an Ethernet cable via the Ethernet connectors labeled as LAN3.
Power on the second unit.
Connect to the SCB web interface of the first unit from a client machine and enable the high availability mode. Navigate to the High Availability & Nodes section on the Systems tab of the Basic Settings menu. Click the Convert to Cluster action button, then reload the page in your browser.
Reboot the slave unit, then reboot the master unit. Wait a few minutes until the master unit boots, then reload the page in your browser.
Wait until the slave unit synchronizes its disk to the master unit. Depending on the size of the hard disks, this may take several hours. You can increase the speed of the synchronization via the SCB web interface at Basic Settings > System > High availability & Nodes > DRBD sync rate limit.

Refer to the Setup Troubleshooting chapter of the respective guide if you encounter any problems. If you still experience problems, contact the BalaBit Support Team via phone or e-mail:

Support e-mail address: <support@balabit.com>.

Support hotline: +36 1 371 0540 (available from 9 AM to 5 PM CET on weekdays)

If you have already registered your product on the http://www.balabit.com/mybalabit/ website, submit your support request using the BalaBit Online Support System at https://boss.balabit.com/. This online support service is available 24 hours a day.

Appendix 4. BalaBit Shell Control Box Software Installation Guide

This leaflet describes how to install the BalaBit Shell Control Box (SCB) software on a certified hardware. SCB supports the following hardware:

Sun Fire X2200 M2 Server
Sun Fire X4140 Server
Sun Fire X4540 Server

To install a new SCB on a server, complete the following steps:

Procedure 4.1. Installing the SCB software

Login to your MyBalaBit account (https://www.balabit.com/mybalabit) and download the latest BalaBit Shell Control Box installation ISO file. Note that you need to have partner access to download BalaBit Shell Control Box ISO files. If you are a partner but do not see the ISO files, you can request partner access within MyBalaBit.
Mount the ISO image, or burn it to a CD-ROM.
Connect your computer to the ELOM/ILOM interface of the Sun Fire server. See the following documents for details:
- Embedded Lights Out Manager Administration Guide For the Sun Fire™ X2200 M2 and Sun Fire X2100 M2 Servers — Accessing the Service Processor
- Sun Fire™ X4140, X4240, and X4440 Servers Installation Guide — Connecting to the Service Processor For Configuration
- Sun™ Integrated Lights Out Manager 2.0 User’s Guide — Establish Initial Communication With ILOM
Power on the server.
Login to the ELOM/ILOM web interface, and boot the BalaBit Shell Control Box installation CD on the server using a virtual CD-ROM. See the following documents for details:
- Embedded Lights Out Manager Administration Guide For the Sun Fire™ X2200 M2 and Sun Fire X2100 M2 Servers > Using the Remote Control Screens > Installing an Operating System on a Remote Server
- Sun Fire X4140, X4240, and X4440 Servers Operating System Installation Guide
- Sun™ Integrated Lights Out Manager 2.0 User’s Guide > Remote Management of x64 Servers Using the Sun ILOM Remote Console > CD and Diskette Redirection Operation Scenarios
When the BalaBit Shell Control Box installer starts, select Install, press Enter, and wait until the server finishes the boot process.
Select Install a new SCB and press Enter to start the installation process. Depending on the size of the disks, the installation process takes from a few minutes to an hour to complete. The progress of the installation is indicated in the Installation Steps window.
The installer displays the MAC addresses of the network interfaces found in the SCB unit. Record these addresses and compare them to the MAC addresses found on the label attached to the SCB unit. The address of eth0 should match the address of LAN0, and so on. If the displayed MAC addresses and the labels do not match, contact the BalaBit Support Team. See Section 5, Contact and support information for details.
During the Finishing the Setup step, the installer performs raid synchronization. Raid synchronization is a two-step process, the progress of the active step is indicated on the progress bar. Wait until both steps are completed. Depending on the size of the disks, raid synchronization takes from 30 minutes to about 3 hours.
After the installation is finished, press Enter to return to the main menu.
Select Reboot and press Enter to restart the system. Wait until the system reboots.
Connect your computer to the LAN0 interface of the Sun Fire server. Create an alias IP address for your computer that falls into the 192.168.1.0/24 subnet (e.g., 192.168.1.10). See Chapter 3 in the BalaBit Shell Control Box Administrator Guide for details.
Open the http://192.168.1.1 URL in your web browser and verify that the Welcome Wizard of the BalaBit Shell Control Box is available.
Power off the system.

Appendix 5. BalaBit Shell Control Box End User License Agreement

5.1. 1. SUBJECT OF THE LICENSE CONTRACT

1.1 This License Contract is entered into by and between BalaBit and Licensee and sets out the terms and conditions under which Licensee and/or Licensee's Authorized Subsidiaries may use the BalaBit Shell Control Box under this License Contract.

5.2. 2. DEFINITIONS

In this License Contract, the following words shall have the following meanings:

2.1 BalaBit

Company name: BalaBit IT Security Ltd.

Registered office: H-1115 Budapest, Bártfai Str. 54.

Company registration number: 01-09-687127

Tax number: HU11996468-2-43

2.2. Words and expressions

Annexed Software

Any third party software that is a not a BalaBit Product contained in the install media of the BalaBit Product.

Authorized Subsidiary

Any subsidiary organization: (i) in which Licensee possesses more than fifty percent (50%) of the voting power and (ii) which is located within the Territory.

BalaBit Product

Any software, hardware or service licensed, sold, or provided by BalaBit including any installation, education, support and warranty services, with the exception of the Annexed Software.

License Contract

The present BalaBit Shell Control Box License Contract.

Product Documentation

Any documentation referring to the BalaBit Shell Control Box or any module thereof, with special regard to the reference guide, the administration guide, the product description, the installation guide, user guides and manuals.

Protected Hosts

Host computers located in the zones protected by BalaBit Shell Control Box, that means any computer bounded to network and capable to establish IP connections through the firewall.

Protected Objects

The entire BalaBit Shell Control Box including all of its modules, all the related Product Documentation; the source code, the structure of the databases, all registered information reflecting the structure of the BalaBit Shell Control Box and all the adaptation and copies of the Protected Objects that presently exist or that are to be developed in the future, or any product falling under the copyright of BalaBit.

BalaBit Shell Control Box

Application software BalaBit Product designed for securing computer networks as defined by the Product Description.

Warranty Period

The period of twelve (12) months from the date of delivery of the BalaBit Shell Control Box to Licensee.

Territory

The countries or areas specified above in respect of which Licensee shall be entitled to install and/or use BalaBit Shell Control Box.

Take Over Protocol

The document signed by the parties which contains

a) identification data of Licensee;

b) ordered options of BalaBit Shell Control Box, number of Protected Hosts and designation of licensed modules thereof;

c) designation of the Territory;

d) declaration of the parties on accepting the terms and conditions of this License Contract; and

e) declaration of Licensee that is in receipt of the install media.

5.3. 3. LICENSE GRANTS AND RESTRICTIONS

3.1. For the BalaBit Shell Control Box licensed under this License Contract, BalaBit grants to Licensee a non-exclusive,

non-transferable, perpetual license to use such BalaBit Product under the terms and conditions of this License Contract and the applicable Take Over Protocol.

3.2. Licensee shall use the BalaBit Shell Control Box in the in the configuration and in the quantities specified in the Take Over Protocol within the Territory.

3.3. On the install media all modules of the BalaBit Shell Control Box will be presented, however, Licensee shall not be entitled to use any module which was not licensed to it. Access rights to modules and IP connections are controlled by an "electronic key" accompanying the BalaBit Shell Control Box.

3.4. Licensee shall be entitled to make one back-up copy of the install media containing the BalaBit Shell Control Box.

3.5. Licensee shall make available the Protected Objects at its disposal solely to its own employees and those of the Authorized Subsidiaries.

3.6. Licensee shall take all reasonable steps to protect BalaBit's rights with respect to the Protected Objects with special regard and care to protecting it from any unauthorized access.

3.7. Licensee shall, in 5 working days, properly answer the queries of BalaBit referring to the actual usage conditions of the BalaBit Shell Control Box, that may differ or allegedly differs from the license conditions.

3.8. Licensee shall not modify the BalaBit Shell Control Box in any way, with special regard to the functions inspecting the usage of the software. Licensee shall install the code permitting the usage of the BalaBit Shell Control Box according to the provisions defined for it by BalaBit. Licensee may not modify or cancel such codes. Configuration settings of the BalaBit Shell Control Box in accordance with the possibilities offered by the system shall not be construed as modification of the software.

3.9. Licensee shall only be entitled to analyze the structure of the BalaBit Products (decompilation or reverse- engineering) if concurrent operation with a software developed by a third party is necessary, and upon request to supply the information required for concurrent operation BalaBit does not provide such information within 60 days from the receipt of such a request. These user actions are limited to parts of the BalaBit Product which are necessary for concurrent operation.

3.10. Any information obtained as a result of applying the previous Section

(i) cannot be used for purposes other than concurrent operation with the BalaBit Product;

(ii) cannot be disclosed to third parties unless it is necessary for concurrent operation with the BalaBit Product;

(iii) cannot be used for the development, production or distribution of a different software which is similar to the Balabit Product

in its form of expression, or for any other act violating copyright.

3.11. For any Annexed Software contained by the same install media as the BalaBit Product, the terms and conditions defined by its copyright owner shall be properly applied. BalaBit does not grant any license rights to any Annexed Software.

3.12. Any usage of the BalaBit Shell Control Box exceeding the limits and restrictions defined in this License Contract shall qualify as material breach of the License Contract.

3.13. The Number of Protected Hosts shall not exceed the amount defined in the Take Over Protocol.

3.14. Licensee shall have the right to obtain and use content updates only if Licensee concludes a maintenance contract that includes such content updates, or if Licensee has otherwise separately acquired the right to obtain and use such content updates. This License Contract does not otherwise permit Licensee to obtain and use content updates.

5.4. 4. SUBSIDIARIES

4.1 Authorized Subsidiaries may also utilize the services of the BalaBit Shell Control Box under the terms and conditions of this License Contract. Any Authorized Subsidiary utilizing any service of the BalaBit Shell Control Box will be deemed to have accepted the terms and conditions of this License Contract.

5.5. 5. INTELLECTUAL PROPERTY RIGHTS

5.1. Licensee agrees that BalaBit owns all rights, titles, and interests related to the BalaBit Shell Control Box and all of BalaBit's patents, trademarks, trade names, inventions, copyrights, know-how, and trade secrets relating to the design, manufacture, operation or service of the BalaBit Products.

5.2. The use by Licensee of any of these intellectual property rights is authorized only for the purposes set forth herein, and upon termination of this License Contract for any reason, such authorization shall cease.

5.3. The BalaBit Products are licensed only for internal business purposes in every case, under the condition that such license does not convey any license, expressly or by implication, to manufacture, duplicate or otherwise copy or reproduce any of the BalaBit Products.

No other rights than expressly stated herein are granted to Licensee.

5.4. Licensee will take appropriate steps with its Authorized Subsidiaries, as BalaBit may request, to inform them of and assure compliance with the restrictions contained in the License Contract.

5.6. 6. TRADE MARKS

6.1. BalaBit hereby grants to Licensee the non-exclusive right to use the trade marks of the BalaBit Products in the Territory in accordance with the terms and for the duration of this License Contract.

6.2. BalaBit makes no representation or warranty as to the validity or enforceability of the trade marks, nor as to whether these infringe any intellectual property rights of third parties in the Territory.

5.7. 7. NEGLIGENT INFRINGEMENT

7.1. In case of negligent infringement of BalaBit's rights with respect to the BalaBit Shell Control Box, committed by violating the restrictions and limitations defined by this License Contract, Licensee shall pay liquidated damages to BalaBit. The amount of the liquidated damages shall be twice as much as the price of the BalaBit Product concerned, on BalaBit's current Price List.

5.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION

8.1. BalaBit shall pay all damages, costs and reasonable attorney's fees awarded against Licensee in connection with any claim brought against Licensee to the extent that such claim is based on a claim that Licensee's authorized use of the BalaBit Product infringes a patent, copyright, trademark or trade secret. Licensee shall notify BalaBit in writing of any such claim as soon as Licensee learns of it and shall cooperate fully with BalaBit in connection with the defense of that claim. BalaBit shall have sole control of that defense (including without limitation the right to settle the claim).

8.2. If Licensee is prohibited from using any BalaBit Product due to an infringement claim, or if BalaBit believes that any BalaBit Product is likely to become the subject of an infringement claim, BalaBit shall at its sole option, either: (i) obtain the right for Licensee to continue to use such BalaBit Product, (ii) replace or modify the BalaBit Product so as to make such BalaBit Product non-infringing and substantially comparable in functionality or (iii) refund to Licensee the amount paid for such infringing BalaBit Product and provide a pro-rated refund of any unused, prepaid maintenance fees paid by Licensee, in exchange for Licensee's return of such BalaBit Product to BalaBit.

8.3. Notwithstanding the above, BalaBit will have no liability for any infringement claim to the extent that it is based upon:

(i) modification of the BalaBit Product other than by BalaBit,

(ii) use of the BalaBit Product in combination with any product not specifically authorized by BalaBit to be combined with the BalaBit Product or

(iii) use of the BalaBit Product in an unauthorized manner for which it was not designed.

5.9. 9. LICENSE FEE

9.1. The number of the Protected Hosts (including the server as one host), the configuration and the modules licensed shall serve as the calculation base of the license fee.

9.2. Licensee acknowledges that payment of the license fees is a condition of lawful usage.

9.3. License fees do not contain any installation or post charges.

5.10. 10. WARRANTIES

10.1. BalaBit warrants that during the Warranty Period, the optical media upon which the BalaBit Product is recorded will not be defective under normal use. BalaBit will replace any defective media returned to it, accompanied by a dated proof of purchase, within the Warranty Period at no charge to Licensee. Upon receipt of the allegedly defective BalaBit Product, BalaBit will at its option, deliver a replacement BalaBit Product or BalaBit's current equivalent to Licensee at no additional cost. BalaBit will bear the delivery charges to Licensee for the replacement Product.

10.2. In case of installation by BalaBit, BalaBit warrants that during the Warranty Period, the BalaBit Shell Control Box, under normal use in the operating environment defined by BalaBit, and without unauthorized modification, will perform in substantial compliance with the Product Documentation accompanying the BalaBit Product, when used on that hardware for which it was installed, in compliance with the provisions of the user manuals and the recommendations of BalaBit. The date of the notification sent to BalaBit shall qualify as the date of the failure. Licensee shall do its best to mitigate the consequences of that failure. If, during the Warranty Period, the BalaBit Product fails to comply with this warranty, and such failure is reported by Licensee to BalaBit within the Warranty Period, BalaBit's sole obligation and liability for breach of this warranty is, at BalaBit's sole option, either:

(i) to correct such failure,

(ii) to replace the defective BalaBit Product or

(iii) to refund the license fees paid by Licensee for the applicable BalaBit Product.

5.11. 11. DISCLAIMER OF WARRANTIES

11.1. EXCEPT AS SET OUT IN THIS LICENSE CONTRACT, BALABIT MAKES NO WARRANTIES OF ANY KIND WITH RESPECT TO THE BalaBit Shell Control Box. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BALABIT EXCLUDES ANY OTHER WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF SATISFACTORY QUALITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.

5.12. 12. LIMITATION OF LIABILITY

12.1. SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN UNION, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES AND, THEREFORE, THE FOLLOWING LIMITATION OR EXCLUSION MAY NOT APPLY TO THIS LICENSE CONTRACT IN THOSE STATES AND COUNTRIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET OUT IN THIS LICENSE CONTRACT FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT SHALL BALABIT BE LIABLE TO LICENSEE FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES OR LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE BalaBit Shell Control Box EVEN IF BALABIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12.2. IN NO CASE SHALL BALABIT'S TOTAL LIABILITY UNDER THIS LICENSE CONTRACT EXCEED THE FEES PAID BY LICENSEE FOR THE BalaBit Shell Control Box LICENSED UNDER THIS LICENSE CONTRACT.

5.13. 13. DURATION AND TERMINATION

13.1. This License Contract shall come into effect on the date of signature of the Take Over Protocol by the duly authorized

representatives of the parties.

13.2. Licensee may terminate the License Contract at any time by written notice sent to BalaBit and by simultaneously destroying all copies of the BalaBit Shell Control Box licensed under this License Contract.

13.3. BalaBit may terminate this License Contract with immediate effect by written notice to Licensee, if Licensee is in material or persistent breach of the License Contract and either that breach is incapable of remedy or Licensee shall have failed to remedy that breach within 30 days after receiving written notice requiring it to remedy that breach.

5.14. 14. AMENDMENTS

14.1. Save as expressly provided in this License Contract, no amendment or variation of this License Contract shall be effective unless in writing and signed by a duly authorised representative of the parties to it.

5.15. 15. WAIVER

15.1. The failure of a party to exercise or enforce any right under this License Contract shall not be deemed to be a waiver of that right nor operate to bar the exercise or enforcement of it at any time or times thereafter.

5.16. 16. SEVERABILITY

16.1. If any part of this License Contract becomes invalid, illegal or unenforceable, the parties shall in such an event negotiate in good faith in order to agree on the terms of a mutually satisfactory provision to be substituted for the invalid, illegal or unenforceable

provision which as nearly as possible validly gives effect to their intentions as expressed in this License Contract.

5.17. 17. NOTICES

17.1. Any notice required to be given pursuant to this License Contract shall be in writing and shall be given by delivering the notice by hand, or by sending the same by prepaid first class post (airmail if to an address outside the country of posting) to the address of the relevant party set out in this License Contract or such other address as either party notifies to the other from time to time. Any notice given according to the above procedure shall be deemed to have been given at the time of delivery (if delivered by hand) and when received (if sent by post).

5.18. 18. MISCELLANEOUS

18.1. Headings are for convenience only and shall be ignored in interpreting this License Contract.

18.2. This License Contract and the rights granted in this License Contract may not be assigned, sublicensed or otherwise transferred in whole or in part by Licensee without BalaBit's prior written consent. This consent shall not be unreasonably withheld or delayed.

18.3. An independent third party auditor, reasonably acceptable to BalaBit and Licensee, may upon reasonable notice to Licensee and during normal business hours, but not more often than once each year, inspect Licensee's relevant records in order to confirm that usage of the BalaBit Shell Control Box complies with the terms and conditions of this License Contract. BalaBit shall bear the costs of such audit. All audits shall be subject to the reasonable safety and security policies and procedures of Licensee.

18.4. This License Contract constitutes the entire agreement between the parties with regard to the subject matter hereof. Any modification of this License Contract must be in writing and signed by both parties.

Appendix 6. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.

Definitions
1. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.
2. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.
3. "Distribute" means to make available to the public the original and copies of the Work through sale or other transfer of ownership.
4. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.
5. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.
6. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.
7. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
8. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.
9. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.
Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.
License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
1. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; and,
2. to Distribute and Publicly Perform the Work including as incorporated in Collections.
The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats, but otherwise you have no rights to make Adaptations. Subject to 8(f), all rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Section 4(d).
Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
1. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested.
2. You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works.
3. If You Distribute, or Publicly Perform the Work or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work. The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Collection, at a minimum such credit will appear, if a credit for all contributing authors of Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
4. For the avoidance of doubt:
  1. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
  2. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License if Your exercise of such rights is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b) and otherwise waives the right to collect royalties through any statutory or compulsory licensing scheme; and,
  3. Voluntary License Schemes. The Licensor reserves the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License that is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b).
5. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation.
Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Termination
1. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
2. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
Miscellaneous
1. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
2. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
3. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
4. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
5. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.

Glossary

4-eyes authorization: 4-eyes authorization is an advanced authorization method where only two administrators logging in simultaneously are permitted to access the server. These administrators can monitor each other's work, reducing the chance of (accidental or intentional) human errors in the server administration process.
alias IP: An additional IP address assigned to an interface that already has an IP address. The normal and alias IP addresses both refer to the same physical interface.
auditing policy: The auditing policy determines which events are logged on host running Microsoft Windows operating systems.
authentication: The process of verifying the authenticity of a user or client before allowing access to a network system or service.
Authentication Policy: An authentication policy is a list of authentication methods that can be used in a connection. Connection definitions refer to an authentication policy to determine how the client can authenticate to the target server.
Audit trail: An audit trail is a file storing the recorded activities of the administrators in an encrypted format. Audit trails can be replayed using the Audit Player application.
Audit Player: Audit Player is a desktop application that can replay recorded audit trails like movie. The Audit Player is available for the Microsoft Windows and GNU/Linux platforms.
BSD-syslog protocol: The old syslog protocol standard described in RFC 3164 http://www.ietf.org/rfc/rfc3164.txt. Sometimes also referred to as the legacy-syslog protocol.
CA: A Certificate Authority (CA) is an institute that issues certificates.
certificate: A certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA that signed the certificate, and some other data.
Channel Policy: The channel policy lists the SSH channels (e.g., terminal session, SCP, etc.) that can be used in a connection. The channel policy can further restrict access to each channel based on the IP address of the client or the server, a user list, or a time policy.
client mode: In client mode, syslog-ng collects the local logs generated by the host and forwards them through a network connection to the central syslog-ng server or to a relay.
controlled traffic: SCB audits and controls only the traffic that is configured in the connection and channel policies, all other traffic is forwarded on the packet level without any inspection.
disk buffer: The Premium Edition of syslog-ng can store messages on the local hard disk if the central log server or the network connection to the server becomes unavailable.
disk queue: See disk buffer.
domain name: The name of a network, e.g., balabit.com.
External network interface: The external interface (labeled LAN0) is used for general communication between the clients and the servers. If the SCB appliance has only two interfaces, the external interface is used for management purposes as well.
firmware: A firmware is a collection of the software components running on SCB. Individual software components cannot be upgraded on SCB, only the entire firmware. SCB contains two firmwares, an external (or boot) firmware and an internal (or core) firmware. These can be upgraded separately.
gateway: A device that connect two or more parts of the network, e.g., your local intranet and the external network (the Internet). Gateways act as entrances into other networks.
high availability: High availability uses a second SCB unit (called slave node) to ensure that the services are available even if the first unit (called master node) breaks down.
host: A computer connected to the network.
hostname: A name that identifies a host on the network. Hostnames can contain only alphanumerical characters (A-Z, a-z, 0-9) and the hyphen (-) character.
HA network interface: The HA interface (labeled LAN3) is an interface reserved for communication between the nodes of SCB clusters.
Internal network interface: The internal interface (labeled LAN2) is used exclusively for communication between SCB and the protected servers; incoming connections are not allowed on this interface.
IETF-syslog protocol: The syslog-protocol standard developed by the Internet Engineering Task Force (IETF), described in RFC 5424 http://www.ietf.org/rfc/rfc3164.txt.
key pair: A private key and its related public key. The private key is known only to the owner; the public key can be freely distributed. Information encrypted with the private key can only be decrypted using the public key.
License: SCB's license determines the number of servers (IP addresses) that SCB protects; the license limits the number of IP addresses accessible on the internal interface.
log path: A combination of sources, filters, parsers, rewrite rules, and destinations: syslog-ng examines all messages arriving to the sources of the logpath and sends the messages matching all filters to the defined destinations.
Management network interface: The management interface (labeled LAN1) is used exclusively for communication between SCB and the auditor or the administrator of the BalaBit Shell Control Box. This includes replaying the audit trails stored on SCB using the Audit Player application (AP).
master node: The active SCB unit that is inspecting the traffic when SCB is used in High Availability mode.
name server: A network computer storing the IP addresses corresponding to domain names.
node: An SCB unit running in High Availability mode.
ping: A command that sends a message from a host to another host over a network to test connectivity and packet loss.
port: A number ranging from 1 to 65535 that identifies the destination application of the transmitted data. E.g.: SSH commonly uses port 22, web servers (HTTP) use port 80, etc.
Public-key authentication: An authentication method that uses encryption key pairs to verify the identity of a user or a client.
SCB: An abbreviation of the BalaBit Shell Control Box name.
slave node: The passive SCB unit that replaces the active unit (the master node) if the master becomes unavailable.
SNMP: Simple Network Management Protocol (SNMP) is an industry standard protocol used for network management. SCB can send SNMP alerts to a central SNMP server.
SSH settings: SSH settings determine the parameters of the connection on the protocol level, including timeout value and greeting message of the connection, as well as the encryption algorithms used.
syslog-ng: The syslog-ng application is a flexible and highly scalable system logging application, typically used to manage log messages and implement centralized logging.
syslog-ng client: A host running syslog-ng in client mode.
syslog-ng Premium Edition: The syslog-ng Premium Edition is the commercial version of the open-source application. It offers additional features, like encrypted message transfer and an agent for Microsoft Windows platforms.
syslog-ng relay: A host running syslog-ng in relay mode.
syslog-ng server: A host running syslog-ng in server mode, like SCB.
Time Policy: The time policy determines which hours of a day can the users access a connection or a channel.
traceroute: A command that shows all routing steps (the path of a message) between two hosts.
User List: User lists are white- or blacklists of usernames that allow fine-control over who can access a connection or a channel.

Index

Symbols

4-eyes authorization, Connecting to a server through SCB, 4-eyes authorization, Channel Policies, Advanced authentication and authorization techniques, Configuring 4-eyes authorization

A

accessing SCB using SSH, Accessing the SCB host using SSH

in Bastion mode, Accessing the SCB host in Bastion mode using SSH

accounting SCB, Listing and searching configuration changes, Changelogs of SCB

admin password, The Welcome Wizard

administrator password, The Welcome Wizard

alias interfaces, Network settings

alias IP addresses, The initial connection to SCB, Network settings

AP, Viewing session information and replaying audit trails

context search in RDP streams, Searching in graphical streams
encrypted audit trails, Replaying and processing encrypted audit trails
finding audit trails, Finding specific audit trails
font types in RDP streams, Searching in graphical streams
hotkeys, Replaying audit trails
importing certificates, Replaying and processing encrypted audit trails
installing, Installing the Audit Player application
logging in, Logging with the Audit Player
OCR, Searching in graphical streams
projects, Using projects
replaying audit trails, Replaying audit trails
saving results, Using projects
saving trailsets, Using projects
searching in RDP streams, Searching in graphical streams
troubleshooting, Troubleshooting the Audit Player

archiving, Importing and exporting SCB configuration

audit data, Data and configuration archiving and backups

Audit Player

certificate location, Keys and certificates
indexing service configuration, Installing the Audit Player application
running with restricted user, Installing the Audit Player application
running without administrator privileges, Installing the Audit Player application
supported session types, Viewing session information and replaying audit trails

audit policies, Audit policies

audit trail, Viewing session information and replaying audit trails

replaying, Replaying audit trails

audit trails, Audit policies, Viewing session information and replaying audit trails

automatic searches, Configuring custom reports
downloading from SCB, Replaying audit trails
encrypting, Encrypting audit trails
export to PCAP format, Replaying audit trails
file limit, Other audit trail settings
finding in AP, Finding specific audit trails
replaying encrypted audit trails, Replaying and processing encrypted audit trails
searching in AP, Finding specific audit trails
signing, Digitally signing audit trails
size limit, Other audit trail settings
timestamping, Timestamping audit trails

auditing, Channel Policies

auditing configuration changes, Listing and searching configuration changes

authenticating to Microsoft Active Directory, User management and access control, Managing SCB users from an LDAP database

authenticating to RADIUS servers, Authenticating users to a RADIUS server

authenticating users, User management and access control, Managing SCB users from an LDAP database

authentication

Active Directory, Authenticating users to an LDAP server
blacklisting users, User lists
LDAP, Authenticating users to an LDAP server
on the SCB gateway, Gateway authentication, Advanced authentication and authorization techniques, Configuring gateway authentication
outband, Gateway authentication, Advanced authentication and authorization techniques, Configuring gateway authentication
whitelisting users, User lists

authentication policies, Connecting to a server through SCB

Authentication Policy, Connecting to a server through SCB, SSH-specific settings, Authentication Policies

authorization

4-eyes, 4-eyes authorization, Advanced authentication and authorization techniques, Configuring 4-eyes authorization
terminating connections, Configuring 4-eyes authorization

automatic searches, Configuring custom reports

B

backups, Data and configuration archiving and backups

encrypting, Encrypting backups
file ownerships, Ownership of the backup files
file permissions, Ownership of the backup files
restore, How to restore a backup

Bastion mode, SCB in Bastion mode, Bastion mode considerations, Organizing connections in Bastion mode

nontransparent, Modifying the destination address, Using nontransparent Bastion mode

Bridge mode, SCB in Bridge mode

browser requirements, The initial connection to SCB, Supported web browsers

browsers, The initial connection to SCB, Supported web browsers

supported versions, The initial connection to SCB, Supported web browsers

browsing audit trails, The SCB connection database

browsing log messages, Using the search interface

browsing reports, SCB reports

C

certificate of the web interface, The Welcome Wizard, Changing the certificates used on SCB

certificate verification, Verifying certificates with Certificate Authorities

in SSL-encrypted RDP connections, Verifying the certificate of the RDP server in encrypted connections

certificate-mapping, Server-side authentication settings, How to map keys and certificates

certificates

accepted formats, Changing the certificates used on SCB
changing, Changing the certificates used on SCB
in Audit Player, Keys and certificates
in SSH connections, Setting the SSH host keys and certificates of the connection
LDAP servers, Managing SCB users from an LDAP database, Authenticating users to an LDAP server
uploading, Changing the certificates used on SCB

changelogs, Listing and searching configuration changes, Changelogs of SCB

changing certificates

Timestamping Authority, Changing the certificates used on SCB

changing log verbosity level, Changing log verbosity level of SCB

channel policies, Connecting to a server through SCB, Configuring connections, Channel Policies, SSH-specific settings, RDP-specific settings

creating and editing, Channel Policies

channel types

RDP, Channel Policies, Supported RDP channel types
SSH, Channel Policies, Supported SSH channel types

client-side authentication, Client-side authentication settings

CNAME records, Modifying the destination address

collecting debug information, Collecting logs and system information for error reporting

collecting system-state information, Collecting logs and system information for error reporting

commit log, Listing and searching configuration changes

configuration backups, Data and configuration archiving and backups

configuration changes, Listing and searching configuration changes

configuring a connection, Logging in to SCB and configuring the first connection

general settings, General connection settings
modifying the server address, Modifying the destination address
modifying the source address, Modifying the source address

configuring network interfaces, Network settings

configuring the AP indexing service, Installing the Audit Player application

connecting to a server

RDP, Connecting to a server through SCB
SSH, Connecting to a server through SCB

connection, Configuring connections

connections database, The SCB connection database

console menu, Using the console menu of SCB

controlling SCB

rebooting, Controlling SCB — restart, shutdown
shutting down, Controlling SCB — restart, shutdown

core files, Gathering data about system problems

custom reports, Configuring custom reports

D

dashboard, Status history and statistics

date and time, Date and time configuration

configuring, Date and time configuration

debug logging, Collecting logs and system information for error reporting

default usergroups, Built-in usergroups of SCB

deleting audit trails, Data and configuration archiving and backups

destination NAT, DNAT, Connecting to a server through SCB, Modifying the destination address

digitally signing audit trails, Digitally signing audit trails

disabling all RDP traffic, Disabling the controlled traffic

disabling all SSH traffic, Disabling the controlled traffic

disabling all Telnet traffic, Disabling the controlled traffic

disabling all VNC traffic, Disabling the controlled traffic

displaying selected messages, Using the search interface

DLP, Forwarding traffic to an IDS or DLP system

DNS

CNAME records, Modifying the destination address

DNS server, Network settings

domain membership, Joining SCB into a domain

downgrading the firmware

rollback, Reverting to an older firmware

DRBD

adjusting synchronization speed, Adjusting the synchronization speed of DRBD

DRBD status, High Availability status explained

connected, High Availability status explained
invalidated, High Availability status explained
split brain, High Availability status explained, Recovering from a split brain situation
sync source, High Availability status explained
sync target, High Availability status explained
wfconnection, High Availability status explained

E

e-mail alerts, System logging, SNMP and e-mail alerts, Configuring system monitoring on SCB
e-mailing reports, System logging, SNMP and e-mail alerts
encrypting audit trails, Encrypting audit trails
exporting SCB configuration, Importing and exporting SCB configuration
exporting search results, Using the search interface

F

filtering search results, Using the search interface

filters

predefined, Creating predefined filters

finding audit trails, The SCB connection database

finding audit trails in AP, Finding specific audit trails

firmware, Firmware in SCB

high availability, Firmwares and high availability
rollback, Reverting to an older firmware
update, Updating the SCB firmware

G

gateway authentication, Connecting to a server through SCB, Gateway authentication, Advanced authentication and authorization techniques, Configuring gateway authentication

general configuration settings, General connection settings

generating certificates on-the-fly, Signing certificates on-the-fly

GPG, Encrypting backups

group management

local, Managing local usergroups

group memberships, Channel Policies

H

HA address, The Welcome Wizard, Network settings

high availability, High Availability support in SCB

adjusting synchronization speed, Adjusting the synchronization speed of DRBD
installation, Installing two SCB units in HA mode
log messages, Controlling SCB — restart, shutdown
manual takeover, Controlling SCB — restart, shutdown
Node HA status, High Availability status explained
Node HA UUID, High Availability status explained
recovery, Recovering two SCB nodes
status, High Availability status explained
synchronizing time, Date and time configuration

history of changes, Changelogs of SCB

host certificates, SSH hostkeys, Server host keys and certificates

adding automatically, Server host keys and certificates
adding manually, Server host keys and certificates

host keys, Setting the SSH host keys and certificates of the connection, Server host keys and certificates

adding automatically, Server host keys and certificates
adding manually, Server host keys and certificates

hostkeys, SSH hostkeys

I

IDS, Channel Policies, Forwarding traffic to an IDS or DLP system

importing certificates, Changing the certificates used on SCB

importing SCB configuration, Importing and exporting SCB configuration

indexing audit trails, Configuring custom reports

indexing service

configuring, Installing the Audit Player application

installing

SCB, Installing the SCB hardware

limit concurrent connections, General connection settings

local console, Using the console menu of SCB

local SCB users, Managing SCB users locally

local users

password management, Setting password policies for local users
usergroups, Managing local usergroups

lock management, Multiple web users and locking

log

debug mode, Collecting logs and system information for error reporting
system state, Collecting logs and system information for error reporting
tailing, Viewing logs on SCB
viewing, Viewing logs on SCB

log level, Changing log verbosity level of SCB

log messages

browsing, Using the search interface
exporting search results, Using the search interface
filtering search results, Using the search interface
reports, SCB reports
searching, Using the search interface

log verbosity, Changing log verbosity level of SCB

M

Management Information Base, Configuring system monitoring on SCB

Message dialog, The structure of the web interface

MIB, Configuring system monitoring on SCB

Microsoft Active Directory

LDAPS protocol, Managing SCB users from an LDAP database, Authenticating users to an LDAP server
supported platforms, Managing SCB users from an LDAP database, Authenticating users to an LDAP server

Microsoft Active Directory Server, Authenticating users to an LDAP server

Microsoft Windows Network, Parameters of the backup protocols

mode of operation, Network settings

monitoring, System logging, SNMP and e-mail alerts, Configuring system monitoring on SCB

MIB, Configuring system monitoring on SCB

N

name resolution

CNAME records, Modifying the destination address

network address translation

destination NAT, DNAT, Modifying the destination address
source NAT, SNAT, Modifying the source address

Network interfaces

configuring interface speed, Network settings
external interface, Network interfaces, The initial connection to SCB
HA interface, Network interfaces
internal interface, Network interfaces
management interface, Network interfaces, Network settings, Routing management traffic to the management interface

network interfaces

alias interfaces, Network settings
alias IP addresses, Network settings
configuring, Network settings
external interface, Network settings
internal interface, Network settings

nontransparent mode, SCB in Nontransparent mode, Modifying the destination address, Using nontransparent Bastion mode, RDP connections in Nontransparent mode

NTP servers, Date and time configuration

O

outband authentication, Gateway authentication, Advanced authentication and authorization techniques, Configuring gateway authentication

P

password

admin, The Welcome Wizard
changing the root, Changing the root password of SCB
root, The Welcome Wizard, Accessing the SCB host using SSH

password policies, Setting password policies for local users

PCAP, Replaying audit trails

ping, Network troubleshooting

policies

channel, Channel Policies
time, Time Policies
user list, User lists
usermapping, Advanced authentication and authorization techniques, Usermapping policies

preferences, The structure of the web interface

private key

accepted formats, The Welcome Wizard, Changing the certificates used on SCB

protocol-specific settings

RDP, RDP-specific settings
SSH, SSH-specific settings
Telnet, Telnet-specific settings
VNC, VNC-specific settings

Public-key authentication, Authenticating clients using public-key authentication in SSH

public-key authentication

configuring, Configuring public-key authentication on SCB
keymapping, Server-side authentication settings
using LDAP and a fixed key, Configuring public-key authentication on SCB
using LDAP and generated keys, Configuring public-key authentication on SCB
using local keys, Server-side authentication settings, Configuring public-key authentication on SCB

public-key authentication on SCB, Accessing the SCB host using SSH

Q

querying SCB via SNMP, System logging, SNMP and e-mail alerts

R

RADIUS authentication, Authenticating users to a RADIUS server

rate limiting, General connection settings

RDP channel types, Supported RDP channel types

RDP connections, Viewing session information and replaying audit trails

disabling all traffic, Disabling the controlled traffic
metadata, Connection metadata
nontransparent mode, RDP connections in Nontransparent mode
pre channel check, Protocol-level RDP settings
SSL encryption, Using SSL-encrypted RDP connections, Verifying the certificate of the RDP server in encrypted connections

RDP settings, Connecting to a server through SCB, RDP-specific settings, Protocol-level RDP settings

editing, Protocol-level RDP settings
pre channel check, Protocol-level RDP settings

reboot, Controlling SCB — restart, shutdown

reporting, SCB reports

custom reports, Configuring custom reports

reports

e-mailing, System logging, SNMP and e-mail alerts

restart, Controlling SCB — restart, shutdown

restoring a backup, How to restore a backup

reverting the firmware version, Reverting to an older firmware

root password, The Welcome Wizard, Accessing the SCB host using SSH, Changing the root password of SCB

Router mode, SCB in Router mode

Routing table, Network settings

management traffic, Routing management traffic to the management interface

rsync over SSH, Parameters of the backup protocols

S

saving filters, Creating predefined filters

SCB

accounting, Listing and searching configuration changes
administrators, User management and access control
certificate, Changing the certificates used on SCB
changelogs, Changelogs of SCB
configuration changes, Listing and searching configuration changes
exporting the configuration of, Importing and exporting SCB configuration
hostname, Network settings
importing the configuration of, Importing and exporting SCB configuration
installation, Installing the SCB hardware
logs, Listing and searching configuration changes
reports, SCB reports
web certificate, The Welcome Wizard

SCB configuration

exporting, Importing and exporting SCB configuration
importing, Importing and exporting SCB configuration

sealed mode, Sealed mode

searching audit trails in AP, Finding specific audit trails

searching log messages, Using the search interface

server certificates, Server host keys and certificates

server host keys, Server host keys and certificates

server-side authentication, Server-side authentication settings

server-side RDP connection

pre channel check, Protocol-level RDP settings

server-side SSH connection

pre channel check, Protocol-level SSH settings

shutdown, Controlling SCB — restart, shutdown

signing audit trails, Digitally signing audit trails

signing certificates, Signing certificates on-the-fly

Simple Network Management Protocol, System logging, SNMP and e-mail alerts, Configuring system monitoring on SCB

SMB/CIFS, Parameters of the backup protocols

SMTP server, System logging, SNMP and e-mail alerts

SNMP

SCB MIB, Configuring system monitoring on SCB

SNMP alerts, System logging, SNMP and e-mail alerts, Configuring system monitoring on SCB

SNMP queries, System logging, SNMP and e-mail alerts

SNMP server, System logging, SNMP and e-mail alerts

SNMPv3, System logging, SNMP and e-mail alerts

source NAT, SNAT, Connecting to a server through SCB, Modifying the source address

split brain, High Availability status explained, Recovering from a split brain situation

SSH

local forwarding, Supported SSH channel types
remote forwarding, Supported SSH channel types

SSH certificates, Setting the SSH host keys and certificates of the connection

SSH channel types, Supported SSH channel types

SSH connections, Viewing session information and replaying audit trails

accessing SCB, Accessing the SCB host using SSH, Accessing the SCB host in Bastion mode using SSH
disabling all traffic, Disabling the controlled traffic
in Bastion mode, Bastion mode considerations, Organizing connections in Bastion mode
metadata, Connection metadata
pre channel check, Connecting to a server through SCB, Protocol-level SSH settings

SSH console, Using the console menu of SCB

SSH server certificates, Server host keys and certificates

SSH server on SCB, Accessing the SCB host using SSH

in Bastion mode, Accessing the SCB host in Bastion mode using SSH

SSH settings, Connecting to a server through SCB, SSH-specific settings, Protocol-level SSH settings

editing, Protocol-level SSH settings
encryption parameters, Configuring encryption parameters
pre channel check, Protocol-level SSH settings

status history, Status history and statistics

status information via SNMP, System logging, SNMP and e-mail alerts

supported browsers, The initial connection to SCB, Supported web browsers

supported protocol versions, Supported protocols and client applications, Configuring connections

synchronizing data

adjusting synchronization speed, Adjusting the synchronization speed of DRBD

syslog

TLS encryption, System logging, SNMP and e-mail alerts

syslog servers

certificates, System logging, SNMP and e-mail alerts
mutual authentication, System logging, SNMP and e-mail alerts

syslog-ng

TLS encryption, System logging, SNMP and e-mail alerts

system logs, System logging, SNMP and e-mail alerts

System monitor, The structure of the web interface

system statistics, Status history and statistics

T

Telnet and user lists, Telnet-specific settings

Telnet connections, Viewing session information and replaying audit trails

disabling all traffic, Disabling the controlled traffic
metadata, Connection metadata

Telnet settings, Telnet-specific settings, Protocol-level Telnet settings

editing, Protocol-level Telnet settings

throttle, General connection settings

time policies, Connecting to a server through SCB, Time Policies

Time Policy

creating and editing, Time Policies

time synchronization, Date and time configuration

in HA mode, Date and time configuration

timestamping

OID, Timestamping audit trails

timestamping audit trails, Timestamping audit trails

Timestamping Authority

certificate of, Changing the certificates used on SCB

timestamping authority, Timestamping audit trails

tokenizing, Configuring custom reports

traceroute, Network troubleshooting

tracking configuration changes, Listing and searching configuration changes

traffic forwarding, Forwarding traffic to an IDS or DLP system

troubleshooting, Network troubleshooting

AP, Troubleshooting the Audit Player

trusted certificate authorities (CAs), Verifying certificates with Certificate Authorities

TSA, Timestamping audit trails

U

update, Updating the SCB license

firmware, Updating the SCB firmware
in high-availability, Updating the SCB firmware
license, Updating the SCB license

upgrade

firmware, Updating the SCB firmware
license, Updating the SCB license

uploading certificates, Changing the certificates used on SCB

user groups, User management and access control, Channel Policies

User List, Connecting to a server through SCB, SSH-specific settings

creating and editing, User lists

user lists, Channel Policies, User lists

user management, Built-in usergroups of SCB

creating usergroups, Managing user rights and usergroups
finding privileges, Finding specific usergroups
modifying usergroup privileges, Managing user rights and usergroups
naming usergroups, How to use usergroups
searching usergroups, Finding specific usergroups

User menu, The structure of the web interface

user preferences, The structure of the web interface

usergroups

local, Managing local usergroups

usermapping policies, Advanced authentication and authorization techniques, Usermapping policies

users

web interface, User management and access control, Managing SCB users locally, Managing SCB users from an LDAP database

using CRLs, Verifying certificates with Certificate Authorities

V

verbosity level, Changing log verbosity level of SCB

VNC and user lists, VNC-specific settings

VNC connections

disabling all traffic, Disabling the controlled traffic
metadata, Connection metadata

VNC settings, VNC-specific settings, Protocol-level VNC settings

editing, Protocol-level VNC settings

W

web browsers, The initial connection to SCB, Supported web browsers
Welcome Wizard, The Welcome Wizard

X

X.509 certificates

of SSH servers, Server host keys and certificates

	Tip
	Time policies are a good way to ensure that the server can be accessed only within the specified timeframe.

	Note
	The IP address of the SCB host must not fall into the following ranges: `1.2.0.0/16`, `127.0.0.0/8`.

	Note
	SCB passwords can contain the following special characters: !"#$%&'()+,-./:;<=>?@[\]^-`{\|}*

	Note
	Accessing SCB using SSH is rarely needed, and recommended only for advanced users for troubleshooting situations.

	Note
	SCB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.

	Warning
	The configuration takes effect immediately after clicking Finish. Incorrect network configuration data can render SCB unaccessible.

	Warning
	Sending alerts fails if these settings are incorrect.

	Note
	If the setting of these fields is different (e.g., LDAP or RADIUS), then SCB is not configured to manage passwords locally.

	Note
	Starting debug mode increases the log level of SCB, and might cause performance problems if the system is under a high load.

	Note
	Remote SSH access is automatically disabled if Sealed mode is enabled. See Section 4.5.5, Sealed mode for details.

	Note
	If this certificate is changed, the browser of SCB users will display a warning stating that the certificate of the site has changed.

	Note
	SCB accepts certificates in PEM format. The DER format is currently not supported.

	Tip
	To temporarily disable a connection, deselect the checkbox before the name of the connection.

	Note
	Even if the upstream traffic is encrypted with a separate certificate, only one audit trail file is created to as session.

	Tip
	To encrypt every audited connection, select the default policy.

	Note
	To replay the audit trails, you will need the private key of the certificate on the computer running the Audit Player application.

	Tip
	To add timestamping for every audited connection, select the default policy.

	Note
	To change the certificate used for timestamping, see Section 4.5.6, Changing the certificates used on SCB.

	Tip
	To sign every audited connection, select the default policy.

	Note
	By default, SCB accepts only plain hostkeys, and accepts them for the first time.

	Note
	The public keys of the users stored in the LDAP database must be in OpenSSH format.

	Note
	SCB generates a keypair for every user of the connection policy, not for every session.

	Note
	SCB generates a certificate for every connection policy, not for every session.

	Warning
	To access hosts running Windows 2008 Server R2 using RDP6, select the Enable RDP4 style authentication option as well.

	Note
	Connections that are still in progress when the report is generated are excluded from the report.

	Tip
	To sort the list of streams, click the header of the columns.

	Note
	When following a connection in the Audit Player application, the auditor can also terminate the connection from by clicking Terminate.

	Warning
	The public keys stored in the LDAP database must be in OpenSSH format.

	Note
	Nontransparent mode in the Telnet protocol is currently not supported.

	Note
	You can view this store by using the Microsoft Management Console (MMC) Certificates snap-in.