The Balabit Shell Control Box 4 LTS Administrator Guide

Copyright © 2017 Balabit SA. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balabit.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product uses the Botan cryptographic library. The library was released under the BSD-2 license. For details about the Botan license, see Botan cryptographic library license.

The Balabit™ name and the Balabit™ logo are registered trademarks of Balabit SA.

The Balabit Shell Control Box™ name and the Balabit Shell Control Box™ logo are registered trademarks of Balabit.

Citrix®, ICA® and XenApp™ are trademarks or registered trademarks of Citrix Systems, Inc.

Linux™ is a registered trademark of Linus Torvalds.

Sun™, Sun Microsystems™, the Sun logo, Sun Fire 4140™, Sun Fire 2100™, Sun Fire 2200™, Sun Fire 4540™, and Sun StorageTek™ are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of Balabit.

VMware™, VMware ESX™ and VMware View™ are trademarks or registered trademarks of VMware, Inc. and/or its affiliates.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008, 7, 8, and Server 2012 are registered trademarks of Microsoft Corporation.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaSys IT Ltd.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER. Balabit is not responsible for any third-party websites mentioned in this document. Balabit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balabit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

Botan cryptographic library license. 

Botan http://botan.randombit.net/ is distributed under these terms:

Copyright ©

  • 1999-2013,2014 Jack Lloyd

  • 2001 Peter J Jones

  • 2004-2007 Justin Karneges

  • 2004 Vaclav Ovsik

  • 2005 Matthew Gregan

  • 2005-2006 Matt Johnston

  • 2006 Luca Piccarreta

  • 2007 Yves Jerschow

  • 2007-2008 FlexSecure GmbH

  • 2007-2008 Technische Universitat Darmstadt

  • 2007-2008 Falko Strenzke

  • 2007-2008 Martin Doering

  • 2007 Manuel Hartl

  • 2007 Christoph Ludwig

  • 2007 Patrick Sona

  • 2010 Olivier de Gaalon

  • 2012 Vojtech Kral

  • 2012-2014 Markus Wanner

  • 2013 Joel Low

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF USE, DATA, OR PROFITS, OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

May 08, 2017

This document is the primary manual of the Balabit Shell Control Box 4 LTS.


Table of Contents

Preface
1. Summary of contents
2. Target audience and prerequisites
3. Products covered in this guide
4. Typographical conventions
5. Contact and support information
5.1. Sales contact
5.2. Support contact
5.3. Training
6. About this document
6.1. Summary of changes
6.2. Feedback
1. Introduction
1.1. What SCB is
1.2. What SCB is not
1.3. Why is SCB needed?
1.4. Who uses SCB?
1.5. Public references
2. The concepts of SCB
2.1. The philosophy of SCB
2.2. Supported protocols and client applications
2.3. Modes of operation
2.3.1. Bridge mode
2.3.2. Router mode
2.3.3. Single-interface router mode
2.3.4. Bastion mode
2.3.5. Nontransparent mode
2.4. Connecting to a server through SCB
2.4.1. Connecting to a server through SCB using SSH
2.4.2. Connecting to a server through SCB using RDP
2.4.3. Connecting to a server through SCB using a RD Gateway
2.5. SSH hostkeys
2.6. Authenticating clients using public-key authentication in SSH
2.7. The gateway authentication process
2.8. Four-eyes authorization
2.9. Network interfaces
2.10. High Availability support in SCB
2.11. Firmware in SCB
2.11.1. Firmwares and high availability
2.12. Versions and releases of SCB
2.13. Accessing and configuring SCB
2.14. Licenses
2.14.1. Licensing benefits
2.14.2. Licensing model
2.14.3. License types
2.14.4. Licensing examples
3. The Welcome Wizard and the first login
3.1. The initial connection to SCB
3.1.1. Creating an alias IP address (Microsoft Windows)
3.1.2. Creating an alias IP address (Linux)
3.1.3. Modifying the IP address of SCB
3.2. Configuring SCB with the Welcome Wizard
3.3. Logging in to SCB and configuring the first connection
4. Basic settings
4.1. Supported web browsers and operating systems
4.2. The structure of the web interface
4.2.1. Elements of the main workspace
4.2.2. Multiple web users and locking
4.2.3. Web interface timeout
4.3. Network settings
4.3.1. Configuring the management interface
4.3.2. Configuring the routing table
4.4. Configuring date and time
4.5. System logging, SNMP and e-mail alerts
4.5.1. Configuring system logging
4.5.2. Configuring e-mail alerts
4.5.3. Configuring SNMP alerts
4.5.4. Querying SCB status information using agents
4.6. Configuring system monitoring on SCB
4.6.1. Configuring monitoring
4.6.2. Health monitoring
4.6.3. Preventing disk space fill up
4.6.4. System related traps
4.6.5. Traffic related traps
4.7. Data and configuration backups
4.7.1. Creating a backup policy using Rsync over SSH
4.7.2. Creating a backup policy using SMB/CIFS
4.7.3. Creating a backup policy using NFS
4.7.4. Creating configuration backups
4.7.5. Creating data backups
4.7.6. Encrypting configuration backups with GPG
4.8. Archiving and cleanup
4.8.1. Creating a cleanup policy
4.8.2. Creating an archive policy using SMB/CIFS
4.8.3. Creating an archive policy using NFS
4.8.4. Archiving or cleaning up the collected data
5. User management and access control
5.1. Managing SCB users locally
5.2. Setting password policies for local users
5.3. Managing local usergroups
5.4. Managing SCB users from an LDAP database
5.5. Authenticating users to a RADIUS server
5.6. Authenticating users with X.509 certificates
5.7. Managing user rights and usergroups
5.7.1. Modifying group privileges
5.7.2. Creating new usergroups for the SCB web interface
5.7.3. Finding specific usergroups
5.7.4. How to use usergroups
5.7.5. Built-in usergroups of SCB
5.8. Listing and searching configuration changes
5.8.1. Using the internal search interface
5.9. Displaying the privileges of users and user groups
6. Managing SCB
6.1. Controlling SCB — reboot, shutdown
6.1.1. Disabling controlled traffic
6.1.2. Disabling controlled traffic permanently
6.2. Managing a high availability SCB cluster
6.2.1. Adjusting the synchronization speed
6.2.2. Redundant heartbeat interfaces
6.2.3. Next-hop router monitoring
6.3. Upgrading SCB
6.3.1. Upgrade checklist
6.3.2. Upgrading SCB (single node)
6.3.3. Upgrading an SCB cluster
6.3.4. Troubleshooting
6.3.5. Reverting to an older firmware version
6.3.6. Updating the SCB license
6.3.7. Exporting the configuration of SCB
6.3.8. Importing the configuration of SCB
6.4. Accessing the SCB console
6.4.1. Using the console menu of SCB
6.4.2. Enabling SSH access to the SCB host
6.4.3. Changing the root password of SCB
6.5. Sealed mode
6.5.1. Disabling sealed mode
6.6. Out-of-band management of SCB
6.6.1. Configuring the IPMI interface
6.7. Managing the certificates used on SCB
6.7.1. Generating certificates for SCB
6.7.2. Uploading external certificates to SCB
6.7.3. Generating TSA certificate with Windows Certificate Authority
7. General connection settings
7.1. Configuring connections
7.2. Modifying the destination address
7.3. Configuring inband destination selection
7.4. Modifying the source address
7.5. Creating and editing channel policies
7.6. Real-time content monitoring with Content Policies
7.6.1. Creating a new content policy
7.7. Configuring time policies
7.8. Creating and editing user lists
7.9. Authenticating users to an LDAP server
7.10. Audit policies
7.10.1. Encrypting audit trails
7.10.2. Timestamping audit trails with built-in timestamping service
7.10.3. Timestamping audit trails with external timestamping service
7.10.4. Digitally signing audit trails
7.10.5. Limiting audit trails
7.11. Verifying certificates with Certificate Authorities
7.12. Signing certificates on-the-fly
7.13. Creating a Local User Database
7.14. Forwarding traffic to an IDS or DLP system
7.15. Configuring cleanup for the SCB connection database
8. HTTP-specific settings
8.1. Limitations in handling HTTP connections
8.2. SCB deployment scenarios in HTTP environment
8.2.1. Interacting with HTTP proxies
8.3. Setting up HTTP connections
8.3.1. Setting up a transparent HTTP connection
8.3.2. Enabling SCB to act as a HTTP proxy
8.3.3. Enabling SSL encryption in HTTP
8.3.4. Configuring half-sided SSL encryption in HTTP
8.4. Session-handling in HTTP
8.5. Creating and editing protocol-level HTTP settings
9. ICA-specific settings
9.1. Setting up ICA connections
9.2. Supported ICA channel types
9.3. Creating and editing protocol-level ICA settings
9.4. SCB deployment scenarios in a Citrix environment
9.5. Troubleshooting Citrix-related problems
10. RDP-specific settings
10.1. Supported RDP channel types
10.2. Creating and editing protocol-level RDP settings
10.3. Joining SCB into a domain
10.4. Using SCB across multiple domains
10.5. Using SSL-encrypted RDP connections
10.6. Verifying the certificate of the RDP server in encrypted connections
10.7. Using SCB as a Terminal Services Gateway
10.8. Configuring Remote Desktop clients for gateway authentication
10.9. Usernames in RDP connections
10.10. Saving login credentials for RDP on Windows
10.11. Configuring RemoteApps
11. SSH-specific settings
11.1. Setting the SSH host keys and certificates of the connection
11.2. Supported SSH channel types
11.3. Authentication Policies
11.3.1. Creating a new authentication policy
11.3.2. Client-side authentication settings
11.3.3. Relayed authentication methods
11.3.4. Configuring your Kerberos environment
11.3.5. Kerberos authentication settings
11.4. Server host keys and certificates
11.4.1. Automatically adding the host keys and host certificates of a server to SCB
11.4.2. Manually adding the host key or host certificate of a server
11.5. Creating and editing protocol-level SSH settings
11.6. Supported encryption algorithms
12. Telnet-specific settings
12.1. Enabling TLS-encryption for Telnet connections
12.2. Creating a new authentication policy
12.3. Extracting username from Telnet connections
12.4. Creating and editing protocol-level Telnet settings
12.5. Inband destination selection in Telnet connections
13. VMware View connections
13.1. SCB deployment scenarios in a VMware environment
14. VNC-specific settings
14.1. Enabling TLS-encryption for VNC connections
14.2. Creating and editing protocol-level VNC settings
15. Browsing audit trails
15.1. Searching audit trails — the SCB connection database
15.1.1. Connection details
15.1.2. Replaying encrypted audit trails in your browser
15.1.3. Using wildcards in content search
15.1.4. Connection metadata
15.1.5. Using and managing search filters
15.2. Displaying statistics on search results
15.3. Indexing and reporting on audit-trail content
15.3.1. Configuring full-text indexing of audit trails
15.3.2. Monitoring the status of the indexer services
15.3.3. Creating reports from audit trail content
16. Viewing session information and replaying audit trails
16.1. Installing and configuring Audit Player
16.1.1. Installing the Audit Player application
16.1.2. Enabling the Audit Indexing Service
16.1.3. Running Audit Player without administrator privileges
16.1.4. Running Audit Player on multicore processors
16.2. Replaying audit trails
16.2.1. Downloading audit trails from SCB
16.2.2. Replaying a session with the Audit Player
16.2.3. Replaying SCP and SFTP sessions
16.2.4. Replaying HTTP sessions
16.3. Using AP
16.3.1. Finding specific audit trails
16.3.2. Using projects
16.3.3. Replaying and processing encrypted audit trails
16.3.4. Searching in graphical streams
16.3.5. Adding a new font to the OCR database
16.3.6. Adding a new font for displaying X11 trails
16.3.7. HTTP indexing and search
16.4. Troubleshooting the Audit Player
16.4.1. Logging with the Audit Player
16.4.2. Keys and certificates
16.4.3. Keyframe building errors
17. Advanced authentication and authorization techniques
17.1. Configuring usermapping policies
17.2. Configuring gateway authentication
17.2.1. Configuring outband gateway authentication
17.2.2. Performing outband gateway authentication on SCB
17.2.3. Performing inband gateway authentication in SSH and Telnet connections
17.2.4. Performing inband gateway authentication in RDP connections
17.2.5. Troubleshooting gateway authentication
17.3. Configuring 4-eyes authorization
17.3.1. Configuring four-eyes authorization
17.3.2. Performing four-eyes authorization on SCB
17.4. Using credential stores for server-side authentication
17.4.1. Configuring local Credential Stores
17.4.2. Performing gateway authentication to RDP servers using local Credential Store and NLA
17.4.3. Configuring password-protected Credential Stores
17.4.4. Unlocking Credential Stores
17.4.5. Using Lieberman ERPM to authenticate on the target hosts
17.4.6. Using a custom Credential Store plugin to authenticate on the target hosts
17.4.7. Creating a custom Credential Store plugin
17.5. Integrating ticketing systems
17.5.1. Using a Ticketing plugin to authorize connections to the target hosts
17.5.2. Performing authentication with ticketing integration in terminal connections
17.5.3. Performing authentication with ticketing integration in Remote Desktop connections
18. Reports
18.1. Contents of the operational reports
18.2. Configuring custom reports
18.3. Creating statistics from custom database queries
18.4. Database tables available for custom queries
18.4.1. The alerting table
18.4.2. The aps table
18.4.3. The archives table
18.4.4. The audit_trail_downloads table
18.4.5. The channels table
18.4.6. The closed_connection_audit_channels view
18.4.7. The closed_not_indexed_audit_channels view
18.4.8. The connection_events view
18.4.9. The connection_occurrences view
18.4.10. The events table
18.4.11. The connections view
18.4.12. The file_xfer view
18.4.13. The http_req_resp_pair table
18.4.14. Querying trail content with the lucene-search function
18.4.15. The occurrences table
18.4.16. The progresses table
18.4.17. The results table
18.4.18. Querying trail content with the sphinx function
18.4.19. The skipped_connections table
18.4.20. The usermapped_channels view
18.5. Generating partial reports
19. The SCB RPC API
19.1. Requirements for using the RPC API
19.2. RPC client requirements
19.3. Locking SCB configuration from the RPC API
19.4. Documentation of the RPC API
19.5. Enabling RPC API access to SCB
20. Best practices and configuration examples
20.1. Configuring public-key authentication on SCB
20.1.1. Configuring public-key authentication using local keys
20.1.2. Configuring public-key authentication using an LDAP server and a fixed key
20.1.3. Configuring public-key authentication using an LDAP server and generated keys
20.2. Organizing connections in Bastion mode
20.2.1. Organizing connections based on port numbers
20.2.2. Organizing connections based on alias IP addresses
20.2.3. Accessing the SCB host in Bastion mode using SSH
20.3. Configuring nontransparent Bastion mode
20.4. Using nontransparent Bastion mode
20.4.1. Using inband destination selection with PuTTY
20.4.2. Using inband destination selection with OpenSSH
20.4.3. Using inband selection and nonstandard ports with PuTTY
20.4.4. Using inband selection and nonstandard ports with OpenSSH
20.4.5. Using inband destination selection and gateway authentication with PuTTY
20.4.6. Using inband destination selection and gateway authentication with OpenSSH
21. SCB scenarios
21.1. SSH usermapping and keymapping in AD with public key
22. Troubleshooting SCB
22.1. Network troubleshooting
22.2. Gathering data about system problems
22.3. Viewing logs on SCB
22.4. Changing log verbosity level of SCB
22.5. Collecting logs and system information for error reporting
22.6. Status history and statistics
22.6.1. Displaying custom connection statistics
22.7. Troubleshooting an SCB cluster
22.7.1. Understanding SCB cluster statuses
22.7.2. Recovering SCB if both nodes broke down
22.7.3. Recovering from a split brain situation
22.7.4. Replacing a HA node in an SCB cluster
22.7.5. Resolving an IP conflict between cluster nodes
22.8. Understanding SCB RAID status
22.9. Restoring SCB configuration and data
A. Package contents inventory
B. Balabit Shell Control Box Hardware Installation Guide
B.1. Installing the SCB hardware
B.2. Installing two SCB units in HA mode
C. Hardware specifications
D. Balabit Shell Control Box Software Installation Guide
D.1. Installing the SCB software
E. Balabit Shell Control Box VMware Installation Guide
E.1. Limitations of SCB under VMware
E.2. Installing SCB under VMware ESXi/ESX
E.3. Modifying the virtual disk size under VMware
F. Balabit Shell Control Box Hyper-V Installation Guide
F.1. Limitations of SCB under Hyper-V
F.2. Installing SCB under Hyper-V
G. Configuring external devices
G.1. Configuring advanced routing on Linux
G.2. Configuring advanced routing on Cisco routers
G.3. Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls
H. Using SCP with agent-forwarding
I. Security checklist for configuring SCB
J. Licenses
K. END USER LICENSE AGREEMENT FOR BALABIT PRODUCT (EULA)
Glossary
Index
List of SCB web interface labels

List of Procedures

2.4.1. Connecting to a server through SCB using SSH
2.4.2. Connecting to a server through SCB using RDP
2.4.3. Connecting to a server through SCB using a RD Gateway
2.7. The gateway authentication process
2.8. Four-eyes authorization
3.1.1. Creating an alias IP address (Microsoft Windows)
3.1.2. Creating an alias IP address (Linux)
3.1.3. Modifying the IP address of SCB
3.2. Configuring SCB with the Welcome Wizard
3.3. Logging in to SCB and configuring the first connection
4.3.1. Configuring the management interface
4.3.2. Configuring the routing table
4.4. Configuring date and time
4.5.1. Configuring system logging
4.5.2. Configuring e-mail alerts
4.5.3. Configuring SNMP alerts
4.5.4. Querying SCB status information using agents
4.6.1. Configuring monitoring
4.6.3. Preventing disk space fill up
4.7.1. Creating a backup policy using Rsync over SSH
4.7.2. Creating a backup policy using SMB/CIFS
4.7.3. Creating a backup policy using NFS
4.7.4. Creating configuration backups
4.7.5. Creating data backups
4.7.6. Encrypting configuration backups with GPG
4.8.1. Creating a cleanup policy
4.8.2. Creating an archive policy using SMB/CIFS
4.8.3. Creating an archive policy using NFS
4.8.4. Archiving or cleaning up the collected data
5.1. Managing SCB users locally
5.2. Setting password policies for local users
5.3. Managing local usergroups
5.4. Managing SCB users from an LDAP database
5.5. Authenticating users to a RADIUS server
5.6. Authenticating users with X.509 certificates
5.7.1. Modifying group privileges
5.7.2. Creating new usergroups for the SCB web interface
5.8.1.3. Customizing columns of the internal search interface
6.1.1. Disabling controlled traffic
6.1.2. Disabling controlled traffic permanently
6.2.2. Redundant heartbeat interfaces
6.2.3. Next-hop router monitoring
6.3.2. Upgrading SCB (single node)
6.3.3. Upgrading an SCB cluster
6.3.5. Reverting to an older firmware version
6.3.6. Updating the SCB license
6.3.7. Exporting the configuration of SCB
6.3.8. Importing the configuration of SCB
6.4.2. Enabling SSH access to the SCB host
6.4.3. Changing the root password of SCB
6.5.1. Disabling sealed mode
6.6.1. Configuring the IPMI interface
6.7.1. Generating certificates for SCB
6.7.2. Uploading external certificates to SCB
6.7.3. Generating TSA certificate with Windows Certificate Authority
7.1. Configuring connections
7.2. Modifying the destination address
7.3. Configuring inband destination selection
7.4. Modifying the source address
7.5. Creating and editing channel policies
7.6.1. Creating a new content policy
7.7. Configuring time policies
7.8. Creating and editing user lists
7.9. Authenticating users to an LDAP server
7.10.1. Encrypting audit trails
7.10.2. Timestamping audit trails with built-in timestamping service
7.10.3. Timestamping audit trails with external timestamping service
7.10.4. Digitally signing audit trails
7.10.5. Limiting audit trails
7.11. Verifying certificates with Certificate Authorities
7.12. Signing certificates on-the-fly
7.13. Creating a Local User Database
7.14. Forwarding traffic to an IDS or DLP system
7.15. Configuring cleanup for the SCB connection database
8.3.1. Setting up a transparent HTTP connection
8.3.2. Enabling SCB to act as a HTTP proxy
8.3.3. Enabling SSL encryption in HTTP
8.3.4. Configuring half-sided SSL encryption in HTTP
8.5. Creating and editing protocol-level HTTP settings
9.3. Creating and editing protocol-level ICA settings
10.2. Creating and editing protocol-level RDP settings
10.3. Joining SCB into a domain
10.5. Using SSL-encrypted RDP connections
10.6. Verifying the certificate of the RDP server in encrypted connections
10.7. Using SCB as a Terminal Services Gateway
10.8. Configuring Remote Desktop clients for gateway authentication
10.10. Saving login credentials for RDP on Windows
10.11. Configuring RemoteApps
11.1. Setting the SSH host keys and certificates of the connection
11.3.1. Creating a new authentication policy
11.3.2.1. Local client-side authentication
11.3.4. Configuring your Kerberos environment
11.3.5. Kerberos authentication settings
11.4.1. Automatically adding the host keys and host certificates of a server to SCB
11.4.2. Manually adding the host key or host certificate of a server
11.5. Creating and editing protocol-level SSH settings
12.1. Enabling TLS-encryption for Telnet connections
12.2. Creating a new authentication policy
12.3. Extracting username from Telnet connections
12.4. Creating and editing protocol-level Telnet settings
14.1. Enabling TLS-encryption for VNC connections
14.2. Creating and editing protocol-level VNC settings
15.1.2. Replaying encrypted audit trails in your browser
15.1.5.1. Creating and saving filters for later use
15.2. Displaying statistics on search results
15.3.1. Configuring full-text indexing of audit trails
15.3.3. Creating reports from audit trail content
16.1.1. Installing the Audit Player application
16.1.2. Enabling the Audit Indexing Service
16.1.3. Running Audit Player without administrator privileges
16.1.4. Running Audit Player on multicore processors
16.2.1. Downloading audit trails from SCB
16.2.2. Replaying a session with the Audit Player
16.2.3. Replaying SCP and SFTP sessions
16.2.4. Replaying HTTP sessions
16.3.3.1. Importing certificates with MMC
16.3.3.3. Converting certificates using OpenSSL
16.3.3.4. Converting certificates using Firefox
16.3.5. Adding a new font to the OCR database
16.3.6. Adding a new font for displaying X11 trails
16.4.1.1. AP logging in user mode
16.4.1.2. AP logging as an indexer service
16.4.1.3. AP core dump as an indexer service
17.1. Configuring usermapping policies
17.2.1. Configuring outband gateway authentication
17.2.2. Performing outband gateway authentication on SCB
17.2.3. Performing inband gateway authentication in SSH and Telnet connections
17.2.4. Performing inband gateway authentication in RDP connections
17.3.1. Configuring four-eyes authorization
17.3.2. Performing four-eyes authorization on SCB
17.4.1. Configuring local Credential Stores
17.4.2. Performing gateway authentication to RDP servers using local Credential Store and NLA
17.4.3. Configuring password-protected Credential Stores
17.4.4. Unlocking Credential Stores
17.4.5. Using Lieberman ERPM to authenticate on the target hosts
17.4.6. Using a custom Credential Store plugin to authenticate on the target hosts
17.5.1. Using a Ticketing plugin to authorize connections to the target hosts
17.5.2. Performing authentication with ticketing integration in terminal connections
17.5.3. Performing authentication with ticketing integration in Remote Desktop connections
18.2. Configuring custom reports
18.3. Creating statistics from custom database queries
18.5. Generating partial reports
19.5. Enabling RPC API access to SCB
20.1.1. Configuring public-key authentication using local keys
20.1.2. Configuring public-key authentication using an LDAP server and a fixed key
20.1.3. Configuring public-key authentication using an LDAP server and generated keys
20.2.1. Organizing connections based on port numbers
20.2.2. Organizing connections based on alias IP addresses
20.3. Configuring nontransparent Bastion mode
20.4.1. Using inband destination selection with PuTTY
20.4.2. Using inband destination selection with OpenSSH
20.4.3. Using inband selection and nonstandard ports with PuTTY
20.4.4. Using inband selection and nonstandard ports with OpenSSH
20.4.5. Using inband destination selection and gateway authentication with PuTTY
20.4.6. Using inband destination selection and gateway authentication with OpenSSH
21.1. SSH usermapping and keymapping in AD with public key
22.1. Network troubleshooting
22.3. Viewing logs on SCB
22.4. Changing log verbosity level of SCB
22.5. Collecting logs and system information for error reporting
22.6.1. Displaying custom connection statistics
22.7.2. Recovering SCB if both nodes broke down
22.7.3. Recovering from a split brain situation
22.7.4. Replacing a HA node in an SCB cluster
22.7.5. Resolving an IP conflict between cluster nodes
22.9. Restoring SCB configuration and data
B.1. Installing the SCB hardware
B.2. Installing two SCB units in HA mode
D.1. Installing the SCB software
E.2. Installing SCB under VMware ESXi/ESX
E.3. Modifying the virtual disk size under VMware
F.2. Installing SCB under Hyper-V
G.1. Configuring advanced routing on Linux
G.2. Configuring advanced routing on Cisco routers
G.3. Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls