The Balabit’s Privileged Session Management, Shell Control Box 4 LTS Administrator Guide

Copyright © 2018 Balabit, a One Identity business. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balabit.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

The Balabit™ name and the Balabit™ logo are registered trademarks of Balabit SA.

The Balabit Shell Control Box™ name and the Balabit Shell Control Box™ logo are registered trademarks of Balabit.

Citrix®, ICA® and XenApp™ are trademarks or registered trademarks of Citrix Systems, Inc.

Linux™ is a registered trademark of Linus Torvalds.

Sun™, Sun Microsystems™, the Sun logo, Sun Fire 4140™, Sun Fire 2100™, Sun Fire 2200™, Sun Fire 4540™, and Sun StorageTek™ are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of Balabit.

VMware™, VMware ESX™ and VMware View™ are trademarks or registered trademarks of VMware, Inc. and/or its affiliates.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008, 7, 8, and Server 2012 are registered trademarks of Microsoft Corporation.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaSys IT Ltd.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER. Balabit is not responsible for any third-party websites mentioned in this document. Balabit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balabit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. This product includes cryptographic software written by Eric Young.

This product includes open source software components. For details on the licenses and availability of these software components, see ????.

March 01, 2018

This document is the primary manual of the Balabit’s Privileged Session Management, Shell Control Box 4 LTS.

Table of Contents

1. Summary of contents
2. Target audience and prerequisites
3. Products covered in this guide
4. Typographical conventions
5. Contact and support information
5.1. Sales contact
5.2. Support contact
5.3. Training
6. About this document
6.1. Summary of changes
6.2. Feedback
1. Introduction
1.1. What PSM is
1.2. What PSM is not
1.3. Why is PSM needed?
1.4. Who uses PSM?
2. The concepts of PSM
2.1. The philosophy of PSM
2.2. Supported protocols and client applications
2.3. Modes of operation
2.3.1. Bridge mode
2.3.2. Router mode
2.3.3. Single-interface router mode
2.3.4. Bastion mode
2.3.5. Nontransparent mode
2.4. Connecting to a server through PSM
2.4.1. Connecting to a server through PSM using SSH
2.4.2. Connecting to a server through PSM using RDP
2.4.3. Connecting to a server through PSM using an RD Gateway
2.5. SSH hostkeys
2.6. Authenticating clients using public-key authentication in SSH
2.7. The gateway authentication process
2.8. Four-eyes authorization
2.9. Network interfaces
2.10. High Availability support in PSM
2.11. Firmware in PSM
2.11.1. Firmwares and high availability
2.12. Versions and releases of PSM
2.13. Accessing and configuring PSM
2.14. Licenses
2.14.1. Licensing benefits
2.14.2. Licensing model
2.14.3. License types
2.14.4. Licensing examples
3. The Welcome Wizard and the first login
3.1. The initial connection to PSM
3.1.1. Creating an alias IP address (Microsoft Windows)
3.1.2. Creating an alias IP address (Linux)
3.1.3. Modifying the IP address of PSM
3.2. Configuring PSM with the Welcome Wizard
3.3. Logging in to PSM and configuring the first connection
4. Basic settings
4.1. Supported web browsers and operating systems
4.2. The structure of the web interface
4.2.1. Elements of the main workspace
4.2.2. Multiple web users and locking
4.2.3. Web interface timeout
4.3. Network settings
4.3.1. Configuring the management interface
4.3.2. Configuring the routing table
4.4. Configuring date and time
4.5. System logging, SNMP and e-mail alerts
4.5.1. Configuring system logging
4.5.2. Configuring e-mail alerts
4.5.3. Configuring SNMP alerts
4.5.4. Querying PSM status information using agents
4.6. Configuring system monitoring on PSM
4.6.1. Configuring monitoring
4.6.2. Health monitoring
4.6.3. Preventing disk space from filling up
4.6.4. System related traps
4.6.5. Traffic related traps
4.7. Data and configuration backups
4.7.1. Creating a backup policy using Rsync over SSH
4.7.2. Creating a backup policy using SMB/CIFS
4.7.3. Creating a backup policy using NFS
4.7.4. Creating configuration backups
4.7.5. Creating data backups
4.7.6. Encrypting configuration backups with GPG
4.8. Archiving and cleanup
4.8.1. Creating a cleanup policy
4.8.2. Creating an archive policy using SMB/CIFS
4.8.3. Creating an archive policy using NFS
4.8.4. Archiving or cleaning up the collected data
5. User management and access control
5.1. Managing PSM users locally
5.2. Setting password policies for local users
5.3. Managing local usergroups
5.4. Managing PSM users from an LDAP database
5.5. Authenticating users to a RADIUS server
5.6. Authenticating users with X.509 certificates
5.7. Managing user rights and usergroups
5.7.1. Modifying group privileges
5.7.2. Creating new usergroups for the PSM web interface
5.7.3. Finding specific usergroups
5.7.4. How to use usergroups
5.7.5. Built-in usergroups of PSM
5.8. Listing and searching configuration changes
5.8.1. Using the internal search interface
5.9. Displaying the privileges of users and user groups
6. Managing PSM
6.1. Controlling PSM — reboot, shutdown
6.1.1. Disabling controlled traffic
6.1.2. Disabling controlled traffic permanently
6.2. Managing a high availability PSM cluster
6.2.1. Adjusting the synchronization speed
6.2.2. Redundant heartbeat interfaces
6.2.3. Next-hop router monitoring
6.3. Upgrading PSM
6.3.1. Upgrade checklist
6.3.2. Upgrading PSM (single node)
6.3.3. Upgrading a PSM cluster
6.3.4. Troubleshooting
6.3.5. Reverting to an older firmware version
6.3.6. Updating the PSM license
6.3.7. Exporting the configuration of PSM
6.3.8. Importing the configuration of PSM
6.4. Accessing the PSM console
6.4.1. Using the console menu of PSM
6.4.2. Enabling SSH access to the PSM host
6.4.3. Changing the root password of PSM
6.5. Sealed mode
6.5.1. Disabling sealed mode
6.6. Out-of-band management of PSM
6.6.1. Configuring the IPMI interface
6.7. Managing the certificates used on PSM
6.7.1. Generating certificates for PSM
6.7.2. Uploading external certificates to PSM
6.7.3. Generating TSA certificate with Windows Certificate Authority
7. General connection settings
7.1. Configuring connections
7.2. Modifying the destination address
7.3. Configuring inband destination selection
7.4. Modifying the source address
7.5. Creating and editing channel policies
7.6. Real-time content monitoring with Content Policies
7.6.1. Creating a new content policy
7.7. Configuring time policies
7.8. Creating and editing user lists
7.9. Authenticating users to an LDAP server
7.10. Audit policies
7.10.1. Encrypting audit trails
7.10.2. Timestamping audit trails with built-in timestamping service
7.10.3. Timestamping audit trails with external timestamping service
7.10.4. Digitally signing audit trails
7.10.5. Limiting audit trails
7.11. Verifying certificates with Certificate Authorities
7.12. Signing certificates on-the-fly
7.13. Creating a Local User Database
7.14. Forwarding traffic to an IDS or DLP system
7.15. Configuring cleanup for the PSM connection database
8. HTTP-specific settings
8.1. Limitations in handling HTTP connections
8.2. PSM deployment scenarios in HTTP environment
8.2.1. Interacting with HTTP proxies
8.3. Setting up HTTP connections
8.3.1. Setting up a transparent HTTP connection
8.3.2. Enabling SCB to act as an HTTP proxy
8.3.3. Enabling SSL encryption in HTTP
8.3.4. Configuring half-sided SSL encryption in HTTP
8.4. Session-handling in HTTP
8.5. Creating and editing protocol-level HTTP settings
9. ICA-specific settings
9.1. Setting up ICA connections
9.2. Supported ICA channel types
9.3. Creating and editing protocol-level ICA settings
9.4. PSM deployment scenarios in a Citrix environment
9.5. Troubleshooting Citrix-related problems
10. RDP-specific settings
10.1. Supported RDP channel types
10.2. Creating and editing protocol-level RDP settings
10.3. Joining PSM into a domain
10.4. Using PSM across multiple domains
10.5. Using SSL-encrypted RDP connections
10.6. Verifying the certificate of the RDP server in encrypted connections
10.7. Using PSM as a Terminal Services Gateway
10.8. Configuring Remote Desktop clients for gateway authentication
10.9. Usernames in RDP connections
10.10. Saving login credentials for RDP on Windows
10.11. Configuring RemoteApps
11. SSH-specific settings
11.1. Setting the SSH host keys and certificates of the connection
11.2. Supported SSH channel types
11.3. Authentication Policies
11.3.1. Creating a new authentication policy
11.3.2. Client-side authentication settings
11.3.3. Relayed authentication methods
11.3.4. Configuring your Kerberos environment
11.3.5. Kerberos authentication settings
11.4. Server host keys and certificates
11.4.1. Automatically adding the host keys and host certificates of a server to PSM
11.4.2. Manually adding the host key or host certificate of a server
11.5. Creating and editing protocol-level SSH settings
11.6. Supported encryption algorithms
12. Telnet-specific settings
12.1. Enabling TLS-encryption for Telnet connections
12.2. Creating a new authentication policy
12.3. Extracting username from Telnet connections
12.4. Creating and editing protocol-level Telnet settings
12.5. Inband destination selection in Telnet connections
13. VMware View connections
13.1. PSM deployment scenarios in a VMware environment
14. VNC-specific settings
14.1. Enabling TLS-encryption for VNC connections
14.2. Creating and editing protocol-level VNC settings
15. Browsing audit trails
15.1. Searching audit trails — the PSM connection database
15.1.1. Connection details
15.1.2. Replaying encrypted audit trails in your browser
15.1.3. Using wildcards in content search
15.1.4. Connection metadata
15.1.5. Using and managing search filters
15.2. Displaying statistics on search results
15.3. Indexing and reporting on audit-trail content
15.3.1. Configuring full-text indexing of audit trails
15.3.2. Monitoring the status of the indexer services
15.3.3. Creating reports from audit trail content
16. Viewing session information and replaying audit trails
16.1. Installing and configuring Audit Player
16.1.1. Installing the Audit Player application
16.1.2. Enabling the Audit Indexing Service
16.1.3. Running Audit Player without administrator privileges
16.1.4. Running Audit Player on multicore processors
16.2. Replaying audit trails
16.2.1. Downloading audit trails from PSM
16.2.2. Replaying a session with the Audit Player
16.2.3. Replaying SCP and SFTP sessions
16.2.4. Replaying HTTP sessions
16.3. Using AP
16.3.1. Finding specific audit trails
16.3.2. Using projects
16.3.3. Replaying and processing encrypted audit trails
16.3.4. Searching in graphical streams
16.3.5. Adding a new font to the OCR database
16.3.6. Adding a new font for displaying X11 trails
16.3.7. HTTP indexing and search
16.4. Troubleshooting the Audit Player
16.4.1. Logging with the Audit Player
16.4.2. Keys and certificates
16.4.3. Keyframe building errors
17. Advanced authentication and authorization techniques
17.1. Configuring usermapping policies
17.2. Configuring gateway authentication
17.2.1. Configuring outband gateway authentication
17.2.2. Performing outband gateway authentication on PSM
17.2.3. Performing inband gateway authentication in SSH and Telnet connections
17.2.4. Performing inband gateway authentication in RDP connections
17.2.5. Troubleshooting gateway authentication
17.3. Configuring 4-eyes authorization
17.3.1. Configuring four-eyes authorization
17.3.2. Performing four-eyes authorization on PSM
17.4. Using credential stores for server-side authentication
17.4.1. Configuring local Credential Stores
17.4.2. Performing gateway authentication to RDP servers using local Credential Store and NLA
17.4.3. Configuring password-protected Credential Stores
17.4.4. Unlocking Credential Stores
17.4.5. Using Lieberman ERPM to authenticate on the target hosts
17.4.6. Using a custom Credential Store plugin to authenticate on the target hosts
17.4.7. Creating a custom Credential Store plugin
17.5. Integrating ticketing systems
17.5.1. Using a Ticketing plugin to authorize connections to the target hosts
17.5.2. Performing authentication with ticketing integration in terminal connections
17.5.3. Performing authentication with ticketing integration in Remote Desktop connections
18. Reports
18.1. Contents of the operational reports
18.2. Configuring custom reports
18.3. Creating statistics from custom database queries
18.4. Database tables available for custom queries
18.4.1. The alerting table
18.4.2. The aps table
18.4.3. The archives table
18.4.4. The audit_trail_downloads table
18.4.5. The channels table
18.4.6. The closed_connection_audit_channels view
18.4.7. The closed_not_indexed_audit_channels view
18.4.8. The connection_events view
18.4.9. The connection_occurrences view
18.4.10. The events table
18.4.11. The connections view
18.4.12. The file_xfer view
18.4.13. The http_req_resp_pair table
18.4.14. Querying trail content with the lucene-search function
18.4.15. The occurrences table
18.4.16. The progresses table
18.4.17. The results table
18.4.18. Querying trail content with the sphinx function
18.4.19. The skipped_connections table
18.4.20. The usermapped_channels view
18.5. Generating partial reports
19.1. Requirements for using the RPC API
19.2. RPC client requirements
19.3. Locking PSM configuration from the RPC API
19.4. Documentation of the RPC API
19.5. Enabling RPC API access to PSM
20. Best practices and configuration examples
20.1. Configuring public-key authentication on PSM
20.1.1. Configuring public-key authentication using local keys
20.1.2. Configuring public-key authentication using an LDAP server and a fixed key
20.1.3. Configuring public-key authentication using an LDAP server and generated keys
20.2. Organizing connections in Bastion mode
20.2.1. Organizing connections based on port numbers
20.2.2. Organizing connections based on alias IP addresses
20.2.3. Accessing the PSM host in Bastion mode using SSH
20.3. Configuring nontransparent Bastion mode
20.4. Using nontransparent Bastion mode
20.4.1. Using inband destination selection with PuTTY
20.4.2. Using inband destination selection with OpenSSH
20.4.3. Using inband selection and nonstandard ports with PuTTY
20.4.4. Using inband selection and nonstandard ports with OpenSSH
20.4.5. Using inband destination selection and gateway authentication with PuTTY
20.4.6. Using inband destination selection and gateway authentication with OpenSSH
21. PSM scenarios
21.1. SSH usermapping and keymapping in AD with public key
22. Troubleshooting PSM
22.1. Network troubleshooting
22.2. Gathering data about system problems
22.3. Viewing logs on PSM
22.4. Changing log verbosity level of PSM
22.5. Collecting logs and system information for error reporting
22.6. Status history and statistics
22.6.1. Displaying custom connection statistics
22.7. Troubleshooting a PSM cluster
22.7.1. Understanding PSM cluster statuses
22.7.2. Recovering PSM if both nodes broke down
22.7.3. Recovering from a split brain situation
22.7.4. Replacing an HA node in a PSM cluster
22.7.5. Resolving an IP conflict between cluster nodes
22.8. Understanding PSM RAID status
22.9. Restoring PSM configuration and data
A. Package contents inventory
B. Balabit’s Privileged Session Management, Shell Control Box Hardware Installation Guide
B.1. Installing the PSM hardware
B.2. Installing two PSM units in HA mode
C. Hardware specifications
D. Balabit’s Privileged Session Management, Shell Control Box Software Installation Guide
D.1. Installing the PSM software
E. Balabit’s Privileged Session Management, Shell Control Box VMware Installation Guide
E.1. Limitations of PSM under VMware
E.2. Installing PSM under VMware ESXi/ESX
E.3. Modifying the virtual disk size under VMware
F. Balabit’s Privileged Session Management, Shell Control Box Hyper-V Installation Guide
F.1. Limitations of PSM under Hyper-V
F.2. Installing PSM under Hyper-V
G. Configuring external devices
G.1. Configuring advanced routing on Linux
G.2. Configuring advanced routing on Cisco routers
G.3. Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls
H. Using SCP with agent-forwarding
I. Security checklist for configuring PSM
J. Licenses
List of PSM web interface labels