The Balabit’s Privileged Session Management, Shell Control Box 5 LTS Administrator Guide

Copyright © 2018 Balabit, a One Identity business. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balabit.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

The Balabit™ name and the Balabit™ logo are registered trademarks of Balabit SA.

The Balabit Shell Control Box™ name and the Balabit Shell Control Box™ logo are registered trademarks of Balabit.

Citrix®, ICA® and XenApp™ are trademarks or registered trademarks of Citrix Systems, Inc.

Linux™ is a registered trademark of Linus Torvalds.

Sun™, Sun Microsystems™, the Sun logo, Sun Fire 4140™, Sun Fire 2100™, Sun Fire 2200™, Sun Fire 4540™, and Sun StorageTek™ are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of Balabit.

VMware™, VMware ESX™ and VMware View™ are trademarks or registered trademarks of VMware, Inc. and/or its affiliates.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008, 7, 8, and Server 2012 are registered trademarks of Microsoft Corporation.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaSys IT Ltd.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER. Balabit is not responsible for any third-party websites mentioned in this document. Balabit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balabit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( This product includes cryptographic software written by Eric Young ([email protected])

This product includes open source software components. For details on the licenses and availability of these software components, see Appendix E, Open source licenses.

March 01, 2018

Administrator Guide for Balabit’s Privileged Session Management, Shell Control Box (PSM, formerly called SCB)

Table of Contents

1. Summary of contents
2. Contact and support information
2.1. Sales contact
2.2. Support contact
2.3. Training
3. About this document
3.1. Summary of changes
3.2. Feedback
1. Introduction
1.1. What PSM is
1.2. What PSM is not
1.3. Why is PSM needed?
1.4. Who uses PSM?
2. The concepts of PSM
2.1. The philosophy of PSM
2.2. Policies
2.3. Credential Stores
2.4. Plugin framework
2.5. Indexing
2.6. Supported protocols and client applications
2.7. Modes of operation
2.7.1. Transparent mode
2.7.2. Single-interface transparent mode
2.7.3. Non-transparent mode
2.7.4. Inband destination selection
2.8. Connecting to a server through PSM
2.8.1. Connecting to a server through PSM using SSH
2.8.2. Connecting to a server through PSM using RDP
2.8.3. Connecting to a server through PSM using an RD Gateway
2.9. Maximizing the scope of auditing
2.10. IPv6 in PSM
2.11. SSH hostkeys
2.12. Authenticating clients using public-key authentication in SSH
2.13. The gateway authentication process
2.14. Four-eyes authorization
2.15. Network interfaces
2.16. High Availability support in PSM
2.16.1. Firmware and high availability
2.17. Versions and releases of SCB
2.18. Accessing and configuring PSM
2.19. Licenses
2.19.1. Licensing benefits
2.19.2. Licensing model
2.19.3. License types
2.19.4. Licensing examples
3. The Welcome Wizard and the first login
3.1. The initial connection to PSM
3.1.1. Creating an alias IP address (Microsoft Windows)
3.1.2. Creating an alias IP address (Linux)
3.1.3. Modifying the IP address of PSM
3.1.4. Accessing the Welcome Wizard from a non-standard interface
3.2. Configuring PSM with the Welcome Wizard
3.3. Logging in to PSM and configuring the first connection
4. Basic settings
4.1. Supported web browsers and operating systems
4.2. The structure of the web interface
4.2.1. Elements of the main workspace
4.2.2. Multiple users and locking
4.2.3. Web interface timeout
4.2.4. Preferences
4.3. Network settings
4.3.1. Configuring user and administrator login addresses
4.3.2. Managing logical interfaces
4.3.3. Routing uncontrolled traffic between logical interfaces
4.3.4. Configuring the routing table
4.4. Configuring date and time
4.5. System logging, SNMP and e-mail alerts
4.5.1. Configuring system logging
4.5.2. Configuring e-mail alerts
4.5.3. Configuring SNMP alerts
4.5.4. Querying PSM status information using agents
4.5.5. Customize system logging in PSM
4.6. Configuring system monitoring on PSM
4.6.1. Configuring monitoring
4.6.2. Health monitoring
4.6.3. Preventing disk space fill up
4.6.4. System related traps
4.6.5. Traffic related traps
4.7. Data and configuration backups
4.7.1. Creating a backup policy using Rsync over SSH
4.7.2. Creating a backup policy using SMB/CIFS
4.7.3. Creating a backup policy using NFS
4.7.4. Creating configuration backups
4.7.5. Creating data backups
4.7.6. Encrypting configuration backups with GPG
4.8. Archiving and cleanup
4.8.1. Creating a cleanup policy
4.8.2. Creating an archive policy using SMB/CIFS
4.8.3. Creating an archive policy using NFS
4.8.4. Archiving or cleaning up the collected data
5. User management and access control
5.1. Managing PSM users locally
5.1.1. Creating local users in PSM
5.1.2. Deleting a local user from PSM
5.2. Setting password policies for local users
5.3. Managing local usergroups
5.4. Managing PSM users from an LDAP database
5.5. Authenticating users to a RADIUS server
5.6. Authenticating users with X.509 certificates
5.7. Managing user rights and usergroups
5.7.1. Assigning privileges to usergroups for the PSM web interface
5.7.2. Modifying group privileges
5.7.3. Finding specific usergroups
5.7.4. How to use usergroups
5.7.5. Built-in usergroups of PSM
5.8. Listing and searching configuration changes
5.8.1. Using the internal search interface
5.9. Displaying the privileges of users and user groups
6. Managing PSM
6.1. Controlling PSM — reboot, shutdown
6.1.1. Disabling controlled traffic
6.1.2. Disabling controlled traffic permanently
6.2. Managing a high availability PSM cluster
6.2.1. Adjusting the synchronization speed
6.2.2. Redundant heartbeat interfaces
6.2.3. Next-hop router monitoring
6.3. Upgrading PSM
6.3.1. Upgrade checklist
6.3.2. Upgrading PSM (single node)
6.3.3. Upgrading a PSM cluster
6.3.4. Troubleshooting
6.3.5. Exporting the configuration of PSM
6.3.6. Importing the configuration of PSM
6.4. Managing the PSM license
6.4.1. Updating the PSM license
6.5. Accessing the PSM console
6.5.1. Using the console menu of PSM
6.5.2. Enabling SSH access to the PSM host
6.5.3. Changing the root password of PSM
6.5.4. Firmware update using SSH
6.5.5. Exporting and importing the configuration of PSM using the console
6.6. Sealed mode
6.6.1. Disabling sealed mode
6.7. Out-of-band management of PSM
6.7.1. Configuring the IPMI interface
6.8. Managing the certificates used on PSM
6.8.1. Generating certificates for PSM
6.8.2. Uploading external certificates to PSM
6.8.3. Generating TSA certificate with Windows Certificate Authority on Windows Server 2008
6.8.4. Generating TSA certificate with Windows Certificate Authority on Windows Server 2012
7. General connection settings
7.1. Configuring connections
7.2. Modifying the destination address
7.3. Configuring inband destination selection
7.4. Modifying the source address
7.5. Creating and editing channel policies
7.6. Real-time content monitoring with Content Policies
7.6.1. Creating a new content policy
7.7. Configuring time policies
7.8. Creating and editing user lists
7.9. Authenticating users to an LDAP server
7.10. Audit policies
7.10.1. Encrypting audit trails
7.10.2. Timestamping audit trails with built-in timestamping service
7.10.3. Timestamping audit trails with external timestamping service
7.10.4. Digitally signing audit trails
7.11. Verifying certificates with Certificate Authorities
7.12. Signing certificates on-the-fly
7.13. Creating a Local User Database
7.14. Configuring cleanup for the PSM connection database
8. HTTP-specific settings
8.1. Limitations in handling HTTP connections
8.2. Authentication in HTTP and HTTPS
8.3. Setting up HTTP connections
8.3.1. Setting up a transparent HTTP connection
8.3.2. Enabling PSM to act as a HTTP proxy
8.3.3. Enabling SSL encryption in HTTP
8.3.4. Configuring half-sided SSL encryption in HTTP
8.4. Session-handling in HTTP
8.5. Creating and editing protocol-level HTTP settings
9. ICA-specific settings
9.1. Setting up ICA connections
9.2. Supported ICA channel types
9.3. Creating and editing protocol-level ICA settings
9.4. PSM deployment scenarios in a Citrix environment
9.5. Troubleshooting Citrix-related problems
10. RDP-specific settings
10.1. Supported RDP channel types
10.2. Creating and editing protocol-level RDP settings
10.3. Network Level Authentication (NLA) with PSM
10.3.1. Network Level Authentication (NLA) with domain membership
10.3.2. Using PSM across multiple domains
10.3.3. Network Level Authentication without domain membership
10.4. Using SSL-encrypted RDP connections
10.5. Verifying the certificate of the RDP server in encrypted connections
10.6. Using PSM as a Remote Desktop Gateway
10.7. Configuring Remote Desktop clients for gateway authentication
10.8. Inband destination selection in RDP connections
10.9. Usernames in RDP connections
10.10. Saving login credentials for RDP on Windows
10.11. Configuring RemoteApps
11. SSH-specific settings
11.1. Setting the SSH host keys and certificates of the connection
11.2. Supported SSH channel types
11.3. Authentication Policies
11.3.1. Creating a new authentication policy
11.3.2. Client-side authentication settings
11.3.3. Relayed authentication methods
11.3.4. Configuring your Kerberos environment
11.3.5. Kerberos authentication settings
11.4. Server host keys and certificates
11.4.1. Automatically adding the host keys and host certificates of a server to PSM
11.4.2. Manually adding the host key or host certificate of a server
11.5. Creating and editing protocol-level SSH settings
11.6. Supported encryption algorithms
12. Telnet-specific settings
12.1. Enabling TLS-encryption for Telnet connections
12.2. Creating a new authentication policy
12.3. Extracting username from Telnet connections
12.4. Creating and editing protocol-level Telnet settings
12.5. Inband destination selection in Telnet connections
13. VMware Horizon View connections
13.1. PSM deployment scenarios in a VMware environment
14. VNC-specific settings
14.1. Enabling TLS-encryption for VNC connections
14.2. Creating and editing protocol-level VNC settings
15. Indexing audit trails
15.1. Configuring the internal indexer
15.2. Configuring external indexers
15.2.1. Prerequisites and limitations
15.2.2. Hardware requirements for the external indexer host
15.2.3. Configuring PSM to use external indexers
15.2.4. Installing the external indexer
15.2.5. Configuring the external indexer
15.2.6. Uploading decryption keys to the external indexer
15.2.7. Customizing the indexing of HTTP traffic
15.2.8. Starting the external indexer
15.2.9. Disabling indexing on PSM
15.2.10. Managing the indexers
15.2.11. Troubleshooting external indexers
15.3. Monitoring the status of the indexer services
15.4. HTTP indexer configuration format
16. Browsing and replaying audit trails on PSM
16.1. Searching audit trails — the PSM connection database
16.1.1. Connection details
16.1.2. Replaying audit trails in your browser
16.1.3. Replaying encrypted audit trails in your browser
16.1.4. Using the content search
16.1.5. Connection metadata
16.1.6. Using and managing search filters
16.1.7. The search and filter process
16.2. Displaying statistics on search results
17. Advanced authentication and authorization techniques
17.1. Configuring usermapping policies
17.2. Configuring gateway authentication
17.2.1. Configuring out-of-band gateway authentication
17.2.2. Performing out-of-band gateway authentication on PSM
17.2.3. Performing inband gateway authentication in SSH and Telnet connections
17.2.4. Performing inband gateway authentication in RDP connections
17.2.5. Troubleshooting gateway authentication
17.3. Configuring 4-eyes authorization
17.3.1. Configuring four-eyes authorization
17.3.2. Performing four-eyes authorization on PSM
17.4. Using credential stores for server-side authentication
17.4.1. Configuring local Credential Stores
17.4.2. Performing gateway authentication to RDP servers using local Credential Store and NLA
17.4.3. Configuring password-protected Credential Stores
17.4.4. Unlocking Credential Stores
17.4.5. Using Lieberman ERPM to authenticate on the target hosts
17.4.6. Using a custom Credential Store plugin to authenticate on the target hosts
17.4.7. Creating a custom Credential Store plugin
17.5. Integrating ticketing systems
17.5.1. Performing authentication with ticketing integration in terminal connections
17.5.2. Performing authentication with ticketing integration in Remote Desktop connections
17.6. Integrating external authentication and authorization systems
17.6.1. How Authentication and Authorization plugins work
17.6.2. Authorizing connections to the target hosts with a PSM plugin
17.6.3. Performing authentication with AA plugin in terminal connections
17.6.4. Performing authentication with AA plugin in Remote Desktop connections
18. Reports
18.1. Contents of the operational reports
18.2. Configuring custom reports
18.3. Creating reports from audit trail content
18.4. Creating statistics from custom database queries
18.5. Database tables available for custom queries
18.5.1. The alerting table
18.5.2. The aps table
18.5.3. The archives table
18.5.4. The audit_trail_downloads table
18.5.5. The channels table
18.5.6. The closed_connection_audit_channels view
18.5.7. The closed_not_indexed_audit_channels view
18.5.8. The connection_events view
18.5.9. The connection_occurrences view
18.5.10. The connections view
18.5.11. The events table
18.5.12. The file_xfer table
18.5.13. The http_req_resp_pair table
18.5.14. The indexer_jobs table
18.5.15. The occurrences table
18.5.16. The progresses table
18.5.17. The results table
18.5.18. The skipped_connections table
18.5.19. The usermapped_channels view
18.5.20. Querying trail content with the lucene-search function
18.6. Generating partial reports
18.7. Creating PCI DSS reports
18.8. Contents of PCI DSS reports
19.1. Requirements for using the RPC API
19.2. RPC client requirements
19.3. Locking PSM configuration from the RPC API
19.4. Documentation of the RPC API
19.5. Enabling RPC API access to PSM
21. PSM scenarios
21.1. Configuring public-key authentication on PSM
21.1.1. Configuring public-key authentication using local keys
21.1.2. Configuring public-key authentication using an LDAP server and a fixed key
21.1.3. Configuring public-key authentication using an LDAP server and generated keys
21.2. Organizing connections in non-transparent mode
21.2.1. Organizing connections based on port numbers
21.2.2. Organizing connections based on alias IP addresses
21.3. Using inband destination selection in SSH connections
21.3.1. Using inband destination selection with PuTTY
21.3.2. Using inband destination selection with OpenSSH
21.3.3. Using inband selection and nonstandard ports with PuTTY
21.3.4. Using inband selection and nonstandard ports with OpenSSH
21.3.5. Using inband destination selection and gateway authentication with PuTTY
21.3.6. Using inband destination selection and gateway authentication with OpenSSH
21.4. SSH usermapping and keymapping in AD with public key
22. Troubleshooting PSM
22.1. Network troubleshooting
22.2. Gathering data about system problems
22.3. Viewing logs on PSM
22.4. Changing log verbosity level of PSM
22.5. Collecting logs and system information for error reporting
22.6. Status history and statistics
22.6.1. Connection statistics
22.6.2. Memory
22.6.3. Disk
22.6.4. CPU
22.6.5. Network connections
22.6.6. Interface
22.6.7. Load average
22.6.8. Number of processes
22.6.9. Displaying custom connection statistics
22.7. Troubleshooting a PSM cluster
22.7.1. Understanding PSM cluster statuses
22.7.2. Recovering PSM if both nodes broke down
22.7.3. Recovering from a split brain situation
22.7.4. Replacing a HA node in a PSM cluster
22.7.5. Resolving an IP conflict between cluster nodes
22.8. Understanding PSM RAID status
22.9. Restoring PSM configuration and data
22.10. VNC is not working with TLS
A. Configuring external devices
A.1. Configuring advanced routing on Linux
A.2. Configuring advanced routing on Cisco routers
A.3. Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls
B. Using SCP with agent-forwarding
C. Security checklist for configuring PSM
D. Jumplists for in-product help
D.1. Basic Settings > Management
D.2. Basic Settings > Local Services
D.3. Basic Settings > System
D.4. <Protocol name> Control > Global Options
E. Open source licenses
E.1. GNU General Public License v2
E.1.1. Preamble
E.1.3. How to Apply These Terms to Your New Programs
E.2. GNU Lesser General Public License version 3
E.3. GNU Lesser General Public License v2.1
E.3.1. Preamble
E.3.3. How to Apply These Terms to Your New Libraries
E.4. GNU Library General Public License version 2
E.4.2. Preamble
E.4.5. How to Apply These Terms to Your New Libraries
E.5. License attributions
List of PSM web interface labels