Balabit’s Privileged Session Management, Shell Control Box 5 F3 Administrator Guide

Copyright © 2017 Balabit SA. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balabit.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product uses the Botan cryptographic library. The library was released under the BSD-2 license. For details about the Botan license, see Botan cryptographic library license.

The Balabit™ name and the Balabit™ logo are registered trademarks of Balabit SA.

The Balabit Shell Control Box™ name and the Balabit Shell Control Box™ logo are registered trademarks of Balabit.

Citrix®, ICA® and XenApp™ are trademarks or registered trademarks of Citrix Systems, Inc.

Linux™ is a registered trademark of Linus Torvalds.

Sun™, Sun Microsystems™, the Sun logo, Sun Fire 4140™, Sun Fire 2100™, Sun Fire 2200™, Sun Fire 4540™, and Sun StorageTek™ are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of Balabit.

VMware™, VMware ESX™ and VMware View™ are trademarks or registered trademarks of VMware, Inc. and/or its affiliates.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008, 7, 8, and Server 2012 are registered trademarks of Microsoft Corporation.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaSys IT Ltd.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER. Balabit is not responsible for any third-party websites mentioned in this document. Balabit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balabit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

Botan cryptographic library license. 

Botan (http://botan.randombit.net/) is distributed under these terms:

Copyright ©

  • 1999-2013,2014 Jack Lloyd

  • 2001 Peter J Jones

  • 2004-2007 Justin Karneges

  • 2004 Vaclav Ovsik

  • 2005 Matthew Gregan

  • 2005-2006 Matt Johnston

  • 2006 Luca Piccarreta

  • 2007 Yves Jerschow

  • 2007-2008 FlexSecure GmbH

  • 2007-2008 Technische Universitat Darmstadt

  • 2007-2008 Falko Strenzke

  • 2007-2008 Martin Doering

  • 2007 Manuel Hartl

  • 2007 Christoph Ludwig

  • 2007 Patrick Sona

  • 2010 Olivier de Gaalon

  • 2012 Vojtech Kral

  • 2012-2014 Markus Wanner

  • 2013 Joel Low

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF USE, DATA, OR PROFITS, OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

October 18, 2017

Administrator Guide for Balabit’s Privileged Session Management, Shell Control Box (PSM, formerly called SCB)


Table of Contents

Preface
1. Summary of contents
2. Contact and support information
2.1. Sales contact
2.2. Support contact
2.3. Training
3. About this document
3.1. Summary of changes
3.2. Feedback
1. Introduction
2. The concepts of PSM
2.1. The philosophy of PSM
2.2. Policies
2.3. Credential Stores
2.4. Plugin framework
2.5. Indexing
2.6. Supported protocols and client applications
2.7. Modes of operation
2.7.1. Transparent mode
2.7.2. Single-interface transparent mode
2.7.3. Non-transparent mode
2.7.4. Inband destination selection
2.8. Connecting to a server through PSM
2.8.1. Connecting to a server through PSM using SSH
2.8.2. Connecting to a server through PSM using RDP
2.8.3. Connecting to a server through PSM using an RD Gateway
2.9. Maximizing the scope of auditing
2.10. IPv6 in PSM
2.11. SSH hostkeys
2.12. Authenticating clients using public-key authentication in SSH
2.13. The gateway authentication process
2.14. Four-eyes authorization
2.15. Network interfaces
2.16. High Availability support in PSM
2.16.1. Firmware and high availability
2.17. Versions and releases of PSM
2.18. Accessing and configuring PSM
2.19. Licenses
2.19.1. Licensing benefits
2.19.2. Licensing model
2.19.3. License types
2.19.4. Licensing examples
3. The Welcome Wizard and the first login
3.1. The initial connection to PSM
3.1.1. Creating an alias IP address (Microsoft Windows)
3.1.2. Creating an alias IP address (Linux)
3.1.3. Modifying the IP address of PSM
3.1.4. Accessing the Welcome Wizard from a non-standard interface
3.2. Configuring PSM with the Welcome Wizard
3.3. Logging in to PSM and configuring the first connection
4. Basic settings
4.1. Supported web browsers and operating systems
4.2. The structure of the web interface
4.2.1. Elements of the main workspace
4.2.2. Multiple users and locking
4.2.3. Web interface timeout
4.2.4. Preferences
4.3. Network settings
4.3.1. Configuring user and administrator login addresses
4.3.2. Managing logical interfaces
4.3.3. Routing uncontrolled traffic between logical interfaces
4.3.4. Configuring the routing table
4.4. Configuring date and time
4.5. System logging, SNMP and e-mail alerts
4.5.1. Configuring system logging
4.5.2. Configuring e-mail alerts
4.5.3. Configuring SNMP alerts
4.5.4. Querying PSM status information using agents
4.5.5. Customize system logging in PSM
4.6. Configuring system monitoring on PSM
4.6.1. Configuring monitoring
4.6.2. Health monitoring
4.6.3. Preventing disk space fill up
4.6.4. System related traps
4.6.5. Traffic related traps
4.7. Data and configuration backups
4.7.1. Creating a backup policy using Rsync over SSH
4.7.2. Creating a backup policy using SMB/CIFS
4.7.3. Creating a backup policy using NFS
4.7.4. Creating configuration backups
4.7.5. Creating data backups
4.7.6. Encrypting configuration backups with GPG
4.8. Archiving and cleanup
4.8.1. Creating a cleanup policy
4.8.2. Creating an archive policy using SMB/CIFS
4.8.3. Creating an archive policy using NFS
4.8.4. Archiving or cleaning up the collected data
5. User management and access control
5.1. Managing PSM users locally
5.1.1. Creating local users in PSM
5.1.2. Deleting a local user from PSM
5.2. Setting password policies for local users
5.3. Managing local usergroups
5.4. Managing PSM users from an LDAP database
5.5. Authenticating users to a RADIUS server
5.6. Authenticating users with X.509 certificates
5.7. Managing user rights and usergroups
5.7.1. Assigning privileges to usergroups for the PSM web interface
5.7.2. Modifying group privileges
5.7.3. Finding specific usergroups
5.7.4. How to use usergroups
5.7.5. Built-in usergroups of PSM
5.8. Listing and searching configuration changes
5.8.1. Using the internal search interface
5.9. Displaying the privileges of users and user groups
6. Managing PSM
6.1. Controlling PSM — reboot, shutdown
6.1.1. Disabling controlled traffic
6.1.2. Disabling controlled traffic permanently
6.2. Managing a high availability PSM cluster
6.2.1. Adjusting the synchronization speed
6.2.2. Redundant heartbeat interfaces
6.2.3. Next-hop router monitoring
6.3. Upgrading PSM
6.3.1. Upgrade checklist
6.3.2. Upgrading PSM (single node)
6.3.3. Upgrading a PSM cluster
6.3.4. Troubleshooting
6.3.5. Reverting to an older firmware version
6.3.6. Exporting the configuration of PSM
6.3.7. Importing the configuration of PSM
6.4. Managing the PSM license
6.4.1. Updating the PSM license
6.5. Accessing the PSM console
6.5.1. Using the console menu of PSM
6.5.2. Enabling SSH access to the PSM host
6.5.3. Changing the root password of PSM
6.5.4. Firmware update using SSH
6.5.5. Exporting and importing the configuration of PSM using the console
6.6. Sealed mode
6.6.1. Disabling sealed mode
6.7. Out-of-band management of PSM
6.7.1. Configuring the IPMI interface from the console
6.7.2. Configuring the IPMI interface from the BIOS
6.8. Managing the certificates used on PSM
6.8.1. Generating certificates for PSM
6.8.2. Uploading external certificates to PSM
6.8.3. Generating TSA certificate with Windows Certificate Authority on Windows Server 2008
6.8.4. Generating TSA certificate with Windows Certificate Authority on Windows Server 2012
7. General connection settings
7.1. Configuring connections
7.2. Modifying the destination address
7.3. Configuring inband destination selection
7.4. Modifying the source address
7.5. Creating and editing channel policies
7.6. Real-time content monitoring with Content Policies
7.6.1. Creating a new content policy
7.7. Configuring time policies
7.8. Creating and editing user lists
7.9. Authenticating users to an LDAP server
7.10. Audit policies
7.10.1. Encrypting audit trails
7.10.2. Timestamping audit trails with built-in timestamping service
7.10.3. Timestamping audit trails with external timestamping service
7.10.4. Digitally signing audit trails
7.11. Verifying certificates with Certificate Authorities
7.12. Signing certificates on-the-fly
7.13. Creating a Local User Database
7.14. Configuring cleanup for the PSM connection database
8. HTTP-specific settings
8.1. Limitations in handling HTTP connections
8.2. Authentication in HTTP and HTTPS
8.3. Setting up HTTP connections
8.3.1. Setting up a transparent HTTP connection
8.3.2. Enabling PSM to act as a HTTP proxy
8.3.3. Enabling SSL encryption in HTTP
8.3.4. Configuring half-sided SSL encryption in HTTP
8.4. Session-handling in HTTP
8.5. Creating and editing protocol-level HTTP settings
9. ICA-specific settings
9.1. Setting up ICA connections
9.2. Supported ICA channel types
9.3. Creating and editing protocol-level ICA settings
9.4. PSM deployment scenarios in a Citrix environment
9.5. Troubleshooting Citrix-related problems
10. RDP-specific settings
10.1. Supported RDP channel types
10.2. Creating and editing protocol-level RDP settings
10.3. Network Level Authentication (NLA) with PSM
10.3.1. Network Level Authentication (NLA) with domain membership
10.3.2. Using PSM across multiple domains
10.3.3. Network Level Authentication without domain membership
10.4. Using SSL-encrypted RDP connections
10.5. Verifying the certificate of the RDP server in encrypted connections
10.6. Enabling TLS-encryption for RDP connections
10.7. Using PSM as a Remote Desktop Gateway
10.8. Configuring Remote Desktop clients for gateway authentication
10.9. Inband destination selection in RDP connections
10.10. Usernames in RDP connections
10.11. Saving login credentials for RDP on Windows
10.12. Configuring RemoteApps
11. SSH-specific settings
11.1. Setting the SSH host keys and certificates of the connection
11.2. Supported SSH channel types
11.3. Authentication Policies
11.3.1. Creating a new authentication policy
11.3.2. Client-side authentication settings
11.3.3. Relayed authentication methods
11.3.4. Configuring your Kerberos environment
11.3.5. Kerberos authentication settings
11.4. Server host keys and certificates
11.4.1. Automatically adding the host keys and host certificates of a server to PSM
11.4.2. Manually adding the host key or host certificate of a server
11.5. Creating and editing protocol-level SSH settings
11.6. Supported encryption algorithms
12. Telnet-specific settings
12.1. Enabling TLS-encryption for Telnet connections
12.2. Creating a new authentication policy
12.3. Extracting username from Telnet connections
12.4. Creating and editing protocol-level Telnet settings
12.5. Inband destination selection in Telnet connections
12.6. Limitations of using TN5250 protocol with IBM iSeries Access for Windows
13. VMware Horizon View connections
13.1. PSM deployment scenarios in a VMware environment
14. VNC-specific settings
14.1. Enabling TLS-encryption for VNC connections
14.2. Creating and editing protocol-level VNC settings
15. Indexing audit trails
15.1. Configuring the internal indexer
15.2. Configuring external indexers
15.2.1. Prerequisites and limitations
15.2.2. Hardware requirements for the external indexer host
15.2.3. Configuring PSM to use external indexers
15.2.4. Installing the external indexer
15.2.5. Configuring the external indexer
15.2.6. Uploading decryption keys to the external indexer
15.2.7. Customizing the indexing of HTTP traffic
15.2.8. Starting the external indexer
15.2.9. Disabling indexing on PSM
15.2.10. Managing the indexers
15.2.11. Troubleshooting external indexers
15.3. Monitoring the status of the indexer services
15.4. HTTP indexer configuration format
16. Browsing and replaying audit trails on PSM
16.1. Searching audit trails — the PSM connection database
16.1.1. Connection details
16.1.2. Replaying audit trails in your browser
16.1.3. Replaying encrypted audit trails in your browser
16.1.4. Using the content search
16.1.5. Connection metadata
16.1.6. Using and managing search filters
16.1.7. The search and filter process
16.2. Displaying statistics on search results
17. Replaying audit trails with Audit Player
17.1. Installing and configuring Audit Player
17.1.1. Installing the Audit Player application
17.1.2. Running Audit Player without administrator privileges
17.1.3. Running Audit Player on multicore processors
17.2. Replaying audit trails
17.2.1. Downloading audit trails from PSM
17.2.2. Replaying a session with the Audit Player
17.2.3. Replaying SCP and SFTP sessions
17.2.4. Replaying HTTP sessions
17.3. Using AP
17.3.1. Finding specific audit trails
17.3.2. Using projects
17.3.3. Replaying and processing encrypted audit trails
17.3.4. Searching in graphical streams
17.3.5. Adding a new font to the OCR database
17.3.6. Adding a new font for displaying X11 trails
17.3.7. HTTP indexing and search
17.4. Troubleshooting the Audit Player
17.4.1. Logging with the Audit Player
18. Advanced authentication and authorization techniques
18.1. Configuring usermapping policies
18.2. Configuring gateway authentication
18.2.1. Configuring out-of-band gateway authentication
18.2.2. Performing out-of-band gateway authentication on PSM
18.2.3. Performing inband gateway authentication in SSH and Telnet connections
18.2.4. Performing inband gateway authentication in RDP connections
18.2.5. Troubleshooting gateway authentication
18.3. Configuring 4-eyes authorization
18.3.1. Configuring four-eyes authorization
18.3.2. Performing four-eyes authorization on PSM
18.4. Using credential stores for server-side authentication
18.4.1. Configuring local Credential Stores
18.4.2. Performing gateway authentication to RDP servers using local Credential Store and NLA
18.4.3. Configuring password-protected Credential Stores
18.4.4. Unlocking Credential Stores
18.4.5. Using Lieberman ERPM to authenticate on the target hosts
18.4.6. Using a custom Credential Store plugin to authenticate on the target hosts
18.5. Integrating external authentication and authorization systems
18.5.1. How Authentication and Authorization plugins work
18.5.2. Authorizing connections to the target hosts with a PSM plugin
18.5.3. Performing authentication with AA plugin in terminal connections
18.5.4. Performing authentication with AA plugin in Remote Desktop connections
18.5.5. Integrating ticketing systems
18.6. Creating a custom plugin
18.6.1. The available Python environment
18.6.2. File structure of a plugin
18.6.3. Plugin versioning
18.6.4. Troubleshooting plugins
19. Reports
19.1. Contents of the operational reports
19.2. Configuring custom reports
19.3. Creating reports from audit trail content
19.4. Creating statistics from custom database queries
19.5. Database tables available for custom queries
19.5.1. The alerting table
19.5.2. The aps table
19.5.3. The archives table
19.5.4. The audit_trail_downloads table
19.5.5. The channels table
19.5.6. The closed_connection_audit_channels view
19.5.7. The closed_not_indexed_audit_channels view
19.5.8. The connection_events view
19.5.9. The connection_occurrences view
19.5.10. The connections view
19.5.11. The events table
19.5.12. The file_xfer table
19.5.13. The http_req_resp_pair table
19.5.14. The indexer_jobs table
19.5.15. The occurrences table
19.5.16. The progresses table
19.5.17. The results table
19.5.18. The skipped_connections table
19.5.19. The usermapped_channels view
19.5.20. Querying trail content with the lucene-search function
19.6. Generating partial reports
19.7. Creating PCI DSS reports
19.8. Contents of PCI DSS reports
20. The PSM RPC API
20.1. Requirements for using the RPC API
20.2. RPC client requirements
20.3. Locking PSM configuration from the RPC API
20.4. Documentation of the RPC API
20.5. Enabling RPC API access to PSM
21. The PSM REST API
22. PSM scenarios
22.1. Configuring public-key authentication on PSM
22.1.1. Configuring public-key authentication using local keys
22.1.2. Configuring public-key authentication using an LDAP server and a fixed key
22.1.3. Configuring public-key authentication using an LDAP server and generated keys
22.2. Organizing connections in non-transparent mode
22.2.1. Organizing connections based on port numbers
22.2.2. Organizing connections based on alias IP addresses
22.3. Using inband destination selection in SSH connections
22.3.1. Using inband destination selection with PuTTY
22.3.2. Using inband destination selection with OpenSSH
22.3.3. Using inband selection and nonstandard ports with PuTTY
22.3.4. Using inband selection and nonstandard ports with OpenSSH
22.3.5. Using inband destination selection and gateway authentication with PuTTY
22.3.6. Using inband destination selection and gateway authentication with OpenSSH
22.4. SSH usermapping and keymapping in AD with public key
23. Troubleshooting PSM
23.1. Network troubleshooting
23.2. Gathering data about system problems
23.3. Viewing logs on PSM
23.4. Changing log verbosity level of PSM
23.5. Collecting logs and system information for error reporting
23.6. Status history and statistics
23.6.1. Displaying custom connection statistics
23.7. Troubleshooting a PSM cluster
23.7.1. Understanding PSM cluster statuses
23.7.2. Recovering PSM if both nodes broke down
23.7.3. Recovering from a split brain situation
23.7.4. Replacing a HA node in a PSM cluster
23.7.5. Resolving an IP conflict between cluster nodes
23.8. Understanding PSM RAID status
23.9. Restoring PSM configuration and data
23.10. VNC is not working with TLS
23.11. Configuring the IPMI interface from the BIOS after losing IPMI password
A. Configuring external devices
A.1. Configuring advanced routing on Linux
A.2. Configuring advanced routing on Cisco routers
A.3. Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls
B. Using SCP with agent-forwarding
C. Security checklist for configuring PSM
D. Jumplists for in-product help
D.1. Basic Settings > Management
D.2. Basic Settings > Local Services
D.3. Basic Settings > System
D.4. <Protocol name> Control > Global Options
E. Licenses
F. END USER LICENSE AGREEMENT FOR BALABIT PRODUCT (EULA)
Glossary
Index
List of PSM web interface labels

List of Procedures

2.8.1. Connecting to a server through PSM using SSH
2.8.2. Connecting to a server through PSM using RDP
2.8.3. Connecting to a server through PSM using an RD Gateway
2.13. The gateway authentication process
2.14. Four-eyes authorization
3.1.1. Creating an alias IP address (Microsoft Windows)
3.1.2. Creating an alias IP address (Linux)
3.1.3. Modifying the IP address of PSM
3.1.4. Accessing the Welcome Wizard from a non-standard interface
3.2. Configuring PSM with the Welcome Wizard
3.3. Logging in to PSM and configuring the first connection
4.3.1. Configuring user and administrator login addresses
4.3.2. Managing logical interfaces
4.3.3. Routing uncontrolled traffic between logical interfaces
4.3.4. Configuring the routing table
4.4. Configuring date and time
4.5.1. Configuring system logging
4.5.2. Configuring e-mail alerts
4.5.3. Configuring SNMP alerts
4.5.4. Querying PSM status information using agents
4.6.1. Configuring monitoring
4.6.3. Preventing disk space fill up
4.7.1. Creating a backup policy using Rsync over SSH
4.7.2. Creating a backup policy using SMB/CIFS
4.7.3. Creating a backup policy using NFS
4.7.4. Creating configuration backups
4.7.5. Creating data backups
4.7.6. Encrypting configuration backups with GPG
4.8.1. Creating a cleanup policy
4.8.2. Creating an archive policy using SMB/CIFS
4.8.3. Creating an archive policy using NFS
4.8.4. Archiving or cleaning up the collected data
5.1.1. Creating local users in PSM
5.1.2. Deleting a local user from PSM
5.2. Setting password policies for local users
5.3. Managing local usergroups
5.4. Managing PSM users from an LDAP database
5.5. Authenticating users to a RADIUS server
5.6. Authenticating users with X.509 certificates
5.7.1. Assigning privileges to usergroups for the PSM web interface
5.7.2. Modifying group privileges
5.8.1.3. Customizing columns of the internal search interface
6.1.1. Disabling controlled traffic
6.1.2. Disabling controlled traffic permanently
6.2.2. Redundant heartbeat interfaces
6.2.3. Next-hop router monitoring
6.3.2. Upgrading PSM (single node)
6.3.3. Upgrading a PSM cluster
6.3.5. Reverting to an older firmware version
6.3.6. Exporting the configuration of PSM
6.3.7. Importing the configuration of PSM
6.4.1. Updating the PSM license
6.5.2. Enabling SSH access to the PSM host
6.5.3. Changing the root password of PSM
6.5.4. Firmware update using SSH
6.5.5. Exporting and importing the configuration of PSM using the console
6.6.1. Disabling sealed mode
6.7.1. Configuring the IPMI interface from the console
6.7.2. Configuring the IPMI interface from the BIOS
6.8.1. Generating certificates for PSM
6.8.2. Uploading external certificates to PSM
6.8.3. Generating TSA certificate with Windows Certificate Authority on Windows Server 2008
6.8.4. Generating TSA certificate with Windows Certificate Authority on Windows Server 2012
7.1. Configuring connections
7.2. Modifying the destination address
7.3. Configuring inband destination selection
7.4. Modifying the source address
7.5. Creating and editing channel policies
7.6.1. Creating a new content policy
7.7. Configuring time policies
7.8. Creating and editing user lists
7.9. Authenticating users to an LDAP server
7.10.1. Encrypting audit trails
7.10.2. Timestamping audit trails with built-in timestamping service
7.10.3. Timestamping audit trails with external timestamping service
7.10.4. Digitally signing audit trails
7.11. Verifying certificates with Certificate Authorities
7.12. Signing certificates on-the-fly
7.13. Creating a Local User Database
7.14. Configuring cleanup for the PSM connection database
8.3.1. Setting up a transparent HTTP connection
8.3.2. Enabling PSM to act as a HTTP proxy
8.3.3. Enabling SSL encryption in HTTP
8.3.4. Configuring half-sided SSL encryption in HTTP
8.5. Creating and editing protocol-level HTTP settings
9.3. Creating and editing protocol-level ICA settings
10.2. Creating and editing protocol-level RDP settings
10.3.1. Network Level Authentication (NLA) with domain membership
10.3.3. Network Level Authentication without domain membership
10.4. Using SSL-encrypted RDP connections
10.5. Verifying the certificate of the RDP server in encrypted connections
10.6. Enabling TLS-encryption for RDP connections
10.7. Using PSM as a Remote Desktop Gateway
10.8. Configuring Remote Desktop clients for gateway authentication
10.11. Saving login credentials for RDP on Windows
10.12. Configuring RemoteApps
11.1. Setting the SSH host keys and certificates of the connection
11.3.1. Creating a new authentication policy
11.3.2.1. Local client-side authentication
11.3.4. Configuring your Kerberos environment
11.3.5. Kerberos authentication settings
11.4.1. Automatically adding the host keys and host certificates of a server to PSM
11.4.2. Manually adding the host key or host certificate of a server
11.5. Creating and editing protocol-level SSH settings
12.1. Enabling TLS-encryption for Telnet connections
12.2. Creating a new authentication policy
12.3. Extracting username from Telnet connections
12.4. Creating and editing protocol-level Telnet settings
14.1. Enabling TLS-encryption for VNC connections
14.2. Creating and editing protocol-level VNC settings
15.1. Configuring the internal indexer
15.2.3. Configuring PSM to use external indexers
15.2.4. Installing the external indexer
15.2.5. Configuring the external indexer
15.2.6. Uploading decryption keys to the external indexer
15.2.7. Customizing the indexing of HTTP traffic
15.2.8. Starting the external indexer
15.2.9. Disabling indexing on PSM
16.1.2. Replaying audit trails in your browser
16.1.3. Replaying encrypted audit trails in your browser
16.1.6.1. Creating and saving filters for later use
16.2. Displaying statistics on search results
17.1.1. Installing the Audit Player application
17.1.2. Running Audit Player without administrator privileges
17.1.3. Running Audit Player on multicore processors
17.2.1. Downloading audit trails from PSM
17.2.2. Replaying a session with the Audit Player
17.2.3. Replaying SCP and SFTP sessions
17.2.4. Replaying HTTP sessions
17.3.3.1. Certificates and Audit Player
17.3.3.2. Converting certificates using OpenSSL
17.3.3.3. Converting certificates using Firefox
17.3.5. Adding a new font to the OCR database
17.3.6. Adding a new font for displaying X11 trails
17.4.1. Logging with the Audit Player
18.1. Configuring usermapping policies
18.2.1. Configuring out-of-band gateway authentication
18.2.2. Performing out-of-band gateway authentication on PSM
18.2.3. Performing inband gateway authentication in SSH and Telnet connections
18.2.4. Performing inband gateway authentication in RDP connections
18.3.1. Configuring four-eyes authorization
18.3.2. Performing four-eyes authorization on PSM
18.4.1. Configuring local Credential Stores
18.4.2. Performing gateway authentication to RDP servers using local Credential Store and NLA
18.4.3. Configuring password-protected Credential Stores
18.4.4. Unlocking Credential Stores
18.4.5. Using Lieberman ERPM to authenticate on the target hosts
18.4.6. Using a custom Credential Store plugin to authenticate on the target hosts
18.5.2. Authorizing connections to the target hosts with a PSM plugin
18.5.3. Performing authentication with AA plugin in terminal connections
18.5.4. Performing authentication with AA plugin in Remote Desktop connections
18.5.5.1. Performing authentication with ticketing integration in terminal connections
18.5.5.2. Performing authentication with ticketing integration in Remote Desktop connections
19.2. Configuring custom reports
19.3. Creating reports from audit trail content
19.4. Creating statistics from custom database queries
19.6. Generating partial reports
19.7. Creating PCI DSS reports
20.5. Enabling RPC API access to PSM
22.1.1. Configuring public-key authentication using local keys
22.1.2. Configuring public-key authentication using an LDAP server and a fixed key
22.1.3. Configuring public-key authentication using an LDAP server and generated keys
22.2.1. Organizing connections based on port numbers
22.2.2. Organizing connections based on alias IP addresses
22.3.1. Using inband destination selection with PuTTY
22.3.2. Using inband destination selection with OpenSSH
22.3.3. Using inband selection and nonstandard ports with PuTTY
22.3.4. Using inband selection and nonstandard ports with OpenSSH
22.3.5. Using inband destination selection and gateway authentication with PuTTY
22.3.6. Using inband destination selection and gateway authentication with OpenSSH
22.4. SSH usermapping and keymapping in AD with public key
23.1. Network troubleshooting
23.3. Viewing logs on PSM
23.4. Changing log verbosity level of PSM
23.5. Collecting logs and system information for error reporting
23.6.1. Displaying custom connection statistics
23.7.2. Recovering PSM if both nodes broke down
23.7.3. Recovering from a split brain situation
23.7.4. Replacing a HA node in a PSM cluster
23.7.5. Resolving an IP conflict between cluster nodes
23.9. Restoring PSM configuration and data
23.11. Configuring the IPMI interface from the BIOS after losing IPMI password
A.1. Configuring advanced routing on Linux
A.2. Configuring advanced routing on Cisco routers
A.3. Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls