2.7.3. Non-transparent mode

In non-transparent mode, PSM acts as a bastion host — administrators can address only PSM, the administered servers cannot be targeted directly. The firewall of the network has to be configured to ensure that only connections originating from PSM can access the servers. PSM determines which server to connect based on the parameters of the incoming connection (the IP address of the administrator and the target IP and port).

Non-transparent mode inherently ensures that only the controlled (management and server administration) traffic reaches PSM. Services and applications running on the servers are accessible even in case PSM breaks down, so PSM cannot become a single point of failure.


Non-transparent mode is useful if the general (not inspected) traffic is very high and could not be forwarded by PSM.


In case there is a high number of target devices, do not use fix address rules in non-transparent mode as configuration validation might fail. Consider using one of the dynamic configuration options, such as inband destination selection or transparent mode.

Figure 2.10. PSM in non-transparent mode

PSM in non-transparent mode

Non-transparent mode is often used together with inband destination selection. For details, see Section 2.7.4, Inband destination selection).