7.1. Procedure – Configuring connections

Purpose: 

To configure a connection, complete the following steps.

Note

Avoid using the IP address configured for administrator or user login on PSM when configuring HTTP or SSH connections.

Steps: 

  1. Select the type of connection from the main menu.

    • To configure an HTTP connection, select HTTP Control > Connections.

    • To configure an ICA connection, select ICA Control > Connections.

    • To configure a Remote Desktop connection, select RDP Control > Connections.

    • To configure a Secure Shell connection, select SSH Control > Connections.

    • To configure a Telnet connection, select Telnet Control > Connections.

    • To configure a VNC connection, select VNC Control > Connections.

  2. Click to define a new connection and enter a name that will identify the connection (for example admin_mainserver).

    Tip

    It is recommended to use descriptive names that give information about the connection, for example refer to the name of the accessible server, the allowed clients, and so on.

    Figure 7.1. <Protocol name> Control > Connections — Configuring connections

  3. Enter the IP address of the client that will be permitted to access the server into the From field. Click to list additional clients.

    You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

    You can also enter a hostname instead of the IP address, and PSM automatically resolves the hostname to an IP address. Note the following limitations:

    • PSM uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

    • Hostnames are resolved to IPv4 addresses only.

    • If the Domain Name Server returns multiple IP addresses, PSM selects one randomly from the list.

  4. Enter the IP address that the clients will request into the To field.

    You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

    You can also enter a hostname instead of the IP address, and PSM automatically resolves the hostname to an IP address. Note the following limitations:

    • PSM uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

    • Hostnames are resolved to IPv4 addresses only.

    • If the Domain Name Server returns multiple IP addresses, PSM selects one randomly from the list.

    • In non-transparent mode, enter the IP address of a PSM logical interface.

      For more information on setting up logical network interfaces on PSM, see Procedure 4.3.2, Managing logical interfaces.

    • In transparent mode, enter the IP address of the protected server.

    Click to add additional IP addresses.

  5. If the clients use a custom port to address the server instead of the default port used by the protocol, enter the port number that the clients will request into the Port field. Click to list additional port numbers.

    Note

    PSM can handle a maximum of 15 unique ports per connection policy. If you wish to specify more than 15 custom ports, create additional connection policies.

  6. Non-transparent mode: Enter the IP address and port number of the target server into the Target field. PSM will connect all incoming client-side connections to this server. For details on organizing connections in non-transparent mode, see Section 22.2, Organizing connections in non-transparent mode.

    Figure 7.2. <Protocol name> Control > Connections — Configuring non-transparent connections

  7. Configure advanced settings if needed, such as network address translation, the channel policy, gateway authentication, or other policies and settings.

  8. Click to save the connection.

    Tip

    To temporarily disable a connection, deselect the checkbox before the name of the connection.

  9. If needed, reorder the list of the connection policies. You can move connection policies by clicking the and buttons.

    PSM compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection.
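    The first-match rule is easy to get wrong: a broad policy placed above a narrower one silently takes every session the narrower one was meant for, and nothing on the appliance flags it. The following Python script is an added example, not PSM product code, that models the evaluation described in steps 3 to 9: From and To entries as addresses, CIDR ranges or hostnames (resolved with the documented IPv4-only, random-pick behaviour), the Port field with its 15-port limit, the enable checkbox, and first-match selection in list order. The DEFAULT_PORTS table, the FAKE_DNS stand-in for the configured DNS servers, the policy names and the shadowed_policies() check are all assumptions of this example and not part of the product.

```python
"""Added example, not PSM product code: a model of first-match
connection-policy evaluation so that ordering mistakes can be spotted
before they reach the appliance. Field names follow the procedure;
everything else is an assumption of this example."""
import ipaddress
import random
from dataclasses import dataclass, field

# Assumed default ports per protocol, used when the Port field is empty.
DEFAULT_PORTS = {"SSH": 22, "RDP": 3389, "HTTP": 80, "Telnet": 23, "VNC": 5900}

# Constructed stand-in for the DNS servers set under
# Basic Settings > Network > Naming (not a real resolver).
FAKE_DNS = {
    "admins.example.com": ["10.0.1.10", "10.0.1.11", "2001:db8::10"],
    "v6only.example.com": ["2001:db8::1"],
}

MAX_PORTS = 15  # documented limit of unique ports per connection policy


def resolve(entry, choose=random.choice):
    """Turn a From/To entry into a network.

    A literal address or CIDR is used as written (a bare address means a
    /32 or /128 prefix). A hostname follows the documented limitations:
    only IPv4 answers count and one of several answers is picked at
    random; 'choose' is injectable so tests can make the pick deterministic.
    """
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    answers = [a for a in FAKE_DNS.get(entry, []) if ":" not in a]
    if not answers:
        raise ValueError(f"no IPv4 record for {entry}")
    return ipaddress.ip_network(choose(answers) + "/32")


def _contains(networks, ip):
    ip = ipaddress.ip_address(ip)
    return any(ip.version == n.version and ip in n for n in networks)


@dataclass
class ConnectionPolicy:
    name: str
    protocol: str
    sources: list                              # From field entries
    destinations: list                         # To field entries
    ports: set = field(default_factory=set)    # Port field; empty = protocol default
    enabled: bool = True                       # the checkbox before the policy name

    def __post_init__(self):
        self.ports = set(self.ports)
        if len(self.ports) > MAX_PORTS:
            raise ValueError(f"{self.name}: more than {MAX_PORTS} ports, split the policy")
        if not self.ports:
            self.ports = {DEFAULT_PORTS[self.protocol]}
        self.sources = [resolve(s) for s in self.sources]
        self.destinations = [resolve(d) for d in self.destinations]

    def matches(self, client_ip, dest_ip, dest_port):
        return (self.enabled
                and _contains(self.sources, client_ip)
                and _contains(self.destinations, dest_ip)
                and dest_port in self.ports)


def select_policy(policies, client_ip, dest_ip, dest_port):
    """First policy in list order that completely matches wins; None means rejected."""
    for policy in policies:
        if policy.matches(client_ip, dest_ip, dest_port):
            return policy
    return None


def _covered(nets, earlier_nets):
    return all(any(n.version == e.version and n.subnet_of(e) for e in earlier_nets)
               for n in nets)


def shadowed_policies(policies):
    """Names of enabled policies that can never match because a single earlier
    enabled policy of the same protocol already covers every source,
    destination and port they list (a check this example adds)."""
    shadowed = []
    for i, later in enumerate(policies):
        if not later.enabled:
            continue
        for earlier in policies[:i]:
            if (earlier.enabled and earlier.protocol == later.protocol
                    and _covered(later.sources, earlier.sources)
                    and _covered(later.destinations, earlier.destinations)
                    and later.ports <= earlier.ports):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed example list: a disabled leftover, then a broad policy
# placed above the narrower one it hides.
POLICIES = [
    ConnectionPolicy("old_jumphost", "SSH", ["10.0.9.9"], ["10.20.0.5"], enabled=False),
    ConnectionPolicy("all_admins_to_db", "SSH", ["10.0.0.0/8"], ["10.20.0.5"]),
    ConnectionPolicy("dba_subnet_to_db", "SSH", ["10.0.5.0/24"], ["10.20.0.5"]),
]

if __name__ == "__main__":
    hit = select_policy(POLICIES, "10.0.5.7", "10.20.0.5", 22)
    print("client 10.0.5.7 lands in:", hit.name if hit else "rejected")
    print("shadowed:", shadowed_policies(POLICIES))
    print("shadowed after reordering:", shadowed_policies(POLICIES[::-1]))
```

    Run it as a script to see the broad policy taking the DBA subnet's sessions, then reorder the list and re-run. The shadow check is deliberately conservative: it reports a policy only when every one of its sources, destinations and ports is covered by one earlier policy of the same protocol, so a policy partly hidden by several earlier ones still needs manual review.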

  10. Depending on your needs and environment, you may want to set further settings for your connections.

    • To modify the destination or source addresses of the connections, see Procedure 7.2, Modifying the destination address and Procedure 7.4, Modifying the source address.

    • Select a Backup Policy and an Archiving Policy for the audit trails and indexes of the connection.

      You can find more information on creating backup and archive policies in Section 4.7, Data and configuration backups and Section 4.8, Archiving and cleanup.

      If you have indexed trails, the index itself is also archived:

      When using the Indexer service, the index is archived every 30 days, unless the Backup & Archive/Cleanup > Archive/Cleanup policies > Retention time in days value is larger than 30, in which case the index is archived at that interval instead. For example, if Retention time in days is 60, the index is archived every 60 days. The archived index contains the content that was available X days before the archival date, where X is the value of the Retention time in days field.

      Warning

      Hazard of data loss!

      Make sure you also back up your data in addition to archiving it (for details, see Section 4.7, Data and configuration backups). If a system crash occurs, you can lose up to 30 days of index, because the index is archived only every 30 days.

      Note

      The backup and archive policies set for the connection operate only on the audit trails and indexes of the connection. General data about the connections that is displayed on the Search page is archived and backed up as part of the system-backup process of PSM.

    • If you want to timestamp, encrypt, or sign the audit trails, configure an Audit Policy to suit your needs. For details, see Section 7.10, Audit policies.

      Warning

      In RDP connections, if the client uses the Windows login screen to authenticate on the server, the password of the client is visible in the audit trail. To avoid displaying the password when replaying the audit trail, it is recommended that you encrypt the upstream traffic in the audit trail using a separate certificate from the one used for the downstream traffic. For details, see Procedure 7.10.1, Encrypting audit trails.

    • To require the users to authenticate themselves not only on the target server, but on PSM as well, see Section 18.2, Configuring gateway authentication.

    • To require four-eyes authorization on the connections, with the possibility of an auditor monitoring the connection in real-time, see Section 18.3, Configuring 4-eyes authorization.

    • In the case of certain connections and scenarios (for example SSH authentication, gateway authentication, Network Level Authentication (NLA) connections), PSM can authenticate the user to an LDAP database, or retrieve the group memberships of the user. To use these features, select an LDAP Server. For details, see Procedure 7.9, Authenticating users to an LDAP server.

      Note

      To display the usergroups that can access a specific Connection Policy, open the Connection Policy, then select Show connection permissions > Show on the Connections page.

    • To limit the number of new connection requests accepted from a single client IP address per minute, enter the maximum number of accepted connections into the Connection rate limit field.

  11. If your clients and servers support it, configure the connection to use strong encryption.

  12. For graphical connections, adjust the settings of your servers for optimal performance:

    • For optimal performance and text recognition in graphical protocols, disable antialiasing (also called font smoothing) on your servers. The OCR engine of the Audit Player does not recognize antialiased text in the audit trails of RDP, VNC, and X11 connections. The indexer service does recognize antialiased text, but its accuracy depends on the exact antialiasing settings, so disable antialiasing to index the trails of these connections properly. Note that antialiasing is enabled by default on Windows Vista and newer; ClearType, the antialiasing technology used on Microsoft Windows, should also be disabled.

    • When processing RDP connections, PSM attempts to extract the username from the connection. To ensure that your users can access the target servers only when their username is recorded, see Section 10.10, Usernames in RDP connections.

    • If you are using Audit Player (AP) to OCR graphical audit trails, configure your servers to use the Tahoma or MS Sans Serif fonts on the user interface for optimal performance.