7.3. Procedure – Configuring inband destination selection


With inband destination selection, you can create a single connection policy and allow users to access any server by including the name of the target server in their username (for example, ssh [email protected]@scb_address, or username%@targetserver%scb_address). To configure a Connection Policy to extract the address of the server from the username, complete the following steps.



  1. Navigate to the Connection policy you want to modify, for example, to SSH Control > Connections.

  2. Select Inband destination selection.

    Figure 7.4. <Protocol name> Control > Connections — Configuring inband destination selection

  3. Optional Step: Enter the IP address or the hostname of the domain name server used to resolve the address of the target server into the DNS Server field.

    If you do not set the DNS Server field, PSM will use the global DNS server (set on the Basic Settings > Networking page) to resolve the hostnames in this connection.

  4. Optional Step: Configure domain names and CNAME records.

    If the clients do not include the domain name when addressing the server (for example they use [email protected] instead of [email protected], or username%server for RDP connections), PSM can automatically add domain information (for example example.com). Enter the domain name to add into the Append domain field.

    PSM can also resolve CNAME records.

    To enter more domain names (for example because connections extend through subnets), click . If the Append domain field contains several domain names, PSM appends the first domain name in the list with which the target can be resolved.

  5. Enter the addresses of the servers that the users are permitted to access into the Targets field. Note the following points:

    • Use the IP address/prefix (for example, or format. Alternatively, you can use the FQDN of the server. To permit access to any server, enter *.

    • For FQDN, you can use the * and ? wildcard characters.


      If only the hostname of the server is listed and the client targets the server using its IP address, PSM refuses the connection.

    • If the clients target the server using its IP address, include the IP address of the server in the Targets > Domain list. This is required because PSM resolves the hostnames to IP addresses, but does not reverse-resolve IP addresses to hostnames.

    • If the clients target the server using its hostname, then the hostname-from-the-client-request + the-value-of-the-Append-domain-option must appear in the Targets > Domain list. Alternatively, you must include the IP address of the hostname-from-the-client-request + the-value-of-the-Append-domain-option host.

    Example 7.1. Hostnames and inband destination selection

    For example, if you have set Append domain to example.com and your clients use the username%servername request, you must include either the servername.example.com host or its IP address in the Targets > Domain list.

  6. If the clients can access only a specified port on the server, enter it into the Port field. If the Port is not set, the clients may access any port on the server.

  7. If there are any servers that the users cannot target using inband destination selection, add them to the Exceptions field.

  8. To use inband destination selection with RDP connections without using PSM as a Remote Desktop Gateway (or RD Gateway), you must use SSL-encrypted RDP connections (see Procedure 10.5, Enabling TLS-encryption for RDP connections).

  9. Click .

    Expected result: 

    The connection policy will extract the address of the destination server from the protocol information.


    For examples on using inband destination selection to establish an SSH connection, including scenarios where non-standard ports or gateway authentication is used, see Section 22.3, Using inband destination selection in SSH connections.
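
The matching rules in steps 4, 5 and 7 can be modelled in a few lines to check a planned Targets list against the names your clients will actually send. This is an added example, not PSM code: the function names, the constructed DNS table, trying the name as given before the Append domain entries, and treating Exceptions entries in the same format as Targets are assumptions.

```python
import fnmatch
import ipaddress

# Constructed DNS data standing in for the policy's DNS server (assumption).
DNS = {"web1.example.com": "10.10.1.5", "db1.corp.example": "10.20.0.9"}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def entry_matches(entry, fqdn, ip):
    """Match one list entry: '*', IP address/prefix, or FQDN with * and ? wildcards."""
    if entry == "*":
        return True
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an IP/prefix, so treat the entry as an FQDN pattern.
        return fqdn is not None and fnmatch.fnmatchcase(fqdn.lower(), entry.lower())
    return ipaddress.ip_address(ip) in net

def check_target(requested, targets, append_domains=(), exceptions=(), dns=DNS):
    """Return (allowed, fqdn, ip) for the server name extracted from the username."""
    if is_ip(requested):
        # No reverse lookup: hostname-only entries can never match an IP request.
        fqdn, ip = None, requested
    else:
        # Assumption: name as given first, then each Append domain in list order.
        candidates = [requested] + [f"{requested}.{d}" for d in append_domains]
        fqdn = next((c for c in candidates if c.lower() in dns), None)
        if fqdn is None:
            return (False, None, None)  # cannot be resolved with any domain
        ip = dns[fqdn.lower()]
    if any(entry_matches(e, fqdn, ip) for e in exceptions):
        return (False, fqdn, ip)
    return (any(entry_matches(e, fqdn, ip) for e in targets), fqdn, ip)

if __name__ == "__main__":
    policy = ["web1.example.com"]
    print(check_target("web1", policy, ["example.com"]))  # hostname plus Append domain
    print(check_target("10.10.1.5", policy))              # IP request, hostname-only list
```

Running the model over the list of names and addresses your users type shows which requests need an additional IP or FQDN entry in Targets before the policy is committed.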