SSH Tectia

SSH Tectia® Guardian 1.1

Administrator Manual

SSH Communications Security Corp.

This software is protected by international copyright laws. All rights reserved. ssh® and Tectia® are registered trademarks of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH and Tectia logos are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corp.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

19 May 2009
Table of Contents

1. About This Document
   Target audience and prerequisites
   Products covered in this manual
   Typographical conventions
   Contact and support information
2. Introduction
   What SSH Tectia Guardian is
   What SSH Tectia Guardian is not
   Why is SSH Tectia Guardian needed?
   Who uses SSH Tectia Guardian?
3. The concepts of SSH Tectia Guardian
   The philosophy of SSH Tectia Guardian
   Modes of operation
   SSH Tectia Guardian in Bridge mode
   SSH Tectia Guardian in Router mode
   SSH Tectia Guardian in Bastion mode
   SSH Tectia Guardian in Nontransparent mode
   Connecting to a server through SSH Tectia Guardian
   SSH hostkeys
   Authenticating clients using public-key authentication in SSH
   Network interfaces
   High Availability support in SSH Tectia Guardian
   Firmware in SSH Tectia Guardian
   Firmwares and high availability
   Licenses
4. The Welcome Wizard and the first login
   The initial connection to SSH Tectia Guardian
   The Welcome Wizard
   Logging in to SSH Tectia Guardian and configuring the first connection
5. Configuring and managing SSH Tectia Guardian
   The structure of the web interface
   Elements of the main workspace
   Basic settings
   Network settings
   Date and time configuration
   System logging, SNMP and e-mail alerts
   Configuring system monitoring on SSH Tectia Guardian
   Data and configuration archiving and backups
   Audit trail settings
   User management
   Managing SSH Tectia Guardian
   Controlling SSH Tectia Guardian — restart, shutdown
   Updating the SSH Tectia Guardian firmware
   Updating the SSH Tectia Guardian license
   Importing and exporting SSH Tectia Guardian configuration
   Network troubleshooting
   Viewing logs on SSH Tectia Guardian
   Disabling the controlled traffic
   Changing log verbosity level of SSH Tectia Guardian
   Accessing the SSH Tectia Guardian host using SSH
   Changing the root password of SSH Tectia Guardian
   Changing the certificate of the SSH Tectia Guardian web interface
6. Configuring connections
   General connection settings
   Modifying the destination address
   Modifying the source address
   Channel Policies
   Time Policies
   User lists
   Authenticating users to an LDAP server
   SSH-specific settings
   Setting the SSH host keys of the connection
   Supported SSH channel types
   Authentication Policies
   Server Host Keys
   Protocol-level SSH settings
   4-eyes authorization
   RDP-specific settings
   Supported RDP channel types
   Protocol-level RDP settings
   Telnet-specific settings
   Protocol-level Telnet settings
7. Viewing session information and replaying audit trails
   Browsing the connections database
   Generating reports
   The BalaBit Audit Player
   Replaying audit trails
   Using BAP
8. Best practices and configuration examples
   Configuring public-key authentication on SSH Tectia Guardian
   Routing management traffic to the management interface
   Organizing connections in Bastion mode
   Accessing the SSH Tectia Guardian host in Bastion mode using SSH
   Using nontransparent Bastion mode
   How to restore a backup
A. About the Secure Shell protocol in a nutshell
   The basic operation of SSH
   Configuring encryption parameters
B. Installing SSH Tectia Guardian Hardware
C. Installing SSH Tectia Guardian Software
Glossary
Index