SSH Tectia

Defining SSH Tectia Connector Settings (SSH Tectia Connector)

SSH Tectia Connector settings are defined entirely in the SSH Tectia Configuration tool. See Defining General Settings for Connector and Defining Filter Rules.

Defining General Settings for Connector

On the General page, you can define general settings for SSH Tectia Connector.

Defining general settings for SSH Tectia Connector

Figure 4.31. Defining general settings for SSH Tectia Connector

Defining Applications for Pass-Through

Applications that are passed through are defined in the General Settings view.

  • Select the Pass-through when engine down check box to have connections passed through when the SSH Tectia Connector engine is not operational. This option can be activated if it is necessary to temporarily deactivate SSH Tectia Connector so that it does not block network communications. If users should only access the network using secure communications, leave this option disabled.

  • Use the Pass-through apps text box to enter the process names of the applications that are allowed to pass through. Comparing the application name to the applications listed in this field is case-insensitive. The process names should include the file extension (the correct name format can be checked from Windows Task Manager). Use commas to separate entries, for example: ssh-client-g3.exe,nslookup.exe,ping.exe

    The pass-through settings are not stored in the ssh-broker-config.xml file but directly in the Windows Registry, under HKEY_LOCAL_MACHINE\SOFTWARE\SSH Communications Security\SSH Tectia Connector

Defining Pseudo IPs

Pseudo IP numbers are used when accessing an internal network from the outside because name resolution for the machines in the internal network is not available from the outside. If specified in the filter rule, pseudo IP numbers are used when an IP address cannot be resolved by the Connection Broker. In this case, SSH Tectia Server resolves the real IP address.

Specify an IP address (using the dotted decimal notation) in the Pseudo IP start text box. This address is used as the base for the pseudo IP addresses that will be generated for connections.

Settings

When the Show security notification check box is selected, a notification is briefly displayed when a new application is secured. A list of currently tunneled applications is shown in the Connector icon tray menu.

Security notification

Figure 4.32. Security notification

Select the Enable Connector check box to use Connector. The text Connector enabled is shown in the tray menu. When SSH Tectia Connector is enabled, it can be temporarily disabled from the tray menu by clicking the Connector enabled menu command. To disable Connector also in the future sessions, clear the Enable Connector check box.

Defining Filter Rules

On the Filters page, you can define the SSH Tectia Connector filter rules.

Filter rules

Figure 4.33. Filter rules

Type an application name in the Application to tunnel field or click Browse... to locate an application.

Click the Add... button to define a new filter rule in the Filter Rule dialog box. Click Edit... to modify and Delete to remove.

Defining a filter rule

Figure 4.34. Defining a filter rule

  • Any host or IP address: The rule is used for all addresses.

  • Hostname: The rule is used for connections to the defined DNS address(es). The engine will resolve the IP address using a DNS query. This value can be a regular expression. See Appendix B.

  • IP address: The rule is used for connections to the defined IP address(es). This value can be a regular expression. See Appendix B.

  • Ports: Select a single port or a port range and define port numbers for the captured connections. If this is undefined, the rule will be used for all ports.

  • Action: Select one of the following:

    DIRECT

    The connection is made directly to the host without tunneling, using the host's IP address if it can be resolved. If it cannot be resolved, the connection fails.

    BLOCK

    The connection is blocked. Applications usually inform the user that the connection is refused.

    TUNNEL

    The connection is tunneled through the selected profile. If the connection is made using a DNS name, the tunnel is created with the DNS name. This means that the actual DNS name resolution is done at the remote end, which enables tunneling connections to hosts that are not visible to the local machine. If the port does not match a port or port range, the connection is direct.

  • Select a server profile to tunnel through from the second drop-down list.

  • Fall back to DIRECT if secure connection cannot be established: If creating the tunnel fails (or the connection to the Secure Shell server fails) the Connection Broker will normally return a "host not reachable" error. However, when this check box is selected a direct (unsecured) connection is used instead.

  • Use pseudo IP: When this check box is selected and a captured application attempts connection using a hostname, SSH Tectia Connector assigns a pseudo IP address for the host instead of doing a DNS query. When the check box is not selected, a normal DNS query is made.

    The fallback and pseudo IP options cannot be enabled at the same time. If they are, and the secure connection fails, the application will try a direct connection with the pseudo IP, which will not work.

When an application connects to a host, filters are used to determine the correct action to apply to the connection. The filter list is scanned through to find a filter that matches the connection. The first filter that matches the DNS or IP address of the connection is used. Filters are evaluated from top down. Use the arrow buttons to organize the list.