SSH Tectia

Tunneling Policy Rules

SSH Tectia Connector tunneling policy rules

Figure 8.22. SSH Tectia Connector tunneling policy rules

To add a new tunneling policy rule:

  1. Select Configurations → Connector configurations and click Edit.

  2. To add a new tunneling rule, click Add.

  3. In the Edit tunneling policy rule view, Source field, select the host or host groups to which the tunneling rule will apply. The rule is deployed to the hosts that have SSH Tectia Connector installed when the configurations are deployed. If the All hosts value is used, the rule applies to all managed hosts when deployed. See Figure 8.23.

  4. In the Destination field, select a host, host group or a pattern used in the connections of the applications to be tunneled. The pattern * matches any connection. If you use a pattern instead of a specific host group, you must define a gateway as the Tunnel end point. Tunneled applications must use the hostname reported by the managed host in their configuration, or the filter rules do not match (the hostname in the Management Server host info for the host).

  5. Select an application, or click Edit to add a new one.

    Editing a tunneling policy rule

    Figure 8.23. Editing a tunneling policy rule

  6. In the Action to perform field, select the action to be performed to the TCP connections that match the Destination and Source criteria. Encrypt enables a secure connection, Direct allows connections as plaintext, and Block denies outbound connections.

  7. Select the tunneling parameters, or click Edit to add new parameters.

  8. In the Tunnel end point field, use the destination host as the tunneling host, whenever possible, to enable end-to-end encryption. Select a gateway host only if the destination host is not accessible from the source hosts and nested tunnels cannot be used, or the SSH Tectia Server cannot be installed on the destination host.

    If the desired gateway host is not managed by SSH Tectia Manager, click Unmanaged and enter the hostname. Note that the public host key of the unmanaged host must be available on the SSH Tectia Connector hosts in "C:\Documents and Settings\All Users\Application Data\SSH\HostKeys" as key_22_<unmanaged_host>.pub.

    Defining tunneling and nested tunnels

    Figure 8.24. Defining tunneling and nested tunnels


    Important: When a gateway host is used, the connection is unencrypted (plaintext) between the gateway host and the destination host.

  9. Define a server-side username.

    When tunneling from a client to a server, the client must be able to login to an existing user account on the server. There are two alternatives: either use the same username on both the client machine and the server machine, or log in using a fixed, shared user account. In both cases, the user should be restricted to tunneling services only, whenever possible.

    If the server-side username is not defined, the Windows login name is used also as the server-side login name, and users have to authenticate themselves to the server using the authentication method(s) configured in the SSH Tectia Server.

    If the tunneled applications provide sufficient user authentication, it is possible to configure SSH Tectia products to use a shared user account, for example, with a shared password, which does not require user interaction.

    Note that if the Destination for the tunneling rule refers to multiple hosts, each of the hosts must have the same user account with the same shared password.


    It is very important that the shared user account is properly configured on the server, not restricted only in the SSH Tectia Server configuration but also on the operating-system level. The user should be denied terminal access, and the file system permissions should be restricted. It is also recommended to deny the user file transfer services and any other services.

  10. Specify the shared password corresponding to the server-side user account used for tunneling. Note that the shared password is stored unencrypted (plaintext) in a configuration file on the SSH Tectia Connector hosts. An empty password cannot be used as a shared password.

  11. If the Destination host is not accessible from the source hosts directly and the connections should be encrypted end to end, click Add nested tunnel. The Nested tunnel settings define an additional Secure Shell connection used to tunnel the connections of the tunneling rule. See Figure 8.24. The nested tunnel settings are specific to the tunneling rule in question:

    1. Select the tunneling parameters, or click Edit to add new parameters.

    2. In the Nested tunnel server field, select the host, or click Unmanaged. Enter the name of the host to which a Secure Shell connection is first established in order to connect to the destination host(s). Note that the public host key of the unmanaged host must be available on the SSH Tectia Connector hosts in "C:\Documents and Settings\All Users\Application Data\SSH\HostKeys" as key_22_<unmanaged_host>.pub.

    3. Define the Server-side username and Server-side user password to be used for connecting to the nested tunnel server. Note that the server-side user password is not supported by G3 SSH Tectia. Configure the server to use no authentication instead.

    The information on the Secure-Shell-specific settings described above for the tunneling rule apply also to the nested tunnel settings. Note that the nested tunnel settings are supported for SSH Tectia Connector versions 4.2.0 and later. If a tunneling rule that contains nested tunnel(s) is deployed to older versions, the nested tunnel settings are omitted from the tunneling rule.

  12. Click OK to return to the Edit tunneling policy rule view.

  13. Ensure that the policy rules are in the intended order and correctly enabled. See example in Figure 8.22. The rules are evaluated in top-down order. The first matching rule is used and the rest are ignored. If none of the rules match, the traffic is passed through as plaintext.

  14. Click Save to save the rules into the database.

SSH Tectia Connector configurations are deployed the same way as other configurations in Configurations → Deploy configurations.


When you want to deploy SSH Tectia Connector 5.x configurations, define also the SSH Tectia 5.x Client Configuration sets and Common settings, and use the Assign Configurations menu to assign the configuration sets to the hosts. See Configuration Task Flow and Assigning Configurations per Group.

If you create an SSH Tectia Connector configuration without defining SSH Tectia 5.x Client settings, the configuration is deployed only to SSH Tectia Connector 4.x versions.