SSH Tectia

Global Settings

The global tunneling settings define SSH Tectia Connector options common to the whole environment.

Pass-through applications

Specifies the applications that are always allowed direct connections. Applications defined here as executables are never captured and forwarded according to the filter rules in the Connector configuration; instead, their communication is in plaintext (unless the application itself performs encryption).

Note that the Management Agent ssh-mgmt-sysmonitor.exe should always be defined as a pass-through application; otherwise the host might not be able to connect to the Management Server.

Executable file name

Specifies the executable file name of a pass-through application, without a path name but including the .exe suffix. Case is ignored. Examples of executables:

  • ssh-mgmt-sysmonitor.exe (Management Agent)

  • ssh-cmpclient.exe (CMP certificate enrollment client)

  • sshclient.exe (SSH Tectia Client 4.x - GUI)

  • ssh2.exe (SSH Tectia Client 4.x - command line)

  • iexplore.exe (Internet Explorer)

  • netscp.exe (Netscape)

  • outlook.exe (MS Outlook)

Pass-through when Connector is not running

Specifies whether connections are direct (plaintext) or blocked when Connector is not running. By default, the connections are direct if Connector is not running, so that connections are possible to the application servers if Connector becomes disabled for some reason. If connections should always be encrypted for increased security over availability, disable this option to prevent outbound plaintext connections.

Note that if this option is disabled, all connections are blocked, even those that would normally be direct according to the Connector configuration, excluding the connections defined as pass-through applications.

Pass-through always

Specifies whether connections are always direct (plaintext) or captured and forwarded according to the filter rules in the Connector configuration. By default, pass-through is disabled. This option overrides any Connector configuration option.

This option should be enabled only as an "emergency override" that will restore the IT infrastructure into a functional state as quickly as possible in case a configuration error in Connector or a problem with SSH Tectia Server prevents connections to the application servers.
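The following added example (not SSH Tectia code) models how the three pass-through settings described above combine into a per-connection outcome, so that a planned configuration can be checked for plaintext paths before it is deployed. The function names and the rule labels 'tunnel' and 'direct' are hypothetical. Matching on the bare file name is an assumption drawn from the "Executable file name" field. The page does not say what happens when "Pass-through always" is enabled while Connector is not running, so the model assumes the override wins.

```python
import ntpath
from dataclasses import dataclass, field

@dataclass
class GlobalSettings:
    pass_through_apps: set = field(default_factory=set)
    pass_through_when_not_running: bool = True   # default stated on this page
    pass_through_always: bool = False            # default stated on this page

def normalize(exe: str) -> str:
    # File name only, no path, case ignored (assumed matching behaviour).
    return ntpath.basename(exe).lower()

def decide(s: GlobalSettings, exe: str, connector_running: bool, rule: str) -> str:
    """Return 'direct' (plaintext), 'tunneled' or 'blocked'.

    rule is what the Connector filter rules would choose for the
    connection: 'tunnel' or 'direct' (hypothetical labels).
    """
    if rule not in ("tunnel", "direct"):
        raise ValueError(f"unknown rule action: {rule!r}")
    if normalize(exe) in {normalize(a) for a in s.pass_through_apps}:
        return "direct"   # never captured, even if Connector is down
    if s.pass_through_always:
        return "direct"   # emergency override (assumed to win when Connector is down)
    if not connector_running:
        return "direct" if s.pass_through_when_not_running else "blocked"
    return "tunneled" if rule == "tunnel" else "direct"

def plaintext_cases(s: GlobalSettings, exes):
    """(exe, connector_running) pairs where a 'tunnel' rule still ends in plaintext."""
    return [(e, up) for e in exes for up in (True, False)
            if decide(s, e, up, "tunnel") == "direct"]

if __name__ == "__main__":
    # Constructed sample: availability-first defaults vs. encryption-first.
    apps = {"ssh-mgmt-sysmonitor.exe", "outlook.exe"}
    for label, s in (("default", GlobalSettings(apps)),
                     ("strict", GlobalSettings(apps, pass_through_when_not_running=False))):
        print(label, plaintext_cases(s, ["outlook.exe", "iexplore.exe"]))
```

With the defaults, every application falls back to plaintext when Connector stops; with "Pass-through when Connector is not running" disabled, only the listed pass-through applications do.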

Enable Pseudo IP numbers

Specifies whether Pseudo IP numbers are used by SSH Tectia Connector to ensure that name resolution is done at the remote end.

This option should be disabled if name resolution can always be done at the local end.

Pseudo IP start

Specifies the first IP address used internally to ensure that name resolution is done at the remote end. The address must be a routable IP address in order for the tunneled applications to function correctly. If the default IP 180.0.0.1 is used in your network, specify another routable IP address as the pseudo IP address.

FIPS mode (version 4.x only)

Specifies whether to use the FIPS (U.S. Federal Information Processing Standard) 140-2 certified SSH Cryptographic Library. By default, the standard SSH Cryptographic Library is used.

This setting is applicable to SSH Tectia Connector 4.x only. SSH Tectia Connector uses the crypto library defined under Edit configurations → SSH Tectia G3 → Client.

Show server banner messages (version 4.x only)

Specifies whether to display the "banner message" of the server hosts to the user prior to login whenever a new connection is established to SSH Tectia Server. By default, the server banner messages are not shown to the user, as typically the login to SSH Tectia Server is non-interactive when Connector is used. If server banner messages are used to inform users of legal constraints prior to login, this option should be enabled and Connector configured to perform user authentication interactively.

This setting is applicable to SSH Tectia Connector 4.x only. SSH Tectia Connector uses the ciphers defined under Edit configurations → SSH Tectia G3 → Client.

Show security notification (version 4.x only)

Specifies whether to display the "Application protected" message when the application is tunneled. By default, the security notifications are shown to the user.

This setting is applicable to SSH Tectia Connector 4.x only. SSH Tectia Connector uses the crypto library defined under Edit configurations → SSH Tectia G3 → Client.

Show exit and enable/disable in tray menu (version 4.x only)

Specifies whether the Connector tray menu items Exit and Enabled are available for users. By default, the items are shown. If this option is disabled, the items are not shown to the users, which prevents users from disabling Connector accidentally on their workstations.

This setting is applicable to SSH Tectia Connector 4.x only. SSH Tectia Connector uses the crypto library defined under Edit configurations → SSH Tectia G3 → Client.