Tectia

Client

The settings for Tectia Client and ConnectSecure can be edited under Configurations → Edit configurations → Tectia → Client.

For more information on the configuration options, see Tectia Client User Manual and Tectia ConnectSecure Administrator Manual.

General

The General page contains general settings for Tectia Client and Tectia ConnectSecure.

Configuration name

Name of the configuration.

Description

Description of the configuration, for example to let users know what it is used for.

Crypto library mode

Define the cryptographic library mode to be used. Either the standard version or the FIPS 140-2 certified version of the crypto library can be used.

Hash algorithms

Define whether all or only the SHA2-compliant algorithms are allowed in the configurations. When the SHA2 option is selected, all non-SHA2 algorithms will be omitted from the configurations. This option affects the settings of macs, kexs and host key algorithms in the configuration, because they include hash algorithms.

Note

The Only SHA2-compliant hash algorithms option is not supported with Tectia configurations of version 6.1.x or earlier.

Proxy rules

Define rules for HTTP or SOCKS proxy servers the client will use for connections.

For a description of the format of the proxy scheme, see Tectia Client User Manual.

Idle timeout

This setting specifies how long, in seconds, a connection may remain idle (after all connection channels are closed) before it is closed automatically.

The default setting is 5 seconds. Setting a longer time allows the connection to the server to remain open even after a session (for example, sshg3) is closed. During this time, a new session to the server can be initiated without re-authentication. Setting the time to 0 (zero) terminates the connection immediately when the last channel to the server is closed.

TCP connection timeout

Select whether Tectia Client/ConnectSecure uses a specific TCP connection timeout. If you select Disabled, the system-specific default TCP connection timeout will be used.

When you select Enabled, also define the timeout in seconds. When this setting is enabled, connection attempts to a Secure Shell server are stopped after the defined time if the remote host is down or unreachable. This timeout overrides the default system TCP timeout; it can in turn be overridden by profile-specific timeout settings, and all configured TCP connection timeouts can be overridden with command-line settings.

Keepalive interval

Select whether keepalive messages are sent to the Secure Shell server. When you select Enabled, also define an interval (in seconds) for sending the keepalive messages.

Exclusive connections

Define whether a new connection is opened for each new channel. By default the exclusive connection type is not selected, and open connections are reused for new channels requested by a client.

Show server banners

Define whether the server banner message file (if it exists) is visible to the user before login. The default is yes.

Strict host key checking

Enables strict host key checking. If it is enabled, Tectia Client/ConnectSecure never adds host keys to the user's .ssh2/hostkeys directory upon connection, and refuses to connect to hosts whose key has changed. This provides maximum protection against man-in-the-middle attacks. This also means that before connecting to a new host, you must obtain and save the host key using some other method.

Always ask about host key

Define whether Tectia Client/ConnectSecure should prompt the user to accept the proposed host key even if it is already known.

Accept unknown host keys

Define whether Tectia Client/ConnectSecure will always accept the proposed host key without saving the key. It is the equivalent of automatically answering "Once" to all accept-host-key prompts.

Enabling this setting takes effect only when both Strict host key checking and Always ask about host key are disabled.

Caution

Consider carefully before enabling this option. Disabling the host-key checks can make you vulnerable to man-in-the-middle attacks.

Known hosts directories

Add one or several directories that contain the public-key data or public-key files of known server hosts. Define also whether the host names will be in hashed or plain format.

Show authentication success message

Select whether the AuthenticationSuccessMsg messages are output. The default is yes, meaning that the messages are output and logged.

SFTP compatibility mode

Select the compatibility mode for sftpg3 operations. The values have these effects:

  • tectia (the default) - sftpg3 transfers files recursively, meaning that files from the current directory and all its subdirectories are transferred.

  • ftp - the get/put commands are executed as sget/sput meaning that they transfer a single file; and commands mget/mput have recursion depth set to 1 meaning that they only transfer files from the specified directory, not from subdirectories.

  • openssh - commands get/put/mget/mput behave alike, and the recursion depth is set to 1, meaning that only files from the specified directory are transferred, not from subdirectories.

The mode set here can be overridden with the environment variable SSH_SFTP_CMD_GETPUT_MODE.

Hide tray icon (Windows only)

Select whether to hide the Tectia tray icon from users. By default, the icon is not hidden.

Show Exit button (Windows only)

Select whether to show the Exit button in the Tectia tray icon shortcut menu, allowing the users to terminate the Connection Broker. By default, the button is shown.

Show Configuration button (Windows only)

Select whether to show the Configuration button in the Tectia tray icon shortcut menu, allowing the users to edit Tectia Client/ConnectSecure settings. By default when the host is managed by Tectia Manager, the button is not shown to users.

Note

Even though the Configuration button is hidden from users, they are still able to start the Tectia Configuration GUI from the Windows Start menu.

PKI

The PKI page contains the certificate validation settings used for server authentication.

CA list

Specify one or more certification authorities (CAs) trusted by the Tectia Client and Tectia ConnectSecure in server authentication.

To add a trusted CA, click Add.

To edit a trusted CA, click Edit next to the CA.

To delete a trusted CA, click Delete next to the CA.

CA certificate

Specify the BER- or PEM-encoded X.509 certificate of the trusted CA (certification authority).

Disable CRL checking

The CRL (certificate revocation list) checking should be disabled only for testing purposes.

Use expired CRLs

Set the number of seconds for which an expired CRL is still used. The default is 0 (do not use expired CRLs).

Default domain

This setting can be used when the end-point identity check is enabled. It specifies the default domain part of the remote system name and it is used if only the base part of the system name is available. The Default domain is appended to the system name if it does not contain a dot (.).

Endpoint identity check

Specify whether the host name or IP address used for connecting is checked against the Subject Name and the Subject Alternative Name DNS or IP fields in the server's certificate.

Caution

If identity check is disabled, any certificate issued by a trusted CA is acceptable in server authentication and the validation relies solely on the CRL check.
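As an added illustration of the two settings above (this is not Tectia code and not the client's own validation routine), the following Python functions first apply the Default domain rule and then compare the connection target against the certificate's Subject Name and Subject Alternative Name entries. The certificate names are a constructed sample dict standing in for values read from a real X.509 certificate; the rule that an IP target is compared only against the IP entries of the SAN is an assumption, as the page does not say which field an IP target is matched against.

```python
import ipaddress

# Constructed sample standing in for the names read from a server certificate:
# the Subject Name CN and the Subject Alternative Name DNS and IP entries.
SAMPLE_CERT_NAMES = {
    "subject_cn": "sftp.example.com",
    "san_dns": ["sftp.example.com", "sftp-backup.example.com"],
    "san_ip": ["192.0.2.10"],
}


def qualify_hostname(name, default_domain):
    """Default domain rule: a name without a dot gets the domain appended."""
    if default_domain and "." not in name:
        return f"{name}.{default_domain}"
    return name


def is_ip_address(target):
    """True if the connection target was given as an IP address rather than a name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def endpoint_identity_matches(target, cert_names, default_domain=None):
    """Return True if the target used for connecting matches the certificate.

    Assumption (not stated on the page): an IP target is compared only against
    the IP entries of the SAN; a host name is compared, case-insensitively and
    ignoring a trailing dot, against the SAN DNS entries and the Subject CN.
    """
    if is_ip_address(target):
        wanted = ipaddress.ip_address(target)
        return any(wanted == ipaddress.ip_address(ip) for ip in cert_names.get("san_ip", []))

    name = qualify_hostname(target, default_domain).lower().rstrip(".")
    candidates = [cert_names.get("subject_cn", "")] + list(cert_names.get("san_dns", []))
    return any(name == c.lower().rstrip(".") for c in candidates if c)
```

With the check disabled, none of this runs and, as the caution says, any certificate from a trusted CA passes; the short name "sftp" only matches because the Default domain turns it into "sftp.example.com" before the comparison.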

Socks server URL

Specify the firewall settings used to access the LDAP, HTTP, and OCSP services during certificate validation. The settings are specified in URL format, first the SOCKS server address, and after that the networks that are connected directly, separated by commas.

Example URL (a SOCKS server with directly connected networks):

socks://fw.example.com:1080/127.0.0.0/8,192.168.0.0/16

HTTP proxy URL

Specify the proxy settings used to access the LDAP, HTTP, and OCSP services during certificate validation. The settings are specified in URL format, first the HTTP proxy server address, and after that the networks that are connected directly, separated by commas.
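The SOCKS server URL and HTTP proxy URL share one format: the proxy address, then the directly connected networks separated by commas. As an added example (not Tectia's parser), the Python below splits such a URL and decides whether a given destination address is reached directly or through the proxy. The page states no default proxy port, so none is assumed and the port must be explicit; the sample URLs in the test are constructed.

```python
import ipaddress
from typing import NamedTuple
from urllib.parse import urlsplit


class ProxyConfig(NamedTuple):
    scheme: str     # "socks" or "http"
    host: str       # proxy server address
    port: int       # proxy server port (explicit; the page states no default)
    networks: list  # ipaddress networks that are connected directly


def parse_proxy_url(url: str) -> ProxyConfig:
    """Parse '<scheme>://<proxy-host>:<port>/<net>,<net>,...'.

    The path after the proxy address lists the directly connected networks,
    comma-separated, as in the page's example URL. A URL with no path means
    that everything goes through the proxy.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("socks", "http"):
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname or parts.port is None:
        raise ValueError("proxy URL must contain both host and port")
    raw_networks = [n for n in parts.path.lstrip("/").split(",") if n]
    networks = [ipaddress.ip_network(n, strict=False) for n in raw_networks]
    return ProxyConfig(parts.scheme, parts.hostname, parts.port, networks)


def is_valid_proxy_url(url: str) -> bool:
    """Convenience wrapper for configuration checks: True if the URL parses."""
    try:
        parse_proxy_url(url)
        return True
    except ValueError:
        return False


def route_for(destination_ip: str, proxy: ProxyConfig) -> str:
    """'direct' if the destination lies in a directly connected network, else 'proxy'."""
    addr = ipaddress.ip_address(destination_ip)
    return "direct" if any(addr in net for net in proxy.networks) else "proxy"
```

Listing a network as directly connected means CRL, LDAP and OCSP traffic to it bypasses the proxy, so the list should contain only the internal ranges that really are reachable without it.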

LDAP Server URL

Specify a comma-separated list of LDAP Servers used to retrieve CRLs and intermediate CA certificates in case the certificate itself does not contain a valid Authority Info Access extension and/or CRL Distribution Point extension.

The LDAP server address must be in the URL format, for example:

ldap://pki.example.com:389

OCSP Responder URL

Specify an OCSP (Online Certificate Status Protocol) Responder service in the URL format in case the certificate itself does not contain a valid Authority Info Access extension with the OCSP Responder URL, and OCSP should be used instead of CRLs.

Note that in order for the OCSP validation to succeed, both the end entity certificate and OCSP Responder certificate must be issued by the same CA.

Enable DOD PKI compliance mode

Specify whether to require Digital Signature to be set in Key Usage in the end entity certificate. By default, this is not required.

Logging

On the Logging page, you can set the severity and facility of different logging events. The events have reasonable default values, which are used if no explicit logging settings are made.

To add customized values for events:

  1. Click Add. A list of log events is shown.

    When you click Add, the events that already have customized values are not shown on the list. When you click Replace, all events are shown on the list.

  2. Select the event(s) you want to customize from the list, and select whether to log the event(s) and select the Facility and Severity for the event(s).

  3. Click Add event(s) when finished.

    The customized events are now shown on the Logging page.

To delete a log event from the customized events, click Delete. The event will revert to using the default values.

For more information on the events and their default values, see Tectia Client User Manual, Appendix: Audit Messages.

Connections

The Connections page contains the default settings for Secure Shell connections, such as ciphers and authentication methods that the client will request. If a connection profile is used, settings defined in the profile may override these settings. See Profiles.

Rekey data interval

Specify the number of megabytes after which the key exchange is done again.

The default is 1000 MB. The value 0 (zero) turns rekey requests off. This does not prevent the server from requesting rekeys.

Ciphers

Define the ciphers that the client will propose to the server. Select a cipher from the list, and use the arrow buttons (<< and >>) to move the cipher to the used (enabled) list or to the available (disabled) list.

The ciphers are proposed to the server in order. Use the Up and Down buttons to change the order of the ciphers.

MACs

Define the MACs that the client will propose to the server. Select a MAC from the list and use the arrow buttons (<< and >>) to move the MAC to the used (enabled) list or to the available (disabled) list.

The MACs are proposed to the server in order. Use the Up and Down buttons to change the order of the MACs.

KEXs

Define the key exchange methods that the client will propose to the server. The algorithms will be tried in the order they are specified. Use the Up and Down buttons to change the order of the KEXs in the list.

Due to issues in OpenSSL, the following KEXs cannot operate in the FIPS mode: diffie-hellman-group15-sha256@ssh.com and diffie-hellman-group15-sha384@ssh.com.

By default, the server allows diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1.

Host key algorithms

Define the host key algorithms that the client will propose to the server. The algorithms will be tried in the order they are specified. Use the Up and Down buttons to change the order of the algorithms.

The following host key signature algorithms are available: ssh-dss, ssh-dss-sha224@ssh.com, ssh-dss-sha256@ssh.com, ssh-dss-sha384@ssh.com, ssh-dss-sha512@ssh.com, ssh-rsa, ssh-rsa-sha224@ssh.com, ssh-rsa-sha256@ssh.com, ssh-rsa-sha384@ssh.com, ssh-rsa-sha512@ssh.com, x509v3-sign-dss, x509v3-sign-dss-sha224@ssh.com, x509v3-sign-dss-sha256@ssh.com, x509v3-sign-dss-sha384@ssh.com, x509v3-sign-dss-sha512@ssh.com, x509v3-sign-rsa, x509v3-sign-rsa-sha224@ssh.com, x509v3-sign-rsa-sha256@ssh.com, x509v3-sign-rsa-sha384@ssh.com, and x509v3-sign-rsa-sha512@ssh.com.

When setting Only SHA2 hash algorithm allowed is selected in the General section, the following algorithms are allowed: ssh-dss-sha224@ssh.com, ssh-dss-sha256@ssh.com, ssh-dss-sha384@ssh.com, ssh-dss-sha512@ssh.com, ssh-rsa-sha224@ssh.com, ssh-rsa-sha256@ssh.com, ssh-rsa-sha384@ssh.com, ssh-rsa-sha512@ssh.com, x509v3-sign-dss-sha224@ssh.com, x509v3-sign-dss-sha256@ssh.com, x509v3-sign-dss-sha384@ssh.com, x509v3-sign-dss-sha512@ssh.com, x509v3-sign-rsa-sha224@ssh.com, x509v3-sign-rsa-sha256@ssh.com, x509v3-sign-rsa-sha384@ssh.com, and x509v3-sign-rsa-sha512@ssh.com.

Transport distribution

Define the number of transport channels used by the Secure Shell connection. Using more than one transport may increase the throughput over low bandwidth connections.

Compression

Enables or disables compression. When Zlib compression is selected, define also the compression level.

Authentication methods

Define the authentication methods that are requested by the client. Select a method from the list and use the arrow buttons (<< and >>) to move the method to the used (enabled) list or to the available (disabled) list.

The authentication methods are tried in order. This means that the least interactive methods should be placed first. Use the Up and Down buttons to change the order of the methods.

Enable X11 forwarding

Define whether X11 forwarding is allowed on the client side.

The forwarding can be set On, Off, or Denied. If X11 forwarding is set as Denied, the user cannot enable it on the command-line.

Enable agent forwarding

Define whether agent forwarding is allowed on the client side.

The forwarding can be set On, Off, or Denied. If agent forwarding is set as Denied, the user cannot enable it on the command-line.

Transparent Tunneling

The Transparent Tunneling page contains the settings for transparent tunnels and FTP-SFTP conversion.

  • Transparent TCP tunneling is available as an optional feature with Tectia Client on Windows platforms, and as a normal feature with Tectia ConnectSecure on all platforms.

  • Transparent FTP tunneling is available with Tectia ConnectSecure.

  • FTP-SFTP conversion is available with Tectia ConnectSecure.

Note

The configuration deployment verifies the Tectia software versions on the target host, but it does not verify the actual installed sub-components. For example, if transparent tunneling or FTP-SFTP conversion filter rules have been defined in Tectia Client configuration, the configuration is deployed to all selected Tectia Client/ConnectSecure hosts, regardless of whether they have the transparent tunneling and/or FTP-SFTP conversion component installed. In that case, Tectia Client/ConnectSecure simply ignores the filter rules that do not apply to the installed software.

Enable transparent tunneling

Select whether to enable transparent TCP and FTP tunneling.

Pseudo IP start address

Specifies the first IP address used internally to ensure that name resolving is done at the remote end. The address must be a routable IP address in order for the tunneled applications to function correctly. If the default IP 180.0.0.1 is used in your network, specify another routable IP address as the pseudo IP address.

FTP filter @ signs

With Tectia ConnectSecure, the Filter @ signs option can be used with FTP-SFTP conversion when scripts are used to open a connection directly from the FTP/SFTP client to the SFTP server, bypassing any proxies. This attribute defines that Tectia ConnectSecure uses the FTP user name, FTP server name, and FTP server password sent by the FTP application.

The FTP script is expected to specify the username in format ftp-user@proxy-user@ftp-server and the password in format ftp-password@proxy-password. The @ sign is used to extract the relevant data from the strings.

When this option is enabled, Tectia ConnectSecure cuts the username string at the first @ sign to extract the ftp-user and at the last @ sign to extract the ftp-server, and the rest of the string is ignored. Likewise, the password string is cut at the last @ sign and the first part is used as the password on the SFTP server.
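The extraction rules above are concrete enough to write down. The following Python is an added example, not ConnectSecure's own code: it applies the first-@/last-@ rule to the username and the last-@ rule to the password, and rejects strings that leave the user or server empty. How a password without any @ sign is treated is not stated on the page; passing it through unchanged is an assumption.

```python
from typing import NamedTuple, Optional


class FtpCredentials(NamedTuple):
    ftp_user: str        # user name sent to the SFTP server
    ftp_server: str      # SFTP server the conversion connects to
    sftp_password: str   # password sent to the SFTP server


def split_filtered_username(username: str):
    """Cut at the first @ for ftp-user and at the last @ for ftp-server.

    Anything between the two (the proxy-user part) is ignored, as the page
    describes. Returns None when the string carries no @ sign at all.
    """
    first = username.find("@")
    if first == -1:
        return None
    last = username.rfind("@")
    return username[:first], username[last + 1:]


def split_filtered_password(password: str) -> str:
    """Cut at the last @; the part before it is the SFTP server password.

    Assumption (not stated on the page): a password with no @ sign is passed
    through unchanged.
    """
    last = password.rfind("@")
    return password if last == -1 else password[:last]


def extract_credentials(username: str, password: str) -> Optional[FtpCredentials]:
    """Apply both rules; reject strings that leave the user or server empty."""
    parsed = split_filtered_username(username)
    if parsed is None:
        return None
    ftp_user, ftp_server = parsed
    if not ftp_user or not ftp_server:
        return None
    return FtpCredentials(ftp_user, ftp_server, split_filtered_password(password))
```

Because the password is cut at its last @ sign, an FTP password that itself contains @ must always be followed by the @proxy-password part; a bare "p@ss" would reach the SFTP server as "p", which is the kind of silent truncation worth checking for in scripts before enabling the option.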

Direct connection when Broker down (Windows only)

Specifies whether connections are direct (plaintext) or blocked when Tectia Client/ConnectSecure is not running. By default, the connections are direct if Tectia Client/ConnectSecure is not running, so that connections are possible to the application servers if Tectia Client/ConnectSecure becomes disabled for some reason. If connections should always be encrypted for increased security over availability, disable this option to prevent outbound plaintext connections.

Note that if this option is disabled, all connections are blocked, even those that would normally be direct according to the filter rules, excluding the connections defined as always using direct connection.

Always use direct connection for specified applications (Windows only)

Specifies the applications that are always allowed direct connections. The applications defined as executables are never captured and forwarded according to the filter rules in the Tectia Client/ConnectSecure configuration, instead communication is in plaintext (unless the application itself performs encryption).

Note

The Management Agent sshmgmtagent.exe should always be defined as a pass-through application; otherwise the host might not be able to connect to the Management Server.

Show security notifications (Windows only)

Select whether to show security notifications when transparent TCP tunnels are created on Windows.

Transparent tunnels

With the Transparent tunnels setting, you can define filter rules for FTP-SFTP conversion, transparent FTP tunneling, and transparent TCP tunneling for Tectia Client/ConnectSecure.

To add a filter rule for transparent tunneling or FTP-SFTP conversion, click Add.

To edit a filter rule, click Edit next to the rule.

To delete a filter rule, click Delete next to the rule.

Application to capture

Specify the application to which the filter rule is applied. This can be a regular expression.

Filter by address

Define whether the filtering should be done based on the address the application is connecting to.

To capture connections to all addresses, select Any.

To capture connections only to specific addresses, you can specify either a Host name in domain name format or an IP address. The value can be a regular expression.

Filter by port

Define whether the filtering should be done based on the port the application is connecting to.

To capture connections to all ports, select Any.

To capture connections only to specific ports, you can specify a Single port or a Port range.

Action

Select the action to perform when the filter rule matches.

  • Direct causes the connection to be made directly as plaintext without tunneling or FTP-SFTP conversion.

  • Block causes the connection to be blocked.

  • TCP tunnel causes the connection to be redirected through a secure TCP tunnel via a Secure Shell server.

  • FTP tunnel causes the connection to be redirected through a secure FTP tunnel via a Secure Shell server.

  • FTP-SFTP conversion causes the FTP-SFTP conversion to start and a connection to be made to the Secure Shell SFTP server.
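As an added example (not Tectia's own rule matcher), this Python sketch models the four rule fields above, Application to capture, Filter by address, Filter by port and Action, and decides which action a captured connection gets. The rule set is constructed, and two behaviours the page does not specify are assumptions: regular expressions are treated as unanchored (re.search), and rules are tried in order with the first match winning. The unanchored assumption is exactly why a pattern such as ftp also matches sftp-client.exe; anchoring the expression is the defensive choice when a rule's action is Direct.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACTIONS = ("Direct", "Block", "TCP tunnel", "FTP tunnel", "FTP-SFTP conversion")


def parse_ports(spec: str) -> Optional[Tuple[int, int]]:
    """'Any' -> None; '22' -> (22, 22); '1024-65535' -> (1024, 65535)."""
    if spec.strip().lower() == "any":
        return None
    lo, sep, hi = spec.partition("-")
    low = int(lo)
    high = int(hi) if sep else low
    if not (0 < low <= high <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high


@dataclass(frozen=True)
class FilterRule:
    application: str                          # regex matched against the executable name
    address: Optional[str] = None             # None = Any, else regex over host name / IP
    ports: Optional[Tuple[int, int]] = None   # None = Any, else inclusive (low, high)
    action: str = "Block"

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action: {self.action!r}")


def rule_matches(rule: FilterRule, app: str, host: str, port: int) -> bool:
    """Assumption: the regular expressions are applied unanchored (re.search)."""
    if not re.search(rule.application, app, re.IGNORECASE):
        return False
    if rule.address is not None and not re.search(rule.address, host, re.IGNORECASE):
        return False
    if rule.ports is not None and not (rule.ports[0] <= port <= rule.ports[1]):
        return False
    return True


def select_action(rules: List[FilterRule], app: str, host: str, port: int) -> Optional[str]:
    """First matching rule wins (assumption about rule order); None if nothing matches."""
    for rule in rules:
        if rule_matches(rule, app, host, port):
            return rule.action
    return None


# Constructed sample rule set (not from the page).
SAMPLE_RULES = [
    FilterRule(r"^ftp\.exe$", None, parse_ports("21"), "FTP-SFTP conversion"),
    FilterRule(r"^putty\.exe$", r"\.example\.com$", parse_ports("22"), "Direct"),
    FilterRule(r".*", r"^10\.0\.0\.\d+$", parse_ports("1024-65535"), "TCP tunnel"),
    FilterRule(r".*", None, None, "Block"),
]
```

The closing catch-all Block rule is the part worth copying: without it, a connection that matches no rule is left to whatever the unspecified default is, rather than to a decision you made.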

Tunnel through profile

Specify the connection profile that is used for opening the tunnel or FTP-SFTP conversion.

None can be selected if the username and/or destination are extracted from the application (Use destination from application must be selected).

Use username from application

Define whether the username for the Secure Shell server should be extracted from the data sent by the application. This setting can be used with FTP tunneling and FTP-SFTP conversion. If a profile is referred to under Tunnel through profile, this setting overrides the username defined in the profile.

Use destination from application

Define whether the address of the Secure Shell server should be extracted from the data sent by the application.

With this setting, it is no longer necessary to create a separate connection profile for each destination host. However, if a profile is referred to under Tunnel through profile, this setting overrides the destination host defined in the profile.

Fallback to direct if tunneling fails

This setting can be used to define whether a direct (unsecured) connection is used if creating the tunnel fails or the connection to the Secure Shell server fails. Normally, when the secured connection fails when applying a filter rule, the Connection Broker will return a "host not reachable" error.

Connection from public to private (use pseudo IP)

Specifies whether the connection is made from a public to a private network, and hence whether Tectia Client/ConnectSecure uses pseudo IP addresses to ensure that name resolving is done at the remote end.

This option should be disabled if name resolution can always be done at the local end.

Note

Do not enable the Fallback to direct and Connection from public to private options at the same time. If they both are enabled, and a secure connection fails, the application will try a direct connection with the pseudo IP, which will not work.

Automatic Tunneling

The Automatic Tunneling page contains the settings for automatic tunnels.

Automatic tunnels (TCP and FTP) are available with Tectia Client and Tectia ConnectSecure.

Automatic tunnels

With the Automatic tunnels setting, you can create listeners for local tunnels automatically when the Connection Broker starts up. The actual tunnel is formed the first time a connection is made to the listener port. If the connection to the server is not open at that time, it will be opened automatically as well.

To add an automatic tunnel, click Add.

To edit an automatic tunnel, click Edit next to the tunnel entry.

To delete an automatic tunnel, click Delete next to the tunnel entry.

Tunnel type

The tunnel type can be either TCP or FTP.

Listen port

Define the local port to listen on.

Allow only local connections

Specify whether to allow connections to the listening port from outside the client host. By default, only local connections are allowed.

Host

Define the destination address for the tunneled connection. The default is 127.0.0.1 (localhost = server host).

Port

Define the destination port for the tunneled connection.

Tunnel using profile

Specify the connection profile that is used for opening the tunnel.

Profiles

Tectia Client and Tectia ConnectSecure connection profiles can be added, edited, and removed from the Profiles page. Settings in a connection profile override the default settings defined in General and Connections.

To add a new connection profile, click Add. After you fill in the Profile name and click OK, a new profile object will appear in the tree view.

To edit a connection profile, click Edit next to the connection profile. You can also edit a profile directly on its subpages. See Connection and Services for the available settings.

To delete a connection profile, click Delete next to the connection profile.

Profile name

A unique name for the connection profile.

Hostname

The remote hostname must be given. The hostname can be either an IP address or a domain name. An asterisk (*) can be used to ask the user for the hostname.

Username

Specify the username on the remote host. %USERNAME% can be used to set the username to the current user. An asterisk (*) can be used to ask the user for the username.

Port

Define the port of the Secure Shell server on the remote host. The default port is 22.

Tunnel using profile

This setting defines that a connection with this profile will be tunneled through another profile.

Connect on startup

Select the check box to make the connection specified by the profile automatically at reboot.

Profile-specific proxy rules

Define the proxy settings used with this profile.

Connection

The Connection page contains the profile-specific connection settings, such as ciphers and authentication methods that the client will request.

Ciphers

Define the ciphers that the client will propose to the server when using this profile. Select a cipher from the list, and use the arrow buttons (<< and >>) to move the cipher to the used (enabled) list or to the available (disabled) list.

The ciphers are proposed to the server in order. Use the Up and Down buttons to change the order of the ciphers.

MACs

Define the MACs that the client will propose to the server when using this profile. Select a MAC from the list and use the arrow buttons (<< and >>) to move the MAC to the used (enabled) list or to the available (disabled) list.

The MACs are proposed to the server in order. Use the Up and Down buttons to change the order of the MACs.

Authentication Methods

Define the authentication methods that are requested by the client when using this profile. Select a method from the list and use the arrow buttons (<< and >>) to move the method to the used (enabled) list or to the available (disabled) list.

The authentication methods are tried in order. This means that the least interactive methods should be placed first. Use the Up and Down buttons to change the order of the methods.

Compression

Define the compression settings used with this profile.

Transport Distribution

Define the transport distribution settings used with this profile. Using more than one transport may increase the throughput over low bandwidth connections.

Idle timeout

Define the idle timeout settings used with this profile.

The default setting is 5 seconds. Setting a longer time allows the connection to the server to remain open even after a session (for example, sshg3) is closed. During this time, a new session to the server can be initiated without re-authentication. Setting the time to 0 (zero) terminates the connection immediately when the last channel to the server is closed.

TCP connection timeout

Select whether a profile-specific TCP connection timeout is used. Select Use defaults if you want this profile to inherit the Client Default setting.

When you select Enabled, also define the timeout in seconds. When this setting is enabled, connection attempts to a Secure Shell server are stopped after the defined time if the remote host is down or unreachable. This timeout can be overridden by using a different connection timeout with a command-line command.

Keepalive interval

Select whether keepalive messages are sent to the Secure Shell server. Select Use defaults if you want this profile to inherit the Client Default setting. When you select Enabled, also define an interval (in seconds) for sending the keepalive messages.

Exclusive connection

Select whether this profile should open a new connection for each new channel, or use the setting made in the Client Default view. When this setting is disabled, any open connections are reused for new channels requested by a client.

Services

The Services page contains the profile-specific settings for server banners, forwarding, and the tunnels opened when the profile is used.

Show server banners

Define whether server banners are shown with this profile.

Enable X11 forwarding

Define whether X11 forwarding is allowed with this profile.

Enable agent forwarding

Define whether agent forwarding is allowed with this profile.

Local tunnels

Define the local tunnels that are opened when a connection with this profile is made.

To add a local tunnel, click Add.

To edit a local tunnel, click Edit next to the tunnel entry.

To delete a local tunnel, click Delete next to the tunnel entry.

  • Tunnel type: The tunnel type can be either TCP or FTP.

  • Listen port: Define the local port to listen on.

  • Allow only local connections: Specify whether to allow connections to the listening port from outside the client host. By default, only local connections are allowed.

  • Dst host: Define the destination address for the tunneled connection. The default is 127.0.0.1 (localhost = server host).

  • Dst port: Define the destination port for the tunneled connection.

Remote tunnels

Define the remote tunnels that are opened when a connection with this profile is made.

To add a remote tunnel, click Add.

To edit a remote tunnel, click Edit next to the tunnel entry.

To delete a remote tunnel, click Delete next to the tunnel entry.

  • Tunnel type: The tunnel type can be either TCP or FTP.

  • Listen port: Define the port on the remote server to listen on.

  • Allow only local connections: Specify whether to allow connections to the listening port from outside the server host. By default, only local connections (originating from the server) are allowed.

  • Dst host: Define the destination address for the tunneled connection. The default is 127.0.0.1 (localhost = client host).

  • Dst port: Define the destination port for the tunneled connection.