profiles At least one profile
element must be defined.
The profile id
must be a unique identifier that does not change during the lifetime of the profile.
An additional name
can be given to the profile. This is a free-form text string.
The host
attribute defines the address of the Secure Shell server host. If it is left empty and/or under the filter-engine/rule
element hostname-from-app="yes"
, the Secure Shell connection is opened to the destination host given in the SOCKS request. Otherwise the Secure Shell connection is opened to the host specified in the profile and in FTP tunneling, FTP connections are forwarded to the requested hosts.
The port
attribute specifies the Secure Shell server port. The default port is 22
.
The user
attribute specifies the username on the Secure Shell server. If it is left empty, the username given by the FTP client is used when opening the Secure Shell connection.
static-tunnels At least one tunnel
element must be defined.
For transparent tunneling, the tunnel type
must be set as "socks-proxy
and the port
as "1080"
.
The listen-address
is usually the loopback address "127.0.0.1"
, but can be an address of any local interface that will be listened.
The dst-port
attribute is set to 0
and the profile
attribute is left empty when transparent tunneling and FTP-SFTP conversion are used.
filter-engine At least one rule
element must be defined.
The ip-address
attribute specifies the target host IP address to be filtered. It can be a regular expression. Connections to the specified address are captured. With transparent FTP tunneling and FTP-SFTP conversion, this can be usually set to capture all connections (".*"
), as the connections are already filtered by the SOCKS Proxy settings.
The ports
attribute specifies the ports to be filtered. It can be a single port or a range. A range is specified with a dash between two integers (such as "21-25"
).
The action
attribute specifies the action to be done when a filter is used. For transparent FTP tunneling, the action is "ftp-tunnel"
. For FTP-SFTP conversion, the action is "ftp-proxy"
.
The profile-id
attribute is a reference to a profile
element and should contain the same value as the id
attribute of the profile.
The hostname-from-app
attribute defines whether the SOCKS Proxy should extract the Secure Shell server's host name from data sent by the application, or use a Secure Shell server defined by the connection profile in profile-id
. With SSH Tectia SOCKS Proxy on z/OS, this is usually set to "yes"
. Note that this requires that a Secure Shell server is installed to each destination server (or that fallback-to-plain
is enabled to allow direct connections to those servers that do not have Secure Shell installed).
The username-from-app
attribute defines whether the FTP tunneling or FTP-SFTP conversion extracts the user name from data sent by the FTP application. With SSH Tectia SOCKS Proxy on z/OS, this is usually set to "yes"
. This setting will override any user name settings made in a related connection profile.
When applying the filter rule, if creating the tunnel fails or the connection to the Secure Shell server fails, the SOCKS Proxy will normally return a "host not reachable" error. However, if the fallback-to-plain
attribute is set to "yes"
, a direct (unsecured) connection is used instead.