The Balabit Shell Control Box 4 F3 Administrator Guide

May 05, 2017

Abstract

This document is the primary manual of the Balabit Shell Control Box 4 F3.


Table of Contents

Preface
1. Summary of contents
2. Target audience and prerequisites
3. Products covered in this guide
4. Typographical conventions
5. Contact and support information
5.1. Sales contact
5.2. Support contact
5.3. Training
6. About this document
6.1. Summary of changes
6.2. Feedback
1. Introduction
1.1. What SCB is
1.2. What SCB is not
1.3. Why is SCB needed?
1.4. Who uses SCB?
1.5. Public references
2. The concepts of SCB
2.1. The philosophy of SCB
2.2. Supported protocols and client applications
2.3. Modes of operation
2.3.1. Transparent mode
2.3.2. Single-interface router mode
2.3.3. Non-transparent mode
2.3.4. Inband destination selection
2.4. Connecting to a server through SCB
2.4.1. Connecting to a server through SCB using SSH
2.4.2. Connecting to a server through SCB using RDP
2.4.3. Connecting to a server through SCB using a RD Gateway
2.5. IPv6 in SCB
2.6. SSH hostkeys
2.7. Authenticating clients using public-key authentication in SSH
2.8. The gateway authentication process
2.9. Four-eyes authorization
2.10. Network interfaces
2.11. High Availability support in SCB
2.12. Firmware in SCB
2.12.1. Firmwares and high availability
2.13. Versions and releases of SCB
2.14. Accessing and configuring SCB
2.15. Licenses
3. The Welcome Wizard and the first login
3.1. The initial connection to SCB
3.1.1. Creating an alias IP address (Microsoft Windows)
3.1.2. Creating an alias IP address (Linux)
3.1.3. Modifying the IP address of SCB
3.2. Configuring SCB with the Welcome Wizard
3.3. Logging in to SCB and configuring the first connection
4. Basic settings
4.1. Supported web browsers and operating systems
4.2. The structure of the web interface
4.2.1. Elements of the main workspace
4.2.2. Multiple web users and locking
4.2.3. Web interface timeout
4.3. Network settings
4.3.1. Configuring user and administrator login addresses
4.3.2. Managing logical interfaces
4.3.3. Routing uncontrolled traffic between logical interfaces
4.3.4. Configuring the routing table
4.4. Configuring date and time
4.5. System logging, SNMP and e-mail alerts
4.5.1. Configuring system logging
4.5.2. Configuring e-mail alerts
4.5.3. Configuring SNMP alerts
4.5.4. Querying SCB status information using agents
4.6. Configuring system monitoring on SCB
4.6.1. Configuring monitoring
4.6.2. Health monitoring
4.6.3. Preventing disk space fill up
4.6.4. System related traps
4.6.5. Traffic related traps
4.7. Data and configuration backups
4.7.1. Creating a backup policy using Rsync over SSH
4.7.2. Creating a backup policy using SMB/CIFS
4.7.3. Creating a backup policy using NFS
4.7.4. Creating configuration backups
4.7.5. Creating data backups
4.7.6. Encrypting configuration backups with GPG
4.8. Archiving and cleanup
4.8.1. Creating a cleanup policy
4.8.2. Creating an archive policy using SMB/CIFS
4.8.3. Creating an archive policy using NFS
4.8.4. Archiving or cleaning up the collected data
5. User management and access control
5.1. Managing SCB users locally
5.2. Setting password policies for local users
5.3. Managing local usergroups
5.4. Managing SCB users from an LDAP database
5.5. Authenticating users to a RADIUS server
5.6. Authenticating users with X.509 certificates
5.7. Managing user rights and usergroups
5.7.1. Modifying group privileges
5.7.2. Creating new usergroups for the SCB web interface
5.7.3. Finding specific usergroups
5.7.4. How to use usergroups
5.7.5. Built-in usergroups of SCB
5.8. Listing and searching configuration changes
5.8.1. Using the internal search interface
5.9. Displaying the privileges of users and user groups
6. Managing SCB
6.1. Controlling SCB — reboot, shutdown
6.1.1. Disabling controlled traffic
6.1.2. Disabling controlled traffic permanently
6.2. Managing a high availability SCB cluster
6.2.1. Adjusting the synchronization speed
6.2.2. Redundant heartbeat interfaces
6.2.3. Next-hop router monitoring
6.3. Upgrading SCB
6.3.1. Upgrade checklist
6.3.2. Upgrading SCB (single node)
6.3.3. Upgrading an SCB cluster
6.3.4. Troubleshooting
6.3.5. Reverting to an older firmware version
6.3.6. Exporting the configuration of SCB
6.3.7. Importing the configuration of SCB
6.4. Managing the SCB license
6.4.1. Updating the SCB license
6.5. Accessing the SCB console
6.5.1. Using the console menu of SCB
6.5.2. Enabling SSH access to the SCB host
6.5.3. Changing the root password of SCB
6.6. Sealed mode
6.6.1. Disabling sealed mode
6.7. Out-of-band management of SCB
6.7.1. Configuring the IPMI interface
6.8. Managing the certificates used on SCB
6.8.1. Generating certificates for SCB
6.8.2. Uploading external certificates to SCB
6.8.3. Generating TSA certificate with Windows Certificate Authority
7. General connection settings
7.1. Configuring connections
7.2. Modifying the destination address
7.3. Configuring inband destination selection
7.4. Modifying the source address
7.5. Creating and editing channel policies
7.6. Real-time content monitoring with Content Policies
7.6.1. Creating a new content policy
7.7. Configuring time policies
7.8. Creating and editing user lists
7.9. Authenticating users to an LDAP server
7.10. Audit policies
7.10.1. Encrypting audit trails
7.10.2. Timestamping audit trails with built-in timestamping service
7.10.3. Timestamping audit trails with external timestamping service
7.10.4. Digitally signing audit trails
7.11. Verifying certificates with Certificate Authorities
7.12. Signing certificates on-the-fly
7.13. Creating a Local User Database
7.14. Configuring cleanup for the SCB connection database
8. HTTP-specific settings
8.1. Limitations in handling HTTP connections
8.2. Authentication in HTTP and HTTPS
8.3. Setting up HTTP connections
8.3.1. Setting up a transparent HTTP connection
8.3.2. Enabling SCB to act as a HTTP proxy
8.3.3. Enabling SSL encryption in HTTP
8.3.4. Configuring half-sided SSL encryption in HTTP
8.4. Session-handling in HTTP
8.5. Creating and editing protocol-level HTTP settings
9. ICA-specific settings
9.1. Setting up ICA connections
9.2. Supported ICA channel types
9.3. Creating and editing protocol-level ICA settings
9.4. SCB deployment scenarios in a Citrix environment
9.5. Troubleshooting Citrix-related problems
10. RDP-specific settings
10.1. Supported RDP channel types
10.2. Creating and editing protocol-level RDP settings
10.3. Network Level Authentication (NLA) with SCB
10.3.1. Network Level Authentication (NLA) with domain membership
10.3.2. Using SCB across multiple domains
10.3.3. Network Level Authentication without domain membership
10.4. Using SSL-encrypted RDP connections
10.5. Verifying the certificate of the RDP server in encrypted connections
10.6. Using SCB as a Terminal Services Gateway
10.7. Configuring Remote Desktop clients for gateway authentication
10.8. Inband destination selection in RDP connections
10.9. Usernames in RDP connections
10.10. Saving login credentials for RDP on Windows
10.11. Configuring RemoteApps
11. SSH-specific settings
11.1. Setting the SSH host keys and certificates of the connection
11.2. Supported SSH channel types
11.3. Authentication Policies
11.3.1. Creating a new authentication policy
11.3.2. Client-side authentication settings
11.3.3. Relayed authentication methods
11.3.4. Configuring your Kerberos environment
11.3.5. Kerberos authentication settings
11.4. Server host keys and certificates
11.4.1. Automatically adding the host keys and host certificates of a server to SCB
11.4.2. Manually adding the host key or host certificate of a server
11.5. Creating and editing protocol-level SSH settings
11.6. Supported encryption algorithms
12. Telnet-specific settings
12.1. Enabling TLS-encryption for Telnet connections
12.2. Creating a new authentication policy
12.3. Extracting username from Telnet connections
12.4. Creating and editing protocol-level Telnet settings
12.5. Inband destination selection in Telnet connections
13. VMware View connections
13.1. SCB deployment scenarios in a VMware environment
14. VNC-specific settings
14.1. Enabling TLS-encryption for VNC connections
14.2. Creating and editing protocol-level VNC settings
15. Indexing audit trails
15.1. Configuring the internal indexer
15.2. Configuring external indexers
15.2.1. Prerequisites and limitations
15.2.2. Hardware requirements for the external indexer host
15.2.3. Configuring SCB to use external indexers
15.2.4. Installing the external indexer
15.2.5. Configuring the external indexer
15.2.6. Uploading decryption keys to the external indexer
15.2.7. Starting the external indexer
15.2.8. Disabling indexing on SCB
15.2.9. Managing the indexers
15.2.10. Troubleshooting external indexers
15.3. Monitoring the status of the indexer services
16. Browsing and replaying audit trails on SCB
16.1. Searching audit trails — the SCB connection database
16.1.1. Connection details
16.1.2. Replaying audit trails in your browser
16.1.3. Replaying encrypted audit trails in your browser
16.1.4. Using the content search
16.1.5. Connection metadata
16.1.6. Using and managing search filters
16.2. Displaying statistics on search results
17. Replaying audit trails with Audit Player
17.1. Installing and configuring Audit Player
17.1.1. Installing the Audit Player application
17.1.2. Enabling the Audit Indexing Service
17.1.3. Running Audit Player without administrator privileges
17.1.4. Running Audit Player on multicore processors
17.2. Replaying audit trails
17.2.1. Downloading audit trails from SCB
17.2.2. Replaying a session with the Audit Player
17.2.3. Replaying SCP and SFTP sessions
17.2.4. Replaying HTTP sessions
17.3. Using AP
17.3.1. Finding specific audit trails
17.3.2. Using projects
17.3.3. Replaying and processing encrypted audit trails
17.3.4. Searching in graphical streams
17.3.5. Adding a new font to the OCR database
17.3.6. Adding a new font for displaying X11 trails
17.3.7. HTTP indexing and search
17.4. Troubleshooting the Audit Player
17.4.1. Logging with the Audit Player
17.4.2. Keys and certificates
17.4.3. Keyframe building errors
18. Advanced authentication and authorization techniques
18.1. Configuring usermapping policies
18.2. Configuring gateway authentication
18.2.1. Configuring outband gateway authentication
18.2.2. Performing outband gateway authentication on SCB
18.2.3. Performing inband gateway authentication in SSH and Telnet connections
18.2.4. Performing inband gateway authentication in RDP connections
18.2.5. Troubleshooting gateway authentication
18.3. Configuring 4-eyes authorization
18.3.1. Configuring four-eyes authorization
18.3.2. Performing four-eyes authorization on SCB
18.4. Using credential stores for server-side authentication
18.4.1. Configuring local Credential Stores
18.4.2. Performing gateway authentication to RDP servers using local Credential Store and NLA
18.4.3. Configuring password-protected Credential Stores
18.4.4. Unlocking Credential Stores
18.4.5. Using Lieberman ERPM to authenticate on the target hosts
18.4.6. Using a custom Credential Store plugin to authenticate on the target hosts
18.4.7. Creating a custom Credential Store plugin
18.5. Integrating ticketing systems
18.5.1. Using a Ticketing plugin to authorize connections to the target hosts
18.5.2. Performing authentication with ticketing integration in terminal connections
18.5.3. Performing authentication with ticketing integration in Remote Desktop connections
18.6. Integrating external authentication and authorization systems
18.6.1. How Authentication and Authorization plugins work
18.6.2. Using an AA plugin to authorize RDP connections to the target hosts
18.6.3. Performing authentication with AA plugin in terminal connections
18.6.4. Performing authentication with AA plugin in Remote Desktop connections
19. Reports
19.1. Contents of the operational reports
19.2. Configuring custom reports
19.3. Creating reports from audit trail content
19.4. Creating statistics from custom database queries
19.5. Database tables available for custom queries
19.5.1. The alerting table
19.5.2. The aps table
19.5.3. The archives table
19.5.4. The audit_trail_downloads table
19.5.5. The channels table
19.5.6. The closed_connection_audit_channels view
19.5.7. The closed_not_indexed_audit_channels view
19.5.8. The connection_events view
19.5.9. The connection_occurrences view
19.5.10. The connections view
19.5.11. The events table
19.5.12. The file_xfer table
19.5.13. The http_req_resp_pair table
19.5.14. The indexer_jobs table
19.5.15. The occurrences table
19.5.16. The progresses table
19.5.17. The results table
19.5.18. The skipped_connections table
19.5.19. The usermapped_channels view
19.5.20. Querying trail content with the sphinx function
19.5.21. Querying trail content with the lucene-search function
19.6. Generating partial reports
19.7. Creating PCI DSS reports
19.8. Contents of PCI DSS reports
20. The SCB RPC API
20.1. Requirements for using the RPC API
20.2. RPC client requirements
20.3. Locking SCB configuration from the RPC API
20.4. Documentation of the RPC API
20.5. Enabling RPC API access to SCB
21. The SCB REST API
22. SCB scenarios
22.1. Configuring public-key authentication on SCB
22.1.1. Configuring public-key authentication using local keys
22.1.2. Configuring public-key authentication using an LDAP server and a fixed key
22.1.3. Configuring public-key authentication using an LDAP server and generated keys
22.2. Organizing connections in non-transparent mode
22.2.1. Organizing connections based on port numbers
22.2.2. Organizing connections based on alias IP addresses
22.3. Using inband destination selection in SSH connections
22.3.1. Using inband destination selection with PuTTY
22.3.2. Using inband destination selection with OpenSSH
22.3.3. Using inband selection and nonstandard ports with PuTTY
22.3.4. Using inband selection and nonstandard ports with OpenSSH
22.3.5. Using inband destination selection and gateway authentication with PuTTY
22.3.6. Using inband destination selection and gateway authentication with OpenSSH
22.4. SSH usermapping and keymapping in AD with public key
23. Troubleshooting SCB
23.1. Network troubleshooting
23.2. Gathering data about system problems
23.3. Viewing logs on SCB
23.4. Changing log verbosity level of SCB
23.5. Collecting logs and system information for error reporting
23.6. Status history and statistics
23.6.1. Displaying custom connection statistics
23.7. Troubleshooting an SCB cluster
23.7.1. Understanding SCB cluster statuses
23.7.2. Recovering SCB if both nodes broke down
23.7.3. Recovering from a split brain situation
23.7.4. Replacing a HA node in an SCB cluster
23.7.5. Resolving an IP conflict between cluster nodes
23.8. Understanding SCB RAID status
23.9. Restoring SCB configuration and data
23.10. VNC is not working with TLS
A. Package contents inventory
B. Balabit Shell Control Box Hardware Installation Guide
B.1. Installing the SCB hardware
B.2. Installing two SCB units in HA mode
C. Hardware specifications
D. Balabit Shell Control Box Software Installation Guide
D.1. Installing the SCB software
E. Balabit Shell Control Box VMware Installation Guide
E.1. Limitations of SCB under VMware
E.2. Installing SCB under VMware ESXi/ESX
E.3. Modifying the virtual disk size under VMware
F. Balabit Shell Control Box Hyper-V Installation Guide
F.1. Limitations of SCB under Hyper-V
F.2. Installing SCB under Hyper-V
G. Deploying Balabit Shell Control Box from the Azure Marketplace
G.1. Prerequisites
G.2. Limitations
G.3. Deploy Balabit Shell Control Box from the Microsoft Azure Marketplace
G.4. High Availability and redundancy in Microsoft Azure
H. Installing Balabit Shell Control Box as a Kernel-based Virtual Machine
H.1. Limitations of SCB under KVM
H.2. Installing SCB as a Kernel-based Virtual Machine
I. Configuring external devices
I.1. Configuring advanced routing on Linux
I.2. Configuring advanced routing on Cisco routers
I.3. Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls
J. Using SCP with agent-forwarding
K. Security checklist for configuring SCB
L. Licenses
M. END USER LICENSE AGREEMENT FOR BALABIT PRODUCT (EULA)
Glossary
Index
List of SCB web interface labels

List of Examples

4.1. Configuring NFS on the remote server
4.2. Configuring NFS on the remote server
7.1. Hostnames and inband destination selection
7.2. Sample regular expressions for content policies
7.3. Sample content policies using Ignore rules
16.1. Searching for exact matches
16.2. Combining keywords in search
16.3. Using parentheses in search
16.4. Using wildcard ? in search
16.5. Using wildcard * in search
16.6. Using combined wildcards in search
16.7. Searching for special characters
16.8. Searching in commands and window titles
16.9. Searching for fuzzy matches
16.10. Proximity search
16.11. Adjusting the relevance of search terms
17.1. Using the -C switch
17.2. Filtering for HTTP exchanges in AP
I.1. Setting up a connection mark for Linux policy routing
I.2. Configuring an ACL entry for Cisco policy routing
I.3. Configuring an ACL entry for reply packets with Cisco policy routing

List of Procedures

2.4.1. Connecting to a server through SCB using SSH
2.4.2. Connecting to a server through SCB using RDP
2.4.3. Connecting to a server through SCB using a RD Gateway
2.8. The gateway authentication process
2.9. Four-eyes authorization
3.1.1. Creating an alias IP address (Microsoft Windows)
3.1.2. Creating an alias IP address (Linux)
3.1.3. Modifying the IP address of SCB
3.2. Configuring SCB with the Welcome Wizard
3.3. Logging in to SCB and configuring the first connection
4.3.1. Configuring user and administrator login addresses
4.3.2. Managing logical interfaces
4.3.3. Routing uncontrolled traffic between logical interfaces
4.3.4. Configuring the routing table
4.4. Configuring date and time
4.5.1. Configuring system logging
4.5.2. Configuring e-mail alerts
4.5.3. Configuring SNMP alerts
4.5.4. Querying SCB status information using agents
4.6.1. Configuring monitoring
4.6.3. Preventing disk space fill up
4.7.1. Creating a backup policy using Rsync over SSH
4.7.2. Creating a backup policy using SMB/CIFS
4.7.3. Creating a backup policy using NFS
4.7.4. Creating configuration backups
4.7.5. Creating data backups
4.7.6. Encrypting configuration backups with GPG
4.8.1. Creating a cleanup policy
4.8.2. Creating an archive policy using SMB/CIFS
4.8.3. Creating an archive policy using NFS
4.8.4. Archiving or cleaning up the collected data
5.1. Managing SCB users locally
5.2. Setting password policies for local users
5.3. Managing local usergroups
5.4. Managing SCB users from an LDAP database
5.5. Authenticating users to a RADIUS server
5.6. Authenticating users with X.509 certificates
5.7.1. Modifying group privileges
5.7.2. Creating new usergroups for the SCB web interface
5.8.1.3. Customizing columns of the internal search interface
6.1.1. Disabling controlled traffic
6.1.2. Disabling controlled traffic permanently
6.2.2. Redundant heartbeat interfaces
6.2.3. Next-hop router monitoring
6.3.2. Upgrading SCB (single node)
6.3.3. Upgrading an SCB cluster
6.3.5. Reverting to an older firmware version
6.3.6. Exporting the configuration of SCB
6.3.7. Importing the configuration of SCB
6.4.1. Updating the SCB license
6.5.2. Enabling SSH access to the SCB host
6.5.3. Changing the root password of SCB
6.6.1. Disabling sealed mode
6.7.1. Configuring the IPMI interface
6.8.1. Generating certificates for SCB
6.8.2. Uploading external certificates to SCB
6.8.3. Generating TSA certificate with Windows Certificate Authority
7.1. Configuring connections
7.2. Modifying the destination address
7.3. Configuring inband destination selection
7.4. Modifying the source address
7.5. Creating and editing channel policies
7.6.1. Creating a new content policy
7.7. Configuring time policies
7.8. Creating and editing user lists
7.9. Authenticating users to an LDAP server
7.10.1. Encrypting audit trails
7.10.2. Timestamping audit trails with built-in timestamping service
7.10.3. Timestamping audit trails with external timestamping service
7.10.4. Digitally signing audit trails
7.11. Verifying certificates with Certificate Authorities
7.12. Signing certificates on-the-fly
7.13. Creating a Local User Database
7.14. Configuring cleanup for the SCB connection database
8.3.1. Setting up a transparent HTTP connection
8.3.2. Enabling SCB to act as a HTTP proxy
8.3.3. Enabling SSL encryption in HTTP
8.3.4. Configuring half-sided SSL encryption in HTTP
8.5. Creating and editing protocol-level HTTP settings
9.3. Creating and editing protocol-level ICA settings
10.2. Creating and editing protocol-level RDP settings
10.3.1. Network Level Authentication (NLA) with domain membership
10.3.3. Network Level Authentication without domain membership
10.4. Using SSL-encrypted RDP connections
10.5. Verifying the certificate of the RDP server in encrypted connections
10.6. Using SCB as a Terminal Services Gateway
10.7. Configuring Remote Desktop clients for gateway authentication
10.10. Saving login credentials for RDP on Windows
10.11. Configuring RemoteApps
11.1. Setting the SSH host keys and certificates of the connection
11.3.1. Creating a new authentication policy
11.3.2.1. Local client-side authentication
11.3.4. Configuring your Kerberos environment
11.3.5. Kerberos authentication settings
11.4.1. Automatically adding the host keys and host certificates of a server to SCB
11.4.2. Manually adding the host key or host certificate of a server
11.5. Creating and editing protocol-level SSH settings
12.1. Enabling TLS-encryption for Telnet connections
12.2. Creating a new authentication policy
12.3. Extracting username from Telnet connections
12.4. Creating and editing protocol-level Telnet settings
14.1. Enabling TLS-encryption for VNC connections
14.2. Creating and editing protocol-level VNC settings
15.1. Configuring the internal indexer
15.2.3. Configuring SCB to use external indexers
15.2.4. Installing the external indexer
15.2.5. Configuring the external indexer
15.2.6. Uploading decryption keys to the external indexer
15.2.7. Starting the external indexer
15.2.8. Disabling indexing on SCB
16.1.2. Replaying audit trails in your browser
16.1.3. Replaying encrypted audit trails in your browser
16.1.6.1. Creating and saving filters for later use
16.2. Displaying statistics on search results
17.1.1. Installing the Audit Player application
17.1.2. Enabling the Audit Indexing Service
17.1.3. Running Audit Player without administrator privileges
17.1.4. Running Audit Player on multicore processors
17.2.1. Downloading audit trails from SCB
17.2.2. Replaying a session with the Audit Player
17.2.3. Replaying SCP and SFTP sessions
17.2.4. Replaying HTTP sessions
17.3.3.1. Importing certificates with MMC
17.3.3.3. Converting certificates using OpenSSL
17.3.3.4. Converting certificates using Firefox
17.3.5. Adding a new font to the OCR database
17.3.6. Adding a new font for displaying X11 trails
17.4.1.1. AP logging in user mode
17.4.1.2. AP logging as an indexer service
17.4.1.3. AP core dump as an indexer service
18.1. Configuring usermapping policies
18.2.1. Configuring outband gateway authentication
18.2.2. Performing outband gateway authentication on SCB
18.2.3. Performing inband gateway authentication in SSH and Telnet connections
18.2.4. Performing inband gateway authentication in RDP connections
18.3.1. Configuring four-eyes authorization
18.3.2. Performing four-eyes authorization on SCB
18.4.1. Configuring local Credential Stores
18.4.2. Performing gateway authentication to RDP servers using local Credential Store and NLA
18.4.3. Configuring password-protected Credential Stores
18.4.4. Unlocking Credential Stores
18.4.5. Using Lieberman ERPM to authenticate on the target hosts
18.4.6. Using a custom Credential Store plugin to authenticate on the target hosts
18.5.1. Using a Ticketing plugin to authorize connections to the target hosts
18.5.2. Performing authentication with ticketing integration in terminal connections
18.5.3. Performing authentication with ticketing integration in Remote Desktop connections
18.6.2. Using an AA plugin to authorize RDP connections to the target hosts
18.6.3. Performing authentication with AA plugin in terminal connections
18.6.4. Performing authentication with AA plugin in Remote Desktop connections
19.2. Configuring custom reports
19.3. Creating reports from audit trail content
19.4. Creating statistics from custom database queries
19.6. Generating partial reports
19.7. Creating PCI DSS reports
20.5. Enabling RPC API access to SCB
22.1.1. Configuring public-key authentication using local keys
22.1.2. Configuring public-key authentication using an LDAP server and a fixed key
22.1.3. Configuring public-key authentication using an LDAP server and generated keys
22.2.1. Organizing connections based on port numbers
22.2.2. Organizing connections based on alias IP addresses
22.3.1. Using inband destination selection with PuTTY
22.3.2. Using inband destination selection with OpenSSH
22.3.3. Using inband selection and nonstandard ports with PuTTY
22.3.4. Using inband selection and nonstandard ports with OpenSSH
22.3.5. Using inband destination selection and gateway authentication with PuTTY
22.3.6. Using inband destination selection and gateway authentication with OpenSSH
22.4. SSH usermapping and keymapping in AD with public key
23.1. Network troubleshooting
23.3. Viewing logs on SCB
23.4. Changing log verbosity level of SCB
23.5. Collecting logs and system information for error reporting
23.6.1. Displaying custom connection statistics
23.7.2. Recovering SCB if both nodes broke down
23.7.3. Recovering from a split brain situation
23.7.4. Replacing a HA node in an SCB cluster
23.7.5. Resolving an IP conflict between cluster nodes
23.9. Restoring SCB configuration and data
B.1. Installing the SCB hardware
B.2. Installing two SCB units in HA mode
D.1. Installing the SCB software
E.2. Installing SCB under VMware ESXi/ESX
E.3. Modifying the virtual disk size under VMware
F.2. Installing SCB under Hyper-V
G.3. Deploy Balabit Shell Control Box from the Microsoft Azure Marketplace
H.2. Installing SCB as a Kernel-based Virtual Machine
I.1. Configuring advanced routing on Linux
I.2. Configuring advanced routing on Cisco routers
I.3. Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls

Preface

Welcome to the Balabit Shell Control Box 4 F3 Administrator Guide!

This document describes how to configure and manage the Balabit Shell Control Box (SCB). Background information for the technology and concepts used by the product is also discussed.

1. Summary of contents

Chapter 1, Introduction describes the main functionality and purpose of the Balabit Shell Control Box.

Chapter 2, The concepts of SCB discusses the technical concepts and philosophies behind SCB.

Chapter 3, The Welcome Wizard and the first login describes what to do after assembling SCB — it is a step-by-step guide for the initial configuration.

Chapter 4, Basic settings describes the basic configuration settings of SCB.

Chapter 5, User management and access control discusses the authentication, authorization, and accounting settings of the users accessing SCB.

Chapter 6, Managing SCB provides detailed description on managing SCB as a host.

Chapter 7, General connection settings discusses general connection configuration settings.

Chapter 8, HTTP-specific settings describes configuration settings available only for the HTTP protocol.

Chapter 9, ICA-specific settings describes configuration settings available only for the ICA protocol.

Chapter 10, RDP-specific settings describes configuration settings available only for the RDP protocol.

Chapter 11, SSH-specific settings describes configuration settings available only for the SSH protocol.

Chapter 12, Telnet-specific settings describes configuration settings available only for the Telnet protocol.

Chapter 13, VMware View connections describes how to use SCB to control and audit VMware View connections.

Chapter 14, VNC-specific settings describes configuration settings available only for the Virtual Networking (VNC) protocol.

Chapter 16, Browsing and replaying audit trails on SCB describes how to browse the various types of log messages and audit trails on SCB and exactly what kind of information do they contain.

Chapter 17, Replaying audit trails with Audit Player describes how to search and display audit trails, generate reports, and replay the audited sessions.

Chapter 18, Advanced authentication and authorization techniques describes how to configure gateway authentication and four-eyes authorization for the connections.

Chapter 20, The SCB RPC API discusses the details of accessing SCB with the RPC API.

Chapter 22, SCB scenarios discusses common scenarios for SCB.

Chapter 23, Troubleshooting SCB describes troubleshooting and maintenance procedures of Balabit Shell Control Box (SCB).

Appendix A, Package contents inventory lists the contents of the package you receive with the Balabit Shell Control Box.

Appendix B, Balabit Shell Control Box Hardware Installation Guide describes how to set up the Balabit Shell Control Box (SCB) hardware.

Appendix C, Hardware specifications describes the hardware specifications of the SCB appliance.

Appendix D, Balabit Shell Control Box Software Installation Guide describes how to install SCB on certified hardware.

Appendix E, Balabit Shell Control Box VMware Installation Guide describes how to install Balabit Shell Control Box (SCB) as a VMware virtual appliance.

Appendix F, Balabit Shell Control Box Hyper-V Installation Guide describes how to install Balabit Shell Control Box (SCB) as a Hpyer-V virtual appliance.

Appendix I, Configuring external devices describes scenarios about configuring external devices to redirect selected traffic to SCB.

Appendix J, Using SCP with agent-forwarding provides solutions for using scp with agent-forwarding.

Appendix L, Licenses includes the text of the Botan cryptographic library license.

Appendix M, END USER LICENSE AGREEMENT FOR BALABIT PRODUCT (EULA) includes the text of the End User License Agreement applicable to SCB products.

The Glossary provides definitions of important terms used in this guide.

2. Target audience and prerequisites

This guide is intended for auditors, consultants, and security experts responsible for securing, auditing, and monitoring server administration processes, especially remote server management. It is also useful for IT decision makers looking for a tool to improve the security and auditability of their servers, or to facilitate compliance to the Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Basel II, or the Payment Card Industry (PCI) standard.

The following skills and knowledge are necessary for a successful SCB administrator:

  • At least basic system administration knowledge.

  • An understanding of networks, TCP/IP protocols, and general network terminology.

  • Working knowledge of the UNIX or Linux operating system is not mandatory but highly useful.

  • In-depth knowledge of various server applications is required for forensics situations.

3. Products covered in this guide

This guide describes the use of the Balabit Shell Control Box version 4 F3.

4. Typographical conventions

Before you start using this guide, it is important to understand the terms and typographical conventions used in the documentation. For more information on specialized terms and abbreviations used in the documentation, see the Glossary at the end of this document.

The following kinds of text formatting and icons identify special information in the document.

Tip

Tips provide best practices and recommendations.

Note

Notes provide additional information on a topic, and emphasize important facts and considerations.

Warning

Warnings mark situations where loss of data or misconfiguration of the device is possible if the instructions are not obeyed.

Command

Commands you have to execute.

Emphasis

Reference items, additional readings.

/path/to/file

File names.

Parameters

Parameter and attribute names.

Label

GUI output messages or dialog labels.

Menu

A submenu or menu item in the menu bar.

Button

Buttons in dialog windows.

5. Contact and support information

This product is developed and maintained by Balabit-Europe. We are located in Budapest, Hungary. Our address is:

Balabit-Europe2 Alíz StreetH-1117BudapestHungaryTel: +36 1 398-6700Fax: +36 1 208-0875
         E-mail: 
         Web: http://www.balabit.com/
       

5.1. Sales contact

You can directly contact us with sales related topics at the e-mail address , or leave us your contact information and we call you back.

5.2. Support contact

To access the BalaBit Online Support System (BOSS), sign up for an account at the MyBalabit page and request access to the BalaBit Online Support System (BOSS). Online support is available 24 hours a day.

BOSS is available only for registered users with a valid support package.

Support e-mail address: .

Support hotline: +36 1 398 6700 (available from 9 AM to 5 PM CET on weekdays)

5.3. Training

Balabit-Europe holds courses on using its products for new and experienced users. For dates, details, and application forms, visit the http://www.balabit.com/support/trainings/ webpage.

6. About this document

This guide is a work-in-progress document with new versions appearing periodically.

The latest version of this document can be downloaded from the BalaBit website here.

6.1. Summary of changes

6.1.1. Version 4 F2 - 4 F3

Changes in product: 

Changes in documentation: 

6.1.2. Version 4 F1 - 4 F2

Changes in product: 

Changes in documentation: 

6.1.3. Version 4 LTS - 4 F1

Changes in product: 

Changes in documentation: 

6.2. Feedback

Any feedback is greatly appreciated, especially on what else this document should cover. General comments, errors found in the text, and any suggestions about how to improve the documentation is welcome at [email protected]

Chapter 1. Introduction

This chapter introduces the Balabit Shell Control Box (SCB) in a non-technical manner, discussing how and why is it useful, and what additional security it offers to an existing IT infrastructure.

1.1. What SCB is

SCB is a device that controls, monitors, and audits remote administrative access to servers. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server- and client applications do not have to be modified in order to use SCB — it integrates smoothly into the existing infrastructure.

SCB logs all administrative traffic (including configuration changes, executed commands, and so on) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown) the circumstances of the event are readily available in the audit trails, thus the cause of the incident can be easily identified. The recorded audit trails can be displayed like a movie – recreating all actions of the administrator. All audit trails can be indexed, enabling fast forwarding during replay, searching for events (for example mouse clicks, pressing the Enter key) and texts seen by the administrator. Reports and automatic searches can be configured as well. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, thus sensitive information like passwords are displayed only when necessary.

SCB has full control over the SSH, RDP, Telnet, TN3270, TN5250, Citrix ICA, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of SCB are the following:

  • Disable unwanted channels and features (for example TCP port forwarding, file transfer, VPN, and so on)

  • Enforce the use of the selected authentication methods (password, publickey, and so on)

  • Require outband authentication on the SCB gateway

  • Enforce four-eyes authorization with real-time monitoring and auditing capabilities

  • Audit the selected channels into encrypted and timestamped, and digitally signed audit trails

  • Retrieve group memberships of the user from an LDAP database

  • Verify the hostkeys and host certificates of the accessed servers

SCB is configured and managed from any modern web browser that supports HTTPS connections, JavaScript, and cookies.

1.2. What SCB is not

SCB is not a firewall. Although it uses advanced firewall technologies, it is an access controlling and auditing device focusing on server administration processes. Actually, it is a device that controls, monitors and audits remote administrative access to servers.

SCB monitors only the passing traffic of administrators accessing the servers remotely. Consequently, it cannot protect the server from local access, nor can it detect such events. If someone has access to a protected server from a local console, then anything he does is beyond the capabilities of SCB.

SCB can be used to control administrative access to the servers. In case of large server farms, it provides a simple way to change or restrict access policies, for example, to disable password-based authentication in SSH, control RDP channels, or to deny the account of an administrator, without having to modify the configuration of each server one-by-one. However, SCB does not and should not be used to replace the proper configuration of the servers, as perfunctory server configuration inevitably introduces security risk beyond the scope of SCB.

1.3. Why is SCB needed?

Server administration must be audited in order to record all important events about a server. However, — for security reasons — servers are almost exclusively administered using encrypted protocols, making system administration difficult to monitor and audit. To achieve reliable auditing, the data collection has to be transparent and independent from the client and the server. Otherwise, a skilled administrator (or attacker) could manipulate the logs to mask the traces of his actions or other events. SCB solves exactly these problems by transparently monitoring the encrypted channels used in administration and introducing a separate auditor layer to oversee system administrators.

The RDP (including VMware View), Citrix ICA, and VNC-auditing capabilities of SCB are beneficial to record and archive the actions performed on thin-client applications, and helpdesks.

Auditing SSH, Telnet, TN3270, and HTTP with SCB is useful to record and archive the administration of networking devices.

1.4. Who uses SCB?

SCB is useful for everyone who has a server and has to control and audit the activities of the administrators. In particular, SCB is invaluable for:

  • Policy compliance: Certain regulations — such as the Sarbanes-Oxley Act (SOX) or Basel II — require the financial director of an organization to certify that all financial data they provide to the authorities is accurate and has not been modified. Other industries have similar regulations (like the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry (PCI)) about protecting personal or credit card information. Such data is usually stored in a database on a central server, and is accessible only via dedicated applications, such as the accounting software. These applications always create the logs and reports necessary for policy compliance. However, these applications are aware only of legitimate accesses to the database. The server storing the database has to be accessible also by server administrators for maintenance reasons. Having superuser privileges on the server, these administrators have the possibility to directly access and manipulate the database, and also to erase the traces of such actions from the server logs. However, SCB can audit the actions of the administrators, complementing the logs and reports of other applications.

  • Organizations having outsourced IT: Many organizations hire external companies to configure, maintain, and oversee their servers and IT services. This essentially means that the organization is willing to trust the administrators of this external company with all their data (for example private and business e-mails, customer information, and so on), or even with business-critical services like the operation of their online shop. Obviously, in such situations it is reassuring to have an independent device that can reliably log all administrative activities. SCB does exactly this — it provides detailed information about any problems with the server, making it easy to find those responsible. Using the four-eyes authorization method, SCB provides real-time control over the remote server access and the administrative actions.

  • Organizations offering remote management: Organizations on the other end of the outsourcing line — like server- and webhosting companies — can equally benefit from SCB. It gives them the possibility to oversee and audit the administrators, and is also a great tool to evaluate their effectiveness. The recorded audit trails can also be used as evidence to settle any issues about the remotely administered servers. SCB also improves the control over Service Level Agreements (SLA), as the fulfillment of the services can be verified using the recorded audit trails and access reports.

  • Organizations using thin-client infrastructures: SCB can audit the channels used in popular thin-client solutions, providing an application-independent way to record and monitor the activities of every client.

  • Organizations in need to control SSH: Many organizations have to permit outgoing SSH connections, but do not wish to do so without control, as virtually any other protocol can be tunneled into SSH. SCB can control what type of traffic is permitted in an SSH connection, and can separately enable the different traffic types like terminal connections, SFTP file transfers, port- and X11 forwarding, or agent-forwarding.

  • Organizations using jump hosts: Many organizations use jump hosts to access remote servers or services. SCB can be used to authenticate and audit every access to the jump hosts. Since SCB supports strong authentication methods (for example, X.509 certification based authentication) and authentication to user directories (for example Microsoft Active Directory and other LDAP databases), it can greatly simplify the key and password management of the hosts. This is especially useful if an organization has to access very many remote hosts, or has lots of jump hosts.

Chapter 2. The concepts of SCB

This chapter discusses the technical concepts of SCB.

2.1. The philosophy of SCB

SCB is a device that examines Secure Shell (SSH, including forwarded X11 traffic), Secure Copy (SCP), SSH File Transfer Protocol (SFTP), Remote Desktop (RDP), HTTP, Independent Computing Architecture (Citrix ICA), Telnet, VMware View, and VNC connections, ignoring and simply forwarding all other type of traffic. SCB uses man-in-the-middle techniques to decrypt and terminate the inspected connections. It separates the connections into two parts (client — SCB, SCB — server) and inspects all traffic, so that no data can be directly transferred between the server and the client.

Note

SCB is built on application level technology, especially the SSH, RDP, and Telnet proxies of the Zorp Application Level Gateway. For more information on Zorp and this technology, visit BalaBit's website.

Figure 2.1. Inspecting SSH traffic with SCB

Inspecting SSH traffic with SCB

The traffic is inspected on the application level, that is Layer 7 or the application layer of the OSI model. All communication must conform to the standards of the respective protocol, SCB rejects all protocol violations and anomalies to protect the servers from attacks. That way the servers are protected even from unknown attacks exploiting vulnerabilities of the server applications.

SCB has full control over the initial negotiation phase of the connection, when the client and the server decide the parameters of the encryption to be used in the communication. SCB can restrict the use of the various algorithms, forbidding the use of weak ones — an effective shield against downgrade attacks.

Since SCB isolates the client-server connection into two separate connections, the permitted algorithms can be different on the client and the server side.

SCB controls the connections right from the beginning — including user authentication. That way it is easy to mandate strong authentication for protocols where user information is available (for example SSH), because SCB can limit the allowed authentication methods and also the users permitted to access the servers.

SCB uses various policies to restrict who, when, and how can access a connection or a specific channel of the protocol. These policies (based on username, authentication method used, and so on) can be applied to connections between particular clients and servers, or also to specific channels of a connection (for example only to terminal-sessions in SSH, or desktop-sharing in RDP).

Figure 2.2. Controlling protocol channels

Controlling protocol channels

SCB is configured by an administrator or auditor using a web browser.

2.2. Supported protocols and client applications

SCB supports the following protocols and clients. As a general rule, client applications not specifically tested but conforming to the relevant protocol standards should work with SCB.

HTTP: 

SCB supports the HTTP 1.0 and 1.1 standards.

Secure Shell Protocol: 

SCB supports only the SSHv2 protocol. The older and insecure v1 version is not supported.

Supported client and server applications:

  • OpenSSH (client and server)

    Client tested with version OpenSSH_6.6.1p1, and OpenSSL 1.0.1e-fips 11 Feb 2013.

    Server tested with version OpenSSH_7.1p2, and OpenSSL 1.0.2e-fips 3 Dec 2015.

  • OpenSSH (client and server) with X.509 patch

    Client and server tested with a weekly build of the latest available version.

  • Dropbear (client and server)

    Tested with version 2015.67.

  • SecureCRT (Windows, client)

    Tested with version 3.7.

  • PUTTY (client)

    Tested with version 0.65.

Remote Desktop Protocol: 

Supported Windows client applications:

The built-in applications of the Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows 10 platforms.

Supported Mac OS X client applications:

The Royal TSX client application, tested with Royal TSX 2.0 on Mac OS X Yosemite.

Supported server (target) applications:

The built-in applications of Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows 10 platforms.

Accessing Remote Desktop Services (RemoteApp programs) is also supported.

Note

Other Remote Desktop clients are not explicitly supported, but may be compatible with SCB. When using an alternative client application, note the following limitations:

  • The rdesktop application and other client applications (for example, JAVA clients) that build on the rdesktop codebase do not support RDP shadowing and Terminal Services Gateway connections.

  • The Remote Desktop Connection Client for Mac application does not support RDP shadowing.

ICA: 

SCB is certified for the following server versions:

  • XenApp 6.0 64-bit

  • XenApp 7.0

  • XenApp 6.5 on Windows 2008 R2

  • XenApp 7.1

  • XenApp 7.5

  • XenApp 7.6

  • XenDesktop 7.0

  • XenDesktop 7.1

  • XenDesktop 7.5

  • XenDesktop 7.6

For details on the deployment scenarios that support XenDesktop, see Section 9.4, SCB deployment scenarios in a Citrix environment.

For the list of supported clients, contact the Balabit Support Team.

Telnet: 

Telnet traffic must conform RFC 854, and to various extensions described in RFCs 856-861, 652-658, 698, 726-27, 732-736, 749, 779, 885, 927, 933, 1041, 1043, 1053, 1073, 1079, 1091, 1096-97, 1184, 1372, 1408, 1572, 2066, 2217, 2840, 2941, and 2946.

TN3270: Telnet 3270 terminal protocol.

TN5250: Telnet 5250 terminal protocol, as described in RFC2877.

Terminal Services Gateway Server Protocol: 

SCB can act as a Terminal Services Gateway and transfer the incoming connections to RDP connections.

Virtual Network Computing: 

VNC versions 3.3-3.8 are supported. Supported client and server applications: RealVNC, UltraVNC, TightVNC, KVM, Vino.

VMware View: 

VMware View Clients using the Remote Desktop (RDP) display protocol to access remote servers are supported. For details, see Chapter 13, VMware View connections.

2.3. Modes of operation

SCB can be configured to monitor both transparent and non-transparent connections.

It is recommended to design the network topology so that only management and server administration traffic passes SCB. This ensures that the services and applications running on the servers are accessible even in case SCB breaks down, so SCB cannot become a single point of failure.

2.3.1. Transparent mode

In transparent mode, SCB acts as a transparent router connecting the network segment of the administrators to the segment of the protected servers at the network layer (Layer 3 in the OSI model). All connections must pass SCB to reach the servers — SCB is a proxy gateway, completely separating the protected servers from the rest of the network. Controlled connections and traffic are inspected on the application level, while other types of connections are simply forwarded on the packet level.

SCB can also be configured to act as a single-interface transparent router. For details, see Section 2.3.2, Single-interface router mode.

Warning

Transparent mode does not support multicast traffic.

Figure 2.3. SCB in transparent mode

SCB in transparent mode

2.3.2. Single-interface router mode

Single-interface router mode is similar to transparent mode, but both the client-side and server-side traffic uses the same interface. An external device — typically a firewall or a router — is required that actively redirects the audited traffic to SCB. To accomplish this, the external device must support advanced routing (also called policy-based routing). For details on configuring an external devices to work operate with SCB in single-interface router mode, see Appendix I, Configuring external devices.

Figure 2.4. SCB in single-interface router mode

SCB in single-interface router mode

Advantages: 

The advantages of using the single-interface router mode are:

  • Totally transparent for the clients, no need to modify their configuration

  • The network topology is not changed

  • Only the audited traffic is routed to SCB, production traffic is not

Disadvantages: 

The disadvantages of using the single-interface router mode are:

  • SCB acts as a man-in-the-middle regarding the connection between the client and the target server. Instead of a single client-server connection, there are two separate connections: the first between the client and SCB, and a second between SCB and the server. Depending on how you configure SCB, the source IP in the SCB-server connection can be the IP address of SCB, or the IP address of the client. In the latter case — when operating in transparent mode (including single-interface router mode) — SCB performs IP spoofing. Consult the security policy of your organization to see if it permits IP spoofing on your network.

  • Traffic must be actively routed to SCB using an external device, consequently a network administrator can disable SCB by changing routing rules.

  • When adding a new port or subnet to the list of audited connections, the configuration of the external device must be modified as well.

2.3.3. Non-transparent mode

In non-transparent mode, SCB acts as a bastion host — administrators can address only SCB, the administered servers cannot be targeted directly. The firewall of the network has to be configured to ensure that only connections originating from SCB can access the servers. SCB determines which server to connect based on the parameters of the incoming connection (the IP address of the administrator and the target IP and port).

Non-transparent mode inherently ensures that only the controlled (management and server administration) traffic reaches SCB. Services and applications running on the servers are accessible even in case SCB breaks down, so SCB cannot become a single point of failure.

Tip

Non-transparent mode is useful if the general (not inspected) traffic is very high and could not be forwarded by SCB.

Note

In case there is a high number of target devices, do not use fix address rules in non-transparent mode. Consider using one of the dynamic configuration options, such as inband destination selection or transparent mode.

Figure 2.5. SCB in non-transparent mode

SCB in non-transparent mode

Non-transparent mode is often used together with inband destination selection. For details, see Section 2.3.4, Inband destination selection).

2.3.4. Inband destination selection

Inband destination selection allows you to create a single connection policy and allow users to access any server by including the name of the target server in their username (for example ssh [email protected]:[email protected]_address). SCB can extract the address from the username and direct the connection to the target server.

Figure 2.6. Inband destination selection

Inband destination selection

Since some client applications do not permit the @ and : characters in the username, therefore alternative characters can be used as well:

  • To separate the username and the target server, use the @ or % characters, for example: username%[email protected]_address

  • To separate the target server and the port number, use the :, +, or / characters, for example: username%[email protected]_address

You can use both IPv4 and IPv6 addresses with inband destination selection. For IPv6 addresses, add square brackets to separate the address and the port number:

[email protected][targetserver_ipv6]:[email protected][scb_address_ipv6]:port

Windows RDP clients often send only the first 9 characters of the username to the server, making inband destination selection difficult. When using the RDP4 or RDP5 protocols, it is not necessary to include the username when starting an RDP connection (for example use only @server); the user can type the username later in the graphical login screen. However, the username must be specified for RDP6 connections.

You can find examples of using inband destination selection in Section 22.3, Using inband destination selection in SSH connections.

2.4. Connecting to a server through SCB

When a client initiates a connection to a server, SCB performs a procedure similar to the ones detailed below. The exact procedure depends on the protocol used in the connection.

2.4.1. Procedure – Connecting to a server through SCB using SSH

Purpose: 

This procedure illustrates what happens when a client connects a server through SCB and how the different configuration options and policies of SCB affect this process. Note that this procedure does not cover the scenarios when inband destination selection or inband gateway authentication is used.

Steps: 

  1. The client tries to connect the server. SCB receives the connection request and establishes the TCP connection with the client.

  2. SCB examines the connection request: it checks the IP address of the client and the IP address and port number of the intended destination server. If these parameters of the request match with a connection policy configured on SCB, SCB inspects the connection in detail. Other connections are ignored by SCB; they are simply forwarded on the packet level.

    The selected connection policy determines all settings and parameters of the connection.

    Note

    SCB compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection.

    For details, see Procedure 7.1, Configuring connections.

  3. SCB selects the destination server based on the Target parameter of the connection policy. Network address translation of the target address can be performed at this step. For details, see Procedure 7.2, Modifying the destination address.

  4. SCB selects the source address used in the server-side connection based on the SNAT parameter of the connection policy. For details, see Procedure 7.4, Modifying the source address.

  5. SCB establishes the TCP connection to the server.

  6. If a Ticketing policy is set in the Connection policy, SCB displays a prompt to the user. The connection will be accepted only if the user enters a valid ticket ID, that SCB verifies in the issue tracking system of your company. For details, see Section 18.5, Integrating ticketing systems.

  7. The client authenticates itself using an authentication method permitted by the Authentication policy set in the Connection policy. Different connections can use different authentication policies, thus allow different authentication methods. The Authentication policy also restricts which users can connect the server if public-key authentication is used. SCB can authenticate the user to a Local User Database, or to a remote LDAP (for example, Microsoft Active Directory) or RADIUS server. The username used in this authentication step is referred to as the Gateway username and is used to determine the Gateway group memberships of the user. For details, see Section 11.3, Authentication Policies.

  8. If the Gateway authentication option is set in the Connection policy, SCB pauses the connection until the user completes a gateway authentication on the SCB web interface. This is an outband authentication, since it is performed in an independent connection. For details, see Procedure 2.8, The gateway authentication process.

  9. If the Usermapping policy option is set in the Connection policy, SCB checks if the Usermapping policy permits the users of the gateway group to access the username used in the server-side connection (the remote username, for example, root).

  10. Before establishing the server-side connection, SCB can evaluate the channel policy to determine if the connection might be permitted at all, for example, it is not denied by a Time policy. SCB performs this check if the SSH Control > Settings > Enable pre channel check option is enabled. For details, see Procedure 11.5, Creating and editing protocol-level SSH settings.

    For the SSH protocol, SCB checks the From (client address), Gateway group, and Time policy restrictions set in the Channel policy of the Connection policy.

  11. Server-side connection. 

    1. SCB establishes the TCP connection to the server.

    2. SCB negotiates the protocol parameters of the connection (for example SSH encryption parameters) according to the SSH Control > Settings of the connection policy.

    3. SCB displays an SSH hostkey to the client. This hostkey is either generated on SCB, or it is the hostkey of the server (if it is available on SCB). The connection policy determines the hostkey shown to the client.

      Warning

      If the SSH Settings of the connection enable only RSA keys in the connection, the RSA key shown to the client must be set in the connection policy. Similarly, if only DSA keys are permitted, the DSA key must be set.

    4. SCB verifies the hostkey or the certificate of the server according to the Server side hostkey setting option of the Connection policy (in general, you can manage the server hostkeys on the SSH Control > Server Host Keys page). If the server has not been contacted before, SCB can accept and store the hostkey of the server. Alternatively, the hostkey of the server can be manually uploaded to SCB. For details, see Section 11.4, Server host keys and certificates.

  12. SCB performs the authentication on the server, using the data received from:

  13. SCB authorizes the connection based on the Channel policy. It checks:

    • If the Channel policy includes a User List restriction for the Gateway group or Remote group, SCB checks if the user can access the server. If needed, SCB connects the LDAP servers set in the LDAP Servers policy to resolve the group memberships of the user. For details, see Procedure 7.8, Creating and editing user lists.

    • SCB consults the Time policy assigned to the channel policy. Channels may be opened only within the allowed period.

      Tip

      Time policies are a good way to ensure that the server can be accessed only within the specified timeframe.

  14. Both the server and the client side connections have been established. From this step, the client can try to open any type and any number of channels in the connection.

  15. If 4-eyes authorization is set in the Channel policy, the SSH session of the client is paused until the authorizer permits the client to connect to the server. Who can authorize the session depends on the Access Control settings of the Connection policy. For details, see Procedure 2.9, Four-eyes authorization.

  16. The client starts to work on the server. Information about the connection is now available on the Search > Search page.

    If the user opens another channel within the same connection, SCB consults the Channel policy of the connection to see if the channel is permitted, and processes it accordingly.

  17. Post-processing the connection. 

    1. After the client closes the connection, or it is terminated for some reason (for example, it times out, or a Content policy or a 4-eyes auditor terminates it), SCB indexes the contents of the audit trail (if the Audit option of the Channel policy, and the Enable indexing option of the Connection policy are enabled).

    2. SCB creates a backup of the data and the audit trail of the connection, and archives it to a remote server, if a Backup policy and an Archive policy is set in the Connection policy.

    3. When the Channel database cleanup period expires, SCB deletes all data about the connection from its database.

2.4.2. Procedure – Connecting to a server through SCB using RDP

Purpose: 

This procedure illustrates what happens when a client connects a server through SCB and how the different configuration options and policies of SCB affect this process.

Steps: 

  1. The client tries to connect the server. SCB receives the connection request and establishes the TCP connection with the client.

  2. SCB examines the connection request: it checks the IP address of the client and the IP address and port number of the intended destination server. If these parameters of the request match with a connection policy configured on SCB, SCB inspects the connection in detail. Other connections are ignored by SCB; they are simply forwarded on the packet level.

    The selected connection policy determines all settings and parameters of the connection.

    Note

    SCB compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection.

    For details, see Procedure 7.1, Configuring connections.

  3. SCB selects the destination server based on the Target parameter of the connection policy. Network address translation of the target address can be performed at this step. For details, see Procedure 7.2, Modifying the destination address.

  4. SCB selects the source address used in the server-side connection based on the SNAT parameter of the connection policy. For details, see Procedure 7.4, Modifying the source address.

  5. SCB checks if the client uses a version of the RDP protocol that is enabled in the Protocol settings of the Connection policy. Depending on the protocol version, different encryption is used in the connection, and different parameters are required in the Connection policy.

  6. Before establishing the server-side connection, SCB can evaluate the channel policy to determine if the connection might be permitted at all, for example, it is not denied by a Time policy. SCB performs this check if the RDP Control > Settings > Enable pre channel check option is enabled. For details, see Procedure 10.2, Creating and editing protocol-level RDP settings.

  7. Server-side connection. 

    1. SCB establishes the TCP connection to the server.

    2. SCB checks the protocol parameters of the connection (for example, the version of the RDP protocol used ) according to the Protocol settings of the Connection policy. The RDP handshake is performed simultaneously on the server- and the client-side.

  8. The server opens a Drawing channel for the user to perform authentication.

  9. SCB authorizes the connection based on the Channel policy. It checks:

    • If the Channel policy includes a User List restriction for the Gateway group or Remote group, SCB checks if the user can access the server. If needed, SCB connects the LDAP servers set in the LDAP Servers policy to resolve the group memberships of the user. For details, see Procedure 7.8, Creating and editing user lists.

    • SCB consults the Time policy assigned to the channel policy. Channels may be opened only within the allowed period.

      Tip

      Time policies are a good way to ensure that the server can be accessed only within the specified timeframe.

  10. If the Gateway authentication option is set in the Connection policy, SCB pauses the connection until the user completes a gateway authentication on the SCB web interface. This is an outband authentication, since it is performed in an independent connection. For details, see Procedure 2.8, The gateway authentication process.

  11. SCB performs the authentication on the server, using the data received from:

  12. SCB establishes the server-side connection and authenticates the client on the server. If the authentication fails for any reason, SCB terminates the client-side connection as well. This is required to verify the username of the client when it attempts to access the server again.

  13. If 4-eyes authorization is set in the Channel policy, the SSH session of the client is paused until the authorizer permits the client to connect to the server. Who can authorize the session depends on the Access Control settings of the Connection policy. For details, see Procedure 2.9, Four-eyes authorization.

  14. The client starts to work on the server. Information about the connection is now available on the Search > Search page.

    If the user opens another channel within the same connection, SCB consults the Channel policy of the connection to see if the channel is permitted, and processes it accordingly.

  15. Post-processing the connection. 

    1. After the client closes the connection, or it is terminated for some reason (for example, it times out, or a Content policy or a 4-eyes auditor terminates it), SCB indexes the contents of the audit trail (if the Audit option of the Channel policy, and the Enable indexing option of the Connection policy are enabled).

    2. SCB creates a backup of the data and the audit trail of the connection, and archives it to a remote server, if a Backup policy and an Archive policy is set in the Connection policy.

    3. When the Channel database cleanup period expires, SCB deletes all data about the connection from its database.

2.4.3. Procedure – Connecting to a server through SCB using a RD Gateway

Purpose: 

This procedure illustrates what happens when a client connects a server through SCB using a Terminal Services Gateway (also called Remote Desktop Gateway or RD Gateway), and how the different configuration options and policies of SCB affect this process. For details on the configuration process, see Procedure 10.6, Using SCB as a Terminal Services Gateway.

Steps: 

  1. The client connects to port 443 of the Terminal Services Gateway configured in the Remote Desktop software. The address of the Terminal Services Gateway is an alias IP address of SCB. To process the connection request, SCB must have a Connection policy that is configured to handle RDP connection requests on the alias IP, and that has the Act as a TS gateway option enabled.

  2. The client authenticates on Terminal Services Gateway (that is, on SCB). Technically, this is an inband gateway authentication on the Domain Controller of SCB's domain (SCB must be the member of a domain, for details, see Procedure 10.3.1, Network Level Authentication (NLA) with domain membership). The username used in this authentication step is referred to as the Gateway username and is used to determine the Gateway group memberships of the user.

  3. The client tries to connect the server. From this point, this connection is processed as described in Procedure 2.4.2, Connecting to a server through SCB using RDP.

2.5. IPv6 in SCB

SCB supports IPv6 for monitoring connections only. You can define both IPv4 and IPv6 addresses for its logical network interfaces, and configure connections between IPv4 and IPv6 networks (for example, from a client with an IPv4 address to a target with an IPv6 address). You can also use IPv6 addresses with inband destination selection.

Note

IPv6 support in ICA connections is currently experimental only.

When configuring IPv6 addresses, SCB shortens the address to its canonical form (omitting leading zeroes, and replacing consecutive sections of zeroes with a double colon). Take the following address as example:

2001:0db8:0000:0000:0000:ff00:0042:8329

SCB shortens the address to its canonical form:

[2001:db8::ff00:42:8329]

Additionally, where the IP address and the port is displayed together, IPv6 addresses are shown between brackets. For example, the same address with a port number of 443 is displayed as:

[2001:db8::ff00:42:8329]:443

You can search for both the initial (full) and the canonical form on the SCB Search page. For searches performed using the RPC API, you have to use the canonical form.

To provide the network range for IPv6 addresses, use network prefixes. Pay attention to the differences between IPv4 and IPv6 network ranges: for IPv4, you can limit the address range to a single address with a prefix of /32, but to achieve the same on an IPv6 network you have to use set the prefix to /128.

2.6. SSH hostkeys

The SSH communication authenticates the remote SSH server using public-key cryptography, either using plain hostkeys, or X.509 certificates. Client authentication can also use public-key cryptography. The identity of the remote server can be verified by inspecting its hostkey or certificate. When trying to connect a server via SCB, the client sees a hostkey (or certificate) shown by SCB. This key is either the hostkey of SCB, or the original hostkey of the server, provided that the private key of the server has been uploaded to SCB. In the latter case the client will not notice any difference and have no knowledge that he is not communicating directly with the server, but with SCB.

2.7. Authenticating clients using public-key authentication in SSH

Public-key authentication requires a private and a public key (or an X.509 certificate) to be available on SCB. First, the public key of the user is needed to verify the user's identity in the client-side SSH connection: the key presented by the client is compared to the one stored on SCB. SCB uses a private key to authenticate itself to the sever in the server-side connection. SCB can use the private key of the user if it is uploaded to SCB. Alternatively, SCB can generate a new keypair, and use its private key for the server-side authentication, or use agent-forwarding, and authenticate the client with its own key.

Warning

If SCB generates the private key for the server-side authentication, then the public part of the keypair must be imported to the server; otherwise the authentication will fail. Alternatively, SCB can upload the public key (or a generated X.509 certificate) into an LDAP database.

2.8. Procedure – The gateway authentication process

Purpose: 

When gateway authentication is required for a connection, the user must authenticate on SCB as well. This additional authentication can be performed on the SCB web interface, so it provides a protocol-independent, outband authentication method. That way the connections can be authenticated to the central authentication database (for example LDAP or RADIUS), even if the protocol itself does not support authentication databases. Also, connections using general usernames (for example root, Administrator, and so on) can be connected to real user accounts.

Note

For SSH and RDP connections, gateway authentication can be performed also inband, without having to access the SCB web interface.

Figure 2.7. Gateway authentication

Gateway authentication

Technically, the process of gateway authentication is the following:

Steps: 

  1. The user initiates a connection from a client.

  2. If gateway authentication is required for the connection, SCB pauses the connection.

  3. The user logs in to the SCB web interface, selects the connection from the list of paused connections, and enables it. It is possible to require that the authenticated session and the web session originate from the same client IP address.

  4. The user performs the authentication on the server.

    Note

    Gateway authentication can be used together with other advanced authentication and authorization techniques like four-eyes authorization, client- and server-side authentication, and so on.

2.9. Procedure – Four-eyes authorization

Purpose: 

When four-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This authorization is in addition to any authentication or group membership requirements needed for the user to access the remote server. Any connection can use four-eyes authorization, so it provides a protocol-independent, outband authorization and monitoring method.

The authorizer has the possibility to terminate the connection any time, and also to monitor real-time the events of the authorized connections: SCB can stream the traffic to the Audit Player application, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like watching a movie.

Note

The auditor can only see the events if the required decryption keys are available on the host running the Audit Player application.

Figure 2.8. Four-eyes authorization

Four-eyes authorization

Technically, the process of four-eyes authorization is the following:

Steps: 

Note

Four-eyes authorization can be used together with other advanced authentication and authorization techniques like gateway authentication , client- and server-side authentication, and so on.

  1. The user initiates a connection from a client.

  2. If four-eyes authorization is required for the connection, SCB pauses the connection.

  3. The authorizer logs in to the SCB web interface, selects the connection from the list of paused connections, and enables it.

  4. The user performs the authentication on the server.

  5. The auditor (who can be the authorizer, but is it possible to separate the roles) watches the actions of the user real-time.

2.10. Network interfaces

The SCB hardware has five network interfaces: three physical interfaces for handling traffic, the HA interface for communicating with other nodes in a High Availability cluster, and the IPMI interface. For details on hardware installation, see Appendix B, Balabit Shell Control Box Hardware Installation Guide.

You can assign any number of logical interfaces (alias IP addresses and netmasks) to a physical interface, and each logical interface can have its own VLAN ID. For more information on managing logical interfaces, see Procedure 4.3.2, Managing logical interfaces.

The routing rules determine which interface is used for transferring remote backups and syslog messages of SCB.

Tip

It is recommended to direct backups, syslog and SNMP messages, and e-mail alerts to a dedicated interface. For details, see Procedure 4.3.4, Configuring the routing table.

The HA interface is an interface reserved for communication between the nodes of SCB clusters. The HA interface uses the Ethernet connector labeled as 4 (or HA). For details on high availability, see Section 2.11, High Availability support in SCB.

The Intelligent Platform Management Interface (IPMI) interface allows system administrators to monitor system health and to manage SCB events remotely. IPMI operates independently of the operating system of SCB.

2.11. High Availability support in SCB

High availability clusters can stretch across long distances, such as nodes across buildings, cities or even continents. The goal of HA clusters is to support enterprise business continuity by providing location-independent load balancing and failover.

In high availability (HA) mode two SCB units (called master and slave nodes) having identical configuration are operating simultaneously. The master shares all data with the slave node, and if the master node stops functioning, the other one becomes immediately active, so the servers are continuously accessible.

You can find more information on managing a high availability SCB cluster in Section 6.2, Managing a high availability SCB cluster.

Balabit recommends using high availability SCB clusters instead of a standalone SCB appliance. A standalone SCB appliance can become a single point of failure (SPOF), and its failure can severely impact your business.

2.12. Firmware in SCB

The SCB firmware is separated into two parts: an external and an internal firmware.

  • The external firmware (also called boot firmware) boots up SCB, provides the high availability support, and starts the internal firmware. The external firmware changes very rarely.

  • The internal firmware (also called core firmware) handles everything else: provides the web interface, manages the connections, and so on. The internal firmware is updated regularly as new features are added to SCB.

The firmwares can be updated jointly from the web interface, using the latest SCB firmware ISO. For details, see Section 6.3, Upgrading SCB.

2.12.1. Firmwares and high availability

When powering on the SCB nodes in high availability mode, both nodes boot and start the boot firmware. The boot firmwares then determine which unit is the master: the core firmware is started only on the master node.

Upgrading the SCB firmware via the web interface automatically upgrades the firmware on both nodes.

2.13. Versions and releases of SCB

As of June 2011, the following release policy applies to Balabit Shell Control Box:

  • Long Term Supported or LTS releases (for example, SCB 4 LTS) are supported for 3 years after their original publication date and for 1 year after the next LTS release is published (whichever date is later). The second digit of the revisions of such releases is 0 (for example, SCB 4.0.1). Maintenance releases to LTS releases contain only bugfixes and security updates.

  • Feature releases (for example, SCB 4 F1) are supported for 6 months after their original publication date and for 2 months after succeeding Feature or LTS Release is published (whichever date is later). Feature releases contain enhancements and new features, presumably 1-3 new features per release. Only the last feature release is supported (for example, when a new feature release comes out, the last one becomes unsupported within 2 months).

For a full description on stable and feature releases, see Version Policy.

Warning

Downgrading from a feature release is not supported. If you upgrade from an LTS release (for example, 4.0) to a feature release (4.1), you have to keep upgrading with each new feature release until the next LTS version (in this case, 5.0) is published.

2.14. Accessing and configuring SCB

SCB has a web interface and is configured from a browser. The users of SCB can be authenticated using local, LDAP, or RADIUS databases. The privileges of the users are determined by group memberships; this can be managed either locally on SCB, or centrally in an LDAP database. Assigning privileges to groups is based on ACLs. It is also possible to match groups existing in the LDAP database to a set of SCB privileges. The access control in SCB is very detailed, it is possible to define exactly who can access which parts of the interface and of the stored data.

Figure 2.9. Authenticating the users of SCB

Authenticating the users of SCB

2.15. Licenses

The SCB license determines the number of servers (IP addresses) that SCB protects, that is, it limits the number of IP addresses that SCB can connect to.

  • Balabit Shell Control Box T1: Software license to audit 10 servers, can be expanded up to 500 servers.

  • Balabit Shell Control Box T4: Software license to audit 10 servers, can be expanded up to 5000 servers.

  • Balabit Shell Control Box T10: Software license to audit 100 servers, can be expanded up to unlimited servers.

  • Balabit Shell Control Box VA: Software license to audit 10 servers, can be expanded up to unlimited servers. For virtual appliances, you can buy an annual subscription-based license.

Contact Balabit or your local distributor for details. For details on installing a new license, see Procedure 6.4.1, Updating the SCB license.

Chapter 3. The Welcome Wizard and the first login

This chapter describes the initial steps of configuring SCB. Before completing the steps below, unpack, assemble, and power on the hardware. Connect interface 1 (labelled 1 or EXT) to the local network, or directly to the computer from which SCB will be configured.

Note

For details on unpacking and assembling the hardware, see Appendix B, Balabit Shell Control Box Hardware Installation Guide. For details on how to create a high availability SCB cluster, see Procedure B.2, Installing two SCB units in HA mode.

3.1. The initial connection to SCB

SCB can be connected from a client machine using any modern web browser.

Note

For details on supported browsers, see Section 4.1, Supported web browsers and operating systems

SCB can be accessed from the local network. Starting with version 3.1 , SCB attempts to receive an IP address automatically via DHCP. If it fails to obtain an automatic IP address, it starts listening for HTTPS connections on the 192.168.1.1 IP address. Note that certain switch configurations and security settings can interfere with SCB receiving an IP address via DHCP. SCB accepts connections via its interface 1 (labelled 1 or EXT). For details on the network interfaces, see Section 2.10, Network interfaces).

Tip

The SCB console displays the IP address on which interface 1 is listening.

If SCB is listening on the 192.168.1.1 address, note that the 192.168.1.0/24 subnet must be accessible from the client. If the client machine is in a different subnet (for example, its IP address is 192.168.10.X), but in the same network segment, the easiest way is to assign an alias IP address to the client machine. Creating an alias IP on the client machine virtually puts both the client and SCB into the same subnet, so that they can communicate. To create an alias IP complete the following steps.

Warning

The Welcome Wizard can be accessed only using interface 1, as the other network interfaces are not configured yet.

3.1.1. Procedure – Creating an alias IP address (Microsoft Windows)

Purpose: 

This procedure describes how to assign an alias IP address to a network interface on Microsoft Windows platforms.

Steps: 

  1. Navigate to Start menu > Settings > Network Connections.

    Figure 3.1. 


  2. Double click on the Local Area Connection and then click Properties.

    Figure 3.2. 


  3. Select the Internet Protocol (TCP/IP) component in the list and click Properties.

    Figure 3.3. 


  4. To display the Advanced TCP/IP Settings window, click Advanced.

    Figure 3.4. 


  5. Select the IP Settings tab and in the IP Addresses section, click Add.

    Figure 3.5. 


  6. Into the IP Address field, enter 192.168.1.2. Into the Netmask field, enter 255.255.255.0.

    Warning

    If your internal network uses the 192.168.1.0/24 IP range, the 192.168.1.1 and 192.168.1.2 addresses might already be in use. In this case, disconnect SCB from the network, and connect directly a computer to interface 1 (labelled 1 or EXT) using a standard cross-link cable.

  7. To complete the procedure, click Add .

3.1.2. Procedure – Creating an alias IP address (Linux)

Purpose: 

This procedure describes how to assign an alias IP address to a network interface on Linux platforms.

Steps: 

  1. Start a terminal console (for example, gnome-terminal, konsole, xterm, and so on).

  2. Issue the following command as root:

    ifconfig <ethX>:0 192.168.1.2

    where <ethX> is the ID of the network interface of the client, usually eth0 or eth1.

  3. Issue the ifconfig command. The <ethX>:0 interface appears in the output, having inet addr:192.168.1.2 .

  4. Issue the ping -c 3 192.168.1.1 command to verify that SCB is accessible. A similar result is displayed:

    [email protected]:~$ ping -c 3 192.168.1.1
    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp-seq=1 ttl=63 time=0.357 ms
    64 bytes from 192.168.1.1: icmp-seq=2 ttl=63 time=0.306 ms
    64 bytes from 192.168.1.1: icmp-seq=3 ttl=63 time=0.314 ms
    
    --- 192.168.1.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2013ms
    rtt min/avg/max/mdev = 0.306/0.325/0.357/0.030 ms

Open the page https://192.168.1.1 from your browser and accept the certificate shown. The Welcome Wizard of SCB appears.

3.1.3. Procedure – Modifying the IP address of SCB

Purpose: 

To configure SCB to listen for connections on a custom IP address, complete the following steps.

Warning

Use this procedure only before the initial configuration of SCB, that is, before completing the Welcome Wizard. For details on changing the IP address or other network settings of a configured SCB system, see Section 4.3, Network settings.

Steps: 

  1. Access SCB from the local console, and log in with username root and password default.

  2. In the Console Menu, select Shells > Core shell.

  3. Change the IP address of SCB:

    ifconfig eth0 <IP-address> netmask 255.255.255.0

    Replace <IP-address> with an IPv4 address suitable for your environment.

  4. Set the default gateway using the following command:

    route add default gw <IP-of-default-gateway>

    Replace <IP-of-default-gateway> with the IP address of the default gateway.

  5. Type exit, then select Logout from the Console Menu.

  6. Open the page https://<IP-address-you-set-for-SCB> from your browser and accept the certificate shown. The Welcome Wizard of SCB appears.

3.2. Procedure – Configuring SCB with the Welcome Wizard

Purpose: 

The Welcome Wizard guides you through the basic configuration steps of SCB. All parameters can be modified before the last step by using the Back button of the wizard, or later via the web interface of SCB.

Steps: 

  1. Open the https://<IP-address-of-SCB-interface> page in your browser and accept the displayed certificate. The Welcome Wizard of SCB appears.

    Tip

    The SCB console displays the IP address the interface is listening on. SCB either receives an IP address automatically via DHCP, or if a DHCP server is not available, listens on the 192.168.1.1 IP address.

  2. When configuring SCB for the first time, click Next.

    Figure 3.6. The Welcome Wizard

    The Welcome Wizard

    You can import an existing configuration from a backup file. Use this feature to restore a backup configuration after a recovery, or to migrate an existing SCB configuration to a new device.

    Warning

    Do not export or import configuration between a physical SCB deployment and a virtual one. Because of the differences and limitations between physical and virtual appliances, configure the virtual appliance from scratch to ensure proper functionality. When you migrate a virtual SCB to another one, you can export and import the configuration.

    1. Click Browse and select the configuration file to import.

      Note

      It is not possible to directly import a GPG-encrypted configuration into SCB, it has to be decrypted locally first.

    2. Enter the passphrase used when the configuration was exported into the Encryption passphrase field.

      For details on restoring configuration from a configuration backup, see Procedure 23.9, Restoring SCB configuration and data

    3. Click Import.

      Warning

      If you use the Import function to copy a configuration from one SCB to another, do not forget to configure the IP addresses of the second SCB. Having two devices with identical IP addresses on the same network leads to errors.

  3. Accept the End User License Agreement and install the SCB license

    Figure 3.7. The EULA and the license key

    The EULA and the license key

    1. Read the End User License Agreement and select Accept. The License Agreement covers both the traditional license, and subscription-based licensing as well. Clicking Accept means that you accept the agreement that corresponds to the license you purchased (for details on subscription-based licensing, see Section 2.15, Licenses). After the installation is complete, you can read the End User License Agreement at Basic Settings > System > License.

    2. Click Browse, select the SCB license file received with SCB, then click Upload.

      Note

      It is not required to manually decompress the license file. Compressed licenses (for example .zip archives) can also be uploaded.

    3. Click Next.

  4. Configure networking. All settings can be modified later using the web interface of SCB.

    Figure 3.8. Initial networking configuration

    Initial networking configuration

    1. Physical interface EXT or 1 — IP address: The IP address of interface 1 (or EXT, for older hardware) of SCB (for example, 192.168.1.1). The IP address can be chosen from the range of the corresponding physical subnet. Clients will connect to this interface, therefore it must be accessible to them.

      Use an IPv4 address.

      Note

      Do not use IP addresses that fall into the following ranges:

      • 1.2.0.0/16 (reserved for communication between SCB cluster nodes)

      • 127.0.0.0/8 (localhost IP addresses)

    2. Physical interface EXT or 1 — Prefix: The IP prefix of the given range. For example, general class C networks have the /24 prefix.

    3. Physical interface EXT or 1 — VLAN ID: The VLAN ID of interface 1 (or EXT). Optional.

    4. Default GW: IP address of the default gateway.

      Use an IPv4 address.

    5. Hostname: Name of the machine running SCB (for example, SCB).

    6. Domainname: Name of the domain used on the network.

    7. DNS server: The IP address of the name server used for domain name resolution.

      Use an IPv4 address.

    8. NTP server: The IP address or the hostname of the NTP server.

      Use an IPv4 address.

    9. Syslog server: The IP address or the hostname of the syslog server.

      Use an IPv4 address.

    10. SMTP server: The IP address or the hostname of the SMTP server used to deliver e-mails.

      Use an IPv4 address.

    11. Administrator's email: E-mail address of the SCB administrator.

    12. Timezone: The timezone where the SCB is located.

    13. HA address: The IP address of the high availability (HA) interface. Leave this field on auto unless specifically requested by the support team.

    14. Click Next.

  5. Enter the passwords used to access SCB.

    Figure 3.9. Passwords

    Passwords

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

    1. Admin password: The password of the admin user who can access the web interface of SCB.

    2. Root password: The password of the root user, required to access SCB via SSH or from the local console.

      Note

      Accessing SCB using SSH is rarely needed, and recommended only for advanced users for troubleshooting situations.

    3. If you want to prevent users from accessing SCB remotely via SSH or changing the root password of SCB, select the Seal the box checkbox. Sealed mode can be activated later from the web interface as well. For details, see Section 6.6, Sealed mode.

    4. Click Next.

  6. Upload or create a certificate for the SCB web interface. This SSL certificate will be displayed by SCB to authenticate administrative HTTPS connections to the web interface.

    Figure 3.10. Creating a certificate for SCB

    Creating a certificate for SCB

    To create a self-signed certificate, fill the fields of the Generate new self-signed certificate section and click Generate. The certificate will be self-signed by the SCB appliance; the hostname of SCB will be used as the issuer and common name.

    1. Country: Select the country where SCB is located (for example, HU-Hungary).

    2. Locality: The city where SCB is located (for example, Budapest).

    3. Organization: The company who owns SCB (for example, Example Inc.).

    4. Organization unit: The division of the company who owns SCB (for example, IT Security Department).

    5. State or Province: The state or province where SCB is located.

    6. Click Generate.

    If you want to use a certificate that is signed by an external Certificate Authority, in the Server X.509 certificate field, click to upload the certificate.

    Figure 3.11. Uploading a certificate for SCB

    Uploading a certificate for SCB

    Then in the Server private key field click , upload the private key, and enter the password protecting the private key.

    Figure 3.12. Uploading a private key

    Uploading a private key

    Note

    SCB accepts private keys in PEM (RSA and DSA), and PUTTY format. Password-protected private keys are also supported.

    Balabit recommends using 2048-bit RSA keys (or stronger).

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  7. Review the data entered in the previous steps. This page also displays the certificate generated in the last step; the RSA SSH key of SCB, and information about the license file.

    Figure 3.13. Review configuration data

    Review configuration data

    If all information is correct, click Finish.

    Warning

    The configuration takes effect immediately after clicking Finish. Incorrect network configuration data can render SCB unaccessible.

    SCB is now accessible from the regular web interface via the IP address of interface 1 (or EXT).

  8. Your browser is automatically redirected to the IP address set for interface 1 (or EXT) of SCB, where you can login to the web interface of SCB using the admin username and the password you set for this user in the Welcome Wizard.

3.3. Procedure – Logging in to SCB and configuring the first connection

Purpose: 

After finishing the initial configuration of SCB using the Welcome Wizard, connections must be configured between the clients and the servers. SCB inspects only the connections that are configured from the web interface; all other connections are forwarded without any inspection. The procedure below describes how to enable a simple SSH terminal or a Remote Desktop session over a transparent and a non-transparent connection.

Steps: 

  1. Login to SCB's web interface.

    Figure 3.14. The first login

    The first login

    1. Open the https://IP-address-of-interface-1/ page from your browser to access the web interface of SCB. Replace the IP-address-of-the-interface-1 string with the IP set for interface 1 in Configuring interface 1 of the Welcome Wizard (for example, 192.168.1.1).

    2. The certificate created in Creating the web interface certificate of the Welcome Wizard is displayed. Accept it.

    3. Login to the SCB web interface using the displayed login screen.

      • Enter admin into the Login field.

      • Enter the password set in Setting the administrator password for the admin user into the Password field.

      • Click Login. The main page of the SCB administration interface is displayed.

  2. Configure a new transparent connection.

      • To configure an SSH connection, select SSH Control > Connections from the Main Menu. Only terminal sessions will be permitted.

      • To configure an RDP connection, click on the RDP Control > Connections from the Main Menu. Only basic Remote Desktop sessions will be permitted (no file-sharing).

    1. Click on the icon on the right to create a new connection.

    2. Enter a name into the Name field that will identify the connection (for example, admin-server-transparent).

      Tip

      It is recommended to use descriptive names that give information about the connection: refer to the name of the accessible server, the allowed users, and so on.

    3. Enter the IP addresses defining the connection:

      Figure 3.15. Configuring an SSH connection in transparent mode

      Configuring an SSH connection in transparent mode

      • Enter the IP address of the client that will be permitted to access the server into the From field.

        You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

      • Enter the IP address of the server into the To field.

        You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

      • Enter the port number where the server is accepting connections into the Port field.

    4. Select Enable indexing.

    5. Click .

      This connection allows any user from the client machine to connect to the specified server, but permits only terminal sessions — other SSH channels like TCP forwarding are disabled.

  3. Configure a new non-transparent connection.

      • To configure an SSH connection, select SSH Control > Connections from the Main Menu. Only terminal sessions will be permitted.

      • To configure an RDP connection, click on the RDP Control > Connections from the Main Menu. Only basic Remote Desktop sessions will be permitted (that is, no clipboard or file-sharing).

    1. Click on the icon on the right to create a new connection.

    2. Enter a name into the Name field that will identify the connection (for example, admin-server-nontransparent).

      Tip

      It is recommended to use descriptive names that give information about the connection: refer to the name of the accessible server, the allowed users, and so on.

    3. Enter the IP addresses defining the connection:

      Figure 3.16. Configuring an SSH connection in non-transparent mode

      Configuring an SSH connection in non-transparent mode

      • Enter the IP address of the client that will be permitted to access the server into the From field.

        You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

      • Enter the IP address of SCB's physical interface 1 into the To field.

        You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

      • Enter a port number into the Port field.

      • Enter the IP address of the server into the Use fix address field of the Target section.

        You can use an IPv4 or an IPv6 address.

      • Enter the port number where the server is accepting connections into the Port field of the Target section.

    4. Select Enable indexing.

    5. Click .

      This connection allows any user from the client machine to connect to the specified server, but permits only terminal sessions — other SSH channels like TCP forwarding are disabled.

  4. Test the new configuration: try to initiate an SSH or and RDP connection from the client to the server.

  5. After successfully connecting to the server, do something in the connection, for example, execute a simple command in SSH (for example, ls /tmp), or launch an application in RDP (for example, the Windows Explorer), then disconnect from the server.

  6. Navigate to Search > Search on the SCB web interface. Your sessions are displayed in the list of connections. Note that for the transparent connection, the client addresses the target server, while the non-transparent connection addresses SCB.

  7. Click the icon. A summary will be displayed about the connection. Enter a text that was displayed in the connection into the search box, for example, the command you executed in SSH, or a menu item or other text you have seen in RDP (for example, Start). SCB will automatically generate a screenshot showing when the text was displayed in the connection.

  8. Click to generate a video file from the audit trail that you can replay. Depending on the load of the indexer and the length and type of the audit trail, this can take several minutes (to cancel processing the audit trail, click ). The Video status field shows the progress of the this process.

    When the video is available, the icon changes to .

    Figure 3.17. Audit trail details

    Audit trail details

  9. To replay the video, click . The Player window opens.

  10. Play the audit trail, and review your actions.

Chapter 4. Basic settings

SCB is configured via the web interface. Configuration changes take effect automatically after clicking . Only the modifications of the current page or tab are activated — each page and tab must be committed separately.

4.1. Supported web browsers and operating systems

Supported browsers: the current version of Mozilla Firefox and Google Chrome, Microsoft Edge, and Microsoft Internet Explorer 9 or newer. The browser must support TLS-encrypted HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

Warning

Since the official support of Internet Explorer 9 and 10 ended in January, 2016, they are not supported in SCB version 4 F3 and later.

Warning

Even though the SCB web interface supports Internet Explorer 9 in general, to replay audit trails you need to use Internet Explorer 10, and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 10 or another supported browser on your computer, use the Audit Player application (for details, see Chapter 17, Replaying audit trails with Audit Player). For details, see Procedure 16.1.2, Replaying audit trails in your browser.

Note

SCB displays a warning message if your browser is not supported or JavaScript is disabled.

Supported operating systems: Windows 2003 Server, Windows Vista, Windows 2008 Server, Windows 7, Windows 2012 Server, Windows 8, Windows 8.1, Windows 10, and Linux.

The SCB web interface can be accessed only using TLS encryption and strong cipher algorithms.

Opening the web interface in multiple browser windows or tabs is not supported.

4.2. The structure of the web interface

The web interface consists of the following main sections:

Main menu: Each menu item displays its options in the main workspace on one or more tabs. Click in front of a main menu item to display the list of available tabs.

Figure 4.1. Structure of the web interface

Structure of the web interface

User menu: Provides possibilities to upload your security passphrase and permanent or temporary keys, to change your SCB password; to log out; and disable confirmation dialogs and tooltips using the Preferences option.

User info: Provides information about the user currently logged in:

  • User: username

  • Host: IP address of the user's computer

  • Last login: date and IP address of the user's last login

Figure 4.2. User menu and user info

User menu and user info

System monitor: Displays accessibility and system health information about SCB, including the following:

Figure 4.3. System monitor

System monitor

  • Time: System date and time.

  • Remaining time: The time remaining before the session to the web interface times out.

    Note

    To change timeout settings, navigate to Basic Settings > Management > Web interface timeout and enter the timeout value in minutes.

  • Locked: Indicates that the interface is locked by another administrator (for details, see Section 4.2.2, Multiple web users and locking).

  • Indicators if HTTP, ICA, RDP, SSH, Telnet, and VNC traffic is permitted to the protected servers.

  • Connections: The number of active ICA, RDP, SSH, Telnet, and VNC connections. For HTTP, the number of active HTTP sessions is displayed.

  • License: License information if the license is not valid, or an evaluation version license has expired.

  • The status of the RAID devices, if synchronization between the disks is in progress.

  • HA: The HA status and the ID of the active node if two SCB units are running in a High Availability cluster. If there are redundant Heartbeat interfaces configured, their status is displayed as well. If the nodes of the cluster are synchronizing data between each other, the progress and the time remaining from the synchronization process is also displayed.

  • Protected hosts or Concurrent sessions: Displays license usage, that is, the number of hosts that have been accessed via SCB in case of host-based licensing, or the number of active sessions in case of session-based licensing.

  • Average system load during the

    • Load 1: last minute

    • Load 15: last fifteen minutes

  • CPU, memory, hard disk, and swap use. Hover the mouse above the graphical bars to receive a more details in a tooltip, or navigate to Basic Settings > Dashboard for detailed reports.

The System monitor displays current information about the state of SCB. To display a history of these parameters, go to Basic Settings > Dashboard. For details, see Section 23.6, Status history and statistics.

4.2.1. Elements of the main workspace

The main workspace displays the configuration settings related to the selected main menu item grouped into one or more tabs. Related parameters of a tab are organized into labeled groups or sections, marked with blue outline .

Figure 4.4. Main workspace

Main workspace

  • Each page includes one or more orange action buttons. The most common action button is the , which saves and activates the changes of the page.

  • /Show/Hide Details: Displays or hides additional configuration settings and options.

  • , Create entry: Create a new row or entry (for example an IP address or a policy).

  • , Delete entry: Delete a row or an entry (for example an IP address or a policy).

  • , Open/collapse lists: Open or close a list of options (for example the list of available reports).

  • Modify entries or upload files: Edit an entry (for example a host key, a list, and so on), or upload a file (for example a private key). These actions open a pop-up window where the actual modification can be performed.

  • , Position an item in a list: Modify the order of items in a list. The order of items in a list (for example the order of connections, permitted channels in a channel policy, and so on) is important because when SCB is looking for a policy, it evaluates the list from top to down, and selects the first item completely matching the search criteria. For example, when a client initiates a connection to a protected server, SCB selects the first connection policy matching the client's IP address, the server's IP address, and the target port (the From, To, and Port fields of the connection).

Message window: This pop-up window displays the responses of SCB to the user's actions, for example Configuration saved successfully. Error messages are also displayed here. All messages are included in the system log. For detailed system logs (including message history), see the Troubleshooting tab of the Basic Settings. To make the window appear only for failed actions, navigate to User menu > Preferences and enable the Autoclose successful commit messages option.

Figure 4.5. Message window

Message window

4.2.2. Multiple web users and locking

Multiple administrators can access the SCB web interface simultaneously, but only one of them can modify the configuration. This means that the configuration of SCB is automatically locked when the first administrator who can modify the configuration accesses a configuration page (for example the Basic Settings or the AAA menu). The username and IP address of the administrator locking the configuration is displayed in the System Monitor field. Other administrators must wait until the locking administrator logs out, or the session of the administrator times out. However, it is possible to access the Search and Reporting menus,and to perform gateway authentication and 4-eyes authorization or browse the configuration with only View rights (for details, see Section 5.7, Managing user rights and usergroups).

Accessing SCB using the REST or the RPC API locks the configuration similarly to accessing SCB from the web interface.

Note

If an administrator logs in to SCB using the local console or a remote SSH connection, access via the web interface is completely blocked. Inactive local and SSH connections timeout just like web connections. For details, see Section 6.5, Accessing the SCB console.

4.2.3. Web interface timeout

By default, SCB terminates the web session of a user after ten minutes of inactivity. To change value of this timeout, adjust the Basic Settings > Management > Web interface timeout option.

Figure 4.6. Web interface timeout

Web interface timeout

4.3. Network settings

The Network tab contains the network interface and naming settings of SCB.

Figure 4.7. Network settings

Network settings

  • Interfaces: Lists all of the logical interfaces (VLAN IDs, IP addresses, netmasks, and names) assigned to the three physical interfaces of SCB. For more information on managing logical interfaces, see Procedure 4.3.2, Managing logical interfaces.

    Speed is displayed for every physical interface. To explicitly set the speed of the interface, select the new value from the Speed field. Modifying the speed of an interface is recommended only for advanced users.

  • Routing table: When sending a packet to a remote network, SCB consults the routing table to determine the path it should be sent. If there is no information in the routing table then the packet is sent to the default gateway. Use the routing table to define static routes to specific hosts or networks. You have to use the routing table if SCB interfaces are connected to multiple subnets.

    Click the and icons to add new routes or delete existing ones. A route means that messages sent to the Address/Netmask network should be delivered to Gateway.

    For detailed examples, see Procedure 4.3.4, Configuring the routing table.

  • IP forwarding: You can enable routing between logical interfaces, which allows you to direct uncontrolled traffic through SCB. For more information, see Procedure 4.3.3, Routing uncontrolled traffic between logical interfaces.

    To mimic the functionality of the deprecated Router mode, configure a logical interface for each physical interface you want to connect, and enable IP forwarding between them.

  • Naming > Hostname: Name of the machine running SCB.

  • Naming > Nick name: The nickname of SCB. Use it to distinguish the devices. It is displayed in the core and boot login shells.

  • Naming > DNS search domain: Name of the domain used on the network. When resolving the domain names of the audited connections, SCB will use this domain to resolve the target hostname if the appended domain entry of a target address is empty.

  • Naming > Primary DNS server: IP address of the name server used for domain name resolution.

  • Naming > Secondary DNS server: IP address of the name server used for domain name resolution if the primary server is unaccessible.

4.3.1. Procedure – Configuring user and administrator login addresses

Purpose: 

You can configure two separate login addresses for accessing the web interface of SCB:

  • Web login for administrators and users: On this address, users can, depending on their access privileges, modify the configuration of SCB, and perform authentication-related activities (gateway authentication, 4-eyes authorization).

    If you run the Audit Player as an indexer service, it also attempts to connect to this address.

  • Web login for users only: The configuration of SCB cannot be viewed or altered from this address; users (even ones with administrator privileges) can only perform gateway authentication and 4-eyes authorization.

Note

You can find more information about gateway authentication and 4-eyes authorization in Chapter 18, Advanced authentication and authorization techniques.

Both login addresses can be configured to restricts connections to a configured set of IP addresses only.

Note

Avoid using the IP address configured for administrator or user login on SCB when configuring HTTP or SSH connections.

The login addresses are, by default, protected against brute-force attacks: after five unsuccessful login attempts, all following attempts are denied for increasing periods of time. You can turn this off by unselecting the Protect against brute-force attacks option for the web login addresses.

Steps: 

  1. Navigate to Basic Settings > Local Services > Web login.

    Figure 4.8. Configuring web login address

    Configuring web login address

  2. In the Listening addresses field, choose .

  3. Into the Address field, choose the IP address to use for connecting to SCB's user interface.

    The available addresses correspond to the interface addresses configured in Basic Settings > Network > Interfaces. Only IPv4 addresses can be selected.

  4. Into the HTTP field, enter the port number for HTTP connections.

  5. Into the HTTPS field, enter the port number for HTTPS connections.

    If you use the Audit Player as an indexer service, verify that the port number is set to 443.

  6. Optional step: To permit access to the SCB web interface only from selected subnets or IP addresses, select Restrict clients, click and enter the IP address and netmask of the allowed clients. Note that these settings do not affect the SSH access to SCB.

    Warning

    Permit administrative access to SCB only from trusted networks. If possible, monitored connections and administrative access to the SCB web interface should originate from separate networks.

    After comitting the changes, the web interface will be available only from the configured subnets or IP addresses.

    Use an IPv4 address.

  7. Recommended: configure a separate login address for user connections in Web login (user only). The configuration settings of SCB cannot be viewed or modified from this address.

  8. Click .

4.3.2. Procedure – Managing logical interfaces

Purpose: 

You can assign logical interfaces to a physical interface. Each logical interface must have its own VLAN ID, and can have its own set of (alias) IP addresses and prefixes. The configured name for each logical interface is visible on SCB's user interface only.

You can configure IPv4 and IPv6 addresses as well. IPv6 is intended for configuring monitored connections, local services (including the web login) require IPv4 addresses. An interface can have multiple IP addresses, including a mix of IPv4 and IPv6 addresses.

Note

SCB does not support scenarios with two hosts using the same IP address on different VLAN groups.

Steps: 

  1. Navigate to Basic Settings > Network > Interfaces.

    Figure 4.9. Managing the logical interfaces

    Managing the logical interfaces

  2. If necessary, use the label on the SCB hardware to identify the physical interface to which you want to assign a logical interface.

  3. Choose to add a new logical interface. Provide the following:

    • VLAN: The VLAN ID of the logical interface. Optional.

    • Address: The IP address of the logical interface.

      You can also enter a hostname instead of the IP address, and SCB automatically resolves the hostname to IP address. Note the following limitations:

      • SCB uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

      • Only IPv4 addresses are supported.

      • If the Domain Name Server returns multiple IP addresses, SCB selects randomly from the list.

      Note

      Do not use IP addresses that fall into the following ranges:

      • 1.2.0.0/16 (reserved for communication between SCB cluster nodes)

      • 127.0.0.0/8 (localhost IP addresses)

    • Prefix: The IP range of the logical interface.

    • Optional: To add additional (alias) IP addresses and prefixes to a logical interface, click . To remove an alias IP address, click the corresponding .

    • Name: The name of the logical interface. This name is is visible on SCB's user interface only.

    To remove a logical interface, choose the on the right side.

  4. Click .

4.3.3. Procedure – Routing uncontrolled traffic between logical interfaces

Purpose: 

You can enable routing between logical interfaces, which allows you to direct uncontrolled traffic through SCB.

Steps: 

  1. Navigate to Basic Settings > Network > IP forwarding.

    Figure 4.10. IP forwarding between interfaces

    IP forwarding between interfaces

  2. To add a new forwarding rule, choose and select the two logical interfaces to connect. You can select the same interface in both fields to use that logical interface in single-interface router mode.

    To delete an existing rule, choose .

  3. Click .

4.3.4. Procedure – Configuring the routing table

Purpose: 

The routing table contains the network destinations SCB can reach. You have to make sure that both the monitored connections, and the local services of SCB (including connections made to the backup and archive servers, the syslog server, and the SMTP server) are routed properly.

You can add multiple IPv4 and IPv6 addresses and address ranges along with their respective gateways.

Steps: 

  1. To add a new routing entry, navigate to Basic Settings > Network > Interfaces and in the Routing table field, click .

    Figure 4.11. Routing

    Routing

  2. Enter the IP address and the network prefix into the Network field.

  3. Enter the IP address of the gateway used on that subnetwork into the Gateway field.

  4. Click .

4.4. Procedure – Configuring date and time

Date and time related settings of SCB can be configured on the Date & Time tab of the Basic Settings menu.

Figure 4.12. Date and time management

Date and time management

Warning

It is essential to set the date and time correctly on SCB, otherwise the date information of the logs and audit trails will be inaccurate.

SCB displays a warning on this page and sends an alert if the time becomes out of sync.

To explicitly set the date and time on SCB, enter the current date into respective fields of the Date & Time settings group and click Set Date & Time.

When two SCB units are operating in high availability mode, the slave nodes automatically synchronizes its time and date to the master node. To manually synchronize the time between the nodes, click Sync Master (available only in high availability mode).

To retrieve the date automatically from a time server, complete the following steps:

  1. Select your timezone in the Timezone field.

  2. Enter the IP address of an NTP time server into the Address field.

    Use an IPv4 address.

  3. Click .

  4. Click the and icons to add new servers or delete existing ones.

  5. Optional: If the time setting of SCB is very inaccurate (that is, the difference between the system time and the actual time is great), it might take a long time to retrieve the date from the NTP server. In this case, click Sync Now or Sync Master to sync the time immediately using SNTP.

4.5. System logging, SNMP and e-mail alerts

E-mail alerts and system logging can be configured on the Basic Settings > Management page.

4.5.1. Procedure – Configuring system logging

Purpose: 

SCB can send its system log messages to remote syslog servers, for example, syslog-ng Premium Edition, syslog-ng Store Box, Splunk, or HPE ArcSight Data Platform. To configure logging to a remote server, complete the following steps.

Figure 4.13. Configuring system logging

Configuring system logging

Steps: 

  1. Navigate to Basic Settings > Management.

  2. Click in the Syslog > Syslog receivers field to add a new syslog server.

  3. Enter the IP address and port of the syslog server into the respective fields.

    Use an IPv4 address.

  4. Select the network protocol used to transfer the messages in the Protocol field. The legacy- prefix corresponds to the legacy BSD-syslog protocol described in RFC3164, while the syslog- prefix corresponds to the new IETF-syslog protocol described in RFC5424. Note that not every syslog server supports the IETF protocol yet.

    Select TCP+TLS to send the log messages using a TLS-encrypted connection.

    Tip

    Transferring the syslog messages using TCP ensures that the server receives them.

    Transferring the syslog messages using TLS encryption ensures that third parties cannot read the messages. However, not every syslog server accepts encrypted connections. The syslog-ng Premium Edition and Open Source Edition applications, and the syslog-ng Store Box (which is a log-collector appliance similar to SCB) support both encrypted connections and the new IETF-syslog protocol as well. For details on these products, see syslog-ng Premium Edition and syslog-ng Store Box.

  5. To display separate hostnames for syslog messages sent by the nodes of a SCB HA cluster, select the Include node ID in hostname in boot firmware messages option. The node ID included in the hostname filed of the syslog message is the MAC address of the node's HA interface. (Messages of the core firmware are always sent by the master node.)

    You can find more information about the boot and the core firmware in Section 2.12, Firmware in SCB.

  6. If you have selected the TCP+TLS protocol, complete the following steps. Otherwise, click .

    1. If you want SCB to verify the certificate of the syslog server, select Required trusted in the Server key check field and proceed to the next step.

      If you want SCB to simply accept any certificate shown by the server, select Optional untrusted in the Server key check field.

      Note

      Alternatively, you can use the following, less strict options to check the certificate of the server:

      • Optional trusted: If the server sends a certificate, SCB checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the server. If these checks fail, SCB rejects the connection. However, SCB accepts the connection if the server does not send a certificate.

      • Required untrusted: SCB requests a certificate from the server, and rejects the connection if no certificate is received, if the certificate is not valid (expired), or if the Common Name of the certificate does not contain the domain name or the IP address of the server.

    2. Click the icon in the CA X.509 certificate field. A pop-up window is displayed.

      Click Browse, select the certificate of the Certificate Authority (CA) that issued the certificate of the syslog server, then click Upload. Alternatively, you can paste the certificate into the Copy-paste field and click Upload.

      SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.

    3. If the syslog server requires mutual authentication, that is, it expects a certificate from SCB, generate and sign a certificate for SCB, then click the icon in the Client X.509 certificate field to upload the certificate. After that, click the icon in the Client key field and upload the private key corresponding to the certificate.

    4. Click .

  7. Click the and icons to add new servers or delete existing ones.

    Note

    To reduce the risk of the syslog server not receiving log messages from SCB because of a network outage or other problem with the syslog server, SCB buffers up to 10 Megabytes of log messages to its hard disk in case the syslog server becomes unaccessible.

4.5.2. Procedure – Configuring e-mail alerts

Purpose: 

To configure e-mail alerts, complete the following steps:

Steps: 

  1. Navigate to Basic Settings > Management > Mail settings.

  2. If you want to encrypt the communication between SCB and the SMTP server, in Encryption, select the STARTTLS option and complete the following steps:

    • If you want SCB to verify the certificate of the server, select Only accept certificates authenticated by the specified CA certificate and click the icon in the CA X.509 certificate field. A pop-up window is displayed.

      Click Browse, select the certificate of the Certificate Authority (CA) that issued the certificate of the SMTP server, then click Upload. Alternatively, you can paste the certificate into the Copy-paste field and click Set.

      SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.

    • If the SMTP server requires mutual authentication, that is, it expects a certificate from SCB, enable Authenticate as client. Generate and sign a certificate for SCB, then click in the Client X.509 certificate field to upload the certificate. After that, click in the Client key field and upload the private key corresponding to the certificate.

    Balabit recommends using 2048-bit RSA keys (or stronger).

  3. If you want SCB to authenticate to the SMTP server, in Authentication, select the Enabled option. Enter the Username to authenticate with.

    To configure or change the password to use to authenticate to the SMTP server, click Change and enter the password. Click Update. Click .

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  4. Enter the IP address or the hostname of the mail server into the SMTP server address field.

    Use an IPv4 address.

    Figure 4.14. Configuring e-mail sending

    Configuring e-mail sending

  5. Enter the e-mail address where you want to receive e-mails from into the Send e-mails as field. This can be useful for e-mail filtering purposes. SCB sends e-mails from the address provided here. If no e-mail address is entered, e-mails will be sent from the default e-mail address.

  6. Enter the e-mail address of the administrator into the Administrator's e-mail address field. SCB sends notifications related to system-events (but not alerts and reports) to this address.

  7. Enter the e-mail address of the administrator into the Send e-mail alerts to field. SCB sends monitoring alerts to this address.

  8. Enter the e-mail address the person who should receive traffic reports from SCB into the Send reports to field. For details on reports, see Chapter 19, Reports.

  9. Click .

  10. Click Test to send a test message.

    If the test message does not arrive to the server, check if SCB can access the server. For details, see Chapter 23, Troubleshooting SCB.

  11. Navigate to Basic Settings > Alerting & Monitoring and select in which situations should SCB send an e-mail alert. For details, see Section 4.6, Configuring system monitoring on SCB.

  12. Click .

4.5.3. Procedure – Configuring SNMP alerts

Purpose: 

SCB can send alerts to a central monitoring server via SNMP (Simple Network Management Protocol). To configure SNMP alerts, complete the following steps:

Steps: 

  1. Navigate to Basic Settings > Management > SNMP trap settings.

  2. Enter the IP address or the hostname of the SNMP server into the SNMP server address field.

    Use an IPv4 address.

    Figure 4.15. Configuring SNMP alerts

    Configuring SNMP alerts

  3. Select the SNMP protocol to use.

    • To use the SNMP v2c protocol for SNMP queries, select SNMP v2c, and enter the community to use into the Community field.

    • To use the SNMP v3 protocol, select SNMP v3 and complete the following steps:

      Figure 4.16. Configuring SNMP alerts using SNMPv3

      Configuring SNMP alerts using SNMPv3

    1. Enter the username to use into the Username field.

    2. Enter the engine ID to use into the Engine ID field. The engine ID is a hexadecimal number at least 10 digits long, starting with 0x. For example 0xABABABABAB.

    3. Select the authentication method (MD5 or SHA1) to use from the Authentication method field.

    4. Enter the password to use into the Authentication password field.

    5. Select the encryption method (Disabled, DES or AES) to use from the Encryption method field.

    6. Enter the encryption password to use into the Encryption password field.

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  4. Click .

  5. Navigate to Basic Settings > Alerting & Monitoring and select in which situations should SCB send an SNMP alert. For details, see Section 4.6, Configuring system monitoring on SCB.

  6. Click .

4.5.4. Procedure – Querying SCB status information using agents

Purpose: 

External SNMP agents can query the basic status information of SCB. To configure which clients can query this information, complete the following steps:

Steps: 

  1. Navigate to Basic Settings > Local Services > SNMP server settings.

    Figure 4.17. Configuring SNMP agent access

    Configuring SNMP agent access

  2. Enable the SNMP server.

  3. Optionally, you can enter the details of the SNMP server into the System location, System contact, and System description fields.

  4. To use the SNMP v2c protocol for SNMP queries, enable SNMP v2c agent, and enter the community to use into the Community field.

  5. To use the SNMP v3 protocol, select SNMP v3 agent and complete the following steps:

    1. Click

    2. Enter the username used by the SNMP agent into the Username field.

    3. Select the authentication method (MD5 or SHA1) to use from the Auth. method field.

    4. Enter the password used by the SNMP agent into the Auth. password field.

    5. Select the encryption method (Disabled, DES or AES) to use from the Encryption method field.

    6. Enter the encryption password to use into the Encryption password field.

    7. To add other agents, click .

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  6. In the Listening addresses field, choose and select the IP address and port for the SNMP server.

    The available addresses correspond to the interface addresses configured in Basic Settings > Network > Interfaces. Only IPv4 addresses can be selected.

    Repeat this step to add multiple addresses.

  7. Optional step: To permit access to the SNMP server only from selected subnets or IP addresses, select Restrict clients, click and enter the IP address and netmask of the allowed clients.

    Use an IPv4 address.

    Repeat this step to add multiple addresses.

  8. Click .

4.6. Configuring system monitoring on SCB

SCB supports the SNMPv2c and SNMPv3 protocols. The SNMP server set on the Management tab can query status information from SCB.

Tip

In order have your central monitoring system to recognize the SNMP alerts sent by SCB, import the SCB-specific Management Information Base (MIB) into your monitoring system. Download all MIBs by navigating to Basic Settings > Alerting & Monitoring and clicking Download MIBs and import them into your monitoring system. For details, see the documentation of your monitoring system.

Figure 4.18. Configuring SNMP and e-mail alerting

Configuring SNMP and e-mail alerting

4.6.1. Procedure – Configuring monitoring

Purpose: 

To configure monitoring, complete the following steps:

Steps: 

  1. Navigate to Basic Settings > Alerting & Monitoring.

  2. The default threshold values of the parameters are suitable for most situations. Adjust the thresholds only if needed.

  3. Click .

  4. Navigate to Basic Settings > Management and verify that the SNMP settings and Mail settings of SCB are correct. SCB sends alerts only to the alert e-mail address and to the SNMP server.

    Warning

    Sending alerts fails if these settings are incorrect.

The following sections describe the parameters you can receive alerts on.

4.6.2. Health monitoring

SCB continuously monitors a number of parameters of the SCB hardware and its environment. If a parameter reaches a critical level (set in its respective Maximum field), SCB sends e-mail or SNMP messages to alert the administrator.

  • Disk utilization maximum: Ratio of free space available on the hard disk. SCB sends an alert if the audit trails use more space than the set value. Archive the audit trails to a backup server to free disk space. For details, see Section 4.8, Archiving and cleanup.

    Note

    The alert message includes the actual disk usage, not the limit set on the web interface. For example, you set SCB to alert if the disk usage increases above 10 percent. If the disk usage of SCB increases above this limit (for example to 17 percent), you receive the following alert message: less than 90% free (= 17%). This means that the amount of used disk space increased above 10% (what you set as a limit, so it is less than 90%), namely to 17%.

  • Load average: The average load of SCB during the last one, five, or 15 minutes.

  • Swap utilization maximum: Ratio of the swap space used by SCB. SCB sends an alert if it uses more swap space than the set value.

4.6.3. Procedure – Preventing disk space fill up

Purpose: 

To prevent disk space from filling up, complete the following steps.

Note

This is highly recommended if SCB is hosted in a virtual environment.

Steps: 

  1. Navigate to Basic Settings > Management > Disk space fill up prevention.

  2. Set the limit of maximum disk utilization in percents in the respective field. When disk space is used above the set limit, SCB disconnects all clients. Entering 0 turns the feature off. The default value is 0.

  3. Optional step: Enable the Automatically start archiving option to automatically start all configured archiving/cleanup jobs when disk usage goes over the limit.

    For more information on configuring an archiving policy, see Section 4.8, Archiving and cleanup.

    Note

    If there is no archiving policy set, enabling this option will not trigger automatic archiving.

  4. Navigate to Basic Settings > Alerting & Monitoring > Health monitoring and enable alert Disk utilization maximum.

  5. Click .

4.6.4. System related traps

SCB can send the following system related alerts in e-mail or as SNMP trap. To configure these alerts, see Procedure 4.5.2, Configuring e-mail alerts and Procedure 4.5.3, Configuring SNMP alerts.

Note

Configure Disk space fill up prevention, and configure SCB to send an alert if the free space on the disks of SCB is low. For details, see Procedure 4.6.3, Preventing disk space fill up.

Configure SCB to send an alert if a user fails to login to SCB. For details, see the Login failed alert in Section 4.6.4, System related traps.

Name SNMP alert ID Description
Login failed xcbLoginFailure Failed login attempts from SCB web interface.
Successful login xcbLogin Successful login attempts into SCB web interface.
Logout xcbLogout Logouts from SCB web interface.
Configuration changed xcbConfigChange Any modification of SCB's configuration.
General alert xcbAlert

General alerts and error messages occurring on SCB.

Note, that alerts on general alerts and errors are sent whenever there is an alert or error level message in the SCB system log. These messages are very verbose and mainly useful only for debugging purposes.

Enabling these alerts may result in multiple e-mails or SNMP traps sent about the same event.

General error xcbError
Data and configuration backup failed xcbBackupFailed Alerts if the backup procedure is unsuccessful.
Data archiving failed xcbArchiveFailed Alerts if the archiving procedure is unsuccessful.
Database error occurred xcbDBError An error occurred in the database where SCB stores the connection metadata. Contact our support team (see Section 5, Contact and support information for contact information).
License limit reached xcbLimitReached The number of protected servers (or concurrent sessions) reached the limit set in the SCB license. Clients cannot connect to new servers using SCB.
HA node state changed xcbHaNodeChanged A node of the SCB cluster changed its state, for example, a takeover occurred.
Timestamping error occurred xcbTimestampError An error occurred during the timestaming process, for example the timestamping server did not respond.
Time sync lost xcbTimeSyncLost The system time became out of sync.
Raid status changed xcbRaidStatus The status of the node's RAID device changed its state.
Hardware error occurred xcbHWError SCB detected a hardware error.
Firmware is tainted xcbFirmwareTainted A user has locally modified a file from the console.
Too many login attempts xcbBruteforceAttempt SCB has detected a possible brute-force attack.
License expires soon xcbLicenseAlmostExpired Your SCB license will expire within 60 days.

Table 4.1. System related traps


4.6.5. Traffic related traps

SCB can send the following traffic related alerts in e-mail or as SNMP trap. To configure these alerts, see Procedure 4.5.2, Configuring e-mail alerts and Procedure 4.5.3, Configuring SNMP alerts.

Name SNMP alert ID Description
Channel opening denied scbChannelDenied A user attempted to open a channel not permitted by the channel policy.
Connection denied scbConnectionDenied A user attempted to connect a server not permitted in the connection policies.
User successfully authenticated scbAuthSuccess A user successfully authenticated on a protected server using an SSH connection.
User authentication failed scbAuthFailure A user failed to complete the authentication on a protected server using an SSH connection.
SSH host key mismatch scbSshHostKeyMismatch The SSH host key of a server did not match the key stored on SCB.
New SSH host key learned scbHostKeyLearned SCB learned a new SSH host key.
Connection timed out scbConnectionTimedout A connection to a protected server timed out.
Protocol violation scbProtocolViolation A connection violated the protocol as specified in the RFC or protocol documentation. This may have been caused by an incompatible application or a deliberate attack.
Connection to the server failed scbConnectionFailed A connection to a protected server failed.
User successfully authenticated on the gateway scbGWAuthSuccess A user has successfully authenticated a connection on SCB as part of a gateway-authentication process.
User authentication failed on the gateway scbGWAuthFailure The gateway-authentication of a connection has failed.
User mapping failed on the gateway scbUserMappingFailure A usermapping policy did not find a suitable mapping for the connection.
Decryption of a credential store failed scbCredStoreDecrpytError SCB could not unlock a password-protected Credential Store. Navigate to Unlock Credential Store and enter the password(s) to open the Credential Store.
The requested credential store is closed scbCredStoreClosed A user attempted to access a connection policy that uses a password-protected Credential Store, and the Credential Store has not been unlocked. Navigate to Unlock Credential Store and enter the password(s) to open the Credential Store.
Failed to unlock credential store scbCredStoreUnlockFailure A user attempted to unlock a password-protected Credential Store with an incorrect password. Navigate to Unlock Credential Store and enter the correct password(s) to open the Credential Store.
Real time audit event detected scbRealTimeAlert A real-time audit event has occurred.

Table 4.2. Traffic related traps


4.7. Data and configuration backups

Backups create a snapshot of SCB's configuration or the data which can be used for recovery in case of errors. SCB can create automatic backups of its configuration and the stored audit-trails to a remote server.

To configure backups, you first have to create a backup policy. Backup policies define the address of the backup server, which protocol to use to access it, and other parameters. SCB can be configured to use the Rsync, SMB/CIFS, and NFS protocols to access the backup server:

The different backup protocols assign different file ownerships to the files saved on the backup server. The owners of the backup files created using the different protocols are the following:

  • Rsync: The user provided on the web interface.

  • SMB/CIFS: The user provided on the web interface.

  • NFS: root with no-root-squash, nobody otherwise.

Warning

SCB cannot modify the ownership of a file that already exists on the remote server. If you change the backup protocol but you use the same directory of the remote server to store the backups, make sure to adjust the ownership of the existing files according to the new protocol. Otherwise SCB cannot overwrite the files and the backup procedure fails.

Once you have configured a backup policy, set it as a system backup policy (for configuration backups) or data backup policy (for connections backups):

Note

Backup deletes all other data from the target directory; restoring a backup deletes all other data from SCB. For details on restoring configuration and data from backup, see Procedure 23.9, Restoring SCB configuration and data.

4.7.1. Procedure – Creating a backup policy using Rsync over SSH

The Rsync over SSH backup method connects the target server with SSH and executes the rsync UNIX command to copy the data to the remote server. SCB authenticates itself with a public key — password-based authentication is not supported.

Warning

The backup server must run rsync version 3.0 or newer.

Steps: 

  1. Navigate to Policies > Backup & Archive/Cleanup and click in the Backup policies section to create a new backup policy.

    Figure 4.19. Configuring backups

    Configuring backups

  2. Enter a name for the backup policy (for example config-backup).

  3. Enter the time when the backup process should start into the Start time field in HH:MM format (for example 23:00).

  4. Enter the IP address or the hostname of the remote server into the Target server field (for example backup.example.com).

    Use an IPv4 address.

  5. Select Rsync over SSH from the Target settings radio buttons.

    Figure 4.20. Configuring backups using rsync

    Configuring backups using rsync

  6. Enter the username used to logon to the remote server into the Username field.

  7. Click in the Authentication key field. A popup window is displayed.

  8. Generate a new keypair by clicking Generate or upload or paste an existing one. This key will be used to authenticate SCB on the remote server. The public key of this keypair must be imported to the remote server.

  9. Click in the Server host key field. A popup window is displayed.

  10. Click Query to download the host key of the server, or upload or paste the host key manually. SCB will compare the host key shown by the server to this key, and connect only if the two keys are identical.

    Figure 4.21. Configuring SSH keys

    Configuring SSH keys

  11. Enter the port number of the SSH server running on the remote machine into the Port field.

  12. Enter the path to the backup directory on the target server into the Path field (for example /backups).

    SCB saves all data into this directory, automatically creating the subdirectories. Backups of audit-trails are stored in the data, configuration backups in the config subdirectory.

  13. To receive e-mail notification of the backup, select the Send notification on errors only or the Send notification on all events option. Notifications are sent to the administrator e-mail address set on the Management tab.

    To include the list of files in the e-mail, select Send notification on all events and enable the Include file list option. However, note that if list is very long (for example, SCB stores over 20000 audit trails), the SCB web interface might become unaccessible. In this case, set the Maximum number of files in notification lower. After this number has been reached, file names will be omitted from the notification.

    Note

    This e-mail notification is different from the one set on the Alerting & Monitoring tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.6, Configuring system monitoring on SCB).

  14. Click .

  15. To assign the backup policy to a connection, see Procedure 4.7.5, Creating data backups.

4.7.2. Procedure – Creating a backup policy using SMB/CIFS

The SMB/CIFS backup method connects to a share on the target server with Server Message Block protocol. SMB/CIFS is mainly used on Microsoft Windows Networks.

When deployed from the Azure Marketplace, you can use Azure File storage shares in your for Backup and Archive Policies. This is very useful as the quota for the files storage can be changed dynamically, so the cumulative size of the audit trails is not limited to the OS disk size. You can set up this share as a normal SMB shares in your Backup and Archive policies. The parameters for the policy can be obtained from the Azure portal.

Warning

When you try to create backups and archives from SCB to NetApp devices using the CIFS protocol, the operation may fail with a similar error message: /opt/scb/mnt/14719217504d41370514043/reports/2010": Permission denied (13) '2010/day/' rsync: failed to set times on.

To overcome this problem, grant the SCB user "Full Control" access rights to the CIFS share on the NetApp device.

Warning

When using the CIFS protocol to backup or archive files to a target server running Windows 2008 R2 that uses NTLMv2 authentication, the operation may fail with a similar error message:

CIFS VFS: Unexpected SMB signature
Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
CIFS VFS: Send error in SessSetup = -22
CIFS VFS: cifs_mount failed w/return code = -22
CIFS VFS: Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags.
CIFS VFS: cifs_mount failed w/return code = -95
CIFS VFS: Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags.
CIFS VFS: cifs_mount failed w/return code = -95

To overcome this problem, either:

  • use the NFS protocol to access your Windows 2008 R2 servers, or

  • edit the registry of the Windows 2008 R2 server or apply a hotfix. For details, see Article 957441 in the Microsoft® Support site.

  1. Navigate to Policies > Backup & Archive/Cleanup and click in the Backup policies section to create a new backup policy.

    Figure 4.22. Configuring backups

    Configuring backups

  2. Enter a name for the backup policy (for example config-backup).

  3. Enter the time when the backup process should start into the Start time field in HH:MM format (for example 23:00).

  4. Enter the IP address or the hostname of the remote server into the Target server field (for example backup.example.com).

    Use an IPv4 address.

  5. Select SMB/CIFS from the Target settings radio buttons.

    Figure 4.23. Configuring backups via SMB/CIFS

    Configuring backups via SMB/CIFS

  6. Enter the username used to logon to the remote server into the Username field, or select the Anonymous option.

    Usernames can contain space.

  7. Enter the password corresponding to the username into the Password field.

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  8. Enter the name and directory path of the share into the Share field. Use the following format:

    share_name/path/to/directory

    You can use backslashes and forward slashes as well.

    SCB saves all data into this directory, automatically creating the subdirectories. Backups of audit-trails are stored in the data, configuration backups in the config subdirectory.

  9. Enter the domain name of the target server into the Domain field.

  10. To receive e-mail notification of the backup, select the Send notification on errors only or the Send notification on all events option. Notifications are sent to the administrator e-mail address set on the Management tab.

    To include the list of files in the e-mail, select Send notification on all events and enable the Include file list option. However, note that if list is very long (for example, SCB stores over 20000 audit trails), the SCB web interface might become unaccessible. In this case, set the Maximum number of files in notification lower. After this number has been reached, file names will be omitted from the notification.

    Note

    This e-mail notification is different from the one set on the Alerting & Monitoring tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.6, Configuring system monitoring on SCB).

  11. Click .

  12. To assign the backup policy to a connection, see Procedure 4.7.5, Creating data backups.

4.7.3. Procedure – Creating a backup policy using NFS

The NFS backup method connects to a shared directory of the target server with the Network File Share protocol.

  1. Navigate to Policies > Backup & Archive/Cleanup and click in the Backup policies section to create a new backup policy.

    Figure 4.24. Configuring backups

    Configuring backups

  2. Enter a name for the backup policy (for example config-backup).

  3. Enter the time when the backup process should start into the Start time field in HH:MM format (for example 23:00).

  4. Enter the IP address or the hostname of the remote server into the Target server field (for example backup.example.com).

    Use an IPv4 address.

  5. Select NFS from the Target settings radio buttons.

    Figure 4.25. Configuring NFS backups

    Configuring NFS backups

  6. Enter the domain name of the remote server into the Target server field.

  7. Enter the name of the NFS export into the Export field.

    SCB saves all data into this directory, automatically creating the subdirectories. Audit-trail backups are stored in the data, configuration backups in the config subdirectory.

  8. The remote server must also be configured to accept backups from SCB.

    Add a line that corresponds to the settings of SCB to the /etc/exports file of the backup server. This line should contain the following parameters:

    • The path to the backup directory as set in the Export field of the SCB backup policy.

    • The IP address of the SCB interface that is used to access the remote server. For more information on the network interfaces of SCB, see Section 4.3, Network settings.

      Use an IPv4 address.

    • The following parameters: (rw,no_root_squash,sync).

    Example 4.1. Configuring NFS on the remote server

    For example, if SCB connects the remote server from the 192.168.1.15 IP address and the data is saved into the /var/backups/SCB directory, add the following line to the /etc/exports file:

    /var/backups/SCB 192.168.1.15(rw,no_root_squash,sync)
  9. On the remote server, execute the following command:

    exportfs -a

    Verify that the rpc portmapper and rpc.statd applications are running.

  10. To receive e-mail notification of the backup, select the Send notification on errors only or the Send notification on all events option. Notifications are sent to the administrator e-mail address set on the Management tab.

    To include the list of files in the e-mail, select Send notification on all events and enable the Include file list option. However, note that if list is very long (for example, SCB stores over 20000 audit trails), the SCB web interface might become unaccessible. In this case, set the Maximum number of files in notification lower. After this number has been reached, file names will be omitted from the notification.

    Note

    This e-mail notification is different from the one set on the Alerting & Monitoring tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.6, Configuring system monitoring on SCB).

  11. Click .

  12. To assign the backup policy to a connection, see Procedure 4.7.5, Creating data backups.

4.7.4. Procedure – Creating configuration backups

Purpose: 

To create a configuration backup, assign a backup policy as the System backup policy of SCB.

Tip

To create an immediate backup of SCB's configuration to your machine (not to the backup server), select Basic Settings > System > Export configuration. Note that the configuration export contains only the system settings and configuration files (including changelogs). System backups includes additional information like reports and alerts, and also the connection database.

When exporting the configuration of SCB, or creating configuration backups, always use encryption. Handle the exported data with care, as it contains sensitive information, including credentials. For details on encrypting the configuration, see Procedure 4.7.6, Encrypting configuration backups with GPG.

To encrypt your configuration backups, see Procedure 4.7.6, Encrypting configuration backups with GPG.

Prerequisites: 

You have to configure a backup policy before starting this procedure. For details, see Section 4.7, Data and configuration backups.

Steps: 

  1. Navigate to Basic Settings > Management > System backup.

    Figure 4.26. Configuring system backups

    Configuring system backups

  2. Select the backup policy you want to use for backing up the configuration of SCB in the System backup policy field.

  3. Click .

  4. Optional: To start the backup process immediately, click Backup now. The Backup now functionality works only after a backup policy has been selected and committed.

4.7.5. Procedure – Creating data backups

To configure data backups, assign a backup policy to the connection.

Note

When exporting the configuration of SCB, or creating configuration backups, always use encryption. Handle the exported data with care, as it contains sensitive information, including credentials. For details on encrypting the configuration, see Procedure 4.7.6, Encrypting configuration backups with GPG.

Prerequisites: 

Steps: 

  1. Navigate to Connections.

  2. Select the connection you want to back up.

  3. Select a backup policy in the Backup policy field.

  4. Click .

  5. Optional: To start the backup process immediately, click Backup or Backup ALL. The Backup and Backup ALL functionalities work only after a backup policy has been selected and committed.

4.7.6. Procedure – Encrypting configuration backups with GPG

Purpose: 

You can encrypt the configuration file of SCB during system backups using the public-part of a GPG key. The system backups of SCB contain other information as well (for example, databases), but only the configuration file is encrypted. Note that system backups do not contain audit-trail data.

When exporting the configuration of SCB, or creating configuration backups, always use encryption. Handle the exported data with care, as it contains sensitive information, including credentials. For details on encrypting the configuration, see Procedure 4.7.6, Encrypting configuration backups with GPG.

For details on restoring configuration from a configuration backup, see Procedure 23.9, Restoring SCB configuration and data.

Note

It is not possible to directly import a GPG-encrypted configuration into SCB, it has to be decrypted locally first.

Prerequisites: 

You have to configure a backup policy before starting this procedure. For details, see Section 4.7, Data and configuration backups.

You need a GPG key which must be permitted to encrypt data. Keys that can be used only for signing cannot be used to encrypt the configuration file.

Steps: 

  1. Navigate to Basic > System > Management > System backup.

  2. Select Encrypt configuration.

  3. Select .

    • To upload a key file, click Browse, select the file containing the public GPG key, and click Upload. SCB accepts both binary and ASCII-armored GPG keys.

    • To copy-paste the key from the clipboard, paste it into the Key field and click Set.

  4. Click .

4.8. Archiving and cleanup

Archiving transfers data from SCB to an external storage solution, cleanup removes (deletes) old files. Archived data can be accessed and searched, but cannot be restored (moved back) to the SCB appliance. Only those closed audit-trail files are archived where the retention time has already elapsed.

To configure archiving and cleanup, you first have to create an archive/cleanup policy. Archive/cleanup policies define the retention time, the address of the remote backup server, which protocol to use to access it, and other parameters. SCB can be configured to use the SMB/CIFS and NFS protocols to access the backup server:

Warning

If you modify the connection protocol of an existing policy (for example, from NFS to SMB/CIFS), the old archives will become inaccessible. To avoid this, create a new archive policy instead, using the new connection protocol, and configure it for all affected connections (<connection type> > Connections > >Archive/Cleanup policy). This way, both the old and the new archived trails will be accessible.

The different protocols assign different file ownerships to the files saved on the remote server. The owners of the archives created using the different protocols are the following:

  • SMB/CIFS: The user provided on the web interface.

  • NFS: root with no-root-squash, nobody otherwise.

Warning

SCB cannot modify the ownership of a file that already exists on the remote server.

Once you have configured an archive/cleanup policy, assign it to the connection you want to archive. For details, see Procedure 4.8.4, Archiving or cleaning up the collected data.

Data about archived connections can be automatically deleted from the connection database. For details, see Procedure 7.14, Configuring cleanup for the SCB connection database.

4.8.1. Procedure – Creating a cleanup policy

Cleanup permanently deletes all audit trails and data that is older than Retention time in days without creating a backup copy or an archive. Such data is irrecoverably lost. Use this option with care.

Note

This policy does not delete existing archives from an external CIFS or NFS server.

  1. Navigate to Policies > Backup & Archive/Cleanup and click in the Archive/Cleanup policies section to create a new cleanup policy.

  2. Enter a name for the cleanup policy.

  3. Enter the time when the cleanup process should start into the Start time field in HH:MM format (for example 23:00).

  4. To cleanup the data collected on SCB more than once a day, click . You can schedule multiple cleanup times.

    Note

    In case a cleanup process is not finished before the next one would start, the next cleanup process waits for the previous process to be completed.

  5. Fill the Retention time in days field. Data older than this value is deleted from SCB.

  6. To receive e-mail notifications, select the Send notification on errors only or the Send notification on all events option. Notifications are sent to the administrator e-mail address set on the Management tab, and include the list of the files that were backed up.

    Note

    This e-mail notification is different from the one set on the Alerting & Monitoring tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.6, Configuring system monitoring on SCB).

  7. Click .

  8. To assign the cleanup policy to the connection you want to clean up, see Procedure 4.8.4, Archiving or cleaning up the collected data.

4.8.2. Procedure – Creating an archive policy using SMB/CIFS

The SMB/CIFS archive method connects to a share on the target server with Server Message Block protocol. SMB/CIFS is mainly used on Microsoft Windows Networks.

When deployed from the Azure Marketplace, you can use Azure File storage shares in your for Backup and Archive Policies. This is very useful as the quota for the files storage can be changed dynamically, so the cumulative size of the audit trails is not limited to the OS disk size. You can set up this share as a normal SMB shares in your Backup and Archive policies. The parameters for the policy can be obtained from the Azure portal.

Warning

When you try to create backups and archives from SCB to NetApp devices using the CIFS protocol, the operation may fail with a similar error message: /opt/scb/mnt/14719217504d41370514043/reports/2010": Permission denied (13) '2010/day/' rsync: failed to set times on.

To overcome this problem, grant the SCB user "Full Control" access rights to the CIFS share on the NetApp device.

Warning

When using the CIFS protocol to backup or archive files to a target server running Windows 2008 R2 that uses NTLMv2 authentication, the operation may fail with a similar error message:

CIFS VFS: Unexpected SMB signature
Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
CIFS VFS: Send error in SessSetup = -22
CIFS VFS: cifs_mount failed w/return code = -22
CIFS VFS: Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags.
CIFS VFS: cifs_mount failed w/return code = -95
CIFS VFS: Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags.
CIFS VFS: cifs_mount failed w/return code = -95

To overcome this problem, either:

  • use the NFS protocol to access your Windows 2008 R2 servers, or

  • edit the registry of the Windows 2008 R2 server or apply a hotfix. For details, see Article 957441 in the Microsoft® Support site.

  1. Navigate to Policies > Backup & Archive/Cleanup and click in the Archive/Cleanup policies section to create a new archive policy.

    Figure 4.27. Configuring cleanup and archiving

    Configuring cleanup and archiving

  2. Enter a name for the archive policy.

  3. Enter the time when the archive process should start into the Start time field in HH:MM format (for example 23:00).

  4. To archive the data collected on SCB more than once a day, click . You can schedule multiple archive times.

    Note

    In case an archive process is not finished before the next one would start, the next archive process waits for the previous process to be completed.

  5. Select SMB/CIFS from the Target settings radio buttons.

  6. Enter the username used to logon to the remote server into the Username field, or select the Anonymous option.

    Usernames can contain space.

  7. Enter the password corresponding to the username into the Password field.

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  8. Enter the name and directory path of the share into the Share field. Use the following format:

    share_name/path/to/directory

    You can use backslashes and forward slashes as well.

    SCB saves all data into this directory, automatically creating the subdirectories. Archives of audit-trails are stored in the data, configuration backups in the config subdirectory.

  9. Enter the domain name of the target server into the Domain field.

  10. SCB organizes the audit trails into directories based on the date or the protocol. The subdirectories are created directly into the archive directory. Select one of the following directory structures:

    • Protocol/Connection/Archive Date/

    • Archive Date/Connection/Protocol/

    • Connection Date/Protocol/Connection/

    • Archive Date/

    • Connection Date/

    For example, the Protocol/Connection/Archive Date template will have create subdirectories for the audited protocols (that is, ssh, rdp, telnet, vnc), for the name of the connection policy, and finally, for the date (YEAR-MONTH-DAY in YYYY-MM-DD format).

    Note

    Connection Date refers to the time the connection started, while Archive Date to the time it was archived. The difference between the two dates depends on the retention time set for the archiving policy.

  11. Fill the Retention time in days field. Data older than this value is archived to the external server.

    Note

    The archived data is deleted from SCB.

  12. To receive e-mail notifications, select the Send notification on errors only or the Send notification on all events option. Notifications are sent to the administrator e-mail address set on the Management tab, and include the list of the files that were backed up.

    Note

    This e-mail notification is different from the one set on the Alerting & Monitoring tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.6, Configuring system monitoring on SCB).

  13. Click .

  14. To assign the archive policy to the connection you want to archive, see Procedure 4.8.4, Archiving or cleaning up the collected data.

4.8.3. Procedure – Creating an archive policy using NFS

The NFS archive method connects to a shared directory of the target server with the Network File Share protocol.

  1. Navigate to Policies > Backup & Archive/Cleanup and click in the Archive/Cleanup policies section to create a new archive policy.

    Figure 4.28. Configuring cleanup and archiving

    Configuring cleanup and archiving

  2. Enter a name for the archive policy.

  3. Enter the time when the archive process should start into the Start time field in HH:MM format (for example 23:00).

  4. To archive the data collected on SCB more than once a day, click . You can schedule multiple archive times.

    Note

    In case an archive process is not finished before the next one would start, the next archive process waits for the previous process to be completed.

  5. Select NFS from the Target settings radio buttons.

  6. Enter the domain name of the remote server into the Target server field.

  7. Enter the name of the NFS export into the Export field.

    SCB saves all data into this directory, automatically creating the subdirectories.

  8. The remote server must also be configured to accept connections from SCB.

    Add a line that corresponds to the settings of SCB to the /etc/exports file of the remote server. This line should contain the following parameters:

    • The path to the archive directory as set in the Export field of the SCB archive policy.

    • The IP address of the SCB interface that is used to access the remote server. For more information on the network interfaces of SCB, see Section 4.3, Network settings.

      Use an IPv4 address.

    • The following parameters: (rw,no_root_squash,sync).

    Example 4.2. Configuring NFS on the remote server

    For example, if SCB connects the remote server from the 192.168.1.15 IP address and the data is saved into the /var/backups/SCB directory, add the following line to the /etc/exports file:

    /var/backups/SCB 192.168.1.15(rw,no_root_squash,sync)
  9. On the remote server, execute the following command:

    exportfs -a

    Verify that the rpc portmapper and rpc.statd applications are running.

  10. SCB organizes the audit trails into directories based on the date or the protocol. The subdirectories are created directly into the archive directory. Select one of the following directory structures:

    • Protocol/Connection/Archive Date/

    • Archive Date/Connection/Protocol/

    • Connection Date/Protocol/Connection/

    • Archive Date/

    • Connection Date/

    For example, the Protocol/Connection/Archive Date template will have create subdirectories for the audited protocols (that is, ssh, rdp, telnet, vnc), for the name of the connection policy, and finally, for the date (YEAR-MONTH-DAY in YYYY-MM-DD format).

    Note

    Connection Date refers to the time the connection started, while Archive Date to the time it was archived. The difference between the two dates depends on the retention time set for the archiving policy.

  11. Fill the Retention time in days field. Data older than this value is archived to the external server.

    Note

    The archived data is deleted from SCB.

  12. To receive e-mail notifications, select the Send notification on errors only or the Send notification on all events option. Notifications are sent to the administrator e-mail address set on the Management tab, and include the list of the files that were backed up.

    Note

    This e-mail notification is different from the one set on the Alerting & Monitoring tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Section 4.6, Configuring system monitoring on SCB).

  13. Click .

  14. To assign the archive policy to the connection you want to archive, see Procedure 4.8.4, Archiving or cleaning up the collected data.

4.8.4. Procedure – Archiving or cleaning up the collected data

To configure data archiving/cleanup, assign an archive/cleanup policy to the connection.

Prerequisites: 

You have to configure an archive/cleanup policy before starting this procedure. For details, see Section 4.8, Archiving and cleanup.

Steps: 

  1. Navigate to the connection (for example to SSH Control > Connections).

  2. Select the connection.

  3. Select the archive/cleanup policy you want to use in the Archive/Cleanup policy field.

  4. Click .

  5. Optional: To start the archiving or clean up process immediately, click Archive now. This functionality works only after a corresponding policy has been configured.

Chapter 5. User management and access control

The AAA menu (Authentication, Authorization, and Accounting) allows you to control the authentication, authorization, and accounting settings of the users accessing SCB. The following will be discussed in the next sections:

5.1. Procedure – Managing SCB users locally

Purpose: 

By default, SCB users are managed locally on SCB. To create and delete local users, modify the group membership of local users, or to modify the password of a user, complete the following procedure.

Note

The admin user is available by default and has all possible privileges. It is not possible to delete this user.

Local users cannot be managed when LDAP authentication is used (see Procedure 5.4, Managing SCB users from an LDAP database). When LDAP authentication is enabled, the accounts of local users is disabled, they are not displayed on the AAA > Local Users page, but they are not deleted,

When using RADIUS authentication together with local users, the users are authenticated to the RADIUS server, only their group memberships must be managed locally on SCB. For details, see Procedure 5.5, Authenticating users to a RADIUS server.

Steps: 

  1. Navigate to AAA > Local Users and click .

    Figure 5.1. Creating local users

    Creating local users

  2. Enter the username into the User field.

    Note

    For the username of SSH users, only valid UTF-8 strings are allowed.

    The following characters cannot be used in usernames: \/[]:;|=,+*?<>

  3. Enter a password for the user into the Password and Verify password fields.

    The strength of the password is indicated below the Password field as you type. To set a policy for password strength, see Procedure 5.2, Setting password policies for local users. The user can change the password later from the SCB web interface.

    Use strong passwords: at least 8 characters that include numbers, letters, special characters, and capital letters. For local SCB users, require the use of strong passwords (set AAA > Settings > Minimal password strength to strong). For details, see Procedure 5.2, Setting password policies for local users.

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  4. Click in the Groups section and select a group that the user will be member of. Repeat this step to add the user to multiple groups. For details about the different groups, see Section 5.7, Managing user rights and usergroups.

    • To remove a user from a group, click next to the group.

    • To delete a user, click at the right edge of the screen.

  5. Click .

5.2. Procedure – Setting password policies for local users

Purpose: 

SCB can use password policies to enforce minimal password strength and password expiry. To create a password policy, complete the following steps.

Limitations: 

Note the following important points about password policies.

  • Password policies do not apply to the built-in admin user.

  • Password policies apply only for locally managed users, and have no effect if you manage your users from an LDAP database, or if you authenticate your users to a RADIUS server.

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  • When running the Audit Player application in service mode, the Audit Player application needs a valid user account to access SCB. When using password expiry, ensure that the password of this user is changed in time, and that it is changed also on the Audit Player hosts.

Steps: 

  1. Navigate to AAA > Settings.

    Figure 5.2. Configuring password policies

    Configuring password policies

  2. Verify that the Authentication method is set to Password provided by database and that the User database is set to Local.

    Note

    If the setting of these fields is different (for example LDAP or RADIUS), then SCB is not configured to manage passwords locally.

  3. Set how long the passwords are valid in the Password expiration field. After this period, SCB users will have to change their password. To disable password expiry, enter 0.

  4. To prevent password-reuse (for example when a user has two password and instead of changing to a new password only switches between the two), set how many different passwords must the user use before reusing an old password.

  5. To enforce the use of strong password, select the level of password-complexity from the Minimal password strength field.

    Note

    The strength of the password is determined by its entropy: the variety of numbers, letters, capital letters, and special characters used, not only by its length.

    The Enable cracklib option executes some simple dictionary-based attacks to find weak passwords.

  6. Click .

    Note

    Changes to the password policy do not affect existing passwords. However, setting password expiry will require every user to change their passwords after the expiry date, and the new passwords must comply with the strength requirements set in the password policy.

5.3. Procedure – Managing local usergroups

Purpose: 

To display which users belong to a particular local usergroup, navigate to AAA > Group Management. You can edit the group memberships here as well.

You can use local groups to control the privileges of SCB local and LDAP users — who can view and configure what.

For the description of built-in groups, see Section 5.7.5, Built-in usergroups of SCB. To create a new group, complete the following steps:

Steps: 

  1. Navigate to AAA > Group Management and click .

    Figure 5.3. Group management

    Group management

  2. Enter a name for the group.

  3. Enter the names of the users belonging to the group. Click to add more users.

  4. Click .

5.4. Procedure – Managing SCB users from an LDAP database

Purpose: 

The SCB web interface can authenticate users to an external LDAP database to simplify the integration of SCB to your existing infrastructure. You can also specify multiple LDAP servers; if the first server is unavailable, SCB will try to connect to the second server. To enable LDAP authentication, complete the following steps.

Note

The admin user is available by default and has all privileges. It is not possible to delete this user.

The admin user can login to SCB even if LDAP authentication is used.

Enabling LDAP authentication automatically disables the access of every local user except for admin.

SCB accepts both pre-win2000-style and Win2003-style account names (User Principal Names). User Principal Names (UPNs) consist of a username, the at (@) character, and a domain name, for example [email protected].

For the username of SSH users, only valid UTF-8 strings are allowed.

The following characters cannot be used in usernames and group names: /\[]:;|=,+*)?<>@"

When using RADIUS authentication together with LDAP users, the users are authenticated to the RADIUS server, only their group memberships must be managed in LDAP. For details, see Procedure 5.5, Authenticating users to a RADIUS server.

Warning

A user can belong to a maximum of 10,000 groups; further groups are ignored.

Warning

By default, SCB uses nested groups when querying the LDAP server. Nested groups are mostly useful when authenticating the users to Microsoft Active Directory, but can slow down the query and cause the connection to timeout if the LDAP tree is very large. In this case, disable the Enable nested groups option.

Steps: 

  1. Navigate to AAA > Settings > Authentication settings.

  2. Select the LDAP option and enter the parameters of your LDAP server.

    Figure 5.4. Configuring LDAP authentication

    Configuring LDAP authentication

    1. Enter the IP address or hostname and port of the LDAP server into the Server Address field. If you want to encrypt the communication between SCB and the LDAP server, in case of TLS, enter 636 as the port number, or in case of STARTTLS, enter 389 as the port number.

      Use an IPv4 address.

      To add multiple servers, click and enter the address of the next server. If a server is unreachable, SCB will try to connect to the next server in the list in failover fashion.

      Warning

      If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example ldap.example.com) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

    2. Select the type of your LDAP server in the Type field. Select Active Directory to connect to Microsoft Active Directory servers, or Posix to connect to servers that use the POSIX LDAP scheme.

    3. Enter the name of the DN to be used as the base of the queries into the Base DN field (for example DC=demodomain,DC=exampleinc).

    4. Enter the name of the DN where SCB should bind to before accessing the database into the Bind DN field.

      For example: CN=Administrator,CN=Users,DC=demodomain,DC=exampleinc.

      Note

      SCB accepts both pre-win2000-style and Win2003-style account names (User Principal Names), for example [email protected] is also accepted.

      Note

      Do not use sAMAccountName, as the bind DN expects a CN.

    5. To configure or change the password to use when binding to the LDAP server, click Change and enter the password. Click Update. Click .

      Note

      SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

    6. Optional step: Only use this option if you have an LDAP schema where the user groups can only be determined from a user attribute that contains the group DNs.

      In the User attr. of group DNs field, enter the name of the user attribute (for example in case of Active Directory: memberOf).

      Warning

      Using this option significantly slows down logon to the SCB web interface if you have too many groups.

  3. If you want to encrypt the communication between SCB and the LDAP server, in Encryption, select the TLS or the STARTTLS option and complete the following steps:

    Note

    TLS-encrypted connection to Microsoft Active Directory is supported only on Windows 2003 Server and newer platforms. Windows 2000 Server is not supported.

    • If you want SCB to verify the certificate of the server, select Only accept certificates authenticated by the specified CA certificate and click the icon in the CA X.509 certificate field. A pop-up window is displayed.

      Click Browse, select the certificate of the Certificate Authority (CA) that issued the certificate of the LDAP server, then click Upload. Alternatively, you can paste the certificate into the Copy-paste field and click Set.

      SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.

      Warning

      If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example ldap.example.com) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

    • If the LDAP server requires mutual authentication, that is, it expects a certificate from SCB, enable Authenticate as client. Generate and sign a certificate for SCB, then click in the Client X.509 certificate field to upload the certificate. After that, click in the Client key field and upload the private key corresponding to the certificate.

    Balabit recommends using 2048-bit RSA keys (or stronger).

  4. Optional Step: If your LDAP server uses a custom POSIX LDAP scheme, you might need to set which LDAP attributes store the username, or the attributes that set group memberships. For example, if your LDAP scheme does not use the uid attribute to store the usernames, set the Username (userid) attribute name option. You can customize group-membership attributes using the POSIX group membership attribute name and GroupOfUniqueNames membership attribute name options.

    Note that SCB treats the retrieved usernames and group names as case sensitive.

  5. If you have modified the Server certificate check field or the keys used in the connections, perform the following steps:

    Warning

    This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.

  6. Click .

    Note

    You also have to configure the usergroups in SCB and possibly in your LDAP database. For details on using usergroups, see Section 5.7.4, How to use usergroups.

  7. Click Test to test the connection.

5.5. Procedure – Authenticating users to a RADIUS server

Purpose: 

SCB can authenticate its users to an external RADIUS server. Group memberships of the users must be managed either locally on SCB or in an LDAP database.

Warning

The challenge/response authentication methods is currently not supported. Other authentication methods (for example password, SecureID) should work.

To authenticate SCB users to a RADIUS server, complete the following steps:

Steps: 

  1. Navigate to AAA > Settings.

    Figure 5.5. Configuring RADIUS authentication

    Configuring RADIUS authentication

  2. Set the Authentication method field to RADIUS.

  3. Enter the IP address or domain name of the RADIUS server into the Address field.

    Use an IPv4 address.

  4. Enter the password that SCB can use to access the server into the Shared secret field.

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  5. To add more RADIUS servers, click and repeat Steps 2-4.

    Repeat this step to add multiple servers. If a server is unreachable, SCB will try to connect to the next server in the list in failover fashion.

  6. When configuring RADIUS authentication with a local user database, complete the following steps.

    1. Set Password expiration to 0.

    2. Set Number of passwords to remember to 0.

    3. Set Minimal password strength to disabled.

    4. Set Cracklib check on password to disabled.

  7. Warning

    After clicking , the SCB web interface will be available only after successfully authenticating to the RADIUS server. Note that the default admin account of SCB will be able to login normally, even if the RADIUS server is unaccessible.

    Click .

5.6. Procedure – Authenticating users with X.509 certificates

Purpose: 

SCB provides a method to authenticate the users of the web interface with X.509 client certificates. The client certificate is validated against a CA list, and the username is exported from the client certificate for identification. Balabit recommends using 2048-bit RSA keys (or stronger).

To authenticate SCB users with X.509 client certificates, complete the following steps:

Steps: 

  1. Navigate to AAA > Settings > Authentication settings.

    Figure 5.6. Configuring X.509 authentication

    Configuring X.509 authentication

  2. Select X.509.

  3. Select the trusted CA list in Authentication CA. For details on creating a trusted CA list, see Procedure 7.11, Verifying certificates with Certificate Authorities.

  4. Enter the DN field name of the username in X.509 DN field name of username field (in most cases, CN or UID. This field is case-sensitive, so make sure that you use the proper case.

  5. To allow the admin user to be able to log in without using X.509 authorization, select Enable fallback for admin. This will fallback to password authentication.

  6. Click .

5.7. Managing user rights and usergroups

In SCB, user rights can be assigned to usergroups. SCB has numerous usergroups defined by default, but custom user groups can be defined as well. Every group has a set of privileges: which pages of the SCB web interface it can access, and whether it can only view (read) or also modify (read & write/perform) those pages or perform certain actions.

Note

Every group has either read or read & write/perform privileges to a set of pages.

Figure 5.7. Managing SCB users

Managing SCB users

5.7.1. Procedure – Modifying group privileges

Purpose: 

To modify the privileges of an existing group, complete the following steps:

Steps: 

  1. Navigate to AAA > Access Control.

  2. Find the group you want to modify and click . The list of available privileges is displayed.

  3. Select the privileges (pages of the SCB interface) to which the group will have access to and click Save.

    Figure 5.8. Modifying group privileges

    Modifying group privileges

    Warning

    Assigning the Search privilege to a user on the AAA page automatically enables the Search in all connections privilege, and grants the user access to every audit trail, even if the user is not a member of the groups listed in the Access Control option of the particular connection policy.

  4. Select the type of access (read or read & write) from the Type field.

  5. Click .

5.7.2. Procedure – Creating new usergroups for the SCB web interface

Purpose: 

To create a new group, complete the following steps:

Steps: 

  1. Navigate to AAA > Access Control and click .

  2. Enter a name for the group. For details on how you should name your groups, see Section 5.7.4, How to use usergroups.

  3. Click located next to the name of the group. The list of available privileges is displayed.

  4. Select the privileges (pages of the SCB interface) to which the group will have access to and click Save.

    Note

    To export the configuration of SCB, the Export configuration privilege is required.

    To import a configuration to SCB, the Import configuration privilege is required.

    To update the firmware and set the active firmware, the Firmware privilege is required.

  5. Select the type of access (read or read & write) from the Type field.

  6. Click .

The admin user is available by default and has all privileges. It is not possible to delete this user.

5.7.3. Finding specific usergroups

The Filter ACLs section of the AAA > Access Control page provides you with a simple searching and filtering interface to search the names and privileges of usergroups.

Figure 5.9. Finding specific usergroups

Finding specific usergroups

  • To select usergroups starting with a specific string, enter the beginning of the name of the group into the Group field and select Search.

  • To select usergroups who have a specific privilege, click , select the privilege or privileges you are looking for, and click Search.

  • To filter for read or write access, use the Type option.

5.7.4. How to use usergroups

How you should name usergroups depends on the way you manage your SCB users.

  • Local users: If you use only local users, create or modify your usergroups on the AAA > Access Control page and add users to the groups on the AAA > Local Users or the AAA > Group Management page.

  • LDAP users and LDAP groups: If you manage your users from LDAP, and also have LDAP groups that match the way you want to group your SCB users, create or modify your usergroups on the AAA > Access Control page and ensure that the name of your LDAP group and the SCB usergroup is the same. For example, to make members of the admins LDAP group be able to use SCB, create a usergroup called admins on the AAA > Access Control page and edit the privileges of the group as needed.

    Warning

    A user can belong to a maximum of 10,000 groups; further groups are ignored.

  • RADIUS users and local groups: This is the case when you manage users from RADIUS, but you cannot or do not want to create groups in LDAP. Create your local groups on the AAA > Access Control page, and add your RADIUS users to these groups on the AAA > Group Management page.

5.7.5. Built-in usergroups of SCB

SCB has the following usergroups by default:

Figure 5.10. Built-in usergroups of SCB

Built-in usergroups of SCB

Warning

If you use LDAP authentication on the SCB web interface and want to use the default usergroups, you have to create these groups in your LDAP database and assign users to them. For details on using usergroups, see Section 5.7.4, How to use usergroups.

  • basic-view: View the settings in the Basic Settings menu, including the system logs of SCB. Members of this group can also execute commands on the Troubleshooting tab.

  • basic-write: Edit the settings in the Basic Settings menu. Members of this group can manage SCB as a host.

  • auth-view: View the names and privileges of the SCB administrators, the configured usergroups, and the authentication settings in the AAA menu. Members of this group can also view the history of configuration changes.

  • auth-write: Edit authentication settings and manage users and usergroups.

    Warning

    Members of the auth-write group, or any other group with write privileges to the AAA menu are essentially equivalent to system administrators of SCB, because they can give themselves any privilege. Users with limited rights should never have such privileges.

    If a user with write privileges to the AAA menu gives himself new privileges (for example gives himself group membership to a new group), then he has to relogin to the SCB web interface to activate the new privilege.

  • search: Browse and download various logs and alerts in the Search menu. The members of this group have access to the audit trail files as well. Note that to open encrypted audit trail files, the proper encryption keys are required.

  • changelog: View the history of SCB configuration changes in the AAA > Accounting menu.

  • report: Browse, create and manage reports, and add statistics-based chapters to the reports in the Reports menu. Users with this privilege can access every report. To grant access to users only to specific reports, use the Reports are accessible by the following groups option of the report. For details, see Procedure 19.2, Configuring custom reports.

    Note

    To control exactly which statistics-based chapters and reports can the user include in a report, use the Use static subchapters privileges.

  • policies-view: View the policies and settings in the Policies menu.

  • policies-write: Edit the policies and settings in the Policies menu.

  • ssh-view: View all connection and policy settings in the SSH Control menu.

  • ssh-write: Edit all connection and policy settings in the SSH Control menu.

  • rdp-view: View all connection and policy settings in the RDP Control menu.

  • rdp-write: Edit all connection and policy settings in the RDP Control menu.

  • telnet-view: View all connection and policy settings in the Telnet Control menu.

  • telnet-write: Edit all connection and policy settings in the Telnet Control menu.

  • vnc-view: View all connection and policy settings in the VNC Control menu.

  • vnc-write: Edit all connection and policy settings in the VNC Control menu.

  • indexing: Allows host running the Audit Player application to access and download audit trails for automatic indexing. Note that the members of this group can access the SCB web interface as well, and download any audit trail directly.

  • ica-view: View all connection and policy settings in the ICA Control menu.

  • ica-write: Edit all connection and policy settings in the ICA Control menu.

  • api: View and edit rights for the Access RPC API privilege, to access SCB through RPC.

  • http-view: View all connection and policy settings in the HTTP Control menu.

  • http-write: Edit all connection and policy settings in the HTTP Control menu.

  • indexer-view: View all connection and policy settings in the Indexer menu.

  • indexer-write: Edit all connection and policy settings in the Indexer menu.

5.8. Listing and searching configuration changes

SCB automatically tracks every change of its configuration. To display the history of changes, select AAA > Accounting. The changes are displayed on a search interface; for more information on using and customizing this interface, see Section 5.8.1, Using the internal search interface.

The following information is displayed about each modification:

Figure 5.11. Browsing configuration changes

Browsing configuration changes

  • Timestamp: The date of the modification.

  • Author: Username of the administrator who modified the configuration of SCB.

  • Page: The menu item that was modified.

  • Field name: The name of the field or option that was modified.

  • New value: The new value of the configuration parameter.

  • Message: The changelog or commit log that the administrator submitted. This field is available only if the Require commit log option is enabled (see below).

  • Old value: The old value of the configuration parameter.

  • Swap: Signs if the order of objects was modified on the page (for example the order of two policies in the list).

To request the administrators to write an explanation to every configuration change, navigate to AAA > Settings > Accounting settings and select the Require commit log option.

5.8.1. Using the internal search interface

The internal search interface is for browsing and filtering the configuration changes and reports of SCB.

Figure 5.12. The internal search interface

The internal search interface

The bars display the number of results in the selected interval. Use the and icons to zoom, and the arrows to display the previous or the next intervals. To explicitly select a date, select Jump to and set the date in the calendar. You can change the length of the displayed interval with the Scale option.

Hovering the mouse above a bar displays the number of entries and the start and end date of the period that the bar represents. Click a bar to display the entries of that period in the table. Use Shift+Click to select multiple bars.

If data is too long to fit on one line, it is automatically wrapped and only the first line is displayed. To expand a row, click . To shrink the row back to its original size, click . To expand/shrink all rows, click the respective button on the header of the table. The rows can also be expanded/shrunk by double clicking on the respective row.

5.8.1.1. Filtering

The tables can be filtered for any parameter, or a combination of parameters. To filter the list, enter the filter expression in the input field of the appropriate column, and press Enter, or click on an entry in the table.

Note

When you use filters, the bars display the statistics of the filtered results.

Filtering displays also partial matches. For example, filtering the Author column on the AAA > Accounting screen for adm displays all changes performed by users whose username contains the adm string.

You can use the icon to perform an exact search, and the icon for inverse filtering ("does not include"). To clear filters from a column, click .

To restore the original table, click Clear all filters.

5.8.1.2. Exporting the results

To save the table of search results as a file, click Export as CSV. This saves the table as a text file containing comma-separated values. Note that if an error occurs when exporting the data, the exported CSV file will include a line (usually as the last line of the file) starting with a zero and the details of the problem, for example 0;description_of_the_error.

Warning

Do not use Export as CSV to export large amounts of data, as exporting data can be very slow, especially if the system is under heavy load.

5.8.1.3. Procedure – Customizing columns of the internal search interface

Purpose: 

To customize the data displayed on the interface.

Steps: 

  1. Navigate to the database you want to browse, for example AAA > Accounting.

  2. Click Customize Columns. A pop-up window containing the list of visible and available columns is displayed.

    Figure 5.13. Customizing columns of the general search interfaces

    Customizing columns of the general search interfaces

  3. The displayed parameters are enlisted in the Visible columns field. All other available parameters are enlisted in the Available columns field.

    • To add parameters to the Visible columns field, select the desired parameter(s) and click Add.

    • To remove parameters from the Visible columns field, select the desired parameter(s) and click Remove.

    • To freeze columns (to make them permanently visible, even when scrolling horizontally), enable the Freeze option next to the desired parameter.

    Note

    To select multiple parameters, press Ctrl while clicking the items.

  4. Click OK. The selected information is displayed.

5.9. Displaying the privileges of users and user groups

SCB version 3.2 and later provides an interface to query the user-rights and privileges of individual users and user groups. To display the privileges of a user or usergroup, navigate to AAA > Permission Query, enter the name of the user or group into the respective field, then click Filter. Note that:

  • It is not possible to filter on both the username and the group at the same time.

  • Partial matches are also displayed.

  • Usergroups can be local usergroups, userlists, or LDAP usergroups.

Web interface permissions. For usergroups accessing the SCB web interface, a table is displayed that lists the pages of the SCB web interface that the user or usergroup can access. The following information is displayed:

  • Page: The name of the page or group of pages, for example, Basic Settings.

  • Element: If a group has access only to a section of a page, the name of the element is listed here. For example, a particular Channel Policy.

  • Group: The name of the usergroup.

  • Permission: The type of access that the user or usergroup has to the page: read or read and write/perform.

Figure 5.14. Displaying web interface permissions

Displaying web interface permissions

Connection permissions. To review which servers a user or usergroup can access, SCB collects the main information about the connections the user or group is permitted to use. The following information is displayed.

Note

To display the usergroups that can access a specific Connection Policy, open the Connection Policy, then select Show connection permissions > Show on the Connections page.

Figure 5.15. Displaying connection permissions

Displaying connection permissions

  • Gateway group: Lists the group memberships required to access the connection. Group memberships can be restricted at the following places:

    • Connection > Gateway authentication > Groups

    • Channel Policies > Gateway group

    • Policies > Usermapping Policies > Groups

  • Source:

    Source IP: The IP address of the client.

  • To:

    Destination IP: The IP address of the server as requested by the client.

  • To port:

    Destination port: The port number of the server as requested by the client.

  • Target:

    Server IP: The IP address of the server connected by SCB.

  • Target port:

    Server port: The port number of the server connected by SCB.

  • Remote user:

    Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 18.1, Configuring usermapping policies.

  • Remote group: The group that can access the destination server, as set in the Usermapping Policy (if any).

  • Protocol:

    Protocol: The protocol used in the connection (Citrix ICA, HTTP, RDP, SSH, Telnet, or VNC).

  • Connection:

    Connection ID: The identifier of the connection policy.

  • Authorizer:

    Four-eyes authorizer: The username of the user who authorized the session. Available only if 4-eyes authorization is required for the channel. For details on 4-eyes authorization, see Section 18.3, Configuring 4-eyes authorization.

  • Auth type: The authentication method used in the client-side connection during gateway authentication.

  • Channel: The type of the channel, for example, session-shell.

  • Time: The name of the Time Policy used in the connection.

  • LDAP: The name of the LDAP Server used in the connection (if any).

  • Credential store: The name of the Credential Store used in the connection (if any).

  • Audit: Indicates if the connection is recorded into audit trails.

Usergroup memberships. When searching for users, the table displays the group memberships of the matching users. When searching for usergroups, the table displays the members of the matching groups. The following information is displayed:

  • User: The username of the user.

  • Group: The name of the usergroup or userlist.

  • Exception: Usernames that are denied in case of default-deny userlists managed locally on SCB.

Figure 5.16. Displaying usergroup and userlist memberships

Displaying usergroup and userlist memberships

Chapter 6. Managing SCB

The following sections explain the basic management tasks of SCB.

6.1. Controlling SCB — reboot, shutdown

To reboot or shut down SCB, navigate to Basic Settings > System > System control > This node and click the respective action button. The Other node refers to the slave node of a high availability SCB cluster. For details on high availability clusters, see Section 6.2, Managing a high availability SCB cluster.

Warning
  • When rebooting the nodes of a cluster, reboot the other (slave) node first to avoid unnecessary takeovers.

  • When shutting down the nodes of a cluster, shut down the other (slave) node first. When powering on the nodes, start the master node first to avoid unnecessary takeovers.

  • When both nodes are running, avoid interrupting the connection between the nodes: do not unplug the Ethernet cables, reboot the switch or router between the nodes (if any), or disable the HA interface of SCB.

Figure 6.1. Performing basic management

Performing basic management

Note

Web sessions to the SCB interface are persistent and remain open after rebooting SCB, so you do not have to relogin after a reboot.

6.1.1. Procedure – Disabling controlled traffic

Purpose: 

To temporarily disable some or all of the controlled traffic to the protected servers, complete the following steps:

Figure 6.2. Disabling the controlled traffic

Disabling the controlled traffic

Warning

Disabling traffic that way is only temporary; connections will be enabled again after committing any other change from the SCB web interface. For details on how to permanently disable a type of traffic, see Procedure 6.1.2, Disabling controlled traffic permanently.

Note

Disabling the traffic affects only the traffic configured in the Connection policies, other traffic can pass SCB even if the all traffic is disabled. For details on configuring Connection policies, see Chapter 7, General connection settings.

Steps: 

  1. Navigate to the Basic Settings > System > Traffic control.

    • To disable SSH traffic, click Stop in the SSH traffic field. Note that this also stops all other traffic forwarded in SSH, for example X11.

    • To disable RDP traffic, click Stop in the RDP traffic field.

    • To disable Telnet and TN3270 traffic, click Stop in the Telnet traffic field.

    • To disable VNC traffic, click Stop in the VNC traffic field.

    • To disable all types of traffic, click Stop in the All services field.

    The System monitor displays the status of all types of traffic.

6.1.2. Procedure – Disabling controlled traffic permanently

Note

Disabling the traffic affects only the traffic configured in the Connection policies, other traffic can pass SCB even if the all traffic is disabled. For details on configuring Connection policies, see Chapter 7, General connection settings.

Steps: 

  1. Figure 6.3. Disabling the controlled traffic persistently

    Disabling the controlled traffic persistently

    Navigate to the Global Options page of the traffic type you want to disable, for example to SSH Control > Global Options to disable SSH traffic.

  2. Set the Traffic > Service field to disabled.

  3. Click .

6.2. Managing a high availability SCB cluster

High availability (HA) clusters can stretch across long distances, such as nodes across buildings, cities or even continents. The goal of HA clusters is to support enterprise business continuity by providing location-independent failover and recovery.

To set up a high availability cluster, connect two SCB units with identical configurations in high availability mode. This creates a master-slave (active-backup) node pair. Should the master node stop functioning, the slave node takes over the IP addresses of the master node's interfaces. Gratuitous ARP requests are sent to inform hosts on the local network that the MAC addresses behind these IP addresses have changed.

The master node shares all data with the slave node using the HA network interface (labeled as 4 or HA on the SCB appliance). The disks of the master and the slave node must be synchronized for the HA support to operate correctly. Interrupting the connection between running nodes (unplugging the Ethernet cables, rebooting a switch or a router between the nodes, or disabling the HA interface) disables data synchronization and forces the slave to become active. This might result in data loss. You can find instructions to resolve such problems and recover an SCB cluster in Section 23.7, Troubleshooting an SCB cluster.

Note

HA functionality was designed for physical SCB units. If SCB is used in a virtual environment, use the fallback functionalities provided by the virtualization service instead.

The Basic Settings > High Availability page provides information about the status of the HA cluster and its nodes.

Figure 6.4. Managing a high availability cluster

Managing a high availability cluster

The following information is available about the cluster:

  • Status: Indicates whether the SCB nodes recognize each other properly and whether those are configured to operate in high availability mode.

    You can find the description of each HA status in Section 23.7.1, Understanding SCB cluster statuses.

  • Current master: The MAC address of the high availability interface (4 or HA) of the node. This address is also printed on a label on the top cover of the SCB unit.

  • HA UUID: A unique identifier of the HA cluster. Only available in High Availability mode.

  • DRBD status: Indicates whether the SCB nodes recognize each other properly and whether those are configured to operate in high availability mode.

    You can find the description of each DRBD status in Section 23.7.1, Understanding SCB cluster statuses.

  • DRBD sync rate limit: The maximum allowed synchronization speed between the master and the slave node.

    You can find more information about configuring the DRBD sync rate limit in Section 6.2.1, Adjusting the synchronization speed.

The active (master) SCB node is labeled as This node, this unit inspects the SSH traffic and provides the web interface. The SCB unit labeled as Other node is the slave node that is activated if the master node becomes unavailable.

The following information is available about each node:

  • Node ID: The MAC address of the HA interface of the node. This address is also printed on a label on the top cover of the SCB unit.

    For SCB clusters, the IDs of both nodes are included in the internal log messages of SCB. Note that if the central log server is a syslog-ng server, the keep-hostname option should be enabled on the syslog-ng server.

  • Node HA state: Indicates whether the SCB nodes recognize each other properly and whether those are configured to operate in high availability mode.

    You can find the description of each HA status in Section 23.7.1, Understanding SCB cluster statuses.

  • Node HA UUID: A unique identifier of the cluster. Only available in High Availability mode.

  • DRBD status: The status of data synchronization between the nodes.

    You can find the description of each DRBD status in Section 23.7.1, Understanding SCB cluster statuses.

  • RAID status: The status of the RAID device of the node. If it is not Optimal, there is a problem with the Raid device. For details, see Section 23.8, Understanding SCB RAID status.

  • Boot firmware version: Version number of the boot firmware.

    You can find more information about the boot and the core firmware in Section 2.12, Firmware in SCB.

  • HA link speed: The maximum allowed speed between the master and the slave node. The HA link's speed must exceed the DRBD sync rate limit, else the web UI might become unresponsive and data loss can occur.

  • Interfaces for Heartbeat: Virtual interface used only to detect that the other node is still available; it is not used to synchronize data between the nodes (only heartbeat messages are transferred).

    You can find more information about configuring redundant heartbeat interfaces in Procedure 6.2.2, Redundant heartbeat interfaces.

  • Next hop monitoring: IP addresses (usually next hop routers) to continuously monitor from both the master and the slave nodes using ICMP echo (ping) messages. If any of the monitored addresses becomes unreachable from the master node while being reachable from the slave node (in other words, more monitored addresses are accessible from the slave node) then it is assumed that the master node is unreachable and a forced takeover occurs – even if the master node is otherwise functional.

    You can find more information about configuring next-hop monitoring in Procedure 6.2.3, Next-hop router monitoring.

The following configuration and management options are available for HA clusters:

  • Set up a high availability cluster: You can find detailed instructions for setting up a HA cluster in Procedure B.2, Installing two SCB units in HA mode.

  • Adjust the DRBD (master-slave) synchronization speed: You can change the limit of the DRBD synchronization rate.

    You can find more information about configuring the DRBD synchronization speed in Section 6.2.1, Adjusting the synchronization speed.

  • Configure redundant heartbeat interfaces: You can configure virtual interfaces for each HA node to monitor the availability of the other node.

    You can find more information about configuring redundant heartbeat interfaces in Procedure 6.2.2, Redundant heartbeat interfaces.

  • Configure next-hop monitoring: You can provide IP addresses (usually next hop routers) to continuously monitor from both the master and the slave nodes using ICMP echo (ping) messages. If any of the monitored addresses becomes unreachable from the master node while being reachable from the slave node (in other words, more monitored addresses are accessible from the slave node) then it is assumed that the master node is unreachable and a forced takeover occurs – even if the master node is otherwise functional.

    You can find more information about configuring next-hop monitoring in Procedure 6.2.3, Next-hop router monitoring.

  • Reboot the HA cluster: To reboot both nodes, click Reboot Cluster. To prevent takeover, a token is placed on the slave node. While this token persists, the slave node halts its boot process to make sure that the master node boots first. Following reboot, the master removes this token from the slave node, allowing it to continue with the boot process.

    If the token still persists on the slave node following reboot, the Unblock Slave Node button is displayed. Clicking the button removes the token, and reboots the slave node.

  • Reboot a node: Reboots the selected node.

    When rebooting the nodes of a cluster, reboot the other (slave) node first to avoid unnecessary takeovers.

  • Shutdown a node: Forces the selected node to shutdown.

    When shutting down the nodes of a cluster, shut down the other (slave) node first. When powering on the nodes, start the master node first to avoid unnecessary takeovers.

  • Manual takeover: To activate the other node and disable the currently active node, click Activate slave.

    Activating the slave node terminates all connections of SCB and might result in data loss. The slave node becomes active after about 60 seconds, during which the protected servers cannot be accessed.

6.2.1. Adjusting the synchronization speed

When operating two SCB units in High Availability mode, every incoming data copied from the master (active) node to the slave (passive) node. Since synchronizing data can take up significant system-resources, the maximal speed of the synchronization is limited, by default, to 10 Mbps. However, this means that synchronizing large amount of data can take very long time, so it is useful to increase the synchronization speed in certain situations — for example, when synchronizing the disks after converting a single node to a high availability cluster.

The Basic Settings > High Availability > DRBD status field indicates whether the latest data (including SCB configuration, audit trails, log files, and so on) is available on both SCB nodes. For a description of each possible status, see Section 23.7.1, Understanding SCB cluster statuses.

To change the limit of the DRBD synchronization rate, navigate to Basic Settings > High Availability, select DRBD sync rate limit, and select the desired value.

Set the sync rate carefully. A high value is not recommended if the load of SCB is very high, as increasing the resources used by the synchronization process may degrade the general performance of SCB. On the other hand, the HA link's speed must exceed the speed of the incoming logs, else the web UI might become unresponsive and data loss can occur.

6.2.2. Procedure – Redundant heartbeat interfaces

Purpose: 

To avoid unnecessary takeovers and to minimize the chance of split-brain situations, you can configure additional heartbeat interfaces in SCB. These interfaces are used only to detect that the other node is still available; they are not used to synchronize data between the nodes (only heartbeat messages are transferred). For example, if the main HA interface breaks down, or is accidentally unplugged and the nodes can still access each other on the redundant HA interface, no takeover occurs, but no data is synchronized to the slave node until the main HA link is restored. Similarly, if connection on the redundant heartbeat interface is lost, but the main HA connection is available, no takeover occurs.

If a redundant heartbeat interface is configured, its status is displayed in the Basic Settings > High Availability > Redundant Heartbeat status field, and also in the HA > Redundant field of the System monitor. For a description of each possible status, see Section 23.7.1, Understanding SCB cluster statuses.

The redundant heartbeat interface is a virtual interface with a virtual MAC address that uses an existing interface of SCB. The MAC address of the virtual redundant heartbeat interface is displayed as HA MAC. The MAC address of the redundant heartbeat interface is generated in a way that it cannot interfere with the MAC addresses of physical interfaces. Similarly, the HA traffic on the redundant heartbeat interface cannot interfere with any other traffic on the interface used.

If the nodes lose connection on the main HA interface, and after a time the connection is lost on the redundant heartbeat interfaces as well, the slave node becomes active. However, as the master node was active for a time when no data synchronization was possible between the nodes, this results in a split-brain situation which must be resolved before the HA functionality can be restored. For details, see Procedure 23.7.3, Recovering from a split brain situation.

Note

Even if redundant HA links are configured, if the dedicated HA link fails, the slave node will not be visible on the High Availability page anymore.

To configure a redundant heartbeat interface, complete the following steps.

Steps: 

  1. Navigate to Basic Settings > High Availability > Interfaces for Heartbeat.

  2. Select the interface you want to use as redundant heartbeat interface (for example Physical interface 1). Using an interface as a redundant heartbeat interface does not affect the original traffic of the interface.

    Figure 6.5. Configuring redundant heartbeat interfaces

    Configuring redundant heartbeat interfaces

  3. Enter an IP address into the This node > Interface IP field of the selected interface. Note the following:

    • The two nodes must have different Interface IP.

    • If you do not use next hop monitoring on the redundant interface, you can use any Interface IP (even if otherwise it does not exist on that network).

    • If you use next hop monitoring on the redundant interface, the Interface IP address must be a real IP address that is visible from the other node.

    • If you use next hop monitoring on the redundant interface, the Interface IP must be accessible from the next-hop address, and vice-versa. For details on next hop monitoring, see Procedure 6.2.3, Next-hop router monitoring.

    Use an IPv4 address.

  4. If the two nodes are in a different subnetwork, enter the IP address of the local gateway into the This node > Gateway IP field. The Interface IP address of the node must be accessible from the Gateway IP address.

    Use an IPv4 address.

  5. Enter an IP address into the Other node > Interface IP field of the selected interface. Note the following:

    • The two nodes must have different Interface IP.

    • If you do not use next hop monitoring on the redundant interface, you can use any Interface IP (even if otherwise it does not exist on that network).

    • If you use next hop monitoring on the redundant interface, the Interface IP address must be a real IP address that is visible from the other node.

    • If you use next hop monitoring on the redundant interface, the Interface IP must be accessible from the next-hop address, and vice-versa. For details on next hop monitoring, see Procedure 6.2.3, Next-hop router monitoring.

    Use an IPv4 address.

  6. If the two nodes are in a different subnetwork, enter the IP address of the local gateway into the Other node > Gateway IP field. The Interface IP address of the node must be accessible from the Gateway IP address.

    Use an IPv4 address.

  7. Repeat the previous steps to add additional redundant heartbeat interfaces if needed.

  8. Click .

  9. Restart the nodes for the changes to take effect: click Reboot Cluster.

6.2.3. Procedure – Next-hop router monitoring

Purpose: 

By default, HA takeover occurs only if the master node stops working or becomes unreachable from the slave node. However, this does not cover the scenario when the master node becomes unaccessible to the outside world while the slave node would be still accessible (for example because it is connected to a different router).

To address such situations, you can specify IP addresses (usually next hop routers) to continuously monitor from both the master and the slave nodes using ICMP echo (ping) messages. One such address can be set up for every interface.

When setting up next hop monitoring, you have to make sure that the master and slave nodes can ping the specified address directly. You can either:

  • Choose the addresses of the redundant-HA SCB interfaces so that they are on the same subnet as the next-hop address

  • Configure the next-hop device with an additional IP-address that is on the same subnet as the redundant-HA SCB interfaces facing it

If any of the monitored addresses becomes unreachable from the master node while being reachable from the slave node (in other words, more monitored addresses are accessible from the slave node) then it is assumed that the master node is unreachable and a forced takeover occurs — even if the master node is otherwise functional.

Naturally, if the slave node is not capable of taking over the master node (for example because there is data not yet synchronized from the current master node) no takeover is performed.

To configure next hop monitoring, complete the following steps.

Steps: 

  1. Navigate to Basic Settings > High Availability > Next hop monitoring.

  2. Select the interface to use for monitoring its next-hop router.

    Figure 6.6. Configuring next hop monitoring

    Configuring next hop monitoring

  3. Enter the IP address to monitor from the current master node (for example the IP address of the router or the switch connected to the interface) into the This node > Next hop IP field of the selected interface. This IP address must be a real IP address that is visible from the interface, and must be on the same local network segment.

    Use an IPv4 address.

  4. Enter the IP address to monitor from the current slave node (for example the IP address of the router or the switch connected to the interface) into the Other node > Next hop IP field of the selected interface. This IP address must be a real IP address that is visible from the interface, and must be on the same local network segment.

    Use an IPv4 address.

  5. Repeat the previous steps to add IP addresses to be monitored from the other interfaces if needed.

  6. Click .

    Warning

    For the changes to take effect, you have to restart both nodes. To restart both nodes, click Reboot Cluster.

6.3. Upgrading SCB

SCB appliances are preinstalled with the latest available Long Term Support (LTS) release. Each LTS release is supported for 3 years after original publication date, and for 1 year after succeeding LTS Release is published (whichever date is later). You are encouraged to upgrade to succeeding LTS releases.

Feature Releases provide additional features which are not yet consolidated to an LTS release. To gain access to these features, you may install a supported Feature Release on the appliance, with the following conditions:

  • You cannot roll back to an LTS release from a Feature Release.

  • Feature Releases are released and supported in a timeline of 6 (+2) months. You have to keep upgrading SCB to the latest Feature Release to ensure that your appliance is supported.

For both LTS and Feature Releases, BalaBit regularly incorporates security patches and bugfixes, and issues updated Revisions of the released product. We strongly recommend always installing the latest Revision of the used software Release.

Warning

Downgrading from the latest feature release, even to an LTS release, voids support for SCB.

The following sections describe how to keep SCB up to date, and how to install a new license:

6.3.1. Upgrade checklist

The following list applies to all configurations:

  • You have created a configuration backup of SCB.

    For detailed instructions, refer to Procedure 6.3.6, Exporting the configuration of SCB.

  • You have a valid MyBalabit account.

    To download the required firmware file and the license, you need a valid MyBalabit account. You can sign up at https://my.balabit.com/login/. Note that the registration is not automatic, and might require up to two working days to process.

  • You have downloaded the latest SCB firmware from https://www.balabit.com/privileged-session-manager/download.

  • You have read the Release Notes of the firmware before updating. The Release Notes might include additional instructions specific to the firmware version.

    The Release Notes are available here: https://www.balabit.com/privileged-session-manager/download.

  • You have verified that SCB is in good condition (no issues are displayed on the System Monitor).

  • Optional: You have exported core dump files, if necessary for debugging, from Basic Settings > Troubleshooting > Core files. These files are removed during upgrade.

If you have a high availability cluster:

  • You have IPMI access to the slave node. You can find detailed information on using the IPMI interface in the following documents:

    For SCB T4 and T10, see the X9 SMT IPMI User's Guide. For SCB T1, see the SMT IPMI User's Guide.

  • You have verified on the Basic Settings > High Availability page that the HA status is not degraded.

If you are upgrading SCB in a virtual environment:

  • You have created a snapshot of the virtual machine before starting the upgrade process.

  • You have configured and enabled console redirection (if the virtual environment allows it).

During the upgrade, SCB displays information about the progress of the upgrade and any possible problems to the console, which you can monitor with IPMI (ILOM) or console access.

We recommend that you test the upgrade process in a non-productive (virtual, etc.) environment first.

Upgrading SCB requires a reboot. We strongly suggest that you perform the upgrade on the productive appliance during maintenance hours only, to avoid any potential data loss.

6.3.2. Procedure – Upgrading SCB (single node)

Purpose: 

To upgrade SCB to a newer firmware version, complete the following steps. You are recommended to always use the latest maintenance release available.

Warning

When upgrading to a new major release (that is, to a new Feature Release or a new Long-Term Supported release), always follow the instructions of the How to upgrade to Balabit Shell Control Box guide for that release, as it contains more detailed instructions (available at the Balabit Documentation Page).

Steps: 

  1. Navigate to Basic Settings > System > Firmwares.

    Figure 6.7. Managing the firmwares

    Managing the firmwares

  2. Upload the new firmware.

  3. To read the Upgrade Notes of the uploaded firmware, click on the icon. The Upgrade Notes are displayed in a pop-up window.

  4. Click Test for the new firmware to check if your configuration can be upgraded to version 4 F3. If the test returns any errors, correct them before continuing the upgrade process. If you encounter any problems, contact the Balabit Support Team.

  5. Warning

    Proceed only if the upgrade test is successful.

    Activate the firmware, but do not reboot SCB yet.

  6. Navigate to Basic Settings > System > System Control > This node, and choose Reboot.

    SCB attempts to boot with the new firmware. Wait for the process to complete.

  7. Login to the SCB web interface to verify that the upgrade was successful.

    Navigate to Basic Settings > System > Version details, or check the system log for the version numbers SCB reports on boot. In case you encounter problems, you can find common troubleshooting steps in Section 6.3.4, Troubleshooting.

6.3.3. Procedure – Upgrading an SCB cluster

Purpose: 

To upgrade an SCB cluster to a newer firmware version, complete the following steps. You are recommended to always use the latest maintenance release available.

Warning

When upgrading to a new major release (that is, to a new Feature Release or a new Long-Term Supported release), always follow the instructions of the How to upgrade to Balabit Shell Control Box guide for that release, as it contains more detailed instructions (available at the Balabit Documentation Page).

Steps: 

  1. Navigate to Basic Settings > System > Firmwares.

  2. Upload the new firmware.

  3. To read the Upgrade Notes of the uploaded firmware, click on the icon. The Upgrade Notes are displayed in a pop-up window.

  4. Click Test for the new firmware to check if your configuration can be upgraded to version 4 F3. If the test returns any errors, correct them before continuing the upgrade process. If you encounter any problems, contact the Balabit Support Team.

  5. Warning

    Proceed only if the upgrade test is successful.

    Activate the firmware, but do not reboot SCB yet.

  6. Navigate to Basic Settings > High availability, and verify that the new firmware is active on the slave node. This might take a few minutes.

  7. In Basic Settings > High availability > Other node, click Shutdown.

  8. Restart the master node: click This node > Reboot.

    SCB attempts to boot with the new firmware. Wait for the process to complete.

  9. Login to the SCB web interface to verify that the master node upgrade was successful.

    Navigate to Basic Settings > System > Version details, or check the system log for the version numbers SCB reports on boot. In case you encounter problems, you can find common troubleshooting steps in Section 6.3.4, Troubleshooting.

  10. Use the IPMI interface to power on the slave node.

    The slave node attempts to boot with the new firmware, and reconnects to the master node to sync data. During the sync process, certain services (including Heartbeat) are not available. Wait for the process to finish, and the slave node to boot fully.

  11. Navigate to Basic Settings > High availability and verify that the slave node is connected, and has the same firmware versions as the master node.

6.3.4. Troubleshooting

If you experience any strange behavior of the web interface, first try to reload the page by holding the SHIFT key while clicking the Reload button of your browser to remove any cached version of the page.

In the unlikely case that SCB encounters a problem during the upgrade process and cannot revert to its original state, SCB performs the following actions:

  • Initializes the network interfaces using the already configured IP addresses.

  • Enables SSH-access to SCB, unless SCB is running in sealed mode. That way it is possible to access the logs of the upgrade process that helps the Balabit Support Team to diagnose and solve the problem. Note that SSH access will be enabled on every active interface, even if management access has not been enabled for the interface.

In case the web interface is not available within 30 minutes of rebooting SCB, check the information displayed on the local console and contact the Balabit Support Team at https://support.balabit.com.

6.3.5. Procedure – Reverting to an older firmware version

Purpose: 

SCB can store up to five different firmware versions, any of them can be booted if required. The available firmwares are displayed on the Basic Settings > System > Firmwares page. The list shows the detailed version of each firmware, including the version number, the revision number, and the build date. The firmware running on SCB is marked with in the Current column. The firmware that will be run after the next SCB reboot is marked with in the After reboot column.

To boot an older firmware, complete the following steps:

Warning

When upgrading SCB, it is possible that the configuration file is updated as well. In such cases, simply rebooting with the old firmware will not result in a complete downgrade, because the old firmware may not be able to read the new configuration file. If this happens, access the console menu of SCB, and select the Revert Configuration option to restore the configuration file to its state before the firmware was upgraded. For details on using the console menu, see Section 6.5.1, Using the console menu of SCB.

Warning

Downgrading from the latest feature release, even to an LTS release, voids support for SCB.

Steps: 

  1. Navigate to Basic Settings > System > Firmwares.

  2. Select the firmware version to use, and click in the After reboot column.

  3. If you are downgrading a single SCB node:

    Select System control > This node > Reboot to reboot SCB.

  4. If you are downgrading an SCB cluster:

    Follow the instructions described in Procedure 6.3.3, Upgrading an SCB cluster (skip the upload steps). Below is a summary of the necessary actions:

    1. You need IPMI (or direct physical) access to the slave node to proceed.

    2. Take the slave node offline.

    3. Restart the master node. Following reboot, verify that the master node was downgraded successfully.

    4. Use the IPMI interface to power on the slave node. Verify that the slave node reconnected to the master, and was downgraded successfully.

6.3.6. Procedure – Exporting the configuration of SCB

Purpose: 

The configuration of SCB can be exported (for manual archiving, or to migrate it to another SCB unit) from the Basic Settings > System page. Use the respective action buttons to perform the desired operation.

Figure 6.8. Exporting the SCB configuration

Exporting the SCB configuration

Steps: 

  1. Navigate to Basic Settings > System > Export configuration.

  2. Select how to encrypt the configuration:

    • To export the configuration file without encryption, select No encryption.

      Warning

      Exporting the SCB configuration without encryption is not recommended, as it contains sensitive information such as password hashes and private keys.

    • To encrypt the configuration file with a simple password, select Encrypt with password and enter the password into the Encryption password and Confirm password fields.

      Note

      SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

    • To encrypt the configuration file with GPG, select GPG encryption. Note that this option uses the same GPG key that is used to encrypt automatic system backups, and is only available if you have uploaded the public part of a GPG key to SCB at Basic Settings > Management > System backup. For details, see Procedure 4.7.6, Encrypting configuration backups with GPG.

  3. Click Export.

    Note

    The exported file is a gzip-compressed archive. On Windows platforms, it can be decompressed with common archive managers such as the free 7-Zip tool.

    The name of the exported file is <hostname_of_SCB>-YYYMMDDTHHMM.config; the -encrypted or -gpg suffix is added for password-encrypted and GPG-encrypted files, respectively.

6.3.7. Procedure – Importing the configuration of SCB

Purpose: 

The configuration of SCB can be imported from the Basic Settings > System page. Use the respective action buttons to perform the desired operation.

Figure 6.9. Importing the SCB configuration

Importing the SCB configuration

Warning

It is not possible to import the configuration of an older major release (for example, 1.0) into a newer release (for example, 2.0).

Steps: 

  1. Warning

    Do not export or import configuration between a physical SCB deployment and a virtual one. Because of the differences and limitations between physical and virtual appliances, configure the virtual appliance from scratch to ensure proper functionality. When you migrate a virtual SCB to another one, you can export and import the configuration.

    Navigate to Basic Settings > System > Import configuration.

  2. Click Browse and select the configuration file to import.

  3. Enter the password into the Encryption password field and click Upload.

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

6.4. Managing the SCB license

Information of the current license of SCB is displayed on the Basic Settings > System > License page. The following information is displayed:

Figure 6.10. Updating the license

Updating the license

  • Customer: The company permitted to use the license (for example Example Ltd.).

  • Serial: The unique serial number of the license.

  • Limit type:

    • Host: Limits the number of servers (individual IP addresses) that can be connected through SCB.

    • Session: Limits the number of concurrent sessions (parallel connections) that can pass through SCB at a time (for example 25). SCB will reject additional connection requests until an already established connection is closed.

  • Limit: The actual value of the session or host limit. To list which hosts SCB counts against this limit, click the on the value of the limit.

  • Valid: The period in which the license is valid. The dates are displayed in YYYY/MM/DD format.

The full text of the End User License Agreement is also displayed here.

SCB starts sending automatic alerts daily, 60 days before the license expires. An alert is sent also when the number of protected servers exceeds 90% of the limit set in the license.

6.4.1. Procedure – Updating the SCB license

Purpose: 

The SCB license must be updated before the existing license expires or when you purchase a new license.

Steps: 

To update the license, complete the following steps:

Warning

Before uploading a new license, you are recommended to backup the configuration of SCB. For details, see Procedure 6.3.6, Exporting the configuration of SCB.

Steps: 

  1. Navigate to Basic Settings > System > License.

  2. Click Browse and select the new license file.

    Note

    It is not required to manually decompress the license file. Compressed licenses (for example .zip archives) can also be uploaded.

  3. Click Upload, then .

  4. Warning

    This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.

    To activate the new license, navigate to Traffic control > All services and click Restart.

6.5. Accessing the SCB console

This section describes how to use the console menu of SCB, how to enable remote SSH access to SCB, and how to change the root password from the web interface.

6.5.1. Using the console menu of SCB

Connecting to the Balabit Shell Control Box locally or remotely using Secure Shell (SSH) allows you to access the console menu of SCB. The console menu provides access to the most basic configuration and management settings of SCB. It is mainly used for troubleshooting purposes; the primary interface of SCB is the web interface.

The console menu is accessible to the root user using the password set during completing the Welcome Wizard.

Figure 6.11. The console menu

The console menu

The console menu provides allows you to perform the following actions:

  • Access the local shells of the core and boot firmwares. This is usually not recommended and only required in certain troubleshooting situations. Select the boot/core shell's keyboard layout for the local console. This will not affect the keyboard layout if you have accessed the shell via SSH.

    You can find more information about the boot and the core firmware in Section 2.12, Firmware in SCB.

  • Select the active firmware, and delete unneeded firmwares. Accessing the firmware management is useful if after an update the new firmware does not operate properly and the web interface is not available to activate the previous firmware.

  • Start backup processes.

  • Change the passwords of the root and admin users.

  • Access the network-troubleshooting functions and display the available log files. If the web interface is inaccessible, it can be the result of an internal locking error. To resolve this issue, delete the lock files. After deletion, they are archived, and included in the debug bundle if they are not older than 30 days. To create a debug bundle, if the web interface is inaccessible, select Create debug bundle.

    Note

    If deleting the lock files did not resolve the issue, contact the Balabit Support Team.

  • Reboot and shutdown the system.

  • Enable and disable sealed mode. For details, see Section 6.6, Sealed mode.

  • Revert the configuration file. For details, see Procedure 6.3.5, Reverting to an older firmware version.

  • Set the IP address of the HA interface.

Note

Note that logging in to the console menu automatically locks the SCB interface, meaning that users cannot access the web interface while the console menu is used. The console menu can be accessed only if there are no users accessing the web interface. The connection of web-interface users can be terminated to force access to the console menu.

6.5.2. Procedure – Enabling SSH access to the SCB host

Purpose: 

Exclusively for troubleshooting purposes, you can access the SCB host using SSH.

Completing the Welcome Wizard automatically disables SSH access to SCB. Re-enabling it allows you to connect remotely to the SCB host and login using the root user. The password of the root user is the one you provided in the Welcome Wizard. For details on how to change the root password from the web interface, see Procedure 6.5.3, Changing the root password of SCB.

Warning

Accessing the SCB host directly using SSH is not recommended or supported, except for troubleshooting purposes. In such case, the Balabit Support Team will give you exact instructions on what to do to solve the problem.

For security reasons, disable SSH access to SCB when it is not needed. For details, see Procedure 6.5.2, Enabling SSH access to the SCB host.

The following encryption algorithms are configured on the local SSH service of SCB:

  • Key exchange (KEX) algorithms:

    diffie-hellman-group-exchange-sha256
  • Ciphers:

    aes256-ctr,aes128-ctr
  • Message authentication codes:

    hmac-sha2-512,hmac-sha2-256

SSH access is, by default, protected against brute-force attacks: after 20 unsuccessful login attempts, the offending IP is blocked from accessing the SSH service for ten minutes.

You can turn off brute force protection by unselecting the Protect against brute-force attacks option for the SSH server.

Steps: 

  1. Navigate to Basic Settings > Local Services > SSH server.

    Figure 6.12. Enabling remote SSH access to SCB

    Enabling remote SSH access to SCB

  2. Select the Enable option.

    Note

    Remote SSH access is automatically disabled if Sealed mode is enabled. For details, see Section 6.6, Sealed mode.

  3. Choose the authentication method for the remote SSH connections.

    • To enable password-based authentication, select the Enable password authentication option.

    • To enable public-key authentication, click in the Authorized keys field, click and upload the private keys of the users who can access and manage SCB remotely via SSH.

      Balabit recommends using 2048-bit RSA keys (or stronger).

  4. Choose an address and a port for the SSH server in the Listening addresses section.

    The available addresses correspond to the interface addresses configured in Basic Settings > Network > Interfaces. Only IPv4 addresses can be selected.

    To add multiple addresses, click .

  5. Optional step: To permit SSH acces only from selected subnets or IP addresses, select Restrict clients, click and enter the IP address and netmask of the allowed clients.

    Use an IPv4 address.

    To add multiple addresses, click .

  6. Click .

6.5.3. Procedure – Changing the root password of SCB

Purpose: 

The root password is required to access SCB locally, or remotely via an SSH connection. Note that the password of the root user can be changed from the console menu as well. For details, see Section 6.5, Accessing the SCB console.

Steps: 

  1. Navigate to Basic Settings > Management > Change root password.

    Figure 6.13. Changing the root password of SCB

    Changing the root password of SCB

  2. Enter the new password into the New root password and Confirm password fields.

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  3. Click .

6.6. Sealed mode

When sealed mode is enabled, the following settings are automatically applied:

  • SCB cannot be accessed remotely via SSH for maintenance;

  • the root password of SCB cannot be changed in sealed mode;

  • it is not possible to upload or delete Credential Store plugins in sealed mode;

  • Sealed mode can be disabled only from the local console. For details, see Procedure 6.6.1, Disabling sealed mode.

To enable sealed mode use one of the following methods:

  • Select the Sealed mode option during the Welcome Wizard.

  • Select Basic Settings > System > Sealed mode > Activate sealed mode on the SCB web interface.

  • Login to SCB as root using SSH or the local console, and select Sealed mode > Enable from the console menu.

6.6.1. Procedure – Disabling sealed mode

Purpose: 

The event of disabling sealed mode is logged. To disable sealed mode, complete the following steps:

Steps: 

  1. Go to the SCB appliance and access the local console.

  2. Login as root.

  3. From the console menu, select Sealed mode > Disable

  4. Select Back to Main menu > Logout.

6.7. Out-of-band management of SCB

SCB 4 F3 includes a dedicated out-of-band management interface conforming to the Intelligent Platform Management Interface (IPMI) v2.0 standards. The IPMI interface allows system administrators to monitor the system health of SCB and to manage the computer events remotely, independently of the operating system of SCB. SCB is accessible using the IPMI interface only if the IPMI interface is physically connected to the network.

Basic information about the IPMI interface is available also on the SCB web interface on the Basic Settings > High Availability page. The following information is displayed:

Figure 6.14. Information about the IPMI interface SCB

Information about the IPMI interface SCB

  • Hardware serial number: The unique serial number of the appliance.

  • IPMI IP address: The IP address of the IPMI interface.

  • IPMI subnet mask: The subnet mask of the IPMI interface.

  • IPMI default gateway: The address of the default gateway configured for the IPMI interface.

  • IPMI IP address source: Shows how the IPMI interface receives its IP address: dynamically from a DHCP server, or it uses a fixed static address.

6.7.1. Procedure – Configuring the IPMI interface

Purpose: 

To modify the network configuration of IPMI from the console of SCB, complete the following steps.

Prerequisites: 

SCB is accessible using the IPMI interface only if the IPMI interface is physically connected to the network. For details on connecting the IPMI interface, see Procedure B.1, Installing the SCB hardware.

Warning

IPMI searches for available network interfaces during boot. Make sure that IPMI is connected to the network through the dedicated ethernet interface before SCB is powered on.

It is not necessary for the IPMI interface to be accessible from the Internet, but the administrator of SCB must be able to access it for support and troubleshooting purposes in case vendor support is needed. The following ports are used by the IMPI interface:

  • Port 623 (UDP): IPMI (cannot be changed)

  • Port 5123 (UDP): floppy (cannot be changed)

  • Port 5901 (TCP): video display (configurable)

  • Port 5900 (TCP): HID (configurable)

  • Port 5120 (TCP): CD (configurable)

  • Port 80 (TCP): HTTP (configurable)

Steps: 

  1. Use the local console (or SSH) to log in to SCB as root.

  2. Choose Shells > Boot shell.

  3. Check the network configuration of the interface:

    # ipmitool lan print

    This guide assumes that channel 1 is used for LAN. If your setup differs, adjust the following commands accordingly.

  4. Configure the interface. You can use DHCP or configure a static IP address manually.

    Use an IPv4 address.

    • To use DHCP, enter the following command:

      # ipmitool lan set 1 ipsrc dhcp

    • To use static IP, enter the following command:

      # ipmitool lan set 1 ipsrc static

      Set the IP address:

      # ipmitool lan set 1 ipaddr <IPMI-IP>

      Set the netmask:

      # ipmitool lan set 1 netmask <IPMI-netmask>

      Set the IP address of the default gateway:

      # ipmitool lan set 1 defgw ipaddr <gateway-IP>

  5. Configure IPMI to use the dedicated Ethernet interface.

    • On the N1000, T1, T4, and T10 appliances, issue the following command:

      # ipmitool raw 0x30 0x70 0xc 1 0

    • On the 1000d, and 10000 appliances, issue the following command:

      # ipmitool raw 0x30 0x70 0xc 1 1 0

  6. Verify the network configuration of IPMI:

    # ipmitool lan print 1

    Use a browser to connect to the reported network address.

  7. Change the default password:

    1. Log in to the IPMI web interface using the default login credentials (username: ADMIN, password: ADMIN or changeme, depending on your hardware).

      Note

      The login credentials are case sensitive.

    2. Navigate to Configure > Users.

    3. Select ADMIN, and choose Modify User.

    4. Change the password, and save the changes with Modify.

6.8. Managing the certificates used on SCB

SCB uses a number of certificates for different tasks that can be managed from the Basic Settings > Management > SSL certificate menu.

Figure 6.15. Changing the web certificate of SCB

Changing the web certificate of SCB

The following certificates can be modified here:

  • CA certificate: The certificate of the internal Certificate Authority of SCB.

  • Server certificate: The certificate of the SCB web interface, used to encrypt the communication between SCB and the administrators.

    Note

    If this certificate is changed, the browser of SCB users will display a warning stating that the certificate of the site has changed.

  • TSA certificate: The certificate of the internal Timestamping Authority that provides the timestamps used when creating encrypted audit-trails.

Note

SCB uses other certificates for different purposes that are not managed here, for example, to encrypt data stored on SCB. For details, see Procedure 7.10.1, Encrypting audit trails.

Use every keypair or certificate only for one purpose. Do not reuse cryptographic keys or certificates, for example, do not use the certificate of the SCB webserver to encrypt audit trails, or do not use the same keypair for signing and encrypting data.

For every certificate, the distinguished name (DN) of the X.509 certificate and the fingerprint of the private key is displayed. To display the entire certificate click on the DN; to display the public part of the private key, click on the fingerprint. It is not possible to download the private key itself from the SCB web interface, but the public part of the key can be downloaded in different formats (for example PEM, DER, or OpenSSH). Also, the X.509 certificate can be downloaded in PEM and DER formats.

During the initial configuration, SCB creates a self-signed CA certificate, and uses this CA to issue the certificate of the web interface (see Server certificate) and the internal Timestamping Authority (TSA certificate).

There are two methods to manage certificates of SCB:

  • Recommended: Generate certificates using your own PKI solution and upload them to SCB.

    Generate a CA certificate and two other certificates signed with this CA using your PKI solution and upload them to SCB. For the Server and TSA certificates, upload the private key as well. Balabit recommends using 2048-bit RSA keys (or stronger), and to use certificates that have the appropriate keyUsage or extendedKeyUsage fields set (for example, extendedKeyUsage=serverAuth for the SCB web server certificate).

    For details on uploading certificates and keys created with an external PKI, complete Procedure 6.8.2, Uploading external certificates to SCB.

    Warning

    The Server and the TSA certificates must be issued by the same Certificate Authority.

  • Use the certificates generated on SCB. In case you want to generate new certificates and keys for SCB using its self-signed CA certificate, or generate a new self-signed CA certificate, complete Procedure 6.8.1, Generating certificates for SCB.

    Note

    Generate certificates using your own PKI solution and upload them to SCB whenever possible. Certificates generated on SCB cannot be revoked, and can become a security risk if they are somehow compromised.

6.8.1. Procedure – Generating certificates for SCB

Purpose: 

Create a new certificate for the SCB webserver or the Timestamping Authority using the internal CA of SCB, or create a new, self-signed CA certificate for the internal Certificate Authority of SCB.

Balabit recommends using 2048-bit RSA keys (or stronger).

Steps: 

  1. Navigate to Basic Settings > Management > SSL certificate.

  2. Fill the fields of the new certificate:

    1. Country: Select the country where SCB is located (for example HU - Hungary).

    2. Locality: The city where SCB is located (for example Budapest).

    3. Organization: The company who owns SCB (for example Example Inc.).

    4. Organization unit: The division of the company who owns SCB (for example IT Security Department).

    5. State or Province: The state or province where SCB is located.

  3. Select the certificate you want to generate.

    • To create a new certificate for the SCB web interface, select Generate Server.

    • To create a new certificate for the Timestamping Authority, select Generate TSA.

    • To create a new certificate for the internal Certificate Authority of SCB, select Generate All. Note that in this case new certificates are created automatically for the server and TSA certificates as well.

    Note

    When generating new certificates, the server and TSA certificates are signed using the certificate of the CA. If you have uploaded an external CA certificate along with its private key, it will be used to create the new server and TSA certificates. If you have uploaded an external CA certificate without its private key, use your external PKI solution to generate certificates and upload them to SCB.

    Warning

    Generating a new certificate automatically deletes the earlier certificate.

  4. Click .

6.8.2. Procedure – Uploading external certificates to SCB

Purpose: 

Upload a certificate generated by an external PKI system to SCB.

Prerequisites: 

The certificate to upload. For the TSA and Server certificate, the private key of the certificate is needed as well. The certificates must meet the following requirements:

  • SCB accepts certificates in PEM format. The DER format is currently not supported.

  • SCB accepts private keys in PEM (RSA and DSA), and PUTTY format. Password-protected private keys are also supported.

    Note

    SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

    For the internal CA certificate of SCB, uploading the private key is not required.

  • For the TSA certificate, the X509v3 Extended Key Usage attribute must be enabled and set to critical. Also, its default value must be set to Time Stamping.

  • For the Server certificate, the X509v3 Extended Key Usage attribute must be enabled and its default value set to TLS Web Server Authentication. Also, the Common Name of the certificate must contain the domain name or the IP address of the SCB host. If the web interface is accessible from multiple interfaces or IP addresses, list every IP address using the Subject Alt Name option.

  • For the certificate used to sign audit trails, the X509v3 Extended Key Usage attribute must be enabled and its default value set to TLS Web Server Authentication.

Balabit recommends using 2048-bit RSA keys (or stronger).

Steps: 

  1. Navigate to Basic Settings > Management > SSL certificate.

  2. Click to upload the new certificate. A pop-up window is displayed.

    Figure 6.16. Uploading certificates

    Uploading certificates

    Select Browse, select the file containing the certificate, and click Upload. To upload a certificate chain, copy the certificates after each other in a single file. Alternatively, you can also copy-paste the certificate into the Certificate field and click Set.

    To copy-paste a certificate chain, copy and paste the certificates one by one after each other. The certificates do not have to be in order, SCB will order them. The chain is validated: if a member of the chain is missing, an error message is displayed.

  3. To upload the private key corresponding to the certificate, click icon. A pop-up window is displayed.

    Figure 6.17. Uploading the private key

    Uploading the private key

    Select Browse, select the file containing the private key, provide the Password if the key is password-protected, and click Upload. Alternatively, you can also copy-paste the private key into the Key field, provide the Password there, and click Set.

    In case of a certificate chain, the private key has to be the same as the bottom level certificate.

    Expected result: 

    The new certificate is uploaded. If you receive the Certificate issuer mismatch error message after importing a certificate, you must import the CA certificate which signed the certificate as well (the private key of the CA certificate is not mandatory).

    Note

    To download previously uploaded certificates, click on the certificate and either download the certificate (or certificate chain) in one single PEM or DER file, or you can download single certificate files separately (if it is a certificate chain).

6.8.3. Procedure – Generating TSA certificate with Windows Certificate Authority

To generate a TSA certificate with Windows Certificate Authority (CA) that works with SCB, generate a CSR (certificate signing request) on a computer running OpenSSL and sign it with Windows CA, then import this certificate into SCB for timestamping.

Prerequisites: 

A valid configuration file for OpenSSL with the following extensions:

[ tsa_cert ]
extendedKeyUsage = critical,timeStamping
Tip

You can copy /etc/xcb/openssl-ca.cnf from SCB to the computer that will be used for signing. Rename the file to openssl-temp.cnf.

The TSA certificate is considered valid, in terms of compatibility with SCB, if the following conditions are met:

  • Must be a valid CA certificate (CA is true).

  • Key Usage: Time Stamping is required. No other key usage is permitted.

  • Extended Key Usage: Must be set to critical.

  • Optional Key Usage: If Key Usage is present, it must be digitalSignature and/or nonRepudiation. Other values are not permitted.

The following X509v3 extensions are supported:

  • Hard requirement:

    X509v3 Extended Key Usage must be critical, and must only contain Time Stamping.

  • Optional:

    X509v3 Key Usage, if present, must be digitalSignature and/or nonRepudiation.

  • Other extensions must not be specified.

Steps: 

  1. Create CSR using the new configuration file: openssl req -set_serial 0 -config openssl-temp.cnf -reqexts tsa_cert -new -newkey rsa:2048 -keyout timestamp.key -out timestamp.csr -nodes

  2. Complete the required fields according to your environment:

    Generating a 2048 bit RSA private key
    ........................+++
    ......................................+++
    writing new private key to 'timestamp.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) []:Budapest
    Locality Name (eg, city) []:Budapest
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:BalaBit IT Security
    Organizational Unit Name (eg, section) []:Service Delivery
    Common Name (eg, YOUR name) []:scb35-1-i1.tohuvabohu.balabit
    Email Address []:[email protected].com
  3. This step is for Windows Server 2008. Skip to the next step to continue with the instructions for Windows Server 2012.

    Sign the generated CSR with your Windows CA. Make sure that the CSR file is accessible from your Windows CA server.

    1. To issue and sign the new certificate request, open the Microsoft Certification Authority Management Console: Start > Run and run certsrv.msc.

    2. Right-click on the server name and navigate to All Tasks > Submit new request....

      Figure 6.18. Submitting a new request

      Submitting a new request

    3. Select the CSR created in the second step.

    4. On the left pane, click Pending Requests. The new certificate request is displayed in the right pane.

      Figure 6.19. Issuing a new certificate

      Issuing a new certificate

    5. To issue the new SSL certificate, right-click on the pending certificate request, select “All Tasks” and click on “Issue”.

    6. Select "Issued Certificates" and double-click on the certificate issued in the previous step.

    7. The CA Certificate window opens. Navigate to the Details tab. Ensure that the required Enhanced Key Usage field is visible and contains the Time Stamping value.

      Figure 6.20. Verifying certificate details

      Verifying certificate details

    8. Click Copy to File. The Certificate Export Wizard launches. Click Next.

    9. Select the format of the certificate: Base-64 encoded X.509 (.CER). Click Next.

      Figure 6.21. Selecting certificate file format

      Selecting certificate file format

    10. Select location to save the certificate, and save it.

    11. The Completing the Certificate Export Wizard screen is displayed. Click Finish.

  4. This step is for Windows Server 2012.

    Create and configure a time stamping web server template in the Certificate Authority, and use that to generate the TSA certificate.

    1. Start the Certification Authority Microsoft Management Console, and select the CA server.

    2. Right-click on Certificate Templates, and choose Manage.

      Figure 6.22. Managing certificate templates

      Managing certificate templates

      The Certificate Templates Console opens.

    3. Right-click on the Web Server template, and choose Duplicate Template.

      The Properties of New Template window is displayed.

    4. Make the following changes to the new template:

      • On the General tab, change the Template display name to TSA.

        Figure 6.23. Creating the new template

        Creating the new template

      • On the Request Handling tab, enable the Allow private key to be exported option.

      • On the Extensions tab, make the following changes:

        Edit Application Policies: remove Server Authentication, add Time Stamping, and enable the Make this extension critical option, then choose OK.

        Edit Key Usage: enable the Signature is proof of origin option, then choose OK.

        Figure 6.24. Configuring the properties of the new template

        Configuring the properties of the new template

      • On the Security tab, select Authenticated Users, and set Enroll to Allowed.

        Figure 6.25. Configuring permissions for the template

        Configuring permissions for the template

    5. Choose Apply. The new TSA template is now displayed in the list of templates.

    6. Return to the Certification Authority main screen, and select the Certificate Templates folder. Right-click under the list, and choose New > Certificate Template to Issue. The Enable Certificate Templates window is displayed.

      Figure 6.26. Enable the new template

      Enable the new template

    7. Select the TSA certificate template, and choose OK.

    8. Open the command line, and issue the following command:

      certreq -submit -attrib "CertificateTemplate:TSA" <CSR>

      Replace <CSR> with the full path of the CSR created earlier (in the second step).

    9. The Certification Authority List is displayed. Select the CA.

    10. The Save Certificate window is displayed. Choose an output folder.

      The certificate is generated to the specified folder.

  5. In SCB, navigate to Basic Settings > Management > SSL certificate.

  6. Click next to TSA X.509 certificate, browse for the previously generated certificate, and click Upload.

  7. Click next to TSA private key, browse for the previously generated key, and click Upload.

    Note

    If the root CA (the CA X.509 certificate field under Basic Settings > Management > SSL certificate) that is used for other certificates on SCB is different from the CA that was used to sign the TSA certificate, a warning is displayed. In this scenario, ignore this warning.

Chapter 7. General connection settings

Connections determine if a server can be accessed from a particular client. The policies used in the connection definition can restrict the availability of the connection based on the username, time, authentication method, and so on. Channel policies (see Procedure 7.5, Creating and editing channel policies) determine if a particular channel can be used within an already established connection. The policies used in the channel policy can restrict the availability of the channel based on the server and the client IP address, username, and so on. The types of policies available in a connection depend on the protocol (SSH, RDP, and so on) enabled in the connection.

SCB compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection.

This section describes how to configure connections, and details the general configuration options and policies that apply to every type of connection that SCB can control: HTTP, ICA, RDP, SSH, Telnet, and VNC. For a detailed list of supported protocol versions, see Section 2.2, Supported protocols and client applications.

Protocol-specific configuration options are described in their respective sections: Chapter 8, HTTP-specific settings, Chapter 9, ICA-specific settings, Chapter 10, RDP-specific settings, Chapter 11, SSH-specific settings, Chapter 12, Telnet-specific settings, and Chapter 14, VNC-specific settings.

7.1. Procedure – Configuring connections

Purpose: 

To configure a connection, complete the following steps.

Note

Avoid using the IP address configured for administrator or user login on SCB when configuring HTTP or SSH connections.

Steps: 

  1. Select the type of connection from the main menu.

    • To configure a HTTP connection, select HTTP Control > Connections.

    • To configure an ICA connection, select ICA Control > Connections.

    • To configure a Remote Desktop connection, select RDP Control > Connections.

    • To configure a Secure Shell connection, select SSH Control > Connections.

    • To configure a Telnet connection, select Telnet Control > Connections.

    • To configure a VNC connection, select VNC Control > Connections.

  2. Click to define a new connection and enter a name that will identify the connection (for example admin_mainserver).

    Tip

    It is recommended to use descriptive names that give information about the connection, for example refer to the name of the accessible server, the allowed clients, and so on.

    Figure 7.1. Configuring connections

    Configuring connections

  3. Enter the IP address of the client that will be permitted to access the server into the From field. Click to list additional clients.

    You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

    You can also enter a hostname instead of the IP address, and SCB automatically resolves the hostname to IP address. Note the following limitations:

    • SCB uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

    • Only IPv4 addresses are supported.

    • If the Domain Name Server returns multiple IP addresses, SCB selects randomly from the list.

  4. Enter the IP address that the clients will request into the To field.

    You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

    You can also enter a hostname instead of the IP address, and SCB automatically resolves the hostname to IP address. Note the following limitations:

    • SCB uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

    • Only IPv4 addresses are supported.

    • If the Domain Name Server returns multiple IP addresses, SCB selects randomly from the list.

    • In non-transparent mode, enter the IP address of an SCB logical interface.

      For more information on setting up logical network interfaces on SCB, see Procedure 4.3.2, Managing logical interfaces.

    • In transparent mode, enter the IP address of the protected server.

    Click to add additional IP addresses.

  5. If the clients use a custom port to address the server instead of the default port used by the protocol, enter the port number that the clients will request into the Port field. Click to list additional port numbers.

  6. Non-transparent mode: Enter the IP address and port number of the target server into the Target field. SCB will connect all incoming client-side connections to this server. For details on organizing connections in non-transparent mode, see Section 22.2, Organizing connections in non-transparent mode.

    Figure 7.2. Configuring non-transparent connections

    Configuring non-transparent connections

  7. Configure advanced settings if needed, like network address translation, channel policy, gateway authentication, various policies, or other settings.

  8. Click to save the connection.

    Tip

    To temporarily disable a connection, deselect the checkbox before the name of the connection.

  9. If needed, reorder list of the connection policies. You can move connection policies by clicking the buttons.

    SCB compares the connection policies to the parameters of the connection request one-by-one, starting with the first policy in the policy list. The first connection policy completely matching the connection request is applied to the connection.

  10. Depending on your needs and environment, you may want to set further settings for your connections.

    • To modify the destination or source addresses of the connections, see Procedure 7.2, Modifying the destination address and Procedure 7.4, Modifying the source address.

    • Select a Backup Policy and an Archiving Policy for the audit trails and indexes of the connection.

      You can find more information on creating backup and archive policies in Section 4.7, Data and configuration backups and Section 4.8, Archiving and cleanup.

      If you have indexed trails, the index itself is also archived:

      • When using the Indexer service: Every 30 days, unless the Backup & Archive/Cleanup > Archive/Cleanup policies / Retention time in days is configured to occur less frequently (more than 30 days). For example, if the Retention time in days is 60 days, the index will be archived every 60 days. The content of the archived index will be the content that was available X days before the archival date, where X is the number in the Retention time in days field.

      • When using the Audit Player: Approximately every 50 days, a new index file is created, at which point the older index files can be archived. You can set Retention time in days to a more frequent value, it does not change this behavior.

      Warning

      Hazard of data loss!

      Make sure you also backup your data besides archiving (for details, see Section 4.7, Data and configuration backups). If a system crash occurs, you can lose up to 30 days of index, since the index is only archived in every 30 days.

      Note

      The backup and archive policies set for the connection operate only on the audit trails and indexes of the connection. General data about the connections that is displayed on the Search page is archived and backed up as part of the system-backup process of SCB.

    • If you want to timestamp, encrypt, or sign the audit trails, configure an Audit Policy to suit your needs. For details, see Section 7.10, Audit policies.

      Warning

      In RDP connections, if the client uses the Windows login screen to authenticate on the server, the password of the client is visible in the audit trail. To avoid displaying the password when replaying the audit trail, you are recommended to encrypt the upstream traffic in the audit trail using a separate certificate from the downstream traffic. For details, see Procedure 7.10.1, Encrypting audit trails.

    • To require the users to authenticate themselves not only on the target server, but on SCB as well, see Section 18.2, Configuring gateway authentication.

    • To require four-eyes authorization on the connections, with the possibility of an auditor monitoring the connection in real-time, see Section 18.3, Configuring 4-eyes authorization.

    • Certain connections and scenarios (for example SSH authentication, gateway authentication, Network Level Authentication (NLA) connections) SCB can authenticate the user to an LDAP database, or retrieve the group memberships of the user. To use these features, select an LDAP Server. For details, see Procedure 7.9, Authenticating users to an LDAP server.

      Note

      To display the usergroups that can access a specific Connection Policy, open the Connection Policy, then select Show connection permissions > Show on the Connections page.

    • To limit the number of new connection requests accepted from a single client IP address per minute, enter the maximal number of accepted connections into the Connection rate limit field.

  11. If your clients and servers support it, configure the connection to use strong encryption.

  12. For graphical connections, adjust the settings of your servers for optimal performance:

    • For optimal performance and text recognition in graphical protocols, disable antialiasing on your servers. Antialiased text in the audit trails of RDP, VNC, and X11 connections is not recognized by the OCR engine of the Audit Player. The indexer service recognizes antialiased text, but its accuracy depends on the exact antialiasing settings. Disable antialiasing in order to properly index the trails of these connections. Note that antialiasing is enabled by default on Windows Vista and newer. Antialiasing is also called font smoothing. ClearType is an antialiasing technology used on Microsoft Windows, and should be disabled for optimal performance.

    • When processing RDP connections, SCB attempts to extract the username from the connection. To ensure that your users can access the target servers only when their username is recorded, see Section 10.9, Usernames in RDP connections.

    • If you are using Audit Player (AP) to OCR graphical audit trails, configure your servers to use the Tahoma or MS Sans Serif fonts on the user interface for optimal performance.

7.2. Procedure – Modifying the destination address

Purpose: 

The destination address is the address of the server where the clients finally connect to. To modify the destination address of a connection, complete the following steps.

Steps: 

  1. Navigate to the Connections tab storing the connection and click to display the details of the connection.

    Figure 7.3. Configuring connections

    Configuring connections

  2. The Target section allows you to configure Network Address Translation (NAT) on the server side of SCB. Destination NAT determines the target IP address of the server-side connection. Set the destination address as required. The following options are available:

    Note

    It is not possible to direct the traffic to the IP addresses belonging to SCB.

    • Use the original target address of the client: Connect to the IP address targeted by the client. This is the default behavior in transparent mode. This option is not available in non-transparent mode. For HTTP connections, you can use the Use the original target address of the client option only when the Act as HTTP proxy option is disabled.

    • NAT destination address: Perform a network address translation on the target address. Enter the target address in IP address/Prefix format.

      You can also enter a hostname instead of the IP address, and SCB automatically resolves the hostname to IP address. Note the following limitations:

      • SCB uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

      • Only IPv4 addresses are supported.

      • If the Domain Name Server returns multiple IP addresses, SCB selects randomly from the list.

    • Use fix address: Enter the IP address and port number of the server. The connection will connect always to this address, redirecting the clients to the server.

      You can also enter a hostname instead of the IP address, and SCB automatically resolves the hostname to IP address. Note the following limitations:

      • SCB uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

      • Only IPv4 addresses are supported.

      • If the Domain Name Server returns multiple IP addresses, SCB selects randomly from the list.

    • Inband destination selection: Extract the address of the server from the username. Note that for HTTP connections, you can use the Inband destination selection option only when the Act as HTTP proxy option is enabled. For details, see Procedure 7.3, Configuring inband destination selection.

  3. Click .

7.3. Procedure – Configuring inband destination selection

Purpose: 

With inband destination selection, you can create a single connection policy and allow users to access any server by including the name of the target server in their username (for example, ssh [email protected]@scb_address, or username%@targetserver%scb_address). To configure a Connection Policy to extract the address of the server from the username, complete the following steps.

Prerequisites: 

Steps: 

  1. Navigate to the Connection policy you want to modify, for example, to SSH Control > Connections.

  2. Select Inband destination selection.

    Figure 7.4. Configuring inband destination selection

    Configuring inband destination selection

  3. Optional Step: Enter the IP address or the hostname of the domain name server used to resolve the address of the target server into the DNS Server field.

    If you do not set the DNS Server field, SCB will use the global DNS server (set on the Basic Settings > Networking page) to resolve the hostnames in this connection.

  4. Optional Step: Configure domain names and CNAME records.

    If the clients do not include the domain name when addressing the server (for example they use [email protected] instead of [email protected], or username%server for RDP connections), SCB can automatically add domain information (for example example.com). Enter the domain name to add into the Append domain field.

    SCB can also resolve CNAME records.

    To enter more domain names (for example because connections extend through subnets), click . In case of more domain names in the Append domain field, SCB appends the first domain name in the list that the target can be resolved with.

  5. Enter the addresses of the servers that the users are permitted to access into the Targets field. Note the following points:

    • Use the IP address/prefix (for example 192.168.2.16/32, or 10.10.0.0/16) format. Alternatively, you can use the FQDN of the server. To permit access to any server, enter *.

    • For FQDN, you can use the * and ? wildcard characters.

      Warning

      If only the hostname of the server is listed and the client targets the server using its IP address, SCB refuses the connection.

    • If the clients target the server using its IP address, include the IP address of the server in the Targets > Domain list. This is required because SCB resolves the hostnames to IP addresses, but does not reverse-resolve IP addresses to hostnames.

    • If the clients target the server using its hostname, then the hostname-from-the-client-request + the-value-of-the-Append-domain-option must appear in the Targets > Domain list. Alternatively, you must include the IP address of the hostname-from-the-client-request + the-value-of-the-Append-domain-option host.

    Example 7.1. Hostnames and inband destination selection

    For example, you have set Append domain to example.com, and your clients use the username%servername request, then you must include either the servername.example.com host or its IP address in theTargets > Domain list.

  6. If the clients can access only a specified port on the server, enter it into the Port field. If the Port is not set, the clients may access any port on the server.

  7. If there are any servers that the users cannot target using inband destination selection, add them to the Exceptions field.

  8. To use inband destination selection with RDP connections without using SCB as a Terminal Services Gateway, you must use SSL-encrypted RDP connections (see Procedure 10.4, Using SSL-encrypted RDP connections).

  9. Click .

    Expected result: 

    The connection policy will extract the address of the destination server from the protocol information.

    Note

    For examples on using inband destination selection to establish an SSH connection, including scenarios where non-standard ports or gateway authentication is used, see Section 22.3, Using inband destination selection in SSH connections.

7.4. Procedure – Modifying the source address

Purpose: 

The source address is the address that SCB uses to connect the server. The server sees this address as the source of the connection. To modify the source address of a connection, complete the following steps.

Steps: 

  1. Navigate to the Connections tab storing the connection and click to display the details of the connection.

    Figure 7.5. Configuring connections

    Configuring connections

  2. The SNAT section allows you to configure Source Network Address Translation (SNAT) on the server side of SCB. SNAT determines the IP address SCB uses in the server-side connection. The target server will see the connection coming from this address. The following options are available:

    • Use the IP address of an SCB logical interface: Server-side connections will originate from SCB's logical network interface. This is the default behavior of the connection.

    • Use the original IP address of the client: Server-side connections will originate from the client's IP address, as seen by SCB.

    • Use fix address: Enter the IP address that will be used as the source address in server-side connections.

      You can also enter a hostname instead of the IP address, and SCB automatically resolves the hostname to IP address. Note the following limitations:

      • SCB uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

      • Only IPv4 addresses are supported.

      • If the Domain Name Server returns multiple IP addresses, SCB selects randomly from the list.

      Warning

      Do not forget to properly configure routers and other network devices when using the Use fix address option: messages sent by the server to this address must reach SCB.

  3. Click .

7.5. Procedure – Creating and editing channel policies

Purpose: 

The Channel policy lists the channels (for example, terminal session and SCP in SSH; Drawing, Clipboard in RDP) that can be used in the connection, and also determines if the channel is audited or not. The Channel policy can also restrict access to each channel based on the IP address of the client or the server, a user list, user group, or a time policy. For example, all clients may access the servers defined in a connection via SSH terminal, but the channel policy may restrict SCP access only to a single client. The policies set in the channel policy are checked when the user attempts to open a particular channel type in the connection.

Figure 7.6. Configuring channel policies

Configuring channel policies

To create a new channel policy or edit an existing one, complete the following procedure:

Steps: 

  1. Channel policies are configured individually for every protocol. Navigate to the Channel Policies tab of the respective protocol (for example, SSH Control > Channel Policies) and click to create a new channel policy. Enter a name for the policy into the Channel Policy field (for example, shell_and_backup).

  2. Click to add a new channel.

  3. Select the channel to be enabled in the connection from the Type field. All restrictions set in the following steps will be effective on this channel type. The available channels are different for every protocol. For their descriptions, see the following sections:

  4. To restrict the availability of the channel only to certain clients, click in the From field and enter the IP address of the client allowed to use this type of the channel. Repeat this step until all required client IPs are listed.

    You can also enter a hostname instead of the IP address, and SCB automatically resolves the hostname to IP address. Note the following limitations:

    • SCB uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

    • Only IPv4 addresses are supported.

    • If the Domain Name Server returns multiple IP addresses, SCB selects randomly from the list.

  5. To restrict the availability of the channel only to certain servers, click in the Target field and enter the IP address of the server allowed to use this type of the channel. Repeat this step until all required server IPs are listed.

    Note

    Use the real IP address of the server, which may be different from the one addressed by the clients, specified in the Target field of the connection policy.

    You can also enter a hostname instead of the IP address, and SCB automatically resolves the hostname to IP address. Note the following limitations:

    • SCB uses the Domain Name Servers set Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

    • Only IPv4 addresses are supported.

    • If the Domain Name Server returns multiple IP addresses, SCB selects randomly from the list.

  6. To restrict the availability of the channel only to certain users, click in the Remote Group field and enter the name of the user group allowed to use this type of the channel. Repeat this step until all permitted groups are listed.

    To restrict the availability of the channel when using gateway authentication, click in the Gateway Group field and enter the name of the user group allowed to use this type of the channel. Repeat this step until all permitted groups are listed.

    You may list local user lists as defined in Procedure 7.8, Creating and editing user lists, or LDAP groups (for details on accessing LDAP servers from SCB, see Procedure 7.9, Authenticating users to an LDAP server). Note the following behavior of SCB:

    • If you list multiple groups, members of any of the groups can access the channel.

      Note

      When listing both a whitelist and blacklist in the Remote Group section and a username appears on both lists, the user will be able to access the channel.

    • If you do not list any groups, anyone can access the channel.

      Note

      When the channel opens, there are certain cases when the remote group is not known yet. For example, in case of an RDP or ICA login screen, the drawing channel has to be opened first to properly display the logon screen. Only those channel rules will apply, where the Remote group field is empty. In case of network level authentication, all required information is present already so this limitation does not apply.

    • If a local user list and an LDAP group has the same name and the LDAP server is configured in the connection that uses this channel policy, both the members of the LDAP group and the members of the local user list can access the channel.

    Note

    User lists and LDAP support is currently available only for the SSH and RDP protocols. For other protocols, see Section 18.2, Configuring gateway authentication.

  7. Select a time policy to narrow the availability of the channel. If the time policy of the channel policy is set to 7x24, the channel is always available. For details, see Procedure 7.7, Configuring time policies.

  8. Some channel types require additional parameters, for example port forwarding in SSH needs the IP addresses and ports of the source and destination machines. Click in the Details field and enter the required parameters. For a list of parameters used by the different channels, see Section 11.2, Supported SSH channel types and Section 10.1, Supported RDP channel types.

  9. Select the Audit option to record the activities of the channel into audit trails. Typically large file-transfers (for example system backups, SFTP channels) are not audited because they result in very large audit trails. Check regularly the free hard disk space available on SCB if you do audit such channels. You can also receive alerts about disk space fill up if you set these. For details, see Procedure 4.6.3, Preventing disk space fill up and Section 4.6.4, System related traps.

  10. Select the 4 eyes option to require four-eyes authorization to access the channel. For details, see Section 18.3, Configuring 4-eyes authorization.

  11. Repeat Steps 2-10 to add other channels to the policy.

    Note

    The order of the rules matters. The first matching rule will be applied to the connection. Also, note that you can add the same channel type more than once, to fine-tune the policy.

  12. Click to save the list.

7.6. Real-time content monitoring with Content Policies

You can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for example, a particular command or text) appears in the command line or on the screen, or if a window with a particular title appears in a graphical protocol. Since content-monitoring is performed real-time, SCB can prevent harmful commands from being executed on your servers. SCB can also detect numbers that might be credit card numbers. The patterns to find can be defined as regular expressions. In case of ICA, RDP, and VNC connections, SCB can detect window title content.

The following actions can be performed:

  • Log the event in the system logs.

  • Immediately terminate the connection.

  • Send an e-mail or SNMP alerts about the event.

  • Store the event in the connection database of SCB.

SCB currently supports content monitoring in SSH session-shell connections, Telnet connections, RDP and Citrix ICA Drawing channels, and in VNC connections.

Note

Command, credit card and window detection algorithms use heuristics. In certain (rare) situations, they might not match the configured content. In such cases, contact the Balabit Support Team to help analyze the problem.

Real-time content monitoring in graphical protocols is not supported for Arabic and CJK languages.

7.6.1. Procedure – Creating a new content policy

Purpose: 

To create a new content policy that performs an action if a predefined content appears in a connection, complete the following steps.

Note

Using content policies significantly slows down connections (approximately 5 times slower), and can also cause performance problems when using the indexer service.

Figure 7.7. Content policies

Content policies

Steps: 

  1. Navigate to Policies > Content Policies, click and enter a name for the policy.

  2. Select the type of event that you want to monitor:

    • Commands: The commands executed in the session-shell channel of SSH connections, or in Telnet connections.

      Warning

      During indexing, if a separate certificate is used to encrypt the upstream traffic, command detection works only if the upstream key is accessible on the machine running the indexer.

    • Screen content: Every text that appears on the screen. For example, every text that is displayed in the terminal of SSH or Telnet connections. This includes the executed commands as well, unless echoing is turned off for the terminal.

    • Credit card: Process every text that appears on the screen and attempt to detect credit card numbers in SSH or Telnet connections. SCB performs an action if the number of detected credit card numbers exceeds the value set as Permitted number of credit card numbers.

      Credit card number detection is based on the Luhn algorithm and lists of known credit card number prefixes.

    • Window title detection: Text appearing as window titles in case of RDP, Citrix ICA, and VNC connections. Only Windows Classic Themes are supported. Themes with rounded corners, or Windows Aero themes are not supported. Windows that do not have an X (close window) button in the top-right corner (or it is not visible) are not detected.

      The configuration JSON file contains the most common window title color schemes.

      Note

      Do not adjust or modify the following settings unless you know exactly what you are doing. Misconfiguring them will severely decrease the performance of SCB.

      • If a special color is used, open /opt/scb/etc/window-title-default on the server, and add the color scheme in RGB. In case of a single color, enter "to": null. After adding a new color, temporarily disable all traffic going through SCB. Navigate to Basic Settings > System > System control and click Stop in the All services field. Login to SCB as root locally (or remotely using SSH) to access the Console menu. Select Shells > Core Shell, and issue the zorpctl restart command.

      • The minimum and maximum height and the minimum width of the window title are determined in pixels, as "minheight", "maxheight" and "minwidth".

  3. Select Match, click and enter a string or regular expression. SCB will perform an action if this expression is found in the connection, unless it is listed in the Ignore list. For example, SCB can terminate the connection if the user issues the rm -rf * in an SSH connection. Repeat this step to add further expressions if needed.

    • Use Perl Compatible Regular Expressions (PCRE).

    • The following characters must be escaped using a backslash character: '(single-quote). For example, instead of .*' use .*\'

    • SCB uses substring search to find the expression in the content. That is, SCB finds the expression even if there is more content before or after the matching part. For example, the conf pattern will match the following texts: conf, configure, reconfigure, arcconf, and so on.

    • Using complicated regular expressions or using many regular expressions will affect the performance of SCB.

    • If the multiple expressions are set, SCB processes them one after the other, and stops processing the content if the first match is found, even if other expressions would also match the content. Therefore, when using multiple expressions, start with the most specific one, and add general expressions afterward.

    Example 7.2. Sample regular expressions for content policies

    The following simple regular expressions are samples to demonstrate what kinds of events that can be detected using content policies.

    • The enable command on Cisco devices: the user enters privileges mode.

    • The conf term command on Cisco devices: the user configures the networking parameters of the device.

    • The sudo and su - commands: the user enters privileged mode Linux and other UNIX platforms.

  4. To add an exception to the Match rule, select Ignore, click and enter a string or regular expression. SCB will not perform any action if this expression is found in the connection. For example, to permit the users to delete only the /tmp directory in an SSH connection, enter rm -rf /tmp. Repeat this step to add further expressions if needed.

    Example 7.3. Sample content policies using Ignore rules

    The following expressions can be used to perform an action if any SQL command is used in MySQL, except for the select and help commands:

    • Into the Match expression, enter mysql>.*

    • Add two Ignore expressions: mysql> select.* and mysql> help.*

  5. Select the action to perform.

    • Log: Send a log message into the system logs. The log message includes the expression that matched the content. On log level 6, the message includes the matching content as well.

    • Terminate: Immediately terminate the connection. When using the Terminate action for the Command event type, and a command matches an expression, the connection is terminated before the command is executed. When using the Terminate action, note the following points.

      • Select the Log or Notify action as well so that it is easy to find out why a connection was terminated.

      • If the connection is terminated by a content policy, the Verdict of the connection becomes ACCEPT-TERMINATED.

    • Notify: Send an e-mail or SNMP alert about the event. To configure the alerts, navigate to Basic Settings > Alerting & Monitoring and set the required alerts for the Real time audit event detected (scbAuditRealTime) event.

    • Store in connection database: Add the event to the SCB connection database. These events are displayed in the Alerts column of the Search > Search page. If the column is not visible, click Customize columns....

  6. To apply the content policy only for users belonging to specific groups, select Gateway Group or Remote Group, and specify the usergroups as needed. If Gateway Group or Remote Group is set, the content policy is applied only to connections of these usergroups.

  7. To add a new rule to the policy, click and repeat Steps 2-6.

    Note that if you have more than one rules in a policy, SCB evaluates them as follows.

    1. SCB evaluates the first (top) rule.

    2. If the rule contains Gateway Group or Remote Group restrictions, SCB checks if the current user belongs to any of the specified groups. If the groups do not match, SCB skips the rule.

    3. If the content matches any entry of the Ignore list, SCB skips the rule.

    4. If the content matches any entry of the Match list, SCB performs the action configured for the rule. Otherwise, SCB skips the rule.

    5. If the current rule did not match the content, SCB evaluates the next rule of the policy (if any).

  8. Click .

    Expected result: 

    A new content policy is created.

  9. To use the content policy created in the previous steps, select the policy in the channel policy that is used to control the connections.

    Note

    It is not required to enable auditing to use content policies.

7.7. Procedure – Configuring time policies

Purpose: 

The time policy determines the timeframe when the users are permitted to access a particular channel. By default, there is no time-based restriction, all channels are available 7x24. Complete the following procedure to create a time policy or edit an existing one:

Figure 7.8. Configuring time policies

Configuring time policies

Steps: 

  1. Navigate to the Time Policies tab of the Policies menu item and click to create a new time policy. Enter a name for the policy into the Time Policy field (for example workhoursonly).

  2. Click to display the days of the week and the allowed intervals.

  3. Enter the intervals for each day when the users are allowed to access the connection. Use the hh:mm format (for example from 08:00 to 16:00).

  4. To add multiple intervals for a day, click .

  5. Click .

  6. To actually restrict access to a connection or a channel based on the policy created in the previous steps:

    • Select this policy in the Time Policy field of the channel policy.

    • Click .

7.8. Procedure – Creating and editing user lists

Purpose: 

User lists are white- or blacklists of usernames that allow fine-control over who can access a connection or a channel. Complete the following procedure to create a new user list or edit an existing one:

Warning

User Lists are white- or blacklists of usernames that determine who can access the server remotely. However, this cannot prevent a user from accessing the server from a local terminal.

Figure 7.9. Configuring user lists

Configuring user lists

Steps: 

  1. Navigate to the User Lists tab of the Policies menu and click to create a new user list. Enter a name for the list into the User List field (for example serveradmins).

    Warning

    Usernames, the names of user lists, and the names of usergroups are case sensitive.

  2. Click to display the list of users.

  3. Select the default policy of the user list. Select Reject for a whitelist, that is, to allow access only to the members of the list. Select Accept for a blacklist, that is, to allow access to everyone except the members of the list.

  4. Click and enter a username into the displayed field. Repeat this step until all required usernames are listed.

    Warning

    Usernames, the names of user lists, and the names of usergroups are case sensitive.

  5. Click to save the list.

  6. To actually restrict access to a channel based on the user list created in the previous steps:

    • Navigate to the Channel Policies tab of the type of connection you want to control and click to display the details of the policy.

    • Click in the Group section to add a new group to the policy and enter the name of the group. Repeat this step to add other groups.

      Warning

      Usernames, the names of user lists, and the names of usergroups are case sensitive.

      Note

      When listing more groups, users of any of the listed groups can access the channel. For details, see Procedure 7.5, Creating and editing channel policies.

      When listing both a whitelist and blacklist in the Group section and a username appears on both lists, the user will be able to access the channel.

    • Click .

7.9. Procedure – Authenticating users to an LDAP server

Purpose: 

Note

This feature is currently available only for SSH and RDP connections. For other protocols, see Section 18.2, Configuring gateway authentication.

SCB can authenticate the users of the controlled connections to LDAP databases. To authenticate the users to an LDAP database, complete the following steps.

Warning

By default, SCB uses nested groups when querying the LDAP server. Nested groups are mostly useful when authenticating the users to Microsoft Active Directory, but can slow down the query and cause the connection to timeout if the LDAP tree is very large. In this case, disable the Enable nested groups option.

Steps: 

  1. Navigate to Policies > LDAP Servers and click to create a new LDAP policy.

  2. Enter a name for the policy into the LDAP Policy field (for example ldapservers).

  3. Figure 7.10. Configuring LDAP Server policies

    Configuring LDAP Server policies

    1. Enter the IP address or hostname and port of the LDAP server into the Server Address field. If you want to encrypt the communication between SCB and the LDAP server, in case of TLS, enter 636 as the port number, or in case of STARTTLS, enter 389 as the port number.

      Use an IPv4 address.

      To add multiple servers, click and enter the address of the next server. If a server is unreachable, SCB will try to connect to the next server in the list in failover fashion.

      Warning

      If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example ldap.example.com) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

    2. Select the type of your LDAP server in the Type field. Select Active Directory to connect to Microsoft Active Directory servers, or Posix to connect to servers that use the POSIX LDAP scheme.

    3. Enter the name of the DN to be used as the base of the queries into the Base DN field (for example DC=demodomain,DC=exampleinc).

    4. Enter the name of the DN where SCB should bind to before accessing the database into the Bind DN field.

      For example: CN=Administrator,CN=Users,DC=demodomain,DC=exampleinc.

      Note

      SCB accepts both pre-win2000-style and Win2003-style account names (User Principal Names), for example [email protected] is also accepted.

      Note

      Do not use sAMAccountName, as the bind DN expects a CN.

    5. To configure or change the password to use when binding to the LDAP server, click Change and enter the password. Click Update. Click .

      Note

      SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

  4. Skip this step if you use passwords to authenticate the users.

    • If you use public-key authentication and receive the public key of the users from the LDAP database, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field. For details on using public-key authentication with the LDAP database, see Section 22.1, Configuring public-key authentication on SCB.

    • If you use X.509 certificate for authentication and receive the certificates of the users from the LDAP database, enter the name of the LDAP attribute that stores the certificates of the users into the Certificate attribute name field.

  5. Skip this step if you use passwords to authenticate the users.

    • If you use public-key authentication and want SCB to generate server-side encryption keys on-the-fly and store them in a separate attribute on the LDAP server, enter the name of the attribute into the Generated publickey attribute name field.

    • If you use certificate authentication and want SCB to generate server-side certificates on-the-fly and store them in a separate attribute on the LDAP server, enter the name of the attribute into the Generated certificate attribute name field.

  6. If you want to encrypt the communication between SCB and the LDAP server, in Encryption, select the TLS or the STARTTLS option and complete the following steps:

    Note

    TLS-encrypted connection to Microsoft Active Directory is supported only on Windows 2003 Server and newer platforms. Windows 2000 Server is not supported.

    • If you want SCB to verify the certificate of the server, select Only accept certificates authenticated by the specified CA certificate and click the icon in the CA X.509 certificate field. A pop-up window is displayed.

      Click Browse, select the certificate of the Certificate Authority (CA) that issued the certificate of the LDAP server, then click Upload. Alternatively, you can paste the certificate into the Copy-paste field and click Set.

      SCB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.

      Warning

      If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example ldap.example.com) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

    • If the LDAP server requires mutual authentication, that is, it expects a certificate from SCB, enable Authenticate as client. Generate and sign a certificate for SCB, then click in the Client X.509 certificate field to upload the certificate. After that, click in the Client key field and upload the private key corresponding to the certificate.

    Balabit recommends using 2048-bit RSA keys (or stronger).

  7. Optional Step: If your LDAP server uses a custom POSIX LDAP scheme, you might need to set which LDAP attributes store the username, or the attributes that set group memberships. For example, if your LDAP scheme does not use the uid attribute to store the usernames, set the Username (userid) attribute name option. You can customize group-membership attributes using the POSIX group membership attribute name and GroupOfUniqueNames membership attribute name options.

    Note that SCB treats the retrieved usernames and group names as case sensitive.

  8. To commit the changes, click .

  9. If you have modified the Server certificate check field or the keys used in the connections, perform the following steps:

    Warning

    This step terminates all controlled connections going through SCB. Disconnect your clients from the protected servers before proceeding.

    To activate the new settings, navigate to Basic Settings > System > Traffic control > All services section and click Restart.

  10. Click Test to test the connection.

    Note

    Testing TLS and STARTTLS-encrypted connections is not supported.

7.10. Audit policies

An audit trail is a file storing the recorded activities of the administrators. Audit trails are not created automatically for every connection: auditing must be enabled manually in the channel policy used in the connection. The available default channel policies enable auditing for the most common channels. Audit trails are automatically compressed, and can be encrypted, timestamped, and signed as well. Audit trails can be replayed using the Audit Player application (for details, see Chapter 17, Replaying audit trails with Audit Player), or directly in your browser (for details, see Procedure 16.1.2, Replaying audit trails in your browser).

Tip

By default, every connection uses the built-in default audit policy. Unless you use a custom audit policy, modifying the default audit policy will affect every audited channel of the connections passing through SCB.

Warning

In RDP connections, if the client uses the Windows login screen to authenticate on the server, the password of the client is visible in the audit trail. To avoid displaying the password when replaying the audit trail, you are recommended to encrypt the upstream traffic in the audit trail using a separate certificate from the downstream traffic. For details, see Procedure 7.10.1, Encrypting audit trails.

7.10.1. Procedure – Encrypting audit trails

Purpose: 

To prevent unauthorized access to the audit trail files, SCB can encrypt:

  • The entire trail.

  • The entire trail, and the upstream part with an additional (set of) certificate(s).

  • Only the upstream part.

With upstream encryption, the passwords are visible only with the private key of the certificate used for encrypting the upstream traffic.

Note

Even if the upstream traffic is encrypted with a separate certificate, only one audit trail file is created for a session.

Encrypting the upstream part has the following limitations:

  • VNC, and X11 trails cannot be replayed without the upstream encryption keys.

  • VNC trails cannot be indexed without the upstream encryption keys.

  • During indexing, command detection does not work without the upstream encryption keys.

Tip

For more information on uploading certificates for indexing and replaying audit trails, see:

Encryption requires one or more RSA keys (in PEM-encoded X.509 certificates), depending on the configuration.

Note

Certificates are used as a container and delivery mechanism; for encryption and decryption, only the keys are used.

Balabit recommends using 2048-bit RSA keys (or stronger).

Use every keypair or certificate only for one purpose. Do not reuse cryptographic keys or certificates, for example, do not use the certificate of the SCB webserver to encrypt audit trails, or do not use the same keypair for signing and encrypting data.

The following encryption options are available:

  • Encrypt with a single certificate. This is the most simple approach: SCB uses one certificate to encrypt the audit trails; anyone who has the private key of that certificate can replay the audit trails. If that key is lost, there is no way to open the audit trails.

  • Encrypt separately with multiple certificates.SCB uses two or more certificates separately to encrypt the audit trails; anyone who has the private key of one of the encryption certificates can replay the audit trails.

  • Encrypt jointly with two certificates.SCB uses two certificates together (a certificate-pair) to encrypt the audit trails. The private keys of both encryption certificates are needed to replay the audit trails. This is a kind of "four-eyes in auditing".

You can combine the different encryption methods, so for example it is possible to encrypt the audit trails with multiple certificate-pairs, and to replay the trails only if the private keys of a certificate-pair are available. This is true for encrypting the upstream traffic as well. At the extreme, you will need four private keys to fully replay an audit trail: two to open the normal traffic, and two more to display the upstream traffic.

Note that SCB itself cannot create the certificates used to encrypt the audit trails.

Tip

If two certificates are displayed in a row, they are a certificate-pair and you need the private key of both to replay the audit trails. If two certificates are displayed in separate rows, you need the one of the private keys to replay the audit trails. If there are multiple rows containing two certificates, you need the private keys of the certificate(s) listed in any of the rows.

Figure 7.11. Encrypting audit trails: joint encryption with a certificate pair

Encrypting audit trails: joint encryption with a certificate pair

Each audit policy can have up to 8 lines of certificate pairs.

Steps: 

  1. Navigate to Policies > Audit Policies and select the audit policy you will use in your connections.

    Tip

    By default, every connection uses the built-in default audit policy. Unless you use a custom audit policy, modifying the default audit policy will affect every audited channel of the connections passing through SCB.

  2. Select the Enable encryption option.

  3. To upload a certificate for encrypting the entire trail:

    1. Click the icon under the Encryption cert (X.509 RSA) 4-eyes cert (X.509 RSA) row.

    2. Click on the left icon and upload a certificate to SCB. This certificate will be used to encrypt the audit trails, and it must not include the private key.

      Note

      To replay the audit trails, you need the private key of the certificate on the computer running the Audit Player application.

    3. Optional step: To encrypt the audit trails jointly with another certificate, click on the right icon and upload a certificate to SCB. Note that the private key of both certificates will be required to replay the audit trails.

    4. Repeat these steps to encrypt the audit trails separately with additional certificates.

  4. To upload a certificate for encrypting the upstream traffic:

    1. Select Encrypt upstream traffic with different certificates.

    2. Click the icon under the Encryption cert (X.509 RSA) 4-eyes cert (X.509 RSA) row.

    3. Click on the left icon and upload a certificate to SCB. This certificate will be used to encrypt the audit trails, and it must not include the private key.

      Note

      To replay the upstream part of the audit trails, you need the private key of the certificate on the computer running the Audit Player application.

    4. Optional step: To encrypt the audit trails jointly with another certificate, click on the right icon and upload a certificate to SCB. Note that the private key of both certificates will be required to replay the audit trails.

    5. Repeat these steps to encrypt the upstream separately with additional certificates.

  5. Click .

7.10.2. Procedure – Timestamping audit trails with built-in timestamping service

Purpose: 

To add timestamps to the audit trails by using the built-in timestamping service of SCB, complete the following steps:

Steps: 

  1. Configure the timestamping interval. You have to repeat these steps for each protocol (HTTP, ICA, RDP, SSH, Telnet, and VNC) you want to configure:

    Figure 7.12. Configuring local timestamping

    Configuring local timestamping

    1. In the protocol control settings, navigate to Global Options > Timestamping (for example, SSH Control > Global Options > Timestamping).

    2. Select Local.

      Note

      Make sure that you leave the Timestamping policy field empty. Timestamping policy has relevance only when Timestamping is set to Remote.

    3. Set the Signing interval. You can choose any value between 10 and 100 000 seconds.

      Note

      The same interval setting applies to timestamping and signing.

    4. Click .

  2. Configure audit policies to use timestamping. You have to repeat these steps for each audit policy you want to configure:

    1. Navigate to Policies > Audit Policies and select the audit policy you will use in your connections.

      Tip

      By default, every connection uses the built-in default audit policy. Unless you use a custom audit policy, modifying the default audit policy will affect every audited channel of the connections passing through SCB.

    2. Select the Enable timestamping option.

      Figure 7.13. Timestamping audit trails

      Timestamping audit trails

    3. Click . SCB will automatically add timestamps to the audit trails of every connection that is audited and uses this audit policy.

      Note

      For details on how to change the certificate used for timestamping, see Section 6.8, Managing the certificates used on SCB.

7.10.3. Procedure – Timestamping audit trails with external timestamping service

Purpose: 

To request timestamps from a remote Timestamping Authority (TSA), complete the following steps:

Steps: 

  1. Configure the remote TSA, and the timestamping interval. You have to repeat these steps for each protocol (HTTP, ICA, RDP, SSH, Telnet, and VNC) you want to configure:

    Figure 7.14. Configuring a remote TSA

    Configuring a remote TSA

    1. In the protocol control settings, navigate to Global Options > Timestamping (for example, SSH Control > Global Options > Timestamping).

    2. Select Remote.

    3. Enter the address of the timestamping server into the URL field. Note that currently only plain HTTP services are supported, password-protected and HTTPS services are not supported.

    4. If the Timestamping Server has timestamping policies configured, enter the OID of the policy to use into the Timestamping policy field. SCB will include this ID in the timestamping requests sent to the TSA.

    5. Set the Signing interval. You can choose any value between 10 and 100 000 seconds.

      Note

      The same interval setting applies to timestamping and signing.

    6. Click .

  2. Configure audit policies to use timestamping. You have to repeat these steps for each audit policy you want to configure:

    1. Navigate to Policies > Audit Policies and select the audit policy you will use in your connections.

      Tip

      By default, every connection uses the built-in default audit policy. Unless you use a custom audit policy, modifying the default audit policy will affect every audited channel of the connections passing through SCB.

    2. Select the Enable timestamping option.

      Figure 7.15. Timestamping audit trails

      Timestamping audit trails

    3. Click . SCB will automatically add timestamps to the audit trails of every connection that is audited and uses this audit policy.

7.10.4. Procedure – Digitally signing audit trails

Purpose: 

SCB can digitally sign the audit trails to prevent the manipulation of the audit trail files. This requires an X.509 certificate and also the private key of the certificate. Note that SCB can generate a private key that you can use to create a certificate, but SCB itself cannot create the certificate used to sign the audit trails.

Steps: 

  1. Configure the signing interval. You have to repeat these steps for each protocol (HTTP, ICA, RDP, SSH, Telnet, and VNC) you want to configure:

    Figure 7.16. Configuring the signing interval

    Configuring the signing interval

    1. In the protocol control settings, navigate to Global Options > Timestamping (for example, SSH Control > Global Options > Timestamping).

    2. Set the Signing interval. You can choose any value between 10 and 100 000 seconds.

      Note

      The same interval setting applies to timestamping and signing.

    3. Click .

  2. Navigate to Policies > Audit Policies and select the audit policy you will use in your connections.

    Figure 7.17. Signing audit trails

    Signing audit trails

    Tip

    By default, every connection uses the built-in default audit policy. Unless you use a custom audit policy, modifying the default audit policy will affect every audited channel of the connections passing through SCB.

  3. Select the Enable signing option.

  4. Upload a certificate and the corresponding private key to SCB.

  5. Click . SCB will automatically sign the audit trails of every connection that is audited and uses this audit policy.

  6. Repeat the above steps for other audit policies if needed.

7.11. Procedure – Verifying certificates with Certificate Authorities

Purpose: 

SCB can check the validity of certificates using the certificates and certificate-revocation lists of the certificate authorities that issued the certificates. This can be used for example to verify the certificates of the servers in SSH/RDP connections. To create a list of CA certificates to use during the certificate validation, complete the following steps:

Steps: 

  1. Figure 7.18. Creating Trusted CA lists

    Creating Trusted CA lists

    Navigate to Policies > Trusted CA Lists and click to create a new list.

  2. Enter a name for the CA list into the topmost field.

  3. Click in the Certificate field, and upload the certificate of the Certificate Authority (CA) that will be used to validate the certificates.

  4. Enter the URL of the Certificate Revocation List of the CA into the CRL field. Certificates appearing on the CRL list will be automatically rejected.

    Note

    Note that only .pem format CRLs are accepted. CRLs that are in PKCS7 format (.crl) are not accepted.

  5. To further limit which certificates are accepted, you may use the following options:

    • Strict hostname check: Select this option to accept only certificates when the Common Name of the certificate contains the hostname or the IP address of the host showing the certificate.

    • Use DNS to lookup hostnames: Select this option to use the domain name server set on Basic Settings > Network > Naming to resolve the hostnames and IP addresses for certificate validation. If you have enabled the Strict hostname check option, you probably want to enable this option as well.

    • To restrict the accepted certificates based on the content of the certificate, enter the required value into the appropriate field of the User certificate validation section. For example, to accept only certificates that contain Example Inc. in their Organization Name field, enter Example Inc. in to the Organization Name field. In the Common name, E-mail address, and Alternative e-mail address fields you can use the $username macro to refer to the username used in the connection. This macro makes it possible to check that the user is using his own certificate.

  6. Click .

7.12. Procedure – Signing certificates on-the-fly

Purpose: 

At a number of places, SCB can generate the server certificates on the fly. This technique is used for example in SSL-encrypted RDP sessions, RDP sessions that use Network Level Authentication (CredSSP), or SSH connections that use X.509-based authentication. To create a signing CA, complete the following steps:

Note

Note the following points about using signing CAs:

  • Signing CAs require a CA certificate permitted to sign certificates, and also the corresponding private key.

  • These CAs cannot be used to sign audit trails. For details on how to configure the certificates used to sign audit trails, see Procedure 7.10.4, Digitally signing audit trails.

  • The version of the generated certificates will be the same as the version of the signing CA.

  • SCB will include the CRL (from the crlDistributionPoints extension) of the signing CA in the generated certificate.

Steps: 

  1. Figure 7.19. Creating Signing CAs

    Creating Signing CAs

    Navigate to Policies > Signing CAs and click .

  2. Enter a name for the CA into the topmost field.

  3. To upload a CA certificate and its private key, complete the following steps. Skip this step if you want to generate a CA on SCB.

    1. Click in the CA X.509 certificate field and upload the certificate of the certificate authority.

    2. Click in the CA private key field and upload the private key of the certificate authority.

    3. Click .

  4. To generate a CA certificate on SCB, complete the following steps:

    1. Enter the Common Name for the CA certificate into the Common Name field. This name will be visible in the Issued By field of the certificates signed by this CA.

    2. Fill the other fields as required, then click Generate private key and certificate.

    3. Click .

7.13. Procedure – Creating a Local User Database

Purpose: 

Local User Databases are available for RDP, SSH and Telnet protocols, and can be used to authenticate the clients to credentials that are locally available on SCB. Such credentials include passwords, public keys, and certificates. Local User Databases are most commonly used in inband gateway authentication scenarios. To create a Local User Database, complete the following steps.

Note

To store credentials on SCB and use them to authenticate on the server, use a local Credential Store. For details, see Section 18.4, Using credential stores for server-side authentication.

Steps: 

  1. Navigate to Policies > Local User Databases and click .

  2. Enter the name of the Local User Database.

  3. Figure 7.20. Mapping keys and certificates

    Mapping keys and certificates

    Click to add entries.

  4. Enter the name of the user into the Username field.

    Note

    If you also use Usermapping policies, enter the username that the client will use on the server side. If you also use gateway authentication, the gateway username can be used as well.

    • If you use public-key based authentication on the client side, click the icon in the Client Side (public key/certificate) > Public keys field, and upload the public key of the client.

    • If you use certificate-based authentication on the client side, click the icon in the Client Side (public key/certificate) > Certificates field, and upload the certificate of the client.

    SCB will verify that a client trying to use the username set in Step 3 is authenticating itself with the private key that corresponds to the uploaded public key or certificate.

    Balabit recommends using 2048-bit RSA keys (or stronger).

  5. Repeat the above steps to add other users as required.

  6. Click .

  7. Navigate to the Authentication Policies tab of the respective protocol and select the Local User Database there.

7.14. Procedure – Configuring cleanup for the SCB connection database

Purpose: 

SCB can automatically archive audit trails older than a specified retention time. However, the metadata of the corresponding connections is not deleted from the SCB connection database. Deleting the stored data about old connections decreases the size of the database, making searches faster, and might be also required by certain policies or regulations. The period after metadata is deleted can be specified individually for the different protocols, (for example, data about SSH connections can be stored longer than other connections) and also for every connection policy. In order to configure SCB to delete the metadata of old connections for a particular protocol, complete the following steps:

Steps: 

  1. Navigate to the Global Options page of the respective protocol, for example, to SSH Control > Global Options.

  2. Figure 7.21. Configuring connection database cleanup for a protocol

    Configuring connection database cleanup for a protocol

    Enter how long SCB (in days) should keep the metadata into the Channel database cleanup field. For example, if you specify 365, SCB will delete the data of connections older than a year. Enter zero (0) to keep the data indefinitely (this is also the default behavior of SCB).

    Note

    The time you specify cannot be shorter than the Retention time in days set for the Archive policies used in the connections of this protocol.

    The time you specify cannot be shorter than the Channel database cleanup set in the individual connection policies of this protocol.

  3. Click and repeat the previous step for other protocols if needed.

  4. Figure 7.22. Configuring connection database cleanup for a connection

    Configuring connection database cleanup for a connection

    To delete the metadata of certain connections earlier than the time set in the Global Options > Channel database cleanup field of the protocol, navigate to the particular connection policy, and enter how long SCB (in days) should keep the metadata of the sessions of this connection policy into the Channel database cleanup field. Enter zero (0) to use the settings of the protocol (this is also the default behavior of SCB).

    Note

    The time you specify cannot be shorter than the Retention time in days set for the Archive policy used in the particular connection.

  5. Click and repeat the previous step for other connections if needed.

    Expected outcome: 

    Every day SCB deletes the metadata of connections older than the given cleanup time from the connection database.

Chapter 8. HTTP-specific settings

The following sections describe configuration settings available only for the HTTP protocol. Use the following policies to control who, when, and how can access the HTTP connection. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.

Auditing HTTP and HTTPS connections is possible in both transparent and non-transparent modes. SCB can also be used as an HTTP/HTTPS proxy to simplify client configuration and integration into your network environment, or it can forward HTTP traffic, behaving as a HTTP tunnel.

  • Channel Policy: The HTTP protocol has only one channel type with no special configuration options. The available channel policy options are the following: From, Target, Time, 4 eyes, Audit, and Remote groups. Note that the Remote groups option is used only if the user performs inband authentication using one of the supported HTTP authentication methods (see Section 8.2, Authentication in HTTP and HTTPS). For details on configuring these options, see Procedure 7.5, Creating and editing channel policies.

    When setting Target, note the following:

    • If the connection uses DNAT (NAT destination address), the target address of the original client will be compared to the Target parameter of the Channel policy, that is not necessarily equivalent with the server's address.

    • If the connection is redirected to a Fix address, the redirected address will be compared to the Target parameter of the Channel policy.

  • HTTP connections: For details, see Section 8.3, Setting up HTTP connections.

  • HTTP sessions: HTTP settings determine the parameters of the connection on the protocol level, including timeout value, and so on. For details, see Section 8.4, Session-handling in HTTP.

  • HTTP settings: HTTP settings determine the parameters of the connection on the protocol level, including timeout value, and so on. For details, see Procedure 8.5, Creating and editing protocol-level HTTP settings.

8.1. Limitations in handling HTTP connections

Avoid using the IP address configured for administrator or user login on SCB when configuring HTTP or SSH connections.

The current version of SCB does not support the following features that are available for other protocols:

  • Gateway authentication

  • Four-eyes authorization

  • Usermapping policies

  • User authentication to LDAP servers

Forwarding HTTP connections to an HTTP proxy is not supported. If your clients use an HTTP proxy to access the target servers, place SCB behind the proxy: Clients - HTTP Proxy - SCB.

Warning

The Clients - SCB - HTTP Proxy scenario is NOT supported.

8.2. Authentication in HTTP and HTTPS

For the audited HTTP and HTTPS connections, SCB supports the following inband authentication methods for the HTTP protocol. These authentication methods are automatically supported for every Connection policy, without further configuration.

  • Basic Access Authentication (according to RFC2617

  • The NTLM authentication method commonly used by Microsoft browsers, proxies, and servers

SCB records the username used in the authentication process into the Username and Remote username fields of the connection database.

For authenticated sessions, SCB can perform group-based user authorization that allows you to finetune access to your servers and services: you can set the required group membership in the Channel policy of the HTTP connection. Note that group-based authorization in HTTP works only for authenticated sessions. If a username is not available for the session, SCB will permit the connection even if the Remote groups field is set.

SCB does not store failed HTTP authentication attempts in the connection database. This means that the Verdict field of the Search page will never contain CONN-AUTH-FAIL values for HTTP connections.

Note that authentication also affects the way SCB handles HTTP sessions. For details, see Section 8.4, Session-handling in HTTP.

8.3. Setting up HTTP connections

This section focuses on describing the HTTP-specific details of connection configuration. For a detailed description on configuring connections, see Chapter 7, General connection settings.

8.3.1. Procedure – Setting up a transparent HTTP connection

Purpose: 

To setup a transparent HTTP connection, perform the following steps. To audit HTTP connections in non-transparent mode, see Procedure 8.3.2, Enabling SCB to act as a HTTP proxy.

Figure 8.1. Transparent HTTP connection

Transparent HTTP connection

Steps: 

  1. In the Name field, enter the name of the connection that will identify the connection policy.

  2. In the From field, enter the IP address and prefix of the client that will be permitted to access the server.

    You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

  3. In the To field, enter the IP address and prefix that the clients will target.

    You can use an IPv4 or an IPv6 address. To limit the IP range to the specified address, set the prefix to 32 (IPv4) or 128 (IPv6).

  4. In the Target section, select Use original target address of the client.

  5. In the SNAT section, select Use the original IP address of SCB.

  6. Since SCB cannot automatically decide whether the incoming sessions are encrypted or not, it is required to setup another identical connection policy for the same sessions, for HTTPS. As a result, HTTP and HTTPS sessions will be saved into separate trails.

    1. Setup a new connection policy with the same settings as above.

    2. Set the Port to 443.

    3. Enable SSL encryption. For details, see Procedure 8.3.3, Enabling SSL encryption in HTTP.

8.3.2. Procedure – Enabling SCB to act as a HTTP proxy

Purpose: 

To enable SCB to act as a HTTP proxy, perform the following steps.

Figure 8.2. Act as HTTP proxy

Act as HTTP proxy

Steps: 

  1. Enable Act as HTTP proxy to configure the client to use SCB as a HTTP proxy.

  2. Select Inband destination selection as Target.

  3. To permit access to any HTTP servers, enter 0.0.0.0/0 into the Domain field. Alternatively, enter the IP address or subnet of the HTTP address you want permit access to. For IPv6 addresses, add ::/0 as well.

  4. To permit HTTP access to the destination servers on any port, leave the Domain > Port field empty. Otherwise, clients will be permitted only to access the specified port.

  5. Enter the port where SCB should accept HTTP connections into the To > Port field. The default port number when using the Act as HTTP proxy setting is 3128. This value should be the same as the proxy port setting on your clients.

  6. Ensure that you have set SCB as proxy on the clients.

8.3.3. Procedure – Enabling SSL encryption in HTTP

Purpose: 

To enable SSL encryption, perform the following steps. This setting either enforces SSL encryption, or accepts both HTTP and HTTPS requests.

Figure 8.3. Enabling SSL encryption in HTTP

Enabling SSL encryption in HTTP

Steps: 

  1. In SSL Settings, select Permit HTTPS traffic. To control plain HTTP traffic with the same connection policy, enable Allow HTTP traffic.

  2. Select the certificate to show to the clients.

    • To use the same certificate for every session, select Use the same certificate for each connection.

      Note

      When using the Use the same certificate for each connection option and the connection policy allows access to multiple servers using HTTPS, the client browsers will display a warning because the certificate used in the connection will be invalid: the Common Name of the certificate will not match the hostname or IP address of the server.

    • To use a separate certificate for every session, complete the following steps.

      1. Create a certificate authority that will be used to sign the certificates that SCB shows to the server. For details, see Procedure 7.12, Signing certificates on-the-fly.

      2. Select Bridge certificate. In this case, SCB performs certificate bridging, that is, copies the data from the server's certificate into a new one, issued by the selected Certificate Authority.

        Note

        Bridge certificate option does not work the same way as the Generate certificate on-the-fly option in other protocol settings.

      3. In the Signing CA field, select the certificate authority to use.

        Note

        Import the certificate of the signing Certificate Authority to your clients. Otherwise, the client browsers will display a warning because of the unknown Certificate Authority.

  3. Select how SCB should authenticate the server.

    • To permit connections to servers without requesting a certificate, select No validation.

    • To permit connections only to servers having valid certificate that was signed by a specific CA, complete the following steps.

      1. Create a list of trusted Certificate Authorities that will be used to validate the certificates of the servers. For details on creating a trusted CA list, see Procedure 7.11, Verifying certificates with Certificate Authorities.

      2. Select Only accept certificates authenticated by the trusted CA list.

      3. In the Trusted CA field, select the certificate authority list to use.

8.3.4. Procedure – Configuring half-sided SSL encryption in HTTP

Purpose: 

To enable half-sided SSL encryption, require HTTPS on client side, and HTTP on server side perform the following steps.

Figure 8.4. Enabling half-sided SSL encryption in HTTP

Enabling half-sided SSL encryption in HTTP

Limitations: 

The Server Name Indication (SNI) extension of SSL and TLS is only supported by appropriate client OS and browser combinations. For details on the limitations, see Browsers with support for TLS server name indication. There are several unsupported scenarios, for example Windows XP + any version of Internet Explorer, Ubuntu Lucid + certain versions of Mozilla Firefox. When the client does not support SNI, the CN will contain the target IP, and the client browsers will display a warning when accessing these servers.

Note

When Generate certificate on-the-fly is selected, and the connection is in transparent setup, the CN field is filled in using SNI (Server Name Indication). When the client does not support SNI, the CN will contain the target IP, which may cause certificate verification warning on the client browser.

Steps: 

  1. In SSL Settings, select Require HTTPS on client side and HTTP on server side.

    Note

    If the connection is configured at Target to Use fix address and the port number is set to 443, SCB will still automatically use port 80 to connect to the server, when Require HTTPS on client side and HTTP on server side is selected.

  2. To use a fix certificate, select Use the same certificate for each connection and copy or upload the certificate.

    Balabit recommends using 2048-bit RSA keys (or stronger).

  3. To generate a certificate on-the-fly, signed by a provided Signing CA, select Generate certificate on-the-fly. It uses the parameters of the signing CA, excluding the CN field, which is filled with the name of the target host name.

    Note

    When Generate certificate on-the-fly is selected, and the connection is in transparent setup, the CN field is filled in using SNI (Server Name Indication). When the client does not support SNI, the CN will contain the target IP, which may cause certificate verification warning on the client browser.

8.4. Session-handling in HTTP

Communication over HTTP consists of client requests and server responses (also called exchanges). Unlike in other protocols, for example SSH, these request-response pairs do not form a well-defined, continuous connection. Therefore, SCB assumes that an HTTP request-response pair belongs to a specific session if the following points are true:

  • The IP address of the client is the same

  • The hostname of the target server (not the IP address) is the same

  • The username is the same (if the user has performed inband authentication)

  • The time elapsed since the last request-response pair between the same client and server is less then the session timeout value (15 minutes by default).

SCB creates a separate audit trail and records the accessed URLs for every session. These are displayed on the Search > Search page. If any of the columns is not visible, click Customize columns....

For technical reasons, in authenticated sessions the login page where the user provides the credentials is not part of the session associated with the username. This means that even if the login page is the first that the user visits, SCB will record two sessions: the first does not include a username, the second one does. These two sessions are visible on the Active Connections page (until the unauthenticated session times out).

8.5. Procedure – Creating and editing protocol-level HTTP settings

Purpose: 

HTTP settings determine the parameters of the connection on the protocol level, including timeout value, and so on. Complete the following procedure to create a new HTTP settings profile or edit an existing one.

Warning

Modifying the HTTP settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing.

Steps: 

  1. Navigate to the Settings tab of the HTTP Control menu item and click to create a HTTP setting profile. Enter a name for the profile (for example http_special).

  2. Click to display the parameters of the connection.

  3. Modify the parameters as needed. The following parameters are available:

    • Idle timeout: Timeout value for the session in milliseconds. To avoid early timeout, set it to a larger value, for example a week (604800000 milliseconds).

      Warning

      Determining if a connection is idle is based on the network traffic generated by the connection, not the activity of the user. For example, if an application or the taskbar of a graphical desktop displays the time which is updated every minute, it generates network traffic every minute, negating the effects of timeout values greater than one minute and preventing SCB from closing the connection.

    • Session timeout: Timeout value for the session in seconds.

    • Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all, SCB does not establish the server-side connection.

      Note

      This option cannot be disabled.

  4. Click .

  5. Select this settings profile in the HTTP settings field of your connections.

Chapter 9. ICA-specific settings

The following sections describe configuration settings available only for the ICA protocol. Use the following policies to control who, when, and how can access the ICA connection.

Note

As an experimental feature, IPv6 addresses can be configured for ICA connections.

9.1. Setting up ICA connections

This section focuses on describing the ICA-specific details of connection configuration. For a detailed description on configuring connections, see Chapter 7, General connection settings.

Warning

If the clients are accessing a remote application or desktop that is shared for Anonymous users (that is, the Users properties of the application is set to Allow anonymous users in the Citrix Delivery Services Console), the actual remote session will be running under an Anonymous account name (for example, Anon001, Anon002, and so on), not under the username used to access the remote server. Therefore, you need to enable usermapping to the Anon* usernames.

To accomplish this, create a usermapping policy and set the Username option to Anon*, and the Groups option to *, then use this usermapping policy in your ICA connections. For details on using usermapping policies, see Procedure 18.1, Configuring usermapping policies.

Reliable connection is also known as Common Gateway Protocol (CGP). It attempts to reconnect to the server in case of a network failure. To use this feature, enable Reliable and enter the default port in the Port field in the upper right corner.

Enable Act as SOCKS proxy to configure the client to use SCB as a SOCKS proxy. If you have enabled this option, you can select Inband destination selection as Target. Enter the IP address or the IP address/Prefix of the brokers (Citrix XML Brokers) used by the client in this connection policy into the Address field. It is also recommended to enable access to the brokers on port 443, as the clients usually try to access the broker using this port first. Disabling port 443 will cause a denied connection to appear on the SCB Search interface for every connection attempt (but the clients will be able to connect the server).

Warning

SCB does not audit or monitor the traffic between the brokers and the clients in any way, and are not listed on the SCB search interface. Only the connections between the clients and the actual servers are audited.

Warning

If SCB is acting as a SOCKS proxy and a client attempts to access a server that it is not permitted to access according to the configuration of SCB, SCB will deny the connection. However, the Citrix client application will automatically attempt to connect the server directly without using a proxy and will succeed if the server is directly accessible from the client. Ensure that your firewalls are configured properly to prevent such connections, as these direct connections cannot be audited by SCB.

Note

When enabling Reliable connection or Act as SOCKS proxy the first time, a warning is displayed suggesting the default port to be used based on the specific settings. Also, read the tooltips on these options; they contain up-to-date information about the default port numbers.

9.2. Supported ICA channel types

The available ICA channel types and their functionalities are described below. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.

  • Drawing (Thinwire): Enables access to the server's desktop (screen). This channel is for remoting graphics and user input (keyboard, mouse). This channel must be enabled for ICA to work.

  • Audio Mapping: Enable access to the sound device of the server.

  • Drive Mapping: Enable access to the client's hard drives on the server.

  • Clipboard: Enable access to the server's clipboard: the clipboard of the remote desktop can be pasted into local applications (and vice-versa). Note that SCB can audit the clipboard channel, but the Audit Player currently cannot search or display its contents.

  • Smartcard: Enable using client side installed smartcards in server-side applications.

  • Printer (COM1): Enable access to the serial port COM1.

  • Printer (COM2): Enable access to the serial port COM2.

  • Printer (LPT1): Enable access to the parallel port LPT1.

  • Printer (LPT2): Enable access to the parallel port LPT2.

  • Printer Spooler: Enable access to the client's printer from the remote desktops and applications.

  • HDX Mediastream: Some user widgets (for example Flash player) will not run on the server but on the client. These widgets are controlled from the server side using this channel. This is not supported by AP and it is disabled by default.

  • USB: Enable using client side installed USB devices in server-side applications.

  • Seamless: Enable seamless channels that run a single application on the ICA server, instead of accessing the entire desktop. When disabled, the application window will be accessed along with an empty desktop.

  • Speedbrowse: Speeds up web browsing. Not currently supported by AP, should be disabled by default.

  • Custom: Applications can open custom channels to the clients connecting remotely to the server. Enabling the Custom channel allows the clients to access all of these custom channels. To permit only specific channels, enter the unique names of the channel into the Details field.

Note

When the channel opens, there are certain cases when the remote group is not known yet. For example, in case of an RDP or ICA login screen, the drawing channel has to be opened first to properly display the logon screen. Only those channel rules will apply, where the Remote group field is empty. In case of network level authentication, all required information is present already so this limitation does not apply.

Note

Multi-stream ICA is not supported in SCB 4 F3.

9.3. Procedure – Creating and editing protocol-level ICA settings

Purpose: 

ICA settings determine the parameters of the connection on the protocol level, including timeout value, and so on. Complete the following procedure to create a new ICA settings profile or edit an existing one:

Figure 9.1. ICA settings

ICA settings

Warning

Modifying the ICA settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing.

Steps: 

  1. Navigate to the Settings tab of the ICA Control menu item and click to create an ICA setting profile. Enter a name for the profile (for example ica_special).

  2. Click to display the parameters of the ICA connection.

  3. Modify the parameters as needed. The following parameters are available:

    • Idle timeout: Connection timeout value in milliseconds. To avoid early timeout, set it to a larger value, for example a week (604800000 milliseconds).

      Warning

      Determining if a connection is idle is based on the network traffic generated by the connection, not the activity of the user. For example, if an application or the taskbar of a graphical desktop displays the time which is updated every minute, it generates network traffic every minute, negating the effects of timeout values greater than one minute and preventing SCB from closing the connection.

    • Reconnect timeout: How many milliseconds SCB waits for reconnections when reliable connections are used. Reliable connections use the Common Gateway Protocol (CGP).

    • Server connection attempts: How many times SCB tries to connect to the target server.

    • Reconnection intervals: How many milliseconds SCB waits between two connection attempts on the server side.

    • Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all, SCB does not establish the server-side connection.

    Note

    Reliability settings only apply if you have enabled Reliable connection in ICA Control > Connections.

  4. Click .

  5. Select this settings profile in the ICA settings field of your connections.

9.4. SCB deployment scenarios in a Citrix environment

This section enlists the available SCB deployment scenarios in a Citrix environment. The text on the arrows are formatted in (<step number>) <target port> format. The target ports define the protocols used in the communication:

  • 80: Web service, HTTP: the list of available resources fetched in an XML format from the broker (v12 and v11 with XenApp only). The broker sends all the necessary information, including secure gateway and server addresses to the client.

  • 8080: XML service, HTTP+XML: application discovery, load balancing (v12 and v11 with XenApp only), used to fetch target to the application/desktop by the client from the broker (used for load balancing, and so on).

  • 443: XML service access or SOCKS/ICA or CGP/ICA wrapped in SSL. The client communicates with the secure gateway on this port for everything.

  • 1080: SOCKS. The client can be configured to access the target server and the broker using a SOCKS proxy.

  • 1494: Plain ICA.

  • 2598: CGP/ICA (reliable mode enabled).

Warning

Accessing XenDesktop is supported only in the following scenarios. Only reliable connections (CGP) are supported.

Client - SCB - Server (Transparent mode)

The SCB is deployed between the client and the server and the clients use predefined connection files or Program Neighbourhood, without a broker or secure gateway. The clients try to connect to their original ICA/CGP server.

Figure 9.2. Client - SCB - Server (Transparent mode)

Client - SCB - Server (Transparent mode)

Client - SCB - Server (Non-transparent mode)

The SCB is deployed between the client and the server and the clients use predefined connection files or Program Neighbourhood, without a broker or secure gateway. The clients try to connect to SCB, which can distinguish between the potential targets for example by source IP, or by having multiple IP addresses itself.

Figure 9.3. Client - SCB - Server (Non-transparent mode)

Client - SCB - Server (Non-transparent mode)

Client - Broker - SCB - Server (Transparent mode)

The clients are using a farm broker which gives them a list of the available applications and servers, but they do not use a secure gateway in the network. The SCB is placed between the clients and the servers in transparent mode, and it catches the connections when the clients try to connect to the server IP addresses they got from the broker.

Figure 9.4. Client - Broker - SCB - Server (Transparent mode)

Client - Broker - SCB - Server (Transparent mode)

Client - Broker - original secure gateway - Secure Ticket Authority (STA) - SCB - Server

In this setup, a secure gateway is used in the network and the SCB is placed between this gateway and the servers in transparent mode. The clients connect to the broker for the list of available applications/servers and then make their further connections through the original secure gateway. That gateway forwards the connections either to the broker or to the CGP/ICA servers, which latter the SCB intercepts and audits/controls.

Figure 9.5. Client - Broker - original secure gateway - Secure Ticket Authority (STA) - SCB - Server

Client - Broker - original secure gateway - Secure Ticket Authority (STA) - SCB - Server

Client - Broker - SCB as socks proxy - Server

In this setup, the SCB acts as a SOCKS proxy for the client. It can be set either manually or specified by the broker. The client then makes all its connections to the broker or to the server using SCB as a proxy and hence it can audit/control these connections.

Figure 9.6. Client - Broker - SCB as socks proxy - Server

Client - Broker - SCB as socks proxy - Server

To configure such a scenario, you must set the ICA Connection Policy as follows:

  • Enter the IP address of SCB into the To field. This must be the public IP address that the clients will target.

  • Select Inband destination selection, and list the IP addresses or networks of target servers in the Targets field. (For details, see Procedure 7.3, Configuring inband destination selection.)

  • Select Act as a SOCKS proxy.

  • Add the IP addresses of your brokers to the Brokers field.

9.5. Troubleshooting Citrix-related problems

Accessing Citrix servers using the Remote Desktop Protocol

Accessing Citrix servers using the Remote Desktop Protocol may fail in certain situations, and the connection is terminated with the ERROR: error while decompressing packet error message on the client, or with the Event56, TermDD, The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. message on the server.

To overcome this problem, modify the settings of the network card of the server, and disable the Large Send Offload option.

Note

The problem is not related to using SCB in your environment.

Chapter 10. RDP-specific settings

The following sections describe configuration settings available only for the RDP protocol. Use the following policies to control who, when, and how can access the RDP connection.

Using multiple monitors (Multimon) is supported. To enable Multimon, use one of the following three methods:

  • enable Display > Use all my monitors for the remote session option in the Remote Desktop Client (mstsc.exe) window of the client machine

  • use the /multimon switch on the mstsc.exe command line

  • add the use multimon:i:1 row to the RDP file

Note

The Maximum display width and Maximum display height options should be high enough to cover the combined resolution of the client monitor setup. Connections that exceed these limits will automatically fail. Make sure to adjust these settings if your clients use multiple monitors. For example, if your clients use two monitors that have a resolution of 1920x1080 pixels each, set Maximum display width to 4000, and Maximum display height to 2200.

10.1. Supported RDP channel types

The available RDP channel types and their functionalities are described below. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.

  • Drawing: Enables access to the server's graphical desktop (screen). This channel must be enabled for RDP to work.

    Note

    In case the Drawing channel is disabled and the load of SCB is high, or the connection requires four-eyes authorization and the Authorizer is slow to accept the connection, the client might receive the following error message:

    The Remote Desktop Gateway server administrator has ended the connection.
    Try reconnecting later or contact your network administrator for assistance
  • Clipboard: Enable access to the server's clipboard: the clipboard of the remote desktop can be pasted into local applications (and vice-versa). Note that SCB can audit the clipboard channel, but cannot search or display its contents.

  • Redirects: Enables access to every device redirections available in RDP, like file-sharing, printer sharing, device (for example CD-ROM) sharing, and so on.

    • To make the list of file operations available in the File operations column of the Search > Search page, navigate to the Channel Policies page of the protocol, and enable the Log file transfers to database option. This option is disabled by default.

    • To send the file operations into the system log, enable the Log file transfers to syslog option. This option is disabled by default.

      Note

      Turning logging on might result in a slight performance penalty. If traffic load slows processes down, disable the option. You will see the file list in the audit player without enabling this option.

    To enable only specific types of redirections, use the following channels:

    • Serial redirect: Enables access to serial-port redirections.

    • Parallel redirect: Enables access to parallel-port redirections.

    • Printer redirect: Enables access to shared printers.

    • Disk redirect: Enables access to shared disk drives.

    • SCard redirect: Enables access to shared SCard devices.

    To permit only specific redirections, enter the unique name of the redirection into the Details field. For example, if you want to enable access only to the shared disk drive C:, enable the Disk redirect channel and enter C: into the Permitted devices field. Note that the name of the device comes from the device itself, so it is case sensitive, and may not always be reliable from a security point of view.

  • Sound: Enable access to the sound device of the server.

  • Custom: Applications can open custom channels to the clients connecting remotely to the server. Enabling the Custom channel allows the clients to access all of these custom channels. To permit only specific channels, enter the unique names of the channel into the Permitted devices field.

    For example, to monitor RemoteApp connections, you need to configure custom channels. For more information, see Procedure 10.11, Configuring RemoteApps.

  • Seamless: Enable seamless channels that run a single application on the RDP server, instead of accessing the entire desktop.

  • Dynamic virtual channel: Enable the server to open channels back to the client dynamically. To restrict which dynamic channels are permitted, select Channel details, click and enter the name of the permitted channel.

Note

When the channel opens, there are certain cases when the remote group is not known yet. For example, in case of an RDP or ICA login screen, the drawing channel has to be opened first to properly display the logon screen. Only those channel rules will apply, where the Remote group field is empty. In case of network level authentication, all required information is present already so this limitation does not apply.

10.2. Procedure – Creating and editing protocol-level RDP settings

Purpose: 

RDP settings determine the parameters of the connection on the protocol level, including timeout value, the version of RDP permitted in the connection, and display parameters. Complete the following procedure to create a new RDP settings profile or edit an existing one:

Figure 10.1. RDP settings

RDP settings

Warning

Modifying the RDP settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing.

Steps: 

  1. Navigate to RDP Control > Settings and click to create an RDP setting profile. Enter a name for the profile (for example rdp5only).

  2. Click to display the parameters of the RDP connection.

  3. Modify the parameters as needed. The following parameters are available:

    • Idle timeout: Timeout value for the connection in milliseconds. To avoid early timeout, set it to a larger value, for example a week (604800000 milliseconds).

      Warning

      Determining if a connection is idle is based on the network traffic generated by the connection, not the activity of the user. For example, if an application or the taskbar of a graphical desktop displays the time which is updated every minute, it generates network traffic every minute, negating the effects of timeout values greater than one minute and preventing SCB from closing the connection.

      Warning

      If the value is set below 31 seconds, MSTSC can fail and prevent new connections if Act as a TS Gateway is enabled in RDP Control > Connections. To prevent this, set the Idle timeout value to at least 31 seconds.

    • Maximum display width: The maximum allowed width of the remote desktop in pixels (for example 1024).

      Note

      The Maximum display width and Maximum display height options should be high enough to cover the combined resolution of the client monitor setup. Connections that exceed these limits will automatically fail. Make sure to adjust these settings if your clients use multiple monitors. For example, if your clients use two monitors that have a resolution of 1920x1080 pixels each, set Maximum display width to 4000, and Maximum display height to 2200.

    • Maximum display height: The maximum allowed height of the remote desktop in pixels (for example 768).

      Note

      The Maximum display width and Maximum display height options should be high enough to cover the combined resolution of the client monitor setup. Connections that exceed these limits will automatically fail. Make sure to adjust these settings if your clients use multiple monitors. For example, if your clients use two monitors that have a resolution of 1920x1080 pixels each, set Maximum display width to 4000, and Maximum display height to 2200.

    • Maximum display depth: The maximum allowed color depth the remote desktop in bits (for example 24). The following values are valid: 8, 15, 16, 24.

      Warning
      • Using 32-bit color depth is currently not supported: client connections requesting 32-bit color depth automatically revert to 24-bit.

      • Certain Windows versions do not support 24-bit color depth. In this case, those versions can only be displayed in 16-bit color depth. SCB automatically changes its settings to 16-bit.

    • Enable RDP4: Select this option to enable the version 4 of the Remote Desktop Protocol.

    • Enable RDP5: Select this option to enable the version 5 of the Remote Desktop Protocol. To enable SSL-encryption for the RDP protocol, select the Enable RDP5 option, and either select the Enable Network Level Authentication option, or set a Signing CA in your connection policies.

    • Enable Network Level Authentication: Select this option to enable the use of Network Level Authentication (NLA, also called Credential Security Service Provider or CredSSP).

      Note the following points:

      • SSL-encrypted connections do not require this option, it is only needed for Network Level Authentication (NLA).

      • Smartcard authentication cannot be used when the Enable Network Level Authentication option is enabled.

      Warning
      • To access hosts running Windows 2008 Server R2 using Network Level Authentication (NLA), select the Enable RDP4 style authentication option as well.

      • To access servers from Windows XP SP3 clients using Network Level Authentication (NLA), you have to turn CredSSP on. For details, see Description of the CredSSP in Windows XP SP3.

    • Enable RDP4 style authentication: Select this option to enable RDP4 authentication within the RDP5 protocol. This might be needed for compatibility reasons with certain client applications.

    • Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all, SCB does not establish the server-side connection.

    • Permit unreliable usernames: SCB automatically terminates RDP connections if it cannot reliably extract the username from the RDP connection. Enable this option to permit connections with unreliable usernames. For details on ensuring that the usernames in RDP connections are reliable, see Section 10.9, Usernames in RDP connections.

      Known issue: When a accessing a Windows Server 2003 R2 host, the Permit unreliable usernames option is disabled, and the username is unreliable, SCB terminates the connection, but only after the user logs in. As a result, the session is not closed on the server-side.

    • Autologon domain suffix: Enter the suffix that the client will append to the domain when using autologon in conjunction with Network Level Authentication (CredSSP).

  4. Click .

  5. Select this settings profile in the RDP settings field of your connections.

10.3. Network Level Authentication (NLA) with SCB

You can configure SCB to use Network Level Authentication (NLA) in two different scenarios.

10.3.1. Procedure – Network Level Authentication (NLA) with domain membership

Purpose: 

Joining a domain is required when using Credential Security Service Provider (CredSSP, also called Network Level Authentication or NLA).

Prerequisites: 

The target servers and SCB must be in the same domain, or you must establish trust between the domains that contain the target servers and SCB. For details on the type of trust required, see Section 10.3.2, Using SCB across multiple domains. If you cannot or do not want to join SCB to the domain, see Procedure 10.3.3, Network Level Authentication without domain membership.

Steps: 

  1. Navigate to RDP Control > Settings, and select the Enable Network Level Authentication option. (If you will have connections that will not use Network Level Authentication, create a separate RDP Settings policy).

  2. Navigate to RDP Control > Domain membership.

  3. Enter the name of the domain (for example mydomain) into the Domain field.

    Figure 10.2. Joining a domain

    Joining a domain

  4. Enter the name of the realm (for example mydomain.example.com) into the Full domain name field.

    Note

    Ensure that your DNS settings are correct and that the full domain name can be resolved from SCB. To check this, navigate to Basic Settings > Troubleshooting > Ping, enter the full domain name into the Hostname field, and select Ping host.

  5. Click .

  6. Click Join domain. A pop-up window is displayed.

  7. SCB requires an account to your domain to be able to join the domain. Enter the following information:

    • The name of the user into the Username field.

    • The password into the Password field.

      Note

      SCB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>[email protected][\]^-`{|}

    • The name of your domain controller into the Domain controller field. If you leave this field blank, SCB tries to find the domain controller automatically.

      Note

      Ensure that your DNS settings are correct and that the hostname of the domain controller can be resolved from SCB. To check this, navigate to Basic Settings > Troubleshooting > Ping, enter the name of the domain controller into the Hostname field, and select Ping host.

    • The organizational unit into the Organization unit field.

  8. Click Join domain.

  9. If successful, SCB displays the name of the domain it joined.

10.3.2. Using SCB across multiple domains

If your users work are in a domain (EXAMPLE-DOMAIN), SCB is also in that domain (EXAMPLE-DOMAIN), but your users need to access servers that are in a different domain (OTHER-DOMAIN), you must establish a level of trust between the domains. This is summarized in the following table.

Domain username of the client Domain of the target server Result
EXAMPLE-DOMAIN\myusername EXAMPLE-DOMAIN Connection is established
EXAMPLE-DOMAIN\myusername OTHER-DOMAIN If OTHER-DOMAIN trusts EXAMPLE-DOMAIN, the connection is established
OTHER-DOMAIN\myusername OTHER-DOMAIN If two-way trust is established between OTHER-DOMAIN and EXAMPLE-DOMAIN, the connection is established
OTHER-DOMAIN\myusername EXAMPLE-DOMAIN If two-way trust is established between OTHER-DOMAIN and EXAMPLE-DOMAIN, the connection is established

10.3.3. Procedure – Network Level Authentication without domain membership

Purpose: 

There are scenarios when you want to use SCB to monitor RDP access to servers that accept only Network Level Authentication (NLA, also called CredSSP), but SCB is not a member of the same domain (or of a trusted domain) as the RDP server. For example, you cannot add SCB to that domain for some reason, or the RDP server is a standalone server that is not part of a domain. The following table shows such a scenario.

User Client domain membership SCB domain membership Server domain membership
local or any domain any domain not a domain member, or other than <server-domain> <server-domain>

Limitations: 

  • Server-side redirection may not work.

  • You must properly configure your RDP clients (as described in the following steps).

Steps: 

  1. Navigate to RDP Control > Settings, and clear the Enable Network Level Authentication > Require domain membership option.

  2. Configure your RDP clients.

    • On Windows Vista SP1 and newer platforms (Remote Desktop Protocol 6.1 or newer):

      Navigate to Local Group Policy Editor > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client and enable the Prompt for credentials on the client computer option in the clients. For details, see https://technet.microsoft.com/en-us/library/cc753945%28v=ws.10%29.aspx.

    • On Windows Vista and older platforms (Remote Desktop Protocol 6.0 or older):

      Configure your RDP clients to save the credentials, or make sure that the Allow me to save credentials option is selected in the RDP client.

10.4. Procedure – Using SSL-encrypted RDP connections

Purpose: 

To enable SSL-encrypted RDP connections, you have two options:

  • Enable Network Level Authentication (NLA, also called CredSSP). To enable NLA in RDP connections, see Section 10.3, Network Level Authentication (NLA) with SCB. Note that Network Level Authentication uses SSL-encryption with self-signed certificates, so you do not have to configure a signing CA.

  • Enable RDP5 connections and configure a signing CA. If both the client and the server supports SSL encryption, the connection will be encrypted. To use this solution, complete the following steps.

Steps: 

  1. Navigate to RDP Control > Settings, and select the Enable RDP5 option in the protocol settings of the connection. In the default setting, this is enabled. For details, see Procedure 10.2, Creating and editing protocol-level RDP settings.

  2. Create a certificate authority that will be used to sign the certificates that SCB shows to the client. For details, see Procedure 7.12, Signing certificates on-the-fly.

  3. Navigate to RDP Control > Connections and select the connection policy to modify.

  4. Figure 10.3. Using SSL-encryption in RDP connections

    Using SSL-encryption in RDP connections

    In the Signing CA field, select the certificate authority to use.

    Warning

    SSL-encrypted RDP connections will be automatically rejected if no signing CA is selected.

  5. Click .

10.5. Procedure – Verifying the certificate of the RDP server in encrypted connections

Purpose: 

By default, SCB accepts any certificate shown by the server. To accept only verified certificates, complete the following steps:

Steps: 

  1. Create a list of trusted CA certificates that will be used to verify the certificate of the server. For details, see Procedure 7.11, Verifying certificates with Certificate Authorities.

  2. Navigate to RDP Control > Connections and select the connection policy to modify.

  3. Figure 10.4. Using SSL-encryption in RDP connections

    Using SSL-encryption in RDP connections

    Select Verify server certificate.

  4. Select the CA list to use for verifying the certificate of the server from the Trusted CA list field.

  5. Click .

  6. Optional step: Configure your Windows servers to display a certificate signed with the above Certificate Authority for incoming RDP connections. To accomplish this, complete the following steps:

    1. Generate a certificate that contains the IP address or the hostname of the target server in its Common Name (CN) field and sign it with the Certificate Authority whose certificate you added to the Trusted CA list of SCB.

    2. Convert the signed certificate of the target server to PKCS12 format that includes the private key.

    3. Start the Microsoft Management Console (MMC) on the target server and select Add Snap-in > Certificates > Computer Account.

    4. Right-click on the Personal store, then select All Tasks > Import, and select the certificate created for the server.

    5. Complete the Certificate Import Wizard, but do not select the Extended certificate properties option.

    6. Select Start > Administrative tools > Remote Desktop > Remote Desktop Session Host Configuration.

    7. Right-click on the connection you want to configure and select Properties > General.

    8. Set the Security layer to SSL.

    9. Click Certificate > Select and select the imported certificate. The server will use this certificate to verify its identity for the incoming RDP connections.

10.6. Procedure – Using SCB as a Terminal Services Gateway

Purpose: 

Terminal Services Gateway (TS Gateway) is a role service in the Terminal Services server role that allows authorized remote users to connect to resources located on an internal or private network from any Internet-connected device. The accessible resources can be terminal servers, remote applications, remote desktops, and so on.

The Terminal Services Gateway Server Protocol is a remote procedure call (RPC) protocol using HTTPS as the transport mechanism, used primarily for tunneling client to server traffic across firewalls. The Balabit Shell Control Box can act as a Terminal Services Gateway, receiving connections using the Terminal Services Gateway Server Protocol and transferring them to the target servers using the RDP protocol.

The Terminal Services Gateway Server Protocol enables inband destination selection, meaning that SCB can extract the address of the target server from the client connections. This greatly simplifies managing connections on SCB without having to encode the name of the target server in the username, which was problematic as the length of the username is limited on many platforms — especially in non-transparent mode.

Prerequisites: 

  • To access remote servers using a Terminal Services Gateway, the clients must use version 6.1 or newer of the Remote Desktop application. Note that officially only version 6.0 is available for the Windows 2003 Server operating system, though it is possible to install a newer version. However, this is a problem only when initiating RDP connections from the Windows 2003 Server host, not when the Windows 2003 Server is the target of the connection.

  • Please note that Windows XP clients can only access Terminal Services Gateway with Service Pack 3 and CredSSP fix installed. See the Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3 for details on installing CredSSP fix.

  • SCB must be a member of a Windows Domain (for details on joining a domain, see Procedure 10.3.1, Network Level Authentication (NLA) with domain membership), or you must use a Local User Database (for details, see Procedure 7.13, Creating a Local User Database).

  • Ensure that the system times of the Domain Controller, the target servers, the clients, and SCB are synchronized.

  • Gateway authentication on the SCB web interface cannot be used for connection policies that use SCB as a Terminal Services Gateway. However, the Remote Desktop applications of the clients can be configured to perform two separate authentications, one on the Terminal Services Gateway (that is, on SCB), and one on the target server. For details on configuring the Remote Desktop applications of the clients to perform gateway authentications, see Procedure 10.7, Configuring Remote Desktop clients for gateway authentication.

  • The Terminal Services Gateway Server Protocol supports various authentication methods. SCB acting as a Terminal Services Gateway supports only NTLM authentication.

  • SCB can be used as a Terminal Services Gateway. The terminal service clients must be configured to use SCB as the Terminal Services Gateway. SCB will connect the server (selected inband) after authentication.

  • Terminal Services Gateway will require a certificate. Decide whether you want to use a fix certificate, or an on-the-fly generated certificate before performing the steps below and prepare the certificate.

  • You may also need to adjust the port settings of the connections. The default port for RDP connections is 3389, but the Terminal Services Gateway Server Protocol uses port 443. However, the SCB web interface uses port 443 as well, and other connection policies might already use port 443. Therefore, if administrator or user login is enabled on the interface that receives the Terminal Services connections, add a new alias IP address to the interface of SCB and use this alias in your connection policy and the client configurations. For details on creating IP aliases on SCB, see Procedure 4.3.2, Managing logical interfaces.

Steps: 

  1. Navigate to RDP Control > Connections and create a new connection policy that will handle the incoming client connections that use the Terminal Services Gateway Server Protocol.

  2. Enable the Act as a Terminal Services Gateway option.

    Figure 10.5. Configuring SCB as a Terminal Services Gateway

    Configuring SCB as a Terminal Services Gateway

  3. Set the target of the connections.

    • To direct every incoming connection to a single target server, select Use fix address and specify the address of the target server.

    • To extract the destination address from the Terminal Services Gateway Server Protocol, select Inband destination selection and set the address of the servers the clients are allowed to access in the Target > Domain fields. For details on using inband destination selection, see Procedure 7.2, Modifying the destination address.

    Note

    In non-transparent mode, enter the IP address generated for the Terminal Services Gateway service into the To field. Do not enter the IP address configured for administrator or user login.

  4. To act as a Terminal Services Gateway, SCB needs to display a certificate to the clients.

    • To display always the same certificate, select Use the same certificate for every connection and upload the X.509 certificate and the matching private key.

      Balabit recommends using 2048-bit RSA keys (or stronger).

      Warning

      The Common Name (CN) of the certificate must be the FQDN of SCB, which is the address of the Terminal Services Gateway specified in the client applications. Otherwise the clients will reject the connections.

    • To automatically create new certificates on SCB for every client, select Generate certificate on-the-fly, then select the Certificate Authority (CA) to sign the generated certificates with from the Signing CA field. For details on creating a signing CA, see Procedure 7.12, Signing certificates on-the-fly.

      By default, the Common Name (CN) of the generated certificate is <SCB-hostname.domainname>. You can set a custom Common Name in the Custom Common Name field.

      Note

      Save the CA certificate used to sign the certificate that SCB shows into DER format and import it to the clients into the Local Computer > Trusted Root Certificate store of the clients so that the clients can verify the identity of SCB.

    • To use Active Directory for authentication, select Active Directory.

    • To use a Local User Database for authentication, select Local User Database, enter the Domain and select the Local User Database from the list.

  5. Configure other parameters of the connection policy as needed for your environment.

  6. Click .

10.7. Procedure – Configuring Remote Desktop clients for gateway authentication

Purpose: 

To configure the Remote Desktop applications of the clients to perform two separate authentications: one on the Terminal Services Gateway (that is, on SCB), and one on the target server. For details on configuring SCB to act as a Terminal Services Gateway, see Procedure 10.6, Using SCB as a Terminal Services Gateway.

Prerequisites: 

  • SCB must be configured to act as a Terminal Services Gateway. For details, see Procedure 10.6, Using SCB as a Terminal Services Gateway.

  • The client must use version 6.1 or newer of the Remote Desktop application.

  • The target server must be member of a domain.

  • The logical interface of SCB must be accessible from the client. You might have to add the address of the logical interface to the Windows/System32/Drivers/etc/hosts file to accomplish this.

Steps: 

  1. On your Windows client, start the Remote Desktop Connection application and select Advanced > Settings.

    Figure 10.6. Configuring Remote Desktop clients to use SCB as a Terminal Services Gateway

    Configuring Remote Desktop clients to use SCB as a Terminal Services Gateway

  2. Configure the client to use SCB as its Terminal Services Gateway. Select Connection settings > Use these RD Gateway settings.

    Figure 10.7. Configuring Remote Desktop clients to use SCB as a Terminal Services Gateway

    Configuring Remote Desktop clients to use SCB as a Terminal Services Gateway

  3. Enter the address of SCB into the Server name field. Use the address of the SCB's logical interface that you have configured to accept RDP connections.

  4. Select Logon method > Ask for password (NTLM).

  5. Uncheck the Bypass RD Gateway server for local addresses and Use my RD Gateway credentials for the remote computer options.

    Note

    Technically, gateway authentication is performed even if the Use my RD Gateway credentials for the remote computer option is selected, but the same credentials are used on the gateway and on the remote server.

  6. Click OK.

  7. Into the Username enter the domain username (for example, exampledomain\exampleusername).

  8. Click Connect.

    Note

    Depending on your network environment, it might take up to a minute until the connection is established.

10.8. Inband destination selection in RDP connections

To use inband destination selection with RDP connections, it is recommended to use SCB as a Terminal Services Gateway. For details, see Procedure 10.6, Using SCB as a Terminal Services Gateway.

To use inband destination selection with RDP connections without using SCB as a Terminal Services Gateway, you must use SSL-encrypted RDP connections (see Procedure 10.4, Using SSL-encrypted RDP connections).

In the latter case, perform the following configuration on your clients:

  • On Windows Vista SP1 and newer platforms (Remote Desktop Protocol 6.1 or newer):

    Navigate to Local Group Policy Editor > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client and enable the Prompt for credentials on the client computer option in the clients. For details, see https://technet.microsoft.com/en-us/library/cc753945%28v=ws.10%29.aspx.

  • On Windows Vista and older platforms (Remote Desktop Protocol 6.0 or older):

    Configure your RDP clients to save the credentials, or make sure that the Allow me to save credentials option is selected in the RDP client.

Also, your users have to encode the address of the destination server in the username field in their client application. Since most RDP client applications limit which special characters can be used in usernames, this is not always intuitive. For the Microsoft Remote Desktop application (mstsc), note the following points:

  • Use % character to separate the fields, for example: username%my-targetserver

  • To specify the port number of the server (if it does not use the default port), use the caret ^ character, for example: username%my-targetserver^6464

  • To specify an IPv6 address, replace the colons with carets, and enclose the address in parentheses. For example, to target the ::1 IP address, use username%(^^1). To target port 6464 of the same server, use username%(^^1)^6464.

10.9. Usernames in RDP connections

When processing RDP connections, SCB attempts to extract the username from the connection. For example, you need the username to:

SCB can record the username automatically in the following situations if the RDP connection is using Network Level Authentication (CredSSP), and usually in other scenarios as well. The known scenarios that interfere with RDP usernames are listed in Section Windows settings that interfere with username extraction.

To ensure that your users can access the target servers only when their username is recorded, you can configure SCB to terminate RDP connections if it cannot reliably extract the username. To terminate such connections, disable the RDP Control > Settings > Permit unreliable usernames option.

Windows settings that interfere with username extraction

The following settings on the Windows client or server can prevent SCB from correctly extracting the username from the RDP connection. As a result, the username is not visible on the Search, Four Eyes and Active Connections pages.

  • The DontDisplayLastUserName option is enabled on the server. The DontDisplayLastUserName security setting of Windows servers specifies whether the username from the last successful login is displayed on the login screen as a default for the next login. To disable the DontDisplayLastUserName security setting, do one of the following.

  • There is no server-side authentication. To avoid this problem, ensure that your server requires authentication from the users.

  • If the server is Windows 2003 Server or Windows XP and the Allow to save credentials or Remember my credentials options are enabled in the Remote Desktop client application. In this case, disable these options on the client, and delete any credentials that have already been saved on the client.

10.10. Procedure – Saving login credentials for RDP on Windows

You can use automatic RDP login on Windows, but the stored credentials are not trusted by default, and you have to enter the password for each connection. Create the following local policies on the client to allow delegating saved credentials:

  1. Start the Group Policy Editor: run gpedit.msc

  2. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation

  3. Open the Allow Delegating Saved Credentials with NTLM-only Server Authentication policy

  4. Click Show and enter TERMSRV/*

  5. Click Apply

  6. Open the Allow Delegating Saved Credentials policy

  7. Click Show and enter TERMSRV/*

  8. Click Apply

  9. Open the Allow Delegating Default Credentials with NTLM-only Server Authentication policy

  10. Click Show and enter TERMSRV/*

  11. Click Apply

  12. Open the Allow Delegating Default Credentials policy

  13. Click Show and enter TERMSRV/*

  14. Click Apply

  15. Verify that the Deny Delegating Saved Credentials policy does not contain TERMSRV/* in the list

  16. Close the Group Policy Editor

  17. From the command line, issue the gpupdate /force command

10.11. Procedure – Configuring RemoteApps

Overview: 

RemoteApps use RDP channels that are denied by default. When configuring RDP connections for RemoteApps on SCB, create a custom channel policy which enables the following channels:

  • Drawing

  • rail

  • rail_ri

  • rail_wi

Figure 10.8. Configuring the required channels for RemoteApps

Configuring the required channels for RemoteApps

Prerequisites: 

You must disable the Use advanced RemoteFX graphics for RemoteApp group policy on the RDP server.

The policy is available at Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > Use advanced RemoteFX graphics for RemoteApp.

Steps: 

  1. Navigate to RDP Control > Channel Policies.

  2. Click to create a new channel policy.

  3. Enter the name for the channel policy.

  4. Choose Drawing as the channel type.

  5. Click to add an additional channel type.

  6. Choose Custom as the second channel type.

  7. In Channel details, click to add the following channels:

    • rail

    • rail_ri

    • rail_wi

    (You have to click for each channel.)

  8. Click to save the channel policy.

  9. You have created a channel policy for RemoteApps.

    When you configure a connection that uses RemoteApps in RDP Control > Connections, select this channel policy as the Channel policy of the connection.

Chapter 11. SSH-specific settings

The following sections describe configuration settings available only for the SSH protocol. Use the following policies to control who, when, and how can access the SSH connection.

  • Hostkeys and host certificates: SCB allows you to set how the identity of the client hosts and servers is verified. For details, see Procedure 11.1, Setting the SSH host keys and certificates of the connection.

  • Authentication Policy: Authentication policies describe the authentication methods allowed in a connection. Different methods can be used for the client and server-side connections. For details, see Section 11.3, Authentication Policies.

  • User List: A user list is a list of usernames permitted to use — or forbidden from using — the connection. Essentially it is a blacklist or a whitelist. All users matching the other requirements of the connection are accepted by default. For details, see Procedure 7.8, Creating and editing user lists.

  • Channel Policy: The channel policy determines which SSH channels (for example terminal session, SCP, and so on) can be used in the connection, and whether they are audited or not. The different channels may be available only under certain restrictions, as set in the channel policy. For details, see Procedure 7.5, Creating and editing channel policies.

  • SSH settings: SSH settings determine the parameters of the connection on the protocol level, including timeout value and greeting message of the connection. The following parameters determine which algorithms are used in the connections, and can be set independently for the client and the server side: key exchange, host key, cipher, MAC, and compression algorithms. The default values include all possible algorithms. For details, see Procedure 11.5, Creating and editing protocol-level SSH settings.

  • Content Policy: Content policies allow you to inspect the content of the connections for various text patterns, and perform an action if the pattern is found. For example, SCB can send an e-mail alert if a specific command is used in an SSH terminal session. For details, see Procedure 7.6.1, Creating a new content policy.

  • Ticketing Policy: Ticketing policies allow you to request a ticket ID from the user before authenticating on the target server. That way, SCB can verify that the user has a valid reason to access the server — and optionally terminate the connection if he does not. For details, see Section 18.5, Integrating ticketing systems.

11.1. Procedure – Setting the SSH host keys and certificates of the connection

Purpose: 

By default, SCB accepts and stores the host key or certificate of the server when the connection is first established. To manually set the SSH keys and certificates used and accepted in the connection, complete the following steps.

Steps: 

  1. Figure 11.1. Configuring SSH host keys of the connection

    Configuring SSH host keys of the connection

    Navigate to SSH Control > Connections and click to display the details of the connection.

  2. To verify the identity of the servers based on their hostkeys, select Server-side hostkey settings > Allow plain host keys.

    Note

    At least one of the Server-side hostkey settings options must be enabled.

    • Select Accept key for the first time to automatically record the key shown by the server on the first connection. SCB will accept only this key from the server in later connections. This is the default behavior of SCB.

    • Select Only accept trusted keys if the key of the server is already available on SCB. SCB will accept only the stored key from the server. For further information on setting the host keys of the server, see Section 11.4, Server host keys and certificates.

    • Select No check required to disable SSH host key verification.

      Warning

      Disabling SSH host key verification makes it impossible for SCB to verify the identity of the server and prevent man-in-the-middle (MITM) attacks.

  3. To verify the identity of the servers based on their X.509 host certificates, select Server-side hostkey settings > Allow X.509 host certificates.

    Note

    At least one of the Server-side hostkey settings options must be enabled.

    • Select Accept certificate for the first time to automatically record the certificate shown by the server on the first connection. SCB will accept only this certificate from the server in later connections.

    • Select Only accept uploaded certificates if the certificate of the server is already available on SCB. SCB will accept only the stored certificate from the server. for further information on setting the host certificate of the server, see Section 11.4, Server host keys and certificates.

    • Select Only accept certificates authenticated by the trusted CA list to verify the host certificate of the server to a CA certificate, and select the Trusted CA list to use in the Trusted CA list field. For details on creating CA lists, see Procedure 7.11, Verifying certificates with Certificate Authorities.

      Note

      By default, SCB accepts only plain hostkeys, and accepts them for the first time.

    • Select No check required to disable SSH host key verification.

      Warning

      Disabling SSH host key verification makes it impossible for SCB to verify the identity of the server and prevent man-in-the-middle (MITM) attacks.

  4. To set the RSA and DSA host keys that SCB shows to the clients, select Client side hostkey settings > Allow plain host keys, and click the icon in the RSA host key or the DSA host key fields to set the RSA and DSA host keys, respectively. It is possible to upload or paste a key or to generate a new one. Click on the fingerprint to display the public part of the key.

    Balabit recommends using 2048-bit RSA keys (or stronger).

    Warning

    When generating DSA keys, change the key size to 1024 bits.

  5. To enable SCB to show an X.509 certificate to the clients, select Client side hostkey settings > Allow X.509 host certificates.

    • To always use the same certificate, select Use the same certificate for every connection and upload a private key and a certificate.

    • To generate a new certificate for the connection policy (not for every session), select Generate certificates on-the-fly, and set the CA to use for signing the certificate in the Signing CA field. For details about creating signing CAs, see Procedure 7.12, Signing certificates on-the-fly.

  6. Click .

11.2. Supported SSH channel types

The available SSH channel types and their functionalities are described below. For a list of supported client applications, see Section 2.2, Supported protocols and client applications.

  • Agent: Forwards the SSH authentication agent from the client to the server.

    Note

    To perform agent-based authentication on the target server, it is not required to enable the Agent-forwarding channel in the Channel Policy used by the connection. The Agent-forwarding channel is needed only to establish connections from the target server to other devices and authenticate using the agent running on the client.

  • X11 Forward: Forwards the graphical X-server session from the server to the client. Enter the address of the client into the Details > Target address field to permit X11-forwarding only to the specified clients. Specify IP addresses or networks (in IP address/Prefix format).

    To be able to display X11 trails, certain fonts are required. For details, see Procedure 17.3.6, Adding a new font for displaying X11 trails.

    Note

    Certain client applications send the Target address as a hostname, while others as an IP address. If you are using a mix of different client applications, you might have to duplicate the channel rules and create IP-address and hostname versions of the same rule.

  • Local Forward: Forwards traffic arriving to a local port of the client to a remote host. To enable forwarding only between selected hosts, enter their IP addresses into the Details field. If the Details field is empty, local forwarding is enabled without restriction, the client may forward any traffic to the remote host. Enter the source of the forwarded traffic into the Originator, the target of the traffic into the Target field. Specify IP addresses or networks (in IP address/Prefix format). These parameters are the end-points of the forwarded traffic (that is, the local host that sends data to the remote host), and not the SSH server or the client. For example, to enable forwarding from the 192.168.20.20 host to the remote host 192.168.50.50, enter 192.168.20.20 into the Originator, and 192.168.50.50 into the Target field.

    Figure 11.2. Local TCP forwarding

    Local TCP forwarding

    Note

    Certain client applications send the Originator and Target addresses as hostnames, while others as IP addresses. If you are using a mix of different client applications, you might have to duplicate the channel rules and create IP-address and hostname versions of the same rule.

    Warning

    Port forwarding across SCB may fail for certain SSH client-server combinations. This happens if within the protocol, the address of the remote host is specified as a hostname during the port-forwarding request (SSH_MSG_GLOBAL_REQUEST), but the hostname is resolved to IP address in the channel opening request (SSH_MSG_CHANNEL_OPEN. By default, SCB rejects such connections.

    To enable these connections, navigate to SSH Control > Settings, and disable the Strict mode option.

  • Remote Forward: Forwards traffic arriving a remote port of the server to the client. To enable forwarding only between selected hosts, enter their IP addresses into the Details field. If the Details field is empty, remote forwarding is enabled without restriction, the SSH server may forward any traffic to the client. Enter the source of the forwarded traffic into the Originator, the target of the traffic into the Target field. Specify IP addresses or networks (in IP address/Prefix format). These parameters are the end-points of the forwarded traffic (that is, the remote host that sends data to the client), and not the SSH server. For example, to enable forwarding from the 192.168.20.20 remote host to the client 192.168.50.50, enter 192.168.20.20 into the Originator, and 192.168.50.50 into the Target field.

    Figure 11.3. Remote TCP forwarding

    Remote TCP forwarding

    Note

    Certain client applications send the Originator and Target addresses as hostnames, while others as IP addresses. If you are using a mix of different client applications, you might have to duplicate the channel rules and create IP-address and hostname versions of the same rule.

    Warning

    Port forwarding across SCB may fail for certain SSH client-server combinations. This happens if within the protocol, the address of the remote host is specified as a hostname during the port-forwarding request (SSH_MSG_GLOBAL_REQUEST), but the hostname is resolved to IP address in the channel opening request (SSH_MSG_CHANNEL_OPEN. By default, SCB rejects such connections.

    To enable these connections, navigate to SSH Control > Settings, and disable the Strict mode option.

  • Session Exec: Execute a remote command (for example rsync) without opening a session shell. Enter the permitted command into the Permitted commands field. You can use regular expressions to specify the commands. This field can contain only letters (a-z, A-Z), numbers (0-9), and the following special characters ({}()*?\\|[]).

    Warning

    Restricting the commands available in Session Exec channels does not guarantee that no other commands can be executed. Commands can be renamed, or executed from shell scripts to circumvent such restrictions.

  • Session Exec SCP: Transfers files using the Secure Copy (SCP) protocol.

    • To make the list of file operations available in the File operations column of the Search > Search page, navigate to the Channel Policies page of the protocol, and enable the Log file transfers to database option. This option is disabled by default.

    • To send the file operations into the system log, enable the Log file transfers to syslog option. This option is disabled by default.

      Note

      Turning logging on might result in a slight performance penalty. If traffic load slows processes down, disable the option. You will see the file list in the audit player without enabling this option.

    Warning

    The WinSCP application does not follow the RFC of the SCP protocol properly, but transfers files in a Session Shell channel instead of a Session Exec SCP channel. This has the following results:

    • If the Session Shell channel is enabled in a Channel Policy (this is needed for SSH terminal sessions as well), and your users use WinSCP using the File protocol > SCP option, they will be able to transfer files to and from the server. Also, these files will not be listed in the File operations field of the Search > Search page, and you cannot save the files from the audit trail using the Audit Player application.

    • To avoid these problems, you have to enforce that your clients use WinSCP with the File protocol > SFTP option. WinSCP uses SFTP by default, but can be changed manually to use SCP, and also falls back to using SCP if a server rejects SFTP.

    • To terminate the connection when a user transfers a file with WinSCP using the Session Shell channel, create a Content Policy that matches the WinSCP: this is end-of-file string in screen content, and use this policy in your Connection Policies. For details on Content Policies, see Section 7.6, Real-time content monitoring with Content Policies. This solution has been tested with WinSCP version 5.1.5: if it does not work for your version, contact the Balabit Support Team.

  • Session Subsystem: Use a subsystem. Enter the name of the permitted subsystem into the Details field.

  • Session SFTP: Transfers files using the Secure File Transfer Protocol (SFTP).

    • To make the list of file operations available in the File operations column of the Search > Search page, navigate to the Channel Policies page of the protocol, and enable the Log file transfers to database option. This option is disabled by default.

    • To send the file operations into the system log, enable the Log file transfers to syslog option. This option is disabled by default.

      Note

      Turning logging on might result in a slight performance penalty. If traffic load slows processes down, disable the option. You will see the file list in the audit player without enabling this option.

  • Session Shell: The traditional remote terminal session.

    Warning

    The WinSCP application does not follow the RFC of the SCP protocol properly, but transfers files in a Session Shell channel instead of a Session Exec SCP channel. This has the following results:

    • If the Session Shell channel is enabled in a Channel Policy (this is needed for SSH terminal sessions as well), and your users use WinSCP using the File protocol > SCP option, they will be able to transfer files to and from the server. Also, these files will not be listed in the File operations field of the Search > Search page, and you cannot save the files from the audit trail using the Audit Player application.

    • To avoid these problems, you have to enforce that your clients use WinSCP with the File protocol > SFTP option. WinSCP uses SFTP by default, but can be changed manually to use SCP, and also falls back to using SCP if a server rejects SFTP.

    • To terminate the connection when a user transfers a file with WinSCP using the Session Shell channel, create a Content Policy that matches the WinSCP: this is end-of-file string in screen content, and use this policy in your Connection Policies. For details on Content Policies, see