SSH Tectia

Defining SSH Tectia Connector Settings

SSH Tectia Connector settings are defined entirely in the SSH Tectia Configuration tool.

Defining General Settings for Connector


Figure 4.29. Defining general settings for SSH Tectia Connector

Defining Applications for Pass-Through

Applications that are passed through are defined in the General Settings view.

  • Select the Pass-through when engine down check box to have connections passed through (that is, sent out without tunneling) when the SSH Tectia Connector engine is not operational. Enable this option only when SSH Tectia Connector has to be deactivated temporarily without blocking network communications. If users are to reach the network only over secured connections, leave this option cleared.

  • Use the Pass-through apps text box to enter the process names of the applications that are allowed to pass through. Names are compared case-insensitively and must include the file extension (the exact process name can be checked in Windows Task Manager). Separate entries with commas, for example: ssh-client-g3.exe,nslookup.exe,ping.exe

Defining Pseudo IPs

Pseudo IP numbers are used when accessing the internal network from the outside, because name resolution for the machines in the internal network is not available from the outside. When a filter rule specifies them, pseudo IP numbers are used in place of IP addresses that the Connection Broker cannot resolve.

Specify an IP address (using the dotted decimal notation) in the Pseudo IP start text box. This address is used as the base for the pseudo IP addresses that will be generated for connections.

Settings

When the Show security notification check box is selected, a notification is briefly displayed when a new application is secured. A list of currently tunneled applications is shown in the Connector icon tray menu.


Figure 4.30. Security notification

Select the Enable Connector check box to use Connector. The text Connector enabled is then shown in the tray menu. While Connector is enabled, it can be temporarily disabled from the tray menu by clicking the Connector enabled menu option. To keep Connector disabled in future sessions as well, clear the Enable Connector check box.

Defining Filter Rules


Figure 4.31. Filter rules

Type an application name in the Application to tunnel field or click Browse... to locate an application.

Click the Add... button to define a new filter rule in the Add a new filter dialog box. Click Edit... to modify the selected rule, or Delete to remove it.


Figure 4.32. Defining a filter rule

  • Hostname: The DNS name (for example: fw.company.com). At least one of this field and the IP address field must have a value. When both the hostname and the IP address are defined, both have to match for the rule to take effect. This value can be a regular expression; see Appendix A in the SSH Tectia Connector Administrator Manual.

  • IP address: The IP address (for example: 10.1.0.49). When both the hostname and the IP address are defined, both have to match for the rule to take effect. If this value is not defined, the engine resolves the IP address with a DNS query. This value can be a regular expression; see Appendix A in the SSH Tectia Connector Administrator Manual.

  • Ports: Select a single port or a port range and define port numbers for the tunneled connections.

  • Action: Select one of the following:

    DIRECT

    The connection is made directly to the host without tunneling, using the host's IP address if it can be resolved. If it cannot be resolved, the connection fails.

    BLOCK

    The connection is blocked. Applications usually inform the user that the connection is refused.

    TUNNEL

    The connection is tunneled through the selected profile. If the application connects using the DNS name, the tunnel is created with the DNS name, so the actual name resolution is done at the remote end; this allows tunneling to hosts that are not visible to the local machine. If the connection's port is outside the port or port range defined for the rule, the connection is made directly.

  • Select a server profile to tunnel through from the second drop-down list.

  • Fallback to plain text if connection cannot be established: If creating the tunnel fails (or the connection to the Secure Shell server fails), the Connection Broker normally returns a "host not reachable" error. When this check box is selected, a direct (unsecured) connection is made instead. Leave it cleared for hosts whose traffic must never cross the network unprotected, since the fallback replaces the failed tunnel with an unsecured connection.

  • Use pseudo IP: When this check box is selected, the engine assigns a pseudo IP address for the host instead of doing a DNS query. When the check box is not selected, a normal DNS query is made.

When an application connects to a host, the filter rules determine the action to apply to the connection. The list is evaluated from top down and the first matching filter is used, so a more specific rule must be placed above a more general rule that would also match it. Use the arrow buttons to reorder the list.
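The decision logic described on this page (the pass-through list, pseudo IP assignment, and top-down first-match filter rules with the DIRECT, BLOCK and TUNNEL actions, plain-text fallback and pseudo IPs), modelled in Python as an added example. This is not SSH Tectia code; FilterRule, Decision, PseudoIpPool, the injected resolver and profile_up callables, the sample hosts and addresses, and the deny-by-default behaviour when no rule matches (which the page does not specify) are all this example's own assumptions. Regular expressions are anchored with fullmatch here; whether the product anchors them is defined in Appendix A of the Administrator Manual, not on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional

def parse_pass_through(field_text: str) -> set:
    """'Pass-through apps' field: comma-separated process names (extension included),
    compared case-insensitively; stray spaces around commas are tolerated."""
    return {n.strip().lower() for n in field_text.split(",") if n.strip()}

def is_pass_through(process_name: str, allowed: set) -> bool:
    return process_name.strip().lower() in allowed

class PseudoIpPool:
    """One placeholder address per host, counting up from the 'Pseudo IP start' value."""
    def __init__(self, start: str):
        self._next = ipaddress.IPv4Address(start)
        self._by_host = {}

    def assign(self, hostname: str) -> str:
        if hostname not in self._by_host:
            self._by_host[hostname] = str(self._next)
            self._next += 1
        return self._by_host[hostname]

@dataclass(frozen=True)
class FilterRule:
    action: str                     # DIRECT, BLOCK or TUNNEL
    hostname: Optional[str] = None  # regular expression on the DNS name
    ip: Optional[str] = None        # regular expression on the IP address
    ports: tuple = (1, 65535)       # single port (p, p) or range (lo, hi)
    profile: Optional[str] = None   # server profile for TUNNEL rules
    fallback_plain: bool = False    # "Fallback to plain text ..." check box
    use_pseudo_ip: bool = False     # "Use pseudo IP" check box

    def __post_init__(self):
        if self.hostname is None and self.ip is None:
            raise ValueError("hostname and/or IP address is required")
        if self.action == "TUNNEL" and not self.profile:
            raise ValueError("a TUNNEL rule needs a server profile")

@dataclass(frozen=True)
class Decision:
    action: str                    # DIRECT, BLOCK, TUNNEL or ERROR
    address: Optional[str] = None  # address handed to the application
    profile: Optional[str] = None  # server profile, for TUNNEL
    reason: str = ""

def _matches(pattern: str, value: Optional[str]) -> bool:
    # fullmatch anchors the pattern; unanchored, fw\.company\.com would also match fw.company.com.attacker.example
    return value is not None and re.fullmatch(pattern, value, re.IGNORECASE) is not None

def decide(target: str, port: int, rules: list, resolver: Callable[[str], Optional[str]],
           pool: PseudoIpPool, profile_up: Callable[[str], bool],
           default_action: str = "BLOCK") -> Decision:
    """Scan the rules top down; the first match decides. default_action (deny) is this example's assumption."""
    try:
        literal_ip = str(ipaddress.ip_address(target))   # application connected by IP
    except ValueError:
        literal_ip = None                                # application connected by name
    def direct(reason: str) -> Decision:
        addr = literal_ip or resolver(target)            # DIRECT needs a resolvable address
        return Decision("DIRECT", addr, reason=reason) if addr else Decision("ERROR", reason="cannot resolve")
    for rule in rules:
        if rule.hostname is not None and not _matches(rule.hostname, target):
            continue
        if rule.ip is not None and not _matches(rule.ip, literal_ip or resolver(target)):
            continue                                     # both fields set: both must match
        in_range = rule.ports[0] <= port <= rule.ports[1]
        if rule.action == "TUNNEL":
            if not in_range:
                return direct("port outside the rule's range")
            if not profile_up(rule.profile):
                if rule.fallback_plain:
                    return direct("tunnel failed, unsecured fallback")
                return Decision("ERROR", reason="host not reachable")
            # Tunnel opened with the DNS name (resolved remotely); app gets a pseudo IP or a locally resolved one
            local = pool.assign(target) if rule.use_pseudo_ip else (literal_ip or resolver(target))
            return Decision("TUNNEL", local, rule.profile, "tunnelled by DNS name")
        if not in_range:
            continue
        if rule.action == "BLOCK":
            return Decision("BLOCK", reason="refused by filter")
        return direct("direct by filter")
    return Decision(default_action, reason="no rule matched")

# Constructed sample configuration; hosts, addresses and the profile name are made up.
EXAMPLE_DNS = {"fw.company.com": "10.1.0.49", "app.company.com": "10.1.0.7"}
EXAMPLE_RULES = [
    FilterRule("BLOCK", hostname=r".*\.evil\.example"),
    FilterRule("TUNNEL", hostname=r"(.*\.)?intra\.company\.com", profile="gateway", use_pseudo_ip=True),
    FilterRule("DIRECT", ip=r"10\.1\.0\.\d+", ports=(22, 22)),
]

if __name__ == "__main__":
    pool = PseudoIpPool("10.254.0.1")
    for host, port in [("db.intra.company.com", 1433), ("fw.company.com", 22), ("fw.company.com", 80)]:
        print(host, port, decide(host, port, EXAMPLE_RULES, EXAMPLE_DNS.get, pool, lambda p: True))
```

Running the block shows the ordering effect the page describes: the internal host is tunnelled and handed the first pseudo IP, SSH to fw.company.com goes direct because the IP-regex rule matches on port 22, and port 80 to the same host falls off the end of the list and is denied by the example's default. Swapping the BLOCK rule below a broader TUNNEL rule would let a matching host tunnel instead, which is why specific rules belong at the top.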