SSH Tectia Connector settings are defined entirely in the SSH Tectia Configuration tool. See Defining General Settings for Connector and Defining Filter Rules.
On the General page, you can define general settings for SSH Tectia Connector.
Applications that are passed through are defined in the General Settings view.
Select the Pass-through when engine down check box to have connections passed through when the SSH Tectia Connector engine is not operational. This option can be activated if it is necessary to temporarily deactivate SSH Tectia Connector so that it does not block network communications. If users should only access the network using secure communications, leave this option disabled.
Use the Pass-through apps text box to enter the process names of the applications that are allowed to pass through. Comparing the application name to the applications listed in this field is case-insensitive. The process names should include the file extension (the correct name format can be checked from Windows Task Manager). Use commas to separate entries, for example:
ssh-client-g3.exe,nslookup.exe,ping.exe
The pass-through settings are not stored in the ssh-broker-config.xml file but directly in the Windows Registry, under
HKEY_LOCAL_MACHINE\SOFTWARE\SSH Communications Security\SSH Tectia Connector
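The following Python is an added illustration of how the Pass-through apps value is interpreted according to the description above; it is not SSH Tectia code and does not read the Registry. It splits the comma-separated list, compares process names case-insensitively, and flags entries that lack a file extension or appear twice. The function names and the warning texts are assumptions made for this example.

```python
import os

# Added example (not part of SSH Tectia Connector): parse and check the
# "Pass-through apps" list exactly as the documentation describes it.


def parse_pass_through(value: str) -> list:
    """Split the comma-separated text into lower-cased process names.

    Empty entries (e.g. from a trailing comma) and surrounding
    whitespace are dropped, because matching is case-insensitive and
    by name only.
    """
    names = []
    for entry in value.split(","):
        name = entry.strip()
        if name:
            names.append(name.lower())
    return names


def check_pass_through_entries(value: str) -> list:
    """Return warnings for entries that cannot match a running process.

    A process name without its file extension (e.g. 'ping' instead of
    'ping.exe') never matches what Task Manager reports, so the
    application would silently not be passed through.
    """
    warnings = []
    seen = set()
    for name in parse_pass_through(value):
        _root, ext = os.path.splitext(name)
        if not ext:
            warnings.append(f"{name}: missing file extension")
        if name in seen:
            warnings.append(f"{name}: listed more than once")
        seen.add(name)
    return warnings


def is_passed_through(process_name: str, value: str) -> bool:
    """Case-insensitive membership test, as the engine's comparison is."""
    return process_name.lower() in parse_pass_through(value)


if __name__ == "__main__":
    # Constructed sample value taken from the documentation's example.
    apps = "ssh-client-g3.exe,nslookup.exe,ping.exe"
    print(is_passed_through("PING.EXE", apps))      # True
    print(check_pass_through_entries("ping, ping.exe,PING.EXE"))
```

Running the check before saving a list catches the common mistake of typing a bare program name without its extension.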
Pseudo IP numbers are used when accessing an internal network from the outside because name resolution for the machines in the internal network is not available from the outside. If specified in the filter rule, pseudo IP numbers are used when an IP address cannot be resolved by the Connection Broker. In this case, SSH Tectia Server resolves the real IP address.
Specify an IP address (using the dotted decimal notation) in the Pseudo IP start text box. This address is used as the base for the pseudo IP addresses that will be generated for connections.
When the Show security notification check box is selected, a notification is briefly displayed when a new application is secured. A list of currently tunneled applications is shown in the Connector icon tray menu.
Select the Enable Connector check box to use Connector. The text Connector enabled is shown in the tray menu. When SSH Tectia Connector is enabled, it can be temporarily disabled from the tray menu by clicking the Connector enabled menu command. To keep Connector disabled in future sessions as well, clear the Enable Connector check box.
On the Filters page, you can define the SSH Tectia Connector filter rules.
Type an application name in the Application to tunnel field or click Browse... to locate an application.
Click the Add... button to define a new filter rule in the Filter Rule dialog box. Click Edit... to modify and Delete to remove existing filter rules.
Any host or IP address: The rule is used for all addresses.
Hostname: The rule is used for connections to the defined DNS address(es). The engine will resolve the IP address using a DNS query. The value can also be a regular expression. See Appendix B.
IP address: The rule is used for connections to the defined IP address(es). This value can be a regular expression. See Appendix B.
Ports: Select a single port or a port range and define port numbers for the captured connections. If this is undefined, the rule will be used for all ports.
Action: Select one of the following:
The connection is made directly to the host without tunneling, using the host's IP address if it can be resolved. If it cannot be resolved, the connection fails.
The connection is blocked. Applications usually inform the user that the connection is refused.
The connection is tunneled through the selected profile. If the connection is made using a DNS name, the tunnel is created with the DNS name. This means that the actual DNS name resolution is done at the remote end, which enables tunneling connections to hosts that are not visible to the local machine. If the port does not match a port or port range, the connection is direct.
Select a server profile to tunnel through from the second drop-down list.
Fall back to DIRECT if secure connection cannot be established: If creating the tunnel fails (or the connection to the Secure Shell server fails), the Connection Broker will normally return a "host not reachable" error. However, when this check box is selected, a direct (unsecured) connection is used instead.
Use pseudo IP: When this check box is selected and a captured application attempts connection using a hostname, SSH Tectia Connector assigns a pseudo IP address for the host instead of doing a DNS query. When the check box is not selected, a normal DNS query is made.
The fallback and pseudo IP options cannot be enabled at the same time. If they are, and the secure connection fails, the application will try a direct connection with the pseudo IP, which will not work.
When an application connects to a host, filters are used to determine the action to apply to the connection. Filters are evaluated from the top down, and the first filter whose DNS name or IP address matches the connection is used. Use the arrow buttons to organize the list.
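As an added illustration that is not part of the SSH Tectia documentation or product, the following Python models the filter evaluation described on this page: rules are tried from the top down, the first rule whose hostname or IP address matches wins, a port outside that rule's range leads to a direct connection, and a tunnel rule with Use pseudo IP selected receives a pseudo IP counted up from the configured Pseudo IP start address instead of a DNS query. It also checks the configuration conflict described above (fallback and pseudo IP enabled together). The FilterRule fields, the PseudoIPAllocator, the sample rules and the choice to treat a connection that matches no rule as direct are assumptions made for this example, not the Connector's own data model or defaults.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not SSH Tectia code): first-match filter evaluation as the
# documentation describes it. Field names and defaults are assumptions.


@dataclass
class FilterRule:
    match_kind: str                          # "any", "hostname" or "ip"
    pattern: Optional[str] = None            # regular expression for the address
    ports: Optional[Tuple[int, int]] = None  # inclusive range; None = all ports
    action: str = "tunnel"                   # "direct", "block" or "tunnel"
    profile: Optional[str] = None            # server profile for "tunnel"
    fallback_direct: bool = False            # "Fall back to DIRECT ..." check box
    use_pseudo_ip: bool = False              # "Use pseudo IP" check box


def validate_rule(rule: FilterRule) -> list:
    """Return configuration problems (empty list means the rule is consistent)."""
    problems = []
    if rule.fallback_direct and rule.use_pseudo_ip:
        # The page warns that this combination makes the fallback unusable.
        problems.append("fallback to DIRECT and pseudo IP cannot both be enabled")
    if rule.action == "tunnel" and not rule.profile:
        problems.append("tunnel action requires a server profile")
    if rule.match_kind != "any" and not rule.pattern:
        problems.append("hostname/IP rule requires a pattern")
    return problems


def is_ip_literal(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def address_matches(rule: FilterRule, target: str) -> bool:
    """Match a connection target (hostname or IP literal) against one rule."""
    if rule.match_kind == "any":
        return True
    if rule.match_kind == "ip" and is_ip_literal(target):
        return re.fullmatch(rule.pattern, target) is not None
    if rule.match_kind == "hostname" and not is_ip_literal(target):
        return re.fullmatch(rule.pattern, target, re.IGNORECASE) is not None
    return False


class PseudoIPAllocator:
    """Hands out sequential pseudo IPs, one per hostname, from a start address."""

    def __init__(self, start: str):
        self.next_ip = ipaddress.ip_address(start)
        self.assigned = {}

    def allocate(self, hostname: str) -> str:
        key = hostname.lower()
        if key not in self.assigned:
            self.assigned[key] = str(self.next_ip)
            self.next_ip += 1
        return self.assigned[key]


def decide(rules, target: str, port: int, pseudo: Optional[PseudoIPAllocator] = None) -> dict:
    """Apply the first matching rule to a connection to target:port."""
    for rule in rules:
        if not address_matches(rule, target):
            continue
        # First address match wins. A port outside the rule's range is direct.
        if rule.ports and not (rule.ports[0] <= port <= rule.ports[1]):
            return {"action": "direct", "target": target}
        if rule.action == "block":
            return {"action": "block"}
        if rule.action == "direct":
            return {"action": "direct", "target": target}
        decision = {"action": "tunnel", "profile": rule.profile, "target": target,
                    "fallback_direct": rule.fallback_direct}
        if rule.use_pseudo_ip and pseudo is not None and not is_ip_literal(target):
            # Pseudo IP replaces the local DNS query; the server resolves the name.
            decision["pseudo_ip"] = pseudo.allocate(target)
        return decision
    # Assumption for this example: the page does not state the no-match default.
    return {"action": "direct", "target": target}


# Constructed sample rule list (assumed names and addresses).
RULES = [
    FilterRule("hostname", r".*\.intranet\.example", None, "tunnel",
               profile="corp-gw", use_pseudo_ip=True),
    FilterRule("ip", r"10\.0\.0\..*", (80, 80), "tunnel", profile="corp-gw"),
    FilterRule("any", action="direct"),
]

if __name__ == "__main__":
    alloc = PseudoIPAllocator("10.255.0.1")
    print(decide(RULES, "db.intranet.example", 5432, alloc))
    print(decide(RULES, "10.0.0.5", 443, alloc))
```

Note how the IP rule for port 80 turns a connection to port 443 on the same host into a direct connection rather than falling through to a later rule, which is the behaviour the Action description above specifies; ordering and port ranges therefore need the same care as the address patterns.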