SSH Tectia

Defining Transparent Tunnels

Under Transparent Tunnels, you can define the settings for transparent tunneling of applications using TCP or FTP services. For generic connection capture settings, see Defining the Connection Capture Settings, and for defining the filter rules, see Defining Filter Rules.

All settings are made in the Connection Broker configuration, so no modifications are required on the tunneled applications.

Defining the Connection Capture Settings

On the Connection Capture page, you can define how transparent TCP tunneling captures the connections made by TCP-based applications.

Figure 4.35. Defining the transparent TCP tunneling settings

Advanced Capture Options

Define the exceptional applications that will be allowed to use direct connection to the network instead of being captured and tunneled securely. These applications will not be processed by the filter rules.

The application names are handled case-insensitively. Make sure the process names also include the file extensions. You can check the correct name format in Windows Task Manager. Use commas but no spaces to separate the entries, for example:

ssh-client-g3.exe,nslookup.exe,ping.exe

The direct connection settings are not stored in the ssh-broker-config.xml file but directly in the Windows Registry, under HKEY_LOCAL_MACHINE\SOFTWARE\SSH Communications Security\SSH Tectia Connector.

Use direct connection for all applications when the Connection Broker is down: Select this option if it is necessary to temporarily deactivate connection capturing so that it does not block network communications. If this option is unselected, all applications will be blocked when the Connection Broker is down. When this option is selected (the default), all applications will be able to connect to the network when the Connection Broker is down. If users should only access the network using secure communications, leave this option disabled.

Connection Capture Settings

Show security notification: Select this option to have a notification briefly displayed when a new application is secured with an FTP or TCP tunnel, and when the tunneling ends. The notification specifies the secured application, the destination, and the Secure Shell server used as the tunneling end point. A list of currently tunneled applications is shown in the SSH Tectia Status window (started via the shortcut menu).

Figure 4.36. Security notification

Enable transparent tunneling at startup: Select this option to activate the transparent TCP tunneling feature when Connection Broker starts up. To disable transparent TCP tunneling in future sessions, clear the Enable transparent tunneling at startup check box. Connection Broker reads this setting in the configuration when it starts up.

When this setting is selected, the text Transparent tunneling enabled will be shown in the SSH Tectia tray menu. The shortcut menu shows the current status of transparent TCP tunneling, and the feature can be temporarily disabled by unselecting Transparent tunneling enabled in the menu. The setting in the SSH Tectia tray menu is not saved in the configuration.

Defining Filter Rules

On the Filter Rules page, you can define the filters based on the characteristics of tunneled applications. The filters are used to select how and to which applications the transparent tunneling will be applied.

Figure 4.37. Defining filter rule settings

When an application connects to a host, the filter rules are used to determine the action to apply to the connection. The filter list is scanned from the top down, searching for a filter that matches the connection, and the first filter that matches the DNS name or IP address of the connection is used. You can use the arrow buttons to reorder the list.

Click the Add... button to define a new filter rule in the Filter Rule dialog box. Click Edit... to modify and Delete to remove existing filter rules.

Figure 4.38. Adding a new filter rule

Application to Capture

Tunnel all applications: Select this option to capture all connections initiated by TCP-based applications.

To specify only some applications to be captured, click Add and enter the name of an application, or locate the application with Browse.... You can list several applications. The path and application name must be given as regular expressions following the egrep syntax. If you use Browse..., the GUI enters the applications automatically in the correct format. For information on the syntax, see Appendix D.

To modify or delete the listed applications, select the relevant application and click Edit or Delete.

Filter by Address

Define hosts whose connections will be captured.

Any host or IP address: Select this option to capture the connections to all hosts.

Host name: Select this option to capture only the connections to individual hosts. Define the DNS address(es) of the host(s) in a comma-separated list. The SSH Tectia Client will resolve the IP address using a DNS query. The value can also be a regular expression.

IP address: Select this option to capture only the connections to the defined IP address(es). The value can also be a regular expression.

Filter by Port

Define the ports whose connections will be captured.

Any port: Select this option to capture the connections of all ports.

Single port: Select this option to define only individual port(s) to be captured. Enter the port number(s) in a comma-separated list.

Port range: Select this option to define a range of port numbers whose connections will be captured.

Action

Connect directly: Select this option to make the connection directly to the host without tunneling, using the host's IP address if it can be resolved. If it cannot be resolved, the connection fails.

Block connection: Select this option to block the connection. Applications usually inform the user that the connection is refused.

Transparent TCP tunneling using: Activates transparent TCP tunneling for the defined connections. Select from the drop-down menu whether the transparent TCP tunneling is used with the default settings, or through a connection profile. By default, the transparent TCP tunneling uses the destination host name received from the application that initiated the connection. When a profile is used, you can choose to use the destination host name and the user name defined in the profile, or those received from the application.

If the connection is made using a DNS name, the tunnel is created with the DNS name. This means that the actual DNS name resolution is done at the remote end, which enables tunneling connections to hosts that are not visible to the local machine. If the used port does not match a port or port range, the connection is direct.

Transparent FTP tunneling using: Activates transparent FTP tunneling for the defined connections. This is available with SSH Tectia ConnectSecure only.

FTP-SFTP conversion using: Activates FTP-SFTP conversion for the defined connections. This is available with SSH Tectia ConnectSecure only.

Additional

Use user name from the application: This is not available with TCP tunneling.

Use host name from the application: Select this option to make SSH Tectia Client resolve and use the host name sent by the application (instead of doing a DNS query) to establish a tunnel to the destination host. When the check box is not selected, a normal DNS query is made. By default, this setting is on for transparent TCP tunneling. When transparent TCP tunneling is made through a connection profile, you can choose to disable this setting.

Fall back to direct connection if secure connection fails: Select this option to allow a direct (unsecured plain-text) connection in case creating a tunnel fails or the connection to the Secure Shell server fails. If this is not selected, the Connection Broker will normally return a "host not reachable" error.

Connection is made from public to private network: Use this option if the connection is made from a public network to a private network with its own address space. This setting specifies whether a pseudo IP address will be used when an IP address cannot be resolved by the Connection Broker. When the check box is not selected, a normal DNS query is made for the target host name. When the check box is selected, the Connection Broker assigns a pseudo IP address for the target host and the Secure Shell server will resolve the real IP address. This is needed because name resolution for machines located in an internal network is not available from outside.
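As an added example (not code from the SSH Tectia product or its documentation), the decision logic described above for the Advanced Capture Options and the Filter Rules page, modelled in Python: the direct-connection exception list bypasses the filters, the "Broker is down" option decides between direct and block, filters are evaluated top-down with the first address match winning, and a matched filter whose port does not match leaves the connection direct. The class and field names, the sample rules and the assumption that a connection matching no filter at all stays direct are mine, not the product's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model of one entry in the Filter Rule dialog; field names are assumptions.
@dataclass
class FilterRule:
    action: str                     # "tunnel", "direct" or "block"
    apps: tuple = ()                # egrep-style regexes on path/name; () = tunnel all applications
    hosts: tuple = ()               # host-name or IP-address regexes; () = any host
    ports: Optional[object] = None  # None = any port, a set of single ports, or a (low, high) range

    def address_match(self, app: str, host: str) -> bool:
        app_ok = not self.apps or any(re.search(a, app) for a in self.apps)
        host_ok = not self.hosts or any(re.fullmatch(h, host) for h in self.hosts)
        return app_ok and host_ok

    def port_match(self, port: int) -> bool:
        if self.ports is None:
            return True
        if isinstance(self.ports, tuple):          # port range
            low, high = self.ports
            return low <= port <= high
        return port in self.ports                  # single port(s)

def parse_direct_apps(value: str) -> set:
    """Comma-separated, no spaces, case-insensitive process names including the extension."""
    return {name.lower() for name in value.split(",") if name}

def decide(rules, app, host, port, direct_apps=frozenset(),
           broker_up=True, direct_when_down=True) -> str:
    """Return "tunnel", "direct" or "block" for one outgoing TCP connection."""
    app = app.replace("\\", "/")                   # normalise Windows paths for the regexes
    exe = app.rsplit("/", 1)[-1].lower()
    if exe in direct_apps:                         # exception list: never processed by filter rules
        return "direct"
    if not broker_up:                              # capture cannot tunnel without the Broker
        return "direct" if direct_when_down else "block"
    for rule in rules:                             # top-down, first address match is used
        if rule.address_match(app, host):
            return rule.action if rule.port_match(port) else "direct"
    return "direct"                                # assumption: no matching filter -> direct

# Constructed sample rule list, ordered as it would appear on the Filter Rules page.
RULES = [
    FilterRule("block", hosts=(r".*\.example\.org",), ports={23}),
    FilterRule("tunnel", apps=(r"C:/Program Files/.*/putty\.exe",),
               hosts=(r"10\.1\.\d+\.\d+",), ports=(1, 1023)),
    FilterRule("tunnel", hosts=(r"intranet\.example\.com",)),
]
```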