Under Transparent Tunnels, you can define the settings for transparent tunneling of applications using TCP or FTP services. For generic connection capture settings, see Defining the Connection Capture Settings, and for defining the filter rules, see Defining Filter Rules.
All settings are made in the Connection Broker configuration, so no modifications are required on the tunneled applications.
On the Connection Capture page, you can define how transparent TCP tunneling captures the connections made by TCP-based applications.
In the Always use direct connection for the listed applications field, define the exceptional applications that are allowed to connect directly to the network instead of being captured and tunneled securely. These applications are not processed by the filter rules, and they are allowed to pass through even when you have disabled the option Use direct connection for all applications when the Connection Broker is down.
In the Always use direct connection for the listed applications field, the application names are handled case-insensitively. Make sure the process names include the file extensions; you can check the correct name format in Windows Task Manager. Use commas but no spaces to separate the entries, for example:
ssh-client-g3.exe,nslookup.exe,ping.exe
The direct connection settings are not stored in the ssh-broker-config.xml file but directly in the Windows Registry, under HKEY_LOCAL_MACHINE\SOFTWARE\SSH Communications Security\SSH Tectia Connector\PassThroughWhenEngineDown (in 32-bit systems) or under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SSH Communications Security\SSH Tectia Connector\PassThroughWhenEngineDown (in 64-bit systems).
Use direct connection for all applications when the Connection Broker is down: Select this option if it is necessary to temporarily deactivate connection capturing so that it does not block network communications. When this option is selected (the default), all applications can connect to the network when the Connection Broker is down. If users should access the network only through secure connections, clear this option. When it is cleared, applications are blocked when the Connection Broker is down, except for the applications defined in the list of direct connection (pass-through) applications above.
Show security notification: Select this option to have a notification briefly displayed when a new application is secured with an FTP or TCP tunnel, and when the tunneling ends. The notification specifies the secured application, the destination, and the Secure Shell server used as the tunneling end point. A list of currently tunneled applications is shown in the SSH Tectia Status window (started via the shortcut menu).
Enable transparent tunneling at startup: Select this option to activate the transparent TCP tunneling feature when Connection Broker starts up. To disable transparent TCP tunneling in future sessions, clear the Enable transparent tunneling at startup check box. Connection Broker reads this setting in the configuration when it starts up.
When this setting is selected, the text Transparent tunneling enabled is shown in the SSH Tectia tray menu. The shortcut menu shows the current status of transparent TCP tunneling, and the feature can be temporarily disabled by clearing Transparent tunneling enabled in the menu. The setting in the SSH Tectia tray menu is not saved in the configuration.
On the Filter Rules page, you can define the filters based on the characteristics of tunneled applications. The filters are used to select how and to which applications the transparent tunneling will be applied.
When an application connects to a host, the filter rules determine the action to apply to the connection. The filter list is evaluated from the top down, and the first filter that matches the DNS name or IP address of the connection is used. You can use the arrow buttons to organize the list.
Click the Add button to define a new filter rule in the Filter Rule dialog box. Click Edit to modify and Delete to remove existing filter rules.
Tunnel all applications: Select this option to capture all connections initiated by TCP-based applications.
To specify only some applications to be captured, click Add and enter the name of an application, or locate the application with Browse.... You can list several applications. The path and application name must be given as regular expressions following the egrep syntax. If you use Browse..., the GUI enters the application automatically in the correct format. For information on the syntax, see Appendix D.
To modify or delete the listed applications, select the relevant application and click Edit or Delete.
Note: When Internet Explorer is used in protected mode, Connection Broker may request the authentication procedure for the same destination SSH connection twice, because connections are not shared between low and higher integrity processes for security reasons.
Define hosts whose connections will be captured.
Any host or IP address: Select this option to capture the connections to all hosts.
Host name: Select this option to capture only the connections to individual hosts. Define the DNS address(es) of the host(s) in a comma-separated list. The SSH Tectia Client will resolve the IP address using a DNS query. The value can also be a regular expression following the egrep syntax.
IP address: Select this option to capture only the connections to the defined IP address(es). The value can also be a regular expression following the egrep syntax.
Define the ports whose connections will be captured.
Any port: Select this option to capture the connections of all ports.
Single port: Select this option to define only individual port(s) to be captured. Enter the port number(s) in a comma-separated list.
Port range: Select this option to define a range of port numbers whose connections will be captured.
Connect directly: Select this option to make the connection directly to the host without tunneling, using the host's IP address if it can be resolved. If it cannot be resolved, the connection fails.
Block connection: Select this option to block the connection. Applications usually inform the user that the connection is refused.
Transparent TCP tunneling using: Activates transparent TCP tunneling for the defined connections. Select from the drop-down menu whether the transparent TCP tunneling is used with the default settings, or through a connection profile. By default, the transparent TCP tunneling uses the destination host name received from the application that initiated the connection. When a profile is used, you can choose to use the destination host name and the user name defined in the profile, or those received from the application.
If the connection is made using a DNS name, the tunnel is created with the DNS name. This means that the actual DNS name resolution is done at the remote end, which enables tunneling connections to hosts that are not visible to the local machine. If the port used by the connection does not match the port or port range defined in the rule, the connection is made directly.
Transparent FTP tunneling using: Activates transparent FTP tunneling for the defined connections. This is available with SSH Tectia ConnectSecure only.
FTP-SFTP conversion using: Activates FTP-SFTP conversion for the defined connections. This is available with SSH Tectia ConnectSecure only.
Use user name from the application: This is not available with TCP tunneling.
Use host name from the application: Select this option to make SSH Tectia Client resolve and use the host name sent by the application (instead of doing a DNS query) to establish a tunnel to the destination host. When the check box is not selected, a normal DNS query is made. By default, this setting is on for transparent TCP tunneling. When transparent TCP tunneling is made through a connection profile, you can choose to disable this setting.
Fall back to direct connection if secure connection fails: Select this option to allow a direct (unsecured plain-text) connection in case creating a tunnel fails or the connection to the Secure Shell server fails. If this is not selected, the Connection Broker will normally return a "host not reachable" error.
Connection is made from public to private network: Use this option if the connection is made from a public network to a private network with its own address space. This setting specifies whether a pseudo IP address is used when the Connection Broker cannot resolve an IP address. When the check box is not selected, a normal DNS query is made for the target host name. When the check box is selected, the Connection Broker assigns a pseudo IP address to the target host, and the Secure Shell server resolves the real IP address. This is needed because name resolution for machines in an internal network is not available from outside.
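The following is an added model, written for this page and not code from SSH Tectia or the Connection Broker, of the capture decision the settings above describe: the always-direct list (case-insensitive process names with extension, comma-separated), the behaviour when the Connection Broker is down, top-down first-match evaluation of the filter rules on application path, host name or IP address and port, and the fall-back-to-direct option when a tunnel cannot be created. It is useful for reasoning about rule ordering before committing a configuration, for example to confirm that a block rule placed above a broader tunnel rule still wins. Assumptions: Python's re module stands in for egrep syntax (unanchored search); a rule whose address matches but whose port does not results in a direct connection, as the page states; the page gives no default for a connection that matches no rule, so the model reports "unmatched" rather than guessing. The sample list and rules are constructed.

```python
"""Model of the transparent-tunneling capture decision described on this page.
Constructed illustration; not the Connection Broker's own code."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def parse_direct_list(value: str) -> Set[str]:
    """Validate the 'Always use direct connection' list: comma-separated,
    no spaces, names with file extension; compared case-insensitively."""
    names = set()
    for entry in value.split(","):
        if not entry or entry != entry.strip():
            raise ValueError(f"bad entry {entry!r}: empty or contains spaces")
        if "." not in entry:
            raise ValueError(f"bad entry {entry!r}: include the file extension")
        names.add(entry.lower())
    return names


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


@dataclass
class FilterRule:
    """One row of the Filter Rules list; None means 'any' for that field.
    Patterns are egrep-style regexes; Python's re stands in for egrep here."""
    action: str                                   # "tunnel", "direct" or "block"
    applications: Optional[List[str]] = None      # regexes over the executable path
    hosts: Optional[List[str]] = None             # regexes over a DNS host name
    ips: Optional[List[str]] = None               # regexes over an IP address
    ports: Optional[Set[int]] = None              # "Single port" entries
    port_range: Optional[Tuple[int, int]] = None  # "Port range", inclusive
    fall_back_to_direct: bool = False             # "Fall back to direct connection..."

    def matches_application(self, exe_path: str) -> bool:
        return self.applications is None or any(
            re.search(p, exe_path) for p in self.applications)

    def matches_host(self, host: str) -> bool:
        if self.hosts is None and self.ips is None:
            return True                           # "Any host or IP address"
        patterns = self.ips if _is_ip(host) else self.hosts
        return patterns is not None and any(re.search(p, host) for p in patterns)

    def matches_port(self, port: int) -> bool:
        if self.ports is None and self.port_range is None:
            return True                           # "Any port"
        if self.ports is not None and port in self.ports:
            return True
        return (self.port_range is not None
                and self.port_range[0] <= port <= self.port_range[1])


def decide(exe_path, host, port, rules, direct_list=frozenset(),
           broker_up=True, passthrough_when_down=True, tunnel_available=True):
    """Return (action, reason) for one outgoing TCP connection."""
    if ntpath.basename(exe_path).lower() in direct_list:
        return "direct", "application is on the always-direct list"
    if not broker_up:                             # the list above is honoured even here
        if passthrough_when_down:
            return "direct", "Connection Broker down, pass-through enabled"
        return "block", "Connection Broker down, pass-through disabled"
    for index, rule in enumerate(rules):          # top down, first address match wins
        if rule.matches_application(exe_path) and rule.matches_host(host):
            if not rule.matches_port(port):
                return "direct", f"rule {index}: address matched but not port {port}"
            if rule.action == "tunnel" and not tunnel_available:
                if rule.fall_back_to_direct:
                    return "direct", f"rule {index}: tunnel failed, falling back"
                return "error", f"rule {index}: tunnel failed, host not reachable"
            return rule.action, f"rule {index} matched"
    return "unmatched", "no filter rule matched (page states no default)"


# Constructed sample configuration, not taken from any real deployment.
DIRECT_LIST = parse_direct_list("ssh-client-g3.exe,nslookup.exe,ping.exe")
RULES = [
    FilterRule("block", ips=[r"^10\.0\.0\.5$"]),                       # block rule first
    FilterRule("tunnel", applications=[r"\\putty\.exe$"], ports={22}),
    FilterRule("tunnel", hosts=[r"\.internal\.example$"], ports={3389, 5900},
               fall_back_to_direct=True),
    FilterRule("direct"),                                              # catch-all last
]

if __name__ == "__main__":
    for exe, host, port in [
        (r"C:\Windows\System32\PING.EXE", "10.0.0.5", 7),
        (r"C:\Tools\putty.exe", "10.0.0.5", 22),
        (r"C:\Apps\rdp.exe", "files.internal.example", 3389),
        (r"C:\Apps\rdp.exe", "files.internal.example", 8080),
    ]:
        print(exe, host, port, "->", decide(exe, host, port, RULES, DIRECT_LIST))
```

Running the block shows the ordering effects worth checking in a real rule list: PING.EXE bypasses every rule because it is on the always-direct list; putty.exe to 10.0.0.5 is blocked by rule 0 even though rule 1 would tunnel it; and a connection to files.internal.example on port 8080 goes direct because rule 2 matched the address but not the port.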