SSH Tectia

Defining Transparent Tunnels

Under Transparent Tunnels, you can define the settings for transparent tunneling of applications using TCP or FTP services. For generic connection capture settings, see Defining the Connection Capture Settings, and for defining the filter rules, see Defining Filter Rules.

All settings are made in the Connection Broker configuration, so no modifications are required on the tunneled applications or FTP services.

Defining the Connection Capture Settings

On the Connection Capture page, you can define the general settings for transparent TCP tunneling, transparent FTP tunneling, and FTP-SFTP conversion which all depend on the connection capture function.

Defining the connection capture settings

Figure A.41. Defining the connection capture settings

Advanced Capture Options

In field Always use direct connection for the listed applications, define those exceptional applications that will be allowed to use direct connection to the network instead of being captured and tunneled securely. These applications will not be processed by the filter rules and will be allowed to pass through also when you have disabled option Use direct connection for all applications when the Connection Broker is down.

In the Always use direct connection for the listed applications field, the application names are handled case-insensitively. Make sure the process names include also the file extensions. You can check the correct name format in Windows Task Manager. Use commas but no spaces to separate the entries, for example:

ssh-client-g3.exe,nslookup.exe,ping.exe

The direct connection settings are not stored in the ssh-broker-config.xml file but directly in the Windows Registry, under HKEY_LOCAL_MACHINE\SOFTWARE\SSH Communications Security\SSH Tectia Connector\PassThroughWhenEngineDown (in 32-bit systems) or under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SSH Communications Security\SSH Tectia Connector\PassThroughWhenEngineDown (in 64-bit systems).

Use direct connection for all applications when the Connection Broker is down: Select this option if it is necessary to temporarily deactivate connection capturing so that it does not block network communications. When this option is selected (the default), all applications will be able to connect to the network when the Connection Broker is down. If users should only access the network using secure communications, un-select this option. When this option is un-selected, applications will be blocked when the Connection Broker is down, except for those applications that are defined in the list of direct connection (passthrough) applications above.

Connection Capture Settings

Show security notification: Select this option to have a notification briefly displayed when a new application is secured with a FTP or TCP tunnel, and when the tunneling ends. The notification specifies the secured application, the destination, as well as the Secure Shell server used as the tunneling end point. A list of currently tunneled applications is shown in the SSH Tectia Status window (started via the short cut menu).

Security notification

Figure A.42. Security notification

Enable transparent tunneling at startup: Select this option to activate the transparent tunneling feature when Connection Broker starts up. To disable transparent TCP tunneling in future sessions, clear the Enable transparent tunneling at startup check box. Connection Broker reads this setting in the configuration when it starts up.

When this setting is selected, the text Transparent tunneling enabled will be shown in the SSH Tectia tray menu. The shortcut menu shows the current status of transparent TCP tunneling, and the feature can be temporarily disabled by unselecting Transparent tunneling enabled in the menu. The setting in the SSH Tectia tray menu is not saved in the configuration.

FTP-SFTP Conversion Settings

Filter @ signs: With FTP-SFTP conversion, select this option to extract the FTP user name, FTP server name, and the FTP server password from a script designed to connect to an FTP server via a proxy.

The FTP script is expected to specify the username in format ftp-user@proxy-user@ftp-server and the password in format ftp-password@proxy-password. The @ sign is used to extract the relevant data from the strings.

When Filter @ signs is selected, SSH Tectia ConnectSecure cuts the username string at the first @ sign to extract the ftp-user and at the last @ sign to extract the ftp-server, and the rest of the string is ignored. Likewise, the passwords string is cut at the last @ sign and the first part is used as the password on the FTP server.

Defining Filter Rules

On the Filter Rules page, you can define the filters based on the characteristics of tunneled applications. The filters are used to select how and to which applications the transparent tunneling or FTP-SFTP conversion services will be applied.

Defining filter rule settings

Figure A.43. Defining filter rule settings

When an application connects to a host, the filter rules are used to determine the correct action to apply to the connection. The filter list is scanned through searching for a filter that matches the connection. The first filter that matches the DNS or IP address of the connection is used. Filters are evaluated from top down. You can use the arrow buttons to organize the list.

Click the Add button to define a new filter rule in the Filter Rule dialog box. Click Edit to modify and Delete to remove existing filter rules.

Adding a new filter rule

Figure A.44. Adding a new filter rule

Application to Capture

Tunnel all applications: Select this option to capture all connections initiated by FTP and TCP-based applications.

To specify only some applications to be captured, click Add and enter the name of an application or locate the application with Browse.... You can list several applications. The path and application name must be given using regular expressions following the egrep syntax. If you use the Browse, the GUI enters the applications automatically in the correct format. For information on the syntax, see Appendix D.

To modify or delete the listed applications, select the relevant application and click Edit or Delete.

[Note]Note

When Internet Explorer is used in protected mode, Connection Broker may request the authentication procedure for the same destination SSH connection twice, because connections are not shared between low and higher integrity processes for security reasons.

Filter by Address

Define hosts whose connections will be captured.

Any host or IP address: Select this option to capture the connections to all hosts.

Host name: Select this option to capture only the connections to individual hosts. Define the DNS address(es) of the host(s) in a comma-separated list. The SSH Tectia ConnectSecure will resolve the IP address using a DNS query. The value can also be a regular expression following the egrep syntax.

IP address: Select this option to capture only the connections to the defined IP address(es). The value can also be a regular expression following the egrep syntax.

Filter by Port

Define the ports whose connections will be captured.

Any port: Select this option to capture the connections of all ports.

Single port: Select this option to define only individual port(s) to be captured. Enter the port number(s) in a comma-separated list.

Port range: Select this option to define a range of port numbers whose connections will be captured.

Action

Connect directly: Select this option to make the connection directly to the host without tunneling, using the host's IP address if it can be resolved. If it cannot be resolved, the connection fails.

Block connection: Select this option to block the connection. Applications usually inform the user that the connection is refused.

Transparent TCP tunneling using: Activates transparent TCP tunneling for the defined connections. Select from the drop-down menu whether the transparent TCP tunneling is used with the default settings, or through a connection profile. By default, the transparent TCP tunneling uses the destination host name received from the application that initiated the connection. When a profile is used, you can choose to use the destination host name and the user name defined in the profile, or those received from the application.

If the connection is made using a DNS name, the tunnel is created with the DNS name. This means that the actual DNS name resolution is done at the remote end, which enables tunneling connections to hosts that are not visible to the local machine. If the used port does not match a port or port range, the connection is direct.

Transparent FTP tunneling using: Activates transparent FTP tunneling for the defined connections. Select from the drop-down menu whether the transparent FTP tunneling is used with the default settings, or through a connection profile. By default, the transparent FTP tunneling uses the user name and the destination host name received from the application that initiated the connection. When a profile is used, you can choose to use the destination and user name defined in the profile, or those received from the application.

FTP-SFTP conversion using: Activates FTP-SFTP conversion for the defined connections. Select from the drop-down menu whether the FTP connections will be converted to SFTP with the default settings or through a connection profile. By default, the FTP-SFTP conversion uses the user name and the destination host name received from the application that initiated the connection. When a profile is used, the destination and user name defined in the profile are used. If the profile defines the destination host name or the user name with an asterisk (*), then the names received from the application are used.

Additional

Use user name from the application: Select this option to make SSH Tectia ConnectSecure resolve and use the user name sent by the application. When the check box is not selected, the user is requested to enter the user name, or the current Windows username is applied. This setting is enabled by default for transparent FTP tunneling and FTP-SFTP conversion. Disable this setting in case you use transparent FTP tunneling through a connection profile where the user name is defined, because this setting will override any user name settings made in the profile. Use a connection profile where the user name selection is Use current Windows user name or Prompt user for the user name.

Use host name from the application: Select this option to make SSH Tectia ConnectSecure resolve and use the host name sent by the application (instead of doing a DNS query) to establish a tunnel to the destination host. When the check box is not selected, a normal DNS query is made.

By default, Use host name from the application is enabled for transparent FTP and TCP tunneling, and for FTP-SFTP conversion. When transparent TCP or FTP tunneling is made through a connection profile, you can choose to disable this setting.

Fall back to direct connection if secure connection fails: Select this option to allow a direct (unsecured plain-text) connection in case creating a tunnel fails or the connection to the Secure Shell server fails. If this is not selected, the Connection Broker will normally return a "host not reachable" error.

Connection is made from public to private network: Use this option if the connection is made from public network to a private network with its own address space. This setting specifies whether a pseudo IP address will be used when an IP address cannot be resolved by the Connection Broker. When the check box is not selected, a normal DNS query is made for the target hostname. When the check box is selected, the Connection Broker assigns a pseudo IP address for the target host and Secure Shell server will resolve the real IP address. This is needed because the name resolution for machines located in an internal network is not available from outside.