Under Transparent Tunnels / FTP Security, you can define the settings for transparent tunneling of applications using TCP or FTP services. For generic connection capture settings, see Defining the Connection Capture Settings, and for defining the filter rules, see Defining Filter Rules.
All settings are made in the Connection Broker configuration, so no modifications are required on the tunneled applications or FTP services.
On the Connection Capture page, you can define the general settings for transparent TCP tunneling, transparent FTP tunneling, and FTP-SFTP conversion which all depend on the connection capture function.
In the Always use direct connection for the listed applications field, define the exceptional applications that are allowed to connect directly to the network instead of being captured and tunneled securely. These applications are not processed by the filter rules, and they are allowed to pass through even when you have disabled the option Use direct connection for all applications when the Connection Broker is down.
In the Always use direct connection for the listed applications field, the application names are handled case-insensitively. Make sure the process names also include the file extensions. You can check the correct name format in Windows Task Manager. Use commas but no spaces to separate the entries, for example:
ssh-client-g3.exe,nslookup.exe,ping.exe
The direct connection settings are not stored in the ssh-broker-config.xml file but directly in the Windows Registry, under HKEY_LOCAL_MACHINE\SOFTWARE\SSH Communications Security\SSH Tectia Connector\PassThroughWhenEngineDown (in 32-bit systems) or under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SSH Communications Security\SSH Tectia Connector\PassThroughWhenEngineDown (in 64-bit systems).
Use direct connection for all applications when the Connection Broker is down: Select this option if it is necessary to temporarily deactivate connection capturing so that it does not block network communications. When this option is selected (the default), all applications will be able to connect to the network when the Connection Broker is down. If users should only access the network using secure communications, un-select this option. When this option is un-selected, applications will be blocked when the Connection Broker is down, except for those applications that are defined in the list of direct connection (passthrough) applications above.
Show security notification: Select this option to have a notification briefly displayed when a new application is secured with an FTP or TCP tunnel, and when the tunneling ends. The notification specifies the secured application, the destination, as well as the Secure Shell server used as the tunneling end point. A list of currently tunneled applications is shown in the Tectia Connections Status GUI (started via the shortcut menu).
Enable transparent tunneling at startup: Select this option to activate the transparent tunneling feature when Connection Broker starts up. To disable transparent TCP tunneling in future sessions, clear the Enable transparent tunneling at startup check box. Connection Broker reads this setting in the configuration when it starts up.
When this setting is selected, the text Transparent tunneling enabled will be shown in the Tectia tray menu. The shortcut menu shows the current status of transparent TCP tunneling, and the feature can be temporarily disabled by unselecting Transparent tunneling enabled in the menu. The setting in the Tectia tray menu is not saved in the configuration.
Filter @ signs: With FTP-SFTP conversion, select this option to extract the FTP user name, FTP server name, and the FTP server password from a script designed to connect to an FTP server via a proxy.
The FTP script is expected to specify the user name in format ftp-user@proxy-user@ftp-server and the password in format ftp-password@proxy-password. The @ sign is used to extract the relevant data from the strings.
When Filter @ signs is selected, Tectia ConnectSecure cuts the user name string at the first @ sign to extract the ftp-user and at the last @ sign to extract the ftp-server, and the rest of the string is ignored. Likewise, the password string is cut at the last @ sign and the first part is used as the password on the FTP server.
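The cuts described above for Filter @ signs, written out as an added Python example (not code from Tectia ConnectSecure) so that scripts can be checked before the option is enabled. The function names and sample strings are constructed for illustration, and raising an error when the user name has no @ sign is an assumption, since the page does not describe that case.

```python
def filter_at_signs(user_field, password_field):
    """Apply the documented cuts; returns (ftp_user, ftp_server, ftp_password)."""
    if "@" not in user_field:
        # Assumption: the page does not say what happens without an @ sign.
        raise ValueError("user name has no @ sign to split on")
    ftp_user = user_field.split("@", 1)[0]           # cut at the first @
    ftp_server = user_field.rsplit("@", 1)[1]        # cut at the last @
    ftp_password = password_field.rsplit("@", 1)[0]  # cut at the last @, keep first part
    return ftp_user, ftp_server, ftp_password


def ambiguities(user_field, password_field):
    """List deviations from the expected two-@ user name and one-@ password."""
    notes = []
    if user_field.count("@") != 2:
        notes.append("user name does not have exactly two @ signs")
    if password_field.count("@") != 1:
        notes.append("password does not have exactly one @ sign")
    return notes


# Constructed sample strings, as a proxy-style FTP script would send them.
SAMPLES = [
    ("alice@gw-user@ftp.example.com", "s3cret@gwpass"),       # expected shape
    ("alice@corp@gw-user@ftp.example.com", "s3cret@gwpass"),  # @ inside the FTP user
    ("alice@gw-user@ftp.example.com", "s3cret@gw@pass"),      # @ inside the proxy password
]

if __name__ == "__main__":
    for user_field, password_field in SAMPLES:
        print(filter_at_signs(user_field, password_field),
              ambiguities(user_field, password_field))
```

In the second sample the FTP user is shortened to alice, and in the third the string kept as the FTP password is s3cret@gw, so scripts whose names or passwords contain extra @ signs need review before this option is relied on.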
When the option Connections from public network to private network is enabled in a filter rule that is defined on the Filter Rules page, the start of the pseudo IP address space used by this option is defined here (for more details on the option Connections from public network to private network, see Defining Filter Rules).
IPv4 start address: Defines the start address of pseudo IPv4 address space.
IPv6 start address: Defines the start address of pseudo IPv6 address space.
On the Filter Rules page, you can define the filters based on the characteristics of tunneled applications. The filters are used to select how and to which applications the transparent tunneling or FTP-SFTP conversion services will be applied.
When an application connects to a host, the filter rules are used to determine the correct action to apply to the connection. The filter list is scanned through searching for a filter that matches the connection. The first filter that matches the DNS or IP address of the connection is used. Filters are evaluated from top down. You can use the arrow buttons to organize the list.
Click the Add button to define a new filter rule in the Filter Rule dialog box. Click Edit to modify and Delete to remove existing filter rules.
Tunnel all applications: Select this option to capture all connections initiated by FTP and TCP-based applications.
To specify only some applications to be captured, click Add and enter the name of an application or locate the application with Browse.... You can list several applications. The path and application name must be given using regular expressions following the egrep syntax. If you use Browse, the GUI enters the applications automatically in the correct format. For information on the syntax, see Appendix D.
To modify or delete the listed applications, select the relevant application and click Edit or Delete.
Note: When Internet Explorer is used in protected mode, Connection Broker may request the authentication procedure for the same destination SSH connection twice, because connections are not shared between low and higher integrity processes for security reasons.
Define hosts whose connections will be captured.
Any host or IP address: Select this option to capture the connections to all hosts.
Host name: Select this option to capture only the connections to individual hosts. Define the DNS address(es) of the host(s) in a comma-separated list. Tectia ConnectSecure will resolve the IP address using a DNS query. The value can also be a regular expression following the egrep syntax.
IP address: Select this option to capture only the connections to the defined IP address(es). The value can also be a regular expression following the egrep syntax. In this case the Connection Broker does the string matching with the assumption that the IP address is written in its canonical form.
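The top-down, first-match scan and the canonical-form string matching of IP addresses described above can be modelled to test a rule list before deploying it. This is an added Python example, not the Connection Broker's code: the rule list, addresses and function names are constructed, Python's re module stands in for egrep on these simple patterns, and patterns are assumed to match anywhere in the string unless anchored, which the page does not state.

```python
import ipaddress
import re

# Constructed rule list in top-down order: (host or IP pattern, action).
RULES = [
    ("10.1.2.3", "direct"),               # meant for one legacy host only
    (r"^10\.1\.2\.[0-9]+$", "tunnel"),    # meant for every host in 10.1.2.x
    (r"^2001:db8::[0-9a-f]+$", "tunnel"),
    (".*", "block"),                      # stands in for "Any host or IP address"
]


def canonical(target):
    """Return the canonical text form of an IP address; leave DNS names as given."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        return target


def first_match(rules, target):
    """Scan top-down and return (index, action) of the first matching rule."""
    text = canonical(target)
    for index, (pattern, action) in enumerate(rules):
        if re.search(pattern, text):
            return index, action
    return None, None


def audit(rules, expectations):
    """Return (target, intended, actual, rule index) for every mismatch."""
    findings = []
    for target, intended in expectations:
        index, actual = first_match(rules, target)
        if actual != intended:
            findings.append((target, intended, actual, index))
    return findings


if __name__ == "__main__":
    # Constructed expectations: what the administrator intends for each address.
    wanted = [("10.1.2.3", "direct"), ("10.1.2.30", "tunnel"),
              ("10.1.2.7", "tunnel"), ("2001:DB8::0001", "tunnel")]
    for finding in audit(RULES, wanted):
        print("unexpected action:", finding)
```

Under these assumptions the unescaped, unanchored first pattern also matches 10.1.2.30, so that host gets a direct connection instead of a tunnel; writing the rule as ^10\.1\.2\.3$ removes the over-match.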
Define the ports whose connections will be captured.
Any port: Select this option to capture the connections of all ports.
Single port: Select this option to define only individual port(s) to be captured. Enter the port number(s) in a comma-separated list.
Port range: Select this option to define a range of port numbers whose connections will be captured.
Connect directly: Select this option to make the connection directly to the host without tunneling, using the host's IP address if it can be resolved. If it cannot be resolved, the connection fails.
Block connection: Select this option to block the connection. Applications usually inform the user that the connection is refused.
Transparent TCP tunneling using: Activates transparent TCP tunneling for the defined connections. Select from the drop-down menu whether the transparent TCP tunneling is used with the default settings, or through a connection profile. By default, the transparent TCP tunneling uses the destination host name received from the application that initiated the connection. When a profile is used, you can choose to use the destination host name and the user name defined in the profile, or those received from the application.
If the connection is made using a DNS name, the tunnel is created with the DNS name. This means that the actual DNS name resolution is done at the remote end, which enables tunneling connections to hosts that are not visible to the local machine. If the used port does not match a port or port range, the connection is direct.
Transparent FTP tunneling using: Activates transparent FTP tunneling for the defined connections. Select from the drop-down menu whether the transparent FTP tunneling is used with the default settings, or through a connection profile. By default, the transparent FTP tunneling uses the user name and the destination host name received from the application that initiated the connection. When a profile is used, you can choose to use the destination and user name defined in the profile, or those received from the application.
FTP-SFTP conversion using: Activates FTP-SFTP conversion for the defined connections. Select from the drop-down menu whether the FTP connections will be converted to SFTP with the default settings or through a connection profile. By default, the FTP-SFTP conversion uses the user name and the destination host name received from the application that initiated the connection. When a profile is used, the destination and user name defined in the profile are used. If the profile defines the destination host name or the user name with an asterisk (*), then the names received from the application are used.
Use user name from the application: Select this option to make Tectia ConnectSecure resolve and use the user name sent by the application. When the check box is not selected, the user is requested to enter the user name, or the current Windows user name is applied. This setting is enabled by default for transparent FTP tunneling and FTP-SFTP conversion. Disable this setting in case you use transparent FTP tunneling through a connection profile where the user name is defined, because this setting will override any user name settings made in the profile. Use a connection profile where the user name selection is Use current Windows user name or Prompt user for the user name.
Use host name from the application: Select this option to make Tectia ConnectSecure resolve and use the host name sent by the application (instead of doing a DNS query) to establish a tunnel to the destination host. When the check box is not selected, a normal DNS query is made.
By default, Use host name from the application is enabled for transparent FTP and TCP tunneling, and for FTP-SFTP conversion. When transparent TCP or FTP tunneling is made through a connection profile, you can choose to disable this setting.
Fall back to direct connection if secure connection fails: For transparent FTP or TCP tunneling, select this option to allow a direct (unsecured plain-text) connection in case creating a tunnel fails or the connection to the Secure Shell server fails. If this is not selected, the Connection Broker will return an error about not being able to establish a connection.
Connection is made from public to private network: Use this option if the connection is made from a public network to a private network with its own address space. This setting specifies whether a pseudo IP address will be used when an IP address cannot be resolved by the Connection Broker. When the check box is not selected, a normal DNS query is made for the target host name. When the check box is selected, the Connection Broker assigns a pseudo IP address for the target host and the Secure Shell server will resolve the real IP address. This is needed because the name resolution for machines located in an internal network is not available from outside.
The start addresses (IPv4 and IPv6) of pseudo IP address spaces are defined on the Connection Capture page. For more details, see Defining the Connection Capture Settings.