Global Parameters: Proxy

HTTP Proxy [Deprecated]

This parameter enables an HTTP Proxy server that allows high-trust login to WEB applications and WEB Sites.

Note that the System server should be restarted to initialize the HTTP Proxy server.

HTTP Proxy Connect Timeout

Timeout for connecting to the upstream server on a new connection, in seconds. If set to 0 then the parameter defaults to 40 seconds.

Restart the service after updating this parameter.

HTTP Proxy Domains

WEB Domains to be handled by HTTP Proxy for high-trust login.

HTTP Proxy Idle Connection Timeout

Timeout after which to disconnect idle connections, in seconds. If set to 0 then the parameter defaults to 70 seconds.

Restart the service after updating this parameter.

HTTP Proxy Port

Port for HTTP Proxy server.

HTTP User Placeholder

This parameter defines a placeholder to type into the User field of a WEB application or a WEB site to be resolved by the HTTP Proxy server to enable high-trust login.

HTTP Password Placeholder

This parameter defines a placeholder to type into the Password field of a WEB application or a WEB site to be resolved by the HTTP Proxy server to enable high-trust login.

Oracle Proxy

This parameter enables an Oracle Proxy server that allows high-trust login to Oracle RDBMS servers using native clients such as sqlplus, Oracle SQL Developer, Quest Toad for Oracle, etc.

Note that the System server should be restarted to initialize the Oracle Proxy server.

Oracle Proxy Port

This parameter defines the access port for the Oracle Proxy server to serve high-trust login for native clients.

Note that the System server should be restarted to initialize the Oracle Proxy server with a new port.

RDP Proxy

This parameter enables an RDP Proxy server that allows high-trust login to Windows servers or desktop computers using native clients such as MS RDP (mstsc), RDCMan, mRemoteNG, mobile remote desktop clients, etc.

Note that the System server should be restarted to initialize the RDP Proxy server.

To connect to an RDP server through the RDP Proxy, specify the RDP Proxy host and port in the client application as the destination server and user#record as the user, where user is a system user and record is either a Record ID or search criteria identifying a single record. In this case, the session will be established with the host and credentials on the record.

RDP Proxy Idle Timeout

Disconnect open RDP proxy session if it is idle for the specified number of seconds.

If set to 0 then it will never disconnect idle sessions.

RDP Proxy Ciphers Deny List

This parameter disables security ciphers by regular expression pattern. Multiple patterns must be separated by commas.

Examples:

.*_SHA denies all ciphers ending in _SHA (the SHA1 hashing algorithm).

TLS_RSA.*, .*_SHA denies all RSA algorithms and those with SHA1 hashing.

RDP Proxy Client Ciphers and RDP Proxy Server Ciphers are written to $PAM_HOME/web/logs/pam.log during application startup.
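A deny list can be previewed against the cipher names from pam.log before it is saved. The following is an added example, not code from the product: the function names and the sample cipher list are constructed, and it assumes a pattern must match the whole cipher name, as the description of .*_SHA above implies.

```python
import re

def parse_deny_list(value):
    """Split the comma-separated parameter value into (text, compiled) pairs."""
    return [(p.strip(), re.compile(p.strip())) for p in value.split(",") if p.strip()]

def apply_deny_list(value, ciphers):
    """Return (allowed, denied) cipher names, preserving input order.

    Assumption: a pattern must match the entire name, so '.*_SHA' removes
    names ending in _SHA but keeps ..._SHA256 and ..._SHA384.
    """
    patterns = parse_deny_list(value)
    allowed, denied = [], []
    for name in ciphers:
        hit = any(rx.fullmatch(name) for _, rx in patterns)
        (denied if hit else allowed).append(name)
    return allowed, denied

def unused_patterns(value, ciphers):
    """Patterns that deny nothing: usually a typo or an already-absent cipher."""
    return [text for text, rx in parse_deny_list(value)
            if not any(rx.fullmatch(name) for name in ciphers)]

# Constructed sample of standard TLS cipher suite names (not from a real pam.log).
SAMPLE_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for deny in (".*_SHA", "TLS_RSA.*, .*_SHA", ".*"):
        allowed, denied = apply_deny_list(deny, SAMPLE_CIPHERS)
        print(f"deny list {deny!r}: {len(denied)} denied, {len(allowed)} left")
        if not allowed:
            print("  warning: no cipher left, clients could not negotiate TLS")
        for text in unused_patterns(deny, SAMPLE_CIPHERS):
            print(f"  note: pattern {text!r} matches no listed cipher")
```

Because the parameter is split on commas, a pattern that itself contains a comma (for example a {1,2} quantifier) would be broken into two patterns.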

RDP Proxy Port

This parameter defines the access port for the RDP Proxy server to serve high-trust login for native clients.

Note that the System server should be restarted to initialize the RDP Proxy server with a new port.

RDP Proxy Protocol Level

This parameter controls the RDP Proxy protocol level used for both client-to-proxy and proxy-to-remote-server authentication.

  • nla stands for Network Level Authentication. Using nla requires TLS encryption and performs authentication steps before starting the remote desktop sessions.
  • ext stands for Extended NLA. This protocol is almost the same as NLA and in addition, requires "Early User Authorization Result" sent from the server immediately after authentication is performed.

SSH Proxy

This parameter enables an SSH Proxy server that allows high-trust login to SSH servers (such as Unix or network devices) using native clients such as Unix Shell, Putty, Secure CRT, etc.

Note that the System server should be restarted to initialize the SSH Proxy server.

SSH Proxy Banner

This parameter defines the banner displayed to SSH Proxy clients.

Use the \n character as the new-line separator.

Note that updating this parameter requires a restart of the SSH Proxy service.

SSH Proxy Ciphers

Cipher algorithms used by the SSH Proxy server for data encryption. The algorithm list should be comma-separated.

Available algorithms: aes128-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc. Available vulnerable algorithms: arcfour128, arcfour256, blowfish-cbc, 3des-cbc.

Default settings exclude known weak algorithms.

SSH Proxy Idle Timeout

Disconnect an open SSH Proxy session if it is idle for the specified number of seconds.

If set to 0 then it will never disconnect idle sessions.

SSH Proxy Keep Alive Count

The number of keep-alive messages that may go without a response from the client. After the limit is exceeded, the stale session is disconnected.

If set to 0, such messages are never sent.

SSH Proxy Keep Alive Interval

Send a keep-alive message every specified number of seconds.

If set to 0, such messages are never sent.

SSH Proxy Key Exchange Algorithms

Key Exchange Algorithms used by the SSH Proxy server to securely exchange encryption keys with the connected client. The algorithm list should be comma-separated.

Available algorithms: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256. Available vulnerable algorithms: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1.

Default settings exclude known weak algorithms.

SSH Proxy Macs

Message Authentication Code algorithms used by the SSH Proxy server for data integrity protection.

The algorithm list should be comma-separated.

Available algorithms: hmac-sha2-512-etm@openssh.com, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1-etm@openssh.com, hmac-sha1. Available vulnerable algorithms: hmac-md5, hmac-md5-96, hmac-sha1-96.

Default settings exclude known weak algorithms.
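After changing SSH Proxy Ciphers, SSH Proxy Key Exchange Algorithms or SSH Proxy Macs, the algorithms the proxy actually offers can be checked from the debug output of an OpenSSH client run with -vv. The following is an added example, not code from the product: it flags the algorithms this page lists as vulnerable, and the sample output is constructed in the OpenSSH debug2 line format.

```python
import re

# Algorithms this page lists as "vulnerable" for each SSH Proxy parameter.
WEAK = {
    "KEX algorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                       "diffie-hellman-group-exchange-sha1"},
    "ciphers": {"arcfour128", "arcfour256", "blowfish-cbc", "3des-cbc"},
    "MACs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}
LINE = re.compile(r"^debug2: (KEX algorithms|ciphers|MACs)(?: (?:ctos|stoc))?: (\S+)$")

def weak_offered(ssh_debug_output):
    """Map parameter -> sorted weak algorithms found in the server's proposal.

    The client's own proposal appears in the same output and is skipped:
    only lines after 'peer server KEXINIT proposal' describe the proxy.
    """
    found = {name: set() for name in WEAK}
    in_server = False
    for line in ssh_debug_output.splitlines():
        line = line.strip()
        if line.startswith("debug2: peer server KEXINIT proposal"):
            in_server = True
        elif line.startswith("debug2: local client KEXINIT proposal"):
            in_server = False
        elif in_server:
            m = LINE.match(line)
            if m:
                found[m.group(1)] |= WEAK[m.group(1)] & set(m.group(2).split(","))
    return {name: sorted(algs) for name, algs in found.items() if algs}

# Constructed sample (not captured from a real proxy).
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug2: ciphers ctos: aes128-ctr,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-md5
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group1-sha1
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-sha1-96
"""

if __name__ == "__main__":
    for parameter, algorithms in weak_offered(SAMPLE).items():
        print(f"{parameter}: server still offers {', '.join(algorithms)}")
```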

SSH Proxy Port

This parameter defines the access port for the SSH Proxy server to serve high-trust login for native clients.

Defines custom port for universal proxy service (default: 2017).

System parameter: xtam.proxy.universal=enabled|disabled

Note that the PAM server should be restarted to initialize the SSH Proxy server with a new port.

SSH Proxy Public Key Expiration (in days)

SSH Proxy Public Key expiration in days.

Leave this parameter blank to disable SSH Proxy Public Key expiration.

Universal Proxy

Enables or disables the universal proxy service.

System parameter: xtam.proxy.universal=enabled|disabled

Universal Proxy HTTP Forwarding

This parameter enables HTTP traffic forwarding mode for Universal Proxy to local or remote host.

Enables Native Session Manager and HTTP Proxy port forwarding.

System parameter: xtam.proxy.universal.forward.http=enabled|disabled

Universal Proxy HTTP Forwarding Host

This parameter holds host:port value of upstream server for HTTP traffic forwarding mode.

Defines Native Session Manager and HTTP Proxy port forwarding host (default: 127.0.0.1:8081).

System parameter: xtam.proxy.universal.forward.http.host=host:port

Universal Proxy HTTP Forwarding Use SSL

This parameter enables SSL support when connecting to upstream server for HTTP traffic forwarding mode.

Enables SSL communication with WEB Session Manager.

System parameter: xtam.proxy.universal.forward.sm.ssl=enabled|disabled

Universal Proxy Session Manager Forwarding

This parameter enables Session Manager traffic forwarding mode for Universal Proxy to local or remote host.

Enables WEB Session Manager port forwarding.

System parameter: xtam.proxy.universal.forward.sm=enabled|disabled

Universal Proxy Session Manager Forwarding Host

This parameter holds host:port value of upstream server for Session Manager traffic forwarding mode.

Defines WEB Session Manager port forwarding host (default: 127.0.0.1:4822).

System parameter: xtam.proxy.universal.forward.sm.host=host:port

Universal Proxy Session Manager Forwarding Use SSL

This parameter enables SSL support when connecting to upstream server for Session Manager traffic forwarding mode.

Enables SSL communication with WEB Session Manager.

System parameter: xtam.proxy.universal.forward.sm.ssl=enabled|disabled


Note that for WEB Session Manager forwarding, the remote node keystore should contain the certificate of the remote WEB Session Manager. In addition, master nodes should contain certificates of the remote universal proxy instead of the remote WEB Session Manager. The remote WEB Session Manager in this scenario can be completely hidden behind the firewall, because only the remote universal proxy connects to the remote WEB Session Manager on the same node.
