Global Parameters: Proxy
HTTP Proxy [Deprecated]
This parameter enables an HTTP Proxy server that allows high-trust login to WEB applications and WEB Sites.
Note that the System server should be restarted to initialize the HTTP Proxy server.
HTTP Proxy Connect Timeout
Timeout for connecting to the upstream server on a new connection, in seconds. If set to 0 then the parameter defaults to 40 seconds.
Restart the service after updating this parameter.
HTTP Proxy Domains
WEB Domains to be handled by HTTP Proxy for high-trust login.
HTTP Proxy Idle Connection Timeout
Timeout after which to disconnect idle connections, in seconds. If set to 0 then the parameter defaults to 70 seconds.
Restart the service after updating this parameter.
HTTP Proxy Port
Port for HTTP Proxy server.
HTTP User Placeholder
This parameter defines a placeholder to type into the User field of a WEB application or a WEB site to be resolved by the HTTP Proxy server to enable high-trust login.
HTTP Password Placeholder
This parameter defines a placeholder to type into the Password field of a WEB application or a WEB site to be resolved by the HTTP Proxy server to enable high-trust login.
Oracle Proxy
This parameter enables an Oracle Proxy server that allows high-trust login to Oracle RDBMS servers using native clients such as sqlplus, Oracle SQL Developer, Quest Toad for Oracle, etc.
Note that the System server should be restarted to initialize the Oracle Proxy server.
Oracle Proxy Port
This parameter defines the access port for the Oracle Proxy server to serve high-trust login for native clients.
Note that the System server should be restarted to initialize the Oracle Proxy server with a new port.
RDP Proxy
This parameter enables an RDP Proxy server that allows high-trust login to Windows servers or desktop computers using native clients such as MS RDP (mstsc), RDCMan, mRemoteNG, mobile remote desktop clients, etc.
Note that the System server should be restarted to initialize the RDP Proxy server.
To connect to an RDP server through the RDP Proxy, specify the RDP Proxy host and port in the client application as the destination server, and user#record as the user name, where user is a system user and record is either a Record ID or search criteria identifying a single record. In this case, the session is established with the host and credentials stored on the record.
RDP Proxy Idle Timeout
Disconnects an open RDP Proxy session if it is idle for the specified number of seconds.
If set to 0 then it will never disconnect idle sessions.
RDP Proxy Ciphers Deny List
This parameter disables security ciphers by regular expression pattern. Multiple patterns must be separated by commas.
Examples:
.*_SHA denies all ciphers whose name ends in _SHA (the SHA1 hashing algorithm).
TLS_RSA.*, .*_SHA denies all RSA algorithms and all ciphers using SHA1 hashing.
RDP Proxy Client Ciphers and RDP Proxy Server Ciphers are written to $PAM_HOME/web/logs/pam.log during application startup.
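The following added example (not part of the product documentation or the product's own code) shows how a deny-list value in the format described above can be checked against a cipher list before it is applied, so the effect of the patterns is visible before a restart. It assumes each pattern must match a full cipher-suite name, which is how the page's own examples (.*_SHA, TLS_RSA.*) are written, and uses a constructed sample list of standard TLS cipher-suite names.

```python
import re

# Constructed sample list of standard TLS cipher-suite names; not taken
# from the page or from the pam.log of any real installation.
SAMPLE_CIPHERS = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def parse_deny_list(value):
    """Split a comma-separated deny-list value into compiled patterns.
    Whitespace around a pattern is tolerated and empty entries are dropped;
    an invalid regular expression raises ValueError naming the pattern."""
    patterns = []
    for raw in value.split(","):
        pat = raw.strip()
        if not pat:
            continue
        try:
            patterns.append(re.compile(pat))
        except re.error as exc:
            raise ValueError(f"invalid pattern {pat!r}: {exc}") from exc
    return patterns


def apply_deny_list(ciphers, value):
    """Return (allowed, denied) for a cipher list under a deny-list value.
    allowed keeps the original order; denied maps each removed cipher to the
    first pattern that matched it. Full-name matching is an assumption."""
    patterns = parse_deny_list(value)
    allowed, denied = [], {}
    for name in ciphers:
        hit = next((p.pattern for p in patterns if p.fullmatch(name)), None)
        if hit is None:
            allowed.append(name)
        else:
            denied[name] = hit
    return allowed, denied
```

With ".*_SHA" only the two suites ending in _SHA are removed; the _SHA256 and _SHA384 suites stay because the pattern must match the whole name.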
RDP Proxy Port
This parameter defines the access port for the RDP Proxy server to serve high-trust login for native clients.
Note that the System server should be restarted to initialize the RDP Proxy server with a new port.
RDP Proxy Protocol Level
This parameter controls the RDP Proxy protocol level used for both client-to-proxy and proxy-to-remote-server authentication.
- nla stands for Network Level Authentication. Using nla requires TLS encryption and performs the authentication steps before the remote desktop session is started.
- ext stands for Extended NLA. This protocol is almost the same as NLA but, in addition, requires the server to send an "Early User Authorization Result" immediately after authentication is performed.
SSH Proxy
This parameter enables an SSH Proxy server that allows high-trust login to SSH servers (such as Unix or network devices) using native clients such as Unix Shell, Putty, Secure CRT, etc.
Note that the System server should be restarted to initialize the SSH Proxy server.
SSH Proxy Banner
This parameter defines the banner displayed to SSH Proxy clients.
Use the \n character as the new-line separator.
Note that updating this parameter requires a restart of the SSH Proxy service.
SSH Proxy Ciphers
Cipher algorithms used by the SSH Proxy server for data encryption. The algorithm list should be comma-separated.
Available algorithms: aes128-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc. Available vulnerable algorithms: arcfour128, arcfour256, blowfish-cbc, 3des-cbc.
Default settings exclude known weak algorithms.
SSH Proxy Idle Timeout
Disconnects an open SSH Proxy session if it is idle for the specified number of seconds.
If set to 0 then it will never disconnect idle sessions.
SSH Proxy Keep Alive Count
The number of keep-alive messages sent without a response from the client. Once this limit is exceeded, the stale session is disconnected.
If set to 0, such messages are never sent.
SSH Proxy Keep Alive Interval
Send keep-alive messages every specified number of seconds.
If set to 0, such messages are never sent.
SSH Proxy Key Exchange Algorithms
Key Exchange Algorithms used by the SSH Proxy server to securely exchange encryption keys with the connected client. The algorithm list should be comma-separated.
Available algorithms: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256. Available vulnerable algorithms: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1.
Default settings exclude known weak algorithms.
SSH Proxy Macs
Message Authentication Code algorithms used by the SSH Proxy server for data integrity protection.
The algorithm list should be comma-separated.
Available algorithms: hmac-sha2-512-etm@openssh.com, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1-etm@openssh.com, hmac-sha1. Available vulnerable algorithms: hmac-md5, hmac-md5-96, hmac-sha1-96.
Default settings exclude known weak algorithms.
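The SSH Proxy Ciphers, Key Exchange Algorithms and Macs parameters above share one value format, a comma-separated list of algorithm names drawn from the "available" and "available vulnerable" sets the page lists. This added example (not the product's own code) audits a proposed value before it is applied, reporting entries that would reintroduce a weak algorithm, names the proxy does not list (likely typos) and duplicates. The algorithm sets are copied from the text above; the function name and return structure are this example's own.

```python
# Algorithm sets exactly as listed on this page for the three SSH Proxy parameters.
AVAILABLE = {
    "ciphers": {"aes128-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "kex": {"ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512",
            "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512",
            "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-512",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256",
             "hmac-sha1-etm@openssh.com", "hmac-sha1"},
}
VULNERABLE = {
    "ciphers": {"arcfour128", "arcfour256", "blowfish-cbc", "3des-cbc"},
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}


def audit_algorithm_list(kind, value):
    """Classify each entry of a comma-separated parameter value.
    kind is "ciphers", "kex" or "macs". Returns the accepted names in their
    configured (preference) order, plus the weak, unknown and duplicated
    entries that should be fixed before the value is saved. Whitespace
    around names is ignored and empty entries are skipped."""
    seen, accepted, weak, unknown, duplicates = set(), [], [], [], []
    for raw in value.split(","):
        name = raw.strip()
        if not name:
            continue
        if name in seen:
            duplicates.append(name)
            continue
        seen.add(name)
        if name in VULNERABLE[kind]:
            weak.append(name)
        elif name in AVAILABLE[kind]:
            accepted.append(name)
        else:
            unknown.append(name)
    return {"accepted": accepted, "weak": weak,
            "unknown": unknown, "duplicates": duplicates}
```

A value is safe to apply only when "weak" and "unknown" are both empty; "accepted" then shows the preference order the proxy will offer.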
SSH Proxy Port
This parameter defines the access port for the SSH Proxy server to serve high-trust login for native clients.
Defines a custom port for the universal proxy service (default: 2017).
System parameter: xtam.proxy.universal=enabled|disabled
Note that the PAM server should be restarted to initialize the SSH Proxy server with a new port.
SSH Proxy Public Key Expiration (in days)
SSH Proxy Public Key expiration in days.
Leave this parameter blank to disable SSH Proxy Public Key expiration.
Universal Proxy
Enables or disables the universal proxy service.
System parameter: xtam.proxy.universal=enabled|disabled
Universal Proxy HTTP Forwarding
This parameter enables HTTP traffic forwarding mode for Universal Proxy to local or remote host.
Enables Native Session Manager and HTTP Proxy port forwarding.
System parameter: xtam.proxy.universal.forward.http=enabled|disabled
Universal Proxy HTTP Forwarding Host
This parameter holds the host:port value of the upstream server for HTTP traffic forwarding mode.
Defines Native Session Manager and HTTP Proxy port forwarding host (default: 127.0.0.1:8081).
System parameter: xtam.proxy.universal.forward.http.host=host:port
Universal Proxy HTTP Forwarding Use SSL
This parameter enables SSL support when connecting to the upstream server for HTTP traffic forwarding mode.
Enables SSL communication with WEB Session Manager.
System parameter: xtam.proxy.universal.forward.sm.ssl=enabled|disabled
Universal Proxy Session Manager Forwarding
This parameter enables Session Manager traffic forwarding mode for Universal Proxy to local or remote host.
Enables WEB Session Manager port forwarding.
System parameter: xtam.proxy.universal.forward.sm=enabled|disabled
Universal Proxy Session Manager Forwarding Host
This parameter holds the host:port value of the upstream server for Session Manager traffic forwarding mode.
Defines WEB Session Manager port forwarding host (default: 127.0.0.1:4822).
System parameter: xtam.proxy.universal.forward.sm.host=host:port
Universal Proxy Session Manager Forwarding Use SSL
This parameter enables SSL support when connecting to the upstream server for Session Manager traffic forwarding mode.
Enables SSL communication with WEB Session Manager.
System parameter: xtam.proxy.universal.forward.sm.ssl=enabled|disabled
Note that for WEB Session Manager forwarding, the remote node keystore should contain the certificate of the remote WEB Session Manager. In addition, master nodes should contain the certificate of the remote universal proxy instead of that of the remote WEB Session Manager. In this scenario the remote WEB Session Manager can be completely hidden behind the firewall, because only the remote universal proxy connects to the remote WEB Session Manager on the same node.