Global Parameters: Proxy

HTTP Proxy [Deprecated]

This parameter enables an HTTP Proxy server that allows high-trust login to WEB applications and WEB Sites.

Note that the System server should be restarted to initialize the HTTP Proxy server.

HTTP Proxy Connect Timeout

Timeout for connecting to the upstream server on a new connection, in seconds. If set to 0 then the parameter defaults to 40 seconds.

Restart the service after updating this parameter.

HTTP Proxy Domains

WEB Domains to be handled by HTTP Proxy for high-trust login.

HTTP Proxy Idle Connection Timeout

Timeout after which to disconnect idle connections, in seconds. If set to 0 then the parameter defaults to 70 seconds.

Restart the service after updating this parameter.

HTTP Proxy Port

Port for HTTP Proxy server.

HTTP User Placeholder

This parameter defines a placeholder to type into the User field of a WEB application or a WEB site to be resolved by the HTTP Proxy server to enable high-trust login.

HTTP Password Placeholder

This parameter defines a placeholder to type into the Password field of a WEB application or a WEB site to be resolved by the HTTP Proxy server to enable high-trust login.

Proxy Key Password

Private key password for the RDP, SQL, HTTP and Universal proxies, used to secure the communication link between native clients and the proxy.

The initial value of this parameter is randomly generated together with the keys and certificates during system initialization. When the keys are replaced, the system administrator can either use the password defined by this parameter or update the password using this parameter.

The keys are located in the folder $PAM_HOME/content/keys and should be replicated between nodes in high availability deployments. The RDP, SQL and Universal Proxy key pair is stored in the files keystore_rdp.p12 (private key) and certificate_rdp.cer (public key). The HTTP Proxy key pair is stored in the files keystore.p12 (private key) and certificate.cer (public key).

RDP Proxy

This parameter enables an RDP Proxy server that allows high-trust login to Windows servers or desktop computers using native clients such as MS RDP (mstsc), RDCMan, mRemoteNG, mobile remote desktop clients, etc.

Note that the System server should be restarted to initialize the RDP Proxy server.

To connect to an RDP server through the RDP Proxy, specify the RDP Proxy host and port in the client application as the destination server and user#record as the user, where user is a system user and record is either a Record ID or a search criteria identifying a single record. The session will then be established with the host and credentials stored on that record.

RDP Proxy Idle Timeout

Disconnect open RDP proxy session if it is idle for the specified number of seconds.

If set to 0 then it will never disconnect idle sessions.

RDP Proxy Ciphers Deny List

This parameter disables security ciphers by regular expression pattern. Multiple patterns must be separated by commas.

Examples:

  • .*_SHA - denies all ciphers whose name ends in _SHA (the SHA1 hashing algorithm).

  • TLS_RSA.*, .*_SHA - denies all RSA key exchange ciphers and all ciphers using SHA1 hashing.

The resulting RDP Proxy Client Ciphers and RDP Proxy Server Ciphers are written to $PAM_HOME/web/logs/pam.log during application startup, so the effect of a deny list can be verified there after a restart.
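The following added example (not code from the product) shows how the two deny-list examples above filter a list of cipher suite names. It assumes that each pattern must match the whole cipher name, which is what makes ".*_SHA" deny only names ending in _SHA and leave the SHA256/SHA384 suites alone; the cipher names are a constructed sample, not the product's list.

```python
import re

# Constructed sample of cipher suite names in the style the RDP Proxy logs
# to pam.log at startup (not taken from the page).
SAMPLE_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def parse_deny_list(value: str) -> list:
    """Split the comma-separated parameter value and compile each pattern.

    Surrounding whitespace is ignored, so "TLS_RSA.*, .*_SHA" yields two
    patterns; empty entries left by a trailing comma are skipped.
    """
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def apply_deny_list(ciphers: list, deny_list: str) -> tuple:
    """Return (allowed, denied) after applying the deny list to ciphers.

    Assumption: a pattern must match the whole cipher name (full match),
    which is why ".*_SHA" denies names ending in _SHA but keeps the
    ..._SHA256 and ..._SHA384 suites, as the examples in the text state.
    """
    patterns = parse_deny_list(deny_list)
    allowed, denied = [], []
    for cipher in ciphers:
        blocked = any(p.fullmatch(cipher) for p in patterns)
        (denied if blocked else allowed).append(cipher)
    return allowed, denied


if __name__ == "__main__":
    for deny in (".*_SHA", "TLS_RSA.*, .*_SHA"):
        allowed, denied = apply_deny_list(SAMPLE_CIPHERS, deny)
        print(f"deny list {deny!r}:\n  denied : {denied}\n  allowed: {allowed}")
```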

RDP Proxy Port

This parameter defines the access port on which the RDP Proxy server serves high-trust login for native clients.

Note that the System server should be restarted to initialize the RDP Proxy server with a new port.

RDP Proxy Protocol Level

This parameter controls the RDP Proxy protocol level used for both client-to-proxy and proxy-to-remote-server authentication.

  • nla stands for Network Level Authentication. Using nla requires TLS encryption and performs the authentication steps before the remote desktop session starts.
  • ext stands for Extended NLA. This protocol is almost the same as NLA but additionally requires an "Early User Authorization Result" message sent from the server immediately after authentication is performed.

SSH Proxy

This parameter enables an SSH Proxy server that allows high-trust login to SSH servers (such as Unix hosts or network devices) using native clients such as a Unix shell, PuTTY, SecureCRT, etc.

Note that the System server should be restarted to initialize the SSH Proxy server.

SSH Proxy Allowed Channels

This parameter controls which channels/subsystems client software is allowed to use when connecting through the SSH Proxy server.

Supported channels are:

  • shell - Allows shell connection.

  • exec - Allows remote command execution including scp transfer.

  • sftp - Allows file transfer using SFTP protocol.

  • tunnel - Allows SSH tunnels over SSH Proxy.

These settings can be overridden at the record level using a custom field named SshChannels. There are two ways to override the channel settings:

  1. List the channels allowed for the current record. For example, the value shell, exec allows only the shell and exec channels to be opened.

  2. Use the system defaults but add or remove specific channels. For example, the value +sftp,-tunnel keeps the setting from the system parameter but additionally allows sftp and denies tunnel channels.
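As an added example (not the product's own code), the function below resolves the effective channel set from the system parameter and a record's SshChannels field using the two override forms just described. Two details the page does not state are assumptions here: unknown channel names are rejected, and mixing a plain list with +/- modifiers in one value is rejected.

```python
# Channels the page lists as supported by the SSH Proxy.
SUPPORTED_CHANNELS = frozenset({"shell", "exec", "sftp", "tunnel"})


def _split(value: str) -> list:
    """Split a comma-separated value, trimming blanks and dropping empties."""
    return [item.strip() for item in value.split(",") if item.strip()]


def _check(name: str) -> str:
    """Assumption: names outside the supported set are a configuration error."""
    if name not in SUPPORTED_CHANNELS:
        raise ValueError(f"unknown SSH channel: {name!r}")
    return name


def resolve_channels(system_value: str, record_value: str = "") -> set:
    """Return the channels allowed for a session.

    system_value is the SSH Proxy Allowed Channels parameter; record_value
    is the record's optional SshChannels custom field. A plain list replaces
    the system setting; entries prefixed with + or - adjust it.
    """
    allowed = {_check(name) for name in _split(system_value)}
    items = _split(record_value)
    if not items:                      # no override on the record
        return allowed
    modifiers = [item for item in items if item[0] in "+-"]
    if not modifiers:                  # form 1: explicit list replaces defaults
        return {_check(name) for name in items}
    if len(modifiers) != len(items):   # assumption: the two forms cannot be mixed
        raise ValueError("SshChannels mixes a plain list with +/- modifiers")
    for item in items:                 # form 2: adjust the system defaults
        name = _check(item[1:])
        if item[0] == "+":
            allowed.add(name)
        else:
            allowed.discard(name)
    return allowed


if __name__ == "__main__":
    # Constructed sample values mirroring the two examples in the text.
    print(resolve_channels("shell, exec, sftp, tunnel", "shell, exec"))
    print(resolve_channels("shell, exec", "+sftp,-tunnel"))
```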

SSH Proxy Banner

This parameter defines the banner displayed to SSH Proxy clients.

Use \n character for new line separator.

Note that update of this parameter requires a restart of SSH Proxy service.

SSH Proxy Ciphers

Cipher algorithms used by the SSH Proxy server for data encryption. The algorithm list should be comma-separated.

Available algorithms: aes128-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc. Available vulnerable algorithms: arcfour128, arcfour256, blowfish-cbc, 3des-cbc.

Default settings exclude known weak algorithms.

SSH Proxy Idle Timeout

Disconnect an open SSH Proxy session if it is idle for the specified number of seconds.

If set to 0 then it will never disconnect idle sessions.

SSH Proxy Keep Alive Count

The number of keep-alive messages sent without a response from the client. Once this limit is exceeded, the stale session is disconnected.

If set to 0 never send such messages.

SSH Proxy Keep Alive Interval

Send keep-alive messages every specified number of seconds.

If set to 0 never send such messages.

SSH Proxy Key Exchange Algorithms

Key Exchange Algorithms used by the SSH Proxy server to securely exchange encryption keys with the connected client. The algorithm list should be comma-separated.

Available algorithms: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256. Available vulnerable algorithms: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1.

Default settings exclude known weak algorithms.

SSH Proxy Macs

Message Authentication Code algorithms used by the SSH Proxy server for data integrity protection.

The algorithm list should be comma-separated.

Available algorithms: hmac-sha2-512-etm@openssh.com, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1-etm@openssh.com, hmac-sha1. Available vulnerable algorithms: hmac-md5, hmac-md5-96, hmac-sha1-96.

Default settings exclude known weak algorithms.

SSH Proxy Port

This parameter defines the access port on which the SSH Proxy server serves high-trust login for native clients.

Defines a custom port for the universal proxy service (default: 2017).

System parameter: xtam.proxy.universal=enabled|disabled

Note that the PAM server should be restarted to initialize the SSH Proxy server with a new port.

SSH Proxy Public Key Expiration (in days)

SSH Proxy Public Key expiration in days.

Leave this parameter blank to disable SSH Proxy Public Key expiration.

Throttle SSH Proxy Automation Connections

This parameter defines an artificial delay in milliseconds that the SSH Proxy applies before every new connection made by a user with the Automation global role. The parameter can be a fixed value or a range (for example 500-1000), in which case the system selects a random delay in milliseconds within the range.

This parameter is used to throttle automation clients that frequently open multiple connections through the SSH Proxy, reducing the load on other system components.

Universal Proxy HTTP Forwarding

This parameter enables HTTP traffic forwarding mode for the Universal Proxy to a local or remote host.

Enables Native Session Manager and HTTP Proxy port forwarding.

System parameter: xtam.proxy.universal.forward.http=enabled|disabled

Universal Proxy HTTP Forwarding Host

This parameter holds the host:port value of the upstream server for HTTP traffic forwarding mode.

Defines Native Session Manager and HTTP Proxy port forwarding host (default: 127.0.0.1:8081).

System parameter: xtam.proxy.universal.forward.http.host=host:port

Universal Proxy HTTP Forwarding Use SSL

This parameter enables SSL support when connecting to the upstream server in HTTP traffic forwarding mode.

Enables SSL communication with WEB Session Manager.

System parameter: xtam.proxy.universal.forward.sm.ssl=enabled|disabled

Universal Proxy Session Manager Forwarding

This parameter enables Session Manager traffic forwarding mode for the Universal Proxy to a local or remote host.

Enables WEB Session Manager port forwarding.

System parameter: xtam.proxy.universal.forward.sm=enabled|disabled

Universal Proxy Session Manager Forwarding Host

This parameter holds the host:port value of the upstream server for Session Manager traffic forwarding mode.

Defines WEB Session Manager port forwarding host (default: 127.0.0.1:4822).

System parameter: xtam.proxy.universal.forward.sm.host=host:port

Universal Proxy Session Manager Forwarding Use SSL

This parameter enables SSL support when connecting to the upstream server in Session Manager traffic forwarding mode.

Enables SSL communication with WEB Session Manager.

System parameter: xtam.proxy.universal.forward.sm.ssl=enabled|disabled

Note that for WEB Session Manager forwarding, the remote node keystore should contain the certificate of the remote WEB Session Manager. In addition, master nodes should contain the certificates of the remote universal proxy instead of the remote WEB Session Manager. In this scenario the remote WEB Session Manager can be completely hidden behind the firewall, because only the remote universal proxy on the same node will connect to it.
