Bastion User Guide en
Reference: https://doc.wallix.com/en/bastion/9.0.2/Bastion-user-guide
Copyright © 2021 WALLIX
WALLIX Bastion 9.0.2 – User Guide
Table of Contents
1. Introduction (page 3)
1.1. Preamble (page 3)
1.2. Copyright & Licenses (page 3)
1.3. Legend (page 3)
1.4. About this document (page 3)
2. General principles (page 5)
2.1. WALLIX Session Manager (page 5)
2.2. WALLIX Password Manager (page 5)
2.3. Session recording (page 6)
3. Using the WALLIX Bastion Web interface (GUI) (page 7)
3.1. “My Preferences” menu (page 8)
3.2. Summary (page 10)
3.3. “My Authorizations” menu - Session authorizations (page 10)
3.4. “My Authorizations” menu - Password authorizations (page 12)
3.5. Approval workflow (page 13)
3.5.1. Approval request for sessions (page 13)
3.5.2. Approval request for passwords (page 15)
3.6. X509 strong authentication (page 15)
4. Logging on to target devices (page 18)
4.1. General information (page 18)
4.2. Password or key authentication (page 18)
4.2.1. Generating a key under Linux (page 18)
4.2.2. Generating a key under Windows (page 19)
4.3. Simplified authentication in X509 mode (page 23)
4.4. SSH logons (page 24)
4.4.1. SSH specific options (page 24)
4.4.2. SSH logons from a Unix/Linux workstation (page 25)
4.4.3. SSH logons from a Windows workstation (page 30)
4.5. RDP logons (page 35)
4.5.1. RDP specific options (page 35)
4.5.2. RDP logons from a Linux workstation (page 35)
4.5.3. RDP logons from a Windows workstation (XP, Vista or 7, 8 or 10) (page 39)
5. Managing approval requests (page 43)
6. Troubleshooting (page 46)
6.1. General information on login issues (page 46)
6.2. Silent SSH session (page 46)
7. Contact WALLIX Bastion Support (page 48)
Chapter 1. Introduction
1.1. Preamble
Thank you for choosing WALLIX Bastion.
The WALLIX Bastion solution is marketed in the form of a dedicated, ready-to-use server or as a
virtual device for the following virtual environments:
This product has been engineered with the greatest care by our teams at WALLIX and we trust that
it will deliver complete satisfaction.
WALLIX
Service Support
250 bis, Rue du Faubourg Saint-Honoré
75008 PARIS
FRANCE
1.3. Legend
prompt $ command to input <parameter to replace>
command output
on one or more lines
prompt $
• use the WALLIX Bastion Web user interface (also called “GUI” in this document) to find out your
access rights, change your password or upload your SSH public key;
• use your usual connection tools in a way that is compatible with WALLIX Bastion.
Chapter 2. General principles
The role of WALLIX Bastion is to:
For WALLIX Bastion to relay your connections you must log on:
• either with your login and password for logging onto the WALLIX Bastion Web interface from your
browser and for connecting to target devices via RDP proxy
• or with your login and password for RDP sessions
• or with your login and password or your public key for SSH sessions.
• “auto logon” mode: you automatically log on to the target account without needing to know the
password
• “manual logon” mode: you manually log on to the target account and need to know the password.
Warning:
In order to ensure the security of data exchange, the user workstation must provide an
electronic certificate used by WALLIX Bastion to authenticate and must be configured to
allow WALLIX Bastion authentication from this electronic certificate.
• identify the users who are connected to specific devices and monitor their activity: sessions
can be viewed through the WALLIX Bastion Web interface or downloaded to be viewed locally
on your workstation. RDP sessions can be viewed in real time.
• get direct resource access using native clients such as PuTTY, WinSCP, MSTSC or OpenSSH.
• view the list of the target accounts for which you are authorized to view/check out the password
• access account credentials (login, password and SSH key)
2.3. Session recording
WALLIX Bastion can record user sessions (except X11 sessions) as stated in the SSH logon and
in the RDP logon prompt.
The commands you enter from your workstation (keyboard/mouse) and the responses from the
target device you are logged on to and which are displayed on your screen can be stored for later
viewing.
This feature can be activated and the session records can be viewed at any time by an authorized
WALLIX Bastion administrator.
Note:
Internet Explorer is not supported by the default interface.
Your browser must be configured to accept cookies and run JavaScript.
You can access the legacy interface by clicking on the “Legacy interface” icon at the top
of the page.
The bastion_ip_address has been provided by your WALLIX Bastion Administrator. If not, you can
use the domain name.
Then log on with the details provided by your WALLIX Bastion administrator:
• If your WALLIX Bastion administrator has enabled the Kerberos authentication method, then enter
the following URL in your browser’s address bar:
https://bastion_ip_address/iwab or https://<bastion_name>/iwab
• If your WALLIX Bastion administrator has provided you with an X509 certificate, then go to
Section 3.6, “X509 strong authentication”, page 15.
• If not, enter your login and password on the login screen and then click on the “Log in” button
(the “User name” field is not case-sensitive).
• If your administrator has set up two-factor authentication, also enter the required credentials
during secondary authentication.
• If your WALLIX Bastion administrator has set authentication from your AD, you may be prompted
for password change after expiration on the login screen.
Figure 3.1. Login screen
Note:
The login screen is displayed depending on your language preferences set in your
browser. Once you are connected, the GUI is displayed in the language that you
selected in your WALLIX Bastion settings (refer to Section 3.1, ““My Preferences”
menu”, page 8).
Figure 3.2. Home page
The menu on the left allows you to access the main features. This menu may vary depending on
your user profile and your assigned rights.
From the header on the upper part of the screen, you can:
• view the name of the user who is logged on. When hovering the mouse over the user name area,
a contextual menu shows the entries to the “My preferences” page, the “Legacy interface” icon
and the logout icon.
• access the contextual online help by clicking on the icon
• view the possible notifications by clicking on the icon.
This page can be used to change your personal settings. You can:
Warning:
Depending on the configuration set by your administrator, the “Password” tab may not
be displayed.
• drag-and-drop, upload or manually enter an SSH public key using the RSA, ED25519 or ECDSA
algorithm, or delete an existing SSH public key
Warning:
Depending on the configuration set by your administrator, the “SSH public key” tab may
not be displayed.
This key must be in the OpenSSH format. Otherwise an error message is displayed.
If you use PuTTYgen to generate the key, you must save in a text file the public key
displayed in the OpenSSH format during the generation. As an example, this key is
labelled as follows:
“ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204”
You can then upload this key on the “SSH public key” tab on this page.
If a key already exists, you can load a private key using PuTTYgen in order to generate
the corresponding public key in the appropriate format.
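As an added check (example code written for this guide, not part of WALLIX Bastion), the following Python validates a key line before it is pasted on the “SSH public key” tab: it accepts only the single-line OpenSSH format with the RSA, ED25519 or ECDSA types named above, verifies that the base64 blob is well-formed and carries the same key type as its prefix, reports the RSA modulus size, and rejects the multi-line SSH2/PEM files that PuTTYgen's “Save public key” button writes. The sample keys are constructed in the block and are not real credentials.

```python
import base64
import struct
from typing import Optional, Tuple

# Key algorithms the "My Preferences" page accepts (RSA, ED25519, ECDSA), named
# as they appear in the first field of an OpenSSH public key line.
ACCEPTED_TYPES = {
    "ssh-rsa",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 'string' (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("key blob is truncated")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("key blob is truncated")
    return blob[start:end], end


def check_openssh_public_key(text: str) -> Tuple[str, Optional[int], str]:
    """Check a key the way the upload expects it: one OpenSSH-format line
    '<type> <base64 blob> [comment]'. Returns (type, rsa_modulus_bits_or_None,
    comment), or raises ValueError with the reason the key would be refused."""
    stripped = text.strip()
    # PuTTYgen's "Save public key" button and PEM tools write multi-line files
    # with dashed headers; the GUI wants the single line PuTTYgen displays.
    if stripped.startswith("----") or "\n" in stripped:
        raise ValueError("not a single OpenSSH line: paste the line PuTTYgen "
                         "displays in OpenSSH format, not the saved SSH2/PEM file")
    parts = stripped.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError("unsupported key type %r (RSA, ED25519 or ECDSA only)" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64")
    inner_type, offset = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("type inside the blob (%r) does not match the %s prefix"
                         % (inner_type, key_type))
    fields = []
    while offset < len(blob):
        field, offset = _read_string(blob, offset)
        fields.append(field)
    if not fields:
        raise ValueError("key blob carries no key material")
    bits = None
    if key_type == "ssh-rsa":
        # ssh-rsa blob = type, e (mpint), n (mpint); the modulus size is what
        # the guide's 2,048-bit default / 4,096-bit advice refers to.
        if len(fields) != 2:
            raise ValueError("malformed ssh-rsa blob")
        bits = int.from_bytes(fields[1], "big").bit_length()
    return key_type, bits, comment


# Constructed sample keys: structurally valid, not real credentials.
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    # Positive mpint: add a leading zero byte when the top bit would be set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _key_line(key_type: str, *fields: bytes, comment: str) -> str:
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


SAMPLE_ED25519 = _key_line("ssh-ed25519", _ssh_string(bytes(32)),
                           comment="martin@workstation")
SAMPLE_RSA_2048 = _key_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1),
                            comment="rsa-key-20151204")

if __name__ == "__main__":
    for line in (SAMPLE_ED25519, SAMPLE_RSA_2048):
        print(check_openssh_public_key(line))
```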
Note:
The area allowing the password change is not available on this page if your user
authentication is external (for example, when your authentication is linked to a company
directory or a Kerberos KDC).
A password may be rejected (according to the configuration set by the WALLIX Bastion
administrator) in the following cases:
• if the password is included in the list of forbidden trivial passwords by the WALLIX Bastion
administrator
• if the password is too short or does not include any special characters, numbers or capital letters
• if the password corresponds to your login
• if the password is the same as a previous password.
3.2. Summary
On the pages of the Web interface, a summary is displayed on the right part of your screen. It gives
an overview of the data defined within WALLIX Bastion.
By clicking on the main entries of the summary, you are redirected to the concerned pages and
you can view, enter, add, edit or delete data. Note that you have the possibility to hide and show
this summary at any moment.
From the “Sessions” page on the “My Authorizations” menu, you can view the list of the targets to
which you are authorized to access.
On each line, you can access the target by clicking on one of the following icons:
• : this icon allows you to download an RDP configuration file or a shell script with the SSH
command (WALLIX-PuTTY on Windows or SSH on other systems) you can save to establish a
connection from an RDP or an SSH client (filename suffix .puttywab or .xsh or .rdp under Windows
and .sh or .remmina under Linux). In this case, the WALLIX Bastion password is required for the
connection.
• : (“Instant access (one-time password, limited in time)”): this icon allows you to open the file to
immediately establish a connection from an RDP client (filename suffix .rdp under Windows and
.sh or .remmina under Linux). In this case, no password is required but the access is granted for
a limited period of time. This icon is also displayed for the connection to an application.
• : (“Instant access with WALLIX-PuTTY (one-time password, limited in time)”): this icon allows
you to open the file to immediately establish a connection from an SSH client (filename suffix
.puttywab or .xsh under Windows and .sh under Linux). In this case, no password is required
but the access is granted for a limited period of time. For SSH authentication, also refer to
Section 4.4.2.1, “Target connection in interactive mode for SCP and SFTP protocols”, page 25.
Note:
To use the .puttywab files on Windows, the application WALLIX-PuTTY has to be
downloaded and installed from the link “Download WALLIX-PuTTY” displayed at the top
of the page. This link is only displayed when the workstation is running under Windows
and you are also authorized to connect to at least one SSH target. The installation sets
the file association so that the application is started automatically. The installation does
not require administrative privileges. However, the installation is only operational for the
logged user and not for all users of the workstation.
The link “Download RDP configuration file” displayed at the top of the page allows you
to download an RDP configuration file with the RemoteApp mode enabled. You can then
save the file to establish a connection to an application in interactive mode via the RDP
client selector. This link is only displayed when the RemoteApp mode is enabled and
you are also authorized to connect to at least one application. The RemoteApp mode is
enabled by default when accessing applications.
If an approval workflow has been defined to be authorized to access the target, click on “Request” in
the “Approval” column to notify the approvers and get access to the target. For further information,
refer to Section 3.5, “Approval workflow”, page 13.
From the “Passwords” page on the “My Authorizations” menu, you can view the list of the target
accounts for which you are authorized to check out the account's credentials.
• click on “View” at the beginning of the line to display in another page the credentials of the related
account.
• click on “Check out” at the beginning of the line to display the credentials of the related account
in another page. In this case, the lock has been enabled at the level of the checkout policy
associated with this account: only you can access the credentials at this time.
Important:
If an approval is not necessary to access the credentials or has been accepted
by approvers, you can directly check out the data. Otherwise, an error message
is displayed and you must send a request to access the credentials. For further
information, refer to Section 3.5, “Approval workflow”, page 13.
• click on “Check out remotely” at the beginning of the line to display in another page the credentials
of the related external vault account.
• identify an account that is locked because of an ongoing checkout. In this case, no action
can be performed until this lock is released.
• send a request to approvers to access the account's credentials by clicking on “Request” in the
“Approval” column at the end of the line. For further information, refer to Section 3.5, “Approval
workflow”, page 13.
When you have access to the page listing the account's credentials, you can view:
• the name of the account being checked out mentioned above the frame
• the login of the account
• the credentials of the account, which can be:
– the password if it has been defined for the account either on the local or the remote WALLIX
Bastion
– the SSH private key if it has been defined for the account either on the local or the remote
WALLIX Bastion. This key can be downloaded in the OpenSSH or PuTTY key formats and can
be encrypted with a passphrase entered in the dedicated field.
– the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority. This certificate can be downloaded in the OpenSSH or ssh.com
formats.
• click on the “Check in” button to end check out. You are then redirected to the page listing the
authorized target accounts. If the lock has been enabled in the checkout policy associated with
this account, this action also releases the lock of the account.
• click on the “Extend checkout” button if a checkout extension has been defined in the checkout
policy associated with the account. Otherwise this button is not displayed. This action extends
the checkout duration and can then be performed several times as long as the maximum duration
has not been reached.
When the lock has been enabled in the checkout policy associated with this account, the latter
remains locked for the period defined within this policy. It is then necessary to click on the “Check
in” button to release the lock of the account before the end of checkout duration. Nonetheless,
the account is automatically checked in at the end of this duration and the user is redirected to
the page listing the authorized target accounts. The remaining time before automatic check-in is
displayed below the credentials.
3.5. Approval workflow
If an approval workflow has been defined to be authorized to connect to a target or access the target
credentials, you must send a request for approval to notify the approvers and get the access.
The current requests are then listed at the bottom of the “Sessions” page as shown by Figure 3.4,
““My Authorizations” menu - “Sessions” page”, page 11. By clicking on the notepad icon at the
beginning of the line it is possible to cancel the request (if its status is “pending” or “approved”) and
send an email to all the concerned approvers.
The statuses of a valid request (its duration has not expired) can be either of the following:
• a request is marked as “accepted” when the quorum (i.e. the minimum number of favorable
answers required for the authorization) has been reached
Note:
When the request is accepted by the first approver and the start date and time have
been reached:
– the start date and time of the request are then updated with the start date and time
of this action
– the end date and time are then extended for the request duration from this action
• a request is marked as “rejected” and subsequently dismissed as soon as an approver rejects it.
The user is then notified by email of the reason for the rejection.
• a request is “pending” as long as the quorum has not been reached and it has not been rejected.
If the request is no longer valid, it is then marked as “closed” and it is no longer possible for an
approver to answer the request.
Once a request is approved, it is possible to start a new session as long as the period defined by
the request's duration has not expired. During this period, it is also possible to restart the session
multiple times. It is then not necessary to keep open the initial connection.
In the case you want to start a session immediately (with an SSH or RDP client), the proxy
offers the possibility to fill in a request form, as shown by Figure 3.7, “Approval request (RDP
Proxy)”, page 15, if the selected target requires an approval.
The current requests are then listed at the bottom of the “Passwords” page (refer to Figure 3.5,
““My Authorizations” menu - “Passwords” page”, page 13). By clicking on the notepad icon at
the beginning of the line it is possible to cancel the request (if its status is “pending” or “approved”)
and send an email to all the concerned approvers.
The statuses of a valid request (its duration has not expired) can be either of the following:
• a request is marked as “accepted” when the quorum (i.e. the minimum number of favorable
answers required for the authorization) has been reached
• a request is marked as “rejected” and subsequently dismissed as soon as an approver rejects it.
The user is then notified by email of the reason for the rejection.
• a request is “pending” as long as the quorum has not been reached and it has not been rejected.
If the request is no longer valid, it is then marked as “closed” and it is no longer possible for an
approver to answer the request.
Once a request is approved, it is possible to access the target credentials as long as the period
defined by the request's duration has not expired.
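The request life cycle described above for sessions and for passwords (the same statuses, the same quorum rule, and the start/end update on the first favourable answer once the start time has been reached), as a small Python model added here for illustration; it is not WALLIX code, and the approver names, times and quorum are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample clock values used by the demo below.
T0 = datetime(2021, 6, 1, 9, 0)
HOUR = timedelta(hours=1)


@dataclass
class ApprovalRequest:
    """One approval request: a quorum of favourable answers, a start date/time
    and a duration that together define its validity window."""
    quorum: int
    start: datetime
    duration: timedelta
    approvals: Dict[str, datetime] = field(default_factory=dict)
    rejected_by: Optional[str] = None
    rejection_reason: str = ""
    cancelled: bool = False

    def __post_init__(self) -> None:
        self.end = self.start + self.duration

    def status(self, now: datetime) -> str:
        if self.cancelled:
            return "cancelled"
        if now > self.end:
            return "closed"       # no longer valid: approvers can no longer answer
        if self.rejected_by is not None:
            return "rejected"     # dismissed as soon as one approver rejects
        if len(self.approvals) >= self.quorum:
            return "accepted"     # quorum reached
        return "pending"

    def answer(self, approver: str, approve: bool, now: datetime,
               reason: str = "") -> str:
        """Record one approver's answer and return the resulting status."""
        current = self.status(now)
        if current not in ("pending", "accepted"):
            raise ValueError("request is %s and can no longer be answered" % current)
        if not approve:
            self.rejected_by = approver
            self.rejection_reason = reason    # what the requester is notified of
            return self.status(now)
        first_favourable = not self.approvals
        self.approvals[approver] = now
        # First favourable answer once the start time has been reached: the
        # window now runs for the full duration from this action.
        if first_favourable and now >= self.start:
            self.start = now
            self.end = now + self.duration
        return self.status(now)

    def cancel(self, now: datetime) -> None:
        """The requester can cancel while the request is pending or accepted."""
        if self.status(now) not in ("pending", "accepted"):
            raise ValueError("only pending or accepted requests can be cancelled")
        self.cancelled = True

    def can_open_session(self, now: datetime) -> bool:
        """Sessions may be started, and restarted, while the request is accepted."""
        return self.status(now) == "accepted"


def demo() -> str:
    """Two approvers, quorum of two: walk a request through its statuses."""
    req = ApprovalRequest(quorum=2, start=T0, duration=2 * HOUR)
    req.answer("alice", True, T0 - HOUR)          # before start: still pending
    req.answer("bob", True, T0 - HOUR / 2)        # quorum reached: accepted
    return req.status(T0 + HOUR)


if __name__ == "__main__":
    print(demo())
```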
In this case, your administrator must provide you with a certificate either in the form of a software
certificate or on a physical device (USB key, smart card, etc.).
If your certificate is stored on a physical device, you should first insert the device so that the
certificate is available in the system.
If your certificate is stored in a file, you should first import the certificate into your browser so that it
can be used to provide your authentication. The procedure to follow depends on your browser:
• Under Firefox, select the “Tools” | “Options” menu command and click on “Privacy & Security”. In
the “Certificates” section, click on the “View Certificates” button. On the “Your Certificates” tab,
click on the “Import” button.
• Under Chrome, click on the “Customize and control Google Chrome” icon beside the address bar.
In the menu, select “Settings”, click on “Privacy and security” and then on the “Manage certificates”
button. Lastly, in the “Personal” tab, click on the “Import” button.
• Under Internet Explorer, click on the “Tools” menu and select “Internet options”. On the “Content”
tab, click on the “Certificates” button. On the “Personal” tab, click on the “Import...” button and
then follow the wizard’s instructions.
• either select “PASSWORD Authentication”, then enter a login and password and click on the
“LOG IN” button
• or select “X509 Authentication”, then click on the “LOG IN” button. In this case, your browser
will ask you to choose a certificate (if you have more than one and you have not yet saved your
choice) and then ask you to enter the certificate’s password if necessary. If the certificate has
been linked with a WALLIX Bastion account, you will immediately be authenticated and logged
on with this account.
Note:
If your certificate is stored in a physical form, the smart card or USB key concerned
must be inserted throughout the authentication phase.
If your administrator has set up two-factor authentication, also enter the required
credentials during secondary authentication.
An alternative authentication mode is available for the sessions started directly via a client (SSH
or RDP) while you remain connected to the GUI in X509 authentication mode (refer to Section 4.3,
“Simplified authentication in X509 mode”, page 23).
Only encrypted SSH and RDP connections are allowed between workstations and WALLIX Bastion
(hostile zone).
You can continue to use your usual tools with WALLIX Bastion such as SSH clients in text or graphic
mode or RDP clients on Unix, Windows or Mac OS X platforms.
However, the form of the command line and/or graphic client settings may change slightly to take
the indirection introduced by WALLIX Bastion into account (refer to the following sections).
However, users must always enter their password to log on to the WALLIX Bastion Web interface
and connect to target devices via RDP sessions, unless they have been provided with a Kerberos
authentication method or an X509 certificate by the WALLIX Bastion administrator.
Note:
Your SSH public key must be entered either by your administrator via the Web
administration interface or by yourself on the “My Preferences” page (refer to Section 3.1,
““My Preferences” menu”, page 8).
The use of SSH key authentication also means that a resident agent can be used on the client
workstation. As a result, the authentication parameters can be used so that users are only asked
to enter their key protection password once: when the agent starts or the first time the key is used.
The key can then be reused without having to re-enter the password each time. The agent’s use
is transparent with all supported clients.
The authentication agent can optionally also be used to transfer the client’s authentication
parameters to WALLIX Bastion so that it can use them for authentication when logging on to target
devices. This functionality allows WALLIX Bastion to use the client’s private keys without users
needing to re-enter passwords or WALLIX Bastion needing to know the private keys concerned. For
this, you must usually explicitly activate the option when the clients are started, as they generally
do not activate it for security reasons.
Note:
Some clients that support agent use may not support the authentication transfer option.
You can also use the ~/.ssh/id_rsa file, which is the default identity used by all OpenSSH
commands. In this case, if the file already exists you can skip the first two steps in this section and
import the file ~/.ssh/id_rsa.pub into WALLIX Bastion (refer to Section 3.1, ““My Preferences”
menu”, page 8).
In this example, the private key’s identity is wab_rsa2048, but you can use any other valid file name.
It is recommended to save this key in the .ssh directory of your HOME directory.
1. Run the following terminal command to generate the public/private key pair:
You can also use the parameter -b SIZE to change the key’s size. By default, an RSA key in
the current version of ssh-keygen is 2,048 bits, which is a reasonable size. If the keys are to be
used beyond 2030, however, a 4,096-bit key is recommended.
2. Import the file ~/.ssh/wab_rsa2048.pub into WALLIX Bastion. To do this, please refer to
Section 3.1, ““My Preferences” menu”, page 8.
3. If you do not use an authentication agent, the “ssh”, “scp” and “sftp” commands will directly
use either the default identity key ~/.ssh/id_rsa or the private key passed as an argument
using the parameter -i KEY, for example:
$ ssh-add ~/.ssh/wab_rsa2048
Enter passphrase for /home/martin/.ssh/wab_rsa2048:
Identity added: /home/martin/.ssh/wab_rsa2048 (/home/martin/.ssh/wab_rsa2048)
You can then log on to the SSH proxy without having to re-enter the password and without the
parameter -i in the command line (SSH will automatically try all the identities added in the agent).
5. Start your SSH connection as described in Section 3.1, ““My Preferences” menu”, page 8.
In this example, the private key is named wab_rsa2048, but you can use any other valid file name.
Note: if the keys are to be used beyond 2030, a 4,096-bit key is recommended.
Launch Pageant (if it is not already running), then double-click on the Pageant icon which
appears in the Windows taskbar notification area: the Pageant Key List window opens.
Click on the “Add Key” button and browse the directories to select the private key file in My
Documents\wab_rsa2048.ppk.
You can now log on to the SSH proxy using PuTTY, PSCP, PSFTP, FileZilla or WinSCP (unless
WinSCP is configured to prevent Pageant authentication).
Alternatively, you can simply double-click on the private key file in the File Explorer to add the
key. To do this, the “.ppk” file extension must first have been associated with Pageant.
• If you use PuTTY without Pageant:
Launch PuTTY to open the PuTTY Configuration window. In the “Category” tree-structure,
select “Connection” | “SSH” | “Auth”; on the “Authentication parameters” frame, click on the
“Browse” button and then select the private key file in My Documents\wab_rsa2048.ppk.
Remember to save the session configuration settings if you want to reuse them.
• If you use PSCP or PSFTP without Pageant:
Launch FileZilla, then select the “Edit” menu command | “Settings” and select the “SFTP”
page. Click on the “Add key file” button and select the private key file,
My Documents\wab_rsa2048.ppk.
Launch WinSCP. On the “Session” configuration category (refer to Figure 4.9, “WinSCP Login
window - Session category”, page 33 below), click on “...” near the “Private key file” field
and select the file My Documents\wab_rsa2048.ppk.
11. Launch your SSH connection as described in Section 4.4.3, “SSH logons from a Windows
workstation”, page 30.
Note:
You must launch Pageant if you wish to use the SSH agent authentication transfer
functionality.
If you click on “Accept”, the session connection will be established immediately without using keys
or entering passwords.
If you click on “Reject” or you do not reply within 30 seconds, the connection to WALLIX Bastion
for the desired session will be closed.
A frame allows you to save your choice to allow multiple automatic connections through a one-time
confirmation for either RDP sessions or SSH sessions or both, for a given validity period (expressed
in seconds).
Warning:
For most clients, a message is displayed on the Web interface to inform you that WALLIX
Bastion is awaiting your authorization. This is not the case when you use SCP or SFTP
clients which wait silently as they are not designed to display server messages.
The browser and the RDP or SSH client must be both running on the same workstation
(and then use the same IP) to allow the display of this message on the Web interface.
To return to normal proxy authentication, simply log out from the Web interface.
4.4. SSH logons
4.4.1. SSH specific options
The following options, which mainly determine the channels authorized for the session, are provided
for the SSH protocol:
Note:
Some clients also need the option SSH_SHELL_SESSION to list the directories when
they are used in SCP mode.
• “root@asterix:OpenSSH” refers to the target account (root), machine (asterix) and service
(OpenSSH). This part is case-sensitive.
Note:
Depending on how the administrator has configured the account, machine and service,
you may be asked to authenticate as root@asterix:OpenSSH.
The following alternative syntax is also accepted for compatibility reasons, although it has been
deprecated:
$ ssh -t martin@wab.mycorp.lan root@asterix:OpenSSH
martin's password:
Note:
The SSH command line option “-t” is essential in this case. It is used to allocate the
pseudo terminal needed in order to display the session.
If only one SSH, TELNET or RLOGIN service is declared on the target machine, you can omit the
service name as shown below:
$ ssh -t martin@wab.mycorp.lan root@asterix
martin's password:
or when there is only one SSH, TELNET or RLOGIN service on this machine:
$ ssh martin@wab.mycorp.lan root@asterix halt
martin's password:
The “halt” command is run on the “asterix” machine as a result without the shell being opened.
The following alternative syntax is also accepted for compatibility reasons, although it has been
deprecated:
$ scp myfile martin@wab.mycorp.lan:root@asterix:OpenSSH:/tmp
martin's password:
If only one SSH service is declared on the target machine, you can omit the service name as shown
below:
$ scp myfile martin@wab.mycorp.lan:root@asterix:/tmp
martin's password:
If only one SSH service is declared on the target machine, you can omit the service name as shown
below:
$ sftp root@asterix+martin@wab.mycorp.lan
Connecting to wab.mycorp.lan...
martin's password:
sftp>
• “martin” refers to a user declared on WALLIX Bastion and authorized to use “SSH_X11” (refer
to Section 4.4.1, “SSH specific options”, page 24). This login is not case-sensitive.
• “root@asterix:OpenSSH” refers to the target account (root), machine (asterix) and target
service (OpenSSH). This part is case-sensitive.
The SSH command line option “-X” tells WALLIX Bastion you want to start an “X11 Forwarding”
session: the graphics applications run on the target device during the session will be displayed on
the workstation.
The following alternative syntax is also accepted for compatibility reason, although it has been
deprecated:
$ ssh -t -X martin@wab.mycorp.lan root@asterix:OpenSSH
martin's password:
If only one SSH service is declared on the target machine, you can omit the service name as shown
below:
$ ssh -t -X martin@wab.mycorp.lan root@asterix
martin's password:
You can then select the desired target by entering its number.
Note:
In some graphical environments, an agent containing all of your user identities is already
activated when you log on. The following commands are then unnecessary. This is
generally the case with Debian or Ubuntu distributions, but not with RedHat distributions.
However, this may vary depending on your configuration.
First, you must launch the resident agent in your shell session by entering the following command; “eval” exports the variables printed by ssh-agent (SSH_AUTH_SOCK and SSH_AGENT_PID) into the shell environment so that compatible programs can find and use the agent automatically:
$ eval $(ssh-agent)
“PRIVATE_KEY_PATH” refers to the path of the desired identity’s private key, which is generally
stored in the “~/.ssh” directory, for example “~/.ssh/id_rsa”.
You can then use one of the logon commands described in the previous sections
(4.4.2.2, page 25 to 4.4.2.7, page 28) without having to re-enter the password. These will
automatically use the agent for key-based authentication whenever it is available and declared in
the shell environment.
$ ssh -A -t martin@wab.mycorp.lan
The SSH command line option “-A” (SSH agent forwarding) tells WALLIX Bastion you want to start a session using the authentication transfer option: if the option is activated on the target device, the authentication parameters used for connection to WALLIX Bastion will be reused to log on to the target. For the duration of such a session, every identity loaded in your agent can be offered to the target, so load only the identity you actually need before connecting.
Warning:
The authentication transfer option is incompatible with RSA keys more than 2,048 bits
long and cannot operate if the agent contains RSA and DSA identities simultaneously.
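The warning above is easy to trip over once several keys are loaded. The following script is an added example, not part of the WALLIX guide or product: it parses the output of “ssh-add -l” and reports the two incompatibilities the warning states before you run “ssh -A”. The function name wab_agent_check and the sample identities (placeholder fingerprints) are this example's own.

```sh
#!/bin/sh
# Added example, not part of the WALLIX guide: pre-flight check of the
# identities loaded in ssh-agent before opening a session with "ssh -A"
# through WALLIX Bastion. The two limits checked are the ones the guide
# states for the authentication transfer option: no RSA key longer than
# 2048 bits, and no RSA and DSA identities loaded at the same time.
#
# wab_agent_check reads "ssh-add -l" output on stdin, one identity per line
# ("<bits> <fingerprint> <comment> (<TYPE>)"), prints a reason for every
# problem found and returns 0 when the agent is usable with -A, 1 otherwise.
wab_agent_check() {
    rsa=0; dsa=0; rc=0
    while read -r bits fp rest; do
        case "$rest" in
            *"(RSA)")
                rsa=1
                if [ "$bits" -gt 2048 ] 2>/dev/null; then
                    echo "REJECT: RSA identity $fp is $bits bits (limit is 2048 with ssh -A)"
                    rc=1
                fi ;;
            *"(DSA)")
                dsa=1 ;;
        esac
    done
    if [ "$rsa" -eq 1 ] && [ "$dsa" -eq 1 ]; then
        echo "REJECT: RSA and DSA identities are both loaded; remove one with ssh-add -d"
        rc=1
    fi
    return "$rc"
}

# Constructed sample of "ssh-add -l" output; the fingerprints are placeholders.
# In real use run:  ssh-add -l | wab_agent_check && ssh -A -t martin@wab.mycorp.lan
wab_agent_check <<'EOF' || echo "agent not ready for ssh -A"
4096 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa martin@laptop (RSA)
1024 SHA256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb martin@old (DSA)
EOF
```

The check relies on the “(RSA)”/“(DSA)” suffix that ssh-add -l prints; identities of other types (ED25519, ECDSA) are ignored, since the warning states no limit for them.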
In a directory in your PATH, create the launcher script file named “scp-A” containing the following
lines:
#!/bin/sh
scp -oForwardAgent=yes -S scp-A-wrapper "$@"
Next, create the wrapper script file “scp-A-wrapper” in the same directory, containing the following lines, and make both files executable (chmod +x):
#!/usr/bin/perl
# Called by scp in place of ssh: drop the "-oForwardAgent=no" and "-a" options
# that scp may add, so the agent forwarding requested by scp-A is kept, then run ssh.
exec '/usr/bin/ssh', map { ($_ =~ /^-oForwardAgent[ =]no$/) || ($_ eq '-a') ? () : $_ } @ARGV;
You can then use the launcher script file “scp-A” in place of the “scp” command:
1. In the “Category” tree-structure, select “Session” and on “Specify the destination you want to
connect to”, enter the following information:
• Host Name: enter the FQDN or the IP address for WALLIX Bastion
• Port: enter 22 (the SSH proxy listening port for WALLIX Bastion)
2. In the “Category” tree-structure, select “Connection” | “Data” and enter the name of the target
account, device, service and WALLIX Bastion user login in the “Auto-login username” field (the
WALLIX Bastion user login is not case-sensitive but the other fields are):
Warning:
PuTTY does not allow you to save your password. If you use this authentication method,
you will be asked to enter your password when you log on.
If you want to use key-based authentication without using the authentication agent, you can also
specify the private key file in the “Private key file for authentication” field which can be accessed
from the tree-structure by selecting “Connection” | “SSH” | “Auth”. This is unnecessary if you use
the authentication agent.
Note:
In order to use the authentication agent (refer to Section 4.4.3.5, “Logging on with
the authentication agent”, page 34), you must ensure that the option “Attempt
authentication using Pageant” is selected. This field can be accessed from the tree-
structure by selecting “Connection” | “SSH” | “Auth”.
The above command transfers the file entitled “myfile” between the local workstation and the “/
tmp” directory using the “root” account on “asterix”. The “Auto logon” mode must be enabled
for this account.
The following alternative syntax is also accepted for compatibility reason, although it has been
deprecated:
martin's password:
If only one SSH service is declared on the target machine, you can omit the service name as
follows: “root@asterix”
• Password: WALLIX Bastion password for user “martin”
If only one SSH service is declared on the target machine, you can omit the service name as
follows: “root@asterix”
• Password: WALLIX Bastion password for user “martin”
In the “Preferences” category, select “Transfer” then enter the following information:
Note:
The above steps must be carried out in the order given. When the check box of the option
“Preserve timestamp” is deselected, the option “Ignore permission errors” is disabled.
Note:
In order to use the authentication agent (refer to Section 4.4.3.5, “Logging on with
the authentication agent”, page 34), you must ensure that the option “Attempt
authentication using Pageant” is selected. This field can be accessed by clicking on the
“Advanced...” button and then selecting “SSH” | “Authentication” from the tree-structure.
First, launch the Pageant authentication agent. You must then add one or more identities to this
agent. To do so, right-click on the Pageant icon in the taskbar notification area and select “Add key”
in the contextual menu.
You can then use one of the logon commands described in the previous sections
(4.4.3.1, page 30 to 4.4.3.4, page 32) without having to re-enter the password. The clients will
automatically use Pageant for key-based authentication whenever it is running and the option
“Attempt authentication using Pageant” is selected.
Warning:
The authentication transfer option is incompatible with RSA keys more than 2,048 bits
long and cannot operate if the agent contains RSA and DSA identities simultaneously.
4.5. RDP logons
4.5.1. RDP specific options
The following options, which mainly determine the authorized actions for the session, are provided
for the RDP protocol:
• RDP_CLIPBOARD_UP: allows data transfer via the clipboard from the client to the RDP session
• RDP_CLIPBOARD_DOWN: allows data transfer via the clipboard from the session to the RDP
client
• RDP_CLIPBOARD_FILE: allows file transfer from the copy/paste function via the clipboard
• RDP_PRINTER: allows use of local printers in the remote session
• RDP_COM_PORT: allows use of local serial and parallel ports in the remote session
• RDP_DRIVE: allows use of local drives in the remote session
• RDP_SMARTCARD: allows use of local smartcards in the remote session
• RDP_AUDIO_OUTPUT: allows audio playback from the session to the RDP client
• RDP_AUDIO_INPUT: allows audio recording from the client to the RDP session
If you do not have rights for the appropriate subprotocol, you may not be authorized to transfer data
via the clipboard or use your local drive in the remote session.
Note:
Some session options must be associated with others to be fully operational:
Enter the following command to display the RDP logon window, “wab.mycorp.lan” being the host
name or IP address of WALLIX Bastion:
$ rdesktop wab.mycorp.lan
The “Target” field can be entered with a string labelled in this format:
“Admin@WindowsServer:RemoteDesktop”, referring to the account (“Admin”), machine
(“WindowsServer”) and service (“RemoteDesktop”) of a target declared on WALLIX Bastion and
authorized for access by the user. This part is case-sensitive.
If only one RDP or VNC service is declared on the target machine, the service name can be omitted
as follows: “Admin@WindowsServer”.
The “Login” field must refer to a user declared on WALLIX Bastion (e.g., “User”) with the appropriate
authorization to connect to the target. This login is not case-sensitive.
The “Password” field must be entered with the WALLIX Bastion password for the user “User”.
Click on the arrow icon to log on to the remote machine: the Windows remote session then appears
on your screen.
You can also enter the “login” parameter in the rdesktop command line as follows,
“wab.mycorp.lan” being the host name or IP address of WALLIX Bastion:
It is then required to enter the password and click on the arrow icon to log on to the remote machine.
It is also possible to enter a WALLIX Bastion user name only. In this case, the list of accessible
servers is then displayed on an intermediate page:
If an accessible server belongs to different groups, several entries for the same remote resource
appear on the list. You can apply a filter by group, account or protocol to a long list in order to narrow
down your search.
You can then simply select the desired server by highlighting the corresponding line and then click
on the “Connect” button to log on.
Before the connection is actually established, the system may display a series of dialogue boxes
and/or ask for confirmation. This means that you may be warned that the session is being recorded
or your password is about to expire, or informed of the time at which the session will be disconnected
automatically.
Note:
Here are some useful options for rdesktop:
• “-g 1024x768” to select the screen resolution (you can replace 1024x768 with the
desired resolution).
• “-a 24” to select the colour depth (bits per pixel). The values supported are 8, 15,
16 and 24.
Columns on the RDP selector may be resized to allow the correct display of truncated text by
clicking on the square icon in the header of the column concerned, as shown by
Figure 4.14, “RDP selector - Column header for "Authorization" shows icon for resizing truncated
text”, page 38 and Figure 4.15, “RDP selector - Column "Authorization" shows full text after
resizing”, page 39.
• The first icon allows you to download a configuration file you can save onto your workstation to
establish a connection from an RDP client. In this case, the WALLIX Bastion password is required
for the connection.
• The second icon allows you to open directly or download a file that immediately establishes a
connection from an RDP client to the remote machine. In this case, no password is required, but
the access is granted for a limited period of time only. Since this file grants access on its own, treat
it like a credential: do not share it and do not leave copies of it on the workstation.
Click on “Connect” to display the prompt shown in Figure 4.11, “RDP logon window”, page 36.
• “martin” refers to a user declared on WALLIX Bastion and authorized to use “RDP”. This login
is not case-sensitive.
• “administrator@win2003:RemoteDesktop” refers to the account (administrator), machine
(win2003) and service (RemoteDesktop) of a target declared on WALLIX Bastion and authorized
for access by the user “martin”. This part is case-sensitive.
If only one RDP or VNC service is declared on the target machine, you can omit the service name
as follows: “administrator@win2003”
The WALLIX Bastion password for user “martin” must be entered in the “Password” field.
Click on the “Connect” button to log on to the remote machine: the Windows session then appears
on your screen.
It is also possible to enter a WALLIX Bastion user name only. In this case, the list of accessible
servers is then displayed on an intermediate page:
Figure 4.17. RDP selector
If an accessible server belongs to different groups, several entries for the same remote resource
appear on the list. You can apply a filter by group, account or protocol to a long list in order to narrow
down your search.
You can then simply select the desired server by highlighting the corresponding line and then click
on the “Connect” button to log on.
Before the connection is actually established, the system may display a series of dialogue boxes
and/or ask for confirmation. This means that you may be warned that the session is being recorded
or your password is about to expire, or informed of the time at which the session will be disconnected
automatically.
Note:
You can also log on to the remote console. To do this, start the MSTSC client from the
Windows “Run” prompt by entering “mstsc /admin” or “mstsc /console”, depending
on your version of Windows (“/console” was replaced by “/admin” from Windows Vista SP1
and Windows XP SP3 onwards, so “/admin” must be used on those and later versions).
Device redirection
This feature allows you to transfer files between two Windows machines
using the drag-and-drop method, even within the RDP session, or to copy and
paste text from the local machine to the remote machine and vice versa.
In order to approve or reject the request, go to the “My Current Approvals” page in the “My
Authorizations” menu. This page lists all the pending requests addressed to you as shown by
Figure 5.1, ““My Current Approvals” page”, page 43.
Select a request and click on the notepad icon at the beginning of the line to open the approval
request detail page as shown by Figure 5.2, “Approval request detail page”, page 44.
Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, you can cancel a request before its expiration to inhibit further access from a user to
the target by clicking on the “Cancel” button.
From the “My Approval History” page, you can view all the requests which are no longer pending
for approval as shown by Figure 5.3, ““My Approval History” page”, page 45.
You can define filters on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:
The wildcard symbol * can be used in this field to perform a search based on specific criteria. This
character can be placed anywhere to replace any string (including empty strings) in the search
terms.
The table below illustrates the possible search types using the wildcard symbol *:
Search string    Returns only lines with at least one column matching...
rdp*             any string starting with “rdp” (e.g. RDPDevice1)
*rdp             any string ending with “rdp” (e.g. ServiceRdp)
*rdp* or rdp     any string containing “rdp”, wherever the keyword appears in the string
r*p              any string starting with “r” and ending with “p” (e.g. Rdp, RP)
As the examples show, the search is not case-sensitive.
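To show exactly which lines such a filter keeps, here is an added example, not part of the WALLIX guide or product, that reproduces the wildcard rules of the table above in shell over a constructed, tab-separated export of the approval list. The function names (wab_glob_match, wab_filter, wab_sample) and the sample records are this example's own; it covers the bare-word case of the third row as well as the starred forms.

```sh
#!/bin/sh
# Added example, not part of the WALLIX guide: the "*" wildcard semantics of
# the "My Approval History" filters, reproduced over a constructed,
# tab-separated export of the approval list. As in the guide's table, "*"
# stands for any string including the empty string, a search string without
# "*" matches anywhere inside a column (like "*rdp*"), matching is not
# case-sensitive, and a line is kept when at least one column matches.

# wab_glob_match PATTERN VALUE : returns 0 when VALUE matches PATTERN.
# Only "*" is documented; "?" and "[...]" would also act as shell wildcards here.
wab_glob_match() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    val=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        *\**) ;;                # pattern already anchored by its own stars
        *) pat="*$pat*" ;;      # bare word: substring search
    esac
    case "$val" in
        $pat) return 0 ;;       # unquoted on purpose: shell pattern match
    esac
    return 1
}

# wab_filter PATTERN : reads tab-separated records on stdin and prints the
# ones with at least one column matching PATTERN.
wab_filter() {
    pattern=$1
    while IFS= read -r line; do
        old_ifs=$IFS
        IFS=$(printf '\t')
        set -f                  # no filename expansion while splitting
        set -- $line
        set +f
        IFS=$old_ifs
        for col in "$@"; do
            if wab_glob_match "$pattern" "$col"; then
                printf '%s\n' "$line"
                break
            fi
        done
    done
}

# Constructed sample records: requester, target device, target service.
wab_sample() {
    printf 'martin\tRDPDevice1\tRemoteDesktop\n'
    printf 'anna\tasterix\tOpenSSH\n'
    printf 'paul\twks42\tServiceRdp\n'
}

wab_sample | wab_filter 'rdp*'    # keeps martin's line only (RDPDevice1)
wab_sample | wab_filter '*rdp'    # keeps paul's line only (ServiceRdp)
wab_sample | wab_filter 'rdp'     # keeps both: bare word means *rdp*
```

Because the pattern is handed to the shell's case matching, “?” and “[...]” would also act as wildcards in this script, which the Bastion filter does not document; only “*” is promised by the guide.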
By clicking on the notepad icon at the beginning of the line, you are redirected to the detail of all
the answers for the request.
If the request’s status is “accepted”, you can cancel the request before expiration by clicking on
the “Cancel request” button.
Chapter 6. Troubleshooting
6.1. General information on login issues
A logon to a target account may fail for any of the following reasons:
$ ssh -T root@obelix:martin@wab.mycorp.lan
martin's password:
Launch PuTTY to open the PuTTY Configuration window. Then in the “Category” tree-structure,
select “Connection” | “SSH” | “TTY” and select the option “Don’t allocate a pseudo-terminal”.
Web: https://support.wallix.com/
Telephone: (+33) (0)1 70 36 37 50 for Europe, Middle East and Africa and (+1) 438-777-9439 for
the Americas