Bastion User Guide en
Reference: https://doc.wallix.com/en/Bastion/10.0/Bastion-user-guide-en.pdf
Table of Contents
1. Introduction (page 3)
  1.1. Preamble (page 3)
  1.2. Copyright & Licenses (page 3)
  1.3. Legend (page 3)
  1.4. About this document (page 4)
2. General principles (page 5)
  2.1. WALLIX Session Manager (page 5)
  2.2. WALLIX Password Manager (page 5)
  2.3. Session recording (page 6)
3. Using the WALLIX Bastion Web interface (GUI) (page 7)
  3.1. “My preferences” menu (page 9)
  3.2. Summary (page 10)
  3.3. “My authorizations” menu - Session authorizations (page 10)
  3.4. “My authorizations” menu - Password authorizations (page 12)
  3.5. Approval workflow (page 13)
    3.5.1. Approval request for sessions (page 13)
    3.5.2. Approval request for passwords (page 15)
  3.6. X509 strong authentication (page 15)
4. Connections to target devices (page 18)
  4.1. General information (page 18)
  4.2. Password or key authentication (page 18)
    4.2.1. Generating a key under Linux (page 18)
    4.2.2. Generating a key under Windows (page 19)
  4.3. Simplified authentication in X509 mode (page 23)
  4.4. SSH connections (page 24)
    4.4.1. SSH specific options (page 24)
    4.4.2. SSH connections from a Unix/Linux workstation (page 25)
    4.4.3. SSH connections from a Windows workstation (page 30)
  4.5. RDP connections (page 35)
    4.5.1. RDP specific options (page 35)
    4.5.2. RDP connections from a Linux workstation (page 35)
    4.5.3. RDP connections from a Windows workstation (XP, Vista or 7, 8 or 10) (page 39)
  4.6. Universal Tunneling connections (page 43)
    4.6.1. Prerequisites (page 43)
    4.6.2. Redirection modes (page 43)
    4.6.3. Universal Tunneling connections from a Windows workstation (page 43)
    4.6.4. Universal Tunneling connections from a Linux workstation (page 47)
5. Managing approval requests (page 48)
6. Troubleshooting (page 51)
  6.1. General information on login issues (page 51)
  6.2. Silent SSH session (page 51)
7. Contact WALLIX Bastion Support (page 53)
WALLIX Bastion 10.0.5 – User Guide
Chapter 1. Introduction
1.1. Preamble
Thank you for choosing WALLIX Bastion.
The WALLIX Bastion solution is marketed in the form of a dedicated, ready-to-use server or as a
virtual device for the following virtual environments:
This product has been engineered with the greatest care by our teams at WALLIX and we trust that
it will deliver complete satisfaction.
1.2. Copyright & Licenses
All the product or company names mentioned herein are the registered trademarks of their
respective owners.
WALLIX Bastion is based on free software. The list and source code of GPL and LGPL licensed
software used by WALLIX Bastion are available from WALLIX. Please send your request by creating
a new case at https://support.wallix.com/ or in writing to:
WALLIX
Service Support
250 bis, Rue du Faubourg Saint-Honoré
75008 PARIS
FRANCE
1.3. Legend
prompt $ command to input <parameter to replace>
command output
on one or more lines
prompt $
• use the WALLIX Bastion Web user interface (also called “GUI” in this document) to find out your
access rights, change your password or upload your SSH public key;
• use your usual connection tools in a way that is compatible with WALLIX Bastion.
For WALLIX Bastion to relay your connections you must log on:
• either with your login and password, for logging onto the WALLIX Bastion Web interface from your
browser and for connecting to target devices via the RDP proxy
• or with your login and password for RDP sessions
• or with your login and password or your public key for SSH sessions.
Two logon modes exist for the target account:
• “auto logon” mode: you are logged on to the target account automatically, without needing to know
its password
• “manual logon” mode: you log on to the target account yourself and need to know its password.
Warning:
In order to ensure the security of data exchange, the user workstation must provide an
electronic certificate that WALLIX Bastion uses for authentication, and the workstation must
be configured to allow WALLIX Bastion authentication from this electronic certificate.
• identify the users who are connected to specific devices and monitor their activity: sessions
can be viewed through the WALLIX Bastion Web interface or downloaded to be viewed locally
on your workstation. RDP sessions can be viewed in real time.
• get direct access to resources using native clients such as PuTTY, WinSCP, MSTSC or OpenSSH.
• view the list of the target accounts for which you are authorized to view/check out the password
• access account credentials (login, password and SSH key)
This feature can be activated and the session records can be viewed at any time by an authorized
WALLIX Bastion administrator.
https://<bastion_ip_address>/ui or https://<bastion_name>/ui
Note:
Internet Explorer is not supported by the default interface.
You can access the legacy interface by clicking on the “Legacy interface” icon at the top
of the page.
The bastion_ip_address is provided by your WALLIX Bastion administrator. If you have been given
a domain name instead, use it in place of the IP address.
Then log on from the login screen with the details provided by your WALLIX Bastion administrator:
• If your administrator has provided you with credentials, enter your login and password and then
click on the “Log in” button (the “User name” field is not case-sensitive)
• If your administrator has set two-factor authentication, enter also the required credentials during
secondary authentication
• If your administrator has enabled the Kerberos authentication method, then enter the following
URL in your browser’s address bar:
https://<bastion_ip_address>/iwab or https://<bastion_name>/iwab
• If your administrator has provided you with an X509 certificate, then go to Section 3.6, “X509
strong authentication”, page 15
• If your administrator has set authentication from Azure AD, click on the dedicated button in the
“Other authentication method” section. You are then redirected to the Microsoft login page and
you must enter the credentials of your Azure AD account to access the Web interface.
• If your administrator has set authentication from your AD, you may be prompted for password
change after expiration on the login screen.
Note:
The login screen is displayed depending on your language preferences set in your
browser. Once you are connected, the GUI is displayed in the language that you
selected in your WALLIX Bastion settings (refer to Section 3.1, ““My preferences”
menu”, page 9).
• view the name of the user who is logged on. When hovering the mouse over the user name area,
a contextual menu shows the entries to the “My preferences” page, the “Legacy interface” icon
and the logout icon.
Note:
Any logout made from this interface is only effective on WALLIX Bastion. Thus, a user
authenticated via SAML external authentication on Azure AD will not be disconnected
from their session on this tenant.
Warning:
Depending on the configuration set by your administrator, the “Password” tab may not
be displayed.
• drag-and-drop, upload or enter manually an SSH public key using the RSA, ED25519 or ECDSA
algorithm, or delete an existing SSH public key
Warning:
Depending on the configuration set by your administrator, the “SSH public key” tab may
not be displayed.
This key must be in the OpenSSH format. Otherwise an error message is displayed.
If you use PuTTYgen to generate the key, you must save in a text file the public key
displayed in the OpenSSH format during the generation. As an example, this key is
labelled as follows:
“ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204”
You can then upload this key on the “SSH public key” tab on this page.
If a key already exists, you can load a private key using PuTTYgen in order to generate
the corresponding public key in the appropriate format.
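The check the “SSH public key” tab performs on the pasted key, and the conversion from the multi-line “SSH2 PUBLIC KEY” block that PuTTYgen writes with “Save public key” to the one-line OpenSSH form shown above, as an added example written for this page (it is not WALLIX code and not the Bastion's own validation routine). The key material below is constructed for the example: a syntactically valid ssh-ed25519 blob with a dummy 32-byte public value, and the comment “martin@workstation” is an assumption.

```python
"""Check that an SSH public key is in the single-line OpenSSH format that the
"SSH public key" tab expects, and convert the multi-line "SSH2 PUBLIC KEY"
block that PuTTYgen's "Save public key" button writes into that format."""
import base64
import struct

# Key types matching the algorithms the page lists: RSA, ED25519, ECDSA.
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _first_string(blob: bytes) -> str:
    """Return the first wire-format string of a key blob, i.e. its key type."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("key blob truncated")
    return blob[4:4 + length].decode("ascii")


def parse_openssh_public_key(line: str) -> dict:
    """Validate "<type> <base64 blob> [comment]" and return its parts.

    Raises ValueError with the reason when the line is not an OpenSSH public
    key, which is the situation the GUI reports as an error."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64") from exc
    if _first_string(blob) != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    return {"type": key_type, "blob": blob, "comment": comment}


def rfc4716_to_openssh(text: str) -> str:
    """Convert an RFC 4716 ("---- BEGIN SSH2 PUBLIC KEY ----") block to the
    one-line OpenSSH format, keeping the Comment header as the comment."""
    lines = [l.rstrip("\r") for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        raise ValueError("not an SSH2 PUBLIC KEY block")
    if not lines[-1].startswith("---- END SSH2 PUBLIC KEY ----"):
        raise ValueError("missing END marker")
    body, comment, i = [], "", 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:  # header; a trailing '\' continues it
            name, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1
                value = value[:-1] + lines[i].strip()
            if name.strip().lower() == "comment":
                comment = value.strip('"')
        else:
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    key_type = _first_string(blob)
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


# Constructed sample material for this example only: a syntactically valid
# ssh-ed25519 blob whose 32 public-key bytes are a fixed dummy value.
DUMMY_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_OPENSSH_LINE = ("ssh-ed25519 " + base64.b64encode(DUMMY_ED25519_BLOB).decode()
                       + " martin@workstation")
SAMPLE_RFC4716_BLOCK = "\n".join([
    "---- BEGIN SSH2 PUBLIC KEY ----",
    'Comment: "martin@workstation"',
    base64.b64encode(DUMMY_ED25519_BLOB).decode(),
    "---- END SSH2 PUBLIC KEY ----",
])

if __name__ == "__main__":
    print(parse_openssh_public_key(SAMPLE_OPENSSH_LINE)["type"])
    print(rfc4716_to_openssh(SAMPLE_RFC4716_BLOCK) == SAMPLE_OPENSSH_LINE)
```

The type check against the first wire-format string inside the blob is what distinguishes a real OpenSSH line from a key whose prefix was edited by hand; a key in the PuTTY “SSH2 PUBLIC KEY” layout fails the first check and has to go through the converter before it is pasted into the tab.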
Note:
The area allowing the password change is not available on this page if your user
authentication is external (for example, when your authentication is linked to a company
directory or a Kerberos KDC).
A password may be rejected (according to the configuration set by the WALLIX Bastion
administrator) in the following cases:
• if the password is included in the list of forbidden trivial passwords by the WALLIX Bastion
administrator
• if the password is too short or does not include any special characters, numbers or capital letters
• if the password corresponds to your login
• if the password is the same as a previous password.
3.2. Summary
On the pages of the Web interface, a summary is displayed on the right-hand side of the screen. It
gives an overview of the data defined within WALLIX Bastion.
By clicking on the main entries of the summary, you are redirected to the concerned pages and
you can view, enter, add, edit or delete data. Note that you have the possibility to hide and show
this summary at any moment.
From the “Sessions” page on the “My authorizations” menu, you can view the list of the targets you
are authorized to access.
On each line, you can access the target by clicking on one of the following icons:
• the download icon: allows you to download an RDP configuration file or a shell script with the SSH
command (WALLIX-PuTTY on Windows or SSH on other systems), which you can save to establish a
connection from an RDP or an SSH client (filename suffix .puttywab, .xsh or .rdp under Windows
and .sh or .remmina under Linux). In this case, the WALLIX Bastion password is required for the
connection.
• “Instant access (one-time password, limited in time)”: allows you to open the file to
immediately establish a connection from an RDP client (filename suffix .rdp under Windows and
.sh or .remmina under Linux). In this case, no password is required but the access is granted for
a limited period of time. This icon is also displayed for the connection to an application.
• “Instant access with WALLIX-PuTTY (one-time password, limited in time)”: allows you to open
the file to immediately establish a connection from an SSH client (filename suffix .puttywab or
.xsh under Windows and .sh under Linux). In this case, no password is required but the access
is granted for a limited period of time. For SSH authentication, also refer to Section 4.4.2.1,
“Target connection in interactive mode for SCP and SFTP protocols”, page 25.
Note:
To use the .puttywab files on Windows, the WALLIX-PuTTY application has to be
downloaded and installed from the “Download WALLIX-PuTTY” link displayed at the top
of the page. This link is only displayed when the workstation is running under Windows
and you are also authorized to connect to at least one SSH target. The installation sets
the file association so that the application is started automatically. The installation does
not require administrative privileges. However, the installation is only effective for the
logged-on user and not for all users of the workstation.
The “Download RDP configuration file” link displayed at the top of the page allows you
to download an RDP configuration file with the RemoteApp mode enabled. You can then
save the file to establish a connection to an application in interactive mode via the RDP
client selector. This link is only displayed when the RemoteApp mode is enabled and
you are also authorized to connect to at least one application. The RemoteApp mode is
enabled by default when accessing applications.
If an approval workflow has been defined to be authorized to access the target, click on “Request” in
the “Approval” column to notify the approvers and get access to the target. For further information,
refer to Section 3.5, “Approval workflow”, page 13.
From the “Passwords” page on the “My authorizations” menu, you can view the list of the target
accounts for which you are authorized to check out the account's credentials.
• click on “View” at the beginning of the line to display the credentials of the related account on
another page.
• click on “Check out” at the beginning of the line to display the credentials of the related account
on another page. In this case, the lock has been enabled in the checkout policy associated with
this account: only you can access the credentials at this time.
Important:
If an approval is not necessary to access the credentials or has been accepted
by approvers, you can directly check out the data. Otherwise, an error message
is displayed and you must send a request to access the credentials. For further
information, refer to Section 3.5, “Approval workflow”, page 13.
• click on “Check out remotely” at the beginning of the line to display in another page the credentials
of the related external vault account.
• identify an account that is locked because of an ongoing checkout. In this case, no action can be
performed until the lock is released.
• send a request to approvers to access the account's credentials by clicking on “Request” in the
“Approval” column at the end of the line. For further information, refer to Section 3.5, “Approval
workflow”, page 13.
When you have access to the page listing the account's credentials, you can view:
• the name of the account being checked out mentioned above the frame
• the login of the account
• the credentials of the account, which can be:
– the password if it has been defined for the account either on the local or the remote WALLIX
Bastion
– the SSH private key if it has been defined for the account either on the local or the remote
WALLIX Bastion. This key can be downloaded in the OpenSSH or PuTTY key formats and can
be encrypted with a passphrase entered in the dedicated field.
– the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority. This certificate can be downloaded in the OpenSSH or ssh.com
formats.
• click on the “Check in” button to end check out. You are then redirected to the page listing the
authorized target accounts. If the lock has been enabled in the checkout policy associated with
this account, this action also releases the lock of the account.
• click on the “Extend checkout” button if a checkout extension has been defined in the checkout
policy associated with the account. Otherwise this button is not displayed. This action extends
the checkout duration and can then be performed several times as long as the maximum duration
has not been reached.
When the lock has been enabled in the checkout policy associated with this account, the latter
remains locked for the period defined within this policy. It is then necessary to click on the “Check
in” button to release the lock of the account before the end of checkout duration. Nonetheless,
the account is automatically checked in at the end of this duration and the user is redirected to
the page listing the authorized target accounts. The remaining time before automatic check-in is
displayed below the credentials.
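The checkout behaviour described above (lock, fixed checkout duration with automatic check-in, “Extend checkout” up to a maximum duration, explicit “Check in”) as a small model, added here as an example and not taken from WALLIX's implementation. The policy values and user names are constructed for the example; the page does not say what happens when an extension would overrun the maximum duration, so clamping the new expiry to that maximum is an assumption.

```python
"""Model of the checkout policy behaviour described above: optional lock,
fixed checkout duration with automatic check-in, and optional extension up
to a maximum duration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CheckoutPolicy:
    duration: timedelta                       # checkout duration
    lock: bool = False                        # only the holder may see the credentials
    extension: Optional[timedelta] = None     # None: no "Extend checkout" button
    max_duration: Optional[timedelta] = None  # cap, counted from the checkout time


@dataclass
class AccountCheckout:
    policy: CheckoutPolicy
    holder: Optional[str] = None
    started: Optional[datetime] = None
    expires: Optional[datetime] = None

    def _auto_check_in(self, now: datetime) -> None:
        """Automatic check-in at the end of the checkout duration."""
        if self.holder is not None and now >= self.expires:
            self.holder = self.started = self.expires = None

    def is_locked(self, now: datetime) -> bool:
        self._auto_check_in(now)
        return self.policy.lock and self.holder is not None

    def check_out(self, user: str, now: datetime) -> datetime:
        """Start a checkout; refused while another user holds the lock."""
        if self.is_locked(now) and self.holder != user:
            raise PermissionError(f"locked by {self.holder} until {self.expires}")
        self.holder, self.started = user, now
        self.expires = now + self.policy.duration
        return self.expires

    def extend(self, user: str, now: datetime) -> datetime:
        """'Extend checkout': repeatable until the maximum duration is reached."""
        self._auto_check_in(now)
        if self.holder != user:
            raise PermissionError("no active checkout for this user")
        if self.policy.extension is None:
            raise ValueError("the checkout policy does not allow extension")
        new_expiry = self.expires + self.policy.extension
        if self.policy.max_duration is not None:
            limit = self.started + self.policy.max_duration
            if self.expires >= limit:
                raise ValueError("maximum checkout duration reached")
            new_expiry = min(new_expiry, limit)  # assumption: clamp to the maximum
        self.expires = new_expiry
        return self.expires

    def check_in(self, user: str, now: datetime) -> None:
        """'Check in': ends the checkout and releases the lock if the policy sets one."""
        self._auto_check_in(now)
        if self.holder != user:
            raise PermissionError("no active checkout for this user")
        self.holder = self.started = self.expires = None

    def remaining(self, now: datetime) -> Optional[timedelta]:
        """Time left before automatic check-in (shown below the credentials)."""
        self._auto_check_in(now)
        return None if self.expires is None else self.expires - now
```

Every method first applies the automatic check-in, so a lock never outlives the checkout duration even if the holder simply closes the browser, which is the property the paragraph above describes.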
The current requests are then listed at the bottom of the “Sessions” page as shown by Figure 3.4,
““My authorizations” menu - “Sessions” page”, page 11. By clicking on the notepad icon at the
beginning of the line it is possible to cancel the request (if its status is “pending” or “accepted”)
and send an email to all the concerned approvers.
The statuses of a valid request (its duration has not expired) can be either of the following:
• a request is marked as “accepted” when the quorum (i.e. the minimum number of favorable
answers required for the authorization) has been reached
Note:
When the request is accepted by the first approver and the start date and time have
been reached:
– the start date and time of the request are then updated with the start date and time
of this action
– the end date and time are then extended for the request duration from this action
• a request is marked as “rejected” and subsequently dismissed as soon as an approver rejects it.
The user is then notified by email of the reason for the rejection.
• a request is “pending” as long as the quorum has not been reached and it has not been rejected.
If the request is no longer valid, it is then marked as “closed” and it is no longer possible for an
approver to answer the request.
Once a request is approved, it is possible to start a new session as long as the period defined by
the request's duration has not expired. During this period, it is also possible to restart the session
multiple times. It is then not necessary to keep open the initial connection.
In the case you want to start a session immediately (with an SSH or RDP client), the proxy
offers the possibility to fill in a request form, as shown by Figure 3.7, “Approval request (RDP
Proxy)”, page 15, if the selected target requires an approval.
The current requests are then listed at the bottom of the “Passwords” page (refer to Figure 3.5,
““My authorizations” menu - “Passwords” page”, page 13). By clicking on the notepad icon at
the beginning of the line it is possible to cancel the request (if its status is “pending” or “accepted”)
and send an email to all the concerned approvers.
The statuses of a valid request (its duration has not expired) can be either of the following:
• a request is marked as “accepted” when the quorum (i.e. the minimum number of favorable
answers required for the authorization) has been reached
• a request is marked as “rejected” and subsequently dismissed as soon as an approver rejects it.
The user is then notified by email of the reason for the rejection.
• a request is “pending” as long as the quorum has not been reached and it has not been rejected.
If the request is no longer valid, it is then marked as “closed” and it is no longer possible for an
approver to answer the request.
Once a request is approved, it is possible to access the target credentials as long as the period
defined by the request's duration has not expired.
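The request life cycle described in the two sections above (quorum, the “accepted”, “rejected”, “pending” and “closed” statuses, cancellation, and the note about the window being re-based when the first approver accepts after the requested start time) as a state model, added here as an example; it is not WALLIX's code. Dates, approver names and the quorum are constructed for the example, and reading “accepted by the first approver” as “the first favorable answer” is an assumption.

```python
"""Model of the approval request life cycle described for sessions and
passwords above: quorum, the accepted / rejected / pending / closed
statuses, and the re-basing of the validity window when the first
approver accepts after the requested start time."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set


@dataclass
class ApprovalRequest:
    quorum: int                 # minimum number of favorable answers
    start: datetime             # requested start date and time
    duration: timedelta         # requested duration
    approvals: Set[str] = field(default_factory=set)
    rejected_by: Optional[str] = None
    rejection_reason: str = ""
    end: datetime = field(init=False)

    def __post_init__(self) -> None:
        self.end = self.start + self.duration

    def status(self, now: datetime) -> str:
        if now > self.end:
            return "closed"      # no longer valid: approvers cannot answer
        if self.rejected_by is not None:
            return "rejected"    # dismissed as soon as one approver rejects
        if len(self.approvals) >= self.quorum:
            return "accepted"    # quorum reached
        return "pending"

    def _check_answerable(self, now: datetime) -> None:
        if self.status(now) in ("closed", "rejected"):
            raise ValueError(f"request is {self.status(now)} and cannot be answered")

    def approve(self, approver: str, now: datetime) -> str:
        self._check_answerable(now)
        is_first = not self.approvals
        self.approvals.add(approver)
        # Note from the page: when the first approver accepts and the start
        # date/time has already been reached, the window starts at the time of
        # that action and the end is extended by the full duration from it.
        if is_first and now >= self.start:
            self.start = now
            self.end = now + self.duration
        return self.status(now)

    def reject(self, approver: str, reason: str, now: datetime) -> str:
        self._check_answerable(now)
        self.rejected_by, self.rejection_reason = approver, reason
        return self.status(now)  # the user is then notified of the reason

    def cancellable(self, now: datetime) -> bool:
        """The requester may cancel while the request is pending or accepted."""
        return self.status(now) in ("pending", "accepted")

    def can_use(self, now: datetime) -> bool:
        """Inside an accepted request's window a session may be started (and
        restarted) or the credentials accessed, without keeping the first
        connection open."""
        return self.status(now) == "accepted" and self.start <= now <= self.end
```

The re-basing rule matters operationally: with a 1-hour request for 09:00 that is first approved at 09:10, access runs until 10:10, not 10:00, so the window a requester sees in the GUI is computed from the approval time rather than from the request.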
In this case, your administrator must provide you with a certificate, either as a software
certificate (a file) or on a physical device (USB key, smart card, etc.).
If your certificate is stored on a physical device, you should first insert the device so that the
certificate is available in the system.
If your certificate is stored in a file, you should first import the certificate into your browser so that it
can be used to provide your authentication. The procedure to follow depends on your browser:
• Under Firefox, select the “Tools” | “Options” menu command and click on “Privacy & Security”. In
the “Certificates” section, click on the “View Certificates” button. On the “Your Certificates” tab,
click on the “Import” button.
• Under Chrome, click on the “Customize and control Google Chrome” icon beside the address bar.
In the menu, select “Settings”, click on “Privacy and security” and then on the “Manage
certificates” button. Lastly, on the “Personal” tab, click on the “Import” button.
• Under Internet Explorer, click on the “Tools” menu and select “Internet options”. On the “Content”
tab, click on the “Certificates” button. On the “Personal” tab, click on the “Import...” button and
then follow the wizard’s instructions.
• either select “PASSWORD Authentication”, then enter a login and password and click on the
“LOG IN” button
• or select “X509 Authentication”, then click on the “LOG IN” button. In this case, your browser
will ask you to choose a certificate (if you have more than one and you have not yet saved your
choice) and then ask you to enter the certificate’s password if necessary. If the certificate has
been linked with a WALLIX Bastion account, you will immediately be authenticated and logged
on with this account.
Note:
If your certificate is stored in a physical form, the smart card or USB key concerned
must be inserted throughout the authentication phase.
If your administrator has set two-factor authentication, enter also the required
credentials during secondary authentication.
An alternative authentication mode is available for the sessions started directly via a client (SSH
or RDP) while you remain connected to the GUI in X509 authentication mode (refer to Section 4.3,
“Simplified authentication in X509 mode”, page 23).
Note:
Your SSH public key must be entered either by your administrator via the Web
administration interface or by yourself on the “My Preferences” page (refer to Section 3.1,
““My preferences” menu”, page 9).
The use of SSH key authentication also means that a resident agent can be used on the client
workstation. As a result, the authentication parameters can be used so that users are only asked
to enter their key protection password once: when the agent starts or the first time the key is used.
The key can then be reused without having to re-enter the password each time. The agent’s use
is transparent with all supported clients.
The authentication agent can optionally also be used to forward the client’s authentication
parameters to WALLIX Bastion (agent forwarding) so that it can use them for authentication when
logging on to target devices. This functionality allows WALLIX Bastion to authenticate with the
client’s private keys without users needing to re-enter passwords and without WALLIX Bastion ever
receiving the private keys themselves. You must usually enable this option explicitly when the client
is started (for example with the -A option of the OpenSSH client, or the “Allow agent forwarding”
setting in PuTTY), as clients generally do not enable it by default for security reasons: while
forwarding is active, the remote end can request signatures with any identity loaded in the agent.
Note:
Some clients that support agent use may not support the authentication transfer option.
You can also use the ~/.ssh/id_rsa file, which is the default identity used by all OpenSSH
commands. In this case, if the file already exists you can skip the first two steps in this section and
import the file ~/.ssh/id_rsa.pub into WALLIX Bastion (refer to Section 3.1, ““My preferences”
menu”, page 9).
In this example, the private key’s identity is wab_rsa2048, but you can use any other valid file name.
It is recommended to save this key in the .ssh directory of your HOME directory.
1. Run ssh-keygen in a terminal to generate the public/private key pair, giving the key file name
with the -f option (~/.ssh/wab_rsa2048 in this example) and entering a passphrase when prompted.
You can also use the parameter -b SIZE to change the key’s size. By default, an RSA key in
the current version of ssh-keygen is 2,048 bits, which is a reasonable size. If the key is to be
used beyond 2030, however, a 4,096-bit key is recommended.
2. Import the file ~/.ssh/wab_rsa2048.pub into WALLIX Bastion. To do this, please refer to
Section 3.1, ““My preferences” menu”, page 9.
3. If you do not use an authentication agent, the “ssh”, “scp” and “sftp” commands will directly
use either the default identity key ~/.ssh/id_rsa or the private key passed as an argument
using the parameter -i KEY (for example -i ~/.ssh/wab_rsa2048).
4. If you use an authentication agent, add the key to it with ssh-add:
$ ssh-add ~/.ssh/wab_rsa2048
Enter passphrase for /home/martin/.ssh/wab_rsa2048:
Identity added: /home/martin/.ssh/wab_rsa2048 (/home/martin/.ssh/wab_rsa2048)
You can then log on to the SSH proxy without having to re-enter the passphrase and without the
parameter -i in the command line (SSH will automatically try all the identities added in the agent).
5. Start your SSH connection as described in Section 4.4.2, “SSH connections from a Unix/Linux
workstation”, page 25.
In this example, the private key is named wab_rsa2048, but you can use any other valid file name.
Note: if the keys shall be used beyond 2030, a 4,096-bit key is recommended
Launch Pageant (if it is not already running), then double-click on the Pageant icon which
appears in the Windows taskbar notification area: the Pageant Key List window opens.
Click on the “Add Key” button and browse the directories to select the private key file in My
Documents\wab_rsa2048.ppk.
You can now log on to the SSH proxy using PuTTY, PSCP, PSFTP, FileZilla or WinSCP (unless
WinSCP is configured to prevent Pageant authentication).
Alternatively, you can simply double-click on the private key file in the File Explorer to add the
key. To do this, the “.ppk” file extension must first have been associated with Pageant.
• If you use PuTTY without Pageant:
Launch PuTTY to open the PuTTY Configuration window. In the “Category” tree-structure,
select “Connection” | “SSH” | “Auth”; on the “Authentication parameters” frame, click on the
“Browse” button and then select the private key file in My Documents\wab_rsa2048.ppk.
Remember to save the session configuration settings if you want to reuse them.
• If you use PSCP or PSFTP without Pageant:
Launch FileZilla then select the “Edit” menu command | “Settings” and select the “SFTP”
page. Click on the “Add key file” button and select the private key file, My Documents
\wab_rsa2048.ppk
Launch WinSCP. On the “Session” configuration category (refer to Figure 4.9, “WinSCP Login
window - Session category”, page 33 below), click on “...” near the “Private key file” field
and select the file My Documents\wab_rsa2048.ppk.
11. Launch your SSH connection as described in Section 4.4.3, “SSH connections from a Windows
workstation”, page 30.
Note:
You must launch Pageant if you wish to use the SSH agent authentication transfer
functionality.
If you click on “Accept”, the session connection will be established immediately without using keys
or entering passwords.
If you click on “Reject” or you do not reply within 30 seconds, the connection to WALLIX Bastion
for the desired session will be closed.
A frame allows you to save your choice to allow multiple automatic connections through a one-time
confirmation for either RDP sessions or SSH sessions or both, for a given validity period (expressed
in seconds).
Warning:
For most clients, a message is displayed on the Web interface to inform you that WALLIX
Bastion is awaiting your authorization. This is not the case when you use SCP or SFTP
clients which wait silently as they are not designed to display server messages.
The browser and the RDP or SSH client must be both running on the same workstation
(and then use the same IP) to allow the display of this message on the Web interface.
To return to normal proxy authentication, simply log out from the Web interface.
Note:
Some clients also need the option SSH_SHELL_SESSION to list the directories when
they are used in SCP mode.
4.4.2.1. Target connection in interactive mode for SCP and SFTP protocols
The SCP and SFTP protocols offer no secondary interactive mode: once the transfer session is
open, the proxy cannot prompt you for target connection information. That information must
therefore be requested during the primary connection (the connection initiated between the user
and WALLIX Bastion), as prompts or dialog boxes presented through the primary
“keyboard-interactive” authentication. This assumes that the client supports the
keyboard-interactive authentication method.
The question mark “?” is a forbidden character in the user name (or login), so it can be used
unambiguously as a separator: the options placed to its right explicitly request a prompt for the
login and/or the password used to connect to the target.
The “p” option requests the target password.
The “l” option requests the target login.
A question mark “?” without any option requests the target password by default.
Examples:
Login: “wabuser”: no additional prompt
Login: “wabuser?”: target password is prompted
Login: “wabuser?p”: target password is prompted
Login: “wabuser?l”: target login is prompted
Login: “wabuser?lp”: target login is prompted first then target password is prompted
• “root@asterix:OpenSSH” refers to the target account (root), machine (asterix) and service
(OpenSSH). This part is case-sensitive.
Note:
Depending on how the administrator has configured the account, machine and service,
you may be asked to authenticate as root@asterix:OpenSSH.
The following alternative syntax is also accepted for compatibility reason, although it has been
deprecated:
$ ssh -t martin@wab.mycorp.lan root@asterix:OpenSSH
martin's password:
Note:
The SSH command line option “-t” is essential in this case. It is used to allocate the
pseudo terminal needed in order to display the session.
If only one SSH, TELNET or RLOGIN service is declared on the target machine, you can omit the
service name as shown below:
$ ssh -t martin@wab.mycorp.lan root@asterix
martin's password:
or when there is only one SSH, TELNET or RLOGIN service on this machine:
$ ssh martin@wab.mycorp.lan root@asterix halt
martin's password:
As a result, the “halt” command is run on the “asterix” machine without a shell being opened.
The following alternative syntax is also accepted for compatibility reasons, although it has been
deprecated:
$ scp myfile martin@wab.mycorp.lan:root@asterix:OpenSSH:/tmp
martin's password:
If only one SSH service is declared on the target machine, you can omit the service name as shown
below:
$ scp myfile martin@wab.mycorp.lan:root@asterix:/tmp
martin's password:
If only one SSH service is declared on the target machine, you can omit the service name as shown
below:
$ sftp root@asterix+martin@wab.mycorp.lan
Connecting to wab.mycorp.lan...
martin's password:
sftp>
• “martin” refers to a user declared on WALLIX Bastion and authorized to use “SSH_X11” (refer
to Section 4.4.1, “SSH specific options”, page 24). This login is not case-sensitive.
• “root@asterix:OpenSSH” refers to the target account (root), machine (asterix) and target
service (OpenSSH). This part is case-sensitive.
The SSH command line option “-X” tells WALLIX Bastion you want to start an “X11 Forwarding”
session: the graphics applications run on the target device during the session will be displayed on
the workstation.
The following alternative syntax is also accepted for compatibility reasons, although it has been
deprecated:
$ ssh -t -X martin@wab.mycorp.lan root@asterix:OpenSSH
martin's password:
If only one SSH service is declared on the target machine, you can omit the service name as shown
below:
$ ssh -t -X martin@wab.mycorp.lan root@asterix
martin's password:
You can then select the desired target by entering its number.
Note:
In some graphical environments, an agent containing all of your user identities is already
activated when you log on. The following commands are then unnecessary. This is
generally the case with Debian or Ubuntu distributions, but not with RedHat distributions.
However, this may vary depending on your configuration.
First, you must launch the resident agent in your shell session by entering the following command;
this adds the agent’s declaration to the shell environment so that the compatible programs can
automatically use it:
$ eval $(ssh-agent)
“PRIVATE_KEY_PATH” refers to the path of the desired identity’s private key, which is generally
stored in the “~/.ssh” directory, for example “~/.ssh/id_rsa”.
You can then use one of the logon commands described in the previous sections
(4.4.2.2, page 25 to 4.4.2.7, page 28) without having to re-enter the password. These will
automatically use the agent for key-based authentication whenever it is available and declared in
the shell environment.
$ ssh -A -t martin@wab.mycorp.lan
The SSH command line option “-A” tells WALLIX Bastion you want to start a session using the
authentication transfer option: if the option is activated on the target device, the authentication
parameters used for connection to WALLIX Bastion will be reused to log on to the target.
Warning:
The authentication transfer option is incompatible with RSA keys more than 2,048 bits
long and cannot operate if the agent contains RSA and DSA identities simultaneously.
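An added check, not from the guide, that reads “ssh-add -l” output and reports identities breaking the two constraints stated in the warning before “ssh -A” is used; the sample identity lines and fingerprints are constructed:

```shell
#!/bin/sh
# Added example, not part of the WALLIX guide: check the identities loaded in the
# local ssh-agent against the two constraints the warning above gives for the
# authentication transfer option (ssh -A): no RSA key longer than 2048 bits, and
# no RSA and DSA identities loaded at the same time. Reads "ssh-add -l" style
# lines ("<bits> <fingerprint> <comment> (<TYPE>)") from stdin, so it can be fed
# the live agent or the constructed sample below. Returns 0 when the agent is usable.
check_agent_for_forwarding() {
    rsa=0 dsa=0 big_rsa=0 total=0
    while read -r bits fp rest; do
        # skip blank lines and messages such as "The agent has no identities."
        case $bits in ''|*[!0-9]*) continue ;; esac
        total=$((total + 1))
        type=${rest##*"("}         # text after the last "("
        type=${type%")"}           # drop the closing ")"
        case $type in
            RSA) rsa=$((rsa + 1))
                 if [ "$bits" -gt 2048 ]; then
                     big_rsa=$((big_rsa + 1))
                     echo "RSA key $fp is $bits bits long, longer than the 2048-bit limit"
                 fi ;;
            DSA) dsa=$((dsa + 1)) ;;
        esac
    done
    status=0
    if [ "$total" -eq 0 ]; then
        echo "no identity loaded: add one with ssh-add first"
        status=1
    fi
    if [ "$big_rsa" -gt 0 ]; then
        status=1
    fi
    if [ "$rsa" -gt 0 ] && [ "$dsa" -gt 0 ]; then
        echo "agent holds both RSA and DSA identities: remove one kind (ssh-add -d) before using -A"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "agent identities are compatible with the authentication transfer option"
    fi
    return "$status"
}

# Constructed sample of "ssh-add -l" output; the fingerprints are placeholders, not real keys.
sample_identities='2048 SHA256:AAAA martin@workstation (RSA)
4096 SHA256:BBBB martin@laptop (RSA)
1024 SHA256:CCCC martin@legacy (DSA)
256 SHA256:DDDD martin@workstation (ED25519)'

# Live use would be:  ssh-add -l | check_agent_for_forwarding && ssh -A -t martin@wab.mycorp.lan
printf '%s\n' "$sample_identities" | check_agent_for_forwarding \
    || echo "do not use ssh -A until the agent's identities have been adjusted"
```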
In a directory in your PATH, create the launcher script file named “scp-A” containing the following
lines:
#!/bin/sh
# Run scp with agent forwarding enabled, letting the wrapper below start ssh.
scp -oForwardAgent=yes -S scp-A-wrapper "$@"
Next, create the wrapper script file “scp-A-wrapper” in the same directory, containing the following
lines:
#!/usr/bin/perl
# Pass scp's arguments through to ssh, dropping the "-oForwardAgent=no" (or
# "-oForwardAgent no") and "-a" options that scp adds, so forwarding stays enabled.
exec '/usr/bin/ssh', map { ($_ =~ /^-oForwardAgent[ =]no$/) || ($_ eq '-a') ? () : $_ } @ARGV;
You can then use the launcher script file “scp-A” in place of the “scp” command:
1. In the “Category” tree-structure, select “Session” and on “Specify the destination you want to
connect to”, enter the following information:
• Host Name: enter the FQDN or the IP address for WALLIX Bastion
• Port: enter 22 (the SSH proxy listening port for WALLIX Bastion)
2. In the “Category” tree-structure, select “Connection” | “Data” and enter the name of the target
account, device, service and WALLIX Bastion user login in the “Auto-login username” field (the
WALLIX Bastion user login is not case-sensitive but the other fields are):
Warning:
PuTTY does not allow you to save your password. If you use this authentication method,
you will be asked to enter your password when you log on.
If you want to use key-based authentication without using the authentication agent, you can also
specify the private key file in the “Private key file for authentication” field which can be accessed
from the tree-structure by selecting “Connection” | “SSH” | “Auth”. This is unnecessary if you use
the authentication agent.
Note:
In order to use the authentication agent (refer to Section 4.4.3.5, “Logging on with
the authentication agent”, page 34), you must ensure that the option “Attempt
authentication using Pageant” is selected. This field can be accessed from the tree-structure by
selecting “Connection” | “SSH” | “Auth”.
The above command transfers the file entitled “myfile” between the local workstation and the
“/tmp” directory using the “root” account on “asterix”. The “Auto logon” mode must be enabled
for this account.
The following alternative syntax is also accepted for compatibility reasons, although it has been
deprecated:
martin's password :
If only one SSH service is declared on the target machine, you can omit the service name as
follows: “root@asterix”
• Password: WALLIX Bastion password for user “martin”
In the “Preferences” category, select “Transfer” then enter the following information:
Note:
The above steps must be carried out in the order given. When the check box of the option
“Preserve timestamp” is deselected, the option “Ignore permission errors” is disabled.
Note:
In order to use the authentication agent (refer to Section 4.4.3.5, “Logging on with
the authentication agent”, page 34), you must ensure that the option “Attempt
authentication using Pageant” is selected. This field can be accessed by clicking on the
“Advanced...” button and then selecting “SSH” | “Authentication” from the tree-structure.
First, launch the Pageant authentication agent. You must then add one or more identities to this
agent. To do so, right-click on the Pageant icon in the taskbar notification area and select “Add key”
in the contextual menu.
You can then use one of the logon commands described in the previous sections
(4.4.3.1, page 30 to 4.4.3.4, page 32) without having to re-enter the password. These will
automatically use the agent for key-based authentication whenever it is available and declared in
the shell environment.
Warning:
The authentication transfer option is incompatible with RSA keys more than 2,048 bits
long and cannot operate if the agent contains RSA and DSA identities simultaneously.
• RDP_CLIPBOARD_UP: allows data transfer via the clipboard from the client to the RDP session
• RDP_CLIPBOARD_DOWN: allows data transfer via the clipboard from the session to the RDP
client
• RDP_CLIPBOARD_FILE: allows file transfer from the copy/paste function via the clipboard
• RDP_PRINTER: allows use of local printers in the remote session
• RDP_COM_PORT: allows use of local serial and parallel ports in the remote session
• RDP_DRIVE: allows use of local drives in the remote session
• RDP_SMARTCARD: allows use of local smartcards in the remote session
• RDP_AUDIO_OUTPUT: allows audio playback from the session to the RDP client
• RDP_AUDIO_INPUT: allows audio recording from the client to the RDP session
If you do not have rights for the appropriate subprotocol, you may not be authorized to transfer data
via the clipboard or use your local drive in the remote session.
Note:
Some session options must be associated with others to be fully operational:
Enter the following command to display the RDP logon window, “wab.mycorp.lan” being the IP
address for WALLIX Bastion:
$ rdesktop wab.mycorp.lan
The “Target” field takes a string in the following format: “Admin@WindowsServer:RemoteDesktop”,
referring to the account (“Admin”), machine (“WindowsServer”) and service (“RemoteDesktop”) of a
target declared on WALLIX Bastion and authorized for access by the user. This part is case-sensitive.
If only one RDP or VNC service is declared on the target machine, the service name can be omitted
as follows: “Admin@WindowsServer”.
The “Login” field must refer to a user declared on WALLIX Bastion (e.g., “User”) with the appropriate
authorization to connect to the target. This login is not case-sensitive.
The “Password” field must be entered with the WALLIX Bastion password for the user “User”.
Click on the arrow icon to log on to the remote machine: the Windows remote session then appears
on your screen.
You can also enter the “login” parameter in the rdesktop command line as follows,
“wab.mycorp.lan” being the IP address for WALLIX Bastion:
It is then required to enter the password and click on the arrow icon to log on to the remote machine.
It is also possible to enter a WALLIX Bastion user name only. In this case, the list of accessible
servers is then displayed on an intermediate page:
If an accessible server belongs to different groups, several entries for the same remote resource
appear on the list. You can apply a filter by group, account or protocol to a long list in order to narrow
down your search.
You can then simply select the desired server by highlighting the corresponding line and then click
on the “Connect” button to log on.
Before the connection is actually established, the system may display a series of dialogue boxes
and/or ask for confirmation. This means that you may be warned that the session is being recorded
or your password is about to expire, or informed of the time at which the session will be disconnected
automatically.
Note:
Here are some useful options for rdesktop:
• “-g 1024x768” to select the screen resolution (you can replace 1024x768 with the
desired resolution).
• “-a 24” to select the colour depth (bits per pixel). The values supported are 8, 15,
16 and 24
Columns of the RDP selector can be resized so that truncated text is displayed in full, by clicking
on the square icon in the header of the column concerned, as shown in Figure 4.14, “RDP selector -
Column header for "Authorization" shows icon for resizing truncated text”, page 38 and Figure 4.15,
“RDP selector - Column "Authorization" shows full text after resizing”, page 39.
Figure 4.15. RDP selector - Column "Authorization" shows full text after resizing
• : this icon allows you to download a configuration file you can save onto your workstation to
establish a connection from an RDP client. In this case, the WALLIX Bastion password is required
for the connection.
• : this icon allows you to open directly or download the file to immediately establish a connection
from an RDP client and access the remote machine. In this case, no password is required but
the access is granted for a limited period of time.
Click on “Connect” to display the prompt shown in Figure 4.11, “RDP logon window”, page 36.
• “martin” refers to a user declared on WALLIX Bastion and authorized to use “RDP”. This login
is not case-sensitive.
• “administrator@win2003:RemoteDesktop” refers to the account (administrator), machine
(win2003) and service (RemoteDesktop) of a target declared on WALLIX Bastion and authorized
for access by the user “martin”. This part is case-sensitive.
If only one RDP or VNC service is declared on the target machine, you can omit the service name
as follows: “administrator@win2003”
The WALLIX Bastion password for user “martin” must be entered in the “Password” field.
Click on the “Connect” button to log on to the remote machine: the Windows session then appears
on your screen.
It is also possible to enter a WALLIX Bastion user name only. In this case, the list of accessible
servers is then displayed on an intermediate page:
If an accessible server belongs to different groups, several entries for the same remote resource
appear on the list. You can apply a filter by group, account or protocol to a long list in order to narrow
down your search.
You can then simply select the desired server by highlighting the corresponding line and then click
on the “Connect” button to log on.
Before the connection is actually established, the system may display a series of dialogue boxes
and/or ask for confirmation. This means that you may be warned that the session is being recorded
or your password is about to expire, or informed of the time at which the session will be disconnected
automatically.
Note:
You can also log on to the remote console. To do this, start the MSTSC client from the
Windows “Run” prompt by entering “mstsc /admin” or “mstsc /console”, depending
on your version of Windows (“/admin” must be used for Windows Vista SP3 or later).
Device redirection
The RDP proxy embedded in WALLIX Bastion allows “device redirection”, i.e. the option of displaying
the local workstation’s resources (printer, directory, notepad, etc.) on the “Workstation” of the
remote session. This feature allows you to transfer files between two Windows machines using the
drag-and-drop method, even within the RDP session, or to copy and paste text from the local machine
to the remote machine and vice versa.
Important: you may need to enable the feature from the “Terminal Server Client” interface.
Figure 4.18. MSTSC client startup settings under Windows 7
Note:
The smart card authentication is only possible for the connection to targets through the
interactive login mechanism.
All application protocols based on TCP for the transport layer in the Open Systems Interconnection
model (OSI model) can be managed by Universal Tunneling. An SSH tunnel is used between
the user's workstation and WALLIX Bastion to encrypt and protect the data. For each Universal
Tunneling session, a PCAP file can be generated to ensure traceability after the session.
4.6.1. Prerequisites
UT sessions are compatible with the user workstations running under:
• Windows XP, Windows 7, Windows 8, Windows 10 for the redirection to the local address mode
and the redirection to a temporary interface mode
• any Linux distribution with OpenSSH, only for the redirection to the local address mode
• the redirection to the local address: the fat client must be configured to redirect its traffic to
the local address (127.0.0.1) and to an access port defined on the user workstation. The traffic is
then redirected through the SSH tunnel. This mode does not require any specific privileges from
the user.
• the redirection to a temporary interface: the fat client does not need to be configured, as a
temporary network interface is created on the user's workstation using the target's IP address.
The traffic sent on this interface is then redirected through the tunnel. This mode requires
specific privileges from the user.
The WALLIX-PuTTY application has to be downloaded and installed from the “Download WALLIX-PuTTY”
link displayed at the top of the “My authorizations” page. This link is only displayed when the user
is authorized to connect to at least one Universal Tunneling target. The installation sets the file
association so that the application is started automatically. The installation does not require
administrative privileges. However, the installation is only operational for the logged user and not
for all users of the workstation.
Important:
Logging on using the configuration file only allows the redirection to a temporary interface
mode.
4. Click on “Open”.
Important:
Logging in from a Linux workstation only allows the redirection to the local address mode.
In order to approve or reject the request, go to the “My Current Approvals” page in the “My
authorizations” menu. This page lists all the pending requests addressed to you as shown by
Figure 5.1, ““My Current Approvals” page”, page 48.
Select a request and click on the notepad icon at the beginning of the line to open the approval
request detail page as shown by Figure 5.2, “Approval request detail page”, page 49.
Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, you can cancel a request before its expiration to inhibit further access from a user to
the target by clicking on the “Cancel” button.
From the “My Approval History” page, you can view all the requests which are no longer pending
for approval as shown by Figure 5.3, ““My Approval History” page”, page 50.
You can define filters on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:
The wildcard symbol * can be used in this field to perform a search based on specific criteria. This
character can be placed anywhere to replace any string (including empty strings) in the search
terms.
The table below illustrates the possible search types using the wildcard symbol *:
Search string    Returns only lines with at least one column matching...
rdp*             any string starting with the word “rdp” (e.g. RDPDevice1)
*rdp             any string ending with the word “rdp” (e.g. ServiceRdp)
*rdp* or rdp     any string including the word “rdp”, regardless of the position of the keyword
                 in the character string found
r*p              any string starting with “r” and ending with “p” (e.g. Rdp, RP)
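An added shell matcher, not part of the guide, that applies the table's rules to a single value; it assumes matching is case-insensitive, as the table's own examples (“rdp*” matching “RDPDevice1”) suggest:

```shell
#!/bin/sh
# Added example, not part of the WALLIX guide: apply the search semantics of the
# filter table above to one value. "*" stands for any string (including the empty
# string) wherever it is placed, a term without "*" matches anywhere in the value,
# and matching ignores case (assumed from the table's examples).
# Usage: filter_match PATTERN VALUE   (returns 0 on match, 1 otherwise)
filter_match() {
    pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    val=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    # a bare term is a "contains" search, i.e. the same as *term*
    case $pat in *\**) ;; *) pat="*$pat*" ;; esac
    # an unquoted case pattern already gives "*" the meaning the table describes
    case $val in $pat) return 0 ;; esac
    return 1
}

# Check the table's own examples against constructed values.
for v in RDPDevice1 ServiceRdp Rdp RP SSH_X11; do
    for p in 'rdp*' '*rdp' 'rdp' 'r*p'; do
        if filter_match "$p" "$v"; then echo "$p matches $v"; fi
    done
done
```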
By clicking on the notepad icon at the beginning of the line, you are redirected to the detail of all
the answers for the request.
If the request’s status is “accepted”, you can cancel the request before expiration by clicking on
the “Cancel request” button.
Chapter 6. Troubleshooting
6.1. General information on login issues
A connection to a target account may fail for any of the following reasons:
$ ssh -T root@obelix:martin@wab.mycorp.lan
martin's password:
Launch PuTTY to open the PuTTY Configuration window. Then in the “Category” tree-structure,
select “Connection” | “SSH” | “TTY” and select the option “Don’t allocate a pseudo-terminal”.
Web: https://support.wallix.com/
Telephone: (+33) (0)1 70 36 37 50 for Europe, Middle East and Africa and (+1) 438-814-0255 for
the Americas