
BASTION DOCUMENTATION

WALLIX Bastion 10.0 hotfix 5
USER GUIDE

Reference: https://doc.wallix.com/en/Bastion/10.0/Bastion-user-guide-en.pdf

Copyright © 2023 WALLIX


WALLIX Bastion 10.0.5 – User Guide

Table of Contents
1. Introduction ............................................................................................................................ 3
1.1. Preamble ..................................................................................................................... 3
1.2. Copyright & Licenses .................................................................................................. 3
1.3. Legend ........................................................................................................................ 3
1.4. About this document ................................................................................................... 4
2. General principles .................................................................................................................. 5
2.1. WALLIX Session Manager .......................................................................................... 5
2.2. WALLIX Password Manager ....................................................................................... 5
2.3. Session recording ....................................................................................................... 6
3. Using the WALLIX Bastion Web interface (GUI) .................................................................... 7
3.1. “My preferences” menu ............................................................................................... 9
3.2. Summary ................................................................................................................... 10
3.3. “My authorizations” menu - Session authorizations ................................................... 10
3.4. “My authorizations” menu - Password authorizations ................................................ 12
3.5. Approval workflow ..................................................................................................... 13
3.5.1. Approval request for sessions ........................................................................ 13
3.5.2. Approval request for passwords ..................................................................... 15
3.6. X509 strong authentication ....................................................................................... 15
4. Connections to target devices .............................................................................................. 18
4.1. General information ................................................................................................... 18
4.2. Password or key authentication ................................................................................ 18
4.2.1. Generating a key under Linux ........................................................................ 18
4.2.2. Generating a key under Windows .................................................................. 19
4.3. Simplified authentication in X509 mode .................................................................... 23
4.4. SSH connections ...................................................................................................... 24
4.4.1. SSH specific options ...................................................................................... 24
4.4.2. SSH connections from a Unix/Linux workstation ............................................ 25
4.4.3. SSH connections from a Windows workstation .............................................. 30
4.5. RDP connections ...................................................................................................... 35
4.5.1. RDP specific options ...................................................................................... 35
4.5.2. RDP connections from a Linux workstation .................................................... 35
4.5.3. RDP connections from a Windows workstation (XP, Vista or 7, 8 or 10) .......... 39
4.6. Universal Tunneling connections ............................................................................... 43
4.6.1. Prerequisites .................................................................................................. 43
4.6.2. Redirection modes ......................................................................................... 43
4.6.3. Universal Tunneling connections from a Windows workstation ....................... 43
4.6.4. Universal Tunneling connections from a Linux workstation ............................. 47
5. Managing approval requests ................................................................................................ 48
6. Troubleshooting .................................................................................................................... 51
6.1. General information on login issues .......................................................................... 51
6.2. Silent SSH session ................................................................................................... 51
7. Contact WALLIX Bastion Support ........................................................................................ 53


Chapter 1. Introduction
1.1. Preamble
Thank you for choosing WALLIX Bastion.

The WALLIX Bastion solution is marketed in the form of a dedicated, ready-to-use server or as a
virtual device for the following virtual environments:

• Amazon Web Services (AWS)
• Google Cloud Platform (GCP)
• Kernel-based Virtual Machine (KVM)
• Microsoft Azure
• Microsoft Hyper-V
• Nutanix AHV
• OpenStack
• VMware vSphere

This product has been engineered with the greatest care by our teams at WALLIX and we trust that
it will deliver complete satisfaction.

1.2. Copyright & Licenses


This document is the property of WALLIX and may not be reproduced without its prior consent.

All the product or company names mentioned herein are the registered trademarks of their
respective owners.

WALLIX Bastion is subject to the WALLIX software license contract.

WALLIX Bastion is based on free software. The list and source code of GPL and LGPL licensed
software used by WALLIX Bastion are available from WALLIX. Please send your request on Internet
by creating a new case at https://support.wallix.com/ or in writing to:

WALLIX
Service Support
250 bis, Rue du Faubourg Saint-Honoré
75008 PARIS
FRANCE

1.3. Legend
prompt $ command to input <parameter to replace>
command output
on one or more lines
prompt $


1.4. About this document


This document is the User Guide for WALLIX Bastion 10.0.5. You will find it useful if your company’s
technical and organizational rules require you to use WALLIX Bastion to connect to the devices you
administer (servers, network devices, security equipment and Web administration interfaces).

This guide will help you to:

• use the WALLIX Bastion Web user interface (also called “GUI” in this document) to find out your
access rights, change your password or upload your SSH public key;
• use your usual connection tools in a way that is compatible with WALLIX Bastion.


Chapter 2. General principles


The role of WALLIX Bastion is to:

• relay your SSH or RDP connections to the target devices
• control your connections according to the rights defined in your profile
• record your actions (if the option is enabled by the WALLIX Bastion administrator).

For WALLIX Bastion to relay your connections you must log on:

• either with your login and password for logging onto the WALLIX Bastion Web interface from your
browser and for connecting to target devices via RDP proxy
• or with your login and password for RDP sessions
• or with your login and password or your public key for SSH sessions.

Your rights define:

• which target devices and accounts you can connect to
• the target devices and accounts for which you are allowed to view the passwords
• which connection protocols you can use
• the time frames during which you are authorized to connect to the target accounts
• a restrictive source IP address (optional).

There are two target account logon modes:

• “auto logon” mode: you automatically log on to the target account without needing to know the
password
• “manual logon” mode: you manually log on to the target account and need to know the password.

Warning:
In order to ensure the security of data exchange, the user workstation must provide an
electronic certificate used by WALLIX Bastion to authenticate and must be configured to
allow WALLIX Bastion authentication from this electronic certificate.

2.1. WALLIX Session Manager


This specific feature of WALLIX Bastion 10.0.5 is available according to your software license
contract.
This feature allows you to:

• identify the users who are connected to specific devices and monitor their activity: sessions
can be viewed through the WALLIX Bastion Web interface or downloaded to be viewed locally
on your workstation. RDP sessions can be viewed in real time.
• get direct resource access using native clients such as PuTTY, WinSCP, MSTSC or OpenSSH.

2.2. WALLIX Password Manager


This specific feature of WALLIX Bastion 10.0.5 is available according to your software license
contract.


This feature allows you to:

• view the list of the target accounts for which you are authorized to view/check out the password
• access account credentials (login, password and SSH key)

2.3. Session recording


WALLIX Bastion can record user sessions (except X11 sessions) as stated in the SSH connection
and in the RDP logon prompt.
The commands you enter from your workstation (keyboard/mouse) and the responses from the
target device you are logged on to and which are displayed on your screen can be stored for later
viewing.

This feature can be activated and the session records can be viewed at any time by an authorized
WALLIX Bastion administrator.


Chapter 3. Using the WALLIX Bastion Web interface (GUI)
To access the GUI, enter the following URL in your browser’s address bar:

https://bastion_ip_address/ui or https://<bastion_name>/ui

Note:
Internet Explorer is not supported by the default interface.

Your browser must be configured to accept cookies and run JavaScript.

You can access the legacy interface by clicking on the “Legacy interface” icon at the top
of the page.

The bastion_ip_address has been provided by your WALLIX Bastion Administrator. If not, you can
use the domain name.

Then log on from the login screen with the details provided by your WALLIX Bastion administrator:

• If your administrator has provided you with credentials, enter your login and password and then
click on the “Log in” button (the “User name” field is not case-sensitive)
• If your administrator has set two-factor authentication, enter also the required credentials during
secondary authentication
• If your administrator has enabled the Kerberos authentication method, then enter the following
URL in your browser’s address bar:

https://bastion_ip_address/iwab or https://<bastion_name>/iwab
• If your administrator has provided you with an X509 certificate, then go to Section 3.6, “X509
strong authentication”, page 15
• If your administrator has set authentication from Azure AD, click on the dedicated button in the
“Other authentication method” section. You are then redirected on the Microsoft login page and
you must enter the credentials of your Azure AD account to access the Web interface.
• If your administrator has set authentication from your AD, you may be prompted for password
change after expiration on the login screen.


Figure 3.1. Login screen

Note:
The login screen is displayed depending on your language preferences set in your
browser. Once you are connected, the GUI is displayed in the language that you
selected in your WALLIX Bastion settings (refer to Section 3.1, ““My preferences”
menu”, page 9).

Once you have logged in successfully, the following screen is displayed:

Figure 3.2. Home page


The menu on the left allows you to access the main features. This menu may vary depending on
your user profile and your assigned rights.
From the header on the upper part of the screen, you can:


• view the name of the user who is logged on. When hovering the mouse over the user name area,
a contextual menu shows the entries to the “My preferences” page, the “Legacy interface” icon
and the logout icon.

Note:
Any logout made from this interface is only effective on WALLIX Bastion. Thus, a user
authenticated via SAML external authentication on Azure AD will not be disconnected
from their session on this tenant.

• access the contextual online help by clicking on the icon
• view the possible notifications by clicking on the icon.

3.1. “My preferences” menu


The “My preferences” page is accessible by hovering your mouse over your user name at the top
right of the screen.
This page can be used to change your personal settings. You can:

• change your contact email address
• change your display language (for displaying the GUI and messages on proxies)
• change your password

Warning:
Depending on the configuration set by your administrator, the “Password” tab may not
be displayed.

• drag-and-drop, upload or enter manually an SSH public key using the RSA, ED25519 or ECDSA
algorithm, or delete an existing SSH public key

Warning:
Depending on the configuration set by your administrator, the “SSH public key” tab may
not be displayed.
This key must be in the OpenSSH format. Otherwise an error message is displayed.
If you use PuTTYgen to generate the key, you must save in a text file the public key
displayed in the OpenSSH format during the generation. As an example, this key is
labelled as follows:
“ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204”
You can then upload this key on the “SSH public key” tab on this page.
If a key already exists, you can load a private key using PuTTYgen in order to generate
the corresponding public key in the appropriate format.

• drag-and-drop, upload or display a GPG key, or delete an existing GPG key
• change the display size of WALLIX Bastion. This setting only applies for connections via the
current browser.
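The format rules for the “SSH public key” tab above (one-line OpenSSH format, RSA, ED25519 or ECDSA only, the public-key file saved by PuTTYgen is not accepted) can be checked on the workstation before pasting a key. The following Python is an added example, not WALLIX code or part of this guide; the sample keys it builds are constructed placeholders, not real key material.

```python
import base64
import struct

# Algorithms the "SSH public key" tab accepts: RSA, ED25519 or ECDSA.
ACCEPTED_TYPES = {
    "ssh-rsa",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def _read_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_openssh_public_key(line: str) -> dict:
    """Parse a '<type> <base64> [comment]' line as pasted into the tab.

    Returns the key type, the comment and the key size in bits. Raises
    ValueError for anything that is not a well-formed OpenSSH public key.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]' (OpenSSH format)")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc

    # The first string inside the blob repeats the type; both must agree,
    # otherwise the prefix was edited by hand and the key is unusable.
    inner_type, pos = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("type prefix does not match the encoded key blob")

    if key_type == "ssh-rsa":
        # ssh-rsa blob: string type, mpint e, mpint n (RFC 4253).
        _exponent, pos = _read_string(blob, pos)
        modulus, pos = _read_string(blob, pos)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type == "ssh-ed25519":
        point, pos = _read_string(blob, pos)
        if len(point) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    else:
        # ecdsa-sha2-*: string type, string curve name, string point (RFC 5656).
        curve, pos = _read_string(blob, pos)
        if b"ecdsa-sha2-" + curve != key_type.encode("ascii"):
            raise ValueError("curve name does not match key type")
        _point, pos = _read_string(blob, pos)
        bits = int(curve[len(b"nistp"):].decode("ascii"))
    if pos != len(blob):
        raise ValueError("trailing data after key blob")
    return {"type": key_type, "comment": comment, "bits": bits}


def check_upload(line: str):
    """Mirror the tab's outcome: (True, info) when accepted, (False, reason) when not."""
    try:
        return True, parse_openssh_public_key(line)
    except ValueError as exc:
        return False, str(exc)


# --- constructed sample keys (dummy values, not real key material) ---------

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    # Positive mpint: a leading zero byte is added when the top bit would be set.
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_sample_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Assemble an OpenSSH line from raw blob fields (for sample data only)."""
    blob = ssh_string(key_type.encode("ascii")) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".strip()


# A 2048-bit "modulus" made from a placeholder number, not a real RSA key.
SAMPLE_RSA = make_sample_line("ssh-rsa", ssh_mpint(65537), ssh_mpint((1 << 2047) | 1),
                              comment="rsa-key-20151204")
SAMPLE_ED25519 = make_sample_line("ssh-ed25519", ssh_string(bytes(range(32))),
                                  comment="user@workstation")
# The public-key file PuTTYgen saves starts with this RFC 4716 header, which
# is not the OpenSSH one-line format and is therefore rejected.
SAMPLE_PUTTY_HEADER = "---- BEGIN SSH2 PUBLIC KEY ----"
```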


Note:
The area allowing the password change is not available on this page if your user
authentication is external (for example, when your authentication is linked to a company
directory or a Kerberos KDC).

A password may be rejected (according to the configuration set by the WALLIX Bastion
administrator) in the following cases:

• if the password is included in the list of forbidden trivial passwords by the WALLIX Bastion
administrator
• if the password is too short or does not include any special characters, numbers or capital letters
• if the password corresponds to your login
• if the password is the same as a previous password.

Figure 3.3. “My Preferences” page

3.2. Summary
On the pages of the Web interface, a summary is displayed on the right part of your screen. It gives
an overview of the data defined within WALLIX Bastion.

By clicking on the main entries of the summary, you are redirected to the concerned pages and
you can view, enter, add, edit or delete data. Note that you have the possibility to hide and show
this summary at any moment.

3.3. “My authorizations” menu - Session authorizations
Warning:
The “Sessions” entry in “My authorizations” can only be managed if the WALLIX Session
Manager feature is associated with your license key (refer to Section 2.1, “WALLIX
Session Manager”, page 5).


From the “Sessions” page on the “My authorizations” menu, you can view the list of the targets you
are authorized to access.
On each line, you can access the target by clicking on one of the following icons:

• : this icon allows you to download an RDP configuration file or a shell script with the SSH
command (WALLIX-PuTTY on Windows or SSH on other systems) you can save to establish a
connection from an RDP or an SSH client (filename suffix .puttywab or .xsh or .rdp under Windows
and .sh or .remmina under Linux). In this case, the WALLIX Bastion password is required for the
connection.
• : (“Instant access (one-time password, limited in time)”): this icon allows you to open the file to
immediately establish a connection from an RDP client (filename suffix .rdp under Windows and
.sh or .remmina under Linux). In this case, no password is required but the access is granted for
a limited period of time. This icon is also displayed for the connection to an application.
• : (“Instant access with WALLIX-PuTTY (one-time password, limited in time)”): this icon allows
you to open the file to immediately establish a connection from an SSH client (filename suffix
.puttywab or .xsh under Windows and .sh under Linux). In this case, no password is required
but the access is granted for a limited period of time. For SSH authentication, also refer to
Section 4.4.2.1, “Target connection in interactive mode for SCP and SFTP protocols”, page 25.

Note:
To use the .puttywab files on Windows, the WALLIX-PuTTY application has to be
downloaded and installed from the “Download WALLIX-PuTTY” link displayed at the top
of the page. This link is only displayed when the workstation is running under Windows
and you are also authorized to connect to at least one SSH target. The installation sets
the file association so that the application is started automatically. The installation does
not require administrative privileges. However, the installation is only operational for the
logged user and not for all users of the workstation.
The “Download RDP configuration file” link displayed at the top of the page allows you
to download an RDP configuration file with the RemoteApp mode enabled. You can then
save the file to establish a connection to an application in interactive mode via the RDP
client selector. This link is only displayed when the RemoteApp mode is enabled and
you are also authorized to connect to at least one application. The RemoteApp mode is
enabled by default when accessing applications.

Figure 3.4. “My authorizations” menu - “Sessions” page


If an approval workflow has been defined to be authorized to access the target, click on “Request” in
the “Approval” column to notify the approvers and get access to the target. For further information,
refer to Section 3.5, “Approval workflow”, page 13.

3.4. “My authorizations” menu - Password authorizations
Warning:
The “Passwords” entry in “My authorizations” can only be managed if the WALLIX
Password Manager feature is associated with your license key (refer to Section 2.2,
“WALLIX Password Manager”, page 5).

From the “Passwords” page on the “My authorizations” menu, you can view the list of the target
accounts for which you are authorized to check out the account's credentials.

For each account, you can perform the following actions:

• click on “View” at the beginning of the line to display in another page the credentials of the related
account.
• click on “Check out” at the beginning of the line to display in another page the credentials of
the related account. In this case, the lock has been enabled at the level of the checkout policy
associated with this account: only you can access the credentials at this time.

Important:
If an approval is not necessary to access the credentials or has been accepted
by approvers, you can directly check out the data. Otherwise, an error message
is displayed and you must send a request to access the credentials. For further
information, refer to Section 3.5, “Approval workflow”, page 13.

In the event of an ongoing password change, the concerned account cannot be
checked out. An error message is then displayed informing you that the account is
temporarily unavailable for checkout.

• click on “Check out remotely” at the beginning of the line to display in another page the credentials
of the related external vault account.
• identify the account being locked consequently to an ongoing checkout. In this case, no action
can be performed until the release of this lock.
• send a request to approvers to access the account's credentials by clicking on “Request” in the
“Approval” column at the end of the line. For further information, refer to Section 3.5, “Approval
workflow”, page 13.

When you have access to the page listing the account's credentials, you can view:

• the name of the account being checked out mentioned above the frame
• the login of the account
• the credentials of the account, which can be:
– the password if it has been defined for the account either on the local or the remote WALLIX
Bastion


– the SSH private key if it has been defined for the account either on the local or the remote
WALLIX Bastion. This key can be downloaded in the OpenSSH or PuTTY key formats and can
be encrypted with a passphrase entered in the dedicated field.
– the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority. This certificate can be downloaded in the OpenSSH or ssh.com
formats.

On this page, you can also:

• click on the “Check in” button to end check out. You are then redirected to the page listing the
authorized target accounts. If the lock has been enabled in the checkout policy associated with
this account, this action also releases the lock of the account.

• click on the “Extend checkout” button if a checkout extension has been defined in the checkout
policy associated with the account. Otherwise this button is not displayed. This action extends
the checkout duration and can then be performed several times as long as the maximum duration
has not been reached.
When the lock has been enabled in the checkout policy associated with this account, the latter
remains locked for the period defined within this policy. It is then necessary to click on the “Check
in” button to release the lock of the account before the end of checkout duration. Nonetheless,
the account is automatically checked in at the end of this duration and the user is redirected to
the page listing the authorized target accounts. The remaining time before automatic check-in is
displayed below the credentials.

Figure 3.5. “My authorizations” menu - “Passwords” page

3.5. Approval workflow


If an approval workflow has been defined to be authorized to connect to a target or access the target
credentials, you must send a request for approval to notify the approvers and get the access.

3.5.1. Approval request for sessions


From the “Sessions” page on the “My authorizations” menu, click on “Request” in the “Approval”
column to notify the approvers and get access to the target. The “Approval request” page is then
displayed to allow you to submit the request (refer to Figure 3.6, “Approval request (WALLIX Bastion
GUI)”, page 14).
The “Approval request” page consists of the following fields:


• a start date. By default, this is the current date.
• a start time. By default, this is the current time.
• a duration, expressed in hours and minutes
• a comment to enter the reason for the approval request. This field is displayed if the corresponding
option was enabled during the authorization definition.
• a ticket reference. This field is displayed if the corresponding option was enabled during the
authorization definition.

The current requests are then listed at the bottom of the “Sessions” page as shown by Figure 3.4,
““My authorizations” menu - “Sessions” page”, page 11. By clicking on the notepad icon at the
beginning of the line it is possible to cancel the request (if its status is “pending” or “approved”) and
send an email to all the concerned approvers.
The statuses of a valid request (its duration has not expired) can be either of the following:

• a request is marked as “accepted” when the quorum (i.e. the minimum number of favorable
answers required for the authorization) has been reached

Note:
When the request is accepted by the first approver and the start date and time have
been reached:
– the start date and time of the request are then updated with the start date and time
of this action
– the end date and time are then extended for the request duration from this action

• a request is marked as “rejected” and subsequently dismissed as soon as an approver rejects it.
The user is then notified by email of the reason for the rejection.
• a request is “pending” as long as the quorum has not been reached and it has not been rejected.

If the request is no longer valid, it is then marked as “closed” and it is no longer possible for an
approver to answer the request.
Once a request is approved, it is possible to start a new session as long as the period defined by
the request's duration has not expired. During this period, it is also possible to restart the session
multiple times. It is then not necessary to keep open the initial connection.
In the case you want to start a session immediately (with an SSH or RDP client), the proxy
offers the possibility to fill in a request form, as shown by Figure 3.7, “Approval request (RDP
Proxy)”, page 15, if the selected target requires an approval.

Figure 3.6. Approval request (WALLIX Bastion GUI)


Figure 3.7. Approval request (RDP Proxy)

3.5.2. Approval request for passwords


From the “Passwords” page on the “My authorizations” menu, click on “Request” in the “Approval”
column to notify the approvers and get access to the target credentials. The “Approval request”
page is then displayed to allow you to submit the request (refer to Figure 3.6, “Approval request
(WALLIX Bastion GUI)”, page 14).
The “Approval request” page consists of the following fields:

• a start date. By default, this is the current date.
• a start time. By default, this is the current time.
• a duration, expressed in hours and minutes
• a comment to enter the reason for the approval request. This field is displayed if the corresponding
option was enabled during the authorization definition.
• a ticket reference. This field is displayed if the corresponding option was enabled during the
authorization definition.

The current requests are then listed at the bottom of the “Passwords” page (refer to Figure 3.5,
““My authorizations” menu - “Passwords” page”, page 13). By clicking on the notepad icon at
the beginning of the line it is possible to cancel the request (if its status is “pending” or “approved”)
and send an email to all the concerned approvers.
The statuses of a valid request (its duration has not expired) can be either of the following:

• a request is marked as “accepted” when the quorum (i.e. the minimum number of favorable
answers required for the authorization) has been reached
• a request is marked as “rejected” and subsequently dismissed as soon as an approver rejects it.
The user is then notified by email of the reason for the rejection.
• a request is “pending” as long as the quorum has not been reached and it has not been rejected.

If the request is no longer valid, it is then marked as “closed” and it is no longer possible for an
approver to answer the request.
Once a request is approved, it is possible to access the target credentials as long as the period
defined by the request's duration has not expired.
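The status rules described in Section 3.5.1 and Section 3.5.2 (quorum, rejection, pending, closed, and the note on re-basing the start and end when the first approval arrives after the requested start) are modelled in the following Python. It is an added example, not part of this guide or of WALLIX Bastion; the timeline, approver names and quorum are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ApprovalRequest:
    """One approval request as submitted from the 'Sessions' or 'Passwords' page."""
    start: datetime                 # requested start date and time
    duration: timedelta             # requested duration (hours and minutes)
    quorum: int                     # minimum number of favourable answers
    approvals: List[Tuple[str, datetime]] = field(default_factory=list)
    rejected_by: Optional[str] = None
    rejection_reason: str = ""

    @property
    def end(self) -> datetime:
        # The end always follows the (possibly re-based) start by the duration.
        return self.start + self.duration

    def is_open(self, now: datetime) -> bool:
        """An approver can only answer while the request is still valid."""
        return self.rejected_by is None and now <= self.end

    def approve(self, approver: str, now: datetime) -> None:
        if not self.is_open(now):
            raise ValueError("request is closed or rejected; cannot answer")
        # First favourable answer given after the requested start has passed:
        # the window is re-based on that action, so the end becomes now + duration.
        if not self.approvals and now >= self.start:
            self.start = now
        self.approvals.append((approver, now))

    def reject(self, approver: str, reason: str, now: datetime) -> None:
        if not self.is_open(now):
            raise ValueError("request is closed or rejected; cannot answer")
        # A single rejection dismisses the request, whatever the quorum.
        self.rejected_by = approver
        self.rejection_reason = reason

    def status(self, now: datetime) -> str:
        if self.rejected_by is not None:
            return "rejected"
        if now > self.end:
            return "closed"
        if len(self.approvals) >= self.quorum:
            return "accepted"
        return "pending"

    def access_allowed(self, now: datetime) -> bool:
        """Sessions (or credential checkouts) may start, and be restarted,
        at any time while the request is accepted and its window is running."""
        return self.status(now) == "accepted" and self.start <= now <= self.end


def walk_through() -> dict:
    """Replay a two-approver request on a constructed timeline."""
    t0 = datetime(2023, 5, 2, 9, 0)  # requested start 09:00, duration 2 h
    req = ApprovalRequest(start=t0, duration=timedelta(hours=2), quorum=2)
    statuses = [req.status(t0)]                                    # pending
    req.approve("alice", t0 + timedelta(minutes=30))               # re-bases start to 09:30
    statuses.append(req.status(t0 + timedelta(minutes=31)))        # still pending
    req.approve("bob", t0 + timedelta(minutes=40))                 # quorum reached
    statuses.append(req.status(t0 + timedelta(minutes=41)))        # accepted
    statuses.append(req.status(t0 + timedelta(hours=3)))           # closed (after 11:30)
    return {
        "statuses": statuses,
        "rebased_start": req.start.strftime("%H:%M"),
        "end": req.end.strftime("%H:%M"),
        "restart_at_11_20": req.access_allowed(t0 + timedelta(hours=2, minutes=20)),
        "restart_at_11_40": req.access_allowed(t0 + timedelta(hours=2, minutes=40)),
    }


def rejection_example() -> Tuple[str, str]:
    """One rejection dismisses the request even though the quorum is only 1."""
    t0 = datetime(2023, 5, 2, 9, 0)
    req = ApprovalRequest(start=t0, duration=timedelta(hours=1), quorum=1)
    req.reject("carol", "no ticket reference", t0 + timedelta(minutes=5))
    return req.status(t0 + timedelta(minutes=6)), req.rejection_reason
```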

3.6. X509 strong authentication


WALLIX Bastion can provide strong authentication using an X509 certificate via the GUI if your
administrator authorizes its use for your user account.


In this case, your administrator must provide you with a certificate either in the form of software
certificate or on a physical device (USB key, smart card, etc.).
If your certificate is stored on a physical device, you should first insert the device so that the
certificate is available in the system.
If your certificate is stored in a file, you should first import the certificate into your browser so that it
can be used to provide your authentication. The procedure to follow depends on your browser:

• Under Firefox, select the “Tools” | “Options” menu command and click on “Privacy & Security”. In
the “Certificates” section, click on the “View Certificates” button. On the “Your Certificates” tab,
click on the “Import” button.
• Under Chrome, click on the “Customize and control Google Chrome” icon beside the address bar.
In the menu, select “Settings”, click on “Privacy and security” and on the “Manage certificates”
button. Lastly, in the “Personal” tab, click on the “Import” button.
• Under Internet Explorer, click on the “Tools” menu and select “Internet options”. On the “Content”
tab, click on the “Certificates” button. On the “Personal” tab, click on the “Import...” button and
then follow the wizard’s instructions.

If X509 authentication mode is enabled, the login screen is displayed as follows:

Figure 3.8. Login screen with X509 authentication


You can then:

• either select “PASSWORD Authentication”, then enter a login and password and click on the
“LOG IN” button
• or select “X509 Authentication”, then click on the “LOG IN” button. In this case, your browser
will ask you to choose a certificate (if you have more than one and you have not yet saved your
choice) and then ask you to enter the certificate’s password if necessary. If the certificate has
been linked with a WALLIX Bastion account, you will immediately be authenticated and logged
on with this account.

Note:
If your certificate is stored in a physical form, the smart card or USB key concerned
must be inserted throughout the authentication phase.


If your administrator has set two-factor authentication, enter also the required
credentials during secondary authentication.

An alternative authentication mode is available for the sessions started directly via a client (SSH
or RDP) while you remain connected to the GUI in X509 authentication mode (refer to Section 4.3,
“Simplified authentication in X509 mode”, page 23).


Chapter 4. Connections to target devices
4.1. General information
SSH, RDP, VNC, TELNET and RLOGIN connections can be established between WALLIX Bastion
and the target devices (trusted zone).
Only encrypted SSH and RDP connections are allowed between workstations and WALLIX Bastion
(hostile zone).
You can continue to use your usual tools with WALLIX Bastion such as SSH clients in text or graphic
mode or RDP clients on Unix, Windows or Mac OS X platforms.
However, the form of the command line and/or graphic client settings may change slightly to take
the indirection introduced by WALLIX Bastion into account (refer to the following sections).

4.2. Password or key authentication


WALLIX Bastion can perform “local” SSH authentication using either a password or a key. In the
case of key authentication, WALLIX Bastion does not request a password for an SSH connection.
However, users must always enter their password to log on to the WALLIX Bastion Web interface
and connect to target devices via RDP sessions, unless they have been provided with a Kerberos
authentication method or an X509 certificate by the WALLIX Bastion administrator.

Note:
Your SSH public key must be entered either by your administrator via the Web
administration interface or by yourself on the “My Preferences” page (refer to Section 3.1,
““My preferences” menu”, page 9).

SSH key authentication also allows a resident authentication agent to be used on the client
workstation. The agent holds the decrypted key, so users are asked for the key’s passphrase only
once, when the agent starts or the first time the key is used, and the key is then reused without
the passphrase being re-entered each time. Agent use is transparent with all supported clients.
The authentication agent can optionally also be used to forward the client’s authentication
parameters to WALLIX Bastion so that it can use them to log on to target devices. This lets WALLIX
Bastion authenticate with the client’s private keys without users re-entering passphrases and
without WALLIX Bastion ever holding the private keys: the key never leaves the agent, which only
answers signature requests for as long as the session lasts. For this reason the option must
usually be activated explicitly when the client is started, as clients generally leave it disabled
for security reasons; enable it only for the sessions that need it.

Note:
Some clients that support agent use may not support the authentication transfer option.

4.2.1. Generating a key under Linux

Follow the steps below to generate and use an SSH authentication key pair with OpenSSH under Linux.

You can also use the ~/.ssh/id_rsa file, which is the default identity used by all OpenSSH
commands. If this file already exists, skip step 1 below and, in step 2, import ~/.ssh/id_rsa.pub
into WALLIX Bastion instead (refer to Section 3.1, ““My preferences” menu”, page 9).

In this example, the private key’s identity is wab_rsa2048, but you can use any other valid file name.
It is recommended to save this key in the .ssh directory of your HOME directory.

1. Run the following terminal command to generate the public/private key pair:

$ ssh-keygen -t rsa -f ~/.ssh/wab_rsa2048
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/martin/.ssh/wab_rsa2048.
Your public key has been saved in /home/martin/.ssh/wab_rsa2048.pub.

You can also use the parameter -b SIZE to change the key’s size. Depending on the version of
ssh-keygen, the default RSA key size is 2,048 or 3,072 bits (OpenSSH 8.0 and later default to
3,072), either of which is a reasonable size; if the key is to be used beyond 2030, a 4,096-bit key
is recommended. Note, however, that the authentication transfer option (refer to Section 4.4.2.9,
“Logging on by activating the authentication transfer option”, page 29) does not work with RSA
keys longer than 2,048 bits, so use -b 2048 if you need that option. Always choose a non-empty
passphrase: the private key file is only as well protected as the passphrase that encrypts it.
2. Import the file ~/.ssh/wab_rsa2048.pub into WALLIX Bastion. To do this, please refer to
Section 3.1, ““My preferences” menu”, page 9.
3. If you do not use an authentication agent, the “ssh”, “scp” and “sftp” commands will directly
use either the default identity key ~/.ssh/id_rsa or the private key passed as an argument
using the parameter -i KEY, for example:

$ ssh -t -i ~/.ssh/wab_rsa2048 -l root@asterix:martin wab.mycorp.lan
Enter passphrase for key '/home/martin/.ssh/wab_rsa2048':
4. If you use an authentication agent, you must import the private key whenever you restart the
agent.

$ ssh-add ~/.ssh/wab_rsa2048
Enter passphrase for /home/martin/.ssh/wab_rsa2048:
Identity added: /home/martin/.ssh/wab_rsa2048 (/home/martin/.ssh/wab_rsa2048)

You can then log on to the SSH proxy without having to re-enter the password and without the
parameter -i in the command line (SSH will automatically try all the identities added in the agent).
5. Start your SSH connection as described in Section 4.4.2, “SSH connections from a Unix/Linux
workstation”, page 25.

4.2.2. Generating a key under Windows

Follow the steps below to generate and use an SSH authentication key pair under Windows using PuTTY.

In this example, the private key is named wab_rsa2048, but you can use any other valid file name.

1. Launch PuTTYgen to open the PuTTY Key Generator window.


2. On the “Parameters” frame, change the options as shown below to generate an SSH-2 RSA
2,048-bit key.

Note: if the key is to be used beyond 2030, a 4,096-bit key is recommended. The authentication
transfer option (refer to Section 4.4.3.6, “Logging on with PuTTY by activating the authentication
transfer option”, page 34), however, does not work with RSA keys longer than 2,048 bits.

Figure 4.1. PuTTY Key Generator window


3. Click on the “Generate” button and move the mouse randomly to increase entropy.
4. When PuTTY generates the key, enter the desired password in the “Key passphrase” (key
password) field and confirm it in the “Confirm passphrase” field.
5. Click on the “Save private key” button and save the key in your user directory, for example in
My Documents\wab_rsa2048.ppk.
6. Select all the text in the frame below “Public key for pasting into OpenSSH authorized_keys
file” (right-click and use the contextual menu or press Ctrl+A), then copy to the clipboard (using
the contextual menu or press Ctrl+C).

Figure 4.2. PuTTYgen Key Generator window with key generated


7. Open Notepad to create a new text document. Paste the text in the document, using either
the contextual menu or press Ctrl+V. Lastly, save this document containing the public key, for
example in My Documents\wab_rsa2048.pub.txt.
8. Close the PuTTY Key Generator window and Notepad.
9. Import this public key file into WALLIX Bastion. To do this, please refer to Section 3.1, ““My
preferences” menu”, page 9.
10. Import the private key into your SSH client to use it when you log on using any of the following
methods:
• If you use Pageant authentication:

Launch Pageant (if it is not already running), then double-click on the Pageant icon which
appears in the Windows taskbar notification area: the Pageant Key List window opens.
Click on the “Add Key” button and browse the directories to select the private key file in My
Documents\wab_rsa2048.ppk.

Figure 4.3. Pageant Key List window with key added

You can now log on to the SSH proxy using PuTTY, PSCP, PSFTP, FileZilla or WinSCP (unless
WinSCP is configured to prevent Pageant authentication).

Alternatively, you can simply double-click on the private key file in the File Explorer to add the
key. To do this, the “.ppk” file extension must first have been associated with Pageant.
• If you use PuTTY without Pageant:

Launch PuTTY to open the PuTTY Configuration window. In the “Category” tree-structure,
select “Connection” | “SSH” | “Auth”; on the “Authentication parameters” frame, click on the
“Browse” button and then select the private key file in My Documents\wab_rsa2048.ppk.

Remember to save the session configuration settings if you want to reuse them.
• If you use PSCP or PSFTP without Pageant:

Add the parameter -i KEY to the command line as shown below:

C:\> pscp -scp -i "C:\Documents and Settings\martin\My Documents\wab_rsa2048.ppk" myfile martin@wab.mycorp.lan:root@asterix:/tmp
Passphrase for key "rsa-key-20120914":

• If you use FileZilla without Pageant:

Launch FileZilla then select the “Edit” menu command | “Settings” and select the “SFTP”
page. Click on the “Add key file” button and select the private key file, My Documents\wab_rsa2048.ppk.

Figure 4.4. FileZilla Settings page - SFTP category


• If you use WinSCP without Pageant:

Launch WinSCP. On the “Session” configuration category (refer to Figure 4.9, “WinSCP Login
window - Session category”, page 33 below), click on “...” near the “Private key file” field
and select the file My Documents\wab_rsa2048.ppk.
11. Launch your SSH connection as described in Section 4.4.3, “SSH connections from a Windows
workstation”, page 30.

Note:
You must launch Pageant if you wish to use the SSH agent authentication transfer
functionality.

4.3. Simplified authentication in X509 mode


WALLIX Bastion can provide X509 certificate authentication via the Web interface, as described
in Section 3.6, “X509 strong authentication”, page 15. If you logged on in this way, a special
authentication mechanism applies for sessions started directly from clients logging on from the
same IP address as the one from which you logged on to the Web interface: the client is prompted
to wait while the browser displays a message asking whether you authorize the new connection.

If you click on “Accept”, the session connection will be established immediately without using keys
or entering passwords.

If you click on “Reject” or you do not reply within 30 seconds, the connection to WALLIX Bastion
for the desired session will be closed.

A frame allows you to save your choice to allow multiple automatic connections through a one-time
confirmation for either RDP sessions or SSH sessions or both, for a given validity period (expressed
in seconds).

Figure 4.5. Connection confirmation window

Warning:
For most clients, a message is displayed on the Web interface to inform you that WALLIX
Bastion is awaiting your authorization. This is not the case when you use SCP or SFTP
clients, which wait silently as they are not designed to display server messages.
The browser and the RDP or SSH client must both be running on the same workstation
(and therefore connect from the same IP address) for this message to be displayed on the
Web interface. Because the request is matched to your browser session by source IP
address only, accept a confirmation only for a connection you have just started yourself.

To return to normal proxy authentication, simply log out from the Web interface.

4.4. SSH connections

4.4.1. SSH specific options
The following options, which mainly determine the channels authorized for the session, are provided
for the SSH protocol:

• SSH_SHELL_SESSION: starts a shell session
• SSH_REMOTE_COMMAND: runs remote commands
• SSH_SCP_UP: transfers files to a target device (SCP upload from client to server)
• SSH_SCP_DOWN: transfers files from a target device (SCP download from server to client)
• SSH_X11: displays X11 applications running on a target device
• SFTP_SESSION: bi-directional file transfers via the SFTP protocol (SFTP session)
• SSH_DIRECT_TCPIP: allows direct TCP/IP port forwarding (from client to server)
• SSH_REVERSE_TCPIP: allows reverse TCP/IP port forwarding (from server to client)
• SSH_AUTH_AGENT: allows agent authentication forwarding (multi-hops auth-agent)
• SSH_DIRECT_UNIXSOCK: allows direct Unix socket forwarding (from client to server)
• SSH_REVERSE_UNIXSOCK: allows reverse Unix socket forwarding (from server to client)

Each of these subprotocols is covered by a specific authorization on WALLIX Bastion.

If you do not have rights for the appropriate subprotocol, you may not be authorized to start a remote
shell session or transfer a file.

Note:
Some clients also need the option SSH_SHELL_SESSION to list the directories when
they are used in SCP mode.

Some of these authorizations must be associated with others to be fully operational:


- SSH_X11 must be associated with SSH_SHELL_SESSION or
SSH_REMOTE_COMMAND (at least one of the two)
- SSH_AUTH_AGENT must be associated with SSH_SHELL_SESSION or
SSH_REMOTE_COMMAND (at least one of the two)
- SSH_REVERSE_TCPIP must be associated with SSH_SHELL_SESSION
- SSH_REVERSE_UNIXSOCK must be associated with SSH_SHELL_SESSION

4.4.2. SSH connections from a Unix/Linux workstation


This section describes how to use WALLIX Bastion with OpenSSH, the most widely-available client
suite for Linux and the different versions of Unix. Similar tools may be available for the different
variants of Unix, but they generally offer the same features as OpenSSH. In this case, refer to the
corresponding manual pages to check the correct syntax to use in your suite.
The examples provided in the sections 4.4.2.2, page 25 to 4.4.2.7, page 28 work with
password or key authentication and with or without an authentication agent.

4.4.2.1. Target connection in interactive mode for SCP and SFTP protocols
The SCP and SFTP protocols have no secondary interactive mode in which the target login and
password could be requested once the session is open. Specific options must therefore be added
to the login used for the primary connection (the connection between the user and WALLIX Bastion)
so that the target connection information is requested during that connection, as prompts or dialog
boxes, through the “keyboard-interactive” authentication method. This assumes that the client
supports the “keyboard-interactive” authentication method.
The question mark “?” is a forbidden character in a user name (login), so it can be used as a
separator: the options to its right request a prompt for the target login and/or the target password.
The “p” option requests the target password.
The “l” option requests the target login.
A question mark “?” without any option requests the target password by default.
Examples:
Login: “wabuser”: no additional prompt
Login: “wabuser?”: the target password is prompted
Login: “wabuser?p”: the target password is prompted
Login: “wabuser?l”: the target login is prompted
Login: “wabuser?lp”: the target login is prompted first, then the target password

4.4.2.2. Launching Shell sessions

$ ssh -l root@asterix:OpenSSH:martin wab.mycorp.lan
martin's password:

• “martin” refers to a user declared on WALLIX Bastion and authorized to use
“SSH_SHELL_SESSION”. This login is not case-sensitive.
• “wab.mycorp.lan” is the Fully Qualified Domain Name (FQDN) for WALLIX Bastion.

• “root@asterix:OpenSSH” refers to the target account (root), machine (asterix) and service
(OpenSSH). This part is case-sensitive.

Note:
Depending on how the administrator has configured the account, machine and service,
you may also be prompted for the credentials of the target account root@asterix:OpenSSH
(for example when “Auto logon” is not enabled for that account).

The following alternative syntax is also accepted for compatibility reason, although it has been
deprecated:
$ ssh -t martin@wab.mycorp.lan root@asterix:OpenSSH
martin's password:

Note:
The SSH command line option “-t” is essential in this case. It is used to allocate the
pseudo terminal needed in order to display the session.

If only one SSH, TELNET or RLOGIN service is declared on the target machine, you can omit the
service name as shown below:
$ ssh -t martin@wab.mycorp.lan root@asterix
martin's password:

4.4.2.3. Running commands remotely


WALLIX Bastion allows you to execute commands remotely on machines if you are authorized to
use “SSH_REMOTE_COMMAND” (refer to Section 4.4.1, “SSH specific options”, page 24). The
“Auto logon” mode must also be enabled for the target account.
$ ssh -l root@asterix:OpenSSH:martin wab.mycorp.lan halt
martin's password:

or using the old and deprecated syntax:

$ ssh martin@wab.mycorp.lan root@asterix:OpenSSH halt
martin's password:

or when there is only one SSH, TELNET or RLOGIN service on this machine:
$ ssh martin@wab.mycorp.lan root@asterix halt
martin's password:

The “halt” command is run on the “asterix” machine as a result without the shell being opened.

4.4.2.4. Transferring files using SCP


To transfer a file from the client to the target:
$ scp myfile root@asterix+OpenSSH+martin@wab.mycorp.lan:/tmp
martin's password:

• “martin” refers to a user declared on WALLIX Bastion and authorized to use
“SSH_SCP_UP” (refer to Section 4.4.1, “SSH specific options”, page 24). This login is not
case-sensitive.
• “root@asterix+OpenSSH” refers to the target account (root), machine (asterix) and service
(OpenSSH). This part is case-sensitive. The “Auto logon” mode must be enabled for this account.

To transfer a file from the target to the client:

$ scp root@asterix+OpenSSH+martin@wab.mycorp.lan:/tmp/myfile /tmp
martin's password:

• “martin” refers to a user declared on WALLIX Bastion and authorized to use
“SSH_SCP_DOWN” (refer to Section 4.4.1, “SSH specific options”, page 24). This login is not
case-sensitive.
• “root@asterix+OpenSSH” refers to the target account (root), machine (asterix) and service
(OpenSSH). This part is case-sensitive. The “Auto logon” mode must be enabled for this account.

The following alternative syntax is also accepted for compatibility reasons, although it has been
deprecated:
$ scp myfile martin@wab.mycorp.lan:root@asterix:OpenSSH:/tmp
martin's password:

$ scp martin@wab.mycorp.lan:root@asterix:OpenSSH:/tmp/myfile /tmp
martin's password:

If only one SSH service is declared on the target machine, you can omit the service name as shown
below:
$ scp myfile martin@wab.mycorp.lan:root@asterix:/tmp
martin's password:

$ scp martin@wab.mycorp.lan:root@asterix:/tmp/myfile /tmp
martin's password:

4.4.2.5. Transferring files using SFTP


$ sftp root@asterix+OpenSSH+martin@wab.mycorp.lan
Connecting to wab.mycorp.lan...
martin's password:
sftp>

• “martin” refers to a user declared on WALLIX Bastion and authorized to use
“SFTP_SESSION” (refer to Section 4.4.1, “SSH specific options”, page 24). This login is not
case-sensitive.
• “root@asterix+OpenSSH” refers to the target account (root), machine (asterix) and service
(OpenSSH). This part is case-sensitive. The “Auto logon” mode must be enabled for this account.

If only one SSH service is declared on the target machine, you can omit the service name as shown
below:
$ sftp root@asterix+martin@wab.mycorp.lan
Connecting to wab.mycorp.lan...
martin's password:
sftp>
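
The login strings used in Sections 4.4.2.1 to 4.4.2.5 mix two separator conventions (“:” in the -l form, “+” in the scp and sftp forms) and reserve “?” for the prompt flags, which makes them easy to mistype. The POSIX shell helper below is an added example, not part of WALLIX Bastion or of this guide: it assembles those strings from their parts, refuses a user name containing “?” and unknown prompt flags, and prints the resulting command line without running it. The names wab.mycorp.lan, asterix, root and martin are the guide’s sample values; appending the “?” flags directly after the Bastion user name in both forms is an assumption.

```shell
#!/bin/sh
# Added example (not WALLIX code): build and validate the login strings used
# with the SSH proxy. Host and target names are the guide's sample values;
# placing the "?" prompt flags right after the Bastion user name is an assumption.

# wab_target ACCOUNT MACHINE [SERVICE] -> "account@machine[:service]"
# The service may only be omitted when a single SSH/TELNET/RLOGIN service is
# declared on the machine; this function just formats what it is given.
wab_target() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "wab_target: account and machine are required" >&2
        return 1
    fi
    if [ -n "${3:-}" ]; then
        printf '%s@%s:%s\n' "$1" "$2" "$3"
    else
        printf '%s@%s\n' "$1" "$2"
    fi
}

# wab_login USER [FLAGS] -> "user[?flags]"
# "?" is the option separator, so it is refused inside the user name; only the
# prompt flags documented in 4.4.2.1 (l = target login, p = target password)
# are accepted.
wab_login() {
    case "$1" in
        ''|*\?*) echo "wab_login: user name is empty or contains '?'" >&2; return 1 ;;
    esac
    case "${2:-}" in
        '')        printf '%s\n' "$1" ;;
        l|p|lp|pl) printf '%s?%s\n' "$1" "$2" ;;
        *)         echo "wab_login: prompt flags must be l, p or lp" >&2; return 1 ;;
    esac
}

# wab_ssh_cmd BASTION TARGET LOGIN [COMMAND...]
# "-l" form used for shell, remote command and X11 sessions (4.4.2.2, 4.4.2.3,
# 4.4.2.6): the Bastion user is appended to the target with ":".
wab_ssh_cmd() {
    bastion=$1; target=$2; login=$3; shift 3
    printf 'ssh -l %s:%s %s' "$target" "$login" "$bastion"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# wab_scp_spec BASTION TARGET LOGIN PATH -> "account@machine+service+user@bastion:path"
# scp form (4.4.2.4): "+" replaces ":" because ":" already separates host and
# path in the scp syntax.
wab_scp_spec() {
    printf '%s+%s@%s:%s\n' "$(printf '%s' "$2" | tr ':' '+')" "$3" "$1" "$4"
}

# wab_sftp_spec BASTION TARGET LOGIN -> "account@machine+service+user@bastion" (4.4.2.5)
wab_sftp_spec() {
    printf '%s+%s@%s\n' "$(printf '%s' "$2" | tr ':' '+')" "$3" "$1"
}

# Demonstration with the guide's sample names; prints the command lines only.
if [ "${1:-}" = demo ]; then
    target=$(wab_target root asterix OpenSSH)
    wab_ssh_cmd wab.mycorp.lan "$target" "$(wab_login martin)"
    wab_ssh_cmd wab.mycorp.lan "$target" "$(wab_login martin)" halt
    echo "scp myfile $(wab_scp_spec wab.mycorp.lan "$target" "$(wab_login martin p)" /tmp)"
    echo "sftp $(wab_sftp_spec wab.mycorp.lan "$target" "$(wab_login martin lp)")"
fi
```

Run it as sh wab_login.sh demo to print the sample command lines; in your own scripts, source the file and call the functions, then pass their output to ssh, scp or sftp once you have checked it.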

4.4.2.6. Launching X11 sessions


$ ssh -X -l root@asterix:OpenSSH:martin wab.mycorp.lan
martin's password:

• “martin” refers to a user declared on WALLIX Bastion and authorized to use “SSH_X11” (refer
to Section 4.4.1, “SSH specific options”, page 24). This login is not case-sensitive.

• “root@asterix:OpenSSH” refers to the target account (root), machine (asterix) and target
service (OpenSSH). This part is case-sensitive.

The SSH command line option “-X” tells WALLIX Bastion you want to start an “X11 Forwarding”
session: the graphics applications run on the target device during the session will be displayed on
the workstation.
The following alternative syntax is also accepted for compatibility reason, although it has been
deprecated:
$ ssh -t -X martin@wab.mycorp.lan root@asterix:OpenSSH
martin's password:

If only one SSH service is declared on the target machine, you can omit the service name as shown
below:
$ ssh -t -X martin@wab.mycorp.lan root@asterix
martin's password:

4.4.2.7. Logging on without the name of the target

WALLIX Bastion can list the targets you are allowed to access: simply omit the target from the logon
command. This is only possible with interactive sessions (shell or X11).
Enter the following command to display the list of devices:
$ ssh -t martin@wab.mycorp.lan
martin's password:
| ID | Site (page 1/1)
|----|-----------------------------------
| 0 | root@centos:ssh_2222
| 1 | root@asterix:OpenSSH
Enter h for help, ctrl-D to quit

You can then select the desired target by entering its number.

4.4.2.8. Logging on with the authentication agent


If you want to use the authentication agent, you must launch it and add your authentication
parameters before you use the logon commands.

Note:
In some graphical environments, an agent containing all of your user identities is already
activated when you log on. The following commands are then unnecessary. This is
generally the case with Debian or Ubuntu distributions, but not with RedHat distributions.
However, this may vary depending on your configuration.

First, you must launch the resident agent in your shell session by entering the following command;
this adds the agent’s declaration to the shell environment so that the compatible programs can
automatically use it:
$ eval $(ssh-agent)

You must then add one or more identities to this agent:

$ ssh-add PRIVATE_KEY_PATH
Enter passphrase for PRIVATE_KEY_PATH:

“PRIVATE_KEY_PATH” refers to the path of the desired identity’s private key, which is generally
stored in the “~/.ssh” directory, for example “~/.ssh/id_rsa”.

You can then use one of the logon commands described in the previous sections
(4.4.2.2, page 25 to 4.4.2.7, page 28) without having to re-enter the password. These will
automatically use the agent for key-based authentication whenever it is available and declared in
the shell environment.

4.4.2.9. Logging on by activating the authentication transfer option


If you use the authentication agent, you can use the authentication transfer option if it is also
activated in WALLIX Bastion for the required target account. This is only possible with shell or
remote command sessions, by adding the option “-A” as shown below:

$ ssh -A -t martin@wab.mycorp.lan

The SSH command line option “-A” tells WALLIX Bastion you want to start a session using the
authentication transfer option: if the option is activated on the target device, the authentication
parameters used for connection to WALLIX Bastion will be reused to log on to the target.

Warning:
The authentication transfer option is incompatible with RSA keys more than 2,048 bits
long and cannot operate if the agent contains RSA and DSA identities simultaneously.
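
This restriction is easy to trip over when ~/.ssh/id_rsa was generated with a newer ssh-keygen default or a 4,096-bit key was chosen for longevity, and the failure only shows up as a refused logon on the target. The POSIX shell function below checks the identities currently loaded in ssh-agent before you add -A. It is an added example, not part of WALLIX Bastion or of this guide; it assumes the usual ssh-add -l line format (key length, fingerprint, comment, key type in parentheses), and the sample listing is constructed with made-up fingerprints.

```shell
#!/bin/sh
# Added example (not WALLIX code): check the identities loaded in ssh-agent
# against the restrictions of the authentication transfer option (RSA keys of
# at most 2,048 bits; no RSA and DSA identities loaded at the same time).
# Reads "ssh-add -l" output on standard input.

# check_agent_identities < "ssh-add -l output" -> prints one line per problem,
# returns 1 if the agent contents cannot be used for authentication transfer
check_agent_identities() {
    rc=0; rsa=0; dsa=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ktype=${line##* }                 # last field, e.g. "(RSA)"
        bits=${line%% *}                  # first field, key length in bits
        rest=${line#* }; rest=${rest#* }  # drop bits and fingerprint
        comment=${rest% *}                # what is left before the type
        case "$ktype" in
            '(RSA)')
                rsa=1
                case "$bits" in *[!0-9]*|'') continue ;; esac
                if [ "$bits" -gt 2048 ]; then
                    echo "$comment: ${bits}-bit RSA key exceeds the 2,048-bit limit"
                    rc=1
                fi ;;
            '(DSA)') dsa=1 ;;
        esac
    done
    if [ $rsa -eq 1 ] && [ $dsa -eq 1 ]; then
        echo "agent holds RSA and DSA identities at the same time"
        rc=1
    fi
    return $rc
}

# Constructed sample of "ssh-add -l" output; the fingerprints are made up.
SAMPLE_AGENT_LIST='2048 SHA256:aaaa/bbbb wab_rsa2048 (RSA)
4096 SHA256:cccc/dddd /home/martin/.ssh/id_rsa (RSA)
1024 SHA256:eeee/ffff /home/martin/.ssh/id_dsa (DSA)'

# On a real agent:  ssh-add -l | check_agent_identities
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_AGENT_LIST" | check_agent_identities
fi
```

When the check reports a problem, unload the offending identity with ssh-add -d KEY (or restart the agent and add only the key you intend to forward) before starting the session with -A.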

4.4.2.10. Logging on using SCP with authentication transfer


OpenSSH SCP client is not directly compatible with the authentication transfer option. However, the
SCP client can be used via a wrapper script and a launcher script which pass the correct options
to the underlying SSH command.

In a directory in your PATH, create the launcher script file named “scp-A” containing the following
lines:

#!/bin/sh
scp -oForwardAgent=yes -S scp-A-wrapper "$@"

Next, create the wrapper script file “scp-A-wrapper” in the same directory, containing the following
lines:

#!/usr/bin/perl
exec '/usr/bin/ssh', map {($_ =~ /^-oForwardAgent[ =]no$/) || ($_ eq '-a') ? () : $_} @ARGV;

Make both files executable with the “chmod” command:

$ chmod +x scp-A scp-A-wrapper

You can then use the launcher script file “scp-A” in place of the “scp” command:

$ scp-A myfile martin@wab.mycorp.lan:root@asterix:/tmp

$ scp-A martin@wab.mycorp.lan:root@asterix:/tmp/myfile /tmp

4.4.3. SSH connections from a Windows workstation


4.4.3.1. Shell session with PuTTY

Figure 4.6. PuTTY Configuration window - Session category

1. In the “Category” tree-structure, select “Session” and on “Specify the destination you want to
connect to”, enter the following information:
• Host Name: enter the FQDN or the IP address for WALLIX Bastion
• Port: enter 22 (the SSH proxy listening port for WALLIX Bastion)
2. In the “Category” tree-structure, select “Connection” | “Data” and enter the name of the target
account, device, service and WALLIX Bastion user login in the “Auto-login username” field (the
WALLIX Bastion user login is not case-sensitive but the other fields are):

Figure 4.7. PuTTY Configuration window - Connection category

Warning:
PuTTY does not allow you to save your password. If you use this authentication method,
you will be asked to enter your password when you log on.

If you want to use key-based authentication without using the authentication agent, you can also
specify the private key file in the “Private key file for authentication” field which can be accessed
from the tree-structure by selecting “Connection” | “SSH” | “Auth”. This is unnecessary if you use
the authentication agent.

Note:
In order to use the authentication agent (refer to Section 4.4.3.5, “Logging on with
the authentication agent”, page 34), you must ensure that the option “Attempt
authentication using Pageant” is selected. This field can be accessed from the tree-
structure by selecting “Connection” | “SSH” | “Auth”.

4.4.3.2. Transferring files using PSCP


C:\> pscp -scp myfile root@asterix+OpenSSH+martin@wab.mycorp.lan:/tmp
martin's password :

The above command transfers the file named “myfile” from the local workstation to the “/tmp”
directory on “asterix” using the “root” account. The “Auto logon” mode must be enabled for this
account.

The following alternative syntax is also accepted for compatibility reason, although it has been
deprecated:

C:\> pscp -scp myfile martin@wab.mycorp.lan:root@asterix:OpenSSH:/tmp
martin's password :

4.4.3.3. Transferring files using FileZilla


Enter the following information in the Site Manager window (which can be accessed from the “File”
menu command then “Site Manager”):

• Host: “wab.mycorp.lan” is the FQDN or IP address for WALLIX Bastion
• Port: 22 is the TCP listening port of the SSH proxy
• Protocol: select “SFTP – SSH File Transfer Protocol”
• Logon type: select “Normal”
• User:
– “martin” refers to a user declared on WALLIX Bastion and authorized to use
“SFTP_SESSION”. This login is not case-sensitive.
– “root@asterix:OpenSSH” refers to the target account (root), machine (asterix) and target
service (OpenSSH). This part is case-sensitive. The “Auto logon” mode must be enabled for
this account.

If only one SSH service is declared on the target machine, you can omit the service name as
follows: “root@asterix”
• Password: WALLIX Bastion password for user “martin”

Figure 4.8. FileZilla - Site Manager window

4.4.3.4. Transferring files using WinSCP


Enter the following information in the “Session” category on the tree-structure:

• File protocol: select “SFTP”
• Host name: “wab.mycorp.lan” is the FQDN or IP address for WALLIX Bastion
• Port number: “22” is the TCP listening port of the SSH proxy
• User name:
– “martin” refers to a user declared on WALLIX Bastion and authorized to use
“SFTP_SESSION”. This login is not case-sensitive.
– “root@asterix:OpenSSH” refers to the target account (root), machine (asterix) and target
service (OpenSSH). This part is case-sensitive. The “Auto logon” mode must be enabled for
this account.

If only one SSH service is declared on the target machine, you can omit the service name as
follows: “root@asterix”
• Password: WALLIX Bastion password for user “martin”

Figure 4.9. WinSCP Login window - Session category

In the “Preferences” category, select “Transfer” then enter the following information:

• 1st step: “Upload options” frame:
– select the check box of the option “Ignore permission errors”
• 2nd step: “Common options” frame:
– deselect the check box of the option “Preserve timestamp”

Note:
The above steps must be carried out in the order given. When the check box of the option
“Preserve timestamp” is deselected, the option “Ignore permission errors” is disabled.

Note:
In order to use the authentication agent (refer to Section 4.4.3.5, “Logging on with
the authentication agent”, page 34), you must ensure that the option “Attempt
authentication using Pageant” is selected. This field can be accessed by clicking on the
“Advanced...” button and then selecting “SSH” | “Authentication” from the tree-structure.

Figure 4.10. Preferences window - Transfer category

4.4.3.5. Logging on with the authentication agent


If you want to use the authentication agent, you must start it and add your authentication parameters
before using PuTTY, WinSCP or FileZilla.

First, launch the Pageant authentication agent. You must then add one or more identities to this
agent. To do so, right-click on the Pageant icon in the taskbar notification area and select “Add key”
in the contextual menu.

You can then use one of the logon methods described in the previous sections
(4.4.3.1, page 30 to 4.4.3.4, page 32) without having to re-enter the passphrase: the clients use
Pageant for key-based authentication whenever it is running and the option “Attempt authentication
using Pageant” is selected.

4.4.3.6. Logging on with PuTTY by activating the authentication transfer option


If you use the authentication agent, you can use the authentication transfer option if it is also
activated for the required target account.

In the “Category” tree-structure, select “Connection” | “SSH” | “Auth”; on the “Authentication
parameters” frame, select the option “Allow agent forwarding” to tell WALLIX Bastion you want to
start a session with the authentication transfer option: if the option is activated on the target device,
the authentication parameters used for connection to WALLIX Bastion will be reused in order to
log on to the target.

Warning:
The authentication transfer option is incompatible with RSA keys more than 2,048 bits
long and cannot operate if the agent contains RSA and DSA identities simultaneously.

4.5. RDP connections


4.5.1. RDP specific options
The following options, which mainly determine the authorized actions for the session, are provided
for the RDP protocol:

• RDP_CLIPBOARD_UP: allows data transfer via the clipboard from the client to the RDP session
• RDP_CLIPBOARD_DOWN: allows data transfer via the clipboard from the session to the RDP
client
• RDP_CLIPBOARD_FILE: allows file transfer from the copy/paste function via the clipboard
• RDP_PRINTER: allows use of local printers in the remote session
• RDP_COM_PORT: allows use of local serial and parallel ports in the remote session
• RDP_DRIVE: allows use of local drives in the remote session
• RDP_SMARTCARD: allows use of local smartcards in the remote session
• RDP_AUDIO_OUTPUT: allows audio playback from the session to the RDP client
• RDP_AUDIO_INPUT: allows audio recording from the client to the RDP session

Each of these subprotocols is covered by a specific authorization on WALLIX Bastion.

If you do not have rights for the appropriate subprotocol, you may not be authorized to transfer data
via the clipboard or use your local drive in the remote session.

Note:
Some session options must be associated with others to be fully operational:

- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_UP to transfer a
file via the clipboard from the client to the RDP session
- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_DOWN to
transfer a file via the clipboard from the session to the RDP client
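
The dependencies listed in Section 4.4.1 (page 24) and in the note above are easy to overlook when reading an authorization’s option list: a user who has been granted SSH_X11 but neither SSH_SHELL_SESSION nor SSH_REMOTE_COMMAND, or RDP_CLIPBOARD_FILE without either clipboard direction, simply finds that the feature does nothing. The POSIX shell script below is an added example, not part of WALLIX Bastion or of this guide. Given a space-separated list of granted option names, it reports each SSH option that is granted but cannot operate because the option it depends on is missing, and for RDP it reports which clipboard file-transfer direction is unavailable. It encodes only the rules stated on this page.

```shell
#!/bin/sh
# Added example (not WALLIX code): check a list of granted SSH or RDP
# subprotocol authorizations against the dependencies listed in 4.4.1 and 4.5.1.
# Input is a space-separated list of option names, e.g. those shown for an
# authorization on the "My authorizations" page.

# has_opt LIST NAME -> 0 if NAME is in the space-separated LIST
has_opt() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# needs LIST OPT ALT... -> prints a warning and returns 1 when OPT is granted
# but none of the ALT options it depends on is
needs() {
    list=$1; opt=$2; shift 2
    has_opt "$list" "$opt" || return 0
    alts=''
    for alt in "$@"; do
        has_opt "$list" "$alt" && return 0
        alts="${alts:+$alts or }$alt"
    done
    echo "$opt is granted but is not operational without $alts"
    return 1
}

# check_ssh_options LIST -> 0 if every granted SSH option can actually be used
check_ssh_options() {
    rc=0
    needs "$1" SSH_X11             SSH_SHELL_SESSION SSH_REMOTE_COMMAND || rc=1
    needs "$1" SSH_AUTH_AGENT      SSH_SHELL_SESSION SSH_REMOTE_COMMAND || rc=1
    needs "$1" SSH_REVERSE_TCPIP   SSH_SHELL_SESSION                    || rc=1
    needs "$1" SSH_REVERSE_UNIXSOCK SSH_SHELL_SESSION                   || rc=1
    return $rc
}

# check_rdp_options LIST -> reports each clipboard file-transfer direction that
# RDP_CLIPBOARD_FILE cannot use; returns 1 only if neither direction works
check_rdp_options() {
    has_opt "$1" RDP_CLIPBOARD_FILE || return 0
    works=0
    if has_opt "$1" RDP_CLIPBOARD_UP; then
        works=1
    else
        echo "RDP_CLIPBOARD_FILE without RDP_CLIPBOARD_UP: no file transfer from the client to the session"
    fi
    if has_opt "$1" RDP_CLIPBOARD_DOWN; then
        works=1
    else
        echo "RDP_CLIPBOARD_FILE without RDP_CLIPBOARD_DOWN: no file transfer from the session to the client"
    fi
    [ $works -eq 1 ]
}

# Usage: sh check_options.sh ssh "SSH_X11 SSH_SCP_UP"
#        sh check_options.sh rdp "RDP_CLIPBOARD_FILE RDP_CLIPBOARD_UP"
case "${1:-}" in
    ssh) check_ssh_options "$2" ;;
    rdp) check_rdp_options "$2" ;;
esac
```

The exit status makes the script usable from a shell loop over exported authorization lists; a non-zero status flags an authorization whose option set should be corrected by the administrator rather than worked around by granting a broader one.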

4.5.2. RDP connections from a Linux workstation


Under Linux, you can use the RDP client rdesktop or equivalent. This section describes only the
use of rdesktop.

Enter the following command to display the RDP logon window, “wab.mycorp.lan” being the FQDN
or IP address of WALLIX Bastion:

$ rdesktop wab.mycorp.lan

Figure 4.11. RDP logon window

The “Target” field can be entered with a string labelled in this format:
“Admin@WindowsServer:RemoteDesktop”, referring to the account (“Admin”), machine
(“WindowsServer”) and service (“RemoteDesktop”) of a target declared on WALLIX Bastion and
authorized for access by the user. This part is case-sensitive.

If only one RDP or VNC service is declared on the target machine, the service name can be omitted
as follows: “Admin@WindowsServer”.

The “Login” field must refer to a user declared on WALLIX Bastion (e.g., “User”) with the appropriate
authorization to connect to the target. This login is not case-sensitive.

The “Password” field must be entered with the WALLIX Bastion password for the user “User”.

Click on the arrow icon to log on to the remote machine: the Windows remote session then appears
on your screen.

You can also pass the “login” parameter on the rdesktop command line as follows, “wab.mycorp.lan”
being the FQDN or IP address of WALLIX Bastion:

$ rdesktop -u Admin@WindowsServer:RemoteDesktop:User wab.mycorp.lan

The RDP login window is then displayed.

Figure 4.12. RDP logon window - Login field pre-filled

It is then required to enter the password and click on the arrow icon to log on to the remote machine.

It is also possible to enter a WALLIX Bastion user name only. In this case, the list of accessible
servers is then displayed on an intermediate page:

Figure 4.13. RDP selector window

The RDP selector window shows the following information:

• all the available resources
• the group to which they belong
• the type of remote server (VNC or RDP)

If an accessible server belongs to different groups, several entries for the same remote resource
appear on the list. You can apply a filter by group, account or protocol to a long list in order to narrow
down your search.

You can then simply select the desired server by highlighting the corresponding line and then click
on the “Connect” button to log on.

Before the connection is actually established, the system may display a series of dialogue boxes
and/or ask for confirmation. This means that you may be warned that the session is being recorded
or your password is about to expire, or informed of the time at which the session will be disconnected
automatically.

Note:
Here are some useful options for rdesktop:

• “-u” to enter the login
• “-g 1024x768” to select the screen resolution (you can replace 1024x768 with the
desired resolution)
• “-a 24” to select the colour depth (bits per pixel). The values supported are 8, 15,
16 and 24
• “-0” to connect to the remote workstation console

Columns on the RDP selector can be resized to display truncated text in full by clicking on the
square icon on the header of the concerned column, as shown by Figure 4.14, “RDP selector - Column
header for "Authorization" shows icon for resizing truncated text”, page 38 and Figure 4.15, “RDP
selector - Column "Authorization" shows full text after resizing”, page 39.

Figure 4.14. RDP selector - Column header for "Authorization" shows icon for resizing truncated text

Figure 4.15. RDP selector - Column "Authorization" shows full text after resizing

4.5.3. RDP connections from a Windows workstation (XP, Vista or 7, 8 or 10)

You can start an RDP session from a Windows workstation either from the Web interface or directly
from the Terminal Server client (“Remote Desktop Connection” window).

4.5.3.1. Logging on from the WALLIX Bastion Web interface (GUI)

From the “Sessions” page on the “My authorizations” menu, you can access the target by clicking
on one of the following icons (for RDP target accounts) at the beginning of the concerned line:

• : this icon allows you to download a configuration file you can save onto your workstation to
establish a connection from an RDP client. In this case, the WALLIX Bastion password is required
for the connection.
• : this icon allows you to open directly or download the file to immediately establish a connection
from an RDP client and access the remote machine. In this case, no password is required but
the access is granted for a limited period of time.

4.5.3.2. Logging on from the Terminal Server client

Log on to the WALLIX Bastion RDP proxy from the Terminal Server client:

Figure 4.16. Terminal Server client

Click on “Connect” to display the prompt shown in Figure 4.11, “RDP logon window”, page 36.

The “Login” field must contain an expression such as “administrator@win2003:RemoteDesktop:martin”,
where:

• “martin” refers to a user declared on WALLIX Bastion and authorized to use “RDP”. This login
is not case-sensitive.
• “administrator@win2003:RemoteDesktop” refers to the account (administrator), machine
(win2003) and service (RemoteDesktop) of a target declared on WALLIX Bastion and authorized
for access by the user “martin”. This part is case-sensitive.

If only one RDP or VNC service is declared on the target machine, you can omit the service name
as follows: “administrator@win2003”

The WALLIX Bastion password for user “martin” must be entered in the “Password” field.
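The login string is the same for rdesktop (“Admin@WindowsServer:RemoteDesktop:User”, Section 4.5.2) and for the Terminal Server client (“administrator@win2003:RemoteDesktop:martin”, above), with the same rules: the target part is case-sensitive, the Bastion user is not, and the service name may be omitted only when a single RDP or VNC service is declared on the machine. The parser below is an added example, not WALLIX code; the DECLARED_SERVICES table standing in for the services declared on the Bastion is a constructed assumption.

```python
# Added example (not WALLIX code): parse "account@machine[:service]:user" as
# accepted by the Bastion RDP proxy, applying the case and optional-service
# rules from the text. DECLARED_SERVICES is a constructed stand-in.
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for the RDP/VNC services declared per machine on the Bastion.
DECLARED_SERVICES: Dict[str, List[str]] = {
    "WindowsServer": ["RemoteDesktop"],    # single service: name may be omitted
    "win2003": ["RemoteDesktop", "VNC"],   # two services: name must be given
}


@dataclass(frozen=True)
class RdpLogin:
    account: str   # case-sensitive
    machine: str   # case-sensitive
    service: str   # case-sensitive; resolved when omitted
    user: str      # Bastion user; not case-sensitive, stored lowercased


def parse_rdp_login(login: str, declared=DECLARED_SERVICES) -> RdpLogin:
    # The Bastion user is always the last ':'-separated field.
    target, sep, user = login.rpartition(":")
    if not (sep and target and user):
        raise ValueError("expected account@machine[:service]:user")
    # The target part is account@machine with an optional :service.
    account, sep, rest = target.partition("@")
    if not (sep and account and rest):
        raise ValueError("target must be account@machine[:service]")
    machine, _, service = rest.partition(":")
    if ":" in service:
        raise ValueError("too many ':' separators in login string")
    if not service:
        services = declared.get(machine, [])   # exact-case lookup, as on the Bastion
        if len(services) != 1:
            raise ValueError(f"{machine!r}: service name required "
                             f"({len(services)} services declared)")
        service = services[0]
    return RdpLogin(account, machine, service, user.lower())


def is_valid_rdp_login(login: str, declared=DECLARED_SERVICES) -> bool:
    """True when the login string parses under the rules above."""
    try:
        parse_rdp_login(login, declared)
        return True
    except ValueError:
        return False
```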

Click on the “Connect” button to log on to the remote machine: the Windows session then appears
on your screen.

It is also possible to enter a WALLIX Bastion user name only. In this case, the list of accessible
servers is then displayed on an intermediate page:

Figure 4.17. RDP selector

The RDP selector window shows the following information:

• all the available resources
• the group to which they belong
• the type of remote server (VNC or RDP)

If an accessible server belongs to different groups, several entries for the same remote resource
appear on the list. You can apply a filter by group, account or protocol to a long list in order to narrow
down your search.

You can then simply select the desired server by highlighting the corresponding line and then click
on the “Connect” button to log on.

Before the connection is actually established, the system may display a series of dialogue boxes
and/or ask for confirmation. This means that you may be warned that the session is being recorded
or your password is about to expire, or informed of the time at which the session will be disconnected
automatically.

Note:
You can also log on to the remote console. To do this, start the MSTSC client from the
Windows “Run” prompt by entering “mstsc /admin” or “mstsc /console”, depending
on your version of Windows (“/admin” must be used for Windows Vista SP3 or later).

Device redirection
The RDP proxy embedded in WALLIX Bastion allows “device redirection”, i.e. the option of displaying
the local workstation’s resources (printer, directory, notepad, etc.) on the “Workstation” of the
remote session. This feature allows you to transfer files between two Windows machines using the
drag-and-drop method, even within the RDP session, or to copy and paste text from the local machine
to the remote machine and vice versa.

Important: you may need to enable the feature from the “Terminal Server Client” interface.

Figure 4.18. MSTSC client startup settings under Windows 7

4.5.3.3. Logging on using smart card in interactive login

WALLIX Bastion offers the possibility to authenticate to Windows targets via the RDP protocol using
a smart card and the associated PIN code.

Note:
The smart card authentication is only possible for the connection to targets through the
interactive login mechanism.

To connect to a Windows target using a smart card:

1. Insert the smart card in the reader.
2. Connect through WALLIX Bastion to the RDP resource configured for the smart card
authentication.
3. Select the “Smart card” option in the “Sign-in options” field displayed on the Windows login
screen. Windows may take 5 to 30 seconds to display this field.
The user's login will automatically appear on the screen.
4. Enter the smart card PIN code.

4.6. Universal Tunneling connections

Universal Tunneling (or UT, previously called RAWTCPIP) allows the user to redirect TCP traffic
from their workstation to the target.

The main use cases are the following:

• the redirection of fat-client traffic in an IT environment (such as a MySQL client)
• the redirection of fat-client traffic in an OT environment (such as the Siemens TIA Portal client)

All application protocols based on TCP for the transport layer in the Open Systems Interconnection
model (OSI model) can be managed by Universal Tunneling. An SSH tunnel is used between
the user's workstation and WALLIX Bastion to encrypt and protect the data. For each Universal
Tunneling session, a PCAP file can be generated to ensure traceability after the session.

4.6.1. Prerequisites
UT sessions are compatible with the user workstations running under:

• Windows XP, Windows 7, Windows 8, Windows 10 for the redirection to the local address mode
and the redirection to a temporary interface mode
• any Linux distribution with OpenSSH, only for the redirection to the local address mode

4.6.2. Redirection modes

Two modes are available:

• the redirection to the local address: the fat client must be configured to redirect its traffic on the
local address (127.0.0.1) and on an access port defined on the user workstation. The traffic will
then be redirected through the SSH tunnel. This mode does not require any specific privileges
from the user.
• the redirection to a temporary interface: the fat client does not need to be configured as a
temporary network interface will be created on the user's workstation using the IP of the target.
The traffic sent on this interface will then be redirected through the tunnel. This mode requires
specific privileges from the user.

4.6.3. Universal Tunneling connections from a Windows workstation

4.6.3.1. Logging in from the WALLIX Bastion Web interface

From the “Sessions” page on the “My authorizations” menu, you can access the target by clicking
on the icon. This icon allows you to download a configuration file to save onto your workstation
in order to establish a connection from the WALLIX-PuTTY client.

The WALLIX-PuTTY application has to be downloaded and installed from the “Download WALLIX-
PuTTY” link displayed at the top of the “My authorizations” page. This link is only displayed when
the user is authorized to connect to at least one Universal Tunneling target. The installation sets
the file association so that the application is started automatically. The installation does not require
administrative privileges. However, the installation is only operational for the logged-in user and not
for all users of the workstation.

Important:
Logging on using the configuration file only allows the redirection to a temporary interface
mode.

4.6.3.2. Logging in from WALLIX-PuTTY

Launch WALLIX-PuTTY to open the configuration window.

1. In the “Session” category:

• enter the IP of the Bastion in the “Host Name (or IP address)” field
• enter 22 in the “Port” field (the SSH proxy listening port for WALLIX Bastion)

2. In “Connection” > “Data”, enter “Interactive@<device>:<service>:<authorization>:<user>” in the
“Auto-login username” field.

3. In “Connection” > “SSH” > “Tunnels”:

For the redirection to the local address:

• enter the local port in the “Source” field
• enter “<target_IP>:<port>” in the “Destination” field
• click on “Add”
• select “Local” and “Auto”

For the redirection to a temporary interface:

• enable “Map local ip to loopback”
• enter “<target_IP>:<port>” in the “Source” field
• enter “<target_IP>:<port>” in the “Destination” field
• click on “Add”
• select “Local” and “Auto”

4. Click on “Open”.

4.6.4. Universal Tunneling connections from a Linux workstation

Use an SSH client and enter the following command:

> ssh -L <local_port>:<target_IP:port> Interactive@<device:user>@<IP_Bastion>

Important:
Logging in from a Linux workstation only allows the redirection to the local address mode.

Chapter 5. Managing approval requests

If you are a member of an approval group, you need to manage approval requests from users
wishing to connect or view the password of targets mapped with an authorization. As soon as a
user requests an approval, you are notified by email.

In order to approve or reject the request, go to the “My Current Approvals” page in the “My
authorizations” menu. This page lists all the pending requests addressed to you as shown by
Figure 5.1, ““My Current Approvals” page”, page 48.

Figure 5.1. “My Current Approvals” page

Select a request and click on the notepad icon at the beginning of the line to open the approval
request detail page as shown by Figure 5.2, “Approval request detail page”, page 49.

On this page, you can:

• click on the “Notify approvers” button to notify approvers again
• view the answers from the other approvers
• indicate in the “Comment” area the reason for your approval or rejection of the request
• reduce the request period by changing the value in the “Duration” field
• reduce the timeout set for the connection by changing the value in the “Timeout” field. If the
user has not connected to the target and this timeout has been reached, then the status of the
“accepted” request automatically switches to “closed”.
• click on the “Cancel”, “Reject” or “Approve” button to perform the corresponding action

Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, you can cancel a request before its expiration to inhibit further access from a user to
the target by clicking on the “Cancel” button.

Figure 5.2. Approval request detail page

From the “My Approval History” page, you can view all the requests which are no longer pending
for approval as shown by Figure 5.3, ““My Approval History” page”, page 50.

You can define filters on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:

• the definition of a period
• the definition of the last N days or last N weeks or last N months
• a search for text occurrences in the columns by entering terms for the search in the “Search:” field.

The wildcard symbol * can be used in this field to perform a search based on specific criteria. This
character can be placed anywhere to replace any string (including empty strings) in the search
terms.

The table below illustrates the possible search types using the wildcard symbol *:

Search string    Returns only lines with at least one column matching...
rdp*             any string starting with the word “rdp” (e.g. RDPDevice1)
*rdp             any string ending with the word “rdp” (e.g. ServiceRdp)
*rdp* or rdp     any string including the word “rdp”, regardless of the position of the keyword
                 in the character string found
r*p              any string starting with “r” and ending with “p” (e.g. Rdp, RP)
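The matching rule the table describes, as an added example that is not WALLIX code: “*” stands for any string including the empty one, a bare term behaves like “*term*”, and matching ignores case (the table pairs “rdp*” with “RDPDevice1” and “r*p” with “RP”). The HISTORY rows are a constructed sample of approval-history records.

```python
# Added example (not WALLIX code): wildcard matching for the approval-history
# "Search:" field as the table describes it. HISTORY is a constructed sample.
import re
from typing import Iterable, List, Sequence


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # Escape every literal piece; each "*" becomes ".*" (any string, possibly empty).
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile(".*".join(pieces), re.IGNORECASE)


def cell_matches(pattern: str, value: str) -> bool:
    """True when the whole cell value matches the search string, case-insensitively."""
    if "*" not in pattern:
        pattern = f"*{pattern}*"   # the table states that "rdp" is equivalent to "*rdp*"
    return wildcard_to_regex(pattern).fullmatch(value) is not None


def filter_rows(pattern: str, rows: Iterable[Sequence[str]]) -> List[Sequence[str]]:
    """Keep the rows that have at least one column matching the search string."""
    return [row for row in rows if any(cell_matches(pattern, cell) for cell in row)]


# Constructed sample of approval-history rows: (requesting user, authorization, target).
HISTORY = [
    ("martin", "RDPDevice1", "Admin@WindowsServer:RemoteDesktop"),
    ("alice", "ServiceRdp", "administrator@win2003:RemoteDesktop"),
    ("bob", "SSH-Linux", "root@obelix:SSH"),
]

if __name__ == "__main__":
    for pattern in ("rdp*", "*rdp", "rdp", "*ssh*"):
        print(f"{pattern:6} ->", [row[0] for row in filter_rows(pattern, HISTORY)])
```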

By clicking on the notepad icon at the beginning of the line, you are redirected to the detail of all
the answers for the request.

If the request’s status is “accepted”, you can cancel the request before expiration by clicking on
the “Cancel request” button.

All data in this page can be downloaded as a CSV file.

Figure 5.3. “My Approval History” page

Chapter 6. Troubleshooting
6.1. General information on login issues
A connection to a target account may fail for any of the following reasons:

• the WALLIX Bastion service is unavailable or inaccessible
• you entered an invalid login and/or password
• the target device is inaccessible
• the target account does not exist
• you entered an invalid target account password
• you are not authorized to access the target account
• you attempt to log on outside the authorized time frame
• the protocol is not authorized
• the maximum number of authorized concurrent connections has been reached (this information
is displayed on the “License” page accessible from the “Configuration” menu).

6.2. Silent SSH session

On some target platforms, the characters sent by the target device are not displayed on the screen
and there is no echo of the characters input on the keyboard.

This issue has mainly been detected on the following targets:

• TELNET Open Solaris servers
• TELNET Solaris 8 servers

The issue can be resolved by deallocating a pseudo terminal (TTY).

Under Linux/Unix, the related command line is:

$ ssh -T root@obelix:martin@wab.mycorp.lan

martin's password:

Launch PuTTY to open the PuTTY Configuration window. Then, in the “Category” tree-structure,
select “Connection” | “SSH” | “TTY” and select the option “Don’t allocate a pseudo-terminal”.

Figure 6.1. Disabling TTY pseudo-terminal in PuTTY

Chapter 7. Contact WALLIX Bastion Support
Our WALLIX Bastion Support Team is available to help you during hours defined in your support
contract:

Web: https://support.wallix.com/

Telephone: (+33) (0)1 70 36 37 50 for Europe, Middle East and Africa and (+1) 438-814-0255 for
the Americas
