Bastion Admin Guide En
Reference: https://doc.wallix.com/en/bastion/9.0.2/Bastion-admin-guide
Copyright © 2021 WALLIX
WALLIX Bastion 9.0.2 – Administration Guide
Table of Contents
1. Introduction (page 11)
1.1. Preamble (page 11)
1.2. Copyright & Licenses (page 11)
1.3. Third-party components (page 11)
1.4. Legend (page 11)
1.5. About this document (page 12)
2. Compatibility and limits (page 13)
3. Glossary (page 14)
4. Concepts (page 16)
4.1. General information (page 16)
4.2. Positioning of WALLIX Bastion in the network infrastructure (page 16)
4.3. The concept of WALLIX Bastion ACLs (page 17)
4.4. Roll-out (page 18)
4.5. Rights of the user connected to WALLIX Bastion (page 18)
4.6. Data encryption (page 18)
4.6.1. Administration with HTTPS protocol (Web interface and API) (page 19)
4.6.2. Administration with SSH protocol (page 19)
4.6.3. RDP (TLS based) primary connection algorithms (page 20)
4.6.4. SSH primary connection algorithms (page 21)
4.6.5. Secondary connection algorithms (page 21)
5. Specific features (page 22)
5.1. WALLIX Session Manager (page 22)
5.2. WALLIX Password Manager (page 22)
5.3. Password external vault (page 22)
5.4. High-Availability (page 23)
6. Getting started with WALLIX Bastion (page 24)
6.1. Pre-configuration of TCP and UDP network ports (page 24)
6.1.1. Communication from WALLIX Bastion (page 24)
6.1.2. Communication to WALLIX Bastion (page 24)
6.2. Using the command line to connect to WALLIX Bastion (page 25)
6.3. Browsing through the menu of the Web interface (page 26)
6.4. Availability of specific management features (page 31)
6.4.1. Session management (page 31)
6.4.2. Password management (page 31)
6.5. Managing data search, sort and layout customization in the tables of the Web interface (page 31)
6.5.1. Search data (page 31)
6.5.2. Sort data (page 32)
6.5.3. Customize layout (page 32)
6.5.4. Delete data (page 33)
7. Login on the Web interface (page 34)
7.1. Access to the Web administration interface (page 34)
7.2. Description of the home page (page 36)
7.3. Setting your preferences (page 36)
7.4. Summary (page 38)
8. Appliance configuration (page 39)
8.1. Interface configuration (page 40)
8.1.1. Configuring the Web user interface (page 40)
8.1.2. Configuring the session timeout (page 41)
8.1.3. Configuring the debug mode (page 41)
8.1.4. Configuring the OEM (page 41)
12.18.2. Enabling KeepAlive function for connection between the SSH proxy and the SSH client (page 251)
12.18.3. Enabling KeepAlive function for connection between the SSH proxy and the SSH target server (page 252)
12.19. Using the session probe mode (page 252)
12.19.1. Default operating mode (page 253)
12.19.2. Choice of the launcher (page 253)
12.19.3. Prerequisites (page 253)
12.19.4. Configuration (page 254)
12.19.5. Launching the session probe from a specific directory (page 258)
12.20. Using the session probe mode with the WALLIX BestSafe agent (page 259)
12.20.1. Enabling the interaction with the WALLIX BestSafe agent (page 259)
12.20.2. Event logging (page 259)
12.20.3. Detection of outbound connections (page 259)
12.20.4. Detection of process launching (page 260)
12.21. Load balancing with Remote Desktop Connection Broker (page 260)
12.21.1. Prerequisites (page 260)
12.21.2. Configuration (page 261)
12.22. Connection messages (page 261)
13. Dashboards (page 263)
13.1. Administration dashboard (page 263)
13.1.1. View the data on the “Live” tab (page 263)
13.1.2. View the data on the “KPIs” tab (page 264)
13.1.3. Common features (page 265)
13.2. Audit dashboard (page 265)
13.2.1. View the data (page 266)
13.2.2. Common features (page 267)
14. Authorization management (page 269)
14.1. Add an authorization (page 269)
14.2. Edit an authorization (page 270)
14.3. Delete an authorization (page 270)
14.4. Import authorizations (page 271)
14.5. View the current approvals (page 273)
14.6. View the approval history (page 274)
14.7. Approval workflow (page 275)
14.7.1. Workflow configuration (page 276)
14.7.2. Workflow steps (page 276)
14.8. Time frames configuration (page 277)
14.8.1. Add a time frame (page 278)
14.8.2. Edit a time frame (page 278)
14.8.3. Delete a time frame (page 278)
15. Specific commands (page 279)
15.1. Use the command line to connect to WALLIX Bastion (page 280)
15.2. Restore WALLIX Bastion to factory settings (page 280)
15.3. Restore the factory-set administrator account (page 280)
15.4. Change the password of the factory-set administrator account (page 281)
15.5. Reset data encryption in WALLIX Bastion (page 281)
15.6. Get the version information of WALLIX Bastion (page 281)
15.7. Change the keyboard layout (page 282)
15.8. Get the GUI URL (page 282)
15.9. Change the GRUB password (page 282)
15.10. Change the network configuration (page 282)
15.11. Change the security level configuration (page 282)
Chapter 1. Introduction
1.1. Preamble
Thank you for choosing WALLIX Bastion.
The WALLIX Bastion solution is marketed in the form of a dedicated, ready-to-use server or as a
virtual device for the following virtual environments:
This product has been engineered with the greatest care by our teams at WALLIX and we trust that
it will deliver complete satisfaction.
All the product or company names mentioned herein are the registered trademarks of their
respective owners.
WALLIX Bastion is based on free software. The list and source code of GPL and LGPL licensed
software used by WALLIX Bastion are available from WALLIX. Please send your request on Internet
by creating a new case at https://support.wallix.com/ or in writing to:
WALLIX
Service Support
250 bis, Rue du Faubourg Saint-Honoré
75008 PARIS
FRANCE
1.4. Legend
Command-line examples in this guide follow this layout:
prompt $ command to input <parameter to replace>
command output
on one or more lines
prompt $
• a Quick Start Guide to guide you through the initial start-up of your device (physical or virtual
appliance) for configuration, or to indicate where to find the images for deploying WALLIX
Bastion in virtual environments
• a User Guide to help you use WALLIX Bastion to connect to the devices you administer.
Chapter 3. Glossary
You will encounter the following technical terms as you work with WALLIX Bastion and you go
through the sections of this guide. This list is not exhaustive.
Chapter 4. Concepts
4.1. General information
WALLIX Bastion has been developed for the technical teams who administer IT infrastructure
(servers, network and security devices, etc.). This solution has been designed to meet the access
control and traceability needs of system administrators.
WALLIX Bastion includes access control lists (ACLs) and traceability features. It constitutes a
security buffer for administrators who wish to log on to devices by:
WALLIX Bastion also allows you to automate logons to target devices, which enhances the security
of the information system by preventing disclosure of server authentication details.
WALLIX Bastion offers a Web interface (also called "GUI"), compatible with Internet Explorer,
Chrome and Firefox to monitor activity and connections and also configure its components.
The high trust domain is represented by the set of devices isolated by WALLIX Bastion.
These devices and their related accounts are called "target accounts" in the WALLIX Bastion
terminology.
The low trust domain is represented by the population with direct access to WALLIX Bastion:
For users of the solution, access to the target accounts (in the high trust domain) is only possible
through WALLIX Bastion.
• users: i.e. physical users of WALLIX Bastion from internal and/or external user directories
• user groups: a set of users
• devices: i.e. physical or virtualized devices to which access is requested via WALLIX Bastion
• target accounts: the accounts declared on a device or an application
• target groups: a set of target accounts
• applications: any type of application and services running on a device or a set of devices
In WALLIX Bastion, an authorization must be set to grant a user the access to a target account.
Authorizations are declared between a group of users and a group of target accounts (which means
that each target account must belong to a target group, and that each user must belong to a user
group).
The authorization allows users in group X to access target accounts in group Y, via protocols A,
B, or C.
Other elements are added to these primary entities to allow you to define:
You can also define a number of various WALLIX Bastion administrator profiles, with a full access
to the WALLIX Bastion features or limited rights to specific features. As an example, you can define
that WALLIX Bastion auditors will only access audit data or allow WALLIX Bastion administrators
to add/edit users, configure the system administration, manage authorizations, etc.
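The following is an added illustration of the authorization model described in this section, written for this page and not taken from WALLIX code: it makes no claim about the product's internal data model. It encodes the rule that a user reaches a target account only through an authorization declared between one of the user's groups and one of the target's groups, for a listed protocol. The time-frame restriction is an assumption layered on top (the roll-out questions in the next section ask when a user may log on); the sample users, groups and targets are constructed.

```python
"""Toy model of the WALLIX Bastion authorization concept (Section 4.3).
Added example, not WALLIX code. The time frame is an assumption; sample data
is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class TimeFrame:
    """Allowed weekdays (0 = Monday) and an inclusive daily window (assumed shape)."""
    weekdays: FrozenSet[int]
    start: time
    end: time

    def contains(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() <= self.end


@dataclass(frozen=True)
class Authorization:
    user_group: str
    target_group: str
    protocols: FrozenSet[str]
    time_frame: Optional[TimeFrame] = None  # None means no time restriction


@dataclass
class AccessModel:
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)    # group -> users
    target_groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> "account@device"
    authorizations: List[Authorization] = field(default_factory=list)

    def decide(self, user: str, target: str, protocol: str, at: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Deny by default: every path to a target goes
        through an authorization between one of the user's groups and one of the
        target's groups, for the requested protocol, inside the time frame."""
        ugroups = {g for g, members in self.user_groups.items() if user in members}
        tgroups = {g for g, members in self.target_groups.items() if target in members}
        if not ugroups:
            return False, "user belongs to no user group"
        if not tgroups:
            return False, "target account belongs to no target group"
        candidates = [a for a in self.authorizations
                      if a.user_group in ugroups and a.target_group in tgroups]
        if not candidates:
            return False, "no authorization links the user's groups to the target's groups"
        for a in candidates:
            if protocol not in a.protocols:
                continue
            if a.time_frame is not None and not a.time_frame.contains(at):
                continue
            return True, f"{a.user_group} -> {a.target_group} via {protocol}"
        return False, "authorization exists but protocol or time frame is not permitted"


# Constructed instants used by the demonstration below (15 June 2021 is a Tuesday).
TUESDAY_10AM = datetime(2021, 6, 15, 10, 0)
SUNDAY_10AM = datetime(2021, 6, 13, 10, 0)


def sample_model() -> AccessModel:
    """Constructed sample data, not taken from any real deployment."""
    office_hours = TimeFrame(frozenset({0, 1, 2, 3, 4}), time(8, 0), time(18, 0))
    return AccessModel(
        user_groups={"dba": {"alice"}, "netops": {"bob"}},
        target_groups={"prod-db": {"postgres@db01"}, "core-switches": {"admin@sw01"}},
        authorizations=[
            Authorization("dba", "prod-db", frozenset({"SSH", "SFTP"}), office_hours),
            Authorization("netops", "core-switches", frozenset({"SSH", "TELNET"})),
        ],
    )


if __name__ == "__main__":
    m = sample_model()
    for req in [("alice", "postgres@db01", "SSH"), ("alice", "postgres@db01", "RDP"),
                ("alice", "admin@sw01", "SSH"), ("carol", "admin@sw01", "SSH")]:
        print(req, m.decide(*req, TUESDAY_10AM))
```

The point of the `decide` method is the default-deny shape: group membership on both sides, a matching authorization, a permitted protocol and a valid time frame all have to hold, and the returned reason tells an auditor which of them failed.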
4.4. Roll-out
WALLIX Bastion includes a set of import tools to facilitate roll-out.
However, to ensure WALLIX Bastion is successfully implemented, we recommend inventorying:
• the roles of users who must have access to the target accounts
• the roles of users who must administer WALLIX Bastion
• the target devices and target accounts to be accessed through WALLIX Bastion
You must be able to answer the following questions for each user:
• does this user have the right to administer the solution, and if so, which rights should be assigned
to him or her?
• does this user need to access target accounts?
• when does the user have the right to log on?
• can the user access critical resources?
You must be able to answer the following questions for each target device or target account:
• is this target account or device critical? (then each time a critical device is accessed, a notification
is sent to the administrator)
• should user sessions on this account be recorded?
• which protocol(s) can be used to access this target account or device?
Access to targets via the various services (RDP or SSH) generates data that is also encrypted.
The cryptography specifications used to secure data gathered in WALLIX Bastion are described below.
TLSv1.3 cipher:
• TLS_AES_256_GCM_SHA384
• TLS_AES_128_GCM_SHA256
• TLS_CHACHA20_POLY1305_SHA256
TLSv1.2 cipher:
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Key exchange algorithms:
• curve25519-sha256
• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256
Host key algorithms:
• ecdsa-sha2-nistp256
• ssh-ed25519
Cipher algorithms:
• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-gcm@openssh.com
• aes256-gcm@openssh.com
• chacha20-poly1305@openssh.com
Integrity algorithms:
• hmac-sha2-256-etm@openssh.com
• hmac-sha2-512-etm@openssh.com
• hmac-sha2-256
• hmac-sha2-512
TLSv1.3 cipher:
• TLS_AES_256_GCM_SHA384
• TLS_AES_128_GCM_SHA256
• TLS_CHACHA20_POLY1305_SHA256
TLSv1.2 cipher:
• TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
• TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
• TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_CCM
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• RSA_WITH_AES_256_CCM_8
• RSA_WITH_AES_256_CCM
• RSA_WITH_AES_128_CCM_8
• RSA_WITH_AES_128_CCM
• ECDHE-ARIA256-GCM-SHA384
• ECDHE-ARIA128-GCM-SHA256
• DHE_RSA_WITH_AES_256_CCM_8
• DHE_RSA_WITH_AES_128_CCM_8
• DHE_RSA_WITH_AES_128_CCM
• DHE-RSA-ARIA256-GCM-SHA384
• DHE-RSA-ARIA128-GCM-SHA256
• ARIA256-GCM-SHA384
• ARIA128-GCM-SHA256
Key exchange algorithms:
• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256
Host key algorithms:
• ssh-ed25519
• ssh-rsa
• rsa-sha2-256
• rsa-sha2-512
Cipher algorithms:
• aes128-ctr
• aes192-ctr
• aes256-ctr
• chacha20-poly1305@openssh.com
Integrity algorithms:
• hmac-sha2-256
• hmac-sha2-512
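As an added example (not WALLIX code, and not a description of the appliance's implementation), the following replays the SSH algorithm negotiation rule of RFC 4253 section 7.1 against the two SSH algorithm lists printed above: for each category the first name in the client's preference list that the server also offers is chosen, and a category with no common name aborts the connection. The two server-side dictionaries are transcribed from this page; `ADMIN_SSH` is the first SSH list (administration with SSH protocol) and `PROXY_SSH` the second one (the mapping of the second list to a subsection is my reading of the page). The client preference lists are constructed for illustration.

```python
"""SSH algorithm negotiation (RFC 4253 section 7.1) against the algorithm
lists on this page. Added example, not WALLIX code. Server lists are
transcribed from the guide; client lists are constructed."""
from typing import Dict, List, Optional, Tuple

NameList = Dict[str, List[str]]

ADMIN_SSH: NameList = {  # first SSH list on the page
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org",
            "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["ecdsa-sha2-nistp256", "ssh-ed25519"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com",
               "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256", "hmac-sha2-512"],
}

PROXY_SSH: NameList = {  # second SSH list on the page
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["ssh-ed25519", "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "chacha20-poly1305@openssh.com"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
}

# Constructed client preference lists; order matters, the client's order wins.
MODERN_CLIENT: NameList = {
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org",
            "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com"],
    "mac": ["umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-256", "hmac-sha1"],
}
LEGACY_CLIENT: NameList = {  # an old tool that only knows SHA-1 era algorithms
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa"],
    "cipher": ["aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}


def negotiate(client: NameList, server: NameList) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Per category, choose the first client-preferred name the server also lists.
    Returns (chosen, failed); `failed` holds categories with no common name, which
    is what a client reports as a "no matching ... found" error."""
    chosen: Dict[str, Optional[str]] = {}
    for cat, prefs in client.items():
        offered = server.get(cat, [])
        chosen[cat] = next((a for a in prefs if a in offered), None)
    failed = [cat for cat, a in chosen.items() if a is None]
    return chosen, failed


def rejected(client: NameList, server: NameList) -> Dict[str, List[str]]:
    """Client algorithms the server never accepts, per category; useful when
    reviewing a client's KexAlgorithms/HostKeyAlgorithms/Ciphers/MACs settings."""
    return {cat: [a for a in prefs if a not in server.get(cat, [])]
            for cat, prefs in client.items()}


if __name__ == "__main__":
    for name, client in [("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)]:
        for label, server in [("admin", ADMIN_SSH), ("proxy", PROXY_SSH)]:
            chosen, failed = negotiate(client, server)
            print(f"{name} client -> {label} list: {chosen}; failed: {failed}")
```

Two things worth noticing when running it: the legacy client fails in every category against the administration list, which is the expected outcome when tooling that only speaks SHA-1 key exchange and CBC ciphers is pointed at the appliance; and the second list still offers `ssh-rsa` (the SHA-1 signature form) next to `rsa-sha2-256`/`rsa-sha2-512`, so a current OpenSSH client, which prefers the SHA-2 forms, negotiates those with the same RSA host key.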
• identify the users who are connected to specific devices and monitor their activity: sessions can
be viewed in real-time through the WALLIX Bastion Web administration interface or downloaded
to be viewed locally on the administrator's workstation
• review video-recorded activity from a privileged user session
• get direct access to resources using native clients such as PuTTY, WinSCP, MSTSC or OpenSSH
• define and configure connection policies through mechanisms available for RDP, VNC, SSH,
TELNET, RLOGIN and RAW TCP/IP protocols
For further information, refer to Chapter 12, “Session management”, page 218.
For further information, refer to Chapter 11, “Password management”, page 201.
This setup allows a cluster of Bastions to handle sessions and user accesses related to accounts
managed by only one Bastion in the cluster. Account management in this context refers to concepts
such as credential change (password and SSH key) and checkout policy.
The local vault is the default vault. Accounts stored in this vault are managed by the local Bastion.
These accounts can be used either for session or credential access via the Web interface or the
REST API Web Service.
The external vaults are represented in the local Bastion via plugins. The plugins implement the link
allowing the local Bastion to communicate with the external vault.
Currently, the “Bastion” external password vault plugin is available to connect and use the password
vault provided by a WALLIX Bastion.
From the local Bastion's point of view, the “Bastion” plugin represents the password vault provided
by the remote Bastion. Accounts stored in this vault are managed by the remote Bastion and are
usable by the local Bastion either for session or credential access via the Web interface or the REST
API Web Service. In order to be used by the local Bastion these accounts need to be imported into
this local Bastion.
The local Bastion uses the remote Bastion's REST API Web Service to establish a secure
communication channel, used to check out or check in the accounts' credentials and to extend
the checkout duration (if one is set in the checkout policy on the remote Bastion).
“CyberArk Enterprise Password Vault”, “HashiCorp Vault” and “Thycotic Secret Server” external
password vault plugins are also embedded in WALLIX Bastion to connect and use the password vaults
of the privilege management solutions provided by these companies.
External vault accounts are mapped into the local Bastion through global domains acting as external
vault account containers. Several domains may point to the same external vault.
For further information on how to set up the local Bastion to use external vault accounts, refer to
Section 10.3, “Domains”, page 148, Section 10.7, “External password vault plugins”, page 187
and Section 11.1, “User authorizations on passwords”, page 201.
5.4. High-Availability
The High-Availability (HA) feature of WALLIX Bastion 9.0.2 delivers continuous WALLIX Bastion
service through a failover (also called "active/passive") bi-device cluster (access to target devices
and the Web console, session recordings), in the event that the "Master" device becomes
unavailable.
This automatic transfer to the second cluster node (i.e. the "Slave") works by:
• sharing a virtual IP address between the two Bastions in the cluster and hiding the actual IP
addresses from the users
• mirroring the configuration data, the connection logs and the files containing the session
recordings, as well as the WALLIX Bastion configuration files on the second cluster node using
DRBD (Distributed Replicated Block Device)
• an email notification mechanism advising the WALLIX Bastion administrator if:
– service is switched to degraded mode (the "Slave" node has taken over)
– the "Slave" node is unavailable
– a fault is detected (service unavailable, etc.)
– disk synchronization is ended.
6.1.1. Communication from WALLIX Bastion
• SSH: 22
• RDP: 3389
• HTTP/HTTPS: 80/443
• SMTP: 25
• SMTPS: 465
• SMTP+STARTTLS: 587
• NTP: 123
• DNS: 53
• Kerberos external authentication: 88
• LDAP external authentication: 389
• LDAP over SSL external authentication: 636
• RADIUS external authentication: 1812
• TACACS+ external authentication: 49
• NFS network storage: 2049
• SMB/CIFS network storage: 445
• SMB for password management: 139 | 445
• Syslog: 514
• SNMP: 162 for trap notifications
6.1.2. Communication to WALLIX Bastion
• SSH/SFTP/TELNET/RLOGIN proxy: 22
• RDP/VNC proxy: 3389
• SNMP: 161 for read/write access to OIDs
• WALLIX Bastion administration command line interface (SSHADMIN console): 2242
• WALLIX Bastion administration Web interface (GUI): 443
Important:
Please remember your new password as it is the only way to connect again.
When WALLIX Bastion is initially installed, a graphical mode displays dialog boxes to guide you
through the configuration steps.
The procedure below illustrates the main steps to configure the WALLIX Bastion connection.
1. First step: choose the keyboard layout language you wish to use
If the current keyboard layout language is detected, it is then highlighted in the list. If this
language is not in the list, you can select "More options..." to display more choices.
2. Second step: set the password for the "wabadmin" user
The default credentials are as follows:
• Password: SecureWabAdmin
You are requested to change the default password for the "wabadmin" user. Enter and confirm
this new password.
By default, the "wabadmin" user is configured with minimum privileges. Follow the next step to
configure the "wabsuper" user to access higher privileges.
3. Third step: set the password for the "wabsuper" user
Once the new password for the "wabadmin" user has been confirmed, you are requested to
enter and confirm the new password for the "wabsuper" user.
The "wabsuper" password is used with the "super" command to obtain higher privileges, including
"root" privileges through the "sudo" command, which uses the same password. Once you are logged
in as "root", you can use a set of scripts to manage the day-to-day operation of WALLIX Bastion.
Follow the next step to configure the GRUB password.
4. Fourth step: set the password for the "GRUB" user
Once the new password for the "wabsuper" user has been confirmed, you are requested to
change the default password for the "GRUB" user.
You will be given the option to use the same password as the one entered previously for the
"wabsuper" user or set a new password.
Important:
Only ASCII characters are supported. If the password specified for the "wabsuper"
user contains non-ASCII characters, then it cannot be used as the same password
for the "GRUB" user: you are required to set a different password.
Warning:
Under VMware, once the initial installation has been performed and after the system
reboot, the input of the password for the "GRUB" user matches by default the US
QWERTY keyboard layout.
Use the following command if you wish to change this password later:
wabsuper@wab$ WABChangeGrub
Beware of special characters and typing errors as the input cannot be corrected.
However, the "Esc" key allows you to fully delete the input.
Follow the next step to configure the password for the “wabupgrade” user.
5. Fifth step: set the password for the “wabupgrade” user
Once the new password for the “GRUB” user has been confirmed, you are requested to enter
and confirm the new password for the “wabupgrade” user.
Important:
The “wabupgrade” user can only perform upgrades to higher versions of WALLIX
Bastion or hotfix installations.
Once the new password for the “wabupgrade” user has been defined, you are requested to set
the network configuration.
See:
Section 9.1, “User accounts”, page 72,
Note:
When long data appears truncated within a table (for example: “abcdefghijk...”), its whole
textual value can be displayed in a tool tip by hovering the mouse over the data for 0.5
second.
It is also possible to search for data on multiple columns by repeating the previous actions in each
column concerned.
The wildcard symbol ✱ can also be used in the search fields to perform a search based on specific
criteria. This character can be placed anywhere to replace any string (including empty strings) in
the search terms.
The table below illustrates the possible search types using the wildcard symbol ✱:
Search string | Returns only lines with at least one column matching...
rdp* | any string starting with the word “rdp” (e.g. RDPDevice1)
*rdp | any string ending with the word “rdp” (e.g. ServiceRdp)
*rdp* or rdp | any string including the word “rdp”, regardless of the position of the keyword in the character string found
r*p | any string starting with “r” and ending with “p” (e.g. Rdp, RP)
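The search semantics in the table above, written out as a small matcher. This is an added example for this page, not WALLIX code and not the Web interface's implementation: it encodes only what the table and the notes state (✱ stands for any string including the empty one, a term without ✱ matches anywhere in the value, matching is case-insensitive, and any column of a row may match). The sample rows are constructed.

```python
"""Wildcard search as described by the table above. Added example, not
WALLIX code. Sample rows are constructed."""
import re
from typing import Dict, Iterable, List, Optional

STAR_GLYPH = "\u2731"  # the ✱ character used in the guide; treated like '*'


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a search string into an anchored, case-insensitive regex.
    Each '*' becomes '.*'; a pattern without any '*' is a substring search,
    so 'rdp' behaves like '*rdp*'. Everything else is matched literally."""
    pattern = pattern.replace(STAR_GLYPH, "*")
    if "*" not in pattern:
        pattern = f"*{pattern}*"
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches(pattern: str, value: str) -> bool:
    return wildcard_to_regex(pattern).match(value) is not None


def search_rows(rows: Iterable[Dict[str, str]], pattern: str,
                column: Optional[str] = None) -> List[Dict[str, str]]:
    """Rows with at least one column matching, or only `column` when given
    (the guide's per-column search)."""
    rx = wildcard_to_regex(pattern)
    hits = []
    for row in rows:
        cells = [row.get(column, "")] if column else list(row.values())
        if any(rx.match(str(c)) for c in cells):
            hits.append(row)
    return hits


SAMPLE_ROWS = [  # constructed table content
    {"name": "RDPDevice1", "service": "rdp"},
    {"name": "ServiceRdp", "service": "ssh"},
    {"name": "core-sw", "service": "telnet"},
]

if __name__ == "__main__":
    for p in ["rdp*", "*rdp", "rdp", "r*p"]:
        print(p, [r["name"] for r in search_rows(SAMPLE_ROWS, p)])
```

`re.escape` matters here: a literal dot or bracket typed into the search field must stay literal, otherwise a search for `10.0.0.1` would also match `10x0x0x1`.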
A search can be saved by enabling the “Save search filter” button in the “Table settings” window,
accessible via the table settings icon. The search filter is then saved for the active table.
Note:
The search is not case-sensitive.
The search focuses on the entire table and not only on the active view.
The result of a single or multiple search can be cleared by clicking on the table settings icon then
on the “Reset” button, or by clicking on the reset icon located in the upper right corner of the page.
Note that a multiple sort can be performed by enabling the “Multiple sorting” button in the “Table
settings” window, accessible via the table settings icon. The multiple sort is then saved for the active table.
Note:
The sort applies to all the data contained in the table and not only to those of the active
view.
The table settings can be restored by disabling the “Multiple sorting” button or by clicking on “Reset
table user preferences”. These options are accessible via the table settings icon.
It is also possible to show or hide the columns of a table and to change the order in which they are
displayed via the “Table settings” window, accessible via the table settings icon:
• change the order in which the columns are displayed by using the up and down arrows
• hide or show a column by deselecting or selecting the check box at the beginning of the line of
the relevant column. The columns are checked by default.
Warning:
The first column of a table or any column that contains an access link to another page
of the interface cannot be moved or hidden.
• if necessary, restore the table settings by clicking on “Reset table user preferences” located in
the “Table settings” window
Warning:
This action only deletes the data of the active view.
Any selection made using the check boxes can be canceled by clicking on the cross displayed
above the table, next to the summary for the number of selected entries.
https://<bastion_ip_address>/ui or https://<bastion_name>/ui
Warning:
Internet Explorer is not supported by the default interface.
For security reasons, WALLIX Bastion checks that the hostname received in the URL
matches its FQDN, hostname or the interface's IP address. If it is not recognized, the
user will be redirected to the IP address of the network interface used. To prevent any
redirection, it is possible to add trusted hostnames and IP addresses via the option
“Trusted hostnames for HTTP_HOST header” accessible from the menu “Configuration”
> “Configuration options” > “Global”, section “main”.
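The Host header check described in the warning above is what stops an attacker from planting a hostname they control into redirects or generated links (the classic Host header injection). The following Python models that decision as an added example; it is not WALLIX code, and the appliance identities (FQDN, short hostname, interface IP) and the trusted-hostname list are constructed for the example:

```python
# Added example (not WALLIX code): models the Host header check described above.
# The appliance identities and the trusted list below are constructed for the example.

DEFAULT_IDENTITIES = {"bastion.example.internal", "bastion", "192.0.2.10"}


def host_from_header(host_header: str) -> str:
    """Return the host part of a Host header, without port or IPv6 brackets, lower-cased."""
    value = host_header.strip()
    if value.startswith("[") and "]" in value:      # "[2001:db8::1]:443"
        return value[1:value.index("]")].lower()
    if value.count(":") == 1:                       # "name:443" or "192.0.2.10:443"
        value = value.split(":", 1)[0]
    return value.lower()


def resolve_host_header(host_header, interface_ip, identities=DEFAULT_IDENTITIES, trusted=()):
    """Decide how the request is served.

    Returns (True, host) when the Host value is the FQDN, the hostname, the interface IP
    or an entry of the trusted list, and (False, redirect_url) otherwise: the user is sent
    to the IP address of the interface that received the request, so a forged Host header
    never ends up in generated links or redirects.
    """
    host = host_from_header(host_header)
    allowed = {h.lower() for h in identities} | {h.lower() for h in trusted}
    if host in allowed:
        return True, host
    return False, f"https://{interface_ip}/ui"
```

The practical consequence for an administrator: a reverse proxy or load balancer in front of the Bastion must either pass the Bastion's own name through, or its public name must be added to “Trusted hostnames for HTTP_HOST header”, otherwise every login is redirected to the raw interface IP.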
WALLIX Bastion comes as standard with a factory-set administrator account whose default
credentials are as follows:
This default password can be changed. For further information, refer to Section 15.4, “Change
the password of the factory-set administrator account”, page 281.
For security reasons, it is required to change the administrator account password on first login. For
further information, refer to Section 7.3, “Setting your preferences”, page 36.
The login page of WALLIX Bastion supports the following authentication methods: password,
Kerberos, LDAP, RADIUS, TACACS+, PINGID and X509. In the case of an authentication via
Kerberos or X509 certificate, click on the corresponding button in the “Other authentication
method” section to access the Web interface. For further information on the configuration of these
authentication methods, refer to Section 9.8, “External authentication configuration”, page 107
and Section 9.7, “X509 certificate authentication configuration”, page 100.
Active Directory users can also be prompted for a password change after expiration on this
screen or when opening an RDP or SSH session. The prerequisites are as follows:
• the minimum required version for the Active Directory server is Windows Server 2008 R2
• the option “AD user password change” (accessible from the menu “Configuration” >
“Configuration Options” > “Global” > section “main”) must be selected and
• at least one encryption protocol (either StartTLS or SSL) must be set on the authentication
method associated with the domain. For further information, refer to Section 9.8.1.3, “Add an
LDAP external authentication”, page 109 and Section 9.9, “Configuration of LDAP or Active
Directory domain mapping”, page 114.
Note:
The logo image, the product name as well as the display of the copyright notice
on the login screen can be managed from the menu “Configuration” > “Configuration
Options” > “GUI” > “oem” section. For further information, refer to Section 8.1, “Interface
configuration”, page 40.
The warning message on the login screen can be managed from the menu “Configuration”
> “Connection messages”. For further information, refer to Section 12.22, “Connection
messages”, page 261.
Once you have successfully logged on, the following page is displayed:
Figure 7.2. WALLIX Bastion home page (displayed for an administrator profile)
• a header containing:
– the name of the user who is logged on. When hovering the mouse over the user name area, a
contextual menu displays the entry for the “My preferences” page, the “Legacy interface” icon
to access the legacy interface, and the logout icon.
– the icon providing a menu to access the technical documentation delivered as a contextual
on-line help
– the icon providing an access to the possible notifications (the approval requests for the user
with the approver profile and the password expiration warning)
• a vertical menu on the left of the screen from which you can access all the WALLIX Bastion
administration functions. The layout of the Web interface is subdivided vertically and horizontally
so as to clearly structure it.
• a working area displaying a welcome message. This message can be hidden by clicking on the
“Do not show again” button.
• a dashboard located at the bottom of the screen which provides the shortcuts to the most used
administration functions.
• “Profile”: to change the email address and to select the preferred language
• “Password”: to change the password (only if the user has been declared locally with a
“local_password” authentication)
• “SSH public key”: to drag-and-drop, upload or enter manually an SSH public key using the RSA,
ED25519 or ECDSA algorithm, or to delete an existing SSH public key (only if the user has been
declared locally with a “local_sshkey” authentication)
Warning:
In the “SSH public key” tab, it is not possible to drag-and-drop, upload or enter manually
a key if no algorithm is allowed for the SSH key on the “Local Password Policy” page
from the “Configuration” menu. For further information, refer to Section 9.6, “Local
password policy configuration”, page 98.
This key must be in the OpenSSH format. Otherwise an error message is displayed.
If you use PuTTYgen to generate the key, save in a text file the public key displayed
in the OpenSSH format during the generation. As an example, such a key is labelled
as follows:
“ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204”
You can then upload this key on the “SSH public key” tab.
If you already have a key pair, you can load the private key in PuTTYgen to regenerate
the corresponding public key in the appropriate format.
• “GPG key”: to drag-and-drop, upload or display a GPG key, or delete an existing GPG key
Warning:
If the GPG key is not specified for the user with the “product_administrator” or
“operation_administrator” profile, then a warning email is sent daily to notify the user
of the missing declaration of the GPG key.
The sending of this warning email can be managed via the “Missing GPG key warning
email” option in the menu “Configuration” > “Configuration options” > “Global”. By
default, this option is enabled.
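The “SSH public key” tab accepts only the one-line OpenSSH form and only the algorithms the local password policy allows. The following Python is an added example, not WALLIX code, of the two checks an import like this should perform: that the line really is an OpenSSH public key (the base64 blob starts with the same key type as the text prefix, per RFC 4251/4253) and that its algorithm family is on an allow-list. The allow-list stands in for the “Local Password Policy” setting, the sample keys are constructed, and the key material itself is not verified cryptographically:

```python
# Added example (not WALLIX code): validates the one-line OpenSSH public key format the
# "SSH public key" tab expects and checks its algorithm against an allow-list standing in
# for the "Local Password Policy" setting. The key material is not verified cryptographically.
import base64
import struct

KEY_TYPE_FAMILY = {
    "ssh-rsa": "rsa",
    "ssh-ed25519": "ed25519",
    "ecdsa-sha2-nistp256": "ecdsa",
    "ecdsa-sha2-nistp384": "ecdsa",
    "ecdsa-sha2-nistp521": "ecdsa",
}


def _read_ssh_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string' (4-byte big-endian length, then that many bytes)."""
    if len(blob) < offset + 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_openssh_public_key(line: str):
    """Return (family, key_type, comment) for '<type> <base64> [comment]' or raise ValueError."""
    text = line.strip()
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        raise ValueError("RFC 4716 format (PuTTYgen .pub file): paste the OpenSSH one-line form instead")
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, encoded = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in KEY_TYPE_FAMILY:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(encoded, validate=True)   # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("key body is not valid base64") from exc
    inner_type, _ = _read_ssh_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("key type prefix does not match the encoded key blob")
    return KEY_TYPE_FAMILY[key_type], key_type, comment


def check_key_against_policy(line: str, allowed_families):
    """Return (True, (family, key_type, comment)) or (False, reason)."""
    try:
        family, key_type, comment = parse_openssh_public_key(line)
    except ValueError as exc:
        return False, str(exc)
    if family not in allowed_families:
        return False, f"{family} keys are not allowed by the local password policy"
    return True, (family, key_type, comment)


def build_sample_key(prefix: str, inner_type: str, key_bytes: bytes, comment: str = "sample@example") -> str:
    """Constructed test input: wire-encode a blob that starts with inner_type, then key_bytes."""
    blob = (struct.pack(">I", len(inner_type)) + inner_type.encode("ascii")
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{prefix} {base64.b64encode(blob).decode('ascii')} {comment}"


SAMPLE_ED25519 = build_sample_key("ssh-ed25519", "ssh-ed25519", bytes(range(32)))   # constructed
SAMPLE_MISMATCH = build_sample_key("ssh-ed25519", "ssh-rsa", bytes(32))             # prefix lies
```

The prefix-versus-blob comparison is the check worth keeping: a key whose text prefix says `ssh-ed25519` but whose blob encodes `ssh-rsa` will be rejected by OpenSSH at login time anyway, and catching it at upload avoids a silently unusable account.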
7.4. Summary
In the modification pages of the Web interface, a summary is displayed on the right part of your
screen. It gives an overview of the data previously defined.
By clicking on the main entries of the summary, you are redirected to the concerned pages and
you can enter, add, edit or delete data. Note that you have the possibility to hide and show this
summary at any time.
Click on the needed option in the list to display the related parameters which can be configured
on the dedicated page for:
• the data retention policy. For further information, refer to Section 9.4, “User data retention
policy”, page 92.
• the global parameters
• the Web interface (“GUI”). For further information, refer to Section 8.1, “Interface
configuration”, page 40.
• the legacy Web interface (“GUI (Legacy)”)
• the license configuration
• the logger
• the configuration of the external modules
• the OEM (“OEM (Legacy GUI)”)
• the RDP proxy
• the RDP proxy session manager
• the REST API
• the options regarding session log retention. For further information, refer to Section 15.19, “Export
and/or purge session recordings automatically”, page 286 and Section 15.22, “Check integrity
of session log files”, page 288.
• the SSH proxy
• the Watchdog
On each of these pages, a useful description can be displayed for all the fields by selecting the
check box of the “Help on options” field at the top right of the page. This description includes the
appropriate format to be specified in the concerned field.
Warning:
The options displayed when the check box of the “Advanced options” field at the top right
of the page is selected should ONLY be changed upon request of the WALLIX Support
Team! An orange exclamation mark is displayed near the concerned fields.
Figure 8.1. "Configuration Options" page for SSH proxy with field descriptions
If “current” is selected, then the user will be redirected to the login page of the default interface.
However, s/he will still have access to the legacy interface via the link “Legacy interface” that
appears when hovering over the user name at the top of the page.
If “legacy” is selected, then the user will be redirected to the login page of the legacy interface.
However, s/he will still have access to the default interface via the link “Switch to the default interface”
located at the top of the page or to both interfaces via:
Note:
If the configuration option “Link switch default interface” (accessible from “Configuration”
> “Configuration options” > “GUI (Legacy)”) is deselected, then the link “Switch to the
default interface” will not be displayed on the home page of the legacy interface. The user
will then not be able to access the default interface.
The session timeout value is set by default to 900 seconds. The timeout value cannot be lower
than 300 seconds.
The debug mode provides information in the browser's JavaScript console regarding display issues
of the Web interface pages. This information may be sent to the WALLIX Support Team, if need be.
• the product name displayed on the pages of the interface as well as on the Web browser tab
(“Product name”)
• the short version of the product name (“Product name short”)
• the name of the Support Team (“Product support name”)
• the display of WALLIX copyright on the login page (“Copyright login”)
• the small site icon displayed on the Web browser tab (“Favicon”)
• the logo displayed at the top of the left sidebar menu (“Logo”)
• the small version of the logo displayed at the top of the left sidebar menu when collapsed (“Logo
small”)
• the logo displayed on the login page (“Login page logo”)
• the welcoming title of the login page for each language supported by WALLIX Bastion (“Login
page title”)
• the color of the welcoming title and connection message displayed on the login page (“Login
page info color”)
• the background color of the login page's right side panel (“Login page background color”)
• the background image of the login page's left side panel (“Login page background image”)
Note that the images must be in PNG format and that it is possible to restore the default WALLIX
Bastion images by checking the box “Restore default image”.
Figure 8.2. "Configuration options" page for Web interface configuration (GUI) - Part 1
Figure 8.3. "Configuration options" page for Web interface configuration (GUI) - Part 2
8.2. License
The use of WALLIX Bastion is controlled by a license key. This key contains the elements included
in the sales contract and is provided by WALLIX. It is entered in WALLIX Bastion by the client via
the Web user interface.
From the "License" page on the "Configuration" menu, you can display the license properties and
update the license key.
• the license type for a perpetual license agreement (“Legacy Bastion license”)
• the pack for a subscription license agreement (“WALLIX license”)
• the add-ons for a subscription license agreement (“WALLIX license”)
• the license expiration date
Note:
When notifications are enabled for the license expiration warning, an email will be sent
15 days, 10 days, 5 days and 1 day before the license expiration date. For further
information, refer to Section 9.5, “Notification configuration”, page 93.
Note:
Connections of the administrator account with the "product_administrator" profile are
not counted.
Note:
Each target is only counted once, regardless of the number of groups into which it is
included.
Target accounts which can be used as scenario accounts are not counted.
• when WALLIX Password Manager is associated with the license key, the number of targets
included in groups which can be declared to check out the accounts' credentials
Note:
Each target is only counted once, regardless of the number of groups into which it is
included.
• when WALLIX Password Manager is associated with the license key, the number of
clients using WALLIX Application-to-Application Password Manager (also called “WAAPM”).
Documentation related to WAAPM can be downloaded from WALLIX Support portal (https://
support.wallix.com [https://support.wallix.com/]).
To obtain a license, a context file must be created and sent to WALLIX Support (https://
support.wallix.com/). To do so, click on the “Download context file” button to generate and
download a context file and send it to the WALLIX Support Team which will provide you with a
license key update.
Once you have received the license update file, upload or drag-and-drop it in the “License update”
section and click on the “Apply” button.
It is possible to revoke the licenses installed on WALLIX Bastion by clicking on the “Revoke” button.
The legacy licenses (“Legacy Bastion license”) are revoked immediately. The current licenses
(“WALLIX license”) will become invalid 15 days after performing the revocation.
Warning:
In the context of a perpetual license (“Legacy Bastion license”), the latter is bound to the
MAC addresses of the first two interfaces of the Bastion (when more than one interface
is declared). If WALLIX Bastion is deployed on a virtual environment using two virtual
machines on two different nodes, make sure the MAC addresses are cloned to provide
redundancy. Moreover, we strongly recommend defining static MAC addresses to avoid
any change at reboot.
wab2:~# WABGetLicenseInfo
wab2:~# WABSetLicense -d
Warning:
The legacy licenses (“Legacy Bastion license”) are revoked immediately. The current
licenses (“WALLIX license”) will become invalid 15 days after performing the revocation.
8.3. Encryption
The encryption of WALLIX Bastion secures your sensitive data (such as target accounts' credentials,
local users' passwords, Web interface connections, RDP and SSH connections, etc.) by using a
strong cryptographic algorithm. For further information on the cryptography specifications to secure
data gathered in the Bastion, refer to Section 4.6, “Data encryption”, page 18.
This algorithm uses an encryption key which is secret and unique to your WALLIX Bastion and
totally hidden from users.
WALLIX Bastion and raises the protection of your data as no malicious user who does not know
the passphrase can access your product.
• when restoring the configuration of WALLIX Bastion (refer to Section 8.13, “Backup and
Restoration”, page 60). If you lose the passphrase, you will no longer be able to access your
data stored on remote storage.
• when rebooting the system. As long as the passphrase is not entered by the administrator with
the “product_administrator” profile in the Web administration interface, the “System” configuration
menu will be hidden and connections using WALLIX Bastion proxies will not be usable.
• when changing the passphrase. If you wish to change your passphrase, you have to enter the
current passphrase to be able to set a new one.
Important:
For security reasons, the passphrase can only be defined during the installation of
WALLIX Bastion. It will be impossible to define it afterwards.
Once a passphrase has been set, it can no longer be deleted. However, an existing
passphrase can be modified.
Once the encryption is configured, you can go back at any time to the “Encryption” page on the
“Configuration” menu either to check that your WALLIX Bastion is ready and secured or to change
the passphrase.
From the "Status" page on the "System" menu, you can view the following system information:
Note:
It corresponds to the list of active connections on the "Current Sessions" page
displayed from the "Audit" menu.
Note:
The RAM usage does not include the system cache.
All log and debugging information files can be downloaded as a .zip archive by clicking on the button
"Download debug information" on the bottom of the page.
All the files for these logs (with the .log extension) can be downloaded as a .zip archive by clicking
on the dedicated icon on the right part of the concerned page.
• "syslog" displayed from the "Syslog" page on the "System" menu. This log shows the session logs,
i.e. the majority of messages on proxy operation or the use of the Web administration interface.
• "dmesg" displayed from the "Boot Messages" page on the "System" menu. This log shows the
system start log.
• "wabaudit" displayed from the "Audit Logs" page on the "Configuration" menu. This log shows
the connections and operations performed by the auditors and the administrators.
Furthermore, all log and debugging information files can be downloaded from the "Status" page on
the "System" menu.
Note:
Some system logs saved in partition /var/log are stored for a maximum time period
of 5 weeks.
8.6. Network
From the "Network" page on the "System" menu, you can define/edit the network configuration of
the appliance.
Important:
The interface eth1 (port 2 on appliances) is only devoted to high-availability (HA)
interconnection. No other service can be mapped to this interface. For further
information, refer to Section 8.11.1, “Service mapping”, page 57.
To do so, select the desired mode ("active-backup" or 802.3ad (LACP)") for the new bonding
interface in the frame "Interface bonding" then click on the "+" button to add this interface. It is
then required to link this "master" bonding interface to a "slave" physical interface in the frame
"Interfaces" by selecting its name in the list of the "Bonding interface" field.
Important:
The interface eth1 (port 2 on appliances) is only devoted to high-availability (HA)
interconnection. It cannot be selected for interface bonding.
An interface can only be disabled by deselecting the option "Enable IP" when the latter
is not mapped to any services on the "Service Control" page. For further information,
refer to Section 8.11, “Service control”, page 57.
To perform interface bonding, the "slave" physical interface cannot be linked to a VLAN,
a virtual interface or a route.
For further information on the modes "active-backup" and "802.3ad (LACP)" supported
for interface bonding, refer to https://www.kernel.org/doc/Documentation/
networking/bonding.txt.
• add routes
• define the default egress interface and the related gateway
• enable IP source routing
To define IP source routing and thus enable inputs and outputs on the same physical interface,
it is required to select the option "Enable IP source routing" in the frame "Routes". Routing is
then enabled for the physical and VLAN interfaces for which the option "Enable IP" is selected
in the frame "Interfaces".
Important:
The interface eth1 (port 2 on appliances) is only devoted to high-availability (HA)
interconnection. It cannot be selected for IP source routing.
The default egress interface can be selected among a list including the physical and
VLAN interfaces for which the option "Enable IP" is selected in the frame "Interfaces".
An interface can only be disabled by deselecting the option "Enable IP" when the latter
is not mapped to any services on the "Service Control" page. For further information,
refer to Section 8.11, “Service control”, page 57.
The IP address specified for the gateway must match the sub-network configured for
the egress interface selected. If the default gateway is not specified, then outbound
connections from the Bastion may fail.
To define ICMP redirect, it is required to select the option "Enable ICMP redirect" in the frame
"Routes".
• define the entries in the "hosts" file
• add the DNS servers
Warning:
Before changing the WALLIX Bastion IP address used to communicate with the file server
configured with remote storage, we recommend disabling remote storage and re-enabling
it again once the address has been changed. For further information, refer to Section 8.8,
“Remote storage”, page 51.
• date and time in WALLIX Bastion must be synchronized with the Kerberos authentication servers
• WALLIX Bastion is the time reference for escalated audit information and time frame management
Note:
By default, the time service is active and synchronized with the Debian project time
servers.
Note:
WALLIX Bastion moves automatically the recordings of recently terminated sessions from
local storage to remote storage. For further information, refer to Section 15.20, “Move
local session recordings to remote storage”, page 287.
When remote storage is enabled but the file server is temporarily unavailable, the
various features of WALLIX Bastion can still be accessed. The session recordings are
nonetheless kept on local storage during server unavailability.
• the remote file system type: SMB/CIFS and NFS are supported
• the protocol version
Note:
If “Automatic” is selected, then WALLIX Bastion will try to detect the version
automatically.
For SMB/CIFS, “Automatic” detection does not support protocol versions prior to
SMBv2.1.
For NFS, “Automatic” detection does not support protocol versions NFSv4.1 and
NFSv4.2.
For Amazon EFS, only “Automatic” detection is available and selected by default.
• the remote directory in which the recordings will be stored (except for Amazon EFS)
Warning:
This page is only displayed when the “SIEM” feature is associated with the license key.
Specify the following elements to set the routing through a SIEM server:
Note:
It is also possible to configure the TLS client through the addition of a specific
configuration file. For further information, refer to Section 15.25, “Configure TLS client
for SIEM integration”, page 289.
Note:
When upgrading from a version earlier than WALLIX Bastion 6.2.3, the RFC 3164
format applies by default to all the servers previously configured on this page.
The RFC 3164 format always applies to backups created on WALLIX Bastion version
6.x.
• the filter used to select the categories of logged information to send to the server, i.e.
configuration changes, WALLIX Bastion audit and authentication logs, account activities, RDP
and SSH proxy events, and RDP, SSH and VNC session metadata.
Note:
When upgrading from a version earlier than WALLIX Bastion 8.2, all the logged
information categories are selected by default for all the servers previously configured
on this page.
The logs will be sent to the selected IP address, port and via the selected transmission protocol
and also stored on the local file system so that they are always available on display on the "Audit
Logs" page, on the "Configuration" menu. For further information on this log, refer to Section 8.5,
“System logs”, page 47.
For further information on data export, refer to Chapter 17, “SIEM messages”, page 296.
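The RFC 3164 layout mentioned above (a `<PRI>` prefix, a month-day-time stamp without year or time zone, then hostname and tag) is what the receiving SIEM must parse, and the per-server category filter decides which events ever reach it. The following Python is an added example, not WALLIX code, that formats a few constructed audit events as RFC 3164 lines, applies such a category filter, and parses the lines back on the SIEM side. The category names, tags and message bodies are assumptions; only the RFC 3164 layout is standard:

```python
# Added example (not WALLIX code): formats constructed audit events as RFC 3164 syslog lines,
# applies the per-server category filter, and parses the lines back on the SIEM side.
# Category names, tags and messages are assumptions; only the RFC 3164 layout is standard.
import re
import time

CATEGORIES = {  # assumed identifiers for the categories the page lists
    "config": "configuration changes",
    "audit_auth": "WALLIX Bastion audit and authentication logs",
    "account": "account activities",
    "proxy_event": "RDP and SSH proxy events",
    "session_meta": "RDP, SSH and VNC session metadata",
}
FACILITY_LOCAL0, SEVERITY_INFO = 16, 6

SAMPLE_EVENTS = [  # constructed; timestamps are seconds since the epoch (UTC)
    {"ts": 1609459200, "host": "bastion", "tag": "wabaudit", "category": "audit_auth",
     "msg": "user=admin action=login result=success"},
    {"ts": 1609459260, "host": "bastion", "tag": "wabaudit", "category": "config",
     "msg": "user=admin action=update object=siem_server"},
    {"ts": 1609459320, "host": "bastion", "tag": "rdpproxy", "category": "session_meta",
     "msg": "session=42 type=rdp target=srv01 account=Administrator"},
]

_RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def format_rfc3164(hostname, tag, message, when, facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """'<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG'; the day is space-padded, no year, no time zone."""
    pri = facility * 8 + severity
    stamp = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    return f"<{pri}>{stamp} {hostname} {tag}: {message}"


def select_for_server(events, enabled_categories):
    """Apply the per-server category filter and return the lines to send, in order."""
    return [format_rfc3164(e["host"], e["tag"], e["msg"], time.gmtime(e["ts"]))
            for e in events if e["category"] in enabled_categories]


def parse_rfc3164(line):
    """SIEM-side parse; returns None for lines that are not in RFC 3164 layout."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}
```

Two caveats follow from the format itself: the RFC 3164 timestamp carries no year and no time zone, so the collector must stamp the receive time itself, and a category left unselected on this page produces no line at all, which a detection rule cannot distinguish from "nothing happened".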
8.10. SNMP
WALLIX Bastion includes an embedded SNMP agent with the following properties:
• Support of alert mechanisms ("traps") and notifications related to disk consumption and CPU load
• No ACL on the source IP address
Note:
Port 161 should be opened to allow communication to WALLIX Bastion for read/write
access to OIDs.
Port 162 should be opened to allow communication from WALLIX Bastion for trap
notifications.
A default minimum value set to 20 parallel connections is required for each port.
From the "SNMP" page on the "System" menu, you can configure this agent by defining the related
settings.
The "General Settings" section consists of the following fields:
• "Sysname": enter the name of the system, e.g., "WALLIX Bastion 9.0.2"
• "Syscontact": enter the email address of the system administrator, in format "root@yourdomain"
• "Syslocation": enter the system location
• "Sysdescr": enter a description, if needed. This field is empty by default.
• "Status": choose to enable or disable the SNMP agent. The agent is disabled by default.
• "Enable trap notifications": select the check box to enable SNMP trap notifications. Trap
notifications are disabled by default.
• "Trap sink": enter the address of the receiver. This field is displayed and required when trap
notifications are enabled.
• "Disable SNMPv2": select the option to disable the SNMP protocol version 2c
• "Community": enter the community name used to connect to WALLIX Bastion. This field is
displayed and required when the SNMP protocol version 2c has been enabled.
• "Trap community": enter the community name used when trap messages are sent. This field is
displayed and required when trap notifications and the SNMP protocol version 2c have been
enabled.
• "Authentication passphrase": enter and confirm the authentication passphrase. This field must
be longer than 8 characters. The authentication passphrase must be set at the same time as the
encryption passphrase.
• "Encryption passphrase": enter and confirm the secret key for encryption. This field must be longer
than 8 characters. The encryption passphrase must be set at the same time as the authentication
passphrase.
• "Trap receiver configuration": this sub-section is displayed when trap notifications have been
enabled and the SNMP protocol version 2c has been disabled. It consists of the following fields:
– "Trap user": enter the user name used to authenticate on the trap receiver. This field is empty
by default.
– "Security level": select the appropriate security level and specify the related fields depending
on the selection.
If "Authentication only" is selected, enter and confirm the authentication passphrase and select
the authentication ciphering scheme (SHA or MD5).
If "Authentication and encryption" is selected, enter and confirm both the authentication
and encryption passphrases and select the related ciphering schemes (SHA or MD5 for
authentication and AES or DES for encryption).
The "Threshold values ( % )" section allows to specify the values above which notifications are
triggered. It consists of the following fields:
• "Disk consumption": update the percentage value related to the disk consumption, if needed.
Notifications are sent when the disk consumption exceeds this value.
• "Average CPU load": update the percentage values related to the average CPU load for 1-minute,
5-minute and 15-minute time slices, if needed. Notifications are sent when these values are
exceeded.
The values entered in this section can be reset by clicking on the button "Reset default threshold
values" on the bottom-left of the section.
Warning:
By default, the SNMP agent is disabled and it can only be enabled via the Web interface.
By default, trap notifications are disabled and they can only be enabled via the Web
interface. When enabled, only acknowledged traps (i.e. INFORM traps) are sent.
By default, the SNMP protocol version 2c is disabled on a fresh WALLIX Bastion and can
only be enabled via the Web interface.
The SNMP protocol version 3 is always enabled. However, both authentication and
encryption passphrases must be set at the same time for proper operation.
When Bastions are configured in HA mode, the SNMP agent monitors all the nodes via
the virtual IP address.
Warning:
The system OIDs are defined in the MIB "SNMPv2-MIB". Please make sure this MIB is
installed on your client environment.
The SNMP agent can expose some specific data of WALLIX Bastion. A list of the variables
showing this data is available by downloading the following files:
• /usr/share/snmp/mibs/wallix/WALLIX-SMI and
• /usr/share/snmp/mibs/wallix/WALLIX-BASTION-MIB. The file WALLIX-
BASTION-MIB includes the descriptions of the variables and can be opened with a text
editor.
These MIB files can also be downloaded as a .zip archive by clicking on the button
“Download MIB files” on the top-right of the page.
The "User & audit features" service group includes the access to targets and also historical data
and session recordings.
In order to be able to select the desired services, the network interfaces must be
previously configured on the "Network" page. For further information, refer to Section 8.6,
“Network”, page 48.
Important:
The interface eth1 (port 2 on appliances) is devoted, if present, to high-availability (HA)
interconnection. No other service can be mapped to it and the "High-Availability" service
cannot be mapped to any other interface. Therefore, the "High-Availability" service cannot
be selected if this interface is not present.
By default, the features specific to users (such as the target account access rights) and auditors
(such as the session audit rights) are not available on the Web administration interface but these can
be released by selecting the following check boxes: "User features (target account access rights)"
and "Audit features (session audit rights)".
A firewall is embedded in WALLIX Bastion, among other features, to protect WALLIX Bastion against
DDoS attacks. It is possible to restrict the parallel connections per IP to the Bastion to a pre-defined
number by selecting the option "Limit the number of parallel connections per IP" and specifying the
appropriate value in the field "Number of connections". The default value of this field is set to 10 and
the number of allowed parallel connections cannot exceed 999 connections per IP. As an example,
if the value entered in this field is "30", then at most 30 parallel connections to the Bastion are
accepted from any single source IP address, e.g. a user's workstation. Note that clients behind a
shared NAT address count against the same limit.
The option "Enable path reverse filtering" is only relevant when WALLIX Bastion has two non-HA
interfaces configured on two different subnets (e.g. eth0 on subnet X and eth2 on subnet Y) and
the default route is set on one of the two interfaces (e.g. eth0).
With reverse path filtering active, a packet whose source IP address does not belong to subnet Y
but which arrives on interface eth2 is not answered (no packet goes out through either of the two
non-HA interfaces): the route back to that source leads through eth0 rather than through the ingress
interface, so the kernel discards the packet. This is the reverse path filtering configuration set
with the grsec kernel. For further information on reverse path filtering, refer to http://tldp.org/
HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html.
If WALLIX Bastion should reply to such an incoming packet (through the eth2 interface), then
reverse path filtering must be disabled.
When the option "Enable path reverse filtering" is selected, WALLIX Bastion does not reply to
packets whose source address belongs to a subnet different from that of the ingress interface
(the anti-spoofing behaviour described at the link above).
When the option "Enable path reverse filtering" is deselected (the default), WALLIX Bastion replies
to all incoming packets (through the ingress interface).
When installing WALLIX Bastion, these services are automatically enabled by default.
In case of a restricted use of WALLIX Bastion, the administrator can activate/deactivate services
using a command line tool on the console or through the "ssh" command line interface (port 2242):
sshadmin : ENABLED
The option "--help" lists the arguments which can be used to perform the configuration.
actions:
list list services status
enable enable a service
disable disable a service
The administrator must enter the following command to deactivate the GUI service:
Then, the administrator must enter the following command to activate it again:
Caution:
The address specified in this field may also be used as a recipient for some system
alert emails.
To test the configuration, enter one or more destination addresses in the "Recipient emails for test"
field then click on the "Test" button.
Caution:
When WALLIX Bastion is configured in HA ("High-Availability") mode, the SMTP
server configuration is only propagated to the Slave node when the latter switches from
Slave to Master.
Each backup is encrypted using a 16-character key. You must know the backup key before
performing a restore operation.
If a passphrase was defined on the backed-up Bastion, then it has to be entered again at restore
operation.
Warning:
• Only backups created from WALLIX Bastion version 6.0 or later can be restored
• Session recordings are not saved during a backup/restore operation
• All data edited or added after a backup will be lost if the backup is restored
• The administrator will be logged off. He/she must log on again with one of the accounts
included in the backup, which might be different from those in the system before the
backup/restore was performed
• It is possible to set the number of days during which backups are kept. This parameter
can be managed via "Configuration" > "Configuration Options" > "Global", then enter
a positive integer in the field "Remove backup older than". All backups older than this
value expressed in number of days are then removed.
To use these elements, you will have to delete the current configuration files and rename in their
place the files restored from the backup, which bear, as an additional extension, the name of the
backup followed by a timestamp set to the restoration time.
After renaming the files by removing the additional extension, you must restart the corresponding
services by entering the following commands:
However, most of configuration files specific to given services, keys and certificates are overwritten
in the current configuration during restoration.
/var/wab/apache2/x509_ready
– the Apache server keys, certificates and CRLs for X509 authentication:
/var/wab/apache2/ssl.crt/*
/var/wab/apache2/ssl.crl/*
• /var/wab/etc/, as for example:
– the RDP proxy configuration:
/var/wab/etc/rdp/rdpproxy.ini
/var/wab/etc/rdp/*.pem
/var/wab/etc/rdp/rdpproxy.key
/var/wab/etc/rdp/rdpproxy.crt
/var/wab/etc/ssh/*
Caution:
Note that properties related to the license, the FQDN and the MySQL database
password in /var/wab/etc/wabengine.conf/ are not overwritten during
restoration.
Options:
-h, --help show this help message and exit
-d DIRECTORY, --directory=DIRECTORY
Directory where you want to store your backup.
-s, --sdcard Set this option to store the Backup in the sdcard.
DIRECTORY is the directory path in which the backup file will be created.
Option -s can be used to create a copy on an external drive (SD Card or USB).
Restores WALLIX Bastion backup from the specified file or from the sdcard. The
default behaviour is to restore the configuration part related to the network
page of the system settings menu only on the same host and in the same
standalone or HA mode. You can use options to ignore completely the system
settings and restore only the business data, or to force ignoring or restoring
Options:
-h, --help show this help message and exit
-f FILENAME, --file=FILENAME
Provide the full path of the Backup file (.wbk).
Conflicts with -s
-s, --sdcard Enter in interactive mode to select file on SDcard.
Conflicts with -f
-a, --aes Set this option to force use of AES256 instead of GPG
symmetric cipher (for compatibility with old backup
files).
-b, --blowfish Set this option to force use of Blowfish instead of
GPG symmetric cipher (for compatibility with old
backup files). Overridden by -a
-S, --nosystem Set this option to not restore any system settings.
-N, --nonetwork Set this option to never restore network and HA
settings. Overridden by -S
--forcenetwork Set this option to force restoration of network and HA
settings. (Not recommended). Overridden by -S
• MINUTE: from 0 to 59
• HOUR: from 0 to 23
• DAY_OF_MONTH: from 1 to 31
• MONTH: from 1 to 12
• DAY_OF_WEEK: from 0 to 7 (0 or 7 for Sunday)
Each field can also be filled with an asterisk "*" corresponding to all possible values. Lists are also
permitted, with the values separated by commas and intervals, separating the range with a hyphen,
e.g. "1,2,5-9,12-15,21".
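The schedule syntax above can be checked before it is saved. The validator below is an added example, not part of the WALLIX guide or product: it expands each of the five fields (taken in the order the guide lists them), accepts "*", single values, comma-separated lists and hyphenated intervals, enforces the per-field ranges and treats 7 as an alias of 0 for DAY_OF_WEEK.

```python
"""Validate the five planning fields of the automatic backup schedule.

Added example, not part of the WALLIX guide.  It implements only the syntax
the guide describes: "*", a single value, and comma-separated lists whose
items are single values or hyphen-separated intervals, e.g. "1,2,5-9,12-15,21".
The field order MINUTE HOUR DAY_OF_MONTH MONTH DAY_OF_WEEK is assumed.
"""
import re

# Allowed ranges per field, as listed in the guide.
FIELD_RANGES = {
    "MINUTE": (0, 59),
    "HOUR": (0, 23),
    "DAY_OF_MONTH": (1, 31),
    "MONTH": (1, 12),
    "DAY_OF_WEEK": (0, 7),   # 0 and 7 both mean Sunday
}

_ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_field(name: str, value: str) -> set:
    """Return the set of integers a field selects, or raise ValueError.

    "*" expands to the whole range of the field.  For DAY_OF_WEEK the alias 7
    is normalised to 0 so that "0", "7" and "*" compare consistently.
    """
    low, high = FIELD_RANGES[name]
    if value == "*":
        selected = set(range(low, high + 1))
    else:
        selected = set()
        for item in value.split(","):
            m = _ITEM_RE.match(item.strip())
            if not m:
                raise ValueError(f"{name}: malformed item {item!r}")
            start = int(m.group(1))
            end = int(m.group(2)) if m.group(2) is not None else start
            if start > end:
                raise ValueError(f"{name}: interval {item!r} runs backwards")
            if start < low or end > high:
                raise ValueError(f"{name}: {item!r} outside {low}-{high}")
            selected.update(range(start, end + 1))
    if name == "DAY_OF_WEEK" and 7 in selected:
        selected.discard(7)
        selected.add(0)
    return selected


def parse_schedule(spec: str) -> dict:
    """Parse "MINUTE HOUR DAY_OF_MONTH MONTH DAY_OF_WEEK" into expanded sets."""
    parts = spec.split()
    if len(parts) != len(FIELD_RANGES):
        raise ValueError(f"expected {len(FIELD_RANGES)} fields, got {len(parts)}")
    return {name: expand_field(name, part)
            for name, part in zip(FIELD_RANGES, parts)}


if __name__ == "__main__":
    # Constructed sample: a backup every night at 02:30.
    print(parse_schedule("30 2 * * *")["HOUR"])
    # The list example from the guide, applied to the MINUTE field.
    print(sorted(expand_field("MINUTE", "1,2,5-9,12-15,21")))
```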
You can also change the path and the value of the key used by editing the file /opt/wab/bin/
WABExecuteBackup and changing the DIR and KEY values at the beginning of the file.
It is possible to set a key used to encrypt the automatic backup at generation. This parameter can
be managed via "Configuration" > "Configuration Options" > "Global", then enter a 16-character
string in the field "Backup key".
Purge WALLIX Bastion backups. If enough free space, no backup is deleted even
if older than the given age threshold.
optional arguments:
-h, --help show this help message and exit
--age AGE, -A AGE Keep all traces younger than the given age in hours.
Valid suffixes are 'd[ays]' for days, or 'm[onths]'
for months. (default: 30d)
--min-free MIN_FREE, -F MIN_FREE
Free space minimum threshold in bytes. Valid suffixes
are 'KB' for 1000 bytes, 'KiB' for 1024 bytes, 'MB'
for 1.000.000 bytes, 'MiB' for 1.048.576 bytes, 'GB'
for 1.000.000.000 bytes, 'GiB' for 1.073.741.824
bytes, '%' for percentage of total disk space
(default: 10%)
--priorize-free, -p If provided, ignore AGE and try to free as much space
as possible until the free space threshold is reached.
When this command is launched, backup files are purged until the free space is greater than or
equal to the MIN_FREE value; if the free space already meets that threshold, nothing is deleted.
Only backup files older than the AGE value are deleted, unless the --priorize-free argument is
specified, in which case backup files are deleted regardless of their age until the free space is
greater than or equal to the MIN_FREE value.
It is possible to set the number of days during which backups are kept from the Web interface. This
parameter can be managed via "Configuration" > "Configuration Options" > "Global", then enter a
positive integer in the field "Remove backup older than". All backups older than this value expressed
in number of days are then removed. When the WABBackupPurge command is launched, the value
in this field is then considered as the default value if the AGE argument is not specified.
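To make the purge rule concrete, the following model is an added example, not WALLIX code: it parses the AGE and MIN_FREE arguments with the suffixes listed in the help text and returns the backups the purge would remove, without deleting anything. It assumes one month equals 30 days and that "%" is taken against a caller-supplied total disk size.

```python
"""Model of the WABBackupPurge selection rule described in the guide.

Added example, not WALLIX code.  It only decides which backup files WOULD be
removed for a given free space, age threshold and --priorize-free flag.
Assumptions of this example: a month is 30 days, and "%" is a percentage of
the disk_total value passed by the caller.
"""
from dataclasses import dataclass
import re

HOUR = 3600
_AGE_RE = re.compile(r"^(\d+)\s*([a-zA-Z]*)$")
_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*([A-Za-z%]*)$")

# Suffixes and multipliers exactly as the --min-free help text lists them.
_SIZE_UNITS = {
    "": 1, "KB": 10**3, "KIB": 2**10, "MB": 10**6, "MIB": 2**20,
    "GB": 10**9, "GIB": 2**30,
}


def parse_age(text: str) -> int:
    """Return the AGE threshold in seconds: plain hours, 'd[ays]' or 'm[onths]'."""
    m = _AGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad age {text!r}")
    count, unit = int(m.group(1)), m.group(2).lower()
    if unit == "":
        return count * HOUR
    if "days".startswith(unit):
        return count * 24 * HOUR
    if "months".startswith(unit):
        return count * 30 * 24 * HOUR   # assumption: one month = 30 days
    raise ValueError(f"bad age suffix {unit!r}")


def parse_min_free(text: str, disk_total: int) -> int:
    """Return the MIN_FREE threshold in bytes; '%' is taken of disk_total."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad size {text!r}")
    value, unit = float(m.group(1)), m.group(2).upper()
    if unit == "%":
        return int(disk_total * value / 100)
    if unit not in _SIZE_UNITS:
        raise ValueError(f"bad size suffix {unit!r}")
    return int(value * _SIZE_UNITS[unit])


@dataclass(frozen=True)
class Backup:
    name: str
    mtime: int   # seconds since the epoch
    size: int    # bytes


def select_for_purge(backups, now, free_bytes, disk_total,
                     age="30d", min_free="10%", priorize_free=False):
    """Return the names of the backups the purge would delete, oldest first.

    Nothing is deleted while free space already meets the threshold.  Otherwise
    backups are removed oldest first until the threshold is reached; without
    --priorize-free only backups older than AGE are candidates.
    """
    threshold = parse_min_free(min_free, disk_total)
    max_age = parse_age(age)
    if free_bytes >= threshold:
        return []
    candidates = sorted(backups, key=lambda b: b.mtime)
    if not priorize_free:
        candidates = [b for b in candidates if now - b.mtime > max_age]
    removed = []
    for b in candidates:
        if free_bytes >= threshold:
            break
        removed.append(b.name)
        free_bytes += b.size
    return removed


def sample_backups(now: int) -> list:
    """Constructed sample set: two backups older than 30 days, one recent."""
    day = 24 * HOUR
    return [
        Backup("old1", now - 40 * day, 1_000_000_000),
        Backup("old2", now - 35 * day, 1_500_000_000),
        Backup("recent", now - 5 * day, 5_000_000_000),
    ]


if __name__ == "__main__":
    now, disk = 1_700_000_000, 100_000_000_000
    # 8 GB free on a 100 GB disk is below the 10% default threshold.
    print(select_for_purge(sample_backups(now), now, 8_000_000_000, disk))
    print(select_for_purge(sample_backups(now), now, 6_000_000_000, disk,
                           priorize_free=True))
```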
8.14. High-Availability
8.14.1. Operating limitations and pre-requisites
The WALLIX Bastion 9.0.2 HA active/passive type cluster does not have a load balancing function.
Both devices must be linked directly to each other using an Ethernet crossover cable through the
RJ45 port labelled "2".
The HA interfaces on both the "Master" and the "Slave" nodes must be configured with static IP
addresses belonging to the same subnet.
Both cluster nodes must be strictly at the same level regarding their WALLIX Bastion version and
hotfix numbers.
Warning:
The WALLIX Bastion HA feature is designed to answer hardware issues related to disk,
motherboard, network card, etc. and is not supported through virtual appliances.
Please also refer to the Quick Start Guide for further information.
Caution:
The following precautions need to be observed before implementing a new node in an
existing High-Availability configuration:
• the new node must be strictly at the same level as the other node regarding the WALLIX
Bastion version and hotfix numbers
• the new node must have the same number of configured interfaces, including VIPs and
VLANs but excluding HA VIPs (interfaces suffixed with “ha”).
• storage capacity for the hard drive coming with the new node must be equal to or
greater than the one of the former node
• System time of the new node must be synchronized with the one of the other node
Caution:
All data on the "Slave" will be permanently deleted!
4. Enter the "super" command then the "sudo -i" command to sign in as a super-user.
5. Check that the clocks of both cluster nodes are synchronized using the Linux "date" command
or by synchronization with an NTP server, as explained on Section 5.3.4, “Time service
configuration” in the Quick Start Guide.
6. Carry out the send notification test (refer to Section 5.3.5, “SMTP server configuration” in the
Quickstart Guide) to check that an SMTP server is configured and operational.
7. Check that both devices are configured with a static IP address, their "eth1" interfaces are set up
and they have different machine names. If not, make the required adjustments on the GUI.
Note the IP address of the "eth1" interface of the "Slave" node which is required for answering
to the "Slave IP:" question during the execution of the "WABHASetup" command as described
in next step.
8. Run the "WABHASetup" command on the "Master" device console and follow the instructions:
wabsuper$ WABHASetup
Slave IP:
HA Virtual IP:
HA Virtual netmask:
HA Notification mail address:
...
Note:
A log file wabhasetup.log is created in the directory from which this command has
been launched and stores the output of the operation.
The WABHASetup command requests the interface configuration for all the physical
and VLAN interfaces which are mapped with services. For further information on
service mapping configuration, refer to Section 8.11, “Service control”, page 57.
This notification sums up your HA configuration. Initial MASTER node: ... Initial SLAVE node: ...
HA Virtual ip: ...
Note that "Start" and "Stop" commands will only apply to the local node.
Warning:
To avoid unintentional switch, we recommend stopping the "Slave" node before the
"Master" one and start the "Slave" node after the "Master" one.
To check the current state of a node, the administrator can use the following maintenance command:
wabsuper$ /opt/wab/bin/WABHAStatus
The WALLIX Bastion HA sends a notification raising the detection of a fatal error, then creates the
lock file and stops. The presence of this file prevents the HA from restarting thereby preventing it
from attempting to resolve the problem indefinitely.
After resolving the malfunction, you must manually delete this lock file using the following command:
affected_node# rm /etc/opt/wab/ha/fatal_error
When the connection is restored, the DRBD layer of the shared volume will detect the divergence
(known as "Split-Brain") and the cluster will stop working. Indeed, because both machines have
continued to operate independently, their data is incompatible and manual intervention is required.
As explained in the notification, it is up to the administrator to select the most up-to-date node to
resolve the divergence. The notification contains the list of the last files modified on both Bastions.
1. The outage was short and the nodes were not used (no sessions created, no accounts added,
etc.): in this case, the administrator can choose either of the nodes as the reference "Master".
2. The outage was short and/or only one of the nodes was actually used (shown by the presence of
session files and of more recent modification dates on only one of the nodes). The administrator
must select this node as the new reference "Master".
3. The outage was complex and both nodes were used in parallel (which is unlikely and would be
related to a serious network failure). The administrator must then select a node to be the new
reference "Master" (the one with the most modifications) and back up the data from the other node.
Lastly, the data must be manually imported to the new "Master".
Once the reference "Master" is chosen, follow the procedure below to restore the cluster:
When Bastions are configured in HA mode, it is no longer possible to make network changes, such
as IP addresses, from the GUI. As the disks of both machines are synchronized through the network,
you must connect to the "Master" node in SSH and run the following command:
In the event of a node replacement, first disconnect the faulty device and start the replacement
WALLIX Bastion. Make sure to configure it with the same static IP address as the faulty node, and
then enter this command on the operational node:
In the event of a file system integrity error, detectable through the kernel messages (i.e.: "File
system is now read-only due to the potential of on-disk corruption. Please
run fsck.ext4 once the file system is unmounted."), proceed as follows:
1. Enter "sudo -i WABHAInitd --force stop" to turn off HA on both nodes, starting with the "Slave".
2. Check that the shared file system is removed from both nodes by entering "sudo -i umount /
var/wab".
3. Disable DRBD on the "Slave" node by entering "sudo -i drbdadm secondary wab".
4. Enable DRBD on the "Master" node by entering "sudo -i drbdadm primary wab".
5. Enter "sudo -i fsck.ext4 -y -f /dev/drbd1" on the "Master" node.
Consequence: Both nodes will detect the fault (ssh not accessible)
Notifications: [WAB] - WALLIX Bastion HA master WabA error detected by WabA Reason: Service
ssh isn't responding and we couldn't restart it!
Notifications: [WAB] - WALLIX Bastion HA master WabA error detected by WabB Reason: Host
respond to ping but ssh service is down, will try to switch to master...
Result: the "Slave" will take over and the "Master" will be downgraded to "Slave"
Notification: [WAB] - The WALLIX Bastion HA master WabB is online
Notification: [WAB] - The WALLIX Bastion HA Slave WabA is online
Full resolution: repair the fault so that WabA can become the "Master" again
Consequence: both nodes will detect the fault. The "Master" will continue to operate in degraded
mode.
Notification: [WAB] - The WALLIX Bastion HA slave WabB is no longer connected to master WabA!
Master data replication isn't working.
Consequence: the "Slave" will assume that the "Master" is turned off and will switch over to "Master"
and will operate in degraded mode.
Notification: [WAB] - The WALLIX Bastion HA slave WabA isn't connected to the master master
WabB anymore! Master data replication isn't working.
Result: the shared volume will start to diverge between both nodes. The most probable case is that
one of the nodes is no longer on the network, in which case the resolution is simple: reconnect both
Bastions or if you have used iptables:
WabA# iptables -F
WabB# iptables -F
Notification: [WAB] - The WALLIX Bastion HA disks diverged (split brain detected) The WALLIX
Bastion HA drbd shared volume is now disconnected. Peers have lost connection with each other
and both have switched to master node... Data can't be synced cleanly! You need to manually
discard the changes on one of the nodes.
Once you find out the out-of-date node, follow the procedure below:
Chapter 9. Users
The "Users" menu allows you to create and manage WALLIX Bastion users/administrators.
You can also configure the user groups to which the authorizations apply. For further information,
refer to Chapter 14, “Authorization management”, page 269.
Note:
User account names are not case sensitive, but case is preserved as the account is created.
• list user accounts according to a filter on local accounts or domain accounts from LDAP and
Active Directory domains. When an LDAP or Active Directory domain is selected from the list,
then the users from the directory mapped with a user group in WALLIX Bastion are displayed.
For further information on this mapping, refer to Section 9.9, “Configuration of LDAP or Active
Directory domain mapping”, page 114.
• add/edit/delete a user account
• identify the users for whom the "Credential recovery" right is enabled in their profile: a key icon
is then displayed in the "Profile" column on the related line. These users receive an email
gathering the target account passwords in case of password change. For further information,
refer to Section 11.4, “"Break glass" mechanism configuration”, page 216.
For further information on user profiles, refer to Section 9.3, “User profiles”, page 86.
• release the lock of a user account by clicking on the padlock icon displayed in the "Status"
column on the related line. A user account is locked when the maximum number of allowed
authentication failures defined in the local password policy has been reached. For further
information, refer to Section 9.6, “Local password policy configuration”, page 98.
• identify the users for whom the account is active: a tick icon is then displayed in the "Status"
column on the related line.
• identify the users for whom the account has expired: an hourglass icon is then displayed in the
"Status" column on the related line. The account expiration date can be set during the creation
or modification of the account.
• identify the users for whom the account is disabled: a warning icon is then displayed in the
"Status" column on the related line. The user account deactivation can be set during the
creation or modification of the account.
• access the detail of the account to view the user's rights on the GUI but also his/her authorizations
regarding devices, applications and target accounts
• import users from a .csv file which can be used to populate the WALLIX Bastion user database
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
• the user name used to log on to the Web user interface and proxies.
• a name, used to identify the person to whom the user name belongs
• an email address which can be modified later on by the user
• a field to upload a GPG public key: the user will receive the new password in an encrypted email.
This key can be modified later on by the user.
Warning:
If the GPG key is not specified for the user with the “product_administrator” or
“operation_administrator” profile, then a warning email is sent daily to notify the user
of the missing declaration of the GPG key.
The sending of this warning email can be managed via the “Missing GPG key warning
email” option in the menu “Configuration” > “Configuration options” > “Global”. By
default, this option is enabled.
• a preferred language, used to select the language in which the messages sent to the user from
the proxies are displayed. This choice can be modified later on by the user.
• a profile, used to define the user rights and limitations (refer to Section 9.3, “User
profiles”, page 86)
• a check box to indicate whether the user account is disabled. If so, this user will not be allowed to
log on to the WALLIX Bastion Web interface and proxies. This check box is deselected by default.
Caution:
If this check box is deselected and no rights are defined in the user profile, then the
user will not be allowed to log on to the WALLIX Bastion Web interface, the REST API
Web Service and RDP/SSH sessions.
• a field including a calendar (displayed with a right-click) to select, if needed, the account expiration
date
• a list of groups, used to select the groups into which the user should be included. You can
also add a user to a group in the add or edit page for a group (refer to Section 9.2, “User
groups”, page 82)
• an authentication procedure, which may be different for each user (refer to Section 9.8, “External
authentication configuration”, page 107). You can select several procedures to indicate the
backup servers for external authentications (LDAP, RADIUS, etc.)
• if the chosen authentication procedure is "local_password":
– a field to enter and confirm a password: there may be certain requirements regarding
the passwords the system will accept (refer to Section 9.6, “Local password policy
configuration”, page 98). This password can be modified later on by the user.
– a field to force the password change for the user. The latter will then receive a notification
message indicating that his/her account has been created and that the password must be
changed at first login (see also Section 8.12, “SMTP server”, page 59). If the administrator
forces a password change, the user will have to change the password the next time he/she
authenticates, either on the login screen of WALLIX Bastion or when connecting to the RDP or
SSH session. No access will be granted as long as the password is not changed.
• if the chosen authentication procedure is "local_sshkey", a field to upload or enter manually an
SSH public key using RSA, ED25519 or ECDSA algorithm. This key can be modified later on
by the user.
Warning:
It is not possible to set a key if no algorithm is allowed for the SSH public key on the
"Local Password Policy" page from the "Configuration" menu. For further information,
refer to Section 9.6, “Local password policy configuration”, page 98.
This key must be in the OpenSSH format. Otherwise an error message is displayed.
If you use PuTTYgen to generate the key, you must save in a text file the public key
displayed in the OpenSSH format during the generation. As an example, this key is
labelled as follows:
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204"
You can then upload this key on the dedicated area on this page.
If a key already exists, you can load a private key using Puttygen in order to generate
the corresponding public key in the appropriate format.
• if the chosen authentication procedure is "local_x509", a field to enter the DN (i.e. "Distinguished
Name") of the certificate to allow the user authentication (refer to Section 9.7.4, “User
authentication configuration”, page 103) when X509 authentication is set for WALLIX Bastion
• a source IP/subnet address or range of addresses to restrict the access to this address/range of
addresses for proxies and the Web interface.
The fields in this page are the same as those in the user creation page.
Note:
If the "password" field is not changed, the user password is not modified.
• "Authorizations on devices": this area shows the list of the devices which can be accessed by
this user
Click on the icon at the beginning of a line to download the configuration file to establish a
connection.
• "Authorizations on applications": this area shows the list of the applications which can be
accessed by this user
Click on the icon at the beginning of a line to download the configuration file to establish a
connection.
• "Authorizations on accounts": this area shows the list of the target accounts which can be
accessed by this user
• a .csv file or
• a company directory (LDAP or Active Directory) if you only want to replicate a snapshot of
your directory into the WALLIX Bastion database. You can use the LDAP domain integration
functionality that makes direct use of the directory (refer to Section 9.9, “Configuration of LDAP
or Active Directory domain mapping”, page 114).
• from the "CSV" page on the "Import/Export" menu. You can select the "Users" check box to import
the related data. The field and list separators can also be configured.
• or from the "Accounts" page on the "Users" menu. You can click on the "Import CSV file" icon at
the top right of the page to import the related data. You are then redirected to the "CSV" page on
the "Import/Export" menu: the "Users" check box is automatically selected to import the related
data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab820 user
Important:
Data related to the users' password, SSH key or X509 DN is not provided in the .csv file
when exporting users. It must then be specified in the .csv file prior to import.
The update of existing data when importing a .csv file overwrites old data.
#wab820 user
martin;linuxadmins;Pierre Martin;;user;;local;;jMpdu9/x2z;martin@wallix.com;False;0;;fr;/C=FR/O=Wallix/CN=PKI_USER;False
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
From the "Users from LDAP/AD" page on the "Import/Export" menu, you can import the user data
stored in a remote directory to populate the WALLIX Bastion internal ACL database.
This procedure only allows you to import users from a remote directory. If you wish to map users
from a directory to an LDAP domain and remain synchronized with any updates made in this
directory, refer to Section 9.9, “Configuration of LDAP or Active Directory domain mapping”, page 114.
Warning:
If the imported users should authenticate on the directory used for the import, you
must first create the authentication method (see also Section 9.8.1, “Add an external
authentication”, page 107).
Case 1: Import users from an LDAP directory without using Active Directory
To import users from an LDAP directory without using Active Directory, enter the fields on the "Users
from LDAP/AD" page as follows:
Note:
For further information on TLS configuration, refer to Section 15.24, “Configure TLS
options for LDAP external authentication”, page 289.
Note:
The user must have read rights for the base DN used.
To import users from an LDAP directory using Active Directory, enter the fields on the "Users from
LDAP/AD" page as follows:
Note:
For further information on TLS configuration, refer to Section 15.24, “Configure TLS
options for LDAP external authentication”, page 289.
• "Base DN": depends on the domain name. For example, for the domain "mycorp.lan", the base
DN should be "dc=mycorp,dc=lan"
• "User name attribute": the connection attribute is "sAMAccountName"
• "User email attribute": enter the user’s email address attribute
• "Search filter": the query used to retrieve all the users from the directory is specified by default.
It can be modified to retrieve the appropriate users using AD syntax.
• "Bind method": select either the anonymous or the simple bind method. When the simple bind
method is selected, the "User" and "Password" fields are then displayed.
• "User" and "Password": specify a user name and a password to use for searching the user name
in the directory. These fields are not displayed when the anonymous bind method is selected.
Note:
The user must have read rights for the base DN used.
If the import is successful, a page listing the users extracted from the directory is displayed: choose
the users you wish to import in WALLIX Bastion by selecting the check box at the beginning of the
concerned line. Before final import, you must assign an authentication and a profile to the selected
users. A user group and a domain name can also be assigned to the selection.
Click on the "Import" button to import data on the user database of WALLIX Bastion.
Once the import operation is performed, a summary report is displayed. This report lists the number
of users which were created/rejected in the WALLIX Bastion database. In case of rejection, the
corresponding error is mentioned.
Note:
The user name of the imported user is based on the following syntax:
Note:
The administrator cannot view on this page the profile defined for a group (displayed in
the “Profile” field) when this profile has at least one permission that the administrator's
profile cannot grant as a transferable right. For further information, refer to Section 9.3,
“User profiles”, page 86.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
Note:
If several time frames are selected, the time frame applied is the combination of all the
selected time frames.
Warning:
Character sequence detection is only enabled for data sent by the client to the
server and only for connections under specific protocols (available in the list from the
"Subprotocol" field).
Warning:
When there is no LDAP/AD domain configured in WALLIX Bastion, the "LDAP
authentication mapping" frame is not displayed on this page.
Note:
The administrator cannot view the area “LDAP authentication mapping” when the
profile mapped to the group has at least one permission that the administrator's profile
cannot grant as a transferable right. For further information, refer to Section 9.3, “User
profiles”, page 86.
Warning:
You cannot delete a user group linked to active authorizations (refer to Chapter 14,
“Authorization management”, page 269).
#wab820 usersgroup
Important:
The update of existing data when importing a .csv file overwrites old data.
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
• "approver": this profile can accept/reject approval requests to access target accounts
• "auditor": this profile can view WALLIX Bastion audit data (refer to Section 12.3, “Audit
data”, page 223) but cannot access target accounts
• "operation_administrator": this profile can perform any operation. However, it has no access to
the following features: the "System" menu (including system backup and restoration), the "Audit"
menu, all the system logs and the target accounts.
• "disabled": this profile has no rights; it can be edited or deleted if unused but it should not be used
to disable a user account. We recommend selecting the "Disabled" option on the user account
add/edit page if you wish to disable a user. For further information, refer to Section 9.1, “User
accounts”, page 72.
Caution:
The "disabled" profile is only displayed on an upgraded version of WALLIX Bastion as it
is inherited by default from a former version. During the upgrade, users with the former
"disabled" profile are automatically linked to the "user" profile and the "Disabled" option
on the user account edit page is selected by default.
• "system_administrator": this profile has full system administration rights via the "System" menu.
It can change the appliance configuration, access the console to create and restore backups and
view all the system logs. However, this profile cannot access target accounts.
• "user": this profile has no administration rights but can access target accounts
• "product_administrator": this profile has full administration rights and can connect to target
accounts
Note:
The configuration for the factory-set administrator account is the
"product_administrator" profile.
From the "Profiles" page, click on "Add a profile" to display the user profile creation page.
The user profile creation page consists of the following fields:
On the "Rights" part, you can set the authorizations for the main features of the Web interface
displayed from the WALLIX Bastion menu:
• "None": no rights: the menu entry will not appear when the user logs on
• "View": the user can view the elements created but cannot edit them
• "Modify": the user can view and edit elements
• "Execute" (only for backup/restoration): the user can perform a system backup or restoration
(refer to Section 8.13, “Backup and Restoration”, page 60)
Another option can be used to enable/disable the access to the target accounts.
The "Transferable rights" part is displayed if the "Modify" right for the "Users", "User profiles" or
"Settings" feature is set on the "Rights" part.
On the "Transferable rights" part, you can set the authorizations which can be granted by the profile
members. These authorizations are inherited from the rights set for the profile. The rights which can
be transferred by the profile members cannot exceed their own rights. As a consequence, a profile
cannot grant permission to modify a feature if it does not have the right to modify this specific feature
and is not allowed to transfer this right (except for the "Session audit" and the "Target account access"
rights).
Note:
A user cannot view the profiles and the profile members having at least one permission
that this user does not have (except for the "Session audit" and the "Target account
access" rights).
However, this rule applies neither to the "Groups" sub-entry in the "Users" menu nor to the entries
in the "Audit" menu.
On the "Dashboards" part, you can select the dashboards which can be viewed by the profile
members. The list of dashboards displayed on this area is inherited from the authorizations set for
your profile.
By default, the user associated with the “product_administrator” or “operation_administrator” profile
is allowed to view the “Administration” entry in the “Dashboards” menu.
By default, the user associated with the “product_administrator” or “auditor” profile is allowed to
view the “Audit” entry in the “Dashboards” menu.
On the "Other features" part, you can define limitations for the profile members from the following
fields:
• "IP limitations": define the source IP(s) to which the access is restricted for primary connection.
This address can be defined as a single IP address, a sub-network mask or a hostname.
• "User group limitations" and "Target group limitations": select the user groups and/or the target
groups which can only be viewed and managed by the profile members. The authorizations set
for the profile members will apply to these groups and the addition of users and/or target accounts
will be restricted to these groups.
If you define limitations on target groups, select from the list of values the default group to which
the new target accounts will belong.
The limitations defined in this section apply to the users linked to the profile; these can be either
local users, users imported from an LDAP/AD directory, or members of a WALLIX Bastion user group
linked through an authentication mapping to a group from the LDAP/AD directory.
Warning:
If the target account access is allowed for a profile, we do not recommend defining
limitations for the profile members from the "Other features" part as it may lead to
functional inconsistencies.
Warning:
A predefined profile can neither be deleted nor edited.
You cannot delete a profile if at least one user is linked to this profile.
Important:
The update of existing data when importing a .csv file overwrites old data.
Possible values:
-: none
r: right to "View"
w: right to "Modify"
x: right to "Execute"
e.g.:
- Manage Authorizations: right to "Modify"
- Settings: none
- Backup/Restore: right to "Execute"
- Credential recovery: none
e.g.:
10.10.10.10;24.12.33.125
User group limitations: Boolean; R; True or False; default: False
User groups: Text; O; User groups defined; N/A
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
In the process of compliance with the GDPR requirements, WALLIX Bastion allows you to define
retention periods for the user data.
Warning:
When WALLIX Bastion is configured in High-Availability mode with DRBD, the user data
retention configuration is only spread out to the “Slave” node when the latter becomes
“Master” node after a switchover. It is recommended to force a DRBD switch in order to
display the new configuration on all nodes.
The “Data retention policy” section, available from “Configuration” > “Configuration options”, allows
you to configure the following options:
• “Remove user data older than”: deletes the users' data stored in the WALLIX Bastion databases,
i.e. the data located in the following tables: account activity, answer, approval, auth_log,
session_log and user. All data older than the value defined in this field is deleted. The value is
expressed either in weeks (with the suffix “w”, such as “10w” for 10 weeks) or in days (with the
suffix “d”, such as “24d” for 24 days). If no suffix is specified, the value is taken to be a number
of weeks.
Note:
The deletion of user data from the WALLIX Bastion databases is based on:
– for the account activity table: the date of the user's activity
– for the answer table: the creation date of the approval answer
– for the approval table: the end date of the approval
– for the auth_log table: the timestamp of the authentication logs
– for the user table: the deactivation date of the user
For further information on the session purge, refer to Section 15.18, “Export and/or
purge session recordings manually”, page 284 and Section 15.19, “Export and/or
purge session recordings automatically”, page 286.
• “Max delete objects”: it consists of the maximum number of objects, per data type, to delete from
the database. This field is displayed when the check box of the "Advanced options" field at the
top right of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
• “Remove user logs older than”: deletes the users' data stored in the WALLIX Bastion logs, i.e.
the data located in the files saved in the /var/log partition: syslog, debug, error, user.log,
wabaudit.log and wabauth.log. All data older than the value defined in this field is deleted.
The value is expressed either in weeks (with the suffix “w”, such as “20w” for 20 weeks) or in
days (with the suffix “d”, such as “36d” for 36 days). If no suffix is entered, the value is taken to
be a number of weeks. The maximum retention time for the logs is 365 days or 52 weeks.
Warning:
If the defined value for the option “Remove user data older than” is higher than the one
set for “Remove user logs older than”, then the log retention time takes into account the
value defined for “Remove user data older than”.
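The following Python snippet is an added illustration, not code from the WALLIX Bastion product or from this guide. It parses the retention syntax described above ("10w", "24d", or a bare number meaning weeks) and derives the log retention that is actually applied once the rule in the warning and the 365-day maximum are taken into account. The function names are this example's own, and the sample values are constructed.

```python
import re

# Documented maximum for "Remove user logs older than": 365 days or 52 weeks.
MAX_LOG_RETENTION_DAYS = 365

# A bare number, optionally followed by "w" (weeks) or "d" (days).
_RETENTION_RE = re.compile(r"^\s*(\d+)\s*([wdWD]?)\s*$")


def retention_to_days(value: str) -> int:
    """Convert a retention value such as "10w", "24d" or "6" to a number of days.

    A missing suffix means weeks, as the guide specifies. Anything else
    (negative numbers, other units, empty strings) is rejected.
    """
    match = _RETENTION_RE.match(value)
    if not match:
        raise ValueError(f"invalid retention value: {value!r}")
    number, suffix = int(match.group(1)), match.group(2).lower()
    if suffix == "d":
        return number
    return number * 7  # "w" or no suffix: weeks


def effective_log_retention_days(remove_user_data: str, remove_user_logs: str) -> int:
    """Return the retention (in days) applied to the log files.

    Per the warning above, when "Remove user data older than" is higher than
    "Remove user logs older than", the log retention follows the data value.
    The 365-day cap is surfaced here as an explicit error; how the product
    itself reacts to a larger value is not stated in the guide (assumption).
    """
    data_days = retention_to_days(remove_user_data)
    log_days = retention_to_days(remove_user_logs)
    effective = max(data_days, log_days)
    if effective > MAX_LOG_RETENTION_DAYS:
        raise ValueError(
            f"log retention of {effective} days exceeds the "
            f"{MAX_LOG_RETENTION_DAYS}-day maximum"
        )
    return effective


if __name__ == "__main__":
    # Constructed sample values, not taken from a real configuration.
    print(retention_to_days("10w"), retention_to_days("24d"), retention_to_days("6"))
    print(effective_log_retention_days("20w", "10w"))  # the data value applies: 140
```

Checking a planned configuration this way before entering it in the Web interface makes it easy to see that a data retention of "60w" silently drags the log retention past the documented maximum.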
WALLIX Bastion allows you to define notifications which are triggered and sent to the user if some
specific events are detected, such as:
Note:
When notifications are enabled for this event type, the email summarizes errors for
sessions older than 3 days by default. It is however possible to set a different value
for this number of days. To edit this parameter, go to “Configuration” > “Configuration
options” > “Session log policy”, then enter a positive integer in the field “Summarize
error older than” below section “IntegrityChecker”. If “0” is entered in this field, then
there is no error summary in the notification email.
• a RAID error
• a pattern detection during analysis of an RDP or SSH flow
• a license expiration warning
Note:
When notifications are enabled for this event type, the warning email will be sent 15
days, 10 days, 5 days and 1 day before the license expiration date.
It is also possible to define thresholds to trigger a notification to the administrator when
one of the license metrics has reached and/or exceeded these thresholds. For more
information, refer to Section 8.2.2, “Managing the sending of notifications”, page 45.
From the “Notifications” page of the “Configuration” menu, you can add, edit or delete notifications.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
Note:
Once you have entered a valid email address, click on “+” at the end of the field to
add it to the recipient list. Once an email address is added, you have the possibility to
delete it from the list by clicking on the “-” red icon.
You can add as many recipients as necessary.
Note:
You can configure the settings for sending emails on the “SMTP Server” page of the
“System” menu (refer to Section 8.12, “SMTP server”, page 59).
From the “Notifications” page of the “Configuration” menu, check the box at the beginning of the
line to select the notification you wish to delete, then click on the “Delete” button. WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the notification.
• modify the subject and body of the notifications to your specific needs
• send notifications in HTML format
Note:
Once a custom notification template has been created, the notification will be sent in the
following order:
• First, the custom notification in the user's language if a corresponding template exists.
For example: approval_pending_user_fr.txt
• Or the custom notification in English if a corresponding template exists. For example:
approval_pending_user_en.txt
• Or the default notification of WALLIX Bastion in the user's language. For example:
approval_pending_user.txt
Caution:
The name of the custom notification templates must be the same as the name of the
default notification templates, followed by the language suffix.
To display the list of default notifications in order to copy the name, run
the following command: ls /opt/wab/lib/python3.7/site-packages/
wallixgenericnotifier/templates/mail.
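The Python snippet below is an added example, not code from the WALLIX Bastion product or from this guide. It reproduces the template lookup order given in the note above and checks that a custom template name follows the naming rule in the caution (default name plus language suffix). The default template list is constructed from the two names mentioned on this page plus a placeholder; in practice it would be filled from the ls command above. The function names are this example's own.

```python
import re
from pathlib import Path

# Constructed stand-in for the output of the ls command above; the first two
# names appear in the guide, the third is an obvious placeholder.
DEFAULT_TEMPLATES = frozenset({
    "approval_pending_user.txt",
    "approval_pending_approver.txt",
    "example_default_template.txt",  # placeholder, not a real template name
})

# A custom template name: <default name without .txt> + "_" + two-letter language + ".txt"
_LANG_SUFFIX_RE = re.compile(r"^(?P<base>.+)_(?P<lang>[a-z]{2})\.txt$")


def custom_template_base(name: str, defaults=DEFAULT_TEMPLATES):
    """Return (default_name, lang) when `name` is a valid custom template name.

    Returns None when the name has no language suffix or does not derive from
    one of the default template names (the rule stated in the caution).
    """
    match = _LANG_SUFFIX_RE.match(name)
    if not match:
        return None
    default_name = f"{match.group('base')}.txt"
    if default_name not in defaults:
        return None
    return default_name, match.group("lang")


def resolve_template_name(available, default_name: str, user_lang: str) -> str:
    """Pick the template file following the documented order.

    1. custom template in the user's language (<base>_<lang>.txt)
    2. custom template in English (<base>_en.txt)
    3. the product's default template (<base>.txt)
    `available` is the set of file names present in the template directory.
    """
    base = default_name[: -len(".txt")]
    for candidate in (f"{base}_{user_lang}.txt", f"{base}_en.txt", default_name):
        if candidate in available:
            return candidate
    raise FileNotFoundError(f"no template found for {default_name}")


def resolve_template_path(template_dir: str, default_name: str, user_lang: str) -> Path:
    """Filesystem variant: list the directory, then apply resolve_template_name."""
    directory = Path(template_dir)
    available = {entry.name for entry in directory.iterdir() if entry.is_file()}
    return directory / resolve_template_name(available, default_name, user_lang)


if __name__ == "__main__":
    # Constructed directory listing, not a real template directory.
    listing = {"approval_pending_user.txt", "approval_pending_user_en.txt",
               "approval_pending_user_fr.txt"}
    print(resolve_template_name(listing, "approval_pending_user.txt", "fr"))
    print(resolve_template_name(listing, "approval_pending_user.txt", "de"))
    print(custom_template_base("approval_pending_user_french.txt"))  # None: bad suffix
```

Running custom_template_base over the files an administrator is about to upload catches a misnamed template before it silently falls back to the English or default text.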
The table below lists the additional variables available for the custom notifications:
The table below lists the variables available for the custom approval notifications sent to users
asking for approval (all the templates: approval_*_user.txt):
The table below lists the variables available for the custom approval notifications sent to
approvers (all the templates: approval_*_approver.txt):
--
Target: {{ target }}
• the password validity period in number of days. After this period, the user will be prompted for
password change on the login screen of WALLIX Bastion or when connecting to the RDP or SSH
session. We recommend configuring this setting for a period of less than one year.
• the period in number of days before the display of the first password expiration warning. We
recommend setting this period to a value of at least 20 days.
• the maximum number of authentication failures allowed per user. We recommend setting this
number to a value of at most 5 authentication attempts.
• the number of previous passwords which cannot be reused. We recommend rejecting at least
the last 4 passwords.
• the minimum length of the password. This value must be greater than the sum of the other length
constraints. We recommend setting this length to a value of at least 12 characters.
• the minimum number of special characters in the password. We recommend setting this number
to a value of at least 1 character.
• the minimum number of uppercase letters in the password. We recommend setting this number
to a value of at least 1 character.
• the minimum number of lowercase letters in the password. We recommend setting this number
to a value of at least 1 character.
• the minimum number of digits in the password. We recommend setting this number to a value
of at least 1 character.
• a list to select one or several algorithms allowed for the SSH public key. If the “RSA” algorithm is
selected, the minimum key length must be entered in the “Minimum RSA key length” field. This
value must not be lower than 1024 bits.
Note:
If no algorithm is selected, then the definition of the SSH public key cannot be performed
on the “My Preferences” page and the SSH public key cannot be set for the local user
on the “Accounts” page from the “Users” menu.
• a toggle button to allow passwords similar to the user name. We do not recommend allowing
similarity.
• a button to upload the file containing the list of banned passwords.
Note:
The file containing the list of banned passwords must be in a UTF-8 format.
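As an added example (not code from the WALLIX Bastion product or from this guide), the Python validator below applies the password rules listed above the way an administrator might when pre-checking a policy or a batch of initial passwords: minimum length against the sum of the other length constraints, per-class minimums, similarity to the user name, the UTF-8 banned list and the reuse of previous passwords. The class and function names are this example's own; the definition of "similar" and the history format are assumptions, and all sample passwords are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Policy settings; the default values follow the recommendations above."""
    min_length: int = 12
    min_special: int = 1
    min_uppercase: int = 1
    min_lowercase: int = 1
    min_digits: int = 1
    history_size: int = 4                   # previous passwords that cannot be reused
    allow_similar_to_username: bool = False
    banned_passwords: frozenset = frozenset()

    def check_consistency(self) -> None:
        """The minimum length must be greater than the sum of the other length constraints."""
        others = (self.min_special + self.min_uppercase
                  + self.min_lowercase + self.min_digits)
        if self.min_length <= others:
            raise ValueError(f"min_length ({self.min_length}) must exceed the sum "
                             f"of the other length constraints ({others})")


def load_banned_passwords(path: str) -> frozenset:
    """Read the banned-password file, which the guide says must be UTF-8."""
    with open(path, encoding="utf-8") as handle:
        return frozenset(line.strip() for line in handle if line.strip())


def password_hash(password: str) -> str:
    """Constructed history format (assumption): unsalted SHA-256 hex digest, used
    only so that this example never keeps previous passwords in clear text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def similar_to_username(password: str, username: str) -> bool:
    """Assumption: 'similar' means one string contains the other, ignoring case."""
    p, u = password.lower(), username.lower()
    return bool(u) and (u in p or p in u)


def validate_password(password: str, username: str, policy: PasswordPolicy,
                      previous_hashes=()) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    policy.check_consistency()
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    counts = {
        "too_few_special": sum(not c.isalnum() for c in password),
        "too_few_uppercase": sum(c.isupper() for c in password),
        "too_few_lowercase": sum(c.islower() for c in password),
        "too_few_digits": sum(c.isdigit() for c in password),
    }
    minimums = {
        "too_few_special": policy.min_special,
        "too_few_uppercase": policy.min_uppercase,
        "too_few_lowercase": policy.min_lowercase,
        "too_few_digits": policy.min_digits,
    }
    for rule, count in counts.items():
        if count < minimums[rule]:
            problems.append(rule)
    if not policy.allow_similar_to_username and similar_to_username(password, username):
        problems.append("similar_to_username")
    if password in policy.banned_passwords:
        problems.append("banned")
    # Only the most recent `history_size` entries count for the reuse check.
    recent = list(previous_hashes)[-policy.history_size:] if policy.history_size > 0 else []
    if password_hash(password) in set(recent):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    policy = PasswordPolicy(banned_passwords=frozenset({"Password123!"}))
    print(validate_password("Tr0ub4dor&3xample", "lmartin", policy))   # []
    print(validate_password("lmartin2024!!XYZ", "lmartin", policy))    # ['similar_to_username']
```

The consistency check is deliberately performed before any password is examined, because a policy whose minimum length is not greater than its per-class minimums cannot be satisfied as the guide describes it.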
• the public key in PEM format of the Certificate Authority which issued this server certificate. The
certificate may be self-signed or issued by an accredited authority.
• the certificate in PEM format for the WALLIX Bastion Web server
• the private key in PEM format for this server certificate
Warning:
If the signature algorithm of the server certificate is too weak, an error message is
displayed during the upload. Please contact the WALLIX Support Team for more
information.
Warning:
If X509 authentication is enabled, TLSv1.3 is deactivated for HTTPS connections. This protocol
version is activated by default when X509 authentication is disabled.
Note:
The WALLIX Bastion Web interface and the REST API Web Service are not available
during this set-up phase, so connections to the interface are dropped. RDP and SSH
sessions are not affected.
Note:
The CRL files are stored in the directory /var/wab/apache2/ssl.crl/.
An uploaded file gathering several CRLs will be divided into several unit CRL files.
An uploaded CRL will only replace an old one if the number corresponding to the
“CRLNumber” is greater than or equal to the one of this former version.
This list can also be updated using a dedicated command. For further information, refer
to Section 15.28, “Update the CRL (Certificate Revocation List)”, page 292.
On the “OCSP” page, follow the steps below to manage OCSP:
The “Local authentication - X509” section and the “Certificate DN” field appear on the page when
adding or editing a user (refer to Section 9.1, “User accounts”, page 72). To associate the user
with the certificate, the DN (i.e. "Distinguished Name") of the certificate must be entered in the
“Certificate DN” field as follows:
CN=Lucas Martin,O=MyCorp,L=PARIS,ST=IDF,C=FR
When the certificate is used, the associated user will then be authenticated on WALLIX Bastion.
Caution:
Some certificates include the attribute "emailAddress" mentioned as "E =... " in the
certificate DN. This attribute must be replaced by "emailAddress =... " in the field provided.
Note:
The certificates must be signed by the same Certificate Authority as the Web server
certificate.
The maximum supported length of a DN is 1,024 bytes (the exact number of characters
may be less depending on the length of the UTF-8 encoding).
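The Python snippet below is an added example, not code from the WALLIX Bastion product or from this guide. It prepares a certificate DN for the “Certificate DN” field as described above: it splits the DN on unescaped commas, trims the spacing, replaces an "E =..." attribute with "emailAddress =..." and checks the 1,024-byte limit on the UTF-8 encoding rather than on the character count. The function names are this example's own and the sample DNs are constructed.

```python
# Documented maximum length of a DN, measured on the UTF-8 encoding.
MAX_DN_BYTES = 1024


def split_rdns(dn: str) -> list:
    """Split a DN on commas, ignoring commas escaped with a backslash."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def normalize_certificate_dn(dn: str) -> str:
    """Return the DN in the form expected by the “Certificate DN” field.

    Spaces around "=" and "," are removed and the "E" attribute type is
    rewritten as "emailAddress", as the caution above requires.
    """
    rdns = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        attr, value = attr.strip(), value.strip()
        if attr.upper() == "E":
            attr = "emailAddress"
        rdns.append(f"{attr}={value}")
    return ",".join(rdns)


def dn_fits(dn: str) -> bool:
    """True when the UTF-8 encoding of the DN is within the documented limit."""
    return len(dn.encode("utf-8")) <= MAX_DN_BYTES


if __name__ == "__main__":
    # Constructed sample DNs.
    print(normalize_certificate_dn("E = lucas.martin@mycorp.example, CN=Lucas Martin, O=MyCorp"))
    print(dn_fits("CN=" + "é" * 511))  # 514 characters but 1025 bytes: False
```

The last line of the usage shows why the guide words the limit in bytes: a DN of 514 characters already exceeds 1,024 bytes when the characters need two bytes each in UTF-8.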
Figure 9.14. "Accounts" page in modification mode with the "Certificate DN" field
Users and administrators can then log on using a saved certificate stored in the browser.
S/he can choose to accept or reject multiple automatic connections for RDP sessions, SSH
sessions or both for a given time period expressed in seconds by enabling the “Also applies to
all connections for:” button and configuring the fields underneath this button.
Warning:
The browser and the RDP or SSH client must both be running on the same workstation
(and therefore use the same IP address) for the connection confirmation request to be displayed.
The maximum duration value during which automatic connections are allowed can be
defined in the field “X509 automatic sessions timer” from “Configuration” > “Configuration
Options” > “Global”. This duration cannot exceed 60 seconds and is set to 15 seconds by
default. The user cannot specify in the popup window a duration greater than this value.
If the authentication is based on account mapping, the user must enter his/her password
on the target.
Warning:
The Web interface is restarted. Thus, no user connections must be active.
The default configuration is restored: the certificates are deleted and new self-signed
certificates are generated.
• LDAP
• Active Directory
• Kerberos
• RADIUS
From the "External Authentications" page on the "Configuration" menu, you can add, edit or delete
external authentication configurations.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
Note:
The default authentication configured on WALLIX Bastion is "local". This external
authentication method allows users to log on using the product’s internal data engine.
From the "External Authentications" page, click on "Add an authentication" to display the external
authentication creation page.
• an authentication type: you must select the appropriate type to display the required fields for the
authentication definition
• an authentication name
• a server address (IP or FQDN)
• a connection port
Refer to the sections below to get specific information on the creation of external authentications
on this page.
Figure 9.19. "External Authentications" page in addition mode for LDAP authentication
• "Key distribution center": specify the domain name or the IP address of the KDC server
• "Realm name": specify the domain name (REALM)
• "Keytab file": the keytab files used for service authentication must be uploaded. Each uploaded
keytab file is merged with the previously loaded files.
If an HTTP service is present in the keytab file, Kerberos support is activated for GUI
authentication; the /iwab suffix must then be added to the URL: https://bastion_ip_address/iwab
or https://<bastion_name>/iwab
HOST services are used for Kerberos authentication with the SSH proxy. It is then possible
to use a "forwardable" ticket to connect to a target within the same Kerberos domain using
account mapping (refer to Section 10.4.1, “Add a target account to a global domain”, page 159,
Section 10.4.2, “Add a target account to a device”, page 163 or Section 10.4.3, “Add a target
account to an application”, page 165).
• "Use primary domain name": this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. "user@domain") during second authentication.
In order for a Kerberos authenticated user (via the GUI or the SSH proxy) to be acknowledged by
WALLIX Bastion, at least one of the following two conditions is required:
• the user is defined locally on WALLIX Bastion and the appropriate Kerberos external
authentication is configured for this user or
• the user is an LDAP user mapped to a WALLIX Bastion defined group. In this case, at least one
of the following configurations is required:
– a mapping must be defined on WALLIX Bastion for the LDAP domain of the user and the
Kerberos domain name matches the LDAP domain name (case insensitive) or
– a default mapping is defined on WALLIX Bastion.
• "Key distribution center": specify the domain name or the IP address of the KDC server
• "Realm name": specify the domain name (REALM)
• "Keytab file": the keytab files used for service authentication must be uploaded. Each uploaded
keytab file is merged with the previously loaded files.
• "Use primary domain name": this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. "user@domain") during second authentication.
• the user is defined locally on WALLIX Bastion and the appropriate Kerberos-Password external
authentication is configured for this user or
• Kerberos-Password is used as a second factor after first authenticating via LDAP with or without
using Active Directory
To add an LDAP external authentication without using Active Directory, enter the fields on the
"External Authentications" page as follows:
• "Timeout (s)": specify the maximum time period (expressed in seconds) for connection attempt
to the LDAP server. This value is set to 3 seconds by default.
Caution:
This timeout applies to all new LDAP external authentications. The LDAP external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.
Note:
For further information on TLS configuration, refer to Section 15.24, “Configure TLS
options for LDAP external authentication”, page 289.
When the anonymous bind method is selected, the "User"/"Password" fields and the "Client key
and certificate" field are not displayed.
When the simple bind method is selected and no encryption protocol is specified, the "User" and
"Password" fields are required.
When the simple bind method is selected and the chosen encryption protocol is either "StartTLS"
or "SSL", the "User"/"Password" fields and the "Client key and certificate" field are optional.
However, it is required to enter at least one of them (either the "User"/"Password" pair or the
"Client key and certificate" field).
• "User" and "Password": specify a user name and a password to use for searching the WALLIX
Bastion user name in the directory. These fields are not displayed when the anonymous bind
method is selected.
Note:
The user must have read rights for the base DN used.
• "CA certificate": this field is displayed when either "StartTLS" or "SSL" is selected as the
encryption protocol. Browse a path to upload the CA certificate file. This certificate is checked
against the LDAP server during connection.
Important:
The hostname specified in the “Server” field must be copied to the “CN” field in the
certificate.
• "Client key and certificate": this field is displayed when the simple bind method is selected and the
chosen encryption protocol is either "StartTLS" or "SSL". Browse a path to upload the private key
and certificate used to connect and authenticate on the LDAP server by providing a PKCS#12
file. Once the file has been uploaded, a passphrase can be provided for the certificate on the
dedicated field. The certificate is checked against the CA certificate during connection.
• "Use primary domain name": this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. "user@domain") during second authentication.
Once the fields are entered, it is possible to test the LDAP external authentication configuration by
clicking on the "Test" button. A test in progress can be cancelled at any time.
Important:
When using this method, the user can be prompted for password change after expiration
on the login screen of WALLIX Bastion or when connecting to the RDP or SSH session.
The prerequisites are then as follows:
• the minimum required version for the Active Directory server is Windows Server 2008
R2
• the option “AD user password change” (accessible from the menu “Configuration” >
“Configuration Options” > “Global” > section “main”) must be selected and
• at least one encryption protocol must be set for this method in the "Encryption" field
(i.e. either "StartTLS" or "SSL").
To add an LDAP external authentication using Active Directory, enter the fields on the "External
Authentications" page as follows:
• "Timeout (s)": specify the maximum time period (expressed in seconds) for connection attempt
to the LDAP server. This value is set to 3 seconds by default.
Caution:
This timeout applies to all new LDAP external authentications. The LDAP external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.
Note:
For further information on TLS configuration, refer to Section 15.24, “Configure TLS
options for LDAP external authentication”, page 289.
• "Base DN": depends on the domain name. For example, for the domain "mycorp.lan", the base
DN should be "dc=mycorp,dc=lan".
• "Login attribute": specify the login attribute used for connection. By default, this connection
attribute corresponds to "sAMAccountName". The "mail" attribute can be specified in this field
to allow users associated with this authentication to use their email when logging on to the Web
interface. The following login formats are then supported:
– jdoe@mycompany.com@domain. The format is then "login@domain" with the email defined
as login (i.e. "jdoe@mycompany.com")
– domain\\jdoe@mycompany.com. The format is then "domain\\login" with the email defined as
login (i.e. "jdoe@mycompany.com")
– jdoe@mycompany.com with the domain defined as the default LDAP/AD domain.
The "UserPrincipalName" can also be specified in this field. If so, the user must use this attribute
as defined by the administrator to log on.
• "User name attribute": specify the user name attribute. By default, it corresponds to
"sAMAccountName".
• "Bind method": select either the anonymous or the simple or the SASL (based on GSS-API) bind
method.
Note:
The SASL bind method based on GSS-API must be selected when the LDAP user is
included in the "Protected Users" group.
When the anonymous bind method is selected, the "User"/"Password" fields and the "Client key
and certificate" field are not displayed.
When the simple bind method is selected and no encryption protocol is specified, the "User" and
"Password" fields are required.
When the simple bind method is selected and the chosen encryption protocol is either "StartTLS"
or "SSL", the "User"/"Password" fields and the "Client key and certificate" field are optional.
However, it is required to enter at least one of them (either the "User"/"Password" pair or the
"Client key and certificate" field).
When the SASL (based on GSS-API) bind method is selected and the chosen encryption protocol
is either "StartTLS" or "SSL", the "User" and "Password" fields are required.
• "User" and "Password": specify a user name and a password to use for searching the WALLIX
Bastion user name in the directory. These fields are not displayed when the anonymous bind
method is selected.
Note:
The user must have read rights for the base DN used.
• "CA certificate": this field is displayed when either "StartTLS" or "SSL" is selected as the
encryption protocol. Browse a path to upload the CA certificate file. This certificate is checked
against the LDAP server during connection.
Important:
The hostname specified in the “Server” field must be copied to the “CN” field in the
certificate.
• "Client key and certificate": this field is displayed when the simple bind method is selected and the
chosen encryption protocol is either "StartTLS" or "SSL". Browse a path to upload the private key
and certificate used to connect and authenticate on the LDAP server by providing a PKCS#12
file. Once the file has been uploaded, a passphrase can be provided for the certificate on the
dedicated field. The certificate is checked against the CA certificate during connection.
• "Use primary domain name": this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. "user@domain") during second authentication.
Once the fields are entered, it is possible to test the LDAP external authentication configuration by
clicking on the "Test" button. A test in progress can be cancelled at any time.
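The Python snippet below is an added example, not code from the WALLIX Bastion product or from this guide. It ties together three points from the Active Directory field descriptions above: deriving the "Base DN" from a domain name ("mycorp.lan" to "dc=mycorp,dc=lan"), splitting the login formats accepted when the "mail" attribute is the login attribute, and building the search filter that the "User"/"Password" account would issue to look up the login attribute, with the value escaped per RFC 4515 so that a login typed with LDAP filter metacharacters cannot change the meaning of the query. The function names are this example's own; the handling of a single "@" for a non-"mail" login attribute is an assumption, and every sample value is constructed.

```python
def base_dn_from_domain(domain: str) -> str:
    """Derive the "Base DN" from a DNS domain name: "mycorp.lan" -> "dc=mycorp,dc=lan"."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError(f"empty domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def parse_login(login: str, default_domain: str, login_attribute: str = "sAMAccountName"):
    """Return (value searched in the directory, LDAP/AD domain).

    With the "mail" login attribute the guide lists three formats:
      login@domain   e.g. "jdoe@mycompany.com@domain"  (the email is the login)
      domain\\login  e.g. "domain\\jdoe@mycompany.com"
      login alone    e.g. "jdoe@mycompany.com", using the default LDAP/AD domain
    For a login attribute whose values contain no "@" (such as sAMAccountName),
    a single "@" is taken to separate login and domain (assumption).
    """
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif login_attribute.lower() == "mail":
        if login.count("@") >= 2:
            user, _, domain = login.rpartition("@")   # last "@" separates the domain
        else:
            user, domain = login, default_domain      # bare email: default domain
    elif "@" in login:
        user, _, domain = login.rpartition("@")
    else:
        user, domain = login, default_domain
    if not user or not domain:
        raise ValueError(f"cannot split login {login!r}")
    return user, domain


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(login_attribute: str, value: str) -> str:
    """Filter used to find the WALLIX Bastion user name under the base DN."""
    return f"({login_attribute}={escape_filter_value(value)})"


if __name__ == "__main__":
    # Constructed sample values, not from a real directory.
    print(base_dn_from_domain("mycorp.lan"))
    user, domain = parse_login("jdoe@mycompany.com@mycorp.lan", "mycorp.lan", "mail")
    print(user, domain, user_search_filter("mail", user))
    # A login containing filter metacharacters is neutralised by the escaping:
    print(user_search_filter("sAMAccountName", "*)(objectClass=*"))
```

Escaping the assertion value is the property to verify when reviewing any code that builds LDAP filters from a user-supplied login; the last print shows the neutralised form of an input that would otherwise widen the search.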
• “Timeout (s)”: specify the maximum time period (expressed in seconds) for connection attempt
to the server. This value is set to 5 seconds by default.
Caution:
This timeout applies to all new RADIUS external authentications. The RADIUS external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.
Note:
In the context of second factor authentication, if a user performs several connections and
the client's IP address is the same as the one used for the previous authentication then
s/he is not prompted to authenticate again.
• "Timeout (s)": specify the maximum time period (expressed in seconds) for connection attempt
to the server. This value is set to 30 seconds by default.
• "Description": enter a description if needed
• "Properties file": browse a path to upload the PingID properties file (named
pingid.properties) containing several account-specific settings. This file can be downloaded
from the PingID administrator interface.
• "Force OTP": select the check box to force the one-time password (or “OTP”) authentication only.
In this case, no other authentication method will be suggested.
• "Use primary domain name": this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. "user@domain") during second authentication.
Note:
The WALLIX Bastion administrator should remind the user to specify only the login field
to access the Web interface when authenticating via PingID.
Warning:
You cannot delete an external authentication if at least one user is linked to this
authentication.
From the "LDAP/AD Domains" page on the "Configuration" menu, you can define, configure, edit,
delete and import domains. You can also import LDAP authentication mappings from the "CSV"
page on the "Import/Export" menu.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
Note:
It is possible to configure the TLS options to allow the request of a given CA certificate to
authenticate on the LDAP server by editing the file /etc/ldap/ldap.conf. For further
information on this file, refer to http://www.openldap.org/software/man.cgi?
query=ldap.conf.
A domain gathers the attributes of the directory schema to use in order to find the necessary
attributes for an account in the Bastion.
These attributes are listed in the various areas on the "LDAP/AD Domains" page.
The area in the upper part of the page lists the following main properties for the domain:
Note:
Except for LDAP external authentication, all external authentications defined from the
"External Authentications" page on the "Configuration" menu can be used as secondary
authentications, after first LDAP authentication.
• the user: the schema’s attribute is indicated in the "User name attribute" field on the "External
Authentications" page (refer to Section 9.8.1, “Add an external authentication”, page 107). By
default, WALLIX Bastion uses “sAMAccountName” with AD or “uid” with LDAP.
• the group attribute: describes a user's group membership. The default value is “memberOf” for
an AD server and “(&(ObjectClass=posixGroup)(memberUid=${uid}))” for an LDAP
server. The latter is an LDAP query used to find the groups containing the user identified by his or
her “uid”. Some servers may not expose, for each account, the list of the groups to which it
belongs; an additional query is therefore necessary. The “${uid}” syntax is specific to the Bastion;
the “uid” attribute can be replaced by any user attribute. If the LDAP server supports the
“memberOf” value, its use is recommended. This is the case with OpenLDAP servers configured
with the “memberOf” overlay.
It is possible to manage recursive (nested) groups with an AD server. In this case, the default value
has to be replaced with the query below:
(&(ObjectClass=group)(member:1.2.840.113556.1.4.1941:=${distinguishedName}))
• an option to select X509 authentication: if this option is selected, users can only authenticate
on the LDAP/AD domain through the X509 certificate authentication method. When this option is
selected, the other fields in this area are enabled.
• the condition to match an LDAP/AD domain with the X509 certificate. If no condition is specified
in the “Matching condition” field, the LDAP/AD domain can be used for X509 authentication
regardless of the certificate.
This condition is formatted according to the following available variables retrieved from the
certificate:
For example, the matching condition below will associate the domain with a certificate issued
by an organization whose name (“issuer_o”) includes “Company Ltd.” OR a certificate whose
issuer common name (“issuer_cn”) includes “Security Cert” and whose subject organizational unit
(“subject_ou”) corresponds to “Finance&Accounting”:
The operator “&&” (i.e. “AND”) has precedence over the operator “||” (i.e. “OR”). Values are case
sensitive whereas variables are not.
Important:
The format corresponds to the syntax used in advanced search filters in the REST API.
For further information, refer to the related online help page at this address:
https://bastion_ip_address/api/doc/Usage.html#search
• the LDAP/AD search filter to retrieve users within the domain. This data is expressed using LDAP
filter syntax but any available variables as listed for field “Matching condition” can also be used.
Note:
All the variables specified in the field “Search filter” must be present in the certificate
to provide a valid LDAP/AD filter and retrieve users accordingly.
For example, the filter syntax below will retrieve LDAP/AD users whose “cn” is the
“subject_cn” of the certificate or whose “uid” is the “subject_uid” of the certificate and whose
“preferredLanguage” attribute is “fr”:
(&(|(cn=${subject_cn})(uid=${subject_uid}))(preferredLanguage=fr))
For example, the filter syntax below will retrieve AD users whose local part of the
“userPrincipalName” is the “subject_cn” of the certificate and whose domain includes either
“company.com” or “biz.company.com”:
(|(userPrincipalName=${subject_cn}@company.com)(userPrincipalName=${subject_cn}@biz.company.com))
• when using X509 authentication with an Active Directory server, the domain name to match
against the email in the certificate. The domain is compared with the email field of the X509
Subject Alternative Name (SAN) extension.
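The ${variable} substitution used by the group attribute and by the X509 search filters above can be modelled as follows; this Python is an added illustration, not WALLIX code. It reuses the four filter templates quoted on this page; the certificate values are constructed, and the RFC 4515 escaping of substituted values is an assumption about good practice, not something the guide states the Bastion does.

```python
import re
from typing import Dict, List

# Placeholder syntax used in the Bastion's "Group attribute" and "Search filter" fields,
# e.g. ${uid}, ${subject_cn}, ${distinguishedName}.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

# RFC 4515 escapes for a value placed inside an LDAP filter assertion. Escaping is an
# assumption about good practice here; the guide does not say how the Bastion does it.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The four filter templates quoted in the guide (group attribute and X509 search filters).
GUIDE_TEMPLATES = {
    "posix_groups": "(&(ObjectClass=posixGroup)(memberUid=${uid}))",
    "ad_recursive_groups":
        "(&(ObjectClass=group)(member:1.2.840.113556.1.4.1941:=${distinguishedName}))",
    "x509_user_lookup": "(&(|(cn=${subject_cn})(uid=${subject_uid}))(preferredLanguage=fr))",
    "x509_upn_lookup": "(|(userPrincipalName=${subject_cn}@company.com)"
                       "(userPrincipalName=${subject_cn}@biz.company.com))",
}

# Constructed sample of the variables an X509 client certificate would provide.
SAMPLE_CERT_VARIABLES = {
    "subject_cn": "Alice Martin",
    "subject_uid": "amartin",
    "subject_ou": "Finance&Accounting",
    "issuer_o": "Company Ltd.",
}


class MissingCertificateVariable(KeyError):
    """Raised when a ${variable} in the template has no value in the certificate."""


def escape_ldap_value(value: str) -> str:
    """Escape a substituted value so it cannot change the structure of the filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def missing_variables(template: str, variables: Dict[str, str]) -> List[str]:
    """Return the placeholders of the template that the certificate does not provide.

    Variable names are compared case-insensitively, as the guide states for the
    matching condition variables."""
    known = {name.lower() for name in variables}
    missing: List[str] = []
    for name in _PLACEHOLDER.findall(template):
        if name.lower() not in known and name not in missing:
            missing.append(name)
    return missing


def render_filter(template: str, variables: Dict[str, str]) -> str:
    """Substitute ${variable} placeholders with escaped values.

    Mirrors the guide's rule that every variable in the "Search filter" must be present
    in the certificate, otherwise no valid LDAP filter can be produced."""
    missing = missing_variables(template, variables)
    if missing:
        raise MissingCertificateVariable(", ".join(missing))
    lookup = {name.lower(): value for name, value in variables.items()}
    return _PLACEHOLDER.sub(
        lambda m: escape_ldap_value(lookup[m.group(1).lower()]), template)


if __name__ == "__main__":
    print(render_filter(GUIDE_TEMPLATES["x509_user_lookup"], SAMPLE_CERT_VARIABLES))
    print(render_filter(GUIDE_TEMPLATES["x509_upn_lookup"], SAMPLE_CERT_VARIABLES))
    print(render_filter(GUIDE_TEMPLATES["posix_groups"], {"uid": "amartin"}))
    # Certificate without a "subject_uid": the filter cannot be built.
    print(missing_variables(GUIDE_TEMPLATES["x509_user_lookup"], {"subject_cn": "Alice Martin"}))
```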
It is then necessary to create LDAP/AD authentication mappings by linking the groups from the
LDAP/AD directory with the WALLIX Bastion user groups in the area “LDAP authentication mapping”
at the bottom of the page.
A mapping links the WALLIX Bastion user group specified in the “User group” field with a group
from the directory by specifying the value to map for the group attribute defined above (e.g. its full
DN for “memberOf”) in the “LDAP group” field. If the WALLIX Bastion group is not already mapped,
you must also select the WALLIX Bastion profile for the group members in the “Profile” field.
If no mapping is found when a user connects, the latter can be placed in a default group. To do
this, select the available check box on the left of the line to declare the corresponding group as the
“Default group for users without group in this domain” option. This option provides WALLIX Bastion
access to any user defined in the directory.
The mappings can also be edited on the user group modification page (refer to Section 9.2, “User
groups”, page 82).
Note:
In the area “LDAP authentication mapping”, the administrator cannot view the mappings
whose profiles have at least one permission that the administrator's profile cannot
grant as a transferable right. For further information, refer to Section 9.3, “User
profiles”, page 86.
The fields in this page are the same as those in the external domain creation page, except the
"WALLIX Bastion domain name" field which is not displayed.
From the "LDAP/AD Domains" page, check the box at the beginning of the line(s) to select the
related authentication(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the line(s).
Warning:
You cannot delete a domain if at least one user group is mapped to this domain.
Important:
The update of existing data when importing a .csv file overwrites old data.
(memberUid=${uid}))" [end of the default group attribute value, continued from the previous page]
Full name attribute | Text | O | [aA-zZ], [0-9], '-', '_' | LDAP-AD: attribute "displayName"; LDAP: "cn"
Email attribute | Text | O | [aA-zZ], [0-9], '-', '_' | "mail"
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
The file must begin with a line containing the following tag:
#wab820 usersgroupmappings
Important:
The update of existing data when importing a .csv file overwrites old data.
For example:
'CN=Users,DC=2008,DC=system,DC=enterprise'
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
10.1. Devices
A device is a physical or virtual piece of equipment for which WALLIX Bastion manages access
to sessions or passwords.
The “Devices” page on the “Targets” menu allows you to:
• list devices
• add, edit and delete a device
• filter devices using tags. For further information, refer to Section 10.1.3, “Use tags to organize
devices”, page 131.
It is possible to import devices from a .csv file to populate the WALLIX Bastion resource database.
For further information, refer to Section 10.1.5, “Import devices”, page 132.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
• the device name: this is the name users will use to access the device. It can be unrelated to the
machine’s DNS name. An existing name cannot be assigned to another device.
• an alias: it can be used as a second name for the device. The device name has priority over the
alias. An existing alias cannot be assigned to another device.
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the device creation page.
To add a service, click on the “+ Add” button and select the desired protocol from the list. A window
opens and allows you to select and enter the following fields:
• the service name: this is the name users will use to access the service. The name can be unrelated
to the protocol name and the port number.
• the default port
• a connection policy defining the authentication mechanism for the service on this device. For
further information, refer to Section 12.4, “Connection policies”, page 236.
You can declare a connection scenario for the connection policies based on the TELNET or
RLOGIN protocols. For further information, refer to Section 12.14, “TELNET/RLOGIN connection
scenario on a target device”, page 245.
You can declare a startup scenario for the connection policies based on the SSH protocol. For
further information, refer to Section 12.16, “SSH startup scenario on a target device”, page 247.
• a global domain: it is required to select a global domain in order to create targets for applications
and clusters
• a list of proxy options for RDP and SSH connections. For further information, refer to
Section 10.1.6, “SSH specific options”, page 134 and Section 10.1.7, “RDP specific
options”, page 135.
Note:
If you want to add more than one specific service, you can repeat this process as many
times as necessary.
Once you have added a service, you have the possibility to add it to a group in order to configure
a target group for session management through account mapping and/or interactive login. The
resource associations can also be managed from the “Groups” page (for further information, refer
to Section 10.5.1, “Add a target group”, page 172).
To add a service to a group, check the box at the beginning of the line of the concerned service
and click on the “Add to group” button. A window opens and allows you to enter and select the
following fields:
• the group name: you can select an existing group or create a new one
• a description
• the target type: either account mapping or interactive login
• the services
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the service with another group and/or target type. Otherwise, click
on the “Add and close” button to save the data and close the window.
– a description
– the checkout policy
– a toggle button to enable or disable the automatic password change for this account
– a toggle button to enable or disable the automatic SSH key change for this account
• on the “Password” tab:
– a password and its confirmation
– a toggle button to enable or disable the manual change of the password and its propagation
on the target
Note:
You have the possibility to delete a password already set for this account by clicking
on the “Delete password” button.
Note:
You have the possibility to delete an SSH private key already set for this account by
clicking on the “Delete existing SSH private key” button.
Once you have added a local account on the device, you have the possibility to add it to a group
in order to configure:
• a target group for session management from an account (for further information, refer to
Section 10.5.1.2, “Configure a target group for session management from an account in the
vault”, page 172)
• a target group for session management for a scenario account (for further information,
refer to Section 10.5.1.3, “Configure a target group for a scenario account during SSH
session”, page 173)
• a target group for password management from an account (for further information, refer to
Section 10.5.1.6, “Configure a target group for password management from an account in the
vault”, page 175)
Note:
The resource associations can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).
To add a local account to a group, check the box at the beginning of the line to select the concerned
local account, then click on the “Add to group” button. A window opens and allows you to enter and
select the following fields:
• the group name: you can select an existing group or create a new one
• a description
• the target type: either account for session management or scenario account for session
management or account for password management
• the service (if it is required for the selected target type)
• the local accounts
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the local account with another group and/or target type and/or
service. Otherwise, click on the “Add and close” button to save the data and close the
window.
To add a global account, click on the “+ Add” button. A window opens and allows you to select and
enter the following fields:
Note:
You have the possibility to delete a password already set for this account by clicking
on the “Delete password” button.
Note:
You have the possibility to delete an SSH private key already set for this account by
clicking on the “Delete existing SSH private key” button.
This tab lists the references used to manage service accounts. The references for this global
account can be managed from the “References” tab in the account modification page, accessible
from “Targets” > “Accounts” > “Global accounts”. For further information, refer to Section 10.4.1.4,
“Define references for service account management”, page 162.
Once you have added a global account, you have the possibility to add it to a group in order to
configure a target group for session management from an account (for further information, refer
to Section 10.5.1.2, “Configure a target group for session management from an account in the
vault”, page 172).
Note:
The resource associations can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).
To add a global account to a group, check the box at the beginning of the line to select the concerned
global account, then click on the “Add to group” button. A window opens and allows you to enter
and select the following fields:
• the group name: you can select an existing group or create a new one
• a description
• the target type: account for session management
• the service
• the global accounts
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the global account with another group and/or service. Otherwise,
click on the “Add and close” button to save the data and close the window.
Note:
Target accounts and services must exist for the device to be able to manage associations.
By clicking on a group name, you are redirected to the data modification page of this group. You
can then configure, edit or delete the data related to this group. For further information, refer to
Section 10.5, “Target groups”, page 172.
To delete a certificate or a key, check the box at the beginning of the line to select the certificate or
the key you wish to delete, then click on the “Delete” button.
Caution:
A user is allowed to display the certificates on the device if the “View” right for the “Targets
& accounts” feature is set in his/her profile (refer to Section 9.3, “User profiles”, page 86).
A user is allowed to delete the certificates on the device if the “Modify” right for the “Targets
& accounts” feature is set in his/her profile (refer to Section 9.3, “User profiles”, page 86).
These tags allow you to organize your devices in a consistent and relevant way in order to quickly
identify a specific device. For further information, refer to Section 10.1.3, “Use tags to organize
devices”, page 131.
Note:
Each device can have a maximum of 64 tags.
To add a tag, click on the “+ Add” button. A window opens and allows you to select and enter the
following fields:
• “Key”: this is the key of the tag. You can select an existing key or create a new one. The key is
limited to 512 characters.
• “Value”: this is the value of the key. You can select an existing value or create a new one. The
value is limited to 256 characters.
Warning:
It is not possible to add tags with identical keys on the same device.
Keys and values are case sensitive and accept UTF-8 characters. Spaces are forbidden
at the beginning and end of the “Key” and “Value” fields.
A tag cannot be edited. In order to change a key and/or a value, it is necessary to delete
the tag and create a new one.
To delete a tag, check the box at the beginning of the line to select the tag you wish to delete, then
click on the “Delete” button.
Warning:
If you delete a device, the associated tags are also deleted.
Note:
Each device can have a maximum of 64 tags.
• “Key”: this is the key of the tag. You can select an existing key or create a new one. The key is
limited to 512 characters.
• “Value”: this is the value of the key. You can select an existing value or create a new one. The
value is limited to 256 characters.
Warning:
It is not possible to add tags with identical keys on the same device.
Keys and values are case sensitive and accept UTF-8 characters. Spaces are forbidden
at the beginning and end of the “Key” and “Value” fields.
A tag cannot be edited. In order to change a key and/or a value, it is necessary to delete
the tag and create a new one.
Once the fields are selected and entered, click on the “Add and continue” button to save the new
data and to continue the creation of tags. Otherwise, click on the “Add and close” button to save
the data and close the window.
Click on the icon in the header of the “Tags” column to display the search field. By clicking in
this field, you access a list of all the tag keys and tag values existing in WALLIX Bastion. Enter,
then select, the key or the value of the desired tag and click on the “Search” button. The devices
corresponding to the filter are listed in the table. An active filter is symbolized by an orange icon.
To delete a filter, click on the icon at the top right of the table, or click on the icon and then on
the “Restore” button.
Warning:
You cannot delete a device on which target accounts are declared.
Important:
The update of existing data when importing a .csv file overwrites old data.
name/PROTOCOL/port/connection_policy//subprotocol1|subprotocol2
To specify several subprotocols within the same protocol, do not repeat all the structure but separate
subprotocols using a pipe “|” as shown in the example below:
rdp/RDP/3389/RDP//RDP_CLIPBOARD_UP|RDP_CLIPBOARD_DOWN|RDP_PRINTER|RDP_COM_PORT|RDP_DRIVE|RDP_SMARTCARD
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
If you do not have rights for the appropriate subprotocol, you may not be authorized to start a remote
shell session or transfer a file.
Note:
Some clients also need the option SSH_SHELL_SESSION to list the directories when
they are used in SCP mode.
• RDP_CLIPBOARD_UP: allows data transfer via the clipboard from the client to the RDP session
• RDP_CLIPBOARD_DOWN: allows data transfer via the clipboard from the session to the RDP
client
• RDP_CLIPBOARD_FILE: allows file transfer from the copy/paste function via the clipboard
• RDP_PRINTER: allows use of local printers in the remote session
• RDP_COM_PORT: allows use of local serial and parallel ports in the remote session
• RDP_DRIVE: allows use of local drives in the remote session
• RDP_SMARTCARD: allows use of local smartcards in the remote session
• RDP_AUDIO_OUTPUT: allows audio playback from the session to the RDP client
• RDP_AUDIO_INPUT: allows audio recording from the client to the RDP session
If you do not have rights for the appropriate subprotocol, you may not be authorized to transfer data
via the clipboard or use your local drive in the remote session.
Note:
Some session options must be associated with others to be fully operational:
- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_UP to transfer a
file via the clipboard from the client to the RDP session
- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_DOWN to
transfer a file via the clipboard from the session to the RDP client
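The device import service field and the RDP subprotocol dependencies described above, as an added example (Python, not part of the guide or of WALLIX's tooling): it parses a service value in the name/PROTOCOL/port/connection_policy//subprotocol list format, applies the note about RDP_CLIPBOARD_FILE, and lists the options that allow data to move between client and session. The meaning of the empty field before the subprotocol list is not given in this excerpt and is left uninterpreted; the sample value is constructed from the guide's own example.

```python
from dataclasses import dataclass, field
from typing import List

# RDP subprotocols (session options) listed in the guide for the device import format.
RDP_SUBPROTOCOLS = {
    "RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN", "RDP_CLIPBOARD_FILE", "RDP_PRINTER",
    "RDP_COM_PORT", "RDP_DRIVE", "RDP_SMARTCARD", "RDP_AUDIO_OUTPUT", "RDP_AUDIO_INPUT",
}
# Options that let data leave or enter the session; worth reviewing per device.
RDP_DATA_TRANSFER_OPTIONS = {
    "RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN", "RDP_CLIPBOARD_FILE", "RDP_PRINTER",
    "RDP_COM_PORT", "RDP_DRIVE",
}


@dataclass
class ServiceSpec:
    name: str
    protocol: str
    port: int
    connection_policy: str
    subprotocols: List[str] = field(default_factory=list)


def parse_service(spec: str) -> ServiceSpec:
    """Parse one 'name/PROTOCOL/port/connection_policy//subprotocol1|subprotocol2' value.

    The empty field between the connection policy and the subprotocol list (the '//')
    is ignored; this excerpt of the guide does not describe it."""
    parts = spec.split("/")
    if len(parts) != 6:
        raise ValueError(f"expected 6 '/'-separated fields, got {len(parts)}: {spec!r}")
    name, protocol, port, policy, _unused, subprotocols = parts
    if not name or not protocol or not policy:
        raise ValueError(f"name, PROTOCOL and connection_policy are required: {spec!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port {port!r} in {spec!r}")
    options = [s for s in subprotocols.split("|") if s]
    return ServiceSpec(name, protocol, int(port), policy, options)


def check_subprotocols(service: ServiceSpec) -> List[str]:
    """Return warnings about the subprotocol list of an RDP service.

    Applies the guide's note that RDP_CLIPBOARD_FILE only works together with
    RDP_CLIPBOARD_UP (client to session) and/or RDP_CLIPBOARD_DOWN (session to client),
    and flags names that are not in the documented RDP list."""
    warnings: List[str] = []
    if service.protocol != "RDP":
        return warnings  # only the RDP list is given in this excerpt
    opts = set(service.subprotocols)
    for unknown in sorted(opts - RDP_SUBPROTOCOLS):
        warnings.append(f"{service.name}: unknown RDP subprotocol {unknown}")
    if "RDP_CLIPBOARD_FILE" in opts and not opts & {"RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN"}:
        warnings.append(f"{service.name}: RDP_CLIPBOARD_FILE is not operational without "
                        "RDP_CLIPBOARD_UP or RDP_CLIPBOARD_DOWN")
    return warnings


def data_transfer_options(service: ServiceSpec) -> List[str]:
    """List the enabled options that allow data transfer between client and session."""
    return sorted(set(service.subprotocols) & RDP_DATA_TRANSFER_OPTIONS)


if __name__ == "__main__":
    # Constructed sample built from the format and example given in the guide.
    spec = ("rdp/RDP/3389/RDP//RDP_CLIPBOARD_UP|RDP_CLIPBOARD_DOWN|RDP_PRINTER|"
            "RDP_COM_PORT|RDP_DRIVE|RDP_SMARTCARD")
    service = parse_service(spec)
    print(service)
    print("warnings:", check_subprotocols(service))
    print("data transfer options:", data_transfer_options(service))
```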
10.2. Applications
WALLIX Bastion enables you to manage application sessions through a jump server on which
the application itself is installed. The user logs on to WALLIX Bastion and chooses an application
in the selector (refer to the figure 10.3, “Application session flow”, page 136). WALLIX Bastion
then initiates an RDP session and automatically launches the application by providing it with the
necessary account information (user name and password). The application session is then recorded
as an RDP session.
Important:
It is not possible to run an application whose linked target operates under a Windows 10
operating system as the remote desktop service does not support the "alternate shell"
function.
Warning:
In order to allow WALLIX Bastion to manage the connections to an application, the latter
must be able to receive the user name and password to be used for the connection as
command-line arguments.
• list applications
• add/edit/delete an application
• import applications from a .csv file which can be used to populate the WALLIX Bastion resource
database
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
Warning:
Please note that after the 120-day grace period expires, you must install Client Access
Licenses (CAL) in order to continue to use these services.
You must provide the user with the right to launch the application. This can be done by providing
access to unlisted programs or by adding the application to the authorized programs as described
below.
If you use the session probe mode, it is necessary to publish the command prompt (cmd.exe) as
the RemoteApp program. For further information regarding this mode and the configuration, we
strongly advise you to refer to Section 12.19, “Using the session probe mode”, page 252.
We recommend setting the lowest possible value as the maximum period during which a
disconnected user session is kept active on the server running Terminal Server. To do so, you can
proceed as follows:
You can allow several connections with the same target account on a jump server.
Alternatively, you can use the corresponding setting with an account policy.
Under Windows Server 2012 or later, you must set an additional setting in order to allow access to
a client that does not use network-level authentication. To do so:
1. Open the "Server Manager" application and select "Remote Desktop Services".
2. Select the needed collection in "Collections". "Quick Session Collection" corresponds to the
default collection.
3. In the "Properties" frame, select "Edit Properties".
4. In the "Security" section, deselect the "Allow connections only from computers running Remote
Desktop with Network Level Authentication (more secure)" check box.
The RemoteApp mode is enabled by default when accessing applications. This parameter can be
managed via "Configuration" > "Configuration Options" > "GUI (Legacy)", then select/deselect the
option "Rdp remote app mode".
The window resizing is enabled by default for the RemoteApp application. This parameter can be
managed via "Configuration" > "Configuration Options" > "RDP proxy", then select/deselect the
option "Allow resize hosted desktop" below section "remote program". When this functionality is
enabled, a pin icon is displayed on the right upper part of the RemoteApp window hosting the classic
RDP session. The window can be resized when the pin points to the left.
The RemoteApp session closes 20 seconds after the last window or taskbar icon has been closed.
This period can be shortened by defining a time period before the display of a disconnect message
to close the session. This period can be set on the field "Remote programs disconnect message
display" on the configuration page related to the connection policy for the RDP protocol. This page
can be accessed from "Session Management" > "Connection Policies".
On the other hand, it may be necessary to convert the RemoteApp session to an Alternate Shell
session to be able to access a published RemoteApp application via a jump server for a session
initiated by Access Manager. This can be done by selecting the option “Wabam uses translated
remotapp”, below section “rdp”, on the configuration page related to the connection policy for the
RDP protocol. This page can be accessed from "Session Management" > "Connection Policies".
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Important:
The RemoteApp sessions of a user connected simultaneously on one or several
applications are split by default when displayed from the "Current Sessions" and
"Session History" pages below the "Audit" menu. If the option "Rdp enable sessions
split" (accessible from "Configuration" > "Configuration Options" > "GUI (Legacy)" >
"main" section) is deselected, it may be possible to get an overlay view of these sessions.
The client Remote Desktop Connection (MSTSC) connected to Windows Server 2008
or 2012 does not allow several RemoteApp programs to share the same RDP session.
There will be as many RDP sessions created as the number of RemoteApp programs
launched.
Display issues related to the Microsoft client have been reported when using RemoteApp
mode and multiple monitors. Dysfunctions occur when the primary monitor is not located
in the upper left part of the virtual screen. The recommended workaround is to locate
the primary monitor in the upper left part of the virtual screen. Refer to
https://go.microsoft.com/fwlink/?LinkId=191444 for further information on the virtual
screen.
The session probe mode can be used to run the applications defined within the Bastion.
This operating mode provides the benefit of blocking the launch of child processes.
This is not the case when using the RemoteApp native mode. However, the restrictions
defined during the creation of the RemoteApp program in Windows (which may concern
user groups, command-line arguments allowed, etc.) will not apply. This mode can
be managed via "Session Management" > "Connection Policies > "RDP", then select/
deselect the option "Use session probe to launch remote program" below section "rdp".
For further information regarding the "session probe" mode, refer to Section 12.19, “Using
the session probe mode”, page 252.
Business applications usually implement an authentication screen so that a user can only access
the data he or she needs. The authentication step checks the login and the password manually
entered by this user, who therefore has knowledge of this sensitive information.
To limit the disclosure of such information, we recommend using AutoIt scripts. These scripts are
supported by WALLIX Bastion and can be used, in particular, to fill in credential forms automatically.
With this process, the application's credential information is retrieved through the RDP virtual
channel. In such a case, the user has no access to this information.
When technical constraints are strong and the security risk is low, the credential information can
also be passed to the application as command-line arguments. However, we do not recommend this
approach as the application user may easily access the information.
To allow AutoIt scripts to retrieve credential information through the RDP virtual channel, the latter
must be enabled from "Configuration" > "Configuration Options" > "RDP proxy"; then enter the name
of this virtual channel in the field "Auth channel" below section "mod_rdp". The symbol "*" tells
WALLIX Bastion to use the default name, which is wablnch. Note that WALLIX Bastion and the AutoIt
script must both use the same virtual channel name to operate properly.
Once the virtual channel is enabled, the AutoIt script must be deployed on the server running
Terminal Server then added to the listed RemoteApp programs:
Note:
The WALLIX Support Team can provide you with a generic AutoIt connection script. Feel
free to contact the Team, should you have any other questions (refer to Chapter 18,
“Contact WALLIX Bastion Support”, page 328).
Next, when configuring the application from the "Applications" page on WALLIX Bastion:
Example:
In the above example, the script WABIELogon_VC_64.exe launches Internet Explorer, retrieves
the credential information from the virtual channel and establishes a connection to the application.
Once the application is configured, it can be linked to a target group from "Targets" > "Groups".
Note:
To automate connections to non Web-based applications, refer to Section 10.2.3,
“Automate connections to an application using AutoIt scripts”, page 139.
Application Driver retrieves the authentication information from the application via an RDP virtual
channel and connects the user automatically.
The authentication forms are thus filled without user intervention and sensitive data is not disclosed
during the authentication phase.
Application Driver can be used without specific deployment (refer to Section 10.2.4.1, “Using
WALLIX Application Driver without specific deployment”, page 141) or by manual deployment
(refer to Section 10.2.4.2, “Using WALLIX Application Driver via a manual deployment”, page 142).
Note:
WALLIX Bastion and Application Driver must use the same virtual channel's name to
operate properly.
To configure the virtual channel, it is necessary to enter the name of the RDP virtual
channel in the field “Auth channel” located in “Configuration” > “Configuration options” >
“RDP proxy” > [mod_rdp] section.
By default, the symbol “*” is already specified and tells WALLIX Bastion to use the virtual
channel's default name: wablnch.
1. In the “Application path” field, enter the value “__APP_DRIVER_IE__” to launch the Web
application using Internet Explorer, the value “__APP_DRIVER_CHROME_UIA__” to launch it
using Google Chrome, or the value “__APP_DRIVER_EDGE_CHROMIUM_UIA__” to launch it
using Microsoft Edge based on Chromium.
2. In the “Parameters” field, specify the necessary parameters to launch the Web application
according to the selected browser. For further information, see Section 10.2.4.3, “Parameters
of WALLIX Application Driver for the launch of the Web application”, page 143.
Example for the launch of the Web application using Internet Explorer:
However, we rather recommend using WALLIX Application Driver in connection with the session
probe mode. For further information, refer to Section 10.2.4.1, “Using WALLIX Application Driver
without specific deployment”, page 141. You can nevertheless deploy Application Driver manually.
Note:
The script WABChromeLogonUIA.lua will be used to select the launch of the Web
application using Google Chrome and the script WABIELogon.lua will be used to
select the launch of the Web application using Internet Explorer.
The setup must be performed from the “Applications” page in the “Targets” menu:
1. In the “Parameters” field, specify either the path to the script WABChromeLogonUIA.lua or
the path to the script WABIELogon.lua according to the selected browser for the launch of
the Web application as well as the necessary parameters. For further information on the latter,
see Section 10.2.4.3, “Parameters of WALLIX Application Driver for the launch of the Web
application”, page 143.
2. In the “Application path”, enter the path to the AppDriver.exe file.
Example for the launch of the Web application using Google Chrome:
10.2.4.3. Parameters of WALLIX Application Driver for the launch of the Web application
Mandatory parameters
Parameter                           Description
/e:URL=<URL>                        Defines the Website URL.
/lua_file:<Lua script file name>    Applies only when using WALLIX Application Driver via a manual deployment. Sets the Lua script's path used to open the Web session.
WALLIX Bastion automatically replaces them with the appropriate information related to the
account selected by the user and the application ID.
• a list of values to select a connection policy defined on the RDP protocol for the connection on
the application target,
• the path of the application executable and the directory in which the application runs. In the case
of a cluster, you must provide these values for each device. For further information, refer to the
section 10.6, “Clusters”, page 184.
To enable users to connect to the application, you must now link the accounts with it as described in
Section 10.4, “Target accounts”, page 159. User access rights, like those of devices, are managed
using authorizations (permissions). The RDP protocol must therefore be used.
Warning:
You cannot delete an application on which target accounts are declared.
Click on "Add an account" to create an account for the application: you access the account
creation page. For further information, refer to Section 10.4.3, “Add a target account to an
application”, page 165.
Click on "Manage association" to manage the resource associations: you access a page with the list of the available resource(s) and selected one(s) for the application. Move a resource from the "Available accounts" frame to the "Selected accounts" one in order to perform the association. Conversely, move a resource from the "Selected accounts" frame to the "Available accounts" one in order to remove the association.
Important:
The update of existing data when importing a .csv file overwrites old data.
                      For an application on a cluster: target1='path1' target2='path2', for each target of the cluster, with target1 in format account@domain@my_device:rdp
Startup directories   Text   O   For an application on a cluster: target1='wdir1' target2='wdir2'   N/A
Connection policy     Text   O   Name of the connection policy on the RDP protocol                  RDP
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
10.3. Domains
A global domain is a management entity grouping multiple target accounts which can be used to authenticate across multiple devices. This entity offers the significant advantage of propagating and synchronizing a password change at once for all the accounts on the devices associated with the domain.
A global domain can also be associated with a password external vault. In this case, this domain
groups accounts which are managed externally through the association of an external vault plugin.
As a result, a password change mechanism cannot be applied to the related accounts within
WALLIX Bastion. For further information, refer to Section 5.3, “Password external vault”, page 22.
A local domain is a management entity grouping multiple target accounts which can be used to authenticate on a single device only. This entity offers the significant advantage of propagating and synchronizing a password change at once for all the accounts associated with the domain.
Local domains are created through the association with a device or a target account. For
further information, refer to Section 10.1, “Devices”, page 124 and Section 10.4, “Target
accounts”, page 159.
• list global or local domains according to a dedicated filter on the domain type
• identify domains which are associated with a Certificate Authority
• identify domains for which the password change is enabled
• identify domains which are associated with an external password vault
• add/edit/delete a global domain
• edit a local domain
• import global or local domains from a .csv file which can be used to populate the WALLIX Bastion
resource database
• change the passwords for all the accounts on the global domain
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field on
the top of the page. Click on "Add a global domain" to display the global domain creation page.
• the domain name: a WALLIX Bastion internal representation of the domain used to display
accounts and targets on the Web user interface or during RDP/SSH sessions
• the domain real name: the name of the external domain if the created domain is a mapping of
an external domain (LDAP, AD, NIS). The domain real name is ignored when password change
is performed on Unix-derived targets.
• a description
• the vault type: choose whether the domain is associated with an external password vault or a
local one
Warning:
This field is only displayed when the “External Vaults” feature is associated with the
license key.
• if the chosen vault type is "Local" or the “External Vaults” feature is not associated with the
license key, options to define an SSH Certificate Authority to be associated with the domain for
the connection. The Certificate Authority (or "CA") is represented by a private/public SSH key
pair. It is possible to:
– generate a key: in this case, select the appropriate key type and length from the list (RSA 2048
by default) or
– browse a path to upload the file containing an existing key (in the OpenSSH or PuTTY key
formats) and specify the corresponding passphrase (if any defined)
For further information, refer to Section 10.3.2, “Associate the domain with an SSH Certificate
Authority”, page 150.
• if the chosen vault type is "Local" or the “External Vaults” feature is not associated with the license
key, an option to enable the password change for the accounts on this domain and, if enabled:
– the password change policy to be selected for this domain. For further information, refer to
Section 11.3, “Password change policies”, page 214.
– the password change plugin to be selected for this domain and the related parameters to be
specified. For further information, refer to Section 11.2, “Password change plugins”, page 203.
Note:
The CA public key is transferred to the target device (for a local domain) or the target
server (for a global domain) when a password change plugin is set on the concerned
domain and the WALLIX Password Manager feature is associated with the license key.
• if the chosen vault type is "External", select the vault plugin for this domain and specify the related
parameters. For further information, refer to Section 5.3, “Password external vault”, page 22 and
Section 10.7, “External password vault plugins”, page 187.
Warning:
This field is only displayed when the “External Vaults” feature is associated with the
license key.
• the Kerberos parameters: the Kerberos parameters are only supported by the WindowsService
plugin. When the chosen password change plugin is “WindowsService” and the transport protocol
defined for this plugin is “Kerberos”, then specify the following fields on the global domain page of
the administrator account selected during the definition of the reference (for further information,
refer to Section 11.2.13, “WindowsService plugin”, page 213 and Section 10.4.1.4, “Define
references for service account management”, page 162):
– “Kerberos realm”: specify the Kerberos realm
– “Kerberos KDC”: specify the domain name or the IP address of the KDC server
– “Kerberos port”: specify the port number of the KDC server. The default port is 88.
allow SSH authentication using this account, the public key must be present on the target server
(usually in the file authorized_keys located in the home directory of the target account).
When a CA is associated with a domain, the public SSH keys for all the target accounts on this domain are automatically signed by the CA. The summary page of an account on a domain which is associated with a CA therefore allows you to download the corresponding signed certificate instead of an SSH public key. Furthermore, when a user wishes to check out the credentials of a target account on a domain associated with a CA, the option to download the certificate is added. The private key alone is not sufficient for authentication.
Warning:
The administrator account is required on the local domain when using the Fortinet FortiGate or IBM 3270 password change plugin. This account must first be added to the domain from the "Domain accounts" area on the domain summary page, once the domain creation step has been completed. For further information, refer to Section 10.3.4, “Add an account to the global or a local domain”, page 152. Once the "Enable password change" option has been selected on the domain modification page, select this account from the list in the "Administrator account" field before selecting the plugin in the "Password change plugin" field.
When the global domain is associated with an external vault, the related information is displayed on
the domain summary page, from the "External vault plugin" and the "Vault plugin parameters" fields.
If an SSH Certificate Authority has been set for this domain (domain type is "Global" or "Local for
a device"), a line with the CA private key type and length is displayed on the domain modification
page. It is then possible to:
Note:
If the CA private key defined for the domain is changed, then the SSH keys for all the
accounts on this domain are re-signed with the new Certificate Authority.
The CA public key is transferred to the target device (for a local domain) or the target
server (for a global domain) when a password change plugin is set on the concerned
domain and the WALLIX Password Manager feature is associated with the license key.
For further information, refer to Section 10.3.2, “Associate the domain with an SSH
Certificate Authority”, page 150.
Note:
The "Change passwords" button on the right part of the page is displayed when an
administrator account is defined for the domain.
The passwords are changed in accordance with the password change policy selected
for the global domain. For further information, refer to Section 11.3, “Password change
policies”, page 214.
Note:
The "Change passwords" button on the right part of the page is displayed when an
administrator account is defined for the domain.
The passwords are changed in accordance with the password change policy selected
for the local domain. For further information, refer to Section 11.3, “Password change
policies”, page 214.
• either revoke the certificates for all the accounts on the domain by clicking on "Revoke all" on
the header column
• or revoke the certificate of a given account by clicking on the "Revoke" button at the end of the
concerned line
A revocation list is automatically generated and transferred to the target server, indicating that the revoked certificate(s) can no longer be used for connection.
Important:
The update of existing data when importing a .csv file overwrites old data.
Format: key1=value1 key2=value2
Windows: domain_controller_address (required)
Format: key1=value1 key2=value2
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
From the "Domains" page, make sure that "Local for a device" or "Local for an application" is
selected in the "Display domain type" field on the top of the page. Click on the "Import CSV file" icon
at the top right of the page to import the related data. You are then redirected to the "CSV" page
on the "Import/Export" menu: the "Local domains" check box is automatically selected to import the
related data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab820 localdomain
Important:
The update of existing data when importing a .csv file overwrites old data.
Format: key1=value1 key2=value2
For devices:
Oracle: port (optional), service_name (required), admin_mode (optional and set as "Normal" by default if not entered). The possible values for the admin_mode field are as follows: "Normal", "SYSDBA", "SYSOPER" and "SYSASM".
For applications:
Oracle: host (required), port (optional), service_name (required), admin_mode (optional and set as "Normal" by default if not entered). The possible values for the admin_mode field are as follows: "Normal", "SYSDBA", "SYSOPER" and "SYSASM".
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
• Global account: the account is defined on a global domain and is used to access services
on devices in this domain and to manage service accounts (for further information on the
management of service accounts, refer to Section 10.4.1.4, “Define references for service
account management”, page 162)
• Device account: the account is defined on a device and is only used for accessing a service on
this device
• Application account: the account is defined for an application only (an account to access the jump server, i.e. the target device on which the application is running, might be necessary)
• list the target accounts and the domains, devices and applications declared on them
• add, edit and delete an account
It is possible to import target accounts from a .csv file to populate the WALLIX Bastion resource
database. For further information, refer to Section 10.4.8, “Import target accounts”, page 168.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
From the “Accounts” page on the “Targets” menu, select “Global accounts” from the drop-down list
then click on the “+ Add” button to display the global domain account creation page.
This page consists of the following tabs: “General”, “Password”, “SSH private key” and
“References”.
• the name of the global domain to which you want to add an account. It will not be possible to edit
the name of the global domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.
Important:
When the account is created on a global domain associated with an external
password vault linked to the Bastion plugin (refer to Section 10.7.1, “Bastion
plugin”, page 188 for further information), its name must be formed as
follows: “account_name\\global_domain” or “account_name\\local_domain\\device” or
“account_name\\local_domain\\application”. Note that “\\” must be used as a separator.
“account_name” corresponds to the name of an account on the remote WALLIX
Bastion.
“global_domain” and “local_domain” correspond respectively to a global and a local
domain on the remote WALLIX Bastion.
“device” and “application” correspond respectively to a device and an application on
the local domain on the remote WALLIX Bastion.
• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a field to associate resources: a resource association is required to create targets for applications
and clusters. To associate resources, select a device and a service in the drop-down lists and
click on “+”. Once created, it is possible to delete this association by clicking on the “-” red icon.
You can associate as many resources as necessary.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 193.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 18 for the data encryption information related to password
storage.
• a toggle button to enable or disable the automatic SSH key change for this account
• the certificate validity period if the account is defined on a domain associated with a Certificate
Authority. The appropriate format is as follows:
[number of weeks]wk[number of days]d[number of hours]h[number of minutes]min[number of seconds]s
If no value is entered in this field, then the certificate is valid for an unlimited period.
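Two of the field formats described above lend themselves to validation before an administrator types them into the form or generates them for an import: the account name required on a global domain linked to the Bastion plugin (“account_name\\global_domain”, “account_name\\local_domain\\device” or “account_name\\local_domain\\application”) and the certificate validity period ([weeks]wk[days]d[hours]h[minutes]min[seconds]s, with an empty value meaning unlimited). The Python below is an added example written for this guide, not WALLIX code and not a Bastion API: the function names, the literal two-character separator taken from the printed “\\”, the "resource" key for the third name component and the requirement that period components appear in the documented order are all assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# ---- Bastion plugin account name ------------------------------------------
# The guide prints the separator as “\\”. This example takes it literally as
# the two-character string; it is kept in one place (and passed as a parameter)
# so it can be changed if a deployment expects a single backslash instead.
PLUGIN_SEPARATOR = "\\\\"


def parse_bastion_plugin_name(name, sep=PLUGIN_SEPARATOR):
    """Split a remote-Bastion account name into its components.

    Accepted shapes (from the guide):
        account_name<sep>global_domain
        account_name<sep>local_domain<sep>device
        account_name<sep>local_domain<sep>application
    A device and an application cannot be told apart from the name alone, so the
    third component is reported under the key "resource" (a name chosen here).
    Malformed names raise ValueError rather than being silently accepted.
    """
    parts = name.split(sep)
    if any(part == "" for part in parts):
        raise ValueError(f"empty component in account name {name!r}")
    if len(parts) == 2:
        return {"account": parts[0], "global_domain": parts[1]}
    if len(parts) == 3:
        return {"account": parts[0], "local_domain": parts[1], "resource": parts[2]}
    raise ValueError(f"expected 2 or 3 components separated by {sep!r}, got {len(parts)}")


def format_bastion_plugin_name(account, domain, resource=None, sep=PLUGIN_SEPARATOR):
    """Inverse of parse_bastion_plugin_name: build a name in the documented form."""
    parts = [account, domain] if resource is None else [account, domain, resource]
    for part in parts:
        if not part or sep in part:
            raise ValueError(f"invalid component {part!r}")
    return sep.join(parts)


# ---- Certificate validity period -------------------------------------------
# [weeks]wk[days]d[hours]h[minutes]min[seconds]s; every component is optional,
# and this example requires them in the documented order (its own assumption).
_VALIDITY_RE = re.compile(
    r"^(?:(?P<wk>\d+)wk)?(?:(?P<d>\d+)d)?(?:(?P<h>\d+)h)?"
    r"(?:(?P<min>\d+)min)?(?:(?P<s>\d+)s)?$"
)


def parse_validity(text):
    """Return the validity period as a timedelta, or None for "unlimited".

    An empty field means the certificate never expires, as the guide states.
    Anything else that does not match the format raises ValueError, so a typo
    such as "2w" (instead of "2wk") cannot silently turn into a wrong lifetime.
    """
    text = text.strip()
    if text == "":
        return None
    match = _VALIDITY_RE.match(text)
    if match is None or not any(match.groupdict().values()):
        raise ValueError(f"invalid certificate validity period: {text!r}")
    parts = {key: int(value or 0) for key, value in match.groupdict().items()}
    return timedelta(weeks=parts["wk"], days=parts["d"], hours=parts["h"],
                     minutes=parts["min"], seconds=parts["s"])


def validity_seconds(text):
    """Total lifetime in seconds, or None when the period is unlimited."""
    period = parse_validity(text)
    return None if period is None else int(period.total_seconds())


def expiry_iso(text, issued_at_iso):
    """ISO 8601 expiry instant for a certificate issued at issued_at_iso (or None)."""
    period = parse_validity(text)
    if period is None:
        return None
    return (datetime.fromisoformat(issued_at_iso) + period).isoformat()


if __name__ == "__main__":
    print(parse_bastion_plugin_name("svc_backup\\\\local_domain_1\\\\my_device"))
    print(validity_seconds("1wk2d3h4min5s"), expiry_iso("1wk", "2021-01-01T00:00:00+00:00"))
```

Rejecting an unrecognised period rather than defaulting it matters here because the empty string is the only value that legitimately means "unlimited"; a lenient parser that ignored an unknown suffix would hand out never-expiring certificates on a typo.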
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the global domain account creation page.
• or by uploading a key:
1. Select “Private key uploading” from the drop-down list.
2. Drag-and-drop a file or browse a path to upload the file containing an existing private key (in
the OpenSSH or PuTTY key format) in the “Upload SSH private key” section.
3. Specify the corresponding passphrase (if any defined) in the “Passphrase” field.
4. Enable the “Propagate credential change” button to change the SSH private key of the
account and instantly propagate it on the target.
Once you have defined the SSH private key for the account, click on “Apply”.
You can now download the corresponding SSH public key in the OpenSSH or ssh.com format from the “Download SSH public key” button.
Note that you can delete the SSH private key defined for this account by clicking on the “Delete existing SSH private key” button.
When the password of a service account is changed, the password used by the service must be updated with this new password.
Defining references simplifies the password change process on services. WALLIX Bastion uses these references to launch the automatic propagation of the new password on the device(s) on which the service is deployed.
To add a reference, click on the “+ Add” button. A window opens and allows you to select and enter
the following fields:
Warning:
The only purpose of this global domain is to configure the WindowsPlugin. No accounts
should be defined on this domain.
To delete a reference, check the box at the beginning of the corresponding line, then click on the
“Delete” button.
Warning:
If you delete a global account, the associated references are also deleted.
Note:
This association type can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).
To add a global domain account to a group, check the box at the beginning of the line to select the
related global account, then click on the “Add to group” button. A window opens and allows you to
enter and select the following fields:
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to manage new resource associations. Otherwise, click on the “Add and close”
button to save the data and close the window.
This page consists of the following tabs: “General”, “Password” and “SSH private key”.
• the name of the device to which you want to add an account. It will not be possible to edit the
name of the device once you have clicked on “Apply”.
• the local domain name: you can select an existing local domain or create a new one. It will not
be possible to edit the name of the local domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.
• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a field to associate resources: a resource association is required to create targets for applications
and clusters. To associate resources, select a service in the drop-down list and click on “+”. Once
created, it is possible to delete this association by clicking on the “-” red icon. You can associate
as many resources as necessary.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 193.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 18 for the data encryption information related to password
storage.
• a toggle button to enable or disable the automatic SSH key change for this account
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the device account creation page.
• or by uploading a key:
1. Select “Private key uploading” from the drop-down list.
2. Drag-and-drop a file or browse a path to upload the file containing an existing private key (in
the OpenSSH or PuTTY key format) in the “Upload SSH private key” section.
3. Specify the corresponding passphrase (if any defined) in the “Passphrase” field.
4. Enable the “Propagate credential change” button to change the SSH private key of the
account and instantly propagate it on the target.
Once you have defined the SSH private key for the account, click on “Apply”.
You can now download the corresponding SSH public key in the OpenSSH or ssh.com format from the “Download SSH public key” button.
Note that you can delete the SSH private key defined for this account by clicking on the “Delete
existing SSH private key” button.
Note:
This association type can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).
To add a device account to a group, check the box at the beginning of the line to select the related
device account, then click on the “Add to group” button. A window opens and allows you to enter
and select the following fields:
Warning:
The account is displayed in the list as many times as there are services defined on
the device to which it belongs. Make sure to select only the relevant account(s) for the
association to the group.
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the local account with another group and/or target type. Otherwise,
click on the “Add and close” button to save the data and close the window.
• the name of the application to which you want to add an account. It will not be possible to edit
the name of the application once you have clicked on “Apply”.
• the local domain name: you can select an existing local domain or create a new one. It will not
be possible to edit the name of the local domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.
• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 193.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 18 for the data encryption information related to password
storage.
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the “Password” tab of the application account creation page.
You also have the possibility to manually change and instantly propagate the password of the
account on the target by using the toggle button “Propagate credential change”.
Once you have defined the password for the account, click on “Apply”.
Note that you can delete a password already set for this account by clicking on the “Delete
password” button.
Note:
This association type can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).
To add an application account to a group, check the box at the beginning of the line to select the
related application account, then click on the “Add to group” button. A window opens and allows
you to enter and select the following fields:
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the local account with another group and/or target type. Otherwise,
click on the “Add and close” button to save the data and close the window.
For further information on how to enter data in the tabs, refer to Section 10.4.3, “Add a target account
to an application”, page 165 to edit a global domain account or refer to Section 10.4.2, “Add a
target account to a device”, page 163 to edit a device account or refer to Section 10.4.3, “Add a
target account to an application”, page 165 to edit an application account.
Warning:
You cannot edit the login, password, SSH private key and checkout policy of a target
account on the Web interface or via the REST API when the related credentials are being
checked out. The credentials must first be checked in using the “Force check-in option”
to be able to edit the corresponding fields. For further information, refer to Section 12.3.6,
“Account history”, page 231.
When the global domain account is defined on a domain associated with a Certificate Authority, it is possible to edit the certificate validity period or to enter it if it has not been defined previously. The appropriate format is as follows:
[number of weeks]wk[number of days]d[number of hours]h[number of minutes]min[number of seconds]s
However, if this value is edited or defined at this point, the former validity period still applies and the new validity period for the certificate will apply at the next SSH key change.
To do this:
The credentials are now changed on WALLIX Bastion and on the related target(s).
Note:
The automatic credential change is only possible for accounts belonging to a domain on
which the password change is enabled.
Once this change has been launched, the credentials are instantly changed on WALLIX
Bastion and propagated on the related target(s).
• in accordance with the password change policy selected for the domain. For further
information, refer to Section 11.3, “Password change policies”, page 214.
• when the checkout policy allows the password change at check-in. For further
information, refer to Section 10.8, “Checkout policies”, page 193.
To do this, select the desired account type from the drop-down list and click on the account name
in order to open the related modification page. You can then:
• on the “Password” tab: enter and confirm the new password of the account and enable the toggle
button “Propagate credential change”
• on the “Private key uploading” page of the “SSH private key” tab: upload the new key and enable
the toggle button “Propagate credential change”
Once you have entered the fields and enabled the propagation toggle button, click on “Apply” to
propagate the new password and/or SSH private key on the target.
Note:
The manual credential change is only possible for accounts belonging to a domain on
which the password change is enabled.
Once this change has been launched, the credentials are instantly changed on WALLIX
Bastion and propagated on the related target(s).
• in accordance with the password change policy selected for the domain. For further
information, refer to Section 11.3, “Password change policies”, page 214.
• when the checkout policy allows the password change at check-in. For further
information, refer to Section 10.8, “Checkout policies”, page 193.
The file must begin with a line containing the following tag:
#wab820 account
Important:
The update of existing data when importing a .csv file overwrites old data.
Authentication can be performed either by password or by a private key or both or none of them.
For an account on an application:
#wab820 account
my_device_user;device_user_login;description;False;P4sSw0rD;;False;default;local_domain_1;my_device;;
my_domain_user;domain_user_login;description;True;P4sSw0rD;;False;default;my_global_domain;;;device_on_domain:rdp
my_app_user;app_user_login;description;False;P4sSw0rD;;True;default;local_domain_1;;my_application;
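The import files for applications, domains and accounts described in this chapter share one shape: a first line carrying the “#wab820 <object type>” tag, one record per line with a configurable field separator (“;” in the example above), and free-text columns that hold “key1=value1 key2=value2” pairs such as target1='path1' target2='path2' or domain_controller_address. The Python below is an added example written for this guide, not WALLIX code: it checks the tag, splits the records, rejects rows whose field count differs from the others (the kind of rejection the summary report lists) and parses the key=value strings. The column positions are not described in this excerpt, so rows are returned positionally; the three records are the ones from the example above and the fourth, malformed, row is constructed here.

```python
import shlex

TAG_PREFIX = "#wab820 "   # tag line format shown in the guide, e.g. "#wab820 account"


def parse_key_values(text):
    """Parse a 'key1=value1 key2=value2' parameter string into a dict.

    Values may be quoted as in the guide's cluster examples
    (target1='path1' target2='path2'); shlex removes the quotes and accepts
    spaces or newlines between pairs. Bare tokens and duplicate keys are errors.
    """
    result = {}
    for token in shlex.split(text):
        key, eq, value = token.partition("=")
        if not eq or not key:
            raise ValueError(f"expected key=value, got {token!r}")
        if key in result:
            raise ValueError(f"duplicate key {key!r}")
        result[key] = value
    return result


def parse_import_csv(text, expected_type, field_sep=";", expected_fields=None):
    """Split an import file into accepted rows and rejected (line, reason) pairs.

    The tag line must name the object type being imported, and every record
    must have the same number of fields (taken from the first record when
    expected_fields is None). Rows are returned as positional lists because the
    column layout is not part of this example. List-valued columns would be
    split further with the configured list separator.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith(TAG_PREFIX):
        raise ValueError("file must begin with a '#wab820 <type>' tag line")
    obj_type = lines[0][len(TAG_PREFIX):].strip()
    if obj_type != expected_type:
        raise ValueError(f"tag names {obj_type!r}, expected {expected_type!r}")
    accepted, rejected = [], []
    width = expected_fields
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue                      # blank lines carry no record
        fields = line.split(field_sep)
        if width is None:
            width = len(fields)
        if len(fields) != width:
            rejected.append((lineno, f"expected {width} fields, got {len(fields)}"))
            continue
        accepted.append(fields)
    return {"type": obj_type, "accepted": accepted, "rejected": rejected}


def summary_report(result):
    """Render the counts the way the import summary page describes them."""
    head = f"{result['type']}: {len(result['accepted'])} accepted, {len(result['rejected'])} rejected"
    return "\n".join([head] + [f"  line {n}: {why}" for n, why in result["rejected"]])


# The three records from the guide's account example plus one constructed
# malformed row (too few fields) to show how a rejection is reported.
SAMPLE_IMPORT = "\n".join([
    "#wab820 account",
    "my_device_user;device_user_login;description;False;P4sSw0rD;;False;default;local_domain_1;my_device;;",
    "my_domain_user;domain_user_login;description;True;P4sSw0rD;;False;default;my_global_domain;;;device_on_domain:rdp",
    "my_app_user;app_user_login;description;False;P4sSw0rD;;True;default;local_domain_1;;my_application;",
    "short_user;only_two_fields",      # constructed: rejected by the width check
])


if __name__ == "__main__":
    print(summary_report(parse_import_csv(SAMPLE_IMPORT, "account")))
    print(parse_key_values("target1='path1' target2='path2'"))
```

Checking the tag against the object type you intended to import is the cheap guard that matters most in practice: the Web interface pre-selects the check box from the page you came from, and a file tagged for another object type would otherwise be interpreted under the wrong column layout.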
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
It is possible to import target groups from a .csv file to populate the WALLIX Bastion resource
database. For further information, refer to Section 10.5.4, “Import target groups”, page 183.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
This page consists of the following tabs: “General”, “Session management targets”, “Password
management targets” and “Restrictions”.
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the group creation page.
1. From the “Session management targets” tab, select “Account” from the drop-down list then click
on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts”, “A device and global accounts”, “An application and related local accounts” or
“An application and global accounts”.
3. Depending on the chosen value, select the device or the application concerned by the
association in the next field.
4. In the “Service” field, select the service (if necessary) which will be used to access the target
account(s).
5. Once all the fields are entered, the list of available accounts is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
6. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
Note:
At least one local and/or global account must exist for the device or the application to be able
to manage this association.
At least one service must exist on the device to be able to manage this association.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
10.5.1.3. Configure a target group for a scenario account during SSH session
This procedure consists of defining, within a group, the target accounts which can be used by a
startup scenario once the SSH session has been initiated. These accounts are called “scenario
accounts”. For further information, refer to Section 12.16, “SSH startup scenario on a target
device”, page 247.
1. From the “Session management targets” tab, select “Scenario account” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts” or “A global domain and related accounts”.
3. Depending on the chosen value, select the device or the global domain concerned by the
association in the next field.
4. Once the fields are entered, the list of available accounts is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
Note:
At least one local account must exist on the device and/or one global account must exist
on the global domain to be able to manage associations.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
Warning:
The authentication method PASSWORD_MAPPING must be selected in the connection
policy associated with the target to be able to connect to this target using the
account mapping mechanism (for further information, refer to Section 12.4, “Connection
policies”, page 236).
1. From the “Session management targets” tab, select “Account mapping” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
services” or “Applications”.
3. If you wish to access a device, select the one concerned by the association in the next field.
4. Once the fields are entered, the list of available services and applications is displayed. Check
the box at the beginning of the line of the desired service(s) or application(s) in order to perform
the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
Note:
The authentication method PASSWORD_INTERACTIVE must be selected at the level of
the connection policy associated with the target to be able to connect to this target using
the interactive login mechanism (for further information, refer to Section 12.4, “Connection
policies”, page 236).
1. From the “Session management targets” tab, select “Interactive login” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
services” or “Applications”.
3. If you wish to access a device, select the one concerned by the association in the next field.
4. Once the fields are entered, the list of available services and applications is displayed. Check
the box at the beginning of the line of the desired service(s) or application(s) in order to perform
the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
1. From the “Password management targets” tab, click on the “+ Add” button to display the
resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts”, “A global domain and related accounts” or “An application and related local
accounts”.
3. Depending on the chosen value, select the device, the global domain or the application
concerned by the association in the next field.
4. Once the fields are entered, the list of available account(s) is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
Note:
A set of allowed commands can be defined as regular expressions for remote command
execution for subprotocol SSH_REMOTE_COMMAND. For further information,
refer to Section 10.5.1.7.1.5, “Patterns of allowed commands for subprotocol
SSH_REMOTE_COMMAND”, page 179.
To add a restriction, click on the “Restrictions” tab then on the “+ Add” button to display the dedicated
creation window. The relevant actions must be selected in the “Action” field and the corresponding
rules must be defined in the “Rules” field.
In the event of detection, the corresponding action will apply: session disconnection for the “Kill”
action or sending of a notification for the “Notify” action.
Warning:
Character sequence detection is only enabled for data sent by the client to the server.
The list of patterns applied is the sum of those present in the user groups and the target groups.
The linked action is the most restrictive: if the “Kill” action is in one of the groups, then this action
will be selected.
The rules must be entered as regular expressions, with one expression per line.
Furthermore, pattern detection is case-sensitive.
E.g.: to prevent files from being deleted, the expressions to enter in the “Rules” field are as follows:
unlink\s+.*
rm\s+.*
Warning:
By default, keyboard inputs that are not echoed on the terminal (e.g. passwords) are
not logged within WALLIX Bastion, unless the option “Log all kbd” is enabled on the
configuration page for the related connection policy. However, a malicious user can
permanently disable terminal echo for the rest of the session with the following
command, so that everything typed afterwards is treated as non-displayed input:
stty -echo
In such a case, the session can then be disconnected by defining the following “Kill” rule
in the “Restrictions” tab of the “Groups” page:
$filesize:>X
$downsize:>X
A trailing letter (such as “m”, “k”, “g”) can be specified to provide a scaling factor as described in
the table below:
CISCO routers under IOS are quite restrictive for command input but support auto completion and
partial input when command prefixes are unambiguous.
It is therefore necessary to use a specific extension of the rules syntax to forbid or allow some
commands in the most exhaustive way on such a system.
Warning:
A target having this type of detection rules will be considered as a CISCO IOS device.
It should therefore not be used for another kind of device such as Linux/Unix, at the
risk of malfunction.
This syntax extension can be used with subprotocols SSH_SHELL_SESSION, RLOGIN or TELNET
(according to the kind of connection), for any kind of action.
• White list of commands: only the listed commands are allowed. The syntax to use in the “Rules”
field is as follows: $acmd:[command list]
• Black list of commands: any commands are allowed except those in the list. The syntax to use
in the “Rules” field is as follows: $cmd:[command list]
The command list is delimited by square brackets, each command being separated by a comma.
For example: [enable, show kerberos, access-template, configure terminal]
A command can contain a “:” separator to indicate the end of the unambiguous prefix. The
command itself must not contain any “:” character. For example, for the commands "en[able]",
"sh[ow] kerb[eros]", "access-t[emplate]", and "conf[igure] t[erminal]" the list would be: [en:able,
sh:ow kerb:eros, access-t:emplate, conf:igure t:erminal]
For example, a black list of the commands “enable” and “show” is written: $cmd:[en:able, sh:ow]
In case of multiple declarations, all lists of the same kind are merged.
If both white and black lists are declared together, detection will be done from the white list where
commands from the black list have been removed.
By default, implicitly, the commands “alias” and “prompt” will be added to a black list and the
command “exit” will be added to a white list.
Example of detection using the white list: [w:here, sh:ow ke:rberos, co:nnect]
Input                  Detection
show                   Yes
show kerb              No
sh ke c                No
show kron schedule     Yes
show ip arp            Yes
config t               Yes
where                  No
w                      No
alias show display     Yes
exit                   No
Table 10.3. Cisco IOS Detection with white list
Example of detection using the black list: [w:here, sh:ow ke:rberos, co:nnect]
Input                  Detection
show                   No
show kerb              Yes
sh ke c                Yes
show kron schedule     No
show ip arp            No
config t               No
where                  Yes
w                      Yes
alias show display     Yes
exit                   No
Table 10.4. Cisco IOS Detection with black list
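The prefix-matching rules above, with the expected results of Table 10.3 and Table 10.4, implemented in Python as an added example (this is not WALLIX code and does not reproduce the proxy's own parser). It assumes that a typed word matches a listed word when it is at least as long as the declared prefix and is itself a prefix of the full word, that any words typed after a listed command are arguments and do not affect the match, and that the implicit “exit” entry only comes into play when a white list has been declared (otherwise the black-list table could not allow “config t”).

```python
# Implicit entries documented for Cisco IOS rules: "alias" and "prompt" are always
# black-listed; "exit" is white-listed (assumption: only relevant when a white list
# exists, since without one every command not black-listed is allowed anyway).
IMPLICIT_BLACK = "[alias, prompt]"
IMPLICIT_WHITE = "[exit]"


def parse_command_list(spec):
    """Parse '[en:able, sh:ow kerb:eros]' into a list of commands, each command
    being a list of (minimum_prefix, full_word) pairs. A word written without ':'
    has to be typed in full."""
    spec = spec.strip()
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("command list must be enclosed in square brackets")
    commands = []
    for entry in spec[1:-1].split(","):
        words = []
        for word in entry.split():
            if word.count(":") > 1:
                raise ValueError(f"command word {word!r} contains more than one ':'")
            prefix, _, rest = word.partition(":")
            words.append((prefix, prefix + rest))
        if words:
            commands.append(words)
    return commands


def parse_rules(rules_text):
    """Collect the $acmd: (white) and $cmd: (black) lists of a 'Rules' field;
    all lists of the same kind are merged."""
    white, black = [], []
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("$acmd:"):
            white += parse_command_list(line[len("$acmd:"):])
        elif line.startswith("$cmd:"):
            black += parse_command_list(line[len("$cmd:"):])
    return white, black


def word_matches(token, prefix, full):
    # With "sh:ow": "sh", "sho" and "show" match; "s" (too short) and "shw" do not.
    return len(token) >= len(prefix) and full.startswith(token)


def command_matches(tokens, command):
    # The leading typed words must match every word of the listed command;
    # anything typed after that is an argument.
    if len(tokens) < len(command):
        return False
    return all(word_matches(t, p, f) for t, (p, f) in zip(tokens, command))


def is_detected(rules_text, command_line):
    """True when the typed command line triggers the restriction's action."""
    white, black = parse_rules(rules_text)
    black = black + parse_command_list(IMPLICIT_BLACK)
    tokens = command_line.split()
    in_black = any(command_matches(tokens, c) for c in black)
    if white:
        # White list mode: the command must be listed and not removed by the black list.
        white = white + parse_command_list(IMPLICIT_WHITE)
        in_white = any(command_matches(tokens, c) for c in white)
        return not (in_white and not in_black)
    return in_black          # black list mode: only listed commands are detected


if __name__ == "__main__":
    rules = "$acmd:[w:here, sh:ow ke:rberos, co:nnect]"
    for line in ["show", "show kerb", "sh ke c", "config t", "w", "exit"]:
        print(f"{line!r:14} detected={is_detected(rules, line)}")
```

Combining a white list and a black list removes the black-listed commands from what the white list allows, so `$acmd:[sh:ow]` together with `$cmd:[sh:ow ke:rberos]` lets “show ip arp” through but detects “show kerberos”.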
A set of allowed commands can be defined as regular expressions for remote command execution.
A command mismatch will then be detected.
$allow:<re_1>
Commands matching the regular expression <re_1> are thus allowed. The others are detected.
If several expressions prefixed with “allow” are defined, a command matching one of them will be
allowed.
$allow:<re_1>
$allow:<re_2>
...
$allow:<re_n>
Rules defined as standard regular expressions are still checked alongside “$allow:” rules. A
command that matches an allowed regular expression but also matches a standard regular expression
is therefore detected, and the corresponding action is performed.
Example with the rule:
$allow:abc
Input                  Detection
abc                    No
cde                    Yes
Table 10.5. Commands
Example with the rules:
$allow:abc
$allow:ps.*
Input                  Detection
abc                    No
cde                    Yes
ps aux                 No
ps aux | grep eggs     No
ls                     Yes
Table 10.6. Commands
Example with the rules:
$allow:abc
$allow:ps.*
ps.*\|
Input                  Detection
abc                    No
cde                    Yes
ps aux                 No
ps aux | grep eggs     Yes
ls                     Yes
Table 10.7. Commands
When creating/editing user groups or target groups, you can define “restrictions” through a set of
actions to apply when certain character sequences are detected in RDP keyboard flows (the data
analyzed is the data entered by the user) and/or in the window title bars (the data analyzed is the
data displayed on the screen). This is performed by enabling/disabling pattern detection.
To add a restriction, click on the “Restrictions” tab then on the “+ Add” button to display the dedicated
creation window. The relevant actions must be selected in the “Action” field and the corresponding
rules must be defined in the “Rules” field.
In the event of detection, the corresponding action will apply: session disconnection for the “Kill”
action or sending of a notification for the “Notify” action.
Warning:
Character sequence detection is only enabled for data sent by the client to the server.
The list of patterns applied is the sum of those present in the user groups and the target groups.
The linked action is the most restrictive: if the “Kill” action is in one of the groups, then this action
will be selected.
The rules must be entered as regular expressions, with one expression per line.
An expression prefixed with “$ocr:” or without any prefix will only match the title bars of active
windows (and not those of the inactive windows).
An expression prefixed with “$kbd-ocr:” or “$ocr-kbd:” will match keyboard input and title bars of
active windows.
E.g.: to ensure files are not deleted from the command prompt (cmd.exe), the expressions to enter
in the "Rules" field are as follows:
$kbd:del\s+.*
$kbd:erase\s+.*
$ocr:Command Prompt
$ocr:.*\\cmd.exe
In a combined prefix such as “$kbd-ocr:”, the separator between “kbd” and “ocr” can be either “-”
or “,”.
Warning:
If you choose to kill the session when a specific window title bar is displayed, users will
not be able to reconnect until this window is closed or its title changed because their
sessions will be killed again immediately.
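A small evaluator for the regular-expression rules of this subsection and of the SSH flow analysis above (standard expressions, “$allow:” expressions and the “$kbd:”, “$ocr:” and “$kbd-ocr:” prefixes), written in Python as an added example; it is not WALLIX code and does not reproduce the proxy's internals. It assumes that expressions are anchored at the start of the analysed data (which is why the documented rule “$ocr:.*\\cmd.exe” begins with “.*”), that the rules of every user group and target group are merged into one list before evaluation with the most restrictive action, that the keyboard flow is analysed one typed line at a time, and that an SSH rule is checked against the full command line. The SSH cases reproduce Table 10.5 to Table 10.7 and the “rm”/“unlink” example; the RDP inputs are constructed for the example.

```python
import re
from typing import NamedTuple, Optional

KILL, NOTIFY = "Kill", "Notify"

# RDP channel prefixes: $kbd:, $ocr:, $kbd-ocr:, $ocr-kbd: ("-" or "," as separator).
RDP_PREFIX = re.compile(r"\$((?:kbd|ocr)(?:[-,](?:kbd|ocr))?):")


class Rule(NamedTuple):
    channels: frozenset   # {"ssh"} for SSH rules; subsets of {"kbd", "ocr"} for RDP rules
    allow: bool           # True for "$allow:" rules (SSH only)
    regex: re.Pattern     # compiled case-sensitively, as documented


def parse_rules(text, protocol):
    """Parse one 'Rules' field (one expression per line) for protocol 'ssh' or 'rdp'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        allow = False
        if protocol == "ssh":
            channels = {"ssh"}
            if line.startswith("$allow:"):
                allow, line = True, line[len("$allow:"):]
        elif protocol == "rdp":
            channels = {"ocr"}                      # no prefix: active window titles only
            m = RDP_PREFIX.match(line)
            if m:
                channels = set(re.split(r"[-,]", m.group(1)))
                line = line[m.end():]
        else:
            raise ValueError(f"unknown protocol {protocol!r}")
        rules.append(Rule(frozenset(channels), allow, re.compile(line)))
    return rules


def detect(groups, protocol, data) -> Optional[str]:
    """groups: [(action, rules_text), ...], one entry per user group and target group
    applying to the session. data: {"ssh": command_line} for SSH, or
    {"kbd": typed_line, "ocr": active_window_title} for RDP.
    Returns the action to apply, or None when nothing is detected."""
    rules = [r for _, text in groups for r in parse_rules(text, protocol)]
    action = KILL if any(a == KILL for a, _ in groups) else NOTIFY   # most restrictive wins
    hit = any(
        ch in data and r.regex.match(data[ch]) is not None
        for r in rules if not r.allow
        for ch in r.channels
    )
    allows = [r for r in rules if r.allow]
    if allows and not any(r.regex.match(data.get("ssh", "")) for r in allows):
        hit = True                                  # command matched none of the "$allow:" rules
    return action if hit else None


if __name__ == "__main__":
    ssh_groups = [(NOTIFY, r"rm\s+.*"), (KILL, "$allow:ps.*\n$allow:abc")]
    print(detect(ssh_groups, "ssh", {"ssh": "ps aux | grep eggs"}))        # None
    print(detect(ssh_groups, "ssh", {"ssh": "rm -rf /tmp/build"}))         # Kill
    rdp_rules = "\n".join([r"$kbd:del\s+.*", r"$ocr:Command Prompt", r"$ocr:.*\\cmd.exe"])
    print(detect([(KILL, rdp_rules)], "rdp", {"kbd": "dir", "ocr": "Command Prompt"}))  # Kill
```

Because the “rm\s+.*” rule requires whitespace after “rm”, “rmdir” is not detected, and because matching is case-sensitive “RM -rf” is not detected either; a “$kbd-ocr:” rule is the only form that fires on typed text and on a window title alike.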
You can import the restrictions defined during the creation or modification of user groups
or target groups. These restrictions define the actions to apply when certain character
sequences are detected in the upward flow from proxies (refer to Section 10.5.1.7.1, “SSH flow
analysis / Pattern detection”, page 175 and Section 10.5.1.7.2, “RDP flows analysis / Pattern
detection”, page 180).
From the “CSV” page on the “Import/Export” menu, select the “Restrictions” check box to import the
related data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab820 restriction
Important:
The update of existing data when importing a .csv file overwrites old data.
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
Caution:
A user is allowed to export restrictions if at least the “View” right for the “Targets &
accounts” feature is set in his/her profile (refer to Section 9.3, “User profiles”, page 86).
If only the “View” right for the “Targets & accounts” feature is set in the profile, then the
user will be able to export restrictions on target groups only.
If the “View” right for the “Users” feature is also set in the profile, then the user will be able
to export the restrictions defined on the user groups he/she is allowed to view (depending
on the limitations set for the profile. For further information, refer to Section 9.3, “User
profiles”, page 86).
If only the “View” right for the “Users” feature is set in the profile, then the user will not
be able to export any restriction.
For further information on how to enter data in the tabs, refer to Section 10.5.1, “Add a target
group”, page 172.
Warning:
You cannot delete a target group linked to active authorizations (refer to Chapter 12,
“Session management”, page 218).
Important:
The update of existing data when importing a .csv file overwrites old data.
account@domain@device:protocol
Account mapping     Text    O    Selected account mapping targets. Format for account mapping targets: device:protocol    N/A
Interactive login   Text    O    Selected interactive login targets. Format for interactive login targets: device:protocol    N/A
Accounts            Text    O    Selected target accounts for password management. Format: account@domain@device or account@domain@application    N/A
Scenario            Text    O    Selected scenario accounts. Format: account@domain or account@domain@device    N/A
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
10.6. Clusters
A cluster is a group of jump servers. The use of a cluster in place of a single device allows application
load sharing and High-Availability. The jump server used to run an application is selected in two
steps. WALLIX Bastion firstly sorts the servers, beginning with the one that has the fewest open
sessions, and then tries to connect to each server until it succeeds.
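The two-step selection described above, as an added example in Python (not WALLIX code): the jump servers are sorted by their number of open sessions and tried in that order until one accepts the connection. The session counts, the `try_connect` callback and the tie-breaking order are assumptions made for the example.

```python
class NoJumpServerAvailable(RuntimeError):
    """Raised when every jump server of the cluster refused the connection."""


def select_jump_server(open_sessions, try_connect):
    """Pick the jump server used to run an application.

    open_sessions: {server_name: number_of_open_sessions} (constructed input).
    try_connect: callback returning True when the server accepts the connection.
    Step 1 sorts the servers, fewest open sessions first (ties keep insertion
    order, an assumption of this example); step 2 tries them in that order and
    returns the first one that succeeds, together with the servers attempted.
    """
    attempted = []
    for name, _ in sorted(open_sessions.items(), key=lambda item: item[1]):
        attempted.append(name)
        if try_connect(name):
            return name, attempted
    raise NoJumpServerAvailable(
        "no jump server accepted the connection: " + ", ".join(attempted))


if __name__ == "__main__":
    cluster = {"jump-a": 5, "jump-b": 2, "jump-c": 3}   # constructed session counts
    unreachable = {"jump-b"}                              # simulated outage of the least loaded server
    chosen, tried = select_jump_server(cluster, lambda server: server not in unreachable)
    print(f"selected {chosen} after trying {tried}")
```

With the least loaded server down, the next one in the sorted order is used; only when every server refuses does the selection fail, which is the point at which the application cannot be launched.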
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
You can perform a search among the list of clusters by entering data in the area near the
magnifier icon.
From the "Clusters" page, click on a cluster name and then on "Edit this group" to display the cluster
modification page.
The fields in this page are the same as those in the cluster creation page.
The file must begin with a line containing the following tag:
#wab820 cluster
Important:
The update of existing data when importing a .csv file overwrites old data.
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
Warning:
This page is only displayed when the “External Vaults” feature is associated with the
license key.
An external password vault plugin can be selected during the creation of a global domain (refer to
Section 10.3, “Domains”, page 148) and several parameters can be set depending on the chosen
plugin.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
The parameters to be set for this plugin during the creation of a global domain (refer to Section 10.3,
“Domains”, page 148) are defined as follows:
• API URL: URL of the REST API to access the vault. This parameter is required. This URL must
start with “https://” and end with “/api/vX.Y”. The minimum API version supported is 2.3.
• API key: key to connect to the REST API. If a key is entered, it must be entered again for
confirmation. This key must be generated on the remote WALLIX Bastion.
• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account on the remote WALLIX Bastion.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.
The parameters to be set for this plugin during the creation of a global domain (refer to Section 10.3,
“Domains”, page 148) are defined as follows:
• API URL: URL of the REST API to access the vault. This parameter is required. This URL must
start with “https://” and end with “/PasswordVault”.
• Safe name: name of the container in the CyberArk Enterprise Password Vault privilege
management solution into which the secrets are stored. This parameter is required.
• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account in the CyberArk Enterprise Password Vault privilege
management solution.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.
• Maximum checkout duration (minutes): maximum time interval, expressed in minutes, during
which checkout can be performed. At the end of this period, an automatic check-in is performed
by the system. If "0" is entered in this field, then no automatic check-in is performed.
1. Vault root
└── 2. Name of the secret engine
    ├── 3. Account name in WALLIX Bastion
    │   ├── Login (field “login”)
The login and at least one credential (password or SSH key) are required.
The SSH key must be entered in the OpenSSH or PEM formats. The certificate corresponds to the
content of a signed public key which can be downloaded from the Web interface of WALLIX Bastion.
Figure 10.15. Example: Secret data for account “user1” within engine
“engine_one” in HashiCorp Vault secret management solution
• API URL: URL of the REST API to access the vault. This parameter is required.
• Secret engine path: access path to the vault secret engine. This parameter is required.
• Token: token to access the vault through the “Token” authentication method. If a token is entered,
it must be entered again for confirmation.
• Username: login of the account to access the vault through the “Userpass” authentication method.
This login must correspond to the user name of an account in the HashiCorp Vault secret
management solution.
• Password: password of the account to access the vault through the “Userpass” authentication
method. If a password is entered, it must be entered again for confirmation.
• PKCS#12 file: browse a path to upload a PKCS#12 file so as to provide the private and public
keys to access the vault through the “TLS Certificate” authentication method.
• PKCS#12 file passphrase: passphrase to unlock the keys provided via the PKCS#12 file for the
“TLS Certificate” authentication method. If a passphrase is entered, it must be entered again for
confirmation.
• Role name: name of the role associated with the Certificate Authority (or "CA") on the server of
the HashiCorp Vault secret management solution.
This plugin allows checkout and check-in operations on the passwords and SSH keys of the target
accounts. However, it does not allow the checkout duration of the credentials to be extended.
Some features in the Thycotic Secret Server secret management solution are not supported by
WALLIX Bastion. Therefore, the secrets managed by accounts enabling at least one of the following
features cannot be accessed:
• API URL: URL of the REST API to access the vault. This parameter is required. This URL
must start with “https://” and end with “/SecretServer”, e.g. “https://vault.mycompany.com/
SecretServer”.
• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account in the Thycotic Secret Server secret management
solution.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.
• Login field: name of the field storing the account login in the Thycotic Secret Server secret
management solution. This name is case-sensitive. This parameter is required and contains
“Username” as a default value.
Warning:
The “Service account login” and “Service account password” fields are optional. If no
service account is used, the user must then provide a password when authenticating
via RDP or SSH proxies or the Web interface to access the vault of the Thycotic Secret
Server secret management solution. As authentications through X509 certificate, SSH
key or Kerberos ticket do not work in this context, it is required to define a service account.
• If the user has authenticated using a login and a password, then these credentials are used to
access the server of the Thycotic Secret Server secret management solution.
• If the user has authenticated using a Kerberos ticket or an SSH key or X509 certificate (or any
other authentication method without providing a password), the service account is used to retrieve
the secret. In this case, the service account must have at least the same rights as the user.
• If none of these methods works, then access to the vault to retrieve a secret will fail.
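A validator for the “API URL” field of the three REST-based plugins described above (remote WALLIX Bastion, CyberArk Enterprise Password Vault and Thycotic Secret Server), added here as an example; it is not part of WALLIX Bastion. The plugin labels “bastion”, “cyberark” and “thycotic” are names chosen for this example, the hostnames are made up, and the check compares the “/api/vX.Y” version numerically rather than as text, so that 2.10 is accepted as newer than the 2.3 minimum.

```python
import re
from urllib.parse import urlsplit

# Suffix rules documented for each plugin; the keys are labels chosen for this
# example, not names taken from the WALLIX Bastion interface.
SUFFIX = {"cyberark": "/PasswordVault", "thycotic": "/SecretServer"}
BASTION_API = re.compile(r"/api/v(\d+)\.(\d+)$")
MIN_BASTION_API = (2, 3)


def validate_vault_url(plugin, url):
    """Return the list of problems found in an external vault 'API URL'
    (an empty list means the URL satisfies the documented constraints)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("URL must start with https://")
    if not parts.netloc:
        problems.append("URL has no host")
    if parts.query or parts.fragment:
        problems.append("URL must not contain a query string or fragment")

    if plugin == "bastion":
        m = BASTION_API.search(parts.path)
        if m is None:
            problems.append("URL must end with /api/vX.Y")
        else:
            version = (int(m.group(1)), int(m.group(2)))   # numeric, not lexicographic
            if version < MIN_BASTION_API:
                problems.append("API version %d.%d is below the minimum 2.3" % version)
    elif plugin in SUFFIX:
        if not parts.path.endswith(SUFFIX[plugin]):
            problems.append("URL must end with " + SUFFIX[plugin])
    else:
        raise ValueError(f"unknown plugin {plugin!r}")
    return problems


if __name__ == "__main__":
    for plugin, url in [
        ("bastion", "https://bastion.example.com/api/v2.10"),
        ("bastion", "https://bastion.example.com/api/v2.2"),
        ("thycotic", "https://vault.mycompany.com/SecretSever"),
    ]:
        print(url, "->", validate_vault_url(plugin, url) or "ok")
```

The last sample URL is off by one letter in its suffix, the kind of mistake that only surfaces at the first checkout attempt; checking the value before saving the global domain avoids that.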
The search is done through the specification of the secret ID number of the external vault's account
in the “Login” field of the target account in WALLIX Bastion. This target account is then used to map
the account in the vault of the Thycotic Secret Server secret management solution.
- On Thycotic Secret Server solution interface, the parameters of the account are as follows:
The URL mentioned on the above screenshot shows that the secret ID of the concerned account
is “26”.
- On WALLIX Bastion Web interface, the parameters defined for the Thycotic Secret Server plugin
are as follows:
As mentioned on the above screenshot, the value in “Login field” corresponds to the field
name storing the account login in the Thycotic Secret Server secret management solution, i.e.
“Username”. The value of the account login stored in the “Username” field is then “root”, as shown
on the previous screenshot.
- On WALLIX Bastion Web interface, the parameters defined for the target account are defined as
follows:
• the “Name” field contains the target account name which will be displayed on the selector of the
proxy client, i.e. “SSH_root”
• the “Login” field includes the secret ID number “26” to map the account in the Thycotic Secret
Server solution and retrieve the corresponding secret
Warning:
As the “Login” field includes the secret ID number, the option “copy from name” must
not be selected. This field must not correspond to the user name of the remote account.
• the password if it has been defined for the account either on the local or the remote WALLIX
Bastion
• the SSH private key if it has been defined for the account either on the local or the remote WALLIX
Bastion
• the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority
The “Checkout policies” page on the “Targets” menu allows you to:
Warning:
A default checkout policy called “default” is configured on WALLIX Bastion. You can edit
this policy but you cannot delete it.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
This creation page consists of the following tabs: “General” and “Accounts”.
Note:
This field must be entered if both the checkout duration and checkout extension have
been set. Moreover, this duration must be greater than or equal to the sum of the
values defined for the checkout duration and the extension.
If the duration extension is not set, this field must be empty or the value entered must
be the same as the one defined for the checkout duration.
• list the accounts associated with the related checkout policy. To do so, select the desired account
type from the drop-down list.
• edit an account associated with the checkout policy. To do so, select the desired account type from
the drop-down list, then click on the name of the account to display the related modification page.
For further information, refer to Section 10.4.1, “Add a target account to a global
domain”, page 159 to edit a global domain account, to Section 10.4.2, “Add a target account
to a device”, page 163 to edit a device account and to Section 10.4.3, “Add a target account to
an application”, page 165 to edit an application account.
• delete accounts linked to the checkout policy. To do so, select the desired account type from the
drop-down list, then check the box at the beginning of the line of the account(s) and click on the
“Delete” button.
Warning:
If access to target accounts is not allowed for a profile, then the profile members can
neither delete nor edit a password checkout policy.
Warning:
You cannot delete a password checkout policy if at least one target account is linked to
this policy.
10.9. Discovery
WALLIX Bastion embeds a specific module to provide continuous automatic discovery of assets on
configured networks and Active Directories and onboard the desired results.
The “Discovery” entry allows you to:
Note:
The “Discovery” entry will not be displayed on the Web interface if the “Enable
modules” option, accessible from “Configuration” > “Configuration options” > “Module
configuration”, section “main” is deselected. This option is displayed when the check box
of the “Advanced options” field at the top right of the page has been selected. It should
ONLY be changed upon instructions from the WALLIX Support Team!
The “View” right for the “Targets & accounts” and the “Settings” features must be set in
the user profile in order to view the pages in the “Discovery” entry.
The “Modify” right for the “Targets & accounts” and the “Settings” features must be set in
the user profile in order to modify the pages in the “Discovery” entry.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
For example, if 0 0 * * * or @daily is entered in this field, then the scan job is set to
run once a day at midnight. For further information, refer to https://en.wikipedia.org/w/
index.php?title=Cron#CRON_expression.
Lists of values are available below this field to help you define this period using the cron syntax.
• an option to enable the periodicity and thus set the automatic scan launch
• the email addresses of the recipients to be notified at the end of the scan. Once you have entered
an email, click on “+” at the end of the field. Once an email is added, you have the possibility to
delete it by clicking on the “-” red icon. You can add as many emails as necessary.
Once you have entered the fields, click on “Apply” to save the configuration or click on “Apply and
launch” to launch the scan immediately.
1. Check the box at the beginning of the line of the scan(s) you wish to launch.
2. Click on the “Launch manually” button to launch the scan(s) immediately.
Note:
The time at which the next scan job will be triggered is displayed in the “Next job”
column in the list of the configured scans.
• get information on a job by clicking on the data in the “Start date” column: it contains an access link
to a dedicated page. The “General” tab displays the scan configuration properties and the number
of discovered devices matching the scan filters. The “Raw results” tab lists all the discovered
assets during a successful job.
• cancel a running job if needed. To do so, select the desired job(s) whose status is “Running” by
checking the box at the beginning of the line(s) and click on the “Cancel” button.
• access the scan configuration page to edit the properties by clicking on the link in the “Scan
name” column.
1. Check the box at the beginning of the line of the devices you wish to onboard.
2. Click on the “Onboard” button. The devices are then onboarded within WALLIX Bastion and can
be managed from the “Devices” page on the “Targets” menu.
Note:
The status of the device is automatically set as “Onboarded” on the “General” tab
(accessible from the “Devices” page on the “Targets” menu).
1. Check the box at the beginning of the line of the device you wish to onboard.
2. Click on the data in the “Name” column and edit the desired data in the “Device to onboard”
window.
3. Click on the “Apply and onboard” button. The device is then onboarded within WALLIX Bastion
and can be managed from the “Devices” page on the “Targets” menu.
Note:
The status of the device is automatically set as “Onboarded” on the “General” tab
(accessible from the “Devices” page on the “Targets” menu).
• get information on the related jobs by clicking on the data in the “First discovery” and “Last
discovery” columns: they contain an access link to a dedicated page. The “General” tab displays
the scan configuration properties and the number of discovered devices matching the scan filters.
The “Raw results” tab lists all the discovered assets during the job.
• hide irrelevant devices if needed. To do so, select the desired devices by checking the box at the
beginning of the lines and click on the “Hide” button. The corresponding devices are then listed
on the “Hidden” view. They can be displayed again on the “To onboard” view by clicking on the
“Unhide” button. Hidden devices can also be onboarded if needed by clicking on the “Onboard”
button.
For each account, the user has the possibility to perform the following actions:
• click on "View" at the beginning of the line to display in another page the credentials of the related
account. In this case, the lock has been disabled at the level of the checkout policy associated
with this account: several users can then access the credentials at the same time.
• click on "Check out" at the beginning of the line to display the credentials of the related
account in another page. In this case, the lock has been enabled at the level of the checkout
policy associated with this account: only this user can access the credentials at this time. For
further information, refer to Section 10.8, “Checkout policies”, page 193.
Important:
If an approval is not necessary to access the credentials or has been accepted by
approvers, the user can directly check out the data. Otherwise, an error message
is displayed and the user must send a request to access the credentials. For
further information, refer to Section 11.1.1, “Password access through an approval
workflow”, page 202.
• click on "Check out remotely" at the beginning of the line to display in another page the credentials
of the related external vault account.
• identify an account that is locked because of an ongoing checkout. In this case, no action
can be performed until the lock is released.
• send a request to approvers to access the account's credentials by clicking on "Request" in the
"Approval" column at the end of the line. For further information, refer to Section 11.1.1, “Password
access through an approval workflow”, page 202.
When the user has access to the page listing the account's credentials, s/he can view:
• the name of the account being checked out mentioned above the frame
• the login of the account
• the credentials of the account, which can be:
– the password if it has been defined for the account either on the local or the remote WALLIX
Bastion
– the SSH private key if it has been defined for the account either on the local or the remote
WALLIX Bastion. This key can be downloaded in the OpenSSH or PuTTY key formats and can
be encrypted with a passphrase entered in the dedicated field.
– the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority. This certificate can be downloaded in the OpenSSH or ssh.com
formats.
On the page listing the account's credentials, the user can also:
• click on the "Check in" button to end check out. The user is then redirected to the page listing
the authorized target accounts. If the lock has been enabled in the checkout policy associated
with this account, this action also releases the lock of the account. For further information, refer
to Section 10.8, “Checkout policies”, page 193.
• click on the "Extend checkout" button if a checkout extension has been defined in the checkout
policy associated with the account. Otherwise this button is not displayed. This action extends the
checkout duration and can then be performed several times as long as the maximum duration has
not been reached. For further information, refer to Section 10.8, “Checkout policies”, page 193.
When the lock has been enabled in the checkout policy associated with this account, the latter
remains locked for the period defined within this policy. It is then necessary to click on the "Check
in" button to release the lock of the account before the end of checkout duration. Nonetheless,
the account is automatically checked in at the end of this duration and the user is redirected
to the page listing the authorized target accounts. The remaining time before automatic check-
in is displayed below the credentials. For further information, refer to Section 10.8, “Checkout
policies”, page 193.
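The lock, extension and automatic check-in behaviour described above, modelled as an added Python example (this is not code from the guide or from WALLIX, and the class names `CheckoutPolicy`, `TargetAccount`, `can_checkout` and the 10/30-minute durations, account name and user names in `timeline()` are constructed for illustration):

```python
"""Model of the checkout lock semantics of a checkout policy: checking out locks the
account for the policy duration (when the lock is enabled), the holder may extend it
up to the maximum duration, "Check in" releases it early, and the platform checks the
account in automatically when the duration elapses. Names and durations are assumptions."""
from datetime import datetime, timedelta

class AccountLocked(Exception):
    """Raised when another user holds the lock on the account."""

class CheckoutPolicy:
    def __init__(self, duration, max_duration, extension=None, lock=True):
        self.duration, self.max_duration = duration, max_duration
        self.extension, self.lock = extension, lock   # extension None: no "Extend checkout" button

class TargetAccount:
    def __init__(self, name, policy):
        self.name, self.policy = name, policy
        self.holder = self.started = self.expires = None

    def _auto_checkin(self, now):
        """Automatic check-in once the checkout duration has elapsed."""
        if self.expires is not None and now >= self.expires:
            self.holder = self.started = self.expires = None

    def checkout(self, user, now):
        """Lock the account for `user` and return the expiry time of the checkout."""
        self._auto_checkin(now)
        if self.policy.lock and self.holder not in (None, user):
            raise AccountLocked(f"{self.name} is checked out by {self.holder}")
        self.holder, self.started = user, now
        self.expires = now + self.policy.duration
        return self.expires

    def extend(self, user, now):
        """Extend by the policy extension, capped at the maximum duration since the checkout.
        Returns the new expiry, or None when the cap has already been reached."""
        self._auto_checkin(now)
        if self.policy.extension is None:
            raise ValueError("the checkout policy defines no extension")
        if self.holder != user:
            raise AccountLocked("only the current holder can extend the checkout")
        capped = min(self.expires + self.policy.extension, self.started + self.policy.max_duration)
        if capped == self.expires:
            return None
        self.expires = capped
        return self.expires

    def checkin(self, user, now):
        """'Check in' button: release the lock before the duration ends."""
        self._auto_checkin(now)
        if self.holder == user:
            self.holder = self.started = self.expires = None

    def remaining(self, now):
        """Time left before automatic check-in (shown below the credentials), or None."""
        self._auto_checkin(now)
        return None if self.expires is None else self.expires - now

def can_checkout(account, user, now):
    """Non-raising probe: may `user` check the account out right now?"""
    account._auto_checkin(now)
    return not (account.policy.lock and account.holder not in (None, user))

def timeline():
    """Constructed walk-through: 10-minute checkout, 10-minute extensions, 30-minute cap."""
    policy = CheckoutPolicy(timedelta(minutes=10), timedelta(minutes=30), timedelta(minutes=10))
    acc = TargetAccount("root@db1", policy)
    t0 = datetime(2021, 3, 4, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    fmt = lambda t: None if t is None else t.strftime("%H:%M")
    return [
        ("alice checks out at 09:00, expires", fmt(acc.checkout("alice", m(0)))),
        ("bob may check out at 09:01", can_checkout(acc, "bob", m(1))),
        ("minutes remaining at 09:04", int(acc.remaining(m(4)).total_seconds() // 60)),
        ("extend at 09:05, expires", fmt(acc.extend("alice", m(5)))),
        ("extend at 09:06, expires", fmt(acc.extend("alice", m(6)))),
        ("extend at 09:07, expires", fmt(acc.extend("alice", m(7)))),
        ("bob may check out at 09:31", can_checkout(acc, "bob", m(31))),
    ]

if __name__ == "__main__":
    for label, value in timeline():
        print(f"{label}: {value}")
```

The third extension returns None because the cap of 30 minutes since the original checkout has been reached, and at 09:31 the automatic check-in has already released the lock, so a second user can check the account out.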
The user can click on the notepad icon at the beginning of the line to get a detailed view of the
request. The page provides a "Cancel request" button to cancel the approval requests which are
still valid.
Note:
A script can be called during the approval request creation, but also at the beginning and
end of each session within the request duration period, to manage the approval in an
external ticketing system. To do so, the path to this script is to be entered in the "Ticketing
interface path" field via "Configuration" > "Configuration Options" > "Global".
The script is then systematically called even if a ticket number is not specified in the
"Ticket" field. When the script receives a ticket number expected in format: "ticket=1234",
WALLIX Bastion takes into account this number and not the one specified in the "Ticket"
field.
A password change plugin can be selected during the creation/modification of a global or local
domain (refer to Section 10.3, “Domains”, page 148) and several parameters can be set depending
on the chosen plugin.
Table 11.1, “Plugin matrix - Part 1”, page 205, lists the following plugins:
• Cisco
• Dell iDRAC
• Fortinet FortiGate
• IBM 3270
• Juniper SRX
• LDAP and
• MySQL
Plugin matrix columns: plugin name; plugin version; TCP port no.; password change on global or local domain?; SSH key change on global or local domain?; SSH key and/or certificate supported?; host SSH key shared with proxies?; administrator account required on domain?; who is the administrator account?
• Cisco: version 1.0.2; TCP port 22; password change: Global/Local for a device; SSH key change: -; SSH key/certificate supported: -; host SSH key shared with proxies: No; administrator account required on domain: No; administrator account: user with "superuser" privileges / administrator account set for the device
• Dell iDRAC: version 1.1; TCP port 22; password change: Global/Local for a device; SSH key change: -; SSH key/certificate supported: -; host SSH key shared with proxies: No; administrator account required on domain: No; administrator account: root user with "Administrator" account privileges
• Fortinet FortiGate (the end of this row is cut off in the source text): version 1.0; TCP port 22; password change: Global/Local; SSH key change: Local for a; SSH key/certificate supported: Key; host SSH key shared with proxies: Yes; administrator account required on domain: Yes; administrator account: "admin" account with
• IBM 3270: version 1.0.0; TCP port 623; password change: Local for a device only; SSH key change: -; SSH key/certificate supported: -; host SSH key shared with proxies: No; administrator account required on domain: No; administrator account: user allowed to change passwords
• Juniper SRX: version 1.0; TCP port 22; password change: Local for a device only; SSH key change: -; SSH key/certificate supported: -; host SSH key shared with proxies: No; administrator account required on domain: No; administrator account: "admin" user with "super-user" privileges
• LDAP: version 1.0; TCP port 389; password change: Global/Local for a device; SSH key change: -; SSH key/certificate supported: -; host SSH key shared with proxies: No; administrator account required on domain: No; administrator account: user allowed to change passwords
• MySQL: version 1.0.3; TCP port 3306; password change: Global/Local for a device and an application; SSH key change: -; SSH key/certificate supported: -; host SSH key shared with proxies: No; administrator account required on domain: No; administrator account: superuser account with full privileges
Table 11.1. Plugin matrix - Part 1
Table 11.2, “Plugin matrix - Part 2”, page 207, lists the following plugins:
• Oracle
• Palo Alto PA-500
• Unix
• Windows and
• WindowsService
Plugin matrix columns: plugin name; plugin version; TCP port no.; password change on global or local domain?; SSH key change on global or local domain?; SSH key and/or certificate supported?; host SSH key shared with proxies?; administrator account required on domain?; who is the administrator account?
• Oracle: version 1.0.2; TCP port 1521; password change: Global/Local for a device and an application; SSH key change: -; SSH key/certificate supported: -; host SSH key shared with proxies: No; administrator account required on domain: No; administrator account: user with the "ALTER USER" system privilege
• Palo Alto PA-500: version 1.0; TCP port 22; password change: Local for a device only; SSH key change: -; SSH key/certificate supported: -; host SSH key shared with proxies: No; administrator account required on domain: No; administrator account: administrative account with superuser privileges
• Unix: version 1.1.1; TCP port 22; password change: Global/Local for a device; SSH key change: Global/Local for a device; SSH key/certificate supported: Key and certificate; host SSH key shared with proxies: Yes; administrator account required on domain: No; administrator account: root account with UID="0"
• Windows (the version, port and first columns of this row are missing from the source text): administrator account: account with the "Reset password" right set for the other accounts on the domain
• WindowsService: version 1.0; TCP port 5985 and/or 5986; password change: Global/Local for a device; SSH key change: -; SSH key/certificate supported: -; host SSH key shared with proxies: No; administrator account required on domain: Yes; administrator account: administrator account with Remote Management (WinRM) enabled
Table 11.2. Plugin matrix - Part 2
• Host: device hostname or IP address. This parameter is only required for a global domain.
• Port: device port number (SSH default port: 22)
• Enable password: privilege elevation password of the "enable" command. This parameter is
required.
• Host: device hostname or IP address. This parameter is only required for a global domain.
• Port: device port number (SSH default port: 22)
• Index: index of the privileged account. By default, it corresponds to index 2. This parameter is
required.
• iDRAC version: device version. By default, it corresponds to Dell iDRAC8. This parameter is
required.
• Host: device hostname or IP address. This parameter is only required for a global domain.
• Port: device port number (SSH default port: 22)
• Configuration: character string referring to the section of the configuration. Only the configuration
for the default "System admin" is currently supported.
Warning:
The administrator account is required on the local domain for this plugin. This
account should be first added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 152. Once the "Enable password change" option has been selected on the
domain modification page, select this account from the list in the "Administrator account"
field before selecting the Fortinet FortiGate plugin in the "Password change plugin" field.
• Port: system port number (3270 over TLS default port: 623). This parameter is required.
• Scenario: scenario labelled in plain text played by the plugin to change passwords. This
parameter is required.
This scenario includes the following commands and also accepts comments and empty lines:
• EXPECT: expects to receive a specific character string at a given offset which must be absolute,
starting from line 1 in the upper part of the terminal
• IF EXPECT/ELSE/FI: expects to receive a specific character string at a given offset which must
be absolute, starting from line 1 in the upper part of the terminal. If the string is found, the condition
in the TRUE block element is executed. Otherwise, the condition in the ELSE block element is
executed if the latter exists.
• MOVE_TO: moves the cursor to a given position starting from line and column 1 in the upper part
of the terminal (for example, command MOVE_TO:5:18 moves the cursor to line 5 column 18)
• PUT: writes a specific character string at the cursor position
• SEND_ENTER | SEND_PF3 | SEND_PF4 | SEND_PF5 | SEND_PF6 | SEND_PF7 | SEND_PF8: these
commands send the specific key (e.g. ENTER or PF7) to the terminal
• LOG_ERROR: writes the message specified as a parameter into the error logs
• LOG_SCREEN: writes the whole 3270 terminal screen and cursor position into the error logs
• QUIT: ends the session. The password is considered as unchanged.
Scenario example:
#######
# Script for MUSIC AS/390 emulator
# with TN3270 support
#######
####
# Welcome screen
EXPECT:16:Multi-User System for
SEND_ENTER
####
# Login screen
EXPECT:3:MUSIC Userid:
PUT:$account
MOVE_TO:5:18
PUT:$old_password
SEND_ENTER
####
# Login errors
IF EXPECT:7:Password incorrect
LOG_ERROR:Bad password !
QUIT
FI
####
#
EXPECT:1:Userid last signed
SEND_ENTER
####
# Change password
EXPECT:12:Change password
PUT:7
SEND_ENTER
####
# End of changing password
IF EXPECT:4:SELECT OPTION
PUT:X
ELSE
# Quit with an error
LOG_ERROR:Password has not been changed
# Print the terminal screen to syslog
LOG_SCREEN
QUIT
FI
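To show how the commands above fit together (absolute line numbers for EXPECT, cursor positioning for PUT, the IF EXPECT/ELSE/FI branch, QUIT leaving the password unchanged), here is an added Python interpreter for this scenario language, run against a constructed in-memory terminal. It is not code from the guide, from WALLIX or from the plugin: the `Terminal`, `run_scenario`, `music_host` and `change_password` names, the host's screen texts, field positions and menu flow are all assumptions, and `SCENARIO` is a condensed copy of the example above.

```python
"""Interpreter for the IBM 3270 plugin's scenario language (EXPECT, IF EXPECT/ELSE/FI,
MOVE_TO, PUT, SEND_*, LOG_ERROR, LOG_SCREEN, QUIT), driven against a constructed
in-memory 24x80 terminal rather than a real TN3270 host. Names are assumptions."""
ROWS, COLS = 24, 80

class Terminal:
    def __init__(self, host):                  # host(term, key) repaints the screen on a key
        self.host, self.log = host, []
        host(self, None)                       # the host paints its first screen
    def show(self, rows, cursor=(1, 1)):       # rows: {line number (1 = top): text}
        self.rows = [rows.get(n, "").ljust(COLS) for n in range(1, ROWS + 1)]
        self.cursor = cursor
    def expect(self, line, text):              # absolute line, counted from line 1
        return text in self.rows[line - 1]
    def text_at(self, line, col):              # what was typed from (line, col) onwards
        return self.rows[line - 1][col - 1:].strip()
    def put(self, text):                       # overwrite at the cursor and advance it
        r, c = self.cursor
        row = self.rows[r - 1]
        self.rows[r - 1] = (row[:c - 1] + text + row[c - 1 + len(text):])[:COLS]
        self.cursor = (r, c + len(text))

def run_scenario(script, term, variables):
    """True when the script runs to its end (password changed), False on QUIT or a failed
    EXPECT. IF/ELSE nesting is a stack of (block active, a branch already taken)."""
    stack = []
    active = lambda: all(a for a, _ in stack)
    def found(arg):                            # "line:text" -> is text present on that line?
        n, _, text = arg.partition(":")
        return term.expect(int(n), text)
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and empty lines are accepted
            continue
        cmd, _, arg = line.partition(":")
        if cmd == "IF EXPECT":
            hit = active() and found(arg)
            stack.append((hit, hit))
        elif cmd == "ELSE":
            _, taken = stack.pop()
            stack.append((active() and not taken, True))
        elif cmd == "FI":
            stack.pop()
        elif not active():
            continue
        elif cmd == "EXPECT":
            if not found(arg):
                term.log.append(f"unexpected screen, wanted {arg!r}")
                return False
        elif cmd == "MOVE_TO":
            term.cursor = tuple(int(x) for x in arg.split(":"))
        elif cmd == "PUT":
            for name, value in sorted(variables.items(), key=lambda kv: -len(kv[0])):
                arg = arg.replace("$" + name, value)   # $account, $old_password, ...
            term.put(arg)
        elif cmd.startswith("SEND_"):          # SEND_ENTER, SEND_PF3 ... SEND_PF8
            term.host(term, cmd[5:])
        elif cmd == "LOG_ERROR":
            term.log.append(arg)
        elif cmd == "LOG_SCREEN":
            term.log.append("\n".join(r.rstrip() for r in term.rows) + f"\ncursor={term.cursor}")
        elif cmd == "QUIT":
            return False
    return True

def music_host(good_password):
    """Constructed stand-in for the MUSIC host of the guide's example (not a real emulator)."""
    state = {"step": "welcome"}
    def host(term, key):
        step = state["step"]
        if key is None:
            term.show({16: "Multi-User System for Interactive Computing"})
        elif step == "welcome":
            state["step"] = "login"
            term.show({3: "MUSIC Userid:", 5: "Password:"}, cursor=(3, 15))
        elif step == "login":
            if term.text_at(5, 18) == good_password:
                state["step"] = "signed"
                term.show({1: "Userid last signed on 2021-03-01"})
            else:
                term.show({7: "Password incorrect"})
        elif step == "signed":
            state["step"] = "menu"
            term.show({12: "7  Change password", 22: "Option ==>"}, cursor=(22, 12))
        elif step == "menu":
            term.show({4: "SELECT OPTION" if term.text_at(22, 12) == "7" else "INVALID OPTION"})
    return host

SCENARIO = "\n".join([                         # condensed from the guide's MUSIC example
    "EXPECT:16:Multi-User System for", "SEND_ENTER",
    "EXPECT:3:MUSIC Userid:", "PUT:$account", "MOVE_TO:5:18", "PUT:$old_password", "SEND_ENTER",
    "IF EXPECT:7:Password incorrect", "LOG_ERROR:Bad password !", "QUIT", "FI",
    "EXPECT:1:Userid last signed", "SEND_ENTER",
    "EXPECT:12:Change password", "PUT:7", "SEND_ENTER",
    "IF EXPECT:4:SELECT OPTION", "PUT:X",
    "ELSE", "LOG_ERROR:Password has not been changed", "LOG_SCREEN", "QUIT", "FI"])

def change_password(account, old_password, new_password, host_password):
    variables = {"account": account, "old_password": old_password, "new_password": new_password}
    term = Terminal(music_host(host_password))
    return run_scenario(SCENARIO, term, variables), term.log
```

With the right old password the script reaches its end and the change counts as done; with a wrong one the IF EXPECT on line 7 matches, the LOG_ERROR message is recorded and QUIT ends the session with the password considered unchanged.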
Warning:
The administrator account is required on the local domain for this plugin when the
variables $admin_login and $admin_password are specified in the scenario. This
account should be first added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 152. Once the "Enable password change" option has been selected on the
domain modification page, select this account from the list in the "Administrator account"
field before selecting the IBM 3270 plugin in the "Password change plugin" field.
Warning:
If an administrator account has been set on the domain for this plugin, then the
parameters of this account will be used to connect to the LDAP or Active Directory.
Those defined in the “Administrator Bind DN” and “Administrator password” fields are
then not considered.
This account should be first added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 152. Once the "Enable password change" option has been selected on
the domain modification page, select this account from the list in the "Administrator
account" field prior to select the LDAP plugin in the "Password change plugin" field.
• Password attribute: password attribute required for password change. It corresponds to the LDAP
attribute “userPassword” by default. This parameter is required.
• User DN format: syntax of the user DN used to specify the account concerned by password
change. By default, it corresponds to the string “CN=${USER},DC=dev,DC=example,DC=com”
where parameter “${USER}” will be replaced by the user name. This format is also used for the
administrator account which may be set on the domain for this plugin. This parameter is required.
• Custom parameters: additional custom attributes to be specified for password change.
These parameters may be required by the server and depend on its configuration. Each
“parameter=value” pair must be labelled on a single line.
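The two fields above are string templates that end up inside an LDAP request, so the user name substituted for “${USER}” must be escaped as a DN attribute value and each custom parameter line must be well formed. The following added Python example (not code from the guide, from WALLIX or from the plugin; `escape_dn_value`, `build_user_dn` and `parse_custom_parameters` are hypothetical names) does both; the escaping follows RFC 4514 section 2.4, and the default template is the one quoted above:

```python
"""Build the user DN for the LDAP plugin from its "User DN format" template, escaping the
substituted user name per RFC 4514 so that a name containing DN metacharacters (",", "+",
"<", ...) cannot alter the structure of the DN, and parse the "Custom parameters" field
(one parameter=value pair per line). Function names are assumptions."""

DEFAULT_TEMPLATE = "CN=${USER},DC=dev,DC=example,DC=com"   # default quoted in the guide
DN_SPECIAL = set('"+,;<>\\')              # always escaped inside a value (RFC 4514 sec. 2.4)

def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)           # leading space/'#' and trailing space too
        else:
            out.append(ch)
    return "".join(out)

def build_user_dn(template, user):
    """Substitute ${USER} into the template, escaping the user name."""
    if "${USER}" not in template:
        raise ValueError('the "User DN format" must contain ${USER}')
    if not user:
        raise ValueError("empty user name")
    return template.replace("${USER}", escape_dn_value(user))

def parse_custom_parameters(text):
    """One "parameter=value" pair per line; blank lines are skipped, anything else is rejected."""
    params = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"line {number}: expected parameter=value, got {line!r}")
        if key in params:
            raise ValueError(f"line {number}: duplicate parameter {key!r}")
        params[key] = value.strip()
    return params

if __name__ == "__main__":
    print(build_user_dn(DEFAULT_TEMPLATE, "Doe, John"))    # constructed sample user name
    print(parse_custom_parameters("attr1=value1\n\nattr2 = value 2\n"))
```

Note that “=” is not in the mandatory escape set of RFC 4514; servers accept it unescaped inside a value, which is why the template's own “CN=” and “DC=” separators stay untouched while a comma in the user name is escaped.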
• Host: database hostname or IP address. This parameter is only required for a global domain.
• Port: database port number
The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 148) are defined as follows:
• Host: database hostname or IP address. This parameter is only required for a global domain.
• Port: database port number
• Service name: database service name (SID). This parameter is required.
• Admin mode: connection mode for the administrator account. The relevant mode can be selected
from the list of values. This parameter is set to implement reconciliation. When reconciliation is
implemented, the password is changed and the locked account is released.
• Host: system hostname or IP address. This parameter is only required for a global domain.
• Port: system port number (SSH default port: 22)
• Root password: password to connect as "root".
The root account may not be able to connect to the target to perform the password change via
SSH under certain circumstances, for security reasons. In this case, the plugin will refer to the
administrator account set for the domain to connect to the target and then use the root password
via the "su" command.
When reconciliation is needed, the authentication with password or SSH key is attempted for the
administrator account.
• Domain controller address: domain controller hostname or IP address. This parameter is only
required for a global domain.
• Administrator login and administrator password: login and password of a privileged account which
is allowed to change passwords of other accounts. These parameters are optional but note that
WALLIX Bastion cannot define the new password of an account if the former one is unknown.
These parameters correspond to the credentials of the account selected in the "Administrator
account" field defined on the domain page (refer to Section 10.3, “Domains”, page 148) and are
set to implement reconciliation.
To allow full operation of the automatic password change process on a standalone Windows
Server, this privileged account must be included in the administrator group.
To allow full operation of the automatic password change process on a Windows Server
configured with Active Directory, this privileged account must have the "Reset password" right
set for the other accounts on the domain. For further information on how to delegate permission
to reset passwords of Active Directory user accounts, refer to https://www.petri.com/delegate-
permission-reset-ad-user-account-passwords.
Warning:
To allow full operation of the automatic password change process in WALLIX Bastion, we
strongly recommend changing the default value set for the minimum password age at the
level of the Windows password policy. This value should be set to "0".
On the other hand, to avoid any timeout error when performing password change
on a target under Windows Server 2012, we recommend enabling the rule “Netlogon
Service(NP-In)” in the Windows firewall advanced settings.
Warning:
To allow full operation of the password change process on a Windows service, the
installation of PowerShell 3.0 or later and the activation of WinRM are required on the
Windows server.
The parameters to be set for this plugin during the creation/modification of a global domain (refer
to Section 10.3, “Domains”, page 148) are as follows:
• Name: name of the Windows Service for which the password must be changed. This parameter
is required.
• Transport: transport protocol used to authenticate to the WinRM server: Kerberos (default value),
CredSSP or NTLM. This parameter is required.
Warning:
If the transport protocol defined for this plugin is Kerberos, then the fields “Kerberos
realm”, “Kerberos KDC” and “Kerberos port” must be specified on the global domain
page of the administrator account selected during the definition of the reference. For
further information, refer to Section 10.3.1, “Add a global domain”, page 149.
• Restart the service: option to select if the Windows Service must be restarted after the password
change. When the Windows Service is deployed on multiple Windows servers, this service is
restarted successively on each server after the password change, in order to avoid an interruption
of the service.
Warning:
All passwords for which automatic change is configured, as described in Section 10.4.5,
“Change the credentials automatically for one or several accounts”, page 167, will be
replaced. You must therefore check that the emails containing the new passwords have
indeed been received and can be decrypted. We recommend testing the process first on
a single, non-administrator account.
WALLIX Bastion's performances can be affected by a large number of password changes.
This number can be set in the “Credential change thread pool dimension” field, accessible
from “Configuration” > “Configuration options” > “Global” > “Main” section. This field is
displayed when the “Advanced options” check box at the top right of the page is selected
and should ONLY be changed upon instructions from the WALLIX Support Team!
From the “Password change policies” page on the “Password management” menu, you can list,
add, edit or delete password change policies.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
Warning:
A default password change policy called “default” is configured in WALLIX Bastion. This
policy can neither be deleted nor edited.
From the “Password change policies” page, click on “+ Add” to display the password change policy
creation page.
For example, if 0 0 * * * or @daily is entered in this field, then the password change job is set
to run once a day at midnight. For further information, refer to https://en.wikipedia.org/
w/index.php?title=Cron#CRON_expression.
Lists of values are available below this field to define this period clearly using the cron syntax.
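The periodicity field here and the one on the scan configuration page in the “Discovery” section take the same five-field cron expression or “@daily”-style alias. The following added Python example (not code from the guide or from WALLIX; `parse_field`, `parse_cron`, `next_run` and `next_run_iso` are hypothetical names) expands each field and computes the next trigger time, which is the kind of value the “Next job” column shows. It goes beyond the two expressions quoted above: ranges, lists and steps are handled, and the day-of-month/day-of-week combination follows the usual Vixie cron rule (when both are restricted, either one matching is enough).

```python
"""Next trigger time of a 5-field cron expression or @alias, as entered in the scan and
password change policy periodicity fields. Function names are assumptions."""
from datetime import datetime, timedelta

ALIASES = {"@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *", "@monthly": "0 0 1 * *",
           "@weekly": "0 0 * * 0", "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
           "@hourly": "0 * * * *"}
# allowed (min, max) per field: minute, hour, day of month, month, day of week (0 = Sunday)
RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def parse_field(field, lo, hi):
    """Expand one field ('*', '5', '1-5', '*/15', '1,15', '1-5/2') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"invalid cron field {field!r}")
        values.update(range(start, end + 1, step))
    return values

def parse_cron(expr):
    """Resolve an @alias and return (raw fields, one set of allowed values per field)."""
    fields = ALIASES.get(expr.strip(), expr.strip()).split()
    if len(fields) != 5:
        raise ValueError("expected five fields or a known @alias")
    return fields, [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, RANGES)]

def next_run(expr, after):
    """First datetime strictly after `after` (minute resolution) that matches `expr`."""
    fields, (minutes, hours, doms, months, dows) = parse_cron(expr)
    both_restricted = fields[2] != "*" and fields[4] != "*"
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    limit = t + timedelta(days=366 * 5)          # e.g. "0 0 29 2 *" may be 4 years away
    while t < limit:
        if t.month not in months:                # jump to the 1st of the next month
            t = (t.replace(day=1, hour=0, minute=0) + timedelta(days=32)).replace(day=1)
            continue
        dom_ok, dow_ok = t.day in doms, (t.weekday() + 1) % 7 in dows
        if not ((dom_ok or dow_ok) if both_restricted else (dom_ok and dow_ok)):
            t = t.replace(hour=0, minute=0) + timedelta(days=1)
            continue
        if t.hour not in hours:
            t = t.replace(minute=0) + timedelta(hours=1)
            continue
        if t.minute not in minutes:
            t += timedelta(minutes=1)
            continue
        return t
    raise ValueError(f"{expr!r} never fires within five years of {after}")

def next_run_iso(expr, after_iso):
    """String convenience wrapper: ISO 8601 in, 'YYYY-MM-DDTHH:MM' out."""
    return next_run(expr, datetime.fromisoformat(after_iso)).strftime("%Y-%m-%dT%H:%M")

if __name__ == "__main__":
    for expr in ("0 0 * * *", "@daily", "*/15 * * * *", "0 2 1 * *"):
        print(expr, "->", next_run_iso(expr, "2021-03-04T10:30"))   # constructed reference time
```

Times are computed in the local naive time of the datetime you pass in; the guide states that jobs are scheduled in the time zone configured for WALLIX Bastion, so pass a datetime in that zone.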
When the selected policy concerns a password change, the “Password generation” section
becomes accessible and lists the following fields:
• the password length, i.e. the number of characters the password must contain
• the number of non-alphanumeric ASCII characters (or special characters) which must be present
in the password
• the number of lowercase letters which must be present in the password
• the number of uppercase letters which must be present in the password
• the number of digits which must be present in the password
• the characters which must be excluded from the password. Once you have entered a character
in the field, click on “+” to add it to the forbidden character list. Once a character is added, you
have the possibility to delete it from the list by clicking on the “-” red icon.
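The fields above describe a character-class policy. As an added example (not code from the guide or from WALLIX; `check_policy` and `generate_password` are hypothetical names), the Python below validates a candidate against such a policy and generates a compliant password with the CSPRNG from the `secrets` module; it assumes that "special characters" means the printable non-alphanumeric ASCII set (`string.punctuation`), which is how the page describes them.

```python
"""Generate and check passwords against a policy with the same knobs as the "Password
generation" section: total length, minimum counts of special (non-alphanumeric ASCII),
lowercase, uppercase and digit characters, and forbidden characters. Random choices
come from the CSPRNG in `secrets`. Function names are assumptions."""
import secrets
import string

CLASSES = {"special": string.punctuation, "lower": string.ascii_lowercase,
           "upper": string.ascii_uppercase, "digit": string.digits}

def check_policy(password, length, special=0, lower=0, upper=0, digit=0, forbidden=""):
    """Return the names of the violated rules (an empty list means the password complies)."""
    mins = {"special": special, "lower": lower, "upper": upper, "digit": digit}
    violations = []
    if len(password) != length:
        violations.append("length")
    for name, alphabet in CLASSES.items():
        if sum(ch in alphabet for ch in password) < mins[name]:
            violations.append(name)
    if any(ch in forbidden for ch in password):
        violations.append("forbidden")
    if not all(ch in string.printable and ch not in string.whitespace for ch in password):
        violations.append("charset")             # only printable, non-blank ASCII allowed
    return violations

def generate_password(length, special=0, lower=0, upper=0, digit=0, forbidden=""):
    """Pick the required characters of each class first, fill the rest from the union of
    the allowed classes, then shuffle with a CSPRNG so class positions are not predictable."""
    mins = {"special": special, "lower": lower, "upper": upper, "digit": digit}
    if sum(mins.values()) > length:
        raise ValueError("the minimum counts add up to more than the password length")
    pools = {name: [c for c in alphabet if c not in forbidden] for name, alphabet in CLASSES.items()}
    chars = []
    for name, count in mins.items():
        if count and not pools[name]:
            raise ValueError(f"every {name} character is forbidden")
        chars += [secrets.choice(pools[name]) for _ in range(count)]
    union = [c for pool in pools.values() for c in pool]
    if not union:
        raise ValueError("every character is forbidden")
    chars += [secrets.choice(union) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):       # Fisher-Yates shuffle with secrets.randbelow
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

if __name__ == "__main__":
    policy = dict(length=20, special=3, lower=3, upper=3, digit=3, forbidden="0OIl1|")
    candidate = generate_password(**policy)
    print(candidate, check_policy(candidate, **policy))
```

Excluding look-alike characters such as `0OIl1` is a common use of the forbidden list when passwords may have to be read from a screen or typed by hand; the generator refuses a policy whose minimum counts cannot fit in the requested length or whose exclusions empty a required class.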
When the selected policy concerns an SSH key change, the “SSH key generation” section becomes
accessible and lists the following fields:
You will find below a summary table of the SSH key types and the corresponding sizes allowed:
When the selected policy concerns a password change and an SSH key change as well, both
sections become accessible and list the fields described above.
Warning:
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a password change policy.
Credentials in the bastion are automatically sent to the user every night at 2:34 a.m. in the time
zone in which WALLIX Bastion is located (as defined in the "Time Service" page on the "System"
menu): s/he receives an encrypted email containing the list of all the credentials for the target groups
gathered in the Bastion, depending on the scope of the limitations set for his/her profile.
Furthermore, the user receives an encrypted email containing the new password and/or SSH key
for the target account whenever the latter is changed (automatically or manually), depending on
the password change and checkout policies linked to the account. For further information, refer to
Section 10.4.5, “Change the credentials automatically for one or several accounts”, page 167 and
Section 10.4.6, “Change the credentials manually for a given target account”, page 168.
Important:
The user is notified when the following conditions are fulfilled:
• a public GPG key is declared for the user (refer to Section 7.3, “Setting your
preferences”, page 36)
• the user has the right to get the list of all the credentials in WALLIX Bastion: the
"Execute" right for the "Credential recovery" feature is set in his/her profile (refer to
Section 9.3, “User profiles”, page 86)
• the change (either automatic or manual) must be enabled:
– at the level of the domain: a password change policy and a password change
plugin must be linked to the domain. For further information, refer to Section 10.3,
“Domains”, page 148, Section 11.3, “Password change policies”, page 214 and
Section 11.2, “Password change plugins”, page 203.
– at the level of the target account: a checkout policy must be linked to the account
and the automatic password and/or SSH key change must be set, if so. For further
information, refer to Section 10.4, “Target accounts”, page 159 and Section 10.8,
“Checkout policies”, page 193.
Note:
The email containing the list of all the credentials can be decrypted using a PGP-
compatible tool. It is then required to decrypt the attachment separately and use a CSV
or JSON-compatible tool to open the attachment in this format.
• This icon allows the user to download an RDP configuration file or a shell script with the SSH
command (WALLIX-PuTTY on Windows or SSH on other systems) he/she can save to establish a
connection from an RDP or an SSH client (filename suffix .puttywab or .xsh or .rdp under Windows
and .sh or .remmina under Linux). In this case, the WALLIX Bastion password is required for the
connection.
• “Instant access (one-time password, limited in time)”: this icon allows the user to open the file
to immediately establish a connection from an RDP client (filename suffix .rdp under Windows
and .sh or .remmina under Linux). In this case, no password is required but the access is granted
for a limited period of time. This icon is also displayed for the connection to an application.
• “Instant access with WALLIX-PuTTY (one-time password, limited in time)”: this icon allows
the user to open the file to immediately establish a connection from an SSH client (filename suffix
.puttywab or .xsh under Windows and .sh under Linux). In this case, no password is required but
the access is granted for a limited period of time. For SSH authentication, see also Section 12.2,
“Target connection in interactive mode for SCP and SFTP protocols”, page 222.
Note:
The display of icons, and consequently the access to the file to establish a connection,
depends on the parameters set for the connection and file types related to RDP and SSH
according to the operating system via "Configuration" > "Configuration Options" > "GUI
(Legacy)", in the following fields:
When the authorization concerns a RAWTCPIP service, only the application WALLIX-
PuTTY allows the user to download or open the file to establish the connection (filename
Note:
In a load balancing process, it is possible to specify the WALLIX Bastion's FQDN or IP
address to which the user will be redirected to when accessing a target via "Configuration"
> "Configuration Options" > "GUI (Legacy)":
• in the field "Connection file fqdn standard": when the target is accessed by downloading
the configuration file
• in the field "Connection file fqdn otp": when the target is instantly accessed with one-
time password method.
To use the .puttywab files on Windows, the application WALLIX-PuTTY has to be downloaded and
installed from the link "Download WALLIX-PuTTY" displayed at the top of the page. This link is
only displayed when the workstation is running under Windows and the user is also authorized to
connect to at least one SSH target. The installation sets the file association so that the application
is started automatically. The installation does not require administrative privileges. However, the
installation is only operational for the logged user and not for all users of the workstation.
The "Options" area at the top left of the page allows the user to select the resolution and the color
depth for the RDP client window. The settings are saved for the workstation being used. Thus a user
can establish an RDP connection through a desktop or a laptop with different resolution settings
for each workstation.
For further information on RemoteApp mode, refer to Section 10.2.2, “Configure the application
launch using RemoteApp mode”, page 138.
Warning:
The RemoteApp sessions of a user connected simultaneously on one or several
applications are split by default when displayed from the "Current Sessions" and
"Session History" pages below the "Audit" menu. If the option "Rdp enable sessions
split" (accessible from "Configuration" > "Configuration Options" > "GUI (Legacy)" >
"main" section) is deselected, it may be possible to get an overlay view of these sessions.
The client Remote Desktop Connection (MSTSC) connected to Windows Server 2008
or 2012 does not allow several RemoteApp programs to share the same RDP session.
There will be as many RDP sessions created as the number of RemoteApp programs
launched.
Display issues related to the Microsoft client have been reported when using RemoteApp
mode and multiple monitors. Dysfunctions occur when the primary monitor is not located
in the upper left part of the virtual screen. The recommended workaround is to locate
the primary monitor in the upper left part of the virtual screen. Refer to https://
go.microsoft.com/fwlink/?LinkId=191444 for further information on the virtual
screen.
On the other hand, to allow glyphs support between iOS client and the RDP proxy and thus display
text properly on the selector when accessing sessions from mobile devices, the option "Bogus ios
glyph support level" is selected by default. This parameter can be managed via "Configuration" >
"Configuration Options" > "RDP proxy" > section "client".
Moreover, as the support of Unicode character set for keyboard event is necessary to operate
the Remote Desktop Connection client under iOS, the option "Unicode keyboard event support" is
selected by default. This parameter can be managed via "Configuration" > "Configuration Options"
> "RDP proxy" > section "globals".
As the keyboard behavior for VNC sessions depends on the target server environment, options
allow you to declare this environment and enable the corresponding behavior. These options can be
managed below the "vnc" section on the configuration page related to the connection policy for the
VNC protocol. This page can be accessed from "Session Management" > "Connection Policies":
Once the request is performed, the user is redirected to the "Sessions" page, where he/she can
view the status of the sent approval requests in the bottom table.
The user can click on the notepad icon at the beginning of the line to get a detailed view of the
request. The page provides a "Cancel request" button to cancel the approval requests which are
still valid.
Note:
A script can be called when an approval request is created, and also at the beginning and end of each session within the request duration period, to manage the approval in an external ticketing system. To do so, enter the path to this script in the "Ticketing interface path" field via "Configuration" > "Configuration Options" > "Global".
The script is then systematically called, even if no ticket number is specified in the "Ticket" field. When the script receives a ticket number in the expected format "ticket=1234", WALLIX Bastion takes this number into account instead of the one specified in the "Ticket" field.
When this script is called, it receives as a parameter the path to a file providing all the session information.
Example of information provided in the file during the approval request creation:
[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:19
duration=300
ticket=1234
comment=I have to install patches
session_id=
session_start=0
session_end=0
target_host=
[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:00
duration=300
ticket=1234
comment=I have to install patches
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:29
session_end=0
target_host=host1.mydomain.lan
[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:00
duration=300
ticket=1234
comment=I have to install patches
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:30
session_end=2017-09-22 10:12:34
target_host=host1.mydomain.lan
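As an added example, not part of this guide and not WALLIX's own code, the following Python script shows how a "Ticketing interface path" script could read the [request] file it receives as its argument and tell the three calls apart (request creation, session start, session end) from the session_id, session_start and session_end fields. The field names and sample values are those of the examples above; the classification rule and the ticketing-system calls (recorded in a list here) are assumptions.

```python
"""Constructed "Ticketing interface path" script (added example, not the
product's code).  WALLIX Bastion passes the path of a [request] file as the
only argument; the phase rule below and the ticket-system calls are assumed."""
import configparser
import sys

# Constructed sample with the same keys as the documented [request] file
# (values copied from the session-start example above).
SAMPLE_REQUEST = """[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:00
duration=300
ticket=1234
comment=I have to install patches
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:29
session_end=0
target_host=host1.mydomain.lan
"""


def parse_request_text(text):
    """Return the [request] section as a dict of strings (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("request"):
        raise ValueError("no [request] section in ticketing file")
    return dict(cp.items("request"))


def parse_request_file(path):
    with open(path, encoding="utf-8") as fh:
        return parse_request_text(fh.read())


def request_phase(req):
    """Assumed rule for telling the three calls apart:
    empty session_id -> the approval request is being created,
    session_end == 0 -> a session inside the approved period just started,
    otherwise        -> that session just ended."""
    if not req.get("session_id"):
        return "creation"
    if req.get("session_end", "0") == "0":
        return "session_start"
    return "session_end"


def handle_request(req, ticket_calls):
    """Dispatch to a hypothetical ticketing client; the calls are appended to
    ticket_calls so they can be inspected.  Returns the ticket number used, or
    None when the "Ticket" field was left empty (the script is still called)."""
    ticket = req.get("ticket") or None
    phase = request_phase(req)
    if phase == "creation":
        ticket_calls.append(("link_ticket", ticket, req["user"], req["target"],
                             req.get("comment", "")))
    elif phase == "session_start":
        ticket_calls.append(("note_session_start", ticket, req["session_id"],
                             req.get("target_host", "")))
    else:
        ticket_calls.append(("note_session_end", ticket, req["session_id"],
                             req["session_end"]))
    return ticket


def main(argv):
    # Without an argument, run on the embedded sample so the script works offline.
    req = parse_request_file(argv[1]) if len(argv) > 1 else parse_request_text(SAMPLE_REQUEST)
    calls = []
    handle_request(req, calls)
    for call in calls:
        print(call)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the script is invoked for every request, including those with an empty "Ticket" field, the dispatcher treats a missing ticket number as a normal case rather than an error.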
The question mark “?” is a forbidden character in the user name (or login), but it can be used as a separator to specify options (on its right) that explicitly request a prompt for the login and/or the password used to connect to the target.
A question mark “?” without any option requests the target password by default.
Examples:
Login: “wabuser?lp”: target login is prompted first then target password is prompted
The password is required when the authentication method PASSWORD_INTERACTIVE has been
selected at the level of the connection policy associated with the target (for further information, refer
to Section 12.4, “Connection policies”, page 236).
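An added example, not the guide's own code, of how the “?” separator could be split on the proxy side into the target login and the requested prompts. The meaning of the letters "l" (prompt for the login) and "p" (prompt for the password) is inferred from the "wabuser?lp" example above and is an assumption, as is the rejection of any other letter.

```python
"""Added example: parsing the login?options syntax described above.
The option letters are an assumption read off the "wabuser?lp" example."""

# Assumed mapping of option letters to prompts.
PROMPT_OPTIONS = {"l": "login", "p": "password"}


def is_valid_login(name):
    """'?' is reserved as the option separator and is forbidden inside a login."""
    return bool(name) and "?" not in name


def parse_target_login(typed):
    """Split what the user typed into (login, prompts).

    prompts is the ordered list of what the user asked to be prompted for:
    - no '?'           -> [] (stored credentials are used as usual)
    - a bare '?'       -> ["password"] (documented default)
    - '?lp'            -> ["login", "password"] (login prompted first)
    Raises ValueError on an empty login or an unknown option letter."""
    login, sep, opts = typed.partition("?")
    if not is_valid_login(login):
        raise ValueError("empty login before '?'")
    if not sep:
        return login, []
    if opts == "":
        return login, ["password"]
    prompts = []
    for letter in opts:
        if letter not in PROMPT_OPTIONS:
            raise ValueError("unknown prompt option %r" % letter)
        prompts.append(PROMPT_OPTIONS[letter])
    return login, prompts


if __name__ == "__main__":
    for typed in ("wabuser", "wabuser?", "wabuser?lp"):
        print(typed, "->", parse_target_login(typed))
```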
Note:
The generic term "connection" will be used throughout this section to refer to both SSH
and RDP connections.
On the top of the page, the auditor can choose to enable/disable automatic refresh of current session
data. When the corresponding option is enabled, you can set the refresh frequency. This may be
particularly useful when selecting the active connections to close.
Each line provides the following information:
Note:
Specific keywords must be entered in the “Search:” field above the table header to
search for RDP sessions:
– the rdp:app keyword to search for application sessions
– the rdp:notapp keyword to search for sessions which are not application sessions
The auditor can also close one or more connections on this page: to do so, check the box at the beginning of the line(s) to select the related connection(s), then click on the red icon in the column header to close the corresponding connection(s). WALLIX Bastion displays a dialogue box requesting a confirmation before permanently closing the connection(s).
Users connected through RDP or SSH are then informed that the connection has been closed by
the administrator, as shown below:
Note:
When closing a connection, the auditor can prevent the local user from connecting again.
This action can be set via "Configuration" > "Configuration Options" > "GUI (Legacy)",
then select the option "Audit kill session lock user". This option is deselected by default:
the function is disabled.
The auditor can click on the magnifying glass icon at the beginning of the concerned line in the
list to open a window to view the session in real-time. He/she can click again on this icon to close
the window.
Note:
The auditor can view the current SSH session even if the session recording option has
not been enabled at the level of the authorization defined for the user group and the target
group.
In the context of an RDP session, the auditor can enable the “Allow rt without recording”
option accessible from “Configuration” > “Configuration options” > “RDP proxy” > section
“video” to view the current RDP session for which the session recording option has not
been enabled in the authorization, defined for the user group and the target group. For
further information, refer to Chapter 14, “Authorization management”, page 269.
By enabling the “Enable osd 4 eyes” option accessible from “Configuration” >
“Configuration options” > “RDP proxy” > section “client”, a message is displayed for the
user to inform him/her that the session is being audited as soon as the auditor starts
viewing the RDP session in real-time.
Warning:
Session sharing and remote control on RDP current sessions are available through
WALLIX Bastion for targets under Windows Server 2012 and later versions supporting
“Remote Desktop Shadowing” feature for remote control.
The advanced configuration option “Session shadowing support” (accessible from
"Configuration" > "Configuration Options" > "RDP proxy" then section "mod_rdp") must
be enabled to allow session sharing and remote control on RDP current sessions through
WALLIX Bastion.
During this process, the auditor's session is recorded only if the user's session is also
recorded.
Note:
Only a single remote control request can be sent during the user's session.
The auditor will not be able to remotely control the user's session as long as the latter
has not accepted the request on the dedicated window.
Caution:
An auditor with limitations set on his/her profile can see the session history only if s/he is
allowed to view the authorization set for the session. This authorization is defined for a
user group and a target group s/he is allowed to view.
Warning:
This page shows only the closed sessions on targets. To get the view on the current
sessions, refer to Section 12.3.1, “Current sessions”, page 223.
This page does not show user authentications and thus user authentication failures
due to access rights. To get this information, refer to Section 12.3.8, “Authentication
history”, page 233. SIEM messages provide more information on authentications and
access rights. For further information, refer to Chapter 17, “SIEM messages”, page 296.
• the user name and source IP for the connection (set as follows: name@ipsource)
• the target accessed (set as follows: account@target:service)
• the target host or IP
• the source and destination protocols
Note:
Specific keywords must be entered in the “Search:” field above the table header to
search for RDP sessions:
– the rdp:app keyword to search for application sessions
– the rdp:notapp keyword to search for sessions which are not application sessions
Note:
The file size of the session recording is not displayed when the session has been initiated from a version earlier than WALLIX Bastion 6.2.
• an icon representing the result of the connection. In the event of a failure, an auditor can get
more detail on the connection issue (e.g. wrong password, authentication to target failed, target
resource not available, session killed by the administrator or by a “Kill” action, etc.) by clicking
on the icon. This description can be updated if needed. In case of success, an auditor can add a
description in a dedicated area by clicking on the icon. The addition of comments into this area
is logged in the WALLIX Bastion audit log (i.e. "wabaudit"). For further information regarding this
log, refer to Section 8.5, “System logs”, page 47.
• the icon is displayed when the session has been shared between the user and the auditor with remote control. The information can then be displayed by hovering the mouse over the icon: it corresponds either to the auditor's remote control session or to the user's controlled session.
Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:
• a display selection: either all data, only the existing devices or only the existing applications
• the definition of a period
• the definition of the last N days
• a search for text occurrences in the columns. For further information, refer to Section 6.5.1,
“Search data”, page 31.
Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.
Some icons may be displayed at the beginning of the lines to allow specific actions:
• : this icon allows the auditor to download the session recording in the unprocessed format
ttyrec for the SSH session or in the pcap format (which can be viewed with the packet analyzer
Wireshark) for the RAWTCPIP session
• : this icon allows the auditor to download the visible content of the SSH session in a flat text
format (txt)
• : this icon allows the auditor to display the page to view the recording of the session. A viewer then allows you to step through the session video. The session information is displayed at the top of the page.
When viewing an SSH session, it is possible to get the transcription of the video and the session
metadata but also download the files transferred during the session in the dedicated areas below
the viewer.
Note:
When replaying the video of a RemoteApp application session, the area of the
content displayed in the RDP viewer can be set. This parameter can be managed
from "Configuration" > "Configuration Options" > "RDP proxy" then below section
"video", select the appropriate value in "Smart video cropping".
The recording for a session based on the RDP protocol includes both video and
automatic OCR of the applications running on the remote machine by detecting title
bars.
The algorithm used to detect the title bar content is very fast and thus allows real-time execution. However, it only works with "Windows Standard" windows, a default font size at 96 PPP (96 DPI) and a colour depth of 15 bits or more (15, 16, 24 or 32 bits; it does not work in 8-bit mode). In its current version, the OCR function will not work if the title bar style is changed, even to a visually very similar style such as "Windows classic", or if the title bar colour, style, font size or resolution is changed. In addition, OCR is configured to detect only the title bars of applications featuring the three icons: close, minimize and maximize. If the title bar contains an icon, it will generally be replaced by question marks before the recognized text.
and displayed in this area. It is then possible to click on the entries in this list to browse quickly
through the film in the viewer.
On the "Activity" column, the auditor can click on "Show" to view the activity history for the account
on a dedicated page. This page displays a table listing the check-in and checkout operations on
the account's credentials recorded at a given date and time.
Caution:
An auditor with limitations set on his/her profile can see the activity history for the account
only if s/he is allowed to view both groups in the authorization set to view the account's
credentials.
On the "History" column, the auditor can click on "Show" to view the password change history for
the account on a dedicated page. This page displays information related to the password or SSH
key changes for the account at a given date and time.
Caution:
An auditor with limitations set on his/her profile can see the password change history for
the account only if s/he is allowed to view the related account.
On the "Actions" column, the "Force check-in" option is available for the accounts which are checked out by users. The auditor can click on this option to check in the credentials of the related account. Note that the current RDP or SSH session will not be closed when the account's credential check-in is forced.
Note:
The "Force check-in" option is always available for the accounts defined on a global
domain associated with an external password vault. In this case, the "External vault"
column contains a check mark for the relevant accounts.
• checkout
• checkout duration extension
• check-in and automatic check-in
• forced check-in
This information can be sent to a SIEM software if the routing is configured on WALLIX Bastion.
For further information, refer to Section 8.9, “SIEM integration”, page 52.
Note:
Some system logs saved in partition /var/log are stored for a maximum time period
of 5 weeks.
When the auditor displays the detail of a "pending" request, this action is logged in the WALLIX
Bastion audit log (i.e. "wabaudit"). For further information regarding this log, refer to Section 8.5,
“System logs”, page 47.
Caution:
An auditor with limitations set on his/her profile can see the approval history only if s/he is
allowed to view the authorization set to demand an approval request. This authorization
is defined for a user group and a target group s/he is allowed to view.
Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:
Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.
A click on the notepad icon at the beginning of the line allows the auditor to get a detailed view
of the request.
Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:
Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.
Filters can be defined at the bottom of the page to facilitate the search and restrict the display to
relevant records. The available filters are based on the selection among the WALLIX Bastion users
and/or devices and/or targets.
Once the charts have been generated, the auditor can click on those related to the WALLIX Bastion
and target connections to get the corresponding detail on the "Authentication History" page (refer
to Section 12.3.8, “Authentication history”, page 233) or the "Session History" page (refer to
Section 12.3.4, “Session history”, page 225).
A table in the header of the generated graphs lists the selected filters, and a button below the graphs allows you to download a .csv file presenting the related data.
If "Unused resources" is selected by the auditor, he/she can view the unused users or targets for a
given period of time. This period may be a date range or a number of days before the current date.
The data can either be displayed as a list directly on the current page or downloaded as a .csv file.
The mechanisms available for RDP, VNC, SSH, TELNET, RLOGIN and RAW TCP/IP protocols are
predefined in WALLIX Bastion and can neither be deleted nor edited.
On each of these pages, a useful description can be displayed for all the fields by selecting the check
box of the "Help on options" field on the right of the page. This description includes the required
format to be specified when entering data in the concerned field.
Warning:
The specific options displayed when the check box of the "Advanced options" field at
the top right of the page is selected should ONLY be changed upon instructions from
the WALLIX Support Team! An icon representing an exclamation mark on an orange
background is displayed near the concerned fields.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
• the definition of a transformation rule to get a login for secondary connection. For further
information, refer to Section 12.6, “Transformation rule to get a login for secondary
connection”, page 239.
• the definition of a transformation rule to get the credentials of an account in the vault. For further
information, refer to Section 12.7, “Transformation rule to get credentials of an account in the
vault of WALLIX Bastion”, page 240.
For the connection policies based on the TELNET or RLOGIN protocols, a sequence of commands
must be entered in the "Scenario" field to define an authentication. A connection scenario is defined
by default but it can be modified. For further information, refer to Section 12.14, “TELNET/RLOGIN
connection scenario on a target device”, page 245.
For the connection policies based on the SSH protocol, a startup scenario can be entered in the "Scenario" field (below the "startup scenario" section) to perform specific actions at the beginning of the session. For further information, refer to Section 12.16, “SSH startup scenario on a target device”, page 247.
The session probe can be enabled for the connection policies based on the RDP protocol. For
further information, refer to Section 12.19, “Using the session probe mode”, page 252.
Figure 12.14. "Connection Policies" page in addition mode for RLOGIN protocol
The fields in this page are the same as those in the connection policy creation page, except the
"Protocol" field which cannot be accessed.
Warning:
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a connection policy.
Warning:
You cannot delete a connection policy when the latter is linked to a device (at the level
of the service on the "Devices" page). For further information on how to link a connection
policy on a device, refer to Section 10.1.1, “Add a device”, page 124.
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a connection policy.
These records can be viewed from the "Session History" page on the "Audit" menu. For further
information, refer to Section 12.3.4, “Session history”, page 225 and Section 12.3.5, “Session
recordings”, page 227.
The encrypted recordings can only be read by the WALLIX Bastion instance which created them. The encryption algorithm used is AES-256-CBC. The recording is signed by computing an HMAC-SHA-256 fingerprint, and this fingerprint is checked at playback.
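To illustrate the "fingerprint checked at playback" step described above, here is an added example, not WALLIX's recording format or code: an HMAC-SHA-256 tag is computed over the stored (already encrypted) bytes and verified, with a constant-time comparison, before anything is played back. The AES-256-CBC layer is left out because the Python standard library has no AES; the key, the blob layout (tag appended to the ciphertext) and the sample bytes are constructed for the demonstration.

```python
"""Added example: integrity fingerprint over an encrypted recording.
Layout (assumed): <ciphertext><32-byte HMAC-SHA-256 tag>."""
import hashlib
import hmac
import os

FP_LEN = 32  # HMAC-SHA-256 digest size


def seal_recording(key, ciphertext):
    """Append the fingerprint to the encrypted recording (MAC over the ciphertext)."""
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_recording(key, blob):
    """Verify the fingerprint before playback.  Returns the ciphertext, or raises
    ValueError if the blob was modified, truncated, or sealed under another
    instance's key (which is why only the creating instance can read it)."""
    if len(blob) < FP_LEN:
        raise ValueError("recording too short to carry a fingerprint")
    body, tag = blob[:-FP_LEN], blob[-FP_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("fingerprint mismatch: recording rejected")
    return body


def playback_allowed(key, blob):
    """Boolean wrapper a player could use before decrypting anything."""
    try:
        open_recording(key, blob)
        return True
    except ValueError:
        return False


def demo():
    """Returns (intact accepted, tampered rejected, foreign key rejected)."""
    key = os.urandom(32)                        # constructed per-instance key
    rec = b"\x00" * 16 + b"constructed ciphertext bytes"  # stands in for AES-CBC output
    sealed = seal_recording(key, rec)
    tampered = bytearray(sealed)
    tampered[20] ^= 0x01                        # flip one bit inside the body
    return (playback_allowed(key, sealed),
            playback_allowed(key, bytes(tampered)),
            playback_allowed(os.urandom(32), sealed))


if __name__ == "__main__":
    print(demo())
```

Checking the tag over the ciphertext before decrypting means a corrupted or edited file is refused outright instead of producing garbage frames in the viewer.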
• a user account login if the target account is included in a group configured for account
mapping (for further information, refer to Section 10.5.1.4, “Configure a target group for session
management through account mapping”, page 173)
• a login of an account in the vault of WALLIX Bastion if the target account is included in a group configured for session management from accounts in the vault (for further information, refer to Section 10.5.1.2, “Configure a target group for session management from an account in the vault”, page 172).
This rule is set in the "Transformation rule " field on the configuration page for the related connection
policy, accessible from "Session Management" > "Connection Policies".
The character string includes the required field ${LOGIN} and possibly the optional field ${DOMAIN}
in an LDAP mapping context.
The transformation rule returns the string and replaces the fields ${LOGIN} and ${DOMAIN} with
the appropriate values (i.e. the login and domain).
Note:
The transformation rule defined is ignored if the target account is included in a
group configured for interactive login (for further information, refer to Section 10.5.1.5,
“Configure a target group for session management through interactive login”, page 174).
• the target account is included in a group configured for account mapping (for further information,
refer to Section 10.5.1.4, “Configure a target group for session management through account
mapping”, page 173)
• the authentication method PUBKEY_VAULT and/or PASSWORD_VAULT must be selected at the
level of the connection policy associated with the target
This rule is set in the "Vault transformation rule " field on the configuration page for the related
connection policy, accessible from "Session Management" > "Connection Policies".
A regular expression (or "regex") can be specified for transformation using this syntax: ${USER:/
regex/substitution}. For example, all user logins beginning with "A" will be replaced by "B" if the
${USER} variable is specified as follows: ${USER:/^A/B}.
The transformation rule returns the string and replaces the fields with the appropriate values.
The result corresponds to the syntax of the existing account in the vault and for which credentials
are to be retrieved.
If the login of the connecting user begins with "adm_", this prefix is replaced with "adm_domain1_". Then, "@domain1" is appended to the login.
In the above example, the user login "adm_jdoe" is thus replaced with "adm_domain1_jdoe".
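The following added example, not the product's implementation, expands both kinds of transformation rule described above: the login rule built from ${LOGIN} and ${DOMAIN}, and the vault rule built from ${USER} including the ${USER:/regex/substitution} form. The rule "${USER:/^adm_/adm_domain1_}@domain1" is an assumed reconstruction of the example whose figure is not reproduced on this page, and the regex semantics are those of Python's re module, which is an assumption about the product's engine.

```python
"""Added example: expanding ${USER}, ${LOGIN}, ${DOMAIN} and
${USER:/regex/substitution} fields of a transformation rule."""
import re

# ${NAME} or ${NAME:/regex/substitution}; a '/' inside the regex may be escaped as '\/'.
FIELD_RE = re.compile(r"\$\{(USER|LOGIN|DOMAIN)(?::/((?:[^/\\]|\\.)*)/([^}]*))?\}")


def apply_rule(rule, user=None, login=None, domain=None):
    """Return the rule with every field replaced by its value.
    user   -> ${USER}   (login of the connecting WALLIX Bastion user)
    login  -> ${LOGIN}  (login for the secondary connection)
    domain -> ${DOMAIN} (optional, LDAP mapping context)
    Raises ValueError when the rule references a field with no value."""
    values = {"USER": user, "LOGIN": login, "DOMAIN": domain}

    def replace(match):
        name, regex, subst = match.group(1), match.group(2), match.group(3)
        value = values[name]
        if value is None:
            raise ValueError("rule references ${%s} but no value was supplied" % name)
        if regex is None:
            return value
        # Assumption: every match of the regex is substituted, as re.sub does.
        return re.sub(regex, subst, value)

    return FIELD_RE.sub(replace, rule)


if __name__ == "__main__":
    # Assumed reconstruction of the documented "adm_" example.
    print(apply_rule("${USER:/^adm_/adm_domain1_}@domain1", user="adm_jdoe"))
    print(apply_rule("${USER:/^A/B}", user="Alice"))
    print(apply_rule("${DOMAIN}\\${LOGIN}", login="jdoe", domain="CORP"))
```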
The files which can be verified are those transferred via the SFTP and SCP subprotocols (SFTP_SESSION, SSH_SCP_UP and SSH_SCP_DOWN) during an SSH session, and via the copy/paste function through the clipboard (RDP_CLIPBOARD_FILE) during an RDP session.
File verification does not interfere with file transfer. The status returned by the ICAP server is logged:
• in the session metadata displayed from the "Session History" page on the "Audit" menu,
in the "Session metadata" area. For further information, refer to Section 12.3.4, “Session
history”, page 225 and Section 12.3.5, “Session recordings”, page 227.
• in SIEM messages, if the routing to a SIEM software is configured on WALLIX Bastion. For
further information, refer to Section 8.9, “SIEM integration”, page 52 and Chapter 17, “SIEM
messages”, page 296.
• for the files transferred as an “upload” operation from client to server (e.g. an antivirus software)
and
• for the files transferred as a “download” operation from server to client (e.g. a DLP solution)
The settings of ICAP servers can be defined from "Configuration" > "Configuration Options" > "RDP
proxy" (for RDP protocol) or "SSH proxy" (for SSH protocol) within the following sections:
• [icap_server_up] to configure the ICAP server for files transferred as an “upload” operation and
• [icap_server_down] to configure the ICAP server for files transferred as a “download” operation
• “Enable up”: option to select to enable verification of files transferred as an “upload” operation
by the ICAP server. The latter is configured in section [icap_server_up] from the configuration
options of the related proxy (accessible from "Configuration" > "Configuration Options" > "RDP
proxy" or "SSH proxy").
• “Enable down”: option to select to enable verification of files transferred as a “download” operation
by the ICAP server. The latter is configured in section [icap_server_down] from the configuration
options of the related proxy (accessible from "Configuration" > "Configuration Options" > "RDP
proxy" or "SSH proxy").
When the connection policy is defined on the RDP protocol, the section [file_verification] also allows you to enter the following parameters:
• “Clipboard text up”: option to select to enable verification of text transferred as an “upload”
operation from the copy/paste function via the clipboard by the ICAP servers. The “Enable up”
option must be selected to allow this verification.
• “Clipboard text down”: option to select to enable verification of text transferred as a “download”
operation from the copy/paste function via the clipboard by the ICAP servers. The “Enable down”
option must be selected to allow this verification.
To do so, on the configuration page for the related connection policy, the parameters to be entered
in section [file_verification] are as follows:
• “Block invalid file up”: option to select to block file transfer for an “upload” operation when files
have been detected as invalid during verification
• “Block invalid file down”: option to select to block file transfer for a “download” operation when
files have been detected as invalid during verification
Note:
Session recording must be enabled for the authorization defined (see Section 14.1, “Add
an authorization”, page 269) to allow the auditor to view and download the transferred
files from the "Session History" page on the "Audit" menu.
Note:
The smart card authentication is only possible for the connection to targets through the
interactive login mechanism.
• Select the “RDP SMARTCARD” proxy option for the RDP service associated with the related
device from the menu “Targets” > “Devices” then “Services” tab
• Select the “Force smartcard authentication” option accessible from “Session management” >
“Connection policies” > “RDP”, section [rdp].
Warning:
After enabling this option, Network Level Authentication (NLA) will be disabled.
The credentials of a possible associated target account can no longer be used.
• in the session metadata displayed from the "Session History" page on the "Audit" menu,
in the "Session metadata" area. For further information, refer to Section 12.3.4, “Session
history”, page 225 and Section 12.3.5, “Session recordings”, page 227.
• in SIEM messages, if the routing to a SIEM software is configured on WALLIX Bastion. For
further information, refer to Section 8.9, “SIEM integration”, page 52 and Chapter 17, “SIEM
messages”, page 296.
Warning:
Rejecting dynamic virtual channels may disturb RDP connections.
Warning:
When this option is enabled, the passwords entered during session are logged and then
displayed as plain text.
The following sequence (supported on a 3Com Superstack switch accessible via TELNET):
SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n
is interpreted as follows:
This sequence should also work for TELNET servers running under Windows.
For TELNET servers running under Unix or Linux, you should rather use the following sequence:
EXPECT:(?i)login:
SEND:$login\n
EXPECT:(?i)Password:
SEND:$password\n
For RLOGIN devices, only the password is expected. As an example, the following authentication
sequence has been tested for a RLOGIN connection to a Debian 5.0 lenny system:
EXPECT:(?i)Password:
SEND:$password\n
Note:
As a rule of thumb, login is already provided for SSH connections (in keyboard interactive
mode) and RLOGIN connections. It is necessary to provide it in the sequence only for
TELNET connections.
Warning:
This section is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!
The cryptographic algorithms allowed on target devices can be declared by specifying them in
specific fields below the "rdp" section on the configuration page related to the connection policy for
the RDP protocol. This page can be accessed from "Session Management" > "Connection Policies".
These fields are as follows:
• “Tls min level”: minimum TLS version level supported. By default, no minimum level is set in this
field to ensure highest compatibility with target servers.
• “Tls max level”: maximum TLS version level supported. By default, no maximum level is set in
this field to ensure highest compatibility with target servers.
• “Cipher string”: additional cryptographic algorithms used for TLSv1.2 connections supported
by client. By default, no value is specified in this field to apply system-wide configuration
corresponding to SSL security level 2. The value “ALL” must be set to support all cryptographic
algorithms and ensure highest compatibility with target servers.
• “Show common cipher list”: option to select to show in log files the list of common algorithms
supported by client and server
Note:
A startup scenario can also be used for Shell sessions on TELNET and RLOGIN
protocols. It can be declared by specifying the “Scenario” field below the “startup
scenario” section on the configuration page related to the connection policy defined for the
TELNET or RLOGIN protocol. This page can be accessed from “Session management”
> “Connection policies”.
12.16.1. Commands
A scenario is a sequence of commands separated by a carriage return: a line of the scenario
corresponds to a command.
A command is defined by a type and value pair separated by a colon ':' TYPE:VALUE.
A command starting with # will be ignored.
This startup scenario consists of a sequence of commands based on response request and data
sending. These commands are executed at the beginning of a Shell session related to an SSH
target. The syntax includes the following commands:
• SEND: this command sends the associated value to the server and then proceeds with the scenario.
The associated value may include a token (refer to Section 12.16.2, “Token”, page 248).
See the example below to send the interactive "sudo" command:
SEND:exec sudo -i
• EXPECT: this command waits for a response from the server in relation to the associated value
before continuing the execution of the scenario.
The associated value is a regular expression. It may include a token (refer to Section 12.16.2,
“Token”, page 248) which will be interpreted before the regular expression. This value must be
labelled in the server's language.
See the example below to wait for a command prompt:
EXPECT:.*@.*:~$
If after a given period of time, no response from the server corresponds to the associated value,
then the scenario fails.
12.16.2. Token
The value of a command may include a token.
A token is a part of the value which will be replaced by an attribute provided by the SSH proxy or
WALLIX Bastion.
A token is represented by the following syntax: ${type} or ${type:param} and is defined by a
type and an optional parameter.
The following token types can be used: login, password and user.
There is no parameter to provide for the user token type.
If no parameter is provided for the token types login and password, then the attribute will be the
one of the target account in the current session.
If a parameter is provided, it specifies the account in WALLIX Bastion for which the parameters
("login" and "password") are to be retrieved.
It is also possible to use placeholder attributes in the token parameter to specify a given scenario
account. The following placeholder attributes can be used:
See the example below of a script for switching user on a "root" account on the same device using
the "su" command:
SEND:exec su - root
EXPECT:Password:
SEND:${password:root@local@}
See the example below of an interactive access to a MySQL database on a global domain in WALLIX
Bastion:
SEND:exec mysql -u ${login:<account>_<device>@sqldomain} -p mybdd
EXPECT:password:
SEND:${password:login:<account>_<device>@sqldomain}
• "Enable": this check box allows to enable or disable the startup scenario. By default, this option
is disabled.
• "Scenario": a startup scenario can be declared in this field.
• "Show output": this check box allow to display or hide inputs/outputs on the Shell during the
scenario execution. By default, this option is enabled.
• "Timeout": this field allows to define the time period (expressed in seconds) before the failure of
an EXPECT command.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!
• "Ask startup": this check box allows to enable or disable a prompt to ask the user if he/she wishes
to run the scenario. By default, the scenario is necessarily executed.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!
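The scenario language above (SEND/EXPECT lines, ${type} and ${type:param} tokens, the EXPECT timeout) worked through as an added example that is not part of this guide or of the WALLIX product code: a small Python interpreter that expands tokens from a constructed credential store and runs the guide's "su" scenario against a scripted stand-in for the SSH target. The account names, the FakeServer class and the stored passwords are assumptions made for the example.

```python
import re
import time

# Constructed credential store standing in for the WALLIX Bastion vault:
# "<account>@<domain>" -> (login, password). Hypothetical values.
ACCOUNTS = {
    "root@local@": ("root", "constructed-root-pw"),
    "dba_db01@sqldomain": ("dba", "constructed-dba-pw"),
}

# ${type} or ${type:param}; the three token types named in Section 12.16.2.
TOKEN_RE = re.compile(r"\$\{(login|password|user)(?::([^}]*))?\}")


def expand_tokens(value, session):
    """Replace tokens in a SEND/EXPECT value.

    session holds the Bastion 'user' plus the 'login' and 'password' of the
    target account of the current session (used when no parameter is given).
    A parameter names another Bastion account whose login/password is used.
    """
    def repl(m):
        kind, param = m.group(1), m.group(2)
        if kind == "user":
            if param is not None:
                raise ValueError("the user token takes no parameter")
            return session["user"]
        if param is None:
            return session[kind]
        if param not in ACCOUNTS:
            raise KeyError(f"unknown account reference: {param}")
        login, password = ACCOUNTS[param]
        return login if kind == "login" else password
    return TOKEN_RE.sub(repl, value)


def parse_scenario(text):
    """Split a scenario into (command, value) pairs; only SEND and EXPECT exist."""
    steps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, sep, value = line.partition(":")
        if sep != ":" or cmd not in ("SEND", "EXPECT"):
            raise ValueError(f"malformed scenario line: {raw!r}")
        steps.append((cmd, value))
    return steps


class FakeServer:
    """Scripted stand-in for the SSH target (constructed for this example)."""
    def __init__(self, replies):
        self.replies = replies      # sent line -> text the server prints back
        self.sent = []
        self.pending = ""

    def send(self, line):
        self.sent.append(line)
        self.pending += self.replies.get(line, "")

    def read(self):
        out, self.pending = self.pending, ""
        return out


def run_scenario(text, session, server, timeout=2.0):
    """Execute the steps in order. An EXPECT whose regular expression does not
    match the server output within `timeout` seconds fails the scenario
    (the "Timeout" field). Returns (succeeded, lines sent)."""
    buf = ""
    for cmd, value in parse_scenario(text):
        value = expand_tokens(value, session)
        if cmd == "SEND":
            server.send(value)
            continue
        pattern = re.compile(value)       # EXPECT values are regexes
        deadline = time.monotonic() + timeout
        while True:
            buf += server.read()
            if pattern.search(buf):
                buf = ""
                break
            if time.monotonic() >= deadline:
                return False, server.sent
            time.sleep(0.01)
    return True, server.sent


# The "su" example from the guide, driven against the scripted server.
SU_SCENARIO = "SEND:exec su - root\nEXPECT:Password:\nSEND:${password:root@local@}\n"
SESSION = {"user": "alice", "login": "alice", "password": "constructed-alice-pw"}


def demo():
    server = FakeServer({"exec su - root": "Password: ",
                         "constructed-root-pw": "root@host:~# "})
    return run_scenario(SU_SCENARIO, SESSION, server, timeout=0.5)
```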
• on the "RDP proxy" configuration page by selecting "Enable transparent mode" below section
"globals"
• on the "SSH proxy" configuration page by selecting "Enable transparent mode" below section
"main"
In order to use the transparent mode, the network must be configured so that the RDP or SSH
traffic going to the targets is first redirected to a WALLIX Bastion user network interface. This can
be achieved using routing rules. WALLIX Bastion then acts as a gateway.
The proxy intercepts the traffic sent to the TCP port 3389 (for RDP and VNC protocols). Any traffic
not destined to WALLIX Bastion but intercepted by WALLIX Bastion on any other port (other
than 3389) is lost.
The proxy automatically selects the target by looking at the destination IP address of the
connection. When only a single target is identified by the address, the connection is performed
automatically without displaying the selector. In the other cases, the selector displays the list of
targets matching this address.
Moreover, it is possible to define a set of targets belonging to a subnet. This is achieved by entering
a subnet instead of an IP address in the "Device host" field during the creation of the device, from
the "Devices" page, by using a CIDR notation (<network address>/<number of mask bits>). For
further information on this configuration, refer to Section 10.1.1, “Add a device”, page 124.
If the destination IP address of the connection corresponds to several targets and at least one of
these is defined by an IP address (or FQDN), then the targets defined by subnets are ignored.
When only a single target is identified by the address, the connection is performed automatically
without the display of the selector.
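The selection rule described above (exact IP or FQDN matches take precedence over subnet-defined targets; one match connects directly, several open the selector; RDP traffic on a port other than 3389 is lost) as an added Python example, not code from this guide or from WALLIX; the device inventory, the hypothetical DNS table and the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    host: str   # what was typed in "Device host": IP, FQDN or CIDR subnet


# Constructed inventory; names and addresses are hypothetical.
TARGETS = [
    Target("web01", "10.0.1.10"),
    Target("web01-alias", "web01.example.internal"),
    Target("lab-subnet", "10.0.2.0/24"),
    Target("db01", "10.0.2.15"),
]

# Hypothetical name resolution; a deployment would query DNS here.
DNS = {"web01.example.internal": "10.0.1.10"}

RDP_PORT = 3389   # the only port the transparent RDP proxy intercepts


def host_kind(host):
    """Classify a Device host value as 'ip', 'subnet' or 'fqdn'."""
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return "fqdn"
    return "subnet" if "/" in host and net.num_addresses > 1 else "ip"


def matching_targets(dst_ip, targets=TARGETS, dns=DNS):
    """Targets whose Device host covers dst_ip. Exact (IP/FQDN) matches win;
    subnet matches only count when there is no exact match."""
    dst = ipaddress.ip_address(dst_ip)
    exact, by_subnet = [], []
    for t in targets:
        kind = host_kind(t.host)
        if kind == "subnet":
            if dst in ipaddress.ip_network(t.host, strict=False):
                by_subnet.append(t)
        elif kind == "ip":
            if ipaddress.ip_address(t.host) == dst:
                exact.append(t)
        else:
            resolved = dns.get(t.host)
            if resolved and ipaddress.ip_address(resolved) == dst:
                exact.append(t)
    return exact if exact else by_subnet


def route_rdp_connection(dst_ip, dst_port=RDP_PORT, targets=TARGETS, dns=DNS):
    """Decide what the transparent RDP proxy does with an intercepted flow.

    Returns ('dropped', []) for a non-3389 port, ('connect', target) for a
    single match, ('selector', targets) for several, ('none', []) otherwise.
    """
    if dst_port != RDP_PORT:
        return "dropped", []
    matches = matching_targets(dst_ip, targets, dns)
    if len(matches) == 1:
        return "connect", matches[0]
    if matches:
        return "selector", matches
    return "none", []
```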
Once the RDP or SSH transparent mode is enabled, the following parameters can be set to control
the proxy behavior:
• The option "Auth mode passthrough" (accessible from "Configuration" > "Configuration Options"
> "SSH proxy" for SSH; or "Configuration" > "Configuration Options" > "RDP proxy sesman"
for RDP) enables or disables authentication delegation. The latter prevents WALLIX Bastion
from performing the authentication when it receives a connection request. The request is
then forwarded directly to the target and WALLIX Bastion authorizes the connection if the
authentication by the target is successful. It allows to deploy WALLIX Bastion in an environment
where only the target knows the credentials; this is the case for some configurations of VMware
Horizon View for instance.
• The "Default login" field (accessible from "Configuration" > "Configuration Options" > "SSH proxy"
for SSH; or "Configuration" > "Configuration Options" > "RDP proxy sesman" for RDP) allows to
specify WALLIX Bastion user different from the RDP or SSH identity. In this case, the sessions and
their records will be associated to this WALLIX Bastion user. The RDP or SSH identity information
is registered in the target field when available.
Warning:
RDP clients based on FreeRDP may conflict with KeepAlive messages.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
• "Server keepalive type": this option enables the sending of the Keepalive message to the server
and also allows to choose the packet type to send. The value "none" is selected by default: the
function is then disabled.
• "Server keepalive interval": this option allows to specify the time interval in seconds between two
KeepAlive messages, when the function has been enabled by selecting the packet type to send
from the option "Server keepalive type". This value is set to "0" by default: the function is then
disabled.
Warning:
These fields are displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. They should ONLY be changed upon instructions
from the WALLIX Support Team!
The session probe can also block the TCP jump connections. A jump connection passes through a
WALLIX Bastion target to access another machine on the internal network. The session probe can
then detect and stop this type of connection.
The session probe provides protection of the passwords entered in the session by detecting the
input cursor into password input fields or a UAC (User Account Control) window. When such an
event occurs in the session, the session probe informs WALLIX Bastion so that the latter can pause
the collection of keyboard input data.
If WALLIX Bastion detects that it is not possible to recover the RDP session, the current connection
is closed and a new one will take over in a transparent way for the user.
12.19.3. Prerequisites
The session probe operates under a Windows operating system with the Remote Desktop services
supporting the "alternate shell" function.
Environments under Windows XP and servers from Windows Server 2003 support the smart
launcher.
When the smart launcher is used:
• the redirection of clipboard must be allowed by Remote Desktop Services (or Terminal Services)
on the target. This is the default setting.
• the keyboard shortcut Windows+R must be enabled at the level of the group policies for
the target (this is the default setting). Keyboard shortcuts can be disabled via "Local Group
Policy Editor" > "User Configuration" > "Administrative Templates" > "Windows Components" >
"Windows Explorer" or "File Explorer" > "Turn off Windows+X hotkeys" or "Turn off Windows Key
hotkeys".
The standard launcher only operates on targets under Windows Server and Windows XP
environments. It does not support targets under Windows 7, 8.x and 10.
From Windows Server 2008 and only when the standard launcher is used, it is
necessary to publish the "Command Prompt" (cmd.exe) as the RemoteApp program.
For further information, refer to https://technet.microsoft.com/en-gb/library/cc753788.aspx.
Moreover, all command line parameters must be allowed for this
program by selecting the radio button "Allow any command-line parameters" in the
"Remote Desktop Connection Program properties" dialog box. For further information, refer
to https://blogs.technet.microsoft.com/infratalks/2013/02/06/publishing-remoteapps-and-remote-session-in-remote-desktop-services-2012/.
The redirection of local disks must be allowed by Remote Desktop Services (or Terminal Services)
on the target. This is the default setting.
The temporary folder of the secondary account (Windows account) must allow at least 5MB free
disk space.
The Windows user account must be able to launch batch scripts and executables from its own
temporary directory (this is the default setting). A software restriction can be set via "Local
Group Policy Editor" > "Computer configuration" > "Windows Settings" > "Security Settings" >
"Software Restriction Policies" by adding a new rule in "Additional Rules".
When opening a new RDP session, applications that launch automatically at startup and require a
user account control (UAC) confirmation request may block the session probe. We recommend not
configuring the automatic launch of applications requiring a UAC confirmation request.
12.19.4. Configuration
The configuration of the session probe is set on the configuration page related to the connection
policy for the RDP protocol, which can be accessed from "Session Management" > "Connection
Policies". The section "session probe" lists the following parameters:
Select/deselect the check box to enable/disable the use of the Smart Launcher when launching
the session probe.
Warning:
Targets under Windows XP and Windows Server 2003 and later versions are supported.
Unless you wish to use the session probe when running an application, it is not necessary
to publish the command prompt (cmd.exe) as the RemoteApp program to use the smart
launcher.
The redirection of clipboard must be enabled by Terminal Services to be able to use the
smart launcher (this is enabled by default).
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Warning:
Only servers from Windows Server 2008 and above are supported!
This field allows to specify the maximum waiting time (expressed in milliseconds) between the
moment WALLIX Bastion sends a KeepAlive request to the session probe and the receipt of the
corresponding response.
WALLIX Bastion sends KeepAlive messages to the session probe on a regular basis. Without a
response from the latter and at the expiration of the period defined here, WALLIX Bastion will
consider that the session probe is no longer active and will stop the connection.
WALLIX Bastion can also stop the connection when the behavior selected in the "On keepalive
timeout" field corresponds to "1: disconnect user".
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Select the desired behavior when a loss of response to the KeepAlive message is detected.
The option "2: freeze session and wait for next keepalive response" freezes the current session
and displays an error message. The session will be reactivated upon receipt of the response to the
KeepAlive message.
If this check box is selected then disconnected sessions will be automatically closed by the session
probe.
Warning:
A network failure may cause the disconnection of the current RDP sessions. If this option
is enabled, any unsaved data will be lost.
If this check box is selected then the log files for the Windows session are stored in the user's
temporary directory.
We recommend not keeping this log active for a long period as it may be rather verbose and cause
hard disk saturation.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Select/deselect the check box to enable/disable the interaction of the session probe with the
WALLIX BestSafe agent. For further information, refer to Section 12.20, “Using the session probe
mode with the WALLIX BestSafe agent”, page 259.
• an inclusive port range, e.g.: "1024-65535". One of the two range values can be omitted. In this
case, "1" is the default value for the range beginning and "65535" is the default one for the range
end.
An authorization rule is formed with the $allow prefix. It allows the connection to remote hosts.
A notification rule is formed with the $notify prefix. It allows the connection to remote hosts and
the generation of a notification.
A prohibition rule is formed with the $deny prefix. It prohibits the connection. The $deny prefix
can be omitted. A rule formed with the $deny prefix has precedence over a rule formed with the
$notify prefix for the same connection address.
As an example, to prohibit all RDP jump connections, the following rule can be entered:
"$deny:0.0.0.0/0:3389" or "0.0.0.0/0:3389".
"Process monitoring rules" field
This field allows to specify the monitoring rules when processes are launched.
These rules are generally formed as follows: <$prefix:><search pattern>.
The rules are separated between them by a comma (",").
A notification rule is formed with the $notify prefix. It allows to generate a notification.
E.g.: $notify:notepad.exe: the opening of the application notepad.exe is notified but not forbidden.
A prohibition rule is formed with the $deny prefix. In addition to the notification, it stops the
process. The $deny prefix can be omitted. A rule formed with the $deny prefix has precedence
over a rule formed with the $notify prefix.
E.g. 1: $deny:notepad.exe: the opening of the application notepad.exe is forbidden and notified.
E.g. 2: notepad.exe,cmd.exe: the opening of the applications notepad.exe and cmd.exe is
forbidden and notified.
E.g. 3: $notify:notepad.exe,$deny:notepad.exe: same result as for E.g. 1 above.
Moreover, the rules formed with <$prefix:><@> apply to all the child processes of the application
(as defined via "Targets" > "Applications"). Thus, if this rule is:
• $deny:@, then the opening of any child process (whatever the name) is forbidden and notified
• $notify:@, then the opening of any child process (whatever the name) is notified but not forbidden
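An added Python evaluator for both rule fields above (the outbound connection rules with $allow/$notify/$deny and port ranges, and the process monitoring rules with @ for child processes); it is not WALLIX code. Assumptions: the connection rule host part is an IP address or CIDR block and the port part is mandatory, process patterns are matched case-insensitively and exactly against the executable name, $allow ranks below $notify (the guide only states that $deny wins over $notify), and when no rule matches the functions return None rather than guessing a default.

```python
import ipaddress

PREFIXES = ("$allow", "$notify", "$deny")
# Most restrictive verdict wins. The guide states $deny beats $notify;
# ranking $allow below both is an assumption of this example.
RANK = {"$deny": 2, "$notify": 1, "$allow": 0}


def split_rule(rule):
    """Return (prefix, body); a rule without prefix is a $deny rule."""
    rule = rule.strip()
    for p in PREFIXES:
        if rule.startswith(p + ":"):
            return p, rule[len(p) + 1:]
    if rule.startswith("$"):
        raise ValueError(f"unknown prefix in rule: {rule!r}")
    return "$deny", rule


def parse_ports(spec):
    """'3389' -> (3389, 3389); '1024-' -> (1024, 65535); '-1024' -> (1, 1024)."""
    if "-" not in spec:
        port = int(spec)
        return port, port
    lo, hi = spec.split("-", 1)
    lo = int(lo) if lo else 1          # omitted start defaults to 1
    hi = int(hi) if hi else 65535      # omitted end defaults to 65535
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return lo, hi


def parse_jump_rule(rule):
    """Connection rule <$prefix:><host or CIDR>:<port or range>.
    Host as IP/CIDR and a mandatory port part are assumptions; the guide
    only shows the 0.0.0.0/0:3389 form."""
    prefix, body = split_rule(rule)
    host, sep, ports = body.rpartition(":")
    if not sep or not host:
        raise ValueError(f"connection rule needs host:port, got {rule!r}")
    return prefix, ipaddress.ip_network(host, strict=False), parse_ports(ports)


def _rules(field):
    """Rules in a field are separated by commas."""
    return [r.strip() for r in field.split(",") if r.strip()]


def verdict_for_jump(field, dst_ip, dst_port):
    """'$deny', '$notify', '$allow', or None when no rule covers the flow."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for rule in _rules(field):
        prefix, net, (lo, hi) = parse_jump_rule(rule)
        if dst in net and lo <= dst_port <= hi:
            if best is None or RANK[prefix] > RANK[best]:
                best = prefix
    return best


def verdict_for_process(field, exe_name, is_child_of_app):
    """Process monitoring rule <$prefix:><search pattern>; the pattern '@'
    covers every child process of the published application."""
    best = None
    for rule in _rules(field):
        prefix, pattern = split_rule(rule)
        if pattern == "@":
            hit = is_child_of_app
        else:
            hit = pattern.lower() == exe_name.lower()   # assumed matching
        if hit and (best is None or RANK[prefix] > RANK[best]):
            best = prefix
    return best
```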
This field allows to specify the processes which must be ignored at end of application detection.
If this check box is selected then the data entered (such as passwords) in top-level windows of
applications are masked when no graphic component has been detected.
Warning:
This parameter only works if the value “2: passwords and unidentified texts are masked”
has been selected in “Keyboard input masking level” below section “session log”, for
information display in the session metadata.
If application executable files (e.g. "chrome.exe") are specified in this field, then the data entered
in the windows generated by these applications are masked.
Warning:
This parameter only works if the value “2: passwords and unidentified texts are masked”
has been selected in “Keyboard input masking level” below section “session log”, for
information display in the session metadata.
To enable the launch of the session probe from another location than the temporary directory of the
Windows user account, the procedure is as follows:
1. Create a new directory on the target which will be used as the startup directory by the session
probe.
Important:
All Windows users must have write permission.
2. Set an environment variable for all Windows users on the target pointing to this new directory.
Important:
The maximum length of the environment variable name is restricted to 3 characters.
3. Specify the name of this environment variable in the field “Alternate directory environment
variable” (displayed as an advanced option) below section “session probe” on the configuration
page related to the connection policy for the RDP protocol. This page can be accessed from
“Session Management” > “Connection Policies”.
Warning:
The session probe executable file will thus remain in the directory. This file will be
overwritten on next connection.
Note:
The interaction is supported from WALLIX BestSafe Enterprise version 4.0.0.
By default, the interaction with the WALLIX BestSafe agent is disabled. This parameter can be
managed via "Session Management" > "Connection Policies" > "RDP", then select the option
"Enable bestsafe interaction" below section "session probe".
• allow users to reconnect to their existing sessions in a load-balanced RD Session Host server
farm
• enable you to evenly distribute the session load among RD Session Host servers in a load-balanced
RD Session Host server farm
• provide users access to virtual desktops hosted on RD Virtualization Host servers and to
RemoteApp programs hosted on RD Session Host servers through RemoteApp and Desktop
Connection.
12.21.1. Prerequisites
WALLIX Bastion supports Remote Desktop Connection Broker with the following configuration:
• at least one server must have access to the role service RD Connection Broker
• at least one server must have access to the role service RD Licensing
• at least one server must have access to the role service RD Web Access
• role services RD Connection Broker, RD Licensing and RD Web Access can share the same
server
• several servers must have access to the role service RD Session Host
Caution:
We recommend not installing the role service RD Session Host on a server having access
to the role service RD Connection Broker.
RD Connection Broker cannot be used with a WALLIX Bastion cluster because the two
services interfere with each other. We strongly recommend giving priority to RD
Connection Broker in the context of load balancing.
It is not necessary to choose among Remote Desktop or RemoteApp collections when resources
are accessed via the WALLIX Bastion Web interface. Indeed, WALLIX Bastion uses RemoteApp
collections for all connections.
RD Connection Broker must be set on RD Session Host servers. This can be performed locally (on
each RD Session Host) with Local Group Policy Editor (gpedit.exe).
The values to edit are located on the following subfolders:
12.21.2. Configuration
RD Connection Broker must be declared on WALLIX Bastion as a target.
In order to reach RD Connection Broker directly (and not one of the RD Session Hosts), the field "Load
balance info" must be specified at the level of the RDP connection policy, via "Session Management"
> "Connection Policies".
This field must be filled with the information retrieved from the field "loadbalanceinfo:s:" in the .rdp
file saved from the Work Resources page on RD Web Access (https://<ip-rd_web_access>/rdweb/).
Here is an example of such information: tsv://MS Terminal Services Plugin.1.Sessions.
For further information on connection policies, refer to Section 12.4, “Connection
policies”, page 236.
From the “Connection messages” page on the “Configuration” menu, you can view and edit the
banner messages displayed to the users on primary and secondary connections according to their
preferred language. These messages are displayed on:
Note:
These messages are not displayed to users for the following sessions: SFTP, SCP
or remote command (SSH_REMOTE_COMMAND) with an SSH key for primary
authentication or a Kerberos ticket.
Note:
The “Dashboards” entry will not be displayed on the Web interface if the “Enable
modules” option, accessible from “Configuration” > “Configuration options” > “Module
configuration”, section “main” is deselected. This option is displayed when the check box
of the “Advanced options” field at the top right of the page has been selected. It should
ONLY be changed upon instructions from the WALLIX Support Team!
The data viewable from this dashboard corresponds primarily to user connections and target
connections.
Important:
Only the user whose profile is associated with the “Administration” dashboard is allowed
to view the “Administration” entry in the “Dashboards” menu.
For further information on user profiles, refer to Section 9.3, “User profiles”, page 86.
• The “Time filter” area allows the user to define the period of time for which s/he wants to view
the data. By default, this period corresponds to the last 7 days and can be edited by clicking on
the “Last week” value under “Time range”. A window is then displayed: it is possible to select
a predefined period on the “Defaults” tab or to define a date range or a number of days before
the current date on the “Custom” tab. It is then necessary to click on “OK” to generate the charts
corresponding to this period.
• The “User group filter” area allows the user to restrict the display in the charts by selecting one
or more user groups, according to the selected period of time.
• The “Target group filter” area allows the user to restrict the display in the charts by selecting one
or more target groups, according to the selected period of time.
Each filter area displays an icon on the top right indicating the number of corresponding active
filters. It is possible to click on this icon to view the active filters under the “Applied filters” section in
a dedicated window. This window may also display the unset filters under the “Unset filters” section.
Clicking on a filter type in these sections redirects to the corresponding filter area at the top
of the page to edit and/or add one or more criteria.
Once the relevant data is entered in the filter areas, a set of charts is displayed on the page and
the following actions are possible:
• highlight the desired data by clicking on the legend entry above the chart
• display the numerical data for a given day by hovering the mouse pointer over the chart
• edit the filters by clicking on the icon on the top right of the chart.
• the number of users connected over the defined period, the number of devices and accounts
declared within WALLIX Bastion
• the number of users connected, devices and accounts used for sessions over the last 7 days
compared to the previous week
• the number of users who have been inactive for 180 days and the number of devices and accounts
which have never been used for sessions.
A tabular view also presents the oldest connections by user group and by target account group.
• “Refresh dashboard”: this feature allows the user to instantly refresh all the components of the
dashboard
• “Set auto-refresh interval”: this feature allows the user to select a time interval between each
automatic refresh of the dashboard. This time interval is only saved for the current session.
• “Download as image”: this feature allows the user to download the dashboard in JPG format.
On the top right corner of each component of the “Live” and “KPIs” tabs, a contextual menu offers
the following actions:
• “Force refresh”: this feature allows the user to instantly refresh the data. The last refresh is also
indicated.
• “Maximize chart”: this feature allows the user to display the full screen view of the chart. It is
possible to return to the condensed view by clicking on the “Minimize chart” entry from this same
contextual menu.
• “Download chart”: this feature allows the user to download the chart in JPG format
• “Export CSV”: this feature allows the user to download the data of the chart as a .csv file.
From the “Audit” page on the “Dashboards” menu, it is possible to generate charts and tables from
statistical data defined in the filter areas.
The data viewable from this dashboard corresponds primarily to account, session, user group and
target account group activities.
Important:
Only the user whose profile is associated with the “Audit” dashboard is allowed to view
the “Audit” entry in the “Dashboards” menu.
By default, the user associated with the “product_administrator” or “auditor” profile can
access this menu entry.
For further information on user profiles, refer to Section 9.3, “User profiles”, page 86.
• The “Time filter” area allows the user to define the period of time for which s/he wants to view
the data. By default, this period corresponds to the last 7 days and can be edited by clicking on
the “Last week” value under “Time range”. A window is then displayed: it is possible to select
a predefined period on the “Defaults” tab or to define a date range or a number of days before
the current date on the “Custom” tab. It is then necessary to click on “OK” to generate the charts
corresponding to this period.
• The “User group filter” area allows the user to restrict the display in the chart by selecting one or
more user groups, according to the selected period of time.
• The “Target group filter” area allows the user to restrict the display in the chart by selecting one
or more target groups, according to the selected period of time.
Each filter area displays an icon on the top right indicating the number of corresponding active
filters. It is possible to click on this icon to view the active filters under the “Applied filters” section in
a dedicated window. This window may also display the unset filters under the “Unset filters” section.
Clicking on a filter type in these sections redirects to the corresponding filter area at the top
of the page to edit and/or add one or more criteria.
Once the relevant data is entered in the filter areas, a set of charts and tables is displayed on the
page. These charts and tables include:
• highlight the desired data by clicking on the legend entry above the chart
• display the numerical data for a given day by hovering the mouse pointer over the chart
• edit the filters by clicking on the icon on the top right of the chart.
• “Refresh dashboard”: this feature allows the user to instantly refresh all the components of the
dashboard
• “Set auto-refresh interval”: this feature allows the user to select a time interval between each
automatic refresh of the dashboard. This time interval is only saved for the current session.
• “Download as image”: this feature allows the user to download the dashboard in JPG format.
On the top right corner of each component of the “Audit” dashboard, a contextual menu offers the
following actions:
• “Force refresh”: this feature allows the user to instantly refresh the data. The last refresh is also
indicated.
• “Maximize chart”: this feature allows the user to display the full screen view of the chart. It is
possible to return to the condensed view by clicking on the “Minimize chart” entry from this same
contextual menu.
• “Download chart”: this feature allows the user to download the chart in JPG format
• “Export CSV”: this feature allows the user to download the data of the chart as a .csv file.
Authorizations are applied to user groups linked to target groups. All users in the same group inherit
the same authorizations.
From the "Manage Authorizations" page on the "Authorizations" menu, you can:
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
An authorization is a link created between a user group and a target group. You can create several
authorizations between these two groups.
the protocol. And conversely, move a protocol from the "Selected protocols/subprotocols" frame
to the "Available protocols/subprotocols" one in order to remove the association.
• a check box to enable or disable session recording. The type of recording depends on the protocol
to access the device.
• a check box to enable or disable password checkout. This option is selected by default for the
new authorization.
• a check box to enable or disable an approval workflow for the new authorization. For further
information, refer to Section 14.7, “Approval workflow”, page 275.
#wab820 authorization
Important:
The update of existing data when importing a .csv file overwrites old data.
(end of a row that begins on the previous page) | False if Approval required = False; True if Mandatory comment = True
Mandatory comment | Boolean | R | True or False | False | False if Approval required = False
Has ticket | Boolean | R | True or False | False
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, the approver can cancel a request before its expiration to inhibit further access from a
user to the target by clicking on the "Cancel" button.
For further information, refer to Section 14.7, “Approval workflow”, page 275.
Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:
Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.
By clicking on the notepad icon at the beginning of the line, the approver is redirected to a detailed
view of all the answers for the request.
Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, the approver can cancel a request before its expiration to inhibit further access from a
user to the target by clicking on the "Cancel request" button.
For further information, refer to Section 14.7, “Approval workflow”, page 275.
Figure 14.6. "My Approval History" - Approval request history detail page
An approver is a user who has been designated by a WALLIX Bastion administrator with the right
to approve: the "Modify" right for the "Manage Authorizations" feature is set in the approver's profile
(refer to Section 9.3, “User profiles”, page 86).
Approvers can decide to allow or reject the connection to a target or the access to the target
credentials. A request is approved when a quorum has been reached. The quorum is the minimum
number of favorable answers required for a particular authorization.
• for active periods, by specifying a value in "Quorum in authorized time frames". A quorum for the
active periods equal to 0 means that approvals are not required for active periods.
• for inactive periods, by specifying a value in "Quorum outside authorized time frames". A quorum
for inactive periods equal to 0 means that no connections are ever possible during inactive
periods.
A single connection can be defined for the approval. The user is then restricted to connect only
once during the approval duration.
A timeout in format [hours]h[mins]m can be defined for the approval. If the user has not
connected to the target and this timeout has been reached, then the status of the "accepted" request
automatically switches to "closed". When the approver accepts the request, this value is set as the
maximum value in the "Timeout" field on the form. The approver can reduce this value.
Note:
When the first approver accepts the request and the start date and time have been
reached:
– the start date and time of the request are then updated with the start date and time
of this action
– the end date and time are then extended for the request duration from this action
• a request is marked as "rejected" and subsequently dismissed as soon as an approver rejects it.
The user is then notified by email of the reason for the rejection.
• a request is "pending" as long as the quorum has not been reached and it has not been rejected.
If the request is no longer valid (i.e. its duration has expired), it is then marked as "closed" and it
is no longer possible for an approver to answer the request. Likewise, it is not possible to answer
requests that have been accepted or rejected.
Note:
A request is also marked as "closed" if one of the following elements has been deleted:
the requesting user and/or the concerned target and/or the concerned authorization.
An "accepted" request switches automatically to the "closed" status if the user has not
connected to the target and the timeout defined for the approval has been reached.
Each approver is given the possibility to reduce the duration of a request. The duration is
incrementally decreased: a subsequent approver, when answering the same request, sees the
reduced period and not the original one.
Users can view approval statuses for their requests on the "My Authorizations" menu.
When the quorum is reached, the user is notified by email. The session can then be started or the
target credentials can then be accessed for the allocated duration. If the session is disconnected
before the end of the duration, the user can start a new session without a new approval as long
as the period specified by the duration of the initial approval has not elapsed. To prevent a user
from reconnecting after the initial session, approvers can cancel the request.
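The request life cycle described above, modelled in Python as an added example (this code is not part of WALLIX Bastion; the class and method names are its own): quorum, rejection by any approver, a reduced duration that later approvers see, start date reset on the first acceptance, timeout before the first connection, single connection and cancellation.

```python
"""Model of the approval request life cycle documented for WALLIX Bastion.

Added example, not product code: it encodes the documented rules so an
administrator can reason about what a given quorum/duration/timeout
configuration permits.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ApprovalRequest:
    quorum: int                     # favourable answers needed
    start: datetime                 # requested start date and time
    duration: timedelta             # requested access duration
    timeout: timedelta              # max delay to the first connection after acceptance
    single_connection: bool = False
    status: str = "pending"         # pending | accepted | rejected | closed
    approvers: list = field(default_factory=list)
    accepted_at: datetime = None
    connections: int = 0
    reason: str = ""

    @property
    def end(self):
        return self.start + self.duration

    def _expire_if_needed(self, now):
        # Closed when the period has elapsed, or when accepted but never used within the timeout.
        if self.status in ("pending", "accepted") and now > self.end:
            self.status = "closed"
        elif (self.status == "accepted" and self.connections == 0
              and now > self.accepted_at + self.timeout):
            self.status = "closed"

    def accept(self, approver, now, duration=None, timeout=None):
        """One favourable answer; duration and timeout may only be reduced."""
        self._expire_if_needed(now)
        if self.status != "pending":
            raise ValueError(f"request is {self.status}, no answer possible")
        if duration is not None and duration < self.duration:
            self.duration = duration    # the next approver sees the reduced period
        if timeout is not None and timeout < self.timeout:
            self.timeout = timeout
        if not self.approvers and now >= self.start:
            self.start = now            # first acceptance after the start date: window restarts
        self.approvers.append(approver)
        if len(self.approvers) >= self.quorum:
            self.status, self.accepted_at = "accepted", now
        return self.status

    def reject(self, approver, now, reason):
        """A single rejection dismisses the request; the reason is sent to the user."""
        self._expire_if_needed(now)
        if self.status != "pending":
            raise ValueError(f"request is {self.status}, no answer possible")
        self.status, self.reason = "rejected", reason
        return self.status

    def cancel(self, now):
        """An approver withdraws an accepted request before it expires."""
        self._expire_if_needed(now)
        if self.status == "accepted":
            self.status = "closed"
        return self.status

    def connect(self, now):
        """True if a session or credential access may start now (and record it)."""
        self._expire_if_needed(now)
        if self.status != "accepted" or now < self.start:
            return False
        if self.single_connection and self.connections:
            return False
        self.connections += 1
        return True


if __name__ == "__main__":
    t0 = datetime(2021, 6, 1, 9, 0)
    req = ApprovalRequest(quorum=2, start=t0, duration=timedelta(hours=4), timeout=timedelta(hours=1))
    req.accept("alice", t0, duration=timedelta(hours=2))   # first approver shortens the window
    req.accept("bob", t0 + timedelta(minutes=10))          # quorum reached
    print(req.status, "until", req.end, "reconnect allowed:", req.connect(t0 + timedelta(minutes=90)))
```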
Warning:
A default time frame called "allthetime" is configured on WALLIX Bastion. This time frame
allows users to connect to targets at any time and on any day. You cannot delete this
time frame.
The reference time used is the WALLIX Bastion local time.
Each period is a calendar period during which users can log on:
The fields in this page are the same as those in the time frame creation page, except the "Time
frame name" field which cannot be accessed.
Warning:
You cannot delete a time frame when the latter is linked to a user group.
# WABInitReset
A message is then displayed to request confirmation before restoring the settings. By default, this
command only restores the configuration for the keyboard layout, the GRUB menu and the users.
It is possible to restore all settings or a specific one using option --reset, as shown below:
When option --reset is used, no message is displayed to request confirmation before restoring
the settings.
The option -h shows the help message listing the arguments which can be used to perform this
action.
# WABRestoreDefaultAdmin
This default password can be changed. For further information, refer to Section 15.4, “Change
the password of the factory-set administrator account”, page 281.
# WABRestoreDefaultAdmin -c
Note:
The previous default password is not requested when performing this action.
# WABResetCrypto
Caution:
All data in WALLIX Bastion (user accounts, session recordings, etc.) is deleted when
encryption is reset!
# WABVersion
The history of all the installation operations (installation and upgrades of your WALLIX Bastion but
also installation or removal of Hotfixes) can be displayed when executing the following command:
# WABVersion -H
# WABChangeKeyboard
# WABGetGuiUrl
# WABChangeGrub
# WABNetworkConfiguration
However, the advanced configuration can only be performed from the "Network" page on
the "System" menu on the Web interface. For further information, refer to Section 8.6,
“Network”, page 48.
Note:
When WALLIX Bastion is configured in HA (or « High-Availability ») mode, this command
can only be executed on the "Master" node.
# WABSecurityLevel
The security level set via this command affects both the HTTP and the SSH servers.
The default security level for the HTTP server is set to a high value. Only the following cryptographic
algorithms can then be used:
ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384,
ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305,
ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256,
ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384,
ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256.
The default security level for the SSH server is set to a low value, allowing any cryptographic
algorithms to be used.
The security level set via this command is preserved during upgrade.
Caution:
When WALLIX Bastion is configured in HA (or « High-Availability ») mode, the security
level for the SSH server set via this command is only propagated to the Slave node when
the latter switches from Slave to Master.
# WABServices
For further information, refer to Section 8.11.2, “Service activation”, page 58.
wabsuper$ WABHASetup
Note:
This command can only be executed on the "Master" node.
To check the current state of a node, you can use the following maintenance command:
wabsuper$ /opt/wab/bin/WABHAStatus
# WABGetLicenseInfo
You can execute the following command to generate the license context file:
# WABSetLicense -d
# WABConsole
To obtain the list of commands, simply enter help at the console prompt.
Help is available for each command by entering either help or -h.
The command currently available for a user with the "product_administrator" profile is:
change_user_password.
The command currently available for a regular user is: change_password.
# WABJournalCtl
# /opt/wab/bin/WABSessionLogExport -h
The option -h shows the help message listing the arguments which can be used to perform this
action.
Note:
Local archives are to be moved manually by the administrator to the remote storage in
/var/wab/remote/recorded/export_sessions. However, a script can archive and/or purge
session recordings automatically. You can define options on the Web interface of WALLIX
Bastion to configure the actions which will be carried out by this script.
For further information, refer to Section 15.19, “Export and/or purge session recordings
automatically”, page 286.
All sessions for the period defined will also be removed, unless option -p has been used.
It is possible to archive and/or purge sessions according to their IDs using option --sessions.
It is possible to archive and/or purge only uncorrupted sessions using option --good-only.
It is possible to archive and/or purge only corrupted sessions using option -w or --wrong-only.
It is possible to archive and/or purge sessions depending on a given status (e.g. failed sessions,
interrupted sessions, etc.) using option --status.
It is possible to archive and/or purge only sessions stored on local storage using option
--local-storage.
It is possible to archive and/or purge only sessions stored on remote storage using option
--remote-storage.
It is possible to archive and/or purge traces related to targets under a given protocol (SSH, RDP,
etc.) using option --protocol.
It is possible to archive and/or purge only non-critical sessions using option --non-critical.
It is possible to archive and/or purge traces related to specific user(s) using option --user.
It is possible to archive and/or purge traces related to users in specific user group(s) using option
--user-group.
It is possible to archive and/or purge traces related to specific target(s) using option --target.
It is possible to archive and/or purge traces related to targets in specific target group(s) using option
--target-group.
It is possible not to archive traces using option -a. In this case, information on the concerned session
is displayed at the command line.
It is possible not to purge traces using option -p. In this case, information on the concerned session
is displayed at the command line.
It is possible to display orphan files related to purged sessions using option --show-orphans.
These files can be deleted using option -P or --purge-orphans. In this case, these files will not
be archived even if an archive is created.
It is possible to specify a passphrase for the archive using option --passphrase. The latter should
however not be used as the passphrase is displayed as a string on the command-line.
It is possible to specify a file descriptor to get the archive passphrase from using option
--passphrase-fd.
It is possible to specify a path to a file to get the archive passphrase from using option
--passphrase-file.
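As an added example (not a WALLIX script), the following helper feeds the archive passphrase to WABSessionLogExport over an inherited pipe descriptor with --passphrase-fd instead of --passphrase, so the secret never appears in the argument list, the process list or the shell history; the argument form "--passphrase-fd <N>", the filter options passed and the DryRunRecorder are this example's own assumptions.

```python
"""Run WABSessionLogExport with the passphrase on a file descriptor, not on argv.

Added example, not part of WALLIX Bastion. Assumption: the script accepts
"--passphrase-fd <N>" where N is a descriptor inherited from the caller.
"""
import getpass
import os
import subprocess

EXPORT_SCRIPT = "/opt/wab/bin/WABSessionLogExport"   # path shown in the guide


def build_export_command(passphrase_fd, extra_args=(), script=EXPORT_SCRIPT):
    """Build argv; the passphrase itself is never part of it."""
    return [script, "--passphrase-fd", str(passphrase_fd), *extra_args]


def run_export(passphrase, extra_args=(), script=EXPORT_SCRIPT, runner=subprocess.run):
    """Write the passphrase into a pipe and hand its read end to the export script.

    `runner` is injectable so the invocation can be checked without the
    Bastion script being installed.
    """
    rfd, wfd = os.pipe()
    try:
        os.write(wfd, passphrase.encode() + b"\n")   # a passphrase fits the pipe buffer
        os.close(wfd)
        wfd = -1
        return runner(build_export_command(rfd, extra_args, script),
                      pass_fds=(rfd,), check=False)
    finally:
        if wfd != -1:
            os.close(wfd)
        os.close(rfd)


class DryRunRecorder:
    """Stand-in for subprocess.run: records argv and drains the passphrase descriptor."""

    def __init__(self):
        self.argv, self.secret = None, None

    def __call__(self, argv, pass_fds=(), check=False):
        self.argv = list(argv)
        self.secret = os.read(pass_fds[0], 4096) if pass_fds else None
        return 0


if __name__ == "__main__":
    # Constructed filter: archive only intact, non-critical sessions (options named in the guide).
    filters = ["--good-only", "--non-critical"]
    secret = getpass.getpass("Archive passphrase: ")
    result = run_export(secret, filters)
    print("exit status:", getattr(result, "returncode", result))
```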
You can execute the following script to re-import the generated archive files:
# /opt/wab/bin/WABSessionLogImport -h
The option -h shows the help message listing the arguments which can be used to
perform this action. For further information, refer to Section 15.21, “Re-import archived session
recordings”, page 288.
A script can archive and/or purge session recordings automatically. You can define options
on the Web interface of WALLIX Bastion to configure the actions which will be carried out by
this script. For further information, refer to Section 15.19, “Export and/or purge session recordings
automatically”, page 286.
Another script can also move session recordings from a local storage to a remote
one. For further information, refer to Section 15.20, “Move local session recordings to remote
storage”, page 287.
• if a value is entered in the field “Remove sessions older than”, then all sessions older than this
value expressed in number of days (with suffix “d”, e.g. “20d” for 20 days) or in number of months
(with suffix “m”, e.g. “36m” for 36 months) are removed. If no suffix is entered, then the value is
considered by default as expressed in number of days.
• all the orphan files on remote storage are removed
• if a value is entered in the field “Archive sessions older than”, then all sessions older than this
value expressed in number of days (with suffix “d”, e.g. “20d” for 20 days) or in number of months
(with suffix “m”, e.g. “36m” for 36 months) are archived. If no suffix is entered, then the value is
considered by default as expressed in number of days. This operation applies to sessions on
both local and remote storage.
• if a path to a script is entered in the field “Post archive script”, then it is called to export archives.
Otherwise, archives are transferred on remote storage, if present.
• the elements on local storage are removed, starting from the oldest to the most recent and by
type, until a given size of free disk space is reached. This value is to be entered in the field
“Remove sessions below free space”. This size is expressed in bytes (with suffixes “kb”, “kib”,
“Mb”, “Mib”, “Gb” and “Gib”) or in percentage of disk space in partition /var/wab. This removal
is carried out following the steps below:
– first, archives older than 24h
– next, non-critical sessions which are older than the value entered in the field “Prefer sessions
older than”
– then, critical sessions which are older than the value entered in the field “Prefer sessions older
than”
– then, non-critical sessions older than 24h
– then, critical sessions which are older than the value entered in the field “Keep critical newer
than” or older than 24h
– next, non-critical sessions newer than 24h
– then, archives newer than 24h
– lastly, critical sessions newer than 24h if no value is entered in the field “Keep critical newer
than”
• a notification is sent with the list of the archived and removed elements. A notification is also sent
when the value related to the size of available free disk space has not been reached.
Archives are removed regardless of the critical or non-critical context of the sessions.
Furthermore, it is also possible to modify the default passphrase defined in the field “Archive key”.
This passphrase is used to encrypt the archived elements.
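To see which recordings the removal order above would sacrifice first for a given configuration, the following simulator is added here as an example (it is not part of WALLIX Bastion): it applies the eight documented steps, oldest element first within each step, until the free-space target is reached. The element records and sizes are constructed sample data, and the guide does not say how a month is counted, so parse_age() assumes 30 days.

```python
"""Simulate the local-storage purge order documented for the automatic export/purge script.

Added example, not product code. Interpretation used for the critical-session
step: when "Keep critical newer than" is set, critical sessions older than that
value are removed; when it is empty, those older than 24h are.
"""
from dataclasses import dataclass

HOURS_PER_DAY = 24


@dataclass
class Element:
    name: str
    kind: str            # "archive" or "session"
    age_hours: float     # age relative to now
    size: int            # bytes freed when removed
    critical: bool = False


def parse_age(value):
    """Parse the "Nd" / "Nm" syntax of the age fields into hours; no suffix means days."""
    value = value.strip().lower()
    if value.endswith("m"):
        return int(value[:-1]) * 30 * HOURS_PER_DAY   # assumption: 30-day month
    if value.endswith("d"):
        value = value[:-1]
    return int(value) * HOURS_PER_DAY


def removal_steps(prefer_older_than_h, keep_critical_newer_than_h):
    """The documented removal order as (description, predicate) pairs."""
    keep = keep_critical_newer_than_h
    session = lambda e, crit: e.kind == "session" and e.critical == crit
    steps = [
        ("archives older than 24h", lambda e: e.kind == "archive" and e.age_hours > 24),
        ("non-critical sessions older than 'Prefer sessions older than'",
         lambda e: session(e, False) and e.age_hours > prefer_older_than_h),
        ("critical sessions older than 'Prefer sessions older than'",
         lambda e: session(e, True) and e.age_hours > prefer_older_than_h),
        ("non-critical sessions older than 24h", lambda e: session(e, False) and e.age_hours > 24),
        ("critical sessions older than 'Keep critical newer than' (or 24h)",
         lambda e: session(e, True) and e.age_hours > (keep if keep is not None else 24)),
        ("non-critical sessions newer than 24h", lambda e: session(e, False) and e.age_hours <= 24),
        ("archives newer than 24h", lambda e: e.kind == "archive" and e.age_hours <= 24),
    ]
    if keep is None:
        steps.append(("critical sessions newer than 24h (no 'Keep critical newer than' value)",
                      lambda e: session(e, True) and e.age_hours <= 24))
    return steps


def plan_purge(elements, free_now, free_target, prefer_older_than_h, keep_critical_newer_than_h=None):
    """Return ([(step, element name), ...], free bytes after) for one run of the policy."""
    removed, free, remaining = [], free_now, list(elements)
    for label, matches in removal_steps(prefer_older_than_h, keep_critical_newer_than_h):
        if free >= free_target:
            break
        candidates = sorted((e for e in remaining if matches(e)), key=lambda e: -e.age_hours)
        for e in candidates:
            if free >= free_target:
                break
            removed.append((label, e.name))
            free += e.size
            remaining.remove(e)
    return removed, free


# Constructed sample storage content (ages in hours, sizes in bytes).
SAMPLE = [
    Element("archive_old", "archive", 72, 100),
    Element("sess_nc_old", "session", 400, 300),
    Element("sess_c_old", "session", 500, 300, critical=True),
    Element("sess_nc_2d", "session", 48, 200),
    Element("sess_c_2d", "session", 48, 200, critical=True),
    Element("sess_nc_new", "session", 2, 100),
    Element("archive_new", "archive", 1, 100),
    Element("sess_c_new", "session", 3, 100, critical=True),
]

if __name__ == "__main__":
    for keep in (parse_age("1m"), None):
        removed, free = plan_purge(SAMPLE, 0, 1000, parse_age("7d"), keep)
        print(f"Keep critical newer than = {keep}: freed {free} bytes")
        for step, name in removed:
            print(f"  {name:12s} <- {step}")
```

With a "Keep critical newer than" value the two-day-old critical session survives; without one it is purged before the fresh non-critical session, which is the difference an administrator keeping evidence should notice.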
You can also execute the following script to perform this action manually:
# /opt/wab/bin/bastion-traceman -h
The option -h shows the help message listing the arguments which can be used to perform this
action.
• info: this subcommand displays the status of the available disk space on the remote
storage
# bastion-traceman info
• move local: this subcommand moves session recordings from the remote storage
onto the local one
The available selection criteria are the same as those which can be used to export and/or
purge session recordings manually, except for the options --local-storage and
--remote-storage. For further information, refer to Section 15.18, “Export and/or purge session
recordings manually”, page 284.
Note:
When the session recordings are moved, the related folders are deleted when they
become empty. The following folders are considered:
• /var/wab/recorded/ssh/<YYYY-MM-DD>
• /var/wab/recorded/rdp/<YYYY-MM-DD>
• /var/wab/remote/recorded/ssh/<YYYY-MM-DD>
• /var/wab/remote/recorded/rdp/<YYYY-MM-DD>
Note that the folder related to the current day is never deleted.
From the "Remote Storage" page on the "System" menu, you can configure the export
of session video recordings to an external file system. For further information, refer to
Section 8.8, “Remote storage”, page 51.
# /opt/wab/bin/WABSessionLogImport -h
The option -h shows the help message listing the arguments which can be used to perform this
action.
It is possible to only list the content of the archive using option --list. The archive will not be
re-imported.
# /opt/wab/bin/WABSessionLogIntegrityChecker -h
The option -h shows the help message listing the arguments which can be used to perform this
action.
The available trace selection criteria are the same as those which can be used to export and/or
purge session recordings manually. For further information, refer to Section 15.18, “Export and/or
purge session recordings manually”, page 284.
When notifications are enabled for integrity errors, the email summarizes errors for sessions older
than 3 days by default. It is however possible to set another value for this number of days. This
parameter can be managed via "Configuration" > "Configuration Options" > "Session log policy",
then enter a positive integer in the field "Summarize error older than" below section "Integrity
Checker". If "0" is entered in this field, then there is no error summary on the notification email.
If this certificate or key is different, the WALLIX Bastion proxy will close the connection as it could
be considered as an attack. It is therefore necessary to inform WALLIX Bastion when this certificate
or key has been changed. To do so, you can delete the declared certificate or key on the device
and the new one will be automatically saved at the next access to the device through the RDP or
SSH proxy. For further information, refer to Section 10.1.1.7, “View and delete certificates or keys
on the device”, page 130.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
The following placeholders must be specified in the content of the file as described below:
• <SIEM_SERVER>
• <SIEM_PORT>
• <CA_DIR>
• <CLIENT_KEY>
• <CLIENT_CERT>
cat /etc/syslog-ng/conf.d/tls_siem.conf
destination d_rltp {
    syslog(
        <SIEM_SERVER>
        transport("tls")
        port(<SIEM_PORT>)
        tls(
            peer-verify(required-trusted)
            ca_dir(<CA_DIR>)
            key_file(<CLIENT_KEY>)
            cert_file(<CLIENT_CERT>)
        )
    );
};
log {
    source(s_src);
    destination(d_rltp);
};
A TLS configuration can also be performed from the Web interface. For further information, refer
to Section 8.9, “SIEM integration”, page 52.
Note:
The new certificate generated as a .pem file must be converted into a .crt file before it
replaces the existing one in the directory.
Once the files have been replaced, it may be necessary to restart the Apache service by entering
the following command:
Note:
These files are also modified by applying the X509 authentication configuration
procedure. For further information, refer to Section 9.7, “X509 certificate authentication
configuration”, page 100.
If High-Availability is set, the directory into which the certificates are gathered is shared
between both nodes. The procedure is to be applied on the active node only.
You could later generate back a self-signed certificate with the following command:
# WABGuiCertificate selfsign -f
Once the files have been replaced, restart RDP proxy by entering the following command:
Note:
You could later generate back a self-signed certificate with the following command:
The host key must use the RSA algorithm and a minimum 4,096-bit length is recommended.
To install your host key in ED25519 format, copy it onto WALLIX Bastion at the location
/var/wab/etc/ssh/server_ed25519.key.
Note:
You can generate an SSH proxy host key on WALLIX Bastion by deleting the current host
keys and executing the generator script with the following command:
# rm /var/wab/etc/ssh/server_rsa.key
# rm /var/wab/etc/ssh/server_ed25519.key
# WABSshServerGenRsaKey.sh
To restore compatibility and therefore allow connections, it is then necessary to perform the following
actions at the level of the RDP proxy configuration from the "Configuration Options" page on the
"Configuration" menu, below the "client" section:
• for clients under Windows Server 2000 or lower: select the option "Tls fallback legacy"
• for clients supporting TLS from Windows XP: allow the minimum supported version for TLS
protocol by entering "0" in the "Tls min level" field and delete the value in the "Ssl cipher list" field.
Warning:
We remind you that these actions will lower the security level of the WALLIX Bastion
services.
• below the "main" section: “Hostkeys”, “Client kex algos”, “Client cipher algos”, “Client integrity
algos”, “Client compression algos”
• below the "front_algorithms" section: “Dh modulus min size”
We recommend keeping the default configuration for these algorithms to ensure the highest security
level with SSH clients.
Warning:
These fields are displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. They should ONLY be changed upon instructions
from the WALLIX Support Team!
# vim.tiny /etc/apache2/sites-enabled/wab-httpd.conf
SSLProtocol TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH
2. Comment out all other lines with the same keys.
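The following script, added here as an example and not part of WALLIX Bastion, expands both cipher lists of this chapter with the local OpenSSL (the high security level list of WABSecurityLevel and the legacy SSLCipherSuite value above) exactly as Apache's SSLCipherSuite directive would, and reports which suites lack forward secrecy or an AEAD mode; the constant names and the audit function are its own.

```python
"""Expand OpenSSL cipher strings and flag suites without forward secrecy or AEAD.

Added example, not product code: Python's ssl module drives the local OpenSSL,
so the expansion matches what Apache's mod_ssl would negotiate with that library.
"""
import ssl

# The ten suites the guide lists for the high security level of the HTTP server.
BASTION_HIGH_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# The SSLCipherSuite value shown for restoring compatibility with legacy clients.
LEGACY_COMPAT_SUITES = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH"


def expand_cipher_string(spec):
    """Return the TLS 1.2-and-below suites OpenSSL selects for an OpenSSL cipher string.

    TLS 1.3 suites are configured separately by OpenSSL and always show up in
    get_ciphers(), so they are filtered out to mirror the SSLCipherSuite scope.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)   # raises ssl.SSLError when nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def forward_secret(cipher):
    """True when the key exchange is ephemeral (ECDHE or DHE)."""
    return (cipher["kea"] in ("kx-ecdhe", "kx-dhe")
            or cipher["name"].startswith(("ECDHE-", "DHE-")))


def audit_cipher_string(spec):
    """Summarise a cipher string: resolved names, non-forward-secret and non-AEAD suites."""
    suites = expand_cipher_string(spec)
    return {
        "count": len(suites),
        "names": [c["name"] for c in suites],
        "no_forward_secrecy": [c["name"] for c in suites if not forward_secret(c)],
        "non_aead": [c["name"] for c in suites if not c["aead"]],   # CBC + HMAC constructions
    }


if __name__ == "__main__":
    for label, spec in (("Bastion high level", BASTION_HIGH_SUITES),
                        ("legacy compatibility", LEGACY_COMPAT_SUITES)):
        report = audit_cipher_string(spec)
        print(f"{label}: {report['count']} TLS<=1.2 suites")
        print("  without forward secrecy:", report["no_forward_secrecy"] or "none")
        print("  non-AEAD (CBC):", report["non_aead"] or "none")
```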
• either copy the file onto the WALLIX Bastion in PEM format. Then, execute the following command:
# WABCRLFetch -f CRL_FILE
• or from the SSH console (port 2242), execute the following command replacing parameters by
the relevant data and the full path of the local CRL file:
Example:
Note:
The CRL files are stored in the directory /var/wab/apache2/ssl.crl/.
An uploaded file gathering several CRLs will be divided into several unit CRL files.
An uploaded CRL will only replace an old one if the number corresponding to the
“CRLNumber” is greater than or equal to the one of this former version.
This list can also be updated using the Web interface. For further information, refer to
Section 9.7.2, “CRL management”, page 101.
https://bastion_ip_address/api/doc
https://bastion_ip_address/api/doc/APIChangelog.html
https://bastion_ip_address/api/v3.5/doc
https://bastion_ip_address/api/v3.5/doc/APIChangelog.html
https://bastion_ip_address/api/v3.3/doc
https://bastion_ip_address/api/v3.3/doc/APIChangelog.html
Note:
The REST API version 3.4 is deprecated and therefore no longer available for this version
of WALLIX Bastion.
https://bastion_ip_address/scim/doc
Important:
Only the administrator whose profile includes all rights together with transferable rights
(such as the “product_administrator” profile) can view the “API keys” entry in the
“Configuration” menu.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.
Once the fields are specified and applied, a window opens and displays the generated API key.
Warning:
After closing the window, it will no longer be possible to view the API key.
The fields of this page are the same as those on the API key creation page.
The stream provides messages for the events described in following sections.
pubkey_account_without_password@local@DEVICE_SSH_FORWARDING:SSH and 35 other(s)], Profiles_limit [], Timeframes [allthetime]"
[wabaudit] action="delete" type="Targetgroup" object="target_group_154954938767" user="ADMIN" client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Targetgroup" object="target_group_154954945465" user="ADMIN" client_ip="10.10.45.212" infos="Description ['some desc' to 'some other desc']"
Note:
The psid number is the same for all actions logged during the same session.
17.3.14. End of file transfer on SFTP with file size and hash
[SSH Session] type="SFTP_EVENT" session_id="002ac1d68450742e1928b88df3ca15385d710b33" client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="debian" service="ssh" account="admin" data="get /var/log/syslog done, length= 338079, sha256 = 711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453"
17.3.17. End of file transfer on SCP with file size and hash
[SSH Session] type="SCP_EVENT" session_id="002ac1d68450742e1928b88df3ca15385d710b33" client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="debian" service="ssh" account="admin" data="get /var/log/syslog done, length= 338079, sha256 = 711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453"
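A parser for the key="value" event lines of this chapter ([wabaudit] entries and the SFTP/SCP end-of-transfer events above), added here as an example and not part of WALLIX Bastion: it turns a line into a dict and, for SFTP_EVENT/SCP_EVENT records, extracts the transferred path, size and SHA-256 so a SIEM rule can match them against a hash watchlist. The sample lines are constructed after the guide's examples and the function names are this example's own.

```python
"""Parse WALLIX Bastion event lines and extract file-transfer hashes for detection.

Added example, not product code. Handles the typographic quotes that appear
in the guide's extracted samples as well as plain ASCII quotes.
"""
import re

PREFIX_RE = re.compile(r'^\[([^\]]+)\]\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
TRANSFER_RE = re.compile(
    r'^(?P<direction>get|put)\s+(?P<path>.+?)\s+done,\s*length=\s*(?P<length>\d+),'
    r'\s*sha256\s*=\s*(?P<sha256>[0-9a-f]{64})\s*$')


def parse_event(line):
    """Return {"source": "<bracketed prefix>", "fields": {key: value, ...}} for one line."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')   # normalise “ ” to "
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a Bastion event line")
    return {"source": m.group(1), "fields": dict(FIELD_RE.findall(m.group(2)))}


def file_transfer(event):
    """For an SFTP/SCP end-of-transfer event, return the transfer details, else None."""
    f = event["fields"]
    if f.get("type") not in ("SFTP_EVENT", "SCP_EVENT"):
        return None
    m = TRANSFER_RE.match(f.get("data", ""))
    if not m:
        return None
    return {"session_id": f.get("session_id"), "user": f.get("user"),
            "account": f.get("account"), "target_ip": f.get("target_ip"),
            "direction": m["direction"], "path": m["path"],
            "length": int(m["length"]), "sha256": m["sha256"]}


def find_watchlisted_transfers(lines, watchlist):
    """Return the transfers whose SHA-256 is in `watchlist` (lower-case hex digests)."""
    hits = []
    for line in lines:
        try:
            transfer = file_transfer(parse_event(line))
        except ValueError:
            continue               # not an event line: skip
        if transfer and transfer["sha256"] in watchlist:
            hits.append(transfer)
    return hits


# Constructed sample lines modelled on the guide's examples.
SAMPLE_LINES = [
    '[wabaudit] action="delete" type="Targetgroup" object="target_group_154954938767" '
    'user="ADMIN" client_ip="10.10.45.212" infos=""',
    '[wabaudit] action="edit" type="Targetgroup" object="target_group_154954945465" '
    'user="ADMIN" client_ip="10.10.45.212" infos="Description [\'some desc\' to \'some other desc\']"',
    '[SSH Session] type="SFTP_EVENT" session_id="002ac1d68450742e1928b88df3ca15385d710b33" '
    'client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="debian" service="ssh" '
    'account="admin" data="get /var/log/syslog done, length= 338079, sha256 = '
    '711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453"',
    '[SSH Session] type=\u201dSCP_EVENT\u201d session_id="002ac1d68450742e1928b88df3ca15385d710b33" '
    'client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="debian" service="ssh" '
    'account="admin" data=\u201dget /var/log/syslog done, length= 338079, sha256 = '
    '711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453\u201d',
]

if __name__ == "__main__":
    # Placeholder watchlist: replace with the digests your threat intelligence flags.
    watchlist = {"711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453"}
    for hit in find_watchlisted_transfers(SAMPLE_LINES, watchlist):
        print(f"session {hit['session_id']}: {hit['user']} as {hit['account']} "
              f"{hit['direction']} {hit['path']} ({hit['length']} bytes) sha256={hit['sha256'][:12]}...")
```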
Note:
This can be enabled by selecting the option "Log group membership" below the "trace"
section on the configuration page related to the connection policy for the SSH protocol.
This page can be accessed from "Session Management" > "Connection Policies".
Note:
The status may change depending on the ICAP server.
Note:
This log is displayed when session ending is slow and then exceeds the timeout of the
RDP proxy.
Note:
The session duration format (“duration”) is as follows:
h:mm:ss
“h”: the number of hours, which is not zero-padded (a single digit from “0” to “9” below 10 hours, more digits otherwise, as in the examples)
“mm”: the number of minutes, always written with 2 digits
“ss”: the number of seconds, always written with 2 digits
Examples:
duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"
17.4.40.3. Verification of a valid text transferred from the copy/paste function via the clipboard
[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
Examples:
• checkout
• checkout duration extension
• check-in and automatic check-in
• forced check-in
• credential change
Web: https://support.wallix.com/
Telephone: (+33) (0)1 70 36 37 50 for Europe, Middle East and Africa and (+1) 438-777-9439 for
the Americas
  configuration of log for keyboard input, 245
  configuration of log for recorded sensitive data, 244
  configuration of RDP cryptographic settings, 247
  configuration of SSH cryptographic settings, 246
  delete, 238
  edit, 238
  file storage, 243
  menu, 236
  Remote Desktop Connection Broker, 260
  session probe, 252
  SSH startup scenario, 247
  TELNET/RLOGIN connection scenario, 245
  transformation rule to get a login, 239
  transformation rule to get credentials, 240
  WALLIX BestSafe, 259
Connection scenario
  TELNET/RLOGIN, 245
Connection statistics
  audit, 234
  menu, 234
Credential checkout
  add a policy, 194
  delete a policy, 195
  edit a policy, 195
Credentials
  automatic change for a target account, 167
  checkout policies, 193
  manual change for a target account, 168
CRL, 101
Cryptographic settings
  RDP, 247
  SSH, 246
CSV
  import applications, 146
  import authorizations, 271
  import clusters, 186
  import devices, 132
  import global domains, 153
  import LDAP/Active Directory domains, 120
  import LDAP/Active Directory mappings, 122
  import local domains, 156
  import target accounts, 168
  import target groups, 183
  import user groups, 85
  import user profiles, 89
  import users, 76
  import/export restrictions, 181
  import/export restrictions for target groups, 181
  import/export restrictions for user groups, 181
Current sessions
  audit, 223
  menu, 223, 224, 225
  RDP current session remote control, 225
  RDP current session sharing, 225
  real-time view, 224
Current sessions in real-time view
  audit, 224
CyberArk Enterprise Password Vault plugin, 188
D
Dashboards, 263
  administration, 263
  audit, 265
Dell iDRAC plugin, 208
Device accounts
  delete, 168
  edit, 166
Devices, 124
  accounts, 163
  add, 124
  add tags, 131
  add/list/delete a tag, 130
  add/list/edit/delete a global account, 128
  add/list/edit/delete a local account, 126
  add/list/edit/delete a service, 125
  configuration of RDP cryptographic settings, 246
  configuration of SSH cryptographic settings, 246
  delete, 132
  delete certificates, 130
  discovery, 195
    configure a network scan, 196
    configure an Active Directory scan, 197
    launch a scan manually, 198
    onboard discovered devices, 199
    set a periodic scan launch, 198
    view the results of a scan job, 198
  edit, 131
  filter devices, 132
  global accounts, 128
  import, 132
  local accounts, 126
  local domains, 126
  manage global accounts, 128
  manage local accounts, 126
  manage local domains, 126
  manage services, 125
  manage target group associations, 130
  manage the tag association, 130
  menu, 124
  RDP specific options, 135
  remove tags, 132
  SSH specific options, 134
  SSH startup scenario, 247
  tags, 131
  edit, 151
  import, 153, 156
  revoke the signed certificate for the accounts, 153
  password vault plugins, 187
  target account on a device
    add, 163
  target account on a global domain
    add, 159
  target account on an application
    add, 165
  target accounts, 159
    change the credentials automatically, 167
    change the credentials manually, 168
    delete, 168
    edit, 166
    import, 168
  target groups, 172
    add, 172
    configure for account mapping, 173
    configure for interactive login, 174
    configure for password management from an account in the vault, 175
    configure for session management from an account in the vault, 172
    configure for startup scenario during SSH session, 173
    delete, 182
    edit, 182
    import, 183
    import/export restrictions, 181
    pattern detection in SSH flow, 175
    RDP flows analysis/pattern detection in RDP flow, 180
TCP/UDP
  port configuration, 24
TELNET
  configuration of log for keyboard input, 245
TELNET/RLOGIN connection scenario
  connection policies, 245
Terminology, 14
Thycotic plugin, 190
Time frames, 277
  add, 278
  delete, 278
  edit, 278
  menu, 277
Time service, 50
  menu, 50
Transformation rule
  connection policies, 239, 240
Transparent mode
  configuration, 250
U
Unix plugin, 212
User account mapping
  configuration, 114
User accounts, 72
User data retention policy, 92
User groups, 82
User interface, 40
User profiles, 86
Users
  data retention, 92
  user accounts, 72
    add, 73
    delete, 75
    edit, 75
    import, 76
    import from .csv file, 76
    import from LDAP/AD directory, 79
    view accessible applications, 76
    view accessible device, 76
    view accessible target accounts, 76
    view rights on the GUI, 75
  user groups, 82
    add, 82
    delete, 84
    edit, 84
    import, 85
    import/export restrictions, 181
    view members, 85
  user profiles, 86
    add, 86
    default profiles, 86
    delete, 88
    edit, 88
    import, 89
V
Virtual channel, 141
W
WABChangeGrub, 282
WABChangeKeyboard, 282
WABConsole, 284
WABCRLFetch, 292
WABGetGuiUrl, 282
WABGetLicenseInfo, 283
WABHASetup, 283
WABInitReset, 280
WABJournalCtl, 284
WABNetworkConfiguration, 282
WABResetCrypto, 281
WABRestoreDefaultAdmin, 280, 281
WABSecurityLevel, 282
WABServices, 283
WABSessionLogExport, 284
WABSessionLogImport, 288
WABSessionLogIntegrityChecker, 288
WABSetLicense, 283
WABVersion, 281
WALLIX Bastion REST API, 294
WALLIX Bastion terminology, 14
WALLIX BestSafe
interaction with session probe, 259
WALLIX Password Manager
management, 31
password management, 201
presentation, 22
WALLIX Session Manager
management, 31
presentation, 22
session management, 218
Web Services
REST API, 294
Welcome page, 36
Windows plugin, 213
Windows Service, 162
WindowsService plugin, 213
X
X509, 100
X509 certificate authentication, 100
configuration, 100
CRL management, 101
disable, 106
OCSP management, 102
unset, 106
user configuration, 103
X509 authentication, 104
X509 configuration
menu, 100