SPP Entitlements connect to SPS profile

My question is about the connection policy between SPP and SPS:


  • In SPP, under Entitlements, there is an option to choose which connection policy to use for RDP and SSH when connecting through SPS.
  • How do we create the connection option in SPS, and what do we configure in the connection options, so that when the connection is selected in SPP the system uses the selected connection to go through SPS?

So, the problem is:


  • We have User1 in SPP who initiates an RDP/SSH connection, needs to connect to an Asset, and has a Content Policy that blocks some window titles and some commands.
  • We have User2 in SPP who initiates an RDP/SSH connection and connects to the Asset, and this User2 must have a Content Policy without blocking.
  • In SPP, under Entitlements, there is an option to choose between different Connection Policies to use for SPS, but the system always uses the first one in SPS, not the one that is in the entitlement,
  • regardless of what IP address is in the From field of the SPS connection and what the IP of the computer from which the connection is initiated is.

In SPS there are 2 connections:


  1. Limited, that is coming from 192.168.1.11
  2. Default, that is coming from 0.0.0.0

If we connect and initiate a connection from a computer with the 192.168.1.11 IP address via the SPP web console, the connection goes through 1. Limited.

If we connect and initiate a connection from a computer with any other IP address via the SPP web console, the connection again goes through 1. Limited (and not through the Default connection that is written in the Entitlement).

Please help me, how can we resolve this?

  • You may have to use a different RDP port in the SPS connection policy, for example:

    1. Limited from 192.168.1.11 > use RDP port 3399 in SPS

    2. Default from 0.0.0.0 > use RDP port 3389 in SPS

    That way you can separate each connection by port number; otherwise the first connection will always match on port 3389 and get denied on IP address due to the From IP limitation.

    It may take a few minutes after changing the ports for SPP to pick up the changes, and then you can test again.

    If you need assistance with the new configuration, I would recommend consulting the One Identity Professional Services team by discussing it with your account manager.

    Thanks!

  • Dear Tawfiq,

    I have a similar case: I need to create multiple connection policies to apply a different content policy to each one.

    We need to control access on some servers for all users, and allow others without a content policy.

    We have added a connection policy listening on 3399.

    Added Assets with a different RDP Session port (3399).

    Tried to open a connection on that asset, but it failed.

    In the logs, I see that the connection goes through the first connection policy, with the error: Target address is denied by policy.

  • Hi Mahmoud,

    You can keep the original connection policy with the default 3389 port; instead, you would create multiple Drawing channels with different target servers that require different content policies within the same original channel policy.

    For example:

    In the Channel Policy, add multiple Drawing channels:

    Drawing #1 has From: blank | To: Server1 or more | Content policy: content1

    Drawing #2 has From: blank | To: Server2 or more  | Content policy: content2

    .

    .

    Last Drawing #5 has From: blank | To: blank  | Content policy: blank 

    The last Drawing channel allows all other servers that do not match what was specified in the preceding Drawing channels' To fields above, so those would be without a content policy or any restrictions.

    When the session arrives at SPS, it will verify the original connection policy, which has the channel policy with the above channels; it checks them from top to bottom, and if the target server does not match it will check the next Drawing channel, and so on until there is a match. When a Drawing channel matches based on the To target server, it will apply the content policy associated with that specific channel.

    Note: you can still keep any other channel types below the Drawing channels as normal, as these are not linked to the content policy anyway.

    Reference on how channel rules take precedence in the Channel Policy:

    https://support.oneidentity.com/one-identity-safeguard-for-privileged-sessions/kb/4340316/how-do-rules-take-precedence-in-a-channel-policy

    Thanks!
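The two replies above describe two different ways to get a per-user (really, per-target) content policy: separating connection policies by listening port, and stacking Drawing channels inside one channel policy with a catch-all row at the bottom. The following is an added illustration, not One Identity's code and not the SPS REST API: a small Python model of the evaluation order as the replies describe it (first connection policy on the matching port wins and only then is its From field enforced; Drawing channels are checked top to bottom and the first row whose To field matches supplies the content policy). The three configurations from this thread are encoded side by side so the outcomes can be compared. Server names (Server1, Server9), content-policy names and the client addresses are constructed placeholders.

```python
# Added illustration (not One Identity code): a small model of the evaluation
# order the two replies describe, so the three configurations in this thread
# can be compared side by side. Server names, content-policy names and the
# client addresses below are constructed placeholders.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class DrawingChannel:
    """One Drawing channel row of an RDP channel policy."""
    to: list = field(default_factory=list)      # target servers; empty = any
    from_: list = field(default_factory=list)   # client networks; empty = any
    content_policy: Optional[str] = None        # None = no content policy


@dataclass
class ConnectionPolicy:
    name: str
    port: int                 # port SPS accepts for this policy
    from_net: str             # client network; "0.0.0.0/0" = any
    channels: list            # Drawing channels, evaluated top to bottom


def _client_in(ip: str, nets) -> bool:
    """Empty list means 'any'; otherwise the client must fall in one network."""
    return not nets or any(ip_address(ip) in ip_network(n, strict=False) for n in nets)


def select_connection_policy(policies, client_ip, port):
    """First reply: the first policy on the matching port wins, and only then
    is its From field enforced. Returns (policy, None) or (None, reason)."""
    for p in policies:
        if p.port != port:
            continue
        if ip_address(client_ip) in ip_network(p.from_net, strict=False):
            return p, None
        return None, f"client {client_ip} denied by From field of '{p.name}'"
    return None, f"no connection policy listens on port {port}"


def select_content_policy(channels, client_ip, target):
    """Second reply: Drawing channels are checked top to bottom and the first
    one whose To (and From) match supplies the content policy.
    Returns (matched, content_policy); no match means the target is denied."""
    for ch in channels:
        if (not ch.to or target in ch.to) and _client_in(client_ip, ch.from_):
            return True, ch.content_policy
    return False, None


def evaluate(policies, client_ip, port, target):
    """Whole path: pick the connection policy, then the Drawing channel."""
    policy, reason = select_connection_policy(policies, client_ip, port)
    if policy is None:
        return {"allowed": False, "reason": reason}
    matched, content = select_content_policy(policy.channels, client_ip, target)
    if not matched:
        return {"allowed": False, "policy": policy.name,
                "reason": "Target address is denied by policy"}
    return {"allowed": True, "policy": policy.name, "content_policy": content}


# Constructed configurations mirroring the thread.
# A: the original setup, both policies on 3389, "Limited" listed first.
ORIGINAL = [
    ConnectionPolicy("Limited", 3389, "192.168.1.11/32",
                     [DrawingChannel(content_policy="block-titles-and-commands")]),
    ConnectionPolicy("Default", 3389, "0.0.0.0/0", [DrawingChannel()]),
]
# B: first reply, policies separated by port.
BY_PORT = [
    ConnectionPolicy("Limited", 3399, "192.168.1.11/32",
                     [DrawingChannel(content_policy="block-titles-and-commands")]),
    ConnectionPolicy("Default", 3389, "0.0.0.0/0", [DrawingChannel()]),
]
# C: second reply, one policy with per-target Drawing channels and a catch-all.
BY_TARGET = [
    ConnectionPolicy("Default", 3389, "0.0.0.0/0", [
        DrawingChannel(to=["Server1"], content_policy="content1"),
        DrawingChannel(to=["Server2"], content_policy="content2"),
        DrawingChannel(),  # From blank, To blank: anything else, no content policy
    ]),
]

if __name__ == "__main__":
    for label, cfg, ip, port, tgt in [
        ("A other client", ORIGINAL, "192.168.1.50", 3389, "Server9"),
        ("B other client", BY_PORT, "192.168.1.50", 3389, "Server9"),
        ("C Server1", BY_TARGET, "192.168.1.50", 3389, "Server1"),
        ("C Server9", BY_TARGET, "192.168.1.50", 3389, "Server9"),
    ]:
        print(label, evaluate(cfg, ip, port, tgt))
```

Two things the model makes visible that are easy to miss in the UI: in configuration A the second policy on the same port is never reached, so a client outside the first policy's From range is rejected rather than falling through; and in configuration C, removing the blank catch-all Drawing channel turns every target not named in an earlier row into a "Target address is denied by policy" failure, which is the symptom reported in the thread. The model only follows the replies' description of the ordering; confirm the exact precedence rules against the KB article linked above before relying on it.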

