Two Policies for SPS vs SPP initiated

We have two different Connection Policies, one as the "safeguard_default" and one called "direct" that allows Users to enter the username and password as a normal SSH connection.

For the safeguard_default, the users are able to use the SPP to check out an account and connect through successfully with the connection string.

For the direct policy, users are able to proxy through the SPS to the server they want after entering the username and password.

However, we can't seem to have both active at the same time. If safeguard_default is first in the priority, connections will match that and work for SPP initiated, but fail with a gateway error if initiated directly through SSH.

If we have direct policy as first priority, the users can log on but the connection string given by SPP will not work, as it asks them for the password (rather than using the vault token).

How can we have these two different policies work in tandem for two different types of connections to the same servers? This seems like a fairly straightforward case, I must be missing something simple


  • Hi Andrew,

    You can assign a different port for the Direct SSH connection policy so that these do not conflict.

    Make sure if the SSH listening service for SPS itself is enabled that it also uses a different port for SSH into SPS console as well.

    For example:

    SSH service for SPS: if enabled set this to 2222

    SSH Control > safeguard_default > set this to 222

    SSH Control > Direct > set this connection policy to 22


    SSH service for SPS: if enabled set this to 2222

    SSH Control > safeguard_default > set this to 22

    SSH Control > Direct > set this connection policy to 222

    Which ever policy is NOT using the default SSH port 22 will need to modify the port field in PuTTy client for example to match the port used in SPS connection policy for the connection they wish to use.


  • Hi Tawfiq,

    Thanks, that's sort of what I was thinking after looking around the user forums.

    Two questions;

    1. Why do we select a Connection Policy in the Entitlement if it will just fall into whichever connection policy it matches? I would have thought choosing the connection policy in the Entitlement would force it to conform to that policy.

    2. In order to set the Safeguard Default to 222, do I just need to change the policy? Or do I also need to update the Assets themselves in the SPP to use 222 for SSH?


  • Hi Andrew,

    1. That can be used in a different use-case (SPS initiated workflow) where SPS fetches the credentials from SPP and therefore an entitlement is required to grant the credentials for the account connecting using the SPS initiated workflow via a different connection policy.

    2. If you change the safeguard_default to 222 then it will require updating the SPS connection policy and the Asset's > Connection tab > SSH Session Port


  • Hi Tawfiq,


    One final question;

    What setting can be used to have the resulting SPS to target server session be over 22? So from user to SPS it comes in as 222, then SPS to target is over 22?

    Thank you for all the help!

  • That would be set inside the SPS connection policy which should be already set to 22 (expand safegaurd_default > look under inband destination selection to show the port for target.)