Using different ports on various Connections Policies

Hi all,

I am configuring an onDemand environment with 2 different connection policies on SPS for both RDP and SSH.

The 2 SSH policies use ports 22 and 2223 to determine which connection needs to be used.

On SPP I am configuring an SSH asset with SSH Session port 22 and Port 2223.

The connection works but it never gets to use the 2223 port policy. From the audits I see that the policy used is always the port 22 one.

I also tried switching the two ports (so SSH Session port 2223 and Port 22), but that way I cannot connect to the target asset, since the port used is 2223 (which is closed on the asset) instead of port 22.

In the Access Request Policy I have selected the desired SPS Connection Policy to use for every session based on the different Assets, but it seems that the field is not being used at all (while with RDP sessions it does work correctly).

Am I doing something wrong?

What I want to achieve is that the client connects to SPS on port 22 or 2223 based on which asset I am requesting the session for, and then SPS connects to the asset always on port 22.

Can you please help me?

Thank you,

Simone

  • Hi,

    - In SPP change the SSH Session port on the assets to be 22 only

    You will need two separate SSH Access Request Policies:

    1. ARP1 > pointing at the SPS Connection policy safeguard_default, which has port 22 on the policy and port 22 on the in-band destination selection
    - In the Scope of this ARP1, add the Assets and Accounts that you want to SSH to using port 22 in SPS

    2. ARP2 > pointing at the SPS Connection policy safeguard_ssh_2223, which has port 2223 on the policy and port 22 on the in-band destination selection

    - In the Scope of this ARP2, add the other Assets and Accounts that you want to SSH to using port 2223 in SPS

    When requesting the Asset + Account in SPP, you will need to fetch the connection string details and port so that you can copy these and paste in the SSH client with the correct destination SPS SSH port 22 or 2223

    Thanks!

  • Hello Tawfiq,

    Recently I have been thinking about the field SPS Connection Policy in the ARP that is on SPP.
    From the description given by documentation, that field should be the one that forces the use of one Connection Policy instead of another.

    If that is true, is it possible to use the same port on every Connection Policy and then select the desired policy from the ARP?

    Otherwise, if the field does not do what it is supposed to do, what is that field on the ARP used for?

    Thank you,

    Simone

  • You will need a unique port on the SPS connection policy side for this use-case, because if all connection policies have the same port then the first SPS connection policy at the top will always be a match and the other SPS connection policies will not be used.

    The field selected in SPP side is not enough to force the connection to use a specific SPS connection policy because SPS will always pick the first connection policy that matches and so having a different Port criteria allows you to use a different policy.

    SPP uses the connection policy name to validate for SPS that the User + Asset + Account combination passing through that connection policy via SPS is authorized on the SPP side to access the session and credentials of that remote asset and account; otherwise SPS will not be able to allow the connection and fetch the password from SPP, for example if the user is not entitled for the session in SPP with that specific connection policy.

    Thanks!
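
The following is an added example, not code from One Identity or from anyone in this thread. It models the two-ARP setup from the first reply and the first-match rule from the reply above as a small Python simulation, so the three outcomes discussed here can be reproduced side by side: two connection policies on the same listening port (the second one is unreachable), distinct listening ports with the in-band destination fixed at 22 (both work), and a policy whose in-band destination port is closed on the asset. Policy names (safeguard_default, safeguard_ssh_2223), ARP names, the user and asset names and the open-port table are all constructed for the example; the model also assumes each asset is in scope of only one ARP. It is not the real SPS/SPP evaluation logic, only the behaviour described in the thread.

```python
"""Simulation of SPS connection-policy selection and SPP entitlement checks.

Added example, not product code. It models only what the thread describes:
SPS evaluates connection policies top-down and the first one whose listening
port matches the client connection wins; the chosen policy's in-band
destination port is what SPS uses towards the asset; SPP then requires an
Access Request Policy (ARP) that names that connection policy and covers the
user and asset.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionPolicy:
    name: str
    listen_port: int   # port the SSH client connects to on SPS
    target_port: int   # in-band destination selection: port used towards the asset


@dataclass(frozen=True)
class AccessRequestPolicy:
    name: str
    sps_policy: str      # the "SPS Connection Policy" field of the ARP
    users: frozenset     # users entitled by this ARP
    assets: frozenset    # assets (and their accounts) in the ARP scope


def select_policy(policies, client_port):
    """SPS side: first policy whose listening port matches the client connection."""
    for policy in policies:
        if policy.listen_port == client_port:
            return policy
    return None


def entitled(arps, user, asset, policy_name):
    """SPP side: an ARP that selects this connection policy must cover user and asset."""
    for arp in arps:
        if arp.sps_policy == policy_name and user in arp.users and asset in arp.assets:
            return arp
    return None


def open_session(policies, arps, asset_ports, user, asset, client_port):
    """Walk a session through SPS policy selection, SPP entitlement and the asset port."""
    policy = select_policy(policies, client_port)
    if policy is None:
        return {"ok": False, "stage": "sps", "reason": f"nothing listens on {client_port}"}
    arp = entitled(arps, user, asset, policy.name)
    if arp is None:
        return {"ok": False, "stage": "spp", "policy": policy.name,
                "reason": f"no ARP selecting {policy.name} covers {user}/{asset}"}
    if policy.target_port not in asset_ports[asset]:
        return {"ok": False, "stage": "asset", "policy": policy.name,
                "reason": f"{asset}:{policy.target_port} is closed"}
    return {"ok": True, "policy": policy.name, "arp": arp.name, "target_port": policy.target_port}


# Constructed data: both assets expose SSH on 22 only, one ARP per asset.
ASSET_PORTS = {"srv-a": {22}, "srv-b": {22}}
ARPS = (
    AccessRequestPolicy("ARP1", "safeguard_default", frozenset({"simone"}), frozenset({"srv-a"})),
    AccessRequestPolicy("ARP2", "safeguard_ssh_2223", frozenset({"simone"}), frozenset({"srv-b"})),
)
# Both policies listen on 22: the second can never be selected.
SAME_PORT = (ConnectionPolicy("safeguard_default", 22, 22),
             ConnectionPolicy("safeguard_ssh_2223", 22, 22))
# Recommended layout: distinct listening ports, in-band destination always 22.
DISTINCT = (ConnectionPolicy("safeguard_default", 22, 22),
            ConnectionPolicy("safeguard_ssh_2223", 2223, 22))
# Second policy forwards to 2223, which the asset does not expose.
SWAPPED = (ConnectionPolicy("safeguard_default", 22, 22),
           ConnectionPolicy("safeguard_ssh_2223", 2223, 2223))


def run_scenarios():
    """Return one result per scenario so callers can inspect or assert on them."""
    return {
        "same_port_b": open_session(SAME_PORT, ARPS, ASSET_PORTS, "simone", "srv-b", 22),
        "distinct_a": open_session(DISTINCT, ARPS, ASSET_PORTS, "simone", "srv-a", 22),
        "distinct_b": open_session(DISTINCT, ARPS, ASSET_PORTS, "simone", "srv-b", 2223),
        "wrong_target": open_session(SWAPPED, ARPS, ASSET_PORTS, "simone", "srv-b", 2223),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

In the same-port scenario the session for srv-b is always matched by safeguard_default, which is exactly what the audit trail in the original post shows, and the ARP that names safeguard_ssh_2223 is never consulted. With distinct listening ports each asset reaches its own policy and SPS still connects to the asset on 22.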
