Hybrid SPS Usage: SPP-initiated Sessions and Standalone Router Mode SSH

At our customer site, One Identity Safeguard (SPP + SPS) is deployed on physical appliances:

  • SPP in cluster

  • SPS in HA

  • All privileged sessions are currently initiated via SPP

An external partner needs SSH access to the core banking system using RefleXion X.
These connections are blocked by SPP because the tool is considered non-compliant with SPP security requirements.

Previously, the partner accessed the environment through an old Balabit SPS deployed in router mode, which provided full session tracking.
This legacy Balabit must now be decommissioned.

Question

What is the recommended way to configure an SPS already joined to SPP so that it can:

  • continue handling SPP-initiated sessions, and

  • simultaneously operate in standalone router/bastion mode for specific SSH connections (non-SPP-compatible tools),

while still ensuring session monitoring and auditing?

Are there any official best practices or limitations documented for this hybrid use case?