Telnet/SSH (Deprecated for 21.x)

About Telnet/SSH

The Telnet/SSH option enables users to connect to internal server hosts in the clear using Telnet protocols or to communicate over an encrypted Secure Shell (SSH) session through a Web-based terminal session emulation. This feature supports the following applications and protocols:

Network Protocols: Supported network protocols include Telnet and SSH.

Terminal Settings: Supported terminal settings include VT100, VT320, and derivatives and screen buffers.

Security: Supported security mechanisms include Web/client security using SSL and host security (such as SSH if desired).

You can create secure terminal session bookmarks that appear on the welcome page for users mapped to a specific role. A terminal session bookmark defines Terminal Session information for Telnet or SSH sessions that users may launch. These sessions give users access to a variety of networked devices, including UNIX servers, networking devices, and other legacy applications, that utilize terminal sessions. The system supports SSH versions V1 and V2 and uses the following SSH versions: OpenSSH 5.2, OpenSSH_2.9.9p1, SSH protocols 1.5/2.0, and OpenSSL 0x0090607f.

When communicating over an encrypted Secure Shell (SSH) session, note that the Telnet/SSH feature does not support using the ^J character combination. (Some applications use this character combination to justify text.) If you want to use this character combination, we recommend that you find a Java applet that supports it and upload that applet through the system using the hosted Java applets feature.

Task Summary: Configuring the Telnet/SSH Feature

To configure the Telnet/SSH feature:

1. Create resource profiles that enable access to Telnet and SSH servers, include bookmarks that link to those servers, and assign the bookmarks to user roles using settings in the Users > Resource Profiles > Telnet/SSH page of the admin console.

We recommend that you use resource profiles to configure Telnet/SSH (as described above). However, if you do not want to use resource profiles, you can configure Telnet/SSH using role and resource policy settings in the following pages of the admin console instead:

Create resource policies that enable access to Telnet and SSH servers using settings in the Users > Resource Policies > Telnet/SSH > Sessions page of the admin console.

Determine which user roles may access the Telnet and SSH servers that you want to intermediate, and then enable Telnet/SSH access for those roles through the Users > User Roles > Select Role > General > Overview page of the admin console.

Create bookmarks to your Telnet and SSH servers using settings in the Users > User Roles > Select Role > Telnet/SSH > Access page of the admin console.

2. After configuring Telnet/SSH using resource profiles or roles and resource policies, you can modify general role and resource options in the following pages of the admin console:

(Optional) Enable users to create their own connections to Telnet and SSH sessions using settings in the Users > User Roles > Select Role > Telnet/SSH > Options page of the admin console.

(Optional) Enable the system to match IP addresses to hostnames and disable the auto-allow bookmarks option using settings in the Users > Resource Policies > Telnet/SSH > Options page of the admin console.

Creating a Telnet/SSH Resource Profile

A Telnet/SSH resource profile is a resource profile that enables users to connect to internal server hosts in the clear using Telnet protocols or to communicate over an encrypted Secure Shell (SSH) session through a Web-based terminal session emulation.

To create a Telnet/SSH resource profile:

1. In the admin console, choose Users > Resource Profiles > Telnet/SSH.

2. Click New Profile.

3. From the Type list, specify the session type (Telnet or SSH) for this resource profile.

4. Enter a unique name and optionally a description for the resource profile. (This name becomes the default bookmark's name.)

5. In the Host field, enter the name or IP address of the server to which this resource profile should connect.

6. Select the Create an access control policy allowing Telnet/SSH access to this server check box to enable access to the server specified in the previous step (enabled by default).

7. In the Port field, enter the port on which the system should connect to the server. (By default, the system populates this field with port number 23 if you select Telnet and port number 22 if you select SSH.)

8. If you want to pass the user's credentials to the server, enter a static username, the <username> variable, or another appropriate session variable in the Username field. (Required for SSH sessions.)

9. Click Save and Continue.

10. In the Roles tab, select the roles to which the resource profile applies and click Add.

The selected roles inherit the autopolicy and bookmarks created by the resource profile. If it is not already enabled, the system also automatically enables the Telnet/SSH option in the Users > User Roles > Select Role > General > Overview page of the admin console for all of the roles you select.

11. Click Save Changes.

12. (Optional) In the Bookmarks tab, modify the default bookmark created by the system and/or create new ones. (By default, the system creates a bookmark to the server defined in the Host field and displays it to all users assigned to the role specified in the Roles tab.)

Associating Bookmarks with Telnet/SSH Resource Profiles

When you create a Telnet/SSH resource profile, the system automatically creates a bookmark that links to the host that you specified in the resource profile. The system enables you to modify this bookmark as well as create additional bookmarks to the same host.

You can use two different methods to create Telnet/SSH session bookmarks:

Create bookmarks through existing resource profiles (recommended): When you select this method, the system automatically populates the bookmark with key parameters (such as the host, port, username, and session type) using settings from the resource profile. Additionally, while you are creating the associated resource profile, the system guides you through the process of creating any required policies to enable access to the bookmark.

Create standard bookmarks: When you select this option, you must manually enter all bookmark parameters during configuration. Additionally, you must enable access to the Telnet/SSH feature and create resource policies that enable access to the servers defined in the bookmark.

Creating Bookmarks Through Existing Resource Profiles

When configuring bookmarks, note that:

To change the host, port, or username for a Telnet/SSH bookmark created through a resource profile, you must edit the values through the resource profile's Resource tab (not its Bookmark tab).

You can only assign bookmarks to roles that you have already associated with the resource profile, not all of the roles defined on the system. To change the list of roles associated with the resource profile, use settings in its Roles tab.

Bookmarks simply control which links are displayed to users, not which resources the users can access. For example, if you enable access to a Telnet server through a resource profile but do not create a corresponding bookmark to that server, the user can still access the server by entering it into the Address field of the home page.

Make sure to enter a unique set of parameters when defining a Telnet/SSH bookmark. If you create two bookmarks that contain the same set of parameters, the system deletes one of the bookmarks from the end-user view. You will still be able to see both bookmarks, however, in the administrator console.

To associate bookmarks with Telnet/SSH resource profiles:

1. If you want to create a resource profile bookmark through the standard resource profiles page:

Choose Users > Resource Profiles > Telnet/SSH > Select Resource Profile > Bookmarks.

Click the appropriate link in the Bookmark column if you want to modify an existing bookmark. Or, click New Bookmark to create an additional bookmark.

Alternatively, if you want to create a resource profile bookmark through the user roles page:

Choose Users > User Roles > Select Role > Telnet/SSH > Sessions.

Click Add Session.

From the Type list, choose Telnet/SSH Resource Profile. (The system does not display this option if you have not already created a Telnet/SSH resource profile.)

Select an existing resource profile. (The system automatically populates the Host and Port fields using settings from the selected resource profile.)

Click OK. (If you have not already associated the selected role with the resource profile, the system automatically makes the association for you. The system also enables any access control policies for the role that are required by the resource profile.)

If this role is not already associated with the selected resource profile, the system displays an informational message. If you see this message, click Save Changes to add this role to the resource profile's list of roles and to update the profile's autopolicies as required. Then, repeat the previous step to create the bookmark.

When you create a resource profile bookmark through the user roles page (instead of the standard resource profiles page), the system only associates the generated bookmark with the selected role. The system does not assign the bookmark to all of the roles associated with the selected resource profile.

Optionally change the name and description of the bookmark. (By default, the system names the bookmark the same as the resource profile name.)

If you want to change the font size in the server display window, choose one of the following options in the Font Size section:

Fixed size of _ pixels: Enter a size from 8 to 36 pixels. (The default font size is 12.)

Resize to fit window: Dynamically changes the font size as you resize the window. This option requires Internet Explorer. (Enabled by default.)

If you want to change the size of the server display window, select an option from the Screen Size drop-down list. The default window size is 80 characters by 24 rows.

If you want to change the number of rows that the server window retains to display during scrolling, change the value in the Screen Buffer field. The default buffer size is 100 rows.

If you are configuring the bookmark through the resource profile pages, under Roles, specify the roles to which you want to display the bookmark:

ALL selected roles: Select this option to display the bookmark to all of the roles associated with the resource profile.

Subset of selected roles: Select this option to display the bookmark to a subset of the roles associated with the resource profile. Then select roles from the ALL Selected Roles list and click Add to move them to the Subset of selected roles list.

Click Save Changes.

Creating Standard Bookmarks

Information in this topic is provided for backwards compatibility. We recommend that you configure access to Telnet and SSH servers through resource profiles instead, since they provide a simpler, more unified configuration method.

To create a bookmark for secure terminal sessions:

1. In the admin console, choose Users > User Roles > Select Role > Telnet/SSH > Sessions.

2. Click Add Session. The New Telnet/SSH Session page loads.

3. From the Type list, choose Standard. (The system only displays the Type list if you have already created a Telnet/SSH resource profile.)

4. Enter a bookmark name and description for the new Telnet/SSH session (optional). If you specify a bookmark name and description, this information appears on the Terminal Sessions page.

5. Enter the name or IP address of the remote host for this session in the Host field.

6. Select the Session Type, either Telnet or SSH Secure Shell, and specify the port if different from the pre-populated port assignment.

7. Provide a username or use the <username> or other appropriate session variable.

Specify the Font Size by selecting one of the following:

Fixed size of _ pixels: Enter a size from 8 to 36 pixels.

Resize to fit window: Dynamically changes the font size as you resize the window. This option requires Internet Explorer.

Select the Screen Size using the drop-down list.

Specify the Screen Buffer size.

Click Save Changes or Save + New.

In addition to creating bookmarks for secure terminal sessions, you must create a resource policy allowing Telnet/SSH sessions for the role, or enable Auto-allow role Telnet/SSH sessions on the Telnet/SSH > Options tab to automatically allow access to the resources defined in the session bookmark.

Make sure to enter a unique set of parameters when defining a Telnet/SSH bookmark. If you create two bookmarks that contain the same set of parameters, the system deletes one of the bookmarks from the end-user view. You will still be able to see both bookmarks, however, in the administrator console.

Configuring General Telnet/SSH Options

You can enable users to create their own Telnet/SSH bookmarks and to browse to a terminal session, and you can configure the system to create Telnet/SSH resource policies that allow access to the servers specified in the session bookmarks.

When you allow users to browse to a terminal session, note that they can use two different methods:

Use the homepage: Users can enter the server and port that they want to access into the Address field of the home page. Valid formats for the URL include:

Telnet://host:port

SSH://host:port

For example: Telnet://terminalserver.yourcompany.com:3389

Use the Web browser's address bar: Users can enter the server and port that they want to access (as well as session parameters such as font and window size) into the address bars of their Web browsers using standard Web protocol. For example:

https://iveserver/dana/term/newlaunchterm.cgi?protocol=telnet&host=termsrv.yourcompany.com&port=23&username=jdoe&fontsize=12&buffer=800&size=80x25
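Because users can launch sessions directly with this URL syntax, it is worth reviewing which hosts, ports and protocols they actually request. The following is an added example (not code from the product or its documentation) that parses launch URLs out of log text and flags Telnet sessions, non-default ports, and targets outside an approved list; the log line layout, the approved list, and the treatment of a missing port are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

LAUNCH_PATH = "/dana/term/newlaunchterm.cgi"
DEFAULT_PORT = {"telnet": 23, "ssh": 22}

# Constructed allowlist of (protocol, host, port) the administrator intends
# to expose; the values are hypothetical.
APPROVED = {("ssh", "termsrv.yourcompany.com", 22)}

# Constructed sample lines; the "timestamp user method url" layout is assumed.
SAMPLE_LOG = """\
2024-01-10 09:14:02 jdoe GET https://iveserver/dana/term/newlaunchterm.cgi?protocol=telnet&host=termsrv.yourcompany.com&port=23&username=jdoe&fontsize=12&buffer=800&size=80x25
2024-01-10 09:20:41 asmith GET https://iveserver/dana/term/newlaunchterm.cgi?protocol=ssh&host=termsrv.yourcompany.com&port=22&username=asmith
2024-01-10 09:31:17 jdoe GET https://iveserver/dana/term/newlaunchterm.cgi?protocol=ssh&host=10.1.4.9&port=2222&username=jdoe
2024-01-10 09:33:00 jdoe GET https://iveserver/other/page
"""

URL_RE = re.compile(r"https?://\S+")


def parse_launch(url):
    """Return the session parameters of a launch URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.path != LAUNCH_PATH:
        return None
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    proto = query.get("protocol", "").lower()
    if proto not in DEFAULT_PORT or not query.get("host"):
        return None
    try:
        # Assumption: a missing port means the protocol's default port.
        port = int(query.get("port", DEFAULT_PORT[proto]))
    except ValueError:
        return None
    return {"protocol": proto, "host": query["host"].lower(), "port": port,
            "username": query.get("username", "")}


def audit(log_text, approved=APPROVED):
    """List (username, host, port, reasons) for launches that need review."""
    findings = []
    for line in log_text.splitlines():
        match = URL_RE.search(line)
        launch = parse_launch(match.group(0)) if match else None
        if launch is None:
            continue
        reasons = []
        if launch["protocol"] == "telnet":
            reasons.append("cleartext-telnet")
        if launch["port"] != DEFAULT_PORT[launch["protocol"]]:
            reasons.append("non-default-port")
        if (launch["protocol"], launch["host"], launch["port"]) not in approved:
            reasons.append("not-approved")
        if reasons:
            findings.append((launch["username"], launch["host"], launch["port"], reasons))
    return findings
```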

To specify general Telnet/SSH options:

1. In the admin console, choose Users > User Roles > Select Role > Telnet/SSH > Options.

2. Enable User can add sessions to allow users to define their own session bookmarks and to allow users to browse to a terminal session using telnet:// and ssh:// syntax as well as the /dana/term/newlaunchterm.cgi syntax. When you enable this option, the Add Terminal Session button appears on the Terminal Sessions page the next time a user refreshes the welcome page.

3. Enable Auto-allow role Telnet/SSH sessions to enable the system to automatically allow access to the resources defined in the session bookmark (rather than having to create resource policies). Note that this only applies to role bookmarks, not user bookmarks.

4. You may not see the Auto-allow option if you are using a new installation or if an administrator hides the option.

5. Click Save Changes.

Writing a Telnet/SSH Resource Policy

When you enable the Telnet/SSH access feature for a role, you need to create resource policies that specify which remote servers a user may access. If the system matches a user's request to a resource listed in a Telnet/SSH policy, it performs the action specified for the resource.

You can create resource policies through the standard interface (as described in this topic) or through resource profiles (recommended method).

When writing a Telnet/SSH resource policy, you need to supply key information:

Resources: A resource policy must specify one or more resources to which the policy applies. When writing a Telnet/SSH policy, you need to specify remote servers to which a user may connect.

Roles: A resource policy must specify the roles to which it applies. When a user makes a request, the system determines what policies apply to the role and then evaluates those policies that correspond to the request.

Actions: A Telnet/SSH resource policy either allows or denies access to a server.

The engine that evaluates resource policies requires that the resources listed in a policy's Resources list follow a canonical format.

Writing Telnet/SSH Resource Policies

Information in this section is provided for backwards compatibility. We recommend that you configure access to Telnet and SSH servers through resource profiles instead, since they provide a simpler, more unified configuration method.

To write a Telnet/SSH resource policy:

1. In the admin console, choose Users > Resource Policies > Telnet/SSH > Access.

2. On the Telnet/SSH Policies page, click New Policy.

3. On the New Policy page, enter a name to label this policy and optionally a description.

4. In the Resources section, specify the servers to which this policy applies.

5. In the Roles section, specify:

Policy applies to ALL roles: Use this field to apply this policy to all users.

Policy applies to SELECTED roles: Use this field to apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Policy applies to all roles OTHER THAN those selected below: Use this field to apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

6. In the Action section, specify:

Allow access: Use this field to grant access to the servers specified in the Resources list.

Deny access: Use this field to deny access to the servers specified in the Resources list.

Use Detailed Rules: Use this field to specify one or more detailed rules for this policy.

7. Click Save Changes.

8. On the Telnet/SSH Policies page, order the policies according to how you want to evaluate them. Keep in mind that once the system matches the resource requested by the user to a resource in a policy's (or a detailed rule's) Resource list, it performs the specified action and stops processing policies.

Matching IP Addresses to Hostnames

You can configure Telnet/SSH to match IP addresses to hostnames specified as resources in your Telnet/SSH resource policies. When you enable this option, the system looks up the IP address corresponding to each hostname specified in a Telnet/SSH resource policy. When a user tries to access a server by specifying an IP address rather than the hostname, the system compares the IP to its cached list of IP addresses to determine if a hostname matches an IP. If there is a match, then the system accepts the match as a policy match and applies the action specified for the resource policy.

When you enable this option, the system compiles a list of hostnames specified in the Resources field of each Telnet/SSH resource policy. The system then applies the option to this comprehensive list of hostnames.

This option does not apply to hostnames that include wildcards and parameters.

To specify the Telnet/SSH resource option:

1. In the admin console, choose Users > Resource Policies > Telnet/SSH > Options.

2. Select IP based matching for Hostname based policy resources.

The system looks up the IP address corresponding to each hostname specified in a Telnet/SSH resource policy. When a user tries to access a server by specifying an IP address rather than the hostname, the system compares the IP to its cached list of IP addresses to determine if a hostname matches an IP. If there is a match, then the system accepts the match as a policy match and applies the action specified for the resource policy.

3. Click Save Changes.
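The policy ordering rule under Writing Telnet/SSH Resource Policies and the IP based matching option described here interact, so the following added example models both: first match wins, role scoping, and hostname policies that only cover requests by IP address when the option is on. It is a simplified model written for this page, not the product's evaluation engine; the shell-style wildcard syntax stands in for the canonical resource format (which this page does not show), deny-on-no-match is an assumption, and all hostnames, addresses and role names are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Policy:
    name: str
    resources: list          # hostnames or shell-style wildcard patterns (simplified)
    action: str              # "allow" or "deny"
    role_mode: str = "all"   # "all", "selected" or "other_than"
    roles: set = field(default_factory=set)

    def applies_to(self, role):
        if self.role_mode == "all":
            return True
        return (role in self.roles) == (self.role_mode == "selected")


def resource_matches(resource, target, ip_cache, ip_matching):
    res, tgt = resource.lower(), target.lower()
    if fnmatchcase(tgt, res):
        return True
    # IP based matching covers literal hostnames only, never wildcard resources.
    if ip_matching and not any(ch in res for ch in "*?"):
        return tgt in ip_cache.get(res, set())
    return False


def evaluate(policies, role, target, ip_cache, ip_matching=False):
    """Return (action, policy name); the first matching policy ends evaluation."""
    for policy in policies:
        if policy.applies_to(role) and any(
            resource_matches(r, target, ip_cache, ip_matching) for r in policy.resources
        ):
            return policy.action, policy.name
    return "deny", None  # assumption: a request that matches no policy is denied


# Constructed sample data: hostnames, addresses and role names are hypothetical.
# IP_CACHE plays the part of the system's cached hostname-to-IP lookups.
IP_CACHE = {
    "legacy.yourcompany.com": {"10.1.4.20"},
    "termsrv.yourcompany.com": {"10.1.4.9"},
}
POLICIES = [
    Policy("deny-legacy", ["legacy.yourcompany.com"], "deny"),
    Policy("allow-termsrv", ["termsrv.yourcompany.com"], "allow", "selected", {"Engineering"}),
    Policy("allow-lab", ["*.lab.yourcompany.com"], "allow"),
]
```

With the option off, a request for 10.1.4.20 matches neither the hostname-based deny policy nor any other policy; with it on, the same request is matched by deny-legacy by name.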