Security settings
The following settings are available on the Host > Security tab of the host profile.
SSL
Use SSL |
Uses SSL to encrypt the information sent to the host. When this option is selected, the Port field for the host profile is changed to 992. You cannot use ConnectPro when SSL is enabled. |
Certificate
Certificate |
Click Upload certificate to add a valid certificate to devices for secure connections with a host. When added, all associated subject and thumbprint information is listed here. The host address shown in the certificate must match the host server location, or else the device will not trust the host. The supported certificate file extensions are .cer, .crt, and .pem. |
SSH
Use SSH |
Uses SSH to encrypt the information sent to the host. The Velocity Client can use SSH versions 1 and 2 and will automatically select the most secure protocol supported. There is no additional software for SSH on the device, but the host must be configured for SSH. When this option is selected, the Auto login user and Auto login password fields appear and must be filled out, and the Port field is changed to 22. You can select this option or Use SSH tunnel, but not both. |
Use SSH tunnel |
Sets whether or not to use SSH tunneling. If you are using 5250 emulation with SSH, you must use SSH tunneling. When this option is selected, the Auto login user, Auto login password, Tunnel address, and Tunnel port fields appear below and the Port field is changed to 22. You can select this option or Use SSH, but not both. |
Auto login user |
The username for accessing the SSH server. This option is only available when Use SSH or Use SSH tunnel is selected. |
Auto login password |
The password associated with the SSH username. This option is only available when Use SSH or Use SSH tunnel is selected. |
Use private key |
Allows you to distribute an OpenSSH or ssh.com private key to devices to allow them to authenticate with the server. The private key should use either RSA or DSA encryption. Private keys with or without passphrases are supported. When you enable the option, click Add private key to add a private key. |
Accept new keys |
Determines whether the Client will connect to an SSH server that it doesn't have a public key for. By default, this is set to No. The following options are available:
• No. The Client will connect to a host using one of the known host keys. If you do not provide a known host key, the user is prompted to accept a host key the first time it connects to a server. If the user accepts, the Client stores that key as the accepted known host key and will only connect to a host using that host key from then on. The user will not be prompted to accept any additional known host keys. If the device attempts to connect to an SSH server with a different host key, the connection will fail. If the user rejects the host key, the session fails to connect. If the user tries the same SSH server again, the user is again prompted to accept the host key.
• Prompt. The Client will connect to a host that uses one of the known host keys. Each time the Client attempts a connection to an SSH server that doesn't match one of the known host keys, the Client displays the host fingerprint and prompts the user to accept the host key. If the user accepts, the Client stores the key and will connect to that host without prompting from then on. If there is already a known host key, that host key is overwritten when the user accepts a new one. If the user rejects the host key, the session fails to connect. If the user tries the same SSH server again, the user is again prompted to accept the host key.
• Yes. The Client will connect to any host using SSH and will not attempt to match the known host keys. The user is not prompted to accept the host key.
Choosing Prompt or Yes may make your environment vulnerable to man-in-the-middle attacks and is not recommended. |
SSH public keys |
Click the Add Public Key button to add SSH keys. A host's public key is used to verify the trusted host. When you provide a host key to devices, devices will only connect to the server if the server has a matching private key. The known host key should start with the algorithm type. For example, an RSA key starts with ssh-rsa, then has a space, and then the base-64 encoded key. If the value you have has colons in it, it is the fingerprint and not the public key. You must provide the public key and not the fingerprint. You can either paste the public key into the text box, or connect to a host and retrieve the public key. To retrieve the public key from the host, click the Get current key button. The Console will attempt to connect to the host address specified on the Host Profile tab and get the public key. |
Tunnel address |
The IP address or host name for the SSH tunnel. This option is only available when Use SSH tunnel is selected. |
Tunnel port |
The TCP port number associated with the Tunnel address for SSH tunneling. This option is only available when Use SSH tunnel is selected. |
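The format rule given for SSH public keys above (algorithm type, a space, then the base-64 key, and never the colon-separated fingerprint) can be checked before a value is pasted into the profile. The following is an added example, not Ivanti code; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import struct

# A colon-separated hex string or "SHA256:..." is a fingerprint, not a key.
FINGERPRINT_RE = re.compile(
    r"^(MD5:)?([0-9A-Fa-f]{2}:){15}[0-9A-Fa-f]{2}$|^SHA256:\S+$")

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def check_host_key(value: str) -> dict:
    """Validate '<algorithm> <base64 key>' and return its fingerprints."""
    value = value.strip()
    if FINGERPRINT_RE.match(value):
        raise ValueError("fingerprint given; the public key is required")
    parts = value.split()
    if len(parts) < 2:
        raise ValueError("expected '<algorithm> <base64 key>'")
    algorithm, body = parts[0], parts[1]
    try:
        blob = base64.b64decode(body, validate=True)
    except binascii.Error:
        raise ValueError("key body is not valid base64") from None
    # The decoded blob starts with the algorithm name as an SSH string;
    # it has to agree with the text prefix.
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != algorithm.encode():
        raise ValueError("algorithm prefix does not match the key blob")
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "algorithm": algorithm,
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256.rstrip("="),
    }

# Constructed sample, not a real host key: exponent 65537, filler modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + b"\xc3" * 256))
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " sample"

if __name__ == "__main__":
    print(check_host_key(SAMPLE_KEY))
```

The returned fingerprints are derived from the key itself, so they can be compared against a fingerprint obtained from the server administrator before the key is distributed to devices.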
ConnectPro
ConnectPro (also known as TermProxy or Session Persistence Server) is a proxy server from Ivanti that connects the device to the host and maintains the connection to the host even if the device goes idle, enters power-saving mode, moves out of Wi-Fi range, or otherwise prematurely terminates the session.
Only use ConnectPro connections |
Indicates whether the Velocity Client should only connect to the host through a ConnectPro server. If you enable this checkbox, you cannot select the Use SSL setting in the SSL Settings section. |
Server type |
The version number of the ConnectPro server. |
Address |
The IP address or host name of the server. |
Port |
The TCP port number on which the proxy server is listening for emulation requests from clients. |
Terminate ConnectPro session |
Indicates when the ConnectPro server should terminate the connection to the host. Possible values include:
• Never. The proxy server never terminates the session established with the host. The Client is responsible for manually terminating the session.
• On Network Error. The proxy server terminates the session with the host when a network error occurs, such as a loss of network connectivity.
• On Session Exit. The proxy server terminates the session with the host when the session is terminated by the Velocity Client. By default, this option is selected.
• Always. The proxy server will terminate the session with the host on a network error or when the session is terminated. |
Client reconnects if unexpectedly disconnected |
Specifies if the Velocity Client will attempt to reconnect if the session with the proxy server is lost and the Client has not received a disconnect message from the proxy server. By default, this is set to Yes. |
Reconnect string |
Specifies the reconnect string that the device should use when connecting to the host. Alternately, you may configure reconnect strings in ConnectPro. |
Use SSL |
Uses SSL/TLS to encrypt the information sent to the host. There is no additional software needed for SSL/TLS, but the host must be configured for SSL/TLS. |
Use custom encryption |
Uses an Ivanti custom encryption method to encrypt the connection to the ConnectPro server. When you use custom encryption, provide an encryption key in the Key field below. |
Key |
Specifies a custom encryption key. |
Certificate |
Click Upload Certificate to add a valid certificate to devices for secure connections with a host. When added, all associated subject and thumbprint information is listed here. The host address shown in the certificate must match the host server location, or else the device will not trust the host. The supported certificate file extensions are .cer, .crt, and .pem. You may only attach one certificate to a project. |