Manual Chapter : Proxy SSH traffic with an SSH Proxy profile

Applies To:

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

Configure an SSH proxy security profile to allow or deny SSH channel actions to specific users on a virtual server.
  1. On the Main tab, click Protocol Security > Security Profiles > SSH Proxy.
    The Protocol Security: Security Profiles: SSH Proxy screen opens.
  2. Click
    The New SSH Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. From the Lang Env Tolerance list, select which connections with LANG environment variables set are allowed to pass through if the SSH Proxy profile has the
    channel type permission (in the SSH Proxy Permissions rules) set to
    Allows connections with any LANG environment value set.
    Allows only connections with the LANG environment value set to
    to pass through the Other restrictions.
    Disallows all connections with the LANG environment variable set.
  5. In the
    field, specify the idle timeout, in seconds, to maintain an SSH session if there is no activity.
    A setting of
    means that the SSH session never times out.
  6. Edit an existing rule, or add a new rule.
    • To edit an existing rule, click the name of the rule. For example, click Default Actions to edit the default rule for a profile.
    • To add a new rule, click Add New Rule. A new line is added to the list of rules. Add a name to the rule to begin editing.
  7. In the Users column, in the add new user field, type an SSH user name to which the rule applies, then click
    You cannot add users to the
    Default Actions
  8. Configure the settings for each SSH channel action.
    • To allow the session to be set up for the SSH channel action, select
    • To deny an SSH channel action, and send a command not accepted message, select
      . Note that many SSH clients disconnect when this occurs.
    • To terminate an SSH connection by sending a reset message when a channel action is received, select
    In non-default rules, SSH channels have an
    option, which means that for a specific user, if all the rules' actions (except default actions) are unspecified, then use the
    Default Action
  9. To enable logging for an SSH action, select the
    check box.
    Before events are logged, you need to set up a log publisher and logging profile.
  10. When you finish editing:
    • An existing rule, click Done Editing.
    • A new rule, click Add Rule.
  11. When you are finished adding and editing rules, click Commit Changes to System.
The SSH proxy profile is saved to the system.
To use an SSH proxy profile with a virtual server, attach the profile to a virtual server.
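
The fallback described in step 8 (actions a user's rules leave unspecified fall back to the default actions) and the logging option in step 9 can be reviewed offline before a profile is committed. The following is an added example, not F5 code or a BIG-IP export format: the dictionary layout, channel names, rule names and users are constructed, and reporting disagreeing rules as a conflict is an assumption, because the page does not say how such rules are resolved.

```python
# Added illustration: a local model of an SSH proxy profile, not BIG-IP code.
# Action labels follow the page's verbs; channel names are assumed labels.
ALLOW, DENY, TERMINATE, UNSPECIFIED = "allow", "deny", "terminate", "unspecified"

# Constructed sample profile: each entry maps channel action -> (action, log?).
PROFILE = {
    "default": {"shell": (DENY, True), "sftp_up": (TERMINATE, True),
                "scp_down": (ALLOW, False)},
    "rules": [
        {"name": "admins", "users": ["alice"],
         "actions": {"shell": (ALLOW, True), "sftp_up": (UNSPECIFIED, False)}},
        {"name": "transfer", "users": ["alice", "bob"],
         "actions": {"sftp_up": (ALLOW, False), "shell": (UNSPECIFIED, False)}},
        {"name": "lockdown", "users": ["bob"],
         "actions": {"sftp_up": (TERMINATE, True)}},
    ],
}

def effective(profile, user, channel):
    """Return (action, logged, source) for one user and channel action."""
    hits = []
    for rule in profile["rules"]:
        if user in rule["users"]:
            action, log = rule["actions"].get(channel, (UNSPECIFIED, False))
            if action != UNSPECIFIED:
                hits.append((action, log, rule["name"]))
    if not hits:  # every matching rule left it unspecified: default applies
        action, log = profile["default"][channel]
        return action, log, "default"
    if len({h[0] for h in hits}) > 1:  # rules disagree: flag for review
        return "conflict", any(h[1] for h in hits), ",".join(h[2] for h in hits)
    return hits[0]

def audit(profile):
    """List findings: conflicting rules and allowed actions without logging."""
    users = sorted({u for r in profile["rules"] for u in r["users"]})
    findings = []
    for user in users:
        for channel in sorted(profile["default"]):
            action, logged, source = effective(profile, user, channel)
            if action == "conflict":
                findings.append((user, channel, "conflicting rules: " + source))
            elif action == ALLOW and not logged:
                findings.append((user, channel, "allowed without logging via " + source))
    return findings

if __name__ == "__main__":
    for finding in audit(PROFILE):
        print(*finding, sep=" | ")
```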