Using different ports on various Connections Policies

Hi all,

I am configuring an onDemand environment with 2 different connection policies on SPS for both RDP and SSH.

The 2 SSH policies use port 22 and 2223 to determine which connection needs to be used.

On SPP I am configuring an SSH asset with SSH Session port 22 and Port 2223.

The connection works but it never gets to use the 2223 port policy. From the audits I see that the policy used is always the 22 port one.

I also tried switching the two ports (so SSH Session port 2223 and Port 22) but that way I cannot connect to the target asset since the port used is 2223 (which is closed on the asset) instead of port 22.

In the Access Request Policy I have selected the desired SPS Connection Policy to use for every session based on the different Assets, but it seems like the field is not being used at all (while with RDP sessions it does work correctly).

Am I doing something wrong?

What I want to achieve is that the client connects to SPS on port 22 or 2223 based on which asset I am requesting the session for and then SPS connects to the asset always on port 22.

Can you please help me?

Thank you,

Simone

  • Hi,

    - In SPP change the SSH Session port on the assets to be 22 only

    You will need two separate SSH Access Request Policies:

    1. ARP1 > pointing at the SPS Connection policy as safeguard_default which has port 22 on the policy and on the inband destination selection port 22

    - In the Scope of this ARP1, add the Assets and Accounts that you want to SSH to using port 22 in SPS

    2. ARP2 > pointing at the SPS Connection policy as safeguard_ssh_2223 which has port 2223 for the policy and on the inband destination selection port 22

    - In the Scope of this ARP2, add the other Assets and Accounts that you want to SSH to using port 2223 in SPS

    When requesting the Asset + Account in SPP, you will need to fetch the connection string details and port so that you can copy these and paste in the SSH client with the correct destination SPS SSH port 22 or 2223

    Thanks!

  • Hello Tawfiq,

    thank you for the reply.

    I did set SSH session port on 22 for every Linux asset that needs to have a requestable session from SPP.

    I did create the 2 different SPS Connection Policies:

    1. Has port 2223 for the policy and inband destination set to star and port 22

    2. Has port 22 for the policy and inband destination set to star and port 22

    All the ARPs are pointing to the corresponding Connection Policy and every corresponding Asset has been set in the scope.

    When requesting the session, though, the connection string returned always uses the second Connection Policy (port 22 assigned) even if the ARP is set to use the first one (port 2223 assigned).

    Do I need to change the Port field (not the SSH Session Port) of the asset too or can I leave it as port 22?
    Which field will SPS use to determine which policy to use?

    Thank you

  • You mentioned using On Demand which is likely running 7.5.0 version of SPP at the moment, correct?

    In your example, do the connection strings currently include the SPS connection policy port number at the end?

    I did find a Change Request that was fixed in 7.5.1 and above so that SPP will not include the SPS connection policy port number in the connection string anymore; instead it will show as another separate field, so you can copy each separately. For example, in the PuTTY SSH client you would paste the connection string in the Hostname field, then separately, in the PuTTY explicit port box, you would specify the port corresponding to the correct SPS SSH connection policy that will appear for that SSH request.
