
TRAINING BOOK
For partners and integrators only

Copyright
This document is the property of WALLIX and is not to be reproduced without the prior consent of the
company.
All product names or company names mentioned in this document are registered trademarks that belong to
their owner.

Introduction
This document was designed to help you better understand and implement Wallix AdminBastion (WAB). It
will be your reference if you wish to develop on the modules that were introduced to you.
We deliberately chose a practical and technical approach for this document: it will help you find the
answers to your questions about the WAB at the end of the training.
You will also find in this document several scenarios describing situations end-users may face in normal
use of the WAB, and the responses to bring depending on the issue encountered.

TABLE OF CONTENTS

Module 1: Introduction to the WAB
  What is the WAB?
  Technical composition of the WAB
  How does the WAB work?
  How to install a physical WAB?
  How to directly connect through SSH from a Linux workstation?
  How to initiate an SSH connection from a Windows workstation with PuTTY?
  How to initiate an RDP connection from a Linux workstation?
  How to initiate an RDP connection from Windows with the TSE client?
  How to initiate an RDP connection from the RDP selector?
  How to initiate an HTTP(S) connection from the browser?
  How to install a Virtual Appliance?
  How to integrate a Virtual Appliance in ESX?
  Configure the appliance through the web interface

Module 2: What are the WAB commands?
  WAB useful commands in CLI mode
  WAB-HA commands
  Theoretical functioning of the WAB-HA
  Architecture and functioning of the WAB-HA cluster
  Some useful system commands

Module 3: The support scenarios
  Scenario 1: Changing the GUI self-signed certificate
  Scenario 2: Unlocking the super admin account
  Scenario 3: WAB-HA split-brain
  Scenario 4: The Telnet and Rlogin connection scripts
  Scenario 5: The RDP connection options: Copy/Paste

Module 4: The WAB innovations
  The HTTP / HTTPS protocol
  Secondary passwords management
  The OCR in RDP sessions

Conclusion

MODULE 1
INTRODUCTION TO THE WAB

What is the WAB?


The WAB is a solution designed for the technical teams that administer IT infrastructures (servers, network
devices, security devices) within a company. The WAB meets the need for traceability of actions and for
access control of administrators and/or external providers.
The WAB is a multi-protocol authentication proxy integrating access control (ACLs), traceability and session
recording features. It acts as a transit area for users who wish to connect to devices. The WAB checks
every authentication element provided by the user as well as the granted access rights before allowing the
connection to the target device.

Features of the WAB


The WAB supports the SSH protocol (and its subsystems), Telnet, Rlogin, RDP, VNC and HTTP(S).
Connection automation to devices and single sign-on mean better ease of use and an increase in productivity
for operations and maintenance teams.
The WAB integrates a web-based graphical interface (also called the GUI), validated under Mozilla Firefox
4.x, Safari 5, Google Chrome and Internet Explorer 7 and 8, which enables the supervision of its activity, the
monitoring of connections and the configuration of the various modules.

Technical composition of the WAB


The WAB integrates 5 modules:
- An application module in Python
- An LDAP directory
- An Apache module
- A MySQL database
- A Linux Debian Squeeze operating system

Each module handles the following:

The LDAP directory handles the ACL engine and contains the WAB configuration concerning:
- Users
- Resources (devices)
- Groups
- Connections to devices via the proxies (SSH, RDP, HTTP)
- Authentication phases
- Session recordings

The GUI and the backups are handled through the Apache module:
- Access to the graphical interface
- The network configuration system
- Backups

The MySQL database contains:
- The history of connections, except for some configuration parameters such as remote storage of
  recordings and time services

The Debian operating system:
- Connection to the SSHD server on port 2242
- Video session files in the filesystem if the recording is done locally
- System information (syslog, SNMP, NTPD)

Open ports that can be accessed from outside:
  22   : SSH server listening port
  3389 : RDPproxy listening port
  443  : Web interface (HTTPS) listening port

How does the WAB work?


Please find below an example of use that describes how users and administrators interact and how
the WAB works internally. The diagram gives a global view of how WAB 3.0 works internally.

- WAB 3.0 internal functioning diagram -

How to install a physical WAB?


By default, the IP address of the WAB is 192.168.10.5.
There are two ways to connect to the WAB appliance:
1) Direct mode: by connecting a screen to the VGA plug and a keyboard to the USB plug.
You can then open a system session with the following credentials:
Login: wabadmin
Password: SecureWabAdmin
2) Network mode: from a Linux, Windows or Mac OS X desktop, either directly connected to the appliance
via an RJ45 cable (not supplied with the appliance) or on your network, by giving your machine an IP
address in the sub-network 192.168.10.0/24 other than 192.168.10.5. Please make sure you use the
RJ45 connector marked GB1.
In network mode, use an SSH client on port 2242 (Linux, Mac OS X) or the PuTTY software (Windows,
Linux), with the appliance IP address 192.168.10.5.

PLEASE NOTE: for security reasons, we recommend changing the password of the wabadmin account on the
very first connection (passwd command). This user is configured by default to gain root privileges through
the sudo -i command.

How to directly connect through SSH from a Linux workstation?

Let's take the example of user Martin wishing to connect to the suse-248 server via the testwab account,
through the WAB.
If you know the target server, the command is the following:
# ssh testwab@suse-248:Martin@WAB

How to initiate an SSH connection through the connect_to selector from a Linux workstation?

If you wish to connect through the SSH selector, the command is the following:

User Martin first has to initiate the connection. The WAB then requests a password validation in order
to authorize user Martin to connect. As soon as the password is checked and accepted, a menu
listing user Martin's access rights to target SSH servers appears. User Martin has to choose the ID
corresponding to the server he wishes to connect to.
Connection process:
The credentials are checked in the LDAP directory.
The proxy then checks:
- The end-user IP address, if a restricted access has been defined
- The user account profile
- The time schedules of the group to which the user account belongs
- The user's ACLs (allowed protocol and authorized resources)

If the user is authorized to connect to the device, the session recording starts shortly after the recording
agreement.
PLEASE NOTE: if the user refuses that the session be recorded at the RDPproxy level, or if the MySQL
database is unavailable, then the connection to the server is rejected.
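To make the order of these checks concrete, here is an added Python example; it is not WALLIX code and not taken from this training book. It parses the target_account@target_host:wab_user login string shown above (the same form rdesktop -u uses in the RDP section, so a backslash-domain account is accepted too) and walks through the checks in the order the page lists them, returning the first reason for refusal. The Profile class, the DIRECTORY dictionary, the user Martin's password, source network and schedule, and the recording/database flags are constructed stand-ins for the LDAP entries and proxy state.

```python
import hashlib
import hmac
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime

# The user name the SSH client sends to the WAB carries three fields:
# target_account@target_host:wab_user, e.g. "testwab@suse-248:Martin".
LOGIN_RE = re.compile(r"^(?P<target_account>[^@:]+)@(?P<target_host>[^@:]+):(?P<wab_user>[^@:]+)$")


def parse_login(user_part):
    """Split 'testwab@suse-248:Martin' into its three fields, refusing malformed input."""
    m = LOGIN_RE.match(user_part)
    if m is None:
        raise ValueError("expected target_account@target_host:wab_user, got %r" % user_part)
    return m.groupdict()


@dataclass
class Profile:
    """Hypothetical in-memory stand-in for the LDAP entry of one WAB user."""
    password_sha256: str     # only a digest is kept, never the clear-text password
    allowed_nets: list       # CIDR strings; an empty list means no IP restriction
    active: bool             # the account profile is enabled
    schedule: tuple          # (first_weekday, last_weekday, start_hour, end_hour); Monday == 0
    acls: set = field(default_factory=set)   # {(protocol, target_account, target_host)}


def digest(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def authorize(directory, wab_user, password, source_ip, protocol, target, now,
              recording_accepted=True, db_available=True):
    """Apply the page's checks in order; return (allowed, reason) naming the first failing check."""
    profile = directory.get(wab_user)
    # Compare against a dummy digest when the user is unknown, so timing does not reveal valid logins.
    expected = profile.password_sha256 if profile else digest("")
    if not hmac.compare_digest(expected, digest(password)) or profile is None:
        return False, "credentials rejected by the LDAP directory"
    ip = ipaddress.ip_address(source_ip)
    if profile.allowed_nets and not any(ip in ipaddress.ip_network(n) for n in profile.allowed_nets):
        return False, "source IP %s is outside the restricted access list" % source_ip
    if not profile.active:
        return False, "user account profile is disabled"
    first_day, last_day, start_hour, end_hour = profile.schedule
    if not (first_day <= now.weekday() <= last_day and start_hour <= now.hour < end_hour):
        return False, "outside the time schedule of the user's group"
    wanted = (protocol, target["target_account"], target["target_host"])
    if wanted not in profile.acls:
        return False, "no ACL grants %s access to %s@%s" % wanted
    # Per the page: a refused recording or an unavailable MySQL database rejects the connection.
    if not recording_accepted:
        return False, "user refused the session recording"
    if not db_available:
        return False, "MySQL database unavailable, the recording cannot be stored"
    return True, "session recording started"


# Constructed directory with a single user, Martin, matching the page's example.
DIRECTORY = {
    "Martin": Profile(
        password_sha256=digest("s3cret-demo"),
        allowed_nets=["10.10.0.0/16"],
        active=True,
        schedule=(0, 4, 8, 19),                 # Monday to Friday, 08:00 to 19:00
        acls={("SSH", "testwab", "suse-248")},
    )
}
MONDAY = datetime(2012, 1, 16, 10, 0)           # constructed timestamps inside / outside the schedule
SATURDAY = datetime(2012, 1, 14, 23, 36)


def demo():
    target = parse_login("testwab@suse-248:Martin")
    return authorize(DIRECTORY, target["wab_user"], "s3cret-demo", "10.10.9.57", "SSH", target, MONDAY)


if __name__ == "__main__":
    print(demo())
```

The function stops at the first failing check and reports only that one, which is what a proxy should log; it deliberately does not tell the client which check failed.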

How to initiate an SSH connection from a Windows workstation with PuTTY?

- Fill in the WAB IP address or FQDN: wab.mycorp.lan
- Specify the default port of the WAB proxy: 22
- Specify the target account to reach: testwab@suse-248

The process is then the same as for initiating an SSH connection from a Linux workstation.

How to initiate an RDP connection from a Linux workstation?

Connection process:
The user wallix wants to connect to the Windows server win2k3-103 with the domain account RADTEST\wallix
via the rdesktop command:

# rdesktop -u RADTEST\wallix@win2k3-103:wallix wab

User wallix can then fill in his password to access the target device.

How to initiate an RDP connection from Windows with the TSE client?

The user launches the mstsc command from the Start / Run menu.
1) The user fills in the WAB IP address or FQDN: wab.mycorp.lan
2) The user fills in the target server name and its account

How to initiate an RDP connection from the RDP selector?

For a user on a Unix/Linux desktop, use the rdesktop command as follows:
# rdesktop wab.mycorp.lan
For a user on a Windows desktop, launch the mstsc command (see above) and fill in the IP address of the
WAB or its FQDN in the Computer field.
Then, in the RDPproxy login zone, fill in the user login and password in order to reach the selector as
illustrated below:

-RDPproxy Selector-

You can now choose the server you want to access and click on the Connect button.

The checking of the user's information is done in the WAB through the WABRDPAuthentifier or SESMAN
process. The proxy connects to the AD or Kerberos directory of the Windows server and submits the
credentials.
The LDAP directory of the WAB answers YES or NO to confirm whether the user is present in the directory.
If the password is valid and the ACLs are checked, then SESMAN connects the user to the server through the
internal RDPproxy of the WAB (redemption).

How to initiate an HTTP(S) connection from the browser?

An HTTP(S) connection can be initiated from the GUI, in the My authorizations area, or a primary direct
connection to the HTTP(S) proxy can be made as follows:
https://ip_du_wab-ou-fqdn:8080
(where ip_du_wab-ou-fqdn stands for the WAB IP address or FQDN)
After the credentials (login/password) are checked and validated in the proxy login area, the window below
opens. It is now time to choose and click on the target device to access.

-HTTP(S)proxy Selector-

How to install a Virtual Appliance?

By default, the IP address of the WAB is 192.168.10.5.
To connect to the appliance and open a system session, use this default account:
Login: wabadmin
Password: SecureWabAdmin
Connection from the network:
On your network, give your machine an IP address in the sub-network 192.168.10.0/24 other than
192.168.10.5.
Then connect to the GUI to configure the new IP address and the other network parameters necessary to the
proper functioning of the WAB.

IMPORTANT: for security reasons, we recommend changing the password of the wabadmin account on the
very first connection (passwd command). This user is configured by default to gain root privileges through
the sudo -i command.

How to integrate a Virtual Appliance in ESX?

The minimal configuration required for a virtual appliance is:
RAM: 512 MB
Disk space: 10 GB
CPU: 1 CPU

1) Unzip the VM WAB archive. Open the ESX hypervisor and click on the name of the ESX host which will
host the VM.
2) Go to the Configuration tab, then in the Hardware menu click on Storage.
3) Right-click on the datastore on which the VM must be installed and select Browse Datastore.
4) Click on Upload file to this datastore, then select Upload folder.
5) Select the folder that contains the VM WAB and click OK.
6) Once the copy is finished, open the VM WAB folder, right-click on the .vmx file and select Add to
inventory.
7) Name your VM (in our example, WAB) and click Next.
8) The VM WAB is now ready to work. We recommend you adjust the resources in accordance with your
needs (CPU, RAM, etc.): right-click on the name of the VM (in our example, WAB) and select Edit Settings.

Configure the appliance through the web interface

In order to access the WAB web interface, type the following URL in your browser:
https://ip_address_of_WAB or FQDN
Then connect as an administrator:
Login: admin
Password: admin

- Login screen of the Wallix AdminBastion -

Network information
Access to the network information is done via the left menu: System configuration / Network. Through this
interface, all the network parameters necessary to the proper functioning of the WAB appliance are set.

-System settings / Network-

License Key
The WAB integrates a license control mechanism that checks that the use of the product complies with
the terms and conditions of the business agreement.
The terms and conditions of this contract are encoded in a license key provided by WALLIX.
Appliances are delivered with a default license key that carries the following information:
- Validity duration: 30 days (from the first boot onwards)
- Maximum number of devices: 15
- Maximum number of simultaneous primary connections (connections between the client and the
  WAB): 5
- Maximum number of simultaneous secondary connections (between the WAB and the servers): 5

The characteristics of the license can be accessed through the System configuration / Licence menu:

-System settings / License-

MODULE 2
WHAT ARE THE WAB COMMANDS?

WAB useful commands in CLI mode

COMMAND                  FEATURE                                              USE?   OPTIONS
WABGetLicence            Gives information on the current license             YES    -
WABDropLicence           Resets the license                                   YES    Type --help
WABSetLicence            Updates the license                                  YES    Type --help
WABSessionExportLog      Clears the WAB sessions over a given period of time  YES    Use the -h option to list the options
WABUpdateConfigurator    Updates the WAB from the WALLIX repository           YES    Use the -h option to list the options

In the following directory we find the script: /opt/wab/bin/.tools/WABResetConfig

WABResetConfig: resets the WAB by clearing all the data

WAB-HA Commands

COMMAND                           FEATURE                                        USE OR NOT?
WABHASetup                        Enables clustering                             YES
/etc/init.d/wabha stop            Stops the HA services on the local node        YES
/etc/init.d/wabha start           Initiates the HA services on the local node    YES
/etc/init.d/wabha stop_cluster    Stops the WAB services on both nodes           YES
/etc/init.d/wabha start_cluster   Initiates the WAB services on both nodes       YES

Network reconfiguration of the cluster:
  screen
  sudo -i
  WABHASetup --reconfigure_hosts
Enables the network reconfiguration of the WAB-HA.

Replacement of a faulty node:
  WABHASetup configure_new_slave
Enables the reintegration of a new slave node.

Recovery of a faulty volume:
  WABHAInitd force stop            (execute on both nodes: master & slave)
Then:
  # umount /var/wab                {slave}
  # drbdadm primary wab            {master}
  # fsck.ocfs2 -y -f /dev/drbd1    {master}

Theoretical functioning of the WAB-HA

Below is a sequence diagram that shows how the WAB-HA processes interact with the system in
chronological order.

- WAB-HA sequence diagram -

Architecture and functioning of the WAB-HA cluster

In this WAB 3.0 version, we favoured the DRBD technology for better data synchronization in failover
mode (active/passive). DRBD is similar to a RAID over IP.

The implementation of DRBD gives access to a new /dev/drbd1 storage device. In case of downtime of the
master node (serv-A), the service switches to the slave node (serv-B), where the data is already accessible.
The DRBD volume, /dev/drbd1, is then mounted as a file system on the passive machine, which then
becomes active.
For this kind of architecture, we favoured data synchronization in block mode rather than the rsync
synchronization used in version 2 of the WAB.
Eventually, WALLIX will switch to the active/active mode. To do so, a file system able to work in a
distributed architecture is needed. Hence the early choice and integration of the Oracle file system OCFS2,
also known as a shared-disk file system, in version 3 of the WAB.

Some useful system commands

To get the WAB version:
# dpkg -l wab2
To get the active ports and services with their PID:
# netstat -nlpt
To get a service PID, slapd for instance:
# ps aux | grep slapd
To display the system logs in real time:
# tail -f /var/log/syslog
To get the WAB license information:
# WABGetLicence
To get the LDAP server content:
# slapcat
To get the WAB IP address(es):
# ip a l

MODULE 3
THE SUPPORT SCENARIOS

Scenario 1: Changing the GUI self-signed certificate

Use Case:
Replace the files located in /etc/opt/wab/apache2/ssl.crt:
- ca.crt (the root authority certificate)
- server.pem (the public key)
- server.key (the private key)
- crl.pem (the certificate revocation list, if available)

Keep server.key readable by its owner only: it is the private key of the GUI, and a world-readable copy
undoes the point of replacing it.

Once the files have been replaced, restart the GUI by issuing the following command:
# /etc/init.d/wabgui restart

Scenario 2: Unlocking the admin account

Use Case:
Just after a WAB update, it can sometimes occur that the admin account used to connect on the portal
is locked, for instance:
Fix:
Connect to the WAB console using wabadmin, then issue sudo -i to get root rights.
Issue the following commands:

# ldapdelete -x -D cn=admin,dc=WAB -w admin cn=admin,ou=WAB_Users,dc=WAB
# /opt/wab/bin/WABRestoreDefaultAdmin

Note that -w passes the LDAP bind password on the command line, where it is visible in the shell history
and in the process list; -W prompts for it instead.

Scenario 3: WAB-HA split-brain

Use Case:
The shutdown of the servers and their return to service can cause the disks to become desynchronized.
In such a case, the system is unable to know which appliance is more up-to-date and consequently has to be
elected as the master.
Fix:
To fix the problem you first have to identify which node is the master and which node is the slave. Then
apply the following process. Be aware that --discard-my-data throws away every change the slave node
wrote since the split, so the node you designate as slave must be the one whose data you can afford to lose.

On the slave node:
# drbdadm secondary wab
# drbdadm -- --discard-my-data connect wab

On the master node:
# drbdadm connect wab

Then on both nodes:
# /etc/init.d/wabha start
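As an added example (not WALLIX code and not part of this training book), the following Python parses a node's view of the DRBD resource from the /proc/drbd status line of DRBD 8.x, classifies it, and only then emits the command sequence of this scenario for each role. The snapshots MASTER_PROC_DRBD, SLAVE_PROC_DRBD and HEALTHY_PROC_DRBD are constructed; the "split-brain suspected" classification is an assumption based on the usual signature (each node StandAlone or WFConnection with the peer role Unknown), and the plan is refused unless both nodes show it and the node kept as master reports UpToDate data.

```python
import re

# One resource line of /proc/drbd (DRBD 8.x), for example:
#  1: cs:StandAlone ro:Primary/Unknown ds:UpToDate/DUnknown   r----
RESOURCE_RE = re.compile(
    r"^\s*(?P<minor>\d+):\s+cs:(?P<cs>\S+)\s+ro:(?P<role>[^/\s]+)/(?P<peer_role>\S+)"
    r"\s+ds:(?P<disk>[^/\s]+)/(?P<peer_disk>\S+)"
)


def parse_proc_drbd(text):
    """Return {minor: {cs, role, peer_role, disk, peer_disk}} for every resource line found."""
    found = {}
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            fields = m.groupdict()
            found[int(fields.pop("minor"))] = fields
    return found


def diagnose(resource):
    """Classify one node's view of the resource (assumed signatures, see lead-in)."""
    if resource["cs"] == "Connected" and resource["disk"] == "UpToDate" and resource["peer_disk"] == "UpToDate":
        return "healthy"
    if resource["cs"] in ("StandAlone", "WFConnection") and resource["peer_role"] == "Unknown":
        # The node sits alone with its own data and no view of the peer: the split-brain signature.
        return "split-brain suspected"
    if resource["cs"] in ("SyncSource", "SyncTarget", "WFBitMapS", "WFBitMapT"):
        return "resynchronising"
    return "degraded"


def recovery_plan(master_view, slave_view, resource="wab"):
    """The page's Scenario 3 commands, generated only when both nodes really look split."""
    if diagnose(master_view) != "split-brain suspected" or diagnose(slave_view) != "split-brain suspected":
        raise ValueError("both nodes must show the split-brain signature before any data is discarded")
    if master_view["disk"] != "UpToDate":
        raise ValueError("the node kept as master does not report UpToDate data; re-check the roles")
    return {
        "slave": ["drbdadm secondary %s" % resource,
                  "drbdadm -- --discard-my-data connect %s" % resource],
        "master": ["drbdadm connect %s" % resource],
        "both": ["/etc/init.d/wabha start"],
    }


# Constructed /proc/drbd snapshots (the counter line is illustrative only).
MASTER_PROC_DRBD = """\
version: 8.3.7 (api:88/proto:86-91)
 1: cs:StandAlone ro:Primary/Unknown ds:UpToDate/DUnknown   r----
    ns:0 nr:0 dw:4096 dr:8192 al:1 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:4096
"""
SLAVE_PROC_DRBD = """\
version: 8.3.7 (api:88/proto:86-91)
 1: cs:WFConnection ro:Secondary/Unknown ds:UpToDate/DUnknown C r----
    ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:0
"""
HEALTHY_PROC_DRBD = """\
version: 8.3.7 (api:88/proto:86-91)
 1: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r----
"""


def demo():
    master = parse_proc_drbd(MASTER_PROC_DRBD)[1]
    slave = parse_proc_drbd(SLAVE_PROC_DRBD)[1]
    return diagnose(master), diagnose(slave), recovery_plan(master, slave)


if __name__ == "__main__":
    for role, commands in demo()[2].items():
        print(role, commands)
```

On a real cluster you would feed each node's /proc/drbd into parse_proc_drbd and run the printed commands by hand on the named node; the script deliberately does not execute them itself.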

Scenario 4: The Telnet and Rlogin connection scripts

Use Case:
The user will have to write the following script when setting up his device.

Let's take the scenario of a 3Com SuperStack switch as an example:

SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n

This script means:
1) Send a Windows-type line ending (CR LF)
2) Wait (no more than 10 seconds) for the character string login:
3) Send the login
4) Wait (no more than 10 seconds) for the character string Password:
5) Send the password

For Rlogin devices, only the password is awaited, thus the following connection script is fine for a
connection to an Rlogin system running Debian 5.0 Lenny:
EXPECT:(?i)Password:
SEND:$password\r\n
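To show what the proxy has to do with such a script, here is an added Python interpreter for the SEND/EXPECT format above; it is not WALLIX code and not taken from this training book. It parses the script, substitutes $login and $password, decodes the \r\n escapes, enforces the 10-second limit on each EXPECT, and keeps an audit trail that records the script step (the literal "$password\r\n") rather than the expanded secret. FakeDevice and FakeClock are constructed stand-ins for the switch and the wall clock so the three demos (3Com-style dialogue, Rlogin, and a device that never prompts) run offline; the 3Com replies are invented.

```python
import re
import time


class ScriptError(Exception):
    """Raised for a malformed script, an unknown $variable, or an EXPECT that times out."""


def parse_script(text):
    """Turn SEND:/EXPECT: lines into a list of (verb, argument) steps; reject anything else."""
    steps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        verb, sep, arg = line.partition(":")
        if not sep or verb not in ("SEND", "EXPECT"):
            raise ScriptError("line %d: expected SEND: or EXPECT:, got %r" % (lineno, raw))
        steps.append((verb, arg))
    return steps


def expand(arg, variables):
    """Substitute $login / $password and decode the \\r \\n escapes of a SEND argument."""
    def lookup(m):
        if m.group(1) not in variables:
            raise ScriptError("unknown variable $%s" % m.group(1))
        return variables[m.group(1)]
    return re.sub(r"\$(\w+)", lookup, arg).replace("\\r", "\r").replace("\\n", "\n")


class FakeDevice:
    """Constructed Telnet/Rlogin device: an optional banner, then one canned reply per line received."""

    def __init__(self, banner="", replies=()):
        self._pending = banner
        self._replies = list(replies)
        self.received = []

    def read(self):
        data, self._pending = self._pending, ""
        return data

    def write(self, data):
        self.received.append(data)
        if self._replies:
            self._pending += self._replies.pop(0)


class FakeClock:
    """Constructed clock advancing one second per reading, so the timeout is testable offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        self.now += 1.0
        return self.now


def run_script(steps, device, variables, timeout=10.0, clock=time.monotonic):
    """Drive the device step by step; return an audit trail of script steps, never expanded secrets."""
    buffer, audit = "", []
    for verb, arg in steps:
        if verb == "SEND":
            device.write(expand(arg, variables))
            audit.append(("SEND", arg))      # logs "$password\r\n", not the password value
            continue
        pattern = re.compile(arg)            # "(?i)login:" carries its own case-insensitive flag
        deadline = clock() + timeout
        while True:
            m = pattern.search(buffer)
            if m:
                buffer = buffer[m.end():]    # consume through the prompt; the next EXPECT starts after it
                audit.append(("EXPECT", m.group(0)))
                break
            if clock() >= deadline:
                raise ScriptError("timed out after %gs waiting for %r" % (timeout, arg))
            buffer += device.read()
    return audit


SUPERSTACK_SCRIPT = r"""
SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n
"""
RLOGIN_SCRIPT = r"""
EXPECT:(?i)Password:
SEND:$password\r\n
"""


def demo_superstack():
    """Constructed 3Com-like dialogue: the switch answers the first CR LF with a login prompt."""
    device = FakeDevice(replies=["\r\nSuperStack (constructed)\r\nLogin: ", "Password: ", "\r\nMenu: "])
    audit = run_script(parse_script(SUPERSTACK_SCRIPT), device,
                       {"login": "admin", "password": "demo-pw"}, clock=FakeClock())
    return device.received, audit


def demo_rlogin():
    """Rlogin: the password prompt arrives before anything is sent, so the script starts with EXPECT."""
    device = FakeDevice(banner="Password: ")
    audit = run_script(parse_script(RLOGIN_SCRIPT), device, {"password": "demo-pw"}, clock=FakeClock())
    return device.received, audit


def demo_timeout():
    """A device that never prompts: EXPECT gives up after the timeout instead of hanging the session."""
    try:
        run_script(parse_script(SUPERSTACK_SCRIPT), FakeDevice(),
                   {"login": "admin", "password": "demo-pw"}, clock=FakeClock())
    except ScriptError as exc:
        return str(exc)
    return None
```

With the default clock the EXPECT loop polls the device without sleeping; a real implementation would block on the socket with a read timeout instead.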

Scenario 5: The RDP connection options: Copy/Paste

Use Case:
An RDP session can be opened from a Windows workstation in 2 ways: from the WAB web interface, or
directly from the Terminal Server client ("Remote Desktop Connection").
If the user connects to the target device with the RDP configuration file, the copy/paste feature won't work.
Fix:
Download the RDP configuration file from the WAB web interface: in the My authorizations panel, one click
on the floppy icon allows the user to download to his workstation the RDP configuration file for his
Terminal Server client.
The user can now set his session parameters.
Then he clicks on the Local Resources tab and on the Options button.
To finish, the user checks the Drive checkbox to select the drive to mount on the remote device.

Connection with the Windows TSE client:

In Start menu / Search programs and files, type the command: mstsc
1) The user fills in the WAB IP address
2) The user fills in the target account and his login

MODULE 4
THE WAB INNOVATIONS
- The HTTP/HTTPS proxy
- Secondary passwords management
- The RDP sessions OCR

The HTTP / HTTPS protocol

To ensure the administration of web-based devices, we have integrated an HTTP(S) proxy in the WAB.

In our case, the WAB, through its HTTP proxy, acts as an intermediary (as illustrated in the picture above)
between the user and the web server, so that it can render the user's actions as below:

-HTTP(S)/session-

We have successfully tested the proxy on the following devices:
- BitDefender Remote Admin
- Cisco Access Point Configuration Utility - AP541N-K9-2.0
- Dell OpenManage Switch Administrator - PowerConnect 2848
- Dell iDRAC Enterprise
- Dell iDRAC Express
- F5 BIG-IP 10.1 TLM
- GLPI administration interface - 0.78
- Switch NetGear GS724T
- Wallix AdminBastion Web UI - 3.0
- Wallix LogBox Web UI - 2.1
- Zabbix 1.8

Here are some limitations in using the HTTP(S) proxy:
Even though we have tested the HTTP(S) proxy on several devices, it could face some issues with:
- JavaScript code that calls remote targets, for instance
- Java applets or Flash items that communicate with protocols other than HTTP(S)
- HTTP(S) sessions based on cookies, which cannot currently be cut

SECONDARY PASSWORDS MANAGEMENT

The WAB allows you to remotely change the passwords of the Windows and Unix/Linux device accounts.
The supported systems are:
- Unix system local accounts handled by the passwd command
- Windows 2003 and 2008 server local accounts
- Active Directory accounts
In order to set up this target account change policy, follow the 3-step diagram below:

Step 1: Set up the frequency and load the administrators' GPG/PGP keys
Step 2: Set up the administrator rights
Step 3: Turn on the change on each account, either automatically or manually

It is important to keep in mind that at each password change, the administrators whose keys have been
loaded will receive an encrypted notification, telling them whether the change has really occurred or
specifying the cause of the failure if it has not.

The OCR in RDP sessions

OCR (optical character recognition) is intended for the translation of pictures or printed text into text
files. To address this need inside the RDP sessions, we have integrated OCR software so that the WAB can
extract the text from the recording pictures and put it in a .meta file, which can be used in a text
processor.

A0001297@10.10.9.57,administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.flv
A0001297@10.10.9.57,administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.meta

This feature allows the window titles to be captured, as shown in the example below:

- WAB Audit / Connections history / Active Window titles -
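For an auditor who has to find which recorded sessions showed a given window, here is an added Python example; it is not WALLIX code and not part of this training book. It parses the recording file name format shown above (primary user@client IP, target account@device, start time, WAB host, session id and .flv/.meta extension) and searches the OCR'd titles for a keyword. The .meta layout assumed here, one active-window title per line, is an assumption since the page does not describe the file's contents; the META_FILES dictionary and its titles are constructed.

```python
import re
from datetime import datetime

# Recording file name, as on the page:
# A0001297@10.10.9.57,administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.flv
NAME_RE = re.compile(
    r"^(?P<user>[^@,]+)@(?P<source>[^,]+),"        # primary user @ client IP
    r"(?P<account>[^@,]+)@(?P<device>[^,]+),"      # target account @ target device
    r"(?P<stamp>\d{8}-\d{6}),"                     # start time, YYYYMMDD-HHMMSS
    r"(?P<wab>[^,]+),"                             # WAB host name
    r"(?P<session>\d+)\.(?P<ext>flv|meta)$"        # session id and file type
)


def parse_recording_name(name):
    """Split a recording file name into its fields; the start time becomes a datetime."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError("not a WAB recording file name: %r" % name)
    rec = m.groupdict()
    rec["started"] = datetime.strptime(rec.pop("stamp"), "%Y%m%d-%H%M%S")
    return rec


def window_titles(meta_text):
    """Assumed .meta layout (constructed): one OCR'd active-window title per line, blanks ignored."""
    return [line.strip() for line in meta_text.splitlines() if line.strip()]


def find_sessions(meta_files, keyword):
    """Return the records whose .meta titles contain keyword (case-insensitive), oldest session first."""
    needle = keyword.lower()
    hits = []
    for name, text in meta_files.items():
        rec = parse_recording_name(name)
        if rec["ext"] != "meta":          # the .flv is the video; only the .meta carries text
            continue
        matches = [t for t in window_titles(text) if needle in t.lower()]
        if matches:
            rec["matches"] = matches
            hits.append(rec)
    return sorted(hits, key=lambda r: r["started"])


# Constructed sample: two sessions, the first one using the file names printed on the page.
META_FILES = {
    "A0001297@10.10.9.57,administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.flv": "",
    "A0001297@10.10.9.57,administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.meta":
        "Server Manager\nActive Directory Users and Computers\nCommand Prompt\n",
    "jdoe@10.10.9.58,wallix@win2k3-103,20120115-091200,wab2.yourdomain,7360.meta":
        "Remote Desktop Connection\nRegistry Editor\n",
}


def demo(keyword="registry"):
    """List (session, device, matching titles) for every recording that showed the keyword."""
    return [(r["session"], r["device"], r["matches"]) for r in find_sessions(META_FILES, keyword)]


if __name__ == "__main__":
    print(demo())
```

Because the search keys on the parsed start time, the result doubles as a timeline of who opened what on which device, which is the question the audit view above answers interactively.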

Conclusion

This guide is dedicated to the engineers who are to perform level 1 support. Every technical point
has been addressed, but it will change following the product roadmap. For more complex issues, please
keep in mind that Wallix is at your disposal.