TRAINING BOOK
For partners and integrators only
Copyright
This document is the property of WALLIX and is not to be reproduced without the prior consent of the
company.
All product or company names mentioned in this document are registered trademarks belonging to
their owners.
Introduction
This document was designed to help you better understand and implement Wallix AdminBastion (WAB). It
will be your reference if you wish to build on the modules that were presented to you.
We deliberately chose a practical and technical approach for this document, so that at the end of the
training you can find the answers to your questions about the WAB here.
You will also find several scenarios describing situations end-users may face in everyday use of the
WAB, and the responses to give depending on the issue encountered.
TABLE OF CONTENTS
Module 1: Introduction to the WAB
What is the WAB?
Technical composition of the WAB
How does the WAB work?
How to install a physical WAB?
How to connect directly through SSH from a Linux workstation?
How to initiate an SSH connection from a Windows workstation with PuTTY?
How to initiate an RDP connection from a Linux workstation?
How to initiate an RDP connection from Windows with the TSE client?
How to initiate an RDP connection from the RDP selector?
How to initiate an HTTP(S) connection from the browser?
How to install a Virtual Appliance?
How to integrate a Virtual Appliance in ESX?
Configure the appliance through the web interface
Conclusion
MODULE 1: INTRODUCTION TO THE WAB
Users
Resources (devices)
Groups
Connections to devices through proxies (SSH, RDP, HTTP)
Authentication phases
Session recordings
The GUI and backup are handled through the Apache module, as is the connection history, except for some
configuration parameters such as remote storage of recordings and time services.
[Diagram: WAB 3.0 internal architecture, with the proxy ports 22 (SSH), 3389 (RDP) and 443 (HTTPS)]
This diagram gives a global view of how WAB 3.0 works internally.
Connect with an SSH client on port 2242 (Linux, Mac OS X) or with PuTTY (Windows) to the
appliance IP address: 192.168.10.5
PLEASE NOTE: for security reasons, we recommend changing the wabadmin account password on the
very first connection (passwd command). This user is configured by default to gain root privileges through
the sudo -i command.
User Martin first initiates the connection. The WAB then requests password validation in order
to authorize User Martin to connect. As soon as the password is checked and accepted, a menu
listing User Martin's access rights to target SSH servers appears. User Martin has to choose the ID
corresponding to the server he wishes to connect to.
Connection process:
The credentials are checked in the LDAP directory.
The proxy then checks:
End-user IP address, if a restricted access has been defined
User account profile
Time schedules of the group the user account belongs to
User ACLs (allowed protocol and authorized resources)
If the user is authorized to connect to the device, the session recording starts shortly after the recording
agreement.
PLEASE NOTE: if the user refuses to have the session recorded at the RDP proxy level, or if the MySQL
database is unavailable, the connection to the server is rejected.
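The authorization sequence described above, modelled as an added example (not WAB code): each check is applied in the page's order and the first failure rejects the session, including the recording refusal and database outage cases. The account, device and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the checks the WAB proxy runs before opening a session:
# LDAP credential check, source IP restriction, account profile, group time
# schedule, user ACLs, then recording consent and MySQL availability.
# Names are illustrative, not the WAB's own API.

@dataclass
class UserAccount:
    name: str
    password: str
    profile: str                  # only "user" may open sessions in this model
    allowed_sources: list         # CIDR strings; empty list = no restriction
    schedule: tuple               # (first_hour, last_hour) of the group's time schedule
    acls: dict = field(default_factory=dict)   # device -> set of allowed protocols

def ldap_check(directory: dict, user: str, password: str) -> bool:
    """Stand-in for the LDAP bind: True only if the user exists and the password matches."""
    acct = directory.get(user)
    return acct is not None and acct.password == password

def authorize(directory: dict, user: str, password: str, src_ip: str, device: str,
              protocol: str, hour: int, accepts_recording: bool, db_available: bool) -> str:
    """Return 'ACCEPT' or 'REJECT:<reason>'; the first failing check wins."""
    if not ldap_check(directory, user, password):
        return "REJECT:credentials"
    acct = directory[user]
    if acct.allowed_sources and not any(
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(n)
            for n in acct.allowed_sources):
        return "REJECT:source_ip"
    if acct.profile != "user":
        return "REJECT:profile"
    first, last = acct.schedule
    if not first <= hour <= last:
        return "REJECT:schedule"
    if protocol not in acct.acls.get(device, set()):
        return "REJECT:acl"
    # Recording is mandatory: refusing it, or losing the database that stores the
    # session, rejects the connection rather than opening an unrecorded one.
    if not accepts_recording:
        return "REJECT:recording_refused"
    if not db_available:
        return "REJECT:database_unavailable"
    return "ACCEPT"

DIRECTORY = {  # constructed sample directory entry
    "martin": UserAccount("martin", "s3cret", "user", ["192.168.10.0/24"], (8, 18),
                          {"srv-ssh-01": {"SSH"}, "w2k3-104": {"RDP"}}),
}
```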
The process is the same as for initiating an SSH connection from a Linux workstation.
User Wallix can then fill in his password to access target devices.
The user fills in the target server name and the target account.
- RDP proxy selector -
The user's information is checked in the WAB by the WABRDPAuthentifier or SESMAN process. The proxy
connects to the AD or Kerberos directory of the Windows server and submits the credentials.
The LDAP directory of the WAB answers YES or NO, confirming whether the user is listed in the directory.
If the password is valid and the ACLs are checked, SESMAN connects the user to the server through the
WAB's internal RDP proxy, Redemption.
- HTTP(S) proxy selector -
Connect to the appliance from your network by giving your machine an IP address in the 192.168.10.0/24
subnet other than 192.168.10.5 (the appliance address).
Then use the GUI to configure the new IP address and the other network parameters required for the WAB
to function properly.
IMPORTANT: for security reasons, we recommend changing the wabadmin account password on the
very first connection (passwd command). This user is configured by default to gain root privileges through
the sudo -i command.
Go to the Configuration tab, then in the Hardware menu click Storage.
Right-click the datastore on which the VM must be installed and select Browse Datastore.
Then select the file that contains the WAB VM and click OK.
Once the copy is finished, open the WAB VM folder, right-click the .vmx file and select Add to Inventory.
The WAB VM is now ready to work. We recommend adjusting its resources according to your needs
(CPU, RAM, etc.). Right-click the name of the VM (WAB in our example) and select Edit Settings.
Network information
Network information is accessed via the left menu: System configuration/Network. The interface shows
all the network parameters required for the WAB appliance to function properly.
License Key
The WAB integrates a license control mechanism that checks that the use of the product is compliant with
the terms and conditions of the business agreement.
The terms and conditions of this contract are coded in a license key provided by WALLIX.
Appliances are delivered with a default license key that includes the following information:
The characteristics of the license can be accessed through the SystemConfiguration/Licence menu:
MODULE 2: WHAT ARE THE WAB COMMANDS?
WAB Commands

FEATURES
Gives information on the current license
Resets the license
Updates the license
Clears the WAB session over a given period of time
Updates the WAB from the WALLIX repository

USE?
YES (for each of the five commands above)

OPTIONS
Type --help
Type --help
Use the -h option to see the options
Use the -h option to see the options
WAB-HA Commands

COMMANDS                              FEATURES
WABHASetup                            Enables clustering
/etc/init.d/wabha stop                Stops HA services on the local node
/etc/init.d/wabha start               Starts HA services on the local node
/etc/init.d/wabha stop_cluster        Stops the WAB services on both nodes
/etc/init.d/wabha start_cluster       Starts the WAB services on both nodes
screen, then sudo -i, then            Network reconfiguration of the cluster
WABHASetup
WABHASetup configure_new_slave        Replacement of a faulty node: enables the reintegration of a new
                                      slave node
WABHAInitd force stop                 Recovery of a faulty volume: execute on both nodes (master & slave),
                                      then:
# umount /var/wab                     {slave}
# drbdadm primary wab                 {master}
# fsck.ocfs2 -y -f /dev/drbd1         {master}

USE OR NOT?
YES
The implementation of DRBD gives access to a new /dev/drbd1 storage device. In case of downtime on the
master node (serv-A), service switches to the slave node (serv-B), where the data is already accessible.
The DRBD volume, /dev/drbd1, is then mounted as a file system on the passive machine, which
becomes active.
For this kind of architecture we chose block-mode data synchronization rather than the rsync
synchronization used in version 2 of the WAB.
Eventually, WALLIX will switch to active/active mode. To do so, you need a file system able to work in
a distributed architecture; hence the early choice and integration of the Oracle file system OCFS2,
also known as a shared-disk file system, in version 3 of the WAB.
# dpkg -l wab2
To get the active ports and services with their PID:
# netstat -nlpt
To get a service PID, slapd for instance:
# tail -f /var/log/syslog
To get the WAB license information:
# WABGetLicence
To get the LDAP Server content:
# slapcat
To get the WAB IP address(es):
# ip a l
MODULE 3: THE SUPPORT SCENARIOS
Once the files have been replaced, restart the GUI by issuing the following command:
# /etc/init.d/wabgui restart
For Rlogin devices, only the password is expected, so the following connection script works for a
connection to an Rlogin system running Debian 5.0 Lenny:
EXPECT:(?i)Password:
SEND:$password\r\n
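An added interpreter for this EXPECT/SEND script format (example code, not the WAB's own implementation): it parses the script, expands $password, and checks each EXPECT pattern against the prompts of a simulated target, failing loudly when the prompt does not match. The function names and the simulated prompts are assumptions.

```python
import re

# Constructed interpreter for the two-keyword connection-script format
# (EXPECT:<regex> / SEND:<text>). The target is simulated by a list of prompts
# so the example runs offline; this is not the WAB's real implementation.

def parse_script(text: str) -> list:
    """Parse 'EXPECT:' / 'SEND:' lines into (keyword, payload) steps."""
    steps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, sep, payload = line.partition(":")
        if keyword not in ("EXPECT", "SEND") or not sep:
            raise ValueError(f"malformed script line: {raw!r}")
        steps.append((keyword, payload))
    return steps

def expand(payload: str, variables: dict) -> str:
    """Substitute $name variables and the literal \\r \\n escapes used in SEND lines."""
    out = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), payload)
    return out.replace("\\r", "\r").replace("\\n", "\n")

def run_script(script: str, variables: dict, prompts: list) -> list:
    """Walk the steps: each EXPECT must match the next prompt the target sends;
    each SEND records what would be written to the target. Returns the sent text."""
    sent, prompt_iter = [], iter(prompts)
    for keyword, payload in parse_script(script):
        if keyword == "EXPECT":
            received = next(prompt_iter, "")
            if not re.search(payload, received):
                raise RuntimeError(f"expected {payload!r}, target sent {received!r}")
        else:
            sent.append(expand(payload, variables))
    return sent

# The Rlogin script from the page, as a Python string (backslashes kept literal).
RLOGIN_SCRIPT = "EXPECT:(?i)Password:\nSEND:$password\\r\\n"
```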
Then he clicks on the Local Resources tab and on the Options button:
To finish, the user checks the Drive checkbox to select the drive to mount on the remote device.
The user fills in the target account and his login.
MODULE 4: THE WAB INNOVATIONS
The HTTP/HTTPS proxy
Secondary passwords management
The RDP sessions OCR
In our case, the WAB, through its HTTP proxy, acts as a buffer (as illustrated in the picture above) between
the user and the web server, so it can render the user's actions as shown below:
[Screenshot: HTTP(S) session on Zabbix 1.8]
The use of JavaScript code, for instance with calls to remote targets
Java applets or Flash items that communicate over protocols other than HTTP(S)
Step 1: Set up the frequency and load the administrator GPG/PGP keys.
Step 2: Set up the administrator rights.
Step 3: Turn on the password change on each account, either automatically or manually.
It is important to keep in mind that at each password change, the administrators whose keys have been
loaded will receive an encrypted notification telling them whether the change has actually occurred, or
giving the cause of the failure if it has not.
This feature allows the window titles to be captured, as shown in the example below:
A0001297@10.10.9.57,administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.flv
A0001297@10.10.9.57,administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.meta
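An added parser for these recording file names (example code, not WAB's): the field meanings (user@source IP, account@device, start timestamp, WAB host, session number and extension) are inferred from the two examples above, and the check for a video (.flv) without its .meta companion is an assumption about how a complete recording should look.

```python
import re
from collections import defaultdict

# Constructed parser for the recording file names shown above. Field meanings are
# inferred from the page's two examples; the names below are not the WAB's own.
NAME_RE = re.compile(
    r"^(?P<user>[^@,]+)@(?P<src_ip>[^,]+),"
    r"(?P<account>[^@,]+)@(?P<device>[^,]+),"
    r"(?P<stamp>\d{8}-\d{6}),"
    r"(?P<wab_host>[^,]+),"
    r"(?P<session>\d+)\.(?P<ext>flv|meta)$")

def parse_recording_name(name: str) -> dict:
    """Split one recording file name into its fields and a readable start time."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recording file name: {name!r}")
    d = m.groupdict()
    s = d["stamp"]                      # YYYYMMDD-HHMMSS
    d["started"] = f"{s[0:4]}-{s[4:6]}-{s[6:8]} {s[9:11]}:{s[11:13]}:{s[13:15]}"
    return d

def unpaired_sessions(names: list) -> list:
    """Session numbers that have a .flv without a .meta, or a .meta without a .flv."""
    seen = defaultdict(set)
    for n in names:
        d = parse_recording_name(n)
        seen[d["session"]].add(d["ext"])
    return sorted(s for s, exts in seen.items() if exts != {"flv", "meta"})

SAMPLE = [  # the two names from the page plus one constructed orphan video
    "A0001297@10.10.9.57,administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.flv",
    "A0001297@10.10.9.57,administrateur@w2k3-104,20120114-233619,wab2.yourdomain,7353.meta",
    "A0001297@10.10.9.57,administrateur@w2k3-104,20120114-235902,wab2.yourdomain,7354.flv",
]
```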
Conclusion
This guide is intended for the engineers who will perform level 1 support. Every technical point
has been addressed, but the content will change as the product roadmap evolves. For more complex issues,
please keep in mind that Wallix is at your disposal.