SSH Forwarding Service¶
We will add a new SSH service on port 443 as a forwarding service instead of a proxy. For Valtix Gateway to accept forwarding traffic it must be conifgured using AWS GWLB. If GWLB is not available in your region you cannot use forwarding. Forwarding service does not support Deep Packet Inspection (DLP). DLP and IPS cannot be used for this kind of service. However this helps in controlling other traffic (e.g. SMTP, SSH etc) that are non-HTTP, or, non TLS-SNI based traffic.
Valtix recommends that you use Forwarding for non-HTTP traffic only, or, if you cannot install a root CA on all the client instances. The example below sets up forwarding on port 22. This is used to clone github repositories using SSH keys instead of HTTP.
Add a Forwarding SSH service (port 22)
- Navigate to Manage -> Security Policies -> Services
- Click Create
- For the Service Type, select Forwarding
- Provide a name for the service (e.g. egress-fwd-ssh)
- Add a description (e.g. ssh egress service for github access)
- In the service table, enter the following values:
- Decryption Profile: Empty
- Dst Port: 22
- Protocol: TCP (Default)
- Click Save