In most environments, SSH servers are not exposed to the public internet. In these instances, you can use SonicWall Cloud Secure Edge (CSE) SSH service to provide your end users with zero-trust access, regardless of their network location. SSH traffic will then flow through an Access Tier.
The Access Tier checks for a TrustCert during the TLS handshake. Every connection from the user's device to a CSE-protected service is authenticated and wrapped in Mutual-Auth TLS encryption. The Access Tier then unwraps the encryption and forwards the connection to the upstream service – your SSH server.
Mutual-Auth TLS requires both parties to provide certificates as proof of identity; the desktop app procures the TrustCert on behalf of the user.
CSE is agnostic to the underlying SSH authentication method (e.g., password, public-key, host-based, GSSAPI, etc.). If you wish to change how SSH authentication is set up for your organization, review our SSH Certificate Authentication capability.
Setting up access to an SSH server is the same setup process followed to secure a TCP service, as described in Notes on Securing TCP Services.
In this doc, we lay out how to secure access to an SSH server using the following steps:
- Step 1. Create a Role
- Step 2. Create a Policy
- Step 3. Register a Service
- Step 4. Connect to the service through Banyan's desktop app
Leverage the Test Connection functionality to diagnose any connection issues.
If you have configured User Attributes in your backend domain (in Step 2.4 above), testing the connection is not currently supported. Support for testing the connection with User Attributes will be available in an upcoming release.
In the Command Center, navigate to Private Access > Infrastructure, then select a Service Name. In your service, select Test Connection (the check icon in the upper right corner of the page). This will show you the status of your connection, detailing whether your domain name or hostname is resolvable and whether the Access Tier and backend port are reachable.
---
When your end user Connects to the SSH service in the desktop app, the app automatically updates the device's SSH Config file with the required banyanproxy settings.
The desktop app looks for the SSH Config file in a location that depends on the device's operating system:
| Operating System | SSH Config File Location |
|---|---|
| macOS | $HOME/.ssh/config |
| Windows | %USERPROFILE%\.ssh\config |
| Linux | $HOME/.ssh/config |
If your end users use an SSH client that doesn't use the SSH Config file (e.g., PuTTY), you must provide them slightly modified instructions.
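
To confirm which hosts in a user's SSH Config file are actually routed through banyanproxy after connecting, the following added example (not SonicWall's or Banyan's code) parses the file and flags each `Host` entry. It assumes the settings the app writes take the form of a `ProxyCommand` directive whose executable is named `banyanproxy`; the sample config, paths and arguments are constructed placeholders.

```python
import re

# Constructed sample; paths and ProxyCommand arguments are placeholders,
# not the real banyanproxy syntax.
SAMPLE_CONFIG = """\
# constructed example
Host bastion.example.internal
    User alice
    ProxyCommand /constructed/path/banyanproxy PLACEHOLDER_ARGS

Host legacy.example.internal db-*.example.internal
    Port 2222

host win.example.internal
    proxycommand="C:\\constructed\\banyanproxy.exe" PLACEHOLDER_ARGS
"""

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are
# case-insensitive. Comment lines do not match because '#' is not \w.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, options) blocks."""
    blocks, options = [], {}   # options seen before any Host line are ignored
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            options = {}
            patterns = value.split() if key == "host" else ["Match " + value]
            blocks.append((patterns, options))
        else:
            options.setdefault(key, value)  # first value wins, as in ssh
    return blocks

def uses_banyanproxy(options):
    """True when the block's ProxyCommand executable is named banyanproxy
    (assumed form of the settings the desktop app writes)."""
    m = re.match(r'"([^"]+)"|(\S+)', options.get("proxycommand", ""))
    if not m:
        return False
    exe = re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower()
    return (exe[:-4] if exe.endswith(".exe") else exe) == "banyanproxy"

def audit(text):
    """Map each Host pattern to whether it is routed through banyanproxy."""
    return {p: uses_banyanproxy(opts)
            for patterns, opts in parse_blocks(text) for p in patterns}
```

Run `audit()` on the contents of the config file at the location listed in the table above; any protected host that maps to `False` would be reached directly rather than through the Access Tier.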