In the Command Center, navigate from Directory > Roles, and then select + Add Role. Create a User Role and then select + Add Role Attributes to apply it to specific sets of users (such as By Group contractors).

Navigate from Private Access > Access Policies, and then select + Create Policy. Select the Infrastructure Policy template.

Configure an SSH service for zero-trust access to your SSH Server.

3.1 Navigate from Private Access > Infrastructure, and then select + Register Service. Select SSH Service.

3.2 Under Service Details, enter a Service Name. Optionally, enter a Description and a Link.

3.3 Select a Cluster. Ensure that you select the Cluster (a logical grouping of Access Tiers, managed together) that contains the Access Tier or the Connector your SSH server sits behind.

3.4 Optional: Display the Service in the app by toggling on Show Service in Service Catalog within the App. This means that end users will be able to view the service in the desktop app.

3.5 Under Service Attributes, select an Access Tier (self-hosted private edge deployment) or a Connector (global edge deployment).

3.6 Assign a Service Domain Name for this service. Optionally, leave the port as 8443.

Note: the Service Domain Name must be a registered domain or a sub-domain of a registered domain that contains a wildcard (e.g.,mysshserver.corp.example.com, which is a sub-domain of *.corp.example.com).

3.7 To secure access to an individual SSH server, select Fixed Backend Domain. There is no need to specify using HTTP Connect, since there is only one SSH server; the Client specifies using HTTP Connect option is for admins securing access to multiple SSH servers.

3.8 Enter the Backend Domain of the SSH server you want to secure access to. If you want to configure a backend domain that leverages User Attributes, enter two curly brackets, and a dropdown menu will appear, with various user attribute options to select from.

The following are valid User Attributes that can be entered in the Backend Domain field (preceded and followed by two curly brackets):

• .Email.User
• .Email.Domain

3.9 In the field adjacent, enter the listening port of your SSH server. Optionally, leave the port number as 22, the default SSH port.

Note: In this field, you can enter the SSH server’s backend domain name or its IP address; both will work.

3.10 Optional: enter a Backend DNS Override.

3.11 Optional: In the SSH Desktop App Settings section, enter an SSH Host Directive. This is a short-cut name that can be used in SSH commands.

3.12 Select Only use the TrustCert (CSE’s Trust certificate) or select Use both the TrustCert and the SSHCert, if your SSH server already requires certificate authentication.

3.13 Select whether the desktop app should update the SSH config file on the device.

Admins should select Yes, unless they prefer to update the SSH config file themselves. Note that independent management of the SSH config file may create difficulty in using the desktop app, which is configured to update the SSH config file. Contact CSE for further support.

3.14 Optional: Attach the policy created in Step 2, and then choose an Enforcement Mode (i.e., Permissive or Enforcing).

4.1 Ensure your end users install the latest desktop app and register their device.

4.2 Once the service is registered (i.e., Step 3 is completed), your end users will see it in their desktop app. End users must then select Connect, and the desktop app will add an entry to the SSH config file (typically located in ~/.ssh/config).

They can then access the SSH server as:

ssh user@myserver.corp.example.com

The SSH client will use banyanproxy to automatically tunnel the SSH session over the Mutual-Auth TLS channel set up by CSE.