Symptoms

Native-client connections via PrivX Extender fail with the error "Administratively prohibited".


Causes and Solutions

This section describes the possible causes and solutions of the symptom.


PrivX Configuration

Your PrivX deployment may not be configured for proxying native-client connections. Verify your PrivX settings and adjust as necessary:

- In the Extender configuration (/opt/privx/etc/extender-config.toml on your PrivX Extenders), privx_ssh_proxy_enabled = true

- In the Authorizer configuration (/opt/privx/etc/authorizer.toml on PrivX servers), the setting ssh_default_extensions includes the keywords permit-port-forwarding and permit-X11-forwarding

- In the SSH-proxy configuration (/opt/privx/etc/ssh-proxy.toml on PrivX servers), forwarder_enabled = true

- If connecting to loopback addresses (localhost, 127.0.0.1, ::1), allow_connect_to_loopback = true and allow_connect_to_local_addresses = true in the SSH-proxy configuration.

- If connecting to a local FQDN or IP (PrivX front-end FQDNs and/or IPs), only allow_connect_to_local_address must be set to true.

- If connecting to other addresses, make sure the target address is not listed in the target_blacklist setting in the SSH-proxy configuration.

- The target-host IP address must belong to the allowed subnets of the Extender. These can be verified on the PrivX GUI→Settings→Deployment→Deploy VPC/VPN extenders page, under the Extender configuration.

- Session recording is disabled on the target host. You can check this in the host settings, on the PrivX GUI→Settings→Hosts page.



Other Causes

Also ensure the following:

- The ssh-proxy can establish connections to the connection manager.

- Your PrivX license is valid.