Symptoms

Port-forwarding (proxy) connections made with the native client might fail with the error "Administratively prohibited".


Causes and Solution:

Ensure the following PrivX settings:

- In the Authorizer config file (/opt/privx/etc/authorizer.toml), ensure that the "ssh_default_extensions" setting includes the keywords permit-port-forwarding and permit-X11-forwarding.

- The forwarder must be enabled on the Extender. In the Extender-configuration file (/opt/privx/etc/ssh-proxy.toml on the Extender host), ensure that the 'forwarder_enabled' setting is 'true'.

- If connecting to localhost, ensure you have set allow_connect_to_loopback = true and allow_connect_to_local_addresses = true in the Extender-configuration file.

- The target-host IP address must belong to the allowed subnets of the Extender. These can be verified via the PrivX GUI->Settings->Deployment->Deploy VPC/VPN extenders, under the Extender configuration.

- Ensure session recording is disabled for the target host. You can check this in the host settings, via the PrivX GUI->Settings->Hosts.
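
One way to check the file-based settings from the list above, as an added example (not part of the original article or of PrivX itself). The function names are hypothetical, it assumes each setting sits on a single "key = value" line, and the sample files it falls back to are constructed.

```shell
#!/bin/sh
# Assumption: each setting is one "key = value" line and '#' starts a comment.

# Print the value assigned to key $2 in file $1 (last assignment wins).
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//' | tail -n 1
}

# True if key $2 in file $1 is the boolean true.
is_true() { [ "$(toml_value "$1" "$2")" = "true" ]; }

# True if the value of key $2 in file $1 contains keyword $3 as a whole word.
has_keyword() {
    toml_value "$1" "$2" | grep -Eq "(^|[^A-Za-z0-9-])$3([^A-Za-z0-9-]|\$)"
}

# Usage: check_port_forwarding AUTHORIZER_TOML EXTENDER_TOML [yes if target is localhost]
# Prints one line per finding and returns the number of failed checks.
check_port_forwarding() {
    problems=0
    for kw in permit-port-forwarding permit-X11-forwarding; do
        has_keyword "$1" ssh_default_extensions "$kw" ||
            { echo "FAIL: ssh_default_extensions lacks $kw ($1)"; problems=$((problems + 1)); }
    done
    keys=forwarder_enabled
    [ "${3:-no}" = yes ] && keys="$keys allow_connect_to_loopback allow_connect_to_local_addresses"
    for key in $keys; do
        is_true "$2" "$key" ||
            { echo "FAIL: $key is not true ($2)"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# With no arguments, run against constructed sample files (not real PrivX configs).
if [ "$#" -ge 2 ]; then
    check_port_forwarding "$@"
else
    tmp=$(mktemp -d)
    printf '%s\n' 'ssh_default_extensions = "permit-pty,permit-port-forwarding"' > "$tmp/authorizer.toml"
    printf '%s\n' '# forwarder_enabled = true' 'forwarder_enabled = false' > "$tmp/ssh-proxy.toml"
    check_port_forwarding "$tmp/authorizer.toml" "$tmp/ssh-proxy.toml" yes || echo "failed checks: $?"
    rm -rf "$tmp"
fi
```

The Extender file lives on the Extender host, so copy it locally or run the script there; the subnet, session-recording, connectivity and license items are not file settings and still need to be checked in the PrivX GUI.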



Also ensure that:

- The ssh-proxy can establish connections to the connection manager.

- Your PrivX license is valid.