Error "Administratively prohibited" with Native Clients and Extenders
Symptoms
Native-client connections via PrivX Extender fail with the error "Administratively prohibited".
Causes and Solution
This section describes the possible causes and solutions of the symptom.
PrivX Configuration
Your PrivX deployment may not be configured for proxying native-client connections. Verify your PrivX settings and adjust as necessary:
- In the Extender configuration (/opt/privx/etc/extender-config.toml on your PrivX Extenders), privx_ssh_proxy_enabled = true
- In the Authorizer configuration (/opt/privx/etc/authorizer.toml on PrivX servers), the setting ssh_default_extensions includes the keywords permit-port-forwarding and permit-X11-forwarding
- On PrivX GUI→Administration→Settings→SSH Proxy
  - Set forwarder_enabled to true.
  - If connecting to loopback addresses (localhost, 127.0.0.1, ::1), set allow_connect_to_loopback and allow_connect_to_local_addresses to true.
  - If connecting to local FQDN or IP (PrivX front-end FQDNs and/or IPs) then only the allow_connect_to_local_address must be set to true.
  - If connecting to other addresses, make sure the target address is not listed in the target_blacklist.
- The target-host IP address must belong in the allowed Subnets of the Extender. These can be verified on the PrivX GUI→Administration→Deployment→Deploy VPC/VPN extenders page, under the Extender configuration.
- Session recording is disabled on the target host. You can check this in the host settings, on the PrivX GUI→Administration→Hosts page.
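The two file-based settings in the list above can be checked from a shell on the respective machines. The script below is an added example, not part of the original page or of PrivX tooling; its function names are hypothetical, and it assumes each setting is written on a single line as key = value. The SSH Proxy, Subnets and host settings still have to be verified in the PrivX GUI.

```bash
#!/usr/bin/env bash
# Added example; toml_value, check_extender and check_authorizer are
# hypothetical helper names, not PrivX tooling.
# Assumption: each setting is written on one line as `key = value`, and
# ssh_default_extensions carries its keywords on that same line.

# Print the last active (uncommented) value of key $2 in file $1, without
# any trailing "# comment"; prints nothing if the key or file is absent.
toml_value() {
    sed -n -E 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*(.*)$/\1/p' "$1" 2>/dev/null |
        tail -n 1 | sed 's/#.*$//'
}

# Run on a PrivX Extender: succeeds only if privx_ssh_proxy_enabled = true.
check_extender() {
    local file="${1:-/opt/privx/etc/extender-config.toml}" v
    v=$(toml_value "$file" privx_ssh_proxy_enabled | tr -d '[:space:]')
    if [ "$v" = "true" ]; then return 0; fi
    echo "FAIL: privx_ssh_proxy_enabled is '${v:-unset}' in $file" >&2
    return 1
}

# Run on a PrivX server: succeeds only if both keywords are present.
check_authorizer() {
    local file="${1:-/opt/privx/etc/authorizer.toml}" v kw rc=0
    v=$(toml_value "$file" ssh_default_extensions)
    for kw in permit-port-forwarding permit-X11-forwarding; do
        case "$v" in
            *"$kw"*) ;;
            *) echo "FAIL: ssh_default_extensions lacks $kw in $file" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh check.sh extender | authorizer   (no argument: define only)
case "${1:-}" in
    extender)   check_extender ;;
    authorizer) check_authorizer ;;
esac
```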
Other Causes
Also ensure the following:
- The ssh-proxy can establish connections to the connection manager.
- Your PrivX license is valid.