Error "Administratively prohibited" with Native Clients and Extenders

Symptoms

Native-client connections via PrivX Extender fail with Error "Administratively prohibited"

Causes and Solutions

This section describes the possible causes and solutions of the symptom.

  • PrivX Configuration
    Your PrivX deployment may not be configured for proxying native-client connections. Verify your PrivX settings and adjust as necessary:

    • In the Extender configuration (/opt/privx/etc/extender-config.toml on your PrivX Extenders), privx_ssh_proxy_enabled = true
    • In the Authorizer configuration (/opt/privx/etc/authorizer.toml on PrivX servers), the setting ssh_default_extensions includes the keywords permit-port-forwarding and permit-X11-forwarding
    • In the SSH-proxy configuration (/opt/privx/etc/ssh-proxy.toml on PrivX servers), forwarder_enabled = true
    • If connecting to loopback addresses (localhost, 127.0.01, ::1), allow_connect_to_loopback = true and allow_connect_to_local_addresses = true in the SSH-proxy configuration.
    • If connecting to local FQDN or IP (PrivxX front-end FQDNs and/or IPs) then only the allow_connect_to_local_address must be set to true.
    • If connecting to other addresses, make sure the target address is not listed in the target_blacklist setting in SSH-proxy configurations.
    • The target-host IP address must belong in the allowed Subnets of the Extender. These can be verified on the PrivX GUIAdministrationDeploymentDeploy VPC/VPN extenders page, under the Extender configuration.
    • Session recording is disabled on the target host. You can check this in the host settings, on the PrivX GUIAdministrationHosts page.
  • Other Causes
    Also ensure the following:

    • The ssh-proxy can establish connections to connection manager.
    • Your PrivX license is valid.

Did this page help you?