Error "Administratively prohibited" with Native Clients and Extenders

Symptoms

Native-client connections via PrivX Extender fail with Error "Administratively prohibited"

Causes and Solutions

This section describes the possible causes and solutions of the symptom.

• PrivX Configuration
  Your PrivX deployment may not be configured for proxying native-client connections. Verify your PrivX settings and adjust as necessary:

  • In the Extender configuration (/opt/privx/etc/extender-config.toml on your PrivX Extenders), privx_ssh_proxy_enabled = true
  • In the Authorizer configuration (/opt/privx/etc/authorizer.toml on PrivX servers), the setting ssh_default_extensions includes the keywords permit-port-forwarding and permit-X11-forwarding
  • In the SSH-proxy configuration (/opt/privx/etc/ssh-proxy.toml on PrivX servers), forwarder_enabled = true
  • If connecting to loopback addresses (localhost, 127.0.01, ::1), allow_connect_to_loopback = true and allow_connect_to_local_addresses = true in the SSH-proxy configuration.
  • If connecting to local FQDN or IP (PrivxX front-end FQDNs and/or IPs) then only the allow_connect_to_local_address must be set to true.
  • If connecting to other addresses, make sure the target address is not listed in the target_blacklist setting in SSH-proxy configurations.
  • The target-host IP address must belong in the allowed Subnets of the Extender. These can be verified on the PrivX GUI→Administration→Deployment→Deploy VPC/VPN extenders page, under the Extender configuration.
  • Session recording is disabled on the target host. You can check this in the host settings, on the PrivX GUI→Administration→Hosts page.

• Other Causes
  Also ensure the following:

  • The ssh-proxy can establish connections to connection manager.
  • Your PrivX license is valid.