HomeDocumentationAPI Reference
Log In

Network Target Extender Support

PrivX supports routing TCP connections to network targets via PrivX Extenders.


When a network-access session to an Extender destination is opened, PrivX sets up Extender tunneling and configures PrivX Router to direct TCP connections to the Extender tunnel using destination NAT.

The connection between the user client and the Extender destination is routed over three segments:

  1. TCP connection from the user is directed by PrivX Router to the PrivX server's Extender service, which terminates the TCP connection.
  2. The Extender service forwards the application data over the Extender tunnel to the PrivX Extender in the target network.
  3. Extender establishes a second TCP connection to the network target and forwards application data from the Extender tunnel to the target TCP connection.

Network targets will see incoming TCP connections originating from the Extender.

Network-Target Configuration

Extender destinations are configured in network targets (like other destinations), but with the following restrictions:

  • Destination selector must specify a single IP address, TCP protocol and a single port.
  • Destination NAT address must include the Extender prefix and may optionally specify a NAT port.

Using Extender prefix in the NAT address field implicitly enables source NAT for the destination.

Extender Service Settings

Configure the following Extender service settings via the PrivX GUI, at Administration→Settings→Extender Service:

Listener address mode controls the logic for resolving the IP address that is used for connecting to Extender listeners.

When set to dynamic, the Extender service will select the first IP address from the available interface addresses that is not a loopback address and that has the same IP version as the Extender destination IP address. Listener addresses can be further used for specifying a list of IP addresses and CIDRs used for filtering the available interface addresses.

When set to static the listener addresses is expected to contain a list of IP addresses from which the Extender service selects the first address that has the same IP version as the Extender destination IP address.

Listener port range specifies the inclusive range from which Extender service opens Extender listener ports. It is allowed to specify listener port range as (0 - 0) in which case the port is selected by PrivX server's network stack.

Access control to network targets is done in PrivX Router before performing DNAT for Extender destinations. Therefore network access manager can combine all ongoing network access sessions to a specific Extender destination to use the same Extender listener. The Extender listener port range should be large enough to accommodate all Extender destinations that have ongoing network access sessions simultaneously.



PrivX install and upgrade process does not automatically configure the firewall rules to allow connections to Extender listener port range. This needs to be done manually when starting to use the network target Extender destinations and whenever changing the Extender listener port range setting.

Network Access Manager Settings

The PrivX Router Configuration in network access manager settings can specify the Router source addresses from which connections to the Extender listeners are allowed. The addresses can be given as IP address, CIDR, or hostname. When a hostname is used the Extender service will resolve the hostname when a connection is accepted at the Extender listener.

In configuration for linux-iptables and sshexec Router types the Router sources is optional. If not defined, the network access manager will use the Router's hostname as the allowed Router source address.

In configurations for exec Router type the Router sources must be specified.



Router source address verification at Extender listener complements the firewall rules, but does not remove the need for them.