Skip to main content
Version: v39

Error "Administratively prohibited" with Native Clients and Extenders

Symptoms

Native-client connections via PrivX Extender fail with Error "Administratively prohibited"

Causes and Solution

This section describes the possible causes and solutions of the symptom.

  • PrivX Configuration
    Your PrivX deployment may not be configured for proxying native-client connections. Verify your PrivX settings and adjust as necessary:

    • In the Extender configuration (/opt/privx/etc/extender-config.toml on your PrivX Extenders), privx_ssh_proxy_enabled = true
    • In the Authorizer configuration (/opt/privx/etc/authorizer.toml on PrivX servers), the setting ssh_default_extensions includes the keywords permit-port-forwarding and permit-X11-forwarding
    • On PrivX GUIAdministrationSettingsSSH Proxy
      • set forwarder_enabled to true
      • If connecting to loopback addresses (localhost, 127.0.01, ::1), set allow_connect_to_loopback and allow_connect_to_local_addresses to true.
      • If connecting to local FQDN or IP (PrivX front-end FQDNs and/or IPs) then only the allow_connect_to_local_address must be set to true.
      • If connecting to other addresses, make sure the target address is not listed in the target_blacklist.
    • The target-host IP address must belong in the allowed Subnets of the Extender. These can be verified on the PrivX GUIAdministrationDeploymentDeploy VPC/VPN extenders page, under the Extender configuration.
    • Session recording is disabled on the target host. You can check this in the host settings, on the PrivX GUIAdministrationHosts page.

  • Other Causes
    Also ensure the following:

    • The ssh-proxy can establish connections to connection manager.
    • Your PrivX license is valid.