Error "Administratively prohibited" with Native Clients and Extenders
Symptoms
Native-client connections via PrivX Extender fail with the error "Administratively prohibited".
Causes and Solution
This section describes the possible causes and solutions of the symptom.
PrivX Configuration
Your PrivX deployment may not be configured for proxying native-client connections. Verify your PrivX settings and adjust as necessary:
- In the Extender configuration (/opt/privx/etc/extender-config.toml on your PrivX Extenders), the setting privx_ssh_proxy_enabled = true is present.
- In the Authorizer configuration (/opt/privx/etc/authorizer.toml on PrivX servers), the setting ssh_default_extensions includes the keywords permit-port-forwarding and permit-X11-forwarding.
- On PrivX GUI→Administration→Settings→SSH Proxy:
  - Set forwarder_enabled to true.
  - If connecting to loopback addresses (localhost, 127.0.0.1, ::1), set allow_connect_to_loopback and allow_connect_to_local_addresses to true.
  - If connecting to local FQDN or IP (PrivX front-end FQDNs and/or IPs), then only allow_connect_to_local_address must be set to true.
  - If connecting to other addresses, make sure the target address is not listed in the target_blacklist.
- The target-host IP address must belong to the allowed Subnets of the Extender. These can be verified on the PrivX GUI→Administration→Deployment→Deploy VPC/VPN extenders page, under the Extender configuration.
- Session recording is disabled on the target host. You can check this in the host settings, on the PrivX GUI→Administration→Hosts page.
Other Causes
Also ensure the following:
- The ssh-proxy can establish connections to the connection manager.
- Your PrivX license is valid.
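
The two file-based settings under PrivX Configuration (Extender and Authorizer) can be checked from a shell. The script below is an added example, not PrivX tooling or code from this page; its function names are hypothetical, and it assumes each key sits on a single "key = value" line.

```shell
#!/bin/sh
# Added example (not PrivX tooling). Function names are hypothetical.
# Assumption: each key sits on one "key = value" line; the value syntax of
# ssh_default_extensions is not shown on the page, so only keywords are matched.

# Print the value of the last uncommented "key = value" line in a file.
toml_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# Run on an Extender: 0 = proxying enabled, 1 = not enabled, 2 = unreadable.
check_extender_cfg() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    val=$(toml_value "$1" privx_ssh_proxy_enabled)
    [ "$val" = "true" ] && return 0
    echo "extender: privx_ssh_proxy_enabled is '${val:-unset}', expected true"
    return 1
}

# Run on a PrivX server: 0 = both keywords present, 1 = missing, 2 = unreadable.
check_authorizer_cfg() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    ext=$(toml_value "$1" ssh_default_extensions)
    rc=0
    for kw in permit-port-forwarding permit-X11-forwarding; do
        case $ext in
            *"$kw"*) ;;
            *) echo "authorizer: ssh_default_extensions lacks $kw"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check.sh extender|authorizer FILE
case "${1:-}" in
    extender)   check_extender_cfg "$2"; exit $? ;;
    authorizer) check_authorizer_cfg "$2"; exit $? ;;
esac
```

The SSH Proxy settings, Extender subnets and host session-recording option are set in the PrivX GUI and are not covered by this file check.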