Marci@BalaBit

The latest Shell Control Box release (3.1) has been out for more than a month now, so it is definitely time to write about the new features it introduces. The development started approximately one year ago and there are for sure some very interesting and useful changes in the release.

The biggest and probably most important news is the support for the Citrix ICA ™ protocol that is used in Citrix’s XenApp ™ servers (formerly Presentation Server). In SCB 3.0 release we introduced support for the VMWare View ™ protocol and with this release we moved forward supporting desktop virtualization environments. With this latest addition Shell Control Box is able to control and audit 6 remote access/administration protocols, such as SSH, RDP, TELNET, TN3270, VNC, ICA covering all the widely used solutions and providing a unified solution for all control and audit purposes.

Support for Citrix ICA protocol is very similar to the current RDP protocol, it is possible to control which channels are permitted, which are denied  independently of the server while all passing session capture could be stored in audit trail files (encrypted, signed, timestamped) for the usuall movie-like replay and search latter. Searching the graphical screen is possible with the same OCR based technology that is used in case of RDP or VNC and tailored content based activity reporting is available as well.

SCB 3.1 supports XenApp version 5 and 6, Presentation Server 4.5,  Citrix Program Neighborhood ™ and the Citrix Online Client ™ as well. SCB could be deployed both in transparent and non-transparent (bastion) mode, while both simple, reliable and SSL encrypted ICA protocol transports are supported.

As a result of the Citrix ICA protocol support SCB 3.1 is also Citrix Ready verified.

This release also includes support for Terminal Services Gateway (TSGW) technology which allows inband destination selection for RDP protocol. The Microsoft Terminal Services Client (mstsc) can be configured to use SCB as a Terminal Services Gateway to access Terminal Services or Remote Desktops. Thus, the integration of SCB in environments with a large number of RDP servers became much easier in non-transparent or so-called bastion mode.

By using SCB as a TSGW server, inband gateway authentication of the users becomes also much easier for RDP connections. In TSGW mode connection between the client and SCB is established using HTTPS protocol, while connection towards the server is plain RDP. This way proxying client connection through a corporate network or allowing SSL-VPN like connection from externals become an easier integration task into existing environment.

The third major change introduced with this release was to move from a 32bit based system to a completely 64bit based one. As a result of this development, performance of SCB increased and now SCB could fully utilize all the capabilities of the underlying hardware. The upgrade from 32bit to 64bit is seamless, though the upgrade process could take longer than in normal cases.

As always we are eager to hear your feedback on this release or on Shell Control Box in general!

Happy auditing!