Administrators' guide to managing your BastionZero targets and connections
BastionZero manages the lifecycle of both connections and targets. There are features in place for different connection types, such as shells, SSH tunnels, and k8s clusters, as well as targets, which may be long-lived, shutdown and restarted, or ephemeral.
BastionZero clients and targets make websocket connections to the service. Across the websockets, users make shell, SSH tunnel, HTTP, or native TCP connections based on the access technology. All of these connections transparently use MrZAP technology.
Shell connections can be made using the zli. The shell terminal runs in the BastionZero SaaS. This provides users the ability to run a long-lived shell connection, like during a database migration, without concern for keeping the end user's device active. Idle shell connections are maintained by BastionZero for up seven days or until the user or administrator closes them. Future versions of BastionZero will provide the administrator the ability to control this time frame.
SSH tunnels or shell sessions run over an SSH tunnel are unique in that the data sent through BastionZero is fully encrypted to BastionZero. Thus command logs and session recordings are not available for any connections that run over this type of connection. SSH tunnels are only supported by the zli. When a user logs out of BastionZero, all SSH tunnels are terminated. In addition, if a user's authentication token is invalidated by the SSO provider for any reason (like a 1 hour ID_token expiration), SSH tunnels will also be invalidated.
SSH tunneling is a very powerful feature. It can be used to forward any protocol to any destination behind a perimeter like a database, webserver, or any legacy application, or target not natively supported by BastionZero. By default, all BastionZero target access policies disable SSH tunnels.
Native TCP connections are used for database and webserver targets (in lieu of SSH tunnels) where an administrator wants simplified deployment as well as connection and query logs for these types of targets. This feature is offered through the zli, and like SSH Tunnels, the native TCP connection is terminated by a user logout or SSO token expiration.
After successfully completing the registration process, all targets make a websocket connection to BastionZero. This outbound connection to the BastionZero SaaS is the only connection that is made from the target to BastionZero. All other connections are initiated by a client request and go through this websocket.
The target will maintain a keepalive across the websocket. This keepalive is used to determine whether the target is online or offline by the BastionZero SaaS. If a target goes offline no new connection attempts are made and all existing connections are closed.
A targets online / offline status also plays a role in its target table appearance. Recall that groups of targets may be placed in an environment. Environments have a target lifecycle management feature called the Offline Target Removal Policy. This is an expiration timer that can be set from 1 hour to 90 days. Any target that is offline for that time period will be removed from the target table. An administrator may set this time by visiting the (Manage environments page.