All Products
Search
Document Center

Bastionhost:FAQ about basic configurations of Bastionhost

Last Updated:May 27, 2024

This topic provides answers to some frequently asked questions about the basic configurations of Bastionhost.

How do I go to the management page of a bastion host?

  1. Log on to the Bastionhost console.

  2. In the top navigation bar, select the region in which your bastion host resides.

  3. In the left-side navigation pane, click Basic Edition & Enterprise Edition.

  4. On the Instances page, find the bastion host that you want to manage and click Manage.

Why am I unable to view a bastion host after it is purchased?

You may have selected an invalid region. In the top navigation bar of the Bastionhost console, select the region in which your bastion host resides.地域

How do I allow access to a host or database only from a bastion host?

You can use the following methods:

  • For an Elastic Compute Service (ECS) or ApsaraDB RDS instance, you can create a security group rule for the ECS instance or configure an IP address whitelist for the RDS instance to allow access only from the egress IP addresses of the bastion host. Alternatively, you can use Cloud Firewall to allow only the egress IP addresses of the bastion host. |

    Note
  • For a host or database that is deployed on a third-party cloud or in a data center, you can configure policies on access control devices, such as a firewall, to allow access only from the egress IP addresses of the bastion host.

The following figure shows how to obtain the egress IP addresses of a bastion host in the Bastionhost console.出口IP

Does a bastion host support only access by using a domain name?

To ensure the security of the Bastionhost console, a bastion host of V3.2.X supports only access by using a domain name. A bastion host of V3.1 or V2 supports access only by using an IP address.

How do I allow access from the egress IP addresses of a bastion host in a security group of an ECS instance?

Before you use a bastion host to perform O&M operations on an ECS instance, you must create a security group rule for the ECS instance to allow access from the egress IP addresses of the bastion host. After you create a security group rule for the ECS instance to allow access from the egress IP addresses of the bastion host, the bastion host can communicate with the ECS instance. Then, you can use the bastion host to perform O&M operations on the ECS instance. You can perform the following steps to create the security group rule:

  1. Log on to the Bastionhost console.

  2. In the top navigation bar, select the region in which your bastion host resides.

  3. In the left-side navigation pane, click Basic Edition & Enterprise Edition.

  4. On the Basic Edition & Enterprise Edition page, find the bastion host that you want to manage and move the pointer over Egress IP.出口IP

    Note

    If the bastion host accesses the public IP address of a server, the source IP address is the egress public IP address of the bastion host. If the bastion host accesses the private IP address of a server, the source IP address is the egress private IP address of the bastion host.

  5. Copy and save the public and private IP addresses of the bastion host.

  6. Create a security group rule for the ECS instance to allow access from the public and private IP addresses and ports 22 (SSH) and 3389 (RDP). For more information about how to create a security group rule, see Add a security group rule.

How do I disable O&M over the Internet by using public for a bastion host?

  1. Log on to the Bastionhost console.

  2. In the top navigation bar, select the region in which your bastion host resides.

  3. In the left-side navigation pane, click Basic Edition & Enterprise Edition.

  4. On the Basic Edition & Enterprise Edition page, find the bastion host that you want to manage and click the 关闭 icon.运维

Can I directly connect to the IP address of an ECS instance after I purchase a bastion host?

By default, no access control policies on IP addresses of ECS instances are configured on bastion hosts. If no access control policies are configured on the ECS instance, you can connect to the IP address of the ECS instance.

Note

To ensure the compliance and integrity of server O&M, we recommend that you configure access control policies to allow only bastion host-based O&M operations on the ECS instance. For more information about how to configure access control policies, see Create a control policy.

What ports are enabled for a bastion host? Can I change the ports?

By default, the following ports are enabled for a bastion host:

  • HTTPS port 443 for accessing web-based O&M pages

  • Port 60022 for SSH-compliant O&M

  • Port 63389 for RDP-compliant O&M

  • Port 9443 for auditing

Note

You cannot change the ports in Bastionhost V2 and V3.1. You can change the ports in Bastionhost V3.2. Ports 1 to 1024 are reserved for Bastionhost. Do not change the default ports that are enabled for a bastion host to reserved ports.

How do I access an ECS instance from my bastion host by using a private IP address?

You can use one of the following methods:

  • Method 1: Import an ECS instance. By default, you access the ECS instance by using a private IP address. For more information, see Import ECS instances.

  • Method 2: Change the IP address type of the ECS instance to private.

    1. In the left-side navigation pane of the console of your bastion host, choose Assets > Hosts. On the Hosts page, select the host whose O&M IP address you want to change and choose Batch > Modify O&M IP Address.

    2. In the Modify O&M IP Address dialog box, set Host IP Address Type to Private IP Address and click OK.

How do I configure my bastion host to access an ECS instance by using a port other than the SSH- or RDP-compliant standard port?

Bastionhost allows you to configure custom O&M ports. You can change the O&M port in the console of your bastion host. To do so, perform the following steps:

  1. In the left-side navigation pane of the console of your bastion host, choose Assets > Hosts. On the Hosts page, select the host whose O&M port you want to change and choose Batch > Modify O&M Port.

  2. In the Modify O&M Port dialog box, configure the Protocol and Port parameters and click OK.

What do I do if configuration backups fail to be uploaded or an error is reported when I upload configuration backups?

Perform the following operations to identify the cause:

  • Check whether the versions of the two bastion hosts are the same. For example, the configuration backups of a bastion host of V3.2.37 cannot be imported to a bastion host of V3.2.38.

  • Check whether the configuration backups of a bastion host that has low specifications are imported to a bastion host that has high specifications. In this scenario, the import fails.

  • Check whether the configuration backups of a bastion host that runs the Enterprise edition are imported to a bastion host that runs the Basic edition. In this scenario, the import fails.

Important

Configuration backups do not contain configurations of password change tasks. If a password change task is configured on the bastion host whose configurations are backed up, you must manually configure a password change task on the bastion host to which the configuration backups are imported. If a password change task is configured on the bastion host to which the configuration backups are imported, the configurations of the password change task are cleared after the configuration backups are synchronized.

Why is "The source from which the user is imported is deleted" displayed in the Status column of an AD- or LDAP-authenticated user?

Bastionhost periodically synchronizes user status from the Active Directory (AD)-authenticated server and Lightweight Directory Access Protocol (LDAP)-authenticated server. If an AD-authenticated user or an LDAP-authenticated user is deleted from the server or the base distinguished name (DN) of a user is different from the base DN that is configured on the bastion host, the status of the user is displayed as The source from which the user is imported is deleted.

Note

When an AD-authenticated user or an LDAP-authenticated user logs on to a bastion host, authentication is performed by the AD-authenticated server or LDAP-authenticated server.

What do I do if the passwords of assets do not exist in the exported asset file?

When you export the asset list, no characters are displayed in the password column if the passwords of the assets include only digits. You must change the cell format to the fraction format to view the passwords.