Configure the Advanced Server Access server agent
This topic explains how to configure the Advanced Server Access server agent.
- Command line options
- Configuration file
- Environment variables
- Related topics
The server agent accepts the following command line options:
- --conf: Provides an alternative configuration file path.
- --debug-device-info: Prints detected device information to stderr and then exits.
- -h, --help: Displays help.
- -v, --version: Displays version.
- --syslog: Forces syslog logging.
You can control the Advanced Server Access server agent by manually creating a configuration file. The location of the configuration file depends on the operating system running the server agent.
- Windows: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\sftd.yaml
If a configuration file hasn't been created or is unavailable, the server agent uses the following default values.
You must restart the server agent before changes to the configuration file take effect.
| Option | Default | Description |
|---|---|---|
| AutoEnroll | True | Forces the server agent to attempt to automatically enroll during the initial startup. |
| | OS-dependent | Specifies the path to a separate file containing an enrollment token. The default value depends on the operating system running the server agent. After the server is enrolled, the server agent deletes this token file. If using this option, you must manually create the token file and add an enrollment token created on the Advanced Server Access platform. See Server Enrollment. Note: This option is only used by legacy installations not hosted by Advanced Server Access instances. |
| | OS-dependent | The location of the log file depends on the operating system running the server agent. Linux: sftd uses the system logger when available. Windows: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\Logs. Log files are rotated after 5 MB and only the 10 most recent log files are kept. |
| LogLevel | INFO | Controls the verbosity of the logs. Valid values include: |
| AccessAddress | unset | Specifies the network address (IPv4 or IPv6) used by clients to access servers with multiple interfaces or behind DNATs. |
| AccessInterface | unset | Specifies the interface used by clients to negotiate connections to the host. Only needed by hosts with a specific public IP address associated with a known interface. |
| AltNames | | Specifies a list of alternative server hostnames. These names can be used as targets for sft ssh. For example: AltNames: ["web01", "web01.example.com"] |
| Bastion | unset | Specifies a bastion host used automatically by clients when connecting to this server. |
| BufferFile | /var/lib/sftd/buffer.db | Specifies the path prefix to the files used for the server agent local buffer store. Individual buffer file names consist of the path prefix, followed by a period and an incremental number (for example, buffer.db.1). Buffer files are automatically removed after being synchronized. |
| CanonicalName | unset | Specifies the name that clients should use when connecting to this host. This option overrides the name returned by the hostname command. |
| ForwardProxy | unset | Specifies the URL of an HTTP CONNECT proxy that the server agent uses for outbound network connectivity to the Advanced Server Access platform. Alternatively, the HTTPS_PROXY environment variable can be used to configure this proxy. |
| ServerFile | /var/lib/sftd/device.server | Specifies the path to a file used to store the URL of the server that the agent connects to. |
| SSHDConfigFile | /etc/ssh/sshd_config | Specifies the path to the sshd configuration file. Note: The server agent will modify this file. |
| | | Specifies a port to use when negotiating SSH connections. This option is only needed if the default port (22) is not being used. |
| TokenFile | /var/lib/sftd/device.token | Specifies the path to a file used to store the secret authentication token for Advanced Server Access. |
| | | Specifies the path to a file used by the server agent to store a list of trusted SSH certificate authorities. |
The Advanced Server Access server agent automatically runs an access broker process. The access broker authenticates clients using certificates issued by the Advanced Server Access platform.
When using on-demand user provisioning for a project, the access broker must be accessible on a specific port (4421 by default). See On-demand users. On Windows servers, the access broker is also responsible for proxying RDP connections. See Windows Internals.
| Option | Default | Description |
|---|---|---|
| BrokerAccessPort | 4421 | Specifies a port used by clients to reach the access broker. |
| BrokerListenHost | unset | Specifies the network address (IPv4 or IPv6) used by the access broker to listen for connections. By default, the access broker listens for connections on every available interface. |
| BrokerListenPort | 4421 | Specifies a port used by the access broker to listen for connections. |
| DisableBroker | unset | Controls the operation status of the access broker. Set to Note: Disabling the access broker process is not recommended on Windows. See Windows. |
This is an Early Access feature. To enable it, contact Okta Support.
PolicySync labels are key:value pairs that teams define to control access to servers for specific groups. Because labels are free-form key:value pairs, teams can define a schema that best fits their needs. Teams can add labels within the server configuration file or directly from Advanced Server Access. See PolicySync: Attribute-Based Access Control.
You must indent any key:value pairs within a Labels YAML dictionary using two spaces.
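As an added illustration that is not taken from the Okta documentation, the following sftd.yaml combines several of the options described above (host naming, access address, bastion, access broker binding, forward proxy) with a Labels dictionary indented as the preceding paragraph requires. All hostnames, addresses, proxy URL and label values are constructed placeholders.

```yaml
# Example sftd.yaml (constructed for illustration; hostnames, addresses,
# proxy URL and labels are placeholders, not values from the documentation).

# Name clients should use for this host instead of the output of `hostname`.
CanonicalName: web01.example.com

# Additional names accepted as targets for `sft ssh`.
AltNames: ["web01", "web01.internal.example.com"]

# Address clients reach when this host sits behind DNAT or has several interfaces.
AccessAddress: 203.0.113.10

# Clients connect through this bastion automatically.
Bastion: bastion.example.com

# Bind the access broker to one address instead of every interface
# (listening on all interfaces is the behaviour when BrokerListenHost is unset).
BrokerListenHost: 10.0.0.5
BrokerListenPort: 4421
BrokerAccessPort: 4421

# Outbound HTTP CONNECT proxy used to reach the Advanced Server Access platform.
ForwardProxy: http://proxy.example.com:3128

LogLevel: INFO

# PolicySync labels: a YAML dictionary whose entries are indented by exactly
# two spaces. Keys and values are free-form strings chosen by the team.
Labels:
  env: production
  tier: web
  region: us-east
```

Restart the server agent after writing the file so that the new values take effect.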
On startup, the server agent reads the following variables:
- SFT_DEBUG: Prints additional debugging to stderr when set.