Configure and use the Advanced Server Access server agent

This topic explains how to configure the Advanced Server Access server agent.

Command line options

    --conf: Provides an alternative configuration file path.

    --debug-device-info: Prints detected device information to stderr and then exits.

    -h, --help: Displays help.

    -v, --version: Displays version.

    --syslog: Forces syslog logging.

Configuration file

You can control the Advanced Server Access server agent by manually creating a configuration file. The location of the configuration file depends on the operating system running the server agent.

  • Linux: /etc/sft/sftd.yaml

  • Windows: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\sftd.yaml

If a configuration file hasn't been created or is unavailable, the server agent uses the following default values.

You must restart the server agent before changes to the configuration file take effect.


Enrollment Options

Option Default value Description
AutoEnroll True Forces the server agent to attempt to automatically enroll during the initial startup.
EnrollmentTokenFile Linux: /var/lib/sftd/enrollment.token

Windows: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\enrollment.token

Specifies the path to a separate file containing an enrollment token. The default value depends on the operating system running the server agent. After the server is enrolled, the server agent deletes this token file.

If using this option, you must manually create the token file and add an enrollment token created on the Advanced Server Access platform. See Enroll a server.

InitialURL unset When AutoEnroll is set to True, this option specifies a URL used to automatically enroll the server. If the EnrollmentTokenFile option is also configured, this option is ignored.

Note: This option is only used by legacy installations not hosted by Advanced Server Access instances.

Log Options

The location of the log file depends on the operating system running the server agent.

  • Linux: sftd uses the system logger when available
  • Windows: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\Logs

Log files are rotated after 5MB and only the 10 most recent log files are kept.

Option Default value Description
LogLevel INFO Controls the verbosity of the logs.

Valid values include:

  • warn
  • info
  • debug

Connection Options

Option Default value Description
AccessAddress unset Specifies the network address (IPv4 or IPv6) used by clients to access servers with multiple interfaces or behind DNATs.
AccessInterface unset Specifies the interface used by clients to negotiate connections to the host. Only needed by hosts with a specific public IP address associated with a known interface.

Example:

AccessInterface: eth0

AltNames unset Specifies a list of alternative server hostnames. These names can be used as targets for sft ssh.

Example:

AltNames: ["web01", "web01.example.com"]

Bastion unset Specifies a bastion host used automatically by clients when connecting to this server.
BufferFile /var/lib/sftd/buffer.db Specifies the path prefix to the files used for the server agent local buffer store. Individual buffer file names consist of the path prefix, followed by a period and an incremental number (for example, buffer.db.1). Buffer files are automatically removed after being synchronized.
CanonicalName unset Specifies the name that clients should use when connecting to this host. This option overrides the name returned by the hostname command.
ForwardProxy unset Specifies the URL of an HTTP CONNECT proxy that the server agent uses for outbound network connectivity to the Advanced Server Access platform. Alternatively, the HTTPS_PROXY environment variable can be used to configure this proxy.

Example:

ForwardProxy: https://myproxydomain.com:8080

ServerFile /var/lib/sftd/device.server Specifies the path to a file used to store the server URL of the server that it will connect to.
SSHDConfigFile /etc/ssh/sshd_config Specifies the path to the sshd configuration file.

Note: The server agent will modify this file.

SSHDPort

unset

Specifies a port to use when negotiating SSH connections. This option is only needed if the default port (22) is not being used.
TokenFile /var/lib/sftd/device.token Specifies the path to a file used to store the secret authentication token for Advanced Server Access.

TrustedUserCAKeysFile

/var/lib/sftd/ssh_ca.pub

Specifies the path to a file used by the server agent to store a list of trusted SSH certificate authorities.

Access Broker Options

The Advanced Server Access server agent automatically runs an access broker process. The access broker authenticates clients using certificates issued by the Advanced Server Access platform.

When using on-demand user provisioning for a project, the access broker must be accessible on a specific port (4421 by default). See On-demand users. On Windows servers, the access broker is also responsible for proxying RDP connections. See Windows Internals.

Option

Default value

Description

BrokerAccessPort 4421 Specifies a port used by clients to reach the access broker.
BrokerListenHost unset Specifies the network address (IPv4 or IPv6) used by the access broker to listen for connections. By default, the access broker listens for connections on every available interface.
BrokerListenPort 4421 Specifies a port used by the access broker to listen for connections.
DisableBroker unset Controls the operation status of the access broker. Set to True to restrict the access broker from running on the server.

Note: Disabling the access broker process is not recommended on Windows. See Windows.

PolicySync Labels

This is an Early Access feature. To enable it, contact Okta Support.

PolicySync labels allow teams to define key:value pairs used to control server access to specific groups. Labels are formatted as key:value pairs to allow teams to define a schema that best fits their needs. Teams can add labels within the server configuration file or directly from Advanced Server Access. See PolicySync: Attribute-Based Access Control.

You must indent any key pairs within a Labels YAML dictionary using two spaces:

Labels:
  label_1: value_1
  label_2: value_2

Environment variables

On startup, the server agent reads the following variables:

  • SFT_DEBUG: Prints additional debugging to stderr when set.

Related topics

Verify server enrollment

Deploy cloud servers