Inbound Nodes

An Inbound Node defines the virtual server configuration on a USP Server instance that handles incoming client connections. It includes several key settings that control how connections are matched, authenticated, and processed:

  • The priority and address filter determine how the USP Server selects the appropriate node for an incoming connection.
  • The associated Rule specifies the authentication policies applied to the connection.
  • The SSH host private key is used to identify the USP Server to connecting clients.
  • Optional parameters allow fine-tuning of protocol-specific behavior, such as supported ciphers, MACs, and key exchange algorithms.

Info: To be operational, a Route must include at least one Inbound Node. Additional Inbound Nodes are optional and may be added to support more complex routing requirements.

Before You Begin

Priority and IP Address Filter

When an inbound connection is received, USP Server performs the following matching process:

  1. Sort by Priority: All Inbound Nodes that belong to the Route are ordered by Priority, highest to lowest.
  2. Evaluate each Inbound Node: The connection's source IP is checked against the Node's assigned IP Address Filter List.
  3. Select the first match: The first Inbound Node that matches the connection is used. If no Inbound Nodes match, the connection is rejected.

Unlike USP Admin UI IP Filtering, Inbound Nodes must always reference an IP Filter and may reference an empty one.

The effect of an empty IP Filter depends on its Default Action:

  • If it is Block, all connections are denied. This can be used intentionally to shut down access to an Inbound Node.
  • If it is Allow, all connections are permitted, effectively disabling IP-based restrictions for that node.

Advanced Flow

When a Route contains multiple Inbound Nodes, the evaluation flow becomes more complex, as the USP Server must account for both node Priority and each Node's assigned IP Filter.

Connections are always processed in descending Priority order, and the first node whose filter criteria are satisfied determines the outcome. The following example (and diagram) illustrates how different source IPs are evaluated across three Inbound Nodes.

[Diagram: Priority and IP Filtering Logic]

Example

Consider a Route with three Inbound Nodes:

| Inbound Node | Priority | IP Filter (Block Rule) | IP Filter (Allow Rule) | IP Filter (Default Action) |
| --- | --- | --- | --- | --- |
| Node A | 100 (highest) | 10.0.0.5 | 10.0.0.0/24 | Block |
| Node B | 50 | 172.16.1.1 | 172.16.0.0/16 | Block |
| Node C | 10 (lowest) | 192.168.1.42 | 192.168.1.0/24 | Block |

Evaluation follows the Priority and IP Address Filter rules: highest Priority first, Block before Allow, stop at the first match.

| Source IP | Node A | Node B | Node C | Result |
| --- | --- | --- | --- | --- |
| 10.0.0.25 | 1. Not on Block list. 2. Matches Allow list. | - | - | Accepted by Node A |
| 172.16.1.2 | 1. Not on Block list. 2. Does not match Allow list. 3. Goes to Inbound Node B. | 1. Not on Block list. 2. Matches Allow list. | - | Accepted by Node B |
| 10.0.0.5 | 1. Matches Block rule. 2. Goes to Inbound Node B. | 1. Not on Block list. 2. Not on Allow list. 3. Goes to Inbound Node C. | 1. Not on Block list. 2. Not on Allow list. | Rejected |
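
The matching process above can be modelled in a few lines to check a planned Route before it is pushed. This is an added example, not USP Server code: the class and function names (IPFilter, InboundNode, select_node) are hypothetical, and the route data is taken from the example table above.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IPFilter:
    # Hypothetical model of an IP Filter: Block entries, Allow entries, Default Action.
    block: list = field(default_factory=list)
    allow: list = field(default_factory=list)
    default_action: str = "Block"

    def permits(self, source_ip: str) -> bool:
        ip = ipaddress.ip_address(source_ip)

        def hit(entries):
            # A bare address is treated as a single-host network (/32 or /128).
            return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

        if hit(self.block):  # Block is evaluated before Allow
            return False
        if hit(self.allow):
            return True
        return self.default_action == "Allow"  # empty or non-matching filter


@dataclass
class InboundNode:
    name: str
    priority: int
    ip_filter: IPFilter


def select_node(nodes, source_ip):
    """Return the name of the first matching node, or None if the connection is rejected."""
    for node in sorted(nodes, key=lambda n: n.priority, reverse=True):
        if node.ip_filter.permits(source_ip):
            return node.name  # stop at the first match
    return None


# Route from the example table, deliberately listed out of Priority order.
ROUTE = [
    InboundNode("Node C", 10, IPFilter(["192.168.1.42"], ["192.168.1.0/24"], "Block")),
    InboundNode("Node A", 100, IPFilter(["10.0.0.5"], ["10.0.0.0/24"], "Block")),
    InboundNode("Node B", 50, IPFilter(["172.16.1.1"], ["172.16.0.0/16"], "Block")),
]

if __name__ == "__main__":
    for ip in ("10.0.0.25", "172.16.1.2", "10.0.0.5"):
        print(ip, "->", select_node(ROUTE, ip) or "Rejected")
```

Under these rules, a high-Priority node whose filter is empty with Default Action Allow matches every source address, so no lower-Priority node on the Route is ever selected.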

SSH-Specific Configuration

Optional SSH-specific parameters can be configured under the Advanced – SSH Configuration section. These settings provide fine-grained control over the protocol behavior for inbound connections, supporting alignment with internal security policies and compliance requirements.

Info: These settings are optional but recommended when stricter protocol-level security controls are required.

Inbound Nodes Administration via USP Admin UI

Adding an Inbound Node

To add an Inbound Node, follow these steps:

  1. From the Sidebar, click Configuration > Routes.
  2. Click the Name of the Route where you want to add the Inbound Node.
  3. Go to the Inbound Nodes tab.
  4. Click the Add Inbound Node button above the Route details.
  5. Complete the Inbound Node details using the Field Descriptions table as a guide.
  6. Click Save.

Field Descriptions

| Name | Description | Specifications | Required |
| --- | --- | --- | --- |
| Name | The name of the Inbound Node. | Must be unique. | Yes |
| Description | The description of the Inbound Node. | | No |
| IP Address Filter List | The name of the IP Filter that an incoming connection must pass to be accepted. | Must reference an already-created IP Filter. | Yes |
| Priority Number | An integer that defines the priority of the Inbound Node. Nodes with higher values are evaluated first when matching inbound connections. | Must be between 1 and 100000. | Yes |
| Rule | The Rule associated with the node, which defines the authentication behavior for external incoming connections. | Must reference an already-created Rule. | Yes |
| Host Private Key | The name of the Private Key used as the virtual server's host key. | Must reference an already-created Private Key. | Yes |
| Server Version | The version identification string that is announced during the SSH public handshake. | Default value: SSH-2.0-USP. | Yes |
| Banner | A string that, if present, is sent to the Client after the SSH Key Exchange is completed, but before authentication. | | No |
| Key Exchange Algorithms | The allowed key exchange algorithms. | Options (multi-select): ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, curve25519-sha256, diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256 | No |
| Ciphers | The allowed cipher algorithms. | Options (multi-select): aes256-ctr, aes192-ctr, aes128-ctr, aes128-gcm, aes256-gcm, chacha20-poly1305 | No |
| MACs | The allowed MAC algorithms. | Options (multi-select): hmac-sha2-256-etm, hmac-sha2-512-etm, hmac-sha2-256, hmac-sha2-512, hmac-sha2-1 | No |

Editing an Inbound Node

To edit an Inbound Node, follow these steps:

  1. From the Sidebar, click Configuration > Routes.
  2. Click the Name of the Route where the Inbound Node is added.
  3. Go to the Inbound Nodes tab.
  4. Click the Name of the Inbound Node you want to edit.
  5. Click the Edit button above the Inbound Nodes details.
  6. Edit the Inbound Node details using the Field Descriptions table as a guide.
  7. Click Save.

Warning: If you modify an Inbound Node that is currently in use by a USP Server instance, the changes will not take effect until you manually apply the updated configuration by pushing it to the server. To apply the changes:

  1. Navigate to Monitoring > Status.
  2. Click the Name of the associated USP Server instance.
  3. Go to the Configuration tab.
  4. Review the pending changes in the Updated Configuration column.
  5. If the changes are correct, click Push Configuration.

Inbound Nodes details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:

Inbound Node Metadata

| Name | Description |
| --- | --- |
| ID | Universally Unique Identifier of this Inbound Node. |
| Route ID | The ID of the Route where the node belongs. |
| Created At | Date and time this Inbound Node was created. |
| Updated At | Date and time this Inbound Node was last updated. |

Deleting an Inbound Node

To delete an Inbound Node, follow these steps:

  1. From the Sidebar, click Configuration > Routes.
  2. Click the Name of the Route where the Inbound Node is added.
  3. Go to the Inbound Nodes tab.
  4. Click the Name of the Inbound Node you want to delete.
  5. Click the Delete button above the Inbound Nodes details.
  6. You will be asked to confirm the deletion. Click Delete.

Warning: USP Manager prevents deletion of an Inbound Node if it is currently referenced by a Route.

Additionally, if the Inbound Node is used by a USP Server instance, the updated configuration must be manually applied. To apply the changes:

  1. Navigate to Monitoring > Status.
  2. Click the Name of the associated USP Server instance.
  3. Go to the Configuration tab.
  4. Review the pending changes in the Candidate Configuration - Preview section.
  5. If the changes are correct, click Push Configuration.

The changes do not take effect on the server until this step is completed.