Outbound Nodes
An Outbound Node defines the configuration for the internal target to which the USP Server connects. It includes the following elements:
- The hostname and port of the internal target.
- The SSH host public key used to validate the internal target's identity.
- Optional parameters allow fine-tuning of protocol-specific behavior, such as supported ciphers, MACs, and key exchange algorithms.
To be operational, a Route must include at least one Outbound Node. You may add additional Outbound Nodes, but only one is used per Listener and the selection is determined by the Listener's Default Outbound Node.
Before You Begin
Remote Host Key
The Remote Host Key is used to verify the identity of the internal target system during the SSH handshake. It represents the expected SSH public key of the remote host.
During connection establishment, the USP Server compares the host key presented by the target system against the configured Remote Host Key in the Outbound Node. If the keys do not match, the connection is rejected.
This verification step helps prevent man-in-the-middle (MITM) attacks and ensures that outbound connections are established only with trusted internal systems.
Outbound Authentication Source
The credentials used by the USP Server to authenticate with the outbound internal target are determined by the Rule associated with the matching Inbound Node.
Each Rule specifies an Outbound Authentication Source, which defines how outbound credentials are selected. The available options are:
- Passthrough Credentials: Reuses the credentials provided by the client during the external incoming connection.
- Dedicated Credentials: Uses a fixed set of pre-configured credentials.
This mechanism allows decoupling how clients authenticate to the USP Server (inbound) from how the USP Server authenticates to internal systems (outbound), providing flexibility in aligning with different security models and target system requirements.
For more information on this topic, refer to Configuration and Rules.
SSH-Specific Configuration
Optional SSH-specific parameters can be configured under the Advanced – SSH Configuration section. These settings provide fine-grained control over the protocol behavior for outbound connections, supporting alignment with internal security policies and compliance requirements.
These settings are optional but recommended when stricter protocol-level security controls are required.
Outbound Node Administration via USP Admin UI
Adding an Outbound Node
To add an Outbound Node, follow these steps:
- From the Sidebar, click Configuration > Route.
- Click the Name of the Route where you want to add the Outbound Node.
- Go to the Outbound Nodes tab.
- Click the Add Outbound Node button above the Route details.
- Complete the Outbound Node details using the Field Descriptions table as a guide.
- Click Save.
Field Descriptions
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the Outbound Node. | Must be unique. | Yes |
| Description | The description of the Outbound Node. | No | |
| Hostname | The hostname of the internal target. | Yes | |
| Port | The port number of the internal target. | Must be within 1 and 65535. | Yes |
| Remote Host Key | The name of the Public Key used to validate the internal server identity. | Must reference an already-created Public Key. | Yes |
| Client Version | The version identification string that is announced during the SSH public handshake. | Default value: SSH-2.0-USP. | Yes |
| Key Exchange Algorithms | The allowed key exchange algorithms. Options (multi-select):
| No | |
| Ciphers | The allowed cipher algorithms. Options (multi-select):
| No | |
| MACs | The allowed MAC algorithms. Options (multi-select):
| No |
Editing an Outbound Node
To edit an Outbound Node, follow these steps:
- From the Sidebar, click Configuration > Route.
- Click the Name of the Route where the Outbound Node is added.
- Go to the Outbound Nodes tab.
- Click the Name of the Outbound Node you want to edit.
- Complete the Outbound Node details using the Field Descriptions table as a guide.
- Click Save.
If you modify a Outbound Node that is currently in use by a USP Server instance, the changes will not take effect until you manually apply the updated configuration by pushing it to the server. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Updated Configuration column.
- If the changes are correct, click Push Configuration.
Outbound Node details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
Outbound Node Metadata
| Name | Description |
|---|---|
| ID | Universally Unique Identifier of this Outbound Node. |
| Route ID | The ID of the Route where the node belongs. |
| Created At | Date and time this Outbound Node was created. |
| Updated At | Date and time this Outbound Node was last updated. |
Deleting an Outbound Node
To delete an Outbound Node, follow these steps:
- From the Sidebar, click Configuration > Route.
- Click the Name of the Route where the Outbound Node is added.
- Go to the Outbound Nodes tab.
- Click the Name of the Outbound Node you want to delete.
- Click Delete.
- You will be asked to confirm the deletion. Click Delete.
USP Manager prevents deletion of an Outbound Node if it is currently referenced by a Route.
Additionally, if the Outbound Node is used by a USP Server instance, the updated configuration must be manually applied. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Candidate Configuration - Preview section.
- If the changes are correct, click Push Configuration.
The changes do not take effect on the server until this step is completed.