Parameter: Allow_Passthru_Targets
Short description: List of servers that passthru connections via this server are allowed to reach (target side of the passthru hop).
Profile
Parameter | Allow_Passthru_Targets |
Category | Security / TLS |
Component | Server |
Available since | 9.0.1 |
Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | Server document (Security → Destinations allowed) |
Possible values | Comma-separated name list (server DNs); empty = any (mandatory together with Allow_Passthru_Access) |
Description
While Allow_Passthru_Clients controls who is allowed to use the server as a hop, Allow_Passthru_Targets restricts where the journey may lead. This prevents a DMZ server from unintentionally serving as a stepping stone to arbitrary internal servers.
Empty = no restriction on the target side; it is safer to maintain an explicit whitelist of relevant backend servers.
Example configuration
Allow_Passthru_Targets=*/MailServers/acme,*/AppServers/acme
Notes & pitfalls
- Maintain on DMZ servers as an additional safety net.
- Only effective in combination with Allow_Passthru_Access/Clients/Callers.
- Enable auditing via Log_Passthru=1 during rollout.
- On server reorgs (renaming of backend servers), adjust this list as well.
- The change takes effect after a server restart.
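The pitfalls above can be checked mechanically before a rollout or after a server reorg. The following audit script is an added example, not part of the product or its documentation; the function names, finding labels and sample data are constructed, and it assumes that a leading `*` in a list entry matches any server name ending in the rest of the entry.

```python
# Added example: audit notes.ini text for the passthru settings named on this page.
# Assumption: a leading "*" in a list entry matches any name ending in the rest of
# the entry, so */MailServers/acme matches mail01/MailServers/acme.
ACCESS_KEYS = ("allow_passthru_access", "allow_passthru_clients", "allow_passthru_callers")

def parse_ini(text):
    """Return {lowercased key: value} for the KEY=value lines of a notes.ini."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("[", ";")):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def names(value):
    """Split a comma-separated name list, dropping empty items."""
    return [n.strip() for n in value.split(",") if n.strip()]

def entry_matches(entry, server):
    entry, server = entry.lower(), server.lower()  # compare case-insensitively
    if entry.startswith("*"):
        return server.endswith(entry[1:])
    return entry == server

def audit_passthru(ini_text, inventory):
    """Return findings; inventory is the list of current backend server names."""
    s = parse_ini(ini_text)
    targets = names(s.get("allow_passthru_targets", ""))
    findings = []
    if not targets:
        findings.append("targets-empty: no restriction on the target side")
    elif not any(names(s.get(k, "")) for k in ACCESS_KEYS):
        findings.append("targets-ineffective: no access/clients/callers list set")
    if s.get("log_passthru") != "1":
        findings.append("logging-off: Log_Passthru=1 not set")
    for entry in targets:  # entries that match no current server are reorg leftovers
        if not any(entry_matches(entry, srv) for srv in inventory):
            findings.append("stale-entry: " + entry)
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_INI = """[Notes]
Allow_Passthru_Clients=*/Users/acme
Allow_Passthru_Targets=*/MailServers/acme,*/AppServers/acme
"""
SAMPLE_INVENTORY = ["mail01/MailServers/acme", "crm01/Apps/acme"]

print("\n".join(audit_passthru(SAMPLE_INI, SAMPLE_INVENTORY)))
```

In the sample, the application servers have been moved to a different organizational unit, so the second target entry no longer matches anything and is reported as stale.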