| Location (XPath) | Required | Description |
|---|---|---|
| /NPSX | yes | The "NPSX" element is the root element of the XML document. |
| /NPSX/@version | yes | For this version of the format, the "version" attribute must be set to "1.1". |
| /NPSX/@passwordsEncrypted | no | The "passwordsEncrypted" attribute indicates that all passwords and authentication keys are encrypted using a user-specified passphrase. Use the npsxutil tool to generate encrypted values. The same passphrase must be used for all entries. If omitted, the value is assumed to be "false". |
| /NPSX/proxies | no | The "proxies" element may contain one or more nested "proxy" elements. |
| /NPSX/proxies/proxy[n] | no | The "proxy" element defines a proxy server. |
| /NPSX/proxies/proxy[n]/@name | yes | The "name" attribute specifies the display name of the proxy server. It must be a non-empty string of up to 35 characters. The name must be unique among proxy server and proxy chain names. The value "(default)" is reserved. |
| /NPSX/proxies/proxy[n]/@comment | no | An optional comment of up to 100 characters. |
| /NPSX/proxies/proxy[n]/@type | yes | The "type" attribute specifies the proxy server type. Its value must be one of: "HTTP", "HTTPS", "SOCKS4", "SOCKS5", "SSH1", "SSH2". |
| /NPSX/proxies/proxy[n]/@host | yes | The "host" attribute specifies the hostname or IP address of the proxy server. International domain names are supported. |
| /NPSX/proxies/proxy[n]/@port | yes | The "port" attribute specifies the proxy server port number. |
| /NPSX/proxies/proxy[n]/@isDefault | see description |
The "isDefault" attribute indicates whether the proxy server is the default proxy. Its value must be either "true" or "false". If at least one proxy server is defined, exactly one must be marked as the default. If omitted, the value is assumed to be "false". |
| /NPSX/proxies/proxy[n]/@authentication | no | The "authentication" attribute specifies the authentication method used to authenticate to the proxy. Its value must be one of: "password", "key", "integrated", "gssapi". Multiple methods can be specified for an SSH2 server to enable Multi-Factor Authentication (MFA). |
| /NPSX/proxies/proxy[n]/@username | see description |
The "username" attribute specifies the username used to authenticate to the proxy. It is required with the "password" and "key" authentication methods, and also with authentication-less SSH. With SOCKS4, it is optional. |
| /NPSX/proxies/proxy[n]/@password | see description |
The "password" attribute specifies the password used to authenticate to the proxy. It is required with the "password" authentication method and should otherwise be omitted. |
| /NPSX/proxies/proxy[n]/@key | see description |
The "key" attribute specifies the key used to authenticate to the proxy. The key must be base64 encoded. Use the npsxutil tool to convert an OpenSSH authentication key to a compatible format. If "/NPSX/@passwordsEncrypted" is set to "true", the key must be encrypted. This attribute is required with the "key" authentication method and should otherwise be omitted. |
| /NPSX/proxies/proxy[n]/@hostKey | no | The "hostKey" attribute specifies the key used to verify the SSH server host key. The key must be base64 encoded. Use the npsxutil tool to convert an OpenSSH host key to a compatible format. |
| /NPSX/proxies/proxy[n]/@preferredCipher | no | The "preferredCipher" attribute specifies the preferred SSH2 cipher used to encrypt data. Its value must be one of: "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour". |
| /NPSX/proxies/proxy[n]/@enableCompression | no | The "enableCompression" attribute enables SSH2 data compression. Its value must be either "true" or "false". If omitted, the value is assumed to be "false". |
| /NPSX/proxies/proxy[n]/@GSSLevel | no | The "GSSLevel" attribute specifies the SOCKS5 message protection level. Its value must be one of: "authenticationOnly", "integrity", "integrityAndConfidentiality". If omitted, the value is assumed to be "authenticationOnly". |
| /NPSX/chains | no | The "chains" element may contain one or more nested "chain" elements. |
| /NPSX/chains/chain[n] | no | The "chain" element defines a proxy chain. A proxy chain must contain at least two proxies. |
| /NPSX/chains/chain[n]/@name | yes | The "name" attribute specifies the display name of the proxy chain. It must be a non-empty string of up to 35 characters. The name must be unique among proxy chain and proxy server names. The value "(default)" is reserved. |
| /NPSX/chains/chain[n]/@comment | no | An optional comment of up to 100 characters. |
| /NPSX/chains/chain[n]/proxy[m] | yes | The "proxy" element references a proxy server. |
| /NPSX/chains/chain[n]/proxy[m]/@name | yes | The value of the "name" attribute must be either the display name of a proxy server defined in "/NPSX/proxies" or the special value "(default)", indicating the default proxy. |
| /NPSX/rules | no | The "rules" element may contain one or more nested "rule" elements. |
| /NPSX/rules/rule[n] | no | The "rule" element defines a rule. |
| /NPSX/rules/rule[n]/@name | yes | The "name" attribute specifies the display name of the rule. It must be a non-empty string of up to 35 characters. The name must be unique among rule names. |
| /NPSX/rules/rule[n]/@comment | no | An optional comment of up to 100 characters. |
| /NPSX/rules/rule[n]/@action | yes | The "action" attribute specifies the rule action. Its value must be one of: "tunnelThroughProxy", "allowDirectConnection", "block", "blockUDP". |
| /NPSX/rules/rule[n]/@isDisabled | no | The "isDisabled" attribute indicates whether the rule is disabled. Its value must be either "true" or "false". If omitted, the value is assumed to be "false". |
| /NPSX/rules/rule[n]/proxyOrChain | see description |
The "proxyOrChain" element references a proxy server or proxy chain. It must be present if the rule action is "tunnelThroughProxy" and should otherwise be omitted. |
| /NPSX/rules/rule[n]/proxyOrChain/@name | yes | The value of the "name" attribute must be either the display name of a proxy server defined in "/NPSX/proxies", the display name of a proxy chain defined in "/NPSX/chains", or the special value "(default)", indicating the default proxy. |
| /NPSX/rules/rule[n]/programs | no | The "programs" element, if present, must contain one or more nested "program" elements. If omitted, the rule applies to all programs. |
| /NPSX/rules/rule[n]/programs/program[m] | yes | The "program" element specifies a program to which the rule applies. |
| /NPSX/rules/rule[n]/programs/program[m]/@value | yes | The "value" attribute specifies the program location. |
| /NPSX/rules/rule[n]/programs/program[m]/@type | yes | The "type" attribute specifies the type of location specified by the "value" attribute. It must be one of: "filePath", "folderPath", "fileName". |
| /NPSX/rules/rule[n]/programs/program[m]/@comment | no | An optional comment of up to 100 characters. |
| /NPSX/rules/rule[n]/targetPorts | no | The "targetPorts" element, if present, specifies target ports. If omitted, the rule applies to all target ports. |
| /NPSX/rules/rule[n]/targetPorts/portOrRange[m] | yes | The "portOrRange" element specifies a port or port range. |
| /NPSX/rules/rule[n]/targetPorts/portOrRange[m]/@isRange | yes | The "isRange" attribute indicates whether the element specifies a single port or a port range. Its value must be either "true" or "false". |
| /NPSX/rules/rule[n]/targetPorts/portOrRange[m]/@value | yes | The "value" attribute specifies the port or ports. For a port range, the start and end ports must be separated by a hyphen ("-"). |
| /NPSX/rules/rule[n]/targetPorts/portOrRange[m]/@comment | no | An optional comment of up to 100 characters. |
| /NPSX/rules/rule[n]/targetHosts | no | The "targetHosts" element, if present, must contain one or more nested "addressRange" elements. If omitted, the rule applies to all target hosts. |
| /NPSX/rules/rule[n]/targetHosts/addressRange[m] | yes | The "addressRange" element specifies an address, such as an IP address or hostname, or an address range. |
| /NPSX/rules/rule[n]/targetHosts/addressRange[m]/@type | yes | The "type" attribute specifies the address range type. It must be one of: "IPAddressOrSubnet", "IPAddressRange", "hostname". |
| /NPSX/rules/rule[n]/targetHosts/addressRange[m]/@value | yes |
The "value" attribute specifies address(es) according to the address range type:
|
| /NPSX/rules/rule[n]/targetHosts/addressRange[m]/@comment | no | An optional comment, up to 100 characters long. |
| /NPSX/DNS | yes | The "DNS" element defines how target hostnames are resolved. |
| /NPSX/DNS/@value | yes | Specifies one of the following values: "resolveNamesLocally", "resolveNamesRemotely", "attemptLocalThenRemote". |
| /NPSX/DNS/@namesToResolveLocally | no | A comma-separated list of hostnames that are always resolved locally. The wildcard characters (*) and (?) are supported. |
| /NPSX/DNS/@namesToResolveRemotely | no | A comma-separated list of hostnames to always resolve remotely when the matching rule action is "tunnelThroughProxy". The wildcard characters (*) and (?) are supported. |
| /NPSX/DNS/@spoofedIPAddresses | no | A comma-separated list of IP addresses to treat as spoofed DNS replies. If a matching address is returned, the hostname is resolved remotely instead. Each entry must be in one of the following "addressRange" formats: "IPAddressOrSubnet", "IPAddressRange". |