Location (XPath) Required Description
/NPSX yes The "NPSX" element is the root element of the XML document.
/NPSX/@version yes For this version of the format, the "version" attribute must be set to "1.1".
/NPSX/@passwordsEncrypted no The "passwordsEncrypted" attribute indicates that all passwords and authentication keys are encrypted using a user-specified passphrase. Use the npsxutil tool to generate encrypted values. The same passphrase must be used for all entries. If omitted, the value is assumed to be "false".
/NPSX/proxies no The "proxies" element may contain one or more nested "proxy" elements.
/NPSX/proxies/proxy[n] no The "proxy" element defines a proxy server.
/NPSX/proxies/proxy[n]/@name yes The "name" attribute specifies the display name of the proxy server. It must be a non-empty string of up to 35 characters. The name must be unique among proxy server and proxy chain names. The value "(default)" is reserved.
/NPSX/proxies/proxy[n]/@comment no An optional comment of up to 100 characters.
/NPSX/proxies/proxy[n]/@type yes The "type" attribute specifies the proxy server type. Its value must be one of: "HTTP", "HTTPS", "SOCKS4", "SOCKS5", "SSH1", "SSH2".
/NPSX/proxies/proxy[n]/@host yes The "host" attribute specifies the hostname or IP address of the proxy server. International domain names are supported.
/NPSX/proxies/proxy[n]/@port yes The "port" attribute specifies the proxy server port number.
/NPSX/proxies/proxy[n]/@isDefault see
description
The "isDefault" attribute indicates whether the proxy server is the default proxy. Its value must be either "true" or "false". If at least one proxy server is defined, exactly one must be marked as the default. If omitted, the value is assumed to be "false".
/NPSX/proxies/proxy[n]/@authentication no The "authentication" attribute specifies the authentication method used to authenticate to the proxy. Its value must be one of: "password", "key", "integrated", "gssapi". Multiple methods can be specified for an SSH2 server to enable Multi-Factor Authentication (MFA).
/NPSX/proxies/proxy[n]/@username see
description
The "username" attribute specifies the username used to authenticate to the proxy. It is required with the "password" and "key" authentication methods, and also with authentication-less SSH. With SOCKS4, it is optional.
/NPSX/proxies/proxy[n]/@password see
description
The "password" attribute specifies the password used to authenticate to the proxy. It is required with the "password" authentication method and should otherwise be omitted.
/NPSX/proxies/proxy[n]/@key see
description
The "key" attribute specifies the key used to authenticate to the proxy. The key must be base64 encoded. Use the npsxutil tool to convert an OpenSSH authentication key to a compatible format. If "/NPSX/@passwordsEncrypted" is set to "true", the key must be encrypted. This attribute is required with the "key" authentication method and should otherwise be omitted.
/NPSX/proxies/proxy[n]/@hostKey no The "hostKey" attribute specifies the key used to verify the SSH server host key. The key must be base64 encoded. Use the npsxutil tool to convert an OpenSSH host key to a compatible format.
/NPSX/proxies/proxy[n]/@preferredCipher no The "preferredCipher" attribute specifies the preferred SSH2 cipher used to encrypt data. Its value must be one of: "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour".
/NPSX/proxies/proxy[n]/@enableCompression no The "enableCompression" attribute enables SSH2 data compression. Its value must be either "true" or "false". If omitted, the value is assumed to be "false".
/NPSX/proxies/proxy[n]/@GSSLevel no The "GSSLevel" attribute specifies the SOCKS5 message protection level. Its value must be one of: "authenticationOnly", "integrity", "integrityAndConfidentiality". If omitted, the value is assumed to be "authenticationOnly".
/NPSX/chains no The "chains" element may contain one or more nested "chain" elements.
/NPSX/chains/chain[n] no The "chain" element defines a proxy chain. A proxy chain must contain at least two proxies.
/NPSX/chains/chain[n]/@name yes The "name" attribute specifies the display name of the proxy chain. It must be a non-empty string of up to 35 characters. The name must be unique among proxy chain and proxy server names. The value "(default)" is reserved.
/NPSX/chains/chain[n]/@comment no An optional comment of up to 100 characters.
/NPSX/chains/chain[n]/proxy[m] yes The "proxy" element references a proxy server.
/NPSX/chains/chain[n]/proxy[m]/@name yes The value of the "name" attribute must be either the display name of a proxy server defined in "/NPSX/proxies" or the special value "(default)", indicating the default proxy.
/NPSX/rules no The "rules" element may contain one or more nested "rule" elements.
/NPSX/rules/rule[n] no The "rule" element defines a rule.
/NPSX/rules/rule[n]/@name yes The "name" attribute specifies the display name of the rule. It must be a non-empty string of up to 35 characters. The name must be unique among rule names.
/NPSX/rules/rule[n]/@comment no An optional comment of up to 100 characters.
/NPSX/rules/rule[n]/@action yes The "action" attribute specifies the rule action. Its value must be one of: "tunnelThroughProxy", "allowDirectConnection", "block", "blockUDP".
/NPSX/rules/rule[n]/@isDisabled no The "isDisabled" attribute indicates whether the rule is disabled. Its value must be either "true" or "false". If omitted, the value is assumed to be "false".
/NPSX/rules/rule[n]/proxyOrChain see
description
The "proxyOrChain" element references a proxy server or proxy chain. It must be present if the rule action is "tunnelThroughProxy" and should otherwise be omitted.
/NPSX/rules/rule[n]/proxyOrChain/@name yes The value of the "name" attribute must be either the display name of a proxy server defined in "/NPSX/proxies", the display name of a proxy chain defined in "/NPSX/chains", or the special value "(default)", indicating the default proxy.
/NPSX/rules/rule[n]/programs no The "programs" element, if present, must contain one or more nested "program" elements. If omitted, the rule applies to all programs.
/NPSX/rules/rule[n]/programs/program[m] yes The "program" element specifies a program to which the rule applies.
/NPSX/rules/rule[n]/programs/program[m]/@value yes The "value" attribute specifies the program location.
/NPSX/rules/rule[n]/programs/program[m]/@type yes The "type" attribute specifies the type of location specified by the "value" attribute. It must be one of: "filePath", "folderPath", "fileName".
/NPSX/rules/rule[n]/programs/program[m]/@comment no An optional comment of up to 100 characters.
/NPSX/rules/rule[n]/targetPorts no The "targetPorts" element, if present, specifies target ports. If omitted, the rule applies to all target ports.
/NPSX/rules/rule[n]/targetPorts/portOrRange[m] yes The "portOrRange" element specifies a port or port range.
/NPSX/rules/rule[n]/targetPorts/portOrRange[m]/@isRange yes The "isRange" attribute indicates whether the element specifies a single port or a port range. Its value must be either "true" or "false".
/NPSX/rules/rule[n]/targetPorts/portOrRange[m]/@value yes The "value" attribute specifies the port or ports. For a port range, the start and end ports must be separated by a hyphen ("-").
/NPSX/rules/rule[n]/targetPorts/portOrRange[m]/@comment no An optional comment of up to 100 characters.
/NPSX/rules/rule[n]/targetHosts no The "targetHosts" element, if present, must contain one or more nested "addressRange" elements. If omitted, the rule applies to all target hosts.
/NPSX/rules/rule[n]/targetHosts/addressRange[m] yes The "addressRange" element specifies an address, such as an IP address or hostname, or an address range.
/NPSX/rules/rule[n]/targetHosts/addressRange[m]/@type yes The "type" attribute specifies the address range type. It must be one of: "IPAddressOrSubnet", "IPAddressRange", "hostname".
/NPSX/rules/rule[n]/targetHosts/addressRange[m]/@value yes The "value" attribute specifies address(es) according to the address range type:
  • IPAddressOrSubnet: An IP address and optional mask, separated by a slash ("/"). The mask specifies the number of leading 1 bits in the network mask. For example, 24 corresponds to 255.255.255.0 for IPv4 and FFFF:FF00:: for IPv6.
  • IPAddressRange: An IP address range. The start and end addresses must be separated by a hyphen ("-").
  • hostname: A hostname. The wildcard characters (*) and (?) are supported.
/NPSX/rules/rule[n]/targetHosts/addressRange[m]/@comment no An optional comment, up to 100 characters long.
/NPSX/DNS yes The "DNS" element defines how target hostnames are resolved.
/NPSX/DNS/@value yes Specifies one of the following values: "resolveNamesLocally", "resolveNamesRemotely", "attemptLocalThenRemote".
/NPSX/DNS/@namesToResolveLocally no A comma-separated list of hostnames that are always resolved locally. The wildcard characters (*) and (?) are supported.
/NPSX/DNS/@namesToResolveRemotely no A comma-separated list of hostnames to always resolve remotely when the matching rule action is "tunnelThroughProxy". The wildcard characters (*) and (?) are supported.
/NPSX/DNS/@spoofedIPAddresses no A comma-separated list of IP addresses to treat as spoofed DNS replies. If a matching address is returned, the hostname is resolved remotely instead. Each entry must be in one of the following "addressRange" formats: "IPAddressOrSubnet", "IPAddressRange".