Connection Actions and Configurations

21 minutes to read

As explained in the previous document, the Connections tab offers you a comprehensive view of all the resources that are owned by you and/or shared to you as well as the accounts belonging to them. In this document, you will learn about the various actions and all possible configurations that can be performed on connections.

Click each of the below links to learn in detail about the different connection actions and configurations in detail:

  1. Different Resource Pane Scenarios
  2. Launching Secure Remote Sessions
  3. Website Connections
  4. Working with Files present in the Remote Machines
  5. Requesting Passwords for Accounts with Controlled Access
  6. Accessing RemoteApps
  7. Configuring Connection Settings for Accounts
  8. Configuring Gateway Settings for Remote Sessions
  9. Configuring SSH Command Control (Filtering)

1. Different Resource Pane Scenarios

Based on the type of resource you select from the Resources pane, the view in the Accounts pane will change. Consider the following scenarios:

Scenario 1: You have selected a Windows Domain resource named CHNPRODTEST-01 in the Resources pane.

In this case, the Accounts pane will display two columns:

  1. Domain Accounts - the domain accounts belonging to CHNPRODTEST-01 will be listed here with all the available logon options. You may search for accounts with keywords using the search bar.
  2. Other Domain Accounts - the Domain accounts belonging to the other Windows Domain resources available to you will be listed in this column along with the available logon options.


Scenario 2: You have selected a non-Windows Domain resource, such as a Windows or a Linux resource in the Resources pane.

In this case, the Accounts pane will display two columns:

  1. Local Accounts - the local accounts belonging to the selected resource will be listed here with all the available logon options.
  2. Domain Accounts - the Domain accounts belonging to the other Windows Domain resources available to you will be listed in this column along with the available logon options.

Note: Apart from the SSH protocol, Telnet, Legacy SSH, and other auto logon helpers will be disabled for the accounts applied with SSH command control (filtering).

Scenario 3: You have logged into PAM360 using your Active Directory (AD), Microsoft Entra ID, or LDAP credentials.

Here, you will see two tabs based on your choice of resources in Scenarios 1 and 2. In addition to that, the Accounts pane will also show the following tab as the third one:
Logged in AD/Microsoft Entra ID/LDAP Account - the AD/Microsoft Entra ID/LDAP account with which you have currently logged in will be displayed here. You can use this account to log in to other resources. Click here to learn about this in detail.

Note: The logon options available for Logged in AD/Microsoft Entra ID/LDAP Account will be Windows Remote Desktop for Windows and SSH for Linux systems.

Scenario 4:

For certain resource types like PostgreSQL, MySQL, and Oracle DB Server, both Domain accounts and AD/Microsoft Entra ID/LDAP accounts will not be shown. For those types, the Accounts pane will display only the Local Accounts tab.

Note: In the Accounts pane, you can pin a specific tab for quick access and reference. For example, if you pin the Local Accounts tab, whenever you choose a resource, the local accounts of the resource will be displayed first. This operation is user-specific and does not affect the view for other users accessing the same installation.

2. Launching Secure Remote Sessions

PAM360 allows you to establish privileged remote sessions to RDP, SSH, VNC and SQL systems through HTML-5 compatible browsers. PAM360 carries out remote sessions and file transfer operations using secure protocols such as the Remote Desktop Protocol (RDP), SSH File Transfer Protocol (SFTP), Secure Copy Protocol (SCP), File Transfer Protocol (FTP). As the privileged remote sessions are tunneled through the PAM360 server, it creates a secure channel to protect your remote connections from third-party interceptions. The passwords needed to establish the remote connections are securely stored in PAM360. There is also a provision to enforce password access control the resources. These safety measures ensure your data stored in the PAM360 repository and remote sessions carried out from PAM360 always remain secure. In addition to launching secure remote sessions, you can record, playback, and archive the remote sessions launched from PAM360. The archived files support forensic audits and compliance requirements of organizations.

To launch a remote session to a resource, follow the below steps:

  1. Navigate to the Connections tab and click the required resource name under the Resources pane.
  2. If you have selected a Windows Domain resource, all the local accounts of the selected domain resource and the accounts of other Windows Domain resources will be displayed on the right in two separate tabs. Hover your mouse over the thumbnail of the required account and click Connect. Depending on the resource type, multiple logon options will appear in a pop-up menu. For example: If you select a Windows resource, you will get the following options for Local accounts: Windows Remote Desktop, RDP Console Session, and VNC. And these logon options for Domain accounts: Windows Remote Desktop and RDP Console Session.
  3. Click the type of remote session you want to launch. Now, a new tab will open up and the remote session will begin once PAM360 authenticates the connection using the password stored in the repository.

When a privileged remote session is active, you can view the details from the Notifications panel, the Password Dashboard, and under Audit >> Active Privileged Sessions. All remote connections can be recorded and archived. Click here to learn about session recording in detail.

2.1 Single-click Auto Logon using AD, Microsoft Entra ID, and LDAP

PAM360 allows users to launch a direct RDP connection with the target resource using any domain account that is owned by you or shared with you. Users can select the required Domain account or can use the currently logged in AD/Microsoft Entra ID/LDAP account to connect to the desired resource.

For a selected set of resource types, PAM360 allows you to log into resources that are shared to you or owned by you using the AD/Microsoft Entra ID/LDAP credentials with which you have currently logged in. When you are logged into PAM360 using your AD/Microsoft Entra ID/LDAP credential, you will find your details displayed in the Connections tab as a separate column named Logged in AD/Microsoft Entra ID/LDAP account. For example, this option will not be available for resource types that do not support Domain accounts login such as PostgreSQL and MySQL.

From this space, you can log into the required resource with a single click using the auto logon options that are displayed with a mouse hover.

  1. Navigate to the Connections tab and under the Resources pane, click the required resource. Now all the local accounts belonging to the resource as well as other available Domain accounts will be displayed in the Accounts pane.
  2. Here, to log into a resource using a Domain account, simply hover over the Domain account which you want to use and click Connect. PAM360 will authorize your connection to the selected resource using the Domain account you chose.
  3. Alternatively, you may use your currently logged in AD/Microsoft Entra ID/LDAP credentials to log into a resource (as explained in scenario 3). To do this, select the required resource from the left pane and switch to the Logged-in AD/Microsoft Entra ID/LDAP account tab on the right.
  4. Here, hover over the connection icon and click Connect. You will see Windows Remote Desktop as the logon option for Windows resources and SSH for Linux-based resources.
    connections-5
  5. To reauthenticate the connection, must enter your AD/Microsoft Entra ID/LDAP password once in the pop-up that appears. Click Connect to open the remote connection.
    connections-6
  6. Enter the Reason for establishing the connection (mandatory) and click Connect.
  7. Now, you have successfully established a connection with that resource.

Click to learn about enabling Active Directory, Microsoft Entra ID or LDAP authentication in PAM360.

3. Website Connections

3.1 Launching Secure Website Connections

PAM360 allows users to initiate secure website sessions for sensitive web applications and services directly from the application. Users can utilize this feature to access privileged web applications and services seamlessly from the PAM360 interface. To launch a website session:

  1. Navigate to the Connections tab and select Web App Connections from the left pane.
  2. You will see a list of all the web app resources shared with you on the Web App Connections page.
    connections-website
  3. Hover over the desired resource and click the Connect button to launch a website session.

    4. Notes:

    (Procedure Applicable from Builds 7400 and Above)
    1. If session recording is enabled for website connections, users should be logged into the PAM360 extension to ensure the sessions are recorded.
    2. The website connections are recorded for 30 minutes.

3.2 Autofill Support for Websites and Applications

PAM360 supports autofill for website sessions launched from the PAM360 web interface via an active browser extension. The credentials must be stored within a resource in PAM360 to autofill them on a website or application. When you attempt to log into a website, click the PAM360 extension icon that appears beside the credentials field on the target site and choose an account. The corresponding username and password will be auto-filled, and you can manually hit enter to log into the website.

Notes:

  1. When you enter a new login credential while accessing a website or application, the extension will prompt you to save it rather than asking you to select an account for autofill. Upon saving, you can add the credential as an enterprise or personal account to the PAM360 server directly from the browser extension.
  2. The autofill functionality will work only if the PAM360 browser extension is installed.

4. Working with Files Present in the Remote Machines

PAM360 allows you to transfer large files between two systems using the SSH File Transfer Protocol (SFTP). To use this feature, the SFTP server must be installed in the target remote systems. Apart from bi-directional file transfer, PAM360 lets you upload and download files between the user's machine and the remote connection they have established, without the need for a remote session. This upload and download mechanism is made possible through the Secure Copy Protocol (SCP). For upload and download mechanisms, there is a file size limit of 6 GB.

Note: Starting from build 7500, the maximum file transfer limit via SFTP is set at 2 GB by default. Administrators can adjust this limit within the general settings, increasing it up to 10 GB or reducing it to 50 MB, depending on operational needs. However, for optimal performance, it is recommended to maintain the transfer limit at 2 GB or lower. Additionally, PAM360 allows users to delete files and folders within the remote directory during an SFTP session.

Click here to know in detail about how to perform SFTP-based file transfer in PAM360.

5. Requesting Passwords for Accounts with Controlled Access

When dealing with accounts that are secured using the password access control workflow, the Connections tab serves as a one-stop place to make all the password request-related options easily accessible. When an account protected by the access control workflow is shared to you, you may gain access to it by requesting for the password and getting it approved by the resource owner/administrator. In case of Domain accounts, the Connections tab helps you send password requests directly from the Domain Accounts view.

Click the below links to learn more about the three possible operations you can do:

5.1 Request for the Password

5.2 Check out the Password

5.3 Check in the Password

5.1 Request for the Password

  1. Navigate to the Connections tab and click the required resource name under the Resources pane.
  2. All accounts corresponding to the selected resource and any Windows Domain accounts that are also shared to you will be displayed on the right as per the scenarios detailed above. Hover your mouse over the thumbnail of the required account and click Request.
  3. Now, a request will be sent to the authorized administrators. Once the request is approved, you can check out the password and launch a remote session to the account.

When the password of the account is available for request, you will see the Request option. After you send a request and it is yet to be approved by an admin, the status will change to Waiting.

5.2 Check Out the Password

  1. Once the administrators approve your password request, navigate to the Connections tab and find the account.
  2. Hover your mouse over the thumbnail of the required account and click Check Out to check out the password and gain access to the account. You can use the account for 30 minutes after which the password will be automatically checked in and your access will expire.

The green icon indicates that the password request is approved and the password is available for check out.

If a user has checked out the password and is currently using it, other users will not be able to request for access. During this time, you can see the option In Use and a red icon on the thumbnail to indicate that the password is currently in use.

5.3 Check In the Password

Once you are done using the password, hover your mouse over the thumbnail of the account and click Check In to check in the password. Now, the password will be available for request again.

6. Accessing RemoteApps

Configure RemoteApp for Windows and Windows Domain resources to allow access only to specific applications in an account. Click here to learn in detail about how to configure RemoteApp in PAM360. Once you have configured the RemoteApps and associated them with the resources, you will find the option to launch a remote session and open the particular app alone.

To launch a RemoteApp:

  1. Navigate to the Connections tab and find the resource which is associated with the RemoteApp.
  2. Hover your mouse over the thumbnail of the required account and click Windows Remote Desktop. A list of RemoteApps associated with this account will pop up. Click the required RemoteApp name and it will open up in a new tab.

    Note: RemoteApp configuration overrides the access level provided to a user while sharing the resource.

6.1 Use Case Scenarios

Let's assume that CHNPROD-WIN10 is a Windows resource and CHNWinDom-01 is a Windows Domain resource.
     
Scenario 1: RemoteApp is configured in the Windows resource

The Windows resource is shared to User A with RemoteApp Only access level and the Windows Domain resource is shared with View level access.

RemoteApp is configured at a resource-level in CHNPROD-WIN10 for the Notepad application.

In this case, if User A tries to log into CHNPROD-WIN10 using the Domain accounts of CHNWinDom-01, PAM360 will allow them to connect to the Notepad application only.

Scenario 2: RemoteApp is configured in the Windows Domain resource

RemoteApp is configured at a resource-level in CHNWinDom-01 for the Notepad application.

If User A tries to log into CHNPROD-WIN10 using the Domain accounts of CHNWinDom-01, PAM360 will allow unrestricted access to the CHNPROD-WIN10 resource. That is because, in this case, User A's target resource is not the Windows Domain resource for which the RemoteApp is configured. The domain accounts belonging to CHNWinDom-01 are only being used to log into the target resource, which is CHNPROD-WIN10 and User A's View level access to CHNPROD-WIN10 will be invoked as it has no RemoteApp configuration to override it.

Scenario 3: Windows resource and Windows Domain resource are configured with different RemoteApps.

At a resource-level, Notepad is configured as the RemoteApp for CHNPROD-WIN10 and Calculator is configured for CHNWinDom-01.

If User A tries to log into CHNPROD-WIN10 using the domain accounts belonging to CHNWinDom-01, they will be able to access only the Notepad application.

Similarly, if they try to access CHNWinDom-01 using the domain accounts, they will be able to access the Calculator. To access the Calculator application instead, User A must log into CHNWinDom-01 using one of the domain accounts available.

7. Configuring Connection Settings for Accounts

Customize the accounts added to PAM360 using the advanced configuration settings provided by PAM360. Through this customization, you can optimize SSH, RDP, and VNC connections launched from PAM360 and improve the overall user experience. Please note that all the configuration changes made here will be applied locally to the remote system also.

Click here to learn how to configure Connection Settings in detail.

8. Configuring Gateway Settings for Remote Sessions

Customize gateway settings from the Admin tab to set up a different port, customize HTTP header log settings, choose SSL protocols to be used for securing remote connections initiated from the PAM360 interface. Here, you can also edit and control the cipher suites used for SSL communication.

Click here to learn how to configure gateway settings in detail.

9. Configuring SSH Command Control (Filtering)

SSH command control (filtering) is a feature that allows users to execute a set of predefined commands in remote sessions. In PAM360, this is achieved by configuring command groups at different group levels that include accounts, resources, and resource groups. The entire process minimizes the privilege for highly privileged accounts, thus making them more secure and constrained from internal exploitation.

Click here to learn how to configure SSH command control (filtering) in detail.
Top
Back to Top