HTTPS Gateway Server
PAM360 now allows you to configure a secure HTTPS gateway server to act as an intermediary proxy, facilitating the launch of privileged connections to resources that support URLs and are not accessible from PAM360 user devices. The connections are established using HTTPS-based web links, where the target URL can be an internal or external resource URL or an intranet link. You can also configure the HTTPS gateway server with a preferred port, KeyStore path, and KeyStore password to secure the connection to the target URL.
For additional information on the configurations and limitations of the HTTPS gateway server, please refer to the following sections.
- Roles and Permissions
- Configuring HTTPS Gateway Server
- Configuring Resources for HTTPS Gateway Connections
  - 3.1 Configuring Auto Logon Helper for HTTPS Gateway Connections
  - 3.2 Adding URL (HTTPS-Based) to the Resources
  - 3.3 HTTPS Gateway Connections
- Functional Behavior in Multi-Server Environment
- Limitations of HTTPS Gateway Server
1. Roles and Permissions
By default, users with the administrator role can configure the HTTPS gateway server, and users with the administrator and connection user roles can take HTTPS connections through the gateway server. Apart from these user roles, administrators can allow other PAM360 users to configure the HTTPS gateway server and/or to take HTTPS connections through the configured gateway by enabling the custom roles that follow:
1.1 HTTPS Gateway Server
Navigate to 'Admin >> Customization >> Roles >> Add Role >> PAM360 Settings', and enable the custom role 'HTTPS Gateway Server'. Enabling this custom role will allow the users to configure the HTTPS gateway server.
1.2 HTTPS Gateway Connection
Navigate to 'Admin >> Customization >> Roles >> Add Role >> Remote Access', and enable the custom role 'HTTPS Gateway Connection'. Enabling this custom role will allow the users to launch HTTPS connections through the configured gateway server.
2. Configuring HTTPS Gateway Server
After PAM360 is installed, the HTTPS gateway server is configured and running by default. To reconfigure the HTTPS gateway server as per your requirements, navigate to 'Admin >> Configuration >> HTTPS Gateway Server' and follow the steps below:
- Port - The HTTPS gateway server uses port 8285 by default. If port 8285 is already used by another application or instance in your organization, change it to any available port.
- KeyStore Path - By default, a KeyStore file named 'httpsCerts.keystore' is available in the conf folder of the PAM360 installation directory to store all the HTTPS connection-related certificates. If you need:
  - A unique KeyStore file for greater security reasons to save all your HTTPS connection-related certificates
  - To make your HTTPS gateway connection secure
- KeyStore Password - If you have created a new KeyStore file specific to this HTTPS gateway server, enter the password you set when generating that KeyStore file.
- Click Update to save and start the HTTPS gateway server with the updated configuration.
- Most HTTPS connections will work securely through the HTTPS gateway server. A few specific HTTPS connection URLs require their root certificate in order to connect securely through the gateway server. For those URLs to work securely, the relevant root certificates have to be imported into the HTTPS gateway server's KeyStore. To import those certificates into the KeyStore, do the steps that follow:
  - Navigate to 'Admin >> HTTPS Gateway Server >> Connection Certificates'.
  - Browse to the root certificate of the respective URL.
  - Click Import to save the added certificate in the configured KeyStore file for subsequent secure HTTPS connections.
  - After importing each certificate, the HTTPS gateway server has to be restarted. To do so, use the toggle button in the Server Settings tab.
For the HTTPS gateway server to work efficiently in an organization with load balancer(s) configured for PAM360 web service, do the steps that follow:
- Configure the remote host feature of PAM360.
- Navigate to <PAM360 Installation Directory>/conf and open the file named system_properties.
- Add a new system property https.gateway.server.loadbalancer.enabled=true.
Note:
Without the remote host feature and the new system property, the gateway server sees the load balancer's IP address as the source of every request instead of the actual client's address. All requests are then counted against the load balancer's single IP address, so it reaches the maximum HTTPS gateway threshold far sooner than any individual client would.
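The note above is a general property of any per-client threshold sitting behind a load balancer. The following is an added illustration, not PAM360 code and not a description of how the remote host feature is implemented: it assumes a hypothetical threshold of three sessions per address, a constructed load balancer address (10.0.0.5), and that the load balancer conveys the original client in an X-Forwarded-For header, which is honoured only when the request really arrives from the trusted load balancer.

```python
"""Per-client session threshold with and without recovering the real client
address behind a load balancer (added illustration, not PAM360 code)."""
from collections import Counter
from ipaddress import ip_address, ip_network

MAX_SESSIONS_PER_IP = 3                           # hypothetical per-client threshold
TRUSTED_PROXIES = [ip_network("10.0.0.5/32")]     # constructed load balancer address
FORWARD_HEADER = "X-Forwarded-For"                # assumed header carrying the original client

# Constructed requests as the gateway sees them: (TCP peer address, request headers).
# The first four all arrive from the load balancer on behalf of different clients;
# the last one comes from a client that bypassed the load balancer and forged the header.
REQUESTS = [
    ("10.0.0.5", {FORWARD_HEADER: "192.0.2.10"}),
    ("10.0.0.5", {FORWARD_HEADER: "192.0.2.11"}),
    ("10.0.0.5", {FORWARD_HEADER: "192.0.2.12"}),
    ("10.0.0.5", {FORWARD_HEADER: "192.0.2.13"}),
    ("198.51.100.7", {FORWARD_HEADER: "192.0.2.99"}),
]


def client_ip(peer, headers, remote_host_enabled):
    """Address the threshold is keyed on.

    With the remote host feature off, the only address available is the TCP peer,
    which behind a load balancer is always the load balancer itself. With it on,
    the forwarded header is honoured, but only when the peer is a trusted proxy,
    so a direct client cannot choose its own identity by sending the header.
    """
    if not remote_host_enabled:
        return peer
    forwarded = headers.get(FORWARD_HEADER)
    if forwarded and any(ip_address(peer) in net for net in TRUSTED_PROXIES):
        # Left-most entry is the originating client; later entries are proxies.
        return forwarded.split(",")[0].strip()
    return peer


def admit(requests, remote_host_enabled):
    """Apply the per-address threshold to a burst of concurrent session requests.

    Returns (admitted, rejected), each a list of (peer, keyed address) tuples.
    """
    active = Counter()
    admitted, rejected = [], []
    for peer, headers in requests:
        key = client_ip(peer, headers, remote_host_enabled)
        if active[key] >= MAX_SESSIONS_PER_IP:
            rejected.append((peer, key))
        else:
            active[key] += 1
            admitted.append((peer, key))
    return admitted, rejected


if __name__ == "__main__":
    for enabled in (False, True):
        ok, refused = admit(REQUESTS, enabled)
        print(f"remote host {'on ' if enabled else 'off'}: "
              f"{len(ok)} admitted, {len(refused)} rejected {refused}")
```

With the feature off, the fourth legitimate client is refused because all four requests are counted against 10.0.0.5; with it on, each client is counted separately, while the forged header from the direct client is ignored because 198.51.100.7 is not a trusted proxy.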
3. Configuring Resources for HTTPS Gateway Connections
Once done with the HTTPS gateway server configuration, you can proceed with auto-logon configuration and adding resource URLs from the Resources tab for further use of HTTPS gateway connections.
3.1 Configuring Auto Logon Helper for HTTPS Gateway Connections
By default, the HTTPS Gateway connection supports the following resource types: Web Site Accounts, Windows, WindowsDomain, and Linux. If you want to use this HTTPS gateway for other resource types that support web-based URLs, do the steps that follow:
- Navigate to 'Admin >> Customization >> Auto Logon Helper'.
- Click the edit icon beside the HTTPS Gateway.
- Select the resource types that support web-based URLs and move them to the right column.
- Click Save to update the supported resource types.
3.2 Adding URL (HTTPS-Based) to the Resources
You can add a URL to a resource in two ways: while adding a new resource, or to an existing resource using the resource edit option. For an existing resource in PAM360:
- Navigate to the Resources tab.
- Under the Resource Actions column, select Edit Resource beside the resource for which the remote connection is to be taken via the HTTPS gateway connection type.
- In the pop-up that appears, enter a valid URL of type HTTPS web link in the Resource URL field.
- Click Save to update.
- The resource now offers HTTPS gateway connection as a remote connection type.
3.3 HTTPS Gateway Connections
Users with the HTTPS Gateway Connection role (administrators, connection users, users with custom roles) can take remote connections using the following methods:
- From Connections >> Remote Connections >> HTTPS Gateway Connections.
- In the Resources tab, from the Remote Connection option beside the configured resource, select Open HTTPS Gateway Connections.
Once the session to the target URL is launched from the respective page, the web page will open in a new tab with the server URL and the custom port as provided. (E.g., https://server-name:8285/GS_36c1cc2f_/{uri})
Notes:
- The HTTPS gateway server is limited to the configuration in the MSP Org and cannot be configured in client Orgs. Nevertheless, resources at client Orgs can be set up with resource URLs to use the HTTPS gateway server configured at the MSP Orgs for their HTTPS gateway connection.
- Adjust the PAM360 cookie settings before authenticating a session to other ManageEngine products through the HTTPS gateway server. This is necessary because ManageEngine application services such as ADMP and ADFS use cookie names similar to those of PAM360.
4. Functional Behavior in Multi-Server Environment
- Disabling the HTTPS gateway server on a single server within an application-scaling environment will not stop the gateway server entirely. To stop the HTTPS gateway server entirely, restart the PAM360 application on all the remaining servers.
- For the HTTPS gateway connection functions to work seamlessly on multiple servers (primary and secondary):
  - The KeyStore path must be provided in the form of a common UNC path.
  - The port should be the same across all servers.
- It is not possible to set up the HTTPS gateway server on the Read-Only server.
5. Limitations of HTTPS Gateway Server
- We support adding only HTTPS-based web links as connections in PAM360.
- If users navigate to sites different from the configured target URLs, their actions will no longer be routed through the HTTPS proxy server. This rule also pertains to websites utilizing external sites for authentication and related functions.
- Currently, only a host name or domain name can be entered as the target URL; a target URL that includes a path (Uniform Resource Identifier, URI) is not yet supported.
- We do not support websites that contain absolute CSS and JS source paths.
- We do not support websites that allow requests only from trusted domains.
- Connections to other ManageEngine product URLs, such as Password Manager Pro and ServiceDesk Plus, cannot be authenticated because they share common cookies with PAM360.
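The limitations about external sites and absolute CSS/JS paths both follow from how a path-prefixing gateway works: a proxied page is served from a gateway URL of the form shown in section 3.3, and the browser resolves every link on that page against that URL. The following is an added illustration of that resolution, not PAM360's own rewriting logic; it takes the gateway origin and session prefix from the page's example URL and assumes a constructed target host (https://intranet.example) and a constructed set of links.

```python
"""How links in a proxied page resolve under a path-prefixing HTTPS gateway
(added illustration, not PAM360 code)."""
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://server-name:8285"    # gateway origin from the page's example URL
PREFIX = "/GS_36c1cc2f_/"               # session path prefix from the page's example URL
TARGET = "https://intranet.example"     # constructed target host, unreachable from user devices

# Constructed links as they might appear in a proxied HTML page.
CONSTRUCTED_LINKS = [
    "style.css",                               # relative
    "../login",                                # relative, climbing one level
    "/static/app.css",                         # root-relative (absolute path)
    "https://intranet.example/js/app.js?v=2",  # absolute URL on the target host
    "https://sso.example/auth",                # external site used for authentication
]


def page_on_gateway(target_path):
    """URL the browser sees for a target page under the gateway's {uri} scheme."""
    return GATEWAY + PREFIX + target_path.lstrip("/")


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def classify(gateway_page, link):
    """Where a link on the proxied page actually takes the browser."""
    dest = urljoin(gateway_page, link)          # what the browser resolves the link to
    if dest.startswith(GATEWAY + PREFIX):
        return "proxied"            # relative link: stays inside the session prefix
    if _origin(dest) == GATEWAY:
        return "lost-prefix"        # absolute path: hits the gateway host outside the session
    if _origin(dest) == TARGET:
        return "bypasses-gateway"   # absolute target URL: browser goes direct, not via the gateway
    return "external"               # another site: never routed through the proxy


def rewrite(gateway_page, link):
    """Rewrite same-host links so they land back under the session prefix.

    External links are returned as the browser would resolve them, unchanged,
    since the gateway only fronts the configured target.
    """
    dest = urljoin(gateway_page, link)
    kind = classify(gateway_page, link)
    if kind in ("lost-prefix", "bypasses-gateway"):
        parts = urlsplit(dest)
        query = f"?{parts.query}" if parts.query else ""
        return GATEWAY + PREFIX + parts.path.lstrip("/") + query
    return dest


def audit(gateway_page, links):
    """Map each link to its classification; anything not 'proxied' leaves the session."""
    return {link: classify(gateway_page, link) for link in links}


if __name__ == "__main__":
    page = page_on_gateway("/portal/index.html")
    for link, kind in audit(page, CONSTRUCTED_LINKS).items():
        print(f"{kind:17} {link} -> {rewrite(page, link)}")
```

Only the relative links stay inside the session prefix on their own. A root-relative path such as /static/app.css resolves to the gateway host without the session prefix, and an absolute target URL sends the browser straight to a host that user devices cannot reach; both need the rewrite shown, which is only possible where the gateway can see and edit the link. A link to another site resolves outside the gateway altogether, which is why actions on external sites, including external authentication, are no longer routed through the proxy.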