Create TCP/UDP Services to Access a Device

Create a TCP/UDP Service to invoke a local third-party application on a client to connect to a device. The target device does not have to host the client application, which must reside on the user client computer.
Examples of such clients include: 
You can also import Services in batch mode using a CSV file. See Import or Export Services for instructions. 
Configure a TCP/UDP Service
To add a TCP/UDP Service, follow these steps:
  1. Select Services, Manage TCP/UDP Services.
  2. Select Add for a new TCP/UDP service.
  3. For Service Name, enter a name for the customized service.
  4. For Local IP, enter a local IPv4 address for this service. The Local IP column on the TCP/UDP Services page lists the existing IP addresses for other services.
  5. Ports: Define all ports that the client application opens to gain access to the device, using one of these formats:
     • Port combination/redirection syntax: RemotePort:LocalPort or RemotePort:* (separated by a colon).
       RemotePort is on the destination device. Specify an integer.
       LocalPort is the local port over which the listener waits for connections on the local user desktop. Enter an * (asterisk) to let Privileged Access Manager set the value to any available port. Always specify an * (asterisk) for the local port in Citrix XenApp environments. To enter a specific port number, enter an integer.
       Example: 22:*
       Example: 22:8855
     • Multiple ports syntax: Each port is separated by a space, comma, or comma and space.
       Example: 67 3450 23
       Example: 5740, 3221, 31225
     • Port range syntax: FirstPort-LastPort (minimum and maximum values separated by a dash). The port range limit is 500. A single range is allowed.
       Example: 14575-15004
     Do not combine multiple ports with port ranges. Use only one entry type. The following example is incorrect: 51000-51002, 55555
  6. Protocol: Select the transport protocol that the service uses from the drop-down list.
  7. Select the Enable check box. Disabled services appear shaded on the Devices page and do not work for any user, including super.
  8. Show in Column: Select this check box to show the service as a button on the Access page. Otherwise, services appear in a drop-down list, which is more compact.
  9. Application Protocol: Select a protocol for communication to the remote target. If you want to invoke an application on a client (other than SSH), accept the default, "Disabled."
  10. For Client Application, enter the path if you want to invoke the client automatically. The path that you specify here is launched when a user accesses the service. The user can also set or override this path at launch time. To use a path that requires embedded spaces, enclose the directory path, including the application executable filename, in quotation marks. Do not enclose the entire string in quotes or the command does not execute.
     Use these literal strings as variables that Privileged Access Manager substitutes:
     • <Local IP> is replaced with the IP address in the Local IP field. Do not repeat the local IP here.
     • <First Port> is replaced with the first local port (after the colon) that is defined in Ports. Do not repeat the first port here.
     • <User> is replaced with the account name that is used in the access method. Do not repeat the account name here.
     • <Second Port> is replaced with the second local port (if any) that is defined in Ports. Do not repeat the second port here.
     • <Device Name> is replaced with the Name of the Device. Some application connection arguments can use this variable. For example, in WinSCP, /sessionname=<Device Name> displays the device name instead of the IP address in the application title bar.
     For example, if WinSCP is the application on the client, enter the following path:
     "C:\Software\WinSCP\WinSCP.exe" scp://<User>:<Password>@<Local IP>
     Important! In the WinSCP example, use the literal strings <User>, <Password>, and <Local IP>. Do not enter the actual values for these strings.
     The <Password> variable poses a security risk. It exposes the password to the client, which might log it or might expose it as an argument. When the user connects, a "View Credential" link is shown. You can mitigate this risk by configuring the  with the Change Password On View option.
  11. Select OK.
  12. Create a Device that corresponds to the target device.
     1. In Devices, Manage Devices, create a Device with the target IP address (do not use FQDN) in the Address field.
     2. On the Services tab, use the controls to move the service that you created from Available Services to Selected Services.
     3. Select OK.
  13. Create a Target Application using the target device as Host Name. See Add Target Applications for more information.
  14. Create a Target Account using the target application as Application Name. The Account Name is substituted for <User> and the Password for <Password>. See Add Target Accounts for more information.
  15. Create a Policy linking the Target Device to a User or Group.
     1. On the Services tab, select the Service that you created.
     2. In the Target Account column, use the Edit magnifying glass icon to select the Account.
     The Service appears on the Access page for the selected User or Group.
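As an added example (not part of this documentation or of the product), the following Python script applies the Ports rules from step 5 and the variable substitution from step 10 before a service is entered, so that a mixed ports entry, an over-wide range, or a Client Application path that embeds <Password> is caught ahead of time. The variable list, the 1-65535 port check and the sample values are this example's own assumptions.

```python
import re

# Literal strings that Privileged Access Manager replaces when it launches the client (step 10).
VARIABLES = ("<Local IP>", "<First Port>", "<Second Port>", "<User>", "<Password>", "<Device Name>")
RANGE_LIMIT = 500  # widest port range the Ports field accepts (step 5)

def _port(text):
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"port {value} is outside 1-65535")
    return value

def parse_ports(entry):
    """Classify a Ports entry (step 5) as 'redirection', 'list' or 'range'; raise ValueError
    for a range wider than 500 ports, more than one range, or a range mixed with ports."""
    entry = entry.strip().replace("\u2013", "-")  # tolerate a pasted en dash
    if m := re.fullmatch(r"(\d+):(\d+|\*)", entry):  # RemotePort:LocalPort or RemotePort:*
        local = "*" if m[2] == "*" else _port(m[2])
        return {"kind": "redirection", "remote": _port(m[1]), "local": local}
    if m := re.fullmatch(r"(\d+)-(\d+)", entry):  # FirstPort-LastPort
        first, last = _port(m[1]), _port(m[2])
        if first > last or last - first + 1 > RANGE_LIMIT:
            raise ValueError(f"{entry}: reversed or wider than {RANGE_LIMIT} ports")
        return {"kind": "range", "first": first, "last": last}
    if "-" in entry:  # e.g. 51000-51002, 55555
        raise ValueError(f"{entry}: a range must be the only entry")
    ports = [_port(p) for p in re.split(r"[ ,]+", entry) if p]  # 67 3450 23 or 5740, 3221, 31225
    if not ports:
        raise ValueError("no ports given")
    return {"kind": "list", "ports": ports}

def is_valid_ports_entry(entry):
    try:
        parse_ports(entry)
        return True
    except ValueError:
        return False

def render_client_command(template, values):
    """Substitute the literal variables in a Client Application path (step 10);
    variables without a value stay in place so the gap is visible."""
    for var in VARIABLES:
        if var in values:
            template = template.replace(var, str(values[var]))
    return template

def exposes_password(template):
    """True when the path embeds <Password>, which the page flags as a risk because the
    client may log it or expose it as a command-line argument."""
    return "<Password>" in template
```

Run exposes_password() over the Client Application paths of existing services to list the ones that depend on the Change Password On View mitigation.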
Next Steps