Access Methods

Access Methods are the out-of-the-box communications applets that provide connectivity and session recording. The applets support VNC, TELNET, SSH, RDP, and serial connections. You can change default ports and you can disable protocols for the whole system. Access method applets are downloaded from Symantec PAM to a local computer and rely on locally installed Java.
Configuring an Access method is a two-step process:
  1. Select the Access Method from the Global Settings menu in the UI.
  2. Assign an access method to one or more target devices.
This topic describes the following information and tasks:
Access Method Options
Symantec PAM provides the following access methods:
GUI Access Methods
  • VNC (Virtual Network Computing) is a graphical desktop remote access application that enables access to the device being monitored. A Mac, Windows, UNIX, or X Windows desktop can be accessed directly using this feature. VNC sessions can be graphically recorded. This feature requires installation of the VNC service on each of the monitored devices.
    VNC limitations:
    • If an SFA is installed on a Windows system, the SFA filters do not get applied to VNC connections.
    • VNC access does not support auto-login to a remote Windows device.
  • RDP - Remote Desktop Protocol (RDP) is an access method for connecting to Microsoft Terminal Services. RDP is commonly used for administration of Windows servers. The RDP applet takes advantage of RDP 6.x compression types, which reduce file size compared to RDP 5.2. RDP sessions can be graphically recorded.
CLI Access Methods
  • Telnet provides standard Telnet access to a host. A Telnet service must run on the accessed device for this access method to work. See the specific device manufacturer documentation on how to set it up. The product does not support Telnet sessions to itself.
  • SSH - The product supports SSH Version 1 & 2. SSH must be running on the accessed device for this access method to work. See the specific device or system manufacturer documentation on how to set it up.
Mainframe
TN3270 and TN5250 are Telnet clients for the IBM AS/400 that emulate 5250 terminals and printers. SSL versions are available for SSL/TLS support.
  • TN3270
  • TN5250
  • TN3270SSL
  • TN5250SSL
Symantec PAM also supports AS/400-class applet display names, but only for TN5250 and TN5250SSL.
To use a display name, follow these steps:
  1. Select your user name in the upper right corner of the appliance display.
     The User Information window appears.
  2. On the Basic Info tab, enter a Mainframe display name.
  3. Select OK.
Select Access Methods
  1. Select Settings, Access Methods.
  2. Select the methods to be made generally available for a device configuration.
     If you do not want to use a particular access method, clear its checkbox to disable it. If you disable a particular access method, it is unavailable for all devices.
RDP Client Applet Security Requirement
If you select the RDP Client applet, the applet supports TLS 1.2 connections and the applet supports the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite. The RDP Client also supports forward secrecy using the following supported cipher suites:
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
For the highest level of security, ensure that your RDP target device (the Windows server) is configured to use forward secrecy with TLS 1.2 communication.
If Symantec PAM is operating in FIPS mode, but the RDP server does not support FIPS-compliant communication, you receive an error. The error says "Cannot connect to target_server because the server did not offer a FIPS-compliant option for communication." Ask your Administrator to verify the server configuration.
SSH Applet Requirement
Beginning with version 3.3, the SSH applet uses these cryptographic algorithms:
  • Ciphers = aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr
  • Hashes = hmac-sha2-512, hmac-sha2-256
  • Key Exchange methods = ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group-exchange-sha256 with DH 4096-bit key
To launch the SSH applet from a Java-based browser and support these algorithms, verify that the installed JRE has the necessary policy JARs.

Follow these steps to obtain the policy JARs:

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from a third party.
  2. Extract the new policy files and replace your existing policy files in your JRE.
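Because the applet offers only the algorithm lists above, a target whose sshd_config restricts ciphers, MACs or key exchange to other values cannot be reached through it. The following added example (not part of Symantec PAM or this page) parses an sshd_config fragment and reports, per algorithm class, which entries both sides offer; the sample configuration is constructed for the example.

```python
import re

# Algorithms the Symantec PAM 3.3 SSH applet offers, as listed on this page.
PAM_SSH_ALGS = {
    "Ciphers": ["aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc", "aes128-ctr"],
    "MACs": ["hmac-sha2-512", "hmac-sha2-256"],
    "KexAlgorithms": ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384",
                      "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"],
}
KEYWORDS = {k.lower(): k for k in PAM_SSH_ALGS}   # sshd keywords are case-insensitive

# Constructed sshd_config fragment (not a real server's file): the MACs line
# allows only etm variants, none of which the applet offers.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256
"""

def parse_sshd_algorithms(config_text):
    """Return {keyword: [algorithms]} for Ciphers/MACs/KexAlgorithms lines.
    sshd honours the first occurrence of a keyword. A '+' prefix appends to
    the defaults, so the list is a lower bound; '-' or '^' edit the defaults
    and are recorded as None because the full list is not in the file."""
    found = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)^(Ciphers|MACs|KexAlgorithms)\s+(\S+)", line)
        if not m:
            continue
        key, value = KEYWORDS[m.group(1).lower()], m.group(2)
        if key in found:
            continue
        found[key] = None if value[0] in "-^" else value.lstrip("+").split(",")
    return found

def check_pam_compatibility(config_text):
    """Per algorithm class, the algorithms offered by both the applet and the
    server. None: server uses or edits its defaults, inspect by hand.
    Empty list: no common algorithm, the applet session cannot negotiate."""
    server = parse_sshd_algorithms(config_text)
    report = {}
    for key, pam_list in PAM_SSH_ALGS.items():
        offered = server.get(key)
        report[key] = None if offered is None else [a for a in pam_list if a in offered]
    return report
```

For the sample, the MACs class comes back empty, which is the condition to fix on the server before assigning the SSH access method to that device.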
Customize Access Methods
You can customize the access method. Changes apply globally.
Follow these steps:
 
  1. Go to Settings, Access Methods.
  2. Select an access method to customize, and select Update.
  3. Modify the settings.
     If you update the default ports, only one port number can be specified per Access Method. No port ranges are allowed.
  4. Select OK.
The set of Access Methods available depends on which license you have. You must have a mainframe license for the TN applets to be available. Otherwise, those applets do not appear as options.
Assign an Access Method to a Device
The following procedure assumes you already configured a target device.
 
To assign an access method to a device:

  1. From the UI, select Devices, Manage Devices.
  2. Double-click the target device entry to open it.
  3. Select the Access Methods tab.
  4. Add an Access Method by selecting the plus sign. In the Name column, select an Access Method from the field drop-down list.
  5. Select Save and Configure Target Applications. Repeat as necessary to allow more methods to be used.
     You can remove any entry by selecting the X at the end of the entry row.
  6. When you finish adding methods, and making other changes to the Device record, select the Save button.
Set Up File Transfer Capability (Optional)
Some access methods need further configuration for functionality, such as file transfers. Symantec PAM supports file transfer to and from remote target devices through the SSH access method using the MindTerm applet. File transfers can be recorded. SCP and SFTP protocols are supported. SSH file transfer is globally enabled or disabled on a per Symantec PAM appliance basis.
The MindTerm applet command line window has a 512-column by 512-row limit. If you require a larger window, use PuTTY with TCP/UDP Services.
Enable SSH Terminal File Transfer (Administrator)
To set up file transfers using the SSH applet:
  1. Log in to the UI as an administrator with privileges to access global settings.
  2. Navigate to Settings, Global Settings, Applet Customization.
  3. Select the SSH Terminal File Transfer checkbox.
  4. Select Save.
  5. Set up a policy for a Symantec PAM user to use SSH as the access method for applicable target devices.
Accessing a Target Device using the SSH Access Method (User)
After SSH terminal file transfers are enabled, the user has access to the SCP and SFTP file transfers.
The following procedure explains how a Symantec PAM user selects the SSH access method:
  1. Log in to the UI as a User with permissions to execute the SSH access method.
  2. If necessary, navigate to the Access page.
  3. On the Access page, select an SSH icon to open a MindTerm applet to the configured target device.
  4. In the MindTerm Java applet window (labeled with your device name), select Plugins, SCP File Transfer to open a file transfer window.
  5. Use the MindTerm – SCP internal_IP_address applet file transfer window to perform the following functions:
     • Move files between your local client computer and the remote target Device. Use the arrows to move between directories in the list.
     • Use the following commands to execute tasks between the two system directories:
       • Double-click [..] – to jump to the parent directory, or directory_name to enter it.
       • ChDir – to specify a directory to jump to
       • MkDir – to create a directory
       • Rename – to change the name of the selected directory
       • Delete – to delete the currently selected file or directory
       • Refresh – to reload the current directory
Logging for File Transfer Transactions (Optional)
This table describes the types of log entries that are generated by file transfer transactions.

UI Button   Transaction   Log Entry Details
-->         put           Upload localpath/filename* (size) to remotepath/filename as user remote_user.
<--         get           Download localpath/filename* (size) from remotepath/filename as user remote_user.
ChDir       (none)        (no log entry)
Delete      alert         [Remote | Local] [file | folder] pathname has been deleted by user remote_user.
MkDir       alert         [Remote | Local] folder pathname has been created by user remote_user.
Refresh     (none)        (no log entry)
Rename      alert         [Remote | Local] [file | folder] path/old name has been renamed to path/new name by user remote_user.

* A directory (with or without files) can also be copied, but that action is not logged. Files within copied directories are each copied and logged.
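The entries above are free-text, so anyone reviewing file transfer activity has to parse them. The following added example (not part of Symantec PAM or this page) turns each documented entry form into a structured event and then keeps only the events that change the target device: uploads and Remote-side delete, MkDir and Rename operations. The sample log lines are constructed to follow the documented syntax.

```python
import re

# One pattern per documented entry form. Paths may contain spaces, so they
# are matched non-greedily up to the fixed wording that follows them.
LOG_PATTERNS = {
    "put": re.compile(r"^Upload (?P<local>.+?) \((?P<size>\d+)\) to (?P<remote>.+?) as user (?P<user>\S+)\.$"),
    "get": re.compile(r"^Download (?P<local>.+?) \((?P<size>\d+)\) from (?P<remote>.+?) as user (?P<user>\S+)\.$"),
    "delete": re.compile(r"^(?P<side>Remote|Local) (?P<kind>file|folder) (?P<path>.+?) has been deleted by user (?P<user>\S+)\.$"),
    "mkdir": re.compile(r"^(?P<side>Remote|Local) folder (?P<path>.+?) has been created by user (?P<user>\S+)\.$"),
    "rename": re.compile(r"^(?P<side>Remote|Local) (?P<kind>file|folder) (?P<old>.+?) has been renamed to (?P<new>.+?) by user (?P<user>\S+)\.$"),
}

# Constructed sample entries (not real appliance logs) in the documented syntax.
SAMPLE_LOG = [
    "Upload /home/ana/patch.tar (20480) to /opt/app/patch.tar as user svc_deploy.",
    "Download /home/ana/app.log (4096) from /var/log/app.log as user svc_deploy.",
    "Remote file /opt/app/old.tar has been deleted by user svc_deploy.",
    "Local folder /home/ana/backup has been created by user svc_deploy.",
    "Remote folder /opt/app/releases has been renamed to /opt/app/releases old by user svc_deploy.",
    "Session started for user svc_deploy",   # unrelated line, must be ignored
]

def parse_transfer_log(line):
    """Return {'action': ..., <named fields>} for a documented entry,
    or None for any other line. Transfer sizes are converted to int."""
    for action, pattern in LOG_PATTERNS.items():
        m = pattern.match(line.strip())
        if m:
            event = {"action": action, **m.groupdict()}
            if "size" in event:
                event["size"] = int(event["size"])
            return event
    return None

def remote_changes(lines):
    """Events that alter the target device: every upload, plus delete,
    mkdir and rename performed on the Remote side. Downloads and Local-side
    operations affect only the user's client computer."""
    events = [e for e in map(parse_transfer_log, lines) if e]
    return [e for e in events if e["action"] == "put" or e.get("side") == "Remote"]
```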