Devices are categorized into three types. A Device object can represent any physical device logically using one or more of these types:
Device Licenses (Licensing page):
- Access Device: Network-addressable computing Device (identified by the label "Access" in Global Settings and in a Device template).
- Password Device: Device for which passwords are managed (pushed from Privileged Access Manager); identified by the label "Password Management" in Global Settings and in a Device template.
- A2A Device: Device running application clients that connect to Privileged Access Manager to retrieve passwords (identified by the label "A2A" in Global Settings and in a Device template).
A Device Type license permits a maximum number of Devices for each Device Type. The maximum number and the current count of each Device Type appear on the Access Dashboard under License Usage. The same numbers also appear on the System Information dialog.
License Usage (Dashboard page):
- Session Management license: for an Access Device (can co-exist with a Credential Manager Device)
- Credential Manager license: for a Credential Manager Device (can co-exist with an Access Device)
- A2A Management license: for an A2A Device
Privileged Access Manager enables secure access to devices, and does not allow a connection to any device until it has been approved at the device level. To complete this approval, access methods must be selected. This choice can be made when creating or updating the device, or when changing methods for existing devices.
- Prepackaged: Standard access methods have been built as Access Method applets and do not require any additional software to be installed on a user desktop.
- Custom: In addition to the default applet access, virtually any connection application can be configured to allow access by configuring local Privileged Access Manager Services.
Several prepackaged Access Method applets are available, with support for VNC, TELNET, SSH, RDP, and serial connections. Default ports can be modified if the application is running on a different port from the one indicated.
Configuration is required at the following levels:
- Global-level: For an access method to be available, it must first be permitted (or "switched on") through the Global Settings interface.
- Device-level: In addition to the default applet access, Privileged Access Manager can be configured to allow access to virtually any connection application.
Graphical and CLI Applets
- VNC: VNC (Virtual Network Computing) is a graphical desktop remote access application that transmits keyboard and mouse movements. VNC applet access requires a VNC server to be running on the destination device. To use recording, the VNC server must be set to basic unencrypted mode.
- Telnet: Administrators often use this tool to connect to UNIX hosts running the TELNET daemon.
- SSH: Secure Shell protocol. The SSH applet connects to servers running the SSH daemon. It does not require the client end user to have SSH client software such as PuTTY installed.
- RDP: RDP is an access method for connecting to Microsoft Terminal Services and is commonly used for administration of Windows servers. The RDP applet is optimized to take advantage of RDP 6.x compression types, with noticeable reductions in file size in comparison with RDP 5.2. RDP remote device usernames are not prepopulated from Privileged Access Manager login usernames. Instead, the User can populate this name through a field on the
- TLS levels: As of release 2.6, the RDP client (the applet) supports TLS 1.2 connections and supports the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite.
- Performance: Sometimes it is not possible to write an RDP recording to storage as fast as it is being created. In such cases, Privileged Access Manager throttles interaction; from the User's point of view, the session "slows down." The overall data transfer rate is reduced so that writing to the share can complete.
- XRDP: The Privileged Access Manager RDP client applet can also be used to connect with an XRDP server running on a managed Linux Device. Due to limitations in XRDP compression support, RDP-to-XRDP sessions use more bandwidth, and session recordings can be much larger than recordings for RDP-to-RDP sessions. Encryption support requires a setting in the xrdp.ini file on the XRDP host.
TN3270 and TN5250 are Telnet clients for the IBM mainframe or AS/400 server that emulate 3270 and 5250 terminals and printers. SSL versions are available to provide SSL/TLS support. Support for AS/400-class applet Display Names (TN5250 and TN5250SSL only) is provided on the User Information page with the Mainframe Display Name field.
- TN3270: IBM 3270 Telnet class
- TN3270SSL: IBM 3270 Telnet class with SSL
- TN5250: IBM 5250 Telnet class
- TN5250SSL: IBM 5250 Telnet class with SSL
Due to the variety of target mainframe applications, we do not have a standard automatic login option for the mainframe applets. For TN3270 and TN3270SSL, we offer built-in macros for the username (Ctrl-U) and password (Ctrl-P). During login, the user enters these key combinations to enter the configured user name and password. The password macro only works when the password entry field is hidden, so the password is not visible to the user.
Services are a way to customize access to the devices. An administrator can create services on known ports and for specific applications. These services can include fat-client access such as SQL query front ends, mainframe clients, or any proprietary application that uses TCP or UDP connections.
Services that are prepackaged with the product are identified here.
Privileged Access Manager ships with several preconfigured SFTP/FTP Services. These services currently support several SFTP/FTP servers, including OpenSSH-derived Linux, AIX, and Solaris SFTP implementations. Microsoft IIS SFTP/FTP implementations are also supported, with a known limitation when multiple hard drives are present.
While other FTP servers might be compatible, Privileged Access Manager does not test or verify them. The preconfigured services must be used to track target device SFTP/FTP activity to meet compliance requirements for many customers. The activity is tracked in session logs. The service names that are suffixed with "emb" provide the WinSCP client to users without any FTP client application installed. We encourage input on any FTP servers that appear incompatible with Privileged Access Manager, and consider adding support for more FTP servers as business needs permit. Our goal is to provide the most comprehensive access solution for our customers while balancing the need for Access Control and Audit.
- sftpftp: With use of an SFTP client, transports files to and from FTP servers.
- sftpsftp: With use of an SFTP client, transports files to and from SFTP servers.
- sftpftpemb: This service downloads a WinSCP client to the user desktop. WinSCP is a free and open-source SFTP and FTP client for Microsoft Windows.
- sftpsftpemb: This service downloads the WinSCP client to the user desktop.
When running SFTPFTPemb or SFTPSFTPemb, a default option for WinSCP file transfer causes the resulting file to be partially saved. Change the WinSCP setting "Other general options: Preferences, transfer resume/transfer to temporary filename for" from its default of "Files above: 100KB" to "Disable"; users can then successfully "PUT" files onto the remote server.
With Microsoft Terminal Services, single target-hosted applications can be published through RDP instead of allowing access to the entire desktop. This functionality is only available to servers running Microsoft Terminal Server. On Windows Server 2008, more setup is required.