Create TCP/UDP Services to Access a Device

Create a TCP/UDP Service to invoke a local third-party client application that connects to a device. The target device does not need to host the client application; the application must reside on the user's client computer.
Examples of such clients include:
You can also import Services in batch mode using a CSV file. See Import or Export Services for instructions.
Configure a TCP/UDP Service
To add a TCP/UDP Service, follow these steps:
  1. Select Manage TCP/UDP Services.
  2. Select for a new TCP/UDP service.
  3. For Service Name, enter a name for the customized service.
  4. For Local IP, enter a local IPv4 address for this service. The Local IP column on the TCP/UDP Services page lists the IP addresses already used by other services.
  5. Ports: Define all ports that the client application opens to gain access to the device, using one of these formats:
    • Port combination/redirection
      * (separated by a colon)
      is on the destination device. Specify an integer.
      is the local port on which the listener waits for connections on the local user desktop. Enter an * (asterisk) to let Privileged Access Manager choose any available port. Always specify an * (asterisk) for the local port in Citrix XenApp environments. To use a specific port number, enter an integer.
      Example: 22:*
      Example: 22:8855
    • Multiple ports
      syntax: Separate each port with a space, a comma, or a comma and a space.
      Example: 67 3450 23
      Example: 5740, 3221, 31225
    • Port range
      syntax: minimum and maximum values separated by a dash. The port range limit is 500, and only a single range is allowed.
      Example: 14575-15004
    Do not combine multiple ports with port ranges; use only one entry type. The following entry is incorrect: 51000-51002, 55555
  6. Protocol: Select the transport protocol that the service uses from the drop-down list.
  7. Select the checkbox. Disabled services appear shaded on the Devices page and do not work for any user, including
  8. Show in Column: Select this check box to show the service as a button on the Access page. Otherwise, Services appear in a drop-down list, which is more compact.
  9. Application Protocol: Select a protocol for communication to the remote target. If you want to invoke an application on a client (other than SSH), accept the default, "Disabled."
  10. X11: For the SSH protocol, this option enables the X11 protocol for the user interface.
  11. Send keep-alive interval: For the SSH protocol, this option tells SSH to send keep-alive messages so that sessions do not time out. Valid values are 60 seconds (minimum) to 172800 seconds (48 hours). Default is 0 (disabled mode).
    This setting changes how SSH rekey operations, background jobs, and activity in SSH sessions (such as running commands like
    that update the terminal at regular intervals) affect the applet timeout functionality of PAM. The following table shows how this setting behaves in relation to the rekey operation (cells missing from the source are left blank):
    Keep Alive Setting                                                            | If Rekey > Applet Timeout          | If Rekey < Applet Timeout
                                                                                  | Background Job  | Activity in SSH  | Background Job  | Activity in SSH
    0 (Disabled)                                                                  | No timeout      | No timeout       | No timeout      |
    Keep-alive is less than applet timeout (overrides original timeout behavior)  |                 |                  |                 |
    Keep-alive is greater than applet timeout                                     | Same as 0 (Disabled) |             |                 |
  12. For Client Application, enter the path if you want to invoke the client automatically. The path that you specify here is launched when a user accesses the service. The user can also set or override this path at launch time. If the path contains embedded spaces, enclose the directory path, including the application executable filename, in quotation marks. Do not enclose the entire string in quotes, or the command does not execute.
    Use these literal strings as variables that
    Privileged Access Manager
    • <Local IP> is replaced with the IP address in the Local IP field. Do not repeat the local IP here.
    • <First Port> is replaced with the first local port (after the colon) that is defined in Ports. Do not repeat the first port here.
    • <User> is replaced with the account name that is used in the access method. Do not repeat the account name here.
    • <Second Port> is replaced with the second local port (if any) that is defined in Ports. Do not repeat the second port here.
    • <Device Name> is replaced with the Name of the Device. Some application connection arguments can use this variable. For example, in WinSCP, /sessionname=<Device Name> displays the device name instead of the IP address in the application title bar.
    For Example: If WinSCP is the application on the client, enter the following path:
    "C:\Software\WinSCP\WinSCP.exe" scp://<User>:<Password>@<Local IP>
    In the WinSCP example, use the literal strings <User>, <Password>, and <Local IP>. Do not enter the actual values for these strings.
    The <Password> variable poses a security risk. It exposes the password to the client, which might log it or expose it as a command-line argument. When the user connects, a "View Credential" link is shown. You can mitigate this risk by configuring the with the Change Password On View
  13. Select
  14. Create a Device that corresponds to the target device.
    1. In Manage Devices, create a Device with the target IP address (do not use FQDN) in the
    2. On the tab, use the controls to move the service that you created from the Available Services to the Selected Services.
    3. Select
  15. Create a Target Application using the target device as Host Name. See Add Target Applications for more information.
  16. Create a Target Account using the target application as Application Name. The Account Name is substituted for <User> and the for <Password>. See Add Target Accounts for more information.
  17. Create a linking the Target Device to a User or Group.
    1. On the tab, select the Service that you created.
    2. In the Target Account column, use the Edit magnifying glass icon to select the Account.
    The Service appears on the Access page for the selected User or Group.
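The two places in this procedure where a typo silently breaks or weakens a service are the Ports entry (step 5: one format only, a single range of at most 500 ports, no mixing) and the Client Application path (step 12: quote only the executable path, and be aware that <Password> puts the real password on the client's command line). The following Python is an added example, not Privileged Access Manager code: it validates a Ports entry against the formats described above, substitutes the page's literal variables into a Client Application template, and flags the two pitfalls. The variable names and sample values are constructed for the example; the heuristic in whole_string_quoted is an assumption about how the quoting rule can be checked, not product behaviour.

```python
import re

# Constructed example; not code from the Privileged Access Manager product.
PORT_RANGE_LIMIT = 500          # "The port range limit is 500" (from the page)
VARIABLES = ("<Local IP>", "<First Port>", "<Second Port>",
             "<User>", "<Password>", "<Device Name>")


def _check_port(p: int) -> int:
    if not 1 <= p <= 65535:
        raise ValueError(f"port {p} out of range 1-65535")
    return p


def parse_ports(spec: str) -> dict:
    """Classify a Ports entry as one of the three formats the page allows.

    redirect: target:local, where local is an integer or '*' (any free port)
    range:    min-max, one range only, at most PORT_RANGE_LIMIT ports
    list:     ports separated by space, comma, or comma and space
    Mixing formats (for example '51000-51002, 55555') is rejected.
    """
    spec = spec.strip()
    m = re.fullmatch(r"(\d+):(\d+|\*)", spec)
    if m:
        target = _check_port(int(m.group(1)))
        local = None if m.group(2) == "*" else _check_port(int(m.group(2)))
        return {"kind": "redirect", "target": target, "local": local}
    m = re.fullmatch(r"(\d+)\s*[-\u2013]\s*(\d+)", spec)   # hyphen or en dash
    if m:
        lo, hi = _check_port(int(m.group(1))), _check_port(int(m.group(2)))
        if lo > hi:
            raise ValueError("range minimum exceeds maximum")
        if hi - lo + 1 > PORT_RANGE_LIMIT:
            raise ValueError(f"range spans more than {PORT_RANGE_LIMIT} ports")
        return {"kind": "range", "min": lo, "max": hi}
    tokens = [t for t in re.split(r"[,\s]+", spec) if t]
    if tokens and all(t.isdigit() for t in tokens):
        return {"kind": "list", "ports": [_check_port(int(t)) for t in tokens]}
    raise ValueError(f"Ports entry {spec!r} is malformed or mixes formats")


def build_client_command(template: str, values: dict) -> str:
    """Replace the page's literal variables in a Client Application path.

    values maps a variable such as '<Local IP>' to its launch-time value;
    variables absent from values are left untouched.
    """
    cmd = template
    for var in VARIABLES:
        if var in values:
            cmd = cmd.replace(var, str(values[var]))
    return cmd


def whole_string_quoted(template: str) -> bool:
    """Heuristic (an assumption, not product logic) for the quoting rule:
    the executable path may be quoted, the entire command must not be.
    A template that begins and ends with the only two quotes it contains,
    yet carries variables (i.e. arguments), is wrapped as a whole."""
    return (template.startswith('"') and template.endswith('"')
            and template.count('"') == 2
            and any(v in template for v in VARIABLES))


def exposes_password(template: str) -> bool:
    """True when <Password> is used: the real password then appears on the
    client's command line, where process listings and logs can record it."""
    return "<Password>" in template


if __name__ == "__main__":
    # Constructed walk-through using the page's own examples
    for entry in ("22:*", "5740, 3221, 31225", "14575-15004"):
        print(entry, "->", parse_ports(entry))
    template = '"C:\\Software\\WinSCP\\WinSCP.exe" scp://<User>:<Password>@<Local IP>'
    launch = {"<User>": "svc_backup", "<Password>": "example-password",
              "<Local IP>": "127.0.0.2"}          # constructed values
    print(build_client_command(template, launch))
    print("password on command line:", exposes_password(template))
```

Run it to see the three valid Ports forms classified and the WinSCP template expanded; the expanded command is exactly what a process listing on the client would show, which is why the page recommends Change Password On View when <Password> is used.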
Next Steps