Create TCP/UDP Services to Access a Device
Create a TCP/UDP Service to invoke a local third-party application on the user's client computer to connect to a device. The client application must reside on the user client computer; the target device does not have to host it.
Examples of such clients include:
- PuTTY: For PuTTY or another SSH client, see Create an SSH Service to Access a Device.
- IBM TN3270 and TN5250 clients: See Set Up a Native TN3270 or TN5250 Client.
- Web Portal: To provide access to websites automatically, see Configure a Service to Access a Web Portal.
- SQL query front ends, mainframe clients, and other proprietary applications that use TCP or UDP connections: see Configure a TCP/UDP Service.
You can also import Services in batch mode using a CSV file. See Import or Export Services for instructions.
Configure a TCP/UDP Service
To add a TCP/UDP Service, follow these steps:
- Select Services, Manage TCP/UDP Services.
- Select Add for a new TCP/UDP service.
- For Service Name, enter a name for the customized service.
- For Local IP, enter a local IPv4 address for this service. The Local IP column on the TCP/UDP Services page lists the existing IP addresses for other services.
- Ports: Define all ports that the client application opens to gain access to the device, using one of these formats:
- Port combination/redirection syntax: RemotePort:LocalPort or RemotePort:* (separated by a colon). RemotePort is the port on the destination device; specify an integer. LocalPort is the local port on which the listener waits for connections on the local user desktop. Enter an * (asterisk) to let Privileged Access Manager set the value to any available port. Always specify an * (asterisk) for the local port in Citrix XenApp environments. To use a specific port number, enter an integer.
Example: 22:*
Example: 22:8855
Do not combine multiple ports with port ranges. Use only one entry type. The following example is incorrect: 51000-51002, 55555
- Multiple ports syntax: Each port is separated by a space, comma, or comma and space.
Example: 67 3450 23
Example: 5740, 3221, 31225
- Port range syntax: FirstPort–LastPort
Example: 14575–15004
- Protocol: Select the transport protocol that the service uses from the drop-down list.
- Select the Enable checkbox. Disabled services appear shaded on the Devices page and do not work for any user, including super.
- Show in Column: Select this check box to show the service as a button on the Access page. Otherwise, services appear in a drop-down list, which is more compact.
- Application Protocol: Select a protocol for communication to the remote target. If you want to invoke an application on a client (other than SSH), accept the default, "Disabled."
- X11: For the SSH protocol, this option enables the X11 protocol for the user interface.
- Send keep-alive interval: For the SSH and telnet protocols, this option sends keep-alive messages so that sessions do not time out. The PAM Applet Timeout still applies. Valid values are 60 seconds (minimum) to 172800 seconds (48 hours). Default is 0 (disabled mode). For more information about the Applet Timeout setting, see Basic Settings in the Apply Global Settings topic.
For SSH only: This setting changes how SSH rekey operations, background jobs, and activity in SSH sessions (such as running commands like top that update the terminal at regular intervals) impact the applet timeout functionality of PAM. The following table shows how this setting behaves in relation to the rekey operation.

| Keep Alive Setting | Rekey > Applet Timeout: Background Job | Rekey > Applet Timeout: Activity in SSH | Rekey < Applet Timeout: Background Job | Rekey < Applet Timeout: Activity in SSH |
| --- | --- | --- | --- | --- |
| 0 (Disabled) | Timeout | No timeout | No timeout | No timeout |
| Keep-alive is less than applet timeout (overrides original timeout behavior) | Timeout | Timeout | Timeout | Timeout |
| Keep-alive is greater than applet timeout | Same as 0 (Disabled) | Same as 0 (Disabled) | Same as 0 (Disabled) | Same as 0 (Disabled) |
- For Client Application, enter the path if you want to invoke the client automatically. The path that you specify here is launched when a user accesses the service. The user can also set or override this path at launch time. To use a path that contains embedded spaces, enclose the directory path, including the application executable filename, in quotation marks. Do not enclose the entire string in quotes or the command does not execute. Use these literal strings as variables that Privileged Access Manager substitutes:
- <Local IP> is replaced with the IP address in the Local IP field. Do not repeat the local IP here.
- <First Port> is replaced with the first local port (after the colon) that is defined in Ports. Do not repeat the first port here.
- <Second Port> is replaced with the second local port (if any) that is defined in Ports. Do not repeat the second port here.
- <User> is replaced with the account name that is used in the access method. Do not repeat the account name here.
- <Password> is replaced with the password of the Target Account (see the Target Account step below).
- <Device Name> is replaced with the Name of the Device. Some application connection arguments can use this variable. For example, in WinSCP, /sessionname=<Device Name> displays the device name instead of the IP address in the application title bar.
For example, if WinSCP is the application on the client, enter the following path:
"C:\Software\WinSCP\WinSCP.exe" scp://<User>:<Password>@<Local IP>
Important! In the WinSCP example, use the literal strings <User>, <Password>, and <Local IP>. Do not enter the actual values for these strings.
The <Password> variable poses a security risk. It exposes the password to the client, which might log it or might expose it as an argument. When the user connects, a "View Credential" link is shown. You can mitigate this risk by configuring the Change Password On View option.
- Create a Device that corresponds to the target device.
- In Devices, Manage Devices, create a Device with the target IP address (do not use an FQDN) in the Address field.
- On the Services tab, use the controls to move the service that you created from Available Services to Selected Services.
- Create a Target Application using the target device as the Host Name. See Add Target Applications for more information.
- Create a Target Account using the target application as the Application Name. The Account Name is substituted for <User> and the Password for <Password>. See Add Target Accounts for more information.
- Create a Policy linking the Target Device to a User or Group.
- On the Services tab, select the Service that you created.
- In the Target Account column, use the Edit magnifying glass icon to select the Account.
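As an added example (not code from Privileged Access Manager or its documentation), the following Python validates a Ports entry against the three syntaxes described above, rejecting mixed entry types, and expands the Client Application variables the way the WinSCP example relies on, while flagging a template that passes <Password> or quotes the whole string. It assumes that a plain port or port range maps each port to the same number on both sides; the sample values are constructed.

```python
import re

# Added example, not code from Privileged Access Manager. Assumption: a plain
# port or a port range maps each port to the same port number on both sides.
_RANGE = re.compile(r"^(\d+)[-\u2013](\d+)$")  # 14575-15004, hyphen or en dash
_PAIR = re.compile(r"^(\d+):(\d+|\*)$")        # 22:8855 or 22:*

def parse_ports(spec):
    """[(remote_port, local_port)] for a Ports field; local_port None for '*'."""
    tokens = [t for t in re.split(r"[,\s]+", spec.strip()) if t]
    entries, kinds = [], set()
    for tok in tokens:
        if m := _RANGE.match(tok):
            first, last = int(m.group(1)), int(m.group(2))
            if first > last:
                raise ValueError(f"reversed range: {tok}")
            kinds.add("range")
            entries += [(p, p) for p in range(first, last + 1)]
        elif m := _PAIR.match(tok):
            kinds.add("pair")
            local = None if m.group(2) == "*" else int(m.group(2))
            entries.append((int(m.group(1)), local))
        elif tok.isdigit():
            kinds.add("single")
            entries.append((int(tok), int(tok)))
        else:
            raise ValueError(f"unrecognized port entry: {tok!r}")
    if not entries or len(kinds) > 1:  # '51000-51002, 55555' mixes two types
        raise ValueError(f"empty Ports field or mixed entry types: {spec!r}")
    if any(p is not None and not 1 <= p <= 65535 for e in entries for p in e):
        raise ValueError("port outside 1-65535")
    return entries

def build_client_command(template, local_ip, ports, user, device_name):
    """Expand PAM's literal variables in a Client Application string. <Password>
    is never expanded; it is flagged, since the client may log its arguments."""
    subs = {"<Local IP>": local_ip, "<User>": user, "<Device Name>": device_name,
            "<First Port>": ports[0][1] if ports else None,
            "<Second Port>": ports[1][1] if len(ports) > 1 else None}
    warnings = []
    if "<Password>" in template:
        warnings.append("<Password> is passed to the client; enable Change Password On View")
    if template.startswith('"') and template.endswith('"'):
        warnings.append("entire string is quoted; quote only the executable path")
    cmd = template
    for var, value in subs.items():
        if value is not None:  # a '*' port is unknown until launch: keep the variable
            cmd = cmd.replace(var, str(value))
    return cmd, warnings
```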