About Devices

A device represents a managed, IP-addressable network node. A device is a potential target for access or password management by a PAM user. For A2A deployments, a device can be considered a request server. Devices are displayed and managed through the Devices menu on the Administration menu in the UI.
You can also configure other devices in PAM that are not Access or Password Management target systems. For example, a RADIUS authentication server or a syslog server provides resources to PAM, but it is not an access target. These systems are not listed or managed from the Devices page in the UI; they are typically configured as third-party systems.
Access to Devices
Privileged Access Manager enables secure access to devices. It does not allow a connection to any device until that device has been approved at the device level. To complete this approval, access methods must be selected. This can be done when initially creating the device, when finishing edits before access is enabled, or when changing methods for an existing device.
Access Types
Software: Access Methods
The first way that PAM provides controlled access is to specify fully the communication software that is used to implement a connection. The appliance delivers communication executables (implemented as Java applets) to the user workstation or other local computer; these applets wrap the user's communication within Privileged Access Manager-controlled communication channels.
One of these applets is a master communication applet named the UP (Universal Ports). UP is customized by the policy for each user, and is always downloaded at each User login session. Meanwhile, the user can download other applets that communicate with the UP to set up and maintain controlled communication to a device through Privileged Access Manager. These applets also have custom features, such as command filtering capability. When the session is finished, the applet disappears. These applets are known as Access Methods.
Privileged Access Manager-Controlled Local Software: Services
Another approach is to use ordinary (third-party) communication software that users have on their computers. This software might already be installed, or Privileged Access Manager can supply it (temporarily). Using parameters that are configured by the PAM administrator, the product directs that software to communicate with the UP so that, like an Access Method, a controlled session can be implemented. These are known as Privileged Access Manager Services.
An administrative user can create services on known ports and for specific applications. These services can include fat-client access such as SQL query front-ends, mainframe clients, and any proprietary applications that use TCP or UDP connections. The appliance has several ways to do this:
  • Download Privileged Access Manager packaged third-party software, such as a commercial SFTP/FTP package.
  • Use a local software installation; for example, PuTTY can be available to implement SSH.
  • Use Microsoft Windows RDP if the local computer is a Windows device.
  • Establish a console.
  • Access a web portal using the local default browser.
Restrict Access to a Windows Application: RDP Applications
With Microsoft Remote Desktop Services (RDS), you can configure RDP applications so that a single hosted application on the target is published through RDP instead of allowing access to the entire target device desktop.
Terminal Configuration for Device Access
For line-mode communication, you have a range of options to package the interface. These can be imposed generally, and then specifically for each Device Group or individual Device.
Device Types
From these features come these Device types, each with separate functionality and licensing:
  • Access Devices
  • Password Management Devices
  • A2A Devices
Grouping Devices
To provision and manage multiple devices, you can use the following two mechanisms:
  • Device Groups
     – A set of devices that inherit the same attributes from the group.
  • Tags
     – A device attribute that allows you to assign labels to any particular device and share those labels across many devices. You can filter on the labels to identify sets of devices.