Configure a Service to Access a Web Portal

Configure the Web Portal application protocol to access websites automatically. This application automatically launches a new browser window and navigates to a preset local IP and launch path.
Establish a portal for every web server that the user accesses. Some servers provide content to the web pages that call them (through embedded links) but do not face users. See the
Hide From User
VMware NSX API is no longer supported as of PAM 3.3.
Follow these steps:
  1. Select
    Manage TCP/UDP Services
  2. Select
    for a new TCP/UDP service.
  3. For Service Name, enter a name for the customized service.
  4. For Local IP, enter a valid local loopback address.
    To set up a Web Portal for Microsoft SharePoint® and Mac client access, set the
    Local IP
    to and provide a valid
    Host Header
  5. For
    , enter
    (for HTTP) or
    (for HTTPS). Optionally, specify a local port mapping.
    For example, add
    to map
  6. Select the
  7. For Application Protocol, select the Web Portal option from the drop-down list.
  8. Auto Login Method defaults to "Disabled." If you specify an automatic login method, such as SAML 2.0 SSO POST, two new tabs activate. For more information, see How to Configure Automatic Login to Web Portals.
  9. Enter a value for the Launch URL field. The URL specified here is launched when the web portal enabled service is accessed. Use the literal phrases "<Local IP>" and "<First Port>", which use the values in the
    Local IP
    fields. Use the following syntax:
    http[s]://<Local IP>:<First Port>/
    • <Local IP> is a literal placeholder for the IP address in the Local IP field. Do not repeat the local IP address here.
    • <First Port> is a literal placeholder for the first local port (after the colon) that is defined in
      . Do not repeat the first port here.
    • path_to_target_page is the path component of the URL. Create any legal subdirectory path, including:
      /[…]] ] - optional directory path
      ]- optional terminal page/program
      http://<Local IP>:<First Port>/index.html
      https://<Local IP>:<First Port>/dashboard.jspa
  10. Select the Browser Type:
    • Native Browser: Invoke a window to the Web Portal using the same browser that the User has used to access Privileged Access Manager.
    • CA PAM Browser: Invoke a custom restricted-function browser. CA PAM Browser is required for web portal recording and all Auto-Login methods except SAML 2.0 SSO POST.
  11. Specify the applicable FQDN hostname in Host Header so that the portal is able to distinguish between multiple hosted websites, for example,
    . If the IP address of the server hosts only one (FQDN) site, this field is not required. However, it is good practice to specify it explicitly.
    • Host Header is not applicable to HTTPS (SSL) sites.
    • Host Header is required for Microsoft SharePoint sites.
    • Host Header applies to a native browser only.
  12. If any alias host names are used to reach the portal, enter these names in the
    field. Separate the names with commas. These aliases are mapped by Privileged Access Manager to the true host (see Host Header). This field applies to a native browser only.
  13. If the portal is to be used in the background, select Hide From User. This option specifies that a server is available for Privileged Access Manager-internal access, but is not to be accessible to an end user. For example, a server that delivers graphic files that are requested from a browser after a baseline website delivers an HTML page. This field applies to a native browser only.
  14. An Access List applies to the CA PAM Browser only. In the Access List field, include each host to which access is allowed. A good practice is to examine session logs to find blocked access attempts.
    1. Enter one host per line.
    2. An asterisk acts as a wildcard. For example:
    3. Exclude any hosts that pose security risks.
    In addition to hosts listed in the access list, the web portal can access any device configured in PAM which has an access policy that includes both the web portal itself and the user, whether directly or through groups.
  15. Select the Route Through checkbox so that all traffic is directed through Privileged Access Manager. Otherwise, traffic goes directly to the web service from the client workstation.
  16. Select 
  17. Create a Device that corresponds to the web server you are aiming to reach. In Devices, Manage Devices, create a Device with the web server IP address (do not use FQDN) in the
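The field rules in the steps above can be checked before a definition is entered. The following is an added example, not part of the PAM documentation or product: the dict keys, the sample values, and the `EXAMPLE-METHOD` name are assumptions made for illustration, and treating a bare `*` Access List entry as matching every host is also an assumption.

```python
import ipaddress
import re

# Step 9 syntax: scheme, then the two literal placeholders, then a path.
LAUNCH_RE = re.compile(r"^(https?)://<Local IP>:<First Port>(/.*)$")

def lint_portal(svc):
    """Return findings for one service; dict keys are hypothetical names."""
    findings = []
    try:
        if not ipaddress.ip_address(svc["local_ip"]).is_loopback:
            findings.append("Local IP is not a loopback address")
    except ValueError:
        findings.append("Local IP is not a valid IP address")
    m = LAUNCH_RE.match(svc["launch_url"])
    if not m:
        findings.append("Launch URL lacks the literal <Local IP>:<First Port>")
    https = bool(m) and m.group(1) == "https"
    native = svc["browser_type"] == "Native Browser"
    if svc.get("host_header") and https:
        findings.append("Host Header is not applicable to HTTPS sites")
    if svc.get("host_header") and not native:
        findings.append("Host Header applies to a native browser only")
    if svc.get("access_list") and native:
        findings.append("Access List applies to the CA PAM Browser only")
    if native and svc.get("auto_login", "Disabled") not in (
            "Disabled", "SAML 2.0 SSO POST"):
        findings.append("This Auto Login Method needs the CA PAM Browser")
    # Assumption: a bare "*" entry matches every host.
    if "*" in svc.get("access_list", []):
        findings.append("Access List entry '*' allows every host")
    return findings

def expand_launch_url(svc):
    """Substitute both placeholders so a reviewer sees the resulting URL."""
    return (svc["launch_url"].replace("<Local IP>", svc["local_ip"])
            .replace("<First Port>", str(svc["first_port"])))

# Constructed sample definitions (not taken from a real deployment).
GOOD = {"local_ip": "127.0.0.10", "first_port": 8080,
        "launch_url": "http://<Local IP>:<First Port>/index.html",
        "browser_type": "Native Browser", "host_header": "portal.example.test"}
BAD = {"local_ip": "10.1.2.3", "first_port": 8443,
       "launch_url": "https://10.1.2.3:8443/dashboard.jspa",
       "browser_type": "Native Browser", "access_list": ["*"],
       "auto_login": "EXAMPLE-METHOD"}  # placeholder method name

if __name__ == "__main__":
    for svc in (GOOD, BAD):
        print(expand_launch_url(svc), lint_portal(svc))
```

The second sample repeats the IP address and port in the Launch URL instead of using the placeholders, which is the mistake step 9 warns against.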
Next Step