Access Methods are the out-of-the-box communications applets that provide connectivity and session recording. The applets support VNC, TELNET, SSH, RDP, and serial connections. You can change default ports and you can disable protocols for the whole system. Access method applets are downloaded from PAM to a local computer and rely on locally installed Java.
Access Methods are the out-of-the-box communications applets that provide connectivity and session recording. The applets support VNC, TELNET, SSH, RDP, and serial connections. You can change default ports and you can disable protocols for the whole system. Access method applets are downloaded from
PAMto a local computer and rely on locally installed Java.
Configuring an Access method is a two-step process:
- Select the Access Method from the Global Settings menu in the UI.
- Assign an access method to one or more target devices.
This topic describes the following information and tasks:
Access Method Options
PAMprovides the following different access methods:
GUI Access Methods
- VNC(Virtual Network Computing) is a graphical desktop remote access application that enables access to the device being monitored. A Mac, Windows, UNIX, or X Windows desktop can be accessed directly using this feature. VNC sessions can be graphically recorded. This feature requires installation of the VNC service on each of the monitored devices.VNC limitations:
- If an SFA is installed on a Windows system, the SFA filters do not get applied to VNC connections.
- VNC access does not support auto-login to a remote Windows device.
- RDP- Remote Desktop Protocol (RDP) is an access method for connecting to Microsoft Terminal Services. RDP is commonly used for administration of Windows servers. The RDP applet takes advantage of RDP 6.x compression types, which reduce file size that is compared to RDP 5.2. RDP sessions can be graphically recorded.
CLI Access Methods
- Telnetprovides standard Telnet access to a host. A Telnet service must run on the accessed device for this access method to work. See the specific device manufacturer documentation on how to set it up. The product does not support Telnet sessions to itself.
- SSH- The product supports SSH Version 1 & 2. SSH must be running on the accessed device for this access method to work. See the specific device or system manufacturer documentation on how set it up.
TN3270 and TN5250 are Telnet clients for the IBM AS/400 that emulate 5250 terminals and printers. SSL versions are available for SSL/TLS support.
PAMalso supports AS/400-class applet display names only for TN5250 and TN5250SSL only.
To use a display name, follow these steps:
- Select your user name in the upper right corner of the appliance display.The User Information window appears.
- On theBasic Infotab, enter a Mainframe display name.
Select Access Methods
- SelectSettings,Access Methods.
- Select the methods to be made generally available for a device configuration.If you do not want to use a particular access method, clear the checkbox it to disable it. If you disable a particular access method, it is unavailable for all devices.
RDP Client Applet Security Requirement
If you select the RDP Client applet, the applet supports TLS 1.2 connections and the applet supports the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite. The RDP Client also supports forward secrecy using the following supported cipher suites:
For the highest level of security, ensure your RDP target device, that is the Windows server, is configured to use forward secrecy with TLS 1.2 communication.
PAMis operating in FIPS mode, but the RDP server does not offer a FIPS-compliant communication option, you receive an error. The error says
Cannot connect toAsk your Administrator to verify the server configuration.
target_serverbecause the server did not offer a FIPS-compliant option for communication."
Customize Access Methods
You can customize the access method. Changes apply globally.
Follow these steps:
- Go toSettings,Access Methods.
- Select an access method to customize, and selectUpdate.
- Modify the settings.If you update the default ports, only one port number can be specified per Access Method. No port ranges are allowed.
The set of Access Methods available depends on which license you have. You must have a mainframe license for the TN applets to be available. Otherwise, those applets do not appear as options.
Assign an Access Method to a Device
The following procedure assumes you already configured a target device.
To assign an access method to a device:
- From the UI, select Devices, Manage Devices.
- Double-click the target device entry to open it.
- Select theAccess Methodstab.
- Add an Access Method by selecting the plus sign. In the Name column, select an Access Method from the field drop-down list.
- SelectSave and Configure Target Applications. Repeat as necessary to allow more methods to be used.You can remove any entry by selecting the X at the end of the entry row.
- When you finish adding methods, and making other changes to the Device record, select theSavebutton.
Set Up File Transfer Capability (Optional)
Some access methods need further configuration for functionality, such as file transfers.
PAMsupports file transfer to and from remote target devices through the SSH access method using the Mindterm applet. File transfers can be recorded. SCP and SFTP protocols are supported. SSH file transfer is globally enabled or disabled on a per
Enable SSH Terminal File Transfer (Administrator)
To set up file transfers using the SSH applet:
- Log in to the UI as an administrator with privileges to access global settings.
- Navigate toSettings,Global Settings,Applet Customization.
- Select theSSH Terminal File Transfercheckbox.
- Set up a policy for aPAMuser to use the SSH as the access method for applicable target devices.
Accessing a Target Device using the SSH Access Method (User)
After SSH terminal file transfers are enabled, the user has access to the SCP and SFTP file transfers.
The following procedure explains how a
PAMuser selects the SSH access method:
- Log in to the UI as a User with permissions to execute the SSH access method.
- If necessary, navigate to the Access page.
- On the Access page, select anSSHicon to open a MindTerm applet to the configured target device.
- In the MindTerm Java applet window (labeled with your device name), selectPlugins,SCP File Transferto open a file transfer window.
- Use theMindTerm – SCPinternal_IP_addressapplet file transfer window to perform the following functions:
- Move files between your local client computer and the remote target Device. Use the arrows to move between directories in the list.
- Use the following commands to execute tasks between the two system directories:
- Double-click:[..]– to jump to the parent directory, ordirectory_nameto enter it.
- ChDir– to specify a directory to jump to
- MkDir– to create a directory
- Rename– to change the name of the selected directory
- Delete– to delete the currently selected file or directory
- Refresh– to reload the current directory
Logging for File Transfer Transactions (Optional)
This table describes the types of log entries that are effected by file transfer transactions.
Log Entry Syntax
Log Entry Details
*A directory (with or without files) can also be copied, but that action is not logged. Files within copied directories are each copied and logged.
(no log entry)
[Remote | Local] [file | folder]
pathnamehas been deleted by user
[Remote | Local] folder
pathnamehas been created by user
(no log entry)
[Remote | Local] [file | folder]
path/old namehas been renamed to
path/new nameby user