Deploying and Managing PAM360 Application Gateways

In organizations with complex network setups, such as DMZs, segmented networks, and secure subnets, managing privileged resources can be challenging as there will not be direct communication between the PAM360 server and the privileged resources due to strict security policies. This document offers comprehensive guidance on deploying and managing PAM360 Application Gateways to support the efficient management of privileged resources in such scenarios. By following the steps outlined in this guide, administrators can ensure secure and seamless privileged access management across segmented networks without compromising compliance or network isolation policies.

  1. Prerequisites
  2. System Requirements
  3. Roles and Privileges
  4. Deploying Application Gateways
  5. Managing Application Gateways
  6. Managing Resources With Application Gateway
  7. Task Monitoring and Audit Logs
  8. Deleting Application Gateways
  9. Emergency Measures
  10. Troubleshooting Tips

1. Prerequisites

  1. When deploying the Application Gateway, ensure that the server hosting the Application Gateway has seamless connectivity to the PAM360 server and the network where the remote resources reside.
  2. Ensure that port 8288 is open on the machine where the PAM360 server is hosted to facilitate secure communication between the PAM360 server and the Application Gateway. If port 8288 is already in use, you can configure a custom port for secure communication while setting up the Application Gateway.
  3. Additionally, you will need the following details from the PAM360 server for a successful deployment:
    • PAM360 server certificate to establish a secure connection between the PAM360 web server and the Application Gateway.
    • Hostname or IP address of the PAM360 server to ensure the accurate Application Gateway configuration.
  4. If you are deploying the Application Gateway on a Windows machine, ensure Microsoft Visual C++ Redistributable for Visual Studio 2015 and above is available on that machine.
  5. Ensure the Microsoft .NET framework is available on the machine where you are deploying the Application Gateway.
  6. Ensure you have a service account that has either domain admin rights or local admin rights on the PAM360 server and on the target systems that you would like to manage.
  7. Ensure that port 8283 is open on the machine where the Application Gateway is being deployed to allow secure remote access to the resources it manages. If port 8283 is already in use, you can configure a custom port and update the port number in the gateway.conf file located within the <PAM360ApplicationGateway_Installation_Directory>/Conf folder.
    Note: It is not necessary to open this port for external communication. The Application Gateway server will utilize this port exclusively to facilitate secure remote sessions.

  8. Ensure that port 8289 is open on the machine where the PAM360 server is hosted to facilitate secure remote sessions to the resources managed using Application Gateways. If you want to configure a custom port in your environment for this purpose, you should update the corresponding port number in the PAM360 server. To configure a custom port, navigate to Admin >> Server Settings >> PAM360 Server Configuration. In the PAM360 Server Configuration pop-up window that appears, switch to the Auto Logon tab, enter the desired port number in the Application Gateway Session Port field, and click the Save button.

    Note: It is essential to restart the PAM360 service after updating the port number for the changes to take effect.

2. System Requirements

This section covers the hardware and software requirements for the PAM360 Application Gateway.

2.1 Software Requirements

Windows:
  • Windows Server 2025
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016

Linux:
  • Ubuntu 18.04 and above
  • CentOS 6 and above
  • Red Hat Linux 9.0
  • Red Hat Enterprise Linux 5.X and above
  • AlmaLinux 9.x and above

Note: The PAM360 Application Gateway generally works well with all flavors of Windows and Linux and can also be deployed on virtual machines running these operating systems.

2.2 Hardware Requirements

Requirements by organization size:

  • Small (<2500 servers): Processor - Dual Core or above; RAM - 8GB; Hard Disk - 2GB for Product
  • Medium (<8000 servers): Processor - Quad Core or above; RAM - 16GB; Hard Disk - 2GB for Product
  • Large (>8000 servers): Processor - Octa Core or above; RAM - 32GB; Hard Disk - 2GB for Product


3. Roles and Privileges

By default, users with the Privileged Administrator and Administrator roles can add, configure, and manage Application Gateways. Additionally, any user with the Application Gateway privilege enabled in their role is permitted to add and manage the Application Gateways.

4. Deploying Application Gateways

The process involves downloading the application gateway configuration file from the PAM360 web interface, installing the Application Gateway on the desired machine, and configuring the Application Gateway using the configuration file downloaded from the PAM360 web interface. This section covers the detailed steps to deploy an Application Gateway in your environment.

4.1 Steps to Download Application Gateway Configuration File

Caution: If the certificate used for the PAM360 server is in PKCS11 or PKCS12 format, perform the following steps before adding an Application Gateway and downloading the configuration file from the PAM360 web interface:

  1. Navigate to the <PAM360-Installation-Directory>/conf/sslcerts folder and open the appgateway.properties file using any text editor.
  2. Now, add the following entry, depending on your PAM360 server certificate format:
    • keystoretype=PKCS11 (or)
    • keystoretype=PKCS12
  3. Save the configured changes and restart the PAM360 server.

Follow these steps to add an Application Gateway and download the configuration file from the PAM360 web interface:

  1. Navigate to Admin >> PAM360 Gateways >> Application Gateway.
  2. In the PAM360 Application Gateway window, click the Add button.
  3. In the Add Application Gateway window, enter the following details:
    1. PAM360 Server Hostname / IP Address - Enter the hostname or IP address of the PAM360 server to which the Application Gateway should establish a secure communication channel. You can enter a maximum of three values in the comma-separated format.

       Note: We recommend providing both the hostname and IP address of the PAM360 server in this field to ensure seamless communication and task execution.

    2. Application Gateway Name - Enter a suitable name to uniquely identify this Application Gateway on the PAM360 Application Gateway window.
    3. Hostname / IP Address - Specify the hostname or IP address of the machine where you wish to deploy the Application Gateway. You can enter the values in a comma-separated format. You can enter a maximum of three values in this field.

       Note: We recommend providing both the hostname and IP address of the machine where you want to deploy the Application Gateway in your environment to ensure seamless communication and task execution.

    4. Description - Provide a brief description of the Application Gateway for easy reference.
    5. Remote Sessions - Select how the remote sessions to the resources managed by this Application Gateway should be routed.
      • Connect Via Application Gateway - To establish remote sessions directly through the Application Gateway.
      • Connect Via Landing Server - To route the remote sessions through a designated landing server. Select the landing server machine (added as a resource in PAM360) and its corresponding account from the respective drop-down fields.

      Note: If you choose to tunnel remote sessions through a landing server for resources managed by Application Gateways, ensure the following:

        • The landing server is added as a resource in PAM360 and has connectivity to the PAM360 server.
        • The landing server resides in the same network as the target machines while maintaining connectivity with the PAM360 server, as it facilitates the connection.
  4. Click Save to configure the Application Gateway details successfully.
  5. In the Download Configuration File window, click the Download button to download the configuration file to your machine.
  6. Alternatively, you can click the Copy icon beside the Configuration Key field, paste the key in a .txt file, and save it. You need to upload this file while configuring the Application Gateway.

4.2 Steps to Install the PAM360 Application Gateway

4.2.i Windows

This section outlines the steps to download and install ManageEngine's PAM360 Application Gateway on a Windows machine.

  1. Visit PAM360's official Website to download the Application Gateway setup.
  2. Before downloading the software, verify if your system meets the necessary prerequisites. This step is crucial to ensuring a smooth installation process.
  3. Download the PAM360 Application Gateway software to your target system.
  4. Double-click on the ManageEngine_PAM360_Applicationgateway.exe icon to proceed with the installation.
  5. The InstallShield Wizard for the PAM360 Application Gateway will appear on the screen. Click Next to proceed with the installation process.
  6. The Software License Agreement will appear on the screen. Read the agreement carefully, and click Yes to agree and proceed with the installation. Click Back to return to the previous section, or click No to exit the setup. You can also Print the License Agreement for future reference.
  7. Choose the destination folder to install the PAM360 Application Gateway on your machine. You can either go with the default location, C:\Program Files\ManageEngine\ManageEngine_PAM360_ApplicationGateway, or click Browse to install the Application Gateway at a different location. Click Next to proceed to the next step, and click the Back button to go back to the previous section.
  8. After the installation is complete, click the Configure button to configure the PAM360 server details. On the screen that appears, click the Browse button and select the applicationgateway.config file downloaded from the PAM360 web server. After selecting the applicationgateway.config file, click Open to upload the configuration file and click the Configure button to save the uploaded configuration file. See section 4.1 for the detailed steps to add an Application Gateway configuration on the PAM360 interface and download the configuration file.
  9. In the subsequent window, enter the following details:
    • Hostname / IP Address - The hostname or IP address of the machine where the PAM360 server is hosted.
    • WSS Port - The WSS port number opened on the PAM360 server.
    • HTTPS Port - The HTTPS port number opened on the PAM360 server.
    • PAM360 Server Certificate - Click Browse, select the PAM360 server certificate from your machine, and click Open. Click Configure to configure the Application Gateway on your machine.
    • Notes:

      1. If you are using a self-signed certificate for the PAM360 server, ensure that the certificate includes the Subject Alternative Name (SAN) field for secure communication.
      2. If you are an existing PAM360 customer upgrading to PAM360 Build 8000 or above, follow these steps to update the SAN field in the PAM360 server certificate.
        1. Navigate to the <PAM360_Installation_Directory>/scripts folder and execute the command updateCertSAN.bat (Windows) or sh updateCertSAN.sh (Linux) depending on the OS type of the machine where the PAM360 server is deployed.
        2. Restart the PAM360 service, download the updated PAM360 server certificate, and use it while configuring the Application Gateway.
  10. Once the configuration is complete, you will see the success message on the screen. Access your PAM360 instance and navigate to the PAM360 Application Gateway page to see the details and status of the deployed Application Gateway.

4.2.ii Linux

This section outlines the steps to download and install ManageEngine's PAM360 Application Gateway on a Linux machine.

  1. Visit PAM360's official Website to download the Application Gateway setup.
  2. Before downloading the software, verify if your system meets the necessary prerequisites. This step is crucial to ensuring a smooth installation process.
  3. Navigate to the download section and download the file ManageEngine_PAM360_Application_Gateway.bin for Linux.
  4. Execute the command chmod a+x <file-name> to assign the executable permission.
  5. The InstallAnywhere wizard for PAM360 Application Gateway will appear on the screen. Click Next to continue the installation.
  6. The Software License Agreement will appear on the screen. Read the agreement carefully, and click Yes to agree and proceed with the installation. Click Back to return to the previous section, or click No to exit the setup. You can also Print the License Agreement for future reference.
  7. Choose the destination folder to install the PAM360 Application Gateway on your machine. You can either install the Application Gateway in the default location or click Choose to install it in a different location. Click Next to proceed to the next step, and click the Back button to go back to the previous section.
  8. After the installation is complete, click the Configure button to configure the PAM360 server details. On the screen that appears, click the Browse button and select the applicationgateway.config file downloaded from the PAM360 web server during the Application Gateway configuration. After selecting the applicationgateway.config file, click Open to upload the configuration file, and click the Configure button to save the uploaded configuration file. See section 4.1 for the detailed steps to add an Application Gateway configuration on the PAM360 interface and download the configuration file.
  9. In the subsequent window, enter the following details:
    • Hostname / IP Address - The hostname or IP address of the machine where the PAM360 server is hosted.
    • WSS Port - The WSS port number opened on the PAM360 server.
    • HTTPS Port - The HTTPS port number opened on the PAM360 server.
    • PAM360 Server Certificate - Click Browse, select the PAM360 server certificate from your machine, and click Open. Click Configure to configure the Application Gateway on your machine.
    • Notes:

      1. If you are using a self-signed certificate for the PAM360 server, ensure that the certificate includes the Subject Alternative Name (SAN) field for secure communication.
      2. If you are an existing PAM360 customer upgrading to PAM360 Build 8000 or above, follow these steps to update the SAN field in the PAM360 server certificate.
        1. Navigate to the <PAM360_Installation_Directory>/scripts folder and execute the command updateCertSAN.bat (Windows) or sh updateCertSAN.sh (Linux) depending on the OS type of the machine where the PAM360 server is deployed.
        2. Restart the PAM360 service, download the updated PAM360 server certificate, and use it while configuring the Application Gateway.
  10. Once the configuration is complete, you will see the success message on the screen. Access your PAM360 account and navigate to the PAM360 Application Gateway page to see the details and status of the deployed Application Gateway.

Follow these steps if you are installing the Application Gateway on a headless Linux server:

  1. Download the file PAM360_ApplicationGateway.bin for Linux.
  2. Execute the chmod a+x <file-name> command to assign the executable permission.
  3. Execute the command ./<file_name> or ./<file_name> -i console.
  4. Follow the step-by-step instructions as they appear on the screen. Now, PAM360 Application Gateway will be installed on your machine in the chosen location.
  5. Once the installation is complete, navigate to the <PAM360ApplicationGateway_Installation_Directory>/bin folder and execute the command sh importCert.sh to import the PAM360 server certificate.
  6. Copy the applicationgateway.config file downloaded from the PAM360 server and paste it into the <PAM360ApplicationGateway_Installation_Directory>/conf folder.

     Note: Ensure the configuration file is named applicationgateway.config.

  7. Navigate to <PAM360ApplicationGateway_Installation_Directory>/bin folder and execute the ./wrapper -c ../conf/wrapper_lin.conf command. Upon successful execution, a success message will be displayed. Execute the same command again to start the Application Gateway service.

You have successfully deployed and configured the Application Gateway on the desired machine within your environment. Once the installation is complete, the Application Gateway will be enabled on the PAM360 Application Gateway page. You can hover over the Application Gateway name to check its status and the last sync time.

4.3 Steps to Start the Application Gateway as a Service

4.3.i Windows

Once the Application Gateway executable (.exe) has been successfully installed, you can start or manage the service using either of the following methods:

  1. Using the Tray icon - Click the Show Hidden Icons option on the bottom-right corner of the Taskbar, right-click on the Application Gateway tray icon, and select Start Application Gateway from the displayed options.
  2. From the Services console - Press Windows + R, type services.msc, and click Ok. In the Services window, locate the service named ManageEngine PAM360 - ApplicationGateway, right-click the service and select Start.

4.3.ii Linux

Follow these steps to install PAM360 Application Gateway as a startup service on a Linux machine:

  1. Log in as a root user.
  2. Open the console and navigate to <PAM360ApplicationGateway_Installation_Directory>/bin folder.
  3. Execute the sh applicationGateway.sh install command (on Ubuntu, execute bash applicationGateway.sh install instead).
  4. Subsequently, execute the following commands:
    • systemctl start pam360ApplicationGateway.service - To start the Application Gateway service.
    • systemctl restart pam360ApplicationGateway.service - To restart the Application Gateway service.
  5. To check the status of the Application Gateway service, execute the systemctl status pam360ApplicationGateway.service command.

Notes:

  1. Currently, the PAM360 Application Gateway can be installed on Windows and Linux-type resources.
  2. Ensure the PAM360 server certificate that you are uploading during the Application Gateway installation contains the SAN name.
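
The SAN requirement in the notes above can be checked before the certificate is uploaded. The following is an added example, not ManageEngine code: it lists a certificate's SAN entries with the openssl CLI and tests whether the hostname or IP address you will enter for the PAM360 server is among them. The host names, address and file names are constructed, and it assumes the gateway validates the server name against the SAN the way standard TLS clients do.

```sh
#!/bin/sh
# Added example: verify that a PAM360 server certificate lists, in its
# Subject Alternative Name (SAN), the name the gateway will connect to.
# Usage: sh check_san.sh <certificate.pem> <hostname-or-ip>...

# Print the SAN entries of a PEM certificate, one per line, for example
# "DNS:host" or "IP Address:192.0.2.10". Prints nothing if there is no SAN.
san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# san_covers CERT NAME: succeed only if NAME is listed in the SAN of CERT.
# The comparison is case-insensitive, a leading "*." matches exactly one
# label, and the subject CN is deliberately ignored. IP addresses must be
# written the way openssl prints them.
san_covers() {
    cert=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    san_entries "$cert" | tr 'A-Z' 'a-z' | (
        while IFS= read -r entry; do
            case $entry in
                dns:*)          value="${entry#dns:}" ;;
                "ip address:"*) value="${entry#ip address:}" ;;
                *)              continue ;;
            esac
            [ "$value" = "$want" ] && exit 0
            case $value in
                '*.'*)
                    suffix="${value#\*}"          # e.g. ".example.test"
                    label="${want%"$suffix"}"     # what the "*" would cover
                    if [ -n "$label" ] && [ "$label" != "$want" ]; then
                        case $label in *.*) ;; *) exit 0 ;; esac
                    fi ;;
            esac
        done
        exit 1
    )
}

# Constructed sample input: two throwaway self-signed certificates in DIR,
# one with a SAN and one that only has a subject CN.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/with_san.pem" \
        -subj "/CN=pam360.example.test" \
        -addext "subjectAltName=DNS:pam360.example.test,IP:192.0.2.10" \
        2>/dev/null &&
    openssl req -x509 -new -key "$dir/key.pem" -days 1 \
        -out "$dir/cn_only.pem" -subj "/CN=pam360.example.test" 2>/dev/null
}

# Report every name given on the command line against the certificate.
if [ "$#" -ge 2 ]; then
    pem=$1
    shift
    for name in "$@"; do
        if san_covers "$pem" "$name"; then
            echo "OK       $name"
        else
            echo "MISSING  $name"
        fi
    done
fi
```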

5. Managing Application Gateways

From the PAM360 Application Gateway page, you can efficiently manage the deployed Application Gateways in your environment. You can add or remove their configurations, associate or dissociate resources with them, edit the configuration details, and monitor the status of the tasks executed by the Application Gateways. Additionally, you can view the hostname or IP address of the machines where the Application Gateways are deployed, the resource type of host machines, and the description. This centralized configuration ensures seamless management of all the Application Gateways within your environment, enhancing usability and simplifying resource management. To access the PAM360 Application Gateway page, navigate to Admin >> PAM360 Gateways >> Application Gateway. You will see the list of Application Gateways deployed in your environment on the PAM360 Application Gateway page.

Follow these steps to manage the configured Application Gateways in your environment:

  1. Hover over the Application Gateway name to view key details, including its status, last sync time, and the number of ongoing tasks.
  2. Click the Settings icon under the Actions column and choose from the following options:
    1. Manage Resources - Associate or dissociate resources individually or in bulk with the selected Application Gateway.
    2. Task monitor - View the status of tasks executed or pending execution by the Application Gateway.
    3. Edit Application Gateway - Modify Application Gateway details such as the name, the hostname or IP address of the machine where it is deployed, and its description.
    4. While adding an Application Gateway configuration in the PAM360 interface, you can either copy the Configuration Key and save it manually as a text file with the file name applicationgateway.config, or simply use the Download Configuration File option to download the applicationgateway.config file to your machine.
      • Copy Configuration Key - Copy the configuration key required to configure the Application Gateway on the desired machine and enable secure communication with the PAM360 server.
      • Download Configuration File - Download the applicationgateway.config file containing the configuration necessary for the Application Gateway setup.
  3. Toggle the switch under the Status column beside the desired Application Gateway to enable or disable it as required.

To add an Application Gateway on the PAM360 Application Gateway page, explore the detailed steps provided in section 4.1. To delete an Application Gateway configuration, follow the steps detailed in section 8 (Deleting Application Gateways).

Note: Application Gateway configurations can be deleted only when all the resources associated with that Application Gateway have been dissociated.


5.1 Managing Session Recording Storage

The session playback option in the audit is available only for sessions whose recording files are stored in the destination path set under Session Recording Storage in the Session Configuration window. For remote sessions launched via Application Gateways, recording files are saved in <PAM360ApplicationGateway_Installation_Directory>/recorded_files folder by default. To enable playback for such sessions, you can perform either of the following:

  1. Configure a network path accessible to both the PAM360 server and the Application Gateway servers as the session recording directory. This allows files to be saved directly in the configured path and makes them immediately available for playback without manual intervention.
  2. Manually move the files from the default directory to the storage location configured under Session Recording Storage.

If you are configuring a common network path in the Session Configuration window, follow these steps to set it as the default directory for the Application Gateway:

  1. Stop the ManageEngine PAM360 - ApplicationGateway service.
  2. Navigate to the <PAM360ApplicationGateway_Installation_Directory>/conf folder, open the application.properties file using any text editor, and add the following entries:
    1. ag.session.recorded_files_primary_path=<Destination_Path>
    2. ag.session.recorded_files_secondary_path=<Destination_Path>
  3. Save the file and restart the ManageEngine PAM360 - ApplicationGateway service.

Notes:

  1. While specifying the destination directory, replace <Destination_Path> with the actual directory path. For example, ag.session.recorded_files_primary_path=/opt/ManageEngine/PAM360.
  2. While specifying the destination directory in Windows environments, always use double backslashes (\\) instead of single backslashes (\). For example, ag.session.recorded_files_primary_path=C:\\Program Files\\ManageEngine\\PAM360.
  3. While specifying the network path, if the directory where you wish to store the session recordings is \\JOHN-1234\recordings\primary, then the destination directory should be specified as \\\\JOHN-1234\\recordings\\primary.

5.2 Reconfigure Application Gateway

Follow these steps to reconfigure the Application Gateway setup:

  1. Navigate to the PAM360 Application Gateway page and click the Settings icon under the Actions column beside the desired Application Gateway you want to reconfigure.
  2. Select Edit Application Gateway from the displayed options.
  3. On the window that appears, click the Download button beside the Application Gateway Configuration File field to download the applicationgateway.config file to your machine.
  4. After downloading the applicationgateway.config file, follow these steps:
    1. Through Command Line Interface:
      • Copy the applicationgateway.config file to the <PAM360ApplicationGateway_Installation_Directory>/conf folder on the machine where the Application Gateway is installed, replacing the existing file, and execute the following commands:
        • systemctl restart pam360ApplicationGateway.service
        • systemctl start pam360ApplicationGateway.service
    2. Windows:
      • Navigate to the <PAM360ApplicationGateway_installation_Directory>\bin folder and execute the AGConfiguration.bat command.
      • Browse and upload the applicationgateway.config file downloaded from the PAM360 server and restart the ManageEngine PAM360 - ApplicationGateway service.
    3. Linux:
      • Navigate to the <PAM360ApplicationGateway_installation_Directory>/bin folder and execute the AGConfiguration.sh command.
      • Browse and upload the applicationgateway.config file downloaded from the PAM360 server and restart the ManageEngine PAM360 - ApplicationGateway service by executing the systemctl restart pam360ApplicationGateway.service command.

If you have updated the PAM360 server certificate in your environment, you should update the new certificate on all deployed Application Gateways to ensure seamless and uninterrupted communication. Follow the steps below to update the PAM360 server certificate on the machines where the Application Gateways are installed:

  1. Stop the Application Gateway service.
  2. Copy the updated PAM360 server certificate to the machine where the Application Gateway is deployed.
  3. Navigate to the <PAM360ApplicationGateway_Installation_Directory>/bin folder and execute the following command to import the PAM360 server certificate to the Application Gateway server.
    • Windows - importCert.bat <Certificate_Path>
    • Linux - sh importCert.sh <Certificate_Path>
  4. Restart the Application Gateway service.

5.3 Managing Application Gateway Encryption Keys

All communication between the PAM360 server and the Application Gateway is encrypted using AES-256 to secure sensitive information. Additionally, authentication tokens are used to authenticate and authorize communication between PAM360 and the Application Gateway, ensuring secure access and preventing unauthorized connections. These authentication tokens are automatically generated and unique to each Application Gateway installation. By default, these authentication tokens are stored in the appgateway.key and authed.keystore files within the <ApplicationGateway_Installation_Directory>/conf folder. Follow these steps if you want to store these files outside the machine where the Application Gateway is installed:

  1. Stop the Application Gateway service on the machine where it is deployed.
  2. Move the files to the desired location.
  3. After moving these files, open the application.properties file using any text editor, and enter the full path to the new file locations in the key-value format, as shown below:
    1. Add a new entry as ag.ed.keypath and specify the full path to the appgateway.key file as its value. E.g., ag.ed.keypath=<Full_Path_to_appgateway.key_file>
    2. Add a new entry as ag.default.auth.keystore.path and specify the full path to the authed.keystore file as its value. E.g., ag.default.auth.keystore.path=<Full_Path_to_authed.keystore_file>
  4. Restart the Application Gateway service.

You can move these files to another machine within the network, a network drive, or an external USB device. Ensure that the Application Gateway server has read access to the specified paths every time the service is started.
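
Sections 5.1 and 5.3 both edit application.properties: 5.1 with backslash-escaped recording paths, 5.3 with the relocated key file paths. The following is an added example, not part of the product or its documentation, showing an idempotent way to write those entries on a Linux gateway. The function names, the 700/600 permissions (which assume the service account runs the script and owns the destination) and the sample directories are assumptions.

```sh
#!/bin/sh
# Added example: maintain the application.properties entries from sections
# 5.1 and 5.3. Stop the Application Gateway service before calling these
# functions and restart it afterwards, as the documented steps require.

# Double every backslash, as the notes in 5.1 require for Windows and UNC
# paths (\\HOST\share becomes \\\\HOST\\share). POSIX paths are unchanged.
props_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g'
}

# set_prop FILE KEY VALUE: replace any existing KEY line, or append one, so
# repeated runs never leave duplicate or stale entries behind.
set_prop() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v k="$key" '{
        name = $0
        sub(/=.*/, "", name)                 # text before the first "="
        gsub(/^[ \t]+|[ \t]+$/, "", name)    # trim surrounding blanks
        if (name != k) print                 # keep every other line
    }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"                     # keeps the file's owner and mode
    rm -f "$tmp"
}

# set_recording_paths CONF_DIR PRIMARY SECONDARY (section 5.1).
set_recording_paths() {
    props="$1/application.properties"
    set_prop "$props" ag.session.recorded_files_primary_path \
        "$(props_escape "$2")" &&
    set_prop "$props" ag.session.recorded_files_secondary_path \
        "$(props_escape "$3")"
}

# relocate_keys CONF_DIR DEST_DIR (section 5.3): move appgateway.key and
# authed.keystore, then record their new full paths. Nothing is moved unless
# both files are present, so a partial relocation cannot happen.
relocate_keys() {
    conf=$1 dest=$2
    for f in appgateway.key authed.keystore; do
        [ -f "$conf/$f" ] || { echo "missing: $conf/$f" >&2; return 1; }
    done
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    for f in appgateway.key authed.keystore; do
        mv "$conf/$f" "$dest/$f" && chmod 600 "$dest/$f" || return 1
    done
    set_prop "$conf/application.properties" ag.ed.keypath \
        "$dest/appgateway.key" &&
    set_prop "$conf/application.properties" ag.default.auth.keystore.path \
        "$dest/authed.keystore"
}

# Demonstration on a constructed directory tree (no real installation is
# touched). The UNC path is used only to show the escaping rule.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/conf"
    echo constructed > "$root/conf/appgateway.key"
    echo constructed > "$root/conf/authed.keystore"
    relocate_keys "$root/conf" "$root/keys" &&
        set_recording_paths "$root/conf" \
            '\\JOHN-1234\recordings\primary' \
            '\\JOHN-1234\recordings\secondary' &&
        cat "$root/conf/application.properties"
    rm -rf "$root"
}

if [ "${1:-}" = demo ]; then demo; fi
```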

6. Managing Resources with Application Gateway

Before you can manage the privileged resources that are not directly accessible from the PAM360 server, you should first associate them with the deployed Application Gateways. Conversely, you can dissociate a resource from an Application Gateway if you do not wish to manage that resource using that specific gateway. This section covers the detailed steps to associate or dissociate the privileged resources available within your environment with the deployed Application Gateways.

6.1 Mapping Individual Resources

PAM360 allows you to associate individual resources with an Application Gateway in two different ways: from the Resources tab and the PAM360 Application Gateway page.

Follow these steps to associate a resource with an Application Gateway from the Resources tab:

  1. Navigate to the Resources tab and click the Resource Actions icon beside the desired resource you wish to associate with an Application Gateway.
  2. From the displayed options, select Associate >> Application Gateway.
  3. On the Associate Resource window, select the desired Application Gateway from the drop-down field and click Save.

Follow these steps to associate a resource with an Application Gateway from the PAM360 Application Gateway page:

  1. Navigate to Admin >> PAM360 Gateways >> Application Gateway.
  2. You will see the list of Application Gateways deployed in your environment on the PAM360 Application Gateway page.
  3. Click the Settings icon under the Actions column beside the desired Application Gateway to which you wish to associate resources.
  4. Select Manage Resources from the displayed options.
  5. In the Manage Resources window, you will see the list of all the resources available in your environment along with the relevant details such as the Resource Name, Resource Type, DNS Name, and its Status. You can use the filter option to view all resources, resources already associated with the selected Application Gateway, or unassociated resources, making it easier to identify the desired resources for association.
  6. Click the Associate Resource or Dissociate Resource button beside the desired resource to associate or dissociate them with the selected Application Gateway.
  7. Alternatively, select the desired resources you wish to associate or dissociate from the Application Gateway and click the Associate or Dissociate button on the Top pane.

6.2 Managing Resources in Bulk

PAM360 provides the flexibility to associate or dissociate the resources available in your environment with the desired Application Gateway in a single operation. The bulk mapping feature simplifies the process by allowing administrators to associate or dissociate either all the resources or only those matching specific criteria with an Application Gateway. Follow these steps to associate or dissociate resources in bulk with an Application Gateway:

  1. On the PAM360 Application Gateway page, click the Settings icon under the Actions column beside the desired Application Gateway to which you wish to associate resources.
  2. Select Manage Resources from the displayed options.
  3. In the Manage Resources window that appears, click the Bulk Actions drop-down button on the top pane, and select the Associate or Dissociate option based on your requirement. From the displayed options, choose one of the following:
    1. All - Choose this option to associate all the resources in your environment to the selected Application Gateway server.
    2. Criteria - Choose this option to associate resources with the selected Application Gateway based on specific criteria.
  4. To associate all resources with the selected Application Gateway, select Bulk >> Associate >> All Resources. You will see the Bulk Associate window with the list of all the resources in your environment that will be associated with the selected Application Gateway. Verify the resources and click the Associate button to associate all the resources in your environment.
  5. To dissociate resources, select Bulk >> Dissociate >> All on the Manage Resources window, and the list of resources currently associated with the selected Application Gateway will be displayed on the Bulk Dissociate window. Click the Dissociate button to dissociate all the resources from the selected Application Gateway.
  6. Alternatively, if you choose to associate or dissociate resources based on criteria, you can define the criteria using various resource parameters such as resource name, resource type, DNS name, resource description, and domain name. After defining the criteria, click the Associate or Dissociate button. The resources matching the specified criteria will be associated with or dissociated from the selected Application Gateway.

Notes:

  1. A resource can be mapped with only one Application Gateway.
  2. Resources managed using the PAM360 agent or a landing server cannot be associated with an Application Gateway.

7. Task Monitoring and Audit Logs

PAM360 provides comprehensive visibility into tasks executed by the Application Gateways. Administrators can track the task status from the Task Monitor window and configure resource audits for all the operations performed by Application Gateways. The Task Monitor provides real-time visibility into resource discovery, account discovery, and password management activities executed via the deployed Application Gateway. In addition, a detailed audit trail is maintained on the Resource Audits page, capturing all gateway-related events. Administrators can also fine-tune the audit preferences to log only specific gateway-related operations and set up email notifications for critical events. This section covers the Task Monitor window, detailed steps to review audit records, and the detailed steps to configure audit settings specific to Application Gateway-related operations.

7.1 Application Gateway Task Monitor

The status of all the tasks executed by the Application Gateways can be tracked from the Task Monitor window available on the PAM360 Application Gateway page. Follow these steps to access the Task Monitor window:

  1. Navigate to Admin >> PAM360 Gateways >> Application Gateway.
  2. On the PAM360 Application Gateway page, click the settings icon under the Actions column beside the desired Application Gateway.
  3. On the drop-down menu that appears, select Task Monitor from the displayed options.
  4. The Task Monitor window provides a detailed list of all the tasks executed by the selected Application Gateway, including the following details: Task Name, Resource Name, Account Name, Status, Start Time, and End Time. The window also includes Search and Filter options to help you locate specific tasks efficiently.

7.2 Viewing Executed Tasks in Resource Audits

All operations executed by the Application Gateway, including password resets, verifications, and periodic tasks, are recorded on the Resource Audits page, providing a comprehensive log with relevant information. The resource audits include a new column titled Executed By, which administrators can add to the Resource Audits page using the Custom Column Chooser. This column indicates whether the task was executed by the PAM360 server or by a deployed Application Gateway, along with the name of the gateway that performed the action. Administrators can use the Search and Filter options on the Resource Audits page to find the specific tasks executed by an Application Gateway. Refer to the PAM360 documentation on resource audits for more details.

7.3 Configuring Resource Audits for Application Gateway

PAM360 offers the flexibility to record audit trails only for specific events related to the Application Gateways, such as when an Application Gateway is added, deleted, enabled, disabled, modified, or down, based on your requirements. By default, the audit trails for all these events are enabled. Refer to the PAM360 documentation on managing resource audits and notifications for more details.

8. Deleting Application Gateway Servers

PAM360 allows you to remove an existing Application Gateway configuration when it is no longer required for managing remote resources. Follow these steps to delete an Application Gateway configuration from the PAM360 console:

  1. Navigate to Admin >> PAM360 Gateways >> Application Gateway.
  2. On the PAM360 Application Gateway page, select the desired Application Gateway configuration you wish to delete and click the Delete button on the top pane.
  3. In the Delete Application Gateway window, review the Application Gateway details and click the Delete button to delete the selected Application Gateway.

Notes:

  1. If there are resources associated with an Application Gateway, you must dissociate them before attempting to delete the Application Gateway. Application Gateways with associated resources cannot be deleted from the PAM360 console.
  2. Deleting the Application Gateway from the PAM360 console only removes its configuration from the application. You must manually uninstall the Application Gateway from the machine where it was originally installed.

9. Emergency Measures

To protect against potential attack vectors, administrators can restrict the Application Gateway's access to the PAM360 server by disabling it. This measure is especially useful if the server or network where the Application Gateway is deployed is compromised, as it helps prevent unauthorized communication with the PAM360 server. Follow these steps to disable the Application Gateway's access to the PAM360 server:

  1. Navigate to Admin >> Server Hardening >> Emergency Measures.
  2. On the Emergency Measures page, tick the checkbox beside the Disable Application Gateway Access field to disable all the Application Gateways deployed in your environment from communicating with the PAM360 server.

10. Troubleshooting Tips

1. Why do I see the Setup Interrupted error message during the Application Gateway configuration?

The Setup Interrupted error message is displayed when an invalid PAM360 server certificate is uploaded during the Application Gateway configuration. Follow the steps given below to resolve this issue:

  1. Click the Show Hidden Icons option in the bottom right corner of the Taskbar.
  2. Right-click on the Application Gateway tray icon and select Edit Application Gateway Configuration from the displayed options. You will see the Application Gateway configuration window.
  3. Click the Browse button beside the PAM360 Server Certificate field and upload a valid certificate from the machine.
  4. Click Save and complete the setup.

2. Why is the Application Gateway in an inactive state?

The Application Gateway may appear in an inactive state due to one of the following reasons:

  1. If there is no active network connection between the PAM360 server and the Application Gateway, the status may show as inactive. To resolve this issue:
    1. Ensure that the machine where the Application Gateway is installed has a stable network connection.
    2. Verify that the PAM360 server is reachable from the Application Gateway host (you can use the ping command to test basic reachability and the telnet command to test connectivity on the required port).
    3. Confirm that no firewall or proxy is blocking the communication between the two components.
  2. If the service associated with the Application Gateway is stopped or not responding, it will be marked as inactive. To resolve this issue:
    1. Click the Show Hidden Icons option in the bottom-right corner of the Taskbar.
    2. Locate the Application Gateway tray icon, right-click it, and select Start Application Gateway.
    3. If the tray icon is not visible, open the Services console (services.msc), search for the ManageEngine PAM360 - ApplicationGateway service, and start it manually.
    4. If the Application Gateway is installed on a Linux machine, execute the following commands:
      • To check the status of the Application Gateway service - systemctl status pam360ApplicationGateway.service
      • To start the Application Gateway service - systemctl start pam360ApplicationGateway.service
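
The two causes in tip 2, checked together on a Linux gateway host. This script is an added example, not ManageEngine tooling: it reads the unit state with systemctl is-active, attempts a TCP connection to the PAM360 server, and reports which cause applies. The function names and the 5-second timeout are assumptions; port 8288 is the default named in the prerequisites, so pass the custom port if one was configured.

```shell
#!/bin/sh
# Added example: triage for an "inactive" Application Gateway on a Linux host.
# Usage: sh gw_check.sh <pam360-server-host> [port]   (file name is an assumption)

SERVICE="pam360ApplicationGateway.service"   # unit name as given on the page

# Print the unit state (active, inactive, failed, ...) or "unknown" when
# systemctl is missing or returns nothing.
service_state() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    state=$(systemctl is-active "$SERVICE" 2>/dev/null) || true
    echo "${state:-unknown}"
}

# Attempt a TCP connection to host:port, giving up after 5 seconds.
# Uses bash's /dev/tcp, so no telnet or nc package is needed on the host.
port_state() {
    if timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# Map the two observations onto the causes listed in the troubleshooting tip.
diagnose() {
    svc=$1
    net=$2
    case "$svc:$net" in
        active:open) echo "OK: service running and PAM360 server reachable" ;;
        active:*)    echo "NETWORK: service running but PAM360 port not reachable; check connectivity, firewall and proxy" ;;
        *:open)      echo "SERVICE: PAM360 port reachable but service is $svc; start it with systemctl start $SERVICE" ;;
        *)           echo "BOTH: service is $svc and PAM360 port not reachable" ;;
    esac
}

main() {
    host=$1
    port=${2:-8288}            # page default; override if a custom port is set
    svc=$(service_state)
    net=$(port_state "$host" "$port")
    echo "service=$svc tcp($host:$port)=$net"
    diagnose "$svc" "$net"
}

# Run the checks only when a PAM360 server host is supplied.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

A NETWORK result with the service active points at the first cause (connectivity, firewall, or proxy); a SERVICE result points at the second.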
