Auto Logon Helper
PAM360 stores the passwords of remote systems and applications. Normally, organizations use tools such as remote desktop applications, PuTTY or SecureCRT to connect to remote target systems. PAM360's Auto Logon Gateway feature provides an option to connect automatically to the remote target systems and applications without the need to handle passwords in plaintext.
2. How the Auto Logon Gateway Feature Works
PAM360 comes bundled with RDP, SSH, and SQL gateway engines. This feature allows users to launch remote terminal sessions from within their browser. All sessions invoked from the Connections tab are initiated and tunneled through the PAM360 server. This allows administrators to disable RDP, SSH, and SQL permissions on end user systems such as laptops and desktops while still allowing users to reach the target systems through tunneled remote sessions. The remote terminal sessions are emulated inside the browser tab, so there is no need to install any plug-in or agent on the endpoints. The only requirement is that the browser be HTML5 compatible (for example, IE 9 or above, Firefox 3.5 or above, Safari 4 or above, and Chrome).
As soon as an administrator adds a resource that supports one of these remote terminal session types, the feature becomes available to all users in the system who have access to that resource, with no further configuration anywhere. In addition, the Connections tab will allow users to easily locate remote accounts and launch a session with a single click. The entries in the Connections page with the names RDP and VNC Connections, SSH Connections, and SQL Connections belong to this type and come bundled with the product.
3. How to Set Up Auto Logon Gateway
You can set up Auto Logon Gateway in three ways:
- RDP and VNC Connections
- SSH Connections
- SQL Connections
3.1 RDP and VNC Connections
- All Windows systems can be automatically connected to an RDP session. To log into a Windows resource, you need to configure either a domain account or a local account that can be used by users to authenticate and launch a Windows RDP session with the remote host. Alternatively, an administrator can also allow users to launch RDP sessions using their AD account with which they have logged into the PAM360 vault.
- To configure a domain account, go to the Resources tab and select the desired resource(s).
- Click Resource Actions >> Configure >> Auto Logon Helper from the drop-down.
- In the Configure Auto Logon Helper window that opens, configure the domain account by choosing the required domain from the Domain Name drop-down and specifying the Username and the RDP Port for Auto Logon.
- Click Save.
- Once you have configured your domain account, it will appear under the Connections tab as shown below:
- To customize the port for RDP and VNC for each resource, go to the Resources tab, select the desired resource(s) and click Resource Actions >> Edit Resource.
- In the Edit Resource window that opens, enter the RDP and VNC ports in the respective fields, and click Save.
3.2 SSH Connections
- Any SSH based device such as Linux servers or network devices can be added into PAM360 as a resource. This allows administrators and other users to connect to the target system via a remote SSH session.
- You can configure the SSH port on which the SSH service is listening on the remote host. PAM360 will use this port to launch the session. To do this, navigate to the Resources tab, select the desired resource(s), and choose Resource Actions >> Edit Resource from the drop-down beside the resource(s).
- In the Edit Resource window that opens, enter the SSH port through which you want to connect to the remote system, and click Save.
- The end users will be able to launch SSH sessions using the local SSH accounts that are shared with them by the administrators.
3.3 SQL Connections
You can add a database instance as a resource in PAM360 to enable remote connections. This feature is supported for PostgreSQL and MS SQL databases. Note that SQL connections are CLI based, meaning they allow users to execute queries to perform operations.
- To configure an SQL connection for remote sessions, navigate to the Resources tab, click Resource Actions next to the SQL resource and select Configure Remote Password Reset.
- Specify the port number to be used for the SQL connection. The SQL session will be initiated on this port with the account that is shared with the users.
3.4 Port Requirements for Client Access
- The Windows RDP Auto Logon Gateway listens on port 8283 on the PAM360 server by default. This is a secure WebSocket port (wss://), and you must allow traffic to this port from the end user machines for this feature to work.
- You can change this port by navigating to Admin >> Configuration >> PAM360 Server.
- In the new window that opens, switch to Auto Logon tab and then enter the port in the Remote Desktop Gateway Port field.
- The PAM360 web server (port 8282 on the PAM360 server by default) and this gateway must listen on different ports. The SSH and Telnet Gateways have no such requirement, as they use the same PAM360 web server port for all communication.
Note: When PAM360 is installed, it generates a self-signed SSL certificate for the instance, which is also used by the Auto Logon Gateway to encrypt the traffic. It is recommended that you apply a CA-signed certificate to the PAM360 instance before opening it up to end users. With a self-signed certificate, connecting to the gateway is not possible unless users explicitly enter the gateway port in the URL, accept the warning and install the self-signed certificate. (For steps to generate a unique SSL certificate, refer to this section of our site).
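A pre-rollout check for the two requirements above, written as an added example that is not ManageEngine's code: it confirms the web server and gateway ports differ and opens a TLS connection to the gateway port with the OS trust store, exactly as an end user's browser would, so a self-signed certificate shows up as "untrusted-cert" before users hit the warning. The host name is a placeholder; the port defaults are the ones the page states.

```python
"""Pre-rollout check for the PAM360 Auto Logon Gateway (added example)."""
import socket
import ssl

DEFAULT_WEB_PORT = 8282      # PAM360 web server default, per the docs
DEFAULT_GATEWAY_PORT = 8283  # RDP Auto Logon Gateway default (wss://)


def check_port_config(web_port: int, gateway_port: int) -> list:
    """Return configuration problems; the gateway must not share the web port."""
    issues = []
    for name, port in (("web", web_port), ("gateway", gateway_port)):
        if not 1 <= port <= 65535:
            issues.append(f"{name} port {port} is out of range")
    if web_port == gateway_port:
        issues.append("web server and gateway must listen on different ports")
    return issues


def classify_tls_error(exc: BaseException) -> str:
    """Map a connection failure to the symptom an end user would see."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted-cert"   # browser warning: self-signed or unknown CA
    if isinstance(exc, ssl.SSLError):
        return "tls-error"        # handshake failed for another reason
    if isinstance(exc, OSError):
        return "unreachable"      # refused, timed out, or blocked by a firewall
    return "unknown"


def probe_gateway_tls(host: str, port: int = DEFAULT_GATEWAY_PORT,
                      timeout: float = 5.0) -> str:
    """Connect with the OS trust store and hostname checking, like a browser.
    Returns "ok" when the gateway certificate is trusted, else a classification."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # chain already verified by the handshake
        return "ok"
    except Exception as exc:  # classify every failure rather than crash
        return classify_tls_error(exc)


if __name__ == "__main__":
    import sys
    # placeholder host; pass the real PAM360 server name as argv[1]
    host = sys.argv[1] if len(sys.argv) > 1 else "pam360.example.internal"
    print(check_port_config(DEFAULT_WEB_PORT, DEFAULT_GATEWAY_PORT) or "ports ok")
    print("gateway TLS:", probe_gateway_tls(host))
```

Run it from an end user network segment, not from the PAM360 server itself, so the "unreachable" result also reflects the firewall path the clients will actually use.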
4. Invoking Auto Logon Through Gateway
As soon as an administrator adds a resource that supports one of the three remote terminal session types (Windows RDP, SSH and SQL sessions), the feature becomes available to all users in the system who have access to that resource, with no further configuration anywhere. The Connections tab will allow users to easily locate remote accounts and launch a session with a single click.