SSH Proxy for Remote Connections

PAM360 Remote Connect is a native desktop application that allows users to launch secure remote sessions to target systems using credentials managed in PAM360. By default, the Remote Connect application establishes a direct connection from the user’s machine to the target endpoint. While effective, this approach may not align with strict security policies that require network isolation between end-user devices and critical systems. To avoid direct communication between the PAM360 Remote Connect application and the target endpoints during remote sessions, configure the SSH proxy available in PAM360 for the PAM360 Remote Connect application. When configured, all remote connect requests are routed through a designated proxy resource managed within PAM360, ensuring better network control, reduced attack surface, and improved compliance with organizational security standards.

This document outlines the required roles, the prerequisites, and the SSH proxy configuration in the PAM360 web interface:

  1. Roles and Permissions
  2. Prerequisites
  3. Configuring SSH Proxy for PAM360 Remote Connect

1. Roles and Permissions

By default, users with the Privilege Administrator and Administrator user roles can configure SSH proxy for PAM360 Remote Connect in PAM360. Additionally, users with the Configure SSH Proxy privilege enabled in their user role can configure the SSH proxy.

2. Prerequisites

The following prerequisites must be met for the SSH proxy to provide a secure remote connection:

  1. Add the endpoint that will act as the proxy between the PAM360 Remote Connect and the target machine as a resource in PAM360.
  2. The user machine on which PAM360 Remote Connect is installed must be able to communicate with the PAM360 server.
  3. Similarly, the PAM360 server must be able to communicate with the resource configured as a proxy, and the proxy resource must be able to communicate with the target endpoints.
  4. When configuring a Windows resource as an SSH proxy, ensure that the OpenSSH Server runs as a service on the Windows resource. This requirement does not apply to Linux resources, as they have the OpenSSH Server running by default.
  5. For a successful connection between machines installed with the Remote Connect application and the PAM360 server configured with SSH Proxy for Remote Connect, ensure that the TCP ports 50100 to 50300 are open. Contact our support team to opt for a customized port range.
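
A preflight check for prerequisite 5, run from a machine that has Remote Connect installed. This is an added example, not ManageEngine code. The host name is a placeholder, and it assumes that a refused connection means the path is open with nothing listening on that port at the moment, while a timeout points to a firewall dropping the traffic:

```python
"""Check that TCP 50100-50300 on the PAM360 server is reachable from this
machine. Added example; the default host name below is a placeholder."""
import errno
import socket
import sys
from collections import Counter

PORT_RANGE = range(50100, 50301)  # 50100 to 50300 inclusive (prerequisite 5)


def classify_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    open     - handshake completed, something is listening
    closed   - connection refused: the host answered, nothing listens now
    filtered - no answer or unreachable: typically a firewall drop
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise  # e.g. DNS failure: report it instead of guessing


def check_range(host, ports=PORT_RANGE, timeout=1.0):
    """Classify every port; return (state counts, sorted filtered ports)."""
    results = {p: classify_port(host, p, timeout) for p in ports}
    filtered = sorted(p for p, state in results.items() if state == "filtered")
    return Counter(results.values()), filtered


if __name__ == "__main__":
    # Placeholder host; pass the real PAM360 server name as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "pam360.example.internal"
    counts, filtered = check_range(host)
    print(f"{host}: {dict(counts)}")
    if filtered:
        print(f"filtered, check firewall rules: {len(filtered)} ports, "
              f"first {filtered[0]}, last {filtered[-1]}")
        sys.exit(1)
```

The ports are probed one at a time, so a fully filtered range takes roughly 201 times the timeout to report.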

3. Configuring SSH Proxy for PAM360 Remote Connect

Note: To bind the necessary ports to PAM360's IP address or FQDN instead of the default 'localhost', we recommend adding the system property sshtunnel.tunnelapi.bindaddress=<PAM360 Installed Server's IP or FQDN> to the system_properties.conf file, which is located in the conf folder of the PAM360 installation directory.

To configure the SSH proxy for PAM360 Remote Connect from the PAM360 web interface, follow these steps:

  1. Log in to PAM360 and navigate to Admin >> PAM360 Gateways >> SSH Proxy - Remote Connect.
  2. In the pop-up that opens, select the resource that acts as an SSH proxy in the Resource Name dropdown.

    Note: You can set the PAM360 installed server/resource as the SSH proxy resource. However, you cannot set the Windows Domain Server as an SSH proxy.

  3. Select an account from the Account Name dropdown, which is used to access the above-selected resource.
  4. Click Save to make the selected resource act as an SSH proxy between the PAM360 server and the target endpoints.


