Deploy the HTML5 gateway for PSM
This topic provides an overview and the system requirements for deploying the HTML5 gateway for PSM.
Overview
You can configure PSM to provide secure remote access to a target machine through an HTML5 gateway. The HTML5 gateway tunnels the session between the end user and the PSM machine using a secure WebSocket protocol (port 443). Rather than opening an RDP connection, the end user requires only a web browser to establish a connection to a remote machine through PSM.
Live session monitoring, by an authorized auditor, is also performed through the HTML5 gateway.
Secure access through HTML5 requires running an HTML5 gateway Docker container on a Linux server. The gateway uses Apache Guacamole software for this.
You can configure each PSM server to work with an HTML5 gateway. Multiple PSM servers can work with the same gateway or with different gateways. When an end user connects with an account, the PVWA redirects the connection through the gateway that is configured for the PSM server.
You can deploy farms of PSM HTML5 gateway servers behind a load balancer. When adding a configured PSM gateway server, use the relevant farm's virtual IP (VIP) in the Address parameter. For more information, see Add the PSM HTML5 gateway server.
Pre-installation considerations
- Make sure you can log into the PSM HTML5 gateway host machine with a user who has sudo permissions.
- Make sure you can log into PAM - Self-Hosted as a user with administrative permissions.
- Make sure RDP connections between the PSM HTML5 gateway host machine and the PSM server are allowed. This is usually through TCP port 3389.
- Make sure to use the same name for multiple gateways. If you plan to install more than one HTML5 gateway instance for high availability, you will need to use the same name in the installation process.
PSM HTML5 gateway limitations
The gateway does not support:
- Smart card redirection
- Printer redirection
- Connections to target systems where NLA is enabled on the PSM server
Installation modes
You can install the HTML5 gateway for PSM and the Remote Access connector Docker containers side-by-side on the same host, or standalone on separate hosts. Each mode of installation has its own considerations.
- More efficient resource and performance consumption
- The HTML5 gateway for PSM is available for any connections from the PVWA, not only those from Remote Access.
- You can use copy file capabilities with multiple standalone HTML5 gateways for PSM by configuring the load balancer with sticky sessions so that all requests for a particular user session are routed through the same HTML5 gateway for PSM.
For details about installing a standalone HTML5 gateway for PSM, see Install the HTML5 gateway for PSM (standalone).
- Minimal on-prem customer footprint
- The HTML5 gateway for PSM is only accessible via Remote Access initiated sessions.
- Copy file capabilities are not available if you have more than one host with the Remote Access connector and HTML5 gateway for PSM installed.
- Requires Ubuntu 18.04, 20.04, 22.04 or Red Hat Linux 7.x, 8.x
For details about installing a side-by-side HTML5 gateway for PSM, see Install the HTML5 Gateway for PSM (side-by-side).
If you are using multiple connectors with HTML5 gateway in a side-by-side configuration, consider the following:
- The HTML5 gateway needs to be installed on both connectors.
- Make sure you use the same name and hostname for all HTML5 gateway instances. Using the same names ensures end users are directed to the intended domain. To do this, make sure that the data entered for the Nested Application in the Remote Access portal corresponds to the data entered for the PSM Gateway Server in the PVWA.
- The same certificates should be used for all HTML5 gateway instances.
- Copy file capabilities are not available when using multiple connectors with HTML5 gateway in a side-by-side configuration.
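The pre-installation considerations (sudo on the gateway host, RDP reachability to the PSM server) and the operating system list given for side-by-side mode can be checked on the gateway host before installing. The following script is an added example, not vendor code. The function names are hypothetical, the PSM server address is supplied as an argument, and the port defaults to the TCP 3389 mentioned above.

```bash
#!/usr/bin/env bash
# Added example: preflight for a PSM HTML5 gateway host. Not vendor code.
# Usage: ./preflight.sh <psm-server-address> [rdp-port]

# Return 0 if the distro ID/version pair is on the page's list:
# Ubuntu 18.04, 20.04, 22.04 or Red Hat Linux 7.x, 8.x.
os_supported() {
  local id="$1" version="$2"
  case "$id" in
    ubuntu)
      case "$version" in
        18.04|20.04|22.04) return 0 ;;
      esac ;;
    rhel)
      case "${version%%.*}" in   # compare the major version only
        7|8) return 0 ;;
      esac ;;
  esac
  return 1
}

# Return 0 if a TCP connection to host:port opens within 3 seconds.
tcp_reachable() {
  local host="$1" port="${2:-3389}"
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
}

# Run all checks in a subshell; exit status is 0 only if every check passes.
preflight() (
  psm="$1"; port="${2:-3389}"; rc=0
  # /etc/os-release defines ID and VERSION_ID on Ubuntu and Red Hat.
  [ -r /etc/os-release ] && . /etc/os-release
  report() { printf '%-4s %s\n' "$1" "$2"; [ "$1" = OK ] || rc=1; }
  if os_supported "${ID:-}" "${VERSION_ID:-}"; then report OK "OS ${ID} ${VERSION_ID}"
  else report FAIL "OS ${ID:-unknown} ${VERSION_ID:-} is not on the supported list"; fi
  # sudo -v validates the current user's sudo rights (may prompt for a password).
  if sudo -v; then report OK "sudo available for $(id -un)"
  else report FAIL "current user has no sudo permissions"; fi
  if tcp_reachable "$psm" "$port"; then report OK "RDP reachable at ${psm}:${port}"
  else report FAIL "cannot open TCP ${port} to ${psm}"; fi
  exit "$rc"
)

# Only run the checks when a PSM server address is given.
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A FAIL on the RDP check points at a firewall or routing rule between the gateway host and the PSM server rather than at the gateway itself.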