Architecture
This topic describes how users can connect to target systems through Privileged Session Manager (PSM).
Overview
Users can connect through the PVWA portal, or alternatively through PSM for Windows, that is, directly from their desktops using any standard RDP client application, such as MSTSC, different Connection Managers or an RDP file.
By default, the user connects to the PSM machine over port 3389 using the RDP protocol. The RDP connection is what remote access through PSM requires, but this port is usually not open in the corporate firewall, and in some environments opening it is not permitted.
You can configure PSM to provide secure remote access to a target machine through an HTML5 gateway when connecting with the PVWA portal. The HTML5 gateway tunnels the session between the end user and the PSM machine using a secure WebSocket protocol (port 443). This eliminates the requirement to open an RDP connection from the end user's machine. Instead, the end user only requires a web browser to establish a connection to a remote machine through PSM.
Alternatively, PSM can be configured to work with the Microsoft Remote Desktop Gateway (RDGateway) which tunnels the RDP session between the user and the PSM machine using the HTTPS protocol (port 443). This provides a secure connection without needing to open the firewall. All information that is transferred between the user and the PSM machine is encrypted and protected by the HTTPS protocol, which enables secure cross-network and remote access.
For more information about Microsoft Remote Desktop Gateway, refer to Microsoft's official documentation.
For details, see:
- Secure RDP Connections with SSL
- Secure Access with an HTML5 Gateway
- Secure Remote Access using a Remote Desktop Gateway
- SSH Commands Access Control
Connect through the web portal (PVWA)
This section describes how a connection to a monitored target session is established through the PVWA.
- The user begins the logon process by logging onto the PVWA, selecting the account to use to log onto the target system, and the native protocol to use for this connection. With these selections, the user requests to connect transparently to the target system.
- The PVWA redirects the user to the PSM server that will allow access to the desired target system.
- The user is connected to the PSM server using the RDP protocol. SSL can be enabled for enhanced security.
- PSM fetches the account credentials for accessing the target system from the Vault.
- PSM connects to the target system with the fetched credentials, using the native protocol chosen by the user.
- The activities that are performed in the privileged session are recorded by PSM and uploaded to the Vault, where they can be accessed and viewed by auditors and other authorized users.
Connect through PSM for Windows
- The user configures an RDP client application (such as MSTSC, different connection managers, an RDP file, or any other standard RDP client) which is installed on their desktop to connect to a target system through PSM.
- The user is requested to authenticate with their Vault credentials. This is because the connection is made through PSM. Once authorized, the user is connected to the PSM server using the RDP protocol. SSL can be enabled for enhanced security.
- PSM fetches the account credentials for accessing the target system from the Vault.
- PSM connects to the remote machine with the fetched credentials, using the native protocol chosen by the user.
- The activities that are performed in the privileged session are recorded by PSM and uploaded to the Vault where they can be accessed and viewed by auditors and other authorized users.
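As an added example (not part of the original documentation), the PowerShell snippet below writes an RDP file for the PSM for Windows flow above that reaches the PSM server only through a Remote Desktop Gateway on 443, as described in the Overview, and refuses to connect if the server certificate cannot be validated. All host names, the account, the target address and the connection component ID are placeholders; the `psm /u /a /c` alternate-shell syntax is assumed to match the PSM connect syntax CyberArk documents for your version.

```powershell
# Added example: build a PSM for Windows .rdp file that tunnels through an
# RD Gateway (HTTPS/443) instead of exposing RDP/3389 at the perimeter.
# Every value below is a placeholder (assumption), not a value from the page.
$PsmHost     = 'psm01.corp.example'     # placeholder PSM server name
$GatewayHost = 'rdgw.corp.example'      # placeholder RD Gateway reachable on 443
$TargetUser  = 'administrator'          # placeholder account stored in the Vault
$TargetAddr  = 'srv01.corp.example'     # placeholder target machine
$Component   = 'PSM-RDP'                # placeholder PSM connection component ID
$OutFile     = Join-Path $env:USERPROFILE "Desktop\psm-$TargetAddr.rdp"

$rdp = @"
full address:s:$PsmHost
gatewayhostname:s:$GatewayHost
gatewayprofileusagemethod:i:1
gatewayusagemethod:i:1
authentication level:i:1
enablecredsspsupport:i:1
prompt for credentials:i:1
alternate shell:s:psm /u $TargetUser /a $TargetAddr /c $Component
"@

# gatewayusagemethod 1 = always go through the gateway (no direct 3389 attempt).
# authentication level 1 = do not connect if server authentication fails, so a
# spoofed PSM or gateway certificate aborts the session instead of warning.
# prompt for credentials 1 = the user is asked for Vault credentials, matching
# the authentication step in the PSM for Windows flow.
Set-Content -Path $OutFile -Value $rdp -Encoding ASCII
Write-Host "Wrote $OutFile; launch it with mstsc to connect via PSM."
```

Keep the RDP file free of saved credentials: with `prompt for credentials:i:1` the Vault logon is requested at connect time and never stored on the desktop.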