Configure ad hoc connections

PAM - Self-Hosted enables users to connect securely to remote machines through the PSM from their own workstations using all types of accounts, including accounts that are not managed in PAM - Self-Hosted.

  • When using ad hoc connections, some of the PSM security benefits are lost, because the privileged credentials used to connect are neither secured nor vaulted. Whenever possible, take the more secure approach of storing the credentials in the Vault and using standard PSM connections.
  • SSH keys cannot be used with unmanaged accounts through the ad hoc connection capability.

Configure multiple ad hoc connections

PAM - Self-Hosted enables you to configure multiple ad hoc connections so that users can access different platforms and networks from a central point. You can also customize each ad hoc connection with its own specific settings, such as the recording Safe and other session settings.

To configure multiple ad hoc connections:

  1. In the PVWA, click the Administration button, and then click Platform Management.

  2. In the Target Platforms tab, select the PSM Secure Connect platform, click the ellipsis button next to that platform, and then click Duplicate. Follow the instructions in Add a new platform (duplicate).

    If you have configured multiple ad hoc connection platforms, duplicate the platform that is closest in configuration.

  3. Select the new target account platform, click the ellipsis button next to that platform, and then click Edit.

  4. Edit the platform as required, as described in Edit a platform.

Ad hoc connections for specific users and groups

By default, all users and groups can use ad hoc connections. However, you can restrict this capability to specific users and groups. After you specify at least one user or group, only those users can use ad hoc connections.

To enable ad hoc connections for specific users and groups:

  1. In the PVWA, click Administration > Configuration Options, and then click Options.

  2. In the left pane, expand Privileged Session Management > General Settings > Server Settings.

  3. Right-click Secure Connect Settings, and click Add Secure Connect User or Group.

  4. Expand Secure Connect Users and Groups, and then click User or Group.

  5. In the Properties pane, specify the name of the user or group for whom you are enabling ad hoc connections.

  6. Save your changes.

Customize ad hoc connections

Ad hoc connection platforms enable you to control PSM settings for ad hoc connection sessions, by overriding the general PSM settings.

To customize PSM settings for ad hoc connections, edit the PSMSecureConnect platform, or any other platform you duplicated for ad hoc connections, as described in Edit a platform. For example, set ShowRecordedSessionNotification to Yes to make sure that a notification is displayed on the remote machine console whenever an ad hoc connection session begins.

Customize PSM connectors for ad hoc connections

You can add specific connection clients to the list of available clients, remove them from it, or customize their internal settings in the following ways:

  • Customize existing ad hoc connection clients.
  • Customize existing PSM connectors to override parameters set at system level.

If you are using a PSM connector with the PSMRemoteMachine parameter for ad hoc connections, then you must connect from the classic interface (go to Additional details and actions in classic interface).

To add new connection components to the list of ad hoc connection clients:

  1. Open the PSMSecureConnect platform or any other platform you duplicated for ad hoc connections for editing, as described in Edit a platform.

  2. Expand UI & Workflows, and then Connection Components.

    All the connection components that can be used to connect to remote machines with ad hoc connections are listed.

  3. Right-click Connection Components, and then select Add Connection Component.

  4. In the new connection component, specify the following properties:

    • Id – The unique ID that identifies the connection component you created.

    • Enable – Whether or not this connection component will be enabled for the PSMSecureConnect platform. Specify Yes.

  5. To define a subsection of override parameters, right-click on the component to configure, then select Add Override User Parameters.

    A new section for these override parameters is created. These parameters override corresponding user parameters that were defined at system level. For more information about overriding configurations set at system level, see Connection Component Configuration.

  6. To add parameters to these sections, right-click the name of the section, then select Add Parameter. You can add as many new parameters as you require.

  7. Save your changes.

For more information about configuring audit records, commands, and other features for Secure Connect, refer to Configuration.

To remove connection components from the list of ad hoc connection clients:

You can disable connection components in the PSMSecureConnect platform and remove them from the list of ad hoc connection clients in the Ad Hoc Connections page. Any time you wish to display them again in the list, just enable them.

  1. Open the PSMSecureConnect platform or any other platform you duplicated for ad hoc connections for editing, as described in Edit a platform.

  2. Set the connection component's Enable property to No to disable it for this platform.

  3. Save your changes.

To customize existing connection components:

You can customize connection components for the PSMSecureConnect platform by overriding certain features of the connection components at platform level, so that the platform settings take precedence over the general configuration. For example, you can override the port or the protocol that will be used to connect to a remote machine with a particular client.

  1. Open the PSMSecureConnect platform or any other platform you duplicated for ad hoc connections for editing, as described in Edit a platform.

  2. Select a connection component to modify, then expand the list of default override parameters to display the predefined parameters.

  3. Select the override parameter to change, and then, in the Properties list, change any of the available values. For example, you can determine whether or not a parameter is required, whether it is visible, and the default value that is displayed in the ad hoc connections page when a particular client is selected.

  4. Save your changes.

Enable ad hoc connections for specific subnets

You can limit ad hoc connections to specific subnets for specific user groups.

  1. On the PVWA console, go to Options > PIM Suite Configuration > Privileged Session Management UI and set DisplaySubnetRulesConfiguration to Yes.

  2. In PVWA, go to Administration > PSM Configuration.

  3. Select Connect User Access rules.

  4. Click Add to select groups and assign them to specific subnets. You can assign multiple groups to multiple subnets.

    1. Search and select the user groups to allow to access specific subnets and click Next.

    2. Enter each subnet that the groups can access and click Add.

  5. Click Allow access to allow all other groups to access any subnet, or click Block access to block all other groups from accessing any subnet.

  6. On the PVWA console, go to Options > PIM Suite Configuration > Privileged Session Management > General Settings and set EnforceSubnetRules to Yes.

    Do not set EnforceSubnetRules to Yes until after you define the subnet rules. When this enforcement is activated, any group that does not have subnet rules defined will be blocked for all ad hoc connections.
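The following is an added model (not CyberArk's own code) of the subnet-rule decision described above, useful for checking which groups will be locked out before EnforceSubnetRules is switched on. The rule semantics are reconstructed from this page: a group's rules decide for its members, groups with no rules fall under the Allow access / Block access choice, and a user who belongs to both kinds of groups is assumed to be judged by the groups that have rules; the group names and subnets are constructed sample data.

```python
"""Model of PSM ad hoc connection subnet rules (assumed semantics, reconstructed
from the configuration page; not CyberArk's implementation)."""
import ipaddress

ALLOW, BLOCK = "Allow access", "Block access"

# Constructed sample rules: group name -> subnets the group may reach.
SAMPLE_RULES = {
    "LinuxAdmins": ["10.10.0.0/16"],
    "DBAdmins": ["10.20.5.0/24", "10.20.6.0/24"],
}


def evaluate(target_ip, user_groups, rules=SAMPLE_RULES,
             other_groups=BLOCK, enforce=True):
    """Return (allowed, reason) for an ad hoc connection to target_ip.

    other_groups models the Allow access / Block access choice for groups
    without subnet rules; enforce models EnforceSubnetRules.
    """
    if not enforce:
        return True, "EnforceSubnetRules=No: subnet rules are not applied"
    ip = ipaddress.ip_address(target_ip)
    governed = [g for g in user_groups if g in rules]
    if not governed:
        # Assumption: groups with no rules get the global choice; with Block
        # access every such group is blocked for all ad hoc connections.
        return other_groups == ALLOW, (
            f"no subnet rules for {sorted(user_groups)}; default is {other_groups}")
    for group in governed:
        for net in rules[group]:
            if ip in ipaddress.ip_network(net):
                return True, f"{group} is assigned subnet {net}"
    return False, f"{target_ip} is outside the subnets assigned to {governed}"


def unruled_groups(known_groups, rules=SAMPLE_RULES):
    """Groups that have no subnet rules yet: with Block access they lose all
    ad hoc connections the moment EnforceSubnetRules is set to Yes."""
    return sorted(set(known_groups) - set(rules))
```

Run unruled_groups over your directory's group list before enabling enforcement; any name it returns needs either a subnet rule or a deliberate decision to block it.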