Connect through the PVWA

This topic describes connecting to target systems from the PVWA through the PSM.

From the PVWA, you can connect through PSM to a variety of systems and applications such as Windows machines, SSH devices such as UNIX, Linux, routers and switches, VMWare machines, databases.

You require Use account permissions in the Safe to connect to remote machines.

Supported PSM end user platforms

The following table lists the end user platforms that you can use to connect through the PSM.

End user platform Connection methods
Windows

  • RDPFile

  • HTML5
Mac

  • RDPFile

  • HTML5
Unix/Linux

  • HTML5

Supported PSM connection methods

The following methods are available to establish PSM connections:

Method Description
RDP File

This method is available when connecting through any browser from a Window or Mac environment.

This method does not require any installation on the client side. The user will be prompted to download an RDP file and will have to open this file to establish the connection. It is recommended to allow these RDP files to open automatically in order to streamline the connection process. This is the default method.

This method does not support connections to target systems where NLA is enabled on the PSM server.

For each connection, an RDP file is downloaded to the Downloads folder of your browser. To use these RDP files, either open them manually from the browser or configure them to open automatically as recommended above. After the session has ended, its RDP file isn’t valid anymore and cannot be reused. In addition, these RDP files are valid for connections for only a short time after they are downloaded and cannot be used after this time. You can delete these files manually from the Downloads folder.

Make sure that the folder to which the RDP files are downloaded is a private and protected storage, which is only accessible to the user who downloaded these files.

  • Use the official Microsoft Remote Desktop app, which can be downloaded from: https://itunes.apple.com/us/app/microsoft-remote-desktop/id715768417?mt=12

  • Clipboard redirection is not supported.

HTML5

This method is available when connecting through the PVWA from Windows, Mac, or Unix/Linux desktops. You need only a web browser to establish a connection to a remote machine through PSM.

For configuration details, see Secure Access with an HTML5 Gateway.

The HTML5 gateway enables interaction between your local workstation and the remote target, such as copying text. For details, see Interaction between the local and remote machines.

The AllowSelectHTML5 parameter enables you to use a single account for both RDP file and HTML5-based sessions. This option is only available in the Version 10 interface.

For more information about configuring PSM connection methods and their impact on the user experience, refer to Privileged Session Management Interface.

For information on the different PSM implementations that are supported with each connection method described above, refer to Supported PSM connection methods .

Remote Windows Server (RDP)

Use one of the following procedures to connect to a remote windows server through PSM from the Web Portal:

From the Account Details page, connect to the remote machine:

  1. Display the Accounts Details page of the account to use to log onto the remote device.

    If multiple connection components have been configured for this account, from the connection component drop-down list, select the connection component to use to log on.

    The built-in connection component for RDP connections via PSM is PSM-RDP, which is automatically invoked for Windows accounts and does not require the user to select it manually.

  1. Click Connect.

From the Accounts List page or the Account Details > Version page:

  1. From the connection component drop-down list, select the connection component to use to log on, then click Connect

  2. If you are required to provide additional information before you can use the password, a window prompts you for the relevant information.

    For more information, refer to .

    If you do not need to provide any additional information, the password will be used to log you onto the remote device.

If you are connecting to a remote device with a domain/NIS user that requires you to specify the name or address of the remote device, enter the required details on the Connect with Account window.

  1. To connect your local drives to the remote computer, select Map local drives.

     

    This is not supported for remote devices that run on Windows 2000.

  2. To connect to the machine console, select Connect to machine console.

  3. In Remote Machine, specify the remote machine to connect to.

    • A drop-down list displays the most recent remote machine addresses used to connect with your user account.

    • If a list of addresses was preconfigured for this account, in addition to the most recent addresses used, an additional list of addresses appear, from which you select the remote machine to which you will connect.

      You can enter or select one of the listed recent or configured addresses.

      If the account is configured to enable you to connect to addresses not found in the list, you can specify any address

      If you are connecting to a remote Windows device with a local user, you will not be asked to specify the remote machine that will be logged on to.

  4. In Logon To, specify the NETBIOS domain that this user belongs to. For example, mycompany_dom.

    The PVWA can try to detect the NETBIOS domain name automatically based on the address property of the account. For example, a domain whose full name is mycompany.com might have a NETBIOS name mycompany_dom, which users would specify here.

  5. If you are required to create a request for confirmation before you can use this password, and you are prompted to specify one or more machines in the request, you will only be able to log onto the machine(s) you specified in the request after you receive confirmation.

    If a list of addresses is defined for this account, you can only specify a machine which appears in the All Addresses list.

    If this list of addresses is configured to allow you to connect to addresses tht do not appear in list, you can enter any address.

    Specify multiple machine addresses in either of the following ways:

    Any machine – In Remote Machine, specify ‘*’ (asterisk).

    Multiple machines – In Remote Machine, specify multiple machine addresses separated with a comma. For example, 1.1.1.174, 1.1.1.228, 1.1.1.235.

    The next time you are prompted for remote connection details, these remote machine addresses will be listed in a drop-down list.

  6. If the connection is configured to connect your local drives to the remote computer, one of the following windows will appear depending on the version of the RDP application on the remote machine:

    Click Run to make the remote connection and begin the privileged session.

    • If the following window appears, make sure that Connect your local disk drives to the remote computer is selected, then click OK.

      connection components 3

    • If the following window appears, check Drives, then click Connect.

      connection components 4

    The PVWA will use the remote connection details to logon to the remote device.

  7. If your system requires a special tool to connect to a remote device, the first time you connect, the following window prompts you for a confirmation to run this tool.

    multiple addresses 3.PNG

Use the native span method to extend a Remote Desktop Connection across multiple monitors to benefit from extra desktop space and near seamless experience with the client desktop.

To extend the session window across all monitors, do the following:

  1. Exit full screen mode

  2. Manually expand the window by dragging the window frame across the desired screens.

If you maximize your session window, it is maximized on one screen only.

Connecting with multiple monitors requires additional configuration. For details, see Enable multiple monitors.

Remote SSH device

Use one of the following procedures to connect to a remote SSH device through PSM from the PVWA:

In the Accounts Details page:

  1. Display the Accounts Details page of the account to use to log onto the remote device.

  2. If multiple connection components have been configured for this account, from the connection component drop-down list, select the connection component to use to log on.

  3. Click Connect.

In the Accounts List page or the Versions tab of the Account Details page:

  1. In the Accounts List page, display the account to use to log onto the remote database,

    or

    In the Account Details page of the account to use to log onto the remote database, display the Versions tab.

  2. From the connection component drop-down list, select the connection component to use to log on, then click Connect.

    • If you are required to provide additional information before you can use the password, a window prompts you for the relevant information. For more information, refer to Control Account Retrieval.
    • If you do not need to provide any additional information, the password will be used to log you onto the remote machine.

If you try to connect to with a domain/NIS user that requires you to specify the name or address of the remote machine, the Connect with Account window appears to enable you to specify the required details.

In Remote Machine, specify the remote machine to connect to.

  • A drop-down list displays the most recent remote machine addresses used to connect with your user account.

  • In addition, the drop-down displays list of addresses defined for this account.

  1. Enter or select one of the listed recent or configured addresses.

    If a list of addresses was defined for this account, but configured to enable you to connect to addresses which do not appear in the list, you can specify any address.

    For more information about requests, refer to Dual Control.

  2. Click OK; the PVWA will use the remote connection details to logon to the specified remote machine.

  3. If you are required to create a request for confirmation before you can use this password, and you are prompted to specify one or more machines in the request, you will only be able to log onto the machine(s) you specified in the request after you receive confirmation.

    • If a list of addresses was defined for this account, you can specify a machine which appears in the All Addresses list.

    • If a list of addresses was defined for this account, but configured to enable you to connect to addresses which do not appear in the list, you can specify any address.

      For more information about requests, refer to Dual Control.

Remote devices with X-forwarding

You can connect to remote SSH systems through PSM using X-Forwarding in addition to SSH protocol. As in all PSM connections, you do not need to know the privileged password or key content and the entire session can be recorded for auditing.

To connect with X-Forwarding requires additional configuration. This is described in Connection Component Configuration.

In the Accounts Details page:

  1. Display the Accounts Details page of the account to use to log onto the remote device.

  2. If multiple connection components have been configured for this account, from the connection component drop-down list, select the connection component to use to log on.

  3. Click Connect.

    or,

In the Accounts Details page or the Versions tab of the Account Details page:

  1. In the Accounts List page, display the account to use to log onto the remote database,

    or,

  2. In the Account Details page of the account to use to log onto the remote database, display the Versions tab.

  3. From the connection component drop-down list, select the connection component to use to log on, then click Connect.

    • If you are required to provide additional information before you can use the password, a window prompts you for the relevant information. For more information, refer to Control Account Retrieval.

    • If you do not need to provide any additional information, the password will be used to log you onto the remote machine.

  4. PSM opens a second window in which you issue commands to the remote device. You can type any X commands that the logged on user is authorized to perform.

     

    There is no need to specify the DISPLAY variable.

    The following example shows the network configuration X application screen displayed on the PSM connection window to the remote device.

     

    To switch between open X windows. use ‘Alt + Page up’ or ‘Alt + Page down’.

Databases

The PVWA enables you to log onto remote databases through PSM.

You can log onto remote Oracle databases using a different user during the log on procedure.

The built-in connection components for Oracle database connections via PSM are PSM-Toad and PSM-SQLPlus.

You can log onto remote SQL Server databases with a Microsoft SQL Server account for SQL Server authentication, or with a Windows Domain account for Windows authentication.

The Built in connection components for SQL Server databases connections via PSM are:

  • PSM-SQLServerMgmtStudio for SQL Server authentication

  • PSM-SQLServerMgmtStudio-Win for Windows authentication

In the Accounts List:

  1. In the Accounts List, display the account to use to log onto the remote database.

  2. From the connection component drop-down list, select the connection component to use to log on.

  3. If there is only one available connection component, click the Connect with icon:

  4. If there is more than one available connection component, click the Action menu icon, then click Connect with, and select the connection component to use to connect to the remote machine:

  5. The PVWA will use the specified details to logon to the remote database using the specified PSM connection component.

    Or,

In the Accounts Details page:

a. Display the Accounts Details page of the account to use to log onto the remote database.
b. From the connection component drop-down list, select the connection component to use to log on.
c. Click Connect.

If the connection component enables this user to log onto the remote database with a different user, the Connect with Account window appears.

d. When connecting with the SYS user or any other registered privileged user to an Oracle database, a Connect As drop-down list is displayed. From the Connect As drop-down list, select the role that will be used to connect to the remote database.
e. When connecting with a Windows Domain account to a Microsoft SQL Server database, the Connect with Account window appears to enable you to specify the required database Server\Instance.
f. Click OK; the PVWA will use the specified details to logon to the remote database using the specified PSM connection component.

VMWare Administrative Tools

You can log onto VM Administrative tools through PSM.

In the Accounts List page:

  1. In the Accounts List page, display the account to use to log onto the remote machine.

  2. From the connection component drop-down list, select the connection component to use to log on.

    or,

In the Accounts Details page:

  1. In the Accounts Details page:

  2. Display the Accounts Details page of the account to use to log onto the remote machine.

  3. From the connection component drop-down list, select the connection component to use to log on, then click Connect.

    The PVWA will log onto the remote ESX using the specified PSM connection component.

In the Accounts List page:

  1. In the Accounts List page, display the machine account to use to log onto the remote machine.

  2. From the connection component drop-down list, select the connection component to use to log on.

    or,

In the Accounts Details page:

  1. Display the Accounts Details page of the machine account to use to log onto the remote machine.

  2. From the connection component drop-down list, select the connection component to use to log on, then click Connect.

The user is prompted for their password again and then is logged onto the remote vCentre machine using the specified PSM connection component.

In the Accounts List page:

  1. In the Accounts List page, display the machine account to use to log onto the remote machine.

  2. From the connection component drop-down list, select the connection component to use to log on.

    or,

In the Accounts Details page:

  1. Display the Accounts Details page of the machine account to use to log onto the remote machine.

  2. From the connection component drop-down list, select the connection component to use to log on, then click Connect.

    The PVWA will log onto the remote vCenter machine with the shared account, using the specified PSM connection component.

Mainframes

In the Accounts List page:

  1. In the Accounts List page, display the machine account to use to log onto the remote machine, then click the Connect with button.

  2. If more than one connection component has been defined for this platform, select the connection component to use to log on.

or,

In the Accounts Details page:

  1. Display the Accounts Details page of the machine account to use to log onto the remote machine.

  2. From the connection component drop-down list, select the connection component to use to log on, then click Connect.

    The PVWA will log onto the remote machine with the AS/400 account, using the specified PSM connection component.

In the Accounts List page:

  1. In the Accounts List page, display the machine account to use to log onto the remote machine.

  2. From the connection component drop-down list, select the connection component to use to log on.

or,

In the Accounts Details page:

  1. Display the Accounts Details page of the machine account to use to log onto the remote machine.

  2. From the connection component drop-down list, select the connection component to use to log on, then click Connect.

    The PVWA will log onto the remote machine with the OS/390 (Z/OS) account, using the specified PSM connection component.

Cloud Services Management Tools

1. Select the account to use, to log onto the AWS management console.
In the Accounts List page, select the account to use to log onto the management console, or,
Display the Accounts Details page of the account to use to log onto the management console.
2. From the connection component drop-down list, select AWS Console with STS.

Click Connect to start the remote session and log onto the AWS Management Console.

  1. Display the account to use, belonging to the relevant platform, to log onto the management console.

    • From the Accounts List page, select the relevant connection component from the drop-down list, which you will use to use to log onto the management console, or

    • Display the Accounts Details page of the account, and select the relevant connection component from the drop-down list, which you will use to log onto the management console.

  2. From the connection component drop-down list, select one of the following Azure components:

    • For the Azure portal, select PSM-MS-Azure.

    • For the Classic Azure portal, select PSM-MS-Azure-Old.

  3. Click Connect to start the remote session and log onto the Azure management console.

CyberArk Administrative Interfaces

  1. Display the account to use to log onto the PrivateArk client.

    • In the Accounts List page, display the account to use to log onto the PrivateArk client or,

    • Display the Accounts Details page of the account to use to log onto the PrivateArk client.

  2. From the connection component drop-down list, select PSM-PrivateArkClient.

  3. Click Connect to start the remote session and log onto the PrivateArk client.

  1. Display the account to use to log onto PVWA.

    • In the Accounts List page, display the account to use to log on to the PVWA or,

    • Display the Accounts Details page of the account to use to log on to PVWA.

  2. From the connection component drop-down list, select PSM-PVWA.

  3. Click Connect to start the remote session and log on to PVWA.

Connect from Web Portal to a target device

This topic describes connecting to target systems through the PVWA .

After selecting an account in the PVWA you will be able to select the connection components that are available to you from the drop-down list.

Connection components through Web Portal do not have a prefix. For example, RDP.

You require the Retrieve accounts permissions in the Safe to connect to remote machines.

In the Accounts Details page:

  1. Display the Accounts Details page of the account to use to log onto the remote device.

  2. If multiple connection components have been configured for this account, from the connection component drop-down list, select the connection component to use to log on.

    The following connection methods are available for EPV Connections through RDP. The system automatically selects the relevant connection, based on the browser type and the operating system from which the user connects:

    • Select Map local drives to connect your local drives to the remote computer.

      This option is not supported for remote devices that run on Windows 2000.

    • Select Connect to machine console to connect to the machine console.

      1. In Remote Machine, specify the remote machine to connect to.

        A drop-down list displays the most recent remote machine addresses to which this account was used to connect with your user account.

      2. If a list of addresses is configured for this account, in addition to the most recent addresses used, an additional list of addresses appear, from which you select the remote machine to which you will connect.

    The PVWA will use the remote connection details to logon to the remote device.

    Note:  RDP connections are not displayed in full screen view if the browser zoom is greater than 100%.

In the Accounts Details page:

  1. Display the Accounts Details page of the account to use to log onto the remote device.

  2. If multiple connection components have been configured for this account, from the connection component drop-down list, select the connection component to use to log on.

  3. Click Connect.

or,

In the Accounts Details page or the Versions tab of the Account Details page:

  1. In the Accounts List page, display the account to use to log onto the remote database,

    or,

    In the Account Details page of the account to use to log onto the remote database, display the Versions tab.

  2. From the connection component drop-down list, select the connection component to use to log on, then click Connect.

    If you are required to provide additional information before you can use the password, a window prompts you for the relevant information. For more information, refer to Control Account Retrieval.

    If you do not need to provide any additional information, the password will be used to log you onto the remote machine.

  3. If you try to connect to with a domain/NIS user that requires you to specify the name or address of the remote machine, the Connect with Account window appears to enable you to specify the required details.

You can enter a different address, or addresses from the ones that appear in the list If the account is configured to allow it.

For more information about requests, refer to Dual Control.

Interaction between the local and remote machines

When working in HTML5 browser-based PSM sessions, you can copy files and text between the local workstation and the remote target.

Copy files

This capability is supported when the PSM HTML5 gateway is installed.

You can copy up to 2GB or 120 files per session.

To copy files, the AllowMappingLocalDrives parameter must be valued with Yes. For details, see User Parameters.

  1. Connect from the PVWA. See Connect through Privileged Session Manager for Windows.

    You can also connect using PSM-WinSCP. If you are connecting in this way, configure WinSCP to copy large files. See WinSCP for details.

  2. Drag and drop the required file(s) to the remote machine. The Upload Files window appears, showing the progress of the file upload.

    Optionally for a specific file:

    • Click Cancel to cancel the upload. Any canceled or failed uploads are shown with a red X.

    • Click Clear to remove a specific file upload from the list.

    Optionally, for all files in the list:

    • Click Clear Failed Files to remove all canceled and failed uploads from the list.

    • Click Clear Completed Files to remove all completed uploads from the list.

    Click Close to close the window. You can also minimize the window to show only a summary of the number of current, completed, and failed or canceled file uploads.

    The file is copied to a new drive, usually the Z: drive, that is mapped to the remote target to support the file transfer.

    In non-RDP connections, the drive is named File Transfer. In RDP connections, the drive name is the PSM host name.

  3. Open the new drive, or refresh it if it is already opened, and drag each file from the new drive to the desired location on the remote target to complete the copy process. The new drive is deleted at the end of the session.

  4. After completing your session, it is recommended to close the connection.

You can copy files from the remote target to your local workstation.

  1. Drag the file to the Download folder in the new drive that is mapped to the remote target to support the file transfer. This is usually the Z: drive.

    In non-RDP connections, the drive is named File Transfer.

    In RDP connections, the drive name is the PSM hostname.

    The file is automatically downloaded to the local workstation using the browser download.

  2. After completing your session, it is recommended to close the connection.

You can configure WinSCP during your session and the configuration will remain for all your sessions.

  1. In WinSCP, click Options > Preferences.
  2. Select Transfer > Endurance.
  3. Under Enable transfer resume/transfer to temporary filename for, select Disable.

For security reasons, CyberArk recommends that you disable the auto open downloaded files option in the browser settings.

CyberArk does not perform any scanning on customer data provided by the customer or any of its authorized users (including any files or their content) uploaded to or transferred via the service, including any anti-virus scanning or other detection of malicious code.

You are solely responsible for scanning your customer data (including any files and their content) for detection of malware prior to uploading or transferring it via the service.

CyberArk recommends that you apply malware scanning tools according to industry best practices.

Copy text

When you connect to the remote target through the PVWA, you can click Alt + Ctrl + Shift to display the Clipboard Control tool on the remote desktop.

Copy the text from the local workstation and paste the text to the Clipboard Control tool. In the Clipboard Control tool, click Ctrl + V or right-click and select Paste . In the desired location on the remote target, paste the text.

You can copy text from the remote target to the Clipboard Control tool and click to select the text to copy to the local workstation.