Remote privileged access over the internet

This page explains in detail the options available to publish Securden Unified PAM application to the internet and the steps to enable remote connections for external users and third-party vendors over the internet. This can typically be achieved through one of the three methods mentioned below:

  1. Using Unified PAM Cloud Edition to route remote connections over the internet (doesn’t require inbound port opening within the client environment)
  2. Using Unified PAM On-premises Edition to route remote connections over the internet (Requires inbound port opening in the client environment. Optional certificate-based authentication on browsers to prevent unauthorized access)
  3. Using Unified PAM On-premises Edition without opening inbound ports (in beta now)


1. Using Unified PAM Cloud Edition

If you are using the cloud edition of Securden Unified PAM, the application is already hosted on the internet (AWS cloud), and it doesn’t require any additional configuration to be made within the application UI. Third-party vendors and external users can connect to Securden Unified PAM via the already-exposed HTTPS (443) TCP ports.

However, within the client environment, you need to deploy a remote connector / API server (default procedure for account discovery) and enable outbound connections on the following ports:

Port Name Outbound Ports Source Destination Description
Cloud server port 443 API server Securden-hosted cloud services To establish connection between the API server and Securden over the internet.
Websocket port 8686 API server Securden-hosted cloud services To create a bi-directional web socket that facilitates remote password operations like password reset triggered from Securden Unified PAM Cloud to privileged systems on the client network over the internet.

To deploy a remote connector / API server in the client environment,

  • Navigate to Admin >> Remote Connector in the Securden Unified PAM interface.
  • Click on Add Remote Connector and follow the step-by-step instructions in the GUI to set up the API server in the client environment.
  • Enable outbound connections for the above ports on the API server.

Once the above configurations are made, target resources to which remote connections need to be established are sent as HTTPS links over email to external users and third-party vendors. Connection to the required target resources can successfully be established over the internet via Securden.


2. Using Unified PAM On-premises Edition

If you are using the on-premises edition of Securden Unified PAM, you need to open the following ports on the Securden PAM server for external users and third-party vendors to launch remote connection to target devices over the internet.

Port Name Ports Source Destination Description
Web server port 5959 End user machines Securden Unified PAM server This port needs to be opened to the internet for external users to access the Unified PAM GUI.
Web-RDP 5626 End user machines Securden Unified PAM server To enable external users, launch wen-based RDP connections over the internet
Web-SSH 5622 End user machines Securden Unified PAM server To enable external users, launch wen-based SSH connections over the internet

Once the following configurations are made, target resources to which remote connections need to be established are sent as HTTPS links over email to external users and third-party vendors. Connection to Securden Unified PAM server and the required target resources can successfully be established over the internet.

Certificate-based authentication for an additional layer of security

Securden Unified PAM provides a more secure method for external users and third-party vendors to launch privileged remote connections over the internet.


This secure approach can be implemented in one of the following two methods.

  • Using CA-signed certificates: If you’re using CA-signed certificates, you need to import the root certificate to Securden (.p12 or .pfx or .keystore) and only users with valid certificates (signed using the root CA) will be authenticated into the application
  • Using keypairs generated from Securden: Alternatively, you can generate private keypairs from Securden (.pfx) and distribute it to your users. These keypairs will have to be added to the browsers of users accessing the Unified PAM interface. Upon verification, users with valid keypairs will be authenticated.

The following ports within your client environment needs to be opened to the internet:

Port Name Ports Source Destination Description
Web server port 6969 End user machines Securden Unified PAM server This port needs to be opened to the internet for external users to access the Unifed PAM GUI.
Web-RDP 6626 End user machines Securden Unified PAM server To enable external users, launch wen-based RDP connections over the internet
Web-SSH 6622 End user machines Securden Unified PAM server To enable external users, launch wen-based SSH connections over the internet

3. Remote Access without Opening Ports

Alternatively, there’s another way to use Securden Unified PAM On-premises edition for remote access over the internet without actually opening any ports on the client environment to the internet.

In this scenario, all remote connections to Securden Unified PAM are routed through a cloud-hosted server. A separate user access link is generated and is provided to the client by Securden. Users will have to access this link to login to Securden Unified PAM. Administrators just need to do this simple configuration in the client environment:

  • Enable outbound connections on port 443 in the Securden Unified PAM primary server.

This enables external users to access Securden Unified PAM and establish connection to remote privileged devices over the internet. (via the cloud-hosted server through reverse SSH tunneling) eliminating the need for opening any inbound ports within the client network.

Note: The above architecture is now in Beta and will be generally available by the end of August 2024.

Securden Help Assistant
What's next?
Request a Demo Get a Price Quote

Thanks for sharing your details.
We will be in touch with you shortly

Thanks for sharing your details.
We will be in touch with you shortly