This page explains in detail the options available to publish the Securden Unified PAM application to the internet and the steps to enable remote connections for external users and third-party vendors over the internet. This can typically be achieved through one of the three methods mentioned below:
If you are using the cloud edition of Securden Unified PAM, the application is already hosted on the internet (AWS cloud), and it doesn’t require any additional configuration to be made within the application UI. Third-party vendors and external users can connect to Securden Unified PAM via the already-exposed HTTPS (443) TCP port.
However, within the client environment, you need to deploy a remote connector / API server (default procedure for account discovery) and enable outbound connections on the following ports:
Port Name | Outbound Ports | Source | Destination | Description |
---|---|---|---|---|
Cloud server port | 443 | API server | Securden-hosted cloud services | To establish connection between the API server and Securden over the internet. |
Websocket port | 8686 | API server | Securden-hosted cloud services | To create a bi-directional web socket that facilitates remote password operations like password reset triggered from Securden Unified PAM Cloud to privileged systems on the client network over the internet. |
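The two outbound rules above are the ones an administrator usually has to verify from inside the client network before the API server can do anything useful. The following script is an added example (not Securden's own code) that attempts a plain TCP connect from the API server host to each required destination port and reports which ones are blocked. The cloud hostname is an assumed placeholder; substitute the Securden-hosted hostname your tenant actually uses. The dialer is injectable so the logic can be exercised without network access.

```python
"""Outbound connectivity check for a Securden remote connector / API server.

Added example, not Securden's code. Verifies that the host can open TCP
connections to the two documented outbound ports (443 and 8686).
"""
import socket
from typing import Callable, Dict, List, Tuple

# PLACEHOLDER (assumption): replace with the real Securden-hosted cloud
# service hostname for your tenant. The .invalid TLD never resolves, so
# running this unmodified fails fast instead of contacting anything.
SECURDEN_CLOUD_HOST = "securden-cloud.example.invalid"

# Required outbound TCP ports taken from the page's table.
REQUIRED_OUTBOUND: List[Tuple[str, int, str]] = [
    (SECURDEN_CLOUD_HOST, 443, "Cloud server port (API server -> Securden cloud)"),
    (SECURDEN_CLOUD_HOST, 8686, "Websocket port (bi-directional channel for password operations)"),
]

# A dialer takes (host, port, timeout) and returns True when a TCP handshake completes.
Dialer = Callable[[str, int, float], bool]


def tcp_dial(host: str, port: int, timeout: float = 5.0) -> bool:
    """Real dialer: plain TCP connect with a timeout; no application data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # DNS failure, refused, filtered/timed out: all count as "not reachable".
        return False


def check_outbound(rules: List[Tuple[str, int, str]] = REQUIRED_OUTBOUND,
                   dial: Dialer = tcp_dial,
                   timeout: float = 5.0) -> Dict[int, bool]:
    """Map each required port to whether the destination was reachable."""
    return {port: dial(host, port, timeout) for host, port, _ in rules}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that must be allowed outbound but could not be reached."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    results = check_outbound()
    for host, port, description in REQUIRED_OUTBOUND:
        status = "OK     " if results[port] else "BLOCKED"
        print(f"{status} {host}:{port}  {description}")
    # Non-zero exit when any required outbound port is blocked, so the
    # check can be wired into a deployment pipeline or monitoring job.
    raise SystemExit(1 if blocked_ports(results) else 0)
```

A successful TCP connect only proves the egress firewall allows the port; it does not prove the connector has registered with the cloud service, so treat it as a first-line check before looking at the connector's own status in the Securden UI.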
To deploy a remote connector / API server in the client environment,
Once the above configurations are made, target resources to which remote connections need to be established are sent as HTTPS links over email to external users and third-party vendors. Connection to the required target resources can successfully be established over the internet via Securden.
If you are using the on-premises edition of Securden Unified PAM, you need to open the following ports on the Securden PAM server for external users and third-party vendors to launch remote connections to target devices over the internet.
Port Name | Ports | Source | Destination | Description |
---|---|---|---|---|
Web server port | 5959 | End user machines | Securden Unified PAM server | This port needs to be opened to the internet for external users to access the Unified PAM GUI. |
Web-RDP | 5626 | End user machines | Securden Unified PAM server | To enable external users to launch web-based RDP connections over the internet |
Web-SSH | 5622 | End user machines | Securden Unified PAM server | To enable external users to launch web-based SSH connections over the internet |
Once the above configurations are made, target resources to which remote connections need to be established are sent as HTTPS links over email to external users and third-party vendors. Connection to the Securden Unified PAM server and the required target resources can successfully be established over the internet.
Certificate-based authentication for an additional layer of security
Securden Unified PAM provides a more secure method for external users and third-party vendors to launch privileged remote connections over the internet.
This secure approach can be implemented using one of the following two methods.
The following ports within your client environment need to be opened to the internet:
Port Name | Ports | Source | Destination | Description |
---|---|---|---|---|
Web server port | 6969 | End user machines | Securden Unified PAM server | This port needs to be opened to the internet for external users to access the Unified PAM GUI. |
Web-RDP | 6626 | End user machines | Securden Unified PAM server | To enable external users to launch web-based RDP connections over the internet |
Web-SSH | 6622 | End user machines | Securden Unified PAM server | To enable external users to launch web-based SSH connections over the internet |
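Whichever on-premises mode is used (the 5959/5626/5622 set from the earlier table or the 6969/6626/6622 set above), the defensive question is the same: are exactly the documented ports reachable from the internet, and nothing else? The script below is an added example, not Securden's code. It audits a list of exposed TCP ports against the documented allow-list for the chosen mode and reports both missing ports (remote access will fail) and unexpected internet-facing ports (over-exposure of the PAM server). The input format and the sample rules are constructed for the example; adapt `parse_exposure` to whatever your edge firewall or listener inventory actually exports.

```python
"""Audit internet-facing TCP ports of a Securden Unified PAM server against the
documented allow-list. Added example, not Securden's code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Documented inbound port sets, one per deployment mode (from the page's tables).
STANDARD_PORTS: Dict[int, str] = {5959: "Web server", 5626: "Web-RDP", 5622: "Web-SSH"}
CERT_AUTH_PORTS: Dict[int, str] = {6969: "Web server", 6626: "Web-RDP", 6622: "Web-SSH"}

# Source values that mean "reachable from anywhere" in the constructed input format.
INTERNET_SOURCES = {"0.0.0.0/0", "any", "*"}


@dataclass(frozen=True)
class ExposedPort:
    port: int
    source: str  # CIDR or keyword describing who may reach the port


def parse_exposure(lines: Iterable[str]) -> List[ExposedPort]:
    """Parse 'proto port source' lines (constructed format) into ExposedPort entries.

    Blank lines and '#' comments are skipped; only TCP rules are kept because
    every documented Securden port is TCP.
    """
    parsed: List[ExposedPort] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proto, port, source = line.split()
        if proto.lower() != "tcp":
            continue
        parsed.append(ExposedPort(int(port), source))
    return parsed


def internet_facing(exposed: Iterable[ExposedPort]) -> Set[int]:
    """Ports whose source scope makes them reachable from the internet."""
    return {entry.port for entry in exposed if entry.source in INTERNET_SOURCES}


def audit(exposed: Iterable[ExposedPort], allowed: Dict[int, str]) -> Dict[str, List[int]]:
    """Compare internet-facing ports with the documented allow-list.

    'missing'    -> documented ports not reachable from the internet (access breaks)
    'unexpected' -> internet-facing ports not in the documentation (over-exposure)
    """
    public = internet_facing(exposed)
    return {
        "missing": sorted(port for port in allowed if port not in public),
        "unexpected": sorted(port for port in public if port not in allowed),
    }


# Constructed sample, not real firewall output: one documented port is only
# reachable from an internal range, and RDP (3389) is exposed directly.
SAMPLE_RULES = """
# proto port source
tcp 5959 0.0.0.0/0
tcp 5626 0.0.0.0/0
tcp 3389 0.0.0.0/0
tcp 5622 10.0.0.0/8
udp 5959 0.0.0.0/0
"""


if __name__ == "__main__":
    exposed = parse_exposure(SAMPLE_RULES.splitlines())
    report = audit(exposed, STANDARD_PORTS)
    for port in report["missing"]:
        print(f"MISSING    {port} ({STANDARD_PORTS[port]}) is not reachable from the internet")
    for port in report["unexpected"]:
        print(f"UNEXPECTED {port} is internet-facing but not a documented Securden port")
    raise SystemExit(1 if report["missing"] or report["unexpected"] else 0)
```

Running the audit against both allow-lists on the same input is a quick way to confirm which mode a server is actually configured for: the set that reports no missing ports is the one in effect, and anything in `unexpected` under that set deserves a closer look.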
Alternatively, there’s another way to use Securden Unified PAM On-premises edition for remote access over the internet without actually opening any ports on the client environment to the internet.
In this scenario, all remote connections to Securden Unified PAM are routed through a cloud-hosted server. A separate user access link is generated and provided to the client by Securden. Users will have to access this link to log in to Securden Unified PAM. Administrators just need to do this simple configuration in the client environment:
This enables external users to access Securden Unified PAM and establish connections to remote privileged devices over the internet (via the cloud-hosted server through reverse SSH tunneling), eliminating the need to open any inbound ports within the client network.
Note: The above architecture is now in Beta and will be generally available by the end of August 2024.