Remote privileged access over the internet

This page explains the options available for publishing the Securden Unified PAM application to the internet and the steps to enable remote connections for external users and third-party vendors over the internet. This can typically be achieved through one of the three methods below:

  1. Using Unified PAM Cloud Edition to route remote connections over the internet (doesn’t require inbound port opening within the client environment)
  2. Using Unified PAM On-premises Edition to route remote connections over the internet (Requires inbound port opening in the client environment. Optional certificate-based authentication on browsers to prevent unauthorized access)
  3. Using Unified PAM On-premises Edition without opening inbound ports (in beta now)


1. Using Unified PAM Cloud Edition

If you are using the cloud edition of Securden Unified PAM, the application is already hosted on the internet (AWS cloud) and doesn’t require any additional configuration within the application UI. Third-party vendors and external users can connect to Securden Unified PAM via the already-exposed HTTPS port (TCP 443).

However, within the client environment, you need to deploy a remote connector / API server (default procedure for account discovery) and enable outbound connections on the following ports:

| Port Name | Outbound Ports | Source | Destination | Description |
|---|---|---|---|---|
| Cloud server port | 443 | API server | Securden-hosted cloud services | To establish a connection between the API server and Securden over the internet. |
| Websocket port | 8686 | API server | Securden-hosted cloud services | To create a bi-directional web socket that facilitates remote password operations like password reset triggered from Securden Unified PAM Cloud to privileged systems on the client network over the internet. |

To deploy a remote connector / API server in the client environment:

  • Navigate to Admin >> Remote Connector in the Securden Unified PAM interface.
  • Click on Add Remote Connector and follow the step-by-step instructions in the GUI to set up the API server in the client environment.
  • Enable outbound connections for the above ports on the API server.

Once the above configurations are made, target resources to which remote connections need to be established are sent as HTTPS links over email to external users and third-party vendors. Connection to the required target resources can successfully be established over the internet via Securden.
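A preflight check for the two outbound requirements in the table above, as an added example that is not part of Securden's documentation or product: run on the API server, it reports whether ports 443 and 8686 are reachable and distinguishes a silent firewall drop from a refused connection. The hostname `pam.example.invalid` is a placeholder (the page does not give the cloud service hostname), and `probe`, `preflight` and `blocked` are names chosen for this example.

```python
import socket

# Outbound requirements for the API server, taken from the port table above.
REQUIRED_OUTBOUND = {443: "Cloud server port", 8686: "Websocket port"}


def probe(host, port, timeout=3.0):
    """Classify one outbound TCP connection attempt made from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"   # hostname did not resolve
    except ConnectionRefusedError:
        return "refused"       # path exists, but nothing accepted the connection
    except socket.timeout:
        return "filtered"      # no answer at all, typical of an egress firewall drop
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


def preflight(host, required=REQUIRED_OUTBOUND, timeout=3.0):
    """Return {port: (name, status)} for every required outbound port."""
    return {port: (name, probe(host, port, timeout))
            for port, name in required.items()}


def blocked(results):
    """Ports that would stop the API server from reaching the cloud service."""
    return sorted(p for p, (_, status) in results.items() if status != "open")


if __name__ == "__main__":
    import sys
    # Placeholder hostname (assumption): pass your own tenant's hostname instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "pam.example.invalid"
    results = preflight(host)
    for port, (name, status) in results.items():
        print(f"{name:<18} {host}:{port:<5} {status}")
    sys.exit(1 if blocked(results) else 0)
```

Calling `preflight(host, {443: "Cloud server port"})` from the Unified PAM primary server checks the single outbound requirement of option 3 in the same way.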


2. Using Unified PAM On-premises Edition

If you are using the on-premises edition of Securden Unified PAM, you need to open the following ports on the Securden PAM server for external users and third-party vendors to launch remote connections to target devices over the internet.

| Port Name | Ports | Source | Destination | Description |
|---|---|---|---|---|
| Web server port | 5959 | End user machines | Securden Unified PAM server | This port needs to be opened to the internet for external users to access the Unified PAM GUI. |
| Web-RDP | 5626 | End user machines | Securden Unified PAM server | To enable external users to launch web-based RDP connections over the internet. |
| Web-SSH | 5622 | End user machines | Securden Unified PAM server | To enable external users to launch web-based SSH connections over the internet. |

Once the above configurations are made, target resources to which remote connections need to be established are sent as HTTPS links over email to external users and third-party vendors. Connection to Securden Unified PAM server and the required target resources can successfully be established over the internet.

Certificate-based authentication for an additional layer of security

Securden Unified PAM provides a more secure method for external users and third-party vendors to launch privileged remote connections over the internet: certificate-based authentication.

This secure approach can be implemented using one of the following two methods.

  • Using CA-signed certificates: If you’re using CA-signed certificates, you need to import the root certificate (.p12, .pfx or .keystore) into Securden. Only users with valid certificates (signed using the root CA) will be authenticated into the application.
  • Using keypairs generated from Securden: Alternatively, you can generate keypairs (.pfx) from Securden and distribute them to your users. These keypairs will have to be added to the browsers of users accessing the Unified PAM interface. Upon verification, users with valid keypairs will be authenticated.

The following ports within your client environment need to be opened to the internet:

| Port Name | Ports | Source | Destination | Description |
|---|---|---|---|---|
| Web server port | 6969 | End user machines | Securden Unified PAM server | This port needs to be opened to the internet for external users to access the Unified PAM GUI. |
| Web-RDP | 6626 | End user machines | Securden Unified PAM server | To enable external users to launch web-based RDP connections over the internet. |
| Web-SSH | 6622 | End user machines | Securden Unified PAM server | To enable external users to launch web-based SSH connections over the internet. |
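One way to confirm that only the ports listed in the tables above are reachable from the internet, as an added example (not Securden's code): it parses nmap grepable (`-oG`) output from a scan of your own PAM server taken from outside the network and compares the open TCP ports with the page's tables. The mode names, function names and the sample scan (documentation address 203.0.113.10) are constructed for this example.

```python
# Inbound ports the page lists per deployment option (empty set: none required).
DOCUMENTED_INBOUND = {
    "cloud": set(),
    "on-prem": {5959, 5626, 5622},
    "on-prem-cert-auth": {6969, 6626, 6622},
    "on-prem-no-inbound": set(),
}


def open_tcp_ports(grepable):
    """Collect open TCP ports from nmap grepable (-oG) output."""
    ports = set()
    for line in grepable.splitlines():
        for field in line.split("\t"):          # -oG fields are tab-separated
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                # Each entry is port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    ports.add(int(parts[0]))
    return ports


def audit(mode, grepable):
    """Compare what is reachable with what the page says the mode needs."""
    expected = DOCUMENTED_INBOUND[mode]
    seen = open_tcp_ports(grepable)
    return {
        "missing": sorted(expected - seen),      # documented but not reachable
        "unexpected": sorted(seen - expected),   # reachable but not documented
    }


# Constructed sample: an external scan of a server meant to run in cert-auth mode.
SAMPLE = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 5959/open/tcp//unknown///, "
    "6969/open/tcp//unknown///, 6626/open/tcp//unknown///, "
    "6622/filtered/tcp//unknown///, 3389/open/tcp//ms-wbt-server///\n"
)

if __name__ == "__main__":
    print(audit("on-prem-cert-auth", SAMPLE))
```

On the sample, the audit reports 6622 as missing and 3389 and 5959 as reachable although the certificate-authentication table does not list them.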

3. Remote Access without Opening Ports

Alternatively, there’s another way to use Securden Unified PAM On-premises edition for remote access over the internet without actually opening any ports on the client environment to the internet.

In this scenario, all remote connections to Securden Unified PAM are routed through a cloud-hosted server. A separate user access link is generated and provided to the client by Securden. Users will have to access this link to log in to Securden Unified PAM. Administrators just need to make this simple configuration in the client environment:

  • Enable outbound connections on port 443 in the Securden Unified PAM primary server.

This enables external users to access Securden Unified PAM and establish connections to remote privileged devices over the internet via the cloud-hosted server (through reverse SSH tunneling), eliminating the need to open any inbound ports within the client network.

Note: The above architecture is now in Beta and will be generally available by the end of August 2024.
