This chapter describes:

  • Adding targets for users to connect to.

  • Different ways in which PrivX users can connect to targets. Additional setup instructions for methods that require them.

  • Proxying connections, for targets not directly accessible from PrivX servers.

Setting up Known Targets

This section describes manual target setup. For information about importing targets from existing directories, see the section called “Importing Known Targets from Directories” instead.

PrivX users can connect to accounts and hosts that have been set up as known targets.

You can add known targets to PrivX by adding hosts. To do this, go to Settings→Hosts and click Add Host. PrivX host entries are used for specifying, among other things:

  • The host address.

  • Who should be allowed to access the host, and as what identity. For example, allow members of Example Role 01 to log in as exampleuser on the host.

  • What methods (host services) can be used to access the host: SSH, RDP, and Web.

Known targets offer the following benefits:

  • To see and connect to known targets, PrivX users can go to the Connections page and select Search from known hosts. PrivX users will only see those known targets that they are authorized to.

  • Known targets support additional authentication methods (instead of just user-provided password). For more information about the configurations required for additional authentication methods, see Chapter 7.

  • PrivX can periodically check the status of known targets and indicate when targets are unreachable. Settings related to status checks are under the [health-check-options] section in the host-store configuration file /opt/privx/etc/hoststore.toml.

Proxying Connections to Hosts

For target hosts that are inaccessible from PrivX servers (such as hosts in protected networks), you may set up PrivX Extenders for relaying connections.

Any target host accessed via an Extender must specify the Extender name in its Address. Example Address syntax in IPv4 and IPv6 format:

exampleextender/192.0.2.100
exampleextender/2001:DB8::64

Save your host changes. Subsequent connections to the host are proxied via the PrivX Extender.

For more information about PrivX-Extender requirements and setup, see the section called “Optional Components” and the section called “PrivX Extender Setup” respectively.

SSH Targets

Note

You can use the PrivX host-deployment script to automatically add SSH targets (while also enabling certificate-based authentication). For more information about using the host-deployment script, see the section called “Enabling Certificate-Based Authentication for SSH Connections”.

To allow connections to SSH hosts, add a host entry with the following considerations in mind:

  • Add a Service with the type SSH, specifying the address and the port of the SSH server on the host.

    When the Trust on first use option is disabled, SSH host keys must also be added here. In this case regular PrivX users can connect only if the host key matches one of the provided values. PrivX administrators can establish connections even if the host key is missing or incorrect.

  • Add Accounts specifying which PrivX roles may access the host, and which target accounts they are given access as.

    The access options of the accounts can be limited under the Allowed Service Options:

    Shell

    Shell/terminal access.

    File Transfer

    File transfers through subsystem/sftp and exec/scp channels.

    Exec

    All exec channel functions except exec/scp.

    Tunnels

    direct-tcpip channel for local and forwarded-tcpip channel for remote port forwarding.

    X11 Forwarding

    x11 channel for X Window System graphical access.

    Other

    Other SSH channels.

    By default all Allowed Service Options are enabled. The default values can be edited in the Host Store configuration file, located under the following path on PrivX servers:

    /opt/privx/etc/hoststore.toml

RDP Targets

To allow connections to RDP hosts, add a host entry with the following considerations in mind:

  • Add a Service with the type RDP, specifying the address and the port of the RDP server on the host.

  • Add Accounts specifying which PrivX roles may access the host, and which target accounts they are given access as.

    The access options of the accounts can be limited under the Allowed Service Options:

    • File Transfer

    • Audio

    • Clipboard

    By default all Allowed Service Options are enabled. The default values can be edited in the Host Store configuration file, located under the following path on PrivX servers:

    /opt/privx/etc/hoststore.toml

    You may also provide Windows application restrictions, for limiting users to certain applications. Note that the target Windows host must be configured to allow the listed applications to be used over RDP.

Web Targets

You can use PrivX to connect to websites. To allow connections to websites, add a host entry with the following considerations in mind:

  • Add a Service with the type Web, specifying the address of the website.

    Note

    Since connections to web targets are provided via a PrivX Web Proxy, you need to provide the address in proxy format. For example (replace exampleproxy with your Web access gateway name, and https://www.example.com/ with the address of the website):

    exampleproxy/https://www.example.com/

    If you want PrivX to automatically fill in login credentials for the website, also provide the following Additional settings:

    • Login-request address: The verified address of the login request. For example, in form logins this may be the URL of the webpage plus the URL specified by the action attribute of the form. Recommended for improved security.

    • Password property: The verified id of the password field in the login form. Recommended for improved security.

    • Login-page address: The login-page address. Only needed if the login page is not under the Address of this web service. For example, while you could have an AWS service with the Address:

      exampleproxy/https://example.signin.aws.amazon.com/console

      That website may redirect you to a different address for login:

      https://us-east-1.signin.aws.amazon.com

    • Authentication type: Set to Automatic for most websites, such as websites using forms for authentication. Set to Basic for websites using the Basic HTTP Authentication Scheme (defined in RFC 7617).

    • Username-field name: The name of the username field in the login form. Only required if PrivX is unable to automatically detect this field.

    • Password-field name: The name of the password field in the login form. Only required if PrivX is unable to automatically detect this field.

  • Add Accounts specifying which PrivX roles may access the website. If you want PrivX to automatically fill in login credentials for the website, also provide Usernames and Passwords in the account mappings.

    The access options of the accounts can be limited under the Allowed Service Options:

    • File Transfer

    • Audio

    • Clipboard

    By default all Allowed Service Options are enabled. The default values can be edited in the Host Store configuration file, located under the following path on PrivX servers:

    /opt/privx/etc/hoststore.toml

Note

When set up to do so, PrivX automatically fills up login credentials, but will not actually log into the web service. Users must manually click any Login buttons to log in.

For HTTPS targets, by default PrivX only allows connections using TLSv1.2 and later.

Connecting via the PrivX GUI

To connect to targets via the PrivX GUI:

  1. Log into the PrivX GUI using your PrivX account.

  2. On the Home page under New Connection, provide target details (such as the target-host address) to receive suggestions about available targets, then select a target to connect to it. Your accessible targets are also listed and selectable on the Connections→Available Hosts page.

    You may alternatively go to the Connections→Manual Connection page and manually specify your target. The user must have the connections-manual permission to use this method.

Note

Connections are authenticated according to the role-based rules and the enabled authentication methods.

You may need to adjust locale settings for keyboard commands to be transferred correctly.

Tip

Quickly access a recent target from the Home page by clicking an entry under Recent connections, or on the Connections→Connection History page.

SSH GUI Features

Open multiple terminals

On the tab bar, click + to open additional terminals.

Copy-paste
  • On a Mac, you can select text and use command-c and command-v to copy-paste, or right-click and use the context menu.

  • On Windows or Linux you can select text and right-click to use the context menu. Alternatively you can select some text, press ctrl on its own and then press ctrl-c or ctrl-v within the next second.

  • The left Alt (option on a Mac) key also functions as the Meta key (for example in Emacs).

Transfer files

You can upload, download, and remove files from the File Transfers tab.

To change directory, click a directory or . You can perform additional actions on files via their menus.

  • To download a file: Double-click the file, or perform a Download action via its menu.

  • To upload a file: Drag-and-drop the file to the file-transfer view. Alternatively, click Upload next to the file-transfer view and select the local file to upload.

Change text, locale and theme

From the Settings tab, you can set the font size, character encoding, and the locale used for the connection. You can also switch between a dark and a light theme.

Open URLs

To open HTTP/HTTPS links in a new tab on Windows or Linux, hold Ctrl and double-click the link. To open links on Mac, hold command and double-click.

RDP GUI Features

Copy-paste

To copy-paste text to the target host, place the text into the Clipboard tab, then paste normally on the target host. Text copied on the target host is automatically made available in the Clipboard.

Transfer files

Upon connecting, PrivX automatically mounts a network drive called Transfers on PrivX to the target host. File downloads and uploads must be performed via this network drive.

You can copy files from the target host to Transfers on PrivX, then download them from the Files tab. Similarly, you can upload files by placing them in Transfers on PrivX from the Files tab, then move the file to another location on the target host.

  • To download a file: Double-click the file, or perform a Download action via its menu.

  • To upload a file: Drag-and-drop the file to the file-transfer view. Alternatively, click Upload next to the file-transfer view and select the local file to upload.

Set keyboard layout

To change your keyboard layout, go to the Settings tab, select your layout, then restart the connection to apply the changes. Set this to match the keyboard layout defined for the server (not the client-side layout).

Fullscreen view

To toggle fullscreen view, click

Note

Toggling fullscreen mode also re-establishes the RDP connection.

Importing Known Targets from Directories

This section describes automatic target import. For information about manually setting up targets, see the section called “Setting up Known Targets” instead.

You can set up PrivX to automatically add existing hosts from cloud platforms. Such hosts can later be connected to via PrivX.

For example, to add hosts from Amazon Web Services (AWS):

  1. In your AWS, add a policy to allow host scans. To do this, access your AWS and navigate to IAM→Policies, then create a policy with the following JSON:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:Describe*",
          "Resource": "*"
        }
      ]
    }

  2. Create an IAM user with permissions to use the host-scan policy. This can be done on the IAM→Users page.

    The IAM user must have Programmatic access, and be attached with the host-scan policy.

    Note the Access key ID and the Secret access key of the user. These are required later for configuring PrivX against AWS.

  3. Configure PrivX to scan and add the AWS hosts.

    Log into PrivX as superuser (or other privx-admin user). On the Settings→Directories page, click Add Directory.

    Fill in the basic information of the directory. To allow PrivX to detect AWS hosts, add the Access key ID and the Secret access key of the IAM user.

    Save the directory settings. PrivX begins importing hosts from AWS.

    After a moment, you may verify the directory status back on the Settings→Directories page. The Connection should be in the OK state, and list the number of instances found on AWS.

    To list the imported hosts, click List Hosts.

    You may then Edit hosts to add services and account mappings to them, from Settings→Hosts page.
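The same three preparation steps on the AWS side can be done from the AWS CLI instead of the console. The following script is an added example and is not part of the PrivX manual: the policy document is the one shown above, the policy and user names (privx-host-scan) are placeholders, and the helper that checks the document is a local sanity check added here, not an AWS or PrivX feature. Nothing talks to AWS unless PRIVX_AWS_APPLY=1 is set, so the file can be sourced to inspect the functions.

```shell
#!/bin/sh
# Added example (not from the PrivX manual): create the host-scan policy,
# the scanning IAM user and its access key with the AWS CLI.
# Placeholder names: privx-host-scan (policy and user).
set -e

PRIVX_SCAN_POLICY_NAME=${PRIVX_SCAN_POLICY_NAME:-privx-host-scan}
PRIVX_SCAN_USER_NAME=${PRIVX_SCAN_USER_NAME:-privx-host-scan}

# privx_scan_policy_json: the host-scan policy document from the manual.
# ec2:Describe* covers only read-only EC2 calls; PrivX needs nothing else to scan.
privx_scan_policy_json() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
EOF
}

# privx_scan_policy_is_describe_only FILE
# Local sanity check (assumption: one string "Action" per statement, as in
# the document above). Returns 1 if any Action is not an ec2:Describe* call,
# or if an Action list is used, which this simple check does not parse.
privx_scan_policy_is_describe_only() {
    if grep -qE '"Action"[[:space:]]*:[[:space:]]*\[' "$1"; then
        return 1
    fi
    ! sed -n 's/.*"Action"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        | grep -qv '^ec2:Describe'
}

# privx_create_scan_user: steps 1 and 2 of the procedure with the AWS CLI.
# The final command prints the Access key ID and Secret access key once;
# enter them in PrivX under Settings->Directories and do not keep them elsewhere.
privx_create_scan_user() {
    tmp=$(mktemp)
    privx_scan_policy_json > "$tmp"
    if ! privx_scan_policy_is_describe_only "$tmp"; then
        echo "refusing: policy grants more than ec2:Describe*" >&2
        rm -f "$tmp"
        return 1
    fi
    account=$(aws sts get-caller-identity --query Account --output text)
    aws iam create-policy --policy-name "$PRIVX_SCAN_POLICY_NAME" \
        --policy-document "file://$tmp"
    aws iam create-user --user-name "$PRIVX_SCAN_USER_NAME"
    aws iam attach-user-policy --user-name "$PRIVX_SCAN_USER_NAME" \
        --policy-arn "arn:aws:iam::${account}:policy/${PRIVX_SCAN_POLICY_NAME}"
    aws iam create-access-key --user-name "$PRIVX_SCAN_USER_NAME"
    rm -f "$tmp"
}

# Only act when explicitly asked to, so sourcing the file is harmless.
if [ "${PRIVX_AWS_APPLY:-0}" = "1" ]; then
    privx_create_scan_user
fi
```

Run it with `PRIVX_AWS_APPLY=1 sh privx-aws-scan.sh` under an IAM identity that may create policies and users; afterwards `aws iam list-attached-user-policies --user-name privx-host-scan` should show only the scan policy, which is the state you want for a credential that lives in a PrivX directory configuration.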

Removing Hosts from Directories

When PrivX notices that non-local hosts were deleted at the directory source, PrivX marks the associated host entries as deleted. After deleted entries reach a certain age, they are removed completely from PrivX.

The interval is controlled by the following settings in the Host Store configuration file /opt/privx/etc/hoststore.toml:

  • host_housekeeping_run_interval - The interval at which PrivX checks for and removes old deleted-host entries. 168 hours (1 week) by default.

  • hosts_deleted_age - The duration for which deleted-host entries are preserved. 168 hours (1 week) by default.

SSH Connections with Native Clients

This section describes how to establish SSH connections with native clients.

Users can connect to target hosts/accounts using the SSH clients installed on their workstations, without needing to use the PrivX GUI. Connections are authenticated against PrivX. For example, if PrivX allows you to access a target account with certificate authentication, your native clients will also connect using certificate authentication without prompting you for target-account credentials.

Prerequisites

  • Specify which roles may be used for SSH-native-client connections.

    When using the GUI, PrivX users have access to targets provided by any of their roles. However with SSH-native-client connections, access is further limited to roles with the Allow PrivX agent option.

    The Allow PrivX agent option is enabled at Settings→Roles, under the SSH Options of each role.

  • Your PrivX license must allow using native client connections. For more information about licenses, see the section called “PrivX License Management”.

  • After upgrading PrivX, you may need to re-download the extender-config.toml file for native-client connections via Extenders to work. For more instructions about the extender configuration file, see the section called “PrivX Extender Setup”.

  • For agent-based connections only: PrivX agent must be set up on the user's workstation. For instructions setting up PrivX agents, see the section called “PrivX Agent Setup”.

Connecting with Native SSH Clients using PrivX Bastion

Using native SSH clients, you can connect to targets via PrivX SSH Bastion. PrivX SSH Bastion provides the following connection modes:

  • Interactive: Access PrivX Bastion to list and select possible targets.

  • Direct: Specify your connection target directly to the native client.

Note

PrivX-Bastion connections are verified against the PrivX-Bastion host key. You may verify and install these host keys from the Connections→Native Clients page.

Connecting Interactively

To connect via PrivX Bastion interactively:

  1. Connect to PrivX SSH Bastion using your PrivX account. For example, with ssh, sftp, or scp:

    ssh -p 2222 privxuser@privx.example.com
    sftp -P 2222 privxuser@privx.example.com
    scp -P 2222 local/path privxuser@privx.example.com:remote/path
    scp -P 2222 privxuser@privx.example.com:remote/path local/path

    Replace the example values as follows:

    • privxuser - Your PrivX-user name.

    • privx.example.com - Your PrivX-server address.

    • local/path - Local file/directory path for scp.

    • remote/path - Remote file/directory path for scp.

    Provide your PrivX-user password when prompted.

  2. You will be presented with a list of possible targets. Select a target to connect to it.

Connecting Directly

To directly connect via PrivX Bastion, provide:

  • Target-user name

  • Target-host address

  • PrivX-user name

  • PrivX-server address

  • (Optional) Extender name

  • (Optional) Target port

By default bastion runs on your PrivX servers, port 2222.

Full bastion syntax is as follows:

targetuser%extender%targethost%targetport%privx-user@privx.example.com

The common case leaves out the extender and the target port, leaving the following syntax:

targetuser%targethost%privx-user@privx.example.com

The following are examples of ssh, scp and sftp usage with the connection string:

ssh -p 2222 targetuser%targethost%privx-user@privx.example.com
scp -P 2222 targetuser%targethost%privx-user@privx.example.com:example.txt \
/target/directory
sftp -P 2222 targetuser%targethost%privx-user@privx.example.com

The following is an example using a PrivX Extender (note that ssh takes the port as lowercase -p, while scp and sftp take uppercase -P):

ssh -p 2222 targetuser%extender%targethost%privx-user@privx.example.com
scp -P 2222 example.txt \
targetuser%extender%targethost%privx-user@privx.example.com:/tmp

If you use native-client connections with bastion syntax often, consider specifying the connection parameters in the users' client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config) using Host blocks. For example:

Host targethost.example.com
Port 2222
User targetuser%targethost%privx-user
Hostname privx.example.com

You can then connect with a much simpler syntax:

$ ssh targethost.example.com
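To avoid hand-editing the bastion user string for every target, the following added example (not from the PrivX manual) builds it from its parts and emits the corresponding Host block. It assumes the server name privx.example.com and bastion port 2222 from the text above; it also assumes, which the manual does not state explicitly, that the optional extender and target-port fields may each be omitted independently. The two forms the manual shows are the ones it is checked against.

```shell
#!/bin/sh
# Added example (not from the PrivX manual): generate bastion connection
# strings and ssh_config Host blocks for targets reached via PrivX Bastion.
# Assumed values: PRIVX_SERVER and PRIVX_BASTION_PORT defaults below.
set -e

PRIVX_SERVER=${PRIVX_SERVER:-privx.example.com}
PRIVX_BASTION_PORT=${PRIVX_BASTION_PORT:-2222}

# privx_bastion_user TARGETUSER TARGETHOST PRIVXUSER [EXTENDER] [TARGETPORT]
# Prints the user part of the bastion syntax:
#   targetuser%extender%targethost%targetport%privx-user
# Empty EXTENDER / TARGETPORT fields are dropped, giving the short form
#   targetuser%targethost%privx-user
# (independent omission of the two fields is an assumption of this example).
privx_bastion_user() {
    target_user=$1; target_host=$2; privx_user=$3
    extender=${4:-}; target_port=${5:-}
    out=$target_user
    [ -n "$extender" ] && out="$out%$extender"
    out="$out%$target_host"
    [ -n "$target_port" ] && out="$out%$target_port"
    printf '%s\n' "$out%$privx_user"
}

# privx_host_block ALIAS TARGETUSER TARGETHOST PRIVXUSER [EXTENDER] [TARGETPORT]
# Prints a Host block for ~/.ssh/config so that "ssh ALIAS" goes through
# the bastion with the right user string, port and server.
privx_host_block() {
    alias_name=$1
    user_field=$(privx_bastion_user "$2" "$3" "$4" "${5:-}" "${6:-}")
    printf 'Host %s\n    Port %s\n    User %s\n    Hostname %s\n' \
        "$alias_name" "$PRIVX_BASTION_PORT" "$user_field" "$PRIVX_SERVER"
}

# Example usage: append a block for web01, reached through extender ext1 on
# target port 2200, then connect with "ssh web01".
#   privx_host_block web01 alice web01 privxuser ext1 2200 >> ~/.ssh/config
```

Before relying on a generated block, let the client show what it resolved: `ssh -G web01 | grep -iE '^(user|port|hostname) '` prints the effective user, port and hostname without opening a connection, so a wrong field order in the user string is caught before the first login attempt.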

User sessions with native SSH clients can be monitored. For more information about viewing session audit data, see the section called “Viewing Audit Data”. For more information about setting up session recording for a host, see the section called “Session Recording Setup”.

Optionally you can use the PrivX agent to connect using the native clients; for more information see the section called “Connecting with Native SSH Clients Using PrivX Agent (Unix and MacOS)” and the section called “Connecting with Native SSH Clients Using PrivX Agent (Windows)”.

Note

When connecting via PrivX Bastion you must verify the PrivX host keys (instead of the target server host keys). You can add the PrivX host keys to your known_hosts file by running (replace privx.example.com with your PrivX-server address):

ssh-keyscan -p 2222 privx.example.com >> ~/.ssh/known_hosts

Connecting with Native SSH Clients Using PrivX Agent (Unix and MacOS)

After PrivX agent is set up for your workstation account, you can establish connections to targets using native clients with the agent. To do this on Unix or MacOS:

  1. Log into the workstation as the user for whom native clients have been set up.

    You may verify that the agent is running with:

    $ privx-agent-ctl status

    The command should return a message similar to the following:

    PrivX SSH Agent Status
    PrivX Server          https://privx.example.com
    Login status          logged out

    If necessary, you can manually start the PrivX agent with:

    $ ./privx-agent-unix bash

  2. Via the terminal, authenticate against PrivX using your PrivX credentials. For example (replace username with your PrivX user name):

    $ privx-agent-ctl login username

    You may verify your login status with:

    $ privx-agent-ctl status

    After entering your PrivX credentials correctly, your native SSH clients (such as ssh) will authenticate connections via PrivX. For a list of valid connection targets, run:

    $ privx-agent-ctl target list
    
    Accessible targets and granting roles:
    
    bilberry
    alice@10.1.55.144:222           Example Role 01
    ...

    You could then connect to one of the listed targets. In this example, by running:

    $ ssh alice@10.1.55.144 -p 222

Connecting with Native SSH Clients Using PrivX Agent (Windows)

After PrivX agent is set up for your workstation account, you can establish connections to targets using native clients with the agent. To do this on Windows:

  1. Use the PrivX agent to authenticate with PrivX. To do this, right click the PrivX-agent tray icon, then click Login. Log in using your PrivX credentials. Complete multi-factor authentication if required.

    Note

    If PrivX-agent login fails with Failed: Login through web UI is required, use a web browser to log in to the PrivX GUI and complete MFA setup as described in the section called “Multi-Factor Authentication for PrivX Users”.

  2. To connect to a target host, right click PrivX agent tray icon, and click Connections.

    Provide the following connection settings:

    • Role (optional): You may choose to log in with the permissions of a specific PrivX role. By default, you are logged in using any applicable role.

    • Target: The target host

    • Client: The native client used for connecting; PuTTY for SSH or PSFTP for SFTP.

    After providing the connection settings, click Connect. Alternatively, you can directly use your SSH client for connecting.

RDP Connections with Native Clients

This section describes how to establish RDP connections with native clients.

Users can connect to target hosts/accounts using the RDP clients installed on their workstations, without needing to use the PrivX GUI. Connections are authenticated against PrivX.

PrivX provides the following connection modes:

  • Interactive: Access PrivX RDP Bastion to list and select possible targets.

  • Direct: Specify your connection target directly to the native client.

Note

PrivX-Bastion connections are verified against the PrivX-Bastion host certificate. You may verify the certificate from the Connections→Native Clients page.

Connecting Interactively

To connect to targets with native clients interactively:

  1. Use your native client to connect to a PrivX server.

  2. Provide your PrivX credentials when prompted.

  3. You are shown the targets where you are allowed access. Select a target to connect to it.

Connecting Directly

To directly connect to a target you know, provide the native client with the following parameters:

  • Host: Address of a PrivX server.

  • User: Credentials and target identification in the following format:

    <target_username>%<extender_name>%<target_hostname>%<privx_hostname>

    Where the <extender_name> is only required for target hosts behind Extenders.

    Note

    % characters in user names must be escaped with %%. For example, %example%user% becomes %%example%%user%%

    Values may be separated using either % or |. The separator character can be escaped by doubling it (%% or ||).

  • Password: Your PrivX-user password.
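Because the target user name is embedded in the User field, any separator character inside it must be doubled as described in the note above. The following added example (not from the PrivX manual) assembles the User value with that escaping applied to every field; the field values are placeholders, and it assumes, following the SSH bastion syntax earlier in this chapter, that the extender field is left out entirely when no Extender is used, which the manual does not state explicitly for RDP.

```shell
#!/bin/sh
# Added example (not from the PrivX manual): build the User field for a
# direct native-client RDP connection through PrivX, escaping the separator
# inside each field by doubling it. PRIVX_RDP_SEP may be "%" or "|".
set -e

PRIVX_RDP_SEP=${PRIVX_RDP_SEP:-%}

# rdp_escape_field VALUE: double every occurrence of the separator
# (e.g. %example%user% becomes %%example%%user%% with the % separator).
rdp_escape_field() {
    printf '%s\n' "$1" | sed "s/[$PRIVX_RDP_SEP]/&&/g"
}

# privx_rdp_user TARGETUSER TARGETHOST PRIVXHOST [EXTENDER]
# Prints <target_username>%<extender_name>%<target_hostname>%<privx_hostname>,
# each field escaped. The extender field is omitted when EXTENDER is empty
# (assumption of this example, see the lead-in).
privx_rdp_user() {
    sep=$PRIVX_RDP_SEP
    out=$(rdp_escape_field "$1")
    [ -n "${4:-}" ] && out="$out$sep$(rdp_escape_field "$4")"
    out="$out$sep$(rdp_escape_field "$2")$sep$(rdp_escape_field "$3")"
    printf '%s\n' "$out"
}

# Example usage (placeholder values): a target account whose name contains
# a percent sign, reached through extender ext1.
#   privx_rdp_user 'alice%corp' web01 privx.example.com ext1
```

Switching the separator is a matter of setting PRIVX_RDP_SEP='|' before calling the functions; using | is the simpler choice when target account names routinely contain percent signs, since then only pipes need doubling.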

Figure 8.1. Direct-connection example with Windows Remote Desktop Client


Note

When MFA is enabled, users must connect using the interactive method.

RDP certificate authentication is only supported through the PrivX GUI.

RDP with native clients via PrivX does not support file transfers via drive redirection when session recording is enabled. In such scenarios users may copy-paste to transfer files.

Website Access via PrivX

This section describes how to log into web services via PrivX.

You can use PrivX to connect to HTTP and HTTPS websites. Web connections established via PrivX offer the following benefits:

  • Session-recording support for improved auditability.

  • For sites that require login, you may store credentials in PrivX. PrivX automatically fills in the credentials, allowing users to log in without knowing any passwords. Access is provided in a role-based fashion.

To enable web connections your deployment must include at least one PrivX Carrier, and one PrivX Web Proxy. For system requirements and setup instructions, see the section called “Optional Components” and the section called “PrivX Carrier and Web Proxy Setup” respectively.

After the required components are set up, add HTTP/HTTPS targets as described in the section called “Web Targets”.

AWS CLI Connection with Native Client

You can use PrivX to authenticate and authorize users of the AWS Command Line Interface (AWS CLI). For instructions about the required configurations, see the section called “Authentication to AWS Services”.

Monitoring and Managing Connections

You can monitor ongoing and prior connections on the Monitor page. The page allows you to:

  • See which user is currently connecting or has connected to which destination via SSH or RDP. Note that the page does not show agent-based connections.

  • Filter connections by their status and search words.

  • Terminate a connection.

Restricting Users' Access to Applications in RDP Connections

On RDP connections you can restrict which applications each user is able to access on the target Windows host. When adding or editing a host, the Applications entry allows you to specify restricted applications for each host user separately:

  • Application Name (Required): The name of the application visible to the user when connecting to said application. The name should be unique, and can be searched.

  • Identifier (Required): The name of the application's executable, otherwise known as its alias (for example, mspaint, wordpad).

  • Arguments: command-line arguments to be passed to the application.

  • Directory: the working directory for the application.

Note that you need to configure the target Windows host to accept and use the remote applications you specify. For instructions about configuring applications for RDP, see https://social.technet.microsoft.com/wiki/contents/articles/10817.publishing-remoteapps-in-windows-server-2012.aspx