Table of Contents
- Setting up Known Targets
- Connecting via the PrivX GUI
- Importing Known Targets from Directories
- SSH Connections with Native Clients
- RDP Connections with Native Clients
- Website Access via PrivX
- Automatic SSH Connections
- AWS CLI Connection with Native Client
- Monitoring and Managing Connections
- Restricting Users' Access to Applications in RDP Connections
This chapter describes:
Adding targets for users to connect to.
Different ways in which PrivX users can connect to targets. Additional setup instructions for methods that require them.
Proxying connections, for targets not directly accessible from PrivX servers.
This section describes manual target setup. For information about importing targets from existing directories, see the section called “Importing Known Targets from Directories” instead.
PrivX users can connect to accounts and hosts that have been set up as known targets.
You can add known targets to PrivX by adding hosts. To do this, go to Settings→Hosts and click Add Host. PrivX host entries are used for specifying, among other things:
Basic host information - Such as the host name and address(es).
Services - Available methods for accessing the host: SSH, RDP, and Web.
Accounts - Who can access the host, and as what identity. For example, allow members of Example Role 01 to log in as exampleuser on the host.
Known targets offer the following benefits:
To see and connect to known targets, PrivX users can go to the Connections page and select Search from known hosts. PrivX users will only see those known targets that they are authorized to.
Known targets support additional authentication methods (instead of just user-provided password). For more information about the configurations required for additional authentication methods, see Chapter 7.
PrivX can periodically check the status of known targets and indicate when targets are unreachable. Settings related to status checks are under the [health-check-options] section in the host-store configuration /opt/privx/etc/hoststore.toml
Note
All known targets must have unique machine IDs: If you need to add cloned machines to PrivX, ensure the uniqueness of the machine's ID and regenerate it if necessary.
For more information about configuring SSH, RDP, and Web services, see the section called “SSH Targets”, the section called “RDP Targets”, and the section called “Web Targets” respectively. For more information about account types, see the section called “Account Types”.
For target hosts that are inaccessible from PrivX servers (such as hosts in protected networks), you may use PrivX Extenders for relaying connections.
To proxy connections to the host via Extenders, open the host entry under Settings→Hosts and add either of the following as a prefix to the host Address:
An Extender name: Connections to the host are proxied via the named Extender.
A Routing prefix: Connections to the host are proxied via any Extender with the specified Routing prefix.
Example Address syntax in IPv4 and IPv6 format:
exampleextender/192.0.2.100
exampleextender/2001:DB8::64
Save your host changes. Subsequent connections to the host are proxied via the PrivX Extender.
For more information about PrivX-Extender requirements and setup, see the section called “Optional Components” and the section called “PrivX Extender Setup” respectively.
Note
You can use the PrivX host-deployment script to automatically add SSH targets (while also enabling certificate-based authentication). For more information about using the host-deployment script, see the section called “Enabling Certificate-Based Authentication for SSH Connections”.
To allow connections to SSH hosts, add a host entry with the following considerations in mind:
Add a Service with the type SSH, specifying the address and the port of the SSH server on the host.
When the Trust on first use option is disabled, SSH host keys must also be added here. In this case regular PrivX users can connect only if the host key matches one of the provided values. PrivX administrators can establish connections even if the host key is missing or incorrect.
Add Accounts specifying which PrivX roles may access the host, and which target accounts they are given access as.
The access options of the accounts can be limited under the Allowed Service Options:
- Shell
Shell/terminal access.
- File Transfer
File transfers through subsystem/sftp and exec/scp channels.
- Exec
All exec channel functions except exec/scp.
- Tunnels
direct-tcpip channel for local and forwarded-tcpip channel for remote port forwarding.
- X11 Forwarding
x11 channel for X Window System graphical access.
- Other
Other SSH channels.
By default all Allowed Service Options are enabled. The default values can be edited in the Host Store configuration file, located under the following path on PrivX servers:
/opt/privx/etc/hoststore.toml
To allow connections to RDP hosts, add a host entry with the following considerations in mind:
Add a Service with the type RDP, specifying the address and the port of the RDP server on the host.
Add Accounts specifying which PrivX roles may access the host, and which target accounts they are given access as.
The access options of the accounts can be limited under the Allowed Service Options:
File Transfer
Audio
Clipboard
By default all Allowed Service Options are enabled. The default values can be edited in the Host Store configuration file, located under the following path on PrivX servers:
/opt/privx/etc/hoststore.toml
You may also provide Windows application restrictions, for limiting users to certain applications. Note that the target Windows host must be configured to allow the listed applications to be used over RDP.
You can use PrivX to connect to websites. To allow connections to websites, add a host entry with the following considerations in mind:
Add a Service with the type Web, specifying the address of the website.
Note
Since connections to web targets are provided via a PrivX Web Proxy, you need to provide the address in proxy format. For example:
exampleproxy/https://www.example.com/
Replace the example values as follows:
exampleproxy: The Name or the Routing prefix of the web-access gateway(s) used for proxying the connection.
https://www.example.com/: The address of the website.
If you want PrivX to automatically fill in login credentials for the website, also provide the following Additional settings:
Login-request address: The verified address of the login request. For example, in form logins this may be the URL of the webpage plus the URL specified by the action attribute of the form. Recommended for improved security.
Password property: The verified id of the password field in the login form. Recommended for improved security.
Login-page address: The login-page address. Only needed if the login page is not under the Address of this web service. For example, while you could have an AWS service with the Address:
exampleproxy/https://example.signin.aws.amazon.com/console
That website may redirect you to a different address for login:
https://us-east-1.signin.aws.amazon.com
Authentication type: Set to Automatic for most websites, such as websites using forms for authentication. Set to Basic for websites using the Basic HTTP Authentication Scheme (defined in RFC 7617).
Username-field name: The name of the username field in the login form. Only required if PrivX is unable to automatically detect this field.
Password-field name: The name of the password field in the login form. Only required if PrivX is unable to automatically detect this field.
Add Accounts specifying which PrivX roles may access the website. If you want PrivX to automatically fill in login credentials for the website, also provide Usernames and Passwords in the account mappings.
The access options of the accounts can be limited under the Allowed Service Options:
File Transfer
Audio
Clipboard
By default all Allowed Service Options are enabled. The default values can be edited in the Host Store configuration file, located under the following path on PrivX servers:
/opt/privx/etc/hoststore.toml
Note
When set up to do so, PrivX automatically fills up login credentials, but will not actually log into the web service. Users must manually click any Login buttons to log in.
For HTTPS targets, by default PrivX only allows connections using TLSv1.2 and later.
To prevent users from accessing websites other than the intended web targets, configure additional access rules as described in the section called “Access Restrictions for Web Connections”.
The following account types are available for granting access to target hosts:
Explicit - Allow access to a certain user.
Directory - Allow access to the users' Windows username or Linux username. For PrivX directory users these default to their userPrincipalName and sAMAccountName respectively.
User-defined - Allow users to input the username when connecting. Similar to manual connections, except restricted to the target host.
Note
If the provided user name matches other Account entries, then the most-preferred authentication method among matching Accounts is used for login. Otherwise the user is prompted for password.
For example, if a host has the following Accounts:
Explicit: Example role 01 to alice with certificate authentication.
User-defined: any role to any account with user-provided passphrase.
Then if a member of Example role 01 connects with the user-defined rule and provides alice as the user name, the explicit rule is considered matching, and certificate authentication is used since it is preferred over user-provided password. For more information about the preference order of authentication methods, see the section called “Supported Authentication Methods”.
To connect to targets via the PrivX GUI:
Log into the PrivX GUI using your PrivX account.
On the Home page under New Connection, provide target details (such as the target-host address) to receive suggestions about available targets, then select a target to connect to it. Your accessible targets are also listed and selectable on the Connections→Available Hosts page.
You may alternatively go to Connections→Manual Connection page and manually specify your target. The user must have the connections-manual permission to use this method.
Note
Connections via Connections→Available Hosts are authenticated according to the role-based rules and the enabled authentication methods. Connections via Connections→Manual Connection always prompt for password.
You may need to adjust locale settings for keyboard commands to be transferred correctly.
Tip
Quickly access a recent target from the Home page by clicking an entry under Recent connections, or on the Connections→Connection History page.
- Open multiple terminals
On the tab bar, click + to open additional terminals.
- Copy-paste
On a Mac, you can select text and use Command-C and Command-V to copy-paste, or right-click and use the context menu.
On Windows or Linux you can select text and right-click to use the context menu. Alternatively you can select some text, then press Ctrl-C or Ctrl-Insert to copy. Paste using Ctrl-V or Shift-Insert.
Note
To use applications that specifically require Ctrl-V for other things than pasting, enable Send Ctrl-V to server under terminal Settings. Enabling this setting also disables pasting with Ctrl-V.
The left Alt (option on a Mac) key also functions as the Meta key (for example in Emacs).
- Find in terminal
Use the following commands to activate terminal-specific search:
On a Mac, use Command-F while focused in the terminal.
On Windows or Linux, use Ctrl-Shift-F while focused in the terminal.
Use arrow keys to navigate between next/previous matches. Press Esc or X to close the terminal-specific search.
- Transfer files
You can upload, download, and remove files from the File Transfers tab.
To change directory, click a directory or . You can perform additional actions on files via their menus.
To download a file: Double-click the file, or perform a Download action via its menu.
To upload a file: Drag-and-drop the file to the file-transfer view. Alternatively, click Upload next to the file-transfer view and select the local file to upload.
- Change text, locale and theme
From the Settings tab, you can set the font size, character encoding, and the locale used for the connection. You can also switch between a dark and a light theme.
- Open URLs
To open HTTP/HTTPS links in a new tab on Windows or Linux, hold Ctrl and double-click the link. To open links on Mac, hold command and double-click.
- Copy-paste
To copy-paste text to the target host, place the text into the Clipboard tab, then paste normally on the target host. Text copied on the target host is automatically made available in the Clipboard.
- Transfer files
Upon connecting, PrivX automatically mounts a network drive called Transfers on PrivX to the target host. File downloads and uploads must be performed via this network drive.
You can copy files from the target host to Transfers on PrivX, then download them from the Files tab. Similarly, you can upload files by placing them to Transfers on PrivX on the Files tab, then move the file to another location on the target host.
To download a file: Double-click the file, or perform a Download action via its menu.
To upload a file: Drag-and-drop the file to the file-transfer view. Alternatively, click Upload next to the file-transfer view and select the local file to upload.
- Set keyboard layout
To change your keyboard layout, go to the Settings tab, select your layout, then restart the connection to apply the changes. Set this to match the keyboard layout defined for the server (not the client-side layout).
- Fullscreen view
To toggle fullscreen view, click
Note
Toggling fullscreen mode also re-establishes the RDP connection.
- Send keys
To send keys such as Ctrl+Alt+Del, click Send Keys, then select the keys to send.
This section describes automatic target import. For information about manually setting up targets, see the section called “Setting up Known Targets” instead.
You can set up PrivX to automatically add existing hosts from cloud platforms. Such hosts can later be connected to via PrivX.
For example, to add hosts from Amazon Web Services (AWS):
In your AWS, add a policy to allow host scans. To do this, access your AWS and navigate to IAM→Policies, then create a policy with the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
Create an IAM user with permissions to use the host-scan policy. This can be done on the IAM→Users page.
The IAM user must have Programmatic access, and be attached with the host-scan policy.
Note the Access key ID and the Secret access key of the user. These are required later for configuring PrivX against AWS.
Configure PrivX to scan and add the AWS hosts.
Log into PrivX as superuser (or other privx-admin user). On the Settings→Directories page, click Add Directory.
Fill in the basic information of the directory. To allow PrivX to detect AWS hosts, add the Access key ID and the Secret access key of the IAM user.
Save the directory settings. PrivX begins importing hosts from AWS.
After a moment, you may verify the directory status back on the Settings→Directories page. The Connection should be in the OK state, and list the number of instances found on AWS.
To list the imported hosts, click List Hosts.
You may then Edit hosts to add services and account mappings to them, from Settings→Hosts page.
When PrivX notices that non-local hosts were deleted at the directory source, PrivX marks the associated host entries as deleted. After deleted entries reach a certain age, they are removed completely from PrivX.
The interval is controlled by the following settings in the host-store configuration file /opt/privx/etc/host-store.toml:
host_housekeeping_run_interval - The interval at which PrivX checks for and removes old deleted-host entries. 168 hours (1 week) by default.
hosts_deleted_age - The duration for which deleted-host entries are preserved. 168 hours (1 week) by default.
This section describes how to establish SSH connections with native clients.
Users can connect to target hosts/accounts using the SSH clients installed on their workstations, without needing to use the PrivX GUI. Connections are authenticated against PrivX. For example, if PrivX allows you to access a target account with certificate authentication, your native clients will also connect using certificate authentication without prompting you for target-account credentials.
Your PrivX license must allow using native client connections. For more information about licenses, see the section called “PrivX License Management”.
After upgrading PrivX, you may need to re-download the extender-config.toml file for native client connections via Extenders to keep working. For more instructions about the extender configuration file, see the section called “PrivX Extender Setup”.
For agent-based connections only:
The Use with PrivX agent option is enabled in the relevant users' roles, at Settings→Roles.
PrivX agent must be set up on the users' workstations. For instructions setting up PrivX agents, see the section called “PrivX Agent Setup”.
Using native SSH clients, you can connect to targets via PrivX SSH Bastion. PrivX SSH Bastion provides the following connection modes:
Interactive: Access PrivX Bastion to list and select possible targets.
Direct: Specify your connection target directly to the native client.
Note
PrivX-Bastion connections are verified against the PrivX-Bastion host key. You may verify and install these host keys from the Connections→Native Clients page.
Connecting Interactively
To connect via PrivX Bastion interactively:
Connect to PrivX SSH Bastion using your PrivX account. For example, with ssh, sftp, or scp:
ssh -p 2222 privxuser@privx.example.com
sftp -P 2222 privxuser@privx.example.com
scp -P 2222 local/path privxuser@privx.example.com:remote/path
scp -P 2222 privxuser@privx.example.com:remote/path local/path
Replace the example values as follows:
privxuser - Your PrivX-user name.
privx.example.com - Your PrivX-server address.
local/path - Local file/directory path for scp.
remote/path - Remote file/directory path for scp.
Provide your PrivX-user password when prompted.
You will be presented with a list of possible targets. Select a target to connect to it.
Connecting Directly
To directly connect via PrivX Bastion, provide:
Target-user name
Target-host address
PrivX-user name
PrivX-server address
(Optional) Extender name
(Optional) Target port
By default bastion runs on your PrivX servers, port 2222.
Full bastion syntax is as follows:
targetuser%extender%targethost%targetport%privx-user@privx.example.com
The common case leaves out the extender and the target port, leaving the syntax as follows:
targetuser%targethost%privx-user@privx.example.com
Following are examples of ssh, scp and sftp usage with the connection string:
ssh -p 2222 targetuser%targethost%privx-user@privx.example.com
scp -P 2222 targetuser%targethost%privx-user@privx.example.com:example.txt /target/directory
sftp -P 2222 targetuser%targethost%privx-user@privx.example.com
Following is an example using PrivX Extender:
ssh -p 2222 targetuser%extender%targethost%privx-user@privx.example.com
scp -P 2222 example.txt targetuser%extender%targethost%privx-user@privx.example.com:/tmp
If you use native-client connections with bastion syntax often, consider specifying the connection parameters in the users' client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config) using Host blocks. For example:
Host targethost.example.com
    Port 2222
    User targetuser%targethost%privx-user
    Hostname privx.example.com
After which you can connect with much simpler syntax:
$ ssh targethost.example.com
User sessions with native SSH clients can be monitored. For more information about viewing session audit data, see the section called “Viewing Audit Data”. For more information about setting up session recording for a host, see the section called “Session Recording Setup”.
Optionally you can use the PrivX agent to connect using the native clients; for more information see the section called “Connecting with Native SSH Clients Using PrivX Agent (Unix and MacOS)” and the section called “Connecting with Native SSH Clients Using PrivX Agent (Windows)”.
Note
When connecting via PrivX Bastion you must verify the PrivX host keys (instead of the target server host keys). You can add the PrivX host keys to your known_hosts file by running (replace privx.example.com with your PrivX-server address):
ssh-keyscan -p 2222 privx.example.com >> ~/.ssh/known_hosts
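The bastion connection string and the matching ssh_config Host block above are easy to get wrong by hand, so the following added example (not part of the PrivX documentation or product) composes them from their parts: target user, target host, PrivX user, and the optional Extender name and target port, in the field order the manual gives. It also emits the non-interactive form used for the service-account connections described under “Automatic SSH Connections”, and wraps the host-key check from the note above so the bastion fingerprints can be compared with the Connections→Native Clients page before anything is appended to known_hosts. Host and user names are constructed sample values; the port-only form is assumed from the full syntax, since the manual shows no example of it.

```shell
#!/bin/sh
# Added example, not part of the PrivX documentation or product: helper
# functions that compose the PrivX SSH Bastion connection string from its
# parts, following the field order given in the manual:
#   targetuser%extender%targethost%targetport%privx-user@privx.example.com
# Extender and target port are optional and are simply left out. The manual
# shows no port-only form; this script assumes it follows the same positional
# rule (targetuser%targethost%targetport%privx-user). All host names below are
# constructed sample values.

# privx_bastion_user TARGET_USER TARGET_HOST PRIVX_USER [EXTENDER] [TARGET_PORT]
# Prints the user part of the bastion connection string.
privx_bastion_user() {
    bu_user=$1
    if [ -n "${4:-}" ]; then
        bu_user="$bu_user%$4"          # route via the named Extender
    fi
    bu_user="$bu_user%$2"
    if [ -n "${5:-}" ]; then
        bu_user="$bu_user%$5"          # non-default SSH port on the target
    fi
    printf '%s\n' "$bu_user%$3"
}

# privx_ssh_command BASTION_USER PRIVX_SERVER [BASTION_PORT] [batch]
# Prints the ssh command line. With "batch", BatchMode=yes makes ssh fail
# instead of prompting, which is what a service account in an automated job
# wants when access is granted with certificate or public-key authentication.
privx_ssh_command() {
    sc_cmd="ssh -p ${3:-2222}"
    if [ "${4:-}" = "batch" ]; then
        sc_cmd="$sc_cmd -o BatchMode=yes"
    fi
    printf '%s\n' "$sc_cmd $1@$2"
}

# privx_ssh_config_block ALIAS BASTION_USER PRIVX_SERVER [BASTION_PORT]
# Prints an ssh_config Host block so that 'ssh ALIAS' goes through the bastion.
privx_ssh_config_block() {
    printf 'Host %s\n    Hostname %s\n    Port %s\n    User %s\n' \
        "$1" "$3" "${4:-2222}" "$2"
}

# privx_bastion_fingerprints PRIVX_SERVER [BASTION_PORT]
# Fetches the bastion host keys and prints their fingerprints for comparison
# with the values shown on Connections→Native Clients before the keys are
# appended to ~/.ssh/known_hosts. Needs network access, so it is not run below.
privx_bastion_fingerprints() {
    ssh-keyscan -p "${2:-2222}" "$1" 2>/dev/null | ssh-keygen -lf -
}

# Demo with constructed values: common case, via an Extender, and full syntax.
common=$(privx_bastion_user targetuser targethost privx-user)
via_ext=$(privx_bastion_user targetuser targethost privx-user exampleextender)
full=$(privx_bastion_user targetuser targethost privx-user exampleextender 2200)
privx_ssh_command "$common" privx.example.com
privx_ssh_command "$via_ext" privx.example.com
privx_ssh_command "$full" privx.example.com 2222 batch
privx_ssh_config_block targethost.example.com "$common" privx.example.com
```

Run the script as-is to see the three command lines and the Host block; redirect the Host block output into ~/.ssh/config once, and the alias works from then on. The fingerprint function is deliberately left as a separate manual step: the value of the host-key note above is that a human compares the fingerprint with the one PrivX shows before trusting it, which an unattended append to known_hosts would skip.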
After PrivX agent is set up for your workstation account, you can establish connections to targets using native clients with the agent. To do this on Unix or MacOS:
Log into the workstation as the user for whom native clients have been set up.
You may verify that the agent is running with:
$ privx-agent-ctl status
The command should return a message similar to the following:
PrivX SSH Agent Status
PrivX Server    https://privx.example.com
Login status    logged out
If necessary, you can manually start the PrivX agent with:
$ ./privx-agent-unix bash
Via the terminal, authenticate against PrivX using your PrivX credentials. For example (replace username with your PrivX user name):
$ privx-agent-ctl login username
You may verify your login status with:
$ privx-agent-ctl status
After entering your PrivX credentials correctly, your native SSH clients (such as ssh) will authenticate connections via PrivX. For a list of valid connection targets, run:
$ privx-agent-ctl target list
Accessible targets and granting roles:
bilberry alice@10.1.55.144:222 Example Role 01
...
You could then connect to one of the listed targets. In this example, by running:
$ ssh alice@10.1.55.144 -p 222
After PrivX agent is set up for your workstation account, you can establish connections to targets using native clients with the agent. To do this on Windows:
Use the PrivX agent to authenticate with PrivX. To do this, right click the PrivX-agent tray icon, then click Login. Log in using your PrivX credentials. Complete multi-factor authentication if required.
Note
If PrivX-agent login fails with Failed: Login through web UI is required, then use a web browser to log in to the PrivX GUI and complete MFA setup as described in the section called “Multi-Factor Authentication for PrivX Users”.
To connect to a target host, right click PrivX agent tray icon, and click Connections.
Provide the following connection settings:
Role (optional): You may choose to log in with the permissions of a specific PrivX role. By default, you are logged in using any applicable role.
Target: The target host
Client: The native client used for connecting; PuTTY for connecting through SSH or PSFTP through SFTP.
After providing the connection settings, click Connect. Alternatively, you can directly use your SSH client for connecting.
This section describes how to establish RDP connections with native clients.
Users can connect to target hosts/accounts using the RDP clients installed on their workstations, without needing to use the PrivX GUI. Connections are authenticated against PrivX.
PrivX provides the following connection modes:
Interactive: Access PrivX RDP Bastion to list and select possible targets.
Direct: Specify your connection target directly to the native client.
Note
PrivX-Bastion connections are verified against the PrivX-Bastion host certificate. You may verify the certificate from the Connections→Native Clients page.
Connecting Interactively
To connect to targets with native clients interactively:
Use your native client to connect to a PrivX server.
Provide your PrivX credentials when prompted.
You are shown the targets where you are allowed access. Select a target to connect to it.
Connecting Directly
To directly connect to a target you know, provide the native client with the following parameters:
Host: Address of a PrivX server.
User: Credentials and target identification in the following format:
<target_username>%<extender_name>%<target_hostname>%<privx_username>
Where <extender_name> is only required for target hosts behind Extenders.
Note
% characters in user names must be escaped with %%. For example, %example%user% becomes %%example%%user%%.
Values may be separated using either % or |. The separator character can be escaped by doubling (%% or ||).
Password: Your PrivX-user password.
Note
When MFA is enabled, users must connect using the interactive method.
RDP certificate authentication is only supported through the PrivX GUI.
RDP with native clients via PrivX does not support file transfers via drive redirection when session recording is enabled. In such scenarios users may copy-paste to transfer files.
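The escaping rule for the native-RDP User value (double every separator character that occurs inside a value) is the part most often typed wrong, especially with domain accounts whose names already contain the separator. The following added example (not part of the PrivX documentation or product) builds the User value from its four parts with either % or | as the separator, and includes a field counter that discounts doubled separators so a composed string can be checked for the expected 3 or 4 fields before it is used. Host and user names are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the PrivX documentation or product: build the
# User value for a direct native-RDP connection through PrivX Bastion,
#   <target_username>%<extender_name>%<target_hostname>%<privx_username>
# doubling any separator character that occurs inside a value, as the manual
# requires (% -> %%; | -> || when | is used as the separator). Host and user
# names below are constructed sample values.

# privx_rdp_escape VALUE [SEP]
# Doubles every occurrence of SEP inside VALUE.
privx_rdp_escape() {
    re_sep=${2:-%}
    printf '%s\n' "$1" | sed "s/[$re_sep]/$re_sep$re_sep/g"
}

# privx_rdp_user TARGET_USER TARGET_HOST PRIVX_USER [EXTENDER] [SEP]
# Escapes each value and joins them; the extender field is only emitted when
# given, since it is needed only for hosts behind an Extender.
privx_rdp_user() {
    ru_sep=${5:-%}
    ru_u=$(privx_rdp_escape "$1" "$ru_sep")
    ru_h=$(privx_rdp_escape "$2" "$ru_sep")
    ru_p=$(privx_rdp_escape "$3" "$ru_sep")
    if [ -n "${4:-}" ]; then
        ru_e=$(privx_rdp_escape "$4" "$ru_sep")
        printf '%s\n' "$ru_u$ru_sep$ru_e$ru_sep$ru_h$ru_sep$ru_p"
    else
        printf '%s\n' "$ru_u$ru_sep$ru_h$ru_sep$ru_p"
    fi
}

# privx_rdp_field_count USER_STRING [SEP]
# Counts the fields of a composed User value once escaped (doubled) separators
# are discounted: 3 without an extender, 4 with one. A quick sanity check
# before typing a string with awkward account names into the RDP client.
privx_rdp_field_count() {
    fc_sep=${2:-%}
    fc_n=$(printf '%s' "$1" | sed "s/[$fc_sep][$fc_sep]//g" \
        | tr -cd "$fc_sep" | wc -c | tr -d ' ')
    echo $((fc_n + 1))
}

# Demo with constructed values.
privx_rdp_escape '%example%user%'                        # %%example%%user%%
privx_rdp_user 'dom%admin' win01.example.com alice        # dom%%admin%win01.example.com%alice
privx_rdp_user 'dom|admin' win01.example.com alice ext1 '|'
privx_rdp_field_count 'dom%%admin%win01.example.com%alice'  # 3
```

Choosing | as the separator is the simpler option when target usernames contain % (for example, when they are generated or contain URL-style encoding), because then nothing in the account name needs escaping at all; the field count then helps confirm the string still splits as the bastion will split it.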
This section describes how to log into web services via PrivX.
You can use PrivX to connect to HTTP and HTTPS websites. Web connections established via PrivX offer the following benefits:
Session-recording support for improved auditability.
For sites that require login, you may store credentials in PrivX. PrivX automatically fills in the credentials, allowing users to log in without knowing any passwords. Access is provided in a role-based fashion.
To enable web connections your deployment must include at least one PrivX Carrier, and one PrivX Web Proxy. For system requirements and setup instructions, see the section called “Optional Components” and the section called “PrivX Carrier and Web Proxy Setup” respectively.
After the required components are set up, add HTTP/HTTPS targets as described in the section called “Web Targets”.
Noninteractive connections can be used with service accounts as part of automated processes.
To enable noninteractive connections via SSH Bastion:
Set up public-key authentication for the relevant PrivX users, as described in the section called “Public-Key Authentication for SSH Bastion”. Use passphraseless keys to avoid interactive prompts.
Set up access from users' roles to target accounts using any noninteractive authentication method (certificate, public key, or stored passphrase). For more information about authentication methods, see Chapter 7.
After you have set up access with the required authentication methods, users can connect to targets noninteractively by using the direct Bastion syntax, as described in the section called “Connecting with Native SSH Clients using PrivX Bastion”.
You can use PrivX to authenticate and authorize users of the AWS Command Line Interface (AWS CLI). For instructions about the required configurations, see the section called “Authentication to AWS Services”.
You can monitor ongoing and prior connections on the Monitor page. The page allows you to:
See which user is currently connecting or has connected to which destination via SSH or RDP. Note that the page does not show agent-based connections.
Filter connections by their status and search words.
Terminate a connection.
On RDP connections you can restrict which applications each user is able to access on the target Windows host. When adding or editing a host, the Applications entry allows you to specify restricted applications for each host user separately:
Application Name (Required): is the name of the application visible to the user when connecting to said application. The name should be unique, and can be searched.
Identifier (Required): the name of the application's executable, otherwise known as its alias (for example, mspaint, wordpad).
Arguments: command-line arguments to be passed to the application.
Directory: the working directory for the application.
Note that you need to configure the target Windows host to accept and use the remote applications you specify. For instructions about configuring applications for RDP, see https://social.technet.microsoft.com/wiki/contents/articles/10817.publishing-remoteapps-in-windows-server-2012.aspx