This chapter describes:
Adding targets for users to connect to.
Different ways in which PrivX users can connect to targets. Additional setup instructions for methods that require them.
Proxying connections, for targets not directly accessible from PrivX servers.
This section describes manual target setup. For information about importing targets from existing directories, see Importing Known Targets from Directories instead.Importing Known Targets from Directories
PrivX users can connect to accounts and hosts that have been set up as known targets.
You can add known targets to PrivX by adding hosts. To do this, go to Settings→Hosts and click Add Host. PrivX host entries are used for specifying, among other things:
The host address.
Who should be allowed to access the host, and as what identity. For example, allow members of Example Role 01 to log in as
exampleuseron the host.What methods (host services) can be used to access the host: SSH, RDP, and Web.
Known targets offer the following benefits:
To see and connect to known targets, PrivX users can go to the Connections page and select Search from known hosts. PrivX users will only see those known targets that they are authorized to.
Known targets support additional authentication methods (instead of just user-provided password). For more information about the configurations required for additional authentication methods, see PrivX Administrator Manual > Authentication Methods for Host Connections.
For target hosts that are inaccessible from PrivX servers (such as hosts in protected networks), you may set up PrivX Extenders for relaying connections.
Any target host accessed via an Extender must specify the Extender name in its Address. Example Address syntax in IPv4 and IPv6 format:
exampleextender/192.0.2.100 exampleextender/2001:DB8::64
Save your host changes. Subsequent connections to the host are proxied via the PrivX Extender.
For more information about PrivX-Extender requirements and setup, see PrivX Administrator Manual > Preparing for Deployment > Prerequisites for Installation > Optional Components and PrivX Administrator Manual > Setting Up PrivX > Setting Up Optional Components > PrivX Extender Setup respectively.
Note
You can use the PrivX host-deployment script to automatically add SSH targets (while also enabling certificate-based authentication). For more information about using the host-deployment script, see PrivX Administrator Manual > Authentication Methods for Host Connections > Enabling Certificate-Based Authentication for SSH Connections.
To allow connections to SSH hosts, add a host entry with the following considerations in mind:
-
Add a Service with the type SSH, specifying the address and the port of the SSH server on the host.
When the Trust on first use option is disabled, SSH host keys must also be added here. In this case regular PrivX users can connect only if the host key matches one of the provided values. PrivX administrators can establish connections even if the host key is missing or incorrect.
-
Add Accounts specifying which PrivX roles may access the host, and which target accounts they are given access as.
The access options of the accounts can be limited under the Allowed Service Options:
- Shell
Shell/terminal access.
- File Transfer
File transfers through subsystem/sftp and exec/scp channels.
- Exec
All exec channel functions except exec/scp.
- Tunnels
direct-tcpip channel for local and forwarded-tcpip channel for remote port forwarding.
- X11 Forwarding
x11 channel for X Window System graphical access.
- Other
Other SSH channels.
To allow connections to RDP hosts, add a host entry with the following considerations in mind:
Add a Service with the type RDP, specifying the address and the port of the RDP server on the host.
-
Add Accounts specifying which PrivX roles may access the host, and which target accounts they are given access as.
The access options of the accounts can be limited under the Allowed Service Options:
File Transfer
Audio
Clipboard
You may also provide Windows application restrictions, for limiting users to certain applications. Note that the target Windows host must be configured to allow the listed applications to be used over RDP.
You can use PrivX to connect to websites . To allow connections to websites, add a host entry with the following considerations in mind:
-
Add a Service with the type Web, specifying the address of the website.
Note
Since connections to web targets are provided via a PrivX Web Proxy, you need to provide the address in proxy format. For example (replace
exampleproxywith your Web access gateway name, andhttps://www.example.com/with the address of the website):exampleproxy/https://www.example.com/If you want PrivX to automatically fill in login credentials for the website, also provide the following Additional settings:
Login-request address: The verified address of the login request. For example, in form logins this may be the URL of the webpage plus the URL specified by the
actionattribute of the form. Recommended for improved security.Password property: The verified id of the password field in the login form. Recommended for improved security.
-
Login-page address: The login-page address. Only needed if the login page is not under the Address of this web service. For example, while you could have an AWS service with the Address:
exampleproxy/https://example.signin.aws.amazon.com/consoleThat website may redirect you to a different address for login:
https://us-east-1.signin.aws.amazon.com Username-field name: The name of the username field in the login form. Only required if PrivX is unable to automatically detect this field.
Password-field name: The name of the password field in the login form. Only required if PrivX is unable to automatically detect this field.
-
Add Accounts specifying which PrivX roles may access the website. If you want PrivX to automatically fill in login credentials for the website, also provide Usernames and Passwords in the account mappings.
The access options of the accounts can be limited under the Allowed Service Options:
File Transfer
Audio
Clipboard
Note
When set up to do so, PrivX automatically fills up login credentials, but will not actually log into the web service. Users must manually click any Login buttons to log in.
For HTTPS targets, by default PrivX only allows connections using TLSv1.2 and later.
To connect to targets via the PrivX GUI:
Log into the PrivX GUI using your PrivX account.
-
On the Connections→New connection page, specify where you want to connect to, and which connection type to use.
With Search from known hosts, the GUI displays all the known targets to which you have access. Select a target to connect to it.
With Enter details manually you can manually specify the target host and account. This method allows connecting to unknown destinations. The user must have the connections-manual permission to use this method.
Click Connect. Provide the target-account password if required (depends on the available authentication methods). You are then logged into the target account on the target host.
Note
Connections are authenticated according to the role-based rules and the enabled authentication methods.
You may need to adjust locale settings for keyboard commands to be transferred correctly.
Tip
Quickly access a recent target from the Home page by clicking an entry under Recent connections.
- Open multiple terminals
On the tab bar, click + to open additional terminals.
- Copy-paste
On a Mac, you can select text and use command-c and command-v to copy-paste, or right-click and use the context menu.
On a Windows or Linux you can select text and right-click to use the context menu. Alternatively you can select some text, pres ctrl on its own and then press ctrl-c or ctrl-v within the next second.
The left Alt (option on a Mac) key also functions as the Meta key (for example in Emacs).
- Transfer files
-
You can upload, download, and remove files from the File Transfers tab.
To change directory, click a directory or
. You can perform additional actions on files via their 
menus.To download a file: Double-click the file, or perform a Download action via its
menu.To upload a file: Drag-and-drop the file to the file-transfer view. Alternatively, click Upload next to the file-transfer view and select the local file to upload.
- Change text, locale and theme
From the Settings tab, you can set the font size, character encoding, and the locale used for the connection. You can also switch between a dark and a light theme.
- Open URLs
To open HTTP/HTTPS links in a new tab on Windows or Linux, hold Ctrl and double-click the link. To open links on Mac, hold command and double-click.
- Copy-paste
To copy-paste text to the target host, place the text into the Clipboard tab, then paste normally on the target host. Text copied on the target host is automatically made available in the Clipboard.
- Transfer files
-
Upon connecting, PrivX automatically mounts a network drive called Transfers on PrivX to the target host. File downloads and uploads must be performed via this network drive.
You can copy files from the target host to Transfers on PrivX, then download them from the Files tab. Similarly, you can upload files by placing them to Transfers on PrivX on the Files tab, then move the file to another location on the target host.
To download a file: Double-click the file, or perform a Download action via its
menu.To upload a file: Drag-and-drop the file to the file-transfer view. Alternatively, click Upload next to the file-transfer view and select the local file to upload.
- Set keyboard layout
To change your keyboard layout, go to the Settings tab, select your layout, then restart the connection to apply the changes. Set this to match the keyboard layout defined for the server (not the client-side layout).
- Fullscreen view
-
To toggle fullscreen view, click
Note
Toggling fullscreen mode also re-establishes the RDP connection.
This section describes how to establish SSH connections with native clients.
Users can connect to target hosts/accounts using the SSH clients installed on their workstations, without needing to use the PrivX GUI. Connections are authenticated against PrivX. For example, if PrivX allows you to access a target account with certificate authentication, your native clients will also connect using certificate authentication without prompting you for target-account credentials.
-
Specify which roles may be used for SSH-native-client connections.
When using the GUI, PrivX users have access to targets provided by any of their roles. However with SSH-native-client connections, access is further limited to roles with the Allow PrivX agent option.
The Allow PrivX agent option is enabled at Settings→Roles, under the SSH Options of each role.
Your PrivX license must allow using native client connections. For more information about licenses, see PrivX Administrator Manual > Setting Up PrivX > PrivX License Management.
After ugrading PrivX, you may need to re-download the extender-config.toml file for the native client connections to work with the extender. For more instructions about extender configuration file, see PrivX Administrator Manual > Setting Up PrivX > Setting Up Optional Components > PrivX Extender Setup.
If you plan to use agent-based connections, the PrivX agent must be set up on the user's workstation. For instructions about setting up PrivX agents, see PrivX Administrator Manual > Setting Up PrivX > Setting Up Optional Components > PrivX Agent Setup.
Connections to target hosts using native SSH clients are formed through the PrivX SSH Bastion. The bastion address can be found in PrivX GUI from Connections → New Connection → Read about how to use a native client.
To connect via PrivX Bastion, provide:
Target-user name
Target-host address
PrivX-user name
PrivX-server address
(Optional) Extender name
(Optional) Target port
By default bastion runs on your PrivX servers, port 2222.
Full bastion syntax is as follows:
targetuser%extender%targethost%targetport%privx-user@bastionhost
Common case leaves out the extender and the target port, leaving the syntax as following:
targetuser%targethost%privx-user@bastionhost
Following are examples of ssh, scp and sftp usage with the connection string:
ssh -p 2222 targetuser%targethost%privx-user@privx.example.com scp -P 2222 targetuser%targethost%privx-user@privx.example.com:example.txt \ /target/directory sftp -P 2222 targetuser%targethost%privx-user@privx.example.com
Following is an example using PrivX Extender:
ssh -P 2222 targetuser%extender%targethost%privx-user@privx.example.com scp -P 2222 example.txt \ targetuser%extender%targethost%privx-user@privx.example.com:/tmp
If you use native-client connections with bastion syntax often, consider specifying the connection parameters in the users' client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config) using Host blocks. For example:
Host targethost.example.com
Port 2222
User targetuser%targethost%privx-user
Hostname privx.example.com
After which you can connect with much simpler syntax:
$ ssh targethost.example.com
User sessions with native SSH clients can be monitored. For more information about viewing session audit data, see PrivX Administrator Manual > Auditing > Viewing Audit Data. For more information about setting up session recording for a host, see PrivX Administrator Manual > Auditing > Session Recording Setup.
Optionally you can use the PrivX agent to connect using the native clients; for more information see PrivX Administrator Manual > Establishing and Managing Connections > SSH Connections with Native Clients > Connecting with Native SSH Clients using PrivX Agent (Unix and MacOS) and PrivX Administrator Manual > Establishing and Managing Connections > SSH Connections with Native Clients > Connecting with Native SSH Clients using PrivX Agent (Windows) .
Note
When connecting via PrivX Bastion you must verify the PrivX host keys (instead of the target server host keys). You can add the PrivX host keys to your known_hosts file by running (replace privx.example.com with your PrivX-server address:
ssh-keyscan -p 2222 privx.example.com >> ~/.ssh/known_hosts
After PrivX agent is set up for your workstation account, you can establish connections to targets using native clients with the agent. To do this on Unix or MacOS:
-
Log into the workstation as the user for whom native clients have been set up.
You may verify that the agent is running with:
$ privx-agent-ctl status
The command should return a message similar to the following:
PrivX SSH Agent Status PrivX Server https://privx.example.com Login status logged out
If necessary, you can manually start the PrivX agent with:
$ ./privx-agent-unix bash
-
Via the terminal, authenticate against PrivX using your PrivX credentials. For example (replace
usernamewith your PrivX user name):$ privx-agent-ctl login
usernameYou may verify your login status with:
$ privx-agent-ctl status
After entering your PrivX credentials correctly, your native SSH clients (such as
ssh) will authenticate connections via PrivX. For a list of valid connection targets, run:$ privx-agent-ctl target list Accessible targets and granting roles: bilberry alice@10.1.55.144:222 Example Role 01 ...You could then connect to one of the listed targets. In this example, by running:
$ ssh alice@10.1.55.144 -p 222
After PrivX agent is set up for your workstation account, you can establish connections to targets using native clients with the agent. To do this on Windows:
-
Use the PrivX agent to authenticate with PrivX. To do this, right click the PrivX-agent tray icon, then click
Login. Log in using your PrivX credentials. Complete multi-factor authentication if required.Note
If PrivX-agent login fails with Failed: Login through web UI is required, then please use a web browser to login in to PrivX GUI and complete MFA setup as described in PrivX Administrator Manual > PrivX Users and Permissions > Advanced Authentication for PrivX Users > Multi-Factor Authentication for PrivX Users.
-
To connect to a target host, right click PrivX agent tray icon, and click Connections.
Provide the following connection settings:
Role (optional): You may choose to log in with the permissions of a specifc PrivX role. By default, you are logged in using any applicable role.
Target: The target host
Client: The native client used for connecting; PuTTY for connecting through SSH or PSFTP through SFTP.
After providing the connection settings, click Connect. Alternatively, you can directly use your SSH client for connecting.
This section describes how to establish RDP connections with native clients.
Users can connect to target hosts/accounts using the RDP clients installed on their workstations, without needing to use the PrivX GUI. Connections are authenticated against PrivX.
To connect to targets with native clients interactively:
Use your native client to connect to a PrivX server.
Provide your PrivX credentials when prompted.
You are shown the targets where you are allowed access. Select a target to connect to it.
Alternatively, to directly connect to a target you know, connect with the native client using the following parameters:
Host: Address of a PrivX server.
-
User: Credentials and target identification in the following format:
<privx_username>|<target_username>|<target_hostname> Password: Your PrivX-user password.
Note
When MFA is enabled, users must connect using the interactive method.
You cannot use the RDP connections through a HA setup load balancer; the native clients must connect to the PrivX server address.
This section describes how to log into web services via PrivX.
You can use PrivX to connect to HTTP and HTTPS websites. Web connections established via PrivX offer the following benefits:
Session-recording support for improved auditability.
For sites that require login, you may store credentials in PrivX. PrivX automatically fills in the credentials, allowing users to log in without knowing any passwords. Access is provided in a role-based fashion.
To enable web connections your deployment must include at least one PrivX Carrier, and one PrivX Web Proxy. For system requirements and setup instructions, see PrivX Administrator Manual > Preparing for Deployment > Prerequisites for Installation > Optional Components and PrivX Administrator Manual > Setting Up PrivX > Setting Up Optional Components > PrivX Carrier and Web Proxy Setup respectively.
After the required components are set up, add HTTP/HTTPS targets as described in PrivX Administrator Manual > Establishing and Managing Connections > Setting up Known Targets > Web Targets.
You can use PrivX to authenticate and authorize users of the AWS Command Line Interface (AWS CLI). For instructions about the required configurations, see PrivX Administrator Manual > Authentication Methods for Host Connections > Authentication to AWS Services.
You can monitor ongoing and prior connections on the Monitor page. The page allows you to:
See which user is currently connecting or has connected to which destination via SSH or RDP. Note that the page does not show agent-based connections.
Filter connections by their status and search words.
Terminate a connection.
On RDP connections you can restrict which applications each user is able to access on the target Windows host. When adding or editing a host, the Applications entry allows you to specify restricted applications to each host user seperately:
Application Name (Required): is the name of the application visible to the user when connecting to said application. The name should be unique, and can be searched.
Identifier (Required): the name of the application's executable, otherwise known as alias (for example, mspaint, wordpad)
Arguments: command-line arguments to be passed to the application.
Directory: the working directory for the application.
Note that you need to configure the target Windows host to accept and use the remote applications you specify. For instructions about configuring applications for RDP, see https://social.technet.microsoft.com/wiki/contents/articles/10817.publishing-remoteapps-in-windows-server-2012.aspx