This chapter describes:

  • Adding targets for users to connect to.

  • Different ways in which PrivX users can connect to targets. Additional setup instructions for methods that require them.

  • Proxying connections, for targets not directly accessible from PrivX servers.

Setting up Known Targets

This section describes manual target setup. For information about importing targets from existing directories, see Importing Known Targets from Directories instead.

PrivX users can connect to accounts and hosts that have been set up as known targets.

You can add known targets to PrivX by adding hosts. To do this, go to Settings→Hosts and click Add Host. PrivX host entries are used for specifying, among other things:

  • The host address.

  • Who should be allowed to access the host, and as what identity. For example, allow members of Example Role 01 to log in as exampleuser on the host.

  • What methods (host services) can be used to access the host: SSH, RDP, and Web.

Known targets offer the following benefits:

  • To see and connect to known targets, PrivX users can go to the Connections page and select Search from known hosts. PrivX users will only see those known targets that they are authorized to.

  • Known targets support additional authentication methods (instead of just user-provided password). For more information about the configurations required for additional authentication methods, see PrivX Administrator Manual > Authentication Methods for Host Connections.

Proxying Connections to Hosts

For target hosts that are inaccessible from PrivX servers (such as hosts in protected networks), you may set up PrivX Extenders for relaying connections.

Any target host accessed via an Extender must specify the Extender name in its Address. Example Address syntax in IPv4 and IPv6 format:

exampleextender/192.0.2.100
exampleextender/2001:DB8::64

Save your host changes. Subsequent connections to the host are proxied via the PrivX Extender.

For more information about PrivX-Extender requirements and setup, see PrivX Administrator Manual > Preparing for Deployment > Prerequisites for Installation > Optional Components and PrivX Administrator Manual > Setting Up PrivX > Setting Up Optional Components > PrivX Extender Setup respectively.

SSH Targets

Note

You can use the PrivX host-deployment script to automatically add SSH targets (while also enabling certificate-based authentication). For more information about using the host-deployment script, see PrivX Administrator Manual > Authentication Methods for Host Connections > Enabling Certificate-Based Authentication for SSH Connections.

To allow connections to SSH hosts, add a host entry with the following considerations in mind:

  • Add a Service with the type SSH, specifying the address and the port of the SSH server on the host.

    When the Trust on first use option is disabled, SSH host keys must also be added here. In this case regular PrivX users can connect only if the host key matches one of the provided values. PrivX administrators can establish connections even if the host key is missing or incorrect.

  • Add Accounts specifying which PrivX roles may access the host, and which target accounts they are given access as.

    The access options of the accounts can be limited under the Allowed Service Options:

    Shell

    Shell/terminal access.

    File Transfer

    File transfers through subsystem/sftp and exec/scp channels.

    Exec

    All exec channel functions except exec/scp.

    Tunnels

    direct-tcpip channel for local and forwarded-tcpip channel for remote port forwarding.

    X11 Forwarding

    x11 channel for X Window System graphical access.

    Other

    Other SSH channels.

RDP Targets

To allow connections to RDP hosts, add a host entry with the following considerations in mind:

  • Add a Service with the type RDP, specifying the address and the port of the RDP server on the host.

  • Add Accounts specifying which PrivX roles may access the host, and which target accounts they are given access as.

    The access options of the accounts can be limited under the Allowed Service Options:

    • File Transfer

    • Audio

    • Clipboard

    You may also provide Windows application restrictions, for limiting users to certain applications. Note that the target Windows host must be configured to allow the listed applications to be used over RDP.

Web Targets

You can use PrivX to connect to websites. To allow connections to websites, add a host entry with the following considerations in mind:

  • Add a Service with the type Web, specifying the address of the website.

    Note

    Since connections to web targets are provided via a PrivX Web Proxy, you need to provide the address in proxy format. For example (replace exampleproxy with your Web access gateway name, and https://www.example.com/ with the address of the website):

    exampleproxy/https://www.example.com/

    If you want PrivX to automatically fill in login credentials for the website, also provide the following Additional settings:

    • Login-request address: The verified address of the login request. For example, in form logins this may be the URL of the webpage plus the URL specified by the action attribute of the form. Recommended for improved security.

    • Password property: The verified id of the password field in the login form. Recommended for improved security.

    • Login-page address: The login-page address. Only needed if the login page is not under the Address of this web service. For example, while you could have an AWS service with the Address:

      exampleproxy/https://example.signin.aws.amazon.com/console

      That website may redirect you to a different address for login:

      https://us-east-1.signin.aws.amazon.com

    • Username-field name: The name of the username field in the login form. Only required if PrivX is unable to automatically detect this field.

    • Password-field name: The name of the password field in the login form. Only required if PrivX is unable to automatically detect this field.

  • Add Accounts specifying which PrivX roles may access the website. If you want PrivX to automatically fill in login credentials for the website, also provide Usernames and Passwords in the account mappings.

    The access options of the accounts can be limited under the Allowed Service Options:

    • File Transfer

    • Audio

    • Clipboard

Note

When set up to do so, PrivX automatically fills in login credentials, but will not actually log into the web service. Users must manually click any Login buttons to log in.

For HTTPS targets, by default PrivX only allows connections using TLSv1.2 and later.

Connecting via the PrivX GUI

To connect to targets via the PrivX GUI:

  1. Log into the PrivX GUI using your PrivX account.

  2. On the Connections→New connection page, specify where you want to connect to, and which connection type to use.

    • With Search from known hosts, the GUI displays all the known targets to which you have access. Select a target to connect to it.

    • With Enter details manually you can manually specify the target host and account. This method allows connecting to unknown destinations. The user must have the connections-manual permission to use this method.

  3. Click Connect. Provide the target-account password if required (depends on the available authentication methods). You are then logged into the target account on the target host.

Note

Connections are authenticated according to the role-based rules and the enabled authentication methods.

You may need to adjust locale settings for keyboard commands to be transferred correctly.

Tip

Quickly access a recent target from the Home page by clicking an entry under Recent connections.

SSH GUI Features

Open multiple terminals

On the tab bar, click + to open additional terminals.

Copy-paste
  • On a Mac, you can select text and use command-c and command-v to copy-paste, or right-click and use the context menu.

  • On Windows or Linux, you can select text and right-click to use the context menu. Alternatively, you can select some text, press ctrl on its own and then press ctrl-c or ctrl-v within the next second.

  • The left Alt (option on a Mac) key also functions as the Meta key (for example in Emacs).

Transfer files

You can upload, download, and remove files from the File Transfers tab.

To change directory, click a directory or the up icon. You can perform additional actions on files via their menus.

  • To download a file: Double-click the file, or perform a Download action via its menu.

  • To upload a file: Drag-and-drop the file to the file-transfer view. Alternatively, click Upload next to the file-transfer view and select the local file to upload.

Change text, locale and theme

From the Settings tab, you can set the font size, character encoding, and the locale used for the connection. You can also switch between a dark and a light theme.

Open URLs

To open HTTP/HTTPS links in a new tab on Windows or Linux, hold Ctrl and double-click the link. To open links on Mac, hold command and double-click.

RDP GUI Features

Copy-paste

To copy-paste text to the target host, place the text into the Clipboard tab, then paste normally on the target host. Text copied on the target host is automatically made available in the Clipboard.

Transfer files

Upon connecting, PrivX automatically mounts a network drive called Transfers on PrivX to the target host. File downloads and uploads must be performed via this network drive.

You can copy files from the target host to Transfers on PrivX, then download them from the Files tab. Similarly, you can upload files by placing them in Transfers on PrivX from the Files tab, then move the file to another location on the target host.

  • To download a file: Double-click the file, or perform a Download action via its menu.

  • To upload a file: Drag-and-drop the file to the file-transfer view. Alternatively, click Upload next to the file-transfer view and select the local file to upload.

Set keyboard layout

To change your keyboard layout, go to the Settings tab, select your layout, then restart the connection to apply the changes. Set this to match the keyboard layout defined for the server (not the client-side layout).

Fullscreen view

To toggle fullscreen view, click the fullscreen icon.

Note

Toggling fullscreen mode also re-establishes the RDP connection.

SSH Connections with Native Clients

This section describes how to establish SSH connections with native clients.

Users can connect to target hosts/accounts using the SSH clients installed on their workstations, without needing to use the PrivX GUI. Connections are authenticated against PrivX. For example, if PrivX allows you to access a target account with certificate authentication, your native clients will also connect using certificate authentication without prompting you for target-account credentials.

Native-Client Prerequisites

  • Specify which roles may be used for SSH-native-client connections.

    When using the GUI, PrivX users have access to targets provided by any of their roles. However, with SSH-native-client connections, access is further limited to roles with the Allow PrivX agent option.

    The Allow PrivX agent option is enabled at Settings→Roles, under the SSH Options of each role.

  • Your PrivX license must allow using native client connections. For more information about licenses, see PrivX Administrator Manual > Setting Up PrivX > PrivX License Management.

  • After upgrading PrivX, you may need to re-download the extender-config.toml file for the native client connections to work with the extender. For more instructions about the extender configuration file, see PrivX Administrator Manual > Setting Up PrivX > Setting Up Optional Components > PrivX Extender Setup.

  • If you plan to use agent-based connections, the PrivX agent must be set up on the user's workstation. For instructions about setting up PrivX agents, see PrivX Administrator Manual > Setting Up PrivX > Setting Up Optional Components > PrivX Agent Setup.

Connecting with Native SSH Clients using PrivX Bastion

Connections to target hosts using native SSH clients are formed through the PrivX SSH Bastion. The bastion address can be found in PrivX GUI from Connections → New Connection → Read about how to use a native client.

To connect via PrivX Bastion, provide:

  • Target-user name

  • Target-host address

  • PrivX-user name

  • PrivX-server address

  • (Optional) Extender name

  • (Optional) Target port

By default, the bastion runs on your PrivX servers, port 2222.

Full bastion syntax is as follows:

targetuser%extender%targethost%targetport%privx-user@bastionhost

The common case leaves out the extender and the target port, leaving the syntax as follows:

targetuser%targethost%privx-user@bastionhost

Following are examples of ssh, scp and sftp usage with the connection string:

ssh -p 2222 targetuser%targethost%privx-user@privx.example.com
scp -P 2222 targetuser%targethost%privx-user@privx.example.com:example.txt \
/target/directory
sftp -P 2222 targetuser%targethost%privx-user@privx.example.com

Following is an example using PrivX Extender:

ssh -p 2222 targetuser%extender%targethost%privx-user@privx.example.com
scp -P 2222 example.txt \
targetuser%extender%targethost%privx-user@privx.example.com:/tmp

If you use native-client connections with bastion syntax often, consider specifying the connection parameters in the users' client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config) using Host blocks. For example:

Host targethost.example.com
    Port 2222
    User targetuser%targethost%privx-user
    Hostname privx.example.com

After which you can connect with much simpler syntax:

$ ssh targethost.example.com

User sessions with native SSH clients can be monitored. For more information about viewing session audit data, see PrivX Administrator Manual > Auditing > Viewing Audit Data. For more information about setting up session recording for a host, see PrivX Administrator Manual > Auditing > Session Recording Setup.

Optionally you can use the PrivX agent to connect using the native clients; for more information see PrivX Administrator Manual > Establishing and Managing Connections > SSH Connections with Native Clients > Connecting with Native SSH Clients using PrivX Agent (Unix and MacOS) and PrivX Administrator Manual > Establishing and Managing Connections > SSH Connections with Native Clients > Connecting with Native SSH Clients using PrivX Agent (Windows) .

Note

When connecting via PrivX Bastion you must verify the PrivX host keys (instead of the target server host keys). You can add the PrivX host keys to your known_hosts file by running (replace privx.example.com with your PrivX-server address):

ssh-keyscan -p 2222 privx.example.com >> ~/.ssh/known_hosts
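The shell helpers below are an added example, not part of PrivX's own tooling. They assemble the bastion user string in the two forms shown above (common and full), reject strings that match neither form before any ssh command is run, and print the ssh_config Host block shown earlier. All host and user names are constructed placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not PrivX's own tooling. Assembles and checks PrivX Bastion
# connection strings using the two syntaxes documented above:
#   targetuser%extender%targethost%targetport%privx-user   (full form)
#   targetuser%targethost%privx-user                       (common form)
# All names below are constructed placeholders.

# privx_bastion_user TARGETUSER TARGETHOST PRIVXUSER [EXTENDER TARGETPORT]
# Prints the user part of the bastion address. Three arguments give the
# common form; five give the full form with extender and target port.
privx_bastion_user() {
    case "$#" in
        3) printf '%s%%%s%%%s\n' "$1" "$2" "$3" ;;
        5) printf '%s%%%s%%%s%%%s%%%s\n' "$1" "$4" "$2" "$5" "$3" ;;
        *) echo 'usage: privx_bastion_user targetuser targethost privxuser [extender targetport]' >&2
           return 1 ;;
    esac
}

# privx_bastion_check USERSTRING
# Succeeds only when the string has exactly 3 or 5 non-empty %-separated
# fields, i.e. matches one of the two documented forms. A missing field or a
# stray % would make the bastion route the session to a different target
# than intended, so such strings are rejected before ssh is ever invoked.
privx_bastion_check() {
    fields=$(printf '%s\n' "$1" | awk -F'%' '{ for (i = 1; i <= NF; i++) if ($i == "") { print 0; exit }; print NF }')
    [ "$fields" = 3 ] || [ "$fields" = 5 ]
}

# privx_ssh_config_block ALIAS BASTIONHOST BASTIONPORT USERSTRING
# Prints a Host block for ~/.ssh/config so that "ssh ALIAS" goes through
# the bastion (the same shape as the Host block shown above).
privx_ssh_config_block() {
    printf 'Host %s\n    Port %s\n    User %s\n    Hostname %s\n' "$1" "$3" "$4" "$2"
}

# Demonstration with constructed values: build the common-form string,
# validate it, and print the config block that would go into ~/.ssh/config.
user=$(privx_bastion_user alice web01.internal bob)
privx_bastion_check "$user" && privx_ssh_config_block web01 privx.example.com 2222 "$user"
```

Redirect the printed block into ~/.ssh/config (with >>) and the target becomes reachable as `ssh web01`. The check function exists because the bastion string is positional: a field dropped or duplicated by a typo still parses, just as a different user or host, so validating the field count locally is cheaper than discovering the mistake in the session audit log.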

Connecting with Native SSH Clients using PrivX Agent (Unix and MacOS)

After the PrivX agent is set up for your workstation account, you can establish connections to targets using native clients with the agent. To do this on Unix or MacOS:

  1. Log into the workstation as the user for whom native clients have been set up.

    You may verify that the agent is running with:

    $ privx-agent-ctl status

    The command should return a message similar to the following:

    PrivX SSH Agent Status
      PrivX Server          https://privx.example.com
      Login status          logged out

    If necessary, you can manually start the PrivX agent with:

    $ ./privx-agent-unix bash

  2. Via the terminal, authenticate against PrivX using your PrivX credentials. For example (replace username with your PrivX user name):

    $ privx-agent-ctl login username

    You may verify your login status with:

    $ privx-agent-ctl status

    After entering your PrivX credentials correctly, your native SSH clients (such as ssh) will authenticate connections via PrivX. For a list of valid connection targets, run:

    $ privx-agent-ctl target list
    
    Accessible targets and granting roles:
    
      bilberry
          alice@10.1.55.144:222           Example Role 01
      ...

    You could then connect to one of the listed targets. In this example, by running:

    $ ssh alice@10.1.55.144 -p 222
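As an added example (not part of the PrivX agent), the following shell function turns a `privx-agent-ctl target list` listing into the matching ssh command lines, so the step from the listing to the command above can be scripted. It assumes the listing format shown above (a host alias line followed by indented `user@host:port   Role` lines); the sample input is constructed.

```shell
#!/bin/sh
# Added example, not PrivX's own tooling: turn the "privx-agent-ctl target
# list" output into the matching ssh command lines. Assumes the listing
# format shown above (one "user@host:port   Role" line per target under a
# host alias). The sample input below is constructed.

# privx_targets_to_ssh  (reads a target listing on stdin)
# Prints one "ssh user@host -p port" line per target line. Lines whose first
# word is not of the form user@host:port (the heading, host aliases, "...")
# are skipped, so the output contains only runnable commands.
privx_targets_to_ssh() {
    awk '$1 ~ /^[^@:]+@[^@:]+:[0-9]+$/ {
        split($1, part, /[@:]/)
        printf "ssh %s@%s -p %s\n", part[1], part[2], part[3]
    }'
}

# Constructed sample in the format shown above.
sample='Accessible targets and granting roles:

  bilberry
      alice@10.1.55.144:222           Example Role 01
  cloudberry
      deploy@app02.internal:22        Example Role 02
  ...'

printf '%s\n' "$sample" | privx_targets_to_ssh
```

In use, pipe the real listing in with `privx-agent-ctl target list | privx_targets_to_ssh`. The commands are only printed, never executed, so the user still chooses which of the role-granted targets to open.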

Connecting with Native SSH Clients using PrivX Agent (Windows)

After the PrivX agent is set up for your workstation account, you can establish connections to targets using native clients with the agent. To do this on Windows:

  1. Use the PrivX agent to authenticate with PrivX. To do this, right-click the PrivX-agent tray icon, then click Login. Log in using your PrivX credentials. Complete multi-factor authentication if required.

    Note

    If PrivX-agent login fails with Failed: Login through web UI is required, use a web browser to log in to the PrivX GUI and complete MFA setup as described in PrivX Administrator Manual > PrivX Users and Permissions > Advanced Authentication for PrivX Users > Multi-Factor Authentication for PrivX Users.

  2. To connect to a target host, right-click the PrivX-agent tray icon, and click Connections.

    Provide the following connection settings:

    • Role (optional): You may choose to log in with the permissions of a specific PrivX role. By default, you are logged in using any applicable role.

    • Target: The target host

    • Client: The native client used for connecting; PuTTY for SSH connections or PSFTP for SFTP connections.

    After providing the connection settings, click Connect. Alternatively, you can directly use your SSH client for connecting.

RDP Connections with Native Clients

This section describes how to establish RDP connections with native clients.

Users can connect to target hosts/accounts using the RDP clients installed on their workstations, without needing to use the PrivX GUI. Connections are authenticated against PrivX.

To connect to targets with native clients interactively:

  1. Use your native client to connect to a PrivX server.

  2. Provide your PrivX credentials when prompted.

  3. You are shown the targets where you are allowed access. Select a target to connect to it.

Alternatively, to directly connect to a target you know, connect with the native client using the following parameters:

  • Host: Address of a PrivX server.

  • User: Credentials and target identification in the following format:

    <privx_username>|<target_username>|<target_hostname>

  • Password: Your PrivX-user password.

Figure 6. Direct-connection example with Windows Remote Desktop Client


Note

When MFA is enabled, users must connect using the interactive method.

You cannot use the RDP connections through an HA-setup load balancer; the native clients must connect to the PrivX server address.
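For the direct-connection method above (which, as the note says, is only usable when MFA is not enabled), the following shell helpers are an added example, not PrivX's own tooling. They build the User field in the PrivX format and write a connection file for the Windows Remote Desktop Client. They assume the client reads the standard `full address:s:`, `username:s:` and `prompt for credentials:i:` settings from a .rdp file; all server, user and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not PrivX's own tooling: build the User string for a direct
# RDP connection through PrivX and print a .rdp file for the Windows Remote
# Desktop Client. Assumption: the client reads the standard "full address:s:",
# "username:s:" and "prompt for credentials:i:" settings from a .rdp file.
# All names below are constructed placeholders.

# privx_rdp_user PRIVXUSER TARGETUSER TARGETHOST
# Prints <privx_username>|<target_username>|<target_hostname>. A "|" inside
# any part would shift the fields and change which target is requested,
# so such input is rejected.
privx_rdp_user() {
    case "$1$2$3" in
        *'|'*) echo "privx_rdp_user: fields must not contain '|'" >&2; return 1 ;;
    esac
    printf '%s|%s|%s\n' "$1" "$2" "$3"
}

# privx_rdp_file PRIVXSERVER PRIVXUSER TARGETUSER TARGETHOST
# Prints .rdp file contents. The Host is a PrivX server address given
# directly (not an HA load balancer, per the note above), and no password is
# written to the file: the client prompts for the PrivX-user password.
privx_rdp_file() {
    user=$(privx_rdp_user "$2" "$3" "$4") || return 1
    printf 'full address:s:%s\nusername:s:%s\nprompt for credentials:i:1\n' "$1" "$user"
}

# Demonstration with constructed values; redirect to a .rdp file to use it.
privx_rdp_file privx1.example.com alice admin win01.internal
```

Saving the output as, for example, privx-win01.rdp and opening it in the client fills in the Host and User fields from the list above; the password prompt remains interactive, which keeps the PrivX-user password out of files on the workstation.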

Website Access via PrivX

This section describes how to log into web services via PrivX.

You can use PrivX to connect to HTTP and HTTPS websites. Web connections established via PrivX offer the following benefits:

  • Session-recording support for improved auditability.

  • For sites that require login, you may store credentials in PrivX. PrivX automatically fills in the credentials, allowing users to log in without knowing any passwords. Access is provided in a role-based fashion.

To enable web connections your deployment must include at least one PrivX Carrier, and one PrivX Web Proxy. For system requirements and setup instructions, see PrivX Administrator Manual > Preparing for Deployment > Prerequisites for Installation > Optional Components and PrivX Administrator Manual > Setting Up PrivX > Setting Up Optional Components > PrivX Carrier and Web Proxy Setup respectively.

After the required components are set up, add HTTP/HTTPS targets as described in PrivX Administrator Manual > Establishing and Managing Connections > Setting up Known Targets > Web Targets.

AWS CLI Connection with Native Client

You can use PrivX to authenticate and authorize users of the AWS Command Line Interface (AWS CLI). For instructions about the required configurations, see PrivX Administrator Manual > Authentication Methods for Host Connections > Authentication to AWS Services.

Monitoring and Managing Connections

You can monitor ongoing and prior connections on the Monitor page. The page allows you to:

  • See which user is currently connecting or has connected to which destination via SSH or RDP. Note that the page does not show agent-based connections.

  • Filter connections by their status and search words.

  • Terminate a connection.

Restricting Users' Access to Applications in RDP Connections

On RDP connections you can restrict which applications each user is able to access on the target Windows host. When adding or editing a host, the Applications entry allows you to specify application restrictions for each host user separately:

  • Application Name (Required): The name of the application shown to the user when connecting to it. The name should be unique, and it can be searched.

  • Identifier (Required): The name of the application's executable, otherwise known as the alias (for example, mspaint, wordpad).

  • Arguments: command-line arguments to be passed to the application.

  • Directory: the working directory for the application.

Note that you need to configure the target Windows host to accept and use the remote applications you specify. For instructions about configuring applications for RDP, see https://social.technet.microsoft.com/wiki/contents/articles/10817.publishing-remoteapps-in-windows-server-2012.aspx