Gatekeeper User Interface
The Imprivata Customer Privileged Access Management (CPAM) Gatekeeper is a piece of software used to broker the secure connection between you and your Vendor.
To activate the Gatekeeper once it is downloaded and installed on one of your servers:
- Navigate to the Gatekeeper web page.
- Enter the registration key supplied to you by your Vendor.
- Once the Gatekeeper is registered, you are able to control how and when your Vendor connects.
Connection Status
The current CPAM Gatekeeper connection status appears in the Connection Status window. This window allows you to control when your Vendor can connect.

If you disable access, your Vendor cannot connect to the Gatekeeper.
When access is enabled, the following options are available:
- Disable access now: access remains disabled until you manually enable it again.
- Disable access in: access is automatically disabled after the specified duration.
- Disable access at: access is automatically disabled at the specified date and time.
- Use an Access Schedule: access is controlled by the defined Access Schedule.
If a connection is active when the access time expires, it disconnects immediately, and no further access is allowed.

If access is disabled, the following options are available:
- Enable Gatekeeper: access remains enabled until you manually disable it.
- Enable Gatekeeper for the next: access is automatically disabled after the specified duration.
- Enable access until: access is enabled until the specified date.
- Use an Access Schedule: access is controlled by the defined Access Schedule.

Select the Use an Access Schedule option to display the access schedule form.
When an Access Schedule is active, the Gatekeeper status line shows via Schedule. The schedule details also appear in the Current Access Schedule section under the status.
For example, you can configure the access to be enabled on weekdays from 8:00 AM to 5:00 PM.
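The enable/disable options above and the Access Schedule combine into one access state that the Gatekeeper evaluates whenever a Vendor tries to connect, and re-evaluates while a connection is open so that an expired window drops the session. The following model is an added example written for this page, not the product's own code; the class and function names (AccessSchedule, GatekeeperAccess, access_allowed, tick) are assumptions chosen to mirror the option names in the text.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Set

# Constructed model of the Connection Status options on this page. The names
# below are assumptions for illustration, not the product's API.


@dataclass
class AccessSchedule:
    """Weekly window, e.g. weekdays 08:00-17:00 (weekday(): 0=Monday .. 6=Sunday)."""
    weekdays: Set[int]
    start: time
    end: time

    def allows(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass
class GatekeeperAccess:
    enabled: bool = False
    # Set by "Disable access in", "Disable access at" and "Enable access until".
    disable_at: Optional[datetime] = None
    # Set by "Use an Access Schedule"; while present it decides access on its own.
    schedule: Optional[AccessSchedule] = None

    def enable(self, until: Optional[datetime] = None) -> None:
        """Enable Gatekeeper / Enable access until."""
        self.enabled, self.disable_at, self.schedule = True, until, None

    def enable_for(self, now: datetime, duration: timedelta) -> None:
        """Enable Gatekeeper for the next <duration>."""
        self.enable(until=now + duration)

    def disable(self) -> None:
        """Disable access now: stays disabled until enabled manually again."""
        self.enabled, self.disable_at, self.schedule = False, None, None

    def use_schedule(self, schedule: AccessSchedule) -> None:
        self.schedule = schedule


def access_allowed(state: GatekeeperAccess, now: datetime) -> bool:
    """Can the Vendor connect at 'now'? An active schedule decides; otherwise the
    manual state applies, and a timed window that has passed counts as disabled."""
    if state.schedule is not None:
        return state.schedule.allows(now)
    if not state.enabled:
        return False
    return state.disable_at is None or now < state.disable_at


def tick(state: GatekeeperAccess, now: datetime, connection_active: bool) -> bool:
    """Periodic enforcement step. Once a timed window has expired the state is
    flipped to disabled (no further access until re-enabled manually). Returns
    True when an active connection must be dropped immediately."""
    timed_out = (state.schedule is None and state.enabled
                 and state.disable_at is not None and now >= state.disable_at)
    if timed_out:
        state.disable()
    return connection_active and not access_allowed(state, now)


if __name__ == "__main__":
    weekdays = AccessSchedule({0, 1, 2, 3, 4}, time(8, 0), time(17, 0))
    gk = GatekeeperAccess()
    gk.use_schedule(weekdays)
    print(access_allowed(gk, datetime(2024, 3, 5, 9, 0)))   # Tuesday 09:00 -> True
    print(access_allowed(gk, datetime(2024, 3, 9, 9, 0)))   # Saturday -> False
```

The `tick` function is the piece worth copying into any home-grown gate: it is not enough to check access at connect time, because "Disable access in" and "Disable access at" are commitments that must also cut an already-open session.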

If a gatekeeper is disabled or expired, a user can request the Gatekeeper to be activated. When a user creates a new request, it is placed in an approval queue so you can decide if and when to allow access.
To access this queue:
- Click New Approval Requests.
- Click Modify Status to grant access to the requested gatekeepers.
If the user requesting approval has entered a request message, the message appears here and in the approval email you receive.
You can Enable Access indefinitely, Enable for a certain time, or Deny User Access. You can also add an optional message to the user, explaining your reason for approving or denying access. This message is included in the email notification sent to the user.
Reports
The CPAM server records detailed audit information about connections to your Gatekeeper. Audit information is available in real-time.
- Click Reports when viewing a Gatekeeper to display the Session History.
- Click View to get details about a particular session.

The Session History feature provides an archive of previously recorded sessions. It allows users to view details of past activity, with the most recent sessions displayed at the top of the list. This enables easy access to important historical data related to each session.
The following fields are shown in the Session History:
- Session Start: The date and time when the session began.
- Duration: Indicates how long the session was active from start to finish.
- Owner: The user or entity responsible for initiating or owning the session.
- Users: The number of users in the session.
- Services: The services accessed during the session.

This section provides detailed information about a specific historical session.
For each Vendor user who connected, the following information is shown: their ID, user name, connection time, and duration of connection.
For each service accessed, the following details are provided: service name, user who accessed the service, host and port accessed, along with the time and duration of access.
Click Return to most recent activity to go back to the Session History.
A View option is shown if there is additional information available for the service access, such as file activity, command prompt auditing, or desktop sharing data.

If any FTP-based File Transfer service is used, including the built-in File Transfer service provided by the CPAM Gatekeeper, the file activity details are audited and accessible through the Activity Report.

Command prompt activity details of any Telnet-based command service are audited and accessible through the Activity Report. Some SSH terminal sessions are also captured in this manner.
The following is a sample audit log for a telnet session, with the commands highlighted in bold text:
Telnet Activity Log
CYGWIN_NT-5.1 1.5.12(0.116/4/2) (Myhost) (tty1)
SYSTEM@Myhost /
$ ls -l
total 2
drwx------+ 0 Sep 8 00:15 bin
-rwxrwx--- 47 Oct 9 16:08 cyghome.bat
-rwx------+ 15 Dec 29 2004 cyghome.txt
drwx------+ 0 Sep 8 00:15 etc
drwx------+ 0 Oct 9 14:13 home
drwx------+ 0 Sep 8 00:15 lib
drwx------+ 0 Sep 8 00:15 tmp
drwx------+ 0 Sep 8 00:15 usr
SYSTEM@Myhost /
$ ls
bin cyghome.bat cyghome.txt etc home lib tmp usr
SYSTEM@Myhost /
$ cmd
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\SecureLink\shell>dir
Volume in drive C has no label.
Volume Serial Number is 4461-8B1D
Directory of C:\Program Files\SecureLink\shell
09/26/2006 03:47 PM <DIR> .
09/26/2006 03:47 PM <DIR> ..
01/07/2007 04:09 PM 54 .bash_history
09/08/2006 12:15 AM <DIR> bin
10/09/2006 04:08 PM 47 cyghome.bat
12/30/2004 12:44 AM 15 cyghome.txt
09/08/2006 12:15 AM <DIR> etc
10/09/2006 02:13 PM <DIR> home
09/08/2006 12:15 AM <DIR> lib
09/08/2006 12:15 AM <DIR> tmp
09/08/2006 12:15 AM <DIR> usr
3 File(s) 116 bytes
8 Dir(s) 13,518,458,880 bytes free
C:\Program Files\SecureLink\shell>exit
exit
SYSTEM@Myhost /
$ exit
logout
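In the plain-text copy of that log the bold highlighting of the typed commands is lost, so a reviewer working from exported logs has to recover the commands by the shape of the prompt. The parser below is an added example for this page, not part of the product; it uses the page's own sample log as its input, and the two prompt patterns (a Cygwin `$ ` prompt and a Windows `C:\...>` prompt) are assumptions drawn from that sample rather than a documented log format.

```python
import re
from collections import Counter
from typing import List, Tuple

# The page's sample Telnet Activity Log, embedded as a constant so the
# example runs offline (constructed input; the log format is not documented).
SAMPLE_LOG = r"""CYGWIN_NT-5.1 1.5.12(0.116/4/2) (Myhost) (tty1)
SYSTEM@Myhost /
$ ls -l
total 2
drwx------+ 0 Sep 8 00:15 bin
-rwxrwx--- 47 Oct 9 16:08 cyghome.bat
-rwx------+ 15 Dec 29 2004 cyghome.txt
drwx------+ 0 Sep 8 00:15 etc
drwx------+ 0 Oct 9 14:13 home
drwx------+ 0 Sep 8 00:15 lib
drwx------+ 0 Sep 8 00:15 tmp
drwx------+ 0 Sep 8 00:15 usr
SYSTEM@Myhost /
$ ls
bin cyghome.bat cyghome.txt etc home lib tmp usr
SYSTEM@Myhost /
$ cmd
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\SecureLink\shell>dir
Volume in drive C has no label.
Volume Serial Number is 4461-8B1D
Directory of C:\Program Files\SecureLink\shell
09/26/2006 03:47 PM <DIR> .
09/26/2006 03:47 PM <DIR> ..
01/07/2007 04:09 PM 54 .bash_history
3 File(s) 116 bytes
8 Dir(s) 13,518,458,880 bytes free
C:\Program Files\SecureLink\shell>exit
exit
SYSTEM@Myhost /
$ exit
logout"""

# Assumed prompt shapes: a Cygwin/Unix command line starts with "$ ", and a
# Windows cmd line starts with a drive path ending in ">" before the command.
UNIX_CMD = re.compile(r"^\$ (.*)$")
CMD_CMD = re.compile(r"^([A-Za-z]:\\[^>]*)>(.*)$")


def extract_commands(log: str) -> List[Tuple[str, str]]:
    """Return (shell, command) pairs in the order they were typed.
    Output lines (directory listings, the echoed 'exit', 'logout') are skipped
    because they do not carry a prompt."""
    commands: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = UNIX_CMD.match(line)
        if m:
            commands.append(("sh", m.group(1).strip()))
            continue
        m = CMD_CMD.match(line)
        if m:
            commands.append(("cmd", m.group(2).strip()))
    return commands


def shell_switches(commands: List[Tuple[str, str]]) -> List[int]:
    """Indexes at which the Vendor started a second shell ('cmd' from the
    Cygwin shell). From that point the prompt shape changes, so a parser that
    only knew the first prompt would silently miss every later command."""
    return [i for i, (shell, cmd) in enumerate(commands) if shell == "sh" and cmd == "cmd"]


def command_counts(commands: List[Tuple[str, str]]) -> Counter:
    """Count the first word of each command for a per-session summary."""
    return Counter(cmd.split()[0] for _, cmd in commands if cmd)


if __name__ == "__main__":
    cmds = extract_commands(SAMPLE_LOG)
    for shell, cmd in cmds:
        print(f"[{shell}] {cmd}")
    print("shell switches at:", shell_switches(cmds))
    print(dict(command_counts(cmds)))
```

The point of `shell_switches` is the practical one this sample illustrates: the audit captures what was typed regardless of which shell the Vendor is in, but any post-processing must recognise every prompt style the session can produce, or the commands after the switch will be missed.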

The Desktop Sharing service records usage for most RDP and VNC-based desktop sharing sessions, including the built-in Desktop Sharing service provided by the CPAM Gatekeeper.
To convert recorded data into a playable movie:
- Click on the name of the recording file in the service usage details section. The movie conversion page opens.
- Select a file type for the movie and then click Launch Java Web Start Converter.
- After downloading the file, double-click it to run via Java Web Start. A file chooser dialog opens.
- Navigate to the location where you want to save the movie, and click Save to begin the conversion process.
- A PIN number appears in your web browser. Enter this PIN into the converter to proceed with the conversion.
- If you want the video to play immediately after the conversion finishes, select the option Launch video after saving.
Ensure that Java is installed on your system in order to use the movie converter.
The conversion process may take several minutes, especially for longer sessions.
Once the conversion is complete, you can view the recorded desktop session as a movie.
Desktop Sharing movie conversion is only supported on Windows systems.
Users
Gatekeeper users can be responsible for managing your vendor's access to the CPAM Gatekeeper, reviewing audit report history, or simply be interested in receiving connection notification and session summary emails. Gatekeeper Admins can add new users for a gatekeeper or disable access to that Gatekeeper for other users.
To view the list of users for a particular Gatekeeper:
- Click View on the Gatekeepers window.
- Click Users.
- The list of Gatekeeper users appears.
Users can choose whether or not to receive notifications by selecting Notifications.
There are three Gatekeeper user roles, which determine user permissions and capabilities:
Role | Description |
---|---|
Admin | Admin users can set access schedules, view audit reports, add credentials, and create other Gatekeeper Users. |
Read Only | Read-only users can login to view history, and toggle Gatekeeper access, but cannot create other Gatekeeper users or modify permissions. |
Email Only | Email Only users are limited to receiving connection notification and session activity summary emails. |
Users can have one of the following status values:
User Status | Description |
---|---|
Logged In | The User is currently logged-in. |
Authorizing | The User has entered their login and password, but has not entered the Authorization Key sent to their email. |
Registered | The User has an Active account; their email address has been confirmed. |
Unregistered | The User has not yet confirmed their email address. |
When new Users are added to the system, a registration email is sent to their address:
- Follow the link in the email to activate the account.
- Once the email address is verified, choose a password.
- The account status becomes Registered.
A user may have access to multiple Gatekeepers within your organization. The Gatekeepers column in the user list displays the total number of Gatekeepers available to each user.

Gatekeeper Admin users can control whether Vendor users are allowed to manage Gatekeeper users. Disabling Vendor management prevents Vendors from assisting with administrative access recovery for the Gatekeeper.
- Enabled: Vendor-defined users can manage Gatekeeper users.
- Disabled: Vendor-defined users are prevented from managing Gatekeeper users.

To add a new user:
- Click Add New User on the Users page.
- Enter the email address (the user's email becomes their user ID) and name, select a role, and click Save.
- An account activation email is sent to the user.
The Actions column provides common administrative tasks:
- Edit: Change user account settings.
  IMPORTANT: If you delete an account, the user can no longer log in.
- Disable Access: Prevent the user from accessing this Gatekeeper.
- Enable Access: Enable the user's access to this Gatekeeper.
- Resend Email: Resend the account activation email. This action is only available for unregistered accounts.
Settings
The Settings menu provides access to several categories of CPAM Gatekeeper administration. These categories include options for security and network connectivity.

Creating credentials enables you to store username and password credentials for services like RDP, SSH, and telnet so that Vendors can connect without needing to know the password.
In order to add new credentials:
- Click Settings on the gatekeeper menu.
- Click RDP/SSH/HTTP(s)/Telnet Credentials.
- Click New and fill out the form.
To associate a credential with a particular service, see Add New Service.

This section allows you to create and modify PAM (Privileged Access Management) Server Configuration. These configurations are used by PAM provider plugins to connect to third-party PAM solutions and vaults within your networks.
For third-party plugin installation, contact the System Administrator for the CPAM server.
When creating a PAM Server Configuration you must select one of your managed Sites. This site acts as a tunnel for the server to reach the vault or PAM provider, allowing the CPAM server to use PAM solutions that reside within your networks and would otherwise be unreachable.
Prerequisites
Before creating a PAM Server Configuration, ensure the following:
- Select a Managed Site: Choose the tunneling point. The site should have network access to the third-party vault or PAM provider and be able to communicate via the API.
- Access to URL: The provided URL for the third-party vault must be accessible from the selected tunneling site.
Configuration Steps
Follow these steps to configure the PAM Server:
- Provide Configuration Details:
- Name: Give the server configuration a descriptive name.
- Description: Provide a detailed description of the configuration.
- URL: Enter the URL that the plugin needs for requests. This URL must be accessible from the selected tunneling site.
- Choose a Plugin: Select a PAM provider plugin that is loaded on the server.
- Configure Connection Parameters: Fill in the required connection parameters as per the plugin specifications.
- Use Placeholders: You can use placeholders for dynamic values (For example, service, host, and user). To view the list of available placeholders, hover over Help in the top-right corner. These placeholders are automatically resolved when credentials are requested.
Hosts and Services
This interface controls the default services available to your Vendor. Every time a Vendor accesses one of these services, a detailed log entry is created and stored in the Session History.
For more information on using the Host and Services interface, refer to the Services section.
Allow Vendor-defined Services
This option determines whether your Vendor can add services to the Host and Services list. If disabled, the Vendor can only access the predefined services and cannot modify the list. In this case, if the Vendor requires access to an additional service, they must contact you to add it. Regardless of how a service is added, any access to it by the Vendor is permanently recorded in the audit report.

The Service Access Rules list controls access to specific hosts and services. When the Allow Vendor-defined Services option is enabled, a Vendor's attempt to access a service must first match an allow entry, then not match any deny entries. If no allow entry is defined, any port on any host is considered allowed, except those that are explicitly denied.
A host name of localhost refers to the host where the CPAM Gatekeeper is installed. Access to any port on localhost is allowed by default, so adding an allow rule for localhost, ANY is unnecessary unless you want to restrict access to specific services on the Gatekeeper host. If this is the case, you can either allow specific ports on localhost or deny any ports on localhost.
New Rule
To add a new Service Access Rule:
- Click Add.
- Fill in the New Service Access Rule form with a Host (or IP address), Port, and Access mode for the Service Access Rule. To apply a rule to any host or any port, select ANY.
- Click Save to submit the form.
- The Service Access Rules list is shown again with the new rule included.
The errors you may receive from this form are:
Error Message | Explanation |
---|---|
Invalid Host | The Host field cannot be blank, or contain space or tab characters, or ":", "{", "}", or "/". |
Invalid Port | The Port field cannot be blank, and must contain only numbers. |
"ANY" cannot be set for both Host and Port | A rule cannot apply to all hosts and all ports at the same time. |
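The evaluation order described for Service Access Rules (allow entries first, deny entries win, everything allowed when no allow entry exists, localhost allowed by default) is easy to get subtly wrong when reviewing a rule set by eye. The following is an added example written for this page, not the product's code: it applies the form's three validation errors and then decides an access attempt under a list of rules, for the case where Allow Vendor-defined Services is enabled. The names (Rule, validate_rule, access_permitted) are assumptions, and so is the exact way a localhost-specific allow rule narrows the default: the code treats the presence of any allow rule naming localhost as replacing the default with just the listed ports.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Added example, not the product's code. Rule evaluation follows the page's
# description; the localhost override for "restrict to specific ports" is an
# assumption (see lead-in).

ANY = "ANY"
INVALID_HOST_CHARS = set(" \t:{}/")   # characters the Host field rejects


@dataclass(frozen=True)
class Rule:
    host: str                 # host name, IP address, or ANY
    port: Union[int, str]     # port number or ANY
    allow: bool               # Access mode: True = allow, False = deny


def validate_rule(host: str, port: str) -> Optional[str]:
    """Return the form's error message for a bad Host/Port pair, or None if valid."""
    if not host or any(c in INVALID_HOST_CHARS for c in host):
        return "Invalid Host"
    if port != ANY and not port.isdigit():      # blank or non-numeric
        return "Invalid Port"
    if host == ANY and port == ANY:
        return '"ANY" cannot be set for both Host and Port'
    return None


def make_rule(host: str, port: str, allow: bool) -> Rule:
    """Build a Rule from form input, raising the form's error if it is invalid."""
    err = validate_rule(host, port)
    if err:
        raise ValueError(err)
    return Rule(host, ANY if port == ANY else int(port), allow)


def _matches(rule: Rule, host: str, port: int) -> bool:
    host_ok = rule.host == ANY or rule.host.lower() == host.lower()
    port_ok = rule.port == ANY or rule.port == port
    return host_ok and port_ok


def access_permitted(rules: List[Rule], host: str, port: int) -> bool:
    """Decide a Vendor's attempt to reach host:port under the Service Access Rules."""
    # Deny entries always win, whatever the allow list says.
    if any(_matches(r, host, port) for r in rules if not r.allow):
        return False
    allows = [r for r in rules if r.allow]
    # No allow entry defined: everything not explicitly denied is allowed.
    if not allows:
        return True
    if any(_matches(r, host, port) for r in allows):
        return True
    # localhost is allowed by default unless an allow rule names it specifically,
    # in which case only the listed ports remain reachable (assumption).
    if host.lower() == "localhost":
        return not any(r.host.lower() == "localhost" for r in allows)
    return False


if __name__ == "__main__":
    rules = [make_rule("db01", "3306", True), make_rule("ANY", "23", False)]
    for h, p in [("db01", 3306), ("db01", 22), ("localhost", 22), ("fileserver", 445)]:
        print(f"{h}:{p} ->", "allow" if access_permitted(rules, h, p) else "deny")
```

Two consequences of the page's semantics are worth checking against your own rule list with a function like this: the moment you add a single allow entry, every host not covered by it (other than localhost) is cut off, and a deny for port 23 on ANY blocks telnet even to a host that has its own allow entry.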
Edit rule
To edit a Service Access Rule:
- Click Edit for that rule.
- Edit the fields in the Service Access Rule form.
- Click Save.
Delete a Service Access Rule
To remove a Service Access Rule:
- Click Delete next to the rule.
- Click OK in the confirmation box.
- The deleted rule disappears from the list.

To enable Remote Audit Logging:
- Select Enable syslogd remote audit logging.
- Enter the host or IP address of a syslog daemon running on your network. The Gatekeeper machine must be able to reach this server.
Ensure the syslogd host is configured to allow remote logging. This host receives syslogd audit events, such as when a connection opens or closes, a user connects or disconnects, and when a service is accessed.
Services
This section manages the services that your Vendor can access on your network. You can disable, add, edit, or delete services, as well as configure built-in services.

This interface controls the default services available to your Vendor. The list shows the hosts and services that your Vendor can access once a connection is established. Vendors can also access additional services when the Allow Vendor-defined Services option is enabled.
For more details, see Vendor Privilege Settings in the Settings section.
Every time a Vendor accesses a service, a detailed audit is logged and stored in the Activity Report.
Click the service description to view detailed information for each service.

Some services are built into the CPAM Gatekeeper and are typically displayed automatically in the Service List. These services provide essential tools for your Vendor to support the system, regardless of the services offered by your network.
The built-in services cannot be modified, but they can be disabled if needed.
The following are the built-in services:
File Transfer – Remote File Transfer
This service enables your Vendor to transfer diagnostic log files from your network.
Command Shell – Remote Command Shell Interface
This service allows your Vendor to access a command prompt for advanced support on Unix-based systems.
Desktop Sharing – Remote Graphical Desktop Sharing
This service gives your Vendor access to a graphical desktop to support GUI-based programs and services.

Sometimes, it may be necessary to disable a service without deleting it entirely.
To disable a service, follow these steps:
- Select the service by clicking on its description.
- Click Disable.
Disabling a service makes it unavailable to your Vendor. However, if the Allow Vendor-defined Services option is enabled, your Vendor may still be able to add a similar service manually to their session. This action is logged in the Activity Report.
The description of a disabled service appears in gray and italics.
To enable a service, select its italicized description and click Enable.

To provide access to a specific host and port on your network, you must add a service:
- Click Add New Port.
- Complete the Port Information form that appears.
In the form, provide the following details:
Service Name and Description
Specify a name and description for the service. These fields help identify the service in the list and provide context to the Vendor.
Port #
Enter the valid port number for the service. For example, the Telnet service typically uses port 23. This field ensures the service is properly routed to the correct port on your network.
Type
The Type field is optional. If you choose to specify it, select from the following options:
- Plain (default)
- HTTP
- HTTPS
- FTP
- TELNET
- RDP
- SSH
If you select any type other than Plain, the service appears as an option on the Vendor interface. Click the option to open the appropriate client (For example, TELNET opens the built-in telnet client).
Default Local Port
This field is optional. If filled in, it sets the port on the Vendor’s machine to connect to the remote service. By default, this matches the Port you entered. Modify this field only if there are port conflicts on the Vendor's desktop.
Credentials
The Credentials field allows you to store and pass username and password credentials for the service. This option is available for RDP, SSH, and TELNET services.
For more details on setting up credentials, refer to the RDP/SSH/Telnet Credentials help page.
Click Save when finished. The new service appears on the left side.
The errors you may receive from this form are:
Error Message | Explanation |
---|---|
Name is required | The Service Name field cannot be blank. |
Port is required | The Port # field cannot be blank, and can be up to 5 numeric characters. |
Specified Port already exists | The same port value has already been defined in a Service for this host. |
Description is required | The Description field cannot be blank, and can be up to 128 characters. |

To provide access to a service on a host other than the one on which the Gatekeeper is installed, add a new host.
To add access to a new host, follow these steps:
- Click Add New Host.
- Complete the Add New Host form.
Host (or IP) specifies the host computer name or IP address within your network where the desired service resides. This field is case insensitive.
Description is optional and can provide additional context for the host.
Host Alias is optional. If filled in, users can use the alias to access services on the host. Ensure that the CPAM Server is configured to allow host name alias mapping.
Click Save, or press Enter to submit the host information.
The Add New Service form appears for this new host.
See Adding a Service for a description of these fields and any errors that the form may generate.
Click Save when finished. A section for the new host appears, displaying the added service.

To edit a service, follow these steps:
- Select the service by clicking its description.
- Click Edit.
The service form appears, allowing you to edit the following details:
- Description
- Port
- Port Type
- Default Local Port
For more information on these fields and possible errors, refer to Adding a Service.
For details on setting up credentials, see the Credentials help page.

To remove a service, follow these steps:
- Select the service by clicking its description.
- Click Delete.
- A confirmation pop-up appears. Click OK to confirm the deletion.
The selected service is then removed from the available services list.