Services
A Service refers to a Host and Port on the Remote Network. This can include applications, web servers, or databases. Accessing these services enables you to perform essential tasks, such as querying a database table, transferring files, or logging into a server via Telnet.
Connecting to a Service
To gain access to a remote service, you must first connect to a Session, which is associated with a Gatekeeper that provides access to the desired service.
Once you connect, the remote services are made available directly on your local desktop.
Some services, such as built-in services, may include hyperlinks. These services are defined with port types like HTTP, HTTPS, FTP, RDP, SSH, or TELNET. Depending on the port type, the appropriate client (such as a Telnet client) is launched automatically through your browser.
- On Windows systems, Customer Privileged Access Management offers RDP and SSH clients that support stored credentials.
- You can also use your preferred client for any service, if desired.
Session Services
The following explanation demonstrates the available services for the Gatekeeper host, as well as services for an additional host. Each time a service is accessed, an audit record is permanently logged, which can be reviewed via the Session History.
When a user connects to a Session, they can see a list of available services for that session. This allows the user to interact with and access the services directly.
To connect to a service using your preferred client, you need to know the interface and port the service is mapped to. This information is available in the Description area. As you hover over a service in the list, the interface and port details appear to the right.
To modify the interface or port for a service, click Edit.
These changes only affect your individual connection.
To change settings that apply to all users in the session, click Edit Services next to the Gatekeeper name.

Typically, remote services are accessed using a local interface, such as 127.0.0.2. On Windows systems, CPAM can map remote host names and IP addresses locally. This allows users to access services using the remote host’s actual name or alias.
For instance, the Gatekeeper has an alias of oracle-db-svr, which can be used to directly access the RDP service. The alias for each host can be configured in Edit Services.
To disable host name mapping, click Disable Host Name Mapping in the Description area. This action affects all hosts, and you must disconnect and reconnect to the session for the change to take effect. To re-enable host name mapping, click Enable Host Name Mapping in the Description area for each service.
If host name mapping fails (for example, due to lack of permission to edit the system hosts file or because a local host shares the same name as a remote host), the following message is displayed:
Host name HostA failed to map to interface 127.0.0.2.
In this case, use the local interface value (127.0.0.2) to access the service.

If the remote Gatekeeper cannot detect a service at the specified port, the port appears red. Hovering over the unavailable port displays the following message in the port information area on the right:
The Service doesn't seem to be responding at this port
This indicates that the remote service may not be running. For example, if the Gatekeeper cannot contact the Oracle port, it shows as red.
If you see a port description with a faint pink background, this indicates that the normal default local port could not be used. CPAM detected a conflict and automatically selected a different local port number. For services like databases and debuggers, select the updated local port value in the port information area on the right of the port description.
Service Access
The Gatekeeper may restrict service access through the use of Service Access Rules. These rules govern which services are available and under which conditions. The rules specify allowed and denied access for certain service types, which are listed under Edit Services.
To successfully add a service, the port and host must meet the following conditions:
- The port and host must match an Allow entry (if defined).
- The port and host must not match any Deny entries.

The Service Access Rules can be described as follows:
- Some services may be allowed for certain hosts, while others may be denied access. For example, a service could be allowed for one host, but denied for others.
- For some services, access might be restricted based on specific service ports, ensuring that only certain types of communication can occur.
- In some cases, access to specific services may be allowed only from specific local hosts or remote hosts, and other services may be restricted based on the access rules.

In addition to the general service rules, here are some specific restrictions that may apply:
- Access to certain services may be entirely restricted for some hosts.
- Other services may only be accessible from a specific host or range of hosts.
- Some services may be universally allowed across all hosts, except for a few specific services that are explicitly denied.
- If a service has been defined with restrictions on specific ports or hosts, attempts to access it from other locations are blocked.
These access restrictions ensure that only authorized users and services are allowed to interact with the system. The system enforces security by blocking access to services that are not explicitly allowed by the rules, based on the designated restrictions.
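The two conditions above (match an Allow entry if any are defined, and match no Deny entry) can be modelled as follows. This is an added example, not CPAM code: the page does not show how entries are written in Edit Services, so the `Rule` format (host glob plus inclusive port range), the function names, and the sample rule set are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One Allow or Deny entry (assumed format: host glob + inclusive port range)."""
    host: str
    port_low: int
    port_high: int

    def matches(self, host: str, port: int) -> bool:
        # Host names are compared case-insensitively, as in the Add New Host form.
        return (fnmatchcase(host.lower(), self.host.lower())
                and self.port_low <= port <= self.port_high)


def evaluate(host, port, allow, deny):
    """Return (permitted, reason) for adding a service on host:port."""
    if not 1 <= port <= 65535:
        return False, "port out of range"
    # Condition 2: the port and host must not match any Deny entry.
    for rule in deny:
        if rule.matches(host, port):
            return False, f"Deny entry {rule.host}:{rule.port_low}-{rule.port_high}"
    # Condition 1: if Allow entries are defined, one of them must match.
    if allow and not any(rule.matches(host, port) for rule in allow):
        return False, "no Allow entry matches"
    return True, "permitted"


# Constructed rule set for illustration; not taken from a real Gatekeeper.
ALLOW = [Rule("oracle-db-svr", 1521, 1521), Rule("HostA", 22, 23), Rule("*", 443, 443)]
DENY = [Rule("HostA", 23, 23)]


def review(requests, allow=ALLOW, deny=DENY):
    """Evaluate a batch of (host, port) requests and keep the decision for each."""
    return {(h, p): evaluate(h, p, allow, deny) for h, p in requests}


if __name__ == "__main__":
    for target, (ok, why) in review(
            [("HostA", 22), ("hosta", 23), ("HostB", 3389), ("HostB", 443)]).items():
        print(target, "ALLOW" if ok else "BLOCK", why)
```

With this rule set, Telnet on HostA is blocked even though an Allow entry covers ports 22 to 23, because a Deny match always wins; with an empty Allow list, anything not denied is permitted.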
When accessing services, you can view the available services on the host where the Gatekeeper is installed, as well as on additional hosts (for example, HostA). Each time a service is accessed by your Vendor, a detailed audit is permanently logged. These logs can be accessed through the Activity Report.

Service information, including detailed descriptions, is available when you click on the Service Description for a specific service. The credentials required to access the service are managed within the Customer system.
For more information, see Customer Credentials.
Credentials are specifically created for RDP, SSH, and Telnet services. After the credentials are created, they can be associated with a service. The system uses the provided username and password to access the service.

You can edit the names of non-Gatekeeper hosts. To do so, click on the host name you wish to edit. After renaming the host, all existing services associated with the host remain accessible through the new name.
Built-In Services
Some services are built into the CPAM Gatekeeper and are generally displayed automatically in the Service List. These services provide the necessary tools for system support, regardless of other services offered by your network.
Built-in services cannot be modified, but you may choose to disable them if needed.

This service allows you to transfer files to and from the remote network using the built-in FTP client in your browser. To access the client, click the service name File Transfer.
If you are using the read-only version of File Transfer, you can log in to the FTP server as the Anonymous user, which provides read-only access. You are not able to delete files or create directories. To gain full access, click Read / Write to log in as admin with full permissions.
If you choose to manually launch an FTP client, use the FTP URL:
ftp://admin@localhost:18021/
When prompted for a password, enter admin.
If your FTP client cannot parse the FTP URL, manually specify the remote host as localhost and the port as 18021. The interface and port number are visible when you hover over the File Transfer service in the Services list. When prompted for a user name, use Anonymous for read-only access or admin for full privileges.
If the remote system is Windows, the directory structure represents the drive on which the CPAM Gatekeeper is installed. To access additional drives, manually specify the correct drive letter, such as:
ftp://localhost:18021/D:/

This service allows you to control a remote graphical desktop. For Windows systems, it takes over the Console Desktop. For Linux or Unix-like systems, it controls a virtual desktop separate from the system console. When you click on Desktop Sharing, an additional browser window opens.
Depending on system configuration and platform, you may need authorization to access the remote desktop. If prompted for a password, enter securelink, then click OK. You have complete control of the remote desktop. The interface you receive depends on the remote system’s operating system. To access functions like the clipboard, press F8 in the remote desktop window to display the menu.
Disabling a Service
At times, you may find it necessary to disable a service without permanently deleting it. To disable a service in the Edit Services window:
- Click the description of the service you want to disable.
- Click Disable.
Disabling the service makes it unavailable to users who connect to the session.
To enable a disabled service:
- Click the description of the disabled service.
- Click Enable.
Adding a Service
To access a specific host and port on the remote network, you must add a service.
Follow these steps to add a service to the Gatekeeper or a particular host:
- Click Add New Port.
- A form appears where you can specify the service details.
In this form, you need to provide the following information:
- Service Name: Enter the name of the service.
- Description: Provide a description for the service.
- Port: Specify the valid port number for the service. For example, Telnet typically uses port 23.
The form also allows you to specify the Type and Default Local Port:
- Type: This is optional. If specified, you can choose from the following types: Plain (default), HTTP, HTTPS, FTP, TELNET, RDP, or SSH. Selecting a non-Plain type allows the service to automatically launch the default browser client for that protocol (for example, selecting TELNET opens the browser's built-in Telnet client).
- Default Local Port: This is optional. It specifies the local port to which users can connect when accessing the remote service. If left blank, the port defaults to the Port value. You can change this if you encounter conflicts with other services on your desktop.
If you are connected to a session, you can see two options for saving:
- Save: Saves the new service and returns you to the Session Services list.
- Save & New: Saves the service and allows you to continue editing and adding new services.
If you're not connected to a session, only the Save & New option is available.
The following table lists potential errors that may occur when adding a service:
Error message | Reason |
---|---|
Name is required | Service Name cannot be blank. |
Port is required | Port cannot be blank, and can be up to 5 numeric characters. |
The port you have entered already exists | The same port value has already been defined in a Service for this host. |
Description is required | Description cannot be blank, and can be up to 128 characters. |
Adding a New Host
To access a service on a remote network that is not on the Gatekeeper host, you must first add a new host.
Follow these steps to add a new host:
- Click Add New Host.
- A form opens where you can enter the details for the new host.
In this form, the following fields are available:
- Host (or IP): Enter the host computer name or IP address of the remote network where the desired service is located. This field is case-insensitive.
- Description: This is optional. Provide a meaningful description of the remote host to help identify it.
- Host Alias: This is optional. If provided, the alias can be used to access services on the remote host instead of the host name or IP address.
The fields on the right side of the form are the same as when adding a service.
Editing a Service
To edit a service, follow these steps:
- Click the service description for the service you want to edit.
- Click Edit to open the form.
The form that appears is the same as the one used for Adding a Service, with the exception that the Service Name is not editable.
You can modify the following fields for the service:
- Description: Modify the service description.
- Port: Update the port number if necessary.
- Port Type: Change the port type if required.
- Default Local Port: Modify the default local port if needed.
For more information on the fields and the possible errors this form may generate, see Adding a Service.
Deleting a Service
To remove an existing service, follow these steps:
- Click the service description of the service you want to remove.
- Click Delete to initiate the deletion process.
A confirmation pop-up appears, prompting you to confirm the deletion.
Click OK to confirm. Once confirmed, the specified service is no longer available.