Remote Gateways in PAM

By default, all remote sessions launched from end user machines are tunneled through the Securden server, which acts as the gateway. There will not be any direct connectivity between the end user machines and the target device.

For enhanced security, you may route all remote operations originating from Securden through a single, dedicated gateway (instead of Securden server acting as the gateway). Once configured, Securden will route all operations, including remote connections, session recording, and password resets through the gateway.

When Should you Consider Deploying a Remote Gateway?

You should consider deploying a remote gateway in the following scenarios:

If you want to manage the IT assets/accounts that are distributed across multiple networks with interconnectivity
If you want to route all remote operations through a common gateway instead of direct connections to target devices from endpoints
If you want to record remote sessions

The remote gateway comprises two components:

Securden Session Manager (Handles remote connections and session recording)
Securden Application Server (Handles remote password reset operations and serves as a remote broker)

How to Configure Remote Gateways and Associate Application Servers?

Gateway configuration is a four-step process:

Create a remote gateway
Deploy Securden Session Manager and/or Securden Application Server
Associate devices with the remote gateway
Associate domains with the remote gateway

Create a remote gateway

Prior to carrying out any configuration, you first need to add the required gateway as an entity giving it a name and description. Securden remote gateway is a virtual entity - something similar to a folder that holds files. So, you will first give it a name and description. In the next step, you will go about carrying out the actual configuration of the gateway.

To add a gateway, navigate to Admin >> Remote Sessions and Recordings >> Remote Gateway >> Add.

In the GUI that opens, enter the following details:

Remote Gateway Name: This step helps you to identify the gateway you are creating now among the existing ones in the list.
Description: A brief explanation of the purpose of that specific remote gateway.

Click ‘Save’.

Configure the Remote Gateway

Configuring the remote gateway that you created in step 1 above, involves deploying one or both the components below:

Securden session manager
Securden application server

Based on your network structure and requirements, you should decide on having one or both the above components.

If your IT assets/accounts are distributed across multiple networks with interconnectivity, you should deploy both the above components on the remote gateway.
On the other hand, if all your devices are present in the same network and if you want to handle only remote connections and session recording through a common gateway, install Securden Session Manager alone.
If you want to handle remote connections as well as remote password resets through a common gateway, deploy both.

How to Deploy the Securden Session Manager?

To launch remote sessions and record them, you need to deploy Securden Session Manager (SSM), a lightweight tool on the machine that is identified to serve as the gateway. You need to choose the machine first and then deploy the SSM package.

Prerequisite: The server in which you want to deploy SSM should have been already discovered/added to Securden. In the interface, you can only choose from the already available accounts. If the server has not yet been added to Securden, add/discover and then follow the step below.

To deploy SSM, navigate to Admin >> Remote Sessions and Recordings >> Remote Gateway and select the required gateway. In the RHS, you will see the ‘Configure Gateway’ section. Within that you will see the option “Deploy Securden Session Manager” and click the “Configure” button.

In the GUI that opens, you need to perform two actions:

Select the machine in which you will be deploying SSM
Download the SSM package and deploy it on the machine selected.

Select the machine to install SSM

As mentioned above, the server in which you want to deploy SSM should have been already discovered/added to Securden. You will only be able to select among the machines that are listed in the drop-down.

Click the button “Select and Configure”.

Once you select the intended machine, you need to enter its IP address or DNS to enable Securden to connect to the device. In addition, you need to specify an account using which connections are to be established with the machine. Typically, when a user tries to launch a remote connection with a target resource, Securden first logs into the machine where SSM is installed using the login account selected here. From there, it connects to the target machine using the target machine's credentials.

The remote login account has to be chosen from only among the accounts already added to Securden. The login account can either be a domain account or a local account. For security reasons, it is recommended to use only an account with standard user privilege.

Select the required account and click “Save”.

Download the SSM package

After completing this step, you are ready to install the SSM package on the machine identified above.

Download the .msi package from the GUI and follow the instructions given in the document link provided in the interface.

Associate an Application Server

If you have decided to deploy a Securden application server as well (for reasons explained on components selection above), you need to associate each such application server with a remote gateway. Once the association is done, all remote connections originating from the application servers will be routed through the gateway.

Prerequisite: You should have added at least one Application Server before proceeding further. If you haven’t added any yet, navigate to Admin >> Remote Distributors >> Application Server.

To associate an existing application server with the remote gateway, navigate to Admin >> Remote Sessions and Recordings >> Remote Gateway and select the required gateway. In the RHS, you will see the ‘Configure Gateway’ section. Within that you will see the option “Associate Application Server” and click the “Configure” button.

In the GUI that opens, you need to select the application server that is to be associated. Once you select the required application server, you will see three URLs below - the URL through which the Securden server could be connected, and the URLs for web-based RDP and SSH connections. Ensure that the URLs are correct.

Click ‘Save’.

Step 3 and 4: Associate the required devices and/or domains

Steps 1 and 2 above mark the creation of the remote gateway, which is like a container. You need to associate the container with the required devices (IT assets) or domains. Once configured, all remote connections originating from the respective devices will go through the gateway.

You have the option to associate specific devices alone and/or an entire domain. When a domain is associated with the gateway, all remote connections originating from the members of the domain will go through the gateway. When adopting a combination approach (associating both devices and domains), in case you have configured a different remote gateway for any of the computers that are part of the domain, the device level configuration will take effect for that computer alone.

Prerequisite: You can only associate the devices and domains that are already added to Securden. In

To associate devices and/or domains with the gateway, navigate to Admin >> Remote Sessions and Recordings >> Remote Gateway and select the required gateway. In the RHS, you will see the ‘Configure Gateway’ section. Within that you will see the options “Associate Devices” and “Associate Domains”. Click the “Configure” button in the required option.

In the GUI that opens, click the button “Associate Devices” or “Associate Domains” as the case may be. Then do a search for the required devices or domains using the search filters. You may select as many devices/domains as you want. To clear a selected device click the ‘x’ beside the device, to clear all selected devices use the ‘Clear all’ icon to the right.

Click “Save”.

These steps complete the remote gateway configuration. You may repeat the steps and configure multiple gateways.

Verify remote gateway configuration and associations

Once you complete all the steps above, you can verify all associations in the form of a report. Securden depicts the list of all devices and domains associated with the remote gateway. You can also view the Securden packages (Application server and/or Securden Session Manager) associated with the gateway.

To view the report, navigate to Admin >> Remote Sessions and Recordings >> Remote Gateway and select the required gateway. In the RHS, you will see the ‘Report’ section.

How to Edit an Existing Remote Gateway?

The existing remote gateways, their configurations, device/domain associations can be edited anytime by visiting the same pages as they were configured in Admin -> Remote Gateway section.