Safeguard Remote Access Hosted - Administration Guide

Configuring Usermapping policy Configuring a Credential store Upload Authentication and Authorization plugin Configuring Authentication and Authorization plugin Configuring a connection policy HTTPS proxy Joining SPS to Starling Enabling One Identity Safeguard Remote Access

Administrator-side use cases

Administrator web interface location Adding a new connection to an existing target server Importing connections from a CSV file Configuring maximum client resolution Adding Azure Active Directory users directly Granting connection access to AAD users Enabling role-based access control Enabling semi-managed network Enabling Wallpaper background Cloning connections Deleting a connection Inviting a collaborator Restoring a deleted Administrator (or root) connection tile

User-side use cases

User web interface location Connecting to the target server Session window Next generation SSH client

Transferring files in active remote sessions

User Preferences tab

Appendix

Configuring usermapping policies Configuring local Credential Stores Using credential stores for server-side authentication Using plugins Configuring connections HTTPS proxy Joining SPS to One Identity Starling Starling integration

Glossary

Upload Authentication and Authorization plugin

Getting started > Configure One Identity Safeguard for Privileged Sessions > Upload Authentication and Authorization plugin

An Authentication and Authorization (AA) plugin must be used in One Identity Safeguard for Privileged Sessions (SPS) connection policies that are intended for use with One Identity Safeguard Remote Access (SRA).

In the SRA use case, the authentication of the end-user is performed on the web when the end-user navigates to remote-access.cloud.oneidentity.com. In SPS terminology, the end-user authentication is called gateway authentication. Gateway authentication is required to be able to audit the end-user. SPS can delegate the gateway authentication to SRA, if a suitable AA plugin is in use.

There are two options:

Use a dummy AA plugin that does nothing and delegates gateway authentication fully to the cloud:

https://github.com/OneIdentity/safeguard-sessions-plugin-skeleton-aa/releases/tag/1.1.0

Figure 6: Downloading the AA plugin

Download the first .zip file.
Use an official AA plugin that performs Multi-Factor Authentication:

https://support.oneidentity.com/one-identity-safeguard-for-privileged-sessions/6.8.1/download-new-releases?filterType=software&filterValue=Plugins

Alternatively, download from Github (not officially supported):

https://github.com/search?q=topic%3Aoi-sps-plugin+org%3AOneIdentity

NOTE: Official plugins are built with an open source Plugin SDK: https://pypi.org/project/oneidentity-safeguard-sessions-plugin-sdk/

Uploading the plugin

Navigate to Basic Settings > Plugins.
Click Upload plugin.

Expected outcome: The plugin that you have uploaded is displayed:

Figure 7: Uploading the plugin

For more information on the HTTPS proxy setting, see the One Identity Safeguard for Privileged Sessions Administration Guide or part of it in Using plugins in the Appendix.

Configuring Authentication and Authorization plugin

Getting started > Configure One Identity Safeguard for Privileged Sessions > Configuring Authentication and Authorization plugin

To configure the AA plugin

Navigate to Policies > AA plugin configurations.
Create a new configuration item and configure the selected plugin.

The following example is applicable if you downloaded the dummy SPS_AA_skeleton plugin:

Figure 8: SPS_AA_skeleton plugin

Configuring a connection policy

Getting started > Configure One Identity Safeguard for Privileged Sessions > Configuring a connection policy

Create connection policies for RDP and SSH connections as needed. The connection policies define what is reachable via the One Identity Safeguard for Privileged Sessions appliance and what policies are enforced.

NOTE: When creating RDP connections in SPS, the checkbox for the Act as a Remote Desktop Gateway functionality must be left empty, as SRA does not support the usage of RDP gateways.

Figure 9: RDP Control > Connections > Act as a Remote Desktop Gateway - Disabling the Remote Desktop Gateway functionality

For more information about RDP gateways, see Using One Identity Safeguard for Privileged Sessions (SPS) as a Remote Desktop Gateway in the One Identity Safeguard for Privileged Sessions Administration Guide.

NOTE: When creating SSH connections, the authentication policy must not include gateway authentication.

Figure 10: SSH Control > Authentication Policies > Gateway authentication method - All possible options (Password, Public key, and Kerberos) must be left unchecked

For more information, see Client-side authentication settings in the One Identity Safeguard for Privileged Sessions Administration Guide.

Some parameters have special meaning and requirements regarding One Identity Safeguard Remote Access (SRA).

Name

The name of the connection policy will be displayed on the SRA Connections page. The name appears on the connection tiles if the target of the connection policy is a fixed address. In case of inband target selection, the name is displayed below a horizontal separator line and becomes the name of the group of targets reachable via this connection policy. In the example, linux_servers is the name of the connection policy:

Figure 11: Setting the name and target address of the connection policy

In this example, linux_servers is the group containing one connection towards the 192.168.122.1 target.

Figure 12: Connection groups

From

The From parameter of the connection policy defines the IPv4 or IPv6 networks where the clients may connect from. In case of SRA, the client could be anywhere on the Internet, so to cover all IPv4 clients, fill this field with 0.0.0.0/0.

CAUTION: To handle clients connecting from internal networks (that is, LAN or VPN) differently, you must add a similar connection policy right above the connection policy for SRA. The To and Port fields must match and the From field should specify the internal network, for example, 10.0.0.0/8 or similar. This is especially useful when introducing a different kind of (gateway) authentication for locally connected clients that bypass SRA.

To

The To parameter specifies what address the clients make requests to. In the case of SRA, set this also to 0.0.0.0/0 to enable the automated handling of this parameter.

Target

Only the options Use fixed address and Inband destination selection are compatible with SRA. In case of inband destination selection, the connection tiles will display only the target domains that either specify specific IPv4 or IPv6 addresses, or contain a hostname. Subdomains and networks are ignored.

Policies

Use the configuration for AA plugin (Configuring Authentication and Authorization plugin), credential store (Configuring a Credential store) and usermapping policy (Configuring Usermapping policy) that you have previously created while you were configuring SPS. Every other configuration can be left either on default or be defined by the user.

Figure 13: Connection policy settings

For more information on the HTTPS proxy setting, see the One Identity Safeguard for Privileged Sessions Administration Guide or part of it in Configuring connections in the Appendix.

HTTPS proxy

Getting started > Configure One Identity Safeguard for Privileged Sessions > HTTPS proxy

One Identity Safeguard for Privileged Sessions requires an HTTPS access to One Identity Safeguard Remote Access in the cloud. If the One Identity Safeguard for Privileged Sessions appliance has no direct connectivity to the Internet (for example, it is behind a firewall), you can configure a HTTPS proxy in Basic Settings > Network configuration page.

For more information on the HTTPS proxy setting, see the One Identity Safeguard for Privileged Sessions Administration Guide, or to the relevant part of it in HTTPS proxy section of the Appendix.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.