
Safeguard Remote Access Hosted - Administration Guide

Configuring Authentication and Authorization plugin

To configure the AA plugin

  1. Navigate to Policies > AA plugin configurations.

  2. Create a new configuration item and configure the selected plugin.

The following example is applicable if you downloaded the dummy SPS_AA_skeleton plugin:

Figure 8: SPS_AA_skeleton plugin

Configuring a connection policy

Create connection policies for RDP and SSH connections as needed. The connection policies define what is reachable via the One Identity Safeguard for Privileged Sessions appliance and what policies are enforced.

NOTE: When creating RDP connections in SPS, the checkbox for the Act as a Remote Desktop Gateway functionality must be left empty, as SRA does not support the usage of RDP gateways.

Figure 9: RDP control > Connections > Act as a Remote Desktop Gateway - Disabling the Remote Desktop Gateway functionality

For more information about RDP gateways, see Using One Identity Safeguard for Privileged Sessions (SPS) as a Remote Desktop Gateway in the One Identity Safeguard for Privileged Sessions Administration Guide.

NOTE: When creating SSH connections, the authentication policy must not include gateway authentication.

Figure 10: SSH Control > Authentication Policies > Gateway authentication method - All possible options (Password, Public key, and Kerberos) must be left unchecked

For more information, see Client-side authentication settings in the One Identity Safeguard for Privileged Sessions Administration Guide.

Some parameters have special meaning and requirements regarding One Identity Safeguard Remote Access (SRA).

  1. Name

    The name of the connection policy will be displayed on the SRA Connections page. The name appears on the connection tiles if the target of the connection policy is a fixed address. In case of inband target selection, the name is displayed below a horizontal separator line and becomes the name of the group of targets reachable via this connection policy. In the example, linux_servers is the name of the connection policy:

    Figure 11: Setting the name and target address of the connection policy

    and linux_servers became the group containing one connection towards the 192.168.122.1 target.

    Figure 12: Connection groups

  2. From

    The From parameter of the connection policy defines the IPv4 or IPv6 networks where the clients may connect from. In case of SRA, the client could be anywhere on the Internet, so to cover all IPv4 clients, fill this field with 0.0.0.0/0.

    CAUTION: To handle clients connecting from internal networks (that is, LAN or VPN) differently, you must add a similar connection policy right above the connection policy for SRA. The To and Port fields must match and the From field should specify the internal network, for example, 10.0.0.0/8 or similar. This is especially useful when introducing a different kind of (gateway) authentication for locally connected clients that bypass SRA.

  3. To

    The To parameter specifies what address the clients make requests to. In the case of SRA, set this also to 0.0.0.0/0 to enable the automated handling of this parameter.

  4. Target

    Only the options Use fixed address and Inband destination selection are compatible with SRA. In case of inband destination selection, the connection tiles will display only the target domains that either specify specific IPv4 or IPv6 addresses, or contain a hostname. Subdomains and networks are ignored.

  5. Policies

    Use the configuration for AA plugin (Configure Authentication and Authorization plugin), credential store (Credential store) and usermapping policy (User mapping policy) that you have previously created while you were configuring SPS. Every other configuration can be left either on default or be defined by the user.

    Figure 13: Connection policy settings

For more information on configuring connection policies, refer to the One Identity Safeguard for Privileged Sessions Administration Guide, or to the relevant part of it in Configuring connections in the Appendix.
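
The CAUTION under From relies on connection policies being evaluated top to bottom, with the first matching policy applied. The following Python sketch is an added example, not One Identity code: it models that ordering and flags an internal-network policy placed below the 0.0.0.0/0 policy for SRA, where it can never match. The ConnPolicy class, the ssh_internal policy name, port 22 and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnPolicy:  # hypothetical model of one row in the connection policy list
    name: str
    from_net: str  # "From" field
    to_net: str    # "To" field
    port: int      # "Port" field

def first_match(policies, client_ip, dest_ip, port):
    """Return the name of the first policy (top to bottom) matching the request."""
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(dest_ip)
    for p in policies:
        if (p.port == port
                and client in ipaddress.ip_network(p.from_net)
                and dest in ipaddress.ip_network(p.to_net)):
            return p.name
    return None

def shadowed(policies):
    """Return (shadowed, shadowing) name pairs: a policy is unreachable when an
    earlier policy with the same port covers its whole From and To ranges."""
    pairs = []
    for i, later in enumerate(policies):
        lf = ipaddress.ip_network(later.from_net)
        lt = ipaddress.ip_network(later.to_net)
        for earlier in policies[:i]:
            ef = ipaddress.ip_network(earlier.from_net)
            et = ipaddress.ip_network(earlier.to_net)
            if (earlier.port == later.port
                    and lf.version == ef.version and lt.version == et.version
                    and lf.subnet_of(ef) and lt.subnet_of(et)):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed sample policy lists; linux_servers is the SRA policy from the text.
INTERNAL = ConnPolicy("ssh_internal", "10.0.0.0/8", "0.0.0.0/0", 22)
SRA = ConnPolicy("linux_servers", "0.0.0.0/0", "0.0.0.0/0", 22)
GOOD_ORDER = [INTERNAL, SRA]  # internal policy right above the SRA policy
BAD_ORDER = [SRA, INTERNAL]   # internal policy is never reached

if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, first_match(order, "10.1.2.3", "192.0.2.10", 22), shadowed(order))
```
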

HTTPS proxy

One Identity Safeguard for Privileged Sessions requires HTTPS access to One Identity Safeguard Remote Access in the cloud. If the One Identity Safeguard for Privileged Sessions appliance has no direct connectivity to the Internet (for example, it is behind a firewall), you can configure an HTTPS proxy on the Basic Settings > Network configuration page.

For more information on the HTTPS proxy setting, refer to the One Identity Safeguard for Privileged Sessions Administration Guide, or to the relevant part of it in the HTTPS proxy section of the Appendix.

Joining SPS to Starling

Join the One Identity Safeguard for Privileged Sessions (SPS) appliance to One Identity Starling. This enables the appliance to integrate with One Identity Safeguard Remote Access (SRA) and share data.

To join SPS to Starling

  1. Navigate to Basic Settings > Starling Integration > Join to Starling.

  2. Click Start join and follow the instructions.

    NOTE: If asked, select the United States data center.

    Figure 14: Join SPS to Starling

For more information on joining SPS to Starling, refer to the One Identity Safeguard for Privileged Sessions Administration Guide, or to the relevant part of it in Joining SPS to One Identity Starling in the Appendix.
