Creating Connections
Managing and creating connections to your infrastructure
Last updated
Was this helpful?
Managing and creating connections to your infrastructure
Last updated
Was this helpful?
Connections specify the protocol and customizable parameters that define the authentication and customized behavior. Connections can be created from the Settings menu. Only users with "Create new connections" permission can create connections.
Administrators can define which connections are available for users and groups.
Connections can be created and utilized in several ways. Connections can be privileged (credentials hidden from the user) and the connections can support user-specified credentials. Additionally, the connections can pull credentials from one or more Keeper Vaults via the Keeper Secrets Manager integration.
When setting up a privileged connection, the authentication credentials to the target can be saved in the connection parameters, or in the designated Keeper Vault. When the credentials are stored directly to the connection or in the Keeper Vault, they are never exposed to the end-user. This allows you to create privileged sessions in which the user does not have access to the underlying credentials.
When setting up the connection, you can skip the authentication details parameters and Keeper Connection Manager will prompt the end-user for their authentication credentials on every login.
For example, with an RDP connection, simply remove the credentials from the connection parameters and the user will be prompted to authenticate.
KCM can connect to a Keeper Vault and search for the necessary credentials needed based on Host, User and Domain. See the Vault Integration section to learn more about this capability.
The New Connection form is separated into multiple sections each with multiple inputs. Connections have many different options and capabilities, depending on the protocol.
To begin, click Settings > Connections > New Connection which will open the new connection form.
The name of the connection, this is how it will appear in the connections list.
The location of the new connection in the connections list. You can select "ROOT" to put the new connection at the top level of the connections list, or select a collection to place the new connection under an existing collection.
Select the type of connection to create. The current available connection types are:
RDP
SSH
Kubernetes
Telnet
VNC
MySQL
PostgreSQL
Microsoft SQL Server
Remote Browser Isolation
Other options in the connection form are affected by the protocol selection
For more information about connection types, see the supported protocols section.
Create multiple connections via API or by uploading a CSV, JSON, or YAML file. Visit the following page for more information:
The maximum allowed number of concurrent sessions for this connections. If the maximum number is sessions are already in use, other users will not be able to connect to this connection.
Set this value to 0 to allow unlimited concurrent sessions.
The maximum allowed number of concurrent sessions for this connection for each user. If the maximum number is sessions are already in use by a user, the user will not be able to open a new session for this connection.
Set this value to 0 to allow unlimited concurrent sessions.
Keeper Connection Manager can use load balancing among connections in a group to give multiple concurrent users the best experience.
Enter a number to use as a multiplier of connection assignment. For example, if one connection in a group has a weight of 1, and another has a weight of 2, the second connection will be assigned twice as many concurrent users as the first.
If checked, this connection will only be used if all other connections in the group fail
If you are establishing a connect through a guacd service which is operating on a separate server (other than localhost), you would specify the proxy parameters here. In most default installations, this section is not needed and should be left empty. For more information see the guacd documentation.
Hostname and port of the proxy
Choose if the connection traffic should be encrypted. You can choose unencrypted or TLS/SSL encryption.
Details to facilitate the new RDP connection. Set network and authentication details.
Enter the hostname and port of the RDP connection
Enter the following connection fields for you RDP connection:
Username
Password
Domain
Select the security mode to use, the supported modes are:
Any
NLA (Network Level Authentication)
RDP Encryption
TLS Encryption
Hyper-V / VMConnect
If you would like users to be prompted for manual authentication, you may need to select "NLA" security mode and leave the authentication parameters empty.
Choose to turn off authentication for this RDP connection
Choose to ignore the server certificate. In most cases, this is required to establish a connection.
Fill in the following details about the remote desktop gateway:
Hostname and Port
Username
Password
Domain
Start a program on connection. Enter the location of the program to run
Set a name for the computer this connection is connecting to
Choose the type of keyboard to use with this RDP connection
Use the dropdown menus to select the timezone to use with this connection
Choose to allow multi-touch input for this RDP connection
Choose to allow access to the Administrator Console for users connecting to this RDP connection
Choose settings that affect how the new connection will look.
Choose the dimensions and resolution of the screen in pixels (pixels per inch for resolution).
Choose the color depth of the screen over the RDP connection.
Use lossless compression. Check this option for better visual quality, but it may impact performance.
Choose what the connection should do if the window is resized. Keeper Connection Manager supports "Display Update" Visual channel for RDP 8.1 or higher. For older versions of RDP, use the reconnect method.
If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.
If selected, users will not be able to copy from the connection
If selected, users will not be able to paste values into the connection
Choose options for connected devices
Choose if audio is supported within the console
Choose if audio from the connection should be disabled
Choose if the user's microphone can be used within the connection
Choose if users can print from the connection
If allowing printing, choose the name of the printer to use
If you would like to transfer files to this target with Drag and Drop, select this option. Along with this, make sure to fill out a "Drive Name", "Drive Path", and select "Automatically Create Drive".
If file transfer is enabled, the name of the drive to use. For example "My Drive".
Choose if files can be downloaded to the connected drive
The path of the drive to use if enabled. A typical default Drive Path would be something like /var/lib/guacamole/drives/${GUAC_USERNAME}
If selected, Keeper Connection Manager will automatically create a drive to use with the connection
A comma-separated list of static channel names to open and expose as pipes. If you wish to communicate between an application running on the remote desktop and JavaScript, this is the best way to do it. KCM will open an outbound pipe with the name of the static channel. If JavaScript needs to communicate back in the other direction, it should respond by opening another pipe with the same name. KCM allows any number of static channels to be opened, but protocol restrictions of RDP limit the size of each channel name to 7 characters.
These options can be used to optimize the performance of the Windows Remote Desktop Connection.
Choose to enable or disable the following optional Windows features:
Enable Wallpaper
Enable Theming
Enable Font Smoothing (ClearType)
Enable Full-window Drag
Enable Desktop Composition (Aero)
Enable Menu Animations
Disable Bitmap Caching
Disable Off-screen Caching
Disable Glyph Caching
Recent versions of Windows provide a feature called RemoteApp which allows individual applications to be used over RDP, without providing access to the full desktop environment. If your RDP server has this feature enabled and configured, you can configure KCM connections to use those individual applications.
Specifies the RemoteApp to start on the remote desktop. If supported by your remote desktop server, this application, and only this application, will be visible to the user.
Windows requires a special notation for the names of remote applications. The names of remote applications must be prefixed with two vertical bars. For example, if you have created a remote application on your server for notepad.exe and have assigned it the name “notepad”, you would set this parameter to: “||notepad”.
The working directory, if any, for the remote application. This parameter has no effect if RemoteApp is not in use.
The command-line arguments, if any, for the remote application. This parameter has no effect if RemoteApp is not in use.
Keeper Connection Manager can use load balancing among connections in a group to give multiple concurrent users the best experience.
Enter a number to use as a multiplier of connection assignment. For example, if one connection in a group has a weight of 1, and another has a weight of 2, the second connection will be assigned twice as many concurrent users as the first.
If checked, this connection will only be used if all other connections in the group fail
Options for recording of the screen. See the Session Recording section for more information.
Enter the path to save the session recording. We recommend using the below value:
${HISTORY_PATH}/${HISTORY_UUID}
Enter the name of the recording file
Choose to exclude graphics or streams from the recording
Choose to exclude the mouse from the screen recording
Choose to exclude the touch events the user made from the recording
If selected, include key events that would not otherwise be visible in the recording
If selected, Keeper Connection Manager will automatically create a path for the recording file
Options for file transfers to the connection using SFTP. For more information see the File Transfer section.
Choose to enable SFTP file transfers
If enabled, enter the following information to connect to and authenticate connection to your SFTP server:
Hostname Port
Public Host Key (Base64)
Username and Password
Private Key
Passphrase for the private key if applicable
The root directory of the SFTP server to display within this connection
If users upload a file from the connection, the directory that the file will go to by default
Enter the keepalive interval as a number
If SFTP is enabled, check this option to exclude users from downloading files from the server to this connection
If SFTP is enabled, check this option to exclude users from uploading files to the server from this connection
Options to facilitate waking the connected device upon connection if supported.
Enable Wake-on-Lan and send a signal from Keeper Connection Manager
Identify the device to send the signal to by Mac Address
Where to send the WoL signal
How long to wait for the device to wake
Details to facilitate the new SSH connection. Set network and authentication details.
Enter the hostname and port for the SSH connection
Enter the Public Key for this SSH connection in Base64 format
The username and password (if required) for this SSH connection.
If you would like the user to be prompted for their password, leave the "password" field empty.
The private key used for connecting to this SSH connection
The passphrase (if any) for the private key
Choose settings that affect how the new connection will look.
Select a color theme for the terminal.
There are built in themes, and a custom theme option.
Enter the name of a font for the terminal to use
Select the pixel size of the font
Select how far back a user can scroll through past commands. Leave blank for unlimited.
If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.
If selected, users will not be able to copy from the connection
If selected, users will not be able to paste values into the connection
Settings for basic environment setup
Enter a command to execute on connection start
Set the language/local for the connection, this sets the $LANG environment variable
Set the time zone for the connection. This sets the $TZ environment variable
Set an interval for a keepalive signal
The Terminal Behavior section contains options about the terminal for applicable connections.
Choose what action is sent when you click the backspace key. The options are:
Delete
Backspace
Choose the type of terminal to use. The options are:
ansi
linux
vt100
vt220
vterm
vterm-256color
Options for recording of the screen. See the Session Recording section for more information.
Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}
Enter the name of the recording file
Choose to exclude graphics or streams from the recording
Choose to exclude the mouse from the screen recording
If selected, include key events that would not otherwise be visible in the recording
If selected, Keeper Connection Manager will automatically create a path for the recording file
Options for file transfers to the connection using SFTP. For more information see the File Transfer section.
Choose to enable SFTP file transfers
The root directory of the SFTP server to display within this connection
If SFTP is enabled, check this option to exclude users from downloading files from the server to this connection
If SFTP is enabled, check this option to exclude users from uploading files to the server from this connection
Options to facilitate waking the connected device upon connection if supported.
Enable Wake-on-Lan and send a signal from Keeper Connection Manager
Identify the device to send the signal to by Mac Address
Where to send the WoL signal
How long to wait for the device to wake
Details to facilitate the new VNC connection. Set network and authentication details.
Hostname and port information for the VNC connection
Choose encryption method for connection traffic. The options are:
No Encryption
TLS/SSL Encryption
Login credentials for the VNC connection. If you would like to prompt users for the password, leave this field empty.
Choose settings that affect how the new connection will look.
If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.
Choose if the red and blue channels should be swapped for this connection.
Choose to use the cursor of the local machine, or of the remote machine.
Choose the color depth of the screen over the VNC connection.
Use lossless compression. Check this option for better visual quality, but it may impact performance.
Choose which encoding to use when copying and pasting. The options are:
CP1252
ISO 8859-1
UTF-16
UTF-8
If selected, users will not be able to copy from the connection
If selected, users will not be able to paste values into the connection
There exist VNC repeaters, such as UltraVNC Repeater, which act as intermediaries or proxies, providing a single logical VNC connection which is then routed to another VNC server elsewhere. Additional parameters are required to select which VNC host behind the repeater will receive the connection.
Set the host and port to use
Options for recording of the screen. See the Session Recording section for more information.
Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}
Enter the name of the recording file
Choose to exclude graphics or streams from the recording
Choose to exclude the mouse from the screen recording
If selected, include key events that would not otherwise be visible in the recording
If selected, Keeper Connection Manager will automatically create a path for the recording file
Options for file transfers to the connection using SFTP. For more information see the File Transfer section.
Choose to enable SFTP file transfers
If enabled, enter the following information to connect to and authenticate connection to your SFTP server:
Hostname Port
Public Host Key (Base64)
Username and Password
Private Key
Passphrase for the private key if applicable
The root directory of the SFTP server to display within this connection
If users upload a file from the connection, the directory that the file will go to by default
Enter the keepalive interval as a number
If SFTP is enabled, check this option to exclude users from downloading files from the server to this connection
If SFTP is enabled, check this option to exclude users from uploading files to the server from this connection
Choose to enable audio for the connection
Name of the audio server to use
Options to facilitate waking the connected device upon connection if supported.
Enable Wake-on-Lan and send a signal from Keeper Connection Manager
Identify the device to send the signal to by Mac Address
Where to send the WoL signal
How long to wait for the device to wake
Details to facilitate the new Telnet connection. Set network and authentication details.
Hostname and port information for the Telnet connection.
Authentication credentials for the Telnet connection. To prompt users for the password, leave this field empty.
The regular expression to use when waiting for the username prompt. This parameter is optional. If not specified, a reasonable default built into KCM will be used. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).
The regular expression to use when waiting for the password prompt. This parameter is optional. If not specified, a reasonable default built into KCM will be used. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).
The regular expression to use when detecting that the login attempt has succeeded. This parameter is optional. If specified, the terminal display will not be shown to the user until text matching this regular expression has been received from the telnet server. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).
The regular expression to use when detecting that the login attempt has failed. This parameter is optional. If specified, the connection will be closed with an explicit login failure error if text matching this regular expression has been received from the telnet server. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).
Choose settings that affect how the new connection will look.
Select a color theme for the terminal.
There are built in themes, and a custom theme option.
Enter the name of a font for the terminal to use
Select the pixel size of the font
Select how far back a user can scroll through past commands. Leave blank for unlimited.
If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.
If selected, users will not be able to copy from the connection
If selected, users will not be able to paste values into the connection
The Terminal Behavior section contains options about the terminal for applicable connections.
Choose what action is sent when you click the backspace key. The options are:
Delete
Backspace
Choose the type of terminal to use. The options are:
ansi
linux
vt100
vt220
vterm
vterm-256color
Options for text recording. See the Session Recording section for more details about session recording.
Enter a file path location to save text session recordings to.
Enter a name for the text session recording file
Have Keeper Connection Manager automatically create the path location for the text session recording
Options for recording of the screen. See the Session Recording section for more information.
Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}
Enter the name of the recording file
Choose to exclude graphics or streams from the recording
Choose to exclude the mouse from the screen recording
If selected, include key events that would not otherwise be visible in the recording
If selected, Keeper Connection Manager will automatically create a path for the recording file
Options to facilitate waking the connected device upon connection if supported.
Enable Wake-on-Lan and send a signal from Keeper Connection Manager
Identify the device to send the signal to by Mac Address
Where to send the WoL signal
How long to wait for the device to wake
Details to facilitate the new connection. Set network and authentication details.
The hostname and port of the Kubernetes connection
Choose to use SSL/TLS encryption
Choose to ignore the server certificate
Paste the Certificate Authority Certificate into this text box
Fill in the following information about the Kubernetes container:
Namespace
Pod Name
Container Name
The certificate to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. This parameter is optional. If omitted, SSL client authentication will not be performed.
The key to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. This parameter is optional. If omitted, SSL client authentication will not be performed.
Choose settings that affect how the new connection will look.
Select a color theme for the terminal.
There are built in themes, and a custom theme option.
Enter the name of a font for the terminal to use
Select the pixel size of the font
Select how far back a user can scroll through past commands. Leave blank for unlimited.
If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.
The Terminal Behavior section contains options about the terminal for applicable connections.
Choose what action is sent when you click the backspace key. The options are:
Delete
Backspace
Options for text recording. See the Session Recording section for more details about session recording.
Enter a file path location to save text session recordings to. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}
Enter a name for the session recording file.
Choose to exclude graphics and streams that may appear on the terminal from the recording.
Choose to include keys that are clicked in the session recording. Events like ctrl+c will be recorded.
Have Keeper Connection Manager automatically create the path location for the session recording
Details to facilitate the MySQL connection. Set network and authentication details.
Enter the hostname and port for the MySQL connection
Unix Socket
Enter the socket name if a host is not present
The username and password for this MySQL connection. To prompt users for the password, leave this field empty.
Default Database
Specify the default database schema when establishing a connection.
Disable CSV Export
Disable the ability for users to export data through "select .. into local infile"
Disable CSV Import
Disable the ability for users to import data through "load data local infile..."
Choose settings that affect how the new connection will look.
Select a color theme for the terminal.
There are built in themes, and a custom theme option.
Enter the name of a font for the terminal to use.
Select the pixel size of the font.
Select how far back a user can scroll through past commands. Leave blank for unlimited.
If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.
If selected, users will not be able to copy from the connection
If selected, users will not be able to paste values into the connection
Settings for basic environment setup
Set the language/local for the connection, this sets the $LANG environment variable
Set the time zone for the connection. This sets the $TZ environment variable
Set an interval for a keepalive signal
Options for recording of the screen. See the Session Recording section for more information.
Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}
Enter the name of the recording file.
Choose to exclude graphics or streams from the recording.
Choose to exclude the mouse from the screen recording.
If selected, include key events that would not otherwise be visible in the recording.
If selected, Keeper Connection Manager will automatically create a path for the recording file.
Options for file transfers to the connection using SFTP. For more information see the File Transfer section.
Choose to enable SFTP file transfers.
The root directory of the SFTP server to display within this connection.
If SFTP is enabled, check this option to exclude users from downloading files from the server to this connection.
If SFTP is enabled, check this option to exclude users from uploading files to the server from this connection.
Options to facilitate waking the connected device upon connection if supported.
Enable Wake-on-Lan and send a signal from Keeper Connection Manager.
Identify the device to send the signal to by Mac Address.
Where to send the WoL signal.
How long to wait for the device to wake.
Terminal based protocols (Kubernetes, SSH, MySQL and Telnet) allow for custom color themes. To use a custom theme first select "custom" from the Theme dropdown, this will open the custom theme builder.
To use the custom theme builder, click each color to select a new color to use in its place. The foreground and background colors are labeled, other colors represent the standard terminal colors.
For example: to replace all red highlighted text in the terminal with orange text, click the red color and choose orange in the color picker.
Details to facilitate the RBI connection. Set network and authentication details.
Enter the hostname and port for the remote browser isolation connection
Allowed URL Patterns
Defines the allowed URLs to be loaded by the browser
Allowed Resource URL Patterns
Defines the page resources (such as Javascript, Images, etc) allowed to be loaded.
Browser Profile Storage Directory
Browser session data can be retained with the specified path in the container.
Example: /var/lib/guacamole/rbi-profiles/this-site/${GUAC_USERNAME}
Automatically Create Profile Directory
Creates the path on the container if it doesn't exist.
Login value or reference to Keeper vault field for filling a username on a login form
Password value or reference to Keeper vault field for filling a password on a login form
CSS selector for the page and field elements to autofill. More info here.
Example:
Options for recording of the screen. See the Session Recording section for more information.
Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}
Enter the name of the recording file.
Choose to exclude graphics or streams from the recording.
Choose to exclude the mouse from the screen recording.
If selected, include key events that would not otherwise be visible in the recording.
If selected, Keeper Connection Manager will automatically create a path for the recording file.
Allows the connection to write the session recording to a file that already exists. Prior to this option, attempting to write to an existing file would result in a numeric suffix being appended to the new file to avoid overwriting.
If you are editing an existing connection, the usage history of the connection is shown in this section
The usage history table displays the username, date, duration of connection and remote IP address of users connecting to this connection.
If you would like to establish a connection to a target server with restricted Ingres connections, check out the documentation on Creating Connections via reverse SSH tunnel.
