# Getting Started

## Overview

In this guide, you will learn how to set up connections for all the supported protocols on the PAM Record types in your Keeper Vault.

An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.

* [KeeperPAM Homepage](https://www.keepersecurity.com/privileged-access-management/)
* [Request a Demo](https://www.keepersecurity.com/contact.html?t=b\&r=sales)
* [Contact Support](https://www.keepersecurity.com/support.html)

## Prerequisites

Prior to configuring Connections, make sure to have the following:

### Connection Enforcement Policies

The following Enforcement Policies affect a user's permissions to use Connections and need to be enabled.

Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under **Admin** > **Roles** > **Enforcement Policies** > **Privileged Access Manager**.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FWjChJvfoO14GjFwRqbVj%2FScreenshot%202025-01-21%20at%2011.50.51%E2%80%AFAM.png?alt=media&#x26;token=979ba299-1710-4c92-adfc-36437e9631ce" alt=""><figcaption><p>KeeperPAM Enforcement Policies</p></figcaption></figure>

<table><thead><tr><th width="196">Enforcement Policy</th><th width="274">Commander Enforcement Policy</th><th>Definition</th></tr></thead><tbody><tr><td>Can configure connection settings</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS
</code></pre></td><td>Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Records Types</td></tr><tr><td>Can start connections</td><td><pre data-overflow="wrap"><code>ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION
</code></pre></td><td>Allow users to start tunnels on PAM Machine, PAM Directory and PAM Database Record Types</td></tr><tr><td>Can view recordings</td><td><pre><code>ALLOW_VIEW_KCM_RECORDINGS
</code></pre></td><td>Allow users to view session Recordings.</td></tr></tbody></table>

Tunnels can also be enabled on the [Keeper Commander CLI](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/secrets-manager-commands#overview) using the `enterprise-role` command:

```
enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS":true
enterprise-role "My Role" --enforcement "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION":true
enterprise-role "My Role" --enforcement "ALLOW_VIEW_KCM_RECORDINGS":true
```

#### Enforcement Policy Use Cases

If a user should only be able to launch connections, and not configure them, then only the "Can start connections" policy should be enabled for the user.

If a user should also be able to configure connections in addition to launching them, then both "Can configure connection settings" and "Can start connections" should be enabled for the user.
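The two use cases above can be checked as a least-privilege review of each role. The following is an added example, not Keeper's own code: the profile names, the `review_role` helper and the sample role data are assumptions made for illustration, and only the policy keys and the `enterprise-role` command form come from this page.

```python
CONFIGURE = "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS"
LAUNCH = "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION"
RECORDINGS = "ALLOW_VIEW_KCM_RECORDINGS"
KNOWN = {CONFIGURE, LAUNCH, RECORDINGS}

# Profile names are hypothetical; the policy sets follow the two use cases above.
PROFILES = {
    "launch-only": {LAUNCH},
    "launch-and-configure": {LAUNCH, CONFIGURE},
}


def review_role(role, profile, enabled, view_recordings=False):
    """Compare a role's enabled PAM enforcement policies with its intended profile.

    Returns (excess, missing, commands): policies to switch off, policies still
    to enable, and the Commander lines that enable the missing ones.
    """
    if '"' in role:
        raise ValueError("role name would break the quoted command: %r" % role)
    enabled = set(enabled)
    if enabled - KNOWN:
        raise ValueError("unrecognised policy: %s" % sorted(enabled - KNOWN))
    wanted = set(PROFILES[profile])
    if view_recordings:
        wanted.add(RECORDINGS)
    excess = sorted(enabled - wanted)    # granted beyond the intended profile
    missing = sorted(wanted - enabled)   # needed by the profile but not granted
    commands = ['enterprise-role "%s" --enforcement "%s":true' % (role, p)
                for p in missing]
    return excess, missing, commands


# Constructed sample data: role -> (intended profile, policies currently enabled).
SAMPLE_ROLES = {
    "Helpdesk": ("launch-only", {LAUNCH, CONFIGURE}),
    "DB Admins": ("launch-and-configure", {CONFIGURE}),
    "Operators": ("launch-only", {LAUNCH}),
}

if __name__ == "__main__":
    for role, (profile, enabled) in SAMPLE_ROLES.items():
        excess, missing, commands = review_role(role, profile, enabled)
        print(role, "| remove:", excess, "| enable:", missing)
        for line in commands:
            print("  ", line)
```

Policies reported as excess are listed for removal in the Admin Console; the script only generates the enabling form of the command shown on this page.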

### Session Recordings

Launched connections can also be recorded. These recordings are available on the PAM Machine, PAM Database, or PAM Directory record types and can be played back on your Vault. For more details on session recording and playback, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback).

### Installing the Keeper Gateway

The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that require access.

For more details on installing and setting up your gateway, visit this [page](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/gateways).

### PAM Configuration

The **PAM Configuration** contains essential information about your target infrastructure, settings and [Keeper Gateway](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/gateways). Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this [page](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-configuration).

### PAM Machine, PAM Database and PAM Directory

A **Keeper Connection** is a secure, encrypted interactive session established between your vault client and the target endpoint. The target endpoint needs to be defined on one of the following PAM Record types:

<table><thead><tr><th width="215">PAM Record Type</th><th>Target Endpoint type</th></tr></thead><tbody><tr><td><a href="../getting-started/pam-resources/pam-machine">PAM Machine</a></td><td>Windows/MacOS/Linux Machines, EC2 Instances, Azure VMs</td></tr><tr><td><a href="../getting-started/pam-resources/pam-database">PAM Database</a></td><td>MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-directory">PAM Directory</a></td><td>Active Directory, OpenLDAP</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-remote-browser">PAM Remote Browser</a></td><td>Web-based applications</td></tr></tbody></table>

Depending on your target endpoint, visit the corresponding PAM Record Type page for more information on setup.

## Supported Connection Protocols

The following table lists all the supported connection protocols that can be configured in your Keeper Vault. Visit the associated link for each protocol for more details on configuration.

<table><thead><tr><th width="157">Protocol</th><th width="169">PAM Record Type</th><th>Definition</th></tr></thead><tbody><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/connections/session-protocols/ssh-connections">SSH</a></td><td>PAM Machine</td><td>Connecting to the target defined on the PAM Machine Record with the SSH connection protocol</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/connections/session-protocols/rdp-connections">RDP</a></td><td>PAM Machine</td><td>Connecting to the target defined on the PAM Machine Record with the RDP connection protocol</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/connections/session-protocols/rbi-connections">RBI</a></td><td>PAM Browser</td><td>Connecting to the URL defined in the PAM Browser Record with the Remote Browser Isolation (http/https) protocol</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/connections/session-protocols/mysql-connections">MySQL</a></td><td>PAM Database</td><td>Connecting to the target defined on the PAM Database Record with the MySQL connection protocol</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/connections/session-protocols/sql-server-connections">SQL Server</a></td><td>PAM Database</td><td>Connecting to the target defined on the PAM Database Record with the SQL Server connection protocol</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/connections/session-protocols/postgresql-connections">PostgreSQL</a></td><td>PAM Database</td><td>Connecting to the target defined on the PAM Database Record with the PostgreSQL connection protocol</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/connections/session-protocols/vnc-connections">VNC</a></td><td>PAM Machine</td><td>Connecting to the target defined on the PAM Machine Record with the VNC connection 
protocol</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/connections/session-protocols/telnet-connections">Telnet</a></td><td>PAM Machine</td><td>Connecting to the target defined on the PAM Machine Record with the Telnet connection protocol</td></tr></tbody></table>

## Connection Authentication Methods

Keeper Connections can be authenticated using one of the following methods:

* [**Launch Credential**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#launch-credential)\
  The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.
* [**Personal/Private Credential**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#personal-private-credentials)\
  When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.
* [**Ephemeral Accounts**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#ephemeral-account)\
  When the ephemeral account feature is enabled on the PAM Machine or PAM Database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for [Just-In-Time access](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/just-in-time-access-jit) with no persistent account on the target system.

## Connection Templates

The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

{% content-ref url="connection-templates" %}
[connection-templates](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections/connection-templates)
{% endcontent-ref %}
