# On-Prem Connection Manager

<figure><img src="/files/S6rJkYRrQc76tpRZBmS4" alt=""><figcaption></figcaption></figure>

## Overview

For use cases where a self-hosted or air-gapped PAM solution is required, customers can deploy the Keeper Connection Manager product. Keeper Connection Manager self-hosted licenses are included in the purchase of KeeperPAM.

<figure><img src="/files/ai70rct32EwgelS2HxrU" alt=""><figcaption><p>Keeper Connection Manager (on-prem)</p></figcaption></figure>

### What is Keeper Connection Manager On-Prem? <a href="#what-is-keeper-connection-manager-on-prem" id="what-is-keeper-connection-manager-on-prem"></a>

Keeper Connection Manager (KCM) On-Prem is an agentless remote desktop gateway that provides instant and secure access to desktops, servers, databases and web applications from a web browser. KCM is deployed as a container, and does not require connectivity to Keeper's cloud.

Benefits of the KCM On-Prem platform:

* Self-hosted
* Support air-gapped environments
* Agentless
* Mobile and tablet friendly
* Customizable with plug-in architecture
* Custom authentication modules

Features include:

* Support for RDP, SSH, VNC, K8s remote access protocols
* Support for MySQL, PostgreSQL, SQL Server database protocols
* Support for web application protection through Remote Browser Isolation technology
* Session Recording and playback
* Privileged Session Management
* Multi-User Session Sharing
* Role-Based Access Controls
* MFA Options: TOTP, Duo
* PIV/CAC smart card authentication
* SSO, OpenID Connect, Active Directory, LDAP Integration
* Custom Branding

### KeeperPAM vs. Keeper Connection Manager <a href="#keeperpam-vs.-keeper-connection-manager" id="keeperpam-vs.-keeper-connection-manager"></a>

KeeperPAM is a cloud-native privileged access solution that requires only a lightweight gateway installation, while Keeper Connection Manager (KCM) is a fully self-hosted solution.

KeeperPAM works through outbound-only connections with zero-knowledge encryption, eliminating the need for inbound firewall rules or direct line-of-sight to resources. In contrast, KCM is fully hosted by the customer with control over the authentication, database, web server, reverse proxy and session recordings.

Customers who purchase KeeperPAM may use either the cloud version (described in this documentation) or the self-hosted connection manager as part of the license.

### Integration with KeeperPAM

Keeper Connection Manager can pull credentials from the Keeper vault through an integration with Keeper Secrets Manager.

### References

* [Setup and Installation of Keeper Connection Manager](/en/keeper-connection-manager/readme.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/keeperpam/privileged-access-manager/on-prem-connection-manager.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.