Setting up RBI

Setting up Tunnels in your Desktop Vault

Overview

In this guide, you will learn how to set up Remote Browser Isolation (RBI) in your Keeper Vault. RBI works from both the Web Vault and the Desktop App.

An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.

Prerequisites

Prior to configuring RBI, make sure to have the following:

Remote Browser Isolation Enforcement Policies

Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.

Remote Browser Isolation Policies

The following Enforcement Policies control a user's permission to use Remote Browser Isolation and need to be enabled:

| Enforcement Policy | Commander Enforcement Policy | Definition |
| --- | --- | --- |
| Can configure remote browsing settings | ALLOW_CONFIGURE_RBI | Allow users to configure Remote Browser and session recording settings on PAM Remote Browsing and PAM Configuration Record Types |
| Can launch remote browsing | ALLOW_LAUNCH_RBI | Allow users to launch remote browsing on PAM Remote Browsing Record Types |
| Can view remote browser recordings | ALLOW_VIEW_RBI_RECORDINGS | Allow users to view RBI Session Recordings. |

The above enforcement policies can also be enabled on the Keeper Commander CLI using the enterprise-role command:

enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_RBI":true
enterprise-role "My Role" --enforcement "ALLOW_LAUNCH_RBI":true
enterprise-role "My Role" --enforcement "ALLOW_VIEW_RBI_RECORDINGS":true

Enforcement Policy Use Cases

If a user should only be able to launch RBI sessions and not configure RBI settings, then only the "Can launch remote browsing" policy should be enabled for the user.

If a user should be able to configure RBI settings in addition to launching RBI sessions, then the "Can configure remote browsing settings" and "Can launch remote browsing" policies should be enabled for the user.

To allow users to view RBI session recordings, the "Can configure remote browsing settings" policy should be enabled for the user.

Session Recordings

Launched RBI sessions can also be recorded. These recordings are available on the PAM Browser record types and can be played back on your Vault. For more details on session recording and playback, visit this page.

Installing the Keeper Gateway

The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically this service is installed in a Linux or Docker environment in each network that requires access.

For more details on installing and setting up your gateway, visit this page.

PAM Configuration

The PAM Configuration contains essential information about your target infrastructure, settings and Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this page.

PAM Remote Browser

When launching an RBI session, the Web and Desktop Vault Client will render a Chromium browser window with an established connection to the URL defined on the PAM Browser record. For more information on how to set up the PAM Browser Record, visit this page.

PAM Settings - Remote Browser Isolation

Accessing RBI Settings

After creating a PAM Browser record with the target URL, navigate to the PAM Settings by:

  1. Editing the PAM Browser Record

  2. Clicking on "Set Up" in the PAM Settings section

Configuring RBI Settings

After opening the PAM Settings screen, the following fields can be configured for RBI:

| Field | Definition |
| --- | --- |
| PAM Configuration | Required. This is the PAM Configuration the PAM Record is part of. |
| Enable Connection | Required. To enable RBI for this record, this toggle needs to be enabled. |
| Graphical Session Recording | When enabled, graphical session recordings will be enabled for this record. |
| Allow navigation via direct URL manipulation | If checked, the user will be presented with a URL navigation bar. |
| Allow URL Patterns | The patterns of all URLs that the user should be allowed to visit, regardless of whether via manual navigation (URL bar) or interacting with the current page. Multiple patterns may be specified, separated by newlines. If specified, only pages matching patterns in the list are permitted. By default, all URLs are permitted. Detailed information here. |
| Allow Resource URL Patterns | The patterns of all URLs that the page should be allowed to load as a resource, such as an image, script, stylesheet, font, etc. Multiple patterns may be specified, separated by newlines. If specified, only resources matching patterns in the list are permitted to be loaded. By default, no restrictions are imposed on resources loaded by pages. Detailed information here. |
| Browser Autofill - Credentials | RBI sessions launched from the Keeper Vault provide the capability of autofilling a username and password into a target website login screen. A vault record that is shared to a KSM application can be linked here. The credentials on this linked record will be autofilled in the target website login screen based on the autofill rules defined in the Autofill Targets section. Detailed information here. |
| Browser Autofill - Autofill Targets | This section will contain the autofill rules, which are a JSON/YAML array of objects, where each object contains an autofill rule. Detailed information here. |
| Can copy to clipboard | If enabled, text copied within the RBI session will be accessible by the user. |
| Can paste from clipboard | If enabled, the user can paste text from the clipboard within the connected RBI session. |
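
The allow-list behaviour described for Allow URL Patterns and Allow Resource URL Patterns, as an added example that is not Keeper's code: an empty list permits everything, and the page list and resource list are evaluated separately. The settings dictionary keys and the host-glob pattern syntax are assumptions made for illustration; the product's actual pattern syntax is documented on the linked detail pages.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def parse_patterns(field_text):
    """Split a newline-separated pattern field into a clean list."""
    return [p.strip().lower() for p in field_text.splitlines() if p.strip()]


def is_permitted(url, patterns):
    """Empty list: no restriction (the documented default). Otherwise the
    URL's host must match a pattern. ASSUMPTION: patterns are host globs."""
    if not patterns:
        return True
    host = (urlsplit(url).hostname or "").lower()
    return any(fnmatchcase(host, p) for p in patterns)


def review_settings(settings):
    """List the fail-open conditions in one record's RBI settings."""
    findings = []
    if not parse_patterns(settings.get("allow_url_patterns", "")):
        note = "Allow URL Patterns is empty: every page URL is permitted"
        if settings.get("allow_url_bar"):
            note += ", and the URL bar lets the user type any address"
        findings.append(note)
    if not parse_patterns(settings.get("allow_resource_url_patterns", "")):
        findings.append("Allow Resource URL Patterns is empty: "
                        "pages may load resources from any origin")
    return findings


# Constructed sample records; the dict keys are hypothetical names.
LOCKED_DOWN = {
    "allow_url_bar": False,
    "allow_url_patterns": "app.example.com\n*.example.com\n",
    "allow_resource_url_patterns": "app.example.com\ncdn.example.net",
}
DEFAULTS = {"allow_url_bar": True}

if __name__ == "__main__":
    pages = parse_patterns(LOCKED_DOWN["allow_url_patterns"])
    for url in ("https://app.example.com/login", "https://example.org/"):
        print(url, "->", "allow" if is_permitted(url, pages) else "block")
    for name, rec in (("LOCKED_DOWN", LOCKED_DOWN), ("DEFAULTS", DEFAULTS)):
        print(name, review_settings(rec) or "no fail-open settings")
```

Under the glob assumption used here, `*.example.com` does not match the bare host `example.com`, so both forms are listed in the sample record.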
