Setting up Tunnels
Setting up Tunnels in your Desktop Vault
Last updated
Was this helpful?
KeeperPAM and Secrets Manager
Setting up Tunnels in your Desktop Vault
Last updated
Was this helpful?
KeeperPAM Tunnels provide secure, ephemeral connections for accessing infrastructure without requiring a direct network path to the target system. They enable just-in-time access by establishing encrypted tunnels for RDP, SSH, LDAPS, databases, and other protocols. Users can authenticate through the KeeperPAM platform, which brokers the connection and ensures strict policy enforcement.
Tunnels are available in the Keeper Desktop application and Keeper Commander CLI.
Prior to configuring Tunnels, make sure to have the following:
On the Admin Console, the following Enforcement Policies affect user's permissions to use Keeper Tunnels and need to be enabled.
Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.
Can configure tunnel settings
Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Records Types
Can start tunnels
Allow users to start tunnels on PAM Machine, PAM Directory and PAM Database Record Types
Tunnels can also be enabled on the Keeper Commander CLI using the enterprise-role command:
If a user should only have access to start tunnels and not configuring tunnels, then only "Can start tunnels" policy should be enabled for the user.
In addition to starting tunnels, If a user should also have access to configure tunnels, then "Can configure tunnel settings" and "Can Start tunnels" should be enabled for the user.
The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enabled zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that requires access.
For more details on installing and setting up your gateway, visit this page.
The PAM Configuration contains essential information of your target infrastructure, settings and Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this page.
Keeper Tunnel is a secure, encrypted TCP/IP connection established between your vault client to the target endpoint. The target endpoint needs to be defined on one of the following PAM Record types:
Windows/MacOS/Linux Machines, EC2 Instances, Azure VMs
MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle
Active Directory, OpenLDAP
Depending on your target endpoint, visit the corresponding PAM Record Type page for more information on setup.
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Tunnel Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Tunnel" section in the prompted window
After navigating to the Tunnel Section on the PAM Settings screen. The following table lists all the configurable fields for Tunnels:
PAM Configuration
Required
This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record
Enable Tunnel
Required When checked, enable tunnels for this record
Reuse Last Port
When checked, the last used tunnel port will be reused. This ensures that the port number doesn't change every time.
Tunneling Port
The port which is used to connect from the Keeper Gateway to the target infrastructure. If not specified, the gateway will use the "rotation port" specified in the Keeper record view. If the specified port is in use, Tunnels will fail to start.
The following image shows a PAM Machine record where:
Tunnel is enabled
Tunnel will be open on localhost to the remote server port 3306
Subsequent tunnels will use the same local port
Once tunnels have been configured on the PAM Record, your PAM Record will have the "Start Tunnel" button:
Once tunnels have been configured on the PAM Record, click on "Start Tunnel" button to start a tunnel. The local port number is selected in this case as 49644. Subsequent tunnels for this resource will use the same local port and tunnel.
In the above screenshots, the target endpoint, a MySQL Database running in the AWS Cloud, was defined and configured on a PAM Machine record. After configuring the tunnel settings, a tunnel has been started on local hostname 127.0.0.1 and local port 59644.
This MySQL Database can then be accessed by using a native application of choice. For example, the MySQL Workbench tool can be used to access the database:
Likewise, using the CLI on the local device can initiate a connection to the database using this command:
Keeper Commander provides Tunneling capabilities in addition to using the Keeper Desktop UI.
Related commands:
A tunnel provides a path from the user's local device to the target infrastructure using end-to-end encryption. For security reasons, Keeper does not intercept or interfere in the low level communications. Therefore, any authentication required for a protocol, such as a password or SSH key must be available to the user on their local device. Keeper does not intercept the protocol layer.
If tunnels are provided to users along with the necessary credentials, we recommend automatic rotation of the credential to ensure that the credentials are ephemeral and invalidated on a scheduled basis. For more information about rotation, see the Password Rotation section.
KeeperPAM provides two methods of accessing remote infrastructure without the need to share credentials:
Connections to establish interactive sessions across many different protocols
Remote Browser Isolation with Autofill to establish web-based interactive sessions
An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.
