Instantly access your infrastructure with zero-trust security from your Keeper Vault
Keeper Connections allow users to instantly and securely access assets within their target infrastructure, such as servers, databases, web apps and workloads directly from their Keeper Vault. Keeper Connections are configured on PAM Machine, PAM Database, PAM Directory and PAM Remote Browser record types, and once configured, connections are launched directly from these records.
One of the key features of Keeper Connections is the agentless and clientless architecture. Organizations need to install only a Keeper Gateway in each managed environment. This streamlined approach simplifies deployment and enhances security by centralizing access management.
Connections are launched directly from the Vault interface with one click. The connection is established between the Keeper Gateway and the target machine, and the session is visually projected into the Vault where you can interact seamlessly.
Full screen mode and zoom controls are available from the upper right corner of the window.
The Connection Dock provides instant switching between active sessions. The dock can be minimized and moved to any desired location on the screen.
When a connection is launched, the Web and Desktop Vault Client renders a window with the established connection protocol to the target defined on the PAM record. This happens in three steps:
The Vault Client sends the relevant connection information to the Keeper Gateway through a secure tunnel.
The Keeper Gateway establishes the connection protocol to the target defined on the PAM record.
After establishing the connection, the Keeper Gateway projects the visual session to the Keeper Vault Client.
For more information on the architecture, see this page.
IT admins, DevOps and development teams struggle to protect access to cloud and on-prem infrastructure and to endpoints such as remote desktops, Windows machines, Linux servers, critical web-based apps, Kubernetes clusters and databases.
Keeper Connections protects your business, your employees and your customers against data breaches by providing a unified vault for all access and control. Reducing risk and simplifying access are the core tenets of the Keeper platform.
Lower complexity: All zero trust access is managed by the Keeper Vault
Lower employee risk: No VPNs, No ZTNAs and no Agents
Lower supply chain risk: No client-side connection apps
Lower attack surface risk: Zero-knowledge encryption and networking
Support for RDP, SSH, VNC, K8s, telnet remote access protocols
Support for MySQL, PostgreSQL, SQL Server database protocols
Remote browser isolation (http/https) protocol for web-based apps
Drag-and-drop file transfer via SFTP to target machines
Session Recording and playback
Privileged Session Management
Role-Based Access Controls
To get started with Keeper Connections, proceed to the next section.
Getting Started with configuring connections on your PAM Record types
In this guide, you will learn how to set up connections for all the supported protocols on your PAM Record types in your Keeper Vault.
Prior to configuring Connections, make sure to have the following:
The following Enforcement Policies affect a user's permissions to use Connections and need to be enabled.
Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.
If a user should only be able to launch connections and not configure them, then only the "Can start connections" policy should be enabled for the user.
If a user should also be able to configure connections, in addition to launching them, then both "Can configure connections settings" and "Can start connections" should be enabled for the user.
The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically this service is installed in a Linux or Docker environment in each of the networks that requires access.
A Keeper Connection is a secure, encrypted interactive session established between your vault client and the target endpoint. The target endpoint needs to be defined on one of the following PAM Record types:
Depending on your target endpoint, visit the corresponding PAM Record Type page for more information on setup.
The following table lists all the supported connection protocols that can be configured in your Keeper Vault. Visit the associated link for each protocol for more details on configuration.
Keeper Connections - SSH Protocol
KeeperPAM enables zero-trust privileged session management for target infrastructure using the SSH protocol. This guide explains how to set up SSH connections on your PAM Machine Records in the Keeper Vault. Secure SSH sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully set up this protocol:
This guide will use a Linux server to represent a PAM Machine record.
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigating to the "Connection" section in the prompted window
Prior to configuring the SSH protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable connection settings for the SSH protocol on the PAM Settings:

| Setting | Required | Description |
|---|---|---|
| Protocol | Required | The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the SSH protocol should be selected |
| Enable Connection | Required | To enable connection for this record, this toggle needs to be enabled |
| Graphical Session Recording | | When enabled, graphical session recordings will be enabled for this record |
| Text Session Recording (Typescript) | | When enabled, text session recordings (typescript) will be enabled for this record |
| Connection Port | | The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For SSH, the port is 22 |
| Public Host Key (Base64) | | The known hosts entry for the SSH server, in the same format as would be specified within an OpenSSH known_hosts file. If not provided, no verification of host identity will be performed. |
| Color Scheme | | The color scheme to use for the terminal emulator used by SSH connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are: "black on white" - Black text over a white background; "gray on black" - Gray text over a black background (the default); "green on black" - Green text over a black background; "white on black" - White text over a black background; "Custom" - custom color scheme. Default value is "white-black" |
| Font Size | | Font size displayed for the terminal session |
| SFTP | | If enabled, the user can drag and drop files into the terminal session to transfer one or more files. |
| File Browser Root Directory | | If SFTP is enabled, file transfers will be saved to the specified folder path. |
| Can copy to clipboard | | If enabled, text copied within the connected protocol session will be accessible by the user. |
| Can paste from clipboard | | If enabled, user can paste text from clipboard within the connected protocol session. |

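Because leaving the Public Host Key setting empty means no verification of host identity is performed, the entry is worth checking before it is pasted in. The following is an added example, not Keeper's code: it parses one OpenSSH known_hosts line, confirms that the declared key type matches the key blob, and computes the SHA256 fingerprint to compare with the server's own. The function names, host name and sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_known_hosts_entry(line: str) -> dict:
    """Validate one known_hosts line; return host pattern, key type, fingerprint."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # optional @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("expected: <hosts> <key-type> <base64-key>")
    hosts, key_type, b64 = fields[0], fields[1], fields[2]
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key is not valid base64") from exc
    # The blob starts with its own key-type string; it must agree with the text field.
    embedded_type, _ = _read_string(blob, 0)
    if embedded_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match the key blob")
    # Same form ssh-keygen prints: SHA256 of the raw blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"hosts": hosts, "key_type": key_type, "fingerprint": fingerprint}


def build_sample_entry(host: str = "linux01.example.internal") -> str:
    """Constructed sample: an ssh-ed25519 blob around a dummy 32-byte key."""
    name, key = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    info = check_known_hosts_entry(build_sample_entry())
    print(info["hosts"], info["key_type"], info["fingerprint"])
```

Compare the printed fingerprint with the output of ssh-keygen -lf run against the server's host public key file, obtained over a trusted channel.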
Once you have configured the SSH Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:
In the above image, a Linux server has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:
If the SFTP file transfer feature is enabled, the user can drag and drop files into the terminal session to transfer the files to the machine.
Keeper supports one or more files transferred simultaneously through drag-and-drop.
While the files are being uploaded to the target machine, a file transfer status is displayed in the dock area of the Keeper Vault:
The SSH protocol can also be used to access Windows servers for execution of PowerShell commands or other administrative actions.
Learn more on how to activate SSH on Windows
Keeper Connections - Remote Browser Isolation (http/https) Protocol
KeeperPAM enables zero-trust privileged session management for web applications using the Remote Browser Isolation (RBI) protocol. This guide explains how to configure RBI connections on your PAM Remote Browser Records in the Keeper Vault. Secure web sessions are initiated from the Vault, routed through the Keeper Gateway, and delivered directly to target applications.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully set up this protocol:

| PAM Record | Description |
|---|---|
| PAM Configuration | The PAM Configuration contains information of your target infrastructure. |
| PAM Remote Browser | The PAM Remote Browser record contains information of the endpoint you want to establish a web session to. |
| PAM User Record | The PAM User record contains the user credentials that will be used to autofill credentials on the web page. |

This guide will use a Jenkins web application.
After creating a PAM Remote Browser with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigating to the "Connection" section in the prompted window
Prior to configuring the RBI protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable settings for the RBI protocol on the PAM Settings:

| Setting | Required | Description |
|---|---|---|
| Enable Remote Browser Isolation | Required | To enable connection for this record, this toggle needs to be enabled |
| Graphical Session Recording | | When enabled, graphical session recordings will be enabled for this record |
| Allow navigation via direct URL manipulation | | |
| Ignore server certificate | | |
| Allowed URL Patterns | | |
| Allowed Resource URL Patterns | | |
| Can copy to clipboard | | If enabled, text copied within the connected protocol session will be accessible by the user |
| Can paste from clipboard | | If enabled, user can paste text from clipboard within the connected protocol session |
| Browser Autofill | | |

Keeper Connections - PostgreSQL Protocol
KeeperPAM enables zero-trust privileged session management for PostgreSQL databases through an interactive CLI. This guide shows how to configure PostgreSQL connections on your PAM Database Records in the Keeper Vault. Sessions are securely initiated from the Vault, routed via the Keeper Gateway, and connected to target databases.
The following PAM records are needed in order to successfully set up this protocol:
This guide will use a PostgreSQL Database. For more details on how this is set up, visit the following page:
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigating to the "Connection" section in the prompted window
Prior to configuring the PostgreSQL protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable connection settings for the SQL Server protocol on the PAM Settings:
Keeper Connections - VNC Protocol
KeeperPAM enables zero-trust privileged session management for target infrastructure using the VNC protocol. This guide explains how to set up VNC connections on your PAM Machine Records in the Keeper Vault. Secure VNC sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully set up this protocol:

| PAM Record | Description |
|---|---|
| PAM Configuration | The PAM Configuration contains information of your target infrastructure |
| PAM Machine Record | The PAM Machine record contains information of the endpoint you want to establish a VNC protocol connection to. |
| PAM User Record | The PAM User record contains the VNC credentials that will be used to connect to the machine |

This guide will use an Azure VM. For more details on how this is set up on the PAM Machine Record, visit the following page:
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigating to the "Connection" section in the prompted window
Prior to configuring the VNC protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable settings for the VNC protocol on the PAM Settings:

| Setting | Required | Description |
|---|---|---|
| Protocol | Required | The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the VNC protocol should be selected |
| Enable Connection | Required | To enable connection for this record, this toggle needs to be enabled |
| Graphical Session Recording | | When enabled, graphical session recordings will be enabled for this record |
| Connection Port | | The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For VNC the port is 5900 |
| Destination Host | Required if using a VNC Repeater such as UltraVNC Repeater | The destination host to request when connecting to a VNC proxy such as UltraVNC Repeater |
| Destination Port | Required if using a VNC Repeater such as UltraVNC Repeater | The destination port to request when connecting to a VNC proxy such as UltraVNC Repeater |
| Can copy to clipboard | | If enabled, text copied within the connected protocol session will be accessible by the user |
| Can paste from clipboard | | If enabled, user can paste text from clipboard within the connected protocol session |

Establish a connection to a Linux Machine directly from your Vault
In this guide, you will learn how to configure a Linux Machine on your PAM Machine record and configure the SSH protocol to successfully launch a zero-trust connection to the Linux Machine directly from your Keeper Vault.
For this setup, you need to do the following:
After completing the above, you can launch zero-trust connections to the Linux Machine directly from your Keeper Vault.
Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:
After setting up your Gateway and PAM Configuration Record, the Linux Machine and its users need to be configured on PAM Record types in your Vault:
Refer to this example on how to configure Linux Machine on a PAM Machine record type:
The PAM Machine record type contains the necessary information required for the Keeper Gateway to locate and establish a connection with the machine, while the PAM User record type contains the necessary information to authenticate the connection.
The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Machine Record. To configure the SSH protocol, visit the following page:
Once you have configured the SSH Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:
In the above image, a Linux Machine has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:
PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.
When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Linux Machine, the recipient can connect to the Linux Machine on the PAM Machine record without having direct access to the linked credentials.