Session Protocols

Details on the available connection protocols in KeeperPAM for interactive privileged sessions

Supported Connection Protocols

The following table lists all the supported connection protocols that can be configured in your Keeper Vault to establish zero-trust privileged sessions. Visit the associated link for each protocol for more details on configuration.

  • SSH (PAM Machine): Connecting to the target defined on the PAM Machine Record with the SSH connection protocol

  • RDP (PAM Machine): Connecting to the target defined on the PAM Machine Record with the RDP connection protocol

  • MySQL (PAM Database): Connecting to the target defined on the PAM Database Record with the MySQL connection protocol

  • SQL Server (PAM Database): Connecting to the target defined on the PAM Database Record with the SQL Server connection protocol

  • PostgreSQL (PAM Database): Connecting to the target defined on the PAM Database Record with the PostgreSQL connection protocol

  • VNC (PAM Machine): Connecting to the target defined on the PAM Machine Record with the VNC connection protocol

  • Telnet (PAM Machine): Connecting to the target defined on the PAM Machine Record with the Telnet connection protocol

  • Kubernetes (PAM Machine): Connecting to the target defined on the PAM Machine Record with the Kubernetes (K8s) protocol

  • RBI (PAM Remote Browser): Connecting to the target defined on the PAM Remote Browser Record with the http or https protocol in an isolated Chromium browser session

Examples

Example connection records

A few example guides explain how to set up Connections:

  • PostgreSQL Protocol with Database

  • SSH Protocol with Linux Machine

  • RDP Protocol with Azure Virtual Machine

  • MySQL Protocol with Database

Connections

Instantly access your infrastructure with zero-trust security from your Keeper Vault

What are Keeper Connections?

Keeper Connections allow users to instantly and securely access assets within their target infrastructure, such as servers, databases, web apps and workloads directly from their Keeper Vault. Connections can be established without exposing the underlying credentials to the user, ensuring zero-trust and zero-knowledge access.

Keeper Connections are configured on PAM Machine, PAM Database, PAM Directory and PAM Remote Browser record types, and once configured, connections are launched directly from these records.

One of the key features of Keeper Connections is the agentless and clientless architecture. Organizations need to install only a Keeper Gateway in each managed environment. This streamlined approach simplifies deployment and enhances security by centralizing access management.

Connection User Interface

Connections are launched directly from the Vault interface with one click. The connection is established between the Keeper Gateway and the target machine, and the session is visually projected into the Vault where you can interact seamlessly.

Click "Launch" to open a privileged session.

Sessions are opened directly inside the Keeper vault, establishing a zero trust encrypted connection to the target.

Full screen mode and zoom controls are available from the upper right corner of the window.

Connection Dock

The Connection Dock provides instant switching between active sessions. The dock can be moved to any desired location on the screen.

The dock can be minimized and moved anywhere on the screen.

How do Keeper Connections Work?

When launching a connection, the Web and Desktop Vault Client will render a window with the established connection protocol to the specified target defined on the PAM record. This is done as follows:

  1. The Vault Client communicates with the Keeper Gateway, passing the relevant connection information through a secure tunnel.

  2. The Keeper Gateway then establishes the connection protocol to the target defined on the PAM Record.

  3. After establishing the connection, the Keeper Gateway projects the visual session to the Keeper Vault client.

For more information on the architecture, see this page.

Why Use Keeper Connections?

IT admins, DevOps and development teams struggle to protect access to cloud and on-prem infrastructure: remote desktops, Windows machines, Linux servers, critical web-based apps, Kubernetes clusters and databases.

Keeper Connections protects your business, your employees and your customers against data breaches by providing a unified vault for all access and control. Reducing risk and simplifying access are the core tenets of the Keeper platform.

  • Lower complexity: All zero trust access is managed by the Keeper Vault

  • Lower employee risk: No VPNs, No ZTNAs and no Agents

  • Lower supply chain risk: No client-side connection apps

  • Lower attack surface risk: Zero-knowledge encryption and networking

Keeper Connection Features

  • Support for RDP, SSH, VNC, K8s, telnet remote access protocols

  • Support for MySQL, PostgreSQL, SQL Server database protocols

  • Remote browser isolation (http/https) protocol for web-based apps

  • Drag-and-drop file transfer via SFTP to target machines

To get started with Keeper Connections, proceed to the next section.

Authentication Methods

Different methods of authentication with Keeper Connections

Overview

Launch Credential

When configuring the launch credential on a PAM Machine, PAM Database, or PAM Directory record type, sessions to the target system are authenticated using the configured launch credential.

To configure the launch credential:

  1. Open the PAM Settings on a PAM Machine, PAM Database, or PAM Directory record type

  2. Navigate to the Connection tab

  3. In the Launch Credentials dropdown, choose the PAM User record to be used as the launch credential

  4. After configuring the launch credential, close the PAM Settings by clicking "Update" and save the record.

Configuring Launch Credentials

Enabling the "Rotate launch credentials upon session termination" checkbox will automatically rotate the launch credential after every session.

After configuring the launch credential, the PAM record type will show the launch credential.

Personal/Private Credentials

PAM Machine, PAM Database, and PAM Directory record types can be configured to allow users to authenticate sessions using personal/private credentials stored in their own Keeper Vault. When this is configured, users are able to select a credential from their Keeper Vault at session launch.

To enable users to use their own credentials:

  1. Open the PAM Settings on a PAM Machine, PAM Database, or PAM Directory record type

  2. Navigate to the Connection tab

  3. Enable the "Allow users to select credentials from their vault" checkbox

  4. After enabling step 3, close the PAM Settings by clicking "Update" and save the record.

If launch credentials are configured, users will be able to choose between the launch credential and their own personal/private credential.

If "Rotate launch credential upon session termination" is enabled, only the configured launch credentials are rotated. Personal/private credentials will not be rotated.

When users click the launch button, they are presented with the ability to select a credential from their Keeper Vault.

Ephemeral Account

PAM Machine, PAM Database, and PAM Directory record types can be configured to allow users to authenticate sessions using ephemeral accounts.

An ephemeral account is a system-generated, time-limited privileged account that is created specifically for the session. This account is temporary and is deleted automatically after the session ends. This method is used for Just-In-Time access with no persistent account on the target system.

To enable ephemeral accounts:

  1. Open the PAM Settings on a PAM Machine, PAM Database, or PAM Directory record type

  2. Navigate to the "JIT" tab

  3. Enable "Create ephemeral account for connection"

     • Note: For machines, you will need to specify the type of system to generate the user for. For example, an ephemeral account for Linux will be a Linux user.

     • (Optional) Enable "Elevate account during connection" to elevate the account used to authenticate the session to the specified group or role. The group or role must be valid.

  4. After enabling the above, close the PAM Settings by clicking "Update" and save the record.

Configuring Ephemeral Accounts

Protocol Configuration

For additional configuration details on your protocol, visit the following page:

  • Session Protocols

Getting Started

Getting Started with configuring connections on your PAM Record types

Overview

In this guide, you will learn how to set up connections for all the supported protocols on your PAM record types in your Keeper Vault.

Prerequisites

Prior to configuring Connections, make sure to have the following:

  • Privileged Session Management

  • Role-Based Access Controls

  • Session Recording and playback

Connection Enforcement Policies

The following Enforcement Policies affect users' permissions to use Connections and need to be enabled.

Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.

KeeperPAM Enforcement Policies

  • Can configure connection settings (Commander enforcement policy ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS): Allow users to configure Connection settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types

  • Can start connections (Commander enforcement policy ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION): Allow users to start connections on PAM Machine, PAM Directory and PAM Database Record Types

  • Can view recordings (Commander enforcement policy ALLOW_VIEW_KCM_RECORDINGS): Allow users to view session recordings

These policies can also be enabled from the Keeper Commander CLI using the enterprise-role command with the Commander enforcement policy names listed above.

Enforcement Policy Use Cases

If a user should only be able to launch connections and not configure them, enable only the "Can start connections" policy for the user.

If a user should also be able to configure connections in addition to launching them, enable both "Can configure connection settings" and "Can start connections" for the user.

Session Recordings

Launched connections can also be recorded. These recordings are available on the PAM Machine, PAM Database, or PAM Directory record types and can be played back in your Vault. For more details on session recording and playback, visit this page.

Installing the Keeper Gateway

The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that requires access.

For more details on installing and setting up your gateway, visit this page.

PAM Configuration

The PAM Configuration contains essential information about your target infrastructure, settings and Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this page.

PAM Machine, PAM Database and PAM Directory

A Keeper Connection is a secure, encrypted interactive session established between your vault client and the target endpoint. The target endpoint needs to be defined on one of the following PAM Record types:

  • PAM Machine: Windows/MacOS/Linux Machines, EC2 Instances, Azure VMs

  • PAM Database: MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle

  • PAM Directory: Active Directory, OpenLDAP

  • PAM Remote Browser: Web-based applications

Depending on your target endpoint, visit the corresponding PAM Record Type page for more information on setup.

Supported Connection Protocols

The following table lists all the supported connection protocols that can be configured in your Keeper Vault. Visit the associated link for each protocol for more details on configuration.

  • SSH (PAM Machine): Connecting to the target defined on the PAM Machine Record with the SSH connection protocol

  • RDP (PAM Machine): Connecting to the target defined on the PAM Machine Record with the RDP connection protocol

  • RBI (PAM Browser): Connecting to the URL defined in the PAM Browser Record with the Remote Browser Isolation (http/https) protocol

  • MySQL (PAM Database): Connecting to the target defined on the PAM Database Record with the MySQL connection protocol

  • SQL Server (PAM Database): Connecting to the target defined on the PAM Database Record with the SQL Server connection protocol

  • PostgreSQL (PAM Database): Connecting to the target defined on the PAM Database Record with the PostgreSQL connection protocol

  • VNC (PAM Machine): Connecting to the target defined on the PAM Machine Record with the VNC connection protocol

  • Telnet (PAM Machine): Connecting to the target defined on the PAM Machine Record with the Telnet connection protocol

For authentication options and reusable connection templates, see the Connection Authentication Methods and Connection Templates sections.

Connection Templates

Create launch-ready connection templates

Overview

PAM Machine, PAM Database, and PAM Directory record types can be configured as Connection Templates. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential.

A connection template only requires configuration of the Keeper Gateway and the associated connection protocol settings. Once configured, these templates can be shared with other users. When a user attempts to launch a session using the template, they are prompted to:

  • Specify the target hostname

  • Use a credential from their own Keeper Vault to authenticate

Configuring Connection Templates

  1. Create a PAM Machine, PAM Database or PAM Directory record type

  2. Enable the "Allow shared users to select their own host and credentials" checkbox

  3. Open the PAM Settings and configure the PAM Configuration. This associates the Keeper Gateway with the template

  4. Navigate to the Connection tab and configure the connection protocol along with any protocol-specific settings, depending on your protocol

  5. After the above, close the PAM Settings by clicking "Update" and save the record.

The following image shows a connection template with the SSH protocol:

Using Connection Templates

Once you have configured a connection template, you can share it with other users in your organization.

Users can use these templates to launch a session by either:

  1. Inputting the target hostname and specifying a personal/private credential from their own Keeper Vault

  2. Specifying a record from their Vault that contains both the hostname and credentials

Specifying the target hostname and personal/private Launch Credentials:

Specifying Launch Credentials that contain both the hostname and credentials

MySQL Connections

Keeper Connections - MySQL Protocol

Overview

KeeperPAM enables zero-trust privileged session management for MySQL databases through an interactive CLI. This guide shows how to configure MySQL connections on your PAM Database Records in the Keeper Vault. Sessions are securely initiated from the Vault, routed via the Keeper Gateway, and connected to target databases.

The Keeper Commander CLI enterprise-role commands for the three connection enforcement policies described under Connection Enforcement Policies in the Getting Started guide:

    enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS":true
    enterprise-role "My Role" --enforcement "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION":true
    enterprise-role "My Role" --enforcement "ALLOW_VIEW_KCM_RECORDINGS":true
Prerequisites

Prior to following this guide, familiarize yourself with the prerequisites on the Connections Getting Started page.

The following PAM records are needed in order to successfully set up this protocol:

  • PAM Configuration: The PAM Configuration contains information about your target infrastructure

  • PAM Database Record: The PAM Database record contains information about the endpoint you want to establish a MySQL protocol connection to.

  • PAM User Record: The PAM User record contains the MySQL user credentials that will be used to connect to the endpoint

This guide will use a MySQL Database. For more details on how this is set up, visit the following page:

  • Example: MySQL Database

PAM Settings - MySQL Protocol

Accessing Connection Settings

After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection section on the PAM Settings screen by:

  1. Editing the PAM Record

  2. Clicking on "Set Up" in the PAM Settings section

  3. Navigating to the "Connection" section in the prompted window

Configuring Connection Settings

Prior to configuring the MySQL protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

The following table lists all the configurable settings for the MySQL protocol on the PAM Settings:

  • Protocol (Required): The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the MySQL protocol should be selected

  • Enable Connection (Required): To enable connection for this record, this toggle needs to be enabled

  • Graphical Session Recording: When enabled, graphical session recordings will be enabled for this record

  • Text Session Recording (Typescript): When enabled, text session recordings (typescript) will be enabled for this record

  • Include Key Events: When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

  • Connection Port: The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Database. The port specified here will override the default port. For MySQL, the port is 3306

Connection Authentication Methods

Session Recordings - MySQL Protocol

  • MySQL Session Recordings

Connection Templates


MySQL Protocol - MySQL Database

Establish a connection to a MySQL Database directly from your Vault

Overview

In this guide, you will learn how to configure a MySQL Database on your PAM Database record and configure the MySQL protocol to launch a zero-trust connection to the MySQL Database directly from your Keeper Vault.

Summary

For this setup, you need to do the following:

  1. Enable the Connection Enforcement Policies

  2. Install and Configure the Keeper Gateway

  3. Create and configure the PAM Configuration File

  4. Create the PAM Database and PAM User record types

  5. Configure PAM Settings and the MySQL Connection Protocol

After completing the above, you can launch zero-trust connections to the MySQL Database directly from your Keeper Vault.

Step 1 - Enable Connection Enforcement Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies for connections:

  • Can configure connection settings: Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types. Commander CLI: ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS

  • Can launch connections: Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types. Commander CLI: ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION

  • Can view session recordings: Allow users to view Session Recordings. Commander CLI: ALLOW_VIEW_KCM_RECORDINGS

Step 2 - Install and configure the Keeper Gateway

Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:

  • Windows Installation

  • Linux Installation

  • Docker Installation

Additionally, the Keeper Gateway needs to be configured with the Gateway token. For more information, visit this page.

Steps 3 and 4 can be automated with the Gateway Wizard. For more information, visit this page.

Step 3 - Configuring the PAM Configuration

The PAM Configuration contains critical information on your infrastructure, settings and associated Keeper Gateway. Visit the following pages for more details based on your target infrastructure:

  • Setting up Local Environment on the PAM Configuration

  • Setting up AWS Environment on the PAM Configuration

  • Setting up Azure Environment on the PAM Configuration

Step 4 - Create and Configure PAM Database and PAM User(s) Records

After setting up your Gateway and PAM Configuration Record, the MySQL Database and its users need to be configured on PAM Record types in your Vault:

  • PAM Database - The MySQL Database is configured on this record type

  • PAM User - The MySQL Database User is configured on this record type

Refer to this example on how to configure a MySQL Database on a PAM Database record type: Example: MySQL Database

Step 5 - Configuring PAM Settings and MySQL Protocol

The PAM Database record type contains the information required for the Keeper Gateway to locate and establish a connection with the database, while the PAM User record type contains the information needed to authenticate the connection.

The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Database Record. To configure the MySQL protocol, visit the following page: MySQL Connections

Launching Connections

Once you have configured the MySQL Protocol connection on your PAM Database Record, your record will contain the following connection banner with the "Launch" button:

In the above image, a MySQL Database has been configured on the PAM Database Record. When clicking Launch, the Vault Client will render a window with the established connection protocol to the specified target.

Sharing PAM Database Records

PAM Database records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to use KeeperPAM features on the shared PAM records.

When sharing a PAM Database record, the linked admin credentials are not shared. For example, if the PAM Database is configured with a MySQL Database, the recipient can connect to the MySQL Database on the PAM Database record without having direct access to the linked credentials.

RDP Protocol - Azure Virtual Machine

Establish a connection to an Azure Virtual Machine directly from your Vault

Overview

In this guide, you will learn how to configure an Azure Virtual Machine on your PAM Machine record and configure the RDP protocol to launch a zero-trust connection to the Azure Virtual Machine directly from your Keeper Vault.

Summary

For this setup, you need to do the following:

  1. Enable the Connection Enforcement Policies

  2. Install and Configure the Keeper Gateway

  3. Create and configure the PAM Configuration File

  4. Create the PAM Machine and PAM User record types

  5. Configure PAM Settings and the RDP Connection Protocol

After completing the above, you can launch zero-trust connections to the Azure Virtual Machine directly from your Keeper Vault.

Step 1 - Enable Connection Enforcement Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies for connections:

  • Can configure connection settings: Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types. Commander CLI: ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS

  • Can launch connections: Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types. Commander CLI: ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION

  • Can view session recordings: Allow users to view Session Recordings. Commander CLI: ALLOW_VIEW_KCM_RECORDINGS

Step 2 - Install and configure the Keeper Gateway

Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:

  • Windows Installation

  • Linux Installation

  • Docker Installation

Additionally, the Keeper Gateway needs to be configured with the Gateway token. For more information, visit this page.

Steps 3 and 4 can be automated with the Gateway Wizard. For more information, visit this page.

Step 3 - Configuring the PAM Configuration

The PAM Configuration contains critical information on your infrastructure, settings and associated Keeper Gateway. Visit the following pages for more details based on your target infrastructure:

  • Setting up Local Environment on the PAM Configuration

  • Setting up AWS Environment on the PAM Configuration

  • Setting up Azure Environment on the PAM Configuration

Step 4 - Create and Configure PAM Machine and PAM User(s) Records

After setting up your Gateway and PAM Configuration Record, the Azure Virtual Machine and its users need to be configured on PAM Record types in your Vault:

  • PAM Machine - The Azure Virtual Machine is configured on this record type

  • PAM User - The Azure Virtual Machine user is configured on this record type

Refer to this example on how to configure an Azure Virtual Machine on a PAM Machine record type: Example: Azure Windows VM

Step 5 - Configuring PAM Settings and RDP Protocol

The PAM Machine record type contains the information required for the Keeper Gateway to locate and establish a connection with the machine, while the PAM User record type contains the information needed to authenticate the connection.

The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Machine Record. To configure the RDP protocol, visit the following page: RDP Connections

Launching Connections

Once you have configured the RDP Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" button:

In the above image, an Azure Virtual Machine has been configured on the PAM Machine Record. When clicking Launch, the Vault Client will render a window with the established connection protocol to the specified target.

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to use KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials are not shared. For example, if the PAM Machine is configured with an Azure Virtual Machine, the recipient can connect to the Azure Virtual Machine on the PAM Machine record without having direct access to the linked credentials.

PostgreSQL Connections

Keeper Connections - PostgreSQL Protocol

Overview

KeeperPAM enables zero-trust privileged session management for PostgreSQL databases through an interactive CLI. This guide shows how to configure PostgreSQL connections on your PAM Database Records in the Keeper Vault. Sessions are securely initiated from the Vault, routed via the Keeper Gateway, and connected to target databases.

Kubernetes

Keeper Connections - Kubernetes

Overview

KeeperPAM enables zero-trust privileged session management for Kubernetes containers using the Kubernetes REST API. This guide shows how to configure Kubernetes connections on your PAM Machine Records in the Keeper Vault. Secure Kubernetes sessions are established from the Vault, through the Keeper Gateway, and directly to the target container.

SSH Protocol - Linux Machine

Establish a connection to a Linux Machine directly from your Vault

Overview

In this guide, you will learn how to configure a Linux Machine on your PAM Machine record and configure the SSH protocol to launch a zero-trust connection to the Linux Machine directly from your Keeper Vault.

Prerequisites

Prior to following this guide, familiarize yourself with the prerequisites on the Connections Getting Started page.

The following PAM records are needed in order to successfully set up this protocol:

  • PAM Configuration: The PAM Configuration contains information about your target infrastructure

  • PAM Database Record: The PAM Database record contains information about the endpoint you want to establish a PostgreSQL protocol connection to.

  • PAM User Record: The PAM User record contains the PostgreSQL user credentials that will be used to connect to the endpoint

This guide will use a PostgreSQL Database. For more details on how this is set up, visit the following page:

  • Example: PostgreSQL Database

PAM Settings - PostgreSQL Protocol

Accessing Connection Settings

After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection section on the PAM Settings screen by:

  1. Editing the PAM Record

  2. Clicking on "Set Up" in the PAM Settings section

  3. Navigating to the "Connection" section in the prompted window

Configuring Connection Settings

Prior to configuring the PostgreSQL protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

The following table lists all the configurable connection settings for the PostgreSQL protocol on the PAM Settings:

  • Protocol (Required): The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the PostgreSQL protocol should be selected

  • Enable Connection (Required): To enable connection for this record, this toggle needs to be enabled

  • Graphical Session Recording: When enabled, graphical session recordings will be enabled for this record

  • Text Session Recording (Typescript): When enabled, text session recordings (typescript) will be enabled for this record

  • Include Key Events: When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

  • Connection Port: The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Database. The port specified here will override the default port. For PostgreSQL, the port is 5432

Connection Authentication Methods

Session Recordings - PostgreSQL Protocol

  • PostgreSQL Session Recordings

Connection Templates

The PAM record type with your target system can also be configured as a Connection Template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

    Prerequisites

    Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.

    The following PAM records are needed in order to successfully setup this protocol:

    PAM Record: Definition

    PAM Configuration: The PAM Configuration contains information of your target infrastructure.

    PAM Machine Record: The PAM Machine record contains information of the endpoint you want to establish a Kubernetes REST API connection to.

    PAM User Record: The PAM User record contains the user credentials that will be used to connect to the endpoint.

    PAM Settings - Configuring Kubernetes Protocol

    Accessing Connection Settings

    After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

    1. Editing the PAM Record

    2. Clicking on "Set Up" in the PAM Settings section

    3. Navigating to the "Connection" section in the prompted window

    Configuring Connection Settings

    Prior to configuring the Kubernetes protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

    The following table lists all the configurable connection settings for the Kubernetes protocol on the PAM Settings:

    Field: Definition

    Protocol (Required): The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the Kubernetes protocol should be selected.

    Enable Connection (Required): To enable connection for this record, this toggle needs to be enabled.

    Graphical Session Recording: When enabled, graphical session recordings will be enabled for this record.

    Text Session Recording (Typescript): When enabled, text session recordings (typescript) will be enabled for this record.

    Include Key Events: When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

    Connection Port: The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For Kubernetes, the port is 8080.

    Connection Authentication Methods

    Session Recordings - Kubernetes Protocol

    Connection Templates

    The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

    Summary

    For this setup, you need to do the following:

    1. Enable the Connection Enforcement Policies

    2. Install and Configure the Keeper Gateway

    3. Create and configure the PAM Configuration File

    4. Create the PAM Machine and PAM User record types

    After completing the above, you can launch zero-trust connections to the Linux Machine directly from your Keeper Vault.

    Step 1 - Enable Connection Enforcement Policies

    From the Admin Console, enable the corresponding PAM Enforcement Policies for connections:

    Policy: Definition (Commander CLI)

    Can configure connection settings: Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types (Commander CLI: ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS)

    Can launch connections: Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types (Commander CLI: ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION)

    Can view session recordings: Allow users to view Session Recordings (Commander CLI: ALLOW_VIEW_KCM_RECORDINGS)

    Step 2 - Install and configure the Keeper Gateway

    Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:

    • Windows Installation

    • Linux Installation

    • Docker Installation

    Additionally, the Keeper Gateway needs to be configured with the Gateway token. For more information, visit this page.

    Steps 3 and 4 can be automated with the Gateway Wizard. For more information, visit this page.

    Step 3 - Configuring the PAM Configuration

    The PAM Configuration contains critical information on your infrastructure, settings and associated Keeper Gateway. Visit the following pages for more details based on your target infrastructure:

    • Setting up Local Environment on the PAM Configuration

    • Setting up AWS Environment on the PAM Configuration

    • Setting up Azure Environment on the PAM Configuration

    Step 4 - Create and Configure PAM Machine and PAM User(s) Records

    After setting up your Gateway and PAM Configuration Record, the Linux Machine and its users need to be configured on PAM Record types in your Vault:

    • PAM Machine - The Linux machine is configured on this record type

    • PAM User - The Linux User is configured on this record type

    Refer to this example on how to configure a Linux Machine on a PAM Machine record type:

    Step 5 - Configuring PAM Settings and SSH Protocol

    The PAM Machine record type contains the necessary information required for the Keeper Gateway to locate and establish a connection with the machine, while the PAM User record type contains the necessary information to authenticate the connection.

    The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Machine Record. To configure the SSH protocol, visit the following page:

    Launching Connections

    Once you have configured the SSH Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:

    In the above image, a Linux Machine has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:

    Sharing PAM Machine Records

    PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

    When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Linux Machine, the recipient can connect to the Linux Machine on the PAM Machine record without having direct access to the linked credentials.


    Field: Description

    Launch Credentials: When configured, these credentials will be used to authenticate the connection. More details here

    Allow users to select credentials from their vault: When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details here

    Rotate launch credentials upon session termination: When enabled, the configured launch credentials will be automatically rotated when the session is closed

    Default Database: The database schema selected when connecting to the specified database server.

    Can export CSV: Enables CSV export of data when using the SQL statement "select ... into local outfile"

    Can import CSV: Enables CSV import of data when using the SQL statement "load data local infile ... into table"

    Can copy to clipboard: If enabled, text copied within the connected protocol session will be accessible by the user

    Can paste from clipboard: If enabled, the user can paste text from the local clipboard into the connected protocol session

    Font name: The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

    Maximum scrollback size: The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only: Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

    The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

    PostgreSQL Protocol - PostgreSQL Database

    Establish a connection to a PostgreSQL Database directly from your Vault

    Overview

    In this guide, you will learn how to configure a PostgreSQL Database on your PAM Database and configure the PostgreSQL protocol to successfully launch a zero-trust connection to the PostgreSQL Database — directly from your Keeper Vault.

    Summary

    For this setup, you need to do the following:

    1. Enable the Connection Enforcement Policies

    2. Install and Configure the Keeper Gateway

    3. Create and configure the PAM Configuration File

    4. Create the PAM Database and PAM User record types

    After completing the above, you can launch zero-trust connections to the PostgreSQL Database directly from your Keeper Vault.

    Step 1 - Enable Connection Enforcement Policies

    From the Admin Console, enable the corresponding PAM Enforcement Policies for connections:

    Policy: Definition (Commander CLI)

    Can configure connection settings: Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types (Commander CLI: ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS)

    Can launch connections: Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types (Commander CLI: ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION)

    Can view session recordings: Allow users to view Session Recordings (Commander CLI: ALLOW_VIEW_KCM_RECORDINGS)

    Step 2 - Install and configure the Keeper Gateway

    Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:

    • Windows Installation

    • Linux Installation

    • Docker Installation

    Additionally, the Keeper Gateway needs to be configured with the Gateway token. For more information, visit this page.

    Steps 3 and 4 can be automated with the Gateway Wizard. For more information, visit this page.

    Step 3 - Configuring the PAM Configuration

    The PAM Configuration contains critical information on your infrastructure, settings and associated Keeper Gateway. Visit the following pages for more details based on your target infrastructure:

    • Setting up Local Environment on the PAM Configuration

    • Setting up AWS Environment on the PAM Configuration

    • Setting up Azure Environment on the PAM Configuration

    Step 4 - Create and Configure PAM Database and PAM User(s) Records

    After setting up your Gateway and PAM Configuration Record, the PostgreSQL Database and its users need to be configured on PAM Record types in your Vault:

    • PAM Database - The PostgreSQL Database is configured on this record type

    • PAM User - The PostgreSQL Database User is configured on this record type

    Refer to this example on how to configure a PostgreSQL Database on a PAM Database record type:

    Step 5 - Configuring PAM Settings and PostgreSQL Protocol

    The PAM Database record type contains the necessary information required for the Keeper Gateway to locate and establish a connection with the database, while the PAM User record type contains the necessary information to authenticate the connection.

    The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Database Record. To configure the PostgreSQL protocol, visit the following page:

    Launching Connections

    Once you have configured the PostgreSQL Protocol connection on your PAM Database Record, your record will contain the following connection banner with the "Launch" Button:

    In the above image, a PostgreSQL Database has been configured on the PAM Database Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target.

    Sharing PAM Database Records

    PAM Database records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

    When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a PostgreSQL Database, the recipient can connect to the PostgreSQL Database on the PAM Database record without having direct access to the linked credentials.

    An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.


    The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

    RBI Connections

    Keeper Connections - Remote Browser Isolation (http/https) Protocol

    Overview

    KeeperPAM enables zero-trust privileged session management for web applications using the Remote Browser Isolation (RBI) protocol. This guide explains how to configure RBI connections on your PAM Remote Browser Records in the Keeper Vault. Secure web sessions are initiated from the Vault, routed through the Keeper Gateway, and delivered directly to target applications.

    Keeper Connections can be authenticated using one of the following methods:

    • Launch Credential The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

    • Personal/Private Credential When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

    • Ephemeral Accounts When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

    Connection Templates


    Prerequisites

    Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.

    The following PAM records are needed in order to successfully setup this protocol:

    PAM Record: Definition

    PAM Configuration: The PAM Configuration contains information of your target infrastructure.

    PAM Remote Browser: The PAM Remote Browser record contains information of the endpoint you want to establish a web session to.

    PAM User Record: The PAM User record contains the user credentials that will be used to autofill credentials on the web page.

    This guide will use a Jenkins web application.

    PAM Settings - Configuring RBI

    Accessing Connection Settings

    After creating a PAM Remote Browser with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

    1. Editing the PAM Record

    2. Clicking on "Set Up" in the PAM Settings section

    3. Navigating to the "Connection" section in the prompted window

    Configuring Connection Settings

    Prior to configuring the RBI protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

    The following table lists all the configurable settings for the RBI protocol on the PAM Settings:

    Field: Definition

    Enable Remote Browser Isolation (Required): To enable connection for this record, this toggle needs to be enabled.

    Graphical Session Recording: When enabled, graphical session recordings will be enabled for this record.

    Include Key Events: When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

    Allow navigation via direct URL manipulation: Shows a website address tool in the user interface that allows the user to navigate.

    Ignore server certificate: Instructs RBI to ignore invalid or expired SSL certificates on the website that is explicitly set in the URL field for the record. Certificates are required for any other domains during the session.

    Allowed URL Patterns: The patterns of all URLs that the user should be allowed to visit, whether via manual navigation (URL bar) or by interacting with the current page. Multiple patterns may be specified, separated by newlines. If specified, only pages matching patterns in the list are permitted. By default, all URLs are permitted.

    Audio Setting Parameters

    Disable Audio: If checked (set to true), audio will not be forwarded within the RBI session. Pages will still be able to attempt to play audio; the audio will simply be ignored.

    Channels: The number of separate audio channels that should be used for audio data sent through KCM. Valid values are:

    • 1 (monaural audio with only a single, center channel, more commonly called "mono")

    • 2 (stereophonic audio with left and right channels, more commonly called "stereo")

    Bit Depth: Valid values are:

    • 8 (8-bit audio, a relatively low quality)

    • 16 (16-bit audio, a standard level of quality)

    Sample Rate: The sample rate (in Hz) that should be used for any audio data sent through Keeper.

    Session Recordings - RBI Protocol

    RBI Session Recordings
    Field: Description

    Launch Credential: When configured, these credentials will be used to authenticate the connection. More details here

    Allow users to select credentials from their vault: When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details here

    Rotate launch credentials upon session termination: When enabled, the configured launch credentials will be automatically rotated when the session is closed

    Default Database: The database schema selected when connecting to the specified database server.

    Can export CSV: Disables CSV export of data when using the PSQL statement \COPY FROM "input.csv" With CSV

    Can import CSV: Disables CSV import of data when using the PSQL statement \COPY () TO ".csv" With CSV HEADER

    Can copy to clipboard: If enabled, text copied within the connected protocol session will be accessible by the user

    Can paste from clipboard: If enabled, the user can paste text from the local clipboard into the connected protocol session

    Font name: The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

    Font size: The size of the font to use, in points. By default, the size of rendered text will be 12 point.

    Maximum scrollback size: The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only: Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.
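    The "Can export CSV" and "Can import CSV" toggles in this table, and in the earlier table that cites the MySQL "select ... into local outfile" and "load data local infile" statements, govern the statements a session can use to move data out of or into the database as files. As an added example (not Keeper's code, and not a description of how the Gateway enforces the toggles), the following Python scans a constructed text session recording (typescript) for those statement forms and classifies each by data direction: \COPY ... TO and INTO OUTFILE write data out (export), while \COPY ... FROM and LOAD DATA LOCAL INFILE read data in (import). The sample transcript and the flag_disallowed helper are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed stand-in for a text session recording (typescript) of a database
# session. Hand-written sample data, not output of a real Keeper recording.
SAMPLE_TYPESCRIPT = """\
psql (15.3)
app=> SELECT count(*) FROM customers;
 count
-------
  4821
app=> \\COPY (SELECT email FROM customers) TO 'dump.csv' WITH CSV HEADER
COPY 4821
app=> \\copy staging FROM 'input.csv' with csv
COPY 12
mysql> SELECT * FROM users INTO OUTFILE '/tmp/u.csv' FIELDS TERMINATED BY ',';
Query OK, 300 rows affected
mysql> LOAD DATA LOCAL INFILE '/tmp/new.csv' INTO TABLE users;
mysql> SELECT 1;
"""


@dataclass(frozen=True)
class CsvTransfer:
    line_no: int
    dialect: str    # "psql" or "mysql"
    direction: str  # "export" (data leaves the database) or "import" (data enters it)
    setting: str    # the PAM Settings toggle that governs this statement
    statement: str


# Statement forms named in the PAM Settings tables, classified by data direction.
# psql's \copy runs client-side: "TO" writes a file on the client, "FROM" reads one.
# MySQL's INTO OUTFILE writes a file; LOAD DATA [LOCAL] INFILE reads one.
# Export rules are listed before import rules so "\copy ... TO" wins (see below).
_RULES = [
    (re.compile(r"\\copy\b.*?\bto\b", re.IGNORECASE), "psql", "export"),
    (re.compile(r"\\copy\b.*?\bfrom\b", re.IGNORECASE), "psql", "import"),
    (re.compile(r"\binto\s+(?:local\s+)?outfile\b", re.IGNORECASE), "mysql", "export"),
    (re.compile(r"\bload\s+data\s+(?:local\s+)?infile\b", re.IGNORECASE), "mysql", "import"),
]
_SETTING = {"export": "Can export CSV", "import": "Can import CSV"}
_PAREN = re.compile(r"\([^()]*\)")


def _strip_parens(text: str) -> str:
    """Remove (possibly nested) parenthesised groups, so the FROM inside
    \\copy (SELECT ... FROM t) TO 'f' is not mistaken for \\copy's own keyword."""
    prev = None
    while prev != text:
        prev, text = text, _PAREN.sub("", text)
    return text


def find_csv_transfers(typescript: str) -> List[CsvTransfer]:
    """Scan a text session recording line by line and return every CSV
    export/import statement found, with the PAM setting that governs it."""
    findings: List[CsvTransfer] = []
    for line_no, line in enumerate(typescript.splitlines(), start=1):
        probe = _strip_parens(line)
        for pattern, dialect, direction in _RULES:
            if pattern.search(probe):
                findings.append(CsvTransfer(line_no, dialect, direction,
                                            _SETTING[direction], line.strip()))
                break  # one classification per line
    return findings


def flag_disallowed(findings: List[CsvTransfer], *, can_export: bool,
                    can_import: bool) -> List[CsvTransfer]:
    """Return the findings whose governing toggle is disabled on the record,
    i.e. the statements a reviewer of the recording should look at first.
    This filter is the example's own; it does not model Gateway enforcement."""
    enabled = {"export": can_export, "import": can_import}
    return [f for f in findings if not enabled[f.direction]]


if __name__ == "__main__":
    found = find_csv_transfers(SAMPLE_TYPESCRIPT)
    for f in found:
        print(f"line {f.line_no}: {f.dialect} {f.direction} ({f.setting}): {f.statement}")
    # With CSV export disabled on the record, the two export statements are flagged.
    print([f.line_no for f in flag_disallowed(found, can_export=False, can_import=True)])
```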

    Connection Templates

    Keeper Connections can be authenticated using one of the following methods:

    • Launch Credential The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

    • Personal/Private Credential When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

    • Ephemeral Accounts When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

    For this protocol, both graphical and the full, raw text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this page.

    • Learn more about Session Recording and Playback

    Field: Description

    Launch Credentials: When configured, these credentials will be used to authenticate the connection. More details here

    Allow users to select credentials from their vault: When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details here

    Rotate launch credentials upon session termination: When enabled, the configured launch credentials will be automatically rotated when the session is closed

    Namespace: The name of the Kubernetes namespace of the pod containing the container being attached to. If omitted, the namespace "default" will be used.

    Pod Name: The name of the Kubernetes pod with the container being attached to.

    Container Name: The name of the container to attach to. If omitted, the first container in the pod will be used.

    Ignore Server Certificate: If checked, the validity of the SSL/TLS certificate used by the Kubernetes server will be ignored if it cannot be validated. By default, SSL/TLS certificates are validated.

    Certificate Authority Certificate: The certificate of the certificate authority that signed the certificate of the Kubernetes server, in PEM format. If omitted, verification of the Kubernetes server certificate will use only system-wide certificate authorities.

    Client Certificate: The certificate to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. If omitted, SSL client authentication will not be performed.

    Client Key: The key to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. If omitted, SSL client authentication will not be performed.

    Color Scheme: The color scheme to use for the terminal emulator used by Kubernetes connections. Each color scheme dictates the default foreground and background color of the terminal. Programs which specify colors when printing text will override these defaults.

    Font Size: The size of the font to use, in points. By default, the size of rendered text will be 12 point.

    Maximum scrollback size: The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only: Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

    Connection Templates

    Keeper Connections can be authenticated using one of the following methods:

    • Launch Credential The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

    • Personal/Private Credential When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

    • Ephemeral Accounts When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

    For this protocol, both graphical and the full, raw text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this page.

    • Learn more about Session Recording and Playback


    VNC Connections

    Keeper Connections - VNC Protocol

    Overview

    KeeperPAM enables zero-trust privileged session management for target infrastructure using the VNC protocol. This guide explains how to set up VNC connections on your PAM Machine Records in the Keeper Vault. Secure VNC sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.

    Prerequisites

    Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.

    The following PAM records are needed in order to successfully setup this protocol:

    PAM Record
    Definition

    This guide will use an Azure VM. For more details on how this is set up on the PAM Machine Record, visit the following page:

    PAM Settings - Configuring VNC Protocol

    Accessing Connection Settings

    After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

    1. Editing the PAM Record

    2. Clicking on "Set Up" in the PAM Settings section

    3. Navigating to the "Connection" section in the prompted window

    Configuring Connection Settings

    Prior to configuring the VNC protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

    The following table lists all the configurable settings for the VNC protocol on the PAM Settings:

    Field
    Definition

    Connection Authentication Methods

    Session Recordings - VNC Protocol

    Connection Templates

    Telnet Connections

    Keeper Connections - Telnet Protocol

    Overview

    KeeperPAM enables zero-trust privileged session management for target infrastructure using the Telnet protocol. This guide explains how to set up Telnet connections on your PAM Machine Records in the Keeper Vault. Secure sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.

    Prerequisites

    Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.

    The following PAM records are needed in order to successfully setup this protocol:

    PAM Record
    Definition

    This guide will use a Linux Machine. For more details on how this is set up on the PAM Machine Record, visit the following page:

    PAM Settings - Configuring Telnet Protocol

    Accessing Connection Settings

    After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

    1. Editing the PAM Record

    2. Clicking on "Set Up" in the PAM Settings section

    3. Navigating to the "Connection" section in the prompted window

    Configuring Connection Settings

    Prior to configuring the Telnet protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

    The following table lists all the configurable connection settings for the Telnet protocol on the PAM Settings:

    Field
    Definition

    Terminal behavior parameters

    In most cases, the default behavior of the Keeper Connection Manager terminal emulator works without modification. However, when connecting to certain systems (particularly operating systems other than Linux), the terminal behavior may need to be tweaked to allow it to operate properly. Keeper's telnet support provides parameters for controlling the control code sent for backspace, as well as the terminal type claimed via the TERM environment variable.

    Field
    Description

    Connection Authentication Methods

    Session Recordings - Telnet Protocol

    Connection Templates

    SSH Connections

    Keeper Connections - SSH Protocol

    Overview

    KeeperPAM enables zero-trust privileged session management for target infrastructure using the SSH protocol. This guide explains how to set up SSH connections on your PAM Machine Records in the Keeper Vault. Secure SSH sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.

    Prerequisites

    Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.

    The following PAM records are needed in order to successfully set up this protocol:

    This guide will use a Linux server to represent a PAM Machine record.

    PAM Settings - Configuring SSH Protocol

    Accessing Connection Settings

    After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

    1. Editing the PAM Record

    2. Clicking on "Set Up" in the PAM Settings section

    3. Navigating to the "Connection" section in the prompted window

    Configuring Connection Settings

    Prior to configuring the SSH protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

    The following table lists all the configurable connection settings for the SSH protocol on the PAM Settings:

    Field
    Definition

    Session / Environment parameters

    By default, SSH sessions will start an interactive shell. The shell which will be used is determined by the SSH server, normally by reading the user's default shell previously set with chsh or within /etc/passwd. If you wish to override this and instead run a specific command, you can do so by specifying that command in the configuration of the SSH connection.

    Field
    Description

    Terminal behavior parameters

    In most cases, the default behavior of the Keeper Connection Manager terminal emulator works without modification. However, when connecting to certain systems (particularly operating systems other than Linux), the terminal behavior may need to be tweaked to allow it to operate properly. Keeper's SSH support provides parameters for controlling the control code sent for backspace, as well as the terminal type claimed via the TERM environment variable.

    Field
    Description

    Connection Authentication Methods

    Starting a Connection

    Once you have configured the SSH Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:

    In the above image, a Linux server has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:

    File Transfers

    Transfer In

    If the SFTP file transfer feature is enabled, the user can drag and drop files into the terminal session to transfer the files to the machine.

    Keeper supports one or more files transferred simultaneously through drag-and-drop.

    While the files are being uploaded to the target machine, a file transfer status is displayed in the dock area of the Keeper Vault:

    Transfer Out

    To transfer files from the SSH remote connection to the local filesystem, you can download a tool called guacctl into the remote system and use it for performing outbound transfers.

    Download guacctl and set as executable:

    Initiate the file download using this syntax:

    SSH to Windows Servers

    The SSH protocol can also be used to access Windows servers for execution of PowerShell commands or other administrative actions.

    • Learn more on how to activate SSH on Windows

    Session Recordings - SSH Protocol

    Connection Templates

    SQL Server Connections

    Keeper Connections - SQL Server Protocol

    Overview

    KeeperPAM enables zero-trust privileged session management for SQL Server databases through an interactive CLI. This guide shows how to configure SQL Server connections on your PAM Database Records in the Keeper Vault. Sessions are securely initiated from the Vault, routed via the Keeper Gateway, and connected to target databases.

    PAM Configuration

    This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.

    Administrative Credential Record

    This is the linked PAM User that will be used to authenticate to the target and perform administrative operations on it.


    Allow users to select credentials from their vault

    When enabled, users can use their own personal/private credentials to authenticate the connection.

    Rotate launch credentials upon session termination

    When enabled, the configured launch credentials will be automatically rotated when the session is closed

    Destination Host

    Required if using a VNC Repeater such as UltraVNC Repeater

    The destination host to request when connecting to a VNC proxy such as UltraVNC Repeater

    Destination Port

    Required if using a VNC Repeater such as UltraVNC Repeater

    The destination port to request when connecting to a VNC proxy such as UltraVNC Repeater

    Can copy to clipboard

    If enabled, text copied within the connected protocol session will be accessible by the user

    Can paste from clipboard

    If enabled, user can paste text from clipboard within the connected protocol session

    Read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will only see the desktop and whatever other users using that same desktop are doing.

    Swap red/blue components

    If the colors of your display appear wrong (blues appear orange or red, etc.), it may be that your VNC server is sending image data incorrectly, and the red and blue components of each color are swapped. If this is the case, set this parameter to "true" to work around the problem.

    Force lossless compression

    Whether this connection should use lossless compression only. If set to "true", all graphical updates will use lossless compression algorithms. By default, lossy compression will automatically be used when Keeper detects that doing so would likely outperform lossless compression.

    Encoding

    The encoding to assume for the VNC clipboard. By default, the standard encoding ISO 8859-1 will be used. Only use this parameter if you are sure your VNC server expects a different, non-standard encoding.

    Possible values are:

    • "ISO8859-1" - The clipboard encoding mandated by the VNC standard.

    • "UTF-8"

    Cursor

    If set to "remote", the mouse pointer will be rendered remotely, and the local position of the mouse pointer will be indicated by a small dot. A remote mouse cursor will feel slower than a local cursor, but may be necessary if the VNC server does not support sending the cursor image to the client.

    Color depth

    The color depth to request, in bits per pixel. Legal values are 8, 16, 24, or 32. Note that, regardless of what value is chosen here, Keeper will always attempt to optimize image transmission, automatically using fewer bits per pixel if doing so will not visibly alter image quality.

    Enable audio

    If set to "true", audio support will be enabled, and a second connection for PulseAudio will be made in addition to the VNC connection. By default, audio support within VNC is disabled.

    Destination host

    The destination host to request when connecting to a VNC proxy such as UltraVNC Repeater. This is only necessary if the VNC proxy in use requires the connecting user to specify which VNC server to connect to. If the VNC proxy automatically connects to a specific server, this parameter is not necessary.

    Destination port

    The destination port to request when connecting to a VNC proxy such as UltraVNC Repeater. This is only necessary if the VNC proxy in use requires the connecting user to specify which VNC server to connect to. If the VNC proxy automatically connects to a specific server, this parameter is not necessary.

    PAM Configuration

    The PAM Configuration contains information about your target infrastructure

    PAM Machine Record

    The PAM Machine record contains information about the endpoint you want to establish a VNC protocol connection to.

    PAM User Record

    The PAM User record contains the VNC credentials that will be used to connect to the machine

    Protocol

    Required

    The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the VNC protocol should be selected

    Enable Connection

    Required

    To enable connection for this record, this toggle needs to be enabled

    Graphical Session Recording

    When enabled, graphical session recordings will be enabled for this record

    Include Key Events

    When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

    Connection Port

    The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For VNC, the default port is 5900

    Launch Credentials

    When configured, these credentials will be used to authenticate the connection. More details here

    • Example: Azure Windows VM
    [Figure: VNC Session Recordings]

    Field
    Description

    PAM Configuration

    This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.

    Administrative Credential Record

    This is the linked PAM User that will be used to authenticate to the target and perform administrative operations on it.

    Keeper Connections can be authenticated using one of the following methods:

    • Launch Credential: The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

    • Personal/Private Credential: When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

    • Ephemeral Accounts: When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

    The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

    Connection Templates

    Launch Credentials

    When configured, these credentials will be used to authenticate the connection.

    Allow users to select credentials from their vault

    When enabled, users can use their own personal/private credentials to authenticate the connection.

    Rotate launch credentials upon session termination

    When enabled, the configured launch credentials will be automatically rotated when the session is closed

    Username Regular Expression

    The regular expression to use to detect the username prompt when the username cannot be provided. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

    Password Regular Expression

    The regular expression to use to detect the password prompt. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

    Login Success Regular Expression

    The regular expression to use when detecting that the login attempt has succeeded. If specified, the terminal display will not be shown to the user until text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

    Login Failure Regular Expression

    The regular expression to use when detecting that the login attempt has failed. If specified, the connection will be closed with an explicit login failure error if text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

    Can copy to clipboard

    If enabled, text copied within the connected protocol session will be accessible by the user

    Can paste from clipboard

    If enabled, user can paste text from clipboard within the connected protocol session

    Color Scheme

    The color scheme to use for the terminal emulator used by Telnet connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

    • "black on white" - Black text over a white background

    • "gray on black" - Gray text over a black background (the default)

    • "green on black" - Green text over a black background

    Maximum scrollback size

    The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.
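    The four login regular expressions above are interpreted as POSIX ERE; the following Python simulation is an added example (not Keeper's or Guacamole's code) showing how they gate a Telnet login: the prompts trigger credential injection, the failure pattern closes the connection before the terminal is ever shown, and the success pattern releases the display. The patterns and server output are constructed, limited to syntax that ERE and Python's re module share, and ere_warnings flags Python-only tokens that egrep would not accept.

```python
import re

# Constructed example patterns, restricted to syntax that POSIX ERE (egrep) and
# Python's re module interpret the same way.
USERNAME_REGEX = "[Ll]ogin:|[Uu]sername:"
PASSWORD_REGEX = "[Pp]assword:"
LOGIN_SUCCESS_REGEX = "[$#] $"                # a shell prompt ending the output
LOGIN_FAILURE_REGEX = "Login incorrect|Access denied|Authentication failed"

# Tokens that Python's re accepts but POSIX ERE does not; ERE uses bracket
# classes such as [[:digit:]] and [[:space:]] instead, and has no lazy
# quantifiers or (?...) groups.
_NON_ERE_TOKENS = ("\\d", "\\D", "\\w", "\\W", "\\s", "\\S", "\\b", "(?", "*?", "+?")


def ere_warnings(pattern: str) -> list:
    """Return the Python-only regex tokens found in pattern; an empty list means
    the pattern uses only syntax that is safe to paste into the ERE fields."""
    return [tok for tok in _NON_ERE_TOKENS if tok in pattern]


class TelnetLoginGate:
    """Mirrors how the four regex settings drive a telnet login: the username and
    password prompts trigger credential injection, the failure pattern closes the
    connection with an explicit error, and the terminal is shown only once the
    success pattern has been received. Failure is tested before success so a
    login prompt that reappears after a bad password is never treated as a
    logged-in shell."""

    def __init__(self, username_re, password_re, success_re, failure_re):
        self.username_re = re.compile(username_re)
        self.password_re = re.compile(password_re)
        self.success_re = re.compile(success_re)
        self.failure_re = re.compile(failure_re)
        self.received = ""      # everything the server has sent so far
        self.unanswered = ""    # text received since the gate last acted on a prompt
        self.state = "waiting"

    def feed(self, chunk: str) -> str:
        """Consume text from the server and return the resulting state."""
        if self.state in ("failed", "success"):
            return self.state          # terminal states: nothing more to decide
        self.received += chunk
        self.unanswered += chunk
        if self.failure_re.search(self.received):
            self.state = "failed"      # connection closed with a login failure error
        elif self.success_re.search(self.unanswered):
            self.state = "success"     # terminal display is now shown to the user
        elif self.password_re.search(self.unanswered):
            self.state = "send-password"
            self.unanswered = ""       # credential injected; wait for fresh output
        elif self.username_re.search(self.unanswered):
            self.state = "send-username"
            self.unanswered = ""
        else:
            self.state = "waiting"     # prompt may still be arriving in pieces
        return self.state


def run_login(server_chunks: list) -> list:
    """Feed constructed server output through a gate built from the example
    patterns and return the state after each chunk."""
    gate = TelnetLoginGate(USERNAME_REGEX, PASSWORD_REGEX,
                           LOGIN_SUCCESS_REGEX, LOGIN_FAILURE_REGEX)
    return [gate.feed(chunk) for chunk in server_chunks]


if __name__ == "__main__":
    # Constructed transcript of a successful login, delivered in fragments.
    print(run_login(["Ubuntu 22.04 LTS\r\nhost login: ", "alice\r\nPass",
                     "word: ", "\r\nWelcome, alice\r\nalice@host:~$ "]))
    # Constructed transcript of a rejected password.
    print(run_login(["login: ", "Password: ", "\r\nLogin incorrect\r\nlogin: "]))
    print(ere_warnings("user\\d+:"))
```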

    PAM Configuration

    The PAM Configuration contains information about your target infrastructure

    PAM Machine Record

    The PAM Machine record contains information about the endpoint you want to establish a Telnet protocol connection to.

    PAM User Record

    The PAM User record contains the user credentials that will be used to connect to the endpoint

    Protocol

    Required

    The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the Telnet protocol should be selected

    Enable Connection

    Required

    To enable connection for this record, this toggle needs to be enabled

    Graphical Session Recording

    When enabled, graphical session recordings will be enabled for this record

    Text Session Recording (Typescript)

    When enabled, text session recordings (typescript) will be enabled for this record

    Include Key Events

    When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

    Connection Port

    The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For Telnet, the default port is 23

    Backspace key sends

    The integer value of the terminal control code that should be sent when backspace is pressed. Under most circumstances this should not need to be adjusted; however, if, when pressing the backspace key, you see control characters (often either ^? or ^H) instead of seeing the text erased, you may need to adjust this parameter. By default, the control code 127 (Delete) is sent.

    Terminal type

    The terminal type string that should be passed to the SSH server. This value will typically be exposed within the SSH session as the TERM environment variable and will affect the control characters sent by applications. By default, the terminal type string "linux" is used.

    [Figure: Telnet Session Recordings]

    Field
    Description

    PAM Configuration

    This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.

    Administrative Credential Record

    This is the linked PAM User that will be used to authenticate to the target and perform administrative operations on it.

    Keeper Connections can be authenticated using one of the following methods:

    • Launch Credential: The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

    • Personal/Private Credential: When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

    • Ephemeral Accounts: When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

    For this protocol, both graphical and the full, raw text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this page.

    • Learn more about Session Recording and Playback

    The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

    Connection Templates

    Launch Credentials

    When configured, these credentials will be used to authenticate the connection.

    Allow users to select credentials from their vault

    When enabled, users can use their own personal/private credentials to authenticate the connection.

    Rotate launch credentials upon session termination

    When enabled, the configured launch credentials will be automatically rotated when the session is closed

    Public Host Key (Base64)

    The known hosts entry for the SSH server, in the same format as would be specified within an OpenSSH known_hosts file. If not provided, no verification of host identity will be performed.

    Color Scheme

    The color scheme to use for the terminal emulator used by SSH connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

    • "black on white" - Black text over a white background

    • "gray on black" - Gray text over a black background (the default)

    • "green on black" - Green text over a black background

    Font Size

    Font size displayed for the terminal session

    Font Name

    The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

    Maximum scrollback size

    The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    SFTP

    If enabled, the user can drag and drop files into the terminal session to transfer one or more files.

    File Browser Root Directory

    If SFTP is enabled, file transfers will be saved to the specified folder path.

    Can copy to clipboard

    If enabled, text copied within the connected protocol session will be accessible by the user.

    Can paste from clipboard

    If enabled, user can paste text from clipboard within the connected protocol session.

    Read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.
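    Before pasting a value into Public Host Key (Base64), it is worth confirming that the line really describes the target, since leaving the field empty means no host identity verification at all. The following Python check is an added example (not Keeper's or OpenSSH's code): it parses a known_hosts line, verifies that the host column covers the PAM Machine's hostname and port, verifies that the declared key type matches the type encoded inside the key blob, and derives the SHA256 fingerprint that ssh-keygen -lf prints so it can be compared with the value the server administrator reports; the hostname, port and key bytes are constructed samples.

```python
import base64
import hashlib
import struct
from typing import Optional, Tuple

# Constructed sample key material (32 predictable bytes), NOT a real host key.
SAMPLE_ED25519_RAW = bytes(range(32))
SAMPLE_HOST = "db01.example.internal"          # constructed hostname


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_known_hosts_entry(host_field: str, key_type: str, raw_key: bytes) -> str:
    """Build a known_hosts line '<host> <type> <base64 blob>' where the blob is
    the wire encoding string(key_type) || string(raw_key), as OpenSSH writes it."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{host_field} {key_type} {base64.b64encode(blob).decode()}"


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form 'ssh-keygen -lf' prints: the digest of the
    decoded key blob, base64-encoded with the trailing '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(host_field: str, hostname: str, port: int = 22) -> bool:
    """The host column may list several names separated by commas and uses
    '[name]:port' for non-default ports. Hashed entries (|1|...) cannot be
    compared by name and are reported as non-matching."""
    if host_field.startswith("|1|"):
        return False
    wanted = hostname if port == 22 else f"[{hostname}]:{port}"
    return wanted in host_field.split(",")


def validate_entry(line: str, hostname: str, port: int = 22,
                   expected_fingerprint: Optional[str] = None) -> Tuple[bool, str]:
    """Check a known_hosts line before using it as the Public Host Key value.
    Returns (True, fingerprint) when every check passes, else (False, reason)."""
    fields = line.split()
    if len(fields) < 3:
        return False, "expected '<host> <key type> <base64 key>'"
    host_field, key_type, b64 = fields[0], fields[1], fields[2]
    if not host_matches(host_field, hostname, port):
        return False, f"host column {host_field!r} does not cover {hostname}:{port}"
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:           # binascii.Error is a ValueError subclass
        return False, f"key is not valid base64: {exc}"
    if len(blob) < 4:
        return False, "key blob too short"
    # The first wire string inside the blob names the algorithm; it must agree
    # with the key type column, otherwise the entry is corrupt or mis-assembled.
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len]
    if embedded_type != key_type.encode():
        return False, (f"key type column says {key_type} but the encoded key says "
                       f"{embedded_type.decode('ascii', 'replace')}")
    fp = fingerprint(blob)
    if expected_fingerprint is not None and fp != expected_fingerprint:
        return False, f"fingerprint {fp} does not match expected {expected_fingerprint}"
    return True, fp


# Constructed entries: default port, and a non-default port with an IP alias.
SAMPLE_ENTRY = make_known_hosts_entry(SAMPLE_HOST, "ssh-ed25519", SAMPLE_ED25519_RAW)
SAMPLE_PORT_ENTRY = make_known_hosts_entry(f"[{SAMPLE_HOST}]:2222,10.0.0.5",
                                           "ssh-ed25519", SAMPLE_ED25519_RAW)

if __name__ == "__main__":
    print(SAMPLE_ENTRY)
    print(validate_entry(SAMPLE_ENTRY, SAMPLE_HOST))
    print(validate_entry(SAMPLE_PORT_ENTRY, SAMPLE_HOST, port=2222))
    print(validate_entry(SAMPLE_ENTRY, "other.example.internal"))
```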

    Protocol

    Required

    The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the SSH protocol should be selected

    Enable Connection

    Required

    To enable connection for this record, this toggle needs to be enabled

    Graphical Session Recording

    When enabled, graphical session recordings will be enabled for this record

    Text Session Recording (Typescript)

    When enabled, text session recordings (typescript) will be enabled for this record

    Include Key Events

    When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

    Connection Port

    The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For SSH, the default port is 22

    Execute command

    The command to execute over the SSH session, if any. If not specified, the SSH session will use the user's default shell.

    Language/Locale ($LANG)

    The specific locale to request for the SSH session. This may be any value accepted by the LANG environment variable of the SSH server. If not specified, the SSH server's default locale will be used.

    As this parameter is sent to the SSH server using the LANG environment variable, the parameter will only have an effect if the SSH server allows the LANG environment variable to be set by SSH clients.

    Time zone ($TZ)

    The time zone to request for the SSH session. This may be any value accepted by the TZ environment variable of the SSH server, typically the standard names defined by the IANA time zone database. If not specified, the SSH server's default time zone will be used.

    As this parameter is sent to the SSH server using the TZ environment variable, the parameter will only have an effect if the SSH server allows the TZ environment variable to be set by SSH clients.

    Server keepalive interval

    The interval in seconds between which keepalive packets should be sent to the SSH server, where "0" indicates that no keepalive packets should be sent at all (the default behavior). The minimum legal value is "2".

    Backspace key sends

    The integer value of the terminal control code that should be sent when backspace is pressed. Under most circumstances this should not need to be adjusted; however, if, when pressing the backspace key, you see control characters (often either ^? or ^H) instead of seeing the text erased, you may need to adjust this parameter. By default, the control code 127 (Delete) is sent.

    Terminal type

    The terminal type string that should be passed to the SSH server. This value will typically be exposed within the SSH session as the TERM environment variable and will affect the control characters sent by applications. By default, the terminal type string "linux" is used.

    [Figures: SSH Session Launching, SSH Session Active, SFTP File Transfer Options, File Upload Status, SSH Session Recordings]

    Field
    Description

    PAM Configuration

    This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.

    Administrative Credential Record

    This is the linked PAM User that will be used to authenticate to the target and perform administrative operations on it.

    Keeper Connections can be authenticated using one of the following methods:

    • Launch Credential: The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

    • Personal/Private Credential: When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

    • Ephemeral Accounts: When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

    For this protocol, both graphical and the full, raw text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this page.

    • Learn more about Session Recording and Playback

    The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

    Connection Templates

    Prerequisites

    Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.

    The following PAM records are needed in order to successfully set up this protocol:

    PAM Record
    Definition

    PAM Configuration

    The PAM Configuration contains information about your target infrastructure

    PAM Database Record

    The PAM Database record contains information about the endpoint you want to establish a SQL Server protocol connection to.

    PAM User Record

    The PAM User record contains the SQL Server user credentials that will be used to connect to the endpoint

    This guide will use a SQL Database. The setup is similar to that of a MySQL database; for more details on how this is set up, visit the following page:

    • Example: Microsoft SQL Server Database

    PAM Settings - SQL Server Protocol

    Accessing Connection Settings

    After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

    1. Editing the PAM Record

    2. Clicking on "Set Up" in the PAM Settings section

    3. Navigating to the "Connection" section in the prompted window

    Configuring Connection Settings

    Prior to configuring the SQL Server protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

    The following table lists all the configurable connection settings for the SQL Server protocol on the PAM Settings:

    Field
    Definition

    Protocol

    Required

    The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the SQL Server protocol should be selected

    Enable Connection

    Required

    To enable connection for this record, this toggle needs to be enabled

    Graphical Session Recording

    When enabled, graphical session recordings will be enabled for this record

    Text Session Recording (Typescript)

    When enabled, text session recordings (typescript) will be enabled for this record

    Include Key Events

    When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

    Connection Port

    The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Database record. The port specified here will override the default port. For SQL Server, the default port is 1433

    Connection Authentication Methods

    Session Recordings - SQL Server Protocol

    Connection Templates

    Field
    Description

    Keeper Connections can be authenticated using one of the following methods:

    • Launch Credential: The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

    • Personal/Private Credential: When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

    • Ephemeral Accounts: When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

    For this protocol, both graphical and the full, raw text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this page.

    • Learn more about Session Recording and Playback

    The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

    Allowed Resource URL Patterns

    The patterns of all URLs that a page should be allowed to load as a resource, such as an image, script, stylesheet, font, etc. Multiple patterns may be specified, separated by newlines. If specified, only resources matching patterns in the list are permitted to be loaded. By default, no restrictions are imposed on resources loaded by pages.

    Can copy to clipboard

    If enabled, text copied within the connected protocol session will be accessible by the user.

    Can paste from clipboard

    If enabled, user can paste text from clipboard within the connected protocol session.

    Browser Autofill

    KeeperPAM provides the capability of autofilling a username, password and TOTP code into a target website login screen.


    Commands for the "Transfer Out" steps in the SSH guide above (download guacctl, mark it executable, then request a file download):

```bash
# Transfer Out, step 1: download guacctl to the remote system and mark it executable.
# The script is fetched unpinned from the master branch; review its contents before
# running it on a privileged host.
wget https://raw.githubusercontent.com/apache/guacamole-server/master/bin/guacctl
chmod +x guacctl

# Transfer Out, step 2: request a download of <filename> through the active SSH session.
./guacctl -d <filename>
```
    • "white on black" - White text over a black background
    • "Custom" - custom color scheme
    • Default value is "white-black"


    Launch Credentials

    When configured, these credentials will be used to authenticate the connection. More details here

    Allow users to select credentials from their vault

    When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details here

    Rotate launch credentials upon session termination

    When enabled, the configured launch credentials will be automatically rotated when the session is closed

    Default Database

    The database schema selected when connecting to the specified database server.

    Can export CSV

    Enables CSV export of data when using the SQL statement "select ... into local outfile"

    Can import CSV

    Enables CSV import of data when using the SQL statement "load data local infile ... into table"

    Can copy to clipboard

    If enabled, text copied within the connected protocol session will be accessible by the user

    Can paste from clipboard

    If enabled, user can paste text from local clipboard into the connected protocol session

    Font name

    The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

    Font size

    The size of the font to use, in points. By default, the size of rendered text will be 12 point.


    Maximum scrollback size

    The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

    PAM Configuration

    This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.

    Administrative Credential Record

    This is the linked PAM User that will be used to authenticate to the target and perform administrative operations on it.

    • "UTF-16"
    • "CP1252" - Code page 1252, a Windows-specific encoding for Latin characters which is mostly a superset of ISO 8859-1.


    For this protocol, graphical data, including timing information, is recorded. For more details on the recordings and how to access them, see the docs.



    PAM Configuration

    The PAM Configuration contains information about your target infrastructure.

    PAM Machine Record

    The PAM Machine record contains information about the endpoint you want to establish an SSH protocol connection to.

    PAM User Record

    The PAM User record contains the user credentials that will be used to connect to the endpoint.


    RDP Connections

    Keeper Connections - RDP Protocol

    Overview

    KeeperPAM enables zero-trust privileged session management for target infrastructure using the RDP protocol. This guide explains how to set up RDP connections on your PAM Machine Records in the Keeper Vault. Secure RDP sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.

    Prerequisites

    Prior to following this guide, familiarize yourself with the prerequisites on the Connections Getting Started page.

    The following PAM records are needed in order to successfully setup this protocol:

    PAM Record
    Definition

    This guide will use an Azure VM as an example. For more details on how this is set up on the PAM Machine Record, visit the Example: Azure Windows VM page.

    PAM Settings - Configuring RDP Protocol

    Accessing Connection Settings

    After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) for your target endpoint, navigate to the Connection section of the PAM Settings screen by:

    1. Editing the PAM Record

    2. Clicking "Set Up" in the PAM Settings section

    3. Navigating to the "Connection" section in the window that opens

    Configuring Connection Settings

    Prior to configuring the RDP protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

    The following table lists all the configurable settings for the RDP protocol on the PAM Settings:

    Field
    Description

    Display parameters

    The Keeper Vault client will automatically choose an appropriate display size for RDP connections based on the size of the browser window and the DPI of the device. The size of the display can be forced by specifying explicit width or height values. To reduce bandwidth usage, you may also request that the server reduce its color depth.

    Field
    Description

    Clipboard parameters

    The Keeper Vault client provides bidirectional access to the clipboard by default for RDP connections. This behavior can be overridden on a per-connection basis, restricting access to the clipboard.

    Field
    Description


    Device redirection parameters

    Device redirection refers to the use of non-display devices over RDP. The Keeper Vault client's RDP support currently allows redirection of audio (both output and input), printing, and disk access, some of which require additional configuration in order to function properly:

    • Audio output is always enabled by default. Configuration changes for audio output need only be made if this should be disabled.

    • Audio input, if enabled, allows users to make use of their local microphone within the remote desktop session. Enabling this typically also requires additional configuration within Windows, as group policy is often configured to disable this. Older versions of Windows may lack support for audio input via remote desktop entirely.

    • Printing, if enabled, allows users to print arbitrary documents directly to PDF. When documents are printed to the redirected printer, the user will receive a PDF download of that document within their web browser.

    Field
    Description

    Performance parameters / flags

    RDP provides several flags which control the availability of features that decrease performance and increase bandwidth for the sake of aesthetics, such as wallpaper, window theming, menu effects, and smooth fonts. These features are all disabled by default within Keeper such that bandwidth usage is minimized, but you can manually re-enable them on a per-connection basis if desired.

    Field
    Description

    RemoteApp Parameters

    Windows Server provides a feature called RemoteApp which allows individual applications to be used over RDP, without providing access to the full desktop environment, through the Remote Desktop Services (RDS) role. If your Windows Server has this feature enabled and configured, or you have RemoteApp configured and enabled in a different manner, you can configure Keeper Connection Manager to use those individual applications.

    Key benefits of using Keeper to access RemoteApps:

    • Centralized management: Admins control apps, updates and permissions from a single pane.

    • Seamless user experience: RemoteApps run in the browser and feel native to users.

    • Cost efficiency: No per-endpoint installs or plugins, which reduces desktop software deployment, maintenance and security overhead.

    • Enhanced security: Data and apps stay on the secured server; supports RBAC, MFA and session recording.

    • Cross-platform access: Users on macOS, Linux and mobile can access Windows-only apps and other systems via RDP/SSH/VNC/DB.

    Field
    Description

    Load balancing parameters (connection broker)

    If your remote desktop servers are behind a load balancer, sometimes referred to as a "connection broker" or "TS session broker", that balancer may require additional information during the connection process to determine how the incoming connection should be routed. RDP does not dictate the format of this information; it is specific to the balancer in use.

    If you are using a load balancer and are unsure whether such information is required, you will need to check the documentation for your balancer. If your balancer provides .rdp files for convenience, look through the contents of those files for a string field called "loadbalanceinfo", as that field is where the required information/cookie would be specified.
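    As an added example (not from the Keeper documentation), the following PowerShell reads the loadbalanceinfo field out of an .rdp file so the value can be copied into the "Load balance info/cookie" field. It first writes a constructed sample .rdp file to the temp directory; the collection name in that sample is made up, and the parser is generic, so it can be pointed at a broker-supplied file instead.

```powershell
# Added example, not part of the Keeper documentation.
# .rdp files are "key:type:value" lines. The value may itself contain colons
# (for example "tsv://..."), so only the first two colons are separators.
function Get-RdpSetting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    foreach ($line in Get-Content -LiteralPath $Path) {
        $parts = $line -split ':', 3
        if ($parts.Count -eq 3 -and $parts[0] -ieq $Name) {
            return [pscustomobject]@{ Name = $parts[0]; Type = $parts[1]; Value = $parts[2] }
        }
    }
    return $null
}

# Constructed sample file (assumption): the shape a 2012+ RDS broker hands out.
$sample = Join-Path $env:TEMP 'broker-sample.rdp'
@(
    'full address:s:rds.example.internal'
    'loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.PamCollection'
    'screen mode id:i:2'
) | Set-Content -LiteralPath $sample

$setting = Get-RdpSetting -Path $sample -Name 'loadbalanceinfo'
if ($null -eq $setting) {
    'No loadbalanceinfo field: leave the Load balance info/cookie field blank.'
} else {
    # Type "s" is a string field; the string is what the broker expects verbatim.
    "Load balance info/cookie ($($setting.Type)): $($setting.Value)"
}
```

    Paste the printed value unchanged, including the tsv:// prefix; the broker, not RDP, defines its format.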

    Field
    Description

    Preconnection PDU (Hyper-V)

    Some RDP servers host multiple logical RDP connections behind a single server listening on a single TCP port. To select between these logical connections, an RDP client must send the "preconnection PDU" - a message which contains values that uniquely identify the destination, referred to as the "RDP source". This mechanism is defined by the "Session Selection Extension" for the RDP protocol, and is implemented by Microsoft's Hyper-V hypervisor.

    If you are using Hyper-V, you will need to specify the ID of the destination virtual machine as the "preconnection BLOB". This value can be determined using PowerShell:
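    The page does not reproduce the command itself. As an added example (not Keeper's own documentation), this PowerShell, run on the Hyper-V host with the Hyper-V module available, prints the GUID to paste into the "Preconnection BLOB (VM ID)" field and then checks that the Hyper-V RDP listener port is reachable. The VM name and host name are assumptions.

```powershell
# Added example, not part of the Keeper documentation. Names are assumptions.
$VmName     = 'pam-target-vm'
$HyperVHost = 'hv01.example.internal'

# On the Hyper-V host: Get-VM exposes the VM identifier as a GUID in the Id
# property. That GUID string is the preconnection BLOB.
$vm = Get-VM -Name $VmName -ErrorAction Stop
"Preconnection BLOB (VM ID) for $($vm.Name): $($vm.Id.ToString())"

# Or list every VM on the host with its ID and state.
Get-VM | Select-Object Name, Id, State | Format-Table -AutoSize

# From the Keeper Gateway host: the "vmconnect" security mode talks to the
# Hyper-V RDP listener on TCP 2179, not 3389, so test that port instead.
Test-NetConnection -ComputerName $HyperVHost -Port 2179 -InformationLevel Quiet
```

    Leave "RDP source ID" blank for Hyper-V; only the BLOB is used.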

    The preconnection PDU is intentionally generic. While its primary use is as a means for selecting virtual machines behind Hyper-V, other RDP servers may use it as well. It is up to the RDP server itself to determine whether the preconnection ID, BLOB, or both will be used, and what their values mean.

    If you do intend to use Hyper-V, beware that its built-in RDP server uses slightly different parameters for both authentication and the port number, and Keeper's defaults will not work. In most cases, you will need to do the following when connecting to Hyper-V:

    1. Specify both the username and password appropriately, and set the security mode to "vmconnect". Selecting the "vmconnect" security mode will configure Keeper to automatically negotiate security modes known to be supported by Hyper-V, and will automatically select Hyper-V's default RDP port (2179).

    2. If necessary, ignore the TLS certificate used by Hyper-V, which may be self-signed.

    Field
    Description

    SFTP parameters (file transfer)

    Keeper can provide file transfer over SFTP even when the remote desktop is otherwise being accessed through RDP and not SSH. This support is independent of the file transfer implemented through RDP's own "drive redirection" (RDPDR), and is particularly useful for RDP servers which do not support RDPDR. The SFTP server does not need to be the same server as the RDP server.

    SSH key or password based authentication must be set up and enabled for the target "SFTP User" on that target system. If you have not set up OpenSSH on the target system, please visit Microsoft's official "Get started with OpenSSH for Windows" page.
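    As an added example (not from the Keeper documentation), here is the Windows-side preparation, run in an elevated PowerShell on the target: install and start the built-in OpenSSH server, open the firewall port, and register a public key for the SFTP user. The key is a placeholder, and it assumes the SFTP user is a member of the local Administrators group, which is why the key goes into administrators_authorized_keys rather than the user's own .ssh\authorized_keys.

```powershell
# Added example, not part of the Keeper documentation. Run elevated on the target.
$capability = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($null -eq $capability) { throw 'OpenSSH.Server capability not available on this Windows build' }
if ($capability.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capability.Name
}

Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# The installer normally creates this rule; add it only if it is missing.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

# Key-based auth for an administrative SFTP user (assumption). Placeholder key:
$publicKey = 'ssh-ed25519 AAAAC3...replace-with-the-real-public-key pam-sftp'
$keyFile   = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Add-Content -Path $keyFile -Value $publicKey
# sshd ignores this file unless only Administrators and SYSTEM can access it.
icacls.exe $keyFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F'

# Confirm sshd is listening before enabling SFTP on the PAM record.
Get-NetTCPConnection -LocalPort 22 -State Listen | Select-Object LocalAddress, LocalPort
```

    For a non-administrator SFTP user, put the key in C:\Users\<username>\.ssh\authorized_keys instead and skip the icacls step.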

    Field
    Description

    File Transfers Upload

    The following screenshots illustrate the file "client_id.txt" being uploaded to the target system by dragging and dropping it into the connection session window. As the second image shows, the file is uploaded and saved to the Default Upload Directory. Multiple files can be dragged and dropped for upload.

    File Transfer Download

    Currently, the only way to trigger a download of a file from a remote Windows system to the local machine is through a KeeperPAM SSH connection to that system, using a script called guacctl.

    The remote machine needs to be running WSL2 with your preferred Linux distribution in order to use the guacctl script.

    To download guacctl onto the target system, launch a KeeperPAM SSH session to the target system and, in your desired directory, run the wget command from the guacctl commands listed earlier on this page (it fetches the script from the apache/guacamole-server repository).

    Change the file to be executable with chmod +x guacctl.

    Initiate the file download with ./guacctl -d <filename>.

    To download multiple files, pass the file names separated by spaces: ./guacctl -d <file1> <file2> ...

    Full Screenshot example below.

    The "Save File" window will appear on your local computer allowing you to save the file to your desired location. If multiple files are being downloaded, the Save File window will appear for each file in succession.

    Connection Authentication Methods

    Session Recordings - RDP Protocol

    Troubleshooting Connections

    When troubleshooting authentication and connection issues, check the following:

    • Ensure the user specified in the linked PAM User record has the rights to RDP to the target machine.

    • Adjust your group policy or add the user to the "Remote Desktop Users" group on Windows to grant access.

    • For additional troubleshooting, refer to the Gateway logs, which contain additional information. The location of the Gateway logs depends on the installation method.
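    As an added example (not from the Keeper documentation), this PowerShell, run in an elevated session on the Windows target, performs the checks above and also reads the server's NLA and security-layer requirement, which determines which Security Mode the record can use (a server with NLA required rejects "RDP Encryption"). The account name is an assumption; use the user from the linked PAM User record.

```powershell
# Added example, not part of the Keeper documentation. Run elevated on the target.
$PamUser = 'CORP\svc-pam-rdp'   # assumption: the user on the linked PAM User record

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"RDP enabled: $($ts.fDenyTSConnections -eq 0)"

# 2. Security mode the server insists on. UserAuthentication = 1 means NLA is
#    mandatory, so the record must use "any" or "NLA" with authentication enabled.
$rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
"NLA required: $($rdpTcp.UserAuthentication -eq 1); SecurityLayer: $($rdpTcp.SecurityLayer) (0=RDP, 1=negotiate, 2=TLS)"

# 3. Is the listener on the port the PAM Machine record points at (3389 by default)?
Get-NetTCPConnection -LocalPort $rdpTcp.PortNumber -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort

# 4. Right to log on over RDP: Administrators have it implicitly, everyone
#    else must be in "Remote Desktop Users" (or granted it by group policy).
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
if ($members -notcontains $PamUser) {
    "$PamUser is not in Remote Desktop Users; adding"
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $PamUser
}

# 5. Host firewall: the built-in "Remote Desktop" rule group must be enabled.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled, Direction
```

    If check 4 passes but logons still fail, a domain GPO setting "Allow log on through Remote Desktop Services" can override local group membership; compare it with the Gateway log error.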

    Connection Templates

    Allow users to select credentials from their vault

    When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details

    Rotate launch credentials upon session termination

    When enabled, the configured launch credentials will be automatically rotated when the session is closed

    Security Mode

    The security mode to use for the RDP connection. This mode dictates how data will be encrypted and what type of authentication will be performed, if any. By default, security mode negotiation is performed.

    Legal values are:

    • "any" - Negotiate with the server, allowing the RDP server to choose its preferred security mode (the default).

    • "NLA" - Network Level Authentication, sometimes also referred to as "hybrid" or CredSSP (the protocol that drives NLA); uses TLS encryption.

    • "RDP Encryption" - Standard RDP encryption. Newer Windows servers generally have this mode disabled by default, and instead require NLA.

    Disable Authentication

    If enabled, authentication will be disabled. Note that this refers to authentication that takes place while connecting. Any authentication enforced by the server over the remote desktop session (such as a login dialog) will still take place. By default, authentication is enabled and only used when requested by the server.

    If you are using NLA, authentication must be enabled by definition.

    Ignore Server Certificate

    If enabled, the certificate returned by the server will be ignored, even if that certificate cannot be validated. This is useful if you universally trust the server and your connection to the server, and you know that the server's certificate cannot be validated (for example, if it is self-signed).

    Load Balance Info/Cookie

    The load balancing information or cookie which should be provided to the connection broker. If no connection broker is being used, this should be left blank

    RDP Source ID

    The numeric ID of the RDP source. This is a non-negative integer value dictating which of potentially several logical RDP connections should be used. This parameter is only required if the RDP server is documented as requiring it. If using Hyper-V, this should be left blank.

    Preconnection BLOB (VM ID)

    An arbitrary string which identifies the RDP source - one of potentially several logical RDP connections hosted by the same RDP server. This parameter is only required if the RDP server is documented as requiring it, such as Hyper-V. In all cases, the meaning of this parameter is opaque to the RDP protocol itself and is dictated by the RDP server. For Hyper-V, this will be the ID of the destination virtual machine.

    Can copy to clipboard

    If enabled, text copied within the connected protocol session will be accessible by the user

    Can paste from clipboard

    If enabled, users can paste text from clipboard within the connected protocol session

    Enable SFTP

    If enabled, users can securely upload files to the target system through SFTP. SSH key or password based authentication must be set up and enabled on the target system. If you have not set up OpenSSH on the target system, please visit Microsoft's official "Get started with OpenSSH for Windows" page.

    Disable Audio

    Audio output is always enabled by default. If you are concerned about bandwidth usage, or audio is causing problems, you can explicitly disable audio output

    Initial program

    The full path to the initial program to run immediately upon connecting.

    Client name

    When connecting to the RDP server, Keeper will normally provide its own hostname as the name of the client. If this parameter is specified, Keeper will use its value instead.

    On Windows RDP servers, this value is exposed within the session as the CLIENTNAME environment variable.

    Keyboard layout

    The server-layout that the RDP server will be using. Legal values are:

    • "da-dk-qwerty" - Danish

    • "de-ch-qwertz" - Swiss German

    • "de-de-qwertz" - German

    Time zone

    The timezone that the client should send to the server for configuring the local time display of that server. The format of the timezone is in the standard IANA key zone format, which is the format used in UNIX/Linux. This will be converted by RDP into the correct format for Windows.

    Support for forwarding the client timezone varies by RDP server implementation. For example, with Windows, support for forwarding timezones is only present in Windows Server with Remote Desktop Services (RDS, formerly known as Terminal Services) installed. Windows Server installations in admin mode, along with Windows workstation versions, do not allow the timezone to be forwarded. Other server implementations, such as XRDP, may not implement this feature at all. Consult the documentation for the RDP server to determine whether or not this feature is supported.

    Enable multi-touch

    Set to "true" if multi-touch support should be enabled for the RDP connection. Enabling RDP support for multi-touch allows touch events to be passed through to the remote desktop, and requires that the RDP server support the RDPEI channel.

    This parameter does not control whether Keeper itself supports touch events. Keeper always supports touch events and will use any touch events to emulate a mouse by default. This parameter controls only whether touch events should be passed directly through to the RDP server instead of emulating a mouse.

    Administrator console

    If set to "true", you will be connected to the console (admin) session of the RDP server.

    Read-only

    If set to "true", no input will be accepted on the connection at all. Users will be able to see the desktop or application but will be unable to interact.

    File transfer, if enabled, is provided by emulating a virtual disk drive. This drive will persist on the Keeper Gateway, confined within the drive path specified. Coming Soon

    Drive name - Coming Soon

    The name of the filesystem used when passed through to the RDP session. This is the drive-name that users will see in their Computer/My Computer area along with client name, and is also the name of the share when accessing the special \\tsclient network location.

    If drive redirection is not enabled, this parameter is ignored.

    Drive path - Coming Soon

    The directory on the Keeper Gateway in which transferred files should be stored.

    If drive redirection is not enabled, this parameter is ignored.

    Disable bitmap caching

    If set to "true", the RDP bitmap cache will not be used. By default, caching of bitmaps is enabled.

    This is generally only useful when dealing with an RDP server that has known bugs in its implementation of bitmap caching, and should remain enabled in most circumstances.

    Disable off-screen caching

    If set to "true," caching of regions of the screen that are not currently visible will be disabled. By default, caching of off-screen regions is enabled.

    This is generally only useful when dealing with an RDP server that has known bugs in its implementation of off-screen caching, and should remain enabled in most circumstances.

    Disable glyph caching

    If set to "true", the RDP glyph cache will not be used. By default, caching of glyphs is enabled.

    This is generally only useful when dealing with an RDP server that has known bugs in its implementation of glyph caching, and should remain enabled in most circumstances.


    PAM Configuration

    The PAM Configuration contains information of your target infrastructure

    PAM Machine Record

    The PAM Machine record contains information of the endpoint you want to establish an RDP protocol connection to.

    PAM User Record

    The PAM User record contains the user credentials that will be used to connect to the endpoint

    Protocol

    Required

    The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the RDP protocol should be selected

    Enable Connection

    Required

    To enable connection for this record, this toggle needs to be enabled

    Graphical Session Recording

    When enabled, graphical session recordings will be enabled for this record

    Include Key Events

    When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

    Connection Port

    The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For RDP, the port is 3389

    Launch Credentials

    When configured, these credentials will be used to authenticate the connection. More details here

    Width

    The width of the display to request, in pixels. If this value is not specified, the width of the connecting client display will be used instead.

    Height

    The height of the display to request, in pixels. If this value is not specified, the height of the connecting client display will be used instead.

    Resolution (DPI)

    The desired effective resolution of the client display, in dpi. If this value is not specified, the resolution and size of the client display will be used together to determine, heuristically, an appropriate resolution for the RDP session.

    Color depth

    The color depth to request, in bits per pixel. Legal values are 8, 16, or 24. Note that, regardless of what value is chosen here, Keeper will always attempt to optimize image transmission, automatically using fewer bits per pixel if doing so will not visibly alter image quality.

    Force lossless compression

    If set to "true", all graphical updates will use lossless compression algorithms. By default, lossy compression will automatically be used when Keeper detects that doing so would likely outperform lossless compression.

    Resize method

    Resize method used to update the RDP server when the width or height of the client display changes. If this value is not specified, no action will be taken when the client display changes size.

    Normally, the display size of an RDP session is constant and can only be changed when initially connecting. As of RDP 8.1, the "Display Update" channel can be used to request that the server change the display size. For older RDP servers, the only option is to disconnect and reconnect with the new size. Legal values are:

    • "display-update" - Use the "Display Update" channel (added in RDP 8.1) to signal the server when display size has changed

    • "reconnect" - Automatically disconnect and reconnect the RDP session when the client display size has changed

    Disable copying from remote desktop

    If set to "true", copied text within the RDP session will not be accessible by the user at the browser side of the Keeper session, and will be usable only within the remote desktop. By default, the user will be given access to the copied text.

    Disable pasting from client

    If set to "true", text copied at the browser side of the Keeper session will not be accessible within the RDP session. By default, the user will be able to paste data from outside the browser within the RDP session.

    Support audio in console

    If set to "true", audio will be explicitly enabled in the console (admin) session of the RDP server. Setting this option to "true" only makes sense if the "Administrator Console" parameter is also set to "true".

    Disable audio

    Audio output is always enabled by default. If you are concerned about bandwidth usage, or audio is causing problems, you can explicitly disable audio output by setting this parameter to "true".

    Enable audio input (microphone)

    If set to "true", audio input support (microphone) will be enabled, leveraging the standard "AUDIO_INPUT" channel of RDP. By default, audio input support within RDP is disabled.


    Enable printing

    If set to "true", a redirected printer will be made available within the RDP session that users can use to print to a PDF. The PDF is received and automatically downloaded by the user's browser. By default, printing is disabled.

    Redirected printer name

    The name of the redirected printer device that is passed through to the RDP session. This is the name that the user will see in their applications and within the Devices and Printers control panel. If printer redirection is not enabled, this parameter has no effect.

    Enable drive - Coming Soon

    If set to "true", a redirected drive will be made available within the RDP session that users can use to transfer files. The contents of the virtual drive are persisted on the Keeper Gateway in the directory specified by the "Drive path" parameter. By default, drive redirection is disabled.

    Enable wallpaper

    If set to "true", enables rendering of the desktop wallpaper. By default, wallpaper will be disabled, such that unnecessary bandwidth need not be spent redrawing the desktop.

    Enable theming

    If set to "true", enables use of theming of windows and controls. By default, theming within RDP sessions is disabled.

    Enable font smoothing (ClearType)

    If set to "true", text will be rendered with smooth edges. Text over RDP is rendered with rough edges by default, as this reduces the number of colors used by text, and thus reduces the bandwidth required for the connection.

    Enable full-window drag

    If set to "true", the contents of windows will be displayed as windows are moved. By default, the RDP server will only draw the window border while windows are being dragged.

    Enable desktop composition (Aero)

    If set to "true", graphical effects such as transparent windows and shadows will be allowed. By default, such effects, if available, are disabled.

    Enable menu animations

    If set to "true", menu open and close animations will be allowed. Menu animations are disabled by default.

    Program

    This is the Remote Application to start on the RDS Host or target system configured with RemoteApp. This application and only this application will be available to the user upon launching the connection.

    Typically, for an application to be available, it must first be published as a "RemoteApp" program in a current or newly created "Collection". You can specify the "Alias" you have set of a RemoteApp, such as "||cmd" or use full paths to launch a program instead of an alias such as "C:\Windows\system32\cmd.exe" or "%windir%\system32\cmd.exe".

    More information about Remote Desktop Services collection for remote apps can be officially found here.

    Working Directory

    This will be the working directory of the remote application, if any and if supported. Not all applications support a working directory, Notepad for example.

    In the context of Microsoft's RemoteApp, the working directory is the default folder that a remote application uses to open and save files. It is the starting location for file operations and is particularly important for legacy applications that expect to find specific files in a certain place to function correctly such as data or configurations.

    To specify "Working Directory" simply add the directory path such as "C:\remoteworkingdir\"

    Parameters

    This is where you would put "command-line arguments" to pass to the remote application, if any. Not all applications have command-line arguments.

    Please refer to the command line documentation for your application's "command-line arguments" and usage.

    For example, if you wanted the RemoteApp, "cmd.exe" to enable command extensions, change background/foreground colors and list out the contents of your working directory, upon Launching the RemoteApp connection, you can add the following command-line arguments "/e:on /t:06 /k dir", specifically for "cmd.exe", to this field.

    More examples of "command-line arguments", for "cmd.exe" can be found here if you would like to use for testing.
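    As an added example (not from the Keeper documentation), this PowerShell, run on the RDS connection broker with the RemoteDesktop module, lists the published RemoteApps and their aliases in a collection and publishes cmd.exe the way the text above assumes, with client command-line parameters allowed so the value in the Parameters field is actually honoured. The collection and broker names are assumptions.

```powershell
# Added example, not part of the Keeper documentation. Run on the RDS broker.
Import-Module RemoteDesktop
$Collection = 'PamApps'                  # assumption
$Broker     = 'rdcb.example.internal'    # assumption

# The Alias column is what goes into the Program field, prefixed with "||" (e.g. "||cmd").
Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker |
    Select-Object Alias, DisplayName, FilePath, CommandLineSetting, RequiredCommandLine

# Publish cmd.exe. CommandLineSetting decides what happens to the Parameters
# field on the PAM record:
#   DoNotAllow - client-supplied arguments are dropped
#   Allow      - the Parameters field is passed through (needed for "/e:on /t:06 /k dir")
#   Require    - the app always starts with RequiredCommandLine instead
if (-not (Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker -Alias 'cmd' -ErrorAction SilentlyContinue)) {
    New-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker `
        -Alias 'cmd' -DisplayName 'Command Prompt' `
        -FilePath 'C:\Windows\System32\cmd.exe' `
        -CommandLineSetting Allow
}
```

    If the Parameters field appears to be ignored, CommandLineSetting on the published app is the first thing to check.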

    Load balance info/cookie

    The load balancing information or cookie which should be provided to the connection broker. If no connection broker is being used, this should be left blank.

    RDP source ID

    The numeric ID of the RDP source. This is a non-negative integer value dictating which of potentially several logical RDP connections should be used. This parameter is only required if the RDP server is documented as requiring it. If using Hyper-V, this should be left blank.

    Preconnection BLOB (VM ID)

    An arbitrary string which identifies the RDP source - one of potentially several logical RDP connections hosted by the same RDP server. This parameter is only required if the RDP server is documented as requiring it, such as Hyper-V. In all cases, the meaning of this parameter is opaque to the RDP protocol itself and is dictated by the RDP server. For Hyper-V, this will be the ID of the destination virtual machine.

    Enable SFTP

    Whether file transfer should be enabled. If set to "true", the user will be allowed to upload or download files from the specified server using SFTP. If omitted, SFTP will be disabled.

    SFTP User

    The "PAM User" record to authenticate as when connecting to the specified SSH server for SFTP. This parameter is required if SFTP is enabled.

    Default upload directory

    The directory to upload files to if they are simply dragged and dropped, and thus otherwise lack a specific upload location. If left blank, the default upload location of "C:\Users\<username>\" will be used.

    SFTP keepalive interval

    The interval in seconds between which keepalive packets should be sent to the SSH server for the SFTP connection, where "0" indicates that no keepalive packets should be sent at all (the default behavior). The minimum legal value is "2".
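    The field constraints above interact (SFTP needs an SFTP user, Hyper-V needs a VM ID but no source ID, the keepalive interval is 0 or at least 2), so a record can be internally inconsistent. The following added example, which is not Keeper's code, checks a connection record's settings against those documented rules; the dictionary keys and the "target_is_hyperv" flag are hypothetical names chosen for the example.

```python
import uuid
from typing import Any

# Added example, not Keeper's code: validate an RDP connection record's
# advanced settings against the documented constraints. Key names are
# hypothetical; "target_is_hyperv" is an assumed flag for this check.
MIN_KEEPALIVE = 2  # smallest legal non-zero SFTP keepalive interval (seconds)


def validate_rdp_settings(rec: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the record is consistent."""
    problems: list[str] = []
    hyperv = bool(rec.get("target_is_hyperv", False))

    # RDP source ID: blank, or a non-negative integer; must be blank for Hyper-V.
    src = rec.get("rdp_source_id", "")
    if src != "":
        if not str(src).isdigit():
            problems.append("rdp_source_id must be a non-negative integer or blank")
        elif hyperv:
            problems.append("rdp_source_id must be blank when connecting to Hyper-V")

    # Preconnection BLOB: required by Hyper-V and holds the destination VM's ID,
    # which the Get-VM output on this page shows as a GUID.
    blob = rec.get("preconnection_blob", "")
    if hyperv:
        if not blob:
            problems.append("preconnection_blob (VM ID) is required for Hyper-V")
        else:
            try:
                uuid.UUID(str(blob))
            except ValueError:
                problems.append("preconnection_blob must be the Hyper-V VM's GUID")

    # SFTP: when enabled, a PAM User record for the SSH server is required.
    if rec.get("enable_sftp", False) and not rec.get("sftp_user"):
        problems.append("sftp_user is required when enable_sftp is true")

    # Keepalive interval: 0 (disabled, the default) or at least MIN_KEEPALIVE.
    ka = rec.get("sftp_keepalive_interval", 0)
    if not isinstance(ka, int) or ka < 0 or 0 < ka < MIN_KEEPALIVE:
        problems.append(f"sftp_keepalive_interval must be 0 or >= {MIN_KEEPALIVE}")

    return problems


if __name__ == "__main__":
    # Constructed sample record: SFTP turned on without a user, keepalive too low.
    sample = {"enable_sftp": True, "sftp_keepalive_interval": 1}
    for p in validate_rdp_settings(sample):
        print("problem:", p)
```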


    PAM Configuration

    This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.

    Administrative Credential Record

    This is the linked credential record that will be used to authenticate to the target and perform administrative operations on it.

    Keeper Connections can be authenticated using one of the following methods:

    • Launch Credential: The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

    • Personal/Private Credential: When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

    • Ephemeral Accounts: When the ephemeral account feature is enabled on the PAM Machine or PAM Database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

    For this protocol, graphical data, including timing information, is recorded. For more details on the recordings and how to access them, see the Session Recording & Playback docs.

    The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

    Connection Templates
    PS C:\> Get-VM VirtualMachineName | Select-Object Id 
    
    Id
    --
    ed272546-87bd-4db9-acba-e36e1a9ca20a
    
    PS C:\> 
    # Download the guacctl helper script from the Apache Guacamole project and make it executable
    wget -O guacctl https://raw.githubusercontent.com/apache/guacamole-server/master/bin/guacctl
    chmod +x guacctl
    # Download a single file, given as a bare filename or as a full path
    ./guacctl -d <filename>
    ./guacctl -d <directory><filename>
    # Examples:
    ./guacctl -d clientID.txt
    ./guacctl -d /mnt/c/Users/helpdesk/Downloads/clientID.txt
    # Download several files in one command (each as a filename or a full path)
    ./guacctl -d <filename> <filename>
    ./guacctl -d clientID.txt /mnt/c/temp/license.txt

  • "TLS Encryption" - Transport Layer Security.

  • "Hyper-V/VMConnect" - Automatically select the security mode based on the security protocols supported by both the client and the server, limiting that negotiation to only the protocols known to be supported by Hyper-V / VMConnect. This security mode must be selected if connecting to the console of a Hyper-V virtual machine.

  • Default value: Any

  • "en-gb-qwerty" - UK English

  • "en-us-qwerty" - US English (the default)

  • "es-es-qwerty" - Spanish

  • "es-latam-qwerty" - Latin American

  • "fr-be-azerty" - Belgian French

  • "fr-ch-qwertz" - Swiss French

  • "fr-fr-azerty" - French

  • "hu-hu-qwertz" - Hungarian

  • "it-it-qwerty" - Italian

  • "ja-jp-qwerty" - Japanese

  • "pt-br-qwerty" - Portuguese Brazilian

  • "sv-se-qwerty" - Swedish

  • "tr-tr-qwerty" - Turkish-Q

  • "failsafe" - Force use of Unicode events rather than key events for all keys

    This is the keyboard layout of the RDP server and has nothing to do with the keyboard layout in use on the client. The Keeper vault client is independent of keyboard layout. The RDP protocol is not independent of keyboard layout, and Keeper needs to know the keyboard layout of the server in order to send the proper keys when a user is typing.
