Instantly access your infrastructure with zero-trust security from your Keeper Vault
Keeper Connections allow users to instantly and securely access assets within their target infrastructure, such as servers, databases, web apps and workloads directly from their Keeper Vault. Connections can be established without exposing the underlying credentials to the user, ensuring zero-trust and zero-knowledge access.
Keeper Connections are configured on PAM Machine, PAM Database, PAM Directory and PAM Remote Browser record types, and once configured, connections are launched directly from these records.
One of the key features of Keeper Connections is the agentless and clientless architecture. Organizations need to install only a Keeper Gateway in each managed environment. This streamlined approach simplifies deployment and enhances security by centralizing access management.
Connections are launched directly from the Vault interface with one click. The connection is established between the Keeper Gateway and the target machine, and the session is visually projected into the Vault where you can interact seamlessly.
Click "Launch" to open a privileged session.
Sessions are opened directly inside the Keeper vault, establishing a zero trust encrypted connection to the target.
Full screen mode and zoom controls are available from the upper right corner of the window.
The Connection Dock provides instant switching between active sessions. The dock can be moved to any desired location on the screen.
The dock can be minimized and moved anywhere on the screen.
When launching a connection, the Web and Desktop Vault Client will render a window with the established connection protocol to the specified target defined on the PAM record. This is done by:
The Vault Client communicating with the Keeper Gateway with the relevant connection info through a secure tunnel
The Keeper Gateway then establishes the connection protocol to the target defined on the PAM Record
After establishing the connection, the Keeper Gateway projects the visual session to the Keeper vault client.
For more information on the architecture, see this page.
IT Admins, DevOps and development teams struggle with protecting access to cloud and on-prem infrastructure to endpoints like remote desktops, Windows machines, Linux Servers, critical web-based apps, Kubernetes clusters and Databases.
Keeper Connections protects your business, your employees and your customers against data breaches by providing a unified vault for all access and control. Reducing risk and simplifying access are the core tenants of the Keeper platform.
Lower complexity: All zero trust access is managed by the Keeper Vault
Lower employee risk: No VPNs, No ZTNAs and no Agents
Lower supply chain risk: No client-side connection apps
Lower attack surface risk: Zero-knowledge encryption and networking
Support for RDP, SSH, VNC, K8s, telnet remote access protocols
Support for MySQL, PostgreSQL, SQL Server database protocols
Remote browser isolation (http/https) protocol for web-based apps
Drag-and-drop file transfer via SFTP to target machines
Session Recording and playback
Privileged Session Management
Role-Based Access Controls
To get started with Keeper Connections, proceed to the next section.
Getting Started with configuring connections on your PAM Record types
In this guide, you will learn how to setup connections for all the supported protocols on your PAM Record types in your Keeper Vault.
Prior to configuring Connections, make sure to have the following:
The following Enforcement Policies affect user's permissions to use Connections and need to be enabled.
Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.
Can configure connection settings
Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Records Types
Can start connections
Allow users to start tunnels on PAM Machine, PAM Directory and PAM Database Record Types
Can view recordings
Allow users to view session Recordings.
Tunnels can also be enabled on the Keeper Commander CLI using the enterprise-role command:
If a user should only have access to launching connections and not configuring connections, then only "Can start connections" policy should be enabled for the user.
In addition to launching connections, If a user should also have access to configure connections, then "Can configure connections settings" and "Can start connections" should be enabled for the user.
Launched connections can also be recorded. These recordings are available on the PAM Machine, PAM Database, or PAM Directory record types and can be played back on your Vault. For more details on session recording and playback, visit this page.
The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enabled zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that requires access.
For more details on installing and setting up your gateway, visit this page.
The PAM Configuration contains essential information of your target infrastructure, settings and Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this page.
A Keeper Connection is a secure, encrypted interactive session established between your vault client to the target endpoint. The target endpoint needs to be defined on one of the following PAM Record types:
Windows/MacOS/Linux Machines, EC2 Instances, Azure VMs
MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle
Active Directory, OpenLDAP
Web-based applications
Depending on your target endpoint, visit the corresponding PAM Record Type page for more information on setup.
The following table lists all the supported connection protocol that can be configured in your Keeper Vault. Visit the associated link for each protocol for more details on configuration.
PAM Machine
Connecting to the target defined on the PAM Machine Record with the SSH connection protocol
PAM Machine
Connecting to the target defined on the PAM Machine Record with the RDP connection protocol
PAM Browser
Connecting to the URL defined in the PAM Browser Record with the Remote Browser Isolation (http/https) protocol
PAM Database
Connecting to the target defined on the PAM Database Record with the MySQL connection protocol
PAM Database
Connecting to the target defined on the PAM Database Record with the SQL Server connection protocol
PAM Database
Connecting to the target defined on the PAM Database Record with the PostgreSQL connection protocol
PAM Machine
Connecting to the target defined on the PAM Machine Record with the VNC connection protocol
PAM Machine
Connecting to the target defined on the PAM Machine Record with the Telnet connection protocol
Details on the available connection protocols in KeeperPAM for interactive privileged sessions
The following table lists all the supported connection protocols that can be configured in your Keeper Vault to establish zero-trust privilege sessions. Visit the associated link for each protocol for more details on configuration.
PAM Machine
Connecting to the target defined on the PAM Machine Record with the SSH connection protocol
PAM Machine
Connecting to the target defined on the PAM Machine Record with the RDP connection protocol
PAM Database
Connecting to the target defined on the PAM Database Record with the MySQL connection protocol
PAM Database
Connecting to the target defined on the PAM Database Record with the SQL Server connection protocol
PAM Database
Connecting to the target defined on the PAM Database Record with the PostgreSQL connection protocol
PAM Machine
Connecting to the target defined on the PAM Machine Record with the VNC connection protocol
PAM Machine
Connecting to the target defined on the PAM Machine Record with the Telnet connection protocol
PAM Remote Browser
Connecting to the target defined on the PAM Machine Record with http or https protocol in an isolated Chromium browser session
Keeper Connections - SSH Protocol
KeeperPAM enables zero-trust privileged session management for target infrastructure using the SSH protocol. This guide explains how to set up SSH connections on your PAM Machine Records in the Keeper Vault. Secure SSH sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
This guide will use a Linux server to represent a PAM Machine record.
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the SSH protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable connection settings for the SSH protocol on the PAM Settings:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the SSH protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Text Session Recording (Typescript)
When enabled, text session recordings (typescript) will be enabled for this record
Include Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Connection Port
The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For SSH, the port is 22
Public Host Key (Base64)
The known hosts entry for the SSH server, in the same format as would be specified within an OpenSSH known_hosts file. If not provided, no verification of host identity will be performed.
Color Scheme
The color scheme to use for the terminal emulator used by SSH connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:
"black on white" - Black text over a white background
"gray on black" - Gray text over a black background (the default)
"green on black" - Green text over a black background
"white on black" - White text over a black background
"Custom" - custom color scheme
Default value is "white-black"
Font Size
Font size displayed for the terminal session
SFTP
If enabled, the user can drag and drop files into the terminal session to transfer one or more files.
File Browser Root Directory
If SFTP is enabled, file transfers will be saved to the specified folder path.
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user.
Can paste from clipboard
If enabled, user can paste text from clipboard within the connected protocol session.
Once you have configured the SSH Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:
In the above image, a Linux server has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:
If the SFTP file transfer feature is enabled, the user can drag and drop files into the terminal session to transfer the files to the machine.
Keeper supports one or more files transferred simultaneously through drag-and-drop.
While the files are being uploaded to the target machine, a file transfer status is displayed in the dock area of the Keeper Vault:
To transfer files from the SSH remote connection to the local filesystem, you can download a tool called guacctl into the remote system and use it for performing outbound transfers.
Download guacctl and set as executable:
Initiate the file download using this syntax:
The SSH protocol can also be used to access Windows servers for execution of PowerShell commands or other administrative actions.
Learn more on how to activate SSH on Windows
Keeper Connections - RDP Protocol
KeeperPAM enables zero-trust privileged session management for target infrastructure using the RDP protocol. This guide explains how to set up RDP connections on your PAM Machine Records in the Keeper Vault. Secure RDP sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
The PAM Configuration contains information of your target infrastructure
The PAM Machine record contains information of the endpoint you want to establish an RDP protocol connection to.
The PAM User record contains the user credentials that will be used to connect to the endpoint
This guide will use a Azure VM as an example. For more details on how this is setup on the PAM Machine Record, visit the following page:
Example: Azure Windows VMAfter creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the RDP protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable settings for the RDP protocol on the PAM Settings:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the RDP protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Include Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Connection Port
The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For RDP, the port is 3389
Security Mode
The security mode to use for the RDP connection. This mode dictates how data will be encrypted and what type of authentication will be performed, if any. By default, security mode negotiation is performed.
Legal values are:
"any" - Negotiate with the server, allowing the RDP server to choose its preferred security mode (the default).
"NLA" - Network Level Authentication, sometimes also referred to as "hybrid" or CredSSP (the protocol that drives NLA) and uses TLS encryption.
"RDP Encryption" - Standard RDP encryption. Newer Windows servers generally have this mode disabled by default, and instead require NLA.
"TLS Encryption" - Transport Layer Security.
"Hyper-V/VMConnect" - Automatically select the security mode based on the security protocols supported by both the client and the server, limiting that negotiation to only the protocols known to be supported by Hyper-V / VMConnect. This security mode must be selected if connecting to the console of a Hyper-V virtual machine.
Default value is Any
Disable Authentication
If enabled, authentication will be disabled. Note that this refers to authentication that takes place while connecting. Any authentication enforced by the server over the remote desktop session (such as a login dialog) will still take place. By default, authentication is enabled and only used when requested by the server.
If you are using NLA, authentication must be enabled by definition.
Ignore Server Certificate
If enabled, the certificate returned by the server will be ignored, even if that certificate cannot be validated. This is useful if you universally trust the server and your connection to the server, and you know that the server's certificate cannot be validated (for example, if it is self-signed)
Load Balance Info/Cookie
The load balancing information or cookie which should be provided to the connection broker. If no connection broker is being used, this should be left blank
RDP Source ID
The numeric ID of the RDP source. This is a non-negative integer value dictating which of potentially several logical RDP connections should be used. This parameter is only required if the RDP server is documented as requiring it. If using Hyper-V, this should be left blank.
Preconnection BLOB (VM ID)
An arbitrary string which identifies the RDP source - one of potentially several logical RDP connections hosted by the same RDP server. This parameter is only required if the RDP server is documented as requiring it, such as Hyper-V. In all cases, the meaning of this parameter is opaque to the RDP protocol itself and is dictated by the RDP server. For Hyper-V, this will be the ID of the destination virtual machine.
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user
Can paste from clipboard
If enabled, user can paste text from clipboard within the connected protocol session
Disable Audio
Audio output is always enabled by default. If you are concerned about bandwidth usage, or audio is causing problems, you can explicitly disable audio output
When troubleshooting authentication and connection issues, check the following:
Ensure the user specified in the linked PAM User record has the rights to RDP to the target machine.
Adjust your group policy or add the user to the "Remote Desktop Users" group on Windows to grant access.
For additional troubleshooting, refer to the Gateway logs which will contain additional information. The location of the Gateway logs depends on the installation method.
Keeper Connections - MySQL Protocol
KeeperPAM enables zero-trust privileged session management for MySQL databases through an interactive CLI. This guide shows how to configure MySQL connections on your PAM Database Records in the Keeper Vault. Sessions are securely initiated from the Vault, routed via the Keeper Gateway, and connected to target databases.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
PAM Configuration
The PAM Configuration contains information of your target infrastructure
PAM Database Record
The PAM Database record contains information of the endpoint you want to establish an MySQL protocol connection to.
PAM User Record
The PAM User record contains the MySQL user credentials that will be used to connect to the endpoint
This guide will use a MySQL Database. For more details on how this is setup, visit the following page:
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the MySQL protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable settings for the MySQL protocol on the PAM Settings:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the MySQL protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Text Session Recording (Typescript)
When enabled, text session recordings (typescript) will be enabled for this record
Inlcude Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Connection Port
The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Database. The port specified here will override the default port. For MySQL, the port is 3306
Default Database
The database schema selected when connecting to the specified database server.
Can export CSV
Enables CSV export of data when using the SQL statement "select ... into local outfile"
Can import CSV
Enables CSV import of data when using the SQL statement "load data local infile ... into table"
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user
Can paste from clipboard
If enabled, user can paste text from local clipboard into the connected protocol session
Keeper Connections - SQL Server Protocol
KeeperPAM enables zero-trust privileged session management for SQL Server databases through an interactive CLI. This guide shows how to configure SQL Server connections on your PAM Database Records in the Keeper Vault. Sessions are securely initiated from the Vault, routed via the Keeper Gateway, and connected to target databases.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
PAM Configuration
The PAM Configuration contains information of your target infrastructure
PAM Database Record
The PAM Database record contains information of the endpoint you want to establish an SQL Server protocol connection to.
PAM User Record
The PAM User record contains the SQL Server user credentials that will be used to connect to the endpoint
This guide will use a SQL Database. This is similar to setting up a MySQL database, for more details on how this is setup, visit the following page:
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the SQL Server protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable connection settings for the SQL Server protocol on the PAM Settings:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the SQL Server protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Text Session Recording (Typescript)
When enabled, text session recordings (typescript) will be enabled for this record
Include Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Connection Port
The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Database. The port specified here will override the default port. For SQL Server, the port is 1433
Default Database
The database schema selected when connecting to the specified database server.
Can export CSV
Enables CSV export of data when using the SQL statement "select ... into local outfile"
Can import CSV
Enables CSV import of data when using the SQL statement "load data local infile ... into table"
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user
Can paste from clipboard
If enabled, user can paste text from local clipboard into the connected protocol session
Keeper Connections - PostgreSQL Protocol
KeeperPAM enables zero-trust privileged session management for PostgreSQL databases through an interactive CLI. This guide shows how to configure PostgreSQL connections on your PAM Database Records in the Keeper Vault. Sessions are securely initiated from the Vault, routed via the Keeper Gateway, and connected to target databases.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
PAM Configuration
The PAM Configuration contains information of your target infrastructure
PAM Database Record
The PAM Database record contains information of the endpoint you want to establish an PostgreSQL protocol connection to.
PAM User Record
The PAM User record contains the PostgreSQL user credentials that will be used to connect to the endpoint
This guide will use a PostgreSQL Database. For more details on how this is setup, visit the following page:
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the PostgreSQL protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable connection settings for the SQL Server protocol on the PAM Settings:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the PostgreSQL protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Text Session Recording (Typescript)
When enabled, text session recordings (typescript) will be enabled for this record
Include Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Connection Port
The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Database. The port specified here will override the default port. For PostgreSQL, the port is 5432
Default Database
The database schema selected when connecting to the specified database server.
Can export CSV
Disables CSV export of data when using the PSQL statement \COPY
FROM "input.csv" With CSV
Can import CSV
Disables CSV import of data when using the PSQL statement \COPY () TO ".csv" With CSV HEADER
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user
Can paste from clipboard
If enabled, user can paste text from local clipboard into the connected protocol session
Keeper Connections - VNC Protocol
KeeperPAM enables zero-trust privileged session management for target infrastructure using the VNC protocol. This guide explains how to set up VNC connections on your PAM Machine Records in the Keeper Vault. Secure VNC sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
PAM Configuration
The PAM Configuration contains information of your target infrastructure
PAM Machine Record
The PAM Machine record contains information of the endpoint you want to establish an VNC protocol connection to.
PAM User Record
The PAM User record contains the VNC credentials that will be used to connect to the machine
This guide will use a Azure VM. For more details on how this is setup on the PAM Machine Record, visit the following page:
Example: Azure Windows VMAfter creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the VNC protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable settings for the VNC protocol on the PAM Settings:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the VNC protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Include Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Connection Port
The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For VNC the port is 5900
Destination Host
Required if using a VNC Repeater such as UltraVNC Repeater
The destination host to request when connecting to a VNC proxy such as UltraVNC Repeater
Destination Port
Required if using a VNC Repeater such as UltraVNC Repeater
The destination port to request when connecting to a VNC proxy such as UltraVNC Repeater
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user
Can paste from clipboard
If enabled, user can paste text from clipboard within the connected protocol session
Keeper Connections - Telnet Protocol
KeeperPAM enables zero-trust privileged session management for target infrastructure using the Telnet protocol. This guide explains how to set up Telnet connections on your PAM Machine Records in the Keeper Vault. Secure sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
PAM Configuration
The PAM Configuration contains information of your target infrastructure
PAM Machine Record
The PAM Machine record contains information of the endpoint you want to establish an Telnet protocol connection to.
PAM User Record
The PAM User record contains the user credentials that will be used to connect to the endpoint
This guide will use a Linux Machine. For more details on how this is setup on the PAM Machine Record, visit the following page:
Example: Linux MachineAfter creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the Telnet protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable connection settings for the Telnet protocol on the PAM Settings:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the Telnet protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Text Session Recording (Typescript)
When enabled, text session recordings (typescript) will be enabled for this record
Include Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Connection Port
The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For Telnet, the port is 23
Username Regular Expression
The regular expression to use to detect the username prompt when the username cannot be provided. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).
Password Regular Expression
The regular expression to use to detect the password prompt. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).
Login Success Regular Expression
The regular expression to use when detecting that the login attempt has succeeded. If specified, the terminal display will not be shown to the user until text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).
Login Failure Regular Expression
The regular expression to use when detecting that the login attempt has failed. If specified, the connection will be closed with an explicit login failure error if text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user
Can paste from clipboard
If enabled, user can paste text from clipboard within the connected protocol session
Color Scheme
The color scheme to use for the terminal emulator used by Telnet connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:
"black on white" - Black text over a white background
"gray on black" - Gray text over a black background (the default)
"green on black" - Green text over a black background
"white on black" - White text over a black background
"Custom" - custom color scheme
Default value is "white-black"
Keeper Connections - Kubernetes
KeeperPAM enabled zero-trust privileged session management for Kubernetes containers using Kubernetes' REST API. This guide shows how to configure Kubernetes connections on your PAM Machine Records in the Keeper Vault. Secure Kubernetes sessions are established from the Vault, through the Keeper Gateway, and directly to the target container.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
The PAM Configuration contains information of your target infrastructure
PAM Machine Record
The PAM Machine record contains information of the endpoint you want to establish a Kubernetes REST API connection to.
PAM User Record
The PAM User record contains the user credentials that will be used to connect to the endpoint
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the Kubernetes protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable connection settings for the Kubernetes protocol on the PAM Settings:
Protocol
Required The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the Kubernetes protocol should be selected
Enable Connection
Required To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Text Session Recording (Typescript)
When enabled, text session recordings (typescript) will be enabled for this record
Include Key Events
Connection Port
The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For Kubernetes, the port is 8080.
Namespace
The name of the Kubernetes namespace of the pod containing the container being attached to. If omitted, the namespace "default" will be used.
Pod Name
The name of the Kubernetes pod with the container being attached to.
Container Name
The name of the container to attach to. If omitted, the first container in the pod will be used.
Ignore Server Certificate
If checked, the validity of the SSL/TLS certificate used by the Kubernetes server will be ignored if it cannot be validated. By default, SSL/TLS certificates are validated.
Certificate Authority Certificate
The certificate of the certificate authority that signed the certificate of the Kubernetes server, in PEM format. If omitted, verification of the Kubernetes server certificate will use only system-wide certificate authorities.
Client Certificate
The certificate to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. If omitted, SSL client authentication will not be performed.
Client Key
The key to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. If omitted, SSL client authentication will not be performed.
Color Scheme
The color scheme to use for the terminal emulator used by Kubernetes connections. Each color scheme dictates the default foreground and background color of the terminal. Programs which specify colors when printing text will override these defaults.
Font Size
The size of the font to use, in points. By default, the size of rendered text will be 12 point.
Keeper Connections - Remote Browser Isolation (http/https) Protocol
KeeperPAM enables zero-trust privileged session management for web applications using the Remote Browser Isolation (RBI) protocol. This guide explains how to configure RBI connections on your PAM Remote Browser Records in the Keeper Vault. Secure web sessions are initiated from the Vault, routed through the Keeper Gateway, and delivered directly to target applications.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
PAM Configuration
The PAM Configuration contains information of your target infrastructure.
PAM Remote Browser
The PAM Remote Browser record contains information of the endpoint you want to establish a web session to.
PAM User Record
The PAM User record contains the user credentials that will be used to autofill credentials on the web page.
This guide will use a Jenkins web application.
After creating a PAM Remote Browser with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the RBI protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable settings for the RBI protocol on the PAM Settings:
Enable Remote Browser Isolation
Required
To enable connection for this record, this toggle needs to be enabled.
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record.
Include Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Allow navigation via direct URL manipulation
Shows a website address tool in the user interface that allows the user to navigate.
Ignore server certificate
Instructs RBI to ignore invalid or expired SSL certificates on the website that is explicitly set in the URL field for the record. Certificates are required for any other domains during the session.
Allowed URL Patterns
The patterns of all URLs that the user should be allowed to visit, regardless of whether via manual navigation (URL bar) or interacting with the current page. Multiple patterns may be specified, separated by newlines. If specified, only pages matching patterns in the list are permitted. By default, all URLs are permitted.
Allowed Resource URL Patterns
The patterns of all URLs that the a page should be allowed to load as a resource, such as an image, script, stylesheet, font, etc. Multiple patterns may be specified, separated by newlines. If specified, only resources matching patterns in the list are permitted to be loaded. By default, no restrictions are imposed on resources loaded by pages.
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user.
Can paste from clipboard
If enabled, user can paste text from clipboard within the connected protocol session.
Browser Autofill
KeeperPAM provides the capability of autofilling a username, password and TOTP code into a target website login screen.
For this protocol, graphical data, including timing information, is recorded. For more details on the recordings and how to access them, see the Session Recording & Playback docs.
Example connection records
A few example guides explain how to set up Connections:
Loading...
Establish a connection to an Azure Virtual Machine directly from your Vault
In this guide, you will learn how to configure a Azure Virtual Machine on your PAM Machine and configure the RDP protocol to successfully launch a zero-trust connection to the Azure Virtual Machine — directly from your Keeper Vault.
For this setup, you need to do the following:
After completing the above, you can launch zero-trust connections to the Azure Virtual Machine directly from your Keeper Vault.
From the Admin Console, enable the corresponding PAM Enforcement Policies for connections:
Can configure connection settings
Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types
Can launch connections
Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types
Can view session recordings
Allow users to view Session Recordings
Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:
Additionally, the Keeper Gateways needs to be configured with the Gateway token. For more information, visit this page.
Steps 3 and Step 4 can be automated with the Gateway Wizard. For more information, visit this page.
The PAM Configuration contains critical information on your infrastructure, settings and associated Keeper Gateway. Visit the following pages for more details based on your target infrastructure:
After setting up your Gateway and PAM Configuration Record, the Azure Virtual Machine and its users need to be configured on PAM Record types in your Vault:
PAM Machine - The Azure Virtual machine is configured on this record type
PAM User - The Azure Virtual User is configured on this record type
Refer to this example on how to configure Azure Virtual Machine on a PAM Machine record type:
Example: Azure Windows VMThe PAM Machine record type contains the necessary information required for the Keeper Gateway to locate and establish a connection with the machine, while the PAM User record type contains the necessary information to authenticate the connection.
The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Machine Record. To configure the RDP protocol, visit the following page:
RDP ConnectionsOnce you have configured the RDP Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:
In the above image, an Azure Virtual Machine has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:
PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.
When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with an Azure Virtual Machine, the recipient can connect to the Azure Virtual Machine on the PAM Machine record without having direct access to the linked credentials.
Loading...
Establish a connection to a PostgreSQL Database directly from your Vault
In this guide, you will learn how to configure a PostgreSQL Database on your PAM Database and configure the PostgreSQL protocol to successfully launch a zero-trust connection to the PostgreSQL Database — directly from your Keeper Vault.
For this setup, you need to do the following:
Enable the Connection Enforcement Policies
Install and Configure the Keeper Gateway
Create and configure the PAM Configuration File
Create the PAM Database and PAM User record types
Configure PAM Settings and the PostgreSQL Connection Protocol
After completing the above, you can launch zero-trust connections to the PostgreSQL Database directly from your Keeper Vault.
Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:
After setting up your Gateway and PAM Configuration Record, the PostgreSQL Database and its users need to be configured on PAM Record types in your Vault:
Refer to this example on how to configure PostgreSQL Database on a PAM Database record type:
The PAM Database record type contains the necessary information required for the Keeper Gateway to locate and establish a connection with the database, while the PAM User record type contains the necessary information to authenticate the connection.
The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Database Record. To configure the PostgreSQL protocol, visit the following page:
Once you have configured the PostgreSQL Protocol connection on your PAM Database Record, your record will contain the following connection banner with the "Launch" Button:
In the above image, a PostgreSQL Database has been configured on the PAM Database Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target.
PAM Database records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.
When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a PostgreSQL Database, the recipient can connect to the PostgreSQL Database on the PAM Database record without having direct access to the linked credentials.