
Setting up RBI

Setting up Tunnels in your Desktop Vault

Overview

In this guide, you will learn how to set up Remote Browser Isolation (RBI) in your Keeper Vault. RBI works from both the Web Vault and the Desktop App.

An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.

  • KeeperPAM Homepage

  • Request a Demo

  • Contact Support

Prerequisites

Prior to configuring RBI, make sure to have the following:

Remote Browser Isolation Enforcement Policies

Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.

Remote Browser Isolation Policies

The following Enforcement Policies affect users' permissions to use Remote Browser Isolation and need to be enabled:

| Enforcement Policy | Commander Enforcement Policy | Definition |
| --- | --- | --- |
| Can configure remote browsing settings | ALLOW_CONFIGURE_RBI | Allow users to configure Remote Browser and session recording settings on PAM Remote Browsing and PAM Configuration record types |
| Can launch remote browsing | ALLOW_LAUNCH_RBI | Allow users to launch remote browsing on PAM Remote Browsing record types |
| Can view RBI session recordings | ALLOW_VIEW_RBI_RECORDINGS | Allow users to view RBI session recordings |

The above enforcement policies can also be enabled on the Keeper Commander CLI using the enterprise-role command:

enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_RBI":true
enterprise-role "My Role" --enforcement "ALLOW_LAUNCH_RBI":true
enterprise-role "My Role" --enforcement "ALLOW_VIEW_RBI_RECORDINGS":true

Enforcement Policy Use Cases

If a user should only be able to launch RBI sessions and not configure RBI settings, then only the "Can launch remote browsing" policy should be enabled for the user.

If, in addition to launching RBI sessions, a user should also be able to configure RBI settings, then both the "Can configure remote browsing settings" and "Can launch remote browsing" policies should be enabled for the user.

To allow users to view RBI session recordings, the "Can configure remote browsing settings" policy should be enabled for the user.

Session Recordings

Launched RBI sessions can also be recorded. These recordings are available on the PAM Browser record types and can be played back on your Vault. For more details on session recording and playback, visit this page.

Installing the Keeper Gateway

The Keeper Gateway is a hosted, agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each network that requires access.

For more details on installing and setting up your gateway, visit this page.

PAM Configuration

The PAM Configuration contains the essential information about your target infrastructure, its settings and the Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this page.

PAM Remote Browser

When launching an RBI session, the Web and Desktop Vault Client will render a Chromium browser window with an established connection to the URL defined on the PAM Browser record. For more information on setting up the PAM Browser Record, visit this page.

PAM Settings - Remote Browser Isolation

Accessing RBI Settings

After creating the PAM Browser record with the target URL, navigate to the PAM Settings by:

  1. Editing the PAM Browser Record

  2. Clicking on "Set Up" in the PAM Settings section

Remote Browser Isolation Settings

Configuring RBI Settings

After opening the PAM Settings screen, you will see the configurable fields for RBI. The following table lists all of them:

| Field | Definition |
| --- | --- |
| PAM Configuration | Required. This is the PAM Configuration that defines the environment and Gateway being utilized. |
| Enable Connection | Required. To enable RBI for this record, this toggle needs to be enabled. |
| Graphical Session Recording | When enabled, graphical session recordings will be enabled for this record. |
| Include Key Events | When enabled, keyboard events will also be monitored and played back alongside the graphical session recording. |
| Allow navigation via direct URL manipulation | If checked, the user will be presented with a URL navigation bar. |
| Ignore server certificate | If set, the Chromium browser will ignore an invalid certificate as long as the URL matches the exact domain that is set in the Record URL field. |
| Allow URL Patterns | The patterns of all URLs that the user should be allowed to visit, whether via manual navigation (URL bar) or by interacting with the current page. Multiple patterns may be specified, separated by newlines. If specified, only pages matching patterns in the list are permitted. By default, all URLs are permitted. See the URL Patterns & Resource URL Patterns section for details. |
| Allow Resource URL Patterns | The patterns of all URLs that the page should be allowed to load as a resource, such as an image, script, stylesheet, font, etc. Multiple patterns may be specified, separated by newlines. If specified, only resources matching patterns in the list are permitted to be loaded. By default, no restrictions are imposed on resources loaded by pages. See the URL Patterns & Resource URL Patterns section for details. |
| Browser Autofill - Credentials | RBI sessions launched from the Keeper Vault provide the capability of autofilling a username and password into a target website's login screen. A vault record that is shared to a KSM application can be linked here. The credentials on this linked record will be autofilled into the target website's login screen based on the autofill rules defined in the Autofill Targets section. See the Browser Autofill section for details. |
| Browser Autofill - Autofill Targets | This section contains the autofill rules, which are a JSON/YAML array of objects, where each object contains one autofill rule. See the Browser Autofill section for details. |
| Can copy to clipboard | If enabled, text copied within the RBI session will be accessible to the user. |
| Can paste from clipboard | If enabled, the user can paste text from the clipboard within the connected RBI session. |

Session Recordings - RBI

For this protocol, graphical data, including timing information, is recorded. For more details on the recordings and how to access them, see the Session Recording & Playback docs.

URL Patterns & Resource URL Patterns

Allowed URLs and Resources in the Remote Browser Isolation session

Overview

This guide will go over the following PAM settings section for the PAM Browser Record:

  • URL Patterns

  • Resource URL Patterns

URL Patterns & Resource URL Patterns

The URL patterns accepted by the “Allowed URL Patterns” and “Allowed Resource URL Patterns” parameters use the same format as an ordinary URL and dictate exactly which URLs are allowed. They are enforced according to the following criteria:

  • Any aspect of the URL that is omitted from the pattern is ignored (not enforced as a requirement), except that standard port numbers are considered to have been specified if a scheme is specified.

  • A *. wildcard prefix may be used for domain names to indicate "any subdomain of a particular domain".

  • A * wildcard may be used in place of a path to more visibly and explicitly note that any value is allowed.

  • A * wildcard may be used at the end of a path to indicate that any subpath of that path is allowed.

  • A * wildcard may be used in place of a port number to indicate that any port is allowed.

For example:

| Pattern | Meaning |
| --- | --- |
| accounts.google.com | Allow requests to the domain accounts.google.com involving any protocol and any path. Requests must be made to the standard port for whatever protocol is involved. |
| *.youtube.com | Allow requests to any subdomain of youtube.com involving any protocol and any path. Requests must be made to the standard port for whatever protocol is involved. |
| http://10.10.10.10:8080 | Allow requests to 10.10.10.10 on port 8080 using strictly HTTP (not HTTPS) and any path. |
| 10.10.10.10:* | Allow requests to 10.10.10.10 on any port using any protocol and any path. |
| https://example.net/foo | Allow requests to example.net using strictly HTTPS (not HTTP) and the path “/foo”. Requests must be made to the standard port for HTTPS. |
| https://example.net/foo/* | Allow requests to example.net using strictly HTTPS (not HTTP) and any path beneath “/foo”. Requests must be made to the standard port for HTTPS. |
| google.com | This would allow any protocol or path on the google.com root domain, but does not allow a subdomain. |
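The criteria above can be checked against a concrete allow list before it is saved to the record. The matcher below is an added example written for this page (it is not Keeper's or the Gateway's implementation); it assumes http/https URLs without IPv6 literals, and reads "/foo/*" as "/foo/" followed by anything.

```python
# Added model of the URL pattern semantics described above; not Keeper's code.
# Assumes http/https URLs and hostnames without IPv6 literals.
STANDARD_PORTS = {"http": "80", "https": "443"}

def _split(s):
    """Return (scheme, host, port, path); parts absent from s come back as None."""
    scheme = None
    if "://" in s:
        scheme, s = s.split("://", 1)
        scheme = scheme.lower()
    netloc, slash, rest = s.partition("/")
    # Query string and fragment are not part of the path comparison (assumption)
    path = (slash + rest).split("?", 1)[0].split("#", 1)[0] if slash else None
    host, colon, port = netloc.rpartition(":")
    if not colon:                      # no port given
        host, port = netloc, None
    return scheme, host.lower(), port, path

def pattern_allows(pattern, url):
    """True if url satisfies every component the pattern actually specifies."""
    p_scheme, p_host, p_port, p_path = _split(pattern.strip())
    u_scheme, u_host, u_port, u_path = _split(url)
    u_port = u_port or STANDARD_PORTS.get(u_scheme)   # implicit standard port
    u_path = u_path or "/"
    if p_scheme and p_scheme != u_scheme:             # omitted scheme: any
        return False
    if p_host.startswith("*."):                       # any subdomain, not the bare domain
        if not u_host.endswith(p_host[1:]):
            return False
    elif p_host != u_host:
        return False
    if p_port is None:                                # omitted port: standard port only
        if u_port != STANDARD_PORTS.get(u_scheme):
            return False
    elif p_port != "*" and p_port != u_port:          # "*" port: any port
        return False
    if p_path in (None, "/*"):                        # omitted or "*" path: any path
        return True
    if p_path.endswith("/*"):                         # trailing "*": any subpath
        return u_path.startswith(p_path[:-1])
    return u_path == p_path                           # otherwise the exact path

def url_allowed(url, patterns):
    """Apply a newline-separated pattern list; an empty list permits everything."""
    rules = [p for p in patterns.splitlines() if p.strip()]
    return not rules or any(pattern_allows(p, url) for p in rules)
```

Running the table's patterns through `pattern_allows` is a quick way to confirm that an allow list is as narrow as intended before enabling it on a record.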

In the next section, we'll cover the autofill capabilities.

Browser Autofill

Autofill credentials into Remote Browser Isolation sessions

Overview

KeeperPAM can automatically fill credentials into the target remote browser isolation session. Credentials are never exposed to the user: the Keeper Gateway performs the filling inside the Chromium session, and the session is only visually projected into the user's vault.

An example of an RBI record is below. This is an Amazon AWS login that will autofill a credential.

Remote Browser Isolation Record

Eligible Credentials

In order for the Keeper Gateway to autofill the credentials, the record must be added to a Shared Folder that is associated with the gateway.

In this example, the "craigdemouser" AWS identity is saved to a shared folder which is controlled by the Keeper Gateway:

PAM User used for autofill

The Shared Folder is shared to the Application holding the Keeper Gateway:

Shared Folder associated to Application

The Application is associated with the Keeper Gateway. This gives the Gateway the ability to access and decrypt any shared credentials.

Keeper Gateway linked to Application

To set up Autofill, edit the autofill settings by clicking on "Edit" in the PAM Settings section of the record.

The configuration of Remote Browser Isolation provides the ability to select which credential is filled.

Browser Autofill Settings

When launching the session, the username and password for the AWS Console are autofilled within the isolated browser session. The credentials are not exposed to the user and the form fields cannot be inspected.

Example of Autofill using Amazon AWS

Autofill Targets

The autofill rules used by KCM are a JSON/YAML array of objects, where each object specifies at least the following property:

  • page - The URL pattern of the page that the autofill rule applies to. The patterns accepted here are identical to the patterns accepted by the navigation/resource rules.

and one or more of the following properties:

  • username-field - A CSS selector that matches the field that should receive the filled username. The Keeper Gateway will inject the value of the username field from the Keeper record.

  • password-field - A CSS selector that matches the field that should receive the filled password. The value filled will be the value of the password parameter for the connection.

  • totp-code-field - A CSS selector that matches the field that should receive the filled TOTP code. The value filled will be the value of the totp parameter for the connection.

  • submit - A CSS selector for an element that should be clicked once all applicable username/password fields have been populated. This should only be specified if necessary (i.e. if the login page in question does not actually use a proper HTML <form>). When omitted, KCM will attempt to submit the login form as if the user pressed "Enter".

  • cannot-submit - A CSS selector that tells KCM not to automatically submit the form as long as any matching element is present.

Basic Example: A single page web application with a Login and Password field:

- page: "http://172.31.8.134:8080/login"
  username-field: "input[name='j_username']"
  password-field: "input[name='j_password']"

Some login flows require multiple rules; the Microsoft Azure Portal login flow is one example.

Here's a YAML example of the autofill rules that would be necessary for Microsoft Azure:

- page: "login.microsoftonline.com"
  username-field: "input[autocomplete='username']"

- page: "login.live.com"
  password-field: "input[autocomplete='current-password']"

Here's the equivalent, formatted as JSON:

[
    {
        "page": "login.microsoftonline.com",
        "username-field": "input[autocomplete='username']"
    },
    {
        "page": "login.live.com",
        "password-field": "input[autocomplete='current-password']"
    }
]
JSON Azure Autofill Target example

A common example where you would not want Keeper automatically submitting is when there's a captcha on the page. An example of this is below:

- page: "https://dash.cloudflare.com/login"
  username-field: "input[id='email']"
  password-field: "input[id='password']"
  cannot-submit: "div[data-testid=challenge-widget-container]"

For unusually complex pages where CSS is not sufficient, XPath expressions may be used instead. Any such XPath expression must be constructed with a leading /.
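A mistyped property name or a missing page pattern silently disables a rule, so the array is worth checking before it is pasted into the Autofill Targets field. The validator below is an added example (not Keeper's or KCM's code) that encodes the rule schema described above for the JSON form; the "[@" check is a heuristic for XPath written without its leading slash.

```python
import json

# Added example, not Keeper's or KCM's code: a sanity check for an autofill
# target array in JSON form, built from the rule schema described above.
PAGE_KEY = "page"
FIELD_KEYS = ("username-field", "password-field", "totp-code-field",
              "submit", "cannot-submit")

def check_selector(where, key, sel, problems):
    """Selectors are CSS, or XPath when they start with '/'."""
    if not isinstance(sel, str) or not sel.strip():
        problems.append(f"{where}: '{key}' must be a non-empty selector")
    elif "[@" in sel and not sel.lstrip().startswith("/"):
        # '[@attr' is XPath syntax, and XPath must begin with a leading '/'
        problems.append(f"{where}: '{key}' looks like XPath but lacks a leading /")

def validate_autofill_rules(text):
    """Return a list of problems in a JSON autofill rule array; [] means well-formed."""
    try:
        rules = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(rules, list):
        return ["top level must be an array of rule objects"]
    problems = []
    for i, rule in enumerate(rules):
        where = f"rule {i}"
        if not isinstance(rule, dict):
            problems.append(f"{where}: must be an object")
            continue
        page = rule.get(PAGE_KEY)
        if not isinstance(page, str) or not page.strip():
            problems.append(f"{where}: '{PAGE_KEY}' URL pattern is required")
        if not any(k in rule for k in FIELD_KEYS):
            problems.append(f"{where}: needs at least one of {', '.join(FIELD_KEYS)}")
        for key, value in rule.items():
            if key == PAGE_KEY:
                continue
            if key not in FIELD_KEYS:
                problems.append(f"{where}: unknown property '{key}'")
            else:
                check_selector(where, key, value, problems)
    return problems

# Constructed samples: the Cloudflare rule from above, then a deliberately broken array.
GOOD_RULES = json.dumps([{"page": "https://dash.cloudflare.com/login",
                          "username-field": "input[id='email']",
                          "password-field": "input[id='password']",
                          "cannot-submit": "div[data-testid=challenge-widget-container]"}])
BAD_RULES = json.dumps([{"username-field": "input[@name='user']"},
                        {"page": "login.live.com", "pasword-field": "input[type='password']"}])
```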

Field Identification

Remote Browser Isolation will fill credentials based on the specific field elements defined in the JSON or YAML code. Form field selectors can be found by inspecting the content of the page and locating the specific field element.

  1. Inspect the Page: Open the developer tools by right-clicking on the webpage and selecting "Inspect."

  2. Select the Field: Use the element selector tool to click on the form field you want to identify.

  3. Read the Attributes: Look at the highlighted HTML code to find attributes like autocomplete, type, name, id, or other identifiers.

Example 1: Using autocomplete

  • HTML Code: <input type="password" autocomplete="current-password" ...>

  • Explanation: The password field can be identified by the autocomplete attribute set to current-password.

Example 2: Using type

  • HTML Code: <input type="password" ...>

  • Explanation: The password field can be identified by the type attribute set to password.

Example 3: Using name

  • HTML Code: <input type="password" name="some_name_xyz" ...>

  • Explanation: The password field can be identified by the name attribute set to some_name_xyz.

Example 4: Using id

  • HTML Code: <input type="password" id="some_id_1234" ...>

  • Explanation: The password field can be identified by the id attribute set to some_id_1234.

Testing Field Identification

From your Chrome browser, open the developer tools and visit the Console tab.

To test the form field identification, use the document.querySelector() JavaScript command.

For example, type the following and press Enter:

document.querySelector("input[type='password']")

If the field is found, the DOM element will be displayed. Otherwise, an error will be displayed.