Setting up RBI
In this guide, you will learn how to set up Remote Browser Isolation (RBI) in your Keeper Vault. RBI works from both the Web Vault and the Desktop App.
Prior to configuring RBI, make sure to have the following:
Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.
The following Enforcement Policies affect a user's permissions to use Remote Browser Isolation and need to be enabled:
Can configure remote browsing settings: Allow users to configure Remote Browser and session recording settings on PAM Remote Browsing and PAM Configuration Records Types
Can launch remote browsing: Allow users to launch remote browsing on PAM Remote Browsing Record Types
Can view remote browser recordings: Allow users to view RBI Session Recordings.
The above enforcement policies can also be enabled on the Keeper Commander CLI using the enterprise-role command:
If a user should only be able to launch RBI sessions and not configure RBI settings, enable only the "Can launch remote browsing" policy for the user.
If a user should also be able to configure RBI settings in addition to launching RBI sessions, enable both the "Can configure remote browsing settings" and "Can launch remote browsing" policies for the user.
To allow users to view RBI session recordings, enable the "Can configure remote browsing settings" policy for the user.
Launched RBI sessions can also be recorded. These recordings are available on the PAM Browser record types and can be played back on your Vault. For more details on session recording and playback, visit this page.
The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that requires access.
For more details on installing and setting up your gateway, visit this page.
The PAM Configuration contains essential information about your target infrastructure, settings and Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this page.
When launching an RBI session, the Web and Desktop Vault Client will render a Chromium browser window with an established connection to the URL defined on the PAM Browser record. For more information on how to set up the PAM Browser Record, visit this page.
After creating PAM Browser Settings with the target URL, navigate to the PAM Settings by:
Editing the PAM Browser Record
Clicking on "Set Up" in the PAM Settings section
After opening the PAM Settings screen, you can configure the fields for RBI. The following table lists all the configurable fields for RBI:
| Field | Required | Description |
| --- | --- | --- |
| PAM Configuration | Required | This is the PAM Configuration the PAM Record is part of |
| Enable Connection | Required | To enable RBI for this record, this toggle needs to be enabled |
| Graphical Session Recording | | When enabled, graphical session recordings will be enabled for this record |
| Allow navigation via direct URL manipulation | | If checked, the user will be presented with a URL navigation bar |
| Allow URL Patterns | | The patterns of all URLs that the user should be allowed to visit, regardless of whether via manual navigation (URL bar) or interacting with the current page. Multiple patterns may be specified, separated by newlines. If specified, only pages matching patterns in the list are permitted. By default, all URLs are permitted. Detailed information here |
| Allow Resource URL Patterns | | The patterns of all URLs that the page should be allowed to load as a resource, such as an image, script, stylesheet, font, etc. Multiple patterns may be specified, separated by newlines. If specified, only resources matching patterns in the list are permitted to be loaded. By default, no restrictions are imposed on resources loaded by pages. Detailed information here |
| Browser Autofill - Credentials | | RBI sessions launched from the Keeper Vault provide the capability of autofilling a username and password into a target website login screen. A vault record that is shared to a KSM application can be linked here. The credentials on this linked record will be autofilled in the target website login screen based on the autofill rules defined in the Autofill Targets section. Detailed information here |
| Browser Autofill - Autofill Targets | | This section will contain the autofill rules, which are a JSON/YAML array of objects, where each object contains an autofill rule. Detailed information here |
| Can copy to clipboard | | If enabled, text copied within the RBI session will be accessible by the user |
| Can paste from clipboard | | If enabled, the user can paste text from the clipboard within the connected RBI session |
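The allow-list behaviour described for Allow URL Patterns and Allow Resource URL Patterns (newline-separated patterns, everything permitted when the field is empty) can be checked against a list of expected URLs before a record is rolled out. The following is an added example, not Keeper code: the matching is an assumed simplification (shell-style wildcards on host and optional path, patterns written as `host[/path]`), the product's real pattern grammar is on the linked detail page, and all hostnames are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed field values, one pattern per line as the fields expect.
ALLOW_URL_PATTERNS = "portal.example.com\n*.corp.example.com\n"
ALLOW_RESOURCE_URL_PATTERNS = "portal.example.com\ncdn.example.net/assets/*\n"


def parse_patterns(field_text):
    """Split a newline-separated field value into patterns, skipping blank lines."""
    return [line.strip() for line in field_text.splitlines() if line.strip()]


def matches(url, pattern):
    """ASSUMPTION: simplified host[/path] wildcard match, not Keeper's grammar."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    pat_host, _, pat_path = pattern.partition("/")
    if not fnmatchcase(host, pat_host.lower()):
        return False
    # A pattern without a path component allows every path on that host.
    return not pat_path or fnmatchcase(parts.path.lstrip("/"), pat_path)


def is_permitted(url, field_text):
    """Apply the documented rule: an empty list permits everything,
    a non-empty list permits only URLs matching at least one pattern."""
    patterns = parse_patterns(field_text)
    if not patterns:
        return True  # default-permit: the field was left empty
    return any(matches(url, p) for p in patterns)


def audit(urls, field_text):
    """Return the URLs that the given list would block."""
    return [u for u in urls if not is_permitted(u, field_text)]


if __name__ == "__main__":
    pages = ["https://portal.example.com/login",
             "https://hr.corp.example.com/",
             "https://corp.example.com/",        # no subdomain: not covered by *.corp
             "https://unrelated.example.org/"]
    resources = ["https://portal.example.com/app.css",
                 "https://cdn.example.net/assets/app.js",
                 "https://cdn.example.net/tracker.js"]
    print("blocked pages:", audit(pages, ALLOW_URL_PATTERNS))
    print("blocked resources:", audit(resources, ALLOW_RESOURCE_URL_PATTERNS))
    print("blocked with empty field:", audit(pages, ""))
```

An empty field leaves navigation unrestricted, so a record meant to confine users to one application needs at least one pattern in each list.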
An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.
For this protocol, graphical data, including timing information, is recorded. For more details on the recordings and how to access them, see the docs.