Setting up Tunnels

Setting up Tunnels in your Desktop Vault

Overview

KeeperPAM Tunnels provide secure, ephemeral connections for accessing infrastructure without requiring a direct network path to the target system. They enable just-in-time access by establishing encrypted tunnels for RDP, SSH, LDAPS, databases, and other protocols. Users can authenticate through the KeeperPAM platform, which brokers the connection and ensures strict policy enforcement.

An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.

Prerequisites

Tunnels are available in the Keeper Desktop application and Keeper Commander CLI.

Prior to configuring Tunnels, make sure to have the following:

Tunnel Enforcement Policies

On the Admin Console, the following Enforcement Policies control users' permissions to use Keeper Tunnels and need to be enabled.

Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.

Enforcement Policies for Tunnels

Enforcement Policy             Commander Enforcement Policy              Definition
Can configure tunnel settings  ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS    Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types
Can start tunnels              ALLOW_LAUNCH_PAM_TUNNELS                  Allow users to start tunnels on PAM Machine, PAM Directory and PAM Database Record Types

Tunnels can also be enabled on the Keeper Commander CLI using the enterprise-role command:

enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS":true
enterprise-role "My Role" --enforcement "ALLOW_LAUNCH_PAM_TUNNELS":true

Enforcement Policy Use Cases

If a user should only be able to start tunnels and not configure them, enable only the "Can start tunnels" policy for the user.

If a user should also be able to configure tunnels in addition to starting them, enable both "Can configure tunnel settings" and "Can start tunnels" for the user.

Installing the Keeper Gateway

The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that require access.

For more details on installing and setting up your gateway, visit this page.

PAM Configuration

The PAM Configuration contains essential information of your target infrastructure, settings and Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this page.

PAM Machine, PAM Database, or PAM Directory

A Keeper Tunnel is a secure, encrypted TCP/IP connection established between your vault client and the target endpoint. The target endpoint needs to be defined on one of the following PAM Record types:

PAM Record Type    Target Endpoint type
PAM Machine        Windows/MacOS/Linux Machines, EC2 Instances, Azure VMs
PAM Database       MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle
PAM Directory      Active Directory, OpenLDAP

Depending on your target endpoint, visit the corresponding PAM Record Type page for more information on setup.

PAM Settings - Tunnel Settings

After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Tunnel section on the PAM Settings screen by:

  1. Editing the PAM Record

  2. Clicking on "Set Up" in the PAM Settings section

  3. Navigating to the "Tunnel" section in the prompted window

The following table lists all the configurable fields for Tunnels:

Field              Definition
PAM Configuration  Required. This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.
Enable Tunnel      Required. When checked, enables tunnels for this record.
Reuse Last Port    When checked, the last used tunnel port is reused, so the port number does not change every time.
Tunneling Port     The port used to connect from the Keeper Gateway to the target infrastructure. If not specified, the gateway uses the "rotation port" specified in the Keeper record view. If the specified port is in use, the tunnel will fail to start.

The following image shows a PAM Machine record where:

  • Tunnel is enabled

  • Tunnel will be open on localhost to the remote server port 3306

  • Subsequent tunnels will use the same local port

Tunnel Settings in a KeeperPAM Resource

Once tunnels have been configured on the PAM Record, your PAM Record will have the "Start Tunnel" button:

Record View with the Start Tunnel action

Starting a Tunnel

Once tunnels have been configured on the PAM Record, click the "Start Tunnel" button to start a tunnel. In this case the local port number selected is 49644. Subsequent tunnels for this resource will use the same local port and tunnel.

Active Tunnel

Using the Tunnel

In the above screenshots, the target endpoint, a MySQL Database running in the AWS Cloud, was defined and configured on a PAM Machine record. After configuring the tunnel settings, a tunnel has been started on local hostname 127.0.0.1 and local port 59644.

This MySQL Database can then be accessed using a native application of your choice. For example, the MySQL Workbench tool can be used to access the database:

MySQL Workbench with a Local Tunnel

Likewise, the CLI on the local device can initiate a connection to the database using this command:

mysql --host=127.0.0.1 --port=59644 --user=admin --password

Commander CLI

Keeper Commander provides tunneling capabilities in addition to the Keeper Desktop UI.

Related commands:

Example:

My Vault> pam tunnel start s0W1v6R4SUTJYMlu4jTZw
Establishing tunnel between Commander and Gateway. Please wait...

+------------------------------------------------------------------+
| Endpoint pbxV4snkAP9KGCUhSb6aQ==: Listening on: 127.0.0.1:49152 |
+------------------------------------------------------------------+
View all open tunnels   : pam tunnel list
Tail logs on open tunnel: pam tunnel tail pbxV4snkAP9KGCUhSb6aQ==
Stop a tunnel           : pam tunnel stop pbxV4snkAP9KGCUhSb6aQ==
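The Commander output above reports the endpoint id and the local listener that the native client must target. The following added example (not Keeper's own code) parses that status block, checks that the listener is bound to loopback so the tunnel stays local to the device, builds the mysql command from the earlier section against the reported port, and produces the matching "pam tunnel stop" command; the sample text is the page's own output embedded inline.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the "pam tunnel start" output shown on this page.
SAMPLE_OUTPUT = """\
Establishing tunnel between Commander and Gateway. Please wait...

+------------------------------------------------------------------+
| Endpoint pbxV4snkAP9KGCUhSb6aQ==: Listening on: 127.0.0.1:49152 |
+------------------------------------------------------------------+
View all open tunnels   : pam tunnel list
Tail logs on open tunnel: pam tunnel tail pbxV4snkAP9KGCUhSb6aQ==
Stop a tunnel           : pam tunnel stop pbxV4snkAP9KGCUhSb6aQ==
"""

# The boxed status line: endpoint ids are base64-like and may end in '='.
_LISTEN_RE = re.compile(
    r"Endpoint\s+(?P<endpoint>[A-Za-z0-9+/_=-]+):\s*Listening on:\s*"
    r"(?P<host>[0-9.]+):(?P<port>\d{1,5})"
)


@dataclass(frozen=True)
class TunnelEndpoint:
    endpoint: str
    host: str
    port: int


def parse_tunnel_start(output: str) -> TunnelEndpoint:
    """Extract the endpoint id and local listener from 'pam tunnel start' output."""
    m = _LISTEN_RE.search(output)
    if not m:
        raise ValueError("no 'Listening on' line found in Commander output")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return TunnelEndpoint(m.group("endpoint"), m.group("host"), port)


def mysql_command(ep: TunnelEndpoint, user: str) -> list:
    """Build the mysql client argv from the page's example, pointed at the tunnel.
    Refuses a listener that is not loopback so only this device can reach it."""
    if not ipaddress.ip_address(ep.host).is_loopback:
        raise ValueError(f"tunnel listener {ep.host} is not loopback; refusing")
    return ["mysql", f"--host={ep.host}", f"--port={ep.port}",
            f"--user={user}", "--password"]


def stop_command(ep: TunnelEndpoint) -> str:
    """The Commander command that closes this tunnel when the session is done."""
    return f"pam tunnel stop {ep.endpoint}"
```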

Tunnels versus Connections

A tunnel provides a path from the user's local device to the target infrastructure using end-to-end encryption. For security reasons, Keeper does not intercept or interfere with the low-level communications. Therefore, any authentication required by the protocol, such as a password or SSH key, must be available to the user on their local device; Keeper does not intercept the protocol layer.

If tunnels are provided to users along with the necessary credentials, we recommend automatic rotation of the credential to ensure that the credentials are ephemeral and invalidated on a scheduled basis. For more information about rotation, see the Password Rotation section.

KeeperPAM provides two methods of accessing remote infrastructure without the need to share credentials:
