Tunnels
Create a secure and encrypted TCP/IP connection to your target endpoint from your Vault
Overview
KeeperPAM Tunnels provide secure, ephemeral connections for accessing infrastructure without requiring a direct network path to the target system. They enable just-in-time access by establishing encrypted tunnels for RDP, SSH, LDAPS, databases, and other protocols. Users can authenticate through the KeeperPAM platform, which brokers the connection and ensures strict policy enforcement. Once a tunnel is activated, users can make use of any native application to communicate with the target infrastructure.
Keeper Tunnels require the native Keeper Desktop App or Commander CLI
How do Keeper Tunnels work?
When starting a tunnel, a local port is opened up on the local device running Keeper Desktop client. Native applications can then communicate to the target from this local port. For more details on the security model, see the Connection and Tunnel Security page.
Why Use Keeper Tunnels?
A common challenge faced by IT Admins, DevOps and development teams is providing remote employees or contractors with access to internal company resources without exposing those resources to external networks. Additionally, remote employees may want to use their desired native applications to access these resources.
Keeper Tunnels solves the above solutions by:
Providing secure, encrypted connection from client to target resource
Allowing users to securely connect to target resource with the native application of choice
Simplifying Configuration - streamline setup and management of secure connection from PAM Record types
Access controls and compliance - centralized management of access controls, ensuring that all connections meet organizational security policies and compliance requirements
Tunnel Enforcement Policies
On the Admin Console, the following Enforcement Policies affect user's permissions to use Keeper Tunnels and need to be enabled.
Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.
Can configure tunnel settings
Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Records Types
Can start tunnels
Allow users to start tunnels on PAM Machine, PAM Directory and PAM Database Record Types
Tunnels can also be enabled on the Keeper Commander CLI using the enterprise-role command:
Enforcement Policy Use Cases
If a user should only have access to start tunnels and not configuring tunnels, then only "Can start tunnels" policy should be enabled for the user.
In addition to starting tunnels, If a user should also have access to configure tunnels, then "Can configure tunnel settings" and "Can Start tunnels" should be enabled for the user.
Installing the Keeper Gateway
The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enabled zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that requires access.
PAM Configuration
The PAM Configuration contains essential information of your target infrastructure, settings and Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required.
PAM Machine, PAM Database, or PAM Directory
Keeper Tunnel is a secure, encrypted TCP/IP connection established between your vault client to the target endpoint. The target endpoint needs to be defined on one of the following PAM Record types:
Windows/MacOS/Linux Machines, EC2 Instances, Azure VMs
MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle
Active Directory, OpenLDAP
Depending on your target endpoint, visit the corresponding PAM Record Type page for more information on setup.
PAM Settings - Tunnel Settings
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Tunnel Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Edit" in the PAM Settings section
Navigate to the "Tunnel" tab in the modal
The above image shows a PAM Database record where:
Tunnel is enabled
Tunnel will be open on localhost to the remote server port 1433
Subsequent tunnels will use the same local port
After navigating to the Tunnel Section on the PAM Settings screen. The following table lists all the configurable fields for Tunnels:
PAM Configuration
Required
This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record
Enable Tunnel
Required When checked, enable tunnels for this record
Generate Local Port
When checked, Keeper will decide which local port to use based on available open ports.
Reuse Last Port
When checked, the last used tunnel port will be reused. This ensures that the port number doesn't change every time.
Remote Tunnel Port
Required
The port which is used to connect from the Keeper Gateway to the target infrastructure. If not specified, the gateway will use the "rotation port" specified in the Keeper record view. If the specified port is in use, Tunnels will fail to start.
Once tunnels have been configured on the PAM Record, your PAM Record will have the "Start Tunnel" button:
Starting a Tunnel
Once tunnels have been configured on the PAM Record, click on "Start Tunnel" button to start a tunnel. The local port number is selected in this case as 51255. Subsequent tunnels for this resource will use the same local port and tunnel.
Using the Tunnel
In the above screenshots, the target endpoint, a cloud database was defined and configured on a PAM Database record. After configuring the tunnel settings, a tunnel has been started on local hostname 127.0.0.1 and local port 51255.
The database can then be accessed by using a native application of choice. For example, you can use DBeaver, MySQL Workbench Microsoft SQL Server Management Studio or even the KeeperDB multi-protocol native database application.
Likewise, using the CLI on the local device can initiate a connection to the database using this command:
Commander CLI
Keeper Commander provides Tunneling capabilities in addition to using the Keeper Desktop UI.
Related commands:
Example:
Passwordless Database Management with KeeperDB Proxy
For database tunnels (MySQL, PostgreSQL, SQL Server, Oracle, etc.), enable KeeperDB Proxy to provide passwordless access. Users simply connect to databases using their preferred native tools - without ever seeing or entering passwords.
Credentials are injected by the Keeper Gateway, never exposed to the user
No copying/pasting passwords into database clients
Session management with idle timeout and duration limits
Choice of static or short-lived credentials available
See KeeperDB Proxy for configuration details.
Tunnels versus Connections
A tunnel provides a path from the user's local device to the target infrastructure using end-to-end encryption. For database connections, we recommend activating KeeperDB Proxy to transparently inject credentials from the gateway and provide a fully passwordless database session.
If tunnels are provided to users along with the necessary credentials, we recommend automatic rotation of the credential to ensure that the credentials are ephemeral and invalidated on a scheduled basis. For more information about rotation, see the Password Rotation section.
KeeperPAM provides several methods of accessing remote infrastructure having full session recording and monitoring, without the need to share credentials:
Keeper Connections can establish interactive recorded sessions across many protocols
Commander CLI pam launch can establish terminal-based SSH and database sessions
Remote Browser Isolation with Autofill can control access to web-based applications
KeeperDB creates fully interactive database sessions in a fully-featured UI
KeeperDB Proxy provides native database sessions with query logging
Last updated