
RDP Rule not showing up in the Portal

I'm struggling with creating a PAM rule (PAM 4.0)

Sorry for the long text, but this might be needed to understand what I'm trying to achieve.

Scenario: External customer logs into PAM from the "External" Domain. Based on the Rule definition he should see only the Servers assigned to his account and be able, e.g., to RDP into his server using an account from the "Internal" Domain. So PAM is proxying the RDP session with a different user the customer doesn't know or have the password for.

 

I have created the credential vault (Windows Active Directory) for Domain "External". Also a credential vault for Domain "Internal", where I have also added an account which PAM will use when proxying the RDP session.

Within the settings I have created the LDAP configuration for Domain "External" and Domain "Internal".

 

So far so good. When I try to create a rule in Command Control with condition:

- create a User Group for Domain "External" which contains the Global Group from the external Domain that the external user account is a member of

- create a Host Group which contains the server (having the Agent installed) the customer should be able to connect

- create a Rule with condition if user in Group (from the "External" Domain) and if command in RDP session, then authorize: yes, second Authentication: no, Session Capture: yes, Application SSO: no, Credential: account from the "Internal" Domain, Run User: account from the "Internal" Domain, Run Hosts: the created Host Group for that customer, Stop if unauthorized.

-> Then I don't get the policy and the RDP connection listed when the "External" customer logs into the Portal

-> When I change the condition to OR Command in RDP session, then I can see the Rule, and the connection to the Windows server with the specified internal account just works fine

-> Obviously OR is wrong, as a second "external" customer would get the same Rule and would be able to connect to the server which should only be assigned to customer1

 

What am I doing wrong? Why can I not see the Rule for external customer1?

Next I tried with the new Access Control:

- I created a resource pool which contains the Windows server (with Agent). The Default Credential is an account out of the "Internal" Domain (which PAM should be using when logging into the server)

- next I created a User Role with the Global Group of the “External” Domain the external customer 1 account is a member of

- I created the assignment with the Windows Agent Resource pool and the "External" User Role and added Direct RDP

-> same problem as with the Rules in Command Control: I don't get this Rule listed when I log in to the PAM Portal with the external customer account

I don't get what I'm doing wrong; please help.

Thanks


    I was able to solve the Command Control Rule issue.

    Problem was the defined Global Group from the external Domain, which had

    %:=~/[distinguished name]/

    instead of 

    %:=~/^distinguished name/i

    However, this still has not solved the issue of achieving the same policy within the Access Control.
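A worked illustration of the group-matching fix described in the reply above, added here as an example and not part of the thread. It uses Python's re module as a stand-in for the Perl-style =~ test in the Command Control rule condition (an assumption about how PAM evaluates it), with a constructed placeholder DN, and goes one step beyond the reply by also showing a pattern anchored at both ends, which stops a like-named group in another forest from satisfying the rule.

```python
import re

# Constructed placeholder DN for the external customer's global group; the
# thread never shows the real value, so this one is assumed.
GROUP_DN = "CN=Customer1,OU=Groups,DC=external,DC=example"

# Four ways of writing the group test. Python's re stands in for the
# Perl-style =~ test used in the rule condition (an assumption about PAM).
PATTERNS = {
    # Square brackets typed literally: the engine reads them as a character
    # class, so the pattern accepts any string containing ONE of those letters.
    "bracketed": re.compile("[" + GROUP_DN + "]"),
    # The DN as a plain regex: case-sensitive and not anchored.
    "unanchored": re.compile(re.escape(GROUP_DN)),
    # The reply's fix: anchored at the start and case-insensitive (the /i flag).
    "anchored_i": re.compile("^" + re.escape(GROUP_DN), re.IGNORECASE),
    # Tighter still: anchored at both ends so only this exact DN qualifies.
    "exact_i": re.compile("^" + re.escape(GROUP_DN) + "$", re.IGNORECASE),
}

# Constructed DNs a directory might hand back for a logged-in user's groups.
CANDIDATES = {
    "exact":        "CN=Customer1,OU=Groups,DC=external,DC=example",
    "lowercase":    "cn=customer1,ou=groups,dc=external,dc=example",
    "other_group":  "CN=Customer2,OU=Groups,DC=external,DC=example",
    "other_forest": "CN=Customer1,OU=Groups,DC=external,DC=example2",
}


def group_matches(pattern_name, candidate_dn):
    """True if the named pattern accepts candidate_dn (an unanchored search,
    as a Perl =~ test behaves unless the pattern itself anchors)."""
    return PATTERNS[pattern_name].search(candidate_dn) is not None


def evaluate(candidate_dn):
    """Outcome of every pattern against one DN, keyed by pattern name."""
    return {name: group_matches(name, candidate_dn) for name in PATTERNS}


def evaluate_all():
    """Outcome matrix for all constructed candidate DNs."""
    return {label: evaluate(dn) for label, dn in CANDIDATES.items()}


if __name__ == "__main__":
    for label, result in evaluate_all().items():
        print(f"{label:13s} {result}")
```

The matrix shows why the original form was unreliable: the unanchored, case-sensitive pattern silently fails when the directory returns the DN in a different case, while a literal bracket expression over-matches almost anything. The ^ plus /i form fixes the case problem, and adding $ closes the remaining gap where a DN that merely begins with the expected value would still be authorized.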

  • Verified Answer


    Hi,

    If Direct RDP, you won't be able to see the Resource lists in the PAM User Portal.

    If RDP via RDP Relay, I believe you need to use the old PAM Console to achieve Resource lists. I have not used the PAM 4.0 new UI to get RDP Relay working so far, but the old way does.

    However, using the new PAM 4.0 WebRDP, you can achieve an RDP session via web browser in either an Agent or Agentless way. Pretty cool!

    Regards,

    Keng