Fudo Enterprise 5.6 Documentation

Welcome!

The following are the enhancements and modifications introduced in version 5.6 of Fudo Enterprise. Remember to update to the latest available version to benefit from all improvements.

Version 5.6.1 (Latest)

• ROLE-BASED ACCESS CONTROL

  In this Fudo Enterprise version we gladly introduce RBAC (Role-Based Access Control) - feature, which brings significant improvements in access management. List of improvements within RBAC:

  • Creating custom roles – Administrators can create roles with precisely defined permissions tailored to specific tasks, instead of relying solely on the predefined roles as before.
  • Managing selected object types – Roles can be narrowed down to manage only selected types of objects, such as Users, Listeners, Pools, Servers, or Safes.
  • Assigning action scope on objects – Permissions can be limited to specific actions, such as creating, modifying, exporting, deleting, or blocking particular types of objects.
  • Flexibility in assigning permissions – Permissions can be granted globally or selectively, e.g., to all objects of a certain type (e.g., Users, Accounts, or Servers) or only to selected, specific objects.
  • Access management by specific tabs – The ability to create roles with access limited to selected tabs within Fudo Enterprise.
  • Multi-role assignment – Users will be able to receive multiple roles, rather than just one of the six predefined roles as was the case before.

• GROUPS

  We’re introducing a new object—Group—that adds an extra layer of control over resource access. Administrators can now create user groups to grant more precise permissions, ensuring that only authorized users can interact with specific Safes. Additionally, it is now possible to view which Safes a user has access to through the groups they belong to.

• AI SESSION SUMMARY

  Fudo Enterprise 5.6 introduces a beta version of AI-powered summaries for SSH sessions. This feature allows administrators to quickly assess session context without replaying full recordings, improving audit efficiency and reducing manual review time. The feature can be easily configured with AI providers such as OpenAI, Anthropic, or a custom model using a local Ollama framework.

• GRANULAR ACCESS TO REMOTE APPLICATIONS

  To improve access control and reduce surface exposure, this version adds support for restricting users to specific remote applications without granting access to the full desktop environment. This enhancement enables more granular permission management and helps ensure that users interact only with the resources necessary for their roles.

• TUNNEL LISTENERS

  Fudo Enterprise 5.6 introduces a new Listener type that allows establishing an SSH tunnel for more secure connections. With this feature, administrators can safely enable access to protocols that are not encrypted by default, such as Telnet or VNC, while also adding an optional layer of encryption to other supported protocols.

• ADDITIONAL NEW FEATURES AND IMPROVEMENTS:

  • Port Ranges: Added support for configuring Server objects with a port range, simplifying multi-port redirection and reducing manual setup.

  • Added support for configuring an outbound HTTP proxy for authentication-related traffic (OIDC, SMS, DUO). Also usable for timestamping services. Support for more integrations coming in future releases.

  • Added the ability to specify a remote application when establishing a session through the web client.

  • Enhanced MySQL protocol support:

    • Added support for Bastion connections

    • Enabled authentication against the MySQL server

    • Supported all authentication methods, including one-step multi-factor (e.g., password+token)

    • Supported authentication plugins:

      • for communication between Fudo and the database server: mysql_clear_password, mysql_native_password, caching_sha2_password;
      • for communication between the client and Fudo: mysql_clear_password.

  • Reorganized Interface Elements:

    • Export/Import Configuration options have been relocated from the user menu (top-right corner) to System > Configuration for improved visibility and accessibility.
    • The Timestamping settings have been moved from a standalone tab to Settings > System, aligning with other system-level configuration options.
    • The former LDAP Synchronization tab has been replaced with User Directory, reflecting its broader functionality and redesigned layout.
    • A new Object Rights subtab has been added to the editing views of Servers, Accounts, Pools, and Safes. This change, introduced with role-based access control (RBAC), enables administrators to define which users or roles are authorized to manage a given object—supporting more granular delegation of access rights.

  • User mapping in the User Directory has been redesigned — users are now assigned to groups instead of safes. This simplifies configuration and enables more flexible, centralized control over user permissions.

  • Nearly all configuration tabs in Fudo Enterprise have now been fully migrated to the new graphical interface. Each redesigned tab features improved clarity, faster navigation, and consistent behavior. Overview of Updated Tabs:

    • Sessions tab – Redesigned layout with labeled action buttons and a customizable column view. Less-used fields moved under a three-dot menu.
    • System tab – New Configuration subtab for export/import. Diagnostics split into focused subtabs for better clarity.
    • Network Configuration tab – Refreshed visuals and clearer layout for managing interfaces and routes.
    • Reports tab – Unified table view for all report types and schedules. Simplifies configuration and overview.
    • Cluster tab – Split into Create cluster and Join cluster tabs for more intuitive setup.
    • Notifications tab – Updated layout aligned with the new interface style. Improved readability.
    • User Directory tab – Formerly LDAP Synchronization. Restructured with modal windows for cleaner configuration.
    • External Storage tab – Updated to match the modernized UI. Minor usability enhancements.
    • Productivity tab – Updated to match the modernized UI. Minor usability enhancements.

  • The Session Player interface has been refreshed to enhance usability. Key control buttons have been repositioned for improved visibility and a more intuitive playback experience.

  • Enhanced Listener configuration for User Access Gateway. Administrators can now bind Listeners directly to the UAG address, simplifying native client connections and improving flexibility when UAG operates on multiple addresses.

  • Added support for clustered environments in Fudo ShareAccess. When Fudo Enterprise instances are configured in a high-availability cluster, they can now be connected to Fudo ShareAccess as gateway nodes, ensuring redundancy and seamless failover.

  • Added support for mapping OIDC configurations to Fudo domains. This allows assigning an OIDC configuration to a specific domain, resolving conflicts where users with identical user IDs originate from different LDAP/AD synchronizations.

  • Added support for custom TLS certificates in OIDC configuration. Administrators can now specify the CA certificate that signed the OIDC server certificate, provide a custom server certificate, or continue using the system root CA repository as before.

Warning

DISCONTINUED FEATURES:

• Fudo Enterprise 5.6 no longer supports the DHCP.
• Fudo Enterprise 5.6 no longer supports the APIv1. All scripts using this APIv1 should be rewritten to use APIv2.
• API: Grant-related endpoints have been removed in this release. Please update your integrations accordingly. For more information, refer to the updated API documentation.
• API: Disabled access to the /api/v2/diagnostics endpoint.
• Fudo Enterprise 5.6 no longer supports the Application to Application Password Manager.
• Fudo Enterprise 5.5 and 5.6 no longer supports the Mobile Token authentication method used to bind the Fudo Officer mobile application to a User. You must unlink all Fudo Officer bindings from Users configuration before the upgrade.

ANNOUNCEMENTS:

• Fudo Enterprise 5.6 is the last version supporting the gateway and transparent modes in the listeners configuration. Listeners using these modes must be reconfigured to use proxy and bastion modes before upgrading to the next release.
• Fudo Enterprise 5.6 is the last version to support bridge interfaces and network interface cards with bypass mode. These components are tightly coupled with the transparent and gateway modes, which will also be removed in version 5.7. We recommend reviewing your network configuration to ensure compatibility with future versions.
• Support for the Telnet 3270 protocol is under review and may be removed in a release following version 5.6. If this protocol is critical to your environment, please contact Fudo Support for more information.

---

Table of contents

• About documentation
• Layout themes of the Admin Panel
• Introduction
  • System overview
    • Session Monitoring & Recording
    • Secret Management
    • Just-in-Time (JIT) Access
    • Single Sign-On (SSO)
    • Agentless Convenient Access
    • AI-Powered Prevention
    • Productivity Analyzer
    • Rapid Deployment
    • Compliance Support
  • Available GUI Languages
  • Licensing
  • Supported protocols
    • HTTP
    • Modbus
    • MS SQL (TDS)
    • MySQL
    • RDP
    • SSH
    • Telnet 3270
    • Telnet 5250
    • Telnet
    • VNC
    • X11
    • TCP
    • Secret Checkout
  • Deployment scenarios
  • Connection modes
  • User authentication methods and modes
  • Security measures
    • Data encryption
    • Backups
    • Permissions
    • Sandboxing
    • Reliability
    • Cluster configuration
  • Data model
  • Dashboard
    • Widgets
    • Adding, customizing and removind dashlets
    • Hard drives status information
  • Third-Party Licenses
• System deployment
  • Requirements
  • Hardware overview
  • System initiation
    • Virtual machine
  • Accessing Fudo Enterprise Portals
    • Admin Panel
    • User Access Gateway
    • Supported Web Browsers
• Quick start
  • SSH
    • Prerequisites
    • Configuration
    • Establishing connection
    • Viewing user session
  • SSH in bastion mode
    • Prerequisites
    • Configuration
    • Establishing connection
    • Viewing user session
  • SSH in Bastion Mode with Jump Host Option
    • Prerequisites
    • Configuration
    • Establishing a Connection
  • RDP
    • Prerequisites
    • Configuration
    • Establishing an RDP connection with a remote host
    • Viewing user session
  • RDP in bastion mode
    • Prerequisites
    • Configuration
    • Establishing an RDP connection with a remote host
    • Viewing user session
  • Telnet
    • Prerequisites
    • Configuration
    • Establishing a telnet connection with the remote host
    • Viewing user’s session
  • Telnet 5250
    • Prerequisites
    • Configuration
    • Establishing a telnet connection with the remote host
    • Viewing user’s session
  • MySQL
    • Prerequisites
    • Configuration
    • Establishing connection with a MySQL database
    • Viewing user session
  • MS SQL
    • Prerequisites
    • Configuration
    • Establishing connection with a MS SQL database
    • Viewing user session
  • HTTP
    • Prerequisites
    • Configuration
    • Connecting to remote resource
    • Viewing user session
  • VNC
    • Prerequisites
    • Configuration
    • Establishing connection
    • Viewing user session
  • User authentication against external LDAP server
    • Prerequisites
    • Configuration
• Role-Based Access Control (RBAC)
  • Transition to RBAC After Upgrade
    • Understanding Privileges and Capabilities
    • Predefined Roles as a Starting Point
  • Creating Role
  • Assigning Roles to Users
  • Modifying Roles
  • Deleting Roles
  • Typical Role Scenarios and Required Privileges
    • Tab-Level Access Control Matrix
    • Dashboard Widgets Visibility
    • Sessions Tab Permissions
      • Playback and Preview
      • Session Backup
      • Session Management
    • Downloads Tab Permissions
    • Safes Management
    • Discovery Tab Permissions
    • Access Request Permissions
    • Fudo Officer
    • Reports Tab Permissions
• Groups (RBAC)
  • Access Resolution and Prioritization
  • Creating Group
  • Modifying Groups
  • Deleting Groups
• Users
  • Creating a user
  • Editing a user
  • Blocking a user
  • Unblocking a user
  • Deleting a user
  • Authentication failures counter
  • Users Synchronization - User Directory
• Servers
  • Creating a server
    • Creating an HTTP server
    • Creating a Modbus server
    • Creating a MS SQL server
    • Creating a MySQL server
    • Creating an RDP server
    • Creating an SSH server
    • Creating a Telnet server
    • Creating a Telnet 3270 server
    • Creating a Telnet 5250 server
    • Creating a VNC server
    • Creating a TCP server
  • Port Ranges in Server Configuration
    • Configuring a Port Range
    • Server Configuration Prioritization in Case of Conflict
  • Importing a server list from CSV file
  • Editing a server
  • Blocking a server
  • Unblocking a server
  • Deleting a server
• Pools
  • Creating a pool
  • Deleting a pool
• Remote Applications
  • Adding Remote Application
  • Adding Arguments
  • Connecting to Remote Application via Access Gateway
  • Granular Access to Remote Applications
  • Deleting Remote Application
• Accounts
  • Creating an account
    • Creating an anonymous account
    • Creating a forward account
    • Creating a regular account
  • Editing an account
  • Blocking an account
  • Unblocking an account
  • Deleting an account
  • Managing security alerts
    • Triggering password change
    • Ignoring security alert
• Listeners
  • Creating a listener
    • Setting up the SSH listener
    • Setting up the RDP listener
    • Setting up the VNC listener
    • Setting up the HTTP listener
    • Setting up the Modbus listener
    • Setting up the MySQL listener
    • Setting up the TCP listener
    • Setting up the MS SQL listener
    • Setting up the Telnet listener
    • Setting up the Telnet 3270 listener
    • Setting up the Telnet 5250 listener
  • Editing a listener
  • Blocking a listener
  • Unblocking a listener
  • Deleting a listener
• Safes
  • Creating a Safe
  • Editing a safe
  • Blocking a safe
  • Unblocking a safe
  • Deleting a safe
• Discovery
  • Creating a rule
    • Creating a rule for accounts
    • Creating a rule for servers
  • Managing rules
  • Creating a scanner
    • Creating a scanner for Domain Controller Accounts
    • Creating a scanner for Domain Controller Servers
    • Creating a scanner for local accounts
  • Managing scanners
  • Managing discovered accounts
  • Managing discovered servers
• Password changers
  • Password changer policy
    • Defining a password changer policy
    • Editing a password changer policy
    • Deleting a password changer policy
  • Custom password changers
    • Defining a custom password changer
    • Editing a custom password changer
    • Deleting a custom password changer
  • Importing and exporting password changers
    • Exporting a password changer
    • Importing a password changer
  • Connection modes
    • SSH
    • LDAP
    • Telnet
    • WinRM
  • Setting up password changing on a Unix system
• Policies
  • AI module-based policy
  • AI module-based policy examples
  • Regular expression-based policy
• Downloads
  • Sessions
  • Files
• Account activity in the Access Gateway
• Access requests
  • Awaiting requests
  • Active requests
  • Archived requests
• Sessions
  • Filtering sessions
    • Defining filters
    • Managing user defined filter definitions
    • Full text search
  • Viewing sessions
  • Pausing connection
  • Terminating connection
  • Joining live session
  • Sharing sessions
  • Commenting sessions
  • Sessions’ retention lockdown
  • Exporting sessions
    • Export Session File Formats
  • Deleting sessions
  • OCR processing sessions
  • Session data replication
  • Timestamping selected sessions
  • Cancelling sessions timestamping
  • Require approval for access
    • Approving pending user requests
    • Declining pending requests
  • AI Behavioral Analysis in Sessions
  • AI Session Summary [BETA]
• Reports
  • System Reports
  • User Reports: Periodic and On-Demand
  • List of Predefined Reports
  • Subscribing to a Periodic Report
  • Unsubscribing from a recurring report
  • Generating a report on demand
  • Viewing and saving reports
  • Deleting reports
• Productivity
  • Overview
  • Sessions analysis
  • Activity comparison
• Administration
  • System
    • Date and Time
    • SSL Certificates
    • SSH access
    • Sensitive features
    • System Update
      • Updating system
      • Restoring previous system version
      • Deleting upgrade snapshot
    • License
    • Hotfix
    • Diagnostics
    • Configuration encryption
    • Password changers - active cluster node
      • Cluster Password Changers
    • Configuring an HTTP Proxy
  • Login Timeout
  • Network settings
    • Network Interfaces Configuration
      • Managing Physical Interfaces
      • Defining IP Address Using System Console
      • Setting Up A Network Bridge
      • Setting Up Virtual Networks (VLAN)
      • Setting Up Link Aggregation (LACP)
    • Labeled IP Addresses
    • Routing Configuration
    • DNS Configuration
    • ARP Table Configuration
  • Notifications
    • Configuring the SMTP Server
  • Artificial Intelligence (AI)
    • AI Behavioral Analysis
      • Configuring Models Trainers
      • Behavioral Analysis Models
    • AI Session Summary [BETA]
  • Trusted Timestamping
  • Certificate-based authentication scheme
  • Authentication
    • External authentication server definition
    • OpenID Connect authentication definition
    • Global authentication settings
      • Default domain
      • Deny New Connections
      • Password complexity
      • OATH authentication definition
      • SMS authentication definition
      • DUO authentication definition
      • Single Sign On
      • Kerberos authentication settings
  • External passwords repositories
    • CyberArk Credential Provider
    • Thycotic Secret Server
    • Local Administrator Password Solutions (LAPS)
  • Resources
    • RDP/SSH/VNC login screen configuration
    • User portal configuration
      • Login Screen Configuration
      • Predefined Keyboard Layout
  • System Version Restore
  • System Reboot
  • SNMP
    • Configuring SNMP
    • Configuring SNMPv3 TRAP
    • SNMP MIBs
    • Getting SNMP readings using snmpwalk
    • Fudo Enterprise specific SNMP extensions
  • Backup and retention
    • Session data backup
    • Data retention
  • External Storage
    • Configuring External Storage
    • Expanding external storage device
  • Exporting/Importing System Configuration
    • Exporting System Configuration
    • Importing System Configuration
  • Cluster configuration
    • Initiating cluster
    • Adding cluster nodes
    • Editing cluster nodes
    • Deleting cluster nodes
    • Redundancy groups
  • Events log
    • Filtering logs by date and time
    • External syslog servers
    • Exporting events log
  • Changing encryption passphrase
  • Integration with CERB server
  • System maintenance
    • Backing up encryption keys
    • Monitoring system condition
    • Health Check
      • API Health Check
    • Callhome
      • Data Collected by Callhome Service
      • The Benefits of Using Callhome
      • Enable/Disable Callhome
    • Hard drive replacement
    • Resetting configuration to default settings
• Reference information
  • RDP connections broker
  • Log messages
  • Footer Information
• Fudo Officer 2.0
  • Configuration
  • Managing Profiles
    • Add New Profile
    • Switch Profiles
    • Edit Profile
    • Delete Profile
  • Managing Session Requests
    • Awaiting Requests
    • Active Requests
    • Revoking Request
    • Archived requests
  • Settings
    • Biometric Authentication
    • Change PIN code
    • Language
• Fudo ShareAccess
  • Data Model
  • Pairing Fudo Enterprise with Fudo shareaccess
  • License
    • Trial License Activation
    • Requesting a License
    • Uploading License File
  • Manage Fudo ShareAccess Members
    • Inviting Members
    • Verifying Members Status
    • Creating an Account Without an Invitation
    • Revoking Members Status
    • Deleting Members
  • Manage Access to Resources
• Client applications
  • PuTTY
  • Microsoft Remote Desktop
  • TightVNC Viewer
  • SQL Server Management Studio
• Troubleshooting
  • Booting up
  • Connecting to servers
  • Logging to administration panel
  • Session playback
  • Cluster configuration
  • Trusted timestamping
  • Support mode
• Use Cases
  • Two-factor OATH authentication with Google Authenticator
    • Protocols Supporting OATH Authentication Method
    • Configuring the OATH Authentication Method
  • OpenID Connect authentication definition with Microsoft Entra (Azure)
  • Remote Desktop Services configuration on Windows Server for Fudo Enterprise
    • Setup Remote Desktop Services (RDS) on Windows
    • Setup Fudo Enterprise - bastion scenario (recommended)
    • Setup Fudo Enterprise - proxy scenario
  • Managing RDP Server certificates in Windows Server
    • Locating the Server Certificate in Windows Server
    • Providing the CA Certificate
  • Configuring the Single Sign On (SSO)
    • SSO configuration on Windows Server 2019
    • Setup Fudo Enterprise
    • Setup and check user workstation - Windows2010 Client
  • Handling Local Account Password Changes Using a Domain Account with WinRM Password Changer
    • Hostname and DNS Server Configuration
    • Adding a KDC Server
    • Server Configuration
  • Configuring Kerberos Constrained Delegation for MSSQL(TDS) Server
    • Kerberos Authentication Configuration on Windows Server
    • Setup Fudo Enterprise
    • Establish a Connection
  • Establishing Connections to Servers via SSH Tunnel in Fudo Enterprise
    • General Requirements
      • Establishing an SSH Connection
      • Establishing an HTTP Connection
      • Connecting to an Oracle Database
• Frequently asked questions
• Glossary