Creating a forward account

  1. Select Management > Accounts.
  2. Click Add.
../../_images/accounts_view_add.png
  1. Define object’s name.
  1. Select Blocked option to disable account after it’s created.

  1. Select forward from the Type drop-down list.

  2. Select desired session recording option.

    • all - Fudo PAM saves session metadata (basic session information), records raw network traffic (RAW file) and stores session data in internal file format (FBS). The latter enables session playback using the built-in session player, as well as exporting sessions to a selection of video file formats.
    • raw - Fudo PAM saves session metadata (basic session information) and records raw network traffic (RAW file). The raw data can be downloaded but it cannot be played back in graphical form using the built-in session player (session player only depicts the networks packet exchange between the client and the target host).
    • none - Fudo PAM saves only session metadata (basic session information).
  1. Select the OCR sessions option to fully index RDP and VNC sessions contents.

Note

Indexing sessions enables full-text content searching.

../../_images/sessions_search.gif

Warning

OCR is a CPU intensive process and may have negative impact on system’s performance.

  1. Select language used for processing recorded sessions.
  2. In the Notes field, enter a message to User Portal users.
../../_images/add_account_general.png

Note

Account notes can be displayed and edited in the User Portal.

../../_images/user_portal_notes.gif

  1. In the Data retention section, define automatic data removal settings.

    • Select Override global retention settings option to set different retention values for connections established using this account.
    • Change the global parameter value or uncheck the Delete session data option to exclude sessions from retention mechanism.
    • In the Move session data to external storage after, define the number of days after which the session data will moved to external storage device.

  2. In the Permissions section, add users allowed to manage this object.

  3. In the Server section, assign the account to a server by selecting it from the Server drop-down list.

  4. From the Replace secret with drop down list in the Credentials, select desired option.

other account

  • From the Account drop-down list, select account object, whose credentials will be used to authenticate user when establishing connection with monitored server.

Note

The list contains only objects to which you have been given access permissions.

key

  • Click the i icon and select the key type.
  • Click the i icon and browse the file system to find the key definition file.

password

  • Provide account password.
  • Repeat account password.

Note

Two-fold authentication

With two-fold authentication enabled, user is being prompted twice for login credentials. Once for authenticating against Fudo PAM and once again for accessing target system.

To enable two-fold authentication, select password from the Replace secret with drop-down list and leave the password and login fields empty.

password from external repository

  • Select external repository.

Note

Authentication by the server

With the Authentication against server option enabled, Fudo PAM does not verify the correctness of user credentials. Login information is forwarded to the target host, which verifies whether the user is allowed to access it. Verification status is returned to Fudo, which establishes monitored connection. To enable this authentication scenario, select the Authenticate against server option in the Credentials section (available only for SSH servers and RDP hosts with the Enhanced RDP Security (TLS) + NLA security option selected).

../../_images/authenticate_against_server.png

Also note that 2FA/MFA authentication won’t work here. If you create a user with OATH+AD authentication the OATH part is bypassed and only the password is used and sent to the server – Fudo won’t ask for the OATH token in this situation. The same goes for Duo, SMS an any other 2FA user authentication scheme that can be configured in Fudo. This restriction is specific only to forward account types.

  1. Select Forward domain option to have the domain name included in the string identifying the user.
  2. Select SSH Agent forwarding option to authenticate the user against the target host using client’s SSH key.

Note

This option is availble only after selecting an SSH server. Use -A option for connecting to SSH server.

  1. Click Save.

Related topics: