HTTP

This chapter contains an example of a basic Fudo PAM configuration for monitoring access to Twitter over HTTPS. In this scenario, the user logs in with their individual login credentials to a monitored Twitter account. The connection will time out after 15 minutes (900 seconds), after which the user must log in again to continue browsing the server's contents.

Warning

HTTP rendering is a CPU-intensive process and may have a negative impact on the system's performance. A physical appliance is recommended for monitoring rendered HTTP connections, with the following limits on the maximum number of concurrent rendered HTTP sessions.

Model    Maximum recommended number of concurrent HTTP sessions*
F100x    2
F300x    5
F500x    10

* The actual value depends on the Fudo PAM instance configuration.

Prerequisites

The following description assumes that the system has already been initiated. For more information on the initiation procedure, refer to the System initiation topic.


Configuration

[Image: ../../_images/data_modeling1.png]

Adding a server

A server is a definition of an IT infrastructure resource that can be accessed over one of the specified protocols.


  1. Select Management > Servers.
  2. Click Add and select Static server.
  3. Provide essential configuration parameters:

Parameter                      Value
General
  Name                         twitter
  Description                  fail
  Blocked                      fail
  Protocol                     HTTP
  HTTP timeout                 900
  Bind address                 10.0.236.70
  Use TLS                      ok
  Legacy ciphers               fail
  Use root store certificates  ok
  CA certificate               Click i to upload a certificate.
Permissions
  Granted users                fail
Server addresses
  Address                      twitter.com
  Port                         443
  Server certificate           Click i to fetch the server's certificate.
  HTTP host                    fail
  Authentication method        Twitter

  4. Click Save.

Adding a user

A user defines a subject entitled to connect to servers within the monitored IT infrastructure. A detailed object definition (i.e. a unique login and domain combination, full name, email address, etc.) enables precise accountability of user actions when the login and password are substituted with a shared account's login credentials.


  1. Select Management > Users.
  2. Click Add.
  3. Provide essential user information:

Parameter                           Value
General
  Login                             john_smith
  Fudo domain                       fail
  Blocked                           fail
  Account validity                  Indefinite
  Role                              user
  Preferred language                English
  Safes                             fail
  Full name                         John Smith
  Email                             john@smith.com
  Organization                      fail
  Phone                             fail
  AD Domain                         fail
  LDAP Base                         fail
Permissions
  Granted users                     fail
Authentication
  Authentication failures           fail
  Enforce static password complexity  fail
  Type                              Password
  Password                          john
  Repeat password                   john

  4. Click Save.

Adding a listener

A listener determines the server connection mode (proxy, gateway, transparent, bastion) as well as its specifics.


  1. Select Management > Listeners.
  2. Click Add.
  3. Provide essential configuration parameters:

Parameter          Value
General
  Name             twitter_listener
  Blocked          fail
  Protocol         HTTP
  Render sessions  ok
Permissions
  Granted users    fail
Connection
  Mode             proxy
  Local address    10.0.236.70
  Port             997
  Use TLS          ok
  Legacy ciphers   ok
  TLS certificate  Click i to generate a certificate.

  4. Click Save.

Adding an account

An account defines the privileged account existing on the monitored server. It specifies the actual login credentials; the user authentication mode: anonymous (without user authentication), regular (with login credentials substitution) or forward (with login and password forwarding); the password changing policy; and the password changer itself.


  1. Select Management > Accounts.
  2. Click Add.
  3. Provide essential configuration parameters:

Parameter                           Value
General
  Name                              twitter_admin
  Blocked                           fail
  Type                              regular
  Session recording                 all
  Notes                             fail
Data retention
  Override global retention settings  fail
  Delete session data               default settings
Permissions
  Granted users                     fail
Server
  Server                            twitter
Credentials
  Domain                            fail
  Login                             YourTwitterAccountUsername
  Replace secret with               password
  Password                          ******
  Repeat password                   ******
  Password change policy            Static, without restrictions

  4. Click Save.

Defining a safe

A safe directly regulates user access to monitored servers. It specifies the available protocol features, policies and other details concerning the relations between users and servers.


  1. Select Management > Safes.
  2. Click Add.
  3. Provide essential configuration parameters:

Parameter           Value
General
  Name              twitter_safe
  Blocked           fail
  Notifications     fail
  Login reason      fail
  Require approval  fail
  Policies          fail
  Note access       No access
  Users             john_smith
Protocol functionality
  RDP               fail
  SSH               fail
  VNC               fail

  4. Select the Users tab.
  5. Click Add user.
  6. Find John and click ..
  7. Click OK.
  8. Select the Accounts tab.
  9. Click Add account.
  10. Find the twitter_admin object and click ..
  11. Click OK.
  12. Click in the Listeners column.
  13. Find the twitter_listener object and click ..
  14. Click OK.
  15. Click Save.
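The safe is where the server, user, listener and account created above are tied together, and a session only works when every link resolves. The following added example (not Fudo PAM code; the dictionary layout and check_safe() are assumptions made for illustration) encodes this chapter's values and reports missing references, a listener whose protocol matches no server behind the safe, and the listener's enabled Legacy ciphers as a caveat.

```python
# Added example, not Fudo PAM code: a consistency check over the object model
# this chapter builds. Field names mirror the tables above; the dictionary
# layout and check_safe() are assumptions made for illustration.

SERVERS = {"twitter": {"protocol": "HTTP", "use_tls": True, "legacy_ciphers": False,
                       "http_timeout": 900, "address": "twitter.com", "port": 443}}
USERS = {"john_smith": {"role": "user", "blocked": False}}
LISTENERS = {"twitter_listener": {"protocol": "HTTP", "mode": "proxy", "port": 997,
                                  "local_address": "10.0.236.70",
                                  "use_tls": True, "legacy_ciphers": True}}
ACCOUNTS = {"twitter_admin": {"type": "regular", "server": "twitter",
                              "session_recording": "all"}}
SAFES = {"twitter_safe": {"blocked": False, "users": ["john_smith"],
                          "accounts": ["twitter_admin"], "listeners": ["twitter_listener"]}}


def check_safe(name, safes=SAFES, users=USERS, accounts=ACCOUNTS,
               listeners=LISTENERS, servers=SERVERS):
    """Return (errors, warnings): errors block any session through the safe,
    warnings are security caveats worth reviewing before going live."""
    errors, warnings = [], []
    safe = safes[name]
    if safe["blocked"]:
        errors.append(f"safe {name} is blocked")
    if not safe["users"] or not safe["listeners"]:
        errors.append(f"safe {name} needs at least one user and one listener")
    for u in safe["users"]:
        if u not in users:
            errors.append(f"user {u} does not exist")
        elif users[u]["blocked"]:
            errors.append(f"user {u} is blocked")
    protocols = set()  # protocols of the servers reachable via this safe's accounts
    for a in safe["accounts"]:
        acct = accounts.get(a)
        srv = servers.get(acct["server"]) if acct else None
        if srv is None:
            errors.append(f"account {a} is missing or points at an unknown server")
            continue
        protocols.add(srv["protocol"])
        if acct["session_recording"] != "all":
            warnings.append(f"account {a} does not record all session data")
    for l in safe["listeners"]:
        lst = listeners.get(l)
        if lst is None:
            errors.append(f"listener {l} does not exist")
        elif lst["protocol"] not in protocols:
            errors.append(f"listener {l} speaks {lst['protocol']} but no account in the safe does")
        elif lst["use_tls"] and lst["legacy_ciphers"]:
            warnings.append(f"listener {l} accepts legacy TLS ciphers from users")
    return errors, warnings
```

With the chapter's values the check returns no errors and one warning, because the listener has Legacy ciphers enabled while the server definition does not.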

Connecting to remote resource

  1. Launch a web browser.
  2. Go to the 10.0.236.70:997 web address (the listener's local address and port).
  3. Enter the user login and password and press the [Enter] key or click the Login button.

Note

If you are authenticating with two factors, enter your static password along with the dynamic factor (token value) in the password field as a single string of characters.

[Image: ../../_images/http_login.png]

  4. Continue browsing the website.

Viewing user session

  1. Open a web browser and go to the Fudo PAM administration page.
  2. Enter the user login and password to log in to the Fudo PAM administration panel.
  3. Select Management > Sessions.
  4. Find John's session and click i.

[Image: ../../_images/http_ongoing.png]
[Image: ../../_images/player_http_session.png]
