Fudo Enterprise 6.1 - System Documentation

Welcome!

The following are the enhancements and modifications introduced in version 6.1 of Fudo Enterprise. Remember to update to the latest available version to benefit from all improvements.

Version 6.1 (Latest)

In this release, the improvements focus on

• Added support for sudo command control:

  • Added a new sudo policy type for defining allowed sudo command execution rules.

  • Added a sudo plugin that checks sudo commands against the configured policy before execution.

  • Added Fudo Officer notifications for executed sudo commands, available in Fudo Officer 2.3.32 and later.

• Improved Password Vault capabilities:

  • Added password audit for compromised passwords, allowing administrators to upload a password list and warn users when a Password Vault password is found on that list.

  • Added support for SSH key rotation with Secret Changers, including SSH key target configuration and SSH key type selection in Secret Change Policies.

  • Updated related UI terminology from Password Changer to Secret Changer to better reflect support for different secret types.

• Added the Password Vault browser extension for desktop versions of Chrome, Firefox, Edge, and Safari. The extension lets users access and search Password Vault secrets, autofill recognized login forms, request access to restricted secrets, and use granted exclusive checkout directly from the browser.

• Expanded Kerberos authentication support:

  • Added Kerberos authentication for Discovery, Secret Change, and Secret Verification operations.

  • Added support for Kerberos authentication in multi-domain Active Directory environments.

  • Added separate configuration switches for RDP, external authentication, and LDAP synchronization.Added options to disable fallback to NTLM and LDAP simple bind for stricter authentication control.

• Added LDAP channel binding support for User Directory, LDAP Discovery, and LDAP-based Secret Changers.

• Added SCIM 2.0 provisioning support with Fudo as a service provider:

  • Renamed User Directory to User Sources and added a dedicated SCIM Provisioning tab for configuring SCIM integration with external identity providers.

  • Added SCIM API key generation, rotation, and provisioning disable options.

  • Added Managed by information for users and groups, including new columns and filters for identifying objects managed by SCIM, Fudo, or User Directory.

  • Added clearer status and blocking information for SCIM-managed users and groups, including local blocking behavior in Fudo and external management indicators.

• Improved rendered HTTP sessions:

  • Enhanced Kiosk Browser mode with configurable URL bar behavior: hidden, read-only, or editable.

  • Added an optional browser tab limit with a notification that lets users open a link in the current tab when the configured limit is reached.

• Added support for uploading and downloading files in RDP sessions.

• Added Azure Key Vault as a new External Password Repository type.

• Improved LAPS and password operation handling by adding support for modern JSON-based LAPS password formats with fallback to legacy formats, clearer password retrieval errors, enhanced certificate configuration forms, and stronger logging across password change and verification operations.

• Added support for FIDO2 authentication in the Admin Panel and User Access Gateway, enabling users to sign in with registered security keys.

• Improved syslog server configuration:

  • Added TLS support for sending logs to syslog servers over TCP.

  • Added a dedicated Syslog Servers view in the Events Log section for reviewing configured syslog servers and their connection details.

• Improved API key management by adding friendly names, configurable expiration times, and key hints that make it easier to identify existing API keys without revealing the full value.

• Updated the Webclient side toolbar for RDP, SSH, and VNC sessions. The toolbar is now displayed on the right side of the session window with a refreshed visual design.

• Improved cluster network configuration by allowing administrators to choose whether the local bind address should also be used as the node address. This provides greater flexibility for cluster deployments in environments with NAT or custom network routing.

• Improved PDF report generation reliability by replacing the previous HTML-to-PDF conversion mechanism with a dedicated PDF rendering engine.

• Restored visibility of users assigned to a specific external authentication method, making it easier for administrators to review dependencies before managing authentication configuration.

• Enhanced certificate validation for remote server connections to include hostname and address matching when CA verification is enabled, providing more precise server identity matching.

• Restored connectivity validation notifications for DNS and NTP configuration, so administrators are informed when configured servers are unreachable or non-functional.

• Added support for assigning the same anonymous account and tunnel listener combination to multiple Safes. Sessions established through such tunnels are now correctly associated with the user who created the tunnel, while existing restrictions for non-tunnel listener configurations remain enforced.

• Improved bulk operations across tables with object selection options, progress visibility, and clear completion status with issue details when needed.

• Added new columns to the user list: Auth Methods, External Authentications, and Managed by, making authentication details and management source easier to review directly from the table.

• Improved AI model synchronization in clustered environments to ensure trained models remain available across nodes after rollbacks and when new nodes join a cluster.

• Added timestamp verification scripts to TGZ session downloads for Windows and macOS, enabling users to verify session timestamping information.

• Added DMZ Gateway as a virtual appliance for Reverse Proxy deployments, available on customer request. Customers can deploy a dedicated FreeBSD-based VM image on their hypervisor to expose sshd(8), which Fudo uses to establish a reverse SSH tunnel.

• Added SBOM generation capability, allowing a Software Bill of Materials for Fudo components to be provided upon customer request.

• Upgraded the operating system base to FreeBSD 14.4.

• Upgraded OpenSSH to version 10.2.

• Added TLS 1.3 support for management, UAG, ShareAccess, and Fudo Officer connections to improve compatibility with modern security standards.

• Updated SSH message authentication algorithm configuration by moving UMAC-64 and UMAC-64-ETM to legacy options, preserving backward compatibility with existing SSH implementations while keeping the primary algorithm list aligned with current security recommendations.

• ShareAccess improvements:

  • Improved the Gateway pairing process with Fudo Enterprise by adding clearer setup guidance and validation of key requirements before the connection is established.

  • Connect Region selection for Gateways with latency measurement and automatic indication of the fastest available region.

  • Support for Server Pools synchronized from Fudo Enterprise.

  • Changed domain verification during organization onboarding from mandatory to optional.

---

Table of Contents

• About Documentation
• Layout Themes of the Admin Panel
• Introduction
  • System Overview
    • Session Monitoring & Recording
    • Secret Management
    • Just-in-time (JIT) Access
    • Single Sign-on (SSO)
    • Agentless Convenient Access
    • Ai-powered Prevention
    • Productivity Analyzer
    • Rapid Deployment
    • Compliance Support
  • Available GUI Languages
  • Licensing
  • Supported Protocols
    • HTTP
    • Modbus
    • MS SQL (TDS)
    • MySQL
    • PostgreSQL
    • RDP
    • SSH
    • Telnet 3270
    • Telnet 5250
    • Telnet
    • VNC
    • X11
    • TCP
    • Secret Checkout
  • Deployment Scenarios
  • Connection Modes
  • User Authentication Methods and Modes
  • Security Measures
    • Data Encryption
    • Backups
    • Permissions
    • Sandboxing
    • Reliability
    • Cluster Configuration
  • Data Model
  • Dashboard
    • Widgets
    • Adding, Customizing and Removind Dashlets
    • Hard Drives Status Information
  • Third-Party Licenses
• System Deployment
  • Requirements
  • Hardware Overview
  • System Initiation
    • Virtual Machine
  • Accessing Fudo Enterprise Portals
    • Admin Panel
    • User Access Gateway
    • Supported Web Browsers
• Quick Start
  • SSH
    • Prerequisites
    • Configuration
    • Establishing Connection
    • Viewing User Session
  • SSH in Bastion Mode
    • Prerequisites
    • Configuration
    • Establishing Connection
    • Viewing User Session
  • SSH in Bastion Mode with Jump Host Option
    • Prerequisites
    • Configuration
    • Establishing a Connection
  • RDP
    • Prerequisites
    • Configuration
    • Establishing an RDP Connection with a Remote Host
    • Viewing User Session
  • RDP in Bastion Mode
    • Prerequisites
    • Configuration
    • Establishing an RDP Connection with a Remote Host
    • Viewing User Session
  • Telnet
    • Prerequisites
    • Configuration
    • Establishing a Telnet Connection with the Remote Host
    • Viewing User’s Session
  • Telnet 5250
    • Prerequisites
    • Configuration
    • Establishing a Telnet Connection with the Remote Host
    • Viewing User’s Session
  • PostgreSQL
    • Prerequisites
    • Architecture Overview
    • Configuration Steps
    • Establishing PostgreSQL Connection
  • MySQL
    • Prerequisites
    • Configuration
    • Establishing Connection with a MySQL Database
    • Viewing User Session
  • MS SQL
    • Prerequisites
    • Configuration
    • Establishing Connection with a MS SQL Database
    • Viewing User Session
  • HTTP
    • Prerequisites
    • Configuration
    • Connecting to Remote Resource
    • Viewing User Session
  • VNC
    • Prerequisites
    • Configuration
    • Establishing Connection
    • Viewing User Session
• Sessions
  • Filtering Sessions
    • Defining Filters
    • Saving Custom Filters
    • Applying Custom Filters
    • Editing Custom Filters
    • Disabling Filters
    • Deleting Custom Filters
    • Full Text Search
  • Viewing Sessions
  • Pausing Connection
  • Terminating Connection
  • Joining Live Session
  • Sharing Sessions
  • Commenting Sessions
  • Sessions’ Retention Lockdown
  • Exporting Sessions
    • Export Session File Formats
  • Deleting Sessions
  • OCR Processing Sessions
  • Session Data Replication
  • Session Timestamping
  • Require Approval for Access
    • Approving Pending User Requests
    • Declining Pending Requests
  • AI Behavioral Analysis in Sessions
  • Ai Session Summary [BETA]
• Access Requests
  • Awaiting Requests
  • Active Requests
  • Archived Requests
• Reports
  • System Reports
  • User Reports: Periodic and On-Demand
  • List of Predefined Reports
  • Subscribing to a Periodic Report
  • Unsubscribing from a Recurring Report
  • Generating a Report on Demand
  • Viewing and Saving Reports
  • Deleting Reports
• User Management
  • Users
    • Creating a User
    • Editing a User
    • Blocking a User
    • Unblocking a User
    • Deleting a User
    • Authentication Failures Counter
  • Groups (RBAC)
    • Access Resolution and Prioritization
    • Creating Group
    • Modifying Groups
    • Deleting Groups
  • Role-Based Access Control (RBAC)
    • Transition to RBAC After Upgrade
      • Understanding Privileges and Capabilities
      • Predefined Roles as a Starting Point
    • Creating Role
    • Assigning Roles to Users
    • Modifying Roles
    • Deleting Roles
    • Typical Role Scenarios and Required Privileges
      • Tab-Level Access Control Matrix
      • Dashboard Widgets Visibility
      • Sessions Tab Permissions
      • Downloads Tab Permissions
      • Safes Management
      • Discovery Tab Permissions
      • Access Request Permissions
      • Fudo Officer
      • Reports Tab Permissions
      • Sudo Policy Permissions
• Session Management
  • Servers
    • Creating a Server
      • Creating an HTTP Server
      • Creating a Modbus Server
      • Creating a MS SQL Server
      • Creating a MySQL Server
      • Creating a PostgreSQL Server
      • Creating an RDP Server
      • Creating an SSH Server
      • Creating a Telnet Server
      • Creating a Telnet 3270 Server
      • Creating a Telnet 5250 Server
      • Creating a VNC Server
      • Creating a TCP Server
    • Port Ranges in Server Configuration
      • Configuring a Port Range
      • Server Configuration Prioritization in Case of Conflict
    • Use SSH Tunnel - SSH Reverse Tunnel Server Configuration
    • Importing a Server List from CSV File
    • Editing a Server
    • Blocking a Server
    • Unblocking a Server
    • Deleting a Server
  • Pools
    • Creating a Pool
    • Deleting a Pool
  • Accounts
    • Creating an Account
      • Creating an Anonymous Account
      • Creating a Forward Account
      • Creating a Regular Account
    • Editing an Account
    • Blocking an Account
    • Unblocking an Account
    • Deleting an Account
    • Managing Security Alerts
      • Triggering Secret Change
      • Ignoring Security Alert
  • Listeners
    • Creating a Listener
      • Setting up the SSH Listener
      • Setting up the RDP Listener
      • Setting up the VNC Listener
      • Setting up the HTTP Listener
      • Setting up the Modbus Listener
      • Setting up the MySQL Listener
      • Setting up the PostgreSQL Listener
      • Setting up the TCP Listener
      • Setting up the MS SQL Listener
      • Setting up the Telnet Listener
      • Setting up the Telnet 3270 Listener
      • Setting up the Telnet 5250 Listener
    • Editing a Listener
    • Blocking a Listener
    • Unblocking a Listener
    • Deleting a Listener
  • Safes
    • Creating a Safe
    • Editing a Safe
    • Blocking a Safe
    • Unblocking a Safe
    • Deleting a Safe
  • Discovery
    • Creating a Rule
      • Creating a Rule for Accounts
      • Creating a Rule for Servers
    • Managing Rules
    • Creating a Scanner
      • Creating a Scanner for Domain Controller Accounts
      • Creating a Scanner for Domain Controller Servers
      • Creating a Scanner for Local Accounts
    • Managing Scanners
    • Managing Discovered Accounts
    • Managing Discovered Servers
  • Remote Applications
    • Adding Remote Application
    • Adding Arguments
    • Connecting to Remote Application via Access Gateway
    • Granular Access to Remote Applications
    • Deleting Remote Application
  • Policies
    • Regular Expression-Based Policy
    • Ai Module-Based Policy
    • Ai Module-Based Policy Examples
    • AI Session Summary Policy
      • Policy Configuration
      • How It Works
    • Sudo Command Control Policy
      • How Sudo Command Control Works
      • Setting up Fudo for Sudo Control
      • Sudo Policy Configuration
      • Sudo Plugin Installation
  • Downloads
    • Sessions
    • Files
  • Productivity
    • Overview
    • Sessions Analysis
    • Activity Comparison
• Password Vault
  • Overview
    • Architecture Overview – Security Model
    • Password Vault Structure
    • Event Logging and Audit Trail
  • Collections
    • Creating Collections
    • Nesting Collections
    • Accessing Collection Editing
      • Edit Collection Panel
    • Assigning Users and Groups to Collections
    • Managing Collection Object Rights
      • Assigning Object Rights to Users
      • Assigning Object Rights to Roles
    • Collection Notifications
    • Deleting Collections
  • Secrets
    • Creating Secrets
    • Importing Secrets
    • Accessing Secret Editing
      • Edit Secret Panel
    • Moving Secrets Between Collections
    • Deleting Secrets
    • Assigning Password Vault Secrets to Accounts
  • Secret Access Monitoring
    • Event Types and Status Indicators
    • Filtering and Reviewing Events
  • Compromised Passwords
    • How It Works
    • Accessing Compromised Passwords Settings
    • Uploading a Compromised Password List
    • File Format Requirements
      • Plaintext Password Files
      • SHA-1 Hash Files
    • Scan Results
    • Managing Uploaded Files
  • Secret Changers
    • Secret Changer Policy
      • Defining a Secret Changer Policy
      • Editing a Secret Changer Policy
      • Deleting a Secret Changer Policy
    • Custom Secret Changers
      • Defining a Custom Secret Changer
      • Editing a Custom Secret Changer
      • Deleting a Custom Secret Changer
    • Importing and Exporting Secret Changers
      • Exporting a Secret Changer
      • Importing a Secret Changer
    • Connection Modes
      • SSH
      • LDAP
      • Telnet
      • WinRM
    • Setting up Secret Changing on a Unix System
• Settings
  • System
    • Date and Time
    • SSL Certificates
    • SSH Access
    • Configuration Encryption
    • SNMP
      • Configuring SNMP
      • Configuring SNMPv3 TRAP
      • SNMP MIBs
      • Getting SNMP readings using snmpwalk
      • Fudo Enterprise Specific SNMP Extensions
    • Trusted Timestamping
    • Secret Changers - Active Cluster Node
      • Cluster Secret Changers
    • Sensitive Features
    • Configuring an HTTP Proxy
    • System Update
      • Updating System
      • Restoring Previous System Version
      • Deleting Upgrade Snapshot
    • Hotfix
    • License
    • Diagnostics
    • Exporting/Importing System Configuration
      • Exporting System Configuration
      • Importing System Configuration
  • Network Settings
    • Reverse Proxy
      • Prerequisites
      • Configuration Steps
      • User Access Gateway Connections
      • Enabling and Disabling Reverse Proxy
      • Reverse Proxy Status Indicators
      • SSH Tunnel Operation
      • Workflow Recommendation
      • Internal Routing Behavior
      • Security Considerations
      • Troubleshooting
    • Network Interfaces Configuration
      • Managing Physical Interfaces
      • Defining IP Address Using System Console
      • Setting up Virtual Networks (VLAN)
      • Setting up Link Aggregation (LACP)
    • Labeled IP Addresses
    • Routing Configuration
    • DNS Configuration
    • ARP Table Configuration
  • Notifications
    • Configuring the SMTP Server
  • Artificial Intelligence (AI)
    • AI Behavioral Analysis
      • Configuring Models Trainers
      • Behavioral Analysis Models
    • AI Session Summary [BETA]
  • Authentication
    • External Authentication Server Definition
      • Active Directory
      • LDAP
      • Cerb
      • Radius
      • Assigning an External Authentication Method to a User
      • Second Authentication Factor
    • OpenID Connect Authentication Definition
    • Global Authentication Settings
      • Default Domain
      • Deny New Connections
      • Password Complexity
      • OATH Authentication Definition
      • SMS Authentication Definition
      • DUO Authentication Definition
      • Single Sign On
      • Kerberos Authentication Settings
  • External Passwords Repositories
    • CyberArk Credential Provider
    • Thycotic Secret Server
    • Local Administrator Password Solutions (LAPS)
  • External Storage
    • Configuring External Storage
  • Resources
    • RDP/SSH/VNC Login Screen Configuration
    • User Portal Configuration
      • Login Screen Configuration
      • Predefined Keyboard Layout
  • Backup and Retention
    • Session Data Backup
    • Data Retention
  • Cluster Configuration
    • Session Data Replication and Behavior in the Event of a Node Failure
    • Cluster Initialization
    • Adding Cluster Nodes
      • Cluster Initialization and Adding Nodes
      • Setting Relationships Between Nodes
      • Linking Nodes with the Initial Node
      • Cluster Initialization Completion Verification
    • Cluster Expansion with New Nodes
    • Editing Cluster Nodes
    • Removing Cluster Nodes
      • Removing a Node from the Cluster
      • Rejoining a Removed Node
    • Redundancy Groups
    • Checking Session Replication Status
  • Users Synchronization - User Directory
    • Configuring Users Synchronization Service
    • Disabling Data Synchronization for User
    • Kerberos Support for Active Directory
  • Certificate-based Authentication Scheme
  • Login Timeout
  • System Version Restore
  • System Reboot
  • Changing Encryption Passphrase
  • Integration with CERB Server
  • System Maintenance
    • Backing up Encryption Keys
    • Monitoring System Condition
    • Health Check
      • API Health Check
    • Callhome
      • Data Collected by Callhome Service
      • The Benefits of Using Callhome
      • Enable/Disable Callhome
    • Hard Drive Replacement
    • Resetting Configuration to Default Settings
• Events Log
  • Filtering Logs by Date and Time
  • External Syslog Servers
  • Exporting Events Log
• Account Activity in the User Access Gateway (UAG)
• Reference Information
  • RDP Connections Broker
  • Log Messages
  • Footer Information
• Fudo Officer 2.3
  • Configuration
  • Managing Profiles
    • Add New Profile
    • Switch Profiles
    • Edit Profile
    • Delete Profile
  • Managing Session Requests
    • Awaiting Requests
    • Active Requests
    • Revoking Request
    • Archived Requests
  • Notifications
    • Configuring Application Notifications
  • Settings
    • Biometric Authentication
    • Change PIN Code
    • Two-Factor YubiKey Authentication
    • Language
• Fudo ShareAccess
  • Data Model
  • Pairing Fudo Enterprise with Fudo Shareaccess
  • License
    • Trial License Activation
    • Requesting a License
    • Uploading License File
  • Manage Fudo ShareAccess Members
    • Inviting Members
    • Verifying Members Status
    • Creating an Account Without an Invitation
    • Revoking Members Status
    • Deleting Members
  • Manage Access to Resources
• Client Applications
  • PuTTY
  • Microsoft Remote Desktop
  • TightVNC Viewer
  • SQL Server Management Studio
• Troubleshooting
  • Booting Up
  • Connecting to Servers
  • Logging to Administration Panel
  • Session Playback
  • Cluster Configuration
  • Trusted Timestamping
  • Sudo Plugin Issues
  • Support Mode
• Use Cases
  • Two-Factor OATH Authentication with Google Authenticator
    • Protocols Supporting OATH Authentication Method
    • Configuring the OATH Authentication Method
  • OpenID Connect Authentication Definition with Microsoft Entra (Azure)
  • Remote Desktop Services Configuration on Windows Server for Fudo Enterprise
    • Setup Remote Desktop Services (RDS) on Windows
    • Setup Fudo Enterprise - Bastion Scenario (Recommended)
    • Setup Fudo Enterprise - Proxy Scenario
  • Custom RDP Hostname in the Session Title
    • DNS Configuration in Windows DNS Manager
    • Fudo Enterprise Configuration
    • Start RDP Connection
    • Result
  • Managing RDP Server Certificates in Windows Server
    • Locating the Server Certificate in Windows Server
    • Providing the CA Certificate
  • Configuring the Single Sign On (SSO)
    • SSO Configuration on Windows Server 2019
    • Setup Fudo Enterprise
    • Setup and Check User Workstation - Windows2010 Client
  • Handling Local Account Password Changes Using a Domain Account with WinRM Secret Changer
    • Hostname and DNS Server Configuration
    • Adding a KDC Server
    • Server Configuration
    • Adding a Secret Change Policy
    • Administrator Account
    • Account for Which the Password Will Be Changed
  • Configuring Kerberos Constrained Delegation for MSSQL(TDS) Server
    • Kerberos Authentication Configuration on Windows Server
    • Setup Fudo Enterprise
    • Establish a Connection
  • Establishing Connections to Servers via SSH Tunnel in Fudo Enterprise
    • General Requirements
      • Establishing an SSH Connection
      • Establishing an HTTP Connection
      • Connecting to an Oracle Database
      • Connection to a Server with Reverse Tunnel via Tunnel-type Listener
• Frequently Asked Questions
• Glossary