Creating a safe

Warning

Data model objects (safes, users, servers, accounts and listeners) are replicated within the cluster, so object instances must not be added separately on each node. If the replication mechanism fails to copy objects to other nodes, contact the technical support department.

  1. Click the + icon in the main menu next to the Safes tab, or
  2. Select Management > Safes and then click Add safe.
../../_images/5-5-add-safe.png
  3. Enter the object’s name.
  4. Select the Blocked option if you want to disable access to the object after it is created.
  5. Click Save to save the object and proceed with further configuration.

GENERAL TAB


  1. In the General tab, in the Connection field, select the Login reason option to display a prompt at login asking the user to enter a login reason.

Note

Login reason is not supported in HTTP connections.

../../_images/5-5-safes-general.png
  2. Select the Session time limit option and enter the number of minutes after which the session will be terminated.
  3. Select the Session inactivity limit option and enter the number of minutes of inactivity after which the session will be terminated.
  4. The OTP in Access Gateway option is enabled by default and is responsible for generating the OTP in the Access Gateway.

Warning

Disabling the OTP in Access Gateway option makes it impossible to connect via the Native Client or the Web Client; access is then possible only through Access requests.

  5. For RDP, VNC and SSH-based safes, select the Web Client option to allow connecting to the session using the built-in browser client.

Note

The Web Client option can’t be enabled when the OTP in Access Gateway option is disabled.

  6. Select the Just in time option and provide the number of voters. This feature allows defining and scheduling the time when a user is allowed to access specific resources for a set period. The user sends requests via the Access Gateway, and the voters accept or reject them in the Admin Panel. Read more about the Just-In-Time feature in the Access requests section.
  7. Select the Require approval option to have the administrator approve each connection to servers accessed through the configured safe. Specify how many minutes the administrator has to approve or reject a request. For more information, refer to the Require approval for access section.
  8. In the Other field, select a Backup target as the destination for storing data. To create a backup target, refer to the Backup and retention section.
  9. From the Note access drop-down list, select the access rights to account-related notes: read, write or none.

Note

Notes can be accessed either from the account edit form

../../_images/5-5-account-notes.png

or in the User Access Gateway.

../../_images/user-portal-note1.png

POLICIES TAB


  1. Go to the Policies tab, and assign the desired security policies by selecting the checkboxes in front of the policies’ names.
../../_images/5-5-safes-policies.png

FUNCTIONALITY TAB


  1. Go to the Functionality tab, and select allowed protocols’ features.
../../_images/5-5-safes-protocol-func.png

Note

Protocol functionality options overview:

  • RDP

    • Audio Input Redirection - Redirects audio input from the client device to the remote desktop, allowing voice input applications to function.
    • Dynamic Virtual Channels - Enables support for multiple virtual channels over a single RDP session. DVC is directly related to GFX driver support. Turn off this option to disable GFX support if you experience performance issues. Disabling this option is also required to restore xrdp compatibility.
    • Clipboard Redirection - Shares clipboard contents between the client and remote desktop, enabling copy-paste functionality.
    • Sound Redirection - Redirects audio output from the remote desktop to the client device.
    • Device Redirection - Allows peripherals (e.g., printers, USB devices, smart cards) connected to the client device to be used within the remote desktop session.
    • Multimedia Redirection - Improves multimedia playback by offloading the decoding process to the client device for smoother video and audio.
    • Suspend - Pauses and saves the current session, allowing it to be resumed later without restarting. With the Suspend option enabled, the session content will not be available for viewing when the user minimizes the client application.
    • Max. Resolution - Sets the maximum resolution for the remote desktop session, affecting display quality and bandwidth usage.
    • Max. Color Depth - Sets the maximum color depth for the remote desktop session, affecting visual quality and bandwidth usage. Caution: Older Windows systems require a color depth lower than 32 bpp, whereas newer versions need 32 bpp. To ensure compatibility, you can assign servers with older Windows versions to separate safes and configure a lower color depth for them while maintaining a 32 bpp limit for newer systems.
    • Common configuration - Allows custom content to be added to the RDP configuration file. For example, to share the /tmp directory, the following line can be included in the generated .rdp file: drivestoredirect:s:/tmp.
  • SSH*

    • SSH Agent Forwarding - Enables the User to utilize the SSH Agent Forwarding option during authentication.
    • Environment - Disabling this option will prevent the passing of environment variables to the server using -o SendEnv=. This option does not block the use of environment variables on the destination server.
    • Port Forwarding - Enables redirecting network traffic from one port to another, allowing secure connections to services behind firewalls or NAT.
    • SCP (Secure Copy Protocol) - Enables secure file transfer between local and remote systems using SSH.
    • Sessions - Disabling this option will prevent the initiation of interactive sessions and the execution of remote commands. Nevertheless, certain options, such as port forwarding, will remain available.
    • SFTP (Secure File Transfer Protocol) - Enables secure file transfer and management over SSH.
    • Shell - Disabling this option will prevent the initiation of interactive sessions. However, it will still be possible to execute remote commands and forward ports.
    • Terminal - Enables pseudo-terminal functionality.
    • X11 - Enables support for X11 protocol.
    • Exec - Enables executing a single command on the remote server without starting an interactive shell session.
  • VNC

    • Client Cut Text - User is allowed to paste text into the VNC server computer.
    • Server Cut Text - User is allowed to copy and paste text from the VNC server computer into the user’s computer.

*For detailed information about SSH functionalities please refer to RFC 4254 - The Secure Shell (SSH) Connection Protocol.
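The Sessions, Shell and Exec options above differ in which RFC 4254 channel and request types they gate. The following Python model is an added example, not the product's own code: it assumes a mapping of each option to the corresponding RFC 4254 request names (plus OpenSSH's agent-forwarding request) and that SCP is treated as an exec request running scp.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SshFunctionality:
    """The SSH functionality checkboxes of a safe (all enabled by default)."""
    agent_forwarding: bool = True
    environment: bool = True
    port_forwarding: bool = True
    scp: bool = True
    sessions: bool = True
    sftp: bool = True
    shell: bool = True
    terminal: bool = True
    x11: bool = True
    exec_cmd: bool = True


# Assumed mapping of simple session-channel requests to safe options
# (request names from RFC 4254; the agent request is OpenSSH's extension).
REQUEST_FLAG = {
    "shell": "shell",
    "pty-req": "terminal",
    "x11-req": "x11",
    "env": "environment",
    "auth-agent-req@openssh.com": "agent_forwarding",
}


def channel_allowed(f: SshFunctionality, channel_type: str) -> bool:
    """Channel open: Sessions gates 'session', Port Forwarding gates TCP channels."""
    if channel_type == "session":
        return f.sessions
    if channel_type in ("direct-tcpip", "forwarded-tcpip"):
        return f.port_forwarding
    return False


def request_allowed(f: SshFunctionality, request: str,
                    subsystem: str = "", command: str = "") -> bool:
    """Channel request on a session channel. With Sessions disabled no session
    channel exists, so every such request is refused; port forwarding is untouched."""
    if not f.sessions:
        return False
    if request == "subsystem":
        return f.sftp if subsystem == "sftp" else False
    if request == "exec":
        # Assumed: scp arrives as an exec request running 'scp', governed by the SCP flag
        if command and command.split()[0] == "scp":
            return f.scp
        return f.exec_cmd
    flag = REQUEST_FLAG.get(request)
    return getattr(f, flag) if flag else False
```

Disabling Sessions refuses every session-channel request while direct-tcpip channels stay open, whereas disabling only Shell still lets exec requests and port forwarding through, matching the two descriptions above.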


USERS TAB


  1. Go to the Users tab to assign users allowed to access accounts assigned to this safe.
  • Click Manage users.
  • Mark the checkbox in front of the users’ names to enable their server access through the monitored safe.
../../_images/5-5-safes-users.png
  • Click Save to close the modal window.

  • To define safe access options for a user, select the checkbox in front of the desired users’ names and click Manage options.

    • Go to the General tab and select the Blocked option if you want to block the users selected in the previous step.
    • Select Reveal password to allow the selected users to use the Secret Checkout feature and view passwords in the Access Gateway.
    ../../_images/5-5-safes-users-general.png
    • Select the Access Time Period tab to fill out the Valid since and Valid to fields with the date and time interval during which the user will be allowed to access servers through the given safe. When the defined date and time arrives, access to the given safe is granted to the user automatically.
    ../../_images/5-5-safes-users-valid-from.png
    • Select Daily Access Policy tab to enable and define time intervals during which the user will be allowed to connect to servers. Just click in the row corresponding to the chosen day of the week to add a range, then click on that range to open the time range edit menu.
    ../../_images/5-5-safes-users-time-policy.png

Note

Access time policy options are disabled when the Just in time option is enabled for the safe.


ACCOUNTS TAB


  1. Select the Accounts tab to add accounts accessible through this safe.
../../_images/5-5-safes-accounts.png
  • Click Manage accounts.
  • Mark the checkbox in front of the accounts’ names to add them.
../../_images/5-5-safes-accounts-manage.png
  • Click Save to close the modal window.
  • Select desired account and click Manage listeners to assign listeners to accounts.
../../_images/5-5-safes-accounts-manage-listeners.png
  • Click Save to close the modal window.

PERMISSIONS AND NOTIFICATIONS TAB


  1. Select Permissions and Notifications tab to assign users allowed to manage this safe and specify notifications that will be enabled for the particular granted user. For more information, please refer to the Notifications section.
  • Click Manage users.
  • Mark the checkbox in front of the users’ names to assign users allowed to manage this safe.
../../_images/5-5-safes-users.png
  • Click Save to close the modal window.
  • To define specific notification types for a user, select the checkbox in front of the desired users’ names and click Manage options.
../../_images/5-5-safes-accounts-notify.png
  • Click Add notification to close the modal window.
  1. Click Save or Save and close to save the safe configuration.
