Reference Guide
Kron PAM Remote Access
Remote Access Configuration in Kron PAM
Remote access configuration is the page where administrators can set the working hours of vendors in Kron PAM.

Before making configurations, you need to add the cloud server name and allow access to Kron PAM from the cloud server.

Add the cloud server name for the link attached to the email. Navigate to Administration > System Config Man when the SMS service is set to the following parameter as the remote access portal (cloud server) address and save.

| Parameter Name | Default Parameter Value | Description |
| --- | --- | --- |
| rap cloud server | http://localhost:7777/connect | This parameter defines the remote access portal address. The parameter can be defined as a URL with IP (e.g., https://34.234.69.53/connect) or as a URL with a domain name (e.g., https://cloudpam.com/connect). |

There are also optional parameters that can be defined to tune the remote access configuration.

| Parameter Name | Default Parameter Value | Description |
| --- | --- | --- |
| rap rdp session duration limit warning before min | 1 | This parameter defines how many minutes before the RDP session expires that the timeout warning will be sent. |
| rap ssh session duration limit warning before min | 1 | This parameter defines how many minutes before the SSH session expires that the timeout warning will be sent. |
| rap token expiration period | 1 | This parameter indicates the lifespan of a token and is used to prevent the creation of long-term invitation links. |
| rap client otp enabled | false | This parameter is used to enable or disable multi-factor authentication (MFA) for the secure remote access login. The default value is false. |
| rap passcode characters count | 12 | This parameter shows how many characters are used in the passcode definition. This parameter's value should be numeric, and the default value is 8. If the system admin defines this parameter as 4 or fewer, the passcode is created with 4 characters. |
| rap passcode only numeric text | true/false | This parameter's value should be a boolean, and the default value is false. If this parameter's value is set as true, the passcode only contains numeric values; however, if this parameter's value is set as false, the passcode contains alphanumeric values. |

The passcodes of remote access requests are sent via email and optionally SMS services. If the SMS service is employed, the SMS parameters related to secure remote access should be defined on the SMS Integrations subscreen of the Integration tab under the System Configuration Management screen. To configure SMS services for secure remote access, please follow the steps explained in the relevant section (Secure Remote Access Integration on KronPAM Administration section on the Reference Guide).

| HTTP SMS Parameters | Example Values |
| --- | --- |
| http url | https://api.sms.com/v1/send sms |
| http method | POST or GET |
| http headers | content-type: text/xml |
| http body | (XML request body, shown below the table) |
| http encoding | UTF-8 |
| http delimiter | & |

```xml
<request>
  <authentication>
    <username>username</username>
    <password>password</password>
  </authentication>
  <order>
    <sender>kron</sender>
    <senddatetime></senddatetime>
    <message>
      <text><![CDATA[
        Dear %usereid%, please use the passcode below during login phase of your secure remote access connection.
        Passcode: %passcode%
        Secure remote access connection (access on web browser): %connurl%
      ]]></text>
      <receipents>
        <number>%phonenumber%</number>
      </receipents>
    </message>
  </order>
</request>
```

| SMPP Integration Parameters | Example Values |
| --- | --- |
| sms channel | smpp |
| ip | localhost |
| password | netright (encrypted) |
| system id | netright |
| source address | 2222 |
| receive timeout | 30 |
| port | 16000 |

Then, allow access from the cloud server to Kron PAM. Edit the Tomcat CORS file with the cloud URL in the web.xml file:

1. Open the web.xml: `vi /pam/gui/conf/web.xml`
2. Fill in the `cors.allowed.origins` field. Example:

```xml
<param-name>cors.allowed.origins</param-name>
<param-value>https://remote.cloudpam.com</param-value>
```

The wildcard allows all access, but this usage is not recommended for production environments.

The remote access invitations can be created by clicking the + Add button. The vendor needs to have single connect rdp client modulevisibility and single connect cli modulevisibility portal rights to make RDP/SSH sessions via secure remote access. The netright license modulevisibility portal right is necessary for the external (RAP only) users. After creating the invitation for the vendor, you can edit and delete the request by clicking the options button to the right of the request. Admins can verify the details of the request by clicking on the request.

To invite a vendor:

1. Navigate to Users > Remote Access Config.
2. Click + Add.
3. Fill in the username/group and device/group, and optionally select whether to use the SMS service for sending remote access requests. Lastly, click Next. If the user doesn't have the required realm rights, a warning pops up and says “The realm right is not sufficient for the selected user(s) or user group(s)”.
4. Fill in the start and end times and select the days. Administrators can also set specific working hours for vendors by enabling Set Time By Day.
5. Click the Save button.

Vendors receive an email with a URL and a passcode. When the working time starts, vendors can click on the URL, enter their passcode first, then enter the Kron PAM user's password, and start working. If the OTP parameter (rap client otp enabled) is set to true, after entering the Kron PAM user's password, the user must enter the OTP value, which is accessible on the Kron PAM mobile client application or email.

The device list is shown on the remote access portal. The user can access the target device by clicking the action button.
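A check for the CORS step above, given here as an added example and not as Kron's own code: it reads a Tomcat web.xml, collects every `cors.allowed.origins` value, and reports the wildcard, non-HTTPS entries and any origin other than the expected cloud server. The sample descriptor is constructed for illustration, and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample shaped like a Tomcat web.xml CorsFilter section (not a real Kron PAM file).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://remote.cloudpam.com, http://remote.cloudpam.com, *</param-value>
    </init-param>
  </filter>
</web-app>"""

def local(tag):
    """Drop the XML namespace so javaee and jakartaee descriptors read the same."""
    return tag.rsplit("}", 1)[-1]

def allowed_origins(web_xml_text):
    """Return the origins listed in every cors.allowed.origins init-param."""
    origins = []
    for el in ET.fromstring(web_xml_text).iter():
        if local(el.tag) != "init-param":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("param-name") == "cors.allowed.origins":
            value = fields.get("param-value", "")
            origins += [o.strip() for o in value.split(",") if o.strip()]
    return origins

def audit(web_xml_text, expected):
    """Return (origin, finding) pairs for entries that should not reach production."""
    findings = []
    for origin in allowed_origins(web_xml_text):
        parts = urlsplit(origin)
        if origin == "*":
            findings.append((origin, "wildcard allows every origin"))
        elif parts.scheme != "https" or not parts.netloc:
            findings.append((origin, "not an https origin"))
        elif parts.path or parts.query or parts.fragment:
            findings.append((origin, "origin must be scheme://host[:port] only"))
        elif origin not in expected:
            findings.append((origin, "not the configured cloud server"))
    return findings

if __name__ == "__main__":
    for origin, finding in audit(SAMPLE_WEB_XML, {"https://remote.cloudpam.com"}):
        print(f"{origin}: {finding}")
```

Pass the set of origins that match the cloud server address configured for the remote access portal; an empty result means only those origins are allowed.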