2.13. Procedure – The gateway authentication process

Purpose: 

When gateway authentication is required for a connection, the user must authenticate on PSM as well.

This additional authentication can be performed:

  • Out-of-band: in a protocol-independent way, on the web interface of PSM.

    That way, connections can be authenticated against the central authentication database (for example, LDAP or RADIUS), even if the protocol itself does not support authentication databases. Also, connections that use general usernames (for example, root, Administrator, and so on) can be tied to real user accounts.

  • Inband: when the protocol allows it, using the incoming connection itself for communication with the authentication database.

    The SSH, RDP, and Telnet protocols allow gateway authentication to be performed inband as well, without having to access the PSM web interface.

    For SSH and Telnet connections, inband gateway authentication must be performed when client-side authentication is configured. For details on configuring client-side authentication, see Section 11.3.2, Client-side authentication settings.

    For RDP connections, inband gateway authentication must be performed when PSM is acting as a Remote Desktop Gateway (or RD Gateway). In this case, the client authenticates to the Domain Controller or a local user database. For details, see Procedure 10.7, Using PSM as a Remote Desktop Gateway.

    In the case of RDP connections, inband gateway authentication can also be performed if an AA plugin is configured.

Figure 2.14. Gateway authentication


Technically, the process of gateway authentication is the following:

Steps: 

  1. The user initiates a connection from a client.

  2. If gateway authentication is required for the connection, PSM pauses the connection.

  3. Out-of-band authentication:

    The user logs in to the PSM web interface, selects the connection from the list of paused connections, and enables it. It is possible to require that the authenticated session and the web session originate from the same client IP address.

    Inband authentication:

    PSM requests the username and optionally the credentials for gateway authentication. The user logs in to the PSM gateway.

  4. The user performs the authentication on the server.

    Note

    Gateway authentication can be used together with other advanced authentication and authorization techniques like four-eyes authorization, client- and server-side authentication, and so on.
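
The out-of-band flow in the steps above, as an added example that is not PSM code: a simplified Python model of a paused connection that a web session can enable only from the same client IP address, binding the general server-side username to the real account that authenticated. All class, method and event names are hypothetical, and the web user is assumed to be already authenticated on the web interface.

```python
import itertools
from dataclasses import dataclass
from typing import Optional

@dataclass
class Connection:
    conn_id: int
    client_ip: str
    server_user: str                     # account on the target, e.g. "root"
    state: str = "PAUSED"                # PAUSED -> ENABLED
    gateway_user: Optional[str] = None   # real account bound by gateway auth

class Gateway:
    """Simplified model of out-of-band gateway authentication (names hypothetical)."""
    def __init__(self, require_same_ip=True):
        self.require_same_ip = require_same_ip
        self._ids = itertools.count(1)
        self.connections = {}
        self.audit = []                  # (event, conn_id, web_user, web_ip)

    def open_connection(self, client_ip, server_user):
        # Steps 1-2: the connection is held until gateway authentication succeeds.
        conn = Connection(next(self._ids), client_ip, server_user)
        self.connections[conn.conn_id] = conn
        return conn

    def enable(self, conn_id, web_user, web_ip):
        # Step 3, out-of-band: web_user is assumed to be already authenticated
        # on the web interface (for example, against LDAP or RADIUS).
        conn = self.connections.get(conn_id)
        if conn is None or conn.state != "PAUSED":
            return False
        if self.require_same_ip and conn.client_ip != web_ip:
            self.audit.append(("DENIED_IP_MISMATCH", conn_id, web_user, web_ip))
            return False
        conn.state, conn.gateway_user = "ENABLED", web_user
        self.audit.append(("ENABLED", conn_id, web_user, web_ip))
        return True

def demo():
    # Constructed sample data; addresses are from the documentation range 192.0.2.0/24.
    gw = Gateway(require_same_ip=True)
    conn = gw.open_connection("192.0.2.10", "root")
    other = gw.enable(conn.conn_id, "bob", "192.0.2.99")    # different client IP
    owner = gw.enable(conn.conn_id, "alice", "192.0.2.10")  # same client IP
    return other, owner, conn, gw.audit

if __name__ == "__main__":
    print(demo())
```

With the same-IP requirement switched off, any authenticated web user could enable the paused connection, so the audit trail would be the only record of who took over the general account.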