18.2. Configuring gateway authentication

When gateway authentication is required for a connection, the user must authenticate on PSM as well. This additional authentication can be performed:

  • Out-of-band, on the PSM web interface, for every protocol.

  • Inband, using the incoming connection, for the SSH, Telnet, and RDP protocols.

For details about the concepts of gateway authentication, see Procedure 2.13, The gateway authentication process. You can use gateway authentication to authenticate the real person when the user is using a shared account to access the target server.

Note

For SSH, Telnet, and RDP connections, gateway authentication can be performed also inband, without having to access the PSM web interface.

  • For SSH and Telnet connections, inband gateway authentication must be performed when client-side authentication is configured. For details on configuring client-side authentication, see Section 11.3.2, Client-side authentication settings.

  • For RDP connections, inband gateway authentication must be performed when PSM is acting as a Remote Desktop Gateway (or RD Gateway). In this case, the client authenticates to the Domain Controller or a local user database. For details, see Procedure 10.7, Using PSM as a Remote Desktop Gateway.

    In the case of RDP connections, inband gateway authentication can also be performed if an AA plugin is configured.

Note

Gateway authentication can be used together with other advanced authentication and authorization techniques like four-eyes authorization, client- and server-side authentication, and so on.

Warning

If the username used within the protocol to access the remote server is different from the username used to perform gateway authentication (for example, because the user uses a shared account in the remote server, but a personal account for gateway authentication), usermapping must be configured for the connection. For details on usermapping, see Procedure 18.1, Configuring usermapping policies.

Note

To configure a credential store for gateway authentication, see Section 18.4, Using credential stores for server-side authentication.