Wca 003 Wallix Session Manager

WALLIX CERTIFIED ADMINISTRATOR
WCA
SESSION MANAGER
WALLIX products : WALLIX PAM Bastion features
• Single Sign-On
• Access policies
Session • Session recording
• Pattern detection
Audit-Risk Manager
Compliance
APPLIANCES
PASSWORD WAB
LINUX/UNIX SERVERS
Privileged
Users SESSION Cloud
MANAGER Availability
Access VAULT APPLICATIONS
WINDOWS SERVERS
Manager WEB CONSOLES
Third
parties
SIEM
• Access policies Logs management
Password • Extensible change management

• Generation complexity
Manager • Check-out/check-in workflow
• Password Visualization
© Copyright WALLIX 2
Demo 1-Session
Manager
How does
it work ?
Basic Configuration Gui
Global concepts
Which account can Bastion Target device

be used to connect Primary connection Secondary connection
to the device ?
RDP, SSH,HTTPS RDP, SSH, VNC, RAWTCPIP
TELNET, RLOGIN
User/primary account Secondary/Target account

Accounts
User/primary account
Accounts
mappings
Interactive User/primary
accounts accounts
Interactive
login
Interactive login
Account mapping Account
Global concepts
Authorization
Primary accounts group Target target group
Accounts Accounts mappings
SSH, TELNET
Primary Vmware
SSH
accounts client
• Protocols and subprotocols allowed (RDP,

RDP_CLIPBOARD_DOWN, SSH, etc..) Scenario Accounts Interactive login
• Session recording
• Approval workflow SSH, TELNET
RDP
FTP
SSH startup scenario
client
Global concepts
▪ Steps:
1. Add a user/primary account
2. Add a user/primary account group
3. Add target device
4. Add secondary/target account (Not Mandatory)
5. Add target group
6. Add authorization
QUESTIONS?
MANAGE USER/PRIMARY ACCOUNT WITH
LOCAL AUTHENTICATION
Global concepts
▪ Steps:
5. Add target group
Types of user/primary account group
Primary/user account Group
Local users with external

Local users
authentication
Manager user/primary account group
▪ Add a local account
Manage a user/primary account group
▪ Add a local account with a local authentication
▪ Add a local account with an external authentication
▪ Delete user/primary accounts
Delete
QUESTIONS?
MANAGE PRIMARY USER GROUP
Global concepts
▪ Steps:
5. Add target group
▪ Add a user/primary
account group
▪ Rule examples (regular expressions)
rm\s+.* (detect files deleting)

$filesize:>10m (transfer files bigger that 10M)
$downsize:>100m (download files bigger than 100M)
$acmd:[en:able, sh:ow kerb:eros, access-t:emplate, conf:igure t:erminal] (cisco commands)
Delete a group
Create a time frame

for a user group
QUESTIONS?
MANAGE DEVICES
Global concepts
▪ Steps:
5. Add target group
Manage a device
▪ Add an RDP device
Manage a device
▪ Add an SSH device
Manage a device
▪ Delete devices
Delete a
device
QUESTIONS?
MANAGE SECONDARY/TARGET ACCOUNT :
Global concepts
▪ Steps:
5. Add target group
TYPES OF SECONDARY/TARGET ACCOUNT
Device account
• Linked to a device
Application account
• Linked to an Application
Local domains
Device1
Application1
Device1-LocalDomain1
Application1-LocalDomain1
Application1-LocalDomain2
Why ?
• Every local domain can have a different password change policy
ADD SECONDARY/TARGET ACCOUNT - DEVICE ACCOUNT
Menus from which secondary/target account can be added
Manage a secondary account
Add secondary/target account –

Device account
Manage secondary/target account – Device account
QUESTIONS?
ADD target GROUP
Global concepts
▪ Steps:
5. Add target group
Manage a target group
Add a target group
Manage a target group
Account
userbastion1 RDP: adminwindows1

SSH: adminlinux1
Account mapping
userbastion1 RDP & SSH: userbastion1
Interactive login
userbastion1
RDP: adminwindows1
SSH: adminlinux1
QUESTIONS?
MANAGE AN AUTHORIZATION
Global concepts
▪ Steps:
5. Add target group
Manage an authorization
Add an authorization
Start/stop session
recording
Authorize/deny password
checkout
Start/stop approval
workflow
Manage authorizations
Delete a group
Global concepts
▪ Steps:
5. Add target group
QUESTIONS?
MANAGE A CHECKOUT POLICY
Demo 2- Check Out Policy
with lock
QUESTIONS?
Global concepts
▪ Check-out Policy on the target account

User/primary Secondary/Target
account account
Primary user 1
Check-out Policy
Without Lock Primary user 2
User/primary Secondary/Target
account account
Primary user 1
Check-out Policy
With Lock
Primary user 2
Add a check-out Policy
MANAGE APPLICATION
Global concept
Goals
• Give an access only to an application instead of an
entire session
What's an Application
• A webapp (i.e a browser)
• A think app
QUESTIONS?
Demo 3- Check Application
Manage applications
Bastion Target application
Which account can
Secondary connection
be used to Primary connection
authenticate on the RDP

RDP
application ? Authentication
User/primary account Secondary/Target accounts

Accounts
Accounts mappings User/primary account
Interactive User/primary
Interactive login accounts accounts
Manage applications
Prerequisites:
Enable RDS (Remote Desktop Services) on

the Windows server
Allow the user who opens the RDP session

on the server accessing to the collection
IF Session Probe is enabled :

Publish only cmd.exe and allow all command-line parameters
ELSE :
Publish the application in the collection
QUESTIONS?
Global concepts
▪ Steps:
1. Add an Application
2. Add secondary/target application account (Not Mandatory)
3. Add the target on a target group
Global concepts
▪ Steps:
Manage applications
Add an application not requiring an account or with an interactive account.
Manage applications
Add an application requiring an account
Global concepts
▪ Steps:
Manage applications
Add an application secondary/target account
Manage applications
Add an application secondary/target account
Global concepts
▪ Steps:
Manage applications
▪ Add an application not requiring an account or with an interactive account
Manage applications
Add an application
requiring an account
userbastion1 wca_user
userbastion1 userbastion1
Manage applications
Connection to the application from Bastion GUI
Global concepts
▪ Steps:
QUESTIONS?
Annexes
CONNECTING TO A SERVER USING RDP
Connecting to a server using RDP
▪ Connecting to a server using RDP (Remote Desktop Protocol)
▪ Connecting to a server using RDP (Remote Desktop Protocol)
▪ Account
▪ Account mapping
▪ Interactive
Connecting to a server using RDP from Bastion GUI
Connecting to a server using RDP from Bastion GUI
OTP: One-Time Password
CONNECTING TO AN SSH SERVER
Connecting to a server using SSH
▪ Connecting to an SSH server using Putty
Interactive
Account
Account
mapping
Download and install WALLIX puTTY
CONNECTING TO AN APPLICATION
Connecting To Application
▪ Connection to the application from Bastion GUI
Connecting To Application
▪ Connection to the application using RDP client

Wca 003 Wallix Session Manager

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Wca 003 Wallix Session Manager

Uploaded by

Copyright:

Available Formats

WALLIX CERTIFIED ADMINISTRATOR

Password • Extensible change management

Which account can Bastion Target device

User/primary account Secondary/Target account

Account mapping Account

Primary accounts group Target target group

Accounts Accounts mappings

• Protocols and subprotocols allowed (RDP,

2. Add a user/primary account group

3. Add target device

4. Add secondary/target account (Not Mandatory)

5. Add target group

2. Add a user/primary account group

3. Add target device

4. Add secondary/target account (Not Mandatory)

5. Add target group

Primary/user account Group

Local users with external

▪ Add a local account

▪ Add a local account with a local authentication

▪ Add a local account with an external authentication

▪ Delete user/primary accounts

2. Add a user/primary account group

3. Add target device

4. Add secondary/target account (Not Mandatory)

5. Add target group

▪ Rule examples (regular expressions)

rm\s+.* (detect files deleting)

Create a time frame

2. Add a user/primary account group

3. Add target device

4. Add secondary/target account (Not Mandatory)

5. Add target group

▪ Add an RDP device

▪ Add an SSH device

2. Add a user/primary account group

3. Add target device

4. Add secondary/target account (Not Mandatory)

5. Add target group

Menus from which secondary/target account can be added

Add secondary/target account –

Manage secondary/target account – Device account

2. Add a user/primary account group

3. Add target device

4. Add secondary/target account (Not Mandatory)

5. Add target group

Add a target group

userbastion1 RDP: adminwindows1

userbastion1 RDP & SSH: userbastion1

2. Add a user/primary account group

3. Add target device

4. Add secondary/target account (Not Mandatory)

5. Add target group

2. Add a user/primary account group

3. Add target device

4. Add secondary/target account (Not Mandatory)

5. Add target group

▪ Check-out Policy on the target account

Add a check-out Policy

authenticate on the RDP

User/primary account Secondary/Target accounts

Accounts mappings User/primary account

Enable RDS (Remote Desktop Services) on