
PAM PROJECT

How to use BeyondTrust Password Safe


External users using SSL VPN

1
Procedure summary

1. Connect to the solution
2. Verify that your admin account is correctly onboarded
3. Retrieve your admin account password
4. Connect to RDS AWS
5. Access your servers via RDP
6. Access applications

2
Connect to the solution

3
Connect to the solution
• Connect to the Global Protect SSL VPN (accessible here) using your Okta account.

• Once connected, click on the « pam.imerysnet.com » icon on the portal:

If you don’t have the icon, click « Application URL » at the top right of the portal, enter the URL
https://pam.imerysnet.com and click « Go »:

4
Connect to the solution
• You should be redirected to a login page. Provide your Imerys AD regular account’s username*
(ext_XXX) and password, select « dome.imgln.net » or « doma.imgln.net », and click « Log in »:

* If your regular and admin accounts do not share the same naming pattern (for example, regular = ext_XXX and
admin = adm_XXX instead of adm_ext_XXX), this will not work for you. In that case, provide your BeyondTrust
local account credentials here without selecting any domain. Open a case with Imerys support if needed.

5
Connect to the solution
• Once connected, you should see two tiles on the homepage:

6
Verify that your admin account is correctly onboarded*
*Only needed on first connection – can be skipped for future access

7
Verify that your admin account is correctly onboarded

• On first connection, you have to verify that your admin account is correctly onboarded into Password
Safe. To do that, click on « Managed Accounts »:

8
Verify that your admin account is correctly onboarded
• You should see your adm_ account listed in the grid. If not, open a case with Imerys support for
assistance.

9
Verify that your admin account is correctly onboarded

• Click on the three dots on the right, then click on « Test password »:

• You should get the following message. If not, contact Imerys support for assistance.

10
Retrieve your admin account password

11
Retrieve your admin account password
• If you are in the « Managed Accounts » menu, click on the « Key » icon in the left pane, which
will redirect you to Password Safe:

• If you are instead at the main menu, click on the « Password Safe » tile:

12
Retrieve your admin account password
• Click on the « Domain Linked Accounts » tab in the grid that appears:

13
Retrieve your admin account password
• Click on « Click here to return all accounts » in the grey box:

• You should see at least the following line, showing your adm_ account instead of mine:

14
Retrieve your admin account password
• When clicking on the icon, you should be able to retrieve the password of your adm_ account
by selecting « Retrieve Password » (the copy/paste function is available for 20 seconds):

The adm_ account’s password retrieved here is only valid for 24 hours, as it is
automatically rotated by the product every day.

15
Retrieve your admin account password
• After closing the page showing your password, it is important that you « check in » your
request. To do that, click on « Requests » as outlined below:

• You will see that you have one active request:

16
Retrieve your admin account password
• After clicking on the request, make sure to select « Check-in Request ».

17
Connect to RDS HTML5 farm in AWS

18
Connect to RDS HTML5 farm in AWS
CONTEXT

For RDP sessions, Password Safe normally generates custom RDP files that need to be opened on the end user’s
workstation. However, since you are using the SSL VPN to connect to Imerys, this is not feasible in your case.
Instead, you have to use the RDS farm deployed in the Imerys environment, which offers the possibility to open RDS
sessions through HTML5.

PREREQUISITES

Several prerequisites need to be verified in order for you to use this feature. They are listed below:
- You have to be assigned the RDS app in the SSL VPN portal
- Your admin account needs to be entitled to access RDS AWS
- If you need to access servers through RDP, your admin account needs to have the proper permissions on the
target servers. Additionally, the list of corresponding servers has to be sent to Imerys so that they can
be linked to your account in Password Safe
- If you need to access applications (such as SSMS or LAPS), a Cherwell ticket will have to be opened to
request that the network flows between the RDS farm and the target application servers be opened
19
Connect to RDS HTML5 farm in AWS
• Once you have ensured that all prerequisites are met, return to the Global Protect portal, and select « Microsoft
RDS »:

20
Connect to RDS HTML5 farm in AWS
• You will see a login page where you have to enter your admin account username and the password you retrieved
from Password Safe:

21
Access your servers via RDP

22
Access your servers via RDP
• Once authenticated, you will have access to the portal:

• You will see applications that are published on the RDS. If you need to use an application that is not accessible in
the list, please ask your Imerys manager to open a Cherwell ticket about this.

23
Access your servers via RDP
• To access servers via RDP, you have to use the application « Remote Desktop ». Open it, then click on « Show
Options »:

• Click « Open » in the « Connection Settings » menu:

24
Access your servers via RDP
• Click on « This PC » in the left pane, then on « Local Disk (C:) »:

• Double-click on the « autoit » folder and then on the « PasswordSafe-RDP-template » folder:

25
Access your servers via RDP
• Select the file called « RDP Template » and then click on « Open »:

• The « Computer » and « Username » fields of your MSTSC client should now be filled in:

26
Access your servers via RDP
• In the Username field, replace the parts between brackets with the relevant information for your account. For
example, in my case the regular account’s username is tpatel2, and my admin account’s username is adm_tpatel2.
Additionally, both accounts are in the domain dome.imgln.net.

In my case, the Username field would then go from

[dome/doma].imgln.net\[your-regular-account-username]+[dome/doma].imgln.net\[your-admin-account-username]+[your-target-server-hostname]

to

dome.imgln.net\tpatel2+dome.imgln.net\adm_tpatel2+desvaws092

if the server I want to access is desvaws092.

• Click on « Connect ».

Note: You must never check the box « Allow me to save credentials ».
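The Username field format above is easy to get wrong (placeholders left in brackets, the regular account repeated instead of the adm_ account, a wrong domain). The checker below is an added example, not part of this guide or of the BeyondTrust product; it assumes both accounts share one domain, that the admin account starts with adm_ as in the guide’s example, and that the target is a single hostname label.

```python
r"""Checker for the RDP Username field template from slide 26 (added example,
not part of the original guide or of BeyondTrust software).
Template: <domain>\<regular-account>+<domain>\<admin-account>+<target-hostname>
Assumptions not stated on the page: both accounts use the same domain, the admin
account starts with "adm_" (as in adm_tpatel2), and the host is one DNS label.
"""
import re
from dataclasses import dataclass

ALLOWED_DOMAINS = ("dome.imgln.net", "doma.imgln.net")  # offered on slide 4
_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
_HOST_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")


@dataclass(frozen=True)
class RdpUsername:
    domain: str
    regular: str
    admin: str
    host: str

    def render(self) -> str:
        """The exact string to paste into the MSTSC Username field."""
        return f"{self.domain}\\{self.regular}+{self.domain}\\{self.admin}+{self.host}"


def parse_rds_username(value: str) -> RdpUsername:
    """Split a filled-in Username field and reject common mistakes."""
    if "[" in value or "]" in value:
        raise ValueError("bracketed template placeholders were not replaced")
    parts = value.split("+")
    if len(parts) != 3:
        raise ValueError("expected <domain>\\<regular>+<domain>\\<admin>+<host>")
    reg_domain, _, regular = parts[0].partition("\\")
    adm_domain, _, admin = parts[1].partition("\\")
    host = parts[2]
    if reg_domain not in ALLOWED_DOMAINS or adm_domain != reg_domain:
        raise ValueError(f"both domains must be one of {ALLOWED_DOMAINS} and equal")
    if not (_ACCOUNT_RE.match(regular) and _ACCOUNT_RE.match(admin)):
        raise ValueError("account names contain invalid characters")
    if not admin.startswith("adm_") or admin == regular:
        raise ValueError("second account must be the distinct adm_ admin account")
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid target hostname: {host!r}")
    return RdpUsername(reg_domain, regular, admin, host)


def build_rds_username(domain: str, regular: str, admin: str, host: str) -> str:
    """Build the field value from its parts, running the same checks."""
    return parse_rds_username(RdpUsername(domain, regular, admin, host).render()).render()
```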

27
Access your servers via RDP
• You will be prompted for a password. You have to provide the password of your regular account (it should be the
same as the one you are using to connect to Okta):

Note: Again, you must never check « Remember my credentials ».

28
Access your servers via RDP
• Your RDP session should open after this screen:

Note: If you get an error message, please contact Imerys for assistance.
Note 2: Since passwords are rotated every day, you must make sure that you properly close the RDP session after use.
Please also make sure to log out of the RDS portal when you’re done.
Please review this document (requires your Imerys Google account for access) for information and steps to follow
in case of account lock-outs.
29
Access applications

30
Access applications
• You may need to access a specific application using your admin account. If that is the case, make
sure the application is visible in your RDS portal. If not, please review Slide 19.

• As an example, when clicking on « Microsoft SQL Server Management Studio », you will have a tab opening in your
browser:

You will just have to provide the instance name, and you will be able to connect using your admin account.
Note: It will fail if the required port (here 1433 TCP) is not opened between the RDS farm and the target
server. Please review Slide 19 if you are in this case.
