Containerized Networks

Imprivata Privileged Access Security (PAS) solutions enable users to create secure remote connections to a target customer’s assets, including their infrastructure, applications, and data. During these connections, vendors can run support or maintenance services. The services often require a specific local port for traceability, auditability, security, or functionality purposes. In certain cases, the ports required by the services are blocked by:

  • Other applications using the port

  • Security measures that block the services configured in PAS solutions

To ensure that customers receive vendor support, PAS has developed the Containerized Networks feature. With this feature, the services configured in the PAS solutions use a virtual interface to connect to a service without using a limited loopback interface.

This document contains the requirements to set up the Containerized Networks feature in the service you configure for your customers.

Requirements

Before you use the Containerized Networks feature, consider the following:

  • The feature is only available for Windows-based applications hosted on a Gatekeeper.

  • Your CPAM or VPAM server must be version 25.1.3 or newer.

  • Your CPAM or VPAM server's cfg_property must have the virtualInterfacesEnabled flag set to true.

  • You must have the IP Connect driver installed on the user's computer.

Use the Feature

The Containerized Networks feature works at a customer's Gatekeeper level, where you activate the feature directly in the service that you need. You can set the feature when you create a new service for a customer or edit an existing service to use the feature. To activate the feature, ensure that there are no active sessions to the customer's service and then:

  1. Open the Edit Services page of the Gatekeeper you want to modify.

  2. Select the service you want to change.

  3. Click Edit.

  4. Check Required Local Port.

  5. Click Save.

Confirm that the Containerized Networks feature is running by initiating a connection to the service you changed. In the Session Information page, the interface should belong to the default virtual network (10.6.6.0/24) or the virtual network you configure in your PAS server.
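The following PowerShell sketch is an added example, not Imprivata code, for cross-checking this from the user's computer: it reports which process holds the required local port and whether each listener is bound to loopback or to the virtual network. The port number 1433 is a hypothetical placeholder, and the script assumes the session's listener is visible in the local TCP table of the user's computer.

```powershell
param(
    [int]$Port = 1433,                     # hypothetical required local port
    [string]$VirtualCidr = '10.6.6.0/24'   # default virtual network named in this document
)

# Convert a dotted IPv4 address to its numeric value.
function ConvertTo-UInt32 ([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [array]::Reverse($b)                   # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}

# True when an IPv4 address falls inside the given CIDR block.
function Test-InCidr ([string]$Address, [string]$Cidr) {
    $net, $len = $Cidr -split '/'
    $div = [math]::Pow(2, 32 - [int]$len)  # size of the block
    [math]::Floor((ConvertTo-UInt32 $Address) / $div) -eq
        [math]::Floor((ConvertTo-UInt32 $net) / $div)
}

# 1. Does this computer have an address in the virtual network at all?
$virtual = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { Test-InCidr $_.IPAddress $VirtualCidr }
if ($virtual) {
    "Virtual network address present: $($virtual.IPAddress -join ', ')"
} else {
    "No local address in $VirtualCidr (no active session, or a custom virtual network is configured)"
}

# 2. Who is listening on the required port, and on which kind of address?
Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr  = $_.LocalAddress
        $scope = if ($addr -match ':')                    { 'IPv6' }
                 elseif ($addr -eq '0.0.0.0')             { 'all interfaces' }
                 elseif ($addr -like '127.*')             { 'loopback' }
                 elseif (Test-InCidr $addr $VirtualCidr)  { 'virtual network' }
                 else                                     { 'other interface' }
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $addr
            Port         = $_.LocalPort
            Scope        = $scope
            Process      = $proc.ProcessName
            ProcessId    = $_.OwningProcess
        }
    }
```

A listener reported as "loopback" or "all interfaces" and owned by an unrelated process is the port conflict described at the top of this document.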

IMPORTANT:
When you activate this feature on a service, all the hosts and services in the Gatekeeper will use the Containerized Networks feature.