Settings
The System Admin Settings menu provides in-depth configuration of your VPAM server. From this menu, located in the System Admin tab, you can manage your entire server's behavior. This document describes the different configurations available in VPAM System Admin.
To view all the settings, navigate to the System Admin tab and hover over the Settings menu.
The available settings are:
- System Settings
- Plugin Settings
- AD/LDAP Settings
- SAML Settings
- Passwords & Accounts
- System Messages
- Report Distribution Lists
- Mail Settings
- User Fields
- Host Fields
- Field Patterns
- Vendor Connection Forms
- Approvals
- Global Host Groups
- Tunneled Services
- Best Practices Checklist
- Archiving and Pruning
System Settings
The System Settings page enables you to view and add authorized domains, establish a custom form, manage customer credentials, set your server to maintenance mode, set expiration time for a session in your VPAM server, set Best Practices, share audit logs with a syslog server, and change your Connection Manager encryption preference.
The following sections provide details on each section in the System Settings page.

As its name suggests, the Authorized Domains section contains a list of all the domains (@domain.com) that a user's or customer's email can have to access your VPAM server. The system displays these authorized domains in the New Customer and New User forms. Only System Admins can add, remove, and set domains as primary.
To create an authorized domain:
- Click Add Domain.
- Type the domain after the @ symbol. Instead of "@company.com", type "company.com".
- Click Save.
To remove an authorized domain, click Remove in the domain list. The system must have at least one authorized domain at all times, so you can only remove a domain after you have created a new domain and set it as the Primary Domain.
To set a domain as the Primary Domain, click Set in the domain list. The domain moves to the top of the list. The Primary Domain is the default domain used when adding new users.

The Custom Form Settings enable you to set a default Connection Form. See the Vendor Connection Forms section in this document.
To set a Default Connection Form, click the drop-down menu and select the custom form you want to establish as the default.

The Global Connection Notification Email List lets you manage a global list of emails that receive connection notifications and session summary details.
For more information, see Connection Notification Settings.

The Connection Notification Settings section lets you configure how often notification emails are triggered. There are currently two notification modes available:
- The first time a user connects to a session
- Every time a user connects to a session
A session summary is also sent to the configured email list at the end of each session.

Maintenance Mode disables access to the VPAM server to non-administrator users. When you set your VPAM server in Maintenance Mode, the system displays a customizable message that your non-admin users will see when trying to log in to the VPAM server.
Check the Schedule end of maintenance mode at: option to provide access to your users at a specific date and time. If you do not set an end date, a System Admin must Disable the maintenance mode manually in this same page.
The system effectively disables access 10 minutes after you click Save.

The Web Session Expiration enables you to set how long an idle session remains active.

The Best Practices Settings enable you to select the compliance Best Practices for the system to continuously evaluate. For more information on the available best practices, use the following resources:

Syslog Server enables you to export audit and system events via UDP to an external server running the Syslog service. If no port number is specified, UDP port 514 is assumed.
You can specify a port by putting it after the IP address, separated by a colon. In many cases, DNS resolution may not be configured on the VPAM server, so it is often best to avoid using host names when specifying a syslog server.

The Connection Manager Cipher Preference setting enables you to express a preference for the encryption cipher used by the Connection Manager when users connect to VPAM sessions. Since export control may limit the ciphers available to some users, a small number of users may fall back to a cipher with a shorter key length than the expressed preference. VPAM recommends 128-bit AES as a compromise between connection efficiency and security appropriate for most systems.
Plugin Settings
The Plugin Settings provide options for System Admins to configure Privileged Access Management (PAM) provider plugins. On this page, you can start and stop PAM provider plugins, or create a new PAM Server Configuration.

The Privileged Access Management (PAM) Server Configurations are used by PAM provider plugins to connect to remote, third party PAM servers and vaults.
An Administrator can only create Global PAM configurations, which assume that the remote PAM vault is directly accessible by the VPAM Server.
Customer users, particularly Gatekeeper or Application administrators, can create PAM Configurations that use one of their managed Sites as a tunnel for the PAM provider plugin to reach the vault, allowing the VPAM server to use vaults that reside within that Customer's networks and would otherwise be unreachable.
When creating PAM Configurations, administrators need to provide a Name, a Description, and a URL that the plugin uses to make its requests. This endpoint must be accessible from the VPAM server. Along with those configurations, administrators must select a PAM provider plugin that is currently loaded into the server, and configure its required Connection Parameters as specified.
A list of placeholders can be used in the URL and Connection Parameters so that the remote vault can be connected to as needed. To see the list of placeholders, hover over Help.
Placeholders are resolved, each time a credential is requested, according to the service, host and user attempting to access the service. PAM plugins use these values as part of their workflow when connecting to the remote provider.
AD or LDAP Settings
The Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) Settings enable you to set AD or LDAP Credentials from an AD or LDAP provider. This feature facilitates the authentication of your VPAM server users by pulling their identity and credentials from an AD or LDAP provider. Additionally, this page enables you to set a default user role and user group for users that sign in to your VPAM server using the linked AD or LDAP provider.

The Global Properties section enables you to set a default user role and user group for new users that receive access to your VPAM server. Your VPAM server sets the default to Standard User for the user role and defaultUserGroup for their user group. Click Edit to modify these settings.
Read the User Groups and Roles sections of the System Admin Guide to create new user roles and user groups.

The Credentials section enables you to configure the query that the VPAM server should run in your AD or LDAP provider to obtain the users' IDs and credentials.
The AD/LDAP Providers section enables you to link your provider to your VPAM server.
You can add more than one query in more than one provider.
To add an AD/LDAP Provider, you must create a Credential first. This enables the system to link the Credential to your Service Provider.
SAML Settings
The SAML Settings page contains the configuration of SAML in your VPAM server. You can upload your Identity Provider Metadata to configure SAML.
Passwords & Accounts
The Passwords & Accounts page enables you to configure settings for user accounts, passwords, physical devices, Remote Desktop Protocol (RDP), authentication requirements, authorized networks and API Keys.

User Account Settings allows you to:
- Disable Inactive and Not Registered accounts after a custom number of days.
- Notify users about their account disablement.
- Set a number of failed login attempts in a given time before being locked out.
- Set the unlocking of an account to a time limit or a manual override.
- Set the minimum length for a User ID.
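The lockout and unlock rules these settings describe, as an added illustration that is not VPAM's code: a small policy class that locks an account after a configurable number of failures inside a time window, and lifts the lock either after a time limit or only by a manual administrator override. The thresholds, the epoch-second timeline and the method names are assumptions chosen for the example.

```python
class LockoutPolicy:
    """Models the lockout rules among the User Account Settings above.

    `max_attempts` failed logins within `window_seconds` lock the account.
    The lock is lifted after `unlock_after_seconds` (time-limit mode) or,
    when that is None, only by an administrator calling unlock() (manual
    override). Times are plain epoch seconds (an assumption for the example).
    """

    def __init__(self, max_attempts, window_seconds, unlock_after_seconds=None):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.unlock_after_seconds = unlock_after_seconds
        self._failures = {}   # user_id -> timestamps of recent failed logins
        self._locked_at = {}  # user_id -> time the lock was applied

    def is_locked(self, user_id, now):
        locked_at = self._locked_at.get(user_id)
        if locked_at is None:
            return False
        if (self.unlock_after_seconds is not None
                and now - locked_at >= self.unlock_after_seconds):
            self.unlock(user_id)  # time limit elapsed: the lock expires by itself
            return False
        return True

    def record_failure(self, user_id, now):
        """Record a failed login; return True if the account is (now) locked."""
        if self.is_locked(user_id, now):
            return True
        # Only failures inside the sliding window count toward the limit.
        recent = [t for t in self._failures.get(user_id, [])
                  if now - t < self.window_seconds]
        recent.append(now)
        self._failures[user_id] = recent
        if len(recent) >= self.max_attempts:
            self._locked_at[user_id] = now
            self._failures[user_id] = []
            return True
        return False

    def record_success(self, user_id, now):
        """A correct password is refused while locked; otherwise it clears the counter."""
        if self.is_locked(user_id, now):
            return False
        self._failures.pop(user_id, None)
        return True

    def unlock(self, user_id):
        """Administrator manual override (also used when the time limit elapses)."""
        self._locked_at.pop(user_id, None)
        self._failures.pop(user_id, None)


if __name__ == "__main__":
    # Constructed timeline: 3 failures within 10 minutes, unlock after 30 minutes.
    policy = LockoutPolicy(3, 600, unlock_after_seconds=1800)
    t0 = 1_000_000
    for offset in (0, 60, 120):
        print("locked after failure:", policy.record_failure("vendor.rep", t0 + offset))
    print("still locked at +20 min:", policy.is_locked("vendor.rep", t0 + 1200))
    print("locked at +32 min:", policy.is_locked("vendor.rep", t0 + 1920))
```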

Password Settings allow you to set password rules for all user types.
Changes to the system password policy apply to new User accounts, or to Users who reset their password.

Physical Devices Authentication enables you to set a physical device as an authentication factor, instead of or in addition to a password. Physical devices can be keycards or fingerprint readers.

RDP Settings enables you to set the access you have to your customer's assets (specifically drives and printers) during a session. You can also enable your users to override your policy.

To set MFA for the Nexus Application, your users must have access to one of the following MFA methods: mobile authentication via SMS or authentication application, SAML with MFA, or authorized IP network configuration.
Additionally, your VPAM server must be version 19.4 for mobile authentication and authorized IP network configuration or 23.1.12 for SAML with MFA configuration.
Finally, you and your Nexus users must configure MFA authentication at the same time. Otherwise, the connection between the Nexus application, your VPAM, and your Users will break.
Read the MFA for Nexus Users Document before you attempt to configure this option.

The Vendor Representative Settings enable you to Allow Self Registration for vendor reps, as long as they have an email address with an Authorized Domain. Read the Authorized Domain section in the Vendor Management documentation.
You can also configure two optional messages:
- A Post registration message for vendor reps that are awaiting approval from the users you configure in the Email Notification List of the Vendor.
- A Registration failure message for vendor reps that fail to meet the requirements for self-registration (see the Authorized Domains and Disqualified Email Addresses section of Vendor Management).
Configure the Vendor Representative Settings considering the following:
- Require approval for Vendor Reps at Login: Vendor Representatives must request access to the system.
- Require approval for Vendor Reps per Application based on the Application's Department: Vendor Representatives can log in. They must request access for each individual application.
- Require approval for Vendor Reps per Application based on the Vendor's Department: Self registration requires approval before connecting.
- No Vendor Rep Approval: Your server is open to any member with an Authorized Domain.

Authentication Requirements enables you to enforce authentication through:
- Authorized Networks
- Email Verification
- Mobile Authenticator
- Multi-Factor Authentication (MFA) for Nexus Users

Authorized Networks displays all available networks. A user can add a new network or delete an existing network.
System Messages
System Messages enables you to configure messages for your VPAM user and your customers.

The Administrator Notification List is an email address that is used to deliver internal notifications about system events to your system administrators. A distribution list is recommended if you would prefer to notify more than one recipient.

The System Message opens as a banner across the top of the Login page, or optionally on every page. This is useful to notify Users of upcoming system downtime or system policy changes. If you enter a number in Expire message in ____ hours, the System Message automatically disappears after the specified time has elapsed. Click the colored boxes to set the text and background colors of the message. To delete a message, clear the Message area and click Save.

The Login Page Note appears as a notice on the Login page. This is useful to provide information to everyone prior to login. You can use HTML in the note, which is sanitized before display to prevent dangerous tags.

Login Help Contact Information appears as help contact information on the Authorization page, when a key is requested right after a user authenticates at Login, and on the Forgot Password page. This is useful to tell users who to contact in case the authorization key is not received or the password is forgotten. You can use HTML in the contact information, which is sanitized before display to prevent dangerous tags.

The Report A Problem Email feature allows vendor reps to submit any issues they encounter while using VPAM. You can designate a contact email address to receive notifications on problems encountered during sessions directly from the VPAM server.

Support Contact Information allows you to customize the contact information on the footer of the emails sent by the application. The default values are a general VPAM contact email and phone number. You can update one or both values to reflect specific internal support routes, such as a help desk or administrator.

The Vendor Rep Terms and Conditions message appears when a Vendor Rep connects to a Session.

Configure a message for Vendor Reps whose accounts have been disabled, shown when they attempt to log in to the system.
Report Distribution Lists
Your VPAM server enables you to create distribution lists to share specific reports with key people in your organization.
To create a distribution list, click New Report Distribution List. Type the emails of the people who receive the report. When you finish, click Save.
These users will receive reports set in your Reports tab.
Mail Settings
Mail Settings has the connection information for sending email. Only two protocols are supported: SMTP and TLS. Typically SMTP is port 25, and TLS is port 587. SSL (port 465) is not supported since it has been replaced by TLS.
Up to three different mail servers can be configured. The Primary Mail Server is the preferred one. This provides some resilience in the mail delivery service. In case VPAM is not able to connect to the primary server, it uses the First Backup Mail Server to send emails. In case the First Backup Mail Server is not usable, VPAM tries the Second Backup Mail Server instead.
Test emails can be sent from the Mail Settings section. This makes it easy to verify that the mail settings for each server are correct before saving the configuration.
Custom Fields
Custom Fields are created and edited by System Admins to allow additional data to be kept about Users and Hosts.

To create a new Custom Field, click New in the User Fields, Gatekeeper Fields, or Host Fields settings. Complete the form and Save your custom field.

The New Custom Field form has the following configurations:
- Label: The value that is displayed to the user who is editing or viewing the Gatekeeper information.
- Type: The field type to render:
  - Drop-down: A list of pre-defined options.
  - Radio: A list of options from which the user must select one.
  - Text: A field where the user inputs text.
  - Multi-Select: A list of options from which the user may select more than one.
  - Check Box: A boolean option.
- Required: Whether this field is required.
Additionally, the New Custom Field has advanced configuration options:
- Sort Priority: This numeric value is required (default: 10) and is used to order the values on the View and Edit pages. Items are sorted first by this value (smallest to largest) and then in alphabetical order by the Label value.
- Minimum Length: The user input must have at least this many characters. Spaces count as characters.
- Maximum Length: The user input must not be longer than this many characters. Spaces count as characters.
- Regex Pattern: The system administrator may select a Regular Expression Field Pattern from the defined values. See Field Patterns for more information.

Click Edit from the list of Custom Fields to edit an existing Custom Field.

If you click Test this Regex, a separate page opens where you can enter some test text and validate that your Regular Expression works. From this page, click Save new Field Pattern to return to the Add New Field Pattern page.
Field Patterns
Field Patterns are used in multiple areas of the system including Custom Fields and Connection Forms. Field patterns consist of four pieces of information.

The name is used to distinguish between Field Patterns. This human-readable name appears in drop-down selections.

The regular expression is the most important piece of information. Regular Expressions are a very powerful way of matching (or not matching) strings of text based on defined patterns.
Example Pattern | Example Error Message |
---|---|
`^\d+$` | This field can only contain numbers. |
`^[€\$]\d+\.*\d{0,2}$` | Please enter a price in either USD or EUR, like €3 or $5.02. |
`^\d{4}$` | This field must be a four-digit code. |
`(?=.{7})(?:.*?[a-zA-Z]){3}.*` | At least 7 characters, 3 of which must be letters A-Z. |
`^\d{3}-[A-Z]+$` | Customer IDs are 3 numbers, a dash, then some uppercase letters. |

The error message is the text displayed to the user when the pattern does not match.

Pattern Flags are not commonly used.
For more information, see the official Oracle Java documentation site.
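As an added example (not VPAM's own code), the validation a Custom Field performs with Required, Minimum Length, Maximum Length and a Regex Pattern, run against the five Field Patterns in the table above. VPAM points to the Java regex documentation; for these five patterns Python's re module behaves the same, and fullmatch() mirrors Java's whole-input matching. The messages for the Required and length checks are placeholders, since the page defines none.

```python
import re

# The Field Patterns from the table above: name -> (regex, error message).
# The names are assumed labels for this example.
FIELD_PATTERNS = {
    "numbers_only": (r"^\d+$", "This field can only contain numbers."),
    "price": (r"^[€\$]\d+\.*\d{0,2}$",
              "Please enter a price in either USD or EUR, like €3 or $5.02."),
    "four_digit_code": (r"^\d{4}$", "This field must be a four-digit code."),
    "seven_with_letters": (r"(?=.{7})(?:.*?[a-zA-Z]){3}.*",
                           "At least 7 characters, 3 of which must be letters A-Z."),
    "customer_id": (r"^\d{3}-[A-Z]+$",
                    "Customer IDs are 3 numbers, a dash, then some uppercase letters."),
}


def validate_field(value, required=False, min_length=None, max_length=None,
                   pattern=None):
    """Return None if the value is acceptable, else the message to display.

    Mirrors the Custom Field settings: Required, Minimum Length and Maximum
    Length (spaces count as characters, so plain len() is correct) and a
    Regex Pattern chosen from the Field Patterns. An empty optional field is
    accepted without running the length or regex rules.
    """
    if value is None or value == "":
        return "This field is required." if required else None  # placeholder text
    if min_length is not None and len(value) < min_length:
        return f"Must be at least {min_length} characters."  # placeholder text
    if max_length is not None and len(value) > max_length:
        return f"Must be no more than {max_length} characters."  # placeholder text
    if pattern is not None:
        regex, message = FIELD_PATTERNS[pattern]
        # fullmatch() requires the whole input to match, like Java's matches().
        if re.fullmatch(regex, value) is None:
            return message
    return None


if __name__ == "__main__":
    # Constructed inputs. Note that "$5023" passes the price pattern: the
    # `\.*` in the table's regex makes the decimal point optional.
    for sample in ["€3", "$5.02", "5.02", "$5.023", "$5023"]:
        print(repr(sample), "->", validate_field(sample, pattern="price"))
    print(repr("abc1234"), "->", validate_field("abc1234", pattern="seven_with_letters"))
    print(repr("ab12345"), "->", validate_field("ab12345", pattern="seven_with_letters"))
```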
Vendor Connection Forms
Vendor Connection Forms are customizable formats that you create to obtain information from the VPAM user that initiates a connection to an Application and starts a session through the Connection Manager. The format helps you and your customer to track all the connections and sessions between your VPAM server, your VPAM users, and your customers.
To create a connection form, click New and provide a unique name and description for your connection form. After your connection form is created, you can click View to add fields that may or may not have a Field Pattern.
After you finish editing your connection form, navigate to the System Settings to set it as the default.
Approvals and Approval Profiles
When a vendor rep's access has expired, the next time they log in they are placed into an approval queue. This section contains the actions to review and approve requests, and the approval profiles you can configure for your vendors and applications.

To access the approval queue, hover over the Admin menu and locate the Approval Requests option in the drop-down. This page contains three types of approval queues:
- Users Requesting Approval: VPAM users that request approval for access to an application to which they do not have access.
- Vendor Requests: Vendor reps' requests to access the server or an application.
- Application Requests: Vendor reps' or VPAM users' requests to create a new application.
Click Modify Status to approve or deny the requests in each queue. Some requests may have a request message.
For Users and Vendor Requests, you can:
- Enable Access indefinitely
- Enable for a certain time
- Deny User access
You can also send an optional message to the Vendor Rep and your Users depending on your reason for approving or denying access. This message is included in an email notification to the representative.

Approval Profiles are custom forms that administrators and Vendor Reps in the Email Notification List of the Vendor configuration must complete before granting access to applications. To create your own Approval Profiles:
- Create a New Approval Profile with a unique name and description. You can immediately set it as the Default Profile.
- Save the Approval Profile.
After you save this profile, the system enables you to create custom fields and assign Vendors to this profile.
Global Host Groups
The Global Host Groups feature provides the capability to create Global Host Groups that can be applied to Gatekeeper hosts by VPAM System Admins.
When editing a Gatekeeper host, the VPAM Administrator can assign a Global Host Group to the host from the list of Global Host Groups.
When a Vendor Rep connects to a Gatekeeper, they are able to group the hosts together by their Global Host Group, which helps organize Gatekeepers with many hosts, as opposed to simply sorting all hosts alphabetically when grouping is not used.
Users are also able to show/hide groups to display only the groups they are interested in.
Best Practices Checklist
This feature checks and reports the status of several system settings. Each option displays whether or not the recommended setting has been met. An overall score is assigned based on the number of passing checks.
The administrator can accept the current score, or fix the settings with a click on the individual checks.
Once the minimum score has been accepted, whenever a setting is modified in a way that lowers the score below the accepted one, the administrator is notified with a message that remains at the top right of each page. To remove this message, the administrator may click on it and accept the new score.
Administrators can also select the individual compliance levels they want their server to comply with, from different compliance regulations. We try to keep these recommendations up to date with the latest legislation.
Archiving and Pruning Audit Files
Archiving and Pruning enables System Admins to:

The Audit Configuration box shows information about the audit directories:
- Usage: Amount of disk space used by the audit directory.
- Available: Maximum amount of disk space that can be used by the audit directory.
- % Used: Percentage of disk space used by the audit directory.
- Days to Keep: Maximum number of days that an audit file is kept in the directory, after which it is considered old and eligible for pruning.
- Pruning Enabled: Indicates whether pruning is enabled.

In Audit Configuration, click Configure for the corresponding audit:
- Terminal audit for Telnet and SSH protocols.
- Video audit for VNC, Desktop Sharing and RDP protocols.
- Database audit for the Oracle protocol.
A settings pop-up opens. Click the toggles next to each protocol to enable or disable audit. It’s important to note that disabling audit does not disable pruning for that directory.

In Audit Configuration, click Configure for the corresponding audit. A settings pop-up opens:
- Prune Files Older Than: Deletes any files that are older than the specified number of days. If you set this value to 0, it prunes any audit file, regardless of its age.
- Prune Older Audit Files Over: Deletes the oldest files after the directory reaches the specified size in megabytes. It’s crucial to make sure that this value does not exceed the capacity of the file system. This value does not take into account the values from other directories, so the sum of the megabytes configured for all directories should not exceed the capacity of the file system.
- Prune Older Archived Files Over: Same as Prune Older Audit Files Over, but for audit archive directories.
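An added example (not VPAM's code) of how the two pruning settings above interact, plus the check that the per-directory size caps add up to no more than the file system's capacity. The file listing is constructed; "older than" is taken as strictly greater than the configured days, and with 0 configured every file is eligible, as the text states.

```python
MB = 1024 * 1024


class AuditFile:
    """One file in an audit directory (constructed sample data, not VPAM output)."""

    def __init__(self, name, age_days, size_bytes):
        self.name = name
        self.age_days = age_days
        self.size_bytes = size_bytes


def sample_files():
    # Constructed listing of a video audit directory, oldest first.
    return [
        AuditFile("session-0001.rec", 40, 300 * MB),
        AuditFile("session-0002.rec", 20, 300 * MB),
        AuditFile("session-0003.rec", 5, 300 * MB),
        AuditFile("session-0004.rec", 1, 200 * MB),
    ]


def plan_prune(files, prune_older_than_days, prune_over_mb):
    """Return the names of the files the two settings would delete, in order.

    prune_older_than_days: "Prune Files Older Than"; 0 makes every file eligible.
    prune_over_mb: "Prune Older Audit Files Over"; once the directory exceeds this
    size, the oldest remaining files are deleted until it fits.
    """
    doomed, keep = [], []
    for f in files:  # rule 1: age
        if prune_older_than_days == 0 or f.age_days > prune_older_than_days:
            doomed.append(f.name)
        else:
            keep.append(f)
    total = sum(f.size_bytes for f in keep)
    for f in sorted(keep, key=lambda f: f.age_days, reverse=True):  # rule 2: size
        if total <= prune_over_mb * MB:
            break
        doomed.append(f.name)
        total -= f.size_bytes
    return doomed


def caps_fit_filesystem(caps_mb, filesystem_capacity_mb):
    """The caveat above: each directory's cap is independent, so their sum must fit."""
    return sum(caps_mb.values()) <= filesystem_capacity_mb


if __name__ == "__main__":
    print("older than 30 days, cap 10000 MB:", plan_prune(sample_files(), 30, 10000))
    print("older than 30 days, cap 600 MB:  ", plan_prune(sample_files(), 30, 600))
    print("caps fit 100000 MB file system:",
          caps_fit_filesystem({"terminal": 20000, "video": 50000, "database": 40000}, 100000))
```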

In Prune Quick Connect Configuration:
- Prune QC Sessions and History after: Define the number of days after which sessions and history are pruned.
- Prune pending QC Sessions if still pending after: Define the number of days after which pending sessions are pruned.