Workflow of TPAM & Safeguard

Can someone please suggest how TPAM or Safeguard works asap? I have a few cases like:

1. Workflow of Target device in TPAM or Safeguard

2. Workflow of change password of target device in TPAM or Safeguard

3. Workflow of account onboarding? Is it via auto discover or via bulk upload or any rule? Need info about 1 Windows, 1 Unix & 1 Network device

Thanks,

Sushant

  • That is quite a lot to try to answer without any knowledge of your understanding of either solution or your requirement.

    So what are you looking for? Information on Safeguard or TPAM?

    You can find the documentation for TPAM at:

    https://support.oneidentity.com/tpam/2.5.922/technical-documents

    These should help with questions around TPAM.

    Not sure what you are asking when you talk about workflow of target device.

    Both TPAM and Safeguard provide the ability to carry out auto-discovery, bulk upload from a CSV or API/scripting to import.

    Workflow to change a password would depend on your requirements. Both solutions allow you to determine how and when passwords are changed and the rules for the creation of the new passwords. They provide the ability to create custom platforms to manage passwords not included in the default list and provide API/CLI to allow you to script password processes.

    I would suggest that you engage with One Identity Pre Sale or Professional Service to assist you, as without understanding of solution operation it is not going to be easy for you to obtain the information you will need to fully answer these types of questions, because there are a large number of possible answers to each based on requirement.

    Tim

  • Thanks Tim for the answer.

    My question for workflow of connection to target device is like this:

    Case: User logs in to the TPAM or Safeguard console, clicks on the connect button --> Session Manager comes into the picture and starts recording --> Session will be established based on internal mechanism

  • Ok, still not 100% sure what you are actually asking here, as at a very high level you are describing the way both products work.

    Both solutions proxy the connection from the user to the target host.

    TPAM uses a native Java client which is launched on the client end. No client is needed, just a local Java runtime. This Java app connects to the front side of the TPAM device that will proxy the session. The TPAM device will create the connection from the back of the proxy using the required protocol - RDP, SSH, etc. The session is recorded on the proxy.

    Safeguard is a little more difficult to describe as it is in effect 2 products (SPP and SPS) and there are 2 ways to initiate a session. To compare to TPAM you would be using the SPS initiated session, where the user requests the session through the SPP (Password manager) and when they click the play button the SPP passes the request to the SPS (Session manager), which initiates the session using the local native client on the user PC. Once again the session is recorded on the proxy.

    Tim

  • Thanks Tim for the clarification. So in TPAM (TPAM uses a native Java client which is launched on the client end) it's a Java client-based app, not a Web console? Once we click on this Java client (I hope, after putting in our credentials) it will connect to the TPAM device or appliance. --> "Proxy the Session"

    Could you please describe what is meant by the front side of the TPAM proxying the session? And then the back of the proxy?

    Is the proxy a device?

    Ok, and in the case of Safeguard what would be the 2nd method to connect to the target host?

     

    Many Thanks,

    Sushant

  • So the Java applet is launched from the TPAM appliance. There is nothing to install on the client PC except the Java run-time environment.

    I assume you know how a proxy works. The session server, which could be a TPAM or Distributed Processing Appliance (DPA), acts as a proxy for the sessions.

    All authentication is via an SSL connection to the TPAM. The TPAM will instruct a session device (could be the actual appliance or a DPA) to handle the session. This session server will then instruct the client PC to make a connection (via port 22) to the front side of the session server and also instruct the session server to make the connection to the target/host. The Java app then receives KVM information.

    Safeguard can use PPM originated sessions or PSM originated sessions. Check out the documentation for both SPP and SPS for a better understanding of how this works.

    Tim

  • Okay, thanks much. Last question please: "the java applet is launched from the TPAM appliance", so every user should get access to the TPAM appliance, and from there they can launch the Java application? The user will log in with his/her credentials to TPAM and only then can they launch the Java app?

  • Yes. There is nothing on the client PC. Until the TPAM instructs the Java applet to start and make the connection to the appliance (TPAM or DPA) that will handle the KVM information for the session, the client cannot start a session via TPAM or a DPA. The instructions to start the Java applet are sent across the SSL link from the TPAM Primary. Only TPAM can launch the Java applet. Credentials to start the session are provided by TPAM.

    All the best

    Tim

  • Thank you very much Tim for your support on this.

    Regards,

    Sushant