[MUSIC PLAYING] Hello and welcome to this little video. My name is Holger Weihe. I'm working as a sales engineer at One Identity, and I'm going to talk about new features in Safeguard 7.1 and SPS 7.1.1, which is the Safeguard for Privileged Sessions appliance. I'll show you some nice features around remote app launching, credential injection, branding, and some other cool stuff. So stay tuned.
On my screen, you can see a desktop. With that desktop, I'm going to play around in my test environment, which has the necessary features installed. Now the question is, what are these necessary features?
The first thing you need to make the remote app launcher work-- and that's the first topic I want to talk about-- is some kind of infrastructure. So what is this infrastructure? The first thing we need is an RDS system. That stands for Remote Desktop Session. Remote Desktop Session is a Microsoft technology which is usually deployed on a Windows Server.
I'm going to show you how I did this here in my environment. So let's have a look at my server. Let's log in. This is a simple Windows server. I can show you what this is-- well, let's go to the name. You see this is just a simple Windows system, a Windows Server 2019. Nothing special.
What is special here is its configuration. If we want to have a look at that, let's open the Server Manager to see what roles are installed on it. The thing we need is the so-called Remote Desktop Services role. Here it is: Remote Desktop Services. If we click on that, you can see that this is a basic deployment, which has the usual components.
There are two different kinds of deployment you can use this technology for. One is the virtual machine-based desktop deployment, and the other one is the session-based desktop deployment. To work with our remote app launcher-- the remote app launcher, not the desktop launcher, so the remote app launching feature of Safeguard-- we need the session-based desktop deployment only. There's no need to configure both of them. This one will do nicely.
Once you have done this-- and I don't cover this in this video, because it is more or less a basic task-- you simply add these roles to your server, then follow the configuration wizard, and when you have completed all of that, you're going to end up with something similar to this. One important thing: if you want to play around with this, RDS requires a license. The license comes from Microsoft for free for, I think, 180 days. It might be less or more. It depends.
On the other hand, if you want to have it in production, of course you need a valid license for that, just to make that clear. And you see you have this RD Licensing role deployed here as well. This is a requirement. Without a license, it will not work. Here's a test license if you want to try it out, of course.
The important thing here is that you have to configure this session host. On that session host, you have something that's called a collection. Here, I have called the collection Safeguard Remote Apps. In this collection, I have deployed a couple of so-called "remote apps." If you want to add a new program that you want to make accessible to your users, you simply click here on Tasks and click on Publish RemoteApp Programs. Now the system goes out to see what applications are available on this server so it can publish them in that service.
The thing is, we need only one application to be available in the first round, and this is our remote app launcher. The remote app launcher is something you usually don't find in that list of applications, because it is not a standard application. So you have to click on that Add button.
Then you browse to where you have installed the remote app launcher. The remote app launcher usually goes into the Program Files directory under One Identity. There you'll find something that is called Remote App Launcher, and here is the .exe. That is the one that will take care of launching the target applications.
The main job of that launcher is that it pulls parameters from Safeguard for Privileged Passwords and Safeguard for Privileged Sessions and establishes communication between these two, so that you can inject credential information into applications when they start, and maybe additional information that might be required as well.
Where do you get this launcher from? Very easy. You go to support.oneidentity.com, scroll down until you find something like Privileged Access Management, and go for Safeguard for Privileged Sessions. That might take a second.
Select the most recent version. This is in German, because I'm from Germany, so let me switch that to English. It might be more applicable. Oh, come on. Here we go. United States. OK, here we go. So select the most recent version here. In this case, for SPS, this is 7.1.1-- and please, if you start some kind of deployment, always go with the latest versions. For Safeguard for Privileged Passwords, it's currently 7.1 at the time of recording this video.
So again, please check the latest versions and always go for the latest versions. And please have a look at the compatibility requirements as well, because certain versions on the SPS side and on the SPP side have to work together. So please check that out. Usually, the latest versions will do, as long as they are matching versions, like 7.1 with 7.1.1, or 7.2 with 7.2-whatever, but not something like 7.1 with 7.2, which might not be supported. So check the compatibility.
If you click on that and go to the Download Software section further down the screen, you see that you have the remote app launcher software here. If you click on that, you can just download it. You have to log into the support portal with an account. If you don't have one, just create one. Then you can download the software.
This software then goes onto your RDS server, your Windows Server. Once you have installed it over there, it should appear somewhere under Program Files, in the One Identity Remote App Launcher directory. And as we have said, when we publish our applications, we will not publish the target application. We will publish this launcher app instead.
So in this case, click on Next. Now you have this remote app launcher in the list of selected applications. Simply click on Publish. That may take a second. Now it's published. Click on Close. And now you see that you have this entry here. This is the new one. And you see that I have already deployed a couple of applications, just to do this demo with.
You see that it's always the same name. There's only this number in parentheses attached to it. Just remember that name, or this alias, as it is called. That's going to be important later when we configure the appropriate mapping in our Safeguard for Privileged Passwords.
Here you have the published applications. Let's have a look at how this really is configured. For instance, let's go for WinSCP. If you go to Edit Properties, you see that you have a RemoteApp name. That is something you can change if you want. It doesn't matter, but it might be a good idea to have something you can identify by its common name.
The alias cannot be changed. It stays as it is. The RemoteApp program location is the one that you selected when you chose the application to be published, and this is our remote app launcher, of course. You can change the icon if you want, but it's not really important. You can show it in the RD Web Access page. This is the standard launch page of the built-in RDS portal that comes with the Microsoft software.
We will not use that, so just leave it, or click on No. It really doesn't matter, because the users who will later be launching applications will not use that way. Of course, you can call it up, and you will see this application published, but it will not work if you double-click on it, because we launch it in a different way. So if you don't want to confuse your users, simply click on No and it will not be shown. It's up to you. I just leave it at the default. No problem.
For the RemoteApp program folder, you usually do not have to configure anything. The important thing now is the parameters. The parameters consist of the following, and this is about the command syntax of the remote app launcher program. The remote app launcher program that is provided by One Identity has a couple of command line switches.
The important switch, number one, is --command, C-M-D-- so, --cmd. After that, you type in the name of the target application you want to launch. The next one is --args, A-R-G-S. In these args, which stands for arguments, you can specify additional arguments that will be passed to the launched application, your target application.
There are a couple of special things here, because you have some kind of placeholders. These are for the username, the password, and the asset. Those are the three pieces of information that are passed via SPP/SPS to the launcher, and the launcher will then substitute the privileged account, from a Safeguard for Privileged Passwords perspective. That will be the account your application runs with.
And of course you have the password. The password is the password that is injected from SPP. It comes from SPP's vault, so nobody knows it except SPP. And of course you have the asset. The asset is the target system the application wants to connect to, or run on, or however the application interprets this information. So these are placeholders that will be replaced with information coming from SPP.
With that, that's the configuration you need to do-- on the RDS side, of course. Depending on your application, there might be different things that you have to configure. So let's close this for a minute. Because I have said there might be different things you need for different kinds of applications, let's see what the other things are that you may or may not need, depending on what you're trying to achieve.
There is something here like Azure, or-- maybe let's go for the Microsoft SQL Studio first. That's a common database tool. If you look into the properties of that entry, you see that the parameters here-- again, that's something you can have as well-- enable debug.
If you want to see whether everything works fine, the launcher will create a log file where you can see: what's the application? How is it called? What are the parameters? And so on. It's very good for troubleshooting. I left it in here because I did a bit of debugging until this worked. But in production, of course, you may simply remove that.
The rest of it is pretty much the same. You see, OK, there's this cmd switch. Then you have some kind of strangely named .exe file, and you see there is something called AutoIt in it. So this is a program, or some kind of launcher-- a launcher launched by the launcher-- that is implemented using the AutoIt scripting language. And here you have the additional arguments that are then passed to the AutoIt script that is running via this .exe file.
You might say, what, AutoIt? What's AutoIt? Let's have a look at AutoIt. AutoIt is located at autoitscript.com and is public domain software. With it, you can write scripts that can be used for automation processes, and they can talk to Windows software, other software, browsers, and so on, so that you can automate user interaction.
So it is just some kind of robot that may take information, put it into certain fields in your application's dialog boxes, move the mouse, press the button, select selection fields, and so on. All of this can be automated. So it is automated IT.
You need to download that software if you want to utilize it. You can download it here somewhere. Where is it? Here is the download area. You get to that page, and here you can download the latest version. Here, for instance.
And again, please, if something is not working, check here for the latest version, because this may be updated regularly. Of course, IT and other systems are evolving pretty fast, so check regularly for updates. There might be some bugs or something; sometimes it simply breaks when you deploy a new version and nothing works anymore. So you may have to update.
Good. So simply download this AutoIt software, and then you can use it to create your scripts. Then you need to put them on your RDS server, and then you can configure them in the launcher parameters. That's the way it goes. So let's have a look at how this would look.
If I go back here to my system again-- I need to log in; just refresh my page, because I'm using a cloud environment, so it might be a little bit delayed-- and if I go now to my working directory, I have, of course, installed AutoIt. So if I go to the applications here, I have this AutoIt v3, version three. This is the folder where it is located.
Here you have all of the appropriate tools, like the script compiler, the script editor, and so on, that you might need to create your AutoIt scripts. So here I have this folder, AutoIt. And I have something here that is the SQL Studio AutoIt script. Great, I have a script.
Where do I get it? It is not my own. I just pulled it from our website. If you want to do that, just point your browser to github.com/oneidentity and select Safeguard Automation. So this is github.com/oneidentity. That is our main site for our public domain software and all of the stuff we develop and give away for free.
One of the entries you can select here is safeguard session automation. Let's click on it. You see that you have a couple of things here. The important thing for the moment is AutoIt. Here you have a couple of scripts that are already written for various applications, like the SQL Developer or WebSPS, or web_generic. We're going to touch on this later, maybe.
And here is our Microsoft SQL Server Management Studio. You see, this is the script. So simply pull down that script, and then you can just compile it. So in the end, you download that script, put it in here, and then you can use it for SQL Studio.
If you want to compile it, just go to the context menu with a right-click of the mouse and select Compile Script, or compile the script as a 64-bit version or an x86 version, depending on the system you're running on. That is-- sorry-- that is not the same; it's a different .exe that will be produced, but the action to compile it is pretty much the same.
Once you have done that, you end up with something like sqlstudio.exe. I have just renamed it because I have a certain naming schema to know which version I run and when the latest build was. So I just named it this way. You can do it completely differently. It's up to you. I don't care. It's just my approach. If you want to follow it, nice, but you don't have to-- of course not.
And this is the only thing you need for this one. When we go back to the page we were just on, we have something here as well that is called-- here we go-- web_generic. And web_generic is a script that is used to operate on or interact with web pages or web-based applications.
You usually need this to tackle the kind of application that more or less follows a very common format, because, if you just imagine, when you log into a web interface, there are three things you have to do.
The first one is to supply your username or your account. The second thing is that you have to supply some kind of identification information, like a password. The next one is to click on the Next, or Log In, or Submit, or whatever the button is named, to do the login. That's what the script will do for you. For that, it only needs to know the username, the password, and where the button to click is.
This web application script is here, so you can simply download it here. To interact with the web, you need a browser. Unfortunately, there are many browsers out there, and not all browsers work the same way. So to do the communication between your script or your application and the browser, you need some kind of driver for that browser that is able to automate it, to put the information into the right form fields, press the right buttons, and so on.
This driver is available for various browsers. And of course you have to download them, and you have to look at whatever other supporting systems, tools, or packages you need to put this all together. So if you have a look at this page, you see that, first, you have this web driver folder here, which holds some scripts and some other stuff that you might need to run these AutoIt scripts.
This is something we have collected, but it might not be up to date. You see, this is from about eight months ago. Some packages are pretty old-- or the scripts are pretty old. The other ones, like the drivers, are changing very fast. So I would absolutely recommend that you go out to the web and build your own list of the things you need.
If you want to know where these are located, just go back to this page, web_generic, and scroll down a little bit. You see there is a wiki entry here on the AutoIt script page. If you click on that, it takes you to this web driver page.
If you scroll down a little bit, you see there is a Requirements section. If you want to make everything more or less up to date, go to the appropriate links here-- or maybe this one as well-- and download the packages. Extract everything that's in these packages and put it all together in a directory.
The name of the directory is usually web driver. The web driver name comes from the scripts you want to compile. So let's see where this web driver name comes from, because you might say, OK, I can name it whatever I want.
Yes, you can, but then you need to change the scripts, because if you go to the system here and look into this web_generic script, for instance, and just edit it, you see that there is an include statement in there, and it references this web driver directory. So if you want to install it in a different location, you may have to change these include statements in the scripts that we have provided. If you don't want to deal with that, just name the directory web driver. That's all.
Once this is done, you can compile this in the same way, with a right-click and Compile Script, with whatever options you want. Then you have the SQL Studio file and the web_generic file. Once these have been compiled, I take them to my RDS server and put them in a directory. I placed them under Program Files, where I created a directory called Auto Logon.
In Auto Logon, I have collected all of my compiled scripts and the stuff I have made available here. You see, there is this web generic AutoIt. There is this SQL Studio AutoIt. And there are a couple of other ones that I will show you in a minute.
Once this is done, you can go back to the Safeguard Remote Apps collection management, and then you specify it here, where this --cmd switch for the launcher is, so that you reference the appropriate .exe file that you want to launch. Then you have to add the appropriate arguments over there.
How this really looks can sometimes be a real pain, because you may have to check out the menus of these applications. Sometimes applications do not support passing password information via a command line switch. Then you have to do some kind of interface or form injection into the application, where you have to do advanced scripting, and so on.
That can take a little time, and it can be very nice work to do, but it can be a very tricky one as well. So if you want to go for it, go for it. Otherwise, you cannot launch it. So sometimes you have to do it. It really depends on what type of mechanism you want to use. The first one I just talked about is AutoIt. That's a pretty common thing.
The other one is that you can write your own launcher that makes use of whatever technology you want or need to launch your application. You can write it in the programming language of your personal choice. It's up to you. We don't care. So we are using AutoIt, and we are using something like Go, which I'm going to show you in a second.
The next thing we're going to see is the Go thing. Here on my system, I have other things like Go, and I have my stuff here. And I have a generic one as well, a generic launcher program written in the programming language Go. If I just open that-- that may take a second. OK, come on. Always the same. Here we go.
It looks pretty much the same. You see, in this case, it uses the Chrome browser. It uses this package. If you specify it in this way, it will download the latest version directly from GitHub when it compiles. So you don't need to update; it will automatically reach out for the latest version.
If you want to make it available offline, you may have to download it and reference it with some kind of include statement, or make it available as a pre-compiled package. I'm not the greatest expert in Go and program development, so I think you're more experienced than me in this case. You know what to do.
Then we have some stuff here that sets a couple of switches on the browser, to restrict it, to accept things, and so on. The real magic is here at the lower end. Here you see something like running login actions. As I said, a generic web application usually has three actions: specify the account, specify the password or your credentials, and then submit, by clicking on the Log In button.
And this is exactly what is done here. You navigate to your URL. That means you open the browser at your target URL, where your web application sits. Then you sleep a little bit. This may be important, because browsers might have something like robot protection. If you type too fast, browsers may refuse, because they might think, oh, there's a robot talking to me, they are using scripting, or making bad things-- no, no, no, I will not do that. So you have to test that.
Once you have waited, you send in the keys for the account, you send in the keys for the password, and then you click on the Submit button. That's all that is done with these three statements here, with the appropriate little delays between them. So it's: enter the account, wait a few milliseconds, enter the password, wait a few milliseconds, and then click on the Submit button. That's the action that is initiated in that script.
The tricky thing is, how does this program know which form field, which button, which element, to tackle? This is, again, something you need to specify when you call that script. Let's have a look at these special scripts here, like web_generic, or something like the Azure one, which is a little bit more advanced, because it does a little bit more clicking and tracking.
If you go back to our system and go for this Azure thing here, for instance, and go to Edit Properties and select the Parameters, everything else is the same as usual. It's only the parameters that make it really different. You see, this is a much, much longer command line.
You see, this is enabled, but we have seen this already. This is the cmd. That's the Azure launcher stuff compiled from these sources. Again, it's up to you how you implement that; if you use the generic AutoIt, it does pretty much the same thing.
Here you have the arguments. Of course, these arguments are specific to this Azure stuff we are using here for this personal launcher. You see, there's something like incognito, which fires up an incognito window in the browser; it sets the account based on the username that is passed in via Safeguard for Privileged Passwords; and it uses the password information that comes via the remote app launcher.
And here is something that is pretty important. It says account selector, hash, I0116. Great. What is this number? This is more or less an identifier in the web UI that references the appropriate field. If you don't know it, how do you get it? There are two ways.
The first is, if you go back to the automation page on the One Identity site, go back from the AutoIt folder one step up to the Safeguard automation page, and you see there's something here called OI-ST_RemoteApp_Publisher.
That is a script that helps you publish your own applications from a CSV file, so that you don't have to type in all of this stuff and select all of these boxes in the remote app collection that I have shown you before. It is just to automate things, and you can set a nice icon for it, and so on. So thanks and kudos to my colleague Victor, who has written that script. It's a nice thing.
There is an example here in this app.csv. If you have a look at this and look for this Azure thing, you see that the appropriate IDs are already in here, like I0116, I0118, idSIButton9, and so on. So if you don't know what to do, just take it from here. But of course, I'm going to show you where this all really comes from.
If you want to configure your own applications and don't know where to go, let me show you how this works. For instance, because we are just talking about Azure, so that you can reproduce it, we simply log on to Azure. So we target the standard Azure [INAUDIBLE] portal.azure.com.
Again, this is a problem here because I was already logged on. So let's go for the internal one, because this was my office PC I was just launching this from. Let's make this a little bit smaller, hide it-- hide this as well-- and start the browser from my test system in my cloud environment. There's already one open. There we go.
Now, if we go to portal.azure.com-- if we type it in the right way-- here we go. It doesn't matter; let's just say Use another account. So this is the standard login page of Azure, or of any other web application you want to configure.
If you want to know what these numbers are, you right-click in the browser and click on Inspect, or switch to developer mode-- it's the same-- and click here on this little "select an element in the page to inspect it" tool, and then click on, or just move the mouse to, here. In that popup you see that this is input #I0116.form-control, whatever. That is where the number comes from.
And so you see that here, the Next button is idSIButton9. With all of that, you collect all of the information you need. So for every field in these forms, and every button you want to click, just inspect it to get the ID. Then you write your script. If you want to instruct your script to press the appropriate buttons or fill in the information in the appropriate fields, you can just reference these IDs. Straightforward, very easy.
That's exactly what I did when I was writing my stuff here. Here I have the I0116. That is the account selector. The password selector, which shows up on the next page, if you remember the login process, is I0118. And the submit selector is always the same; it's the same in both dialogs. It's idSIButton9. Of course, this is just for this web page. For any other web page, it is completely different. But you should not have expected anything different.
And of course, the last one here, you have to specify the URL you want to target. In this case, this is Assets, and the asset then comes from SPS as well. So that is everything you need on the RDS side, on your Windows Server that is launching your remote apps, plus the appropriate software to configure and compile your AutoIt scripts or write your own launcher applications, whatever you call them.
This is the one side. And now, let's go to the other side. And the other side, of course, is Safeguard-- not surprisingly, Safeguard. So let's have a look on Safeguard. So here we go. Ooh, didn't I tell you that we have a little bit of-- what's it called-- branding?
So Safeguard 7.1 is supporting branding, and you can put in your own branding to it. I think that's a nice feature. I would just switch it off in a minute, just not to confuse you, because this might not look familiar to you because we may have never seen similar like that. But we can do, so we now can do stuff here like that.
So let's first look in with some kind of administrative user to Safeguard and give it the password. And the first thing I'm going to do is switch off the branding. So say goodbye to little propeller. And we have to go to Appliance Management, we have to go to Safeguard Access. And you see here that it's branding. Yeah. We heard you. We heard you.
So simply go to here, and there should be something like Reset Branding. Here it is. Just select Branding Safeguard. Click on Save. Click on Yes. Log out again. And here we go, back to the old familiar blue and white stuff. So let's get back to it again. And let's see what we can do.
As I said, you need standard things. You need, of course-- what do you need when you configure Safeguard? Users, assets, accounts, entitlements, access request policies. That are the major building blocks. So the first thing, we're going to go for asset management, and we're going to go for assets.
Of course, I have something like Azure here in my asset list. And you see this is an asset which is built from the appropriate service using Starling or cloud environment that you can configure here in Safeguard. So you have a connection to it. And this is the-- you have something like here, like a registered connector, that you need to configure installing.
I will just note that you have to read the manual to configure that. So I will not go into the details on how to configure the integration of Starling in Active Directory, or Azure Directory here, in particular, via the Starling cloud service, because that might be too long here.
And of course, once this is done, you have something like accounts. And I have two accounts here configured in my system. One is HenriettaM@pandorasbox. This is my domain on the Azure one. And the other one is resilient user. And you see this has no password currently set, so it will not be available for selection if you haven't set a password or in Safeguard for this a very nice common error.
But I will not play around with that. So in this case, I'll just leave it as it is. It will not hurt. But you cannot select it because it will not show up. So this is my Azure target with an Azure account. The next one I have here is SQL. So if we go for my assets here, that is more or less SQL-related. You can see-- I just have selected something. So this little exclamation mark shows that you have a selection pending on one of the other dialog boxes. So if you just want to clear it, you just click on this little Clear Selection, because you usually cannot select multiple things when you're configuring stuff.
So here, you have a Microsoft SQL Paradise, blah-blah. This is my server here. That is my Paradise server, which is acting as my RDS system, as well. But it has Microsoft SQL Server installed as well. It's just some kind of multipurpose server.
And of course, I have this asset defined. And the asset, of course, because it's a Microsoft SQL database, it is of type SQL server. It is a supported access type. And then you have to fill in the appropriate information, like an account name, to manage all of this stuff and whatever you need to do this.
And of course, I have configured a couple of accounts here. You see, I have my functional account to manage my asset. I have the standard database, super-duper, built-in administrator as a-- of course, this is just the demo environment. You might have already deleted, renamed, or whatever-- done with that.
I have two accounts here in my database server that is ms-sql-account and [INAUDIBLE] msdbadmin. And if I would look into the database here-- let's call out for the Microsoft Management Studio. And of course, we're going to select SA here. And I know the password of SA. Maybe I don't. I'll just type it in in the right way. Here we go.
And you're going to see that if I go to my security settings and go to logins, I have the Safeguard MSSQL. I have the SA. I have the MSSQL-account and I have my msdbadmin. These are local accounts in my database. And these local accounts in the database are going to log in via the remote app launcher.
This is some standard setup of Microsoft SQL asset-type stuff. And let's just look out from here and go back to our configuration. So again, these are the accounts I have just shown to you, so nothing special. And of course, I have some kind of third one. I have something like FTP, SFTP, that I have configured as well. This is it's an asset. It's not an account. It doesn't matter.
I have SCP configured as well. I'm going to use this here on my Linux system. This is called almamater. And I have a third stuff that is the SPS itself, because SPS itself is a target. It's a web-based application, if you look to it. And we have some kind of SPS AutoIt file or a Go file for this as well.
So we can just instrument or automate or robotize logging into SPS via an account that is managed in SPP. Cool. So you don't need to know the master account of SPS anymore. You can simply request it from SPP and launch in via remote app launcher via browser automatically with the password and the account name injected. That sounds cool. You're going to see it later.
Let me see if I have SPS here. Actually, here is the-- those are different ones. OK. So we have now configured the account, the assets, and of course, we need to have some kind of accounts, like the admin accounts, and the user accounts, and whatever accounts you need, like my FTP user that is my user for the WinSCP automation. I have a couple of other things that are of no importance, because this is just my demo environment. I'm just playing around for lots of customers' demos, so it has lots of information here in it.
But one thing is important. And there is one thing that is called, here, remote app launcher. A remote app launcher is an account on the RDS server machine. And this is used to log in to this remote app launch machine to be able to launch the remote app launcher and the appropriate applications.
So it is just an account that is managed in the same way that is able to log in via a controlled remote RDP session to that server. Nothing special. It is just a standard use case, out of the box working. Nothing special. We are going to see how this all links together.
And the other one-- we're going to see how this really is configured. So we have assets. We have accounts. Next thing is, we have to have entitlements. And of course, we have to have users. So users, usually, are the usual suspects that log into the Safeguard system to do some requesting, whatever it is in your environment.
I have one user coming from my Active Directory that is linked in here that is called requester. We're going to see later. The one thing we're going to go here is, on the security policy management to have a look into the entitlements. So the entitlements we have is, oh, not surprisingly, remote app launcher. That is the name I chose for this entitlement.
And if I look into the entitlement-- and you know an entitlement is just a container of access request policies-- you're going to find access request policies. Some kind of basic information, and here are my access request policies. And I have just created one access request policy per application I'm going to launch. This is something how I did it. You can do different. It really doesn't matter.
That is how I did it. I find it more intuitive that I have one access request policy per application so that I can just assign users, assign groups, assign accounts to it so that makes it much easier, in my understanding, to manage it. But you may think differently, which is absolutely fine. But this is just how to say [INAUDIBLE] or I think I just did it my way. Good.
So let's see. Let's see, for instance, for the SCP, we have just talked about a little bit. So if I look onto that, you're going to see-- and this might be something that is special to the configuration based on the thing you might know. So usually, you give it a name and you make a description here.
Priority is the usual thing. And the request policy type-- and this is important. It must be session. When you want to launch a remote app-based session, it must be a remote app launcher-based application. It must be a session request, not a password request-- a session request.
And if you select Session, you have this new session type here that is RDP application. And you need to select both Session and RDP Application. That is important. I come back to the SPP-- sorry, to the SPS, to the Safeguard for session configuration-- in a minute, because this is the last building block we need to tackle as well.
So this is the selection session RDP application. And the security settings here require a couple of things over there if you need them. So I just played around not changing my passwords. I just want to make it injected so that I can maybe verify, log in later, and if it all works, I may turn on password rotation based-- if this is a supported asset you can rotate passwords for. Depends what it is.
So the connection policy-- and you know this comes from the Safeguard for Privileged Sessions thing-- is Safeguard_RDP. And Safeguard_RDP is the default connection policy that is created when you join SPS and SPP. I didn't change anything on that. It's just default.
So if you join SPP and SPS, you will get these policies created, and then you can instantly continue to configure the remote app launcher without changing everything-- anything. Isn't that cool? It is indeed.
So the next thing you need is, you need to specify, where is your RDS host? And of course, it needs to come from your assets. So if you click on Browse, you of course get all of the Windows-related stuff here that are on your assets list. And here, I have a couple of them. But the only one I'm interested in is this one, the Paradise, oneidentity.demo, which was already selected here.
Require host account. Again, this is the one that is used to log into this RDP host asset that is specified in the line above. And this is my account. And this account is absolutely managed by Safeguard, and the password is constantly rotated, as it is the usual way of doing.
So it is just some kind of working account or launcher-related account that is managed and handled by Safeguard. There is no intention that the humans will log into it. You can, of course if you just mangle the password as an admin. But we don't care. In the normal operation, this is the one Safeguard will use to log into the RDS server to do the launching, full stop. Nothing more, nothing less. Straightforward, very easy.
You give it some kind of display name. The display name is just the name that is displayed when you are launching the remote app, because you will see a little icon, and that is the name that will be shown on that icon. So you may give it a nice name that you can recognize that you just find the right application. Otherwise, it can do anything. But it's the only thing that is useful.
And then you have to select the Use Application Alias. And in this line-- and don't ask me that. I have not played around with the use application path and command line. I don't know if it is already supported or it's just built for the future release. I did not know that. I have not tested it, but I will do, of course. And maybe I'm going to talk about that later.
Here, you have OI-SG_RemoteApp_Launcher(1). And that might look familiar to you, because if you look back to your RDS host, you're going to see this here is the appropriate alias setting here in your remote app collection on your RDS host.
And this must be exactly the same. If you do a typo, it will fail. It will just pop up in a window, and then the window will close, and nothing will be seen. And if you experience that, this is usually something you misconfigured in your settings here on the SPP.
And of course, there's an important thing as well. You have these two pipe characters. This must be two pipe characters-- like a bar. That must be the two first characters in that line. If you don't use that, it will not work. That is based on the remote app launcher behavior. So just believe me just that is the way you need to configure that.
And once you have done this, the only missing part here, now, is that you need to tell Safeguard which account it should handle in that policy. And of course, this is configured in the scope. And you see that I have, for this FTP access, I have my FTP user account here selected that lives on my Unix system that was called almamater. You see here, almamater is the parent of that account. That is the asset where this account lives on.
And it has a password. Of course, this password is constantly rotating or not rotating depending on your policy. Doesn't matter. And that is the thing you need to configure. So once you have done this, I just have to save that, because I have just changed the description. So just give it a Close and Save and Save and Close. That's important, to do it twice. Otherwise, it will be lost. Good.
So you have your remote app launcher policy edited. Here we go. And here, you can have a look on all of the other ones as well. But if you look on the other ones, like this one here, it's just a different name. It's the same. It's definitely-- it's pretty much identical, except that you have to have the right alias selected, because otherwise, it will call the wrong application. That's the only difference. And this is how you configure your remote apps that you will be launching.
Wasn't that easy? It was. So we have RDS. We have set up our remote apps that we have published. We have installed our launcher scripts that we need and compiled them. We have installed our SPP configuration. So what's missing? SPS. Let's have a look into SPS.
So if you look into SPS-- and of course, I could do this with my remote app launcher if I want to, of course. But I know it, of course, because it's a demo environment. So this is version 7.1.1, the latest one. Again, always use the latest one.
And if you just look on the RDP-- because the RDP is the only interesting thing at the moment if you do a remote app launching. It's not SSH. It's nothing else. It's just RDP, nothing else. So here, you need to go to RDP control, and you need to go to Connections. I have a lot of more other connections, but you see, I only have selected one thing here. That is the Safeguard_RDP, which is the default one. This, as I have said, is generated automatically when you join SPS and SPP.
If we just have a look into that, that is the usual one. So it says get any traffic that hits you on port 3389. Inbound destination allows reaching any target via port 3389. Of course, you may want to restrict that. That is an option that you can do that you can only-- whatever-- jump to or connect to different hosts.
So maybe you're simply put in the RDS server here as the only available target, or a list of RDS servers that you want to use so that you cannot do this island-hopping stuff here to somewhere. But of course, this would always be dictated by your security policy and your entitlements. And if you only have remote apps assigned to a user, there is nothing much to do.
Just don't forget to assign the users to the entitlements. So that is, of course, one thing we did not do. So just let me hop on in quickly. So of course, if you have configured your remote-- your entitlement, you just need to specify, what are the users that are assigned to this entitlement, so that they can execute access as dictated in your access request policies. And this is something like my requester user and my demo users. That's just the thing. Just not to skip that. OK, good. Back to SPS.
And you see, I have just defined a target DNS server, because I run my own DNS server here in my environment. I would always recommend to do that if it's possible. Otherwise, if you have a corporate one and you have all of the appropriate DNS entries as the A or CNAME records or whatever stuff you require-- and of course, with the appropriate PTR records.
So if you want to make your life easier, please always, always, if you generate a DNS record, put the appropriate PTR record into it. Otherwise, it may lead to problems. As I usually say in my bootcamps that I'm giving, if you do not do your DNS right, you're going to be in big, big trouble. And 95% of problems in customer environments I see is DNS problems.
And both products, SPP and SPS, are relying heavily on DNS. So please, please, do it right. Make it correct. Make it run. Make it complete. Otherwise, it will behave unexpectedly. OK, stop that. Good.
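The forward/reverse DNS check recommended above, written out as an added Python example (it is not part of the video or of either product). It takes a list of host names, resolves each to an address, resolves the address back, and reports any host whose A and PTR records disagree. The host names and the address map used for the offline run are constructed sample data; the resolver functions are injectable so the same check can be run against the real resolver by calling it with the defaults.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed lab host names for illustration (not taken from a real environment).
LAB_HOSTS = ["paradise.oneidentity.demo", "almamater.oneidentity.demo"]


def os_forward(name: str) -> Optional[str]:
    """A-record lookup through the operating system resolver."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # gaierror and herror are OSError subclasses
        return None


def os_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the operating system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def _norm(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_dns_consistency(
    hostnames: List[str],
    forward: Callable[[str], Optional[str]] = os_forward,
    reverse: Callable[[str], Optional[str]] = os_reverse,
) -> Dict[str, str]:
    """Map each host name to 'ok' or to the reason its A/PTR pair is broken."""
    report: Dict[str, str] = {}
    for host in hostnames:
        ip = forward(host)
        if ip is None:
            report[host] = "no A record"
            continue
        ptr = reverse(ip)
        if ptr is None:
            report[host] = f"no PTR record for {ip}"
        elif _norm(ptr) != _norm(host):
            report[host] = f"PTR mismatch: {ip} resolves back to {ptr}"
        else:
            report[host] = "ok"
    return report


if __name__ == "__main__":
    # Live run against the OS resolver; every line should read 'ok' before
    # joining SPP and SPS or configuring RDS hosts.
    for host, verdict in check_dns_consistency(LAB_HOSTS).items():
        print(f"{host}: {verdict}")
```

Run it on the SPP/SPS appliances' view of the network (the same resolver they are configured to use), not only on your workstation, since a split-horizon setup can make the two disagree.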
So next one is on the transport security layers, like encryption, because it's an RDP thing that encrypts traffic. And maybe just one thing. You will not see a kind of certificate warnings when I use this stuff, because I have my CA configured and I have the appropriate certificates installed everywhere.
If you are doing this on a-- just for a demo, or maybe just for gaining knowledge and just studying and playing around with that and you do not have the appropriate certificates installed here, it might lead to the behavior that any time you're starting some kind of connections, you will get this certificate warnings popping up. So if you want to get rid of that, get your CA right and put the appropriate certificates in the right places.
And then I have just selected Enable Indexing. Enable Indexing, of course, means that you can record it. And of course, we want to record it. We want to see what the people are doing. And I'm going to show you this later as well. And the other ones are Safeguard default everywhere. That's all. Nothing here.
Maybe just one small note to people coming from version 6. In version 6, you have usually selected this AA plugin. The AA plugin now, in version 7, is included by default. So you do not need to specify it any more. So if you're just wondering, what's going on there as the AA plugin? You don't need it anymore. It is already always enabled by default. And if you enable it, it will give you a warning.
And the other ones are the usual ones. And that's the thing you need to configure. Maybe check this after the default policy is created, because one of the switches that is not enabled by default is indexing. So you will have no recording on that. Not a problem, but it might not be required. Depends on you.
This is the SPS site. And maybe if you want to look in the-- one thing. Just one thing. But that's not me. That's a different guy. If you go to channel policies-- and you see I have a channel policy here, so you've got default. Because this might be looking different compared to version 6. I hope it's--it should be.
So if you look to the channel policy and go to Safeguard default, you're going to see that it has, here, the drawing channel. That is something you need, of course. Otherwise, if you don't enable it, you will not see something on the screen, because it will not-- it cannot display a picture if you don't enable that.
You have, here, a dynamic virtual channel. And that is a channel you need to put into this policy if you do it manually, because this is used for communication between Safeguard and the launcher. If you don't enable this, it will not work.
And you have a custom channel here. And the custom channel has these permitted channels, as well, like rail, rail_ri, and rail_wi. This is the standard thing you need to configure when you are using your remote apps. In the version 6, you had to configure this manually. In version 7, this is all put in when you create these default policies. So it's all set up right for you. But give it a check.
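A preflight check for the SPP and SPS settings called out above (request type, session type, the "||" alias prefix and its exact match against the RemoteApp collection, and the drawing, dynamic virtual and rail channels), written as an added Python example rather than anything shipped with Safeguard. The dictionaries stand in for values you would read off the SPP access request policy, the RDS RemoteApp collection and the SPS channel policy; their field names and the sample values are constructed for this illustration, except the alias OI-SG_RemoteApp_Launcher(1) and the channel names, which appear in the video.

```python
from typing import Dict, List, Sequence

# Permitted channels the custom channel entry must carry for RemoteApp sessions.
REQUIRED_RAIL_CHANNELS = {"rail", "rail_ri", "rail_wi"}


def preflight_remote_app_policy(
    policy: Dict[str, str],
    published_aliases: Sequence[str],
    channel_policy: dict,
) -> List[str]:
    """Return the list of misconfigurations found (empty means the policy looks right)."""
    problems: List[str] = []

    # Remote app launching needs a session request of type RDP Application.
    if policy.get("request_type") != "Session":
        problems.append("request policy type must be 'Session', not a password request")
    if policy.get("session_type") != "RDP Application":
        problems.append("session type must be 'RDP Application'")

    # The alias line must start with two pipes and then match the RDS alias exactly;
    # a typo here is what produces the window that opens and immediately closes.
    alias = policy.get("application_alias", "")
    if not alias.startswith("||"):
        problems.append("application alias must start with two pipe characters '||'")
    else:
        name = alias[2:]
        if name not in published_aliases:
            near = [a for a in published_aliases if a.strip().lower() == name.strip().lower()]
            hint = f" (did you mean {near[0]!r}? the match is exact)" if near else ""
            problems.append(f"alias {name!r} is not published in the RemoteApp collection{hint}")

    # SPS channel policy: drawing for the picture, dynamic virtual channel for the
    # launcher, and the rail channels in the custom channel entry.
    channels = channel_policy.get("channels", {})
    if not channels.get("drawing"):
        problems.append("channel policy must allow the drawing channel or nothing is displayed")
    if not channels.get("dynamic_virtual_channel"):
        problems.append("channel policy must allow the dynamic virtual channel used by the launcher")
    missing = REQUIRED_RAIL_CHANNELS - set(channel_policy.get("custom_permitted_channels", []))
    if missing:
        problems.append("custom channel is missing permitted channels: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample data modelled on the values shown in the video.
PUBLISHED_ALIASES = ["OI-SG_RemoteApp_Launcher(1)"]

GOOD_POLICY = {
    "request_type": "Session",
    "session_type": "RDP Application",
    "application_alias": "||OI-SG_RemoteApp_Launcher(1)",
}
TYPO_POLICY = dict(GOOD_POLICY, application_alias="||oi-sg_remoteapp_launcher(1)")
NO_PIPES_POLICY = dict(GOOD_POLICY, application_alias="OI-SG_RemoteApp_Launcher(1)")

DEFAULT_CHANNEL_POLICY = {
    "channels": {"drawing": True, "dynamic_virtual_channel": True},
    "custom_permitted_channels": ["rail", "rail_ri", "rail_wi"],
}
# Resembles a hand-made version 6 policy that never received the newer channels.
LEGACY_CHANNEL_POLICY = {
    "channels": {"drawing": True, "dynamic_virtual_channel": False},
    "custom_permitted_channels": ["rail"],
}

if __name__ == "__main__":
    for label, pol, chan in [
        ("good", GOOD_POLICY, DEFAULT_CHANNEL_POLICY),
        ("typo", TYPO_POLICY, DEFAULT_CHANNEL_POLICY),
        ("no pipes", NO_PIPES_POLICY, DEFAULT_CHANNEL_POLICY),
        ("legacy channels", GOOD_POLICY, LEGACY_CHANNEL_POLICY),
    ]:
        print(label, preflight_remote_app_policy(pol, PUBLISHED_ALIASES, chan) or "ok")
```

The alias comparison is deliberately case-sensitive and whitespace-sensitive, mirroring the exact-match behaviour described above; the case-insensitive lookup only feeds the hint text so the typo is easy to spot.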
Good. And with that, we are ready to launch. So let's go to the launchpad, or let's go to Cape Canaveral. OK, so here we go. So let's go with that one. It doesn't matter which browser you are using here for doing the access, because when you remember, when we're using web applications, we have the launcher. And the launcher can be instructed via the scripts that it is launching that will launch the target application. You're still with me? OK, great.
These scripts will dictate which browser will be used, or which web browser is to be used. And this will launch the appropriate browser. The appropriate web driver is to be used, will launch the appropriate driver-- web browser. Gosh. That is the way.
And so let's go back to our SPP portal and log in with some kind of user. I'm just using somebody who's called requester. And the requester is giving in the password. Here we go. And I still have a couple of stuff here. I just want to make that go.
So going back to my home page screen, that is the standard home page, of course. I have just modified this a little bit, and I have a couple of bookmarks and favorites here that I just have configured just to make my life easier. So if I go to my requests, I'm going to have this nice little row of favorites, something you can use, something you don't need to use. It is just a very nice and easy way to make life easier.
So let's start with the FTP service one. So simply click on that. And when I click on that, you're going to see that I am requesting the FTP user. On my Unix item-- or asset, in this case-- almamater, and this is the request type RDP application as we have configured it in the entitlements and the appropriate access request policy.
So let's submit the request, and it will show up here in our list. And it will show us, here, these RDP sessions. And this brings me to another point. You can use your Microsoft terminal services client if you want, but we are using something here that is our launch system that is called Scalus.
Scalus is some kind of launcher system. Lots of launchers here. In this case, more technically spoken, it is a protocol handler for something-- for a URL that is specifying the RDP protocol. And we have something here, of course-- where else? In github.com/oneidentity.
And you can go down here to see Scalus session launcher. And if you download, here, the latest version and install it, just take a read here over there, you will find it on your client machine, in this case, my Windows 10 system. And I have it here on-- where is it? Have it here on-- here it is, Scalus. Here, Scalus.
And there's something called Scalus UI. That's the user interface to configure it. And if you want to use Scalus to do this remote app launching, then you can just go to the configuration page. And you need to configure the RDP and register-- you see, I'm not a native English or American language speaker.
If you have-- if you want to use or make use of Scalus, you simply can select this Windows RDP client with program template, because it then will generate a template, and that template is used to configure the Microsoft Windows terminal services client in the appropriate way.
And then you need to click on this button until it has this checkmark here so that this protocol is registered. And this will instruct the operating system that any time some kind of URL is passed to the operating system, like whatever //rdp, colon, whatever, will be then handed over to this registered protocol handler. In this case, it will be handled by Scalus.
So when I just click on this button, you're going to see Windows launching in the background. That is Scalus. And then Scalus will do the rest for you, just not to miss that. So I just need to close that.
So now, let's start with the fun. Here, click on Start RDP Session. And you see session is launched. It may take a minute until it comes up. And now, it's starting your app. The window before was Scalus. And now, you see it coming up here, and you see I'm logged in into the WinSCP. And the WinSCP, now, is running on my RDS server. You can see that, of course, if you just go for the SPS.
Let's have a look into it. You're going to see that you have an active connection. It is an RDP connection. Yes, that's what we want. And you see the user that is doing this session is the remote app launcher. That is my account that I was using to hop over to the RDS system to do the appropriate launching. And you see that the user who has initiated that session is the requester.
And of course, because this is now a session through SPS and I have switched on the indexing, I will have a recording. We're going to check this in a minute just to show you that. And now, you can go to here, can whatever, go to pass here over there. And of course, you can hopefully-- first time I tested that. Maybe we can just move over a little data. Nothing here.
User remote app launcher has nothing special here on data, because, you see, that's important to know as well. This is my user-- that is my home directory I'm logged in with. And you see, this is user's remote app launcher because I'm logged in as the remote app launcher user on this RDS server. So everything here runs under this [INAUDIBLE] app launcher user that is used by Safeguard to initiate the session.
So anything that, maybe, if you use a browser or something, or do an application, anything that you download in that remote app session goes to the user Directory on this RDS server of that user-- something like that. So just, too, important to know.
So in this case, I'll just close this here and leave my RDS-- leave my WinSCP that I was launching. This is just a redraw that will disappear over time, or just in the redraw. And here, I can now close the session, and now, my access is over.
Is this different to the ones you are doing? A little bit, maybe. But you're requesting itself, and all of this stuff that is doing here is always the same as usual. And just to show you that, if you want to go for this-- maybe, for this SQL stuff, like my Microsoft videos for my Microsoft studio, click on that.
And you see, I'm now requesting the account msdbadmin on my ms-sql-paradise as an RDP application type. And if I click on the Submit, same thing happens. If I click on the Start button here, Scalus comes up. Then the remote app is launched, then the remote app starts. Here's the remote app. And here, I am now logged in automatically with-- in this case, it was an AutoIt script-- to my database server.
And you see, I'm logged in as-- whatever-- can I see that somewhere? Doesn't matter. So I'm logged into this ms-sql database. I can just browse here if I want, go to the database, go to my model, whatever, go to the tables. Go to this one, this one here, whatever. Whatever it is here, I have no clue. I'm not a database guy.
Now, you can just go around whatever tables. Here we go. Here, we have something. Columns-- something here. Whatever. Just give it a full screen, and then you can just do whatever you want in that database server here. Who knows?
That is the database server login. And then just go to exit. And of course, if I just want to do it again, I simply click on the Start RDP Session again, or when this is just hover-- and just might happen, because the remote connection, then, is broken. When we close the sessions, then we may just click on the same button again, because now, then, we can request it again. And depending on your access request policies, the password will get changed, and so on and so on and so on.
Same goes, maybe, for this one. This is a different database tool. Same thing, just a different account. Start the RDP session. Scalus comes up. Here is the application, starts up, and here is the interface. Logged in automatically with passwords and accounts injected via the appropriate scripts and launcher programs. Straightforward, very easy.
So let's request it again. OK, that should be the one. henriettam@pandorasbox.microsoft.com. That is my account, and it should be going to portal.azure.com. So let's see where it goes. That's Azure. Now, it works. It presses the buttons. And now, this is triggered by my Azure account settings. [DING] You just hear the ping that is from my authenticator app. And I just can prove that. And I'm logged in.
So that depends, really, on the application here on that web page. So if you have this 2FA enabled, you may have to do this manually, because it might not be applicable that you just robotize entering some kind of one-time or multi-factor authentication into it, or you simply have to disable multifactor authentication here when you log in, just to avoid that.
But this really depends on your website and the authentication schema that sits on it. But you see, it works for this as well. And don't ask me why that didn't work before. Maybe I just clicked on the wrong button somewhere, or the wrong entry. I have no clue. Good. So let's just close this here and close this request again.
And maybe just one thing I want to show you is about the SPS. Of course, we can use SPS as well, because SPS is our web interface as well. So if we just request my SPS with the admin account, then just click on the Submit and click on the Start [INAUDIBLE], and again, the same thing happens. SPS web log in, calls the browser. Here we are. Admin, password, and boom, you're logged in. Straightforward, very easy.
So we can just look out here. Nothing special. And of course, I don't know the password in this case. And if the password would get rotated, everything would be secure. There's a custom system script available, or at least internally, that is able to rotate the password of the SPS via some kind of API calls. But I'm going to tackle this in a different video. So stay tuned. Good.
With that, I hope you will find anything that you need to configure this stuff. If not, just try it out. Do some research. But just not forget the recording features I've just promised. So let's have a look on SPS. So we can use, of course, the same thing again. But let's [INAUDIBLE] just out of that.
So log into SPS with the admin. And you're going to see something here. Come on. Here we go. So let's go to the Search interface. And you see you have the requester as remote app. You have the requester, Henrietta. You have the request for stuff here-- requester for app m and so on and so on.
Everything is recorded here. So let's see what these things are. So let's maybe look here. And you're going to see what has happened. You have the remote app launcher. You have to log into the Safeguard privileged, and so on and so on. Let's see what we have here.
Nice things that they have-- that it has discovered here. It is just a standard stuff that you have that you already know if you are familiar with SPS, just the capability to do some kind of screenshotting. You have, here, the appropriate details. You have the timeline view here. When you click on the recorded events, you can just generate some kind of screenshots that show you everything that goes.
And of course, because I have switched on the indexing, I can do some kind of video playback. So let's see. So what's going on? It's launching something. And here is the browser, and I'm logged in. And that was the thing that was our latest session that we have just seen before. Just logging into the SPS.
So again, the same thing. So if I go back to my search results and go maybe a little bit more down below, like maybe this one here, and Safeguard for privileged whatever. And it's a little bit much more here. So let's see what this was. That's why we have this video for. And go for the video.
And see this is a Windows-based, again, launcher launch. It's mostly SPS session as well. Maybe it was one of my testing things. So let's close this and let's go back to our search results. Let's maybe go back to something like here. This one might be nice. That's more like it. That's something like Azure, it looks like. Here we go.
That's the Azure login. And you see everything that happened on the screen, as you have seen in the video already-- or in the recording-- that is just a normal thing, as expected. And that is a good feature, as well, because now, you have the capability that you can record this stuff with the RDP recording feature of Safeguard SPS, and you don't have to, whatever, go to something fishy like HTTPS recording decoding re-rendering or whatever you can think of. It is just, now, coming via a remote app, and the remote app is transported via RDP, so it can work.
So that concludes my little video here today. I hope you have enjoyed it and you find it useful and have found a couple of information you can use. Otherwise, just reach out to us. We're here to help. And now, it's just on me just to say thank you very much for listening, and again, have a good day and see you in my next video. Thank you. Bye-bye.
[MUSIC PLAYING]