
Privileged Access Management

Give administrators and vendors browser-based RDP, SSH, and VNC sessions — identity-bound, time-limited, recorded.

Last updated 2026-04-22

Privileged Access Management in Access Gate is a browser-based Remote Access Scheme: a DBA, integrator, or support engineer opens a URL, authenticates, and gets a proxied session to a specific system. No VPN tunnel, no standing credential, no SSH keys distributed in advance. Each session is tied to a named person, time-bounded, and recorded.

What the Remote Access Scheme Covers

The scheme proxies admin-class protocols through Access Gate so the client device never touches the target network directly:

| Protocol | Typical target | Client surface |
|---|---|---|
| RDP | Windows servers, engineering workstations | Browser — HTML5 renderer |
| SSH | Linux/Unix hosts, network appliances, jump hosts | Browser — terminal in-page |
| VNC | HMI panels, legacy workstations | Browser — HTML5 renderer |
| HTTPS | Admin web UIs, historians, BMS dashboards | Browser — iframe / redirect |

The target system sees a connection coming from Access Gate. The user sees a browser tab. The two never share an IP path.

Why Proxied Sessions Matter for OT and Hybrid Networks

| Legacy approach | Problem it creates | Proxied-session answer |
|---|---|---|
| Shared admin accounts | No identity-to-action mapping during investigation | Every action ties to an IdP user |
| Distributed SSH keys | Key sprawl, no revocation | No keys leave Access Gate |
| Jump host with VPN | One credential, broad blast radius | Per-enclave, per-protocol scope |
| Screen-share for vendor | No audit record | Full session log + timeline |

What the User Experience Looks Like

  1. The user opens a URL you publish (for example acme.tr-sec.net/connect).
  2. They authenticate through your Identity Provider (OIDC or SAML) or via a temporary user created in Access Gate.
  3. Access Gate lists only the systems their role can reach — per enclave.
  4. They click a system; the browser opens an RDP, SSH, VNC, or HTTPS session against it.
  5. At session end (explicit logout, timeout, or operator-triggered end-session), the connection drops.

No client software. No credential handed to the remote user. No private route onto the network.

PAM Controls

For high-impact sessions, the same path layers on standard PAM behaviors:

  • Identity-bound sessions — every action attributes to a named person, never a shared account.
  • Just-in-time access — grant a role for a defined window; it revokes automatically.
  • Per-session expiration — idle timeout + maximum session length, configurable per enclave.
  • Operator end-session — any active session can be terminated from the admin UI.
  • Full audit trail — connection, target, principal, protocols, and outcome land in the enclave change history and the log pipeline.

Setting It Up

1. Configure Remote Access Scheme for your asset
  1. Navigate to Assets → [Your Asset] →
  2. Click on the pencil icon, and then Edit network.
  3. Specify the Remote Access Scheme and the login information to use.
  4. Save.

The information is stored in Access Gate and encrypted at rest and in transit, so you never have to hand out the credentials needed to connect to a given system.

2. Enable the Remote Access Scheme on an enclave
  1. Navigate to Enclaves → [Your Enclave] → the flow you want to place under PAM.
  2. Toggle Remote Access Scheme on.
  3. Save.

Only the protocols picked here are reachable through the proxy. The target system's other ports stay invisible from a session.

3. Grant just-in-time access (optional)
  1. Select the Access Agreement that will authenticate the visitor.
  2. Configure this access screen to grant access for a defined period of time and to use a specific Directory.
  3. Save.

At the cutoff time the entry is deactivated automatically; no operator action needed.

Session Recording and Review

Every proxied session lands in the enclave's change history with:

  • Principal (IdP user)
  • Target asset
  • Protocol and timestamps
  • Session outcome (normal close, timeout, operator-ended)

The log pipeline carries the same events to your SIEM if you have log forwarding configured — so investigators can tie a detection alert to a specific session without pivoting into Access Gate's UI.
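As an added illustration of the correlation described above (example code, not Access Gate's own code or export format): given session records carrying the fields the page lists, map a detection alert on a target to the principal whose proxied session was open at that moment, and flag closed sessions that ran past a maximum length. The JSON field names and all sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of per-session records with the fields the page lists
# (principal, target, protocol, timestamps, outcome). Field names are an
# assumption; Access Gate's real export schema is not shown on the page.
SESSION_EVENTS = [
    {"principal": "alice@example.com", "target": "sql-01", "protocol": "rdp",
     "start": "2026-04-21T08:02:11Z", "end": "2026-04-21T09:10:40Z", "outcome": "normal close"},
    {"principal": "vendor.bob@example.com", "target": "hmi-07", "protocol": "vnc",
     "start": "2026-04-21T08:40:00Z", "end": "2026-04-21T08:55:00Z", "outcome": "timeout"},
    {"principal": "carol@example.com", "target": "sql-01", "protocol": "ssh",
     "start": "2026-04-21T11:00:00Z", "end": None, "outcome": None},  # still open
]

def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample into aware datetimes."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def sessions_active_at(events, target, alert_ts):
    """Sessions on `target` whose window covers the alert time.
    A record with no end timestamp is treated as still open."""
    when = parse_ts(alert_ts)
    hits = []
    for ev in events:
        if ev["target"] != target:
            continue
        start, end = parse_ts(ev["start"]), parse_ts(ev["end"])
        if start <= when and (end is None or when <= end):
            hits.append(ev)
    return hits

def attribute_alert(events, target, alert_ts):
    """Principals with an open proxied session on `target` at alert time.
    An empty list means the activity did not come through a recorded
    proxied session, which is itself worth investigating."""
    return sorted({ev["principal"] for ev in sessions_active_at(events, target, alert_ts)})

def over_length(events, max_length):
    """Closed sessions that ran longer than the configured maximum length,
    a policy check on the per-session expiration the page describes."""
    flagged = []
    for ev in events:
        if ev["end"] is None:
            continue
        if parse_ts(ev["end"]) - parse_ts(ev["start"]) > max_length:
            flagged.append(ev)
    return flagged
```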

When to Use This vs Remote ZT Access

| Scenario | Reach for |
|---|---|
| Remote engineer needs HTTPS/Modbus/OPC to a set of enclaved systems | Remote Zero Trust Access |
| Vendor needs a one-off RDP onto a Windows server | Privileged Access Management (this page) |
| SSH on an industrial appliance for troubleshooting | Privileged Access Management (this page) |
| Day-to-day application traffic from a remote laptop | Remote Zero Trust Access |

The two flows coexist — you can enable both on the same enclave and let each user's role decide which one they actually get.