Administration Guide

Modes of operation

FortiPAM can operate in the following two modes:

  • Proxy: All the launched traffic to the target server is forwarded to FortiPAM first. FortiPAM then connects to the target server. FortiPAM delivers fake credentials to the client machine. FortiPAM manages the credentials and login procedures to the target server.

    All the traffic except web browsing is proxied through FortiPAM.

    The proxy mode is more secure than the non-proxy mode as it does not deliver sensitive information to the client machine.

    In the proxy mode, the administrator can terminate traffic connections if improper user behavior is detected.

    Web SSH, Web RDP, Web VNC, Web SFTP, and Web SMB default launchers always use the proxy mode irrespective of the proxy settings.

  • Non-proxy: All the launched traffic goes directly to the target server without passing through FortiPAM. FortiPAM delivers the credential information to the client machine, and the native program (for example, PuTTY) or the web browser connects directly to the server.

    The direct connection (non-proxy) mode and web browsing both carry an added risk of credential leakage, because the real credentials leave FortiPAM and reach the client machine. To reduce this risk, access to this mode is strictly controlled by user permissions.

    Users without sufficient permission cannot access direct mode or web browsing launchers.

    The following features do not work when FortiPAM is in non-proxy mode:

    • SSH filters

    • SSH auto password delivery

    • Block RDP clipboard

    • RDP security level

    PuTTY and WinSCP launchers are not supported when the secret is in non-proxy mode and uses an SSH key for authentication.

    The TightVNC launcher is not supported when the secret is in non-proxy mode and requires a username for authentication.

    When launchers are used in non-proxy mode, the environment may need to be initialized beforehand. You can specify this with init-commands and clean-commands.

    Note: Init-commands and clean-commands only run in the non-proxy mode.

    To select the mode of operation, use the Proxy Mode option when creating or editing a secret (see Creating a secret), or the Proxy Mode option when creating or editing a policy (see Creating a policy).
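The rules above (which controls stop working in non-proxy mode, which launcher and authentication combinations are unsupported, and which web launchers always proxy) are easy to lose track of across a large secret inventory. The following audit helper is an added example written for this page; it is not FortiPAM code, and the record field names (`proxy_mode`, `launcher`, `auth`, `controls`) are assumptions for illustration rather than FortiPAM's export schema. It works out the effective mode of each secret and flags secrets whose configured controls are silently ineffective or whose launcher is unsupported in non-proxy mode.

```python
"""Audit helper (added example, not FortiPAM code).

Flags secrets whose configured controls have no effect in non-proxy mode,
or whose launcher/authentication combination the guide lists as unsupported.
Field names are assumptions for illustration, not FortiPAM's export schema.
"""
from dataclasses import dataclass, field

# Controls the guide lists as not working when a secret is in non-proxy mode.
NON_PROXY_INEFFECTIVE = {
    "ssh_filters",
    "ssh_auto_password",
    "block_rdp_clipboard",
    "rdp_security_level",
}

# Web launchers always use proxy mode, whatever the secret's setting.
ALWAYS_PROXY_LAUNCHERS = {"web_ssh", "web_rdp", "web_vnc", "web_sftp", "web_smb"}


@dataclass
class Secret:
    name: str
    proxy_mode: bool          # the secret's Proxy Mode option
    launcher: str             # e.g. "putty", "winscp", "tightvnc", "web_rdp"
    auth: str                 # "password" or "ssh_key"
    username_required: bool = True
    controls: set = field(default_factory=set)


def effective_mode(secret: Secret) -> str:
    """Return 'proxy' or 'non-proxy' after applying the web-launcher override."""
    if secret.launcher in ALWAYS_PROXY_LAUNCHERS:
        return "proxy"
    return "proxy" if secret.proxy_mode else "non-proxy"


def audit_secret(secret: Secret) -> list:
    """Return a list of findings for one secret (empty when nothing is wrong)."""
    findings = []
    if effective_mode(secret) == "proxy":
        return findings  # all listed controls apply; nothing to flag

    # Controls that are configured but do nothing in non-proxy mode.
    for control in sorted(secret.controls & NON_PROXY_INEFFECTIVE):
        findings.append(
            f"{secret.name}: control '{control}' is configured but has no "
            f"effect in non-proxy mode"
        )

    # Launcher/authentication combinations the guide marks as unsupported.
    if secret.launcher in {"putty", "winscp"} and secret.auth == "ssh_key":
        findings.append(
            f"{secret.name}: {secret.launcher} launcher is unsupported in "
            f"non-proxy mode when the secret uses an SSH key"
        )
    if secret.launcher == "tightvnc" and secret.username_required:
        findings.append(
            f"{secret.name}: tightvnc launcher is unsupported in non-proxy "
            f"mode when a username is required"
        )

    # Every non-proxy secret hands real credentials to the client machine.
    findings.append(
        f"{secret.name}: credentials are delivered to the client machine; "
        f"confirm user permissions restrict this launcher"
    )
    return findings


def audit_inventory(secrets: list) -> dict:
    """Map secret name -> findings, including only secrets with findings."""
    report = {}
    for secret in secrets:
        findings = audit_secret(secret)
        if findings:
            report[secret.name] = findings
    return report


# Constructed sample inventory (not real data) exercising each rule.
SAMPLE_SECRETS = [
    Secret("db-admin", proxy_mode=True, launcher="putty", auth="password",
           controls={"ssh_filters"}),
    Secret("legacy-host", proxy_mode=False, launcher="putty", auth="ssh_key",
           controls={"ssh_filters", "ssh_auto_password"}),
    Secret("kiosk-vnc", proxy_mode=False, launcher="tightvnc", auth="password",
           username_required=True),
    Secret("win-jump", proxy_mode=False, launcher="web_rdp", auth="password",
           controls={"block_rdp_clipboard"}),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_SECRETS).items():
        print(name)
        for line in findings:
            print("  -", line)
```

Running the block prints findings only for `legacy-host` and `kiosk-vnc`: the proxied secret and the Web RDP secret (which proxies regardless of its setting) pass cleanly, while the non-proxy secrets are flagged for ineffective controls, unsupported launcher combinations, and credential delivery to the client.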
