Administration Guide

Launchers

Secret launchers allow users to remotely gain access to a target without the need to know, view, or copy the passwords stored in FortiPAM.

A secret launcher stores an executable and the parameters needed to start a connection to a target.

In proxy mode, browsing triggers a ZTNA tunnel between FortiClient and the FortiPAM server.

The FortiPAM Chrome extension may have compatibility issues with some specific login pages and be unable to fill in the user name and password.

To avoid DoS attacks, multiple secret launches from the same user within 1 second are blocked.

For each secret launcher, the name, type, file launcher, client software, executable, parameter, and references are displayed.

The following default launchers are available in FortiPAM:

  • HeidiSQL: An SQL GUI launcher that supports mssql, psql, and mysql.

  • Microsoft SQL CLI: An MSSQL CLI launcher for sqlcmd.exe.

  • MobaXterm: An SSH client using MobaXterm.

  • MySQL CLI: A MySQL CLI launcher for mysql.exe.

  • MySQL Shell: A MySQL CLI launcher for mysqlsh.exe.

  • PostgreSQL CLI: A PostgreSQL CLI launcher for psql.exe.

    To use psql.exe:

    • You must add the application path to the PATH environment variable in the system, e.g., C:\Program Files\PostgreSQL\<version>\bin.

    • Restart FortiClient.

    The PostgreSQL CLI default launcher connects to postgres by default.

    To switch the database:
    1. Use \l to see the full list of available databases.
    2. Use \c <dbname> to change to the desired database.
  • PuTTY: A basic SSH client using PuTTY.

  • Remote Desktop- Windows: A basic RDP client using remote desktop.

  • SSH CLI: An SSH CLI launcher for ssh.exe.

  • SSMS: An MSSQL GUI launcher.

    You must open SSMS locally at least once (it does not require connecting to the database) to set up the initial software cache; otherwise, the SSMS launcher fails.

  • SecureCRT: An SSH client using SecureCRT.

  • TightVNC: A basic VNC client using TightVNC.

    The TightVNC client does not support connecting to a macOS server in non-proxy mode.

  • VNC Viewer: A basic VNC client using VNC Viewer.

  • Web Launcher: A basic web launcher using Fortinet’s FortiClient web extension.

    For secrets created for a target with Web Proxy enabled:

    • Web Launcher is available to users with View, Edit, or Owner permission for the secret.

    For secrets not created for a target or for secrets created for a target with Web Proxy disabled:

    • Web Launcher is unavailable to users with View permission for the secret, as the password can be retrieved using browser dev tools.

    • Web Launcher is only available to users with Edit or Owner permission for the secret.

    For information on setting up folder and secret permissions, see Creating a folder and Creating a secret.

  • Web RDP: A basic browser-based RDP launcher.

    To copy and paste when accessing a target using the Web RDP launcher:

    1. Press F8.

      A new menu opens.

    2. From the menu, select Clipboard.

      The RDP Clipboard menu opens.

      Copy from Local to Remote:

      1. Enter/paste (Ctrl + v) the selected text from the local machine to the text box similar to the one in step 2.
      2. In the RDP Clipboard menu, select Copy to Remote Clipboard.
      3. From the top-right, click X to close the text box.
      4. On the remote machine, use Ctrl + v to paste.

      Copy from Remote to Local:

      1. On the remote machine, copy the text (Ctrl + c).
      2. In the RDP Clipboard menu (the one in step 2), select Request Remote Clipboard.

        The copied text appears in the text box.

      3. In the RDP Clipboard menu, select Copy to Local Clipboard.

        The text is now available on the local clipboard.

      4. From the top-right, click X to close the text box.
      5. On the local machine, use Ctrl + v to paste.
  • Web SFTP: A basic browser-based SFTP web launcher.

  • Web SMB: A basic browser-based SMB web launcher.

  • Web SSH: A basic browser-based SSH web launcher.

    To copy and paste in the Web SSH console, select the text and then use Ctrl + Shift + v.

  • Web VNC: A basic browser-based VNC web launcher.

  • WinSCP: A basic WinSCP client using SSH.

  • Xshell: An SSH client using Xshell.

  • FortiClient Web extension: FortiClient Web Launcher

  • RDP over Web: RDP over Web Launcher

  • SSH over Web: SSH over Web Launcher

  • VNC over Web: VNC over Web Launcher

  • SMB over Web: SMB over Web Launcher

  • SFTP over Web: SFTP over Web Launcher

The following launchers should not be used for customized launchers:

  • FortiClient Web extension: FortiClient Web Launcher

  • RDP over Web: RDP over Web Launcher

  • SSH over Web: SSH over Web Launcher

  • VNC over Web: VNC over Web Launcher

  • SMB over Web: SMB over Web Launcher

  • SFTP over Web: SFTP over Web Launcher

These launchers will be removed in a future FortiPAM version.

Chrome, Edge, and Firefox are the supported browsers.

Starting with FortiPAM 1.1.0, only the Client Software toggle/dropdown of a default secret launcher can be modified.

The Web SSH, Web RDP, Web VNC, Web SFTP, and Web SMB default launchers always work in proxy mode irrespective of the Proxy Mode setting.

The PuTTY and WinSCP launchers are not supported when the secret is in non-proxy mode and uses an SSH key for authentication.

The TightVNC launcher is not supported when the secret is in non-proxy mode and requires a username for authentication.

In proxy mode, the following launchers are available to all users:

  • Web SSH

  • Web RDP

  • Web VNC

  • Web SFTP

  • Web SMB

  • Web Launcher

  • PuTTY

  • WinSCP

  • RDP

  • VNC Viewer

  • TightVNC

In non-proxy mode, the following launchers are available to all users:

  • Web SSH (always in proxy mode)

  • Web RDP (always in proxy mode)

  • Web VNC (always in proxy mode)

  • Web SFTP (always in proxy mode)

  • Web SMB (always in proxy mode)

In non-proxy mode, the following launchers are only available to users with permission to view the secret password:

  • PuTTY

  • WinSCP

  • RDP

  • VNC Viewer

  • TightVNC
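
The proxy-mode and non-proxy-mode rules above can be combined into one check for an access review. The following is an added example, not Fortinet code: the Secret class, its fields, and the function names are hypothetical, the launcher names are those listed on this page, and Web Launcher is left out because its availability depends on the separate Web Proxy setting.

```python
from dataclasses import dataclass

# Launcher names as listed on this page; Web Launcher is left out on purpose.
WEB = ("Web SSH", "Web RDP", "Web VNC", "Web SFTP", "Web SMB")
NATIVE = ("PuTTY", "WinSCP", "RDP", "VNC Viewer", "TightVNC")


@dataclass(frozen=True)
class Secret:  # hypothetical model, not a FortiPAM object
    proxy_mode: bool
    uses_ssh_key: bool = False       # secret authenticates with an SSH key
    requires_username: bool = False  # secret requires a username


def launcher_status(secret, can_view_password):
    """Map each launcher to (usable, reason) for one user and one secret."""
    status = {name: (True, "always runs in proxy mode") for name in WEB}
    for name in NATIVE:
        if secret.proxy_mode:
            status[name] = (True, "proxy mode: available to all users")
        elif name in ("PuTTY", "WinSCP") and secret.uses_ssh_key:
            status[name] = (False, "unsupported: non-proxy mode with SSH key")
        elif name == "TightVNC" and secret.requires_username:
            status[name] = (False, "unsupported: non-proxy mode with username")
        elif not can_view_password:
            status[name] = (False, "non-proxy mode needs view-password permission")
        else:
            status[name] = (True, "non-proxy mode: user may view the password")
    return status


def usable(secret, can_view_password):
    """Names of the launchers the user can start, in page order."""
    st = launcher_status(secret, can_view_password)
    return [name for name in WEB + NATIVE if st[name][0]]


if __name__ == "__main__":
    # Constructed cases for an access review.
    cases = {
        "proxy, no view permission": (Secret(True), False),
        "non-proxy, no view permission": (Secret(False), False),
        "non-proxy, SSH key, may view": (Secret(False, uses_ssh_key=True), True),
    }
    for label, (secret, can_view) in cases.items():
        print(f"{label}: {', '.join(usable(secret, can_view))}")
```
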

The Launchers tab contains the following options:

  • Create: Select to create a new launcher. See Creating a launcher.

  • Edit: Select to edit the selected launcher.

  • Delete: Select to delete the selected launchers.

  • Clone: Select to clone the selected launcher.

  • Search: Enter a search term in the search field, then hit Enter to search the launchers list. To narrow down your search, see Column filter.

Preconfiguration for MobaXterm, Xshell, and SecureCRT

Before you use FortiPAM to launch secrets in MobaXterm, Xshell, or SecureCRT, ensure that these applications are correctly installed and configured on your local endpoint (user machine).

Execute each application independently to confirm that it operates correctly. Pay close attention to any initial setup or configuration prompts that may appear during the first launch. It is essential to have all the necessary configurations in place for the applications to run smoothly.

This preconfiguration step is essential to avoid issues or disruptions when using these secrets within FortiPAM. If you encounter problems during the initial manual launch, please resolve them before integrating FortiPAM with these applications.

Once you have verified that these applications work correctly on your endpoint, you can seamlessly integrate them with FortiPAM for enhanced access control and security.
