Remote Apps Getting Started Guide

PAM Privileged Remote Application Launcher using Windows RDS.

This guide is designed for System Administrators to learn about PAM Remote App Launchers and to create a secure login record to MS SQL Server Management Studio.

Please note that this guide is using the application MS SQL Server Management Studio as an example to illustrate how to create a working RemoteApp record in PAM.

Before you begin this guide, ensure you have the following pre-requisites.

Pre-requisites

  1. Fully implemented, configured and working Windows Remote Desktop Services Host with Published RemoteApp functionality enabled. You will need access to the host to install our PAM Auto Shell program and to make it a Published RemoteApp Program.
  2. Both the Drives and Clipboard options must be enabled in the RDS Collection’s Client Settings configuration (shown in the screenshot below). If there are any Domain Policies that prevent Drives or Clipboard access, then exceptions must be made to accommodate this requirement.

    [Screenshot: RemoteApp-RDS-Client-Settings]

  3. Updated instance of Privileged Access Management with a System Administrator login.

  4. MS SQL Server Management Studio installed on this host in the location.

    Note the installation location of this application as it will be required in a later step of this guide.

  5. Valid connection credentials for a MS SQL database connection (SQL Server name, Login and Password).

Topic guide

With the pre-requisites out of the way, this guide will cover the following topics:

1. Deploying and publishing the PAM Auto Shell program

2. Configuring the PAM Remote Apps record types

3. Creating your PAM Remote App Host record

4. Creating your PAM Remote App Launcher record

5. Verifying or Updating Remote App Script

6. Testing your Remote App connection

1. Deploying and publishing

In this step you deploy and publish the Auto Shell program on your Windows Remote Desktop Services host. The published Auto Shell application is what launches the RemoteApp application as configured in PAM.

  1. Copy the PAM Auto Shell program from your PAM host server to your Windows Remote Desktop Services host. The program is located at:

    $PAM_HOME\pkg\pam-app-launcher.zip

  2. Login to your Windows Remote Desktop Services host.

  3. On your Windows Remote Desktop Services host, extract our pam-app-launcher.zip to C:\app. The full program path should be:

    c:\app\XtAutoShell\XtAutoShell.exe

  4. Publish XtAutoShell.exe as a new RemoteApp Program with the exact program name and alias XtAutoShell. You may set the Visible in RD Web Access parameter to No if you wish.

    [Screenshot: RemoteApp-Program-XtAutoShell]

  5. Ensure User Assignment is properly configured for the published XtAutoShell RemoteApp. To modify User Assignment, right click on XtAutoShell and choose Edit Properties.

    [Screenshot: RemoteApp-Program-XtAutoShell-Edit-User-Assignment]

  6. Enable Remote Desktop to this host and enable permissions for the user account that you intend to define in your PAM record.
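
The extract and publish steps above can also be scripted with the RemoteDesktop PowerShell module. This is an added example, not part of the vendor's guide; the collection name, zip location and user group are assumptions, and it is meant to run on the RD Connection Broker (add -ConnectionBroker to the RD cmdlets otherwise).

```powershell
# Added example. Values marked ASSUMPTION are placeholders, not taken from the guide.
Import-Module RemoteDesktop

$Collection = 'PAM-RemoteApps'                      # ASSUMPTION: your RDS collection name
$ZipPath    = 'C:\Temp\pam-app-launcher.zip'        # ASSUMPTION: where the zip was copied to
$UserGroups = @('CONTOSO\PAM-RemoteApp-Users')      # ASSUMPTION: group holding the PAM connection account
$ExePath    = 'C:\app\XtAutoShell\XtAutoShell.exe'  # path required by the guide

# Pre-requisite 2: Drives and Clipboard must be enabled in the collection's client settings.
$client  = Get-RDSessionCollectionConfiguration -CollectionName $Collection -Client
$enabled = "$($client.ClientDeviceRedirectionOptions)" -split ',\s*'
$missing = @('Drive', 'Clipboard') | Where-Object { $_ -notin $enabled }
if ($missing) {
    throw "Collection '$Collection' is missing client redirection: $($missing -join ', ')"
}

# Extract the launcher to C:\app and confirm the expected program path exists.
if (-not (Test-Path -LiteralPath $ExePath)) {
    Expand-Archive -LiteralPath $ZipPath -DestinationPath 'C:\app'
}
if (-not (Test-Path -LiteralPath $ExePath)) {
    throw "Expected $ExePath after extraction; check the archive layout."
}

# Publish with the exact name and alias XtAutoShell, hidden from RD Web Access,
# and assigned only to the group that contains the PAM connection account.
$existing = Get-RDRemoteApp -CollectionName $Collection |
    Where-Object { $_.Alias -eq 'XtAutoShell' }
if (-not $existing) {
    New-RDRemoteApp -CollectionName $Collection -DisplayName 'XtAutoShell' `
        -Alias 'XtAutoShell' -FilePath $ExePath `
        -ShowInWebAccess $false -UserGroups $UserGroups
}

# Show what is published so the name, alias, path and user assignment can be reviewed.
Get-RDRemoteApp -CollectionName $Collection |
    Where-Object { $_.Alias -eq 'XtAutoShell' } |
    Format-List DisplayName, Alias, FilePath, ShowInWebAccess, UserGroups
```

Limiting user assignment to a single group keeps the published launcher usable only by the account stored in the Remote App Host record.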

2. Configuring Remote Apps record types

  1. Login to PAM as a System Administrator.
  2. Navigate to Administration > Record Types.
  3. Locate the Record Type Remote App Host and click its Edit button.
  4. Uncheck the option Hidden and then click Save.
  5. Return to the Record Types page and repeat this process for the Record Type MS SQL Studio.

3. Creating your Remote App Host record

This record will create the secure, remote connection to your Windows Remote Desktop Services server host. Users that will be starting RemoteApp sessions are not required to have permission to this record to begin their sessions. We recommend limiting permission to this Remote App Host record to only those that maintain or troubleshoot RemoteApp sessions.

  1. Navigate to Records > All Records and (optionally) create a new folder.
  2. Create a new Record using the type Remote App Host.
  3. Enter a Name and Description.
  4. Populate the following connection and configuration values:
    • Host: Enter the host name for the remote desktop connection to your Windows Remote Desktop Services server.

    • Port: Enter the port number for the remote desktop connection to your Windows Remote Desktop Services server.

    • User: Enter the user account that will establish the remote desktop connection and launch the published PAM Auto Shell program. This user must have RDP access to the Remote App Host and have permission to launch the published PAM Auto Shell program.

    • Password: Enter the password for this user account.

    • Filter: Enter the value MS SQL Studio. This defines which remote applications can be launched with the Remote App Host record. An empty value permits any application to be launched.

    • Remote App Platform: Select Windows RDS from the dropdown menu.

    • Enabled: Check this box to enable this host for connection.

  5. Click Save and Return.

4. Creating Remote App Launcher record

This record will be used by the System users to securely launch your MS SQL Server Management Studio remote application.

  1. Create a new Record using the type MS SQL Studio.
  2. Enter a Name and Description.
  3. Populate the following connection and configuration values:
    • Host: Enter the server name for your MS SQL Database connection.

    • User: Enter the user account for your MS SQL Database connection.

    • Password: Enter the password for this user account.

  4. Click Save and Return.

5. Verifying or Updating Remote App Script

Before you finish, we must verify or modify the launcher script to accurately reflect the installation path of our example application. If the path in the script is incorrect, then the Auto Shell program will fail to successfully launch it.

  1. Navigate to the page Administration > Scripts.

  2. Locate the script named “Remote Application MS SQL Studio Launcher” and click its Edit button.

  3. The third line of this script begins with Local Const $SSMS_EXECUTABLE. In this line, verify the full path to the Ssms.exe application accurately reflects the installation path of this program on your Remote App Host server. Update the full path if required and click Save if any changes were made to the script. Failure to define the correct path to Ssms.exe will result in unsuccessful sessions.

6. Testing your Remote App connection

  1. Open the MS SQL Studio record that was created in the previous step.
  2. Select the Connect and Record option to establish the connection with session recording enabled.
  3. A new session will open. It first establishes a secure connection to your Remote App Host server and then launches the PAM Auto Shell script. The PAM Auto Shell program then launches MS SQL Server Management Studio, populates the Server name, User and Password parameters automatically and opens the database connection. Once the connection is made, keyboard and mouse controls are returned to you.
  4. Navigate through your MS SQL database and execute a few test SQL commands. Once satisfied, you may exit MS SQL Server Management Studio and then disconnect the secure remote session by closing this browser tab or window.
  5. At this point, you may review the video and keystroke recordings by opening the Sessions tab for this record.

This completes the PAM Remote App Launcher walk through.

 

By default, Remote App Host records can be used by any Remote App Launcher record stored in a PAM vault. To prevent a Remote App Launcher record from using a Remote App Host record located in a different vault, add the following line to PAM's catalina.properties file, save the file and restart the PamManagement service.

xtam.apphost.crossvault.disable=true
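
One way to apply this setting idempotently, as an added example that is not part of the vendor's guide. The path to catalina.properties is a placeholder you must fill in, and the script assumes the Windows service name is PamManagement as written above.

```powershell
# Added example. ASSUMPTION: replace the placeholder with the real location of
# PAM's catalina.properties on your PAM server.
$PropsFile = '<path-to-PAM>\catalina.properties'
$Key       = 'xtam.apphost.crossvault.disable'

# Java properties files are ISO-8859-1; read and write with that encoding
# so existing entries are not altered.
$enc   = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
$lines = [System.IO.File]::ReadAllLines($PropsFile, $enc)

# Active (uncommented) assignments of the key. Properties accept '=' or ':' as
# the separator, and when a key appears more than once the last one wins.
$pattern = '^\s*' + [regex]::Escape($Key) + '\s*[=:]'
$active  = @($lines | Where-Object { $_ -match $pattern })

if ($active.Count -eq 1 -and $active[0] -match '[=:]\s*true\s*$') {
    Write-Output "$Key is already set to true; no change made."
}
else {
    # Keep a backup, drop any conflicting or duplicate assignments, add the setting once.
    Copy-Item -LiteralPath $PropsFile -Destination "$PropsFile.bak" -Force
    $kept = @($lines | Where-Object { $_ -notmatch $pattern })
    [System.IO.File]::WriteAllLines($PropsFile, [string[]]($kept + "$Key=true"), $enc)

    # The setting is read at startup, so restart the service named in the guide.
    Restart-Service -Name 'PamManagement'
    Write-Output "$Key=true written and PamManagement restarted."
}
```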

 

For additional remote app topics and how-to guides, return to the Remote App Launcher main page and use the topics listed at the bottom to navigate the available articles.
