
Understanding Privileged Remote Access

Privileged Remote Access (PRA) is a clientless remote desktop gateway that enables end users to securely connect to servers, jump hosts and bastion hosts, or desktops using Remote Desktop Protocol (RDP), Secure Shell (SSH), or Virtual Network Computing (VNC) from the end user’s modern browser without installing Zscaler Client Connector or any browser plugins. PRA allows you to provide third-parties (vendors, contractors, suppliers), IT administrators, and remote employees controlled access to your privileged servers and applications.

PRA allows an admin to set up specific end users for specific privileged consoles, with policies that apply for a specific time frame. You can also choose to provide configured credentials for short-term end users, or prompt end users to enter their credentials when using a privileged console. These PRA features provide secure, user-friendly access while limiting the end user’s access to only what is needed, only when it is needed, and only for a set duration.

To set up PRA, see Step-by-Step Configuration Guide for Privileged Remote Access.

The PRA service includes the following key components:

  • Privileged portals are what your end users use to gain access to designated servers and browsers for PRA. Privileged portals are designated with a URL and a Browser Access certificate that the Private Applications infrastructure uses when an end user accesses a privileged portal. These can also be branded with the customer’s domain and text.

    An end user’s privileged portal is commonly referred to as the Privileged Remote Access (PRA) Portal. The PRA Portal is a user-friendly catalog of resources that shows what privileged consoles the end user can access after they have authenticated to the configured identity provider. The PRA Portal is external from the Admin Portal but its features are configured within the Admin Portal.

    End users can also view future and expired privileged consoles, if any. If privileged approvals have been assigned to privileged consoles, then they expire following the scheduled window of time. If an end user has been given permissions for privileged live sessions, then there is also a carousel of the live privileged sessions they have access to. If you have included a notification banner, it appears at the top of the PRA Portal. After a privileged portal is created, privileged consoles can be added.

    To learn more, see About Privileged Portals.

  • A privileged console is what the end user selects in a PRA Portal to access the assigned servers and databases associated with that privileged console. The privileged console and the PRA Portal are external to the Admin Portal, though they are configured within the Admin Portal. Privileged consoles are each assigned a protocol, domain, and port number. There are three types of protocols available to use with PRA: VNC, SSH, and RDP. End users can only access privileged consoles that they have been granted access to. End users can discover what privileged consoles they have access to by logging into the PRA Portal.

    When an end user selects a privileged console, they are then required to provide their credentials specific to the associated protocol. After the end user is logged into the privileged console, there are a few features that are visible, if enabled for that privileged console. These options include a virtual keyboard, File Transfer, and Clipboard. If the Session Recording feature is enabled, then the end user sees a Recording notification at the top of the privileged console during their privileged session. If an end user has a privileged approval assigned to their privileged consoles, they lose access once the scheduled time expires.

    To learn more, see About Privileged Consoles.

  • A privileged approval is a set start and end date and time that an end user has access to a privileged console. After a time window expires, the end user is no longer able to access the privileged console. This is a key feature if you want to set permissions for contractors, third-party users, and other end users who only need a certain window of time for access.

    Privileged consoles with privileged approvals that have ended due to the time window completing show as Expired. Any scheduled privileged consoles with upcoming time windows of access show as Future. Admins can clean up their privileged approvals table by selecting Purge Expired Approvals to remove existing expired privileged approvals.

    To learn more, see About Privileged Approvals.

  • Privileged credentials allow end users to access privileged portals seamlessly. These set credentials provide an end user access without requiring a personalized login for short-term end users (e.g., contractors and third-party users). To set a privileged credential with a privileged console, you need to create a privileged credentials policy.

    To learn more, see About Privileged Credentials.

  • There are two PRA-specific policies that can be set to provide rules for privileged consoles: privileged credentials policies and privileged capabilities policies. You might see both PRA policy options, only one, or neither in your Admin Portal depending on your enablement of these policy options.

    To learn more, see About Privileged Policy.

    • Privileged credential policies allow you to assign existing privileged credentials to existing privileged consoles. When an end user accesses a privileged console that has an assigned privileged credentials policy, the end user can access the privileged console without manually logging in. If you delete the privileged credentials policy, the privileged credentials associated with the privileged consoles for that policy are removed and the privileged credential feature no longer applies to that privileged console. The privileged console then prompts the end user to log in, replacing the credential-provided access.

      To learn more, see About Privileged Credentials Policy.

    • Privileged capabilities policies allow you to enable and disable the following features in a privileged console: File Transfer, Clipboard, and Session Recording. You can enable or disable the items related to each of these features for each privileged capabilities policy rule. Each item is disabled by default. The configurations you set in this policy rule determine what capabilities in a privileged console an end user has.

      If enabled, the end user can access the File Transfer and Clipboard options from their designated icons in the privileged console window. If enabled, Session Recording shows as Recording at the top of the privileged console window. If any of the features are disabled, then they are not displayed, with the exception of the File Transfer feature, which shows if disabled but isn’t functional.

      To learn more, see About Privileged Capabilities Policy.

  • When you are configuring a defined application segment, you can enable PRA and assign a protocol to that application segment. When an application segment is PRA-enabled, you can select that application segment when creating a privileged console. When an end user selects a privileged console in the PRA Portal, they are taken to the PRA-enabled application segment. When configuring a privileged console, you can only select application segments that are PRA-enabled.

    To learn more, see About Privileged Remote Access Applications.

  • You can view the data and analytics for your PRA features on the User Activity Diagnostics page and the Privileged Sessions page. On the User Activity Diagnostics page, you can view data for Session Recordings, privileged credentials policies, privileged capabilities policies, File Transfer, and PRA-related errors. In the User Activity Logs table, you can filter by policy and by Session Recording. The following fields are listed in the Policy column: Capabilities Policy ID, File, and Credentials Policy ID. The following fields are listed in the Applications column: Credential Username, Credential Login Type, Files, PRA Error, and Session Recording. You can view the recorded privileged sessions when you click the Play icon in the Session Recording field.

    To learn more, see Accessing User Activity Diagnostics.

    You can view the data and analytics specific to privileged recorded sessions on the Privileged Sessions page on the Recorded tab. You can filter the data based on a protocol type. You can view and filter the data table that displays recorded privileged session details. If you want to play one of the recorded privileged sessions, click the Play button. This takes you to a new page to view the recording. You can also download a recording.

    To learn more, see Accessing Privileged Sessions.

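As an added illustration (not code from Zscaler or from this page), the following Python models the privileged approval time window described above: each approval is classified as Future, Active, or Expired relative to the current time, console access is allowed only inside an Active window, and purging removes Expired entries, as Purge Expired Approvals does. The user and console names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (helper for constructed data)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class PrivilegedApproval:
    """A start and end date/time during which a user may open a console."""
    user: str
    console: str
    start: datetime
    end: datetime

    def status(self, now: datetime) -> str:
        # Mirrors the PRA Portal labels: Future before the window opens,
        # Expired once the end time is reached, otherwise Active.
        if now < self.start:
            return "Future"
        if now >= self.end:
            return "Expired"
        return "Active"


def can_access(approvals, user, console, now):
    """Access is granted only inside an Active window for this user/console."""
    return any(a.user == user and a.console == console and a.status(now) == "Active"
               for a in approvals)


def purge_expired(approvals, now):
    """Equivalent of Purge Expired Approvals: drop windows that have ended."""
    return [a for a in approvals if a.status(now) != "Expired"]


# Constructed sample approvals (hypothetical users and consoles).
APPROVALS = [
    PrivilegedApproval("contractor-a", "db-jump-ssh", utc(2024, 5, 1, 9), utc(2024, 5, 1, 17)),
    PrivilegedApproval("contractor-a", "win-bastion-rdp", utc(2024, 5, 3, 9), utc(2024, 5, 3, 12)),
    PrivilegedApproval("vendor-b", "db-jump-ssh", utc(2024, 4, 20, 9), utc(2024, 4, 20, 17)),
]

if __name__ == "__main__":
    now = utc(2024, 5, 1, 10)
    for a in APPROVALS:
        print(f"{a.user:13} {a.console:16} {a.status(now)}")
    print("contractor-a -> db-jump-ssh:", can_access(APPROVALS, "contractor-a", "db-jump-ssh", now))
    print("remaining after purge:", len(purge_expired(APPROVALS, now)))
```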

Supporting PRA features:

  • Emergency access allows you to grant access to end users who only need it within a set window of time. You can designate one existing IdP to have emergency access for third-party users (e.g., contractors and vendors) provisioned to that IdP. When configuring a privileged approval, you can select the IdP with emergency access to apply the set date and time rules to the related emergency access users. The emergency access users are managed in an Okta IdP but can be viewed on the Emergency Access Users page within the Admin Portal.

    To learn more, see About Emergency Access Users.

  • Arbitrary authentication domains allow third-party end users to access a privileged portal with single sign-on for any authentication domain, without having to designate a specific domain. This streamlines the process of providing access to third-party users securely. You can enable arbitrary domains to one IdP at a time.

    To learn more, see Configuring an IdP for Single Sign-On.

  • File Transfer allows an end user to upload and download files within a privileged console if these features are enabled. You can enable these features when configuring a privileged capabilities policy. When an end user is in a privileged console, the File Transfer icon appears at the bottom of the page. If the upload feature is enabled, the end user can select files to upload from their local server to the privileged console. If the download feature is enabled, then the end user can select files within the privileged console to download to their local server.

    To learn more, see Uploading and Downloading with File Transfer.

    In addition to uploading and downloading, if the Internet & SaaS Sandbox File Transfer feature is configured and enabled, then end users can inspect the files that they are uploading to prevent malicious files from being uploaded to the privileged console. This can be set up on the Integrations page and then enabled when configuring a privileged capabilities policy. When an end user is in a privileged console, the File Transfer icon appears at the bottom of the page. If the Inspect option is enabled, the end user can choose to inspect the selected files that are being uploaded from their local server to the privileged console. If the files inspected have malware detected, then the uploading process halts and the files are not uploaded.

    To learn more, see Configuring Sandbox Integrations.

  • Clipboard allows an end user to copy and paste to and from the privileged console and their local system. You can enable the Clipboard Copy and Clipboard Paste features when you are configuring a privileged capabilities policy. If the copy or paste features are enabled, when an end user is in a privileged console, the Clipboard icon appears at the bottom of the page.

    To learn more about this feature and its requirements, see Copying and Pasting with Clipboard.

  • Privileged console sessions can be recorded and reviewed by admins. Viewing recorded privileged sessions allows admins to review them for malicious activity and to help prevent errors. You can enable Record Sessions to have privileged sessions recorded for a privileged console when configuring a privileged capabilities policy. When an end user selects the privileged console with this policy configured, the Recording notification appears at the top of the screen within the privileged console window. After the end user ends the session for that privileged console, the recording for that privileged session ends. You can review the details of the privileged session and replay the recording by going to the Privileged Sessions page.

    To learn more, see Accessing Privileged Sessions.


Understanding Key and Supporting PRA Components

To use PRA, you need to create a privileged portal with a privileged console that includes selected PRA-enabled applications. These are the main components of PRA. From there you can build upon the PRA features to provide a controlled experience, from authentication to using PRA, to reviewing and analyzing the usage of PRA.

After the main PRA components have been configured, manage the PRA consoles by including privileged approvals to set time limits on access. To provide ease of use, include a privileged credentials policy with selected privileged credentials.

To provide tools that the end user can use within a privileged console, include a privileged capabilities policy to enable the Clipboard, File Transfer, and Session Recording features. To enhance the security of uploaded files, configure the Internet & SaaS Sandbox File Transfer feature.

Gain deeper insight into PRA analytics by going to the User Activity Diagnostics page. Review and manage privileged session recordings by going to the Privileged Sessions page.
