Applications
Vendor Privileged Access Management (VPAM) Applications are a collection of services on various hosts and ports.
With Gateway Applications, you can manage access to these hosts and ports for specific Vendors, Vendor Representatives, and Internal Users of your VPAM server. Additionally, VPAM applications enable you to create custom access rules for date, time, and roles.
VPAM Applications are managed by a Gateway or a Gatekeeper. Gateways and Gatekeepers are software systems that enable you, your internal users, your vendors, and the vendor representatives to initiate remote connections to an application.
The key differences between a Gateway and a Gatekeeper are:
| Feature | Gateway | Gatekeeper |
|---|---|---|
| Application management | Gateways can manage several applications at the same time, but if an application is managed by a Gateway, the application cannot have built-in services. | Gatekeepers can only manage a single application at a time, but Gatekeepers can provide the application with built-in services, such as Desktop Sharing and File Transfer. |
| Access | Gateways enable vendor representatives and internal users to access a single or multiple applications at a time, but the Gateway cannot provide any additional services. | Gatekeepers enable vendor representatives to access a single application at a time, as well as provide built-in or customizable services to remotely connect and manage the application. |
| Instancing | Gateways enable you to create instances to maintain availability of the applications they manage. | Gatekeepers do not have instances. |
Imprivata does not support taking snapshots of individual nodes in a high-availability (HA) cluster.
For more information, read the Gatekeeper Installation and the Gateway Installation guides.
Applications Menu
After you log in to your VPAM server, click Applications to open a list of all the applications in your server. From the Applications page, you can create, edit, and connect to an online application or resource. Additionally, the Applications page enables you to open the List Gateways page, where you can create and edit Gateways.
The Applications page has a list with all the applications in your VPAM server. The table contains the application's name, description, the Gateway that manages it, its status, an option to view the application's details, and the option to connect to the application.
Each application can have one of the following statuses:
| Status | Description |
|---|---|
| Ready | The Application is ready for connection. |
| Online | There is an active Session for this Application, but nobody's connected to it. This could be because users have recently disconnected from the Application, or are in the process of connecting. |
| Connected | Users or Vendor Reps are currently connected. |
| Ready | A yellow background indicates that access expires soon due to either an explicit Access Expiration time or an Access Schedule. View the Application for details. |
| Offline | The Application is offline. This can happen when the Gatekeeper system is powered off or doesn't have network connectivity. |
| Not Registered | The Registration Code has not been entered into the Gatekeeper interface. |
| Offline | Access to the Application has expired. The Application has either an Access Schedule set or an expiration date. |
Select the application name to open the View Application Details page.
View Application
When you open an Application Details page, you can see the Authorized User Groups and Authorized Vendors. Admin users can authorize more User Groups and Vendors for an application by clicking Edit on the View Application page. The Application Details page contains the following information:
- Gateway Information: The Gateway Information section shows information about this Application's Gateway system. For Applications that are on a Gatekeeper system instead of a Gateway system, this section shows information about the Gatekeeper host.
- Authorized User Groups: Authorized User Groups determine which VPAM users can add Vendor Reps or Internal Users to access this Application. Users cannot see an Application if they are not in one of the authorized user groups. Users in an Authorized User Group can also connect to the Application.
- Authorized Vendors: The Authorized Vendors list is a list of Vendors who are allowed to support this Application. Only Vendor Representatives of these Vendors can access the application and its configured services.
New Application
If you have a brand new
- Select the application management type: Gateway or Gatekeeper.
  Remember, Gateways can manage multiple applications but do not provide built-in services, while Gatekeepers can manage a single application with built-in services.
  - If you select Gateway, you must select an existing Gateway to add the application.
  - If you select Gatekeeper, you will need to create, download, install, and register the Gatekeeper at the end of the New Application process.
- Complete the Application details.
  Consider the following:
  - Application Name: Provide a unique name to the application. Required field.
  - Description: Provide a clear and short description. Required field.
  - Department: Select the server's department for the application.
  - Connection Form: Select a form that a vendor representative must complete to connect to the application.
    Read the Connection Forms documentation for more information.
  - Approval Form: Select the form that the application owner must complete to provide vendor reps access to the application.
    Read the Vendor Approval Profiles documentation.
  - Application Labels: Select one or more labels to help categorize and organize applications. Labels are internal-only and are not visible to Vendors. Administrators can use labels as an additional way to identify and filter applications, alongside fields such as Application Name and Description. Label visibility and usage for non-admin users depend on assigned permissions.
  - Primary Contact: Provide the name of the person in charge of the application.
  - Contact Phone: Provide the primary contact's phone information.
  - Contact Email: Provide the primary contact's email.
  - Access: Configure the access policy to the application.
    Read the Access Expires Configuration section for more information.
  - Authorized User Groups: Select the Users in your servers that have access to this application.
  - Authorized Vendors: Select the Vendors that have access to this application.
- Save the Application.
  If you created a Gateway application, the selected Vendors and Users can now access the application through the Gateway that hosts it.
  If you created a Gatekeeper application, you must continue to download, install, and register the Gatekeeper for this application.
  Read the Gatekeeper Installation documentation for more information.
The Access Expires configuration in the New Application and Edit Application pages enables you to create custom access rules for an application. The access rules are:
- Disable Access Now: Instantly remove access for all Users and Vendors. You can reinstate the access by changing this configuration again.
- Enable Access for: State a time in hours, days, or weeks for this application to be accessible by Users and Vendors. When the time passes, Access is restricted.
- Enable Access Until: Set a date and time until which access is open. When the date and time arrive, Access is restricted.
- Use an Access Schedule: Set the days and time when you open access. The weekly access feature displays when you select this option.
NOTE:
The Access Schedule is enforced based on the VPAM server's time. If your users are located in a different timezone, consider the time differences.
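To make the time zone note concrete, the following added example (not part of the VPAM product or its documentation) translates a weekly schedule defined on the server clock into a remote user's local time and checks whether a given instant falls inside a window. The server and vendor time zones, the schedule, and the function names are all assumptions chosen for illustration.

```python
from datetime import date, datetime, time, timedelta
from zoneinfo import ZoneInfo

# Assumed values for illustration; none are taken from a real VPAM server.
SERVER_TZ = ZoneInfo("America/Chicago")   # time zone of the VPAM server clock
VENDOR_TZ = ZoneInfo("Asia/Kolkata")      # where the vendor representative works
# Weekly schedule in server-local time: weekday (Mon=0) -> (open, close)
SCHEDULE = {0: (time(20, 0), time(23, 30)),   # Monday evening
            3: (time(20, 0), time(23, 30))}   # Thursday evening


def access_open(instant, schedule=SCHEDULE, server_tz=SERVER_TZ):
    """Return True if `instant` is inside a window, judged on the server clock."""
    if instant.tzinfo is None:
        raise ValueError("instant must be timezone-aware")
    local = instant.astimezone(server_tz)
    window = schedule.get(local.weekday())
    return window is not None and window[0] <= local.time() < window[1]


def window_for_user(monday, weekday, user_tz, schedule=SCHEDULE, server_tz=SERVER_TZ):
    """Translate one server-time window of the week starting `monday` to user time."""
    day = monday + timedelta(days=weekday)
    opens, closes = schedule[weekday]
    start = datetime.combine(day, opens, tzinfo=server_tz)
    end = datetime.combine(day, closes, tzinfo=server_tz)
    return start.astimezone(user_tz), end.astimezone(user_tz)


if __name__ == "__main__":
    for monday in (date(2025, 1, 6), date(2025, 7, 7)):   # winter and summer weeks
        for weekday in sorted(SCHEDULE):
            start, end = window_for_user(monday, weekday, VENDOR_TZ)
            print(f"server {monday + timedelta(days=weekday):%a %d %b} window -> "
                  f"vendor {start:%a %d %b %H:%M} to {end:%H:%M} ({VENDOR_TZ.key})")
```

With these assumed values, the server's Monday window falls on Tuesday morning for the vendor, and it moves by an hour when the server's region changes to daylight saving time while the vendor's does not.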
Edit an Application
To edit an application, click the Application Name from the Applications page and click Edit. From the Edit Application page, you can:
- Change the application's details such as the name, description, Authorized User Groups, and Authorized Vendor Groups.
- Specify that access to an application should be Disabled either now, or at some point in the future. See the Access Expires Configuration section for more information.
- Delete the application by clicking Delete.
Removing user group access takes effect immediately after clicking Save, and will disconnect any connected users from the removed groups.
This page also enables you to modify the services available in the application. To change the services provided by an application, click Edit Services.
From the Edit Services page, you can:
- Add a new service to a host by clicking New Host.
- Delete the service by clicking Delete Host.
- Modify the service by selecting the service and changing its attributes, including the service name, description, port, default local port, port type, etc.
Read the Services documentation for more information.
All Applications hosted on a Gatekeeper have the following built-in services:
- Desktop Sharing Access: Enables vendors to remotely access a customer's desktop.
  Read the Services documentation for more information.
- Primary File Transfer Port: Enables vendors to transfer files from their server to their customer's server.
  Read the Services documentation for more information.
The Linux Gatekeeper Desktop Sharing service (rssDS2) operates on port 5918 and must be manually enabled with a script. The service requires an X11 display environment. The script is available in the following locations of the Gatekeeper installation folder:
- RHEL-based distributions (CentOS/Alma): sudo scripts/setup-display-rss.sh --with-epel
- Ubuntu distributions: sudo scripts/setup-display-rss.sh
Edit Multiple Applications
You can also edit multiple applications by clicking Edit Multiple Applications from the Applications page. This will take you to a page where you can select the applications you wish to edit.
After selecting the applications you wish to edit and clicking Edit Selected, you can select the fields you want to edit for all the applications, at once.
If you select User Groups or Vendors in this form, it removes the existing User Groups or Vendors from the selected applications and replaces them with the ones you choose.
Connect to an Application
From the Applications page, you can click Connect to initiate a connection to the application. Read the Sessions documentation for more information.
List Gateways
The List Gateways page lists all the available Gateways in your VPAM server. From this page, you can create and edit Gateways. Read the Gateway Installation documentation for more information.