PrivX web access architecture
PrivX can be used to connect to HTTP and HTTPS websites. Web connections established via PrivX offer the following benefits:
- Session-recording support for improved auditability.
- For sites that require login, you may store credentials in PrivX. PrivX automatically fills in the credentials, allowing users to log in without knowing any passwords. Access is provided in a role-based fashion.
Web browsing flow
- The administrator defines the target website URL as well as the shared username and password (if applicable) used to access the website. The data is stored in Host Store (A) and the secrets are vaulted in PrivX Keyvault (G).
- The user logs in to PrivX and is mapped to roles according to pre-defined rules in Role Store (B).
- When the user connects to the target website, the connection is launched via the RDP Proxy (C).
- RDP Proxy (C) registers the connection to Connection Manager (D).
- RDP Proxy (C) queries the web credentials from Host Store (A) and replaces the password with a magic string.
- RDP Proxy (C) notifies ECAP (E) about the incoming connection.
- RDP Proxy (C) initiates a connection to PrivX Carrier and provides the website address, the username and the password magic string.
- The connection is persisted to Audit Trail Storage (H) for playback and analysis (if enabled).
- The PrivX Carrier (I) launches a new Firefox container (J) for the website address and pre-populates the Firefox password manager with the username and the password magic string.
- Firefox has been configured to run in kiosk mode and to trust and use a TLS-intercepting Squid proxy (K).
- The Squid proxy (K) creates a certificate for the target website and passes the request to the PrivX ECAP server (E).
- After the user clicks login, the ECAP server (E) analyses the request. If a password magic string is present, it replaces it with the real configured password and returns the request back to Squid.
- The Squid proxy (K) makes a request against the target website using the ECAP-augmented request and returns the response back to the user.
- The target website (L) can be configured to only be accessible from the PrivX Squid proxy's (K) address.
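The following Python script is an added illustration of the magic-string substitution pattern described in the flow above; it is not PrivX code and does not reproduce how PrivX's RDP Proxy or ECAP server are implemented. The vault contents, the `PRIVX-MAGIC-` prefix, the form field names and the rule that a magic string is only honoured for the site it was issued for are all assumptions made for the example. It shows the property that matters for a defender: the browser side only ever handles the placeholder, and the real password first appears in the request the proxy sends upstream.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample vault (hypothetical values): website URL -> shared credentials.
VAULT = {
    "https://intranet.example.test/login": {
        "username": "shared-web-user",
        "password": "real-vaulted-password",
    },
}

# Magic strings issued for the current session, each bound to the site it was
# issued for. Assumption for this example; the page does not describe PrivX's binding rules.
_ISSUED = {}


def issue_magic_string(site_url):
    """Proxy-side step: look up the shared credentials and return the username
    together with a random magic string that stands in for the password."""
    creds = VAULT[site_url]
    magic = "PRIVX-MAGIC-" + secrets.token_urlsafe(16)
    _ISSUED[magic] = site_url
    return creds["username"], magic


def browser_login_form(username, password_field_value):
    """What the kiosk browser's password manager submits: a urlencoded body.
    The real password is never available on this side of the proxy."""
    return urlencode({"user": username, "pass": password_field_value})


def _same_site(url_a, url_b):
    """Compare scheme and host so a magic string is only swapped for its own site."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def ecap_rewrite(request_url, body):
    """ECAP-style step: if a form field carries a magic string issued for this
    exact site, substitute the real password. Returns (new_body, substituted)."""
    substituted = False
    rewritten = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        bound_site = _ISSUED.get(value)
        if bound_site is not None and _same_site(bound_site, request_url):
            value = VAULT[bound_site]["password"]
            substituted = True
        rewritten.append((name, value))
    return urlencode(rewritten), substituted


def simulate_login(site_url):
    """Run the flow end to end; returns the body the browser produced, the body
    the upstream site would receive, and whether a substitution took place."""
    username, magic = issue_magic_string(site_url)
    browser_body = browser_login_form(username, magic)
    upstream_body, substituted = ecap_rewrite(site_url, browser_body)
    return browser_body, upstream_body, substituted


if __name__ == "__main__":
    seen_by_browser, sent_upstream, ok = simulate_login("https://intranet.example.test/login")
    print("browser submitted :", seen_by_browser)
    print("proxy sent upstream:", sent_upstream)
    print("substituted        :", ok)
```

Running the script prints a browser-side body containing only the placeholder and an upstream body containing the vaulted password. The site binding check in `ecap_rewrite` is the part worth keeping in mind when reviewing a deployment of this kind: a placeholder that the proxy would expand on any host would let a user who can type it into an arbitrary page exfiltrate the secret, so the substitution is only performed for the site the credential was configured for.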