Oplon Secure Access
Configuration

Configuration of Oplon Secure Access

In this part of the guide, aimed at all administrators of the Oplon suite, we will see what the fundamental concepts of Oplon Secure Access are and how to configure new resources to be accessed by third parties.

At the end of the guide, the concepts of User Group and Resource will be understood, and it will be possible to create a resource of type Host or Link for the first time.

Prerequisites

  1. You have already installed and configured the appliance as described here
  2. You have configured MFA as described in this guide
  3. (Optional) In case you want to do File Management on Windows resources, you have installed OpenSSH Server on each such resource

Fundamental concepts

Within OSA there are 3 fundamental concepts that it is useful to explain in this part of the guide. They are:

User Groups

User Groups represent a class of users all having the same privileges. They are the labels needed to associate Resources (Hosts/Links) with users.

A User Group has a unique name and a description. Each User Group entered from within the Oplon Secure Access interface binds to the User Group of the same name entered in MFA, as described in this guide. This ensures that every user registered in Oplon MFA is granted exactly the privileges described.

Resources and Locations

In Secure Access a Resource is an entity that can identify:

  • a Host, which can be Windows, Linux or macOS
  • a Remote App
  • a Web App/Link

Each resource can be cataloged through a Location, i.e. a label that serves to logically group all the resources of the configuration.

Hosts

Within Oplon Secure Access, the Host (which is a Resource) is the representation of a physical/virtual host, identified by its IP Address/Hostname. For convenience, it is possible to assign a Location label to a Host; this serves only as a logical grouping, to present the resource in an orderly and hierarchical manner within the Oplon Secure Access user interface.

Different types of access can coexist inside a Host, which can be:

  • SSH Access
  • RDP Access
  • Remote App Access
  • VNC Access
  • SFTP Access (File Management)

These accesses, all or some of them, can be assigned to the various User Groups according to the desired policies.

It is also possible to assign pre-set OS logins (OS Login Names), so that when accessing that specific Host the user does not have to enter a username or password.

Remote App

Remote Apps (RDP only) live inside a Host, but are still considered separate resources. They allow you to expose only a single application published via the Windows RDP protocol.

Web Apps/Links

A Web App/Link is a resource represented by a URL. They can be either internal resources or r

Configuration interface

To set up a new resource, open the Oplon Secure Access admin center at https://<your-ip>:4444 and log in.

From here in the left menu, expand the item Secure Access, click on Settings and open the module.

In this screen you can:

  • See the list of User Groups present, with the possibility of adding new ones and deleting old ones
  • See the List of Hosts, with the possibility of adding, removing and editing
  • See the list of Web Apps/Links, with the possibility of adding, removing and modifying them

Adding new User Groups

To add a new User Group, click on the green (+) button of an already inserted User Group; this will be duplicated below and can then be edited at will.

Add a new Host

To add a new Host, click on the green (+) button of an already existing Host; this will be duplicated below and can then be edited at will.

To modify a Host, it is recommended to open its details using the "See Details" button.

Here we can enter:

  • Hostname/IP
  • Name
  • Location
  • Description
  • Services and related ports: SSH, RDP, VNC, SFTP (File Manager)...
  • An RD Gateway, if any (RDP only)
  • The Associated User Groups
  • Any Remote App (RDP Only)

Here we have configured a Host 127.0.0.1 and associated it with the User Group Local

Add a new Remote App

To add a new Remote App, you must necessarily start from a Host with RDP access already configured.

Then go to Secure Access > Settings and then, open a Host.

Below in Applications we can enter:

  • name: the name that will appear in the menu
  • description
  • app name: the alias of the app published via RDP
  • working dir: the working directory of the app (optional)
  • args: the app start arguments (optional)

Remember to always carry out Save and Re-Init at the end.

Add a new Web App

To add a new Web App, go to the Settings interface as before and find the Web Apps section at the bottom.

Enter the minimum information here to be able to use the Web App, i.e.:

  • name
  • url

Remember to always carry out Save and Re-Init at the end.

User Group assignment

To assign a User Group within a Host, we can click on the green (+) button and select the new User Group from those already present from the drop-down menu.

By assigning a Resource through the User Group, we are able to:

  • Enable/Disable SSH access
  • Enable/Disable RDP access
  • Enable/Disable VNC access
  • File Manager (if enabled):
    • Enable/Disable Upload
    • Enable/Disable Download
    • Enable/Disable Hypercopy
  • Enable/Disable copy (user)
  • Enable/Disable paste (user)
  • Enable/Disable Impersonation
  • Enable/Disable Remote Desktop log
  • Enable/Disable SSH logging

💡

It should be remembered that once a User Group has been assigned within a Host, its members will be able to log in to that machine with any credentials, unless OS Login Names or Impersonation restrict them as described below.

Assigning a User Group with Impersonation

The concept of Impersonation is one more abstraction, introduced to simplify the configuration of permissions between resources and User Groups. It solves some classes of configuration, for example binding to each user the domain user account that is typical of that specific organization. The impersonation binds to the ID/Impersonification set on the MFA side.

Once a User Group has been assigned to a resource, it is possible to enable impersonation through the corresponding dropdown menu. Once set to true, we can be in one of two cases:

  • Non-strict impersonation: the assigned User Group has no associated OS Login Name
  • Strict impersonation: the assigned User Group has at least one associated OS Login Name

The logic Oplon Secure Access follows to grant an impersonated access is as follows:

  • The user has access to the resource if and only if they hold the same User Group that is assigned to the resource, and
    • the assigned User Group is in non-strict mode, or
    • the assigned User Group is in strict mode and the impersonation set for that user is among its OS Login Names

In both cases the user will only have access with the Impersonation (if set)

User Group assignment summary table

User Groups | Impersonation | OS Login Names | Expected result
✅          |               |                | ➡️ Everyone in the group can enter with any username and password
✅          |               | ✅             | ➡️ Everyone in the group can ONLY enter with that set of usernames and, possibly, passwords (if entered in the Vault)
✅          | ✅            |                | ➡️ Everyone in the group can ONLY log in with the username (impersonification/id) set from the MFA
✅          | ✅            | ✅             | ➡️ Everyone in the group can log in with their impersonification IF AND ONLY IF the assigned User Group contains that impersonation among the OS Login Names
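The strict/non-strict rule above and the four rows of this table, written out as an added example (this is not Oplon's code; the GroupAssignment/User model and the ANY_CREDENTIAL marker are assumptions, as is denying access when impersonation is enabled but the user has no MFA id):

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Marker meaning "any username/password is accepted" (row 1 of the table).
ANY_CREDENTIAL = "*"


@dataclass
class GroupAssignment:
    """A User Group assigned to a Host (hypothetical model, not Oplon's data format)."""
    group: str
    impersonation: bool = False              # the Impersonation dropdown set to true
    os_login_names: List[str] = field(default_factory=list)  # pre-set OS Login Names


@dataclass
class User:
    name: str
    groups: Set[str]                         # User Groups the user holds in MFA
    impersonation_id: Optional[str] = None   # ID/Impersonification set on the MFA side


def allowed_logins(user: User, assignment: GroupAssignment) -> Optional[Set[str]]:
    """Return the OS usernames this user may log in with, or None if access is denied."""
    if assignment.group not in user.groups:
        return None                          # user is not in the assigned User Group
    if not assignment.impersonation:
        if not assignment.os_login_names:
            return {ANY_CREDENTIAL}          # row 1: any credentials on the machine
        return set(assignment.os_login_names)  # row 2: only the pre-set OS logins
    # Impersonation enabled: access is only ever granted as the MFA impersonation id.
    if user.impersonation_id is None:
        return None                          # assumption: no MFA id, nothing to impersonate
    if not assignment.os_login_names:
        return {user.impersonation_id}       # row 3: non-strict mode
    if user.impersonation_id in assignment.os_login_names:
        return {user.impersonation_id}       # row 4: strict mode, id is among the OS Login Names
    return None                              # strict mode, id not listed


def can_login_as(user: User, assignment: GroupAssignment, username: str) -> bool:
    """Check one concrete login attempt against the rule above."""
    allowed = allowed_logins(user, assignment)
    return allowed is not None and (ANY_CREDENTIAL in allowed or username in allowed)
```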

OS Login assignment to a User Group

Once a User Group has been assigned within a Host, we can assign pre-set users to it. Here we can enter as many users as we want to be usable for accessing that specific Host through that User Group.

Inserting even a single user disables the possibility for the User Group to access with any credentials, forcing subsequent accesses to use only the credentials indicated.

By inserting only the Username, the user who tries to access the resource will be prompted only for the password.

If you also want to enter a password, to ensure that the user does not need to remember it every time, just follow this guide.

Assign "administrator" and "root" users

Password Entry for an OS Login (Host Vault)

To assign the password to an OS Login (assigned to a User Group) of a Host, go to the Host Vault section via the menu:

PAM Management > Vault Manager > Vault Hosts

Search for the corresponding resource from the search bar and click the green key button to edit the OS Login Names.

From here, select the users whose passwords you want to enter from the drop-down menu and enter the corresponding passwords.

Remember to always carry out Save and Re-Init at the end.