
Zero-trust methods to access remote endpoints.

Introduction

Modern zero-trust security models demand strict control, visibility, and verification for every access request — especially when connecting to remote endpoints. Privileged access is no longer just about authentication; it requires continuous enforcement, auditing, and intelligent oversight.

This article explores multiple methods of accessing remote endpoints through the 12Port Privileged Access Management (PAM) platform. It compares their advantages, limitations, and practical use cases, focusing on the following access mechanisms:

  • Proprietary WEB client
  • RDP Proxy
  • SSH Proxy
  • PowerShell Proxy

While each method is optimized for different scenarios, they all implement a consistent zero-trust foundation built on the following core capabilities:

  • Credential injection ensures secure access without exposing passwords, keys, or certificates to end users or their client devices.

  • Role-based access control (RBAC) enforces granular permissions for users and groups across specific endpoints.

  • Approval workflows require multi-level authorization and capture justification, approvals, and rejections for full accountability.

  • Audit logging records session metadata, including target systems, accounts, timestamps, operators, and approvers.

  • Full session recording provides video playback and exportable recordings with embedded metadata for compliance and forensics.

  • Session event tracking captures keystrokes, file transfers, clipboard activity, and executed applications.

  • Real-time session control enables administrators to pause or terminate sessions instantly.

  • Session intelligence continuously analyzes live sessions to detect suspicious behavior and can automatically alert, block, or terminate risky activity.

  • Just-in-time access provisions temporary, time-limited access to specific users after human or automated approval, with optional MFA to re-establish user identity before the session begins.

  • Temporary credentials ensure that endpoint credentials are valid only for the duration of the session, remaining undisclosed to the user and unusable outside the approved access window.

  • Jump host control enables zero-trust access for client-side (thick) applications executed on secured remote endpoints, allowing users to interact with downstream systems — such as databases — through secondary credential injection without exposing those credentials.

  • Command filtering gives precise control over which shell or terminal commands are permitted or denied during a secure remote session, and ensures that only trusted binaries from approved directories are executed.

  • Isolated network access extends the capabilities of the primary deployment into environments that would otherwise be unreachable.

Together, these capabilities form a unified zero-trust access layer that minimizes risk while maintaining operational flexibility across diverse remote access scenarios.
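
The command filtering capability listed above combines two checks: a permit/deny decision on the command itself, and a check that the binary actually executed lives in an approved directory. The sketch below is an added illustration of that logic, not 12Port code or its configuration format; the policy values, function names, and the sample path table are all assumptions made for the example.

```python
import os
import shlex
import shutil

# Assumed policy values for illustration only.
APPROVED_DIRS = ("/usr/bin", "/usr/sbin")
DENIED = {"curl", "wget", "nc"}
# Characters that chain, substitute or redirect; rejected even when quoted.
SHELL_META = set(";|&`$<>(){}\\\n")

def system_resolver(name):
    """Map a command name to its real on-disk path, following symlinks."""
    found = shutil.which(name)
    return os.path.realpath(found) if found else None

def check_command(line, resolve=system_resolver):
    """Return (allowed, detail) for one command line typed in a session."""
    if SHELL_META & set(line):
        return False, "shell metacharacter"
    try:
        argv = shlex.split(line)
    except ValueError:
        return False, "unparseable quoting"
    if not argv:
        return False, "empty command"
    path = resolve(argv[0])
    if path is None:
        return False, "binary not found"
    # Compare both the typed name and the resolved name, so an alias or
    # symlink pointing at a denied binary is still caught.
    if {os.path.basename(argv[0]), os.path.basename(path)} & DENIED:
        return False, "denied command"
    if os.path.dirname(path) not in APPROVED_DIRS:
        return False, "binary outside approved directories"
    return True, path

# Constructed name -> real path table standing in for the endpoint's filesystem.
SAMPLE_PATHS = {
    "ls": "/usr/bin/ls",
    "fetch": "/usr/bin/curl",          # symlink alias to a denied binary
    "/tmp/ls": "/tmp/ls",              # look-alike dropped in a writable dir
    "backup": "/home/ops/bin/backup",  # legitimate tool, unapproved location
}

if __name__ == "__main__":
    for cmd in ("ls -la /var/log", "fetch example.invalid", "/tmp/ls", "ls; backup"):
        print(cmd, "->", check_command(cmd, SAMPLE_PATHS.get))
```

Resolving the binary before checking its directory is what separates "trusted binaries from approved directories" from a plain name match: a permitted name that resolves outside the approved directories is still refused.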

Proprietary WEB client

The proprietary web client provides browser-based access to Windows, Linux, Unix, IBM i servers, network devices, and WEB Portals. It delivers a unified interface for establishing remote sessions, transferring files, and requesting access using standard protocols such as RDP, SSH, VNC, Telnet, Kubernetes, and WEB Browser.

Best-fit scenarios
  • Unified user experience with seamless integration into the web portal, enabling users to browse assets, request access, and launch sessions from a single interface.

  • Zero client footprint, requiring only a standard web browser with no additional software installation.

  • Consistent security enforcement, with all zero-trust controls applied centrally regardless of protocol or endpoint.

  • Session sharing, enabling live session monitoring, administrator training, and real-time threat response.

Trade-offs
  • Learning curve for administrators who are accustomed to native or third-party tools with familiar interfaces and controls for keyboard input, file transfer, and clipboard usage.

  • Limited mobile usability, making complex remote interactions difficult on smaller screens.

  • Weak support for automation and AI-driven workflows, as browser-based interaction is less suitable for programmatic access compared to native protocols or APIs.

  • Limited support for advanced administration scenarios, such as interactive privilege elevation or tunneling.

RDP Proxy

The RDP proxy enables native desktop and mobile RDP clients to securely access Windows servers through the RDP protocol, while enforcing zero-trust controls via the 12Port PAM platform.

Best-fit scenarios
  • Familiar and optimized user experience, preserving native RDP functionality such as session control, file transfer, and clipboard operations — reducing friction in adopting zero-trust access and improving administrator productivity.

  • Optimized mobile access, leveraging purpose-built RDP applications that provide a smoother and more usable experience on mobile devices.

  • Improved performance, as sessions are handled by native clients rather than browser-based rendering, reducing load on the PAM server compared to web sessions.

Trade-offs
  • Dependency on third-party clients, requiring installation and management of RDP applications on user devices.

  • Fragmented user experience, as session initiation and management occur outside the centralized web portal interface.

  • Lack of session sharing to support live session monitoring and administrator training.

SSH Proxy

The SSH proxy enables native desktop and mobile SSH clients to securely access Linux, Unix, and IBM i servers over SSH, SCP, SFTP, and SSH tunnels, while enforcing zero-trust controls via the 12Port PAM platform.

Best-fit scenarios
  • Familiar and optimized user experience, preserving native SSH functionality such as session control, file transfer, and clipboard operations — reducing friction in adopting zero-trust access and improving administrator productivity.

  • Optimized mobile access, leveraging purpose-built SSH applications that provide a smoother and more usable experience on mobile devices.

  • Access to a rich application ecosystem, including command-line SSH, SCP, SFTP, and popular tools such as PuTTY, MobaXterm, WinSCP, SecureCRT, and others.

  • SSH tunneling with session control enables secure access across diverse network scenarios—including database connectivity, multi-network integration, cloud environments, and point-to-point connections—while maintaining full visibility and governance over the session.

  • Privilege elevation support enables non-privileged users to obtain temporary, tightly controlled elevated permissions to perform administrative tasks—without requiring server-side agent deployment.

  • Automation and AI agent support enables scripts, network automation tools (such as Ansible), and purpose-built AI agents to securely access remote endpoints for monitoring and management through controlled SSH channels governed by the PAM server.

  • Improved performance, as sessions are handled by native clients rather than browser-based rendering, reducing load on the PAM server compared to web sessions.

Trade-offs
  • Dependency on third-party clients, requiring installation and management of SSH applications on user devices.

  • Fragmented user experience, as session initiation and management occur outside the centralized web portal interface.

  • Lack of session sharing to support live session monitoring and administrator training.

PowerShell Proxy

The PowerShell proxy enables native desktop and mobile PowerShell clients to securely access Windows servers through the WinRM / WS-Management protocol, while enforcing zero-trust controls via the 12Port PAM platform.

Best-fit scenarios
  • Familiar and optimized user experience, preserving native PowerShell functionality such as session control, file transfer, and clipboard operations — reducing friction in adopting zero-trust access and improving administrator productivity.

  • Optimized mobile access, leveraging purpose-built PowerShell applications that provide a smoother and more usable experience on mobile devices.

  • Privilege elevation support enables non-privileged users to obtain temporary, tightly controlled elevated permissions to perform administrative tasks—without requiring server-side agent deployment.

  • Automation and AI agent support enables scripts, network automation tools, and purpose-built AI agents to securely access remote endpoints for monitoring and management through controlled PowerShell channels governed by the PAM server.

  • Improved performance, as sessions are handled by native clients rather than browser-based rendering, reducing load on the PAM server compared to web sessions.

Trade-offs
  • Dependency on third-party clients, requiring installation and management of PowerShell applications on user devices.

  • Fragmented user experience, as session initiation and management occur outside the centralized web portal interface.

  • Lack of session sharing to support live session monitoring and administrator training.