Skip to content

Session Launcher and MFA Challenge

Before initiating a Web based Remote Session, users are presented with a Session Launcher prompt. This interface allows users to define session parameters and, if required, complete an MFA challenge.

Web Session Launcher with MFA Prompt

Web Session Launcher Parameters

The Web Session Launcher may include the following options, depending on the user's requirements:

  • Asset: A read-only field showing the asset targeted for the remote session.
  • Window Type: Defines how the session will be launched in the browser:
    • Tab: Opens the session in a new tab within the current browser window.
    • Full Screen: Opens the session in a new, maximized browser window.
  • Credentials Type: Specifies which credentials will be used to authenticate to the asset endpoint:
    • Main Asset Credentials: Uses the credentials stored on the asset itself.
    • Transit Credentials: Uses the credentials of the currently logged-in user.
    • Member Credentials: Uses the credentials of the selected Member asset by its displayed Name. Members assets are defined in the asset itself.

      A single host may be accessed by multiple Member credential accounts, each with its own password rotation schedule, history, and strategy. For example, an Active Directory (AD) account using LDAP-based password resets may be shared across hundreds of Windows hosts, while other accounts could follow independent rotation policies.

  • Transport: Determines the communication protocol between the browser and the application server:
    • HTTP: Maintains the session through frequent HTTP requests and responses, with each request establishing its own TCP connection.
    • WebSockets: Maintains the session using a single persistent TCP connection for the duration of the session.

      Peformance Note:
      WebSockets is generally the preferred transport, offering better performance and reduced latency. In contrast, HTTP transport can suffer from performance degradation due to buffering by intermediary devices such as load balancers or proxies. If WebSockets is not available due to network appliance restrictions, contact your network administrator to enable WebSocket support or adjust caching/buffering settings for HTTP traffic, if performance is not ideal.

  • Code: This field is used to confirm the session using Multi-Factor Authentication (MFA). The platform supports the following MFA flows:
    • TOTP: Enter a time-based one-time password (TOTP) from your mobile authentication app, then click Confirm.
    • Entra ID:
      • If prompted, confirm your password.
      • Click the Push button to receive a notification in the Microsoft Authenticator app, or enter a code from the app and click Confirm.
    • Duo Security: Click the Push button to receive a prompt in the Duo app, or enter a code manually and click Confirm.
    • YubiKey: Place the cursor in the Code field, activate your YubiKey to generate a token, then click Confirm.
    • Mail MFA: Click Push, then copy the verification code received via email and paste it into the field before clicking Confirm.
    • Radius HOTP: Enter the code generated by your RADIUS token device and click Confirm.
    • Radius Confirm:
      • If required, re-enter your password.
      • Click Push, then enter the code provided by your RADIUS device and click Confirm.

Note

The non-MFA selected parameters in the Session Launcher are automatically saved and will be pre-filled the next time you launch a remote session.