Excalibur Enterprise - FAQs

Welcome to our Help Center. This section covers the most common questions about our products, services, and policies. You can use the search bar or browse by category to find what you're looking for. If you don't find the answer, feel free to contact us.

---

General

What types of targets are supported? Do you provide access management for web-based applications?

Excalibur currently supports SSH, RDP, and VNC targets. Support for web-based application targets is planned for a future release.

Do you have your own vault? Can you rotate passwords? How are the passwords and credentials stored? Can I see what credentials are stored separately from the targets?

Vault: No, Excalibur does not currently maintain a dedicated internal vault system.

Password Rotation: Yes, Excalibur supports password rotation for PAM Targets via a privileged user account. This account changes target passwords according to a defined Password Rotation Policy, which includes settings for generating random passwords.

Credential Storage: All updated passwords for PAM Targets are stored encrypted at rest within the PAMTarget table in our system.

Credential Visibility: Users cannot see the passwords for PAM Targets. Credentials are only decrypted at the start of a session and are used exclusively to initiate that session.

Can Excalibur be delivered as a service (MSP model)?

Yes, Excalibur is designed with multi-tenancy, making it ideal for Managed Service Provider (MSP) deployments.

Is there a dashboard or list of all accessible targets (including SAML)?

Yes, the Excalibur Dashboard provides a list of all targets you can access. You can find more information in our User Manual.

Do you have your own API? What do you integrate with?

Yes, Excalibur offers a comprehensive API. For details on its capabilities, please refer to our API Documentation.

Can I integrate Excalibur with my SIEM? How? What information can I obtain?

Yes, Excalibur can be integrated with SIEM systems. Our Auditor Manual provides details on the integration process and the types of logs and events that can be sent to your SIEM.

Can Excalibur support tunnels to multiple physical locations?

Yes, you can create multiple secure tunnels with Excalibur. Each tunnel can connect to a different physical location or network segment, allowing for flexible and widespread resource access management.

Can you integrate with Microsoft 365 or Google Workspace for authentication and access management?

Yes, you can use Microsoft 365 and Google Workspace as identity stores with Excalibur.

Current Capability (Excalibur as IdP): Excalibur can act as an Identity Provider (IdP) to authenticate users into these services via SAML. This means users would authenticate through Excalibur to access O365/Google Workspace. It's also conceivable to configure security policies to enforce access to these platforms exclusively through Excalibur for enhanced monitoring. Future Capability (Excalibur as SP): We may support Excalibur acting as a SAML Service Provider (SP) in the future. This would mean O365/Google Workspace (e.g., using Microsoft Authenticator) would handle the primary authentication, and Excalibur would manage the access. However, this approach could reduce auditing visibility, which is a key strength of our product.

Will we be notified if the SaaS version of Excalibur is unavailable?

Yes, in the event of an outage, we will send notifications to all administrators.

What is the storage limit for logs and session recordings?

For our SaaS version, storage is virtually unlimited. For on-premise installations, storage depends on your local capacity. You can also configure a retention period to automatically delete old recordings.

Is there a way to prevent users from taking screenshots of the platform?

We do not currently offer a feature to block screenshots.

Identity Management & Authentication

Can Excalibur work as an Identity Store?

Currently, Excalibur requires an existing identity store (e.g., LDAP, Active Directory) to be present. We integrate with these using standard protocols like LDAP.

Rationale: This approach allows us to focus on our core access management strengths. For smaller organizations without a dedicated identity store, this can be a consideration.

Future Possibility: We may consider adding an integrated lightweight identity store (e.g., based on OpenLDAP) in the future if there's a strong strategic need. However, this would require careful scoping to manage user expectations regarding features (like email integration, etc.) that are typically part of comprehensive identity platforms like Microsoft 365 or Google Workspace. For now, our focus remains on leveraging existing identity stores.

Can you support access through existing tunnels so I don't need to install another endpoint client for your tunnel?

Excalibur offers flexibility here:

1. Integrated Tunneling: Excalibur provides its own integrated tunneling solution. This method is fully managed within our interface and benefits from comprehensive auditing and control features. 2. Using Existing Tunnels/Network Connectivity: Alternatively, you can use your existing VPNs or network infrastructure. In this scenario, the Excalibur server simply needs network-level reachability to the resources it protects. While this approach works, features like detailed tunnel management and specific tunnel-related auditing within Excalibur would be less visible, as the network layer is transparent to our system.

Can you sync Excalibur users with Active Directory users?

Excalibur does not have its own identity store. Instead, it relies entirely on your existing one, such as Active Directory (AD) or any other store that uses the LDAP/LDAPS protocol. We plan to add support for more identity stores like Entra ID and Google Workspace in the future.

Target Access Management

Do you support access management for databases?

Yes, Excalibur can manage access to databases in several ways depending on how the database is typically accessed:

• Web Interfaces: Many modern databases offer web-based management consoles. Excalibur can secure access to these web interfaces.
• Console Access: For databases allowing command-line access, Excalibur can protect this via an SSH PAM Target.
• Thick Clients: If the database relies on a dedicated 'thick client' application, you can install this client on a Windows machine (or a jump host) and use Excalibur to manage RDP access to that machine, thereby controlling access to the database client.

Do you support access management for OT devices?

Yes, Excalibur can manage access to OT devices, focusing on the human-interactive protocols they commonly use. OT devices vary in their interaction methods:

Supported Protocols for Interactive Access: * Web Interfaces: Many modern OT devices (PLCs, HMIs, SCADA controllers) have browser-based interfaces. Excalibur can secure these. * SSH (Secure Shell): Common on advanced OT devices (RTUs, industrial routers) for secure command-line management. Excalibur supports SSH PAM Targets for these. * Telnet: While older devices might use Telnet, it's an insecure (unencrypted) protocol. Excalibur could potentially support it, but we strongly advise against its use due to security risks.

Unsupported Access Methods (by design): * Programmatic Access (APIs): Protocols like REST APIs or Web Services are typically for server-to-device communication, not direct human interaction. Excalibur focuses on securing human access, so these are generally out of scope for direct PAM. * Physical Access (Serial Connections): Direct serial connections (RS-232/485) are physical access methods and are not applicable to Excalibur's remote access management capabilities.

Summary: Excalibur effectively manages access to OT devices through common interactive protocols like HTTP/S and SSH, aligning with standard Privileged Access Management practices.

Can we secure sandboxes with IAM?

Yes, Excalibur can effectively secure access to sandbox environments using IAM principles.

A "sandbox" is typically an isolated environment used for purposes like testing, development, or running potentially untrusted applications. Securing such an environment with IAM involves controlling who can access these resources and what actions they are permitted to perform.

Excalibur achieves this by: 1. Brokering Access: Excalibur manages and brokers all access to the resources within the sandbox. 2. Connectivity: Whether the sandbox is on a separate network segment (requiring an Excalibur tunnel for connectivity) or directly reachable by the Excalibur server, access can be managed. 3. Policy Enforcement: Granular access policies are defined within Excalibur, specifying which users or groups can access which sandbox resources. 4. Credential Abstraction: Users are authenticated through Excalibur, and access is granted based on these policies. The underlying credentials for the sandbox resources are never exposed to the end-user. 5. Auditing: All access attempts and sessions are logged, providing a clear audit trail.

By implementing these measures, Excalibur ensures that only authorized personnel can access specific sandbox environments, and all interactions are controlled and auditable, significantly enhancing the security and governance of these isolated systems.

Do you support YubiKeys?

Yes. We support Passkeys, so any YubiKey model that is compatible with Passkeys will work with Excalibur.

Is there possibility to join PAM target in form of Web App for example Jira/CRM/ERP etc. to have SSO and full auditability?

It will be possible, but not included in current PAM solution. It will be available in our upcoming product Vitro (AI-powered contextual prevention functionality) which will be integrated in PAM.

Is there any limit to PAM targets? Are we talking hundreds or thousands? What can be added as PAM target? Are there any limitations?

Amount of targets: code perspective - no limit, UX - we have not enough data. SSH and RDP can be added. In the future also HTTP

What is the limit of simultaneous user connections through a tunnel?

Only one Excalibur Tunnel Client can establish the connection from a location. Once the tunnel is established, many simultaneous PAM sessions can run through it. Since this feature is still in development, we do not have a firm limit on the number of sessions.

Is the secure tunnel client available for Windows servers?

Yes. For more information, see the Administrator Manual and the installation guide on our GitHub page.

Can I get alerts when there are potentially malicious actions?

Excalibur operates on a whitelisting principle: users only have access to resources they are explicitly configured to access. This inherently limits the scope for unauthorized actions, as access to the broader network is not granted; only streamed access to specific resources is provided.

Authentication Logging: All authentication attempts are logged. Failed attempts are recorded and can be used for security monitoring.

SIEM Integration for Alerts: While Excalibur itself is improving its direct alerting capabilities (e.g., configurable email notifications for security policy failures are under consideration), all relevant security events are streamed to your SIEM. This allows for sophisticated alert configurations and notifications to be managed at the SIEM level. Future AI-based Anomaly Detection: AI-powered anomaly detection (e.g., behavioral analysis, attack detection) is a feature currently under development and not yet generally available. A demo (AI1 demo on vitro.xclbr.com) showcases this future capability.

If the developer has emergency during weekend, but in standard mode there is no possibility for him to join, how it can be solved?

This can be managed through security policies. Here are two common approaches: 1. Create a Disabled Emergency Policy: You can have a pre-configured security policy for emergency access that remains disabled. An administrator can activate it when needed. 2. Adjust an Existing Policy: An administrator can temporarily modify an existing policy to grant the required access.

There is no way to do any special request which is approved by superior?

This feature is on our roadmap. In the future, you will be able to configure security policies that require approval from a manager for certain actions, such as weekend access.

If there is a way to access remote server via bookmark or the user needs to go directly through the dashboard?

No, users must always go through the Excalibur Dashboard to access remote systems. There is no persistent URL or bookmark for a remote session.

Security & Encryption

How does data encryption work? Can we use our own encryption key?

Encryption Standards: Excalibur employs industry-standard cryptography, specifically Public Key Infrastructure (PKI) based on ECIES (Elliptic Curve Integrated Encryption Scheme) for asymmetric key ciphers. For details, you can refer to resources like Nakov's CryptoBook on ECIES.

Key Storage (HSM): For our cloud services, we utilize Hardware Security Modules (HSMs) to store cryptographic keys securely. HSMs ensure that key material is stored in dedicated hardware, similar to secure enclaves on mobile phones, but on a larger, often network-attached scale.

Customer-Provided Keys: For larger customers who have their own HSMs, Excalibur can integrate with these, as they typically provide APIs for interaction. This allows customers to maintain control over their key material.

How does peer verification work? What actions can be peer-verified?

Peer verification in Excalibur is a configurable security policy feature. It allows you to require an additional approval step from a designated peer (or a member of a designated group) before access to a resource is granted.

How it works: When a user attempts to access a resource for which peer verification is enabled, the system will trigger a request. For example: "If user X wants to access resource Y, and condition Z is met, then require peer verification from any member of group W before granting access." Applicable Actions: Any access attempt to any resource managed by Excalibur can be configured to require peer verification, as defined by the security policy. This aligns with our core function of streaming and controlling access to resources based on defined conditions.

When accessing a web target through Vitro, and the target displays a login page, does the user always have to manually enter their login credentials, or can those credentials be saved?

Currently, our secure remote browser cannot save login credentials because it runs in an isolated sandbox. We plan to add the ability to automatically fill in credentials in the future, either through scripting or an AI agent.

Design & Architecture

Why do you only provide PAM access through a browser instead of native clients like PuTTY?

Excalibur Privileged Access Management does not support other clients connecting to protected resources to avoid protocol proxying, which could expose protocol vulnerabilities. By streaming access instead of direct interaction with protocols like SSH, Excalibur ensures that potential exploits on vulnerable targets are mitigated. Introducing weaknesses to accommodate familiar tools would undermine the security benefits provided by Excalibur's approach. [Exposure Reduction]

Why do you integrate MFA & PAM instead of supporting third-party MFA solutions?

In Excalibur, every action performed within the PAM system is cryptographically signed using key material tied to the MFA. We utilize secure enclaves in mobile devices, similar to the security used in mobile payments, providing robust security guarantees. This integration ensures that each user action is securely verified and recorded, with the user's identity cryptographically linked to all authentication factors. By tightly integrating MFA with PAM, Excalibur prevents the security gaps that could arise from using third-party MFA solutions, which lack standardized cryptographic signing capabilities.Unlike OTP hardware tokens, which only allow retyping displayed OTPs and cannot cryptographically sign actions, Excalibur's integrated solution ensures comprehensive security by signing every user activity. [Non-Repudiation]

Why do you use QR codes for authentication instead of push notifications or SMS?

At Excalibur, we look into how to provide the best user experience as well as the most secure environments. Push notifications, SMS, and other similar methods can cause MFA fatigue which then can be exploited by attackers. Scanning a QR code to login is a "pull" approach that can't be exploited by attackers in a similar fashion. [Secure-by-Default]

Why is raw RDP/SSH proxying a bad idea?

Because a raw TCP proxy sits between client and server, it effectively becomes a man‑in‑the‑middle: host‑key/certificate pinning breaks, credentials and session data pass through the proxy, and long‑patched relay exploits reopen—so you lose the very security RDP/SSH are meant to provide. See https://github.com/runZeroInc/sshamble for some attacks.

Can geofences be created in shapes other than a circle?

We use circular geofences because they are simple and effective. A circle is defined by a central point and a radius, which is easy to manage and covers the vast majority of use cases.

Does Excalibur solution continuously gather data of GPS location of the user?

Excalibur does not continously gather any data from the GPS over time. We are using the gps location directly from phone and only as a snapshot in the moment of authentication.

Can the system send an email notification if a user runs a specific command?

Not directly. Excalibur sends detailed logs to your SIEM system. You can then configure your SIEM to send email alerts based on specific events, such as the use of a certain command.

Is it possible to add a MAC address to network policies?

No, this is not possible.

Is the Geolocation extracted from mobile phone internet connection or from phone provider?

The location is provided by your phone's operating system (using GPS, Wi-Fi, or cellular data). It is only a snapshot taken at the moment of authentication, not continuous monitoring.

Is any kind of way excalibur can be offline solution in fully offline infrastructure?

Can be done via WFA, but the smartphones and users will be able to connect.

Deployment & Infrastructure

Where is your cloud version located? Do you provide it as a SaaS?

Hosting: We primarily use Hetzner (a German company with data centers in the EU, US, and Asia). We can also deploy Excalibur in other cloud environments like Azure, AWS, or Google Cloud if required.

SaaS Offering: Excalibur is available as a managed service or for on-premise/private cloud deployment. We plan to offer a self-service SaaS solution in the future.

Where does Excalibur store data and what third-party services are used?

We use third-party cloud providers with storage located in Germany to store customer data. These providers include Microsoft Azure and Hetzner.

What certifications do you have, such as ISO 27001?

We are currently in the process of obtaining ISO 27001 and other certifications. We will make an announcement once we are officially certified.

How is the solution deployed?

Excalibur can be deployed on a Virtual Machine (VM) or used as a managed service (SaaS).

Really good solution for Gov and Enterprise, but one bottleneck - the weakest link is your company Excalibur - what kind of certifications, security policies, disaster plans do you have in place?

For security and certification, we have certificates from https://www.linkedin.com/company/tuvsud/:

• ISO/IEC 27001 – Information Security Management
• ISO/IEC 27017 – Cloud Security Controls
• ISO/IEC 27018 – Protection of Personal Data in the Cloud

Configuration & Administration

Is an Active Directory connection necessary?

Yes, an identity store must be connected during the deployment process. Excalibur supports Active Directory and any other identity store that uses the LDAP/LDAPS protocol.

What happens if I don't connect an Active Directory / Identity Store?

An identity store must be connected during the deployment process for Excalibur to function.

Recording sessions - how big are they? Where they are stored and how big is basic storage for standard licensing?

File size is based on how much changes there are on the screen, small and local changes can be tackled by compression creating just small file - small bitrate recording. Also resolution plays a role.

How long does PAM keep logs available?

There is no time limit for logs; they are available for as long as you need them.

Is the PAM target of each tenant independent of the PAM target of the system administrator? Can you add system pam targets to another Tenants?

Yes, tenants are independent of each other. The system itself is also a tenant, so system-level PAM targets cannot be added to other tenants.

Usage & Performance

Imagine 10 000 users using the session 8 hours a day, what might be the estimation of storage we need to sustain it for let's say 3 years? Applies for on-prem, hybrid and MSP/SaaS model.

We record sessions using incremental snapshots, meaning we only record changes on the screen. An idle session creates a very small recording, while a very active session creates a larger one. The best way to estimate storage needs is to experiment with your typical usage and calculate an average.

I am connected to 5 to 6 machines. Browser shuts down. Can I see on which machines I am connected at the moment on the dashboard? What happens when I close the tab instead of signing out?

Yes, your active sessions will still be visible in the dashboard. Whether the session itself continues to run depends on the target system. Windows Server sessions will typically keep running, while SSH sessions will terminate when the connection is lost.

How does it work if I have MFA on 3^rd party soft (f.e. VPN) and I will lose my phone, can I access it via Excalibur even without phone?

Currently, Excalibur always requires authentication with the mobile app token. We do not yet support third-party MFA solutions, but this is on our roadmap.

Is there any point on roadmap where you can scan QR code with basic camera app and it will automatically guide you to Excalibur App for authentication?

No, currently not on a roadmap and not being considered. Might change if many customers ask for it.

When I click an invitation link while logged in as a different user, I get redirected. Is this expected?

This is expected behavior. You must be logged out of any existing session before accepting an invitation for a new account. We are considering future support for multiple logged-in users in a single browser.

If a user closes the browser tab, does the RDP session keep running?

This depends on the server configuration. It can be configured so the session remains active for a short period (e.g., 15 seconds), allowing the user to rejoin by reopening the tab before the session is terminated.

What are the main use cases for small and medium companies?

The primary benefit for any company is a secure and easy-to-use MFA and PAM solution in one package. The MFA component can also be used as a standalone product to integrate with other third-party applications via the SAML protocol.

If the RDP session is closed and later reopened (in 15 sec interval to reopen the tab), are the credentials being stored in cookies or somewhere else?

RDP session browser Tab reopened within 15 seconds means, that user is redirected to the same session as he was interacting with before. So there no need to store the credentials, because session is still alive in the background within those 15 seconds and terminated after the 15 seconds expiration interval.

How many users can access and work on the same target simultaneously via RDP? Does this depend on Microsoft RDP licensing?

Yes, this is completely depending on Microsoft RDP licensing. By default each Windows server can run 2 RDP session simultaneously. After deployment of Microsoft RemoteDesktopServices Client Access licenses to Windows server, it can handle more than 2 RDP sessions.

Troubleshooting & Support

How do I fix a "Network error" in the mobile app during registration?

On iOS devices, this can sometimes be caused by a manually installed certificate profile or by iCloud Private Relay.

1. Ensure any required certificate profiles are trusted: Apple Support Article

2. Try turning off iCloud Private Relay in your device settings.