
Excalibur Enterprise - Knowledge Base Articles

Welcome to our Knowledge Base Articles. Explore our library of articles answering questions about our products, services, and policies. Simply use the search bar or browse by category to locate the information you need. If you can't find it, please contact us.


General

What types of targets are supported? Do you provide access management for web-based applications?

Excalibur currently supports SSH, RDP, and VNC targets. Support for web-based application targets is in preview and planned for a future release.

Do you have your own vault? Can you rotate passwords? How are the passwords and credentials stored? Can I see what credentials are stored separately from the targets?

Vault: No, Excalibur does not currently maintain a dedicated internal vault system.

Password Rotation: Yes, Excalibur supports password rotation for PAM Targets via a privileged user account. This account changes target passwords according to a defined Password Rotation Policy, which includes settings for generating random passwords.

Credential Storage: All updated passwords for PAM Targets are stored encrypted at rest within the PAMTarget table in our system.

Credential Visibility: Users cannot see the passwords for PAM Targets. Credentials are only decrypted at the start of a session and are used exclusively to initiate that session.

Can Excalibur be delivered as a service (MSP model)?

Yes, Excalibur is designed with multi-tenancy, making it ideal for Managed Service Provider (MSP) deployments.

Is there a dashboard or list of all accessible targets (including SAML)?

Yes, the Excalibur Dashboard provides a list of all targets you can access. You can find more information in our User Manual.

Do you have your own API? What do you integrate with?

Yes, Excalibur offers a comprehensive API. For details on its capabilities, please refer to our API Documentation.

Can I integrate Excalibur with my SIEM? How? What information can I obtain?

Yes, Excalibur can be integrated with SIEM systems. Our Auditor Manual provides details on the integration process and the types of logs and events that can be sent to your SIEM.

Can Excalibur support tunnels to multiple physical locations?

Yes, you can create multiple secure tunnels with Excalibur. Each tunnel can connect to a different physical location or network segment, allowing for flexible and widespread resource access management.

Can you integrate with Microsoft 365 or Google Workspace for authentication and access management?

You can use Microsoft 365 and Google Workspace as identity stores with Excalibur.

Current capability (Excalibur as IdP): Excalibur can act as an Identity Provider (IdP) and authenticate users into these services via SAML. Users authenticate through Excalibur to reach O365 / Google Workspace, and security policies could also be configured to enforce access to these platforms exclusively through Excalibur for enhanced monitoring.

Future capability (Excalibur as SP): We may support Excalibur acting as a SAML Service Provider (SP) in the future. O365 / Google Workspace (e.g., using Microsoft Authenticator) would then handle the primary authentication, and Excalibur would manage the access. However, this approach could reduce auditing visibility, which is a key strength of our product.

What is the storage limit for logs and session recordings?

For our SaaS version, storage is virtually unlimited. For on-premise installations, storage depends on your local capacity. You can also configure a retention period to automatically delete old recordings.

Is there a way to prevent users from taking screenshots of the platform?

We do not currently offer a feature to block screenshots.

Why Is Excalibur Not Offered as a Virtual Appliance or EXE?

Excalibur is designed as a modern, cloud-native platform, which is why we don’t ship it as a single virtual appliance or executable. Key reasons:

  1. Service-based architecture

    Excalibur is built from multiple specialized services, not one monolithic app. Packaging everything into a single appliance would reduce flexibility and make updates harder.

  2. High availability (HA)

    A virtual appliance usually runs on one machine, creating a single point of failure. Excalibur needs multi-node, redundant deployment to ensure uptime and reliability.

  3. Dynamic scaling

    Customer workloads vary. Excalibur automatically scales resources up or down as needed—something fixed appliances or EXEs cannot support.

  4. Easier maintenance and security

    Updating or patching a monolithic appliance requires replacing the whole package. With Excalibur’s service-based design, we can update components independently, faster, and more securely.

  5. Cloud-native design

    Excalibur integrates with modern cloud environments, orchestration tools, and enterprise workflows. A single downloadable image would limit functionality and performance.

Google Places API

Excalibur Dashboard integrates with Google Maps across key workflows:

  • Geofence management: view, pan, and create/edit geofences on interactive maps.
  • Actions view: in action details, see the map context of where a user performed their action.

The application ships with a built‑in Google Maps API key restricted to the Maps JavaScript API and Maps Static API. This supports core functionality for both geofences and action details: map viewing, panning, and geofence creation/editing.

To unlock enhanced capabilities like place search, autocomplete, and location name resolution (useful when finding places while creating geofences or understanding the location context in action details), you can provide your own Google Maps API key with the Places API enabled.


About Google Places API

Google Places API allows you to access detailed information about millions of places, including businesses, landmarks, and points of interest. This enables features like search, autocomplete, and detailed place information in your applications.

API Key

  • Free to create: Generating a Google Cloud API key does not incur any cost.
  • Required for all requests: Every request to the Places API must include a valid API key to identify your project.
  • Security: You can restrict your key by domain, IP address, or mobile app to prevent unauthorized use.

Billing & Pricing

  • Pay-as-you-go: While the API key itself is free, using the Places API is billed based on usage. Each request is counted depending on its type, referred to as a SKU.
  • Billing triggers: Charges apply when your usage exceeds the free monthly quota provided by Google for each SKU.
  • Cost depends on request type: Different requests, like Autocomplete, Place Details, or Nearby Search, have different rates.
    • Example: Autocomplete requests are billed per 1,000 calls, and Place Details requests may cost more depending on the data requested.
  • Monitoring: You can track your usage and manage costs in the Google Cloud Console.

For more details, visit: https://developers.google.com/maps/documentation/places/web-service/usage-and-billing


Configuring Google Maps and Places API in Excalibur Dashboard

What’s included by default (built‑in key):

  • Enabled APIs: Maps JavaScript API, Maps Static API

  • Core map interactions:

    • View and pan maps (geofences and action details)
    • Create and edit geofences

What's not included by default:

  • Place search and autocomplete
  • Location name resolution (e.g., converting coordinates to place names)
  • Rich place details (names, addresses, categories)

Minimum configuration for a custom key with enhanced features

To enable Places features, your custom key should have:

  • Maps JavaScript API (required)
  • Maps Static API (required for static map rendering where applicable)
  • Places API (required for search, autocomplete, and place details)

Why provide your own API key

  • Security and control: Use your own Google Cloud project and enforce API restrictions.
  • Access to enhanced features: Places API powers search, autocomplete, and richer data for both geofence flows and action details.
  • Scalability and quotas: Manage usage and quotas under your own billing account.

Prerequisites

  • A Google Cloud project
  • Billing enabled on your project
  • A Google Maps API key
  • Places API enabled for the key (required for enhanced features)

Step‑by‑step: Create and configure a Google Maps API key with Places API

1) Create an API key

  • Go to the Google Cloud Console
  • Navigate to APIs & Services → Credentials
  • Click “Create credentials” → “API key”
  • Copy the generated key

2) Enable required APIs

  • Navigate to APIs & Services → Library
  • Enable Maps JavaScript API, Maps Static API, and Places API for the project

3) Apply key restrictions (recommended)

  • In APIs & Services → Credentials, select your key
  • Application restrictions:

    • For browser-based usage, use “HTTP referrers (web sites)” and add your dashboard domain(s)
  • API restrictions:

    • Restrict the key to only the APIs you need (Maps JavaScript, Maps Static, and Places)
  • Keep in mind that a key embedded in a browser page is visible to anyone who loads that page; the referrer and API restrictions are what limit abuse of the key and unexpected billing
  • Best practices: API Key Best Practices

4) Add your key to Excalibur Dashboard

  • In the Dashboard, open Settings → Maps
  • Paste your API key into “Your Google Maps API Key”
  • Toggle “Places API (Enhanced features)” On
  • Save changes

Feature comparison

Capability | Built‑in Key (Maps JS + Static) | Custom Key (Maps JS + Static + Places)
Map viewing & panning (geofences, action details) | Yes | Yes
Geofence creation & editing | Yes | Yes
Place search & autocomplete (geofences, action details context) | No | Yes
Location name resolution (nearby names/addresses) | No | Yes
Rich place details (types, hours, ratings where available) | No | Yes
Control over quotas & billing | Limited (shared) | Full (your project)
API key restrictions & security | Not configurable | Configurable in your project

Troubleshooting

  • Places features not working:

    • Confirm Places API is enabled for your key in Google Cloud
    • Check API restrictions: ensure Places API is allowed alongside Maps JavaScript and Maps Static
    • Verify application restrictions: your dashboard domain must be listed if using HTTP referrers
    • Inspect browser console/network logs for Google Maps errors and quota messages
  • Quota and billing:

    • Ensure billing is active in your Google Cloud project
    • Review usage in Google Cloud Console under “Quotas”

Identity Management & Authentication

Can Excalibur work as an Identity Store?

Yes, you can set up Excalibur as a Local Identity Store. In addition, we support other Identity Stores such as an AD-based Identity Store, an Entra ID Identity Store and more. See Administrator Manual -> Settings -> Identity Store for more information.

Can you support access through existing tunnels so I don't need to install another endpoint client for your tunnel?

Excalibur offers flexibility here:

  1. Integrated Tunneling: Excalibur provides its own integrated tunneling solution. This method is fully managed within our interface and benefits from comprehensive auditing and control features.
  2. Using Existing Tunnels/Network Connectivity: Alternatively, you can use your existing VPNs or network infrastructure. In this scenario, the Excalibur server simply needs network-level reachability to the resources it protects. While this approach works, features like detailed tunnel management and tunnel-specific auditing within Excalibur would be less visible, as the network layer is transparent to our system.

User's domain password is expired and needs to be changed. How does Excalibur handle this?

This issue is typically caused by your Active Directory configuration. For Excalibur to manage passwords, two requirements must be met:

  • Secure Connection (LDAPS): Your Identity Store connection must use the secure LDAPS protocol, not the unencrypted plaintext LDAP protocol.

  • Delegated Permissions: The service account used by Excalibur needs specific permissions to be delegated to it in Active Directory, such as "Reset Password" and "Write lockoutTime".

A complete, step-by-step guide to fix this is available in our Installation and Implementation Guide -> Configure Active Directory Permissions for Password Reset.

Target Access Management

Web Application Streaming

— Why Testing Against Public Websites Doesn't Work (And Why It Doesn't Matter)

The Problem You Just Hit

You tried to stream a publicly available website through our PAM Web Application Streaming feature and ran into one or more of the following:

  • 🚫 Anti-bot protection kicked in (CAPTCHA, Cloudflare challenge, Akamai bot detection)
  • 🚫 IP blocking — the target website rejected the connection because it originates from a cloud datacenter IP range
  • 🚫 Geo-IP restriction — the website denied access based on the geographic location of the PAM gateway
  • 🚫 Rate limiting or behavioral analysis — the website flagged the session as suspicious

This is expected. This is not a bug. And most importantly — this scenario will never occur in a real PAM deployment.

This article explains why.


What You Are Trying to Do vs. What PAM Is Designed For

When you point PAM Web Application Streaming at a public website, you are asking our PAM gateway — running in a cloud datacenter — to open an isolated browser session to a website that has no idea who we are, doesn't trust us, and is actively trying to keep us out.

Public websites invest heavily in protecting themselves against exactly this kind of traffic: automated, proxied connections originating from cloud infrastructure. From their perspective, our PAM gateway looks no different than a bot, a scraper, or an attacker.

Here is what that looks like:

The public website doesn't know you. It doesn't trust you. It doesn't want automated cloud-based traffic. It is doing exactly what it was designed to do — blocking you.

Spending engineering effort trying to bypass these protections is:

  • Irrelevant — this scenario doesn't exist in production PAM deployments
  • Potentially harmful — circumventing anti-bot protections may violate terms of service of those websites
  • A waste of time — every hour spent on this is an hour not spent on real product value

How PAM Web Application Streaming Actually Works in Production

In every real-world PAM deployment, the target web application is an internal, organization-controlled system. The customer owns both the PAM gateway and the target application, and they configure the network path between them to be trusted and permitted.

There is no anti-bot protection. There is no IP blocking. There is no CAPTCHA. There is no adversarial relationship between PAM and the target. The entire point is that the organization wants PAM to access the application — that's why they bought it.

Our Web Application Streaming works by capturing DOM mutations (snapshots) from the isolated browser session on the PAM gateway and transmitting them to the operator's browser, where the session is reconstructed on the PAM client. This approach delivers a faithful, high-fidelity reproduction of the target application's UI. The operator interacts with the reconstructed session in their browser — they never have direct network access to the target application, and they never see or handle privileged credentials.

Notice the fundamental difference:

| Public Website (your test) | Real PAM Target (production)
Who owns the target? | Someone else | The customer
Does the target know about PAM? | No | Yes — PAM is explicitly configured
IP blocking? | Yes — cloud IPs are blacklisted | Inverted — PAM IP is allowlisted
Anti-bot protection? | Yes — you look like a bot | No — there is no untrusted traffic to protect against
CAPTCHA? | Yes — prove you're human | No — the session is machine-brokered by design
Trust relationship? | None — adversarial | Full — both sides are under the customer's control
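The streaming model described above (DOM mutations captured on the gateway, replayed in the operator's browser) can be illustrated with a small toy. This is an added example, not Excalibur's code or its wire protocol: a "gateway" owns a DOM-like tree and emits mutation records, a "client" rebuilds a replica from those records alone, and a redaction step, which is this example's own way of showing that the operator never receives privileged credentials, blanks password field values before they leave the gateway. Plain objects stand in for DOM nodes so it runs in Node without a browser; record shapes and field names are assumptions.

```javascript
// Added example (not Excalibur's code): toy of gateway-side DOM mutation
// capture and client-side replica reconstruction, with credential redaction.

// A value is sensitive if it is the "value" of <input type="password">.
function isSensitive(node, attrName) {
  return attrName === 'value' && node.tag === 'input' &&
    String(node.attrs.type || '').toLowerCase() === 'password';
}

class Gateway {
  constructor() { this.nextId = 1; this.nodes = new Map(); this.root = null; }

  create(tag, attrs = {}) {
    const node = { id: this.nextId++, tag, attrs: { ...attrs }, children: [] };
    this.nodes.set(node.id, node);
    return node;
  }

  // Copy of a node's attributes with sensitive values blanked before streaming.
  redactedAttrs(node) {
    const out = {};
    for (const [k, v] of Object.entries(node.attrs)) out[k] = isSensitive(node, k) ? '' : v;
    return out;
  }

  // Initial full snapshot: one "add" record per node, parents before children.
  mount(root) { this.root = root; return this.snapshot(root, null, []); }

  snapshot(node, parentId, out) {
    out.push({ op: 'add', id: node.id, parentId, tag: node.tag, attrs: this.redactedAttrs(node) });
    for (const child of node.children) this.snapshot(child, node.id, out);
    return out;
  }

  // Mutations are applied to the real tree; each returns the records to stream.
  appendChild(parent, child) { parent.children.push(child); return this.snapshot(child, parent.id, []); }

  setAttr(node, name, value) {
    node.attrs[name] = value;
    return [{ op: 'attr', id: node.id, name, value: isSensitive(node, name) ? '' : value }];
  }
}

class Client {
  constructor() { this.nodes = new Map(); this.root = null; }

  // Rebuild the replica strictly from records; the client has no other input.
  apply(records) {
    for (const r of records) {
      if (r.op === 'add') {
        const node = { id: r.id, tag: r.tag, attrs: { ...r.attrs }, children: [] };
        this.nodes.set(r.id, node);
        if (r.parentId === null) this.root = node;
        else this.nodes.get(r.parentId).children.push(node);
      } else if (r.op === 'attr') {
        this.nodes.get(r.id).attrs[r.name] = r.value;
      } else {
        throw new Error('unknown record op: ' + r.op); // fail closed on unexpected input
      }
    }
  }
}

// Serialise a tree to markup so both sides can be compared.
function render(node) {
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
  return `<${node.tag}${attrs}>${node.children.map(render).join('')}</${node.tag}>`;
}

// Constructed scenario: the gateway fills in a vaulted password, then adds a button.
function demoStream() {
  const gw = new Gateway(), client = new Client();
  const form = gw.create('form', { id: 'login' });
  const user = gw.create('input', { type: 'text', name: 'user', value: 'admin' });
  const pw = gw.create('input', { type: 'password', name: 'pw', value: '' });
  form.children.push(user, pw);
  const wire = [];
  wire.push(...gw.mount(form));
  wire.push(...gw.setAttr(pw, 'value', 'Sup3rSecret!'));   // happens only on the gateway
  wire.push(...gw.appendChild(form, gw.create('button', { type: 'submit' })));
  client.apply(wire);
  return { gatewayHtml: render(gw.root), clientHtml: render(client.root), wire: JSON.stringify(wire) };
}
```

Running `demoStream()` yields a client replica that is structurally identical to the gateway tree except that the password value is empty, and the serialised records never contain the secret; the client also has no handle to the gateway tree or to the target, only to the records it was given.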

What Applications Are Actually Behind PAM?

PAM Web Application Streaming protects administrative interfaces to critical infrastructure — systems where privileged access must be controlled, credentials must be vaulted, and sessions must be recorded.

Category | Examples
Network & Security Devices | Cisco ASDM, Fortinet FortiGate, Palo Alto Panorama, F5 BIG-IP, pfSense
Hypervisor & Hardware Mgmt | VMware vSphere/vCenter, Proxmox, Dell iDRAC, HPE iLO, Nutanix Prism
Containers & Cloud | Kubernetes Dashboard, Rancher, Portainer, OpenShift Console
Databases | phpMyAdmin, pgAdmin, Oracle Enterprise Manager
CI/CD & DevOps | Jenkins, GitLab (self-hosted), Artifactory, SonarQube, ArgoCD
Security Operations | Splunk, QRadar, Nessus, Qualys, certificate management UIs
Business Applications | SAP, Oracle EBS, internal ERP/HR/Finance admin panels
Identity Infrastructure | Active Directory web consoles, LDAP admin UIs, IAM portals

What all of these have in common:

  • They are internally hosted or deployed as private instances — not public SaaS
  • They are not exposed to the public internet
  • There is no anti-bot protection between PAM and the application
  • The PAM gateway's IP is explicitly allowlisted
  • The organization controls both sides of the connection

So What Should You Use for Demos and Evaluations?

If you need to demonstrate or evaluate Web Application Streaming, use applications that represent the real use case. All of the following can be deployed in minutes and provide a rich, dynamic UI experience:

Application | What It Simulates | Setup
Grafana | Monitoring dashboard (rich, dynamic UI) | docker run -d -p 3000:3000 grafana/grafana
Jenkins | CI/CD admin console | docker run -d -p 8080:8080 jenkins/jenkins:lts
Portainer | Container management platform | docker run -d -p 9443:9443 portainer/portainer-ce
phpMyAdmin | Database administration | docker run -d -p 8080:80 phpmyadmin/phpmyadmin
GitLab CE | Full DevOps platform | docker run -d -p 8080:80 gitlab/gitlab-ce
pfSense / OPNsense | Firewall admin (most realistic) | VM deployment (~30 min)

Note that Jenkins, phpMyAdmin and GitLab CE all publish host port 8080 in the commands above; run one of them at a time or change the host side of the -p mapping if you want several running together.

These applications are:

  • ✅ Under your control — no external dependencies
  • ✅ Representative of real PAM targets
  • ✅ Free of anti-bot, IP blocking, or CAPTCHA issues
  • ✅ Rich, dynamic, JavaScript-heavy UIs that properly test streaming performance and DOM snapshot fidelity

The Takeaway

PAM Web Application Streaming is not a generic web browser proxy. It is a purpose-built privileged access control mechanism for internally hosted, organization-controlled web management interfaces.

When you test it against a public website and get blocked — that's not our product failing. That's the public internet doing its job. And in every real customer deployment, that situation simply does not exist.

If you've landed on this article because you just hit an anti-bot wall or an IP block during a demo — now you know why. Close that public website, spin up a Grafana or Jenkins container, and you'll have a working, production-representative demo in under five minutes.

Do you support access management for databases?

Yes, Excalibur can manage access to databases in several ways depending on how the database is typically accessed:

  • Web Interfaces: Many modern databases offer web-based management consoles. Excalibur can secure access to these web interfaces.
  • Console Access: For databases allowing command-line access, Excalibur can protect this via an SSH PAM Target.
  • Thick Clients: If the database relies on a dedicated 'thick client' application, you can install this client on a Windows machine (or a jump host) and use Excalibur to manage RDP access to that machine, thereby controlling access to the database client.

Do you support access management for OT devices?

Yes, Excalibur can manage access to OT devices, focusing on the human-interactive protocols they commonly use. OT devices vary in their interaction methods:

Supported Protocols for Interactive Access:

  • Web Interfaces: Many modern OT devices (PLCs, HMIs, SCADA controllers) have browser-based interfaces. Excalibur can secure these.
  • SSH (Secure Shell): Common on advanced OT devices (RTUs, industrial routers) for secure command-line management. Excalibur supports SSH PAM Targets for these.
  • Telnet: While older devices might use Telnet, it is an insecure (unencrypted) protocol. Excalibur could potentially support it, but we strongly advise against its use due to the security risks.

Unsupported Access Methods (by design):

  • Programmatic Access (APIs): Protocols like REST APIs or Web Services are typically for server-to-device communication, not direct human interaction. Excalibur focuses on securing human access, so these are generally out of scope for direct PAM.
  • Physical Access (Serial Connections): Direct serial connections (RS-232/485) are physical access methods and are not applicable to Excalibur's remote access management capabilities.

Summary: Excalibur effectively manages access to OT devices through common interactive protocols like HTTP/S and SSH, aligning with standard Privileged Access Management practices.

Can we secure sandboxes with IAM?

Yes, Excalibur can effectively secure access to sandbox environments using IAM principles.

A "sandbox" is typically an isolated environment used for purposes like testing, development, or running potentially untrusted applications. Securing such an environment with IAM involves controlling who can access these resources and what actions they are permitted to perform.

Excalibur achieves this by:

  1. Brokering Access: Excalibur manages and brokers all access to the resources within the sandbox.
  2. Connectivity: Whether the sandbox is on a separate network segment (requiring an Excalibur tunnel for connectivity) or directly reachable by the Excalibur server, access can be managed.
  3. Policy Enforcement: Granular access policies are defined within Excalibur, specifying which users or groups can access which sandbox resources.
  4. Credential Abstraction: Users are authenticated through Excalibur, and access is granted based on these policies. The underlying credentials for the sandbox resources are never exposed to the end-user.
  5. Auditing: All access attempts and sessions are logged, providing a clear audit trail.

By implementing these measures, Excalibur ensures that only authorized personnel can access specific sandbox environments, and all interactions are controlled and auditable, significantly enhancing the security and governance of these isolated systems.

Do you support YubiKeys?

Yes. We support passkeys (FIDO2/WebAuthn), so any YubiKey model that is compatible with passkeys will work with Excalibur.

What is the limit of simultaneous user connections through a tunnel?

Only one Excalibur Tunnel Client can establish the connection from a location. Once the tunnel is established, many simultaneous PAM sessions can run through it. Since this feature is still in development, we do not have a firm limit on the number of sessions.

Is the secure tunnel client available for Windows servers?

Yes. For more information, see the Administrator Manual and the installation guide on our GitHub page.

Can I get alerts when there are potentially malicious actions?

Excalibur operates on a whitelisting principle: users only have access to resources they are explicitly configured to access. This inherently limits the scope for unauthorized actions, as access to the broader network is not granted; only streamed access to specific resources is provided.

Authentication Logging: All authentication attempts are logged. Failed attempts are recorded and can be used for security monitoring.

SIEM Integration for Alerts: While Excalibur itself is improving its direct alerting capabilities (e.g., configurable email notifications for security policy failures are under consideration), all relevant security events are streamed to your SIEM. This allows sophisticated alert configurations and notifications to be managed at the SIEM level.

Future AI-based Anomaly Detection: AI-powered anomaly detection (e.g., behavioral analysis, attack detection) is currently under development and not yet generally available. A demo (AI1 demo on vitro.xclbr.com) showcases this future capability.

If a developer has an emergency during the weekend but the standard policy does not allow them to connect, how can this be solved?

This can be managed through security policies. Here are two common approaches:

  1. Create a Disabled Emergency Policy: You can have a pre-configured security policy for emergency access that remains disabled. An administrator can activate it when needed.
  2. Adjust an Existing Policy: An administrator can temporarily modify an existing policy to grant the required access.

Is there a way to access a remote server via a bookmark, or does the user need to go through the dashboard?

No, users must always go through the Excalibur Dashboard to access remote systems. There is no persistent URL or bookmark for a remote session.

Security & Encryption

Which certifications, security frameworks, and disaster recovery plans does Excalibur comply with?

For security and certification, we hold the following certificates, issued by TÜV SÜD (https://www.linkedin.com/company/tuvsud/):

  • ISO/IEC 27001 – Information Security Management
  • ISO/IEC 27017 – Cloud Security Controls
  • ISO/IEC 27018 – Protection of Personal Data in the Cloud

For recovery, backups can be taken several times a day. For more information, see the Installation and Implementation Guide - Backup.

How does data encryption work? Can we use our own encryption key?

Encryption Standards: Excalibur employs industry-standard public-key cryptography, specifically ECIES (Elliptic Curve Integrated Encryption Scheme), a hybrid scheme that combines an elliptic-curve key agreement with a symmetric cipher and a message authentication code. For details, you can refer to resources like Nakov's CryptoBook on ECIES.

Key Storage (HSM): For our cloud services, we utilize Hardware Security Modules (HSMs) to store cryptographic keys securely. HSMs ensure that key material is stored in dedicated hardware, similar to secure enclaves on mobile phones, but on a larger, often network-attached scale.

Customer-Provided Keys: For larger customers who have their own HSMs, Excalibur can integrate with these, as they typically provide APIs for interaction. This allows customers to maintain control over their key material.

How does peer verification work? What actions can be peer-verified?

Peer verification in Excalibur is a configurable security policy feature. It allows you to require an additional approval step from a designated peer (or a member of a designated group) before access to a resource is granted.

How it works: When a user attempts to access a resource for which peer verification is enabled, the system triggers an approval request. For example: "If user X wants to access resource Y, and condition Z is met, then require peer verification from any member of group W before granting access."

Applicable Actions: Any access attempt to any resource managed by Excalibur can be configured to require peer verification, as defined by the security policy. This aligns with our core function of streaming and controlling access to resources based on defined conditions.
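As an added example, not Excalibur's code or policy format, the following minimal default-deny evaluator shows the three behaviours this page describes for security policies: access exists only where an enabled policy grants it (the whitelisting principle under Target Access Management), a policy can demand peer verification from a designated group when its condition holds (the "user X, resource Y, condition Z, group W" rule above), and a pre-configured emergency policy stays disabled until an administrator switches it on (the weekend-emergency answer). Group names, policy fields, condition names and the business-hours definition are this example's assumptions.

```javascript
// Added example (not Excalibur's code): default-deny policy evaluation with
// peer verification and a disabled emergency policy.

const GROUPS = {
  developers: ['dev1', 'dev2'],
  dba: ['dba1', 'dba2'],
  oncall: ['sre1'],
};

const POLICIES = [
  // "If a DBA wants db-prod-01 outside business hours, another DBA must approve."
  { name: 'dba-prod-db', enabled: true, subjects: ['dba'], resources: ['db-prod-01'],
    peerVerification: { when: 'outside_business_hours', approvers: 'dba' } },
  { name: 'dev-staging', enabled: true, subjects: ['developers'], resources: ['app-staging-01'] },
  // Weekend emergency path: disabled by default, enabled by an admin when needed.
  { name: 'emergency-dev-prod', enabled: false, subjects: ['developers'], resources: ['app-prod-01'],
    peerVerification: { when: 'always', approvers: 'oncall' } },
];

function isMember(user, group) { return (GROUPS[group] || []).includes(user); }

function conditionHolds(name, ctx) {
  switch (name) {
    case 'always': return true;
    case 'outside_business_hours': {
      // Business hours for this example: Mon-Fri 08:00-18:00 UTC (assumption).
      const day = ctx.time.getUTCDay(), hour = ctx.time.getUTCHours();
      return day === 0 || day === 6 || hour < 8 || hour >= 18;
    }
    default: throw new Error('unknown condition: ' + name); // fail closed on typos
  }
}

// Default deny: with no matching enabled policy the answer is "deny", and the
// user has no network path to the resource to fall back on.
function evaluate(user, resource, ctx) {
  for (const p of POLICIES) {
    if (!p.enabled || !p.resources.includes(resource)) continue;
    if (!p.subjects.some(g => isMember(user, g))) continue;
    if (p.peerVerification && conditionHolds(p.peerVerification.when, ctx)) {
      return { decision: 'pending', policy: p.name, requester: user, approvers: p.peerVerification.approvers };
    }
    return { decision: 'allow', policy: p.name };
  }
  return { decision: 'deny', reason: 'no enabled policy grants ' + user + ' access to ' + resource };
}

// Second step of peer verification: the approver must belong to the designated
// group and must not be the requester.
function approve(pending, approver) {
  if (pending.decision !== 'pending') throw new Error('nothing to approve');
  if (approver === pending.requester) return { decision: 'deny', reason: 'self-approval is not allowed' };
  if (!isMember(approver, pending.approvers)) {
    return { decision: 'deny', reason: approver + ' is not in group ' + pending.approvers };
  }
  return { decision: 'allow', policy: pending.policy, approvedBy: approver };
}

// Administrator action used for the weekend-emergency case.
function setPolicyEnabled(name, enabled) {
  const p = POLICIES.find(x => x.name === name);
  if (!p) throw new Error('no such policy: ' + name);
  p.enabled = enabled;
  return p.enabled;
}
```

With these definitions a DBA reaching db-prod-01 on a weekday morning is allowed outright, the same request on a Saturday returns a pending decision that only a different DBA can approve, and a developer's request for app-prod-01 is denied until an administrator enables the emergency policy, after which it still needs on-call approval.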

How does device integrity work?

Device integrity is verified during authentication when the corresponding security policy is enabled (on Android this uses Google's Play Integrity service; see the external endpoints listed under Deployment & Infrastructure).

When device integrity check is enabled, the process is as follows:

1. During authentication, the device's integrity is evaluated
2. The system checks token integrity as part of the authentication process
3. The device is then marked as either:

    - Trusted -> Allowed access to the system
    - Not trusted -> Denied access to the system

Design & Architecture

Why do you only provide PAM access through a browser instead of native clients like PuTTY?

Excalibur Privileged Access Management does not support other clients connecting to protected resources to avoid protocol proxying, which could expose protocol vulnerabilities. By streaming access instead of direct interaction with protocols like SSH, Excalibur ensures that potential exploits on vulnerable targets are mitigated. Introducing weaknesses to accommodate familiar tools would undermine the security benefits provided by Excalibur's approach.

Why do you integrate MFA & PAM instead of supporting third-party MFA solutions?

In Excalibur, every action performed within the PAM system is cryptographically signed using key material tied to the MFA. We utilize secure enclaves in mobile devices, similar to the security used in mobile payments, providing robust security guarantees. This integration ensures that each user action is securely verified and recorded, with the user's identity cryptographically linked to all authentication factors. By tightly integrating MFA with PAM, Excalibur prevents the security gaps that could arise from using third-party MFA solutions, which lack standardized cryptographic signing capabilities. Unlike OTP hardware tokens, Excalibur’s integrated MFA binds user identity, device, and every privileged action through strong cryptographic signatures.

Why do you use QR codes for authentication instead of push notifications or SMS?

At Excalibur, we look at how to provide the best user experience as well as the most secure environment. Push notifications, SMS, and similar methods can cause MFA fatigue, which attackers can exploit. Scanning a QR code to log in is a "pull" approach that cannot be exploited in the same way.

Why is raw RDP/SSH proxying a bad idea?

Because a raw TCP proxy sits between client and server, it effectively becomes a man‑in‑the‑middle: host‑key/certificate pinning breaks, credentials and session data pass through the proxy, and long‑patched relay exploits reopen—so you lose the very security RDP/SSH are meant to provide. See https://github.com/runZeroInc/sshamble for some attacks.

Does the Excalibur solution continuously gather GPS location data of the user?

Excalibur does not continuously gather any GPS data over time. We use the location reported by the phone, and only as a snapshot at the moment of authentication.

Can the system send an email notification if a user runs a specific command?

Not directly. Excalibur sends detailed logs to your SIEM system. You can then configure your SIEM to send email alerts based on specific events, such as the use of a certain command.
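Since alerting happens on the SIEM side, here is an added example, not Excalibur's code, of the detection logic a SIEM would run over the exported events: a watch-list of commands that should never appear unannounced in a privileged session (the case asked about here) and a burst of failed authentications for one user (the failed-attempt monitoring mentioned under "Can I get alerts"). The JSON-lines events are constructed for this example and their field names are assumptions; map them to the fields your Excalibur-to-SIEM export actually carries. The returned alerts are what the SIEM would hand to its e-mail or ticketing notification channel.

```javascript
// Added example (not Excalibur's code): SIEM-side detections over constructed
// session-command and authentication events.

// Commands an operator should never run unannounced on a managed target (assumed list).
const WATCHED_COMMANDS = [
  { name: 'recursive-delete-root', re: /^\s*rm\s+-rf\s+\/(\s|$)/ },
  { name: 'local-account-created', re: /\b(useradd|adduser)\b/ },
  { name: 'windows-account-created', re: /\bnet\s+user\s+\S+\s+\S+\s+\/add\b/i },
  { name: 'world-writable-chmod', re: /\bchmod\s+[0-7]*777\b/ },
];
const FAILED_AUTH_THRESHOLD = 3;             // failures per user ...
const FAILED_AUTH_WINDOW_MS = 5 * 60 * 1000; // ... within this window

// Constructed sample export (not real Excalibur output; field names assumed).
const SAMPLE_LINES = [
  '{"ts":"2024-05-04T01:02:03Z","type":"auth","user":"alice","result":"failure","ip":"203.0.113.7"}',
  '{"ts":"2024-05-04T01:02:40Z","type":"auth","user":"alice","result":"failure","ip":"203.0.113.7"}',
  '{"ts":"2024-05-04T01:03:10Z","type":"auth","user":"alice","result":"failure","ip":"203.0.113.7"}',
  '{"ts":"2024-05-04T01:04:00Z","type":"auth","user":"bob","result":"success","ip":"198.51.100.5"}',
  '{"ts":"2024-05-04T01:05:00Z","type":"session_command","user":"bob","session":"s-17","target":"db-01","command":"rm -rf /tmp/build"}',
  '{"ts":"2024-05-04T01:05:30Z","type":"session_command","user":"bob","session":"s-17","target":"db-01","command":"useradd backdoor"}',
  '{"ts":"2024-05-04T01:06:00Z","type":"session_command","user":"bob","session":"s-17","target":"db-01","command":"chmod 777 /etc/shadow"}',
  '{"ts":"2024-05-04T01:07:00Z","type":"session_command","user":"carol","session":"s-18","target":"win-01","command":"net user svc_backup P@ss /add"}',
  '{"ts":"2024-05-04T02:30:00Z","type":"auth","user":"alice","result":"failure","ip":"203.0.113.7"}',
];

function parseEvents(lines) {
  return lines.map((line, i) => {
    const ev = JSON.parse(line);
    ev.ts = new Date(ev.ts);
    if (Number.isNaN(ev.ts.getTime())) throw new Error(`bad timestamp on line ${i + 1}`);
    return ev;
  });
}

// One alert per (event, matching rule); the full command is kept for the analyst.
function detectWatchedCommands(events) {
  const alerts = [];
  for (const ev of events) {
    if (ev.type !== 'session_command') continue;
    for (const w of WATCHED_COMMANDS) {
      if (w.re.test(ev.command)) {
        alerts.push({ rule: w.name, ts: ev.ts, user: ev.user, session: ev.session, target: ev.target, command: ev.command });
      }
    }
  }
  return alerts;
}

// Sliding window per user; one alert when the threshold is reached, then the
// window resets so a continuing burst does not alert on every further failure.
function detectFailedAuthBursts(events) {
  const alerts = [];
  const recent = new Map();
  const failures = events.filter(e => e.type === 'auth' && e.result === 'failure').sort((a, b) => a.ts - b.ts);
  for (const ev of failures) {
    const recentFailures = (recent.get(ev.user) || []).filter(t => ev.ts - t <= FAILED_AUTH_WINDOW_MS);
    recentFailures.push(ev.ts);
    if (recentFailures.length >= FAILED_AUTH_THRESHOLD) {
      alerts.push({ rule: 'failed-auth-burst', ts: ev.ts, user: ev.user, ip: ev.ip, failures: recentFailures.length });
      recent.set(ev.user, []);
    } else {
      recent.set(ev.user, recentFailures);
    }
  }
  return alerts;
}

function runDetections(lines) {
  const events = parseEvents(lines);
  return [...detectWatchedCommands(events), ...detectFailedAuthBursts(events)].sort((a, b) => a.ts - b.ts);
}
```

Over the sample, `runDetections(SAMPLE_LINES)` produces four alerts: one failed-authentication burst for alice (three failures inside five minutes; the later single failure at 02:30 does not re-trigger) and three watched commands, while `rm -rf /tmp/build` correctly does not match the root-delete rule.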

Is the Geolocation extracted from mobile phone internet connection or from phone provider?

The location is provided by your phone's operating system (using GPS, Wi-Fi, or cellular data). It is only a snapshot taken at the moment of authentication, not continuous monitoring.

Deployment & Infrastructure

Can Excalibur be deployed on-premises without internet connectivity?

Excalibur can be deployed on-premises, but typically requires limited internet connectivity for certain functions. Here's what you need to know about offline deployment options:

Standard On-Premises Deployment

By default, an on-premises deployment requires access to specific external services:

URL/Endpoint | Purpose | Optional?
ca.xclbr.com | License registration, deployment certificate issuance, user certificate management, and license tracking | No
www.googleapis.com:443 | Device integrity verification | Yes (can be disabled in security policies)
playintegrity.googleapis.com:443 | Device integrity verification | Yes (can be disabled in security policies)

Connectivity Options

  1. HTTP Proxy Support: All external service connections can be configured to use an HTTP proxy within your infrastructure, allowing for controlled internet access.
  2. Device Integrity Checks:
    • These can be disabled through security policies for environments with restricted internet access
    • For iOS devices, we can perform device checks offline without accessing third-party services

Fully Offline Deployment Options

For organizations requiring complete air-gapped environments:

  1. On-Premises CA Mirror: For larger deployments, we can set up a mirror of our cloud Certificate Authority (CA) within your infrastructure. This option:

    • Eliminates the need for external connectivity
    • Requires additional implementation effort
    • Results in reduced license usage visibility for our team
    • Requires a specialized contract with an alternative licensing model
  2. Custom Licensing Arrangements: For fully offline deployments, please contact our sales team at sales@xclbr.com to discuss your specific requirements and custom licensing options.

Please note that the cloud CA connection is essential for the standard licensing model as it enables user certificate issuance when users register and certificate revocation when users are removed from the system.

Where is your cloud version located? Do you provide it as a SaaS?

Hosting: We primarily use Hetzner (a German company with data centers in the EU, US, and Asia). We can also deploy Excalibur in other cloud environments like Azure, AWS, or Google Cloud if required.

SaaS Offering: Excalibur is available as a managed service or for on-premise/private cloud deployment. We plan to offer a self-service SaaS solution in the future.

Where does Excalibur store data and what third-party services are used?

We use third-party cloud providers with storage located in Germany to store customer data. These providers include Microsoft Azure and Hetzner.

Configuring Hostname and Token URLs in Excalibur SAM

Excalibur SAM uses a mobile app that serves as your secure authentication and authorization token. To work correctly, the mobile app needs to know which Excalibur SAM server it should connect to. This information is shared using QR codes, which include the server’s connection details.

In some environments—especially when Excalibur SAM is deployed in isolated or segmented networks—you may need to use different fully qualified domain names (FQDNs) for the Excalibur SAM Dashboard and for the mobile app’s connection endpoint. For example, the web Dashboard might only be accessible from inside your network, while the mobile app connects through a public-facing reverse proxy or load balancer that handles SSL/TLS termination.

During the Excalibur SAM setup wizard, you can specify the Token URL used by the mobile app. You can later adjust both the Token URL and the main application Hostname URL under Dashboard > Settings > System > Server Settings.

  • Hostname URL: Defines the base URL of your Excalibur SAM system. It appears in email notifications such as registration invitations and peer verification messages.
  • Token URL: Defines the endpoint used by the mobile app and is what gets embedded in the QR codes. It must be reachable from the smartphone: either as a hostname/FQDN/address that the phone can resolve and connect to (typically the public-facing reverse proxy or load balancer), or over an always-on VPN on the phone.

Important: Incorrectly configuring either of these URLs can cause issues such as invalid QR codes, mobile app connection failures, or broken links in email notifications. Always ensure the URLs are correct, accessible for their intended purpose, and aligned with your network design.
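
A pre-flight check for these two settings, added here as an example and not part of Excalibur: it implements one reading of the guidance above (both values must be absolute https:// base URLs without credentials, query or fragment; the Token URL host must resolve, and if it resolves to a private, loopback or link-local address the phones need an always-on VPN). The resolver is injectable, and the hostnames and addresses in `DEMO_RECORDS` are constructed for the offline demonstration.

```python
"""Added example (not part of Excalibur): sanity checks for the Hostname URL
and Token URL settings. The rules are this example's reading of the
guidance; DEMO_RECORDS is constructed data used instead of real DNS.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def dns_resolve(host: str) -> str:
    """Real resolver: first address returned for the host."""
    return socket.getaddrinfo(host, None)[0][4][0]


# Constructed demo DNS data (hypothetical names and addresses).
DEMO_RECORDS = {
    "sam.example.com": "93.184.216.34",   # public-facing reverse proxy
    "sam.corp.internal": "10.0.0.5",      # dashboard reachable only inside
}


def demo_resolve(host: str) -> str:
    try:
        return DEMO_RECORDS[host]
    except KeyError:
        raise socket.gaierror(f"demo resolver: no record for {host}")


def check_base_url(label: str, url: str) -> list:
    """Structural checks that apply to both settings."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"{label}: scheme must be https, got {parts.scheme or 'none'!r}")
    if not parts.hostname:
        findings.append(f"{label}: no host in {url!r}")
    if parts.username or parts.password:
        findings.append(f"{label}: must not embed credentials")
    if parts.query or parts.fragment:
        findings.append(f"{label}: must be a base URL without query or fragment")
    return findings


def check_token_url(url: str, resolve=dns_resolve, always_on_vpn: bool = False) -> list:
    """The Token URL ends up in the QR code, so the phone itself must reach it."""
    findings = check_base_url("Token URL", url)
    host = urlsplit(url).hostname
    if not host:
        return findings
    try:
        addr = ipaddress.ip_address(resolve(host))
    except OSError as exc:            # socket.gaierror is an OSError subclass
        findings.append(f"Token URL: host {host!r} does not resolve ({exc})")
        return findings
    if (addr.is_private or addr.is_loopback or addr.is_link_local) and not always_on_vpn:
        findings.append(f"Token URL: {host} resolves to {addr}, which phones cannot reach "
                        "from the internet; use a public endpoint or an always-on VPN")
    return findings


def check_server_settings(hostname_url: str, token_url: str,
                          resolve=dns_resolve, always_on_vpn: bool = False) -> list:
    """Return all findings; an empty list means the pair looks consistent."""
    return (check_base_url("Hostname URL", hostname_url)
            + check_token_url(token_url, resolve, always_on_vpn))


if __name__ == "__main__":
    cases = [
        ("https://sam.corp.internal", "https://sam.example.com", False),    # split setup
        ("https://sam.corp.internal", "https://sam.corp.internal", False),  # QR points inside
        ("https://sam.corp.internal", "https://sam.corp.internal", True),   # ...but VPN on phones
        ("http://sam.corp.internal", "https://sam.missing.example", False),
    ]
    for hostname_url, token_url, vpn in cases:
        result = check_server_settings(hostname_url, token_url, demo_resolve, vpn)
        print(hostname_url, token_url, result or "OK")
```

Against real DNS, drop the `demo_resolve` argument. The Hostname URL is only checked structurally because it is used for links in emails read inside the organisation; the Token URL additionally has to be resolvable and reachable from the phone, which is the case the private-address finding catches.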

Configuration & Administration

What is the size of file recordings?

Recording File Size

The size of RDP session recordings can vary significantly. It mainly depends on the client’s screen resolution and how much of the RDP desktop (width × height in pixels) is being updated during the session.

How large can recordings get?

  • In an extreme test case, the recording reached up to 4 GB per hour when using 4K resolution and watching a YouTube video within the RDP session.
  • In another example, a 5-minute session at 1920×1080 resolution resulted in a recording file of only 5 MB.

Why do sizes vary so much? Recording size depends on several factors:

  • The screen resolution of the client.
  • How often the screen content changes.
  • How much of the RDP screen is being redrawn.
  • The type of activity (e.g., watching video generates far more data than viewing static content).

Because of these variables, actual recording sizes may differ. The numbers above should be taken as indicative examples rather than guaranteed values.

How long does PAM keep logs available?

There is no time limit for logs. They are available for as long as you need them.

Are the PAM targets of each tenant independent of the PAM targets of the system administrator? Can system PAM targets be added to other tenants?

Yes, tenants are independent of each other. The system itself is just another tenant, so system-level PAM targets cannot be added to, or shared with, other tenants.

Usage & Performance

Understanding Bandwidth & Performance in Excalibur SAM

Excalibur SAM (Streamed Access Management) utilizes two distinct technologies to deliver remote access: Pixel-based Streaming (for Desktop/Terminal access) and Vitro DOM-based Streaming (for Web Application access).

Because these technologies handle data differently, their bandwidth footprints vary significantly.

  1. Pixel-based Streaming (RDP, VNC, SSH)

    Used for full desktop environments or server consoles. This method captures the screen as a series of images and streams them to your browser.

    Bandwidth Benchmarks (at 1080p)

    Activity Level                     | Estimated Bandwidth   | Data Used per Hour
    Idle / Static Screen               | 5 – 20 kbps           | ~5 – 10 MB
    Light Office Work (Email, Coding)  | 100 – 300 kbps        | 45 – 135 MB
    Active Web Browsing (Scrolling)    | 500 kbps – 1.5 Mbps   | 225 – 675 MB
    High Motion / Video                | 2 Mbps – 8 Mbps+      | 1 GB – 3.5 GB+

    Why it varies:

    • The Pixel Delta Principle: Excalibur SAM only transmits pixels that change. If your screen is static, bandwidth is negligible. If you play a video, every pixel changes 30–60 times per second, increasing data usage.
    • Protocol Optimization: SSH is the lightest (text-only, <50 kbps), while RDP is more efficient than VNC due to advanced caching.
  2. Vitro: Web App Streaming (DOM-based)

    Used for secure, isolated web application access. Unlike pixel streaming, Vitro does not send images of the website. Instead, it observes the structure of the page (the DOM) and sends the "blueprint" to your browser.

    How Vitro Works:

    • Full Snapshot: When you first open a session, Vitro sends a serialized snapshot of the target website's state.
    • Mutation Tracking: Vitro monitors the target site for "mutations" (changes in text, new buttons, or UI updates).
    • Serialized Delivery: Only the specific change is serialized and sent to your browser to be reconstructed.
    • Isolation: All scripts (JavaScript) run on the Excalibur server, not on your local machine. Your browser receives only the reconstructed structure of the page, so the target site's code never executes on your endpoint.

    Bandwidth Impact:

    • Native-like Traffic: Bandwidth usage is almost identical to browsing the original website directly.
    • Efficiency: Because it sends text-based "instructions" rather than image frames, Vitro is significantly lighter than RDP or VNC for web-based tasks.
    • Lower Overhead: Scrolling a long page in Vitro uses a fraction of the bandwidth compared to Pixel Streaming, as it only requires updating the scroll position rather than re-rendering thousands of pixels.
  3. Comparison at a Glance

    Feature          | Pixel Streaming (RDP/VNC)           | Vitro (Web App Streaming)
    Delivery Method  | Video-like stream of pixel tiles    | Serialized DOM mutations/blueprints
    Best For         | Desktop OS, legacy apps, servers    | Web portals, SaaS, admin consoles
    Bandwidth        | Highly dependent on screen motion   | Nearly identical to native web traffic
    Visual Quality   | Depends on compression/bitrate      | 1:1 "pixel perfect" (it is the actual site)
  4. How to Monitor Your Real-time Usage

    You can verify the performance of either stream type directly in your browser:

    • Press F12 to open Developer Tools.
    • Go to the Network tab and select WS (WebSockets).
    • Select the active Excalibur session.
    • View the Messages/Frames tab to see the size (in bytes) of the data being sent. For Vitro, you will see small "mutation" packets; for Pixel Streaming, you will see larger binary "data" packets.
  5. Optimization Tips

    • For Pixel Streams: Disable desktop wallpapers and menu animations to reduce the number of "changed pixels" the system must send.
    • For Vitro: Since Vitro is already highly optimized, ensure your local browser is up to date to handle the reconstruction of the DOM mutations as efficiently as possible.

If the RDP session is closed and later reopened (within the 15-second interval for reopening the tab), are the credentials stored in cookies or somewhere else?

No. If the browser tab is reopened within 15 seconds, the user is reconnected to the same session they were interacting with before. The session is kept alive in the background for those 15 seconds, so there is no need to store the credentials anywhere, including cookies. Once the 15-second interval expires, the session is terminated and reopening the tab starts a new session.

How many users can access and work on the same target simultaneously via RDP? Does this depend on Microsoft RDP licensing?

Yes, this depends entirely on Microsoft licensing, not on Excalibur. By default, a Windows Server allows two concurrent RDP sessions (the administrative connections). Once the Remote Desktop Session Host role and Remote Desktop Services Client Access Licenses (RDS CALs) are deployed on the server, it can handle more than two concurrent sessions. Note also that Windows by default restricts each user account to a single RDP session, so several users connecting through Excalibur with the same privileged account will take over each other's session unless that restriction is disabled on the target.

Troubleshooting & Support

How do I fix a "Network error" in the mobile app during registration?

On iOS devices, this error can sometimes be caused by a manually installed certificate profile or by iCloud Private Relay.

  1. Ensure any required certificate profiles are trusted (see Apple's support article "Trust manually installed certificate profiles in iOS, iPadOS, and visionOS").

  2. Try turning off iCloud Private Relay in your device settings:

    1. Go to Settings > [your name] > iCloud > Private Relay, then tap Private Relay.
    2. Do one of the following:
      • Turn off iCloud Private Relay temporarily: Tap Turn Off Until Tomorrow.
      • Turn off iCloud Private Relay completely: Tap Turn Off Private Relay.