Supported Target Types
Excalibur supports four target types for privileged access management: SSH, RDP, VNC, and Web. Each target type can be accessed through the browser-based Excalibur Dashboard. SSH and RDP targets also support access through native clients via the Excalibur Proxy.
Target Types at a Glance
SSH Targets
SSH targets provide secure terminal access to Linux, Unix, macOS, and network device command-line interfaces.
Capabilities:
- Interactive shell sessions with full command execution
- SFTP file transfer
- Session recording and playback
- Credential vaulting and automatic injection
- Command-level auditing
RDP Targets
RDP targets provide graphical desktop access to Windows servers and workstations.
Capabilities:
- Full graphical desktop sessions
- Clipboard and file transfer controls (configurable per policy)
- Session recording and playback
- Credential vaulting and automatic injection
- Concurrent session limits governed by Microsoft licensing, not Excalibur
Concurrent RDP sessions
The number of concurrent RDP sessions depends on the Windows Server licensing configuration, not on Excalibur. See Concurrent RDP Sessions for details.
VNC Targets
VNC targets provide graphical access to systems that expose a VNC server — commonly Linux desktops, hypervisor consoles, and headless appliances.
Capabilities:
- Graphical desktop sessions via VNC protocol
- Session recording and playback
- Credential vaulting
Web Targets
Web targets allow controlled access to internally hosted web management interfaces through Excalibur's Web Application Streaming technology. Excalibur opens an isolated browser session on the PAM gateway, captures DOM mutations, and streams a reconstructed view to the operator's browser. The operator never has direct network access to the target application.
Capabilities:
- Access to internal web-based admin consoles (e.g., vSphere, FortiGate, Jenkins, phpMyAdmin)
- Credential vaulting with login macro support for automated authentication
- Session recording and playback
- No direct network path between the operator and the target application
Web targets are for internal applications
Web Application Streaming is designed for organization-controlled web interfaces — not public websites. Public websites use anti-bot protection, IP blocking, and CAPTCHAs that prevent proxied access by design. See Web Application Streaming for details.
Access Methods
Browser-Based Access (Default)
All four target types support browser-based access through the Excalibur Dashboard. The operator opens a session directly in the browser — no client software is required on the operator's workstation.
This is the primary and recommended access method. It eliminates protocol-level attack surface because the operator's device never communicates directly with the target using the raw protocol. See Browser-Based Access for the security rationale.
Native Client Access via Excalibur Proxy
For SSH and RDP targets, Excalibur also supports access through native clients (such as OpenSSH, PuTTY, or Microsoft Remote Desktop) via the Excalibur Tunnel Client. This enables organizations to keep existing scripts, automation, and operational workflows while enforcing PAM controls.
How it works:
- The administrator enables SSH Proxy and/or RDP Proxy on the tunnel configuration and assigns a listening port.
- The Excalibur Tunnel Client listens on the specified ports for incoming native client connections.
- The operator connects with their native SSH or RDP client to the Tunnel Client address and port.
- Excalibur authenticates the operator via QR-based MFA before forwarding the session to the target.
Security controls applied to native client sessions:
- MFA — QR-based passwordless authentication is required for every connection
- RBAC — operators only see and connect to targets they are authorized to access
- Session recording — sessions are recorded and auditable
- No public exposure — the target's SSH/RDP port is never exposed to the internet
- No lateral movement — TCP forwarding and port tunneling are disabled
Transition path
Native client access lets you adopt Excalibur without disrupting existing workflows. Organizations can run both access methods in parallel and migrate to browser-based access at their own pace.
For configuration steps, see Connect to PAM targets using Native SSH and RDP Client in the Administrator Manual.
Related Articles
- Web Application Streaming — how web target streaming works and recommended demo applications
- Browser-Based Access — security rationale for browser-based access
- Raw Protocol Proxying Risks — why raw TCP proxying undermines protocol security
- Bandwidth & Performance — bandwidth characteristics per target type