Web Application Streaming
Web Application Streaming is Excalibur's purpose-built privileged access mechanism for internally hosted, organization-controlled web management interfaces. This article explains why testing against public websites produces errors — and why those errors do not apply to real deployments.
Why Public Website Testing Fails
When you point Web Application Streaming at a public website, the PAM gateway opens an isolated browser session to a site that does not trust unknown traffic and actively blocks it. The gateway runs in a cloud datacenter, so the target website treats it as an untrusted source.
You may encounter one or more of the following:
- Anti-bot protection — CAPTCHA, Cloudflare challenge, Akamai bot detection
- IP blocking — the target website rejects connections from a cloud datacenter IP range
- Geo-IP restriction — the website denies access based on the PAM gateway's geographic location
- Rate limiting or behavioral analysis — the website flags the session as suspicious
Expected behavior, not a bug
Public websites are designed to block untrusted, automated access. This scenario does not occur in real PAM deployments where the customer controls both the gateway and the target application.
How Web Application Streaming Works
In every real-world deployment, the target web application is an internal, organization-controlled system. The customer owns both the PAM gateway and the target application, and configures the network path between them as trusted.
Web Application Streaming captures DOM mutations (snapshots) from the isolated browser session on the PAM gateway. It transmits these snapshots to the operator's browser, where the session is reconstructed. The operator interacts with the reconstructed session — they never have direct network access to the target or handle privileged credentials.
| Aspect | Public website (test) | Real PAM target (production) |
|---|---|---|
| Target ownership | Third party | The customer |
| Target aware of PAM | No | Yes — explicitly configured |
| IP blocking | Cloud IPs are blacklisted | PAM IP is allowlisted |
| Anti-bot protection | Active — gateway looks like a bot | None — no untrusted traffic |
| CAPTCHA | Active — prove you are human | None — session is machine-brokered by design |
| Trust relationship | None — adversarial | Full — both sides under customer control |
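A generic sketch of the snapshot-and-mutation model described in this section, added here as an illustration and not Excalibur's code or wire format: the operator side rebuilds the page purely from received messages. The message types, field names, and the choice to drop `script` nodes and `on*` attributes during reconstruction are assumptions.

```javascript
// Added illustration: generic snapshot + mutation replay. Message types and
// field names are hypothetical, not Excalibur's wire format.
const isHandler = (name) => /^on/i.test(name); // inline event handler attribute

// Operator side: copy only inert data out of a received node description.
function clean(n) {
  const attrs = Object.fromEntries(
    Object.entries(n.attrs || {}).filter(([k]) => !isHandler(k)));
  return { id: n.id, parent: n.parent, tag: n.tag, attrs, text: n.text || '' };
}
function addNode(nodes, n) {
  if (n.tag.toLowerCase() === 'script') return;          // never recreate scripts
  if (n.parent !== null && !nodes.has(n.parent)) return; // parent unknown or dropped
  nodes.set(n.id, clean(n));
}
function removeNode(nodes, id) {                          // drops the whole subtree
  for (const n of [...nodes.values()]) if (n.parent === id) removeNode(nodes, n.id);
  nodes.delete(id);
}
function applyMessage(nodes, msg) {
  const target = nodes.get(msg.id);
  if (msg.type === 'snapshot') { nodes.clear(); msg.nodes.forEach((n) => addNode(nodes, n)); }
  else if (msg.type === 'add') addNode(nodes, msg.node);
  else if (msg.type === 'remove') removeNode(nodes, msg.id);
  else if (msg.type === 'attr' && target && !isHandler(msg.name)) target.attrs[msg.name] = msg.value;
  else if (msg.type === 'text' && target) target.text = msg.value;
}
function replay(messages) {
  const nodes = new Map();
  for (const m of messages) applyMessage(nodes, m);
  return nodes;
}

// Debug view used to compare states; it does no HTML escaping.
function debugView(nodes, id) {
  const n = nodes.get(id);
  const attrs = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
  const kids = [...nodes.values()].filter((c) => c.parent === id);
  return `<${n.tag}${attrs}>${n.text}${kids.map((c) => debugView(nodes, c.id)).join('')}</${n.tag}>`;
}

// Constructed sample stream for an imaginary firewall admin page.
const stream = [
  { type: 'snapshot', nodes: [{ id: 1, parent: null, tag: 'body' }, { id: 2, parent: 1, tag: 'h1', text: 'Firewall admin' },
    { id: 3, parent: 1, tag: 'script', text: 'poll()' }, { id: 4, parent: 1, tag: 'button', attrs: { onclick: 'save()' }, text: 'Apply' }] },
  { type: 'add', node: { id: 5, parent: 1, tag: 'div', attrs: { class: 'toast' }, text: 'Saved' } },
  { type: 'attr', id: 4, name: 'disabled', value: 'true' }, { type: 'text', id: 2, value: 'Firewall admin (1 change)' },
  { type: 'remove', id: 5 },
];
console.log(debugView(replay(stream), 1));
```

The reconstructed tree holds only tags, attributes and text, so the operator's browser has nothing to execute and no reason to contact the target itself.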
Protected Application Types
Web Application Streaming protects administrative interfaces to critical infrastructure — systems where privileged access must be controlled, credentials vaulted, and sessions recorded.
| Category | Examples |
|---|---|
| Network and security devices | Cisco ASDM, Fortinet FortiGate, Palo Alto Panorama, F5 BIG-IP, pfSense |
| Hypervisor and hardware management | VMware vSphere/vCenter, Proxmox, Dell iDRAC, HPE iLO, Nutanix Prism |
| Containers and cloud | Kubernetes Dashboard, Rancher, Portainer, OpenShift Console |
| Databases | phpMyAdmin, pgAdmin, Oracle Enterprise Manager |
| CI/CD and DevOps | Jenkins, GitLab (self-hosted), Artifactory, SonarQube, ArgoCD |
| Security operations | Splunk, QRadar, Nessus, Qualys, certificate management UIs |
| Business applications | SAP, Oracle EBS, internal ERP/HR/Finance admin panels |
| Identity infrastructure | Active Directory web consoles, LDAP admin UIs, IAM portals |
These applications are all internally hosted or deployed as private instances. They are not exposed to the public internet and have no anti-bot protection between the PAM gateway and the application.
Recommended Demo and Evaluation Applications
To demonstrate or evaluate Web Application Streaming, use applications that represent real-world targets:
| Application | What it simulates | Setup |
|---|---|---|
| Grafana | Monitoring dashboard (rich, dynamic UI) | `docker run -d -p 3000:3000 grafana/grafana` |
| Jenkins | CI/CD admin console | `docker run -d -p 8080:8080 jenkins/jenkins:lts` |
| Portainer | Container management platform | `docker run -d -p 9443:9443 portainer/portainer-ce` |
| phpMyAdmin | Database administration | `docker run -d -p 8080:80 phpmyadmin/phpmyadmin` |
| GitLab CE | Full DevOps platform | `docker run -d -p 8080:80 gitlab/gitlab-ce` |
| pfSense / OPNsense | Firewall admin (most realistic) | VM deployment (~30 min) |
These applications are:
- Under your control — no third-party blocking or trust issues
- Representative of real PAM targets — the same applications customers protect in production
- Free of anti-bot or IP blocking — no CAPTCHAs, no IP filtering
- Feature-rich and dynamic — JavaScript-heavy UIs that test streaming performance and DOM snapshot fidelity
Related Topics
- Supported Targets — full list of target types supported by Excalibur