
Privileged Access Bridge — Overview

The Blackfort Privileged Access Bridge (PAB) is an agentless PAM gateway for IT, OT and cloud. It brokers privileged access via the browser — without any software having to be installed on the endpoint or the target system — and records sessions in an audit-proof manner.

At a glance

  • Agentless: access via a browser tab; nothing is installed on the client or the target.
  • Many protocols: RDP, SSH, VNC, Telnet and Kubernetes through a unified interface.
  • Session recording: sessions are recorded and can be replayed in the portal.
  • Real-time supervision: a supervisor can follow running sessions live in read-only mode and, in an emergency, terminate them immediately via the kill switch.
  • File transfer & clipboard: controlled upload and download into the session, clipboard synchronization.
  • Sovereignly operable: on-premises or as a managed service by Blackfort — EU operation.

Architecture

PAB combines a modern, hardened portal in Blackfort design with a proven, mature session engine:

  • The session engine handles the actual protocol and rendering work: RDP/SSH/VNC/Telnet/Kubernetes, terminal emulation, tunneling and the recording.
  • The Blackfort layer is what you see and operate: the portal, the Backend-for-Frontend (BFF) as a security and supervision layer, the branding and the managed operation.

The benefit: you get a modern, hardened portal in Blackfort design and at the same time the maturity and protocol breadth of an established engine.

Security "by design"

PAB is designed for internet-facing operation:

  • Backend-for-Frontend (BFF): The session token remains server-side; the browser only receives an HttpOnly+Secure+SameSite=Strict cookie (CSRF protection via double-submit token).
  • Hardened edge: strict Content Security Policy, HSTS, rate limiting, security headers.
  • Roles enforced at the BFF: the supervision role (supervisor) and kill switch are enforced at the BFF — an operator cannot bypass them.
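
The BFF pattern described above, as an added sketch that is not Blackfort's code: the engine token stays in server-side state, the browser holds only an opaque HttpOnly cookie plus a session-bound double-submit CSRF token, and supervisor-only actions are checked against the server-side role. The cookie names, action names and in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)   # secret known only to the BFF (assumption)
SESSIONS = {}                          # opaque cookie id -> server-side state
SUPERVISOR_ONLY = {"watch_session", "kill_session"}  # hypothetical action names


def csrf_for(sid):
    """CSRF token bound to the session id, so a planted cookie cannot match."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def login(engine_token, role):
    """Keep the engine token server-side; return the Set-Cookie header values."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"engine_token": engine_token, "role": role}
    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["httponly"] = True      # not readable by page scripts
    jar["csrf"] = csrf_for(sid)        # readable, so the portal can echo it in a header
    for name in ("sid", "csrf"):
        jar[name]["secure"] = True
        jar[name]["samesite"] = "Strict"
        jar[name]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]


def authorize(cookie_header, csrf_header, action):
    """Return the engine token for the upstream call, or None to reject."""
    jar = SimpleCookie(cookie_header)
    if "sid" not in jar or "csrf" not in jar:
        return None
    session = SESSIONS.get(jar["sid"].value)
    if session is None:
        return None
    expected = csrf_for(jar["sid"].value).encode()
    sent_header = (csrf_header or "").encode()
    sent_cookie = jar["csrf"].value.encode()
    # Double submit: header and cookie must both equal the session-bound token.
    if not (hmac.compare_digest(sent_header, expected)
            and hmac.compare_digest(sent_cookie, expected)):
        return None
    if action in SUPERVISOR_ONLY and session["role"] != "supervisor":
        return None                    # role comes from server-side state only
    return session["engine_token"]
```

Binding the CSRF token to the session id with an HMAC means a request is rejected even if an attacker manages to set a matching cookie and header pair of their own choosing.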

Operating models

| Model | Description |
|---|---|
| On-Premises | PAB runs in your environment; you administer it yourself. |
| Managed Service | Blackfort operates, maintains and patches PAB for you. |
| Break-Glass | Managed operation in which you have no standing admin access in day-to-day work, but only emergency access; Blackfort performs the daily administration. |

Details on the models and on setup can be found in the (access-restricted) Administration Guide.

Continue to …

  • User Guide — login, connecting, session operation, supervision and recordings.
  • Administration Guide — operating models, onboarding, connection and user management (access-restricted).