Privileged Access Bridge — Overview
The Blackfort Privileged Access Bridge (PAB) is an agentless PAM gateway for IT, OT and cloud. It brokers privileged access via the browser — without any software having to be installed on the endpoint or the target system — and records sessions in an audit-proof manner.
At a glance
- Agentless: access via a browser tab; nothing is installed on the client or the target.
- Many protocols: RDP, SSH, VNC, Telnet and Kubernetes through a unified interface.
- Session recording: sessions are recorded and can be replayed in the portal.
- Real-time supervision: a supervisor can follow running sessions live in read-only mode and, in an emergency, terminate them immediately via the kill switch.
- File transfer & clipboard: controlled upload to and download from the session, clipboard synchronization.
- Sovereignly operable: on-premises or as a managed service by Blackfort — EU operation.
Architecture
PAB combines a modern, hardened portal in Blackfort design with a proven, mature session engine:
- The session engine handles the actual protocol and rendering work: RDP/SSH/VNC/Telnet/Kubernetes, terminal emulation, tunneling and the recording.
- The Blackfort layer is what you see and operate: the portal, the Backend-for-Frontend (BFF) as a security and supervision layer, the branding and the managed operation.
The benefit: you get a modern, hardened portal in Blackfort design and at the same time the maturity and protocol breadth of an established engine.
Security "by design"
PAB is designed for internet-facing operation:
- Backend-for-Frontend (BFF): The session token remains server-side; the browser only receives an HttpOnly + Secure + SameSite=Strict cookie (CSRF protection via double-submit token).
- Hardened edge: strict Content Security Policy, HSTS, rate limiting, security headers.
- Roles enforced at the BFF: the supervision role (supervisor) and kill switch are enforced at the BFF — an operator cannot bypass them.
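
The BFF pattern from the list above (server-side session token, restricted cookie, double-submit CSRF check, role check at the BFF), as an added example that is not Blackfort's code. The cookie names `bff_session` and `bff_csrf`, the delivery of the CSRF token in a second script-readable cookie, and the in-memory session store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

CSRF_KEY = secrets.token_bytes(32)  # assumption: per-process signing key
SESSIONS = {}                       # opaque session id -> server-side state


def csrf_for(sid):
    """CSRF token bound to one session id, so another session's token fails."""
    return hmac.new(CSRF_KEY, sid.encode(), hashlib.sha256).hexdigest()


def login(upstream_token, role):
    """Keep the engine token server-side; return the Set-Cookie values."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"upstream_token": upstream_token, "role": role}
    flags = "Path=/; Secure; SameSite=Strict"
    return [
        f"bff_session={sid}; HttpOnly; {flags}",  # never readable by script
        f"bff_csrf={csrf_for(sid)}; {flags}",     # script echoes it in a header
    ]


def authorize(cookie_header, csrf_header, required_role=None):
    """Return the server-side session if the request passes, else None."""
    jar = SimpleCookie(cookie_header)
    sid = jar["bff_session"].value if "bff_session" in jar else ""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    cookie_csrf = jar["bff_csrf"].value if "bff_csrf" in jar else ""
    # Double submit: the header must equal the cookie, and both must
    # match the token derived for this session.
    if not (csrf_header
            and hmac.compare_digest(csrf_header, cookie_csrf)
            and hmac.compare_digest(cookie_csrf, csrf_for(sid))):
        return None
    # The role is read from server-side state, never from the request.
    if required_role and session["role"] != required_role:
        return None
    return session
```

A kill-switch handler in this model would call `authorize(..., required_role="supervisor")` before acting, so a browser holding an operator session cannot reach it by editing client-side state.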
Operating models
| Model | Description |
|---|---|
| On-Premises | PAB runs in your environment; you administer it yourself. |
| Managed Service | Blackfort operates, maintains and patches PAB for you. |
| Break-Glass | Managed operation in which you have no standing admin access in day-to-day work, but only emergency access; Blackfort performs the daily administration. |
Details on the models and on setup can be found in the (access-restricted) Administration Guide.
Continue to …
- User Guide — login, connecting, session operation, supervision and recordings.
- Administration Guide — operating models, onboarding, connection and user management (access-restricted).