StrongDM 101 — September 2025 v2

Working with the StrongDM Client

A complete interactive guide to understanding, installing, and using the StrongDM client to connect users to protected infrastructure resources.

9 modules
~25 min
Windows · macOS · Linux
01

About the StrongDM Client

The StrongDM client is the user's access point to the StrongDM network. It acts as a forward proxy that directs user traffic to the StrongDM Gateway, enabling secure, audited access to protected resources.

StrongDM Proxy Network Architecture
User (end user) → StrongDM Client (forward proxy) → Node / Gateway (reverse proxy) → Resource (protected target)

Key principle: The node only accepts traffic from the StrongDM client. All traffic must explicitly pass through the StrongDM client to reach any resource.

Confirm Accessibility

The client confirms that a resource is accessible and shows the user the connection status in real-time.

Connection Details

Provides the loopback address and override port the user needs to connect to each resource.

Use Familiar Tools

The actual connection is made using native tools — SSH, pgAdmin, browser, RDP — not the client itself.

Design Philosophy: StrongDM deliberately allows users to use their existing tools. Other PAM solutions require a proprietary agent — StrongDM does not.

02

How Connections Work

Understanding the localhost loopback mechanism is critical to using StrongDM effectively. Here's how a database connection flows through the system.

The Localhost Loopback Model

The StrongDM client listens on a predefined port on the local loopback address 127.0.0.1. When your tool (pgAdmin, SSH, etc.) connects to this address, the SDM client securely tunnels that traffic to the resource via the Gateway.

Postgres Connection Flow Example
1. SDM desktop client listens on 127.0.0.1:15432 in loopback mode
2. SDM client proxies Postgres traffic within the StrongDM-defined network to the Gateway
3. SDM Gateway uses native protocol (tcp 5432) and injects SQL credentials inline — never exposed to end user
4. Credentials are kept within your protected network. The end user experience is completely passwordless.

Override Ports

Since multiple resources share the same loopback address 127.0.0.1, StrongDM uses override ports to distinguish them. These are custom port numbers assigned when a resource is defined, different from the resource's native port.

SSH Resource: 127.0.0.1:10006 (native port: 22)
TCP Resource: 127.0.0.1:10005 (custom tcp resource)
Website Resource: http://index.company.sdm.network (URL instead of loopback)

Web Resources: When connecting to HTTP/HTTPS website resources, the StrongDM client presents a URL (e.g., http://index.company.sdm.network) instead of a loopback address. Consider using a Proxy Auto Configuration (PAC) file to automatically route browser traffic through the SDM client.

03

Desktop & CLI

The StrongDM client has two interfaces — the Desktop GUI (Mac and Windows) and the Command Line Interface (all platforms).

Client Components by Platform

StrongDM Desktop

Graphical interface available on macOS and Windows. Shows resources, connection status, loopback addresses, and provides settings management.

⌨️

StrongDM CLI

Available on all platforms (Windows, macOS, Linux). Essential on Linux where the desktop GUI is not available. Full command reference at strongdm.com/docs/cli/

Desktop UI Controls Reference

Control/Indicator | Meaning
Gear icon (highlighted) | Click to initiate connection with a resource
Red dot indicator | Resource is offline or unavailable
Clock icon | Hover to see remaining access time for temporary grants
Green "Connected" bar | Connection to the resource is already established
127.0.0.1:XXXXX | Loopback address + port to use in your client tool

Essential CLI Commands

# Log in to StrongDM
$ sdm login
# Prompts for email and password, then authenticates
Email address or User ID: user@company.com
password: ••••••••
logged in

# Check client version
$ sdm -version
sdm version 45.40.0 (8c54bd127cde1518230aa3bbd6dc2cf514f78b1c)

# View resource status
$ sdm status
SERVER      STATUS            ADDRESS          TYPE
SSH test    connected (auto)  127.0.0.1:10006  ssh
TCP server  not connected     127.0.0.1:10005  rawtcp

# Get help
$ sdm help
# Displays all available commands including:
access  access requests commands
admin   administrative commands
audit   administrative audit commands
aws     aws commands
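
Added example (not part of the original guide and not StrongDM's own code): a Python check that parses sdm status output in the four-column layout shown above and reports any listener bound outside loopback, which other hosts could reach, and any override port used by more than one resource. The function names and the legacy-db row are constructed for illustration, and real output may carry extra columns this parser does not handle.

```python
import ipaddress
from collections import Counter

# Constructed sample: the rows printed in this guide plus one invented
# misconfigured row ("legacy-db") to exercise both checks.
SAMPLE_STATUS = """\
SERVER STATUS ADDRESS TYPE
SSH test connected (auto) 127.0.0.1:10006 ssh
TCP server not connected 127.0.0.1:10005 rawtcp
staging-postgres connected 127.0.0.1:15432 postgres
legacy-db connected 0.0.0.0:15432 postgres
"""

# Most specific first: "not connected" also ends in "connected".
STATUSES = ("not connected", "connected (auto)", "connected")

def parse_status(text):
    """Parse rows right-to-left so resource names with spaces survive."""
    rows = []
    for line in text.splitlines():
        parts = line.split()  # tolerates single or column-aligned spacing
        if len(parts) < 4:
            continue
        host, sep, port = parts[-2].rpartition(":")
        if not sep or not port.isdigit():
            continue  # header row or other non-resource line
        left = " ".join(parts[:-2])
        status = next((s for s in STATUSES if left.endswith(" " + s)), None)
        if status is None:
            continue
        rows.append({"name": left[: -len(status)].strip(), "status": status,
                     "host": host.strip("[]"), "port": int(port), "type": parts[-1]})
    return rows

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames are not resolved; report them for review

def audit(rows):
    """Flag listeners outside loopback and override ports used twice."""
    findings = [f"{r['name']}: listener {r['host']}:{r['port']} is not loopback"
                for r in rows if not is_loopback(r["host"])]
    counts = Counter(r["port"] for r in rows)
    for port in sorted(p for p, n in counts.items() if n > 1):
        names = ", ".join(r["name"] for r in rows if r["port"] == port)
        findings.append(f"override port {port} is used by: {names}")
    return findings
```

Running audit(parse_status(...)) on the three rows shown in this guide returns no findings; the constructed legacy-db row produces one finding per check.
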
Adding SDM to PATH: On the desktop app, go to Settings → Install sdm in PATH. This allows you to run sdm from any terminal window. On Linux, add the binary location to your shell profile manually.

Sample SSH Connection

Here's how an SSH connection looks using the loopback address from the StrongDM desktop app:

# Connect to SSH resource via StrongDM loopback
$ ssh 127.0.0.1 -p 10006
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-47-generic x86_64)
Last login: Wed Oct 30 08:34:33 2024 from 10.0.0.17
$ ls
Desktop Documents Downloads Pictures Public ...
04

StrongDM Client on Windows

The Windows StrongDM client includes both a GUI application and CLI access. Here's a summary of the available training videos and what each covers.

GUI & CLI Install

Install the StrongDM GUI on Windows and add it to the PATH system variable.
Duration: 2m 31s

⌨️

CLI Overview

Learn commonly used CLI commands and how to add the SDM client to a host's path.
Duration: 2m 29s

GUI Client Overview

Overview of the GUI, adding the client to the host's PATH, and connecting via loopback address.
Duration: 3m 11s

RDP Connection

Connect to a Windows resource via Remote Desktop Protocol through StrongDM.
Duration: 1m 16s

SSH Connection

Make an SSH connection to a Linux server through the StrongDM Windows client.
Duration: 1m 45s

Website Connection

Connect to a web resource and leverage PAC files to route traffic through the SDM client.
Duration: 3m 11s

Windows Quick Reference

Connection Type | Tool to Use | Address Format
SSH | Windows Terminal / PowerShell | ssh 127.0.0.1 -p [override-port]
RDP | Remote Desktop Connection (mstsc) | 127.0.0.1:[override-port]
Database | pgAdmin, DBeaver, SSMS, etc. | Host: 127.0.0.1, Port: [override]
Website | Browser + PAC file | http://resource.sdm.network
05

StrongDM Client on macOS

On macOS, StrongDM provides a native desktop application alongside the CLI. The macOS client is commonly used in the StrongDM-in-a-box lab exercises.

GUI Client Overview

How to use the GUI, add the client to the host's PATH, and connect via loopback address.
Duration: 3m 01s

⌨️

CLI Overview

Common CLI commands, how to connect to Kubernetes clusters, and adding SDM to the host's PATH.
Duration: 4m 25s

SSH Connection

SSH into a server through StrongDM using the macOS Terminal application.
Duration: 1m 47s

RDP Connection

Remote Desktop to a Windows server from macOS through StrongDM.
Duration: 1m 25s

macOS PAC File: When connecting to web resources, configure a Proxy Auto Configuration (PAC) file in System Settings → Network → Proxies to automatically route browser traffic to the appropriate SDM loopback address. Refer to Apple's networking documentation for implementation details.

macOS Quick Reference

Connection Type | Tool to Use | Notes
SSH | Terminal.app | Use ssh 127.0.0.1 -p [port]
RDP | Microsoft Remote Desktop | Use 127.0.0.1:[port] as host
Kubernetes | kubectl (CLI integration) | SDM configures kubeconfig automatically
Database | TablePlus, Postico, pgAdmin | Point to 127.0.0.1 + override port
06

StrongDM Client on Linux

Linux users work exclusively with the CLI version of the StrongDM client — there is no desktop GUI for Linux. This is the most common deployment for automated and headless environments.

Linux Note: The graphical StrongDM desktop application is only available on macOS and Windows. On Linux, only the CLI (sdm) is available. All resource access and management is performed via command line.

Linux Installation Guide

Video walkthrough of installing the StrongDM client binary on Linux.
Duration: 2m 14s

Path Configuration

On Linux, add the sdm binary to your PATH manually by editing ~/.bashrc, ~/.zshrc, or /etc/environment.

Linux Installation Steps

# Download and install the sdm CLI on Linux
# Download the SDM CLI binary (check strongdm.com for latest version)
$ wget https://app.strongdm.com/releases/cli/linux/sdmcli_latest_linux_amd64.zip
$ unzip sdmcli_latest_linux_amd64.zip
$ chmod +x sdm
# Add to PATH (example using ~/.local/bin; create the directory if it does not exist)
$ mkdir -p ~/.local/bin
$ mv sdm ~/.local/bin/
$ sdm -version

# Start the SDM relay daemon (Linux headless)
$ sdm login
Email address or User ID: user@company.com
password: ••••••••
logged in
$ sdm status
# Lists all accessible resources and their loopback addresses
07

Connecting to Resource Types

StrongDM supports connections to many types of infrastructure resources. The approach is the same: use the loopback address and override port shown in the StrongDM client with your native tool.

Kubernetes Connections · 2 min

StrongDM integrates with kubectl to provide secure access to Kubernetes clusters. The SDM client configures your kubeconfig automatically.

# Connect to a Kubernetes cluster via SDM
$ sdm connect k8s-cluster-name
# SDM updates your kubeconfig automatically
$ kubectl get pods -n production
NAME                         READY  STATUS   RESTARTS
api-deployment-7d4b9c-xk2pq  1/1    Running  0
☸️

The SDM CLI configures your ~/.kube/config to point through the StrongDM proxy. All kubectl commands automatically route through the secure tunnel.

Database Connections · 4 min 14 sec

Connect any database client (pgAdmin, DBeaver, MySQL Workbench, etc.) to databases via the loopback address.

# Example: Connect psql to Postgres via SDM
# Get the loopback address from sdm status
$ sdm status
staging-postgres  connected  127.0.0.1:15432  postgres
# Connect using the address shown
$ psql -h 127.0.0.1 -p 15432 -d mydatabase
psql (16.0)
mydatabase=#
Credential Injection: You do not need to know database credentials. StrongDM injects credentials at the Gateway level — your connection is passwordless from the user perspective.

AWS Console Connections · 54 sec

StrongDM can broker access to the AWS Management Console, opening a pre-authenticated browser session.

# Open AWS Console via SDM
$ sdm ssh --exec "aws-console-resource-name"
# Or click the resource in the desktop app to open the browser
Opening AWS Console in your browser...
☁️

AWS Console resources appear in the StrongDM desktop as links. Clicking opens a federated, time-limited browser session without exposing AWS credentials to the user.

AWS CLI Connections · 1 min 8 sec

Use the AWS CLI through StrongDM for programmatic access to AWS accounts with full audit logging.

# AWS CLI via SDM (example)
$ sdm aws --account prod-account -- aws s3 ls
2024-10-01 12:00:00 my-prod-bucket
2024-10-01 12:00:00 my-logs-bucket
# All CLI calls are routed through SDM and logged
08

Requesting Access to Resources

Resources are not always permanently available. In production, users typically request temporary, time-limited access that must be approved by an administrator. There are two ways to request access.

Note: This section is an introduction to access requests. Detailed workflow configuration is covered in the StrongDM 201 — Access module.

⌨️

CLI Access Request

Use the sdm CLI to request access to resources listed in the StrongDM access catalog. An admin approves the request in the admin console.

Duration: 2m

Admin UI Request

Use the StrongDM admin console (app.strongdm.com) to browse the access catalog and submit a request. Approvals are also handled in the same console.

Duration: 1m 42s

CLI Access Request Flow

# Request access via CLI
# List available resources in the access catalog
$ sdm access request ls
NAME              TYPE      TAGS
prod-postgres     postgres  environment=prod
ssh-bastion-prod  ssh       environment=prod
# Request access to a specific resource
$ sdm access request create prod-postgres
Access request submitted. Awaiting approval...
Request ID: req-8x7y2z

Access Lifecycle

1. User Requests Access → 2. Admin Reviews Request → 3. Access Granted (Time-Limited) → 4. Access Expires Automatically

Lab Note: The StrongDM-in-a-box lab environment sets up resources with always-granted access for convenience. This configuration should NOT be used in production. In production, all access should be temporary and require approval.

09

Knowledge Check

Test your understanding of the StrongDM client with these review questions.

Question 1 of 5
What role does the StrongDM client play in the proxy architecture?
A It is a reverse proxy that sits in front of database resources
B It is a forward proxy that directs user traffic to the StrongDM Gateway
C It is a VPN client that encrypts all network traffic
D It manages user credentials and stores them locally
Question 2 of 5
A user sees "127.0.0.1:10006" next to their SSH resource in the StrongDM desktop. What do they use this for?
A They paste it into the StrongDM admin console to connect
B Nothing — the StrongDM client makes the connection automatically
C They use it in their native tool (e.g., ssh 127.0.0.1 -p 10006) to connect
D It's the address of the StrongDM Gateway server
Question 3 of 5
Which StrongDM CLI command would you use to check the connection status of all accessible resources?
A sdm login
B sdm help
C sdm status
D sdm -version
Question 4 of 5
On which platform is the StrongDM desktop GUI NOT available?
A Windows
B macOS
C Linux
D All platforms have the GUI
Question 5 of 5
Why does StrongDM use override ports (e.g., :10006) instead of the resource's native port (e.g., :22 for SSH)?
A To improve connection speed by avoiding standard ports
B To prevent firewall detection of StrongDM traffic
C To allow the StrongDM client to distinguish between multiple resources sharing the same loopback address
D To match the port number used by the StrongDM Gateway
Module Complete!

You've completed the StrongDM 101 — Working with the Client training guide.

Proxy Architecture

Forward + reverse proxy model

Desktop & CLI

GUI on Win/Mac, CLI on all platforms

Resource Connections

SSH, DB, K8s, AWS via loopback

Access Requests

CLI and UI-based approval workflows

Continue your learning journey with StrongDM 201 — Access Module to dive deeper into access workflows and temporary permissions.