In the figure:
- Direct access is where the Privileged Access Manager server runs a connector locally. This connector connects to the target system over the network. This is also called a push mode target system.
- Indirect access via a Privileged Access Manager proxy server is where an active Privileged Access Manager server connects to a proxy server. The proxy server runs a connector on behalf of the active server. The connector connects to a target system on the network. Proxy servers are typically co-located with one or more distant or firewalled managed systems. Interaction with target systems via a proxy is still considered push mode, because an active Privileged Access Manager server initiates each connection.
- Direct or web-proxied connections initiated from a client device, accessing a web services API URL on an active Privileged Access Manager server. This is called local service mode and is typically deployed on user laptops, to allow for the fact that they may be powered off, relocated assigned dynamic IP addresses, firewalled, NAT'ed and generally be difficult or unreliable for a central Privileged Access Manager server to find.