
Cybersecurity Memo

Sunday, July 4, 2021

Thycotic Secret Server Cloud - Distributed Engine

All interaction between the SSC tenant and your on-premises network goes through the distributed engine service. The work that the distributed engine performs includes Active Directory authentication, password changing, and heartbeat. The machine where the engine is installed must be able to communicate outbound on ports 443 and 9354.
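Before installing, it is worth confirming from the prospective engine host that the two outbound ports named above are actually open, since a blocked port shows up later only as an engine that never registers. The PowerShell check below is an added example, not Thycotic's installer or documentation; the endpoint hostnames in it are placeholders that you replace with the ones given for your own tenant.

```powershell
# Added example (not Thycotic's code). Checks that this host can reach the
# Secret Server Cloud endpoints outbound on TCP 443 and 9354, the two ports the
# engine needs. The hostnames are PLACEHOLDERS: substitute the endpoints given
# for your own tenant (the 9354 endpoint may differ from the 443 one).
$endpoints = @(
    @{ Host = 'yourtenant.secretservercloud.example'; Port = 443  },
    @{ Host = 'yourtenant.secretservercloud.example'; Port = 9354 }
)

$results = foreach ($e in $endpoints) {
    # Test-NetConnection (Windows 8 / Server 2012 and later) performs a real TCP
    # handshake; TcpTestSucceeded is $false when a firewall or proxy blocks it.
    $t = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $e.Host
        Port      = $e.Port
        Resolved  = [bool]$t.RemoteAddress   # $false when DNS lookup failed
        Reachable = $t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "Outbound connectivity missing on: $list. Fix egress firewall/proxy rules before installing the engine."
    exit 1
}
Write-Host 'All required outbound ports are reachable.'
```

Run it in an elevated PowerShell session on the machine you intend to host the engine; if it exits with a warning, raise the egress rule with the firewall or proxy team before continuing with the installation steps.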



Distributed Engine supports Heartbeat, Password Changing, and Discovery. It is composed of Site Connectors, Sites, and Engines.




The Engine is a Windows Service which does the actual work such as password changing, heartbeat, Discovery, etc. Each Engine belongs to a Site.

The Site can be thought of as a bucket of work items for a particular network area. Each Engine is assigned to a single Site but each Site can include multiple Engines, significantly increasing throughput.

The Site Connector is a Windows Service which holds the work items for a number of Sites. The Site Connector can be either RabbitMq or MemoryMq (a built-in service developed by Thycotic). Each Site can only be assigned to a single Site Connector but you can have multiple Site Connectors running on separate machines, each storing work items for multiple Sites. Those sites, in turn, distribute the work items among multiple Engines. The ability to add new Site Connectors, Sites, and Engines as needed makes Distributed Engine a highly-scalable solution.
 
For the highest levels of scalability and reliability, Thycotic recommends using RabbitMq. MemoryMq is an easy alternative for customers who do not need many Engines or Sites.


Source: https://thycotic.force.com/support/s/article/Distributed-Engine

SS Cloud Architecture: https://docs.thycotic.com/ss/10.8.0/secret-server-cloud/architecture



Install the Distributed Engine

  1. Navigate to Admin > Distributed Engine

  2. Click the Download Engine Installer button for either 64-bit or 32-bit.

    Note: You can install distributed engine on your workstation or laptop for testing purposes, but for production installs, the distributed engine server should be installed on a server. SS uses the distributed engine to communicate with your domain, so if your machine is turned off, users cannot log on with their domain accounts, and heartbeat and remote password changing will fail.

  3. Run setup.exe as an administrator to install the engine service. This will install into Thycotic Software Ltd\Distributed Engine.

  4. Go to Admin > Distributed Engine.

  5. Click Manage Sites.

  6. Click Manage New Engines. There should be a new engine available.

  7. Click the Assigned Site dropdown list and select Default.

  8. Approve it by clicking the check box to the right.

  9. Validate the engine’s connectivity:

    1. Go to Admin > Distributed Engine > Manage Sites.

    2. Click the Default site.

    3. Click the Validate Connectivity button to test the communication between the engine and SS. It may take several minutes for the engine to register. If it does not immediately validate wait a few minutes and try again.
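If Validate Connectivity keeps failing, the first thing to rule out is the engine host itself. The PowerShell check below is an added example, not Thycotic's code: it confirms on the engine machine that the install landed in the folder step 3 names and that the engine service exists, runs, and is set to start automatically (so a reboot does not silently take domain logins down, as the note under step 2 warns). It assumes the install folder sits under Program Files and that the service's display name contains "Distributed Engine"; the exact service name is not given on this page.

```powershell
# Added example (not Thycotic's code). Run on the engine host after step 3.
# Assumptions: the install folder is under Program Files at the relative path
# the page gives, and the service's display name contains "Distributed Engine".
$installDir = Join-Path $env:ProgramFiles 'Thycotic Software Ltd\Distributed Engine'

if (Test-Path $installDir) {
    Write-Host "Install directory present: $installDir"
} else {
    Write-Warning "Install directory not found at $installDir; re-run setup.exe as an administrator."
}

# Win32_Service exposes the logon account (StartName) and start mode,
# which Get-Service does not show.
$services = Get-CimInstance Win32_Service |
            Where-Object { $_.DisplayName -like '*Distributed Engine*' }

if (-not $services) {
    Write-Warning 'No service with "Distributed Engine" in its display name was found.'
    exit 1
}

foreach ($svc in $services) {
    $svc | Select-Object Name, DisplayName, State, StartMode, StartName | Format-List

    if ($svc.StartMode -ne 'Auto') {
        # A manual-start engine stops working after a reboot until someone starts it.
        Write-Warning "Service '$($svc.Name)' start mode is $($svc.StartMode); setting it to Automatic."
        Set-Service -Name $svc.Name -StartupType Automatic
    }
    if ($svc.State -ne 'Running') {
        Write-Warning "Service '$($svc.Name)' is $($svc.State); starting it."
        Start-Service -Name $svc.Name
    }
}
Write-Host 'Engine service check complete; now use Validate Connectivity in the SSC console.'
```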

Configure Active Directory Integration

Active Directory integration allows users to log in with their domain credentials. Connections to your domain are routed through the distributed engine service running in your network.

  1. On the dashboard, create a new Active Directory secret from the create secret widget in the upper right hand corner.

    Note: The domain account should be able to read users and groups from the domain you want to sync. For detailed information on the rights required, please see Active Directory Rights for Synchronization Account (KB).

  2. Type the domain, username, and password in the Create Secret form.

  3. Save the secret.

  4. Navigate to Admin > Active Directory.

  5. Click Edit and check the boxes for Enable Active Directory Integration and Enable Synchronization of Active Directory.

  6. Click the Save button.

  7. Click the Edit Domains button.

  8. Click the Create New button.

  9. Type your FQDN and a friendly domain name that users will see on the login page.

  10. Click Sync Secret to select the secret you just created.

    Note: The domain site is set to default. This means that the Active Directory authentication and synchronization will run through the distributed engine service installed on your network.

    Note: Do not select “Enable Login from AD.” If you do, you cannot set the domain groups later in this instruction.

  11. Click the Save and Validate button.

  12. Click the Back button.


  13. Click the Edit Synchronization button. The Synchronization Edit page appears.

  14. In the Available Groups list, click each domain group that you want to be able to log on to the SSC instance and click the < button to move the group to the Synchronized Groups list.

  15. Click the Save button.

  16. Click the Synchronize Now button to start the user and group synchronization immediately. The synchronization process runs automatically, but to get immediate results, you can start it manually.
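Synchronization and domain logins both depend on the account in the sync secret being able to read users and groups through the engine, so a failed Save and Validate (step 11) or an empty Available Groups list (step 14) usually traces back to that account or to name resolution on the engine host. The PowerShell check below is an added example, not Thycotic's code: run on the engine host, it confirms the domain FQDN resolves and that the sync account can read group and user objects. It needs the RSAT ActiveDirectory module, and the domain name in it is a placeholder.

```powershell
# Added example (not Thycotic's code). Run on the engine host with the RSAT
# ActiveDirectory module installed. $DomainFqdn is a PLACEHOLDER: use the FQDN
# you entered in step 9.
param(
    [string]$DomainFqdn = 'corp.example.com'
)
Import-Module ActiveDirectory -ErrorAction Stop

# Prompt for the same account that is stored in the AD sync secret (DOMAIN\user).
$cred = Get-Credential -Message "Account stored in the AD sync secret for $DomainFqdn"

# 1. The engine host must resolve the domain FQDN (DNS on the engine host is what matters,
#    not DNS on your workstation).
try {
    $aRecord = Resolve-DnsName -Name $DomainFqdn -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    Write-Host "Resolved $DomainFqdn to $($aRecord.IPAddress)"
} catch {
    Write-Warning "DNS lookup for $DomainFqdn failed: $_"
    exit 1
}

# 2. The sync account must be able to read both group and user objects;
#    a small ResultSetSize keeps the check quick on a large directory.
try {
    $groups = @(Get-ADGroup -Filter * -Server $DomainFqdn -Credential $cred -ResultSetSize 5)
    $users  = @(Get-ADUser  -Filter * -Server $DomainFqdn -Credential $cred -ResultSetSize 5)
    Write-Host "Read $($groups.Count) group(s) and $($users.Count) user(s) as $($cred.UserName)"
} catch {
    Write-Warning "Sync account cannot read the directory: $_"
    exit 1
}

if ($groups.Count -eq 0 -or $users.Count -eq 0) {
    Write-Warning 'Bind succeeded but no objects were returned; check the read rights granted to the sync account.'
    exit 1
}
Write-Host 'Domain resolution and sync account read access look good.'
```

A bind error here means the secret's password or account is wrong; a successful bind that returns nothing means the account lacks read rights on users or groups, which is the case the note under step 1 (Active Directory Rights for Synchronization Account) covers.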

Test Heartbeat and Remote Password Changing

Heartbeat ensures the secrets you have stored have the correct password, and Remote Password Changing (RPC) changes passwords on demand or on a schedule.

  1. Navigate to Admin > Remote Password Changing.

  2. Click the Edit button.

  3. Click to select the Enable Remote Password Changing and Enable Heartbeat check boxes.

  4. Click the Save button.


  5. Click the Run Now button in the Remote Password Changing and Heartbeat Log sections. This runs the heartbeat and RPC processes immediately.

  6. Go to the secret you created for domain synchronization in the previous section or create a new test secret to use.

  7. A brand new secret’s Last Heartbeat status should be pending or processing. Once heartbeat completes you should see one of these statuses:

    • Unable to Connect: SS could not reach the target machine. This could be a firewall issue, or the machine name or IP address is wrong.
    • Failed: SS could connect but could not authenticate. This likely means the password on the secret is incorrect.
    • Success: SS successfully connected with the username and password.

  8. You can test password changing by viewing a secret and clicking the Change Password Remotely button.

    Note: This will change the password on the target system.

  9. You can view the status of password changes and heartbeats in the log at Admin > Remote Password Changing.
