
Cybersecurity Memo

Monday, August 7, 2023

Deploy CyberArk Cloud PAM Solution on Two Connector Servers for Azure AD Cloud Only Enterprise

This post summarizes some unique points for setting up a CyberArk SaaS Cloud PAM solution for a small or medium-sized cloud-only (Azure AD) enterprise. Cloud-only here means there is no domain service, or only a one-way sync (from Azure AD to Azure AD Domain Services).


Connector Server


The Identity Connector is only needed in certain situations:

  • Use Active Directory or LDAP as a directory service
  • Manage application access with App Gateway
  • Enforce MFA on VPN clients that support RADIUS


Identity Integration with Azure AD

1. Add Azure Active Directory

2. Configure Azure Active Directory Service

3. Create A New Azure APP Registration
To add AAD as a directory source, you need to register an application in your Azure account with appropriate access to the Microsoft Graph API. You can then authenticate using the Azure application's Application ID, Directory ID, and Client Secret.

Your Azure Active Directory users can now log in to CyberArk Identity using their Azure Active Directory credentials. Add them to roles so you can grant permissions to applications, enforce authentication profiles, and more.

After entering a username, users are redirected for authentication, then redirected back to the User Portal after successfully completing the authentication mechanisms.

MFA from Azure is well supported, since users log in with their Azure AD credentials.

4. Activate InstallerUser and Reset Password
Enable this account ([email protected]; nnnn is the number). The account's password is reset and the account is disabled again every 24 hours.

5. After the Azure AD service is integrated into Identity, you can add roles

Map the Privilege Cloud roles to the security groups created in your Azure AD.

6. Policy

Create an Azure MFA policy and apply it to your Privilege Cloud groups. Also give it top priority so that it is applied to those users.
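Before the Application ID, Directory ID and Client Secret from step 3 are entered into CyberArk Identity, it is worth confirming that the app registration can actually obtain an app-only token and read users through Microsoft Graph. The following PowerShell is an added example, not code from the original post or from CyberArk; the tenant ID, client ID and secret are placeholders, and it assumes the registration has been granted a Graph application permission that allows reading users (User.Read.All is used here as an assumption; use whatever permission set CyberArk's documentation requires).

```powershell
# Added example: verify the Azure app registration used as CyberArk Identity's
# Azure AD directory source. The values below are placeholders, not real identifiers.
$TenantId     = '<Directory (tenant) ID>'
$ClientId     = '<Application (client) ID>'
$ClientSecret = Read-Host -Prompt 'Client secret' -AsSecureString

# Expose the secret in plain text only for the duration of the token request.
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ClientSecret)
try {
    $PlainSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
}

# OAuth 2.0 client-credentials grant against the v2.0 token endpoint.
$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $PlainSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$PlainSecret = $null

# Decode the JWT payload (our own token, so no signature check is needed here)
# to see which application permissions (roles) were actually granted and consented.
$Payload = $TokenResponse.access_token.Split('.')[1]
switch ($Payload.Length % 4) { 2 { $Payload += '==' } 3 { $Payload += '=' } }
$Bytes  = [Convert]::FromBase64String($Payload.Replace('-', '+').Replace('_', '/'))
$Claims = [Text.Encoding]::UTF8.GetString($Bytes) | ConvertFrom-Json
"Token issued for app $($Claims.appid) in tenant $($Claims.tid)"
"Application permissions in token: $($Claims.roles -join ', ')"

# Read a single user. This is the kind of call CyberArk Identity makes when it
# syncs the directory; a 403 here usually means admin consent is still missing.
$Headers = @{ Authorization = "Bearer $($TokenResponse.access_token)" }
$Users = Invoke-RestMethod -Method Get -Headers $Headers `
    -Uri 'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName&$top=1'
"Graph read succeeded; first user: $($Users.value[0].userPrincipalName)"
```

If the `roles` claim comes back empty, the permission was added to the registration but admin consent has not been granted; fix that in Azure before continuing with the CyberArk Identity configuration, because the directory sync will fail with the same error.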

Pre-implementation Checklist


1. Public IPv4 address which will be used to access CyberArk Privilege Cloud
2. Create CyberArk Administrator, CyberArk Auditor and CyberArk User groups
  • Recommended naming convention is CA-Admins, CA-Auditors, and CA-EndUsers
3. Firewall rules
  • Allow access to Microsoft Updates
  • All outbound traffic
    • Cloud/PrivCloud-sys-req-networks.htm
  • Management ports
    • Standard ports and protocols: SysReq/Standard Ports - CPM.htm
  • Palo Alto or Next Gen Firewalls
4. Connector servers
  • Windows 2022, deployed into an OU with GPO inheritance disabled
  • Joined to a Windows domain
  • .NET Framework 4.8 installed
  • No anti-virus software
  • RDS license
  • Latest patches and updates
5. SIEM information
6. Create a Windows reconcile account
  If you are a cloud-only environment, you might not need it; it is only needed for local admin accounts.
7. Snapshots for VMs
8. For EPM LCD and Alero Vendor Access, you will need a certificate for the HTML5 gateway
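The connector-server and firewall items in this checklist can be verified on each server before the installer is run. The script below is an added example (not from the original post or from CyberArk) that checks the OS version, domain membership, .NET Framework 4.8, the RDS Session Host role, the last installed hotfix, Defender real-time protection and outbound TCP 443 to a list of endpoints. The endpoint list is a placeholder; replace it with the hosts from CyberArk's network requirements page referenced above. Run it locally as an administrator on the connector server.

```powershell
# Added example: pre-implementation readiness check for a Privilege Cloud connector
# server. Thresholds follow the checklist; $Endpoints is a placeholder list.
$Endpoints = @(
    '<subdomain>.cyberark.cloud',   # placeholder: your Privilege Cloud tenant host
    'login.microsoftonline.com'     # Azure AD sign-in, used by the Identity integration
)

function Test-ConnectorPrerequisites {
    $Results = [ordered]@{}

    # Windows Server 2022
    $Os = Get-CimInstance -ClassName Win32_OperatingSystem
    $Results['Windows Server 2022'] = $Os.Caption -like '*Server 2022*'

    # Joined to a Windows domain
    $Cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $Results['Domain joined'] = [bool]$Cs.PartOfDomain

    # .NET Framework 4.8: the NDP v4 Full "Release" value is 528040 or higher
    $Ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue
    $Results['.NET Framework 4.8'] = ($null -ne $Ndp) -and ($Ndp.Release -ge 528040)

    # RDS: Remote Desktop Session Host role present (PSM sessions run on it)
    $Rds = Get-WindowsFeature -Name RDS-RD-Server -ErrorAction SilentlyContinue
    $Results['RDS Session Host role'] = ($null -ne $Rds) -and [bool]$Rds.Installed

    # Patching: report the most recent hotfix date so the reviewer can judge it
    $LastFix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $Results['Last hotfix installed'] =
        if ($LastFix) { $LastFix.InstalledOn.ToString('yyyy-MM-dd') } else { 'none found' }

    # Anti-virus: the checklist asks for no AV on the connector. Only Defender is
    # queried here; any third-party product must be checked by hand.
    try {
        $Mp = Get-MpComputerStatus -ErrorAction Stop
        $Results['Defender real-time protection'] = [bool]$Mp.RealTimeProtectionEnabled
    } catch {
        $Results['Defender real-time protection'] = 'not available'
    }

    # Outbound TCP 443 to every endpoint the connector must reach
    foreach ($Endpoint in $Endpoints) {
        $Tnc = Test-NetConnection -ComputerName $Endpoint -Port 443 -WarningAction SilentlyContinue
        $Results["Outbound 443 to $Endpoint"] = [bool]$Tnc.TcpTestSucceeded
    }

    [pscustomobject]$Results
}

Test-ConnectorPrerequisites | Format-List
```

The GPO-inheritance and SIEM items are not checked here because neither is visible from the server itself; confirm them in the AD OU settings and with the SIEM team respectively.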

Install Identity Connectors on Servers

Download Software and Tools

1. Download the software (CyberArk Privilege Cloud Tools) from the Marketplace - CyberArk Integrations and tools
This package is a collection of pre/post implementation tools required to deploy the CyberArk Privilege Cloud Connector components.

The package contains the following tools:
  • Add-PSMApps
  • Connector Management Prerequisites (Only for CM, otherwise use
  • PSMCodec.exe
  • PSMP AutoInstall Script(
  • PSM Convert local2domain Users (Set-DomainUser)
  • Onboard PrivilegeCloud Admin(For Standalone)
  • Reports (LicenseCapacity and UserReport)

2. Download the CyberArk Privilege Cloud software

CyberArk is proud to announce the release of Privilege Cloud version 13.2!

This release includes the following improvements to Privilege Cloud: 
  • Privileged Session Manager (PSM) enhancements
  • Support for ‘non-sticky’ sessions
  • Conjur Enterprise plugin
  • Custom plugin development improvement
  • Access Amazon Web Services (AWS) console with STS
  • Accessibility improvements (Privilege Cloud standard only)
  • Secure Tunnel enhancements

Install Software

1. Install Privilege Cloud Connector (Primary server and secondary server)
  • PSM will be active on both servers
  • CPM will be active on the primary server and standby on the secondary

2. Install Secure Tunnel
It is installed on both connector servers, but the configuration is saved in the Vault. When you need to change the configuration, change it on one server only; the second server retrieves the configuration from the Vault.
  • For Syslog traffic
  • For PSM-RDP traffic

3. Reset the installeruser account password and activate the account for the installation

Add Identity Connectors

The CyberArk Identity Connector is a multipurpose service that provides support for key features and enables secure communication between other services on your internal network or a cloud instance. Not all services require a connector, however. For example, if all users are CyberArk Cloud Directory user accounts, the connector isn’t required.

You can install additional connectors for load balancing and failover. You might also want to install more than one connector if you use multiple Identity Administration tenants. In most cases, you should install two connectors in a production environment. Identity Administration determines which connector to use by monitoring connector health and making a random selection with a bias toward healthy connectors.

The following diagram illustrates the default ports used by the Identity Connector.

1. From the Identity Administration page, select Connector Management

2. Add a connector 

3. Define installation details

4. Copy the script and run it on the connector servers

CyberArk Privilege Cloud Secure Tunnel

Deployment Scenarios

Basic Deployment, One Site

Basic Deployment, Multiple Sites

CyberArk Useful Links
