This post summarizes some unique points for setting up the CyberArk SaaS Cloud PAM solution (Privilege Cloud) for a small or medium-sized, cloud-only (Azure AD) enterprise. Cloud only here means there is no domain service at all, or at most a one-way sync from Azure AD to Azure AD Domain Services.
Diagram
Connector Server
The Identity Connector is only needed in certain situations:
- Use Active Directory or LDAP as a directory service
- Manage application access with App Gateway
- Enforce MFA on VPN clients that support RADIUS
Note: https://docs.cyberark.com/Idaptive/Latest/en/Content/CoreServices/Connector/Connector-Deploy.htm?tocpath=Administrator%7CDeploy%20the%20CyberArk%20Identity%20Connector%7C_____0
Identity Integration with Azure AD
1. Add Azure Active Directory
2. Configure Azure Active Directory Service
3. Create A New Azure APP Registration
To add AAD as a directory source, you need to register an application in your Azure account with appropriate access to the Microsoft Graph API. You can then authenticate using the Azure application's Application ID, Directory ID, and Client Secret.
Your Azure Active Directory users can now log in to CyberArk Identity using their Azure Active Directory credentials. Add them to roles so you can grant permissions to applications, enforce authentication profiles, and more.
After entering a username, users are redirected to login.microsoftonline.com for authentication, then redirected back to the User Portal after successfully completing authentication mechanisms.
Azure MFA is supported well, since users log in with their Azure AD credentials.
4. Activate InstallerUser and Reset Password
Enable this account: [email protected] (nnnn is your tenant number). The account resets its password and is disabled again automatically every 24 hours.
5. After the Azure AD service is integrated into Identity, you can add roles
Map the Privilege Cloud roles to the security groups created in your Azure AD.
6. Policy
Create an Azure MFA policy and apply it to your Privilege Cloud groups. Also make it the top priority so that it is applied to those users.
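As an added example (not part of the original post and not CyberArk's own tooling), the PowerShell below checks the three values from step 3 (Application ID, Directory ID, Client Secret) before you paste them into CyberArk Identity: it performs the same client-credentials flow against login.microsoftonline.com that the integration relies on, prints which Graph application roles the app actually carries in its token, and reads one user through the Microsoft Graph API. The function and parameter names are my own; the exact Graph permissions CyberArk needs come from the CyberArk documentation, not from this script.

```powershell
# Added example, not from the original post or from CyberArk.
# Verifies an Azure app registration the way CyberArk Identity will use it:
# client-credentials token, then a minimal directory read.
function Test-GraphAppRegistration {
    param(
        [Parameter(Mandatory)] [string] $TenantId,     # "Directory ID" in the Azure portal
        [Parameter(Mandatory)] [string] $ClientId,     # "Application ID"
        [Parameter(Mandatory)] [string] $ClientSecret  # secret value; read it from a vault, never hard-code it
    )

    # 1. Client-credentials token for the Graph resource.
    $tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    try {
        $token = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body `
            -ContentType 'application/x-www-form-urlencoded'
    } catch {
        throw "Token request failed (wrong Directory ID, Application ID or secret?): $($_.Exception.Message)"
    }

    # 2. Decode the JWT payload (base64url, no signature check; inspection only)
    #    to list the application roles that actually received admin consent.
    $payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload = $payload.PadRight($payload.Length + (4 - $payload.Length % 4) % 4, '=')
    $claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    $roles   = @($claims.roles)

    # 3. Read a single user. Success shows the app can enumerate the directory,
    #    which CyberArk Identity needs in order to import users for role mapping.
    $headers = @{ Authorization = "Bearer $($token.access_token)" }
    try {
        $users = Invoke-RestMethod -Method Get -Headers $headers `
            -Uri 'https://graph.microsoft.com/v1.0/users?$top=1&$select=userPrincipalName'
        $firstUpn = $users.value[0].userPrincipalName
    } catch {
        throw "Graph read failed; check that the Graph application permissions have admin consent: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        TenantId      = $TenantId
        AppRoles      = ($roles -join ', ')
        DirectoryRead = $true
        SampleUpn     = $firstUpn
    }
}

# Usage (placeholder values; in practice read the secret from a secret store):
# Test-GraphAppRegistration -TenantId '<directory-id>' -ClientId '<application-id>' -ClientSecret '<client-secret>'
```

If the token request succeeds but the directory read fails, the credentials are right and the problem is consent: the application permissions were added to the registration but an administrator has not granted them, which is the most common reason the directory source shows no users after it is added in CyberArk Identity.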
Pre-implementation Checklist
1. Public IPv4 Address which will be used to access CyberArk Privilege Cloud
2. Create CyberArk Administrator, CyberArk Auditor and CyberArk User groups.
- Recommended naming convention is CA-Admins, CA-Auditors, and CA-EndUsers
3. Firewall rules
- Allow access to Microsoft Updates
- All outbound traffic: https://docs.cyberark.com/Product-Doc/OnlineHelp/PrivCloud-SS/Latest/en/Content/Privilege Cloud/PrivCloud-sys-req-networks.htm
- Management ports: standard ports and protocols https://docs.cyberark.com/Product-Doc/OnlineHelp/PrivCloud-SS/Latest/en/Content/PAS SysReq/Standard Ports - CPM.htm
- Palo Alto or next-generation firewalls: https://cyberark-customers.force.com/s/article/Vault-Connectivity-fails-when-components-separated-by-Palo-Alto-Firewall
4. Connector Servers
- Windows Server 2022, deployed into an OU with GPO inheritance disabled
- Joined to a Windows domain
- .NET Framework 4.8 installed
- No anti-virus software
- RDS license
- Latest patches and updates
5. SIEM information
6. Create Windows Reconcile Account
If you are in a cloud-only environment, you might not need it; it is only used for local admin accounts.
7. Snapshots for VMs
8. For EPM LCD and Alero Vendor Access, you will need a certificate for the HTML5 gateway
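Checklist item 2 above, as an added example (not from the original post): create the three Azure AD security groups with the recommended names using the Microsoft Graph PowerShell SDK, skip any that already exist, and print the object IDs you will later map to the Privilege Cloud roles in CyberArk Identity. The description strings are my own.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph) and an account allowed to create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

# Names follow the post's recommended convention; descriptions are my own wording.
$groupSpecs = @(
    @{ Name = 'CA-Admins';   Description = 'CyberArk Privilege Cloud administrators' }
    @{ Name = 'CA-Auditors'; Description = 'CyberArk Privilege Cloud auditors (read-only)' }
    @{ Name = 'CA-EndUsers'; Description = 'CyberArk Privilege Cloud end users' }
)

$result = foreach ($spec in $groupSpecs) {
    # Exact displayName match so that re-running the script never creates duplicates.
    $existing = Get-MgGroup -Filter "displayName eq '$($spec.Name)'"
    if ($existing) {
        $group = $existing | Select-Object -First 1
        $state = 'exists'
    } else {
        # Security group, not mail-enabled: that is what role mapping needs.
        $group = New-MgGroup -DisplayName $spec.Name -Description $spec.Description `
            -MailEnabled:$false -MailNickname $spec.Name -SecurityEnabled
        $state = 'created'
    }
    [pscustomobject]@{ Group = $spec.Name; ObjectId = $group.Id; State = $state }
}

# The ObjectId column is the value to keep for the role mapping step.
$result | Format-Table -AutoSize
```

Keep these groups under the same membership governance as your other privileged groups (owner assignment, access reviews, no dynamic membership rules you do not control), since membership in CA-Admins becomes Privilege Cloud administration once the role mapping is in place.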
Install Identity Connectors on Servers
Download Software and Tools
1. Download the tools package. This package is a collection of pre/post-implementation tools required to deploy the CyberArk Privilege Cloud Connector components. The package contains the following tools:
- Add-PSMApps
- CreateCredFile-Helper.zip
- Connector Management Prerequisites (Only for CM, otherwise use PSMCheckPrerequisites_PrivilegeCloud.zip)
- LDAPSCertificateTool.zip
- ldp.zip
- PSMCheckPrerequisites_PrivilegeCloud.zip
- PSMCodec.exe
- PSMP AutoInstall Script(psmpwiz.sh).zip
- PSM Convert local2domain Users (Set-DomainUser)
- Onboard PrivilegeCloud Admin(For Standalone)
- Reports (LicenseCapacity and UserReport)
2. Download CyberArk Privilege Cloud Software
CyberArk is proud to announce the release of Privilege Cloud version 13.2!
This release includes the following improvements to Privilege Cloud:
- Privileged Session Manager (PSM) enhancements
- Support for ‘non-sticky’ sessions
- Conjur Enterprise plugin
- Custom plugin development improvement
- Access Amazon Web Services (AWS) console with STS
- Accessibility improvements (Privilege Cloud standard only)
- Secure Tunnel enhancements
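Before running the installers in the next section, an added example (my own script, not the PSMCheckPrerequisites_PrivilegeCloud tool shipped in the package above) that checks the connector-server items from the pre-implementation checklist on the local machine: Windows Server 2022, domain membership, .NET Framework 4.8, no running anti-virus service, the RD Session Host role with a licensing mode configured, and patch recency. The 45-day patch window and the anti-virus service-name pattern are my own assumptions; GPO inheritance on the OU has to be checked in the domain, not on the server.

```powershell
# Added example, not from the original post or from CyberArk.
# Run in an elevated PowerShell session on the candidate connector server.
function Test-ConnectorServerPrereqs {
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }) }

    # OS edition: the checklist requires Windows Server 2022.
    $os = Get-CimInstance Win32_OperatingSystem
    & $add 'Windows Server 2022' ($os.Caption -like '*Server 2022*') $os.Caption

    # Domain membership.
    $cs = Get-CimInstance Win32_ComputerSystem
    & $add 'Joined to a Windows domain' $cs.PartOfDomain $cs.Domain

    # .NET Framework 4.8 writes Release >= 528040 under this key.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    & $add '.NET Framework 4.8 installed' ($ndp.Release -ge 528040) "Release=$($ndp.Release)"

    # Anti-virus: Windows Server has no SecurityCenter2 namespace, so inspect running
    # services instead. The pattern is an assumption; extend it for your own agents.
    # Defender AV is caught by 'antivirus' (its display name contains the word).
    $avPattern = 'antivirus|anti-virus|endpoint protection|crowdstrike|sentinel|mcafee|symantec|trend micro|sophos|carbon black'
    $av = Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.DisplayName -match $avPattern }
    & $add 'No anti-virus service running' (-not $av) ($av.DisplayName -join '; ')

    # RDS: Session Host role present and a licensing mode set (2 = per device, 4 = per user).
    # This only confirms the mode is configured, not that a licence server answers.
    $rds = Get-WindowsFeature RDS-RD-Server -ErrorAction SilentlyContinue
    & $add 'RD Session Host role installed' $rds.Installed ''
    $lic = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core' -ErrorAction SilentlyContinue
    & $add 'RDS licensing mode configured' ($lic.LicensingMode -in @(2, 4)) "LicensingMode=$($lic.LicensingMode)"

    # Patch recency; the 45-day window is my own threshold.
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    & $add 'Patched within the last 45 days' ($lastPatch.InstalledOn -gt (Get-Date).AddDays(-45)) `
        "Last: $($lastPatch.HotFixID) $($lastPatch.InstalledOn)"

    return $results
}

$report = Test-ConnectorServerPrereqs
$report | Format-Table -AutoSize
# Non-zero exit so the check can gate an automated build of the server.
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

The script reports rather than remediates on purpose: a failed anti-virus check on a PAM connector is a decision for the security team (exclusions versus removal), not something a build script should silently change.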
Install Software
1. Install Privilege Cloud Connector (Primary server and secondary server)
- PSM will be active on both servers
- CPM will be active on primary and standby for secondary
2. Install Secure Tunnel
It is installed on both connector servers, but the configuration is saved in the vault. When you need to change the configuration, change it on one server only; the second server retrieves the configuration from the vault.
- For syslog traffic
- For PSM-RDP traffic
3. Reset installeruser account password and activate it for installation
Add Identity Connectors
The CyberArk Identity Connector is a multipurpose service that provides support for key features and enables secure communication between other services on your internal network or a cloud instance. Not all services require a connector, however. For example, if all users are CyberArk Cloud Directory user accounts, the connector isn’t required.
You can install additional connectors for load balancing and failover. You might also want to install more than one connector if you use multiple Identity Administration tenants. In most cases, you should install two connectors in a production environment. Identity Administration determines which connector to use by monitoring connector health and making a random selection with a bias toward healthy connectors.
The following diagram illustrates the default ports used by the Identity Connector.
1. From Identity Administration page, select Connector Management
2. Add a connector
3. Define installation details
4. Copy script and run it in the connector servers
CyberArk Privilege Cloud Secure Tunnel
Deployment Scenarios
Basic Deployment, One Site
Basic Deployment, Multiple Sites