Install a CyberArk Identity Connector
Skip this topic if you have done it as part of another tutorial.
The CyberArk Identity Connector is a multipurpose service that provides support for key features and enables secure communication between other services on your internal network or a cloud instance. Not all services require a connector, however. For example, if all users are CyberArk Cloud Directory user accounts, the connector isn’t required.
You must have at least one connector for the following use cases.
Use case | Description |
---|---|
Use Active Directory or LDAP as a directory service | This topic describes how to install the CyberArk Identity Connector to integrate your Active Directory/LDAP service with CyberArk Identity. The CyberArk Identity Connector adds AD as a directory service by enabling secure communication between CyberArk Identity and your AD domain. The CyberArk Identity Connector is installed on your network inside the firewall, runs on a domain-joined Windows server, and monitors AD for changes to users and groups. |
Manage application access with App Gateway | With App Gateway, you can configure on-premise applications for off-site access without requiring a VPN connection. For more information, see App Gateway. |
Enforce MFA on VPN clients that support RADIUS | Configure the connector as a RADIUS server to enforce MFA on RADIUS clients. Refer to MFA for VPNs and VDIs for more information. |
The machine you are installing the connector on should meet the following requirements:
- Windows Server 2012 or later
- 8 GB of memory, of which 4 GB should be available for connector cache functions
- 2 core CPU
- Has Internet access so that it can access the CyberArk cloud services.
- Has a GlobalSign Root CA - R3 certificate installed in the Local Machine Trusted Certificate root authorities store.
  Refer to https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates for more certificate detail.
- Microsoft .NET version 4.5 or later; if it isn’t already installed, the installer installs it for you.
- Be a server that is always running and accessible.
  Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.
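
A pre-install check of the host requirements listed above, as an added PowerShell example that is not part of the CyberArk documentation. The function name is hypothetical, and the root certificate is matched by subject text only, so compare its thumbprint against the value GlobalSign publishes at the URL above.

```powershell
# Added example, not CyberArk code. Thresholds come from the requirement list;
# the function name Test-ConnectorHostRequirements is hypothetical.
function Test-ConnectorHostRequirements {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $cores = (Get-CimInstance -ClassName Win32_Processor |
              Measure-Object -Property NumberOfCores -Sum).Sum

    # .NET Framework 4.5 or later reports a Release value of 378389 or higher.
    $netKey     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $netRelease = (Get-ItemProperty -Path $netKey -ErrorAction SilentlyContinue).Release

    # Unexpired GlobalSign Root CA - R3 in the Local Machine trusted root store.
    # Matching on subject text is an assumption; confirm the thumbprint separately.
    $roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {
        $_.Subject -like '*GlobalSign Root CA - R3*' -and $_.NotAfter -gt (Get-Date)
    })

    $checks = [ordered]@{
        # ProductType 1 is a workstation; version 6.2 is Windows Server 2012.
        'Windows Server 2012 or later'    = ($os.ProductType -ne 1) -and
                                            ([version]$os.Version -ge [version]'6.2')
        # Installed RAM is reported slightly under its nominal size, so round.
        '8 GB of memory installed'        = [math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 8
        # FreePhysicalMemory is reported in kilobytes.
        '4 GB of memory available'        = ($os.FreePhysicalMemory * 1KB) -ge 4GB
        '2 CPU cores'                     = $cores -ge 2
        # The installer adds .NET if this check fails.
        '.NET 4.5 or later'               = $netRelease -ge 378389
        'GlobalSign Root CA - R3 trusted' = $roots.Count -gt 0
        'Domain-joined'                   = [bool]$cs.PartOfDomain
        # DomainRole 4 and 5 are domain controllers (a recommendation, not a hard limit).
        'Not a domain controller'         = $cs.DomainRole -lt 4
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

Test-ConnectorHostRequirements | Format-Table -AutoSize
```
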
- Log in using the domain administrator account that has sufficient permissions to install the connector.
- Download the CyberArk Identity Connector package.
  - Open the Identity Administration portal.
  - Click Settings > Network > CyberArk Identity Connectors > Add CyberArk Identity Connector.
  - Click 64-bit in the Download pane.
    The download begins.
- Extract the files.
- Double-click the installation program: CyberArk Installer.
  In the file name, rr.r indicates the release version and aa indicates the processor architecture (64-bit).
- Click Yes to continue if the User Account Control warning displays.
- Click Next on the Welcome page.
- Review the End User Software License and Services Agreement, accept the terms of agreement, then click Next.
- Select the components to install, then click Next.
  The default is to install all components. Use the description on the installation UI to determine what you want to install.
- Click Install > Finish to open a second installation wizard.
  This second installation wizard initiates the connection between Active Directory and your CyberArk Identity tenant.
- Click Next on the Welcome page.
- Type the administrative user name and password for your CyberArk Identity account, then click Next.
- Click Next unless you are using a proxy to connect to the internet.
- (Optional) Specify your domain if you want to synchronize deleted objects in Active Directory/LDAP with CyberArk Identity, then click Next.
  If you want to synchronize deleted objects, make sure you are logged in as a domain administrator.
- Click Next if all of the tests are successful.
  As the final step, the connector registers your customer identifier with your tenant, then runs in the background as a Windows service.
- Click Finish to complete the configuration and open the connector configuration panel, which displays the status of the connection and your customer ID.
- Click CyberArk Identity Connector to view or change any of the default settings.
- Click Close.