PSM pre-installation tasks
This topic describes prerequisites to the PSM installation.
Verify that all installed components and applications are compatible. The compatible versions of the Privileged Access Manager - Self-Hosted components are listed in
Before installing or upgrading, ensure that your system still complies with security requirements. To learn more, see Security Fundamentals.
Ready the PSM server machine
The following section describes prerequisites for the PSM server machine.
- Remote Desktop Services (RDS) Session Host Role
- Verify you have the required number of RDS CALs to enable you to access the RDS server. For more information, refer to Connect to the PSM server with Microsoft Remote Desktop Services (RDS) Session Host.
For information about setting up RDS on Windows, refer to the Microsoft documentation.
To benefit from the RemoteApp user experience, validate the following:
- RDP client v6.1.7601 or above (RDP protocol version v7.1 or above) on end user machines.
PSM License
Verify that the CyberArk license specifies PSM. Each PSM server installation requires its own license, so make sure that your license specifies the number of PSM servers that you intend to install.
Permissions to install
During installation, Safes and a User are created to enable the PSM to work. So that the installation creates these successfully, the Vault user who installs PSM must have the following authorizations in the Vault:
- Add Safes
- Add/Update Users
- Reset Users’ Passwords
- Activate Users
- Manage Vault File Categories
During Vault installation, an Administrator user is created with these authorizations specifically for this type of activity.
RDS on a PSM server
This procedure describes how to set up RDS on a PSM server.
This procedure is done automatically during PSM automatic installation.
If you install PSM using the PSM wizard installation, you must set up RDS. To do this, either run the Set up script or perform the following procedure manually.
- In the Server Manager, display the Dashboard, then select Add Roles and Features.
- In the Add Roles and Features Wizard window, select Installation Type, then click Next.
- In the Installation Type window, select Remote Desktop Services installation, then click Next.
- Select the server where the new roles will be installed:
  - In the Specify RD Connection Broker server window, select the current server, then click Next.
  - In the Specify RD Web Access server window, select the current server, then click Next.
  - In the Specify RD Session Host servers window, select the current server, then click Next.
- In the Confirm selection window, select Restart the destination server automatically if required, then click Deploy.
- After the server has restarted, add a session collection:
  - In the Server Manager, select Remote Desktop Services, then Collections.
  - Select Tasks, then Create Session Collection, and then click Next.
  - In the Collection Name window, specify the collection name, then click Next.
  - In the RD Session Host window, select the current PSM server, then click Next.
  - In the User Groups window, remove all user groups. Add a group or a user that you trust to connect to the PSM server via RDP (for example, the administrator user that you are currently logged on with), then click Next.
  - In the User Profile Disks window, clear Enable user profile disks, then click Next.
  - Click Create.
- Make sure that the current server is the only server associated with your session collection.
The RemoteApp feature requires a connection broker and a session collection to be associated with it. If these prerequisites are not set up, the PSM installation will not be able to install the RemoteApp feature. If this happens, you can repair the installation and add the RemoteApp feature at a later stage, after setting up the prerequisites. If you are not using the default session collection, see Set up the RemoteApp feature with a custom session collection.
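The manual RDS procedure above, expressed with the Windows RemoteDesktop PowerShell module as an added example; it is not CyberArk's setup script. The collection name and trusted group are assumed placeholders, and the script is meant to be saved to a file and run elevated on the domain-joined PSM server. It ends by checking the two conditions the procedure calls out: a single session host and a restricted user group list.

```powershell
# Added example, not CyberArk's setup script. Run elevated on the domain-joined PSM server.
Import-Module RemoteDesktop

$Server     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # FQDN of the current server
$Collection = 'PSM-Collection'          # assumed collection name
$Trusted    = 'EXAMPLE\PSM-RDP-Admins'  # assumed trusted group (placeholder)

# Stage 1: RD Connection Broker, RD Web Access and RD Session Host on the current server.
$deployed = $false
try { $deployed = [bool](Get-RDServer -ConnectionBroker $Server -ErrorAction Stop) } catch { }
if (-not $deployed) {
    New-RDSessionDeployment -ConnectionBroker $Server -WebAccessServer $Server -SessionHost $Server
    Write-Host 'Deployment requested. Restart the server if required, then run the script again.'
    return
}

# Stage 2: create the session collection if it does not exist yet.
$existing = Get-RDSessionCollection -ConnectionBroker $Server -ErrorAction SilentlyContinue |
    Where-Object { $_.CollectionName -eq $Collection }
if (-not $existing) {
    New-RDSessionCollection -CollectionName $Collection -SessionHost $Server -ConnectionBroker $Server
}

# Replace the collection's user groups with the trusted group only.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $Trusted -ConnectionBroker $Server

# User profile disks must be off; disable them only if something enabled them.
$upd = Get-RDSessionCollectionConfiguration -CollectionName $Collection -UserProfileDisk -ConnectionBroker $Server
if ($upd.EnableUserProfileDisk) {
    Set-RDSessionCollectionConfiguration -CollectionName $Collection -DisableUserProfileDisk -ConnectionBroker $Server
}

# Verify: the current server is the only session host, and only one group may connect.
$hosts  = @((Get-RDSessionHost -CollectionName $Collection -ConnectionBroker $Server).SessionHost)
$groups = @((Get-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup -ConnectionBroker $Server).UserGroup)
if ($hosts.Count -ne 1 -or $hosts[0] -ne $Server) {
    Write-Warning "Collection '$Collection' has unexpected session hosts: $($hosts -join ', ')"
}
if ($groups.Count -ne 1) {
    Write-Warning "Collection '$Collection' allows more than one group: $($groups -join ', ')"
}
[pscustomobject]@{ Collection = $Collection; SessionHosts = $hosts; UserGroups = $groups }
```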
If you use the default session collection, this step is not required.
In an environment where the custom session collection was configured in the RD connection broker role, the RemoteApp feature installation might fail during PSM installation. In this scenario, manually publish the PSMInitSession.exe remote application in the RDS collection that you configured for the PSM environment, as described below. This will enable the RemoteApp feature to be installed successfully.
This procedure is done automatically during PSM automatic installation.
- In the server where you installed the RD connection broker, open the Server Manager.
- Select the collection you created for your PSM environment, then, in the REMOTEAPP PROGRAMS section, select TASKS and Publish RemoteApp Programs.
- Select one of the PSM servers that belong to your collection and navigate to the location of the PSMInitSession.exe application on that server. The default location is the Components folder in the PSM installation folder.
- Select the PSMInitSession.exe application and publish it.
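The publishing steps above, as an added PowerShell example run on the RD connection broker; it is not part of the CyberArk installation package. The broker name, collection name, RemoteApp alias and display name are assumptions, the PSM installation folder is a placeholder to fill in, and the file check assumes PowerShell remoting is enabled to the PSM servers.

```powershell
# Added example. Run elevated on the server that holds the RD Connection Broker role.
Import-Module RemoteDesktop

$Broker     = 'rdcb.example.com'             # assumed connection broker FQDN
$Collection = 'PSM-Collection'               # assumed custom collection name
$PsmFolder  = '<PSM installation folder>'    # placeholder: set to your PSM installation folder
$ExePath    = Join-Path $PsmFolder 'Components\PSMInitSession.exe'
$Alias      = 'PSMInitSession'               # assumed alias, mirrors the file name

# The published path is resolved on the session hosts, so confirm that the
# file exists on every PSM server in the collection before publishing.
$hosts = @((Get-RDSessionHost -CollectionName $Collection -ConnectionBroker $Broker).SessionHost)
if ($hosts.Count -eq 0) { throw "Collection '$Collection' has no session hosts." }

$missing = foreach ($h in $hosts) {
    $found = Invoke-Command -ComputerName $h -ArgumentList $ExePath -ScriptBlock {
        param($Path) Test-Path -LiteralPath $Path -PathType Leaf
    }
    if (-not $found) { $h }
}
if ($missing) { throw "PSMInitSession.exe not found at '$ExePath' on: $($missing -join ', ')" }

# Publish only if the application is not already in the collection.
$app = Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker |
    Where-Object { $_.Alias -eq $Alias }
if (-not $app) {
    New-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker `
        -Alias $Alias -DisplayName 'PSMInitSession' -FilePath $ExePath | Out-Null
    $app = Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker |
        Where-Object { $_.Alias -eq $Alias }
}

# Confirm that what is published points at the expected binary.
if ($app.FilePath -ne $ExePath) {
    Write-Warning "RemoteApp '$Alias' points to '$($app.FilePath)', expected '$ExePath'."
}
$app | Select-Object CollectionName, Alias, DisplayName, FilePath
```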