Configure PSM to connect to Web applications
PSM supports secure connections to web applications using a web browser.
For configuration details, see Web applications for PSM.
Step 1: Configure PSM to run web applications
- Log on to the PSM machine as an administrative user.
- Open the PSMHardening.ps1 script in the C:\Program Files (x86)\CyberArk\PSM\Hardening folder in a text editor, and check the value of $SUPPORT_WEB_APPLICATIONS. If it is not set to $true, change the value to $true and rerun the hardening script.
Step 2: Deploy the dispatcher
WebAppDispatcher v12.6 is deployed with PSM v13.0. To also support web application connections via the
Step 3: Configure the Browser
CyberArk plugins and Connection Components use web drivers to connect to web-based targets. For the connection to succeed, the driver and browser versions must be the same. This applies to both Chrome and Edge drivers.
You can set up and update your preferred web driver in one of the following ways:
Method | Description and Required steps
---|---
Automatic update | The WebDriverUpdater tool automates Chrome and Edge driver updates. The WebDriverUpdater runs every hour and checks the driver and browser versions installed on the CyberArk component machines. If these are not the same, the WebDriverUpdater downloads the latest drivers from the relevant Google and Microsoft sites. If no drivers are detected in the path specified in the component configuration, the WebDriverUpdater downloads the driver version that complies with the browser version. To automatically update your web browser driver:
Manual update | It is your responsibility to install the relevant drivers for your preferred web browser. For every update of the web browser, you must update the related driver according to industry instructions. To manually set up your web browser driver:
Use the relevant procedure for your browser:
Chrome
Install Google Chrome (32-bit) on the PSM machine.
Configure AppLocker to enable Chrome to run.
- Remove the read-only permission from the PSMConfigureAppLocker.xml file.
- In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit the AllowedApplications section:
  - At the beginning of the Google Chrome processes section, remove the following line:
    <!-- If relevant, uncomment this part to allow Google Chrome webform based connection clients
  - At the end of the Google Chrome processes section, remove the following line:
    End of Google Chrome process comment -->
  - Specifically, make sure that the following line is uncommented:
    <Application Name="GoogleChrome" Type="Exe" Path="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Method="Hash" />
  - Verify that the path specified in the XML matches the browser installation path.
- Save the PSMConfigureAppLocker.xml configuration file and close it.
- Open PowerShell in C:\Program Files (x86)\CyberArk\PSM\Hardening and run the following command to start the script:
  .\PSMConfigureAppLocker.ps1
For details, see Run AppLocker rules.
In-Domain environments
Perform the PSM hardening, including GPO settings, as specified in PSM Hardening.
Out-of-Domain environments
Run the PSMHardening.ps1 script in the PSM\Hardening folder with $SUPPORT_WEB_APPLICATIONS set to $true inside the script.
After running this script, make sure the output logs are empty.
Edge
Install Microsoft Edge (32-bit) on the PSM machine. Download the Edge driver and place it in the C:\Program Files (x86)\CyberArk\PSM\Components folder.
Configure AppLocker to enable Edge to run.
- Remove the read-only permission from the PSMConfigureAppLocker.xml file.
- In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit the AllowedApplications section:
  - At the beginning of the Microsoft Edge processes section, remove the following line:
    <!-- If relevant, uncomment this part to allow Edge webform based connection clients
  - At the end of the Microsoft Edge processes section, remove the following line:
    End of Microsoft Edge process comment -->
  - Specifically, make sure that the following line is uncommented:
    <Application Name="Edge" Type="Exe" Path="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Method="Hash" />
  - Verify that the path specified in the XML matches the browser installation path.
  - Add the following line:
    <Application Name="msedgedriver" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\msedgedriver.exe" Method="Hash" />
- Save the PSMConfigureAppLocker.xml configuration file and close it.
- Open PowerShell in C:\Program Files (x86)\CyberArk\PSM\Hardening and run the following command to start the script:
  .\PSMConfigureAppLocker.ps1
For details, see Run AppLocker rules.
In-Domain environments
Perform the PSM hardening, including GPO settings, as specified in PSM Hardening.
Out-of-Domain environments
Run the PSMHardening.ps1 script in the PSM\Hardening folder with $SUPPORT_WEB_APPLICATIONS set to $true inside the script.
After running this script, make sure the output logs are empty.
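The following check for the Chrome and Edge AppLocker edits above is an added example, not part of the CyberArk documentation or tooling. It reads PSMConfigureAppLocker.xml, reports which of the browser rules are actually active (not still inside a comment), and whether each rule's Path exists on this machine. The function name and output columns are illustrative; the file path and rule names are the ones quoted on this page.

```powershell
# Added example (not CyberArk code). Paths and rule names are the ones quoted on this page.
$XmlPath   = 'C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml'
$RuleNames = 'GoogleChrome', 'Edge', 'msedgedriver'   # trim to the browser you actually use

function Test-PsmBrowserRule {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Name
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.IsReadOnly) {
        Write-Warning "$Path is still read-only; edits to it will not save."
    }

    # Load() throws if the edit left the file malformed (for example an unterminated comment).
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($file.FullName)

    # Rules inside <!-- ... --> are comment nodes, so only active rules are returned.
    # local-name() keeps the query working whether or not the file declares a namespace.
    $active = @($doc.SelectNodes("//*[local-name()='Application']"))

    foreach ($n in $Name) {
        $rules = @($active | Where-Object { $_.GetAttribute('Name') -eq $n })
        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Rule = $n; Status = 'Not active (commented out or missing)'; Method = $null; Path = $null }
            continue
        }
        foreach ($r in $rules) {
            $exe = $r.GetAttribute('Path')
            # Guard against an empty Path attribute before touching the file system.
            $ok  = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
            [pscustomobject]@{
                Rule   = $n
                Status = if ($ok) { 'Active, executable found' } else { 'Active, but Path does not exist' }
                Method = $r.GetAttribute('Method')
                Path   = $exe
            }
        }
    }
}

Test-PsmBrowserRule -Path $XmlPath -Name $RuleNames | Format-Table -AutoSize -Wrap
```

Run it after saving the XML and before running PSMConfigureAppLocker.ps1; a rule reported as active with a missing Path corresponds to the "path matches the browser installation path" check in the steps above.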
Certificates
If the target web application uses an HTTPS certificate or any other certificate, make sure that the certificate is properly installed and valid on the PSM machine.
Test the connection
Log on to the PSM server as an administrative user. Verify that you can open the browser and access the login page of the target web application.
The web browser driver must correspond to the version of the installed browser.
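To check the version requirement above on the PSM machine, the following added example (not part of the CyberArk documentation or tooling) compares each installed browser's product version with the version its driver reports. The browser paths and the msedgedriver.exe path are the ones quoted on this page; the chromedriver.exe location in the Components folder is an assumption, and the function names are illustrative.

```powershell
# Added example (not CyberArk code). The chromedriver.exe location is an assumption.
$Components = 'C:\Program Files (x86)\CyberArk\PSM\Components'
$Pairs = @(
    @{ Browser = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
       Driver  = Join-Path $Components 'msedgedriver.exe' },
    @{ Browser = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
       Driver  = Join-Path $Components 'chromedriver.exe' }   # assumed path
)

function Get-DriverVersion {
    param([Parameter(Mandatory)] [string] $Path)
    # Both drivers answer --version with a banner that contains a four-part version.
    $banner = (& $Path --version 2>&1 | Out-String)
    if ($banner -match '\d+(\.\d+){3}') { return $Matches[0] }
    throw "No version found in output of $Path --version"
}

function Compare-BrowserDriver {
    param([Parameter(Mandatory)] [hashtable[]] $Pair)
    foreach ($p in $Pair) {
        # Skip browsers that are not installed on this machine.
        if (-not (Test-Path -LiteralPath $p.Browser -PathType Leaf)) { continue }
        $browser = (Get-Item -LiteralPath $p.Browser).VersionInfo.ProductVersion
        $driver  = if (Test-Path -LiteralPath $p.Driver -PathType Leaf) { Get-DriverVersion $p.Driver } else { $null }
        [pscustomobject]@{
            Browser        = Split-Path $p.Browser -Leaf
            BrowserVersion = $browser
            DriverVersion  = $driver          # empty when the driver file is missing
            # The page requires the versions to be the same; SameMajor only helps triage.
            Same           = ($null -ne $driver) -and ($browser -eq $driver)
            SameMajor      = ($null -ne $driver) -and ($browser.Split('.')[0] -eq $driver.Split('.')[0])
        }
    }
}

Compare-BrowserDriver -Pair $Pairs | Format-Table -AutoSize
```

Run it from an administrative PowerShell session on the PSM server, since the script starts the driver executable to read its version.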