General settings
This topic describes how to configure the general settings for the PSM.
Overview
In Web Access Options, the General Settings parameters in the Privileged Session Management section define how the PSM functions.
These parameters are divided into the following groups:
| General Setting > Parameter Name | PSM capability |
|---|---|
| Search properties | Define the password and recording properties that can be used to search for session recordings. |
| Server settings | Define the general PSM server settings. Configure the PSM log files. |
| Session settings | Define single sessions and the way that PSM handles recordings that cannot be uploaded to the Vault. |
| Recorder settings | Configure the session recorder. |
| Connection client settings | Configure connection clients. |
Search properties
The parameters in SearchProperties define the password and recording properties that can be used to search for session recordings.
| Parameter | Description |
|---|---|
| MaxRecords | Specifies the maximum number of session recordings that are included in the recordings search results. Default: 1000 |
| Recording | Defines the recording properties that are searched. |
| Password | Defines the password properties that are searched. |
Server settings
Define the general PSM server settings.
| Parameter | Description |
|---|---|
| MaxConcurrentTSSessions | Specifies the maximum number of allowed concurrent PSM sessions. To achieve best performance for user sessions, set a maximum number of concurrent sessions that is appropriate to the size of your PSM implementation. For details about the maximum number of concurrent sessions that is supported for different PSM implementations, see |
| MaxConcurrentUploaders | Specifies the maximum number of allowed concurrent processes to upload recording files to the Vault. |
| | Specifies the interval in seconds between each configuration refresh process. |
| ClearUserProfilesInterval | The number of days between processes that clear user profiles. Specify '0' (zero) to disable. Default: 30 |
| DisableExceptionHandling (under Advanced Settings) | Determines whether or not a crash dump is created when a system error occurs. |
| ShutdownTimeout (under Advanced Settings) | Specifies the maximum time in seconds to wait for internal jobs to finish when shutting down the server. |
| EnableRadiusAuthWithNLACredentials (under Advanced Settings) | For PSM for Windows: When using RADIUS authentication in CyberArk, where the RADIUS server is configured to work with LDAP, this parameter determines whether or not PSM requires the user to authenticate again after network level authentication (NLA). |
| (under Advanced Settings) | The default Smart Card authentication is based on PKI with Distinguished Name (DN). This parameter configures the authentication to be based on PKI with Principal Name (PKI\PN). |
Clean the Shadow user profile
This section describes how to configure PSM to clean Shadow user profiles.
When users initiate a connection (session) to a target machine via PSM, a PSM Shadow user is automatically created on the PSM machine. This Shadow user is the user that logs on to the target machine and performs actions.
The purpose of the Shadow user is to isolate the session. This enables programs launched on the same server by different
During the established session, some information is saved in the Shadow user profile, which can ultimately fill up the PSM server's storage.
PSM includes an automatic cleanup process in order to manage the PSM server's storage space. You can change the default settings, such as the threshold of the Shadow user profile folder size or which subfolders to empty.
For the full list of settings, see Shadow user profile settings.
When the user profile folder exceeds the set threshold, the end user receives a warning at the beginning of the session.
To modify the default settings of the Shadow user profile:
- In the PVWA, click Administration > Options.
- Go to Privileged Session Management > General Settings > Server Settings.
- Right-click Server Settings and select Add User Profile Settings.

If your PSM servers are version 11.6 or earlier, you need to restart them after you add this section.
Shadow user profile settings
The following table includes the Shadow user profile settings.
| Parameter | Description |
|---|---|
| UserProfileThreshold | The Shadow user profile folder on the PSM machine is limited in size. Set this parameter to define the threshold in MB. When the folder exceeds the threshold, a message is displayed to the user at the beginning of each session. Default: 100 |
| NotificationLevel | When the Shadow user profile folder exceeds the UserProfileThreshold, the corresponding user's session responds according to the following: Default: Notify |
| NotificationText | The message displayed to the user at the beginning of a session when the Shadow user profile folder on the PSM machine exceeds the UserProfileThreshold. Acceptable values: String. Default: User profile storage space has been exceeded. Please contact your administrator |
| CleanupInterval | Define an interval (in hours) when all Shadow user profile folders are cleaned. Shadow user profile folders are cleaned when 70% of the UserProfileThreshold is reached. Use '0' to disable cleanup. Default: 24 |
| CleanupFolders | The Shadow user profile folders to be cleaned. Use '-' to entirely remove the Shadow User from the PSM machine. Default: Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, Saved Games, Videos |
| CleanupProcessTimeout | The timeout (in seconds) for every Shadow user profile folder removal. If the timeout is reached before the folder is deleted, PSM will try to delete the folder at the next CleanupInterval. Default: 120 |
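The following added example (not CyberArk code) audits Shadow user profile folders on a PSM server against the values in the table above: the UserProfileThreshold warning level and the 70% cleanup trigger. It also shows how much of each profile sits outside the CleanupFolders list. The profile root `C:\Users` and the `PSM-*` name filter are assumptions; set them to match where Shadow user profiles are stored on your PSM server.

```powershell
# Added example, not CyberArk code. Read-only audit of Shadow user profile sizes.
# Assumptions: profiles sit under $ProfileRoot and match $NameFilter; run elevated,
# because files that cannot be read are skipped and the totals then undercount.
function Get-FolderMB {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { return 0 }    # empty folder
    return [math]::Round($sum / 1MB, 1)
}

function Get-ShadowProfileUsage {
    param(
        [string]$ProfileRoot = 'C:\Users',     # assumption
        [string]$NameFilter = 'PSM-*',         # assumption
        [int]$UserProfileThresholdMB = 100,    # default from the table
        [string[]]$CleanupFolders = @('Desktop', 'Documents', 'Downloads', 'Favorites',
            'Links', 'Music', 'Pictures', 'Saved Games', 'Videos')   # default from the table
    )
    $cleanupTriggerMB = 0.7 * $UserProfileThresholdMB   # cleanup runs from 70% of the threshold

    Get-ChildItem -LiteralPath $ProfileRoot -Directory -Filter $NameFilter | ForEach-Object {
        $profilePath = $_.FullName
        $totalMB = Get-FolderMB $profilePath

        # Space held in the subfolders that the cleanup process empties
        $cleanableMB = 0
        foreach ($name in $CleanupFolders) {
            $cleanableMB += Get-FolderMB (Join-Path $profilePath $name)
        }

        $status = 'OK'
        if ($totalMB -ge $cleanupTriggerMB) { $status = 'CleanupDue' }
        if ($totalMB -gt $UserProfileThresholdMB) { $status = 'OverThreshold' }   # user is warned

        [pscustomobject]@{
            Profile          = $_.Name
            TotalMB          = $totalMB
            CleanableMB      = $cleanableMB
            OutsideCleanupMB = [math]::Round($totalMB - $cleanableMB, 1)
            Status           = $status
        }
    }
}

Get-ShadowProfileUsage | Sort-Object TotalMB -Descending | Format-Table -AutoSize
```

A profile whose OutsideCleanupMB alone is above the threshold will keep triggering the warning after cleanup, because that data is not in the folders listed in CleanupFolders.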
Configure privileged sessions
The following parameters in Session Settings configure privileged sessions:
| Parameter | Description |
|---|---|
| MaxSessionDuration | This parameter determines the maximum duration of the session, in minutes. This can be specified as a general PSM parameter or in a specific platform. When users log off from the remote Windows machine, the sessions on both the PSM and the remote machine are ended. However, when users disconnect the session by clicking Close or if the MaxSessionDuration parameter has expired, the PSM session is automatically ended, but the session on the remote machine continues running. The next time they log on to the same remote machine through the PSM, they will continue the same session as before. To prevent this, make sure that the Terminal Server is configured to end disconnected sessions after a specific time period. |
| EnforceDualControlTimeframeOnPSMConnections | Determines whether to enforce the Timeframe set in the Dual Control request on the PSM connection. If the parameter is set to Yes, PSM sessions are terminated at the end of the Timeframe or at the end of the MaxSessionDuration, whichever is sooner. The user receives a notification before the session is terminated. The timing of the warning is based on the WarningDisconnectionInterval value. |
| WarningDisconnectionInterval | This parameter specifies how many minutes before the user's session is disconnected a warning message about the disconnection is displayed. |
| EndUserMessageTimeout | This parameter specifies the maximum number of seconds that end user messages will be displayed. |
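The MaxSessionDuration description above asks for the Terminal Server to end disconnected sessions. The following added example (not CyberArk code) checks that on a target Windows machine: it reads the Group Policy value MaxDisconnectionTime ("Set time limit for disconnected sessions", stored in milliseconds) and lists sessions currently left in the disconnected state. The 15-minute limit is a hypothetical site policy.

```powershell
# Added example, not CyberArk code. Run on a target Windows machine reached through PSM.
function Test-DisconnectedSessionLimit {
    param(
        [int]$MaxAllowedMinutes = 15   # hypothetical site policy, not a CyberArk value
    )
    # Group Policy "Set time limit for disconnected sessions" stores milliseconds here.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $policy = Get-ItemProperty -Path $policyKey -Name MaxDisconnectionTime -ErrorAction SilentlyContinue

    if ($null -eq $policy) {
        $limitMinutes = $null
        $finding = 'No Group Policy limit set; check the local RDP-Tcp listener settings'
    }
    elseif ($policy.MaxDisconnectionTime -eq 0) {
        $limitMinutes = 0
        $finding = 'Limit is 0 (never): disconnected sessions keep running'
    }
    else {
        $limitMinutes = [math]::Round($policy.MaxDisconnectionTime / 60000, 1)
        if ($limitMinutes -le $MaxAllowedMinutes) { $finding = 'OK' }
        else { $finding = "Limit exceeds $MaxAllowedMinutes minutes" }
    }

    # Sessions left disconnected: the next logon through PSM continues these sessions.
    # The state text is 'Disc' on English-language systems.
    $disconnected = @(quser 2>$null | Select-String -Pattern '\sDisc\s' |
        ForEach-Object { $_.Line.Trim() })

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        LimitMinutes         = $limitMinutes
        Finding              = $finding
        DisconnectedSessions = $disconnected
    }
}

Test-DisconnectedSessionLimit | Format-List
```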
Upload recorded sessions to the Vault
The following parameters in Session Settings determine how the PSM handles retries when the Vault is not available and recordings cannot be uploaded.
| Parameter | Description |
|---|---|
| DelayBetweenUploadRetries | This parameter specifies the delay in seconds between upload retries to the Vault. |
| MaxUploadRetries | This parameter specifies the maximum number of upload retries to the Vault. |
Manage recording sessions
The following parameters, in Recorder Settings, define how the PSM will manage recordings:
| Parameter | Description |
|---|---|
| EnableDynamicFramesPerSecond | This parameter dynamically adjusts the frames per second rate of the PSM video recorder to decrease the performance impact. This may result in reduced quality when playing the recorded videos. |
| FramesPerSecond | This parameter specifies the number of frames to capture per second. The default value is 3. This parameter is used only when EnableDynamicFramesPerSecond is set to No. |
| LocalRecordingsFolder | This parameter specifies the name of the local folder where recordings are saved until they are uploaded to the Vault. By default, recordings are temporarily stored in the PSM installation folder. |
Configure the PSM Log Files
The types of messages included in the PSM log files are determined by the TraceLevels parameters in the Connection Client Settings, as follows:
The PSMTrace.log is configured by the following parameters in Server Settings:
| Parameter | Description |
|---|---|
| LogRotationSize | This parameter defines the maximum size in MB of the log file before it is rotated to another location, and a new log file is started. |
| TraceLevels | This parameter sets the debug level of the PSM Server. |
A new log file is created for each session for the recorder and the connection client. The trace levels for these files are specified in the following parameters:
| Log | Description |
|---|---|
| <SessionID>.Recorder.log | The <SessionID>.Recorder.log is configured in the Recorder Settings. |
| <SessionID>.<connection client>.log | The <SessionID>.<connection client>.log is configured in the Connection Client Settings. |
For more information about logging for the PSM Recorder, refer to PSM activity logs.
Configure PSM server details
The PSM server connection details determine how the PVWA will access the PSM server. You can configure as many PSM servers as you need.
The following parameters in Configured PSM Servers define the PSM server details:

| Parameter | Description |
|---|---|
| Address | This parameter specifies the address of the PSM server machine used by passwords associated with the platform that uses this PSM server. |
| Port | This parameter specifies the port used to access the PSM Server machine used by passwords associated with the platform that uses this PSM server. |
| Safe/Folder/Object | These parameters specify the location where the password of the logon account for the PSM Server is stored, and the Object parameter specifies the name of the password. |