Privilege Cloud Connector internal network and machine requirements

This topic describes the internal network and machine requirements for the Privilege Cloud Connector.

These specifications are based on the entry-level industry standards, for small to mid-range servers. For other implementation sizes, requirements should be customized according to your needs.

CyberArk may choose not to provide maintenance and support services for Privilege Cloud with relation to any of the platforms and systems listed below that have reached their formal End-of-Life date, as published by their respective vendors from time to time. For more details, contact your CyberArk support representative.

Connector requirements in the ISPSS Shared Services environment

In the ISPSS environment, the Privilege CloudConnector and the CyberArk Identity Connector can be installed on the same machine.

See CyberArk Identity Connector requirements

Internal network requirements

The Connector, installed inside the customer’s network, requires access to targets within the customer’s network to enable password rotation and session isolation capabilities. To do so, the Connector requires access to the following targets:

Component	Manage/Access Target Devices, like servers and routers
Connector	TCP/3389 or TCP/22 Connector ports and protocols
PSM for SSH	TCP/22

Component

Manage/Access Target Devices, like servers and routers

Connector

TCP/3389 or TCP/22

Connector ports and protocols

PSM for SSH

TCP/22

If you are installing or upgrading to Privilege CloudConnector version 12.1.1, you must install Microsoft .NET Framework 4.8 on the Connector machine.

Software requirements

Privilege Cloud Connector can be installed on AWS, Microsoft Azure, and Google Cloud Platforms.

Network Level Access (NLA) authentication must be disabled on the server.

The following table includes the server software specifications.

Machine specifications when using the Connector Management installer

The following machine specifications refer to the host machine running the Connector management agent, and do not refer to the service-specific requirements that apply to specific service connectors.

Component	Specification
Operating system	Microsoft Windows Management agent: Microsoft Windows 2016, 2019, and 2022 CPM: Microsoft Windows 2016, 2019, and 2022 PSM: Microsoft Windows 2016, 2019, and 2022 Note: * When installing PSM on MS Windows 2019 and 2022, you will need PSMConnect and PSMAdminConnector domain users. The machine on which the Secure Tunnel is installed must have an English language operating system. Japanese operating systems are supported.

Component

Specification

Operating system

Microsoft Windows

Management agent: Microsoft Windows 2016, 2019, and 2022

CPM: Microsoft Windows 2016, 2019, and 2022
PSM: Microsoft Windows 2016, 2019*, and 2022*

Note:

* When installing PSM on MS Windows 2019 and 2022, you will need PSMConnect and PSMAdminConnector domain users.
The machine on which the Secure Tunnel is installed must have an English language operating system.
Japanese operating systems are supported.

Drives

Drive	Min. available space
C: or other drive which includes :\Program Files	The Connector Managemnet is installed by default in the C:\Program Files folder. If your :\Program Files folder is located in any other drive, it can be installed there. When installing, enter the full path of the alternative installation folder, in English. The Management Agent is installed in a subfolder in the specified parent folder. Min. available space: 10GB to support CPM/PSM initial download.

Drive

Min. available space

or other drive which includes
:\Program Files

The Connector Managemnet is installed by default in the C:\Program Files folder.
If your :\Program Files folder is located in any other drive, it can be installed there.

When installing, enter the full path of the alternative installation folder, in English.

The Management Agent is installed in a subfolder in the specified parent folder.

Min. available space: 10GB to support CPM/PSM initial download.

User

You must be a local administrator user in the Windows instance that will be used as the connector host.

Component	Specification
Operating system	Microsoft Windows Management agent: Microsoft Windows 2016, 2019, and 2022 CPM: Microsoft Windows 2016, 2019, and 2022 PSM: Microsoft Windows 2016, 2019, and 2022 Note: * When installing PSM on MS Windows 2019 and 2022, you will need PSMConnect and PSMAdminConnector domain users. The machine on which the Secure Tunnel is installed must have an English language operating system. Japanese operating systems are supported.

Component

Specification

Operating system

Microsoft Windows

Management agent: Microsoft Windows 2016, 2019, and 2022

CPM: Microsoft Windows 2016, 2019, and 2022
PSM: Microsoft Windows 2016, 2019*, and 2022*

Note:

* When installing PSM on MS Windows 2019 and 2022, you will need PSMConnect and PSMAdminConnector domain users.
The machine on which the Secure Tunnel is installed must have an English language operating system.
Japanese operating systems are supported.

Component	Type	version
.Framework	.NET	4.8
Windows services	Windows Remote Management with WinRMListener and PSRemoting functionality. Required temporarily for the deployment process.

Component

Type

version

.Framework

.NET

4.8

Windows services

Windows Remote Management with WinRMListener and PSRemoting functionality.

Required temporarily for the deployment process.

Due to RDS licensing enforcement in Windows 2019 and 2022, a per-user license is no longer supported for local users. We recommend using a per-device RDS license.

To work with a per-user license on Windows 2019 and 2022 machines, PSM application users must be moved to the domain level. See Move PSM application users to the domain level for details.

Hardware requirements

The Privilege Cloud Connector and its various components are most often installed on the same host machine. In other cases, such as multiple PSM instances or CPM DR solutions, the specific components are installed on separate machines.

In the ISPSS environment, the Privilege Cloud Connector and the CyberArk Identity Connector ca be installed on the same machine.

This section presents the hardware requirements for these scenarios, considering that Secure Tunnel can be added to each of these scenarios with no additional hardware requirements.

Privilege Cloud Connector includes	See hardware requirements
Both PSM and CPM components	PSM (the most demanding component)
PSM only	PSM
CPM only	CPM
CyberArk Identity Connector only	CyberArk Identity Connector requirements

Connector PSM hardware requirements

The following table presents the HW specifications for Privilege CloudConnector with PSM component.

Specifications

PSM hardware specifications per implementation
Small implementation (1-10 concurrent RDP/SSH sessions)	Mid-range implementation (11-50 concurrent RDP/SSH sessions)	Large implementation (51-100 concurrent RDP/SSH sessions)
8 core processor (Intel compatible) 8GB RAM Network adapter (1Gb) 80GB storage	16 core processors (Intel compatible) 16GB RAM Network adapter (1Gb) 80GB storage	32 core processors (Intel compatible 2.1 GHz - 2.6 GHz) 32GB RAM Network adapter (1Gb) 250GB storage

Installing the Connector server on a virtual machine requires allocating virtual hardware resources that are equivalent to the physical hardware specifications. For details, refer Virtual machine installation settings below.

Connector CPM hardware requirements

The following table presents the specifications for Privilege Cloud Connector with CPM component - physical and virtual server requirements.

Specifications

CPM hardware specifications
Small implementation (<1,000 managed passwords)	Mid-range implementation (1,000-20,000 managed passwords)	Large implementation (20,000 – 100,000 managed passwords)	Very large implementation (more than 100,000 managed passwords)
Hardware specifications
Quad core processor (Intel compatible) 8GB RAM 2X 80GB SATA/SAS hot-swappable drives RAID Controller Network adapter (1Gb) DVD ROM	2X Quad core processor (Intel compatible) 16GB RAM 2X 80GB SATA/SAS hot-swappable drives RAID Controller Network adapter (1Gb) DVD ROM	2X Eight core processors (Intel compatible) 32GB RAM 2X 80GB SAS hot-swappable drives RAID Controller Network adapter (1Gb) DVD ROM	4X Eight core processors (Intel compatible) 64GB RAM 2X 80GB SAS hot-swappable drives RAID Controller Network adapter (1Gb) DVD ROM
Software prerequisites
Windows 2022, Windows 2019, Windows 2016 .NET Framework 4.8 CPM can be installed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platforms

Virtual machine installation settings

If you are deploying the Privilege Cloud Connector on a virtual machine, we recommend you do the following to ensure optimal performance:

In VMware based environments, install VMware Tools on every Connector VM.
Determine the amount of processing power used by installing VMware Tools and examining the PerfMon counter called [VM Processor ->Effective VM Speed in MHz].
Make sure that enough memory is allocated for the Connector VM at any given time.
use the latest version of the VM.
For VMware-based environments, version 5.5 and above, make sure hyper-threading is enabled in the BIOS for processors that support it.
Set a fixed amount of processing power reservation (MHz reservation) on the VM. You can examine the amount of expected processing power that will be used daily by Connector in your environment and reserve processing power accordingly.

AWS requirements

Small (1-5 concurrent RDP/SSH sessions)	Mid-Range (6-30 concurrent RDP/SSH sessions)	Large (31-60 concurrent RDP/SSH sessions)
C4.2xlarge 80GB storage	C4.4xlarge 80GB storage	C4.8xlarge 80GB storage

Small
(1-5 concurrent RDP/SSH sessions)

Mid-Range
(6-30 concurrent RDP/SSH sessions)

Large
(31-60 concurrent RDP/SSH sessions)

C4.2xlarge
80GB storage

C4.4xlarge
80GB storage

C4.8xlarge

80GB storage

Azure requirements

Small (1-5 concurrent RDP/SSH sessions)	Mid-Range (6-30 concurrent RDP/SSH sessions)	Large (31-60 concurrent RDP/SSH sessions)
Standard_F8s_v2 80GB storage	Standard_F16s_v2 80GB storage	Standard_F32s_v2 80GB storage

Concurrent session support

The maximum concurrency is lower (up to 40%) when installing the PSM server on a virtual machine.

Up to 100 concurrent sessions per Connector server are supported.
The concurrent sessions ranges are based on the RDP and SSH connections performance measurements.
Running resource-intensive applications like Toad, vSphere Client and so on, on the Connector server will result in lower concurrency.
The concurrent session’s ranges assume Connector is running on a dedicated server.
The concurrent session’s ranges are based on performance measurements while video recording user’s activities in HD resolution (one screen). Video recording resolution is affected by the desktop resolution of the client machine from which the connection was made. This means that performing connections from client machines with more than one HD screen, or with a higher resolution screen, will result in lower concurrency.

Chrome concurrent sessions

When adding concurrent sessions per user, make sure to increase the default timeout per session accordingly.
When increasing the number of Chrome sessions, regardless of PSM usage, make sure to follow best practices regarding machine CPU and server capabilities.
When using multiple Chrome sessions simultaneously, the sessions will consume equivalent CPU and RAM resources. For example, if you open four PSM sessions, it would consume CPU and RAM resources equivalent to four PSM concurrent sessions.

Small implementation	Mid-range implementation	Large implementation
Maximum number of Chrome sessions per user - 15 concurrent connections	Maximum number of Chrome sessions per user - 50 concurrent connections	Maximum number of Chrome sessions per user - 100 concurrent connections
Maximum total number of Chrome sessions per PSM server - 15 concurrent connections	Maximum total number of Chrome sessions per PSM server - 50 concurrent connections	Maximum total number of Chrome sessions per PSM server - 100 concurrent connections

Microsoft Edge concurrent sessions

When adding concurrent sessions per user, make sure to increase the default timeout per session accordingly.
When increasing the number of Microsoft Edge sessions, regardless of PSM usage, make sure to follow best practices regarding machine CPU and server capabilities.
When using multiple Microsoft Edge sessions simultaneously, the sessions will consume equivalent CPU and RAM resources. For example, if you open four PSM sessions, it would consume CPU and RAM resources equivalent to four PSM concurrent sessions.

Small implementation	Mid-range implementation	Large implementation
Maximum number of Microsoft Edge sessions per user - 13 concurrent connections	Maximum number of Microsoft Edge sessions per user - 45 concurrent connections	Maximum number of Microsoft Edge sessions per user - 100 concurrent connections
Maximum total number of Microsoft Edge sessions per PSM server - 15 concurrent connections	Maximum total number of Microsoft Edge sessions per PSM server - 45 concurrent connections	Maximum total number of Microsoft Edge sessions per PSM server - 100 concurrent connections

Privilege Cloud architecture