Configure remote access for employees

This topic describes how to enable privileged users to connect remotely to target machines.

Overview

Enable privileged users in your organization to connect to target machines through Privilege Cloud from outside of your organization's network.

Privilege Cloud uses CyberArk Remote Access and HTML5 to enable secure remote access sessions through PSM from any web browser and any end user platform. This functionality eliminates the need for VPN clients while still enabling privileged users to connect and perform critical work.

Behavior details:
  • When connecting remotely, after clicking Connect in the Privilege Cloud Portal, the session is launched in a new tab in the web browser.

  • This method is supported in Windows, Mac, and Unix/Linux.

Prerequisites

  • This connection method is not supported with Basic User licenses. Ensure you have alternative licenses (Privilege Standard, Privilege Enterprise, Vendor PAM) configured in your system.

Before you begin

Step 1: Contact your CyberArk account team

  • Contact your account team and request that they enable HTML5 gateway.

Step 2: Prepare the Connector machines and the relevant certificates

Certificates are required for validation in order to allow secure RDP over TLS communication with the Privilege Cloud backend.

If certificates are used as part of your organizational policy, obtain the following from your IT department:

  • Root CA certificates as well as all intermediate certificates.
    Install the CA public certificates and all intermediate certificates on all the Connector machines (if you have not deployed the Connector yet, install the certificates on the machine designated for the Connector). At a later stage, you will also need to provide these certificates to CyberArk support in order to upload them to the Privilege Cloud backend.

    Certificates sent to CyberArk support for upload to the Privilege Cloud backend must be in PEM or DER format.

  • The specific certificates of the Connector machines.

    At a later stage you will need to upload these certificates to the RDS (after you deploy the Connector if you have not deployed it yet) for secure communication with the Privilege Cloud backend.

    The certificates must meet these guidelines:

    Guideline                  | Basic / Connector behind a load balancer without SSL termination | Connector behind a load balancer with SSL termination
    Format                     | PFX                                                               | PFX
    Subject \ Common Name (CN) | FQDN of the Connector server.                                     | FQDN of the load balancer. Note: the load balancer needs to be able to trust the Connector over TLS networking.
    SubjectAltName (SAN)       | FQDN of the Connector server.                                     | If the Connector servers are behind a load balancer, then the FQDN of the load balancer.

If you cannot obtain the certificates from your IT department, generate certificates as described in Generate certificates for the PSM servers.


For testing purposes, you may use the default Windows Remote Desktop certificates of the Connector machines. These certificates will be uploaded to the Privilege Cloud backend to create a trust with the Connector machines. In this case, provide the certificates from all the PSM machines.

Any change to the machine certificate requires an update in the Privilege Cloud backend.

Step 3: Deploy the Privilege Cloud Connector

If the Privilege Cloud Connector is not deployed, follow the instructions in Deploy the Privilege Cloud Connector.

Step 4: Set the master policy to work with PSM

Step 5: Open port 443 between the Secure Tunnel and the Connector machines

To enable SSL authentication, make sure that port 443 is open between the Secure Tunnel and the PSM machines. This is required for the PSM REST APIs to work with the Privilege Cloud Portal.

Step 6: (Optional) Configure non-default keyboard layout

HTML5 sessions support various keyboard layouts in addition to the default en-us-qwerty layout, which means that you can monitor sessions of employees who use a different keyboard layout. To set a different layout, you need the assistance of CyberArk support.

Provide CyberArk support with the layout that you require, and they will set it during configuration.

Configuration workflow


When you reach a task that requires the assistance of CyberArk support, inform your representative for further assistance.

Step 1: Configure the RDS with the certificate

This section describes how to configure the Remote Desktop Services on the PSM server to use your SSL certificate.

You have the following options, depending on your environment:


For testing purposes, you may use the default Windows Remote Desktop certificates of the Connector machines. These certificates will be uploaded to the Privilege Cloud backend to create a trust with the Connector machines. In this case, provide the certificates from all the PSM machines.

Any change to the machine certificate requires an update in the Privilege Cloud backend.
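The following PowerShell is an added example, not CyberArk's own code: run on a Connector machine, it checks a PFX against the CN and SAN guidelines from the certificate preparation step above and binds it to the RDS listener as this step requires. The PFX path is a placeholder, and the script assumes the certificate carries the Connector FQDN; set $ExpectedFqdn to the load balancer FQDN instead when the load balancer terminates SSL.

```powershell
# Added example (not CyberArk's code). Run in an elevated session on the Connector.
$PfxPath     = 'C:\certs\connector.pfx'               # placeholder path
$PfxPassword = Read-Host -AsSecureString 'PFX password'

# Expected name: the Connector FQDN (assumption). When a load balancer terminates
# SSL, replace this with the load balancer FQDN, per the guideline table.
$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Import into the machine store so RDS (running as SYSTEM) can use the private key.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# Guideline: Subject CN must be the FQDN, compared case-sensitively (-cne).
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
if ($cn -cne $ExpectedFqdn) {
    throw "Subject CN '$cn' does not match expected FQDN '$ExpectedFqdn'."
}

# Guideline: the SubjectAltName extension (OID 2.5.29.17) must list the same FQDN.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = if ($sanExt) { ($sanExt.Format($false) -split ',\s*') -replace '^DNS Name=', '' } else { @() }
if ($sanNames -cnotcontains $ExpectedFqdn) {
    throw "SAN does not contain '$ExpectedFqdn'. Found: $($sanNames -join ', ')"
}
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; RDS cannot present it.' }

# Bind the certificate to the RDP-Tcp listener through the Terminal Services WMI class.
$tsFilter   = "TerminalName='RDP-Tcp'"
$tsSetting  = Get-CimInstance -Namespace 'root\cimv2\terminalservices' `
                  -ClassName Win32_TSGeneralSetting -Filter $tsFilter
Set-CimInstance -InputObject $tsSetting -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# Read the binding back so a mismatch is caught before CyberArk support uploads the cert.
$bound = (Get-CimInstance -Namespace 'root\cimv2\terminalservices' `
              -ClassName Win32_TSGeneralSetting -Filter $tsFilter).SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) { throw "RDS listener still presents thumbprint $bound." }
"RDS listener on $ExpectedFqdn now presents thumbprint $bound"
```

Remember that the thumbprint reported here changes whenever the machine certificate is replaced, and the note above applies: the Privilege Cloud backend must then be updated too.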

Step 2: Configure the PSMs through the Secure Tunnel wizard

Add the PSMs designated for remote access through the Secure Tunnel wizard.


You perform this task using Secure Tunnel version 2.0.

For details on the Secure Tunnel, see Deploy Secure Tunnel.

To configure the PSMs through the Secure Tunnel

  1. Double-click the Secure Tunnel installation executable file to run the Secure Tunnel wizard.
  2. On the Configure on-premise components page, add the PSMs that you want to open for remote access.
  3. Enter the following information:

    Field                        | Description
    Component Type               | RDP-PSM
    Host Address                 | The hostname of the PSM server (FQDN). The FQDN (case sensitive) must be identical to the one in the certificates and in the list of machines that were provided to CyberArk support. If the PSM is installed on the same machine, add the hostname of the local machine.
    Destination Port             | Click Advanced to display this column. The destination port is 3389.
    Access through Secure Tunnels | You can configure which Secure Tunnels your servers are accessed through, even if these Secure Tunnels are running on a different machine.

  4. Click Configure Components.

Step 3: Configure the PSMs in the Privilege Cloud portal

Configure the PSM gateway and associate it with the relevant PSMs. Repeat this procedure for all PSMs and PSM farms.

To configure the PSMs in the Privilege Cloud portal

  1. In the Privilege Cloud portal, click Administration > Configuration Options.
  2. In the left pane, right-click Configurations > Privilege Session Manager, and then click Add Configured PSM Gateway Servers.
  3. Right-click Configured PSM Gateway Servers, and then click Add PSM Gateway server.
  4. In the Properties pane, enter an ID for the PSM Gateway server.
  5. In the left pane, expand the PSM Gateway server, click Connection Details, and then add the address of the PSM gateway.

    PSM gateway address format:

    Webaccess-<Privilege Cloud portal subdomain>.privilegecloud.cyberark.cloud

    Example:

    Privilege Cloud portal domain name          | PSM gateway address
    mySubDomain.privilegecloud.cyberark.cloud   | webaccess-<mySubDomain>.privilegecloud.cyberark.cloud

  6. In the left pane, locate and expand the PSM with which you want to associate the HTML5 gateway. Right-click Connection Details, and then click Add PSM Gateway.
  7. Under Connection Details, do the following:

    • Click PSM Gateway, and in the Properties pane, enter the ID of the PSM gateway.
    • Click Server, and in the Properties pane, in the Address field, enter the host name of the PSM as defined in your certificate. Use the exact FQDN (case sensitive).
  8. Click Apply.

Step 4: Configure the remote access toggle on the PSM connectors

In order for end users to connect to target machines both from within the organizational network (RDP session) and remotely (HTML5 session), you must configure the remote access toggle on the PSM connectors under all the platforms that are used for both connection types.

To configure the remote access toggle:

  1. In the Privilege Cloud portal, click the Administration button, and then click Platform Management.

  2. Select the relevant target platform, click the ellipsis button next to that platform, and then click Edit.

  3. In the left pane, expand UI and Workflows > Privilege Session Manager. Make sure that the platform is configured to work with a PSM server that is being configured for remote access.
  4. In the left pane, expand UI and Workflows > Connection Components.

  5. Right-click the relevant PSM connector, and then click Add Override User Parameters.

  6. Right-click Override User Parameters, and then click Add Parameter.

  7. Set the following properties:

    Property    | Value
    Name        | AllowSelectHTML5
    DisplayName | Enter a logical name, like Remote Access. This is the name displayed to the user in the UI. If this field is empty, the UI shows the parameter name.
    Type        | CyberArk.TransparentConnection.BooleanUserParameter, CyberArk.PasswordVault.TransparentConnection
    Value       | Yes\No (according to the required default value)

Troubleshooting connection issues

If end users fail to connect for some reason, they receive an error code. The following table lists the error codes, their possible causes, and troubleshooting instructions.

Error code                                           | Possible cause                                                   | Troubleshooting
PSMGW0001E                                           | An issue in the HTML5 security layer.                            | Contact CyberArk support.
PSMGW0002E                                           | An internal HTML5 gateway error.                                 | Contact CyberArk support.
PSMGW0003E - PSMGW0006E                              | The HTML5 gateway is reachable, but either busy or unavailable.  | Contact CyberArk support.
PSMGW0007E                                           | PSM is unreachable.                                              | Check the PSM status or logs. If you cannot resolve the issue yourself, contact CyberArk support.
PSMGW0008E                                           | Failed to connect to PSM.                                        | Check the PSM status or logs. If you cannot resolve the issue yourself, contact CyberArk support.
PSMGW1001E                                           | Unexpected error code, or bad error page redirection.            | Contact CyberArk support.
PSMGW session tab is closed during an active session | PSM or guacd crashed, or experienced an unexpected error.        | Check the PSM status or logs. If you cannot resolve the issue yourself, contact CyberArk support.