Deploy the Privilege Cloud Connector

This topic describes how to deploy the Connector.

Overview

The Privilege Cloud Connector is a server that hosts the Secure Tunnel, PSM, and CPM and essentially manages the major functionality of Privilege Cloud.

For easier reading, this documentation refers to the Privilege Cloud Connector as "the Connector".

Installation considerations

Consideration: Security and hardening

A GPO hardening policy (PSM_CPM) secures the Connector.

GPO hardening script options:

  • Connector with both CPM and PSM. Use the single-file unified GPO hardening script. It runs automatically as part of the installation process and applies the GPO hardening policy settings to the PSM and CPM components when they are installed on the same machine. Learn more about Connector hardening.

  • Connector with PSM only. When installing only the PSM on a Connector machine, use the dedicated PSM_GPO package.

Consideration: High availability and disaster recovery

The basic Privilege Cloud deployment requires one Connector. However, you can deploy multiple PSMs for high availability and an additional CPM to support disaster recovery (DR).

Consideration: Maximum number of CPMs

Each environment can include a maximum of 60 registered CPMs.

 
  • Upgrade the Connector once a year, with the assistance of Cloud Services, to align with the latest version and receive additional capabilities, enhancements, performance improvements, and bug fixes.
  • Verify that outbound traffic from the Connector server is always routed through the same public-facing IP.

Before you begin

  • To enable secure communication between the Privilege Cloud backend and your on-premise components, provide CyberArk Support with the public-facing IP addresses that your organization uses to access the internet.

  • Ensure you have the Privilege Cloud admin user name and password, received from CyberArk Support.

  • Ensure you have a local Admin user with full Admin rights. For in-domain deployments, this must be a domain user.

 

Before you complete the deployment, review the Security Fundamentals topic to fully secure the Connector server. For details, see Security Fundamentals.
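The checks above (a registered, stable public egress IP; reachability of the Privilege Cloud Vault address; local administrative rights) are easy to get wrong on a host behind a load-balanced NAT or a proxy. The following PowerShell script is an added example, not part of the CyberArk documentation or the installer. It assumes your tenant subdomain, the list of egress IPs you gave CyberArk Support, and the Vault port (1858 is CyberArk's usual Vault port; confirm it against Outbound traffic network and port requirements). The egress IP lookup uses api.ipify.org as an assumed public "what is my IP" service; substitute one your organization trusts.

```powershell
# Added example (not CyberArk code): pre-flight checks for a Connector host.
# Assumed inputs:
#   $Subdomain           - your Privilege Cloud tenant subdomain
#   $RegisteredEgressIPs - the public-facing IPs registered with CyberArk Support
#   $VaultPort           - Vault port; 1858 assumed, verify against the port requirements topic
param(
    [Parameter(Mandatory)] [string]   $Subdomain,
    [Parameter(Mandatory)] [string[]] $RegisteredEgressIPs,
    [int] $VaultPort = 1858,
    [int] $Samples   = 5
)

$vaultHost = "vault-$Subdomain.privilegecloud.cyberark.com"
$failed = $false

# 1. Dynamic configuration needs the Vault DNS name to resolve from this host.
$addrs = $null
try {
    $addrs = (Resolve-DnsName -Name $vaultHost -Type A -ErrorAction Stop).IPAddress
    Write-Host "[OK]   $vaultHost resolves to $($addrs -join ', ')"
} catch {
    Write-Host "[FAIL] $vaultHost does not resolve: $($_.Exception.Message)"
    $failed = $true
}

# 2. The Vault port must be open outbound; proxies and egress firewalls often block it.
if ($addrs) {
    $tcp = Test-NetConnection -ComputerName $vaultHost -Port $VaultPort -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) {
        Write-Host "[OK]   TCP $VaultPort to $vaultHost is reachable"
    } else {
        Write-Host "[FAIL] TCP $VaultPort to $vaultHost is blocked"
        $failed = $true
    }
}

# 3. Sample the public egress IP several times. Every sample must be identical
#    (traffic always leaves via the same public IP) and registered with Support.
#    api.ipify.org is an assumed lookup service; replace it with your own.
$seen = @()
for ($i = 1; $i -le $Samples; $i++) {
    try {
        $seen += (Invoke-RestMethod -Uri 'https://api.ipify.org?format=json' -TimeoutSec 10).ip
    } catch {
        Write-Host "[WARN] egress IP lookup $i failed: $($_.Exception.Message)"
    }
    Start-Sleep -Seconds 2
}
$distinct = @($seen | Sort-Object -Unique)
if ($distinct.Count -eq 0) {
    Write-Host "[FAIL] could not determine the public egress IP"; $failed = $true
} elseif ($distinct.Count -gt 1) {
    Write-Host "[FAIL] egress IP is not stable across samples: $($distinct -join ', ')"; $failed = $true
} elseif ($distinct[0] -notin $RegisteredEgressIPs) {
    Write-Host "[FAIL] egress IP $($distinct[0]) is not among the registered IPs ($($RegisteredEgressIPs -join ', '))"; $failed = $true
} else {
    Write-Host "[OK]   egress IP $($distinct[0]) is stable and registered"
}

# 4. The installer must run with local administrative rights
#    (for in-domain deployments, as a domain user that is a local admin).
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
$isDomain = $identity.Name -notmatch "^$env:COMPUTERNAME\\"
if ($isAdmin) { Write-Host "[OK]   $($identity.Name) has local administrative rights (domain account: $isDomain)" }
else          { Write-Host "[FAIL] $($identity.Name) is not a local administrator"; $failed = $true }

if ($failed) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell on the prospective Connector host, for example .\Preflight.ps1 -Subdomain mytenant -RegisteredEgressIPs 203.0.113.10,203.0.113.11. A non-zero exit code means at least one of the "Before you begin" conditions is not met; fix it before running the installer, since a changing egress IP in particular causes intermittent backend rejections that are hard to diagnose after the fact.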

Prepare your machine

  1. From the CyberArk marketplace software area, download the latest Privilege Cloud version software package.

    1. By default, the following components and files are selected:

      Component: Privilege Cloud Connector
      Selected file: Privilege-Cloud-Connector-[latest release].zip

      Component: Secure Tunnel Client Installer
      Selected file: PrivilegeCloudSecureTunnelInstaller-RIs-v3x.zip

      Component: GPO
      Selected files:
        • Privilege Cloud Connector PSM_CPM Hardening GPO-v2.2.0.zip (for installation of both CPM and PSM on the same machine)
        • Privilege Cloud Connector PSM Hardening GPO v2.0.0.zip (for PSM installations only)

    2. To support UNIX and Linux machines, select and download the PSM for SSH component. Download the relevant file for your environment:

      Privileged Session Manager for SSH (PSM for SSH)
      • PrivilegedSessionManagerSSHProxy-RHELinux8-Intel64-RIs-v13.2.zip

      • PrivilegedSessionManagerSSHProxy-RHELinux-Intel64-RIs-v13.2.zip

  2. From the CyberArk Integrations and Tools area, download the Privilege Cloud Tools package, including all available files, and save it in a dedicated folder, commonly called Privilege Cloud Tools.

  3. From the downloaded Tools package, extract the PSM prerequisites check:

    In the Privilege Cloud Tools>PSM Prerequisites folder, extract the PSMCheckPrerequisites_PrivilegeCloud.zip file. The following files are extracted:

    • Readme.txt

    • PSMCheckPrerequisites_PrivilegeCloud.ps1

    • VaultOperationsTester folder

  4. Copy the PSM_CPM GPO Hardening packages to the domain server and extract the zip packages.

  5. If an antivirus agent is installed on your server, disable it for the duration of the installation. You re-enable it in Perform post-installation steps.

Check the Privilege Cloud prerequisites

Before installing Privilege Cloud, determine whether the environment has the necessary prerequisites installed. The prerequisites check covers the general environment, PSM, CPM connectivity and Secure Tunnel prerequisites.

For the list of checks that are run, see Privilege Cloud installer checked items.

To check machine prerequisites:
  1. From the Privilege Cloud Tools kit downloaded in Prepare your machine, copy the PSMCheckPrerequisites_PrivilegeCloud.zip file to the Connector server and extract the zip file.

    The following files are extracted:

    • PSMCheckPrerequisites_PrivilegeCloud.ps1 PowerShell script

    • Readme.txt file

    • VaultOperationsTester folder, with files required for the CPM connectivity test

  2. Run the PowerShell script as a local Admin user:

    • For out of domain deployments

      .\PSMCheckPrerequisites_PrivilegeCloud.ps1 -OutOfDomain
    • For in-domain deployments

      .\PSMCheckPrerequisites_PrivilegeCloud.ps1

    The prerequisites check displays a list of checked items, together with an indication if the check succeeded or failed.

  3. Troubleshoot the displayed errors.

    Error indication: Link to a solution
    Perform the following: Click the link for the relevant instructions.

    Error indication: Tip on how to resolve the issue
    Perform the following: Perform the necessary steps according to the tip.

    Error indication: Recommendation to rerun the script with the -troubleshooting flag
    Perform the following:
      1. Before repeating the check, in the folder where the check script is located, edit or delete the runtime file PSMCheckPrerequisites_PrivilegeCloud.ini.
      2. Rerun the check with the -troubleshooting flag. For each error, a series of possible solutions is displayed.
      3. Select the relevant solution. A related script runs to automatically resolve the issue.

    Error indication: Indication of failure only
    Perform the following: For checks that are self-explanatory and need no further instructions, perform the necessary steps to resolve the issue.

  4. After the prerequisites check has run, a prompt recommends running the CPM connectivity test.
    Ensure you have your Privilege Cloud Admin user name and password, and choose one of the following:

    • Click Yes to run the test now.

    • At any time, run the CPM connectivity test from PowerShell (the script is the one extracted in step 1):

    .\PSMCheckPrerequisites_PrivilegeCloud.ps1 -CPMConnectionTest

Run the Connector installer

The Connector setup wizard is a command line wizard.

To run the setup:

  1. From the Privilege Cloud software package downloaded in Prepare your machine, copy the Connector zip file to the Connector server and extract it.

  2. Log into the Connector machine using your local Admin user.

  3. Run the Connector executable file.

    The Connector verifies the prerequisites. If any are missing, it installs them, and then, if required, restarts the server.

    After the server restarts, the command line interface is launched automatically.

  4. Enter the Privilege Cloud admin user name.

  5. Enter the Privilege Cloud admin password.

     

    The password can contain only ASCII characters.

  6. Enter the logged-in administrator password (user credentials with local administrative rights).

    For in-domain deployments, the administrator must be a domain user.

     

    The password is not saved. It is used only to run the setup.

  7. Enter the Vault DNS name in the following format: vault-<subdomain>.privilegecloud.cyberark.com. See details in Dynamic configuration (recommended).

    In cases where outbound traffic from your organization has been defined to use static IPs, as described in Outbound traffic network and port requirements, enter the Vault IP. See details in Static configuration (if dynamic configuration does not apply).

  8. Enter the full installation path for the Connector.

     

    When installing multiple PSMs, verify that every PSM uses the same path to the same recordings directory.

  9. Select the installation mode (POC yes/no).

     

    Do not use POC mode in production. Hardening is not applied in POC mode.

  10. Select the components that you want to install: CPM/PSM/Both.

    • Both (default): Select this option when you are deploying your first Connector.

    • CPM: Select this option if you are deploying an additional Connector to support CPM in DR mode. To learn more, see Set up a Disaster Recovery CPM.

    • PSM: Select this option if you are deploying an additional Connector to support PSM high availability. To learn more, see Set up PSM high availability.

  11. Select the installation mode for CPM:

    • Active (default): Select this option if you are deploying your first Connector.

    • Passive: Select this option if you are deploying an additional Connector to support CPM in DR mode.
  12. Enter the CPM application ID (optional).

    If you do not enter the CPM application ID, the instance hostname is used by default.

    The installation starts, reporting its progress and each completed step. The installation may restart the machine several times to apply the Connector settings.

    When the installation has completed all relevant steps, a notice appears indicating the installation is completed successfully.

  13. Verify PSM connectors are operating properly. See Check Privilege Cloud Connector functionality.

For an in-domain deployment, continue to Apply GPO hardening for in-domain deployment.

Apply GPO hardening for in-domain deployment

This section describes the automatic hardening procedure for in-domain deployments and how to apply the hardening GPO file in your environment.

When the Connector is deployed on an in-domain server, the automatic hardening procedure is based on a predefined GPO (Group Policy Object), which sets the hardening policy.

Considerations:

  • Dedicated OU in Active Directory: To ensure the GPO hardening applies to all Connector servers in Active Directory, and does not affect other servers, make sure they are all located under a dedicated organizational unit (OU).

  • GPO file: The GPO hardening of the Connector server is based on a unified GPO file that applies to both the PSM and CPM.

To apply the hardening GPO

  1. Download the version's Privilege Cloud Unified Hardening GPO file as described in Prepare your machine.
  2. Import the GPO file to your Active Directory domain.

    1. Open the Group Policy Management Console (GPMC.msc).

    2. Create a GPO:
      1. Expand Group Policy Management> <yourDomain>, then right-click Group Policy Objects and select New. The New GPO window appears.

      2. In the Name field, specify a name for the Unified GPO indicating the purpose and current version (for example, Unified Hardening vN.N), and click OK.

    3. In the list of Group Policy Objects, right-click the new Hardening GPO and select Import Settings.
    4. In the Welcome to the Import Settings Wizard window, click Next, and define the following:

      • Backup GPO window: Click Next.

      • Backup location screen: Click Browse, select the location where you stored the version's unified Hardening GPO settings (for example, Privilege Cloud Connector Unified Hardening GPO), and click OK. The folder path appears in the Backup Location window. Click Next.

      • Source GPO window: Click Next.

      • Scanning Backup window: Click Next.

      • Completing the Import Settings Wizard window: Click Finish. The Import window appears, indicating the progress of the GPO import.

    5. When the GPO import process has completed, click OK.
    6. After import, select the GPO and in the Settings tab verify the settings have been imported successfully.

  3. Link the GPO to the dedicated OU that contains the Connector servers.

    1. Make sure all Connector servers are located under the dedicated OU, so the GPO will not affect any other server.

    2. In the Group Policy Management Console, right-click the OU, then select Link an Existing GPO.

    3. Select the Unified Hardening GPO and click OK. The Unified Hardening GPO policy appears in the Linked Group Policy Objects tab.

  4. Restart the Connector machine so that it pulls the updated GPO,

    -Or-

    run gpupdate /force on each Connector machine.

  5. Optionally, to support the following functions in Privilege Cloud, customize the GPO settings according to these guidelines:

    • Direct RDP connections: Add the following setting to the Group Policy with the appropriate domain security group(s) or users. Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/User Rights Assignment > Access this computer from the network, and include NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, and Domain\RDPUserGroup. See Connect using RDP.

    • Domain-level PSMConnect/PSMAdminConnect: See Move PSM application users to the domain level.

    Take care when adding any domain-specific settings to the GPO, and configure them according to CyberArk guidelines and documentation.
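Steps 1 to 4 above can be scripted with the GroupPolicy and ActiveDirectory PowerShell modules on a domain controller or a management host with RSAT. The script below is an added example, not CyberArk's own tooling. It assumes the extracted hardening ZIP is a standard GPO backup folder containing exactly one {GUID} subfolder, and takes as parameters the backup path, the name for the new GPO, the distinguished name of the dedicated Connector OU, and the Connector hostnames. Unlike the GUI procedure, it also verifies that every Connector is actually inside the OU (a Connector elsewhere silently stays unhardened) and that no other machine is there to be hardened by accident.

```powershell
# Added example (not CyberArk code): import the unified hardening GPO, link it
# to the dedicated Connector OU, verify OU membership, and refresh policy.
# All parameter values are assumptions to be supplied by the administrator.
param(
    [Parameter(Mandatory)] [string]   $BackupPath,   # folder where the hardening GPO ZIP was extracted
    [Parameter(Mandatory)] [string]   $GpoName,      # e.g. 'Unified Hardening v2.2.0' (purpose + version)
    [Parameter(Mandatory)] [string]   $ConnectorOU,  # e.g. 'OU=CyberArk Connectors,DC=corp,DC=example'
    [Parameter(Mandatory)] [string[]] $Connectors    # Connector server hostnames
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

# A GPO backup folder holds one {GUID} subfolder per backed-up GPO.
$backupIds = @(Get-ChildItem -Path $BackupPath -Directory |
               Where-Object Name -match '^\{[0-9A-Fa-f-]{36}\}$' |
               ForEach-Object { [guid]$_.Name })
if ($backupIds.Count -ne 1) {
    throw "Expected exactly one GPO backup under $BackupPath, found $($backupIds.Count)"
}

# Create the GPO if it does not exist, then import the hardening settings into it
# (equivalent to Import Settings in GPMC).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Privilege Cloud Connector unified hardening' | Out-Null
}
Import-GPO -BackupId $backupIds[0] -Path $BackupPath -TargetName $GpoName | Out-Null

# Link only to the dedicated OU so that no other server inherits the hardening.
$linked = (Get-GPInheritance -Target $ConnectorOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $ConnectorOU -LinkEnabled Yes | Out-Null
}

# Verify OU membership in both directions.
$inOu = @((Get-ADComputer -SearchBase $ConnectorOU -Filter *).Name)
foreach ($c in $Connectors) {
    if ($c -notin $inOu) { Write-Warning "$c is NOT under $ConnectorOU and will not be hardened; move it first" }
}
$extra = $inOu | Where-Object { $_ -notin $Connectors }
if ($extra) { Write-Warning "Non-Connector machines under the OU will also be hardened: $($extra -join ', ')" }

# Produce the settings report (the GPMC Settings tab equivalent) for review,
# then apply the policy now instead of waiting for a restart.
$report = Join-Path $env:TEMP "$GpoName.html"
Get-GPOReport -Name $GpoName -ReportType Html -Path $report
Write-Host "Review imported settings in $report"
foreach ($c in $Connectors) {
    if ($c -in $inOu) { Invoke-GPUpdate -Computer $c -Force -RandomDelayInMinutes 0 }
}
```

After it runs, confirm on a Connector with gpresult /r /scope computer that the hardening GPO appears under Applied Group Policy Objects; if it is listed as filtered out or absent, the machine is not in the linked OU or has not yet refreshed policy.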

Perform post-installation steps

  1. Complete PSM deployment, see Complete PSM deployment.

  2. Perform post-installation steps to complete the Connector deployment, see Perform Privilege Cloud Connector post-installation steps.

  3. Re-enable the antivirus agent that you disabled in Prepare your machine, or install industry-standard antivirus software.