Deploy Secure Tunnel

This topic describes how to set up and configure Secure Tunnel in order to securely connect Privilege Cloud with your LDAP, RADIUS, and SIEM servers, and with PSM for remote access. For details, see Connect your LDAP directory server, Connect to SIEM, Configure RADIUS authentication, and Configure the PSMs through the Secure Tunnel wizard.

Supported configurations

For details about supported Secure Tunnel configurations, see Secure Tunnel configurations.

For details about Secure Tunnel high availability, see Set up Secure Tunnel high availability.

Before you begin

    1. Disable the antivirus agent if it is installed on your server. Re-enable it once the installation is complete (see Post installation steps).

    2. Consider the following:

      Connector client machine name must be unique
        The name of the Connector client machine must be unique across domains. Only the machine host name (not the domain part) is used to generate the tunnel ID, so it must be unique even when the machines are deployed in multiple domains.

      Secure Tunnel port
        Check that this port is free for use. If it is not, see Secure Tunnel troubleshooting for steps on how to configure a different port.

      Remote access for employees
        If you are configuring remote access for your employees, you must also configure the designated PSMs. For details, see Configure remote access for employees.

      Configure Secure Tunnel to connect through a proxy server
        • This option is supported in Secure Tunnel v3.1 and up.
        • Connecting to Privilege Cloud through a proxy is supported by Secure Tunnel only when LDAP/RADIUS/SIEM/Remote Access are in a network whose internet connection is behind a proxy.
        • Connecting through a proxy applies to Secure Tunnel only, and does not affect the CPM or PSM components.

Install and configure Secure Tunnel

Install and configure the Secure Tunnel on the Connector machine.

Check Which Secure Tunnel version do I have?, and perform the procedure according to your Secure Tunnel version.

To install and configure the Secure Tunnel:

The Secure Tunnel includes an installation tool and a configuration tool. When you install the Secure Tunnel for the first time, the configuration tool is launched automatically after the installation is complete. To make changes to a previously installed Secure Tunnel, run the configuration tool.

  1. Ensure that the Connector client machine ID is unique, even when the machines are deployed in multiple domains. Only the host name part of the FQDN is used, so two machines that share a host name in different domains are not acceptable. For example:

    Acceptable machine name setup:
      Cyberark1.domainA.com
      Cyberark2.domainB.com

    Non-acceptable machine name setup:
      Cyberark1.domainA.com
      Cyberark1.domainB.com
  2. From the Privilege Cloud software package that you downloaded in Prepare your machine, copy the Secure Tunnel zip file, unzip the package, and run the Secure Tunnel installation executable to start the installation wizard.
  3. On the Select Installation Folder page, enter the location of the installation folder, and click Next.
  4. On the Ready to Install page, click Install.

    When the installation is complete, click Finish, and the configuration tool is launched.

    If you do not want to configure the Secure Tunnel at this time, you can close the wizard and launch the configuration tool later. When you close the installation wizard, a shortcut to the configuration tool is created on the desktop. You can open the configuration tool either from the desktop shortcut or from the installation folder at any time.

  5. On the Authenticate to Privilege Cloud page, enter the following details and click Next.

    Subdomain or Customer ID
      • The subdomain is your system identifier in the Privilege Cloud Portal FQDN: https://<subdomain>.privilegecloud.cyberark.com. Enter only the <subdomain> identifier, not the whole URL.
      • Alternatively, use the Customer ID provided to you by CyberArk Support.

    User name & Password
      Enter the credentials provided by CyberArk Support.

  6. Optionally, configure Secure Tunnel to connect through a proxy server. If you do not want Secure Tunnel to connect through a proxy, skip this step.

  7. On the Configure on-premise components page, add the components that you want to connect through the Secure Tunnel, and click Configure Components.

    Enter the following information for each component:

    Component Type
      Select one of the following components:
      • LDAP: Up to sixty servers can be connected to Privilege Cloud at one time.
      • RADIUS: Up to five servers can be connected to Privilege Cloud at one time.
      • SIEM: Up to five Syslog servers can be connected to Privilege Cloud at one time.
      • PSM-RDP: There is no limit to the number of servers that can be connected to Privilege Cloud at one time.

    Host Address
      The hostname or IP address of the component server.
      LDAP, SIEM, and PSM for remote access use TLS communication, so the value must be a hostname, not an IP address.
      If you want to use an IP address for the RADIUS server, the value must be the IP address of the backend Connector, not the on-premise component. Get this IP address from CyberArk Support.
      The following domains cannot be used as host names in the Secure Tunnel configuration:
      • *.aws.com
      • *.amazonaws.com
      • *.amazon.com
      • *.cyberark.com
      • *.cyberark.cloud

    Destination Port
      The port used to connect the Secure Tunnel server to the component server. Click Advanced to display this column.
      Typically, the ports used for these components are:
      • LDAP - 636
      • SIEM - 1468
      • RADIUS - 1812
      If you are using different ports, edit this field for the relevant component.

    Remote Port
      The port used by CyberArk to interface with your Secure Tunnel. Click Advanced to display this column. The Remote Port is provided to you by CyberArk Support.
      Each interface has a default port. For multiple instances of the same component type, the ports are numbered sequentially:
      • LDAP - 3636 (first LDAP instance), 3637, etc.
      • SIEM - 1468 (first SIEM instance), 1469, etc.
      • RADIUS - 1812 (first RADIUS instance), 1813, etc.

    Access through Secure Tunnels
      You can configure which Secure Tunnels your servers are accessed through, even if those Secure Tunnels are running on a different machine.

  8. Only if you configured Secure Tunnel to connect through a proxy server, restart the Secure Tunnel service: in Windows Task Manager > Services, restart CyberArkPrivilegeCloudSecureTunnel.
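To check a planned configuration against these rules before typing it into the configuration tool, here is an added example in Python. It is written for this page and is not CyberArk code or part of the Secure Tunnel package. It covers the unique Connector host name consideration from Before you begin (the tunnel ID is derived from the host name only) and the Component Type limits, Host Address rules, blocked domains, typical Destination Ports and sequential Remote Port pattern from step 7. The Connector names, server hosts and ports in the sample plan are constructed; the remote ports the script computes only reproduce the sequential pattern and do not replace the values CyberArk Support provides.

```python
"""Pre-flight validator for a planned Secure Tunnel deployment.

Added example (not CyberArk's code): it encodes the naming and component
rules stated on this page so a planned configuration can be checked before
it is entered in the configuration tool. All sample data is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# Maximum servers per component type (None = no limit, as for PSM-RDP).
MAX_PER_TYPE: Dict[str, Optional[int]] = {"LDAP": 60, "RADIUS": 5, "SIEM": 5, "PSM-RDP": None}

# Typical destination ports listed on this page (none is listed for PSM-RDP).
TYPICAL_DEST_PORT = {"LDAP": 636, "SIEM": 1468, "RADIUS": 1812}

# First remote port per type; further instances are numbered sequentially.
FIRST_REMOTE_PORT = {"LDAP": 3636, "SIEM": 1468, "RADIUS": 1812}

# Domains that may not be used as host addresses.
BLOCKED_SUFFIXES = (".aws.com", ".amazonaws.com", ".amazon.com",
                    ".cyberark.com", ".cyberark.cloud")

# Components that use TLS and therefore need a hostname, not an IP address.
TLS_COMPONENTS = {"LDAP", "SIEM", "PSM-RDP"}


@dataclass
class Component:
    ctype: str
    host: str
    dest_port: Optional[int] = None  # None -> use the typical port, if the page lists one


def is_ip_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def duplicate_host_labels(connector_fqdns: List[str]) -> List[str]:
    """Tunnel IDs are generated from the host name only, so Connector machines
    whose FQDNs differ only in the domain part still collide."""
    labels = Counter(fqdn.split(".")[0].lower() for fqdn in connector_fqdns)
    return sorted(label for label, n in labels.items() if n > 1)


def effective_dest_port(c: Component) -> Optional[int]:
    return c.dest_port if c.dest_port is not None else TYPICAL_DEST_PORT.get(c.ctype)


def check_components(components: List[Component]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is acceptable."""
    problems: List[str] = []
    for ctype, n in Counter(c.ctype for c in components).items():
        if ctype not in MAX_PER_TYPE:
            problems.append(f"{ctype}: unknown component type")
        elif MAX_PER_TYPE[ctype] is not None and n > MAX_PER_TYPE[ctype]:
            problems.append(f"{ctype}: {n} servers exceeds the limit of {MAX_PER_TYPE[ctype]}")
    for c in components:
        host = c.host.strip().lower()
        if c.ctype in TLS_COMPONENTS and is_ip_address(host):
            problems.append(f"{c.ctype} {c.host}: TLS component needs a hostname, not an IP address")
        if c.ctype == "RADIUS" and is_ip_address(host):
            # Allowed, but only as the backend Connector address supplied by CyberArk Support.
            problems.append(f"RADIUS {c.host}: verify this is the backend Connector IP from CyberArk Support")
        if any(host.endswith(suffix) for suffix in BLOCKED_SUFFIXES):
            problems.append(f"{c.ctype} {c.host}: host is in a domain that cannot be used")
        port = effective_dest_port(c)
        if port is None:
            problems.append(f"{c.ctype} {c.host}: destination port must be given explicitly")
        elif not 1 <= port <= 65535:
            problems.append(f"{c.ctype} {c.host}: invalid destination port {port}")
    return problems


def expected_remote_ports(components: List[Component]) -> Dict[Tuple[str, str], int]:
    """Reproduce the sequential numbering pattern (3636, 3637, ... for LDAP).
    The authoritative values come from CyberArk Support; this only shows what
    to expect so a mismatch in the Advanced column stands out."""
    next_port = dict(FIRST_REMOTE_PORT)
    assigned: Dict[Tuple[str, str], int] = {}
    for c in components:
        if c.ctype in next_port:
            assigned[(c.ctype, c.host)] = next_port[c.ctype]
            next_port[c.ctype] += 1
    return assigned


# Constructed sample: two Connectors that collide on host name, and a plan with
# two LDAP servers, a SIEM given as an IP (wrong), one RADIUS server, and a PSM
# in a blocked domain (wrong).
CONNECTORS = ["cyberark1.domainA.com", "cyberark1.domainB.com"]
PLAN = [
    Component("LDAP", "dc01.corp.example.com"),
    Component("LDAP", "dc02.corp.example.com", 636),
    Component("SIEM", "10.0.0.25"),
    Component("RADIUS", "radius.corp.example.com"),
    Component("PSM-RDP", "psm01.cyberark.com", 3389),
]

if __name__ == "__main__":
    for label in duplicate_host_labels(CONNECTORS):
        print(f"connector host name '{label}' is used in more than one domain")
    for problem in check_components(PLAN):
        print("problem:", problem)
    for (ctype, host), port in expected_remote_ports(PLAN).items():
        print(f"{ctype} {host}: expect remote port {port}")
```

Run it before opening the configuration tool; with the constructed plan it reports the colliding host name cyberark1, rejects the SIEM given as an IP and the PSM in *.cyberark.com, and shows the LDAP instances landing on remote ports 3636 and 3637.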

To install the Secure Tunnel v2.x:

  1. Download the Secure Tunnel v2.x zip file from the CyberArk Marketplace > Privilege Cloud Software package v12.2, and unzip the package.
  2. Double-click the Secure Tunnel installation executable file to run the Secure Tunnel installation wizard.
  3. On the Select Installation Folder page, enter the location of the installation folder, and then click Install.
  4. On the Authenticate to Privilege Cloud page, enter the credentials provided to you by CyberArk Support.
  5. On the Configure on-premise components page, add the components that you want to connect through the Secure Tunnel, and then click Configure Components.

    Enter the same information as described in step 7 of the previous procedure: Component Type (with the same per-type limits), Host Address (hostname required for LDAP, SIEM, and PSM for remote access; the same domains cannot be used), Destination Port, Remote Port, and Access through Secure Tunnels. The fields and their values are identical for both versions.

  6. To add, edit, or remove on-premise components, run the Secure Tunnel Installation wizard again, and make the necessary changes.

Post installation steps

After installing Secure Tunnel:

  1. Enable the antivirus agent on the Secure Tunnel server again. If antivirus is not installed on the server, install it now.

  2. You can now connect any of the following components to the Secure Tunnel:

Supported connections - scope

The following tables list the maximum number of component connections, per component type, that the Secure Tunnel supports. Limits are shown for each Secure Tunnel version (see Which Secure Tunnel version do I have?).

  Component      Max supported
  LDAP           60
  RADIUS         5

  Component      Max supported
  LDAP           30
  RADIUS         5

Which Secure Tunnel version do I have?

There are a number of ways to determine which Secure Tunnel version you have installed:

  • If you have not yet installed the Secure Tunnel, the version is indicated in the executable file name, and in the file properties when you right-click the executable file.

  • If you already have Secure Tunnel installed, open the Windows Apps list on the machine on which the Secure Tunnel is installed to see the version number, or, on the Secure Tunnel desktop, hover over the PrivilegeCloudSecureTunnelInstaller icon.