Install the CyberArk Identity Connector

This topic describes how to install the CyberArk Identity Connector.

You can install additional connectors for load balancing and failover. You might also want to install more than one connector if you use multiple CyberArk Identity tenants. In most cases, you should install two connectors in a production environment. CyberArk Identity determines which connector to use by monitoring connector health and making a random selection with a bias toward healthy connectors.

Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.
CyberArk recommends enabling automatic updates to keep up-to-date with the current version of the connector; however, we understand that in some environments it might not be possible to update software that has gone into production environments. Therefore, connector installations are supported up to the last two previous versions.

Before you begin

You must meet the following hardware, software, and networking requirements to install the CyberArk Identity Connector.

Server requirements

The following table describes the requirements for the domain-joined Windows server where you plan to install the CyberArk Identity Connector.

Requirement Description

Host computer joined to the domain controller

If you are referencing accounts in an Active Directory tree or forest, the connector can be joined to any domain controller in the tree (it does not need to be the root). In addition, that domain controller must have two-way, transitive trust relationships with the other domain controllers. See Authenticate users in multiple domains for the details.

This computer must be in your internal network and meet or exceed the following requirements:

  • Windows Server 2012 or later

  • 8 GB of memory, of which 4 GB should be available for connector cache functions

  • 2 core CPU

  • Has Internet access so that it can access the CyberArk Identity.

  • Has a GlobalSign Root CA - R3 certificate installed in the Local Machine Trusted Certificate root authorities store.

    Refer to https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates for more certificate detail.

  • Microsoft .NET version 4.5 or later; if it isn’t already installed, the installer installs it for you.

  • Be a server or server-like computer that is always running and accessible.

Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.

Permissions on the connector machine

To install the CyberArk Identity Connector, you need to be the local administrator on the CyberArk Identity Connector machine. To integrate with Active Directory, you must also be a domain user.

Execute VBScript

The server must be able to execute VBScript during the installation.

User and permission requirements

The following table describes the minimum permissions required to install and run the CyberArk Identity Connector.

User

Permissions/Privileges

Reason
Local account or service account on the Windows server that runs the connector

 

Administrator Program installation
Read permission to the deleted objects container To sync deleted objects in AD with CyberArk Identity.

You have two options to provide Read permission to the deleted objects container:

  • You must be the domain administrator of the Active Directory domain for the relevant deleted objects container. If you are deleting users in multiple domains, make sure that you are the domain administrator for all those domains.

  • Delegate read permissions to the service account for the deleted objects container in the corresponding domain.

If you do not take one of the above actions, users deleted in Active Directory will be listed on the Users page in the Admin Portal until you manually delete them. However, they will not have access to CyberArk Identity.

A CyberArk Identity user in a Role with the Register and Administer Connectors Administrative Right.

Register and Administer Connectors

To register the connector with your CyberArk Identity tenant.

The following table describes additional permissions required for optional connector features.

Services

Required Rights and Privileges

Manage mobile device objects in Active Directory

To manage mobile device objects in Active Directory, you need to delegate the necessary permissions to the connector.

  • At least read permission to the container that has the CyberArk Identity user accounts.
  • A broader set of permissions (write all properties, delete, read permissions, and all validated writes) on the container that has the enrolled device objects.

See Permissions for managing mobile device objects in Active Directory.

Register the connector as an Active Directory proxy (e.g. only for App Gateway)

If you want to register a connector as an Active Directory proxy, you need to have Read permissions to the Active Directory server.

Set up ADUC property page extension

To extend the user interface on the Active Directory Users and Computers console, you need to provide the enterprise administrator user name and password. The extension only applies to using Active Directory Group Policies to manage mobile devices.

Self-service password reset and account unlock

To allow Active Directory users to change their passwords through CyberArk Identity, you need to delegate appropriate permissions. Refer to Delegate permissions to reset passwords and unlock accounts.

Network and firewall requirements

All connections to the internet made by CyberArk Identity (including the CyberArk Identity Connector and mobile management) are outbound in nature. No internet facing ingress ports are required. All outbound connections are made via TCP to either port 80 or 443 and should not have any restrictions.

To provide the redundancy and availability of an always available cloud service, the destination resource, IP address, and host for outbound connections will vary over time amongst thousands of addresses. Additionally, the range of which also changes as new resources are provisioned or removed.

Use of deep packet inspection filtering of HTTPS or SSL traffic by web proxies or security software may cause connectivity issues with CyberArk Identity. In all cases, the ports and addresses discussed below should be excluded from packet inspection to allow for normal service operation.

You have the following options for allowing outbound traffic required for the CyberArk Identity Connector.

Option Description

Add the traffic source to an allow list

Given the variability of connection targets, the simplest allow list configuration is typically one where filters are based on the traffic source. Specifically, it relates to configurations where you allow all outbound traffic from the host machine and account running the CyberArk Identity Connector and for outbound requests made by iOS, Android, and Mac clients. This allow list may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Add source ports to an allow list

You can also use an allow list configuration where all outbound traffic on ports 80 and 443 is allowed from the host machine and account running the CyberArk Identity Connector, as well as outbound requests made by iOS, Android, and Mac clients. This allow list may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Add destinations to an allow list

If destination approval is required, you can add outbound ports or TCP Relay IP ranges to an allow list.

Do not delete any CyberArk related IP and Hostnames until you are successfully up and running on the CyberArkcloud.
Port numbers Resource

443

*.idaptive.app

80

privacy-policy.truste.com

80

ocsp.verisign.com

80

ocsp.globalsign.com

80

secure.globalsign.com

If adding an entire domain (*.idaptive.com and *.idaptive.app) to an allow list is not acceptable per security policy, then you need to add the TCP Relay IP ranges for your relevant CyberArk Identity tenant region to an allow list.

Download the relevant file that contains the IP address ranges information from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.

Use the following table to find the AWS TCPRelay IP address ranges for each tenant's region:

Region IP Address Range
US East

3.14.30.0/27 (adding 4 May 2019)

18.216.13.0/26

34.236.32.192/26

34.236.241.0/29

34.214.243.200/29

US West

13.56.112.160/29

13.56.112.192/26

34.215.186.192/26

34.214.243.200/29

Canada

35.183.13.0/26

35.182.14.200/29

Europe

18.194.95.128/26

18.194.95.32/29

34.245.82.128/26

34.245.82.72/29

35.176.92.72/29

35.176.92.128/26

Brazil

18.231.105.192/26

18.231.194.0/29

Australia

13.211.166.128/26

13.211.12.240/29

Japan

13.231.6.128/26

13.231.6.96/26

Singapore

13.250.186.64/26

13.250.186.24/29

Install the CyberArk Identity Connector

This topic describes how to install the CyberArk Identity Connector to integrate your Active Directory/LDAP service with CyberArk Identity. The connector allows you to, among other things, specify groups whose members can enroll and manage devices. It also monitors Active Directory/LDAP for group policy changes, which it sends to CyberArk Identity to update enrolled devices.

Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.

You should configure one or more connectors to provide continuous up time for CyberArk Identity services. Each connector you add is listed in the Admin Portal in Settings > Network > CyberArk Identity Connector.

CyberArk Identity provides load balancing among all connectors with the same services installed. For example, when a request comes in, CyberArk Identity routes the request among the available connectors. If one connector becomes unavailable, the request is routed among the other available connectors providing automatic failover.

To install a connector on a host computer

  1. Log in to the host computer with an account that has sufficient permissions to install and run the connector.

  2. Sign in to the CyberArk Identity Admin Portal, then go to Settings > Network > CyberArk Identity Connectors > Add CyberArk Identity Connector and click 64-bit in the Download pane.

    The download begins.

  3. Extract the files, then double-click the installation program: CyberArk Installer.

    In the file name, rr.r indicates the release version and aa indicates the processor architecture (64-bit).

    Click Yes to continue if the User Account Control warning displays.

  4. Click through the installation wizard to install the CyberArk Identity Connector, then click Finish to launch the CyberArk Connector Configuration wizard.

  5. Type the administrative user name and password for your CyberArk Identity account, then click Next.

  6. (Optional) If you are using a web proxy service, select the associated check box and specify the IP address, port, user name, and password to use.

    The web proxy server must support HTTP1.1 chunked encoding.

  7. Assign connector permissions for user delete activities, then click Next.

    To synchronize deleted objects in AD with CyberArk Identity, you must select an account that has read permission to the Deleted Objects container. You can use an account that is a member of the Domain Admins group, or you can delegate read permissions to the service account for the deleted objects container.

    If you are deleting users in multiple domains, make sure that you are the domain administrator for all those domains.

    To specify an account with read permission to the Deleted Objects container, you have the following options.

    Option Description

    Use current user credential

    Use the credentials for the account you are currently logged into to install the connector.

    Specify alternate user credential

    Use credentials for a different account. Consider this option if the account you are currently using does not have read permissions to the Deleted Objects container.

    If you do not specify credentials with read permission to the Deleted Objects container, then users deleted in Active Directory will remain on the Users page in the CyberArk Identity Admin Portal until you manually delete them. However, these deleted users will not have access to any CyberArk Identity functionality.

    After you click Next, the configuration wizard performs several tests to ensure connectivity.

  8. Click Next after the tests complete to register the connector with your tenant.

  9. Click Finish to complete the configuration and open the connector configuration panel, which displays the status of the connection and your customer ID.

    After you have installed and configured at least one connector, the following changes appear in your tenant.

    • You can add AD objects to Roles.

      AD users and groups are not visible in Core Services > Users until they sign in; however, you can still search for them to add them to Roles.

    • You can review connector details in the CyberArk Identity Admin Portal at Settings > Network > CyberArk Identity Connectors.

      Refer to the following table for a description of the column headings associated with each connector:

      Column header Indicates

      CyberArk Identity Connector

      The name of the computer

      Forest

      The domain name for the domain controller to which the connector is joined.

      Version

      The version of the connector software.

      You can configure the connector to update automatically—see Update the CyberArk Identity Connector

      Last ping

      The last time the CyberArk Identity successfully pinged the connector.

      Hostname

      The DNS short name. You can also enter a fully qualified domain name to the IE local intranet zone.

      See Enabling IWA Service on the connector to change this name.

      Enabled Services

      Service

      Description

      AD Proxy

      Displays if the Active Directory proxy service is enabled on the connector. If enabled, it means you use the Active Directory proxy service to authenticate CyberArk Identity users who have Active Directory accounts.

      LDAP Proxy

      Displays if the LDAP proxy service is enabled on the connector. If enabled, it means you use the LDAP proxy service to authenticate CyberArk Identity users who have LDAP accounts.

      App Gateway

      Displays if the App Gateway service is enabled on the connector. The App Gateway service provides remote access and single sign on to web applications provided by internal web servers (see App Gateway).

      RADIUS Client

      Displays if the connector is enabled for use as a RADIUS client.

      RADIUS Server

      Displays if the connector is enabled for use as a RADIUS server for customers who support RADIUS authentication.

      Web Server (IWA) -- Displays if the connector is configured to accept an Integrated Windows authentication (IWA) connection as sufficient authentication for users with Active Directory accounts. IWA is not available to CyberArk Identity account users.

      Status

      Active indicates that the CyberArk Identity can communicate with the connector.

      Inactive indicates that CyberArk Identity cannot communicate with the connector.

Install additional connectors

You use the same procedure to download the installation wizard to the host computer and then run the wizard to install and register additional connectors. After you install and register the connector, it is added to the CyberArk Identity Connector page.

The host computer must be joined to the same Active Directory domain controller as the first connector in the same trust domain or forest.