Install the CyberArk Identity Connector

This topic describes how to install the CyberArk Identity Connector.

You can install additional connectors for load balancing and failover. You might also want to install more than one connector if you use multiple CyberArk Identity tenants. In most cases, you should install two connectors in a production environment. CyberArk Identity determines which connector to use by monitoring connector health and making a random selection with a bias toward healthy connectors.

CyberArk Identity Connector installation guidelines

To ensure the CyberArk Identity Connector is installed properly, you must adhere to the following guidelines.

Consider Guideline

Load balancing and failover


We recommend configuring one or more connectors so that CyberArk Identity services remain continuously available. Each connector you add is listed in the Identity Administration portal in Settings > Network > CyberArk Identity Connector.

CyberArk Identity provides load balancing among all connectors with the same services installed. For example, when a request comes in, CyberArk Identity routes the request among the available connectors. If one connector is unavailable, the request is routed among the other available connectors providing automatic failover.

Automatic updates

CyberArk recommends enabling automatic updates to stay current with the latest connector version; however, we understand that in some environments it might not be possible to update software that is already in production. Therefore, connector installations are supported on the current version and the two previous versions.

Before you begin

You must meet the following hardware, software, and networking requirements to install the CyberArk Identity Connector.

Server requirements

The following table describes the requirements for the domain-joined Windows server where you plan to install the CyberArk Identity Connector.

Requirement Description

Host computer joined to the Active Directory domain

If you are referencing accounts in an Active Directory tree or forest, the connector host can be joined to any domain in the tree (it does not need to be the forest root). That domain must have two-way, transitive trust relationships with the other domains whose accounts you reference. See Authenticate users in multiple domains for the details.

This computer must be in your internal network and meet or exceed the following requirements:

  • Windows Server 2012 or later

  • 8 GB of memory, of which 4 GB should be available for connector cache functions

  • 2 core CPU

  • Has Internet access so that it can access the CyberArk cloud services.

  • Has a GlobalSign Root CA - R3 certificate installed in the Local Machine Trusted Certificate root authorities store.

    Refer to https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates for more certificate detail.

  • Microsoft .NET version 4.5 or later; if it isn’t already installed, the installer installs it for you.

  • Be a server that is always running and accessible.

Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.
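The following PowerShell script is an added preflight check that is not part of the CyberArk documentation or installer; it tests the host requirements listed above (OS version, memory, cores, domain membership, .NET 4.5+, the GlobalSign Root CA - R3 trust, and that Windows Script Host is not disabled, which the installer's VBScript needs) and flags a domain controller, which the page recommends against. Run it in an elevated session on the candidate host. The root certificate is matched by its subject name, an assumption of this script, so compare the printed thumbprint with the GlobalSign root certificate page linked above.

```powershell
# Added preflight check for the connector host requirements listed above.
# Illustrative only (not CyberArk's installer or tooling); run in an elevated
# PowerShell session on the candidate host. Thresholds mirror the page.
$results = [ordered]@{}

$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem

# Windows Server 2012 (NT 6.2) or later, and a server rather than a workstation.
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$results['Windows Server 2012 or later'] = ([version]$os.Version -ge [version]'6.2') -and ($os.ProductType -ne 1)
# Best practice on the page: do not install the connector on a domain controller.
$results['Not a domain controller']      = $os.ProductType -ne 2

# 8 GB of memory and a 2-core CPU.
$results['Memory >= 8 GB'] = ($cs.TotalPhysicalMemory / 1GB) -ge 8
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
$results['CPU cores >= 2'] = $cores -ge 2

# The host must be joined to the Active Directory domain.
$results['Domain joined'] = $cs.PartOfDomain

# .NET Framework 4.5 or later. The 'Release' DWORD is 378389 for 4.5. The installer
# adds .NET if this is missing, so treat a failure here as informational.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework >= 4.5'] = ($null -ne $ndp.Release) -and ($ndp.Release -ge 378389)

# GlobalSign Root CA - R3 in the Local Machine Trusted Root store (matched by subject
# name, an assumption of this script; verify the thumbprint against GlobalSign's page).
$r3 = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match 'GlobalSign Root CA - R3' }
$results['GlobalSign Root CA - R3 trusted'] = [bool]$r3

# The installer executes VBScript: Windows Script Host must not be disabled by policy
# (Enabled = 0 under this key turns it off).
$wsh = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue
$results['Windows Script Host enabled'] = ($null -eq $wsh.Enabled) -or ($wsh.Enabled -ne 0)

$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($r3) { "GlobalSign Root CA - R3 thumbprint: $($r3.Thumbprint)" }
```

A FAIL on the .NET line is not blocking because the installer adds .NET itself; every other FAIL should be resolved before you download the installer in the procedure below.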

Permissions on the connector machine

To install the CyberArk Identity Connector, you must be a member of the local Administrators group on the CyberArk Identity Connector machine. To integrate with Active Directory, you must also be a domain user.

Execute VBScript

The server must be able to execute VBScript during the installation.

User and permission requirements

The following table describes the minimum permissions required to install and run the CyberArk Identity Connector.

User Permissions/Privileges Reason

Local account or service account on the Windows server that runs the connector

Administrator (member of the local Administrators group): required for program installation.

Read permission to the Deleted Objects container: required to sync deleted objects in AD with CyberArk Identity.

You have two options to provide Read permission to the deleted objects container:

  • Use an account that is a member of the Domain Admins group of the Active Directory domain that contains the relevant Deleted Objects container. If users are deleted in multiple domains, the account must have this right in each of those domains.

  • Delegate read permissions to the service account for the deleted objects container in the corresponding domain.

If you do not take one of the above actions, users deleted in Active Directory will be listed on the Users page in the Identity Administration portal until you manually delete them. However, they will not have access to CyberArk Identity.
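The following is an added example, not CyberArk's tooling, of the second option above (delegating read access on the Deleted Objects container to a service account) followed by a verification that the delegated account can actually enumerate tombstones; it applies equally to the credential you select in step 7 of the installation procedure below. The domain DN and the account name are placeholders. It uses dsacls because the container's ACL is not editable from the Active Directory Users and Computers console, and only a member of Domain Admins can take ownership of it.

```powershell
# Added example: delegate read access on the Deleted Objects container to the
# connector service account, then verify as that account. Not CyberArk's tooling.
# Placeholders (assumed): domain DC=corp,DC=example, account CORP\svc-cyberark.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example'
$svc      = 'CORP\svc-cyberark'
$deleted  = "CN=Deleted Objects,$domainDn"

# Run as a Domain Admin of this domain. By default only SYSTEM and Domain Admins can
# read the container, and its ACL cannot be changed until the caller takes ownership.
dsacls $deleted /takeownership

# LC = List Contents, RP = Read Property: enough to enumerate tombstoned users,
# which is all the connector needs for deleted-object sync.
dsacls $deleted /G "${svc}:LCRP"

# Show the resulting ACE for the service account.
dsacls $deleted | Select-String -SimpleMatch $svc

# Verify with the delegated account rather than the Domain Admin: list tombstones
# and where they lived before deletion. Prompts for the service account password.
$cred = Get-Credential -UserName $svc -Message 'Service account password'
Get-ADObject -LDAPFilter '(isDeleted=TRUE)' -IncludeDeletedObjects -SearchBase $deleted `
    -Properties lastKnownParent -Credential $cred |
    Select-Object Name, lastKnownParent
```

Repeat the delegation once per domain whose deleted users must be synchronized; if the final query returns an access-denied error, the connector will keep listing deleted users until you remove them manually, as described above.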

A CyberArk Identity user in a Role with the Register and Administer Connectors Administrative Right.

Register and Administer Connectors

To register the connector with your CyberArk Identity tenant.

The following table describes additional permissions required for optional connector features.

Services Required Rights and Privileges

Manage mobile device objects in Active Directory

To manage mobile device objects in Active Directory, you need to delegate the necessary permissions to the connector.

  • At least read permission to the container that has the CyberArk Identity user accounts.
  • A broader set of permissions (write all properties, delete, read permissions, and all validated writes) on the container that has the enrolled device objects.

See Permissions for managing mobile device objects in Active Directory.

Register the connector as an Active Directory proxy (for example, when the connector is used only for App Gateway)

If you want to register a connector as an Active Directory proxy, the account the connector runs as needs Read permission in Active Directory.

Set up ADUC property page extension

To extend the user interface on the Active Directory Users and Computers console, you need to provide the enterprise administrator user name and password. The extension only applies to using Active Directory Group Policies to manage mobile devices.

Self-service password reset and account unlock

To allow Active Directory users to change their passwords through CyberArk Identity, you need to delegate appropriate permissions. Refer to Delegate permissions to reset passwords and unlock accounts.

Network and firewall requirements

All connections to the internet made by CyberArk Identity components (including the CyberArk Identity Connector and mobile device management) are outbound. No internet-facing ingress ports are required. All outbound connections are made over TCP to port 80 or 443 and should not be restricted.

Because the service is distributed for redundancy and availability, the destination resource, IP address, and host name of outbound connections vary, and the address range changes as resources are provisioned or removed.

Deep packet inspection (TLS interception) of HTTPS traffic by web proxies or security software may cause connectivity issues with CyberArk Identity. In all cases, exclude the ports and addresses discussed below from packet inspection so the service operates normally.

You have the following options for allowing outbound traffic required for the CyberArk Identity Connector.

Option Description

Add the traffic source to an allow list

Given the variability of connection targets, the simplest allow list configuration is typically one where filters are based on the traffic source. Specifically, it relates to configurations where you allow all outbound traffic from the host machine and account running the CyberArk Identity Connector and for outbound requests made by iOS, Android, and Mac clients. This allow list may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Add destination ports to an allow list

You can also use an allow list configuration where all outbound traffic to ports 80 and 443 is allowed from the host machine and account running the CyberArk Identity Connector, as well as outbound requests made by iOS, Android, and Mac clients. This allow list may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Add destinations to an allow list

If destination approval is required, you can add outbound ports or elastic IP addresses to an allow list.

Do not delete any CyberArk-related IP and Hostnames until you have successfully deployed the connector.
Port numbers Resource

443 *.idaptive.app (always required)

443 *.id.cyberark.cloud (also required if your tenant was deployed after July 2022)

80 privacy-policy.truste.com

80 ocsp.verisign.com

80 ocsp.globalsign.com

80 crl.globalsign.com

80 secure.globalsign.com

If adding an entire domain to an allow list is not acceptable per your organization's security policy, then you need to add the TCPRelay IPs allocated to your pod to an allow list. Contact CyberArk support for the IP addresses.

If your domain controller is on a private WAN, allow communication on the following ports (inbound to the domain controller) to facilitate communication between the domain controller and the connector host.

Port Protocol Purpose

389 TCP/UDP LDAP

636 TCP LDAP SSL

3268 TCP LDAP GC

3269 TCP LDAP GC SSL

88 TCP/UDP Kerberos
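The following PowerShell script is an added example, not part of the CyberArk documentation, that checks the two tables above from the connector host: TCP reachability of each listed internet destination and of the domain controller ports, and then a TLS handshake to the tenant endpoint that prints the root of the presented certificate chain. The tenant host name and domain controller name are placeholders you must replace. Because the page requires the GlobalSign Root CA - R3 trust, a chain that ends at any other root is a strong indication that a proxy is intercepting HTTPS, the condition the section above warns about.

```powershell
# Added example (not CyberArk's tooling): verify the outbound and DC-facing ports
# listed above and detect TLS interception on the path to the tenant.
# Placeholders (assumed): replace with your tenant host and a reachable DC.
$TenantHost = 'example.my.idaptive.app'
$Dc         = 'dc01.corp.example'

$checks = @(
    @{ Host = $TenantHost;                 Port = 443;  Purpose = 'CyberArk Identity tenant' }
    @{ Host = 'privacy-policy.truste.com'; Port = 80;   Purpose = 'TRUSTe privacy policy' }
    @{ Host = 'ocsp.verisign.com';         Port = 80;   Purpose = 'OCSP' }
    @{ Host = 'ocsp.globalsign.com';       Port = 80;   Purpose = 'OCSP' }
    @{ Host = 'crl.globalsign.com';        Port = 80;   Purpose = 'CRL' }
    @{ Host = 'secure.globalsign.com';     Port = 80;   Purpose = 'GlobalSign' }
    @{ Host = $Dc;                         Port = 389;  Purpose = 'LDAP' }
    @{ Host = $Dc;                         Port = 636;  Purpose = 'LDAP SSL' }
    @{ Host = $Dc;                         Port = 3268; Purpose = 'LDAP GC' }
    @{ Host = $Dc;                         Port = 3269; Purpose = 'LDAP GC SSL' }
    @{ Host = $Dc;                         Port = 88;   Purpose = 'Kerberos' }
)

# TCP-only reachability; the UDP variants of 389 and 88 are not tested here.
foreach ($c in $checks) {
    $ok = (Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-5} {1,-30} {2,5}  {3}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $c.Host, $c.Port, $c.Purpose
}

# TLS interception check: complete a handshake with the tenant, accepting any
# certificate (diagnostic only), then build the chain and report its root.
$tcp = New-Object Net.Sockets.TcpClient($TenantHost, 443)
$ssl = New-Object Net.Security.SslStream(
    $tcp.GetStream(), $false,
    ([Net.Security.RemoteCertificateValidationCallback]{ $true }))
$ssl.AuthenticateAsClient($TenantHost)

$leaf  = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($leaf)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

"Leaf subject: $($leaf.Subject)"
"Chain root:   $($root.Subject)"
if ($root.Subject -notmatch 'GlobalSign') {
    'WARNING: chain does not end at a GlobalSign root; a proxy is probably re-signing HTTPS. Exclude the hosts above from inspection.'
}
$ssl.Dispose(); $tcp.Dispose()
```

If the port checks fail only for the DC entries, fix the private WAN rules described above; if the tenant port succeeds but the root is your organization's own CA, the connector will be talking to the proxy rather than to CyberArk, which is exactly the case the deep packet inspection note covers.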

Install the CyberArk Identity Connector

This topic describes how to install the CyberArk Identity Connector to integrate your Active Directory/LDAP service with CyberArk Identity. The connector allows you to specify groups whose members can enroll and manage devices. It also monitors Active Directory/LDAP for group policy changes, which it sends to CyberArk Identity to update enrolled devices.

Perform the steps described in the following procedure.

To install a connector on a host computer

  1. Log in to the host computer with an account that has sufficient permissions to install and run the connector.

  2. Sign in to the Identity Administration portal, then go to Settings > Network > CyberArk Identity Connectors > Add CyberArk Identity Connector and click 64-bit in the Download pane.

    The download begins.

  3. Extract the files, then double-click the installation program: CyberArk Installer.

    In the file name, rr.r indicates the release version and aa indicates the processor architecture (64-bit).

    Click Yes to continue if the User Account Control warning displays.

  4. Click through the installation wizard to install the CyberArk Identity Connector, then click Finish to launch the CyberArk Connector Configuration wizard.

  5. Type the administrative user name and password for your CyberArk Identity account, then click Next.

  6. (Optional) If you are using a web proxy service, select the associated check box and specify the IP address, port, user name, and password to use.

    The web proxy server must support HTTP/1.1 chunked transfer encoding.

  7. Assign connector permissions for user delete activities, then click Next.

    To synchronize deleted objects in AD with CyberArk Identity, you must select an account that has read permission to the Deleted Objects container. You can use an account that is a member of the Domain Admins group, or you can delegate read permissions to the service account for the deleted objects container.

    If users are deleted in multiple domains, make sure that the selected account has read permission to the Deleted Objects container in each of those domains.

    To specify an account with read permission to the Deleted Objects container, you have the following options.

    Option Description

    Use current user credential

    Use the credentials for the account you are currently logged into to install the connector.

    Specify alternate user credential

    Use credentials for a different account. Consider this option if the account you are currently using does not have read permissions to the Deleted Objects container.

    If you do not specify credentials with read permission to the Deleted Objects container, then users deleted in Active Directory will remain on the Users page in the Identity Administration portal until you manually delete them. However, these deleted users will not have access to any CyberArk Identity functionality.

    After you click Next, the configuration wizard performs several tests to ensure connectivity.

  8. Click Next after the tests complete to register the connector with your tenant.

  9. Click Finish to complete the configuration. The connector configuration panel displays, showing the status of the connection and your customer ID.

    If you have pending Windows updates that require a restart, a prompt displays asking if you want to restart now or manually restart later. You can choose to restart later without any impact to connector functionality.

    After you have installed and configured at least one connector, the following changes appear in your tenant.

    • You can add AD objects to roles.

      AD users and groups are not visible in Core Services > Users until they sign in; however, you can still search for them to add them to roles.

    • You can review connector details in the Identity Administration portal at Settings > Network > CyberArk Identity Connectors.

      Refer to the following table for a description of the column headings associated with each connector:

      Column header Indicates

      CyberArk Identity Connector

      The name of the computer.

      Forest

      The name of the Active Directory domain to which the connector host is joined.

      Version

      The version of the connector software.

      You can configure the connector to update automatically—see Update the Identity Connector.

      Last ping

      The last time the CyberArk Identity successfully pinged the connector.

      Hostname

      The DNS short name of the connector host. You can also use a fully qualified domain name; for IWA, add that name to the browser's local intranet zone.

      See Manage Integrated Windows Authentication (IWA) to change this name.

      Enabled Services

      Service Description

      AD Proxy

      Displays if the Active Directory proxy service is enabled on the connector. If enabled, it means you use the Active Directory proxy service to authenticate CyberArk Identity users who have Active Directory accounts.

      LDAP Proxy

      Displays if the LDAP proxy service is enabled on the connector. If enabled, it means you use the LDAP proxy service to authenticate CyberArk Identity users who have LDAP accounts.

      App Gateway

      Displays if the App Gateway service is enabled on the connector. The App Gateway service provides remote access and single sign on to web applications provided by internal web servers.

      RADIUS Client

      Displays if the connector is enabled for use as a RADIUS client.

      RADIUS Server

      Displays if the connector is enabled for use as a RADIUS server for customers who support RADIUS authentication.

      Web Server (IWA)

      Displays if the connector is configured to accept an Integrated Windows Authentication (IWA) connection as sufficient authentication for users with Active Directory accounts. IWA is not available to CyberArk Identity account users.

      Status

      Active indicates that CyberArk Identity can communicate with the connector.

      Inactive indicates that CyberArk Identity cannot communicate with the connector.

Install additional connectors

You use the same procedure to download the installation wizard to the host computer and then run the wizard to install and register additional connectors. After you install and register the connector, it is added to the CyberArk Identity Connector page.

The host computer must be joined to the same Active Directory domain as the first connector, or to another domain in the same forest or trust relationship.