PSM installation considerations

The scope of your implementation determines where the PSM server will be installed and how many PSM servers you require. The following considerations will help you define the size and the capacity of your implementation.

Planning capacity

Before installation, determine the amount of storage required in the Vault or on an external storage device to store session recordings. The following considerations will help you calculate the amount of Vault or external device storage that you will need.

Consideration: Size of session recordings
Description: The number of activities performed during each session and the session type (GUI or text) determine the size of each recording. Typically, recordings vary from 50-250 KB/minute. Many parameters affect the recording size, such as screen resolution, number of screens, Windows parameters, PVConfig parameters, target, background image, and session activities. We therefore recommend running sessions on the customer site that resemble the customer's real activity and using the results from these sessions to estimate the average recording size for that customer.

Consideration: Activity in your enterprise
Description: The number of concurrent sessions that PSM will create and store in the Vault determines the size of your implementation.

Consideration: Recordings retention period
Description: The length of time that recordings will be retained, according to your enterprise audit policy.

The following sample scenario shows how to calculate the required space in the Vault for a PSM implementation:

Consideration: Activity in your enterprise
Enterprise requirement: The sample enterprise's IT consists of 100 employees who manage their Windows machines.

Consideration: Size of session recordings
Enterprise requirement: The amount of recorded IT activity is estimated at 100 daily sessions of 10 minutes each.
PSM implementation requirement: daily minutes of session recordings = 100 * 10 = 1,000 minutes.

Consideration: Recordings retention period
Enterprise requirement: The enterprise's audit policy requires session recordings to be kept for 3 years.
PSM implementation requirement: days to retain the recordings = 365 * 3 = 1,095 days.

Estimated required space (using the 250 KB/min upper end of the typical range): (1,000 min/day * 1,095 days) * 250 KB/min = 273,750,000 KB, approximately 274 GB (about 261 GiB).
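The following PowerShell is an added example, not CyberArk's code or part of the original page. It turns the sizing method above into two reusable functions: one derives the average KB/minute from a set of measured pilot recordings (the on-site sampling the page recommends) and warns when the result falls outside the typical 50-250 KB/minute range; the other projects storage across the retention period, reporting both decimal GB (as the page does) and GiB, which is what most storage arrays display. The sample recording sizes are constructed, and the 20% growth margin is an assumption of this example, not CyberArk guidance.

```powershell
# Added example (not CyberArk's code): estimate Vault/external storage for PSM session
# recordings from measured sample sessions, then project it across the retention period.
# The sample recording sizes below are constructed, not measured data.

function Get-PsmRecordingRate {
    param(
        # Each sample is a measured recording: length in minutes and size in KB.
        [Parameter(Mandatory)] [object[]] $Samples
    )
    $totalMinutes = ($Samples | Measure-Object -Property Minutes -Sum).Sum
    $totalKb      = ($Samples | Measure-Object -Property SizeKB  -Sum).Sum
    if ($totalMinutes -le 0) { throw 'Samples must contain at least one minute of recording.' }
    $rate = $totalKb / $totalMinutes
    # The page's typical range is 50-250 KB/min; a rate outside it usually means the pilot
    # sessions were not representative (resolution, multi-monitor, GUI vs text sessions).
    if ($rate -lt 50 -or $rate -gt 250) {
        Write-Warning ("Measured rate {0:N1} KB/min is outside the typical 50-250 KB/min range; re-check the sample sessions." -f $rate)
    }
    return $rate
}

function Get-PsmRecordingStorageEstimate {
    param(
        [Parameter(Mandatory)] [int]    $SessionsPerDay,
        [Parameter(Mandatory)] [double] $MinutesPerSession,
        [Parameter(Mandatory)] [int]    $RetentionYears,
        [double] $KbPerMinute  = 250,   # worst case of the page's typical range
        [double] $GrowthMargin = 0.2    # assumed headroom for growth; not from the page
    )
    $dailyMinutes  = $SessionsPerDay * $MinutesPerSession
    $retentionDays = 365 * $RetentionYears
    $totalKb       = $dailyMinutes * $retentionDays * $KbPerMinute
    [pscustomobject]@{
        DailyMinutes       = $dailyMinutes
        RetentionDays      = $retentionDays
        KbPerMinute        = [math]::Round($KbPerMinute, 1)
        RequiredGB         = [math]::Round($totalKb / 1e6, 2)   # decimal GB, as used on the page
        RequiredGiB        = [math]::Round($totalKb / 1MB, 2)   # KB / 1,048,576 = GiB
        WithGrowthMarginGB = [math]::Round($totalKb * (1 + $GrowthMargin) / 1e6, 2)
    }
}

# Constructed pilot recordings (minutes, KB) from sessions run on site.
$samples = @(
    [pscustomobject]@{ Minutes = 10; SizeKB = 1800 }
    [pscustomobject]@{ Minutes = 25; SizeKB = 5500 }
    [pscustomobject]@{ Minutes = 5;  SizeKB = 600  }
)
$rate = Get-PsmRecordingRate -Samples $samples   # (1800 + 5500 + 600) / 40 = 197.5 KB/min

# The page's scenario: 100 sessions/day x 10 min, kept for 3 years, at the 250 KB/min worst case.
Get-PsmRecordingStorageEstimate -SessionsPerDay 100 -MinutesPerSession 10 -RetentionYears 3 -KbPerMinute 250

# The same scenario at the measured rate instead of the worst case.
Get-PsmRecordingStorageEstimate -SessionsPerDay 100 -MinutesPerSession 10 -RetentionYears 3 -KbPerMinute $rate
```

Size the Vault or external storage on the worst-case figure unless the measured rate comes from a pilot that genuinely matches production resolution, monitor count and session mix; the measured figure is useful mainly for deciding how much of the worst-case allocation can be deferred.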

Determine the hardware required for PSM

The number of required PSM servers depends on load balancing, high availability and network topology considerations, which are described in the sections below. For details about hardware and software specifications for different implementation sizes, see Privileged Session Manager.

PSM can also be installed on the same machine as the CPM or the PVWA, reducing the number of machines to maintain.

Recommended settings for installing PSM on a virtual machine

When installing PSM on a virtual machine (VM), apply the following to ensure optimal PSM performance:

  • In VMware based environments, install VMware Tools on every PSM VM.

  • Reserve enough VM resources so that the virtual machine on which PSM is installed never goes short of resources:

    Set a fixed processing power reservation (MHz reservation) on the VM. Measure the processing power that PSM uses in day-to-day operation in your environment and reserve accordingly.

    In VMware, you can determine the processing power that is used by installing VMware Tools and examining the PerfMon counter [VM Processor -> Effective VM Speed in MHz].

    Similarly, make sure that enough memory is allocated to the PSM VM at any given time.

  • Use the latest virtual hardware (VM compatibility) version for the PSM VM, so that the most up-to-date virtual hardware available is used.

  • For VMware based environments, version 5.5 and above, make sure hyper-threading is enabled in the BIOS for processors that support it.
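The following PowerShell is an added example, not CyberArk's code or part of the original page. It shows how to turn the reservation advice above into a measurement: it samples the VMware Tools PerfMon counter the page names (VM Processor -> Effective VM Speed in MHz) alongside the standard Windows Available MBytes counter over an observation window, then derives a CPU reservation in MHz from the observed peak plus headroom. The counter path string is this example's rendering of the page's counter name, and the 25% headroom, one-hour window and 100 MHz rounding are this example's choices, not CyberArk guidance.

```powershell
# Added example (not CyberArk's code): observe the PSM VM's real CPU demand through the
# VMware Tools PerfMon counter named on this page, plus free memory, and derive a
# CPU reservation with headroom for the VM's MHz reservation field.
# Assumptions: the CPU counter path is this example's rendering of the page's counter name;
# the headroom, window length and 100 MHz rounding are this example's choices.

function Get-PsmVmReservationSuggestion {
    param(
        [int]    $SampleIntervalSeconds = 15,     # seconds between samples
        [int]    $MaxSamples            = 240,    # 240 x 15 s = 1 hour of observation
        [double] $Headroom              = 0.25,   # reserve 25% above the observed peak
        [string] $CpuCounter = '\VM Processor\Effective VM Speed in MHz',  # assumed path
        [string] $MemCounter = '\Memory\Available MBytes'                  # standard Windows counter
    )

    # The VM Processor counter only exists once VMware Tools is installed on the VM.
    try {
        $sets = Get-Counter -Counter @($CpuCounter, $MemCounter) `
                            -SampleInterval $SampleIntervalSeconds -MaxSamples $MaxSamples -ErrorAction Stop
    } catch {
        throw "Could not read '$CpuCounter'. Install VMware Tools on the PSM VM first. ($_)"
    }

    # Flatten the sample sets and split them by counter. Get-Counter lowercases Path,
    # and -like is case-insensitive, so the wildcard matches are safe.
    $samples = $sets | ForEach-Object { $_.CounterSamples }
    $cpuMHz  = $samples | Where-Object { $_.Path -like '*effective vm speed*' } | ForEach-Object { $_.CookedValue }
    $freeMB  = $samples | Where-Object { $_.Path -like '*available mbytes*' }   | ForEach-Object { $_.CookedValue }

    $cpu = $cpuMHz | Measure-Object -Average -Maximum
    $mem = $freeMB | Measure-Object -Minimum

    # Round the reservation up to a whole 100 MHz so it maps cleanly onto the vSphere MHz field.
    $reservation = [math]::Ceiling($cpu.Maximum * (1 + $Headroom) / 100) * 100

    [pscustomobject]@{
        Samples                    = $cpuMHz.Count
        AverageCpuMHz              = [math]::Round($cpu.Average)
        PeakCpuMHz                 = [math]::Round($cpu.Maximum)
        SuggestedCpuReservationMHz = $reservation
        MinFreeMemoryMB            = [math]::Round($mem.Minimum)   # near 0 means the VM needs more memory
    }
}

# Run this while PSM is handling a representative number of live recorded sessions,
# then set the VM's CPU reservation to at least SuggestedCpuReservationMHz.
Get-PsmVmReservationSuggestion | Format-List
```

Run the measurement during a window that matches real usage (sessions being recorded, not an idle server); the peak of an idle window understates what PSM needs, and MinFreeMemoryMB is the companion figure for deciding whether the memory allocation is also adequate.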

Connect to the PSM server with Microsoft Remote Desktop Services (RDS) Session Host

Make sure you have the appropriate RDS CAL licensing. PSM can work with any RDS CAL License scheme (either per user or per device). For more information about purchasing an RDS CAL, contact your Microsoft representative.

 

Due to RDS licensing enforcement in Windows 2019, a per-user license is no longer supported for local users. We recommend using a per-device RDS license.

To work with a per-user license on a Windows 2019 machine, PSM users must be moved to the domain level. See PSMConnect and PSMAdminConnect Domain Users for details.

Connect to the PSM Server through an HTML5 gateway

You can configure PSM to provide secure remote access to a target machine through an HTML5 gateway. The HTML5 gateway tunnels the session between the end user and the PSM machine over a secure WebSocket connection (WebSocket over TLS, port 443). This removes the requirement to open an RDP connection from the end user's machine; instead, the end user only needs a web browser to establish a connection to a remote machine through PSM. For details about configuring PSM to work with HTML5, see Secure Access with an HTML5 Gateway.

Connect to the PSM Server with Microsoft Remote Desktop Gateway

PSM can be configured to work with the Microsoft Remote Desktop Gateway, which tunnels the RDP session between the user and the PSM machine over HTTPS (port 443), providing a secure connection without needing to open the firewall for RDP. All information transferred between the user and the PSM machine is encrypted and protected by HTTPS, which enables secure cross-network and remote access. For more information about Microsoft Remote Desktop Gateway, refer to http://technet.microsoft.com/en-us/library/cc731264.aspx.

Multiple PSMs

The Enterprise Password Vault can work with multiple instances of PSM that access the same Vault. This enables you to work with the following scenarios:

  • Load balancing implementations.

  • Access to managed devices that are located in different networks. A PSM server can be installed in each network segment to communicate with the remote machines using native protocols, without the need to open the enterprise firewall, as shown in the following diagram.

[Diagram: PSM Cross-Network Architecture]

Establish connections through PSM when NLA is enabled on the PSM server

When establishing connections through PSM to target systems, users can connect through the PVWA or through PSM for Windows.

However, in environments where Network Level Authentication (NLA) is enabled on the PSM server, connecting through the PVWA is not supported. Connections to the target system are made using PSM for Windows. No additional configuration is required.
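The following PowerShell is an added example, not CyberArk's code or part of the original page. It serves both the RDS CAL licensing section above (per-user licensing is not supported for local users on Windows Server 2019) and this NLA section: run elevated on the intended PSM server, it reads the RDS licensing mode and the NLA setting of the RDP-Tcp listener from the TerminalServices WMI classes, checks whether the PSMConnect and PSMAdminConnect accounts named on this page are local users, and reports the findings a practitioner would want before installing. The function name and the wording of the findings are this example's; the account names come from the page.

```powershell
# Added example (not CyberArk's code): pre-installation checks on the PSM server for the
# RDS licensing mode (per-user vs per-device) and the NLA state this page discusses.
# Assumptions: the function and finding texts are this example's; PSMConnect/PSMAdminConnect
# are the PSM users named on the page; run in an elevated session on the intended PSM server.

function Test-PsmRdsReadiness {
    param(
        [string[]] $PsmUsers = @('PSMConnect', 'PSMAdminConnect')
    )
    $ns = 'root/cimv2/TerminalServices'
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $isWin2019 = $os -like '*Server 2019*'

    # Win32_TerminalServiceSetting.LicensingType: 2 = per device, 4 = per user.
    $lic = Get-CimInstance -Namespace $ns -ClassName Win32_TerminalServiceSetting
    $licMode = switch ($lic.LicensingType) {
        2       { 'PerDevice' }
        4       { 'PerUser' }
        default { "Other($($lic.LicensingType))" }
    }

    # Win32_TSGeneralSetting.UserAuthenticationRequired = 1 means NLA is enforced on RDP-Tcp.
    $rdp = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $nlaEnabled = [bool]$rdp.UserAuthenticationRequired

    # Are the PSM accounts local users on this server (as opposed to domain accounts)?
    $localPsmUsers = foreach ($u in $PsmUsers) {
        if (Get-LocalUser -Name $u -ErrorAction SilentlyContinue) { $u }
    }

    $findings = @()
    if ($isWin2019 -and $licMode -eq 'PerUser' -and $localPsmUsers) {
        $findings += "Windows Server 2019 enforces RDS CALs: per-user licensing is not supported for local users ($($localPsmUsers -join ', ')). Use per-device CALs, or move the PSM users to the domain."
    }
    if ($licMode -notin 'PerDevice', 'PerUser') {
        $findings += "RDS licensing mode is '$licMode'; configure per-device (or per-user with domain PSM users) before installing PSM."
    }
    if ($nlaEnabled) {
        $findings += 'NLA is enabled on the RDP-Tcp listener: connections through the PVWA are not supported; users must connect with PSM for Windows (standard RDP client).'
    }

    [pscustomobject]@{
        OperatingSystem = $os
        LicensingMode   = $licMode
        NlaEnabled      = $nlaEnabled
        LocalPsmUsers   = $localPsmUsers
        Findings        = $findings
    }
}

Test-PsmRdsReadiness | Format-List
```

An empty Findings list means the server's licensing mode and listener settings are consistent with the page's guidance; a non-empty list tells you which change (per-device CALs, domain PSM users, or accepting PSM for Windows as the only connection method) to make before continuing.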

Establish connections through PSM from a Unix/Linux device

You can access PSM from a Unix/Linux device in one of the following ways:

  • Connect through the PVWA portal from a Unix/Linux device using an HTML5 gateway. For details about configuring PSM to work with HTML5, see Secure Access with an HTML5 Gateway.

  • Connect from any desktop platform through PSM for Windows using a standard RDP client application. This is relevant even when working on a Unix/Linux workstation.

Supported PSM connection methods

This table describes the PSM connection methods you can use with different PSM implementations. The first four columns are connections launched from the PVWA (ActiveX, RDP file, RDP file with RemoteApp, HTML5); the last column is PSM for Windows, that is, a standard RDP client on the user's desktop connecting to the PSM server directly (no RemoteApp).

PSM implementation                           | ActiveX | RDP file | RDP file with RemoteApp | HTML5 | Standard RDP client
---------------------------------------------|---------|----------|-------------------------|-------|--------------------
Connection broker used as load balancer      | ✓ (1)   | -        | -                       | -     | ✓
NLA enabled on the PSM server                | -       | -        | -                       | -     | ✓
NLA enabled on the RDP client                | -       | -        | -                       | ✓     | ✓
RD Gateway with single sign-on (2)           | ✓ (1)   | -        | -                       | -     | ✓
RD Gateway with separate authentication (3)  | -       | ✓        | ✓                       | ✓     | ✓
Windows client machine                       | ✓       | ✓        | ✓                       | ✓     | ✓
Mac client machine                           | -       | ✓        | ✓                       | ✓     | ✓
Unix/Linux client machine                    | -       | -        | -                       | ✓     | ✓

NLA enabled on the PSM server: when NLA is enabled on the PSM server, only one connection method through PSM is available. Connect from your desktop using a standard RDP client application (PSM for Windows); connections through the PVWA are not supported.

NLA enabled on the RDP client: when NLA is enabled on the RDP client, connect through the PVWA using the HTML5 gateway, or from your desktop using a standard RDP client application.

(1) PSM Protocol 1: configuration is required for PSM to work with the older PSM Protocol 1. PSM Protocol 1 does not support connections using RDP files, HTML5, the RemoteApp user experience, or connections directly from the user's desktop.

(2) RD Gateway with single sign-on means one authentication for the RD Gateway and the Vault. Certain RDP client applications can be configured to use the same credentials to authenticate to both the PSM server (Vault) and the RD Gateway.

(3) RD Gateway with separate authentication to the RD Gateway and to the Vault.