Configure PSM to connect to Web applications
PSM supports secured connection to web applications using a web browser.
For configuration details, see Web applications for PSM.
Configure PSM to run web applications
- Log on to the PSM machine as an administrative user.
- Open the PSMHardening.ps1 script in the C:\Program Files (x86)\CyberArk\PSM\Hardening folder in a text editor, and check the value of $SUPPORT_WEB_APPLICATIONS. If it is not set to $true, change the value to $true and rerun the hardening script.
Deploy the dispatcher
WebAppDispatcher v12.6 is deployed with PSM v13.0. To also support web application connections via the Edge browser, download the latest webapp dispatcher from the CyberArk marketplace and copy it to the Components folder under the PSM Installation folder, overwriting the existing files.
Configure the Browser
Use the relevant procedure for your browser:
Chrome
Install Google Chrome (32-bit) on the PSM machine.
Configure AppLocker to enable Chrome to run.
- Remove the read-only permission from the PSMConfigureAppLocker.xml file.
- In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit the AllowedApplications section:
  - At the beginning of the Google Chrome processes section, remove the following line:
    <!-- If relevant, uncomment this part to allow Google Chrome webform based connection clients
  - At the end of the Google Chrome processes section, remove the following line:
    End of Google Chrome process comment -->
  - Specifically, make sure that the following line is uncommented:
    <Application Name="GoogleChrome" Type="Exe" Path="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Method="Hash" />
  - Verify that the path specified in the XML matches the browser installation path.
- Save the PSMConfigureAppLocker.xml configuration file and close it.
- Open PowerShell in C:\Program Files (x86)\CyberArk\PSM\Hardening and run the following command to start the script:
  .\PSMConfigureAppLocker.ps1
  For details, see Run AppLocker rules.
In-Domain environments
Perform the PSM hardening, including GPO settings, as specified in PSM Hardening.
Out-of-Domain environments
Run the PSMHardening.ps1 script in the PSM\Hardening folder with $SUPPORT_WEB_APPLICATIONS set to $true inside the script.
After running this script, make sure the output logs are empty.
Edge
Install Microsoft Edge (32-bit) on the PSM machine. Download the Edge driver and place it in the C:\Program Files (x86)\CyberArk\PSM\Components folder.
Configure AppLocker to enable Edge to run.
- Remove the read-only permission from the PSMConfigureAppLocker.xml file.
- In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit the AllowedApplications section:
  - At the beginning of the Microsoft Edge processes section, remove the following line:
    <!-- If relevant, uncomment this part to allow Edge webform based connection clients
  - At the end of the Microsoft Edge processes section, remove the following line:
    End of Microsoft Edge process comment -->
  - Specifically, make sure that the following line is uncommented:
    <Application Name="Edge" Type="Exe" Path="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Method="Hash" />
  - Verify that the path specified in the XML matches the browser installation path.
  - Add the following line:
    <Application Name="msedgedriver" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\msedgedriver.exe" Method="Hash" />
- Save the PSMConfigureAppLocker.xml configuration file and close it.
- Open PowerShell in C:\Program Files (x86)\CyberArk\PSM\Hardening and run the following command to start the script:
  .\PSMConfigureAppLocker.ps1
  For details, see Run AppLocker rules.
In-Domain environments
Perform the PSM hardening, including GPO settings, as specified in PSM Hardening.
Out-of-Domain environments
Run the PSMHardening.ps1 script in the PSM\Hardening folder with $SUPPORT_WEB_APPLICATIONS set to $true inside the script.
After running this script, make sure the output logs are empty.
Certificates
If the target web application uses an HTTPS certificate or any other certificate, make sure that the certificate is properly installed and valid on the PSM machine.
Test the connection
Log on to the PSM server as an administrative user. Verify that you can open the browser and access the login page of the target web application.
The web browser driver must correspond to the version of the installed browser.
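A pre-flight check for the Edge procedure above, added here as an example and not CyberArk's own code: it confirms that the browser and driver entries in PSMConfigureAppLocker.xml are really uncommented, that each Path points to an existing file, and that msedgedriver matches the Edge major version. It assumes the default PSM installation folder and that both executables carry a Windows version resource; the function and variable names are illustrative.

```powershell
# Added example, not CyberArk code. Entry names and paths come from this page;
# $PsmRoot assumes the default installation folder.
$PsmRoot   = 'C:\Program Files (x86)\CyberArk\PSM'
$ConfigXml = Join-Path $PsmRoot 'Hardening\PSMConfigureAppLocker.xml'
$Expected  = 'Edge', 'msedgedriver'   # use 'GoogleChrome' instead for a Chrome deployment

function Get-ActiveExeEntry {
    param([Parameter(Mandatory)][string]$XmlPath)
    # Lines still wrapped in <!-- ... --> are XML comments, not elements,
    # so only entries that are really uncommented end up in the result.
    # A half-removed comment marker makes the file malformed and the cast throws.
    [xml]$doc = Get-Content -LiteralPath $XmlPath -Raw
    $active = @{}
    foreach ($node in $doc.SelectNodes("//*[local-name()='Application' and @Type='Exe']")) {
        $active[$node.GetAttribute('Name')] = $node.GetAttribute('Path')
    }
    return $active
}

function Test-PsmBrowserEntry {
    param([hashtable]$Active, [string[]]$Names)
    foreach ($name in $Names) {
        if (-not $Active.ContainsKey($name)) {
            "${name}: entry is missing or still commented out"
        } elseif (-not (Test-Path -LiteralPath $Active[$name] -PathType Leaf)) {
            "${name}: no file at '$($Active[$name])'"
        }
    }
}

$active   = Get-ActiveExeEntry -XmlPath $ConfigXml
$problems = @(Test-PsmBrowserEntry -Active $active -Names $Expected)

# The driver must correspond to the installed browser: compare major versions.
# Assumption: both executables carry a Windows version resource.
if ($problems.Count -eq 0 -and $Expected -contains 'Edge' -and $Expected -contains 'msedgedriver') {
    $browser = (Get-Item -LiteralPath $active['Edge']).VersionInfo
    $driver  = (Get-Item -LiteralPath $active['msedgedriver']).VersionInfo
    if ($browser.FileMajorPart -ne $driver.FileMajorPart) {
        $problems += "msedgedriver $($driver.FileVersion) does not match Edge $($browser.FileVersion)"
    }
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'AppLocker browser entries are active and all paths resolve.' }
```

Run it from an elevated PowerShell session on the PSM machine after saving the XML file and before starting PSMConfigureAppLocker.ps1.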