Install PSM in a Load-Balancing Environment
Installing multiple PSMs in a load-balancing configuration offers enhanced availability, improved performance and better utilization of hardware resources compared to an active-passive cluster.
The load-balancing architecture relies on an external tool that presents multiple PSM servers behind a single IP or DNS address. PSM load balancing supports off-the-shelf load balancers.
PSM provides a service to determine the PSM service availability (health) and reports it, upon request, to the load balancer.
This section describes how to configure the PSM servers in a load-balanced environment.
Load balancing recommendations
The following recommendations apply to both big and small implementations, whether deployed in the cloud or on premises.
To learn more, see Example of how to configure a load balancer.
Recommendation | Description
---|---
Application load balancing | We recommend using an application-aware load balancing platform, deployed as a reverse proxy, for both big and small implementations. Deploy either a hardware or a virtual appliance that best addresses capacity, feature set and support options. Hardware options usually offer the greatest scalability, while virtual appliances offer added deployment flexibility.
Health monitoring | Configure the load balancer to combine RDS and PSM application-level monitoring. For PSM, configure an HTTP health check by integrating with the PSM Health Check web service, and configure TCP monitoring for the RDS service health check, as recommended by Microsoft, to achieve complete active application-level monitoring.
SSL configuration | Enable SSL passthrough to protect the communication line between the load balancer and the PSM nodes. For limited cases where the security of the communication line is not a concern, you can use SSL acceleration/termination.
Routing algorithm | Set the load balancing method to least connections so that the load, on average, is balanced equally between the nodes within the PSM pool.
Load balancer high availability | We recommend setting up high availability of the load balancer itself.
DNS load balancing | We recommend using DNS load balancing for both big and small implementations.

Live monitoring of other sessions must be routed to the specific PSM host where the target live session resides, bypassing the normal routing algorithm.
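The following Python sketch is an added example, not CyberArk code and not part of this page: it models how a load balancer in front of a PSM pool applies the three rules above. A node is in rotation only when both application-level probes pass (HTTP against the PSM Health Check web service and TCP against the RDS listener), ordinary sessions go to the healthy node with the fewest connections, and a live-monitoring session is pinned to the host where the target session runs, bypassing least connections. The RDS port and the health-check URL path are assumptions: the page does not give the path, so `HEALTH_PATH` is a placeholder, and the demo injects probe results instead of contacting servers.

```python
"""Added example (not CyberArk code): health-gated, least-connections routing
for a PSM pool, with live-monitoring sessions pinned to a specific host."""
from dataclasses import dataclass
import socket
import urllib.request

# Assumptions, not stated on this page: the RDS listener is probed on the
# standard RDP port, and the PSM Health Check web service path is a placeholder
# to be replaced with the path documented for your version.
RDS_PORT = 3389
HEALTH_PATH = "/PLACEHOLDER_PSM_HEALTH_CHECK_PATH"


@dataclass
class PsmNode:
    name: str
    address: str
    http_ok: bool = False   # last result of the PSM Health Check web service probe
    rds_ok: bool = False    # last result of the TCP probe to the RDS listener
    connections: int = 0    # sessions the balancer has routed here

    def healthy(self) -> bool:
        # Both checks must pass: a node whose web service answers but whose
        # RDS listener is down is taken out of rotation.
        return self.http_ok and self.rds_ok


def probe_http(address: str, timeout: float = 3.0) -> bool:
    """HTTP health check: any 2xx answer from the health web service is healthy."""
    try:
        with urllib.request.urlopen(f"https://{address}{HEALTH_PATH}", timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except Exception:
        return False


def probe_tcp(address: str, port: int = RDS_PORT, timeout: float = 3.0) -> bool:
    """TCP health check for the RDS service: a completed handshake is healthy."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def refresh_health(node: PsmNode, http=probe_http, tcp=probe_tcp) -> bool:
    """Run both probes and record the results on the node. The probes are
    injectable so the routing logic can be exercised without live servers."""
    node.http_ok = http(node.address)
    node.rds_ok = tcp(node.address)
    return node.healthy()


def choose_node(pool, live_session_host=None) -> PsmNode:
    """Pick the node for a new session.

    live_session_host: name of the PSM host running the session to be monitored.
    When given, least connections is bypassed and that host is returned if it is
    healthy; otherwise the request fails instead of landing on a node that does
    not hold the session."""
    if live_session_host is not None:
        pinned = next((n for n in pool if n.name == live_session_host), None)
        if pinned is None or not pinned.healthy():
            raise RuntimeError(f"PSM host {live_session_host!r} unavailable for live monitoring")
        return pinned
    candidates = [n for n in pool if n.healthy()]
    if not candidates:
        raise RuntimeError("no healthy PSM node in the pool")
    # Least connections: the node currently carrying the fewest sessions.
    return min(candidates, key=lambda n: n.connections)


def route(pool, live_session_host=None) -> PsmNode:
    """choose_node plus the per-node bookkeeping least connections relies on."""
    node = choose_node(pool, live_session_host)
    node.connections += 1
    return node


def demo():
    """Constructed three-node pool; probe results are injected, not measured."""
    pool = [PsmNode("psm01", "10.10.10.11"), PsmNode("psm02", "10.10.10.12"),
            PsmNode("psm03", "10.10.10.13")]
    probes = {"10.10.10.11": (True, True),
              "10.10.10.12": (True, False),   # web service up, RDS listener down
              "10.10.10.13": (True, True)}
    for n in pool:
        refresh_health(n, http=lambda a: probes[a][0], tcp=lambda a: probes[a][1])
    first = route(pool).name                                  # psm01 (tie, first)
    second = route(pool).name                                 # psm03 (fewer connections)
    pinned = route(pool, live_session_host="psm03").name      # psm03, pinned
    return first, second, pinned


if __name__ == "__main__":
    print(demo())
```

Run it as is to see the demo; point `refresh_health` at the real probes and fill in `HEALTH_PATH` to use it as a stand-alone monitor of a pool.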
Configure PSM to work with load balancing
This section describes how to configure PSM to work with load balancing.
Considerations
- The same version of PSM must be installed on all PSM servers in an environment with load balanced PSMs.
- The RemoteApp feature requires a connection broker and a session collection to be associated with it. This is required whether or not the connection broker is used for load balancing. If these prerequisites are not set up, the PSM installation will not be able to install the RemoteApp feature. If this happens, repair the installation and add the RemoteApp feature at a later stage, after setting up the prerequisites.
- After installing the first PSM server, and before installing additional PSM servers, make sure the user who will perform the installation is not a direct owner in the PSMUnmanagedSessionAccounts Safe.
PSM in a load balancing environment
This section describes how to configure CyberArk components to support PSM deployment in a load balanced environment.
A prerequisite for this step is that the PSM servers must have a virtual IP/DNS address.
- Install the first PSM on the first PSM server, then install the second PSM on the second and any additional PSM servers.
  For information about installing PSM, refer to Privileged Session Manager.
- Log onto the PVWA as an administrator user and define the new PSM server. Reference the RDS farm DNS record as follows:
  - Click ADMINISTRATION to display the System Configuration page, then click Options to display the Web Access Options parameters.
  - Display the Privileged Session Management parameters, then expand Configured PSM Servers.
  - Copy an existing configured PSM server and paste it in Configured PSM Servers to create an additional configured server that you can change.
    It is important to copy an existing PSM server and modify it, rather than use the Add PSMServer option, so that the PSM farm and the configured servers retain the same PSMProtocolVersion property.
  - Change the following properties:
    ID – The RDS farm name. For example, PSMs for PSM farm psm-group-1. This ID must be unique.
    Name – The name of the PSM group server.
  - Expand Connection Details, then select Server and specify the following properties:
    Address – The virtual IP address of the cluster. For example, 10.10.10.1.
    Safe – The Safe where the logon account for the PSM server is stored. For example, PSM.
    Folder – The folder where the logon account for the PSM server is stored. For example, root.
    Object – The name of the account used as the logon account for the PSM server. For example, PSMServer.
    AdminObject – An internal account used to facilitate live session monitoring. This account is created and managed automatically by the CPM and must not be managed manually.
  - Click Apply to save the new configurations.
- In the PVWA, enable the PSM cluster for the relevant platform. For example, WindowsLocal.
  - Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
  - Select the platform to configure for the PSM cluster, then click Edit.
  - Expand UI & Workflows, then select Privileged Session Management; the PSM parameters for this platform are displayed with their default values.
  - In the Properties list, specify the following property:
    ID – The unique ID of the PSM cluster server. This ID is taken from the list of PSM servers configured in Options. According to the examples used throughout this procedure, this is PSM-group-1.
  - Click Apply to save the new configurations.
The PSMProtocolVersion property of the PSMFarm entry in PVConfiguration.xml must be the same as that of the other PSM servers in PVConfiguration.xml.
To enable PSM live monitoring in a load balanced PSM environment, apply the following configuration and prerequisites.
- In the PVWA system configuration, check that all PSM servers are configured properly:
  - Log onto the PVWA with an administrative user.
  - Click ADMINISTRATION to display the System Configuration page, then click Options to display the Web Access Options parameters.
  - Expand Privileged Session Management, and then expand Configured PSM Servers.
  - Make sure that all the PSM servers in your environment are configured and that a correct IP address and PSMAdminConnect user is set for each one.
    In implementations with load balanced PSMs, the PSMAdminConnect user that is used to establish the monitoring session is the one associated with the PSM server where the privileged session is running. The PSMAdminConnect user in Configured PSM Servers that is associated with the farm entry is ignored.
  - Click Apply to save the new configurations.
- Make sure that the following prerequisites are met:
  - The PSM server must allow remote connections for the PSMAdminConnect user.
  - A connection from the end user machine to the PSM server must be allowed.
  - When using RD Connection Broker, the PSMAdminConnect user associated with any of the PSM servers must be a local user.
  - When enabling an SSL connection to the PSM servers, a certificate that includes both the PSM itself and the DNS name of the load balancer address must be issued for each PSM server.
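As an added check, not CyberArk code and not something this page ships, the following Python script reads a PVConfiguration.xml-style document and reports the two conditions that the configuration procedure and the live-monitoring section above depend on: every entry under Configured PSM Servers carries the same PSMProtocolVersion as the farm entry, and every individual PSM server has an Address and an AdminObject (the farm entry's own AdminObject is ignored for monitoring, so it is not checked). The element layout (PSMServer, ConnectionDetails, Server as XML attributes) and the sample document are constructed assumptions; the property names are the ones the procedure names, and the duplicate-ID check follows the "This ID must be unique" requirement.

```python
"""Added example (not CyberArk code): consistency checks over a
PVConfiguration.xml-style document for a load-balanced PSM deployment."""
import xml.etree.ElementTree as ET

# Constructed sample. The element names are assumed for this example; the
# property names are those used in the PVWA procedure. It deliberately contains
# two defects on PSMServer_2: a different PSMProtocolVersion and no AdminObject.
SAMPLE_PVCONFIG = """<PasswordVaultConfiguration>
  <PrivilegedSessionManagement>
    <ConfiguredPSMServers>
      <PSMServer ID="PSMServer_1" Name="psm-node-1" PSMProtocolVersion="2">
        <ConnectionDetails>
          <Server Address="10.10.10.11" Safe="PSM" Folder="root"
                  Object="PSMServer_1" AdminObject="PSMAdminConnect_1"/>
        </ConnectionDetails>
      </PSMServer>
      <PSMServer ID="PSMServer_2" Name="psm-node-2" PSMProtocolVersion="1">
        <ConnectionDetails>
          <Server Address="10.10.10.12" Safe="PSM" Folder="root"
                  Object="PSMServer_2"/>
        </ConnectionDetails>
      </PSMServer>
      <PSMServer ID="psm-group-1" Name="PSM group" PSMProtocolVersion="2">
        <ConnectionDetails>
          <Server Address="10.10.10.1" Safe="PSM" Folder="root"
                  Object="PSMServer" AdminObject="PSMAdminConnect"/>
        </ConnectionDetails>
      </PSMServer>
    </ConfiguredPSMServers>
  </PrivilegedSessionManagement>
</PasswordVaultConfiguration>
"""


def load_psm_servers(xml_text):
    """Flatten each PSMServer entry and its Connection Details into one dict."""
    root = ET.fromstring(xml_text)
    servers = []
    for node in root.iter("PSMServer"):
        server = node.find("ConnectionDetails/Server")
        details = dict(server.attrib) if server is not None else {}
        servers.append({"ID": node.get("ID"), "Name": node.get("Name"),
                        "PSMProtocolVersion": node.get("PSMProtocolVersion"),
                        **details})
    return servers


def check_load_balanced_config(xml_text, farm_id):
    """Return a list of findings (empty when the configuration is consistent).

    farm_id is the ID of the farm entry, i.e. the server whose Address is the
    virtual IP of the cluster (psm-group-1 in the procedure's examples)."""
    servers = load_psm_servers(xml_text)
    ids = [s["ID"] for s in servers]
    farm = next((s for s in servers if s["ID"] == farm_id), None)
    if farm is None:
        return [f"farm entry {farm_id!r} not found in Configured PSM Servers"]
    findings = []
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"PSM server ID {dup!r} is not unique")
    farm_version = farm["PSMProtocolVersion"]
    for s in servers:
        if s["PSMProtocolVersion"] != farm_version:
            findings.append(f"{s['ID']}: PSMProtocolVersion {s['PSMProtocolVersion']!r} "
                            f"differs from farm entry {farm_id!r} ({farm_version!r})")
        if s["ID"] == farm_id:
            continue  # the farm entry's AdminObject is ignored for live monitoring
        for prop in ("Address", "AdminObject"):
            if not s.get(prop):
                findings.append(f"{s['ID']}: missing {prop}")
    return findings


if __name__ == "__main__":
    for line in check_load_balanced_config(SAMPLE_PVCONFIG, "psm-group-1"):
        print(line)
```

Point `check_load_balanced_config` at the real file contents and at the ID you gave the farm entry in Configured PSM Servers; if the element names in your PVConfiguration.xml differ from the assumed ones, adjust `load_psm_servers` accordingly.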