Deploy Secure Tunnel

This topic describes how to set up and configure Secure Tunnel in order to securely connect to your SIEM servers and your remote access PSM servers.

For details, see Connect to SIEM and Configure the PSMs through the Secure Tunnel wizard.

Before you begin

  • Consider the following:



    Connector client machine name must be unique

    The name of the Connector client machine must be unique across domains. Only the machine host name is used to generate the tunnel ID and therefore it must be unique, even if the machines are deployed in multiple domains.

    Secure Tunnel port Check that this port is free for use. If not, see Secure Tunnel troubleshooting for steps on how to configure a different port.

    Remote access for employees

    If you are configuring remote access for your employees, you must also configure the designated PSMs. For details, see Configure remote access for employees.

Install and configure Secure Tunnel

Install and configure the Secure Tunnel on the Connector machine.

To install and configure the Secure Tunnel:


The Secure Tunnel includes an installation tool and a configuration tool. When you install the Secure Tunnel for the first time, the configuration tool is launched automatically after the installation is complete. To make changes to a previously installed Secure Tunnel, run the configuration tool.

  1. From the Privilege Cloud software package that you downloaded in Deploy the Privilege Cloud Connector, copy the Secure Tunnel zip file and unzip the package.
  2. On the Select Installation Folder page, enter the location of the installation folder, and click Install.
  3. On the Ready to Install page, click Finish.

    When the installation is complete the configuration tool is launched.

    If you do not want to configure the Secure Tunnel at this time, you can close the wizard and launch the configuration tool later. When you close the installation wizard, a shortcut to the configuration tool is created on the desktop. You can open the configuration tool either from the desktop shortcut or from the installation folder at any time.

  4. On the Authenticate to Privilege Cloud page, enter the Customer ID provided to you in the Welcome to CyberArk Identity Security Platform email and the installeruser name (installeruser@<suffix>) and password that you set before you started the installation process (see Before you begin).
  5. On the Configure on-premise components page, add the components that you want to connect through the secure tunnel, and click Configure Components.

    Enter the following information:



    Component Type

    Select one of the following components:

    • SIEM: Up to five Syslog servers can be connected to Privilege Cloud at one time.

    • PSM-RDP: No limit to how many servers can be connected to Privilege Cloud at one time.

    Host Address

    The hostname or IP address of component server.

    PSM for remote access uses TLS communication and must include a hostname.

    The following domains cannot be used as host names for Secure Tunnel configuration:






    Destination Port

    The port used for connecting the Secure Tunnel server to the component server.

    Click Advanced to display this column.

    Typically, the ports used for these components are:

    • SIEM - 1468

    If you are using different ports, edit this field for the relevant component.

    Remote Port

    The port used by the CyberArk to interface with your Secure Tunnel.

    Click Advanced to display this column. The Remote Port is provided to you by CyberArk support.

    Each interface has a default port. For multiple instances the ports are numbered sequentially.

    Typically, the ports used for these components are:

    • SIEM - 1468 (first SIEM instance), 1469, etc.

    Access through Secure Tunnels

    You can configure which Secure Tunnels your servers will access through, even if these Secure Tunnels are running on a different machine.

Post installation steps

After installing Secure Tunnel you can:

Supported connections - scope

The following table includes the number of component connections, per component type, that the Secure Tunnel supports.


Max supported




Max supported