Deploy Secure Tunnel
This topic describes how to set up and configure Secure Tunnel in order to securely connect to your SIEM servers and your remote access PSM servers.
For details, see Connect to SIEM and Configure the PSMs through the Secure Tunnel wizard.
Before you begin
-
Consider the following:
Consideration
Comment
Connector client machine name must be unique
The name of the Connector client machine must be unique across domains. Only the machine host name is used to generate the tunnel ID and therefore it must be unique, even if the machines are deployed in multiple domains.
Secure Tunnel port Check that this port is free for use. If not, see Secure Tunnel troubleshooting for steps on how to configure a different port. Remote access for employees
If you are configuring remote access for your employees, you must also configure the designated PSMs. For details, see Configure remote access for employees.
Install and configure Secure Tunnel
Install and configure the Secure Tunnel on the Connector machine.
To install and configure the Secure Tunnel:
|
The Secure Tunnel includes an installation tool and a configuration tool. When you install the Secure Tunnel for the first time, the configuration tool is launched automatically after the installation is complete. To make changes to a previously installed Secure Tunnel, run the configuration tool. |
- From the Privilege Cloud software package that you downloaded in Deploy the Privilege Cloud Connector, copy the Secure Tunnel zip file and unzip the package.
- On the Select Installation Folder page, enter the location of the installation folder, and click Install.
-
On the Ready to Install page, click Finish.
When the installation is complete the configuration tool is launched.
If you do not want to configure the Secure Tunnel at this time, you can close the wizard and launch the configuration tool later. When you close the installation wizard, a shortcut to the configuration tool is created on the desktop. You can open the configuration tool either from the desktop shortcut or from the installation folder at any time.
- On the Authenticate to Privilege Cloud page,
-
On the Configure on-premise components page, add the components that you want to connect through the secure tunnel, and click Configure Components.
Enter the following information:
Field
Description
Component Type
Select one of the following components:
-
SIEM: Up to five Syslog servers can be connected to Privilege Cloud at one time.
-
PSM-RDP: No limit to how many servers can be connected to Privilege Cloud at one time.
Host Address
The hostname or IP address of component server.
PSM for remote access use
The following domains cannot be used as host names for Secure Tunnel configuration:
*.aws.com
*.amazonaws.com
*.amazon.com
*.cyberark.com
*.cyberark.cloud
Destination Port
The port used for connecting the Secure Tunnel server to the component server.
Click Advanced to display this column.
Typically, the ports used for these components are:
- SIEM - 1468
If you are using different ports, edit this field for the relevant component.
Remote Port
The port used by the CyberArk to interface with your Secure Tunnel.
Click Advanced to display this column. The Remote Port is provided to you by CyberArk support.
Each interface has a default port. For multiple instances the ports are numbered sequentially.
Typically, the ports used for these components are:
- SIEM - 1468 (first SIEM instance), 1469, etc.
Access through Secure Tunnels
You can configure which Secure Tunnels your servers will access through, even if these Secure Tunnels are running on a different machine.
-
Post installation steps
After installing Secure Tunnel you can:
Supported connections - scope
The following table includes the number of component connections, per component type, that the Secure Tunnel supports.
|
Component |
Max supported |
|---|---|
|
SIEM |
5 |
|
Component |
Max supported |
|---|---|
|
SIEM |
5 |
