Set up PSM high availability

Privilege Cloud can be configured to recognize multiple instances of PSMs, to meet the requirements of high availability and load balancing implementations, as well as distributed network architecture.

Load balancing offers you enhanced availability, improved performance, and optimal usage of hardware resources.

The load balancing architecture relies on an external tool that reflects multiple PSM servers as a single IP or DNS address. PSM load balancing supports off-the-shelf load balancers.

PSM provides a service that determines PSM service availability (health) and reports it, on request, to the load balancer.

This section describes how to configure the PSM capabilities in a load-balanced environment.

Load balancing recommendations

The following recommendations apply to big and small implementations alike, whether deployed in the cloud or on-premises.

To learn more, see Example for configuring a load balancer.

Application load balancing: We recommend using an application-aware load balancing platform, deployed as a reverse proxy, for both big and small implementations. Deploy either a hardware or a virtual appliance that best addresses capacity, feature set and support options. Hardware options usually offer the greatest scalability, while virtual appliances offer added deployment flexibility.

Health monitoring: Configure the load balancer to combine RDS and PSM application-level monitoring. For PSM, configure an HTTP health check by integrating with the PSM health check service (see Deploy PSM Health Check), and configure TCP monitoring for the RDS service health check, as recommended by Microsoft, to achieve complete active application-level monitoring.

SSL configuration: Enable SSL passthrough to protect the communication line between the load balancer and the PSM nodes. Only in the limited cases where the security of that communication line is not a concern can you use SSL acceleration/termination instead.

Routing algorithm: Set the load balancing method to least connections, so that the load, on average, is balanced equally between the nodes within the PSM pool.

Load balancer high availability: We recommend setting up high availability for the load balancer itself.

DNS load balancing: We recommend using DNS load balancing for both big and small implementations.


Live monitoring of other sessions must be routed to the specific PSM host where the target live session resides, bypassing the normal routing algorithm.
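The health monitoring, routing algorithm and live monitoring recommendations above, modelled as an added Python example (this is not CyberArk code nor any load balancer vendor's): a node is eligible only if both the PSM HTTP health check and the RDS TCP check pass, new sessions go to the eligible node with the fewest active connections, and live monitoring is pinned to the node that already hosts the session. The names PsmNode, route and PSM_HEALTH_PATH are assumptions, the health check path is a placeholder, port 3389 is assumed for the RDS listener, and the probes are injectable so the routing logic can run offline.

```python
import socket
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass, field

PSM_HEALTH_PATH = "/PSM_HEALTH_PATH"  # placeholder; use the path from Deploy PSM Health Check
RDS_PORT = 3389                       # assumed RDS listener port probed by the TCP check


@dataclass
class PsmNode:
    host: str
    active: int = 0                             # sessions currently on this node
    sessions: set = field(default_factory=set)  # IDs of live sessions hosted here


def http_health_ok(host: str, timeout: float = 3.0) -> bool:
    """Application-level probe: HTTPS GET to the PSM health check service, certificate verified."""
    ctx = ssl.create_default_context()
    try:
        url = f"https://{host}{PSM_HEALTH_PATH}"
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status == 200
    except (OSError, urllib.error.URLError):
        return False


def rds_tcp_ok(host: str, timeout: float = 3.0) -> bool:
    """RDS-level probe: a plain TCP connect to the RDS listener, as Microsoft recommends."""
    try:
        with socket.create_connection((host, RDS_PORT), timeout=timeout):
            return True
    except OSError:
        return False


def node_healthy(node, http_probe=http_health_ok, tcp_probe=rds_tcp_ok) -> bool:
    """Combined check: a node is eligible only if BOTH probes pass."""
    return http_probe(node.host) and tcp_probe(node.host)


def route(nodes, session_id=None, monitor=False,
          http_probe=http_health_ok, tcp_probe=rds_tcp_ok):
    """Choose the node for a request. Live monitoring (monitor=True) is pinned to the
    node already hosting session_id; new sessions use least connections among healthy nodes."""
    if monitor:
        return next((n for n in nodes if session_id in n.sessions), None)
    healthy = [n for n in nodes if node_healthy(n, http_probe, tcp_probe)]
    return min(healthy, key=lambda n: n.active) if healthy else None
```

With the default probes the same functions perform real checks against the hosts, so the module can also back an external health check script.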

Configure PSM to work with load balancing

This section describes how to configure PSM to work with load balancing.


The same version of PSM must be installed on all Connector servers in an environment with load balanced PSMs.

Before you begin, make sure that the PSM servers have a virtual IP/DNS address.

Step 1: Install the PSMs on the machines:

Install the first PSM on the first Connector server, then install the second PSM on the second and any additional Connector servers.

For details on installing PSM, see Deploy the Privilege Cloud Connector.

Step 2: Configure the PSMs via the Privilege Cloud portal (reference the RDS farm DNS record)

  1. In the Privilege Cloud Portal, click Administration > Configuration Options.

  2. Go to Configurations > Privileged Session Management > Configured PSM Servers.

  3. Copy an existing configured PSM server and paste it under Configured PSM Servers to create an additional configured server that you can change.


    It is important to copy an existing PSM server and modify it, and not use the Add PSMServer option, so that you retain the same PSMProtocolVersion property for the PSM Farm and for the configured servers.

  4. Change the following properties in the additional server that you created:

    ID: The RDS farm name. For example, PSMs for PSM farm psm-group-1. The ID must be unique.

    Name: The name of the PSM group server.

  5. Expand Connection Details, and then click Server. Enter the following properties, and then save your changes:

    Address: Enter the virtual IP address of the cluster. For example, 10.10.10.1.

    Safe: The Safe where the logon account for the PSM Server is stored. For example, PSM.

    Folder: The folder where the logon account for the PSM Server is stored. For example, root.

    Object: The name of the account used as the logon account for the PSM Server. For example, PSMServer.

    AdminObject: An internal account used to facilitate live session monitoring. This account is created and managed automatically by the CPM and must not be managed manually.

Step 3: Enable the PSM cluster with the relevant platform

  1. In the Privilege Cloud portal, click Administration > Platform Management.
  2. Open the platform to configure the PSM cluster for editing.
  3. In the left pane, go to UI & Workflows, then select Privileged Session Management.
  4. In the Properties pane, in the ID field, enter the unique ID of the PSM cluster server. This is the same ID that you configured in the previous step.

Step 4: Move PSM application users to the domain level

For details, see Move PSM application users to the domain level.