Deploy the Privilege Cloud Connector

This topic describes how to deploy the Connector.

Overview

The Privilege Cloud Connector is a server that hosts the Secure Tunnel, PSM, and CPM, the components that provide the core functionality of Privilege Cloud.

For easier reading, this documentation refers to the Privilege Cloud Connector as "the Connector".

Installation considerations:
  • Security and hardening. A single unified GPO hardening policy (PSM_CPM) secures the Connector. The GPO hardening script runs automatically as part of the installation process and applies the GPO hardening policy settings to the PSM and CPM components. Learn more about Connector hardening.

  • High availability and disaster recovery. The basic Privilege Cloud deployment requires one Connector. However, you can deploy multiple PSMs for high availability and an additional CPM to support Disaster Recovery (DR).

  • Upgrade the Connector once a year, with the assistance of Cloud Services, to align with the latest version and to benefit from additional capabilities, enhancements, performance improvements, and bug fixes.
  • Verify that outbound traffic from the Connector server is always routed through the same public-facing IP.

Before you begin

  • To enable secure communication between the Privilege Cloud backend and your on-premises components, provide CyberArk Support with the public-facing IP addresses that your organization uses to access the internet.

  • Ensure you have the Privilege Cloud admin user name and password, received from CyberArk Support.

  • Ensure you have a local Admin user with full Admin rights. For in-domain deployments, this must be a domain user.

To fully secure the Connector server deployment, review the Security Fundamentals topic before you begin.

Prepare your machine

  1. From the CyberArk marketplace software area, download the latest Privilege Cloud version software package.

    1. By default, the following components and files are selected:

      Component                        Selected files
      Privilege Cloud Connector        Privilege-Cloud-Connector-13.0.zip
      Secure Tunnel Client Installer   PrivilegeCloudSecurTunnelInstaller-RIs-v3x.zip
      GPO                              Privilege Cloud Connector PSM_CPM Hardening GPO-v01.zip

    2. To support UNIX and Linux machines, select and download the PSM for SSH component. Download the relevant file for your environment:

      Privileged Session Manager for SSH (PSM for SSH)
      • PrivilegedSessionManagerSSHProxy-RHELinux8-Intel64-RIs-v13.0.zip

      • PrivilegedSessionManagerSSHProxy-RHELinux-Intel64-RIs-v13.0.zip

  2. From the CyberArk Integrations and Tools area, download the Privilege Cloud Tools package, including all available files, and save the package in a dedicated folder, commonly called Privilege Cloud Tools.

  3. From the downloaded Tools package, extract the PSMPrerequisites check:

    In the Privilege Cloud Tools>PSM Prerequisites folder, extract the PSMCheckPrerequisites_PrivilegeCloud.zip file. The following files are extracted:

    • Readme.txt

    • PSMCheckPrerequisites_PrivilegeCloud.ps1

    • VaultOperationsTester folder

  4. Copy the PSM_CPM GPO Hardening packages to the domain server and extract the zip packages.

Check the Privilege Cloud prerequisites

Before installing Privilege Cloud, determine whether the environment has the necessary prerequisites installed. The prerequisites check covers general environment, PSM, CPM connectivity, and Secure Tunnel prerequisites.

Learn which checks are run in Privilege Cloud installer checked items.

To check machine prerequisites:
  1. From the Privilege Cloud Tools kit downloaded in Prepare your machine, copy the PSMCheckPrerequisites_PrivilegeCloud.zip file to the Connector server and extract the zip file.

    The following files are extracted:

    • PSMCheckPrerequisites_PrivilegeCloud.ps1 PowerShell script

    • Readme.txt file

    • VaultOperationsTester folder, with files required for the CPM connectivity test

  2. Run the PowerShell command with a local Admin user:

    • For out-of-domain deployments:

      .\PSMCheckPrerequisites_PrivilegeCloud.ps1 -OutOfDomain

    • For in-domain deployments:

      .\PSMCheckPrerequisites_PrivilegeCloud.ps1

    The prerequisites check displays a list of checked items, together with an indication if the check succeeded or failed.

  3. Troubleshoot the displayed errors. Depending on the error indication, perform the following:

    • Link to a solution: click the link for the relevant instructions.

    • Tip on how to resolve the issue: perform the necessary steps according to the tip.

    • Recommendation to rerun the script with the -troubleshooting flag:

      1. Before repeating the check, in the folder where the check script is located, edit or delete the runtime file PSMCheckPrerequisites_PrivilegeCloud.ini.

      2. Rerun the check. For each error, a series of possible solutions is displayed.

      3. Select the relevant solution. A related script is run to automatically resolve the issue.

    • Indication of failure only: for checks that are self-explanatory and need no further instructions, perform the necessary steps to resolve the issue.

  4. After the prerequisites check has run, a prompt appears recommending that you run the CPM connectivity test.
    Ensure you have your Privilege Cloud Admin user name and password, and choose one of the following:

    • Click Yes to run the test.

    • At any time, run the CPM connection test PowerShell command:

      .\PSMCheckPrerequisites_PrivilegeCloud.ps1 -CPMConnectionTest

Run the Connector installer

The Connector setup wizard is a command line wizard.

To run the setup:

  1. From the Privilege Cloud software package downloaded in Prepare your machine, copy the Connector zip file to the Connector server and extract it.

  2. Log into the Connector machine using your local Admin user.

  3. Run the Connector executable file.

    The Connector verifies the prerequisites. If any are missing, it installs them, and then, if required, restarts the server.

    After the server restarts, the command line interface is launched automatically.

  4. Enter the Privilege Cloud admin user name.

  5. Enter the Privilege Cloud admin password.


    The password can contain only ASCII characters.

  6. Enter the logged-in administrator password (user credentials with local administrative rights).

    For in-domain deployments, the administrator must be a domain user.


    The password is not saved. It is just used to run the setup.

  7. Enter the Vault DNS name in the following format: vault-<subdomain>.privilegecloud.cyberark.com. See details in Dynamic configuration (recommended).

    In cases where outbound traffic from your organization has been defined to use static IPs, as described in Outbound traffic network and port requirements, enter the Vault IP. See details in Static configuration (if dynamic configuration does not apply).

  8. Enter the full installation path for the Connector.

    When installing multiple PSMs, verify that each PSM uses the same path to the same recordings directory.

  9. Select the installation mode (POC yes/no).


    Do not use POC mode in production. Hardening is not applied in POC mode.

  10. Select the components that you want to install: CPM/PSM/Both.

    • Both (default): select this option when you are deploying your first Connector.

    • CPM: select this option if you are deploying an additional Connector to support CPM in DR mode. To learn more, see Set up a Disaster Recovery CPM.

    • PSM: select this option if you are deploying an additional Connector to support PSM high availability. To learn more, see Set up PSM high availability.

  11. Select the installation mode for CPM:

    • Active (default): select this option if you are deploying your first Connector.

    • Passive: select this option if you are deploying an additional Connector to support CPM in DR mode.

  12. Enter the CPM application ID (optional).

    If you do not enter the CPM application ID, the instance hostname is used by default.

    The installation starts to run, notifying you of its progress and of each completed step. The installation may restart the machine several times, to apply the Connector settings.

    When the installation has completed all relevant steps, a notice appears indicating the installation is completed successfully.

  13. Verify PSM connectors are operating properly. See Check the Privilege Cloud Connector functionality.

For an in-domain deployment, continue to Apply GPO hardening for in-domain deployment.

Apply GPO hardening for in-domain deployment

This section describes the automatic hardening procedure for in-domain deployments and how to import and link the hardening GPO file in your environment.

When the Connector is deployed on an in-domain server, the automatic hardening procedure is based on a predefined GPO (Group Policy Object), which sets the hardening policy.

Considerations:

Dedicated OU in the Active Directory

To ensure the GPO hardening applies to all Connector servers in the Active Directory and does not affect other servers, make sure they are all located under a dedicated organizational unit (OU) in the Active Directory.

GPO file

The GPO hardening of the Connector server is based on a unified GPO file that applies to both the PSM and CPM.

To apply the hardening GPO

  1. Download the version's Privilege Cloud PSM_CPM Hardening GPO file as described in Prepare your machine.
  2. Import the GPO file to your Active Directory domain.

    1. Open the Group Policy Management Console (GPMC.msc).

    2. Create a GPO: 
      1. Expand Group Policy Management > <yourDomain>, then right-click Group Policy Objects and select New. The New GPO window appears.
      2. In the Name field, specify a name for the PSM_CPM GPO indicating the purpose and current version (for example, PSM_CPM Hardening vN.N), and click OK.
    3. In the list of Group Policy Objects, right-click the new Hardening GPO and select Import Settings.
    4. In the Welcome to the Import Settings Wizard window, click Next. The Backup GPO window appears.

    5. Click Next. The Backup location screen appears.
    6. Click Browse, and select the location where you stored the version's PSM_CPM Hardening GPO settings, for example Privilege Cloud Connector PSM_CPM Hardening GPO and click OK. The folder path appears in the Backup Location window.

    7. Click Next. The Source GPO window appears.

    8. Click Next. The Scanning Backup window appears.
    9. Click Next. The Completing the Import Settings Wizard window appears.
    10. Click Finish. The Import window appears indicating the progress of the GPO import.
    11. When the GPO import process has been completed, click OK.
  3. Link the GPO file to the dedicated CyberArk OU containing CyberArk servers.

    1. Make sure all Connector servers are located under the dedicated OU, so the GPO will not affect any other server.

    2. In the Group Policy Management Console, right-click the OU, then select Link an Existing GPO.

    3. Select the PSM_CPM Hardening GPO and click OK. The PSM_CPM GPO hardening policy appears in the Linked Group Policy Objects tab.

    Do not add any domain-specific settings to the GPO, and make sure that there are no domain-specific settings in the GPO, unless configured manually according to CyberArk guidelines and documentation. For example, "Domain\Domain Admins", "Domain\Connect", "Domain\AdminConnect".
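The following added example (not CyberArk's own script) performs the GPMC import-and-link steps above with the Windows GroupPolicy and ActiveDirectory PowerShell modules, and lists the OU's members first so you can confirm only Connector servers are in it. The backup folder path, the GPO display name, and the OU distinguished name are assumptions to adjust for your environment.

```powershell
# Added example, not CyberArk's own script: scripted equivalent of the GPMC steps above.
# Run as a user with GPO-management rights on a domain-joined machine.
#Requires -Modules GroupPolicy, ActiveDirectory
param(
    # Folder where the PSM_CPM Hardening GPO package was extracted (assumed path)
    [string]$BackupPath  = 'C:\Privilege Cloud Tools\Privilege Cloud Connector PSM_CPM Hardening GPO',
    # Display name for the imported GPO, following the naming advice above (assumed)
    [string]$GpoName     = 'PSM_CPM Hardening v1.0',
    # Dedicated OU that must hold ONLY Connector servers (placeholder DN)
    [string]$ConnectorOU = 'OU=CyberArk Connectors,DC=example,DC=com'
)
$ErrorActionPreference = 'Stop'

# A GPMC backup folder holds manifest.xml plus one {GUID} subfolder per backed-up GPO.
# Use the newest backup ID instead of guessing the backed-up GPO's display name.
$backup = Get-ChildItem -Path $BackupPath -Directory |
    Where-Object Name -Match '^\{[0-9a-fA-F-]{36}\}$' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $backup) { throw "No GPO backup found under $BackupPath" }
$backupId = [guid]$backup.Name

# Show the OU's members so you can confirm that nothing but Connector servers
# will receive the hardening policy (the dedicated-OU consideration above).
Write-Host "Computers currently in $ConnectorOU :"
Get-ADComputer -SearchBase $ConnectorOU -Filter * | Select-Object -ExpandProperty Name

# Create the GPO if it does not exist and import the hardening settings
# (equivalent to the Import Settings Wizard steps).
Import-GPO -BackupId $backupId -Path $BackupPath -TargetName $GpoName -CreateIfNeeded | Out-Null

# Link the GPO to the dedicated OU only once, so re-running does not stack links.
$existing = (Get-GPInheritance -Target $ConnectorOU).GpoLinks |
    Where-Object DisplayName -EQ $GpoName
if ($existing) {
    Write-Host "GPO '$GpoName' is already linked to $ConnectorOU"
} else {
    New-GPLink -Name $GpoName -Target $ConnectorOU -LinkEnabled Yes | Out-Null
    Write-Host "Linked '$GpoName' to $ConnectorOU"
}

# Export a readable report of the imported policy so you can review it for
# domain-specific entries that CyberArk's guidelines do not call for.
$report = Join-Path $env:TEMP "$GpoName.html"
Get-GPOReport -Name $GpoName -ReportType Html -Path $report
Write-Host "Policy report written to $report"
```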