ARCON

Installation and Configuration Guide | Version

4.8.5.0_U16 SP2
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Table of Contents
1 Introduction ................................................................................................................................................................................... 8
2 About this Guide........................................................................................................................................................................... 9
3 Product Overview..................................................................................................................................................................... 11
3.1 Solution Benefits ..................................................................................................................................................................... 11
3.2 Solution Architecture ............................................................................................................................................................ 11
3.3 Communication Flow............................................................................................................................................................. 12
4 ARCON PAM Deployment.................................................................................................................................................... 14
4.1 Prerequisites: Infrastructure Requirement.................................................................................................................. 14
4.2 Database Installation and Configuration ...................................................................................................................... 14
4.2.1 Prerequisites: SQL Server Setup.....................................................................................................................................14
4.2.2 SQL Server Express Installation......................................................................................................................................14
4.2.3 DB User Creation and Assign Permission ...................................................................................................................22
4.2.4 Folder Creation for database and Log files.................................................................................................................22
4.2.4.1 Database................................................................................................................................................................................ 22
4.2.5 Database Creation, Restoration and Owner Assignment ....................................................................................23
4.2.5.1 ARCOSDB ............................................................................................................................................................................. 23
4.2.5.2 ARCOSRDPDB.................................................................................................................................................................... 23
4.2.5.3 Create Database................................................................................................................................................................. 24
4.2.5.4 Database Restore............................................................................................................................................................... 25
4.2.5.5 Database Ownership and Recovery ........................................................................................................................... 29
4.2.5.6 Assign Database Role to New User (arcossqladmin) ........................................................................................... 31
4.3 Web Component Configuration........................................................................................................................................ 32
4.3.1 Install Frameworks and Controls ...................................................................................................................................33
4.3.2 Enable IIS Server on Web Server (Windows Only)..................................................................................................33
4.3.3 Configure ARCON PAM Client Manager....................................................................................................................33
4.3.3.1 Import SSL Certificate for ARCON PAM Client Manager................................................................................. 34
4.3.3.2 Assign SSL Certificate to ARCON PAM Client Manager ................................................................................... 34
4.3.3.3 Application Pool Setting for ARCON PAM Client Manager ............................................................................. 34
4.3.3.4 Database (DB) Settings Creations............................................................................................................................... 36
4.3.3.5 Test ARCON PAM Client Manager component on IE Browser ...................................................................... 37
4.3.4 Settings Deployment ...........................................................................................................................................................38
4.3.4.1 Pre-requisites ...................................................................................................................................................................... 38
4.3.4.2 Deployment Steps.............................................................................................................................................................. 39

2
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
4.3.4.3 Configuration....................................................................................................................................................................... 46
4.3.5 Configure ARCON PAM User Access Log Viewer Web Component...............................................................47
4.3.5.1 Application Pool Setting for ARCON PAM User Access Log Viewer Web ................................................. 49
4.3.5.2 Test ARCON PAM User Access Log Viewer Web component on Browser................................................ 50
4.3.6 ARCON PAM API Component Configuration...........................................................................................................51
4.3.6.1 Database(DB) Settings Creations................................................................................................................................ 52
4.3.7 License Registration and Login........................................................................................................................................53
4.3.7.1 ARCON PAM Server License Registration .............................................................................................................. 53
4.3.7.2 Domain Creation ................................................................................................................................................................ 54
4.4 ARCON PAM Windows Components............................................................................................................................. 58
4.4.1 ARCON Auto Healing Service..........................................................................................................................................59
4.4.1.1 Overview ............................................................................................................................................................................... 59
4.4.1.2 Installation ............................................................................................................................................................................ 60
4.4.2 ARCON WinVaulting Service...........................................................................................................................................67
4.4.2.1 Overview ............................................................................................................................................................................... 67
4.4.2.2 Prerequisites........................................................................................................................................................................ 68
4.4.2.3 Installation ............................................................................................................................................................................ 68
4.4.3 ARCOS Alert Service ...........................................................................................................................................................69
4.4.3.1 Overview ............................................................................................................................................................................... 69
4.4.3.2 Prerequisites........................................................................................................................................................................ 70
4.4.3.3 Installation ............................................................................................................................................................................ 70
4.4.4 ARCOS Failover Manager..................................................................................................................................................76
4.4.4.1 Overview ............................................................................................................................................................................... 76
4.4.4.2 Scenario.................................................................................................................................................................................. 76
4.4.5 ARCOS Log Archiver Service ...........................................................................................................................................82
4.4.5.1 Overview ............................................................................................................................................................................... 82
4.4.5.2 Installation ............................................................................................................................................................................ 83
4.4.6 ARCOS Log Archiver Service ONS.................................................................................................................................91
4.4.6.1 Overview ............................................................................................................................................................................... 91
4.4.6.2 Installation ............................................................................................................................................................................ 92
4.4.7 ARCOS Log Manager Service...........................................................................................................................................97
4.4.7.1 Overview ............................................................................................................................................................................... 97
4.4.7.2 Installation ............................................................................................................................................................................ 97
4.4.8 ARCOS Log Manager Service ONS ............................................................................................................................. 104
4.4.8.1 Overview .............................................................................................................................................................................104
4.4.8.2 Installation ..........................................................................................................................................................................104

3
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
4.4.9 ARCOS Scheduled Password Change Service........................................................................................................ 111
4.4.9.1 Overview .............................................................................................................................................................................111
4.4.9.2 Installation ..........................................................................................................................................................................111
4.4.10 ARCOS Viewed Password Change Service ............................................................................................................. 117
4.4.10.1 Overview .............................................................................................................................................................................117
4.4.10.2 Installation ..........................................................................................................................................................................118
4.5 Broker ....................................................................................................................................................................................... 123
4.5.1 Secure Gateway.................................................................................................................................................................. 123
4.5.1.1 Secure Gateway Server Configuration....................................................................................................................123
4.5.2 RDP Proxy............................................................................................................................................................................. 130
4.5.2.1 Overview .............................................................................................................................................................................130
5 LOB or Profile Master ...........................................................................................................................................................134

4
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

About this manual

This user manual is a comprehensive documentation for those wanting to get the most out of ARCON PAM
(Privileged Access Management). It combines step–by–step instructions to help you install ARCON PAM and
configure database.
• Disclaimer
• Copyright Notice
• Related Documents
• Target Audience
• Symbols & Conventions
• Acronyms
• POC (Point of Contacts) & Support Information

Disclaimer
This manual of ARCON PAM solution is being published to guide administrators with the step-by-step
procedures involved in installing ARCON PAM and configuring database.
The manual is in the nature of a guide for the users and, if any of the statements in this document are at
variance or inconsistent it shall be brought to the notice of ARCON PAM through the support team. Wherever
appropriate, references have been made to facilitate better understanding of the PAM solution. The ARCON
PAM team has made every effort to ensure that the information contained in it was correct at the time of
publishing.
This Manual of ARCON PAM solution contains information, which is the intellectual property of ARCON PAM.
This document is received in confidence and its contents cannot be disclosed or copied without the prior
written consent of ARCON PAM.
Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. ARCON PAM
disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a
particular purpose; merchantability; non-infringement of intellectual property or other rights of any third party
or of ARCON PAM; indemnity; and all others. The reader is advised that third parties can have intellectual
property rights that can be relevant to this document and the technologies discussed herein, and is advised to
seek the advice of competent legal counsel, without obligation of ARCON PAM.

Copyright Notice
Copyright © 2022 ARCON PAM All rights reserved.
ARCON PAM retains the right to make changes to this document at any time without notice. ARCON PAM
makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in
the document nor does it make a commitment to update the information contained herein.

Trademarks
Other product and corporate names may be trademarks of other companies and are used only for explanation
and to the owners' benefit, without intent to infringe.

Related Documents
Below are the related documents, which help to understand the ARCON PAM in detail

5
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
• ARCON PAM Overview Guide gives the overview of ARCON PAM Privilege Access Management.
• ARCON PAM Client Manager Guide describes a web console which supports multi-domain
authentication, dual factor authentication, multi-tenancy and target connectors.
• ARCON PAM Privileged Access Management (PAM) User Guide describes the features, benefits,
functionalities.
• ARCON PAM Set-up Pre-requisite describes the hardware and software required for deployment of
ARCON PAM in the user environment.
• ARCON PAM Troubleshoot provides the basic information for ARCON PAM issues.
• ARCON PAM Administrative Guide describes the process to administer, manage, and monitor Privilege
Identities and servers across the organization.

Target Audience
This guide is intended for auditors, consultants and security experts responsible for securing, auditing and
monitoring server administration processes; especially remote server management. It is also useful for IT
decision makers seeking for a tool to improve the security and auditing of their servers or to facilitate
compliance to the unique standard.
The following skills and knowledge are necessary for a successful ARCON PAM administrator:
• Basic system administration knowledge.
• Basic understanding of networks, TCP/IP protocols, and general network terminology.
• Working knowledge of the Windows operating system is not mandatory, but highly useful.
• In-depth knowledge of various servers and server applications is required for forensics situations.

Symbols and Conventions

The Following are the symbols and conventions used in this manual:

Symbols Description

Note Indicates helpful tips, shortcuts, and suggestions.

Information Indicates additional information.

0
This manual uses the following conventions to refer to sections, navigation, and other information.

Convention Description

Bold Keywords and menu names are displayed in bold.

0
Acronyms
The acronyms used in this manual are as follows:

Acronyms Description

PAM Privileged Access Management

LOB Line of Business

SSH Secure Shell

6
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Acronyms Description

RDP Remote Desktop Protocol

DB Database

IIS Internet Information Services

EPAM Enterprise Privilege Access

Management

PVSL Password Vault & Session Logging

SGS Secure Gateway Server

0
POC (Point of Contacts) & Support Information
The product is developed and maintained by ARCON TechSolutions Private Limited
web: https://arconnet.com/

Sales Contact
You can directly contact us with sales related topics at the email address <[email protected]>, or leave us
your contact information and we will call you back.

Support Contact
To access ARCON PAM Support Centre (ASC), Sign in with your account.
• Remote support is available 24*7.
• ARCON PAM Support System is available only for registered users with a valid support package.
• ARCON PAM Support Centre (ASC): https://support.arconnet.com/
• Central Support e-mail address: <[email protected]>
• Support hotline:
Global: +91 8080005577 (For ARCON PAM Support Press 3)
UAE: 800035703628 (Press 1)

7
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

1 Introduction
This guide provides the Installation and configuration instruction for system Administrators and security
Administrators for ARCON Privileged Access Management (PAM) suite. For more information about its
features, benefits, functionalities, and basic procedures, see the ARCON Related Document.
ARCON PAM ships with a number of documents that helps you to use the various features of the product. See
the following section for a list of guides.
The following section include the document convention, list of documentation for the product, and where to get
additional product information and technical support.

8
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

2 About this Guide

This Guide describes the ARCON Privilege Access Management and its installation and configuration
processes. The book has been divided into the following sections:
The first part of the guide introduces you to the ARCON Privilege Access Management and its unique
features.
The second part of the guide takes you through pre-requisites required for infrastructure.
The third part of the guide shows how to install and configure database; database creation, restoration and
ownership.
The forth part of the guide describes how to configure web components and license registration.
The fifth part of the guide puts you through the secure gateways configuration.
The sixth part of the guide explains the creation of LOB, users, services, user group and service group.

Part 1: Introduction
The first part of the book contains the following information:
• ARCON Privilege Access Management – An introduction to the concept of application identity and the
risks involved, as well as the solution requirements.

Part 2: Preparing to Install Privilege Access Management

The second part of the book contains the following information:
• Prerequisite for Infrastructure Requirement – The infrastructure requirement for ARCON Privilege
Access Management.

Part 3: Installing and Configuring ARCON PAM Database

The third part of the book contains the following information:
• Pre-requisite for SQL Server Set-up – The system requirements for the SQL Setup.
• Installing SQL Server – A step-by step guide to install SQL Server.
• DB User Creation and Assign Permission – A step-by step guide to create user required for ARCON
PAM database.
• DB Folder Creation – A step-by step guide to create two DB folders required for ARCON PAM Privilege
Account Management solution.
• DB Creation, Restoration and Ownership – A step-by step guide to create two databases, configure
those databases and give them the ownership.

Part 4: Web Component Configuration

The forth part of the book contains the following information:
• Enable IIS Server – A step-by-step guide to enable IIS Server on Windows.
• Install Framework and Controls – An overview of various frameworks and controls to be installed.
• Configure ARCON PAM Client Manager Online – A step-by-step guide on how to configure ARCON
PAM Client Manager Online on IIS Manager.

9
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
• Configure ARCON PAM User Access Log Viewer Web Component – A step-by-step guide on how to
configure ARCON PAM User Access Log Viewer Web, assign Application Pool settings and test the web
component configuration on browser.
• ARCON PAM Database Settings Creation – A step-by-step guide on how to create DB settings for
ARCON PAM Client Manager.
• License Registration and Login – A guide about to license registration and login into ARCON PAM
Server Manager.

Part 5: Secure Gateway Configuration

The fifth part of the book contains the following information:
• With Windows Server – A guide to install freeSSHd.
• With UNIX / Linux Server – A guide to configure and map secure gateway server.

Part 6: LOB/Profile Master and Manager

The sixth part of the book contains the following information:
• Creating LOB – A guide to create LOB.
• User/Service Creation and Mapping – A guide to User/Service creation and mapping.
• Creating User – A guide to create user.
• Creating Service – A guide to create service.
• Creating User and Service Group – A guide to create user and service group.
• Mapping User to User Group – A guide to map user to user group.
• Mapping Service to Server Group – A guide to map service to server group.
• Mapping Server/Service Group – A guide to map server/service group.
• Mapping Service to Users – A guide to map service to users.
• Mapping Service to Multiple Users – A guide to map service to multiple users.
• Mapping Users to LOB – A guide to map users to LOB.
• Removing Users from LOB – A guide to remove users from LOB.
• Sharing Users between LOB(s) – A guide to share users between LOBs.
• Mapping User Group/s to LOB – A guide to map user groups to LOB.
• Removing User Group from LOB – A guide to remove user group from LOB.
• Mapping Service(s) to LOB – A guide to map service to LOB.

10
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3 Product Overview
The product overview gives information about the high level and full life cycle description and product
offerings provided by ARCON PAM Privilege Access Management solution.
ARCON Privilege Access Management (PAM) solution is a high level access security solution for managing the
privilege accounts in an enterprise. The solution allows organization to secure, control, monitor and audit all
the activities associated with all types of Privilege Identities such as Administrators on Windows server, Root
on UNIX server, Cisco Enable in Cisco, etc.
ARCON PAM Privilege Access Management uses a highly secured Digital Vault which is also known as
Password Vault to store the Privilege password of privilege identities. This Password Vault is the heart of the
solution. The audit and session logging activities associated with the privilege account is kept in this vault with
highest security standards. The password vault uses numerous secured methodology to authenticate, encrypt,
audit and protect data.
The ARCON PAM Privilege Access Management solution uses following components:
Single Sign On: Single Sign-On enables Administrators to enter the login id and password only once to logon
into multiple systems or domains within an enterprise. The username and password is authenticated with local
repository or Active Directory of the windows server through LDAP protocol.
Password Vault: Password Vault is the heart of the ARCON PAM solution where passwords and sensitive data
of privilege accounts are stored. It is the central repository for passwords and auditing management. It is
designed with the state-of-art technology and can be installed on dedicated server as well as on the application
server depending on the enterprise infrastructure.
Access Control: ARCON PAM Access Control manages super-users authentication and authorization based on
assigned privileges. It enables organization to secure, control and monitor privilege account by using vault
technology. It empowers the organization and gives complete visibility and control of privilege account and
super users in an enterprise. Also enables centralized management and auditing of the privilege account.
Session Monitoring: The Session Monitoring enables enterprise to secure, control and monitor the access of
privilege account. It automatically creates video log which records all activity of the Administrators for each
minutes and seconds on the server. These recordings are stored in ARCON PAM database and accessible to
authorized auditors. All activities are fully monitored and strictly meet the auditing and governance standards.
Realtime Data Synchronization Process and Near Zero Downtime Application Failure: ARCON PAM
supports High Availability by real-time data synchronization and near zero down time application failure. The
Data Synchronization process for HA (High Availability) establishes consistency among data from a source to a
target data storage and vice versa and the continuous harmonization of the data over time.

3.1 Solution Benefits

• Secure, Manage and Protect Privilege Account
• Minimize Shared Administrative Accounts
• Reliably Control and Monitor Privilege Account
• Audit and Comply with governance requirement
• Streamline Password Management
• Easily Integrate with Enterprise
• Simple to Deploy

3.2 Solution Architecture

The ARCON PAM solution securely manages, stores, archive and transfers all your privilege Administrative
passwords within your organization internally or remotely. These secured passwords are kept in the password
vault.

11
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
The password vault which acts as a ‘Bunker’ is the heart of the solution. It is secured with multiple layer of
security which includes Firewall, Authentication, Authorization, Access control, Encryption, Session
monitoring, etc. These layers make the solution secure for the Privilege Accounts present in an organization.
The PAM architecture is very simple and seamlessly integrates with the complex infrastructure of an
enterprise. It can be deployed within a short period of time and can be accessed through Web interface. The
various API’s help the solution to be more secure.
The following diagram shows the various components of PAM solution:

The PAM architecture consists of two important components. First is ARCON PAM Secured Vault which stores
data and protect it through authentication and authorization. The Vault server manages numerous services
within ARCON PAM which are required for the successful operation of the PAM solution.
Second is the Secured Gateway Server which uses a unique technology to channelize all the traffic. It uses a
secured server that runs proprietary components to manage all traffic directly from a user machine to the
target devices. Secured port are used to channelize these traffics. Major advantage of this technique is, it makes
ARCON PAM highly scalable as it is not dependent on ‘RDP’ to access the application server. Further, this
technology helps in managing highly complex environments including distributed datacenters, wherein all
devices across data center can be managed by single instance of ARCON PAM.

3.3 Communication Flow

• Enter the ARCON PAM portal URL on the browser. The request goes to the ARCON PAM Application
Server and the login page of ARCON PAM is displayed on the machine.
• Enter the login credentials and click OK button. The user will get authenticated in either of the two
ways:
If the user is a local repository user, the credentials will get authenticated with the database
server [password vault (PVSL)]. OR
If he’s a domain user, the credentials will get authenticated with Active Directory.
• If dual factor authentication is enabled for the user, they will get authenticated twice and on successful
with AD or password vault, Client Manager will open.

12
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

 Depending on the access granted, user can search the Hostname/IP Address/Service Type
which are populated on the portal.

• On clicking the Open Connection icon the request goes to the application server and the necessary
executable files are downloaded on the User’s machine, under temp folder with the help of the browser
plugin. On execution of this executable a secured (SSH) connection is locally established from the user’s
machine to the ARCON PAM Secured Server which eventually routes it to target server/device. Thus
the session is delivered on the User’s Machine.
• Simultaneously, the session also establishes a dedicated connection with ARCON PAM Application
Server through which the activities performed by the Administrators / users are logged and saved in the
password vault (database) on real time.
• Whereas for a Thick client, when a user Clicks Open Connection, Application execute the .exe of Third
Party Application from the User’s local machine at the given path which is configured in User’s My
Preference Tab in the ARCON PAM portal.

13
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4 ARCON PAM Deployment

Before preparing to install you need to plan the various requirement required for the solution in your
organization. This chapter provides various information that is required for installing and configuring the
solution.
During this preparation phase you may have to gather information regarding hardware and software
requirements; and how to manage the passwords of the privilege accounts.
Depending on your infrastructure, the decision for architecture and the Password Vault; where and how it will
be installed and configured and whether or not you want to manage it through the secured gateway sever will
be taken.
Further this chapter provides information you should review before installing.
ARCON Privilege Access Management. It discusses the following topics:
Pre-requisite for Infrastructure Requirement

4.1 Prerequisites: Infrastructure Requirement

Before installing the ARCON PAM application, you should read the ARCON PAM Set-up Pre-
requisite document to ensure that your environments meets the minimum installation requirement for the
ARCON PAM product.
Pre-requisite required for successful implementation is as follows:
• ARCON PAM Implementation Setup files
• Windows based Server with IIS for Application Server (EPAM).
• Windows based Server with SQL pre-installed for Password Vault Server (PVSL).
• UNIX based Server for Secure Gateway (SGS) - depending on the architecture finalized by the
organization.

4.2 Database Installation and Configuration

This chapter describes how to install MS SQL Server 2014 for ARCON Privilege Access Management.
This chapter discusses the following topics:
• SQL Server Setup Pre-requisites
• SQL Server Express Installation
• DB User Creation
• Folder Creation for database
• Database Creation, Restoration and Owner Assignment

4.2.1 Prerequisites: SQL Server Setup

Before installing the SQL Server Express edition, you should have the SQL Server Express edition setup file
with you. Also your environment should have the minimum installation requirement for MS SQL Server Express
edition.
4.2.2 SQL Server Express Installation
The SQL Server setup installs the below components which is required by the ARCON Privilege Access
Management.
• DOT NET Framework 3.5 SP1
• SQL Server support files

14
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
The below process shows how to install the SQL Server Express in Windows.
1. Double click the SQL Server Express setup file.
2. The SQL Server Installation Center window opens. On the right hand side, click on New SQL Server
stand-alone Installation or add features to an existing installation link.

3. The Microsoft Software License Terms page opens. To install the SQL Server Express edition, click on
checkbox I accept the license terms and accept the license terms.
4. Click on Next button.

15
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5. On Microsoft Update page, click checkbox Use Microsoft Update to check for updates (recommended).

 Important updates for Windows and other Microsoft software will get automatically updated.

6. Click Next button.

16
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

7. On the Feature Selection page, select all the below checkboxes for express features to get installed:
Instance Features
Database Engine Services
SQL Server Replication
8. Shared Features

• Client Tools Connectivity

• Client Tools Backward Compatibility
• Client Tools SDK
• Management Tools - Basic
Management Tools – Complete
• SQL Client Connectivity SDK
• LocalDB

Change the path of the Shared feature directory to E:\ drive and click Next button.

17
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

• On Feature Rules page, click on Show Details button to view the details and click Next button.
• On Instance Configuration page, select the default instance if there is only one instance running for the
SQL Server.
If there are more than one instance
Click Normal Instance radio button.
Create an instance called ARCON PAM. This instance id is specifically dedicated for ARCON
PAM database only.

 SQL Server name should not be more than 15 characters.

Click Next button.

• On Server Configuration page,

Service Accounts tab - change the startup type of SQL Server Database Engine service
to Automatic.
Collation tab - keep the default settings and click Next button.

18
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

• On Database Engine Configuration page, on Account Provisioning tab, on Authentication Mode.

Windows authentication mode: uses domain username and password for authentication.
Mixed Mode (SQL Server Authentication and Windows authentication): uses SQL Server super
username and password for authentication and to create and manage multiple users.

 If Mixed Mode is not selected then the administrator will not be able to login into the
arcossqladmin which is the SQL user for the ARCOS database application.

• Select the Mixed Mode for authentication. The Specify the password for the SQL Server system
administrator (sa) account will get active.
Enter the password for the ‘SA’ account which is the internal SQL Administrator account.
Enter the same SA password on theConfirm Passwordfield.

 You should use complex password for the SA account.

To specify the SQL Server Administrator, click Add Current User to login with the Default
windows user.
Click on Add button, to add admin and user for the SQL Server.
arcossqladmin\Domain as admin
arcossqladmin\SQL2008R2Serviceas User
Click Data Directory tab, change the Data root directory to any specific drive e.g. E:\drive.
Create ARCON PAM folder on the specified drive i.e. E drive and update the location to specified
drive i.e. E:\ARCOS.

19
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

 We recommend you not to store data on the C drive even you have plenty of space.
When you change the Data root directory the Temp DB directory is also changed.

Change the User database directory to E:\ARCON Solutions\ARCOS Database

Change the Backup directory to E:\ARCON Solutions\ARCOS Backup
No changes are required on the FILESTREAM tab.
Click Next button.

• On Feature Configuration Rules page, click the Show Details button. The status of all the rules
applicable is changed to Passed status. Click Next button.
• On Installation Progress page, you can see the progress of your SQL Server installation.

 The installation will take approximately 20 minutes depending on the performance of your
machine.

20
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

• Once the SQL Server setup is complete, restart the system/computer.

21
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.2.3 DB User Creation and Assign Permission

This section provides information about creating a SQL database user for ARCON PAM database application.
Use the following steps to create and assign privileges to DB user i.e. arcossqladmin:
1. Login to SQL Server with the default Windows authentication instance or ‘SA’ instance which we
created using Mixed Mode authentication while configuring the database engine. The Microsoft SQL
Server Management Studio application opens.
2. On the left hand side, on Object Explorer pane, click on the + sign of Security.
3. Right click on Logins and click on New Login option. The New Login window opens.
4. On the General option, set the following details:
Enter the Login name as arcossqladmin.
Click on the SQL Server authentication radio button.
Enter complex Password for the user.
Click on the SQL Server authentication radio button.
Uncheck the Ensure password policy checkbox.
5. Click on the Server Roles option to set the privileges for arcossqladmin use
Check the public and sysadmin Server roles checkbox.
6. Click on the Status option, to set the below parameters.
Permission to connect database engine: click on Grant radio button
Login: Click on Enabled radio button
7. Click OK button.

4.2.4 Folder Creation for database and Log files

This section provides information about what is database, types of database files i.e. Log Data File (LDF) and
Meta Data File (MDF) files and to create database folder for ARCON PAM (ARCOSDB and ARCOSRDPDB).
4.2.4.1 Database
When any database is created, two files are generated, namely Meta Data File (MDF) and Log Data File
(LDF). The MDF and the LDF are the standard formats of SQL to store the data.
The MDF is a primary master data and is important in the SQL database, the LDF is the log data.
4.2.4.1.1 Log Data File (LDF)

Log data is used for the transaction purpose, as it is a temporary memory. The LDF file is used only when
performing the recovery of the database. When performing the update or delete process, it holds the data in
the temporary LDF file. So, even if the LDF file is deleted, it won’t have much effect on data. If a new blank LDF
file is created, it will work and the data will not be lost.
When any database is configured, there are three types of recovery modes in SQL –
• Full
• Simple.
• Bulk-Logged

Full Mode: In the full mode, the data can be recovered because it stores the temporary data in the LDF file.
From the LDF file, the deleted data can be recovered up to a certain extent only.
If you configure database in full recovery mode, then only clustering and mirroring can be configured.
To configure clustering and mirroring, the full recovery mode should be enabled.

22
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

 If the full recovery mode has not been configured, clustering and the mirroring cannot take place.

Simple Mode: In the simple mode, there is no recovery; you cannot recover any loss of data from the LDF.

Bulk Logged Mode: The bulk-logged recovery model is a special-purpose recovery model that should be used
only intermittently to improve the performance of certain large-scale bulk operations, such as bulk imports of
large amounts of data. Much of the description of backup under the full recovery model also applies to the bulk-
logged recovery model. This topic looks only at considerations that are unique to the bulk-logged recovery
model.

 By default, ARCOSDB should be in a full recovery mode. For the ARCOSRDPDB, if the database is
kept in full recovery mode, the database will grow rapidly. Hence, it is recommended to keep in simple
mode.

4.2.4.1.1.1 Create DB Folder for Database (.mdf) and Log (.ldf) files

Use the following steps to create folder for database (.mdf) and log (.ldf) files.
1. Click Start button on Windows.
2. Double click on My Computer. The My Computer window opens. Double click on the Drive for e.g. E
drive.
3. Click on the New Folder option and create below two folders:
<:\Drive> ARCON Solutions\ARCOS Database\ARCOSDB
<:\Drive> ARCON Solutions\ARCOS Database\ARCOSRDPDB

In a real scenario, the two database folders created for ARCON PAM may not be on the same drive of the
server, but for the performance improvement it is advised to install and configure two databases on two
different drives.
4.2.5 Database Creation, Restoration and Owner Assignment
This section provides information about database creation, restoration and assign ownership to the ARCON
PAM database.
In ARCON PAM application two database ARCOSDB and ARCOSRDPDB are created.
4.2.5.1 ARCOSDB
The ARCOSDB database contains the actual data of the application. If there are multiple database on the
database server the ARCOSDB folder should be given the ownership and should be given the Full recovery
mode.
4.2.5.2 ARCOSRDPDB
When configuring the ARCOSRDPDB, make sure to configure the database in simple mode, so that the LDF file
does not increases in size. When performing Insert, the MDF will grow and the LDF will not have any impact.
Video logs are stored in ARCOSRDPDB database for temporary period. The video logs are captured for every
action which takes place for each minute and second on the server. As the Log Manager Service archives or
removes the data from ARCOSRDPDB database hence, this database is always in use.
When the ARCOSRDPDB is configured for multiple drives, we recommend you to configure both the databases
on multiple drives.

23
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
For example, the client provides a server of 500 GB and it is partitioned as follows: C drive is given 100GB and
the remaining 400GB is divided into 200GB and 200GB or 100GB and 300GB. We recommend you to have at
least 100GB space for ARCOSRDPDB database. If the Log Manager Service fails and you cannot recognize the
Log Manager Service for 1 to 3 weeks it will increase the database size.
When configuring the ARCOSRDPDB, configure it in such a way that such a disaster should not occur and even
if it does happens, it should be manageable only in the production environment.
When the application is moved to DR, it means production environment is not available.
If there is an application issue or if you have moved to DR, it means that the production has failed. If it is an
infrastructure issue, this needs to be checked with the infra team. If it is an application or configuration issue
and the drive size is not configured properly, the application goes down. Due to which the given application
cannot be accessed and this will be considered as a disaster.
When configuring the application, there should be sufficient drive space for ARCOSDB and ARCOSRDPDB. It
is not necessary, if there are only 10 users. However, if the organization has more than 1000 users, then
consider a scenario for may be 6 months or 1 year down the line. If there is a space, it means, that the
infrastructure is available for ARCON PAM and there are chances of growing it.
When configuring the RDP DB check if the disk space is available, at least 100 GB should be dedicated for the
ARCOSRDPDB, even if it is not used, For example, for 300 GB drive create 100 GB for D drive and 200 GB for
ARCOSRDPDB.
When configuring or providing the prerequisite for ARCON PAM implementation, ensure to have a separate
drive for the log or the video log, images or video files.
The separate drive may not be on the same server or on the physical drive. It can be a SAN storage type. There
is a separate drive mapped to the system, which means the logs are separate. For a given hardware drive, hard
disk or physical drive, you can utilize these drives in the database configurations or for the database files.
The program files are created for the services. Do not install the services on the C drive, as according to most of
the organization policies, it is recommended not to install application or EXE’s on the C drive as all the Windows
operating systems files are present in this drive.
For example: If the Windows or any Operating System crashes the Administrator will format the C drive. If the
application or the database is present in the C drive during formatting it will be lost. Hence you should always
install SQL or any other EXE or components, in other drives.
4.2.5.3 Create Database
This section provides information about how to create ARCOSDB and ARCOSRDPDB database.
4.2.5.3.1 Create ARCOSDB database

Use the following steps to create database (ARCOSDB) for the new user (arcossqladmin).
1. Login to SQL Management studio with the newly created User ID (arcossqladmin).
2. On the left hand side, on Object Explorer pane, right click on Databases option and select New
Database, New Database window opens.
3. Enter the Database Name as ARCOSDB.
4. On the Database file area, horizontal scroll till the Path column.
5. On the Path column, click on the ellipse button and change the path of ‘ARCOSDB_DATA and
‘ARCOSDB_LOG’ file to ARCOS Database folder present in ARCON Solutions i.e.<:\Drive> ARCON
Solutions\ARCOS Database\ARCOSDB

 Select the path of the folders which you have created in Create DB Folder for Database (.mdf)
and Log (.ldf) files.

24
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

6. Click OK button.

4.2.5.3.2 Create ARCOSRDPDB database

For creating ARCOSRDPDB folder repeat the steps 2- 5 of Create ARCOSDB database.

 You should give the folder name as ARCOSRDPDB instead of ARCOSDB.

4.2.5.4 Database Restore

This section provides information about how to restore the blank database of ARCON PAM on specified drive.
The backup database is the blank file.
During restoring ARCON PAM application do not select the database other than ARCOSDB and
ARCOSRDPDB and the physical path should be assigned properly.
4.2.5.4.1 Restore template ARCOSDB from setup files

This section helps you to restore ARCOSDB template from ARCON PAM setup files.
Use following steps to restore ARCOSDB template from ARCON PAM setup files:
1. On the left hand side, on Object Explorer pane, click on + sign of Databases option and right click
on ARCOSDB database > Tasks > Restore > Database. The Restore Database window opens.

25
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

2. On the left hand side pane, click on the General option, set the following details:
Source: Click on Device radio button.
Database: Select ARCOSDB from the drop down list.
Click on the ellipse button above the ARCOSDB selected and select the template database
present in the ARCON PAM setup file i.e. ARCOSDB_Backup_Blank.

26
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3. On the Restore plan, check the Restore checkbox to set the backup to restore.
4. On the left hand side pane, click on the Files option to map the database file i.e. ARCONDB to .mdf
and .ldf files.
5. Click on the ellipse of Restore As column and map the data and log files
ARCONDB_Data: Map it to the .mdf file present in the ARCON Solution>ARCOS Database >
ARCOSDB >ARCOSDB.mdf.
ARCONDB_Log: Map it to the .ldf file present in the ARCON Solution >ARCOS Database >
ARCOSDB >ARCOSDB.ldf.

27
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

6. On the left hand side pane, click on the Options option, in the Restore Options, check the
checkbox Overwrite the existing database (WITH REPLACE).
7. Click OK button.

28
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

8. Wait for few minute for the database ‘ARCOSDB’ to get restored.
9. A pop window ‘Database ARCOSDB restored successfully’ opens.
10. Click OK button.

4.2.5.4.2 Restore template ARCOSRDPDB from setup files

Right click on ARCOSRDPDB folder and repeat the steps from 1-4 from above process i.e. Restore template
ARCOSDB from ARCON PAM setup files.

 Map the ARCOSRDPDB_Data folder to ARCOSRDPDB.mdf and ARCOSRDPDB_Log folder

to ARCOSRDPDB.ldf

4.2.5.5 Database Ownership and Recovery

This section provides information about how to create ownership and recover the ARCON PAM database.
4.2.5.5.1 Ownership and Recovery mode for ARCOSDB

Use the following steps to set the ownership and recovery mode of ARCOSDB to Full.
1. Right click the ARCOSDB folder, click Properties, Database Properties window opens.
2. On the left hand side pane Select a page, click the Files option.
3. On the right hand side, in Owner field enter arcossqladmin.

29
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4. On the left hand side pane Select a page, click the Options option.
5. On the right hand side, for Recovery model select Full from the dropdown list.
6. Click OK button.

4.2.5.5.2 Recovery mode for ARCOSRDPDB

Use the following steps to set the recovery mode of ARCOSRDPDB to simple.
1. Right click the ARCOSRDPDB folder, click on Properties, Database Properties window opens.
2. On the left hand side pane Select a page, click on the Options option.
3. On the right hand side, for Recovery model select Simple from the drop down list.

 The bulk log is a middle type of recovery mode, which is in between the full mode and simple
mode. The bulk log is not recommended from Microsoft. So, select the full mode or the simple
mode.

4. Click OK button.

30
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.2.5.6 Assign Database Role to New User (arcossqladmin)

This section provides information about how to assign roles and privileges to new user (arcossqladmin).
Use the following steps to assign database role to new user (arcossqladmin).
1. On the left hand side, on Object Explorer pane, click on + sign of Security option, click on + sign of Logins
option. You will see the various users created.
2. Right click on new user created (arcossqladmin) and click Properties. The Login Property –
arcossqladmin opens.
3. On the left hand side pane, click on the User Mapping option, set the following details.
Users mapped to this login table, check the checkbox for ARCOSDB database. The Database role
membership for ARCOSDB area will get active. Check the checkbox and select the following roles
for the ARCOSDB.
db_datareader
db_datawriter
db_dlladmin
db_owner
public – default selected

Users mapped to this login table, check the checkbox for ARCOSRDPDB database. The Database
role membership for ARCOSRDPDB area will get active. Check the checkbox and select the
following roles for the ARCOSRDPDB.

31
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
db_datareader
db_datawriter
db_dlladmin
db_owner
public – default selected
4. Click OK button.

4.3 Web Component Configuration

This chapter describes how to configure various web components on Windows Server 2008.
This chapter discusses the following topics:
• Enable IIS Server on Web Server (Windows Only)
• Install Frameworks and Controls
• Configure ARCON PAM Client Manager
• Import SSL Certificate for ARCON PAM Client Manager
• Assign SSL Certificate
• Configure Video Log Viewer Web Configuration
• DB Settings Creation
• Settings Deployment
• License / Domain Creation
• Video Log Viewer Web Configuration

32
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.3.1 Install Frameworks and Controls

.Net Framework and other Windows Components are required to be installed on all the ARCON PAM Solution
Servers.
Follow the below mentioned steps to install Framework and Controls:
• Opens Windows Server Manager.
• In Dashboard, Click on Add roles and Features
• Click Next.
• Select Role-based or feature-based installation radio button and Click Next.
• Select Select a server from the server pool radio button and click Next.
• Click Next.
• Select .NET Framework 3.5 Features, .NET Framework 4.5, Telnet Client checkboxes.
• Select Desktop Experience from User Interfaces and Infrastructure checkbox and Click Next.
• Click Install.
• Click Finish.

 Server Reboot is required.

4.3.2 Enable IIS Server on Web Server (Windows Only)

If you are installing ARCON PAM Privilege Identity Management on Windows Server 2012 and above, it’s
necessary to enable the IIS Server. The below procedure shows how to enable IIS Server on Windows Server
2012 and above.
To enable IIS on Web Server that is running on Windows Server 2012 or above:
• Opens Windows Server Manager.
• In Dashboard, Click on Add roles and Features.
• Click Next.
• Select Role-based or feature-based installation radio button and Click Next.
• Select Select a server from the server pool radio button and click Next.
• Select Web Server (IIS) checkbox and click Next.
• Click Next.
• Select all the options of IIS except FTP and click Next.
• Click Install.
• Click Finish.

 Server Reboot is recommended.

4.3.3 Configure ARCON PAM Client Manager

This section provides information about how to configure ARCON PAM Client Manager on IIS Manager, import
or create or assign SSL certificate, assign Application Pool settings and test the web component is configured
properly on browser.
Use the following steps to configure ARCON PAM Client Manager:
1. Create ARCONClientManager Online folder on ARCON Solutions path
e.g. :\ARCON Solutions\ARCOSClientManagerOnline
2. Copy the ARCOSClientManagerOnline zip file from the ARCOS setup folder to the above drive location
created i.e. <Drive>:\ARCON Solutions\ARCOSClientManagerOnline
3. Unzip the ARCOSClientManagerOnline file.

33
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
4. GotoStart button and type run.
5. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
6. Click on the arrow sign of your <server name>.
7. Right click on the Sites and click on Add Web Site.
8. Enter the following details on the Add Web Site window:
Site Name: ARCOSClientManagerOnline
Physical Path: Select the path of where the ARCONClientManager folder is created.
e.g. :\ARCON Solutions\ARCOSClientManagerOnline
Type: https
Port: 443
9. Click OK button.

 Install Certificate if applicable.

4.3.3.1 Import SSL Certificate for ARCON PAM Client Manager

This topic provides information about how to Import SSL Certificate for ARCON PAM Client Manager provided
by the client.
Use the following steps to import certificate for ARCOSClientManagerOnline:
1. Goto Start button and type run.
2. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
3. Click on the arrow sign of your <server name>.
4. Double click on the Server Certificate icon. The Internet Information Services (IIS) Manager window
opens.
5. On right hand side Actions pane, click Import link. The Import Certificate window opens.
6. Click on ellipse button of Certificate file (.pfx) and select the path of the certificate from the directory.
7. Enter the Password.
8. Click OK button. The certificate imported is displayed on the Server Certificate page.

4.3.3.2 Assign SSL Certificate to ARCON PAM Client Manager

This topic provides information about how to assign self-signed certificate to ARCON PAM Client Manager.
Use the following steps to assign self-signed or SSL certificate to ARCOSClientManagerOnline:
1. On Internet Information Services (IIS) Manager window, on the left hand side Connection pane, click
on Sites.
2. In Run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
3. Click on the arrow sign of Sites, click ARCOSClientManagerOnline icon.
4. Double click on SSL Settings icon.
5. On SSL Settings page, click on Require SSL checkbox.
6. On Client Certificate: click on Accept radio button.
7. On right hand side Actions pane, click Apply link.
8. The Alerts ‘The changes have been successfully saved’ pops up.

4.3.3.3 Application Pool Setting for ARCON PAM Client Manager

This topic provides information about how to configure Application Pool for ARCON PAM Client Manager.
Application Pool
Application Pool is a logical grouping of web application that executes in a common process. It is the heart of
the website. It enables to isolate the web application for better security, reliability, and availability and
performance and help the web application to keep running without impacting each other. The worker process

34
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
serves as the process boundary that separates each application pool so that when one worker process or
application is having an issue or recycles, other applications or worker processes are not affected. One
Application Pool can have multiple worker process.
For example, if you wanted every web application to execute in a separate process you have to create an
application pool for each web application or in other words it is a group of one or more url’s that are served by a
worker process or a set of worker processes.
Use the following steps to assign application pool settings to ARCOSClientManagerOnline component.
1. Go to Start button and type Run.
2. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
3. On the left hand side pane, click on Application Pool. Application Pool page opens in middle.
4. Click on ARCOSClientManagerOnline on the Application Pool pane.
5. On the right hand side Actions pane, click on Basic Settings in Edit Application Pool window opens.
6. For .NET Framework version select .NET Framework v2.0 from the drop down list.

 In Windows 2012, default pool is set to 4.0 change it to 2.0 as the ARCON PAM application is
developed on .NET Framework version 2.0

7. On the right-hand side Actions pane, click on Advanced Settings. The Advanced Settings window opens.

• Enable 32 bit Applications: False

If this setting is set to True, it enables the 32-bit application to run on a 64-bit machine.
• Load User Profile: True

Load User Profile is used to isolate the web application. For example when this option is set to
False (the user profile is not loaded) the application will use the c:\windows\temp folder as its
temporary directory. If you have other application pools still they will use the same c:
\windows\temp folder.
If you set the option to True the load user profile temporary directory will change from windows
temporary folder to user profile’s temporary folder i.e. C:
\Users\apppooluserid\AppData\Local\Temp.

35
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

8. Click OK button.
4.3.3.4 Database (DB) Settings Creations
This section provides information about how to create DB settings for ARCON PAM Client Manager.
Use the following steps to create DB settings for ARCON PAM Client Manager:
1. Goto <Drive>:\ARCON Solutions\ARCOSClientManagerOnline\DBSetting folder.
2. Double click on ‘ARCOSDBSettingCreator.exe’ file.
3. The ARCON PAM Database DBSettings.ini File Creator window opens. Enter the following details:
Connection Details (Primary)
Server IP– address where Database is located
Server Port– port on which the ARCON PAM Database will listen (Default port is - 1433)
Server Name– name of the server / IP address
User Name– ARCON PAM Database name
User Password– ARCON PAM database password
4. Click on Generate ini File button, to generate the ini file. The DBSetting.ini file is generated inside the
DBSetting folder.

36
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.3.3.5 Test ARCON PAM Client Manager component on IE Browser

This topic provides information about how to test ARCON PAM Client Manager Online component on Internet
Explorer.
Use the following steps to test ARCOSClientManagerOnline component on IE browser.
1. On IIS Manager window.
2. On the left hand side pane, right click on ARCOSClientManagerOnline \Manage Web Site\ Browse.

37
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
3. The Client Manager web page opens on Internet Explorer as seen below.

4.3.4 Settings Deployment

This document will guide you through the steps involved in deployment for the ARCON Privileged Access
Management (PAM) Settings. The following steps are to be followed for the successful deployment of ARCON
PAM Settings in your environment.
4.3.4.1 Pre-requisites
Before installing the ARCON PAM Settings, you should check the points enlisted below to ensure that your
environments meets the minimum installation requirement for the ARCON PAM Settings.
Pre-requisite required for successful implementation is as follows:
• ARCON PAM AdminSettings package
• Windows based Server with IIS for Application Server (EPAM).
• NET Core Hosting Bundle version 2.2.6.
• VC++ 2015 redistributable x64 and x86 (Both)
• rewrite_amd64.msi

4.3.4.1.1 Install Dependencies

The following dependencies are to be checked and installed if not present already.
41 IIS Features
NET Core Hosting Bundle version 2.2.6.
Install VC++ 2015 redistributable x64 and x86 (Both)
rewrite_amd64.msi

 Self Signed Certificate is not supported.

38
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
4.3.4.2 Deployment Steps
4.3.4.2.1 Deploy AdminSettings package

This section provides information about how to configure ARCON PAM Settings on IIS Manager.
Use the following steps to configure ARCON Settings:
1. Create AdminSettingsfolder on ARCON Solutions path e.g. <Drive>:\ARCON Solutions\AdminSettings
2. Copy the AdminSettings.zip and unzip files to the above drive location created. <Drive>:\ARCON
Solutions\AdminSettings
3. Unzip the AdminSettings
4. Kindly check for the AdminAPI folder e.g. <Drive>:\ARCON Solutions\AdminSettings, everyone has the
permission at the folder level.
0

0
5. Inside AdminSettings folder, we will have AdminUI folder and AdminAPI folder
0

39
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

0
4.3.4.2.2 Add Application in ARCOSClientManagerOnline

This section provides information about how to add application in the already hosted site on IIS Manager.
If Using SSL certificate
ARCOSClientManagerOnline Site host name should not be blank and if using SSL certificate, use the
certificate name as the Host Name as shown below.
0

0
And the same should be updated on the Host file c:\windows\system32\drivers\etc\hosts

40
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.3.4.2.3 ARCON PAM AdminUI

This section provides information about how to add ARCON PAM Settings Admin UI application in
ARCOSClientManagerOnline on IIS Manager.
Use the following steps to add a new Application Pool for AdminUI.0
1. Goto Start button and type run.
2. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
3. On the left pane, click on Application Pool.
4. Select Add Application Pool.
0

0
5. Enter the following details.

41
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
a. Name: AdminUI
b. The .NET CLR version should be set to No Managed Code.
0

0
6. Enable the checkbox Start application pool immediately.
7. Click OK.
8. Add a new application for AdminUI under the ARCOSClientManagerOnline
a. Right-click on the website hosted for UI.
b. Select Add Application…
0

42
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

0
9. Enter the following details on the Add application window:
a. Alias:AdminUI
b. Physical Path:Selectthe path of where the AdminUI folder is created.
c. Select application pool as AdminUI
d. The Application Pool should be the same as the name of the Application Pool created for .Net
Core. (In this case: AdminUI)
0

0
10. Click on OK.

ARCON PAM Admin API

This section provides information about how to add ARCON PAM Settings Admin API application in
ARCOSClientManagerOnline on IIS Manager.
Use the following steps to add a new Application Pool for AdminAPI.
1. Go to Start button and type Run.

43
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
2. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
3. On the left pane, click on Application Pool.
4. Select Add Application Pool.
0

0
5. Enter the following details. The .NET CLR version should be set to No Managed Code.
0

0
6. Enable the checkbox Start application pool immediately.

7. Click OK button.

8. Add a new application for Web API under the ARCOSClientManagerOnline website. Right-click on the
website hosted for UI. Select Add Application…
00

44
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

0
9. Enter the following details on the Add application window:
a. Alias:AdminAPI
b. Physical Path:Select the path of where the AdminAPI folder is created.
c. Select application pool as AdminAPI

 The Application Pool should be the same as the name of the Application Pool created
for .Net Core. (In this case: AdminAPI)

45
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

0
10. Click on OK.
0
Hosting AdminAPI inside AdminUI

4.3.4.3 Configuration
4.3.4.3.1 AdminUI Configuration

• In the settings assets folder (\AdminUI\assets), in file config.json, update the value parameter of
“baseUrl” to the Url on which WebAPI will be hosted in IIS(in this case: https://
testarcpamapp.testad.com/AdminAPI)

4.3.4.3.2 AdminAPI Configuration

• In AdminAPI’s folder (\AdminAPI), in appsettings.json, update the value parameter of “authUrl“ to the
Url on which WebAPI will be hosted in IIS (in this case: https://testarcpamapp.testad.com/AdminAPI)
• In AdminAPI’s folder (\AdminAPI), in appsettings.json, update the value parameter of “UiUrl“ to the Url
on which the settings UI will be hosted in IIS (in this case: https://testarcpamapp.testad.com/AdminUI/)
• In AdminAPI folder (\AdminAPI\DBSetting), open ARCOSDBSettingCreator.exe and
generate dbsetting.ini pointing to ARCOSDB

4.3.4.3.3 ARCOSClientManagerOnline Configuration

• In publish of ACMO → SAML folder → samlSPEntities.json → change the value of key:

ConsumerServiceUrl and TargetUrl ofEntityCode:”PAMAS”to the Url on which Web API is hosted. (In
this case:
ConsumerServiceUrl: https://testarcpamapp.testad.com/AdminAPI/api/SettingViewand
TargetUrl: https://testarcpamapp.testad.com/AdminUI)

46
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
Access the application through ACMO → Manager Tab → Settings.

 Only Administrators can assign the Settings privileges to the Users in the Server Manager. Once the
privilege is assigned, Users can see the settings tab in the ACMO.

4.3.5 Configure ARCON PAM User Access Log Viewer Web Component
This section provides information about how to configure ARCON PAM User Access Log Viewer Web, assign
Application Pool settings and test the web component configuration on browser.
ARCON PAM User Access Log Viewer Web or Video Log Viewer Web component is used to view the video log
captured by the ARCON PAM application. The Log Viewer Web folder is on the Vault Server (Database Server).
Basically in a scenario where there is only one sever all the web components are installed on that particular
server only.
In the actual implementation process, the App server is different from the Vault server.
Use the following steps to configure the ARCON PAM User Access Log Viewer Web component.
1. Create ARCOSUserAccessLogViewerWeb Online folder on ARCON Solutions path e.g. <Drive>:\ARCON
Solutions\ ARCOSUserAccessLogViewerWeb
2. Copy the ARCOSUserAccessLogViewerWeb zip file from the ARCOS setup folder to the above drive
location created i.e. <Drive>:\ARCON Solutions\ ARCOSUserAccessLogViewerWeb
3. Unzip the ARCOSUserAccessLogViewerWeb file.

 The video logs created will be stored in this folder therefore you should have sufficient space on
this drive (Minimum: 1 TB for High Quality files).

 The Server Administrator should have rights to enter into this path.

47
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4. Goto Start button and type run.

5. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
6. Click on the arrow sign of your <server name>.
7. Right click on the Sites and click on Add Web Site.
8. Enter the following details on the Add Web Site window:
Site Name: ARCOSUserAccessLogViewerWeb
Physical Path: Select the path of where the ARCOSUserAccessLogViewerWeb folder is created.
Site Type: http
IP Address: All Unassigned
Port: 8181
Click OK button.

48
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.3.5.1 Application Pool Setting for ARCON PAM User Access Log Viewer Web
This topic provides information about how to configure Application Pool for ARCON PAM User Access Log
Viewer Web component.
Use the following steps to assign application pool settings to ARCON PAM User Access Log Viewer Web
component.
1. Goto Start button and type run.
2. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
3. On the left hand side pane, click on Application Pool. Application Pool page opens in middle.
4. Click on ARCOSUserAccessLogViewerWeb on the Application Pool pane.
5. On the right hand side Actions pane, click on Basic Settings in Edit. Application Pool window opens.
6. For .NET Framework version select .NET Framework v2.0 from the dropdown list.

 In Windows 2012, default pool is set to 4.0 change it to 2.0 as the ARCON PAM application is
developed on .NET Framework version 2.0

7. On the right hand side Actions pane, click on Advanced Settings. Advanced Settings window opens.
Enable 32 bit Applications : True
This setting enables the 32-bit application to run on 64 bit machine.

49
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
Load User Profile: True
Load User Profile is used to isolate the web application. For example when this option is set to
False (the user profile is not loaded) the application will use the c:\windows\temp folder as its
temporary directory. If you have other application pools still they will use the same c:
\windows\temp folder.
If you set the option to True the load user profile temporary directory will change from windows
temporary folder to user profile’s temporary folder i.e. C:
\Users\apppooluserid\AppData\Local\Temp.

4.3.5.2 Test ARCON PAM User Access Log Viewer Web component on Browser
This topic provides information about how to test ARCON PAM User Access Log Viewer Web component on
Internet Explorer.
Use the following steps to Test ARCON PAM User Access Log Viewer Web on IE Browser:
1. On IIS Manager window, on the left hand side pane, right click
on ARCOSUserAccessLogViewerWeb\Manage Web Site\ Browse.
2. The web page opens on Internet Explorer browser.

50
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.3.6 ARCON PAM API Component Configuration

This section provides information about how to configure ARCONPAMAPI, assign Application Pool settings
and test the web component configuration on browser.
ARCONPAMAPI component is used for 3rd Party integrations.
Use the following steps to configure the ARCONPAMAPI component.
• Create ARCONPAMAPI folder on ARCON Solutions path e.g. <Drive>:\ARCON
Solutions\ ARCONPAMAPI
• Copy the ARCONPAMAPI zip file from the ARCOS setup folder to the above drive location
created e. <Drive>:\ARCON Solutions\ ARCONPAMAPI
• Unzip the ARCONPAMAPI
• Goto Start button and type run.
• In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
• Click on the arrow sign of your <server name>.
• Right-click on the Sites and click on Add Web Site.
• Enter the following details on the Add Web Site window:
Site Name:ARCONPAMAPI
Physical Path:Select the path of where the ARCONPAMAPI folder is created.
Site Type: https
IP Address:All Unassigned
Port: 8444
Click OK
0

51
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.3.6.1 Database(DB) Settings Creations

This section provides information about how to create DB settings for ARCONPAMAPI.
Use the following steps to create DB settings for ARCONPAMAPI:
• Goto <Drive>:\ARCON Solutions\ ARCONPAMAPI\DBSetting
• Double click on ‘ARCOSDBSettingCreator.exe’
• The ARCON PAM Database DBSettings.ini File Creator window opens. Enter the following details:
Connection Details (Primary)
Server IP– Address where Database is located
Server Port– Port on which the ARCON PAM Database will listen (Default port is - 1433)

52
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
Server Name– Name of the server / IP address
User Name– ARCON PAM Database name
User Password– ARCON PAM database password

Click on Generate ini File button, to generate the ini file. The DBSetting.ini file is generated inside the
DBSetting folder.
0

0
4.3.7 License Registration and Login
This section provides information about license registration and login into ARCON PAM Server Manager.
4.3.7.1 ARCON PAM Server License Registration
If you are registering ARCON PAM for first time, then follow below steps on Application Server:
1. Goto Start button and type run.
2. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens.
3. Click on the arrow sign of your <server name>.
4. Click on the arrow sign of Sites.
5. Double click ARCOSClientManagerOnline.
6. On right hand side Actions pane, on Browse Web Site, click Browse *:443 (https) link.
7. ARCON PAM url https://localhost/ will open
8. Click Continue to this website (not recommended) link.

53
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
9. ARCON PAM License Registration screen pops-up.

A] Register Using License Key:

Enter the 25 digit key in the License Key (Enter the 25 digit key.) text boxes.
Select the validity dates in Valid From and Valid To fields.
OR
B] Register Using License Text:
Enter the alphanumeric text key in the License Text (Enter the alphanumeric text key.) text box.

 When you register using License Text, the license validity is auto updated in
backend.
The license key or license text will be provided by ARCON Team.

10. Click OK button. A message “Registration Key updated” window pops-up for successful registration.
11. Click OK button. The ARCON PAM Domain Registration screen pops-up.

 To register the domain read the Domain Creation chapter.

4.3.7.2 Domain Creation

In ARCON PAM the Administrator can create domain in two ways:
1. AD Integration (LDAP/ LDAP SSL)
2. ARCOSAUTH Local Repository Creation

4.3.7.2.1 AD Integration (LDAP or LDAP SSL)

This topic provides information about how to enter the domain details on the Domain Registration pop-up
window.

54
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
After entering the correct license key a Domain Registration window pops-up. The Administrator has to enter
the details of the domain. Domain created is an Active Directory domain through LDAP/LDAP SSL) protocol.

To configure Domain Registration through AD Integration (LDAP / LDAP SSL)

Use the following steps to enter the domain details on the Domain Registration pop-up window.
1. Enter the following details in ARCON PAM Domain Registration screen.
Enter the Domain Server name.
Enter the Domain Name.
Enter the Domain Extension e.g. COM, CO, etc.
Enter the Application Administration name. This Application Admin name is the first user to
enter in the ARCON PAM Server Manager with all the privileges.
Enter the Domain Password. This password is the password which you type when you enter into
your domain or standalone system.
Enter the Confirm Password.
Click on Finish button.

55
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

2. A message “Authentication Successful. Application will close now” window pops-up for successful
domain registration.

3. Click OK button. The ARCON PAM portal is seen on the computer screen.

4.3.7.2.2 ARCOSAUTH Local Repository Creation

The second way to create the domain is by running the SQL script at the backend which is provided by the
support team. The SQL script contains all the default ARCOSAUTH (Local Repository) domain configuration.
This topic provides information about how to create the domain by running the SQL script at the backend.
The first user created would be ARCOSADMIN and it will have all the privileges.
Use the following steps to create ARCOSAUTH Local Repository.
1. Open the SQL Server Management Studio.
2. Copy the script in the Query Analyzer.
3. Select the ARCOSDB database from the Available Database drop down list.
4. Click Execute. The query gets executed successfully and the local domain ARCOSAUTH is created.
5. Login into the ARCON PAM portal.

 The username and password for ARCOSAUTH domain will be provided by the support team.

4.3.7.2.3 ARCON PAM Portal Login

On successful domain registration, login into the ARCON PAM portal with the domain details you have entered
while registration of the ARCON PAM application.

56
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Follow below steps to login into the ARCON PAM portal or Server Manager.
1. Enter the User Name i.e. Application Admin or first username you have entered on the Domain
Registration window. This user has all the privileges of the server manager.
2. Enter the Password i.e. Domain Password name that you have entered on the Domain
Registration window.
3. The Domain name will get automatically selected for the first time.
4. Click on Login button, the ARCON PAM Server Manager application opens.

57
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.4 ARCON PAM Windows Components

ARCON DeskInsight:-
ARCON DeskInsight is used for managing Laptop/desktop password and connection between local systems.
0
ARCON DeskInsight Master:-
ARCON Deskinsight Master will provide you a full and accurate scan of all your network devices. Including
Windows and Desktops machines. If it's on your network and same OU in AD, this service can find it. Used to
fetch data from AD server.
0
ARCON Folder Sync Service:-
ARCON Folder Sync Service synchronizes data from source to destination server. This service can synchronize
video logs, text files, images, etc. after configured time interval. It is designed to save time setting up and
running backup jobs while having nice visual feedback along the way.
ARCON Folder Sync Service ARCON PAM Windows Component is used to Replicate Data in Folder from One
server to another.
0
ARCOS Alert Service:-
ARCOS Alert Service sends alerts as per the criteria or the requirement defined in the application ie whenever
a particular action is triggered or a condition is satisfied the alert is sent to the administrator.
0
ARCOS DB Sync Service:-
In ARCOS, there are multiple environments for redundancy. In some of the setups have SQL Express edition.
SQL Express edition does not support replication, mirroring or log shipping. In such cases, ARCON provides this
tool to overcome this challenge.
0
ARCOS Log Archiver Service:-
ARCOS Archival Service is installed on ARCOS Server* to archive video logs in playable Video Format. The logs
are converted and archived into viewable video formats for transfer / share or audit logging. Logs are stored
in .avi format and can be viewed using Windows Built-in Media Player. These logs can be retained for audit trail
and retention of data.
0
ARCOS Log Manager Service:-
ARCOS Log Manager Service Windows Component is used to convert Binary Video Logs in Database to
Encrypted Video Logs on Local Drive.
0
ARCOS PerfMonIT:-

58
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
This is to monitor the performance of ARCOS Servers. (ARCOS Server Performance Monitor). Windows
Component is used to Check HW/SW Details of Servers
0
ARCOS SIEM Connector Service:-
ARCOS SIEM Connector Service is an ARCON PAM Component which is used to send unencrypted Data to
Database Tables related to SIEM.
0
ARCOS SPC Service:-
ARCOS SPC Service is an ARCON PAM Windows Component which is used to change Password Automatically
(On a Schedule).
0
ARCOS VPC Service:-
ARCOS VPC Service is an ARCON PAM Windows Component which is used to change Password of Service
whose password has been viewed by User.
0
ARCOS Staging Log Sync Service:-
ARCOS Staging Log Sync Service is an ARCON PAM Windows Component which is used to send Video Logs
from Staging Server to Centralized Location.
0
ARCOS TS Plugin:-
ARCOS TS Plugin ARCON PAM Windows Component is used to restrict / elevate process on Target Windows
Device.
0
ARCON PAM Windows Vaulting Service
ARCON PAM Vaulting Service is used to perform following actions:
1. Privileged IDs password discovery.
2. Change password for Windows type of devices.

 WinPWD version has been updated and renamed as ARCON PAM Windows Vaulting Service

ARCOSADScannerService
This service is used to scan details of Active Directory and fetch User/ Device details.
ARCOSUserOnboardingService
This service is used to auto onboard or deboard users/ devices. These users and device details are scanned from
Active Directory, using ARCOSADScannerService.
4.4.1 ARCON Auto Healing Service
4.4.1.1 Overview
Auto Healing is the process of automatically changing passwords for services using privileged accounts in case
of password failure. Auto healing shall be attempted for all Password change Processes such as Manual, SPC,
and VPC.
Password Reconciliation is a process used to analyze failed scheduled passwords and auto-heal them on both
ARCON PAM and the target server. The reconciliation process compares the passwords in Vault and the target
system repository determines the difference between the two repositories and applies the latest changes on
the servers.

4.4.1.1.1 Pre-requisites

.net Framework 4.7.2 version needs to be installed.

59
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
4.4.1.2 Installation
To install the ARCON Auto Healing Service, follow the steps below:
1. Right-click on the ARCONAutoHealingSetup.msi file and click Install.

2. Click on the Next button in the ARCON Auto Healing Service Setup Wizard screen to process the setup.

3. Click on the Browse button to select the installation folder. Select the radio button Everyone (applicable for
anyone using this system) or Just me (applicable for the logged-in user) and then click on the Next button to
confirm the setting.

60
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4. Click on the Next button to start the installation.

61
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

62
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5. Click on the Close button as the installation has been completed successfully on the system.

6. You can view the service running using the following path:
Run → services.msc → ARCON Auto Healing Service

 Copy DB Settings from ACMO folder to all installed service folders for services to run/start.

4.4.1.2.1 Configuring the ARCON Auto Healing Service

Upon successful installation, configure the ARCON Auto Healing Service following the steps below:
1. Navigate to the ARCON Auto Healing Service and open the autohealconfig.ini file in Notepad.

63
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

2. Define configurations in the autohealconfig.ini file referring to the following table.

64
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

ServiceInterval 60000 Service Interval time for the service log.

The service interval is configured in
milliseconds.
For example: 60,000 milliseconds is equal
to 1 minute.

IsUserNameAfterPassword false This config is used for appending username

after password (used for password change
process of linux domain id’s)
Configurable value : true/false

65
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

UserGatewayServerForPWDChange true Set this value as 'true' to change the

password through gateway server

SSHConnectionTimeout 60 In Seconds specify the time after which

ARCON PAM should timeout the SSH
Connection

IsEnforceSUSEForPWDChange false Override password change tags through

suse.
Configurable value : true/false

IsEnforceToRestartService false Allow self restart of service

Configurable value : true/false

ResatrtServiceIntervalInDays 1 Restart service after 'n' configured days

ResatrtServiceByTime 2 Restart service after ’n' configured hrs

NewSecureGatewaywithlatestChiphers true This config is used for checking ciphers

while connection to gateway server.
Configurable value : true/false

StartEndTime 00:00~00:00 This config is used for setting the time for
the password change process by ARCON
Auto Healing service.
Eg- 00:00~06:00
The above config would allow password
change from 00:00 hrs to 06:00 hrs.

DefaultLOBs DEFAULT LOB 1 This config is used for allowing ARCON

Auto Healing Service to run for all /
particular LOB
Configurable value : NA for All LOB
Configurable value : LOB/LOB’s name
(comma separated)

ShowDebugLogs true This config is used for allowing ARCON

Auto Healing Service to store logs in event
viewer.
Configurable value : true/false

66
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

StartEndDate Eg- 1~31 This config is used for setting the date for
the password change process by ARCON
Auto Healing Service.
Eg- 1~15
The above config would allow password
change from 1st day of month to 15th day
of month.

ServiceName ARCON AH Service Installed Service Name should be same

3. Click File → Save to save the configurations.

4.4.2 ARCON WinVaulting Service
4.4.2.1 Overview
ARCON PAM WinVaulting Service is used to perform the following actions:
• Privileged IDs password discovery.
• Change the password for Windows type of devices.

 WinPWD version has been updated and renamed as ARCON PAM WinVaulting Service.

The Windows password change service is required on the Windows server to perform the password change.
ARCOS does not have any other agent other than Windows password change service for the password change
of Windows account. Otherwise, no agent is required on UNIX, Windows, or Oracle. The agent is required only
for Windows if the given server is in the workgroup. If a server is on the domain, only one server is required
with this service. One can install a domain controller or an active directory. Do not install it on the Windows
server, which is in the active directory. If a server is in the workgroup, this service is required. This works on a
45045 port that is defined and already documented. Hence, the scheduled password causes this service. When
using Windows, it is connected to the Windows password change service. If it is a domain controller based or
the domain-based account or the local account of the server, which is in a domain, the Windows password
change service is not required.
In ARCOS, one can configure the settings for using the centralized password change service or the distributed
service. Every server has its own password change service irrespective of the server being in the domain. One
can configure it in ARCOS, whether there is a centralized service or an individual service.
There could be multiple domains, as one of the clients has eight domains in their environment. Each domain is
completely isolated from each individual domain. There are eight centralized password change services that are
configured. Every domain has a different password change service server that can be configured in ARCOS.
Whenever ARCOS tries to change the password of the domain account, it connects to the respective
centralized password change service. The centralized password change service is the same service and it is
called a centralized Windows password change service. This service is installed only on the target device.
If it is a centralized implementation on one server in a workgroup, then every workgroup server is required.
This service is also required on all the servers in ARCOS when performing the performance monitoring for the
application and database vault. This service is required when the gateways server is Windows. It is, however,
not required when the gateway server is UNIX. This can only be installed on Windows servers, as this is a
Windows-based application. To perform the performance monitoring, the Windows password change service

67
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
should be installed on the application server and on the vault server. The performance monitoring service
connects only to this service.
There are two components of the Windows password change service, scheduled password change service and
performance monitoring. It is not necessary that there should be only one centralized password change service.
Single and multiple options are available besides the centralized password change service. Depending upon the
domain, ARCOS recognizes the domain and connects to the particular IP port. These ports should be opened
from the vault servers. Earlier, there was a requirement of the direct port for the password change of Windows,
but now it is not required. ARCOS uses a secure server if available. Initially, the 45045 port is required to be
opened from the desktop, but now it is not. One can open it from the gateway or secured server. ARCOS
connects to the secured server and then to the centralized password change service. The service is installed at
its location, as only port routing has changed. The UNIX password change connects to the UNIX server and
then it changes the password.
If this service is installed on the active directory and the particular servers are in the active directory, this
service is not required on all the servers, but only on one server. In ARCOS, one can change the password from
one domain controller to subsequent domain servers. If a given account is a domain-based account, it is on the
active directory. If it is a local account, the individual server has a local account. By default, every Windows
server has an administrator account that does not change. In any environment, one must have an administrator
account. A normal administrator account remains the same or it can be renamed.
The ARCON WinVaulting Service Port is static. In the future, one may need to configure some other ports for
different servers or the complete environment has to change. Hence, the ARCON WinVaulting Service Port is
configurable. This is a standard configuration that can be changed in case some performance tuning is required.
According to the database configuration, the services are in the back end. Hence, they are monitored
automatically. Here, the password change service provides all the details.
4.4.2.2 Prerequisites
• .net Framework 4.7.2 needs to be installed on the server. The server should be restarted post .net
installation.
• Install ARCON WinVaulting Service in ARCON App server/CPC/One of the Windows servers part of
the respective domain. The ARCON WinVaulting Service should run under a non-interactive Domain
Account (this service account should be set to Never Expire), which holds the right to change/reset
other privilege account passwords on the same domain. It should also have sufficient rights (Domain
Administrator rights) to be able to change/reset the password of Windows Local Administrator
accounts.

4.4.2.3 Installation
Installing the ARCON WinVaulting Service
To install the ARCON WinVaulting Service, follow the steps below:
1. The Product Team will share the WinVaultingServiceSetup.msi file.
2. Right-click on the WinVaultingServiceSetup.msi file and click Install. The installer wizard displays the
ARCONWinVaultingService being installed.

68
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3. You can view the ARCONWinVaultingService running using the following path:
Run → services.msc → ARCON Pam Windows Vaulting Service running

4.4.3 ARCOS Alert Service

4.4.3.1 Overview
In the ARCOS Alert Service, there is only one configuration file available. This service manages emailing,
dynamic reporting, schedulers, and so on. For example, to email a specific report to a specific user on a daily,
weekly, or monthly basis, the ARCOS Alert Service can be configured.
The ARCOS Alert Service also manages the workflows.
For example, if some users request passwords or device access, the ARCOS Alert Service monitors such
requests. It generates an email and sends it to the users based on the configuration.
If there are multiple application servers, one can have the server in the DMZ zone and the workflow manager to
perform approval mechanisms. For this multiple links can be configured. It provides different links for different
servers and IP addresses through email.
Different functionalities of the ARCOS Alert Service are as follows:
• Sending alerts
• Sending alert notification emails
• Sending password requests
• Sending notification emails
• Sending service request emails
• Sending passwords on requested time

69
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
• Scheduling reports

Consider the scenario below for sending the password at the requested time:
Scenario: If a password is requested for the next day at 5 P.M., the password will be approved and sent at the
requested time.
Consider that an organization has multiple data centers at different locations in India – Mumbai, Delhi,
Bangalore and Chennai. However, the administrators are not spread across all these centers. Now, User A
requests the password for the XYZ server and the server requires approval from User B. This service detects
the password requestor i.e. User A, drafts an email, and then sends it to User B. User B proceeds for the further
actions. In such a case, the ARCOS Alert Service performs the password release based on the time. If a
password is requested on the next day at 12 P.M., this service approves the password on the same day but
releases the password only at the requested time. It always sends the password in the ARCOS mailbox and not
in the email account of the requestor. In ARCOS, each user has a separate mailbox.
4.4.3.2 Prerequisites
.net Framework 4.7.2 version needs to be installed.
4.4.3.3 Installation
Firstly, the ARCOS Alert Service must be installed and then configure the following fields:
• Service Interval
• Mail Subject Prefix
• Mail CC
• Mail Footer
• ARCOS ACMO URL

4.4.3.3.1 Installing the ARCOS Alert Service

To install the ARCOS Alert Service, follow the steps below:

1. Right-click on the ARCOSAlertServiceSetup.msi file, the following options as in the below image will be
displayed. Click Install.

2. If the application has never been installed before, then the following screen shall appear. Click Next.

70
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3. Browse and select the installation path where you want to install the file.

 • Recommended folder path - X:\ARCON_Solutions\ARCON_Program_Files\ARCOS Alert

Service\
• Here ‘X' denotes the drive where ARCON’s ancillary services will be installed

71
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4. Click Next. The installer is ready to install ARCOS Alert Service on your computer.

72
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
5. Click Next to start the installation.
6. Once ARCOS Alert Service is successfully installed, click Close.

7. You can view the ARCOS Alert Service running using the following path:
Run → services.msc → ARCOS Alert Service running

 Copy DB Settings from ACMO folder to all installed service folders for services to run/start.

4.4.3.3.2 Configuring the ARCOS Alert Service

Upon successful installation, configure the ARCOS Alert Service following the steps below:
1. Navigate to the ARCOS Alert Service folder and open the alertconfig.ini file in Notepad.

2. Define configurations in the alertconfig.ini file referring to the following table.

73
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

ServiceInterval 60000 Service Interval time for the service log. The
service interval is configured in milliseconds.
For example: 60,000 milliseconds is equal to
1 minute.

MailSubjectPrefix
ARCON PAM Alert The mail subject prefix is available only when
it runs alerts. Otherwise, the prefixes are not
applicable. The Mail Subject Prefix service is
responsible for sending emails for every
activity that is performed on the email level. If
an email is not received properly even after
the successful configuration of this service, it
means the ARCOS Alert Service is not
working properly.

74
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

MailCC Leave it blank The default value for the Mail CC

configuration is kept blank. One can add the
recipient email ID in any email for backup
purposes. It can be configured in such a way
that any email that is sent should have at least
one Mail CC. The Mail CC should be
configured for sending the backup type of
emails.

MailFooter <BR><BR><BR>Please The mail footer configuration is a standard

ensure that your Web/IT/ footer for all emails. One can set the standard
Email administrator permits e- footer for every sent email. The standard
mails with attachments. This is footer can be configured according to the
an auto-generated e-mail from client’s requirements.
ARCON PAM. Please do not
reply to this e-mail. It has been
sent from an e-mail account
that may not be monitored. In
case of any assistance or
query please contact ARCON
PAM Administrator.

ARCOSACMOURL <PAM URL> The ARCOS ACMO URL must be changed to

the PAM URL

MailBodyPanelParam <PAM URL>/resources/ The email logo URL must be configured here
images/arcos-logo.png

ScheduleReportsFormat PDF CSV OR PDF

PDFCreatedFor <Client Name> PDF created for <client name>

PDFCreatedBy ARCON PDF created by <ARCON>

PDFInitiated Daily Configure frequency for daily reports to be

generated

PDFImage X: Report cover header page image

\ARCON_Solutions\ARCON_
Program_Files\ARCOS Alert
Service\ReportCoverHeaderP
age.png

PDFHeaderText Leave it blank Text to be mentioned for the PDF Header

(not in use)

DeferSchedulingProcess Leave it blank If DeferSchedulingProcess then ScheduleLog

is On, if blank then ScheduleLog is off

 ‘X' denotes the drive where ARCON’s Logs are stored.

75
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
3. Click File → Save to save the configurations.
4.4.4 ARCOS Failover Manager
4.4.4.1 Overview
Ensuring data is available at any point in time is the topmost priority for any organization. Auto Failover is a
mode if the database is not online, it would automatically be redirected to an alternative and the database
would be up and available. In ARCON PAM we have a Primary Database Server and a High Availability Server
to ensure that the database environment is restored with minimal impact on the business. ARCON PAM
Automatic Failover Automatically initiates a fast-start failover without human intervention after the primary
database has been unavailable for a set period. i.e. If the Primary Server is Down and not accessible due to
network failure or any other reason, ARCON Auto Failover Manager will connect to SQL Cluster IP of DC and
will perform a DB Check and if successful, it will continue to do so after 60 Seconds (Configurable) interval.

4.4.4.2 Scenario

There are two ARCON PAM Database Servers (Primary and HA) in DC and one in DR Environment. MSSQL
Clustering with Common Storage is used to achieve High Availability between Primary and HA Database
Server in DC. MSSQL Log Shipping is used to replicate ARCON PAM Database from DC to DR Environment.
ARCON Auto Failover Manager will connect to SQL Cluster IP of DC and will perform a DB Check and if
successful, it will continue to do so after 60 Seconds (Configurable) interval. If DB Check is unsuccessful,
ARCON Auto Failover Manager will attempt twice after 5 Seconds (Configurable) interval. After Three
Unsuccessful attempts, ARCON Failover Manager will Connect to DR Database Server and will bring the
ARCON PAM Database in Read-Write Mode. Once ARCON PAM Databases are Online, it will automatically
start all the ARCON Windows Components.

76
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
4.4.4.2.1 Configuration Requirement

Following are the settings required for Automatic Failover Manager:

1. Primary Server database connection details.
2. DR Server database connection details.
3. List of ARCON Windows Component to Autostart on DR Server
4. The service interval for connecting the Primary database and validating if the database is running.
5. Number of failed attempts for validating if the database is running
6. In case of failure, an interval for connecting Primary DB and validate if DB is running.

4.4.4.2.2 Configuration Steps

1. Install and Run service as Administrator account.

a. Database Details : Use dbsetting.exe to generate db setting file, provide primary and DR
database details.

77
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Steps to create dbsetting.ini file are as follows:

i. Double click on ‘ARCOSDBSettingCreator.exe’ file.
ii. The ARCON PAM Database DBSettings.ini File Creator window opens. Enter the
following details:
Connection Details (Primary)
• Server IP – address where Database is located
• Server Port – port on which the ARCON PAM Database will listen (Default port is -
1433)
• Server Name – the name of the server / IP address
• User Name – ARCON PAM Database name
• User Password – ARCON PAM database password

78
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

iii. Enter all the above details and click Test Connection. The following success message will
be displayed.
Test Connection Success For Primary Database.
iv. Select Connection Details (DR Server) checkbox. Enter the following details:
Connection Details (DR Server)
• Server IP– address where Database is located
• Server Port– port on which the ARCON PAM Database will listen (Default port is -
1433)
• Server Name– the name of the server / IP address

v. Enter all the above details and click Test Connection. The following success message will
be displayed.
Test Connection Success For DR Database.

 DR Database login user should have restoring rights on DR Server.

vi. Enter the following details:

Database Name Details:
• Primary Database – Select Use Default check box. "ARCOSDB" will be displayed in
text field.
• RDP Database – Select Use Default check box. "ARCOSRDPDB" will be displayed
in text field.

 Do not change values in Primary Database and RDP Database text fields.

vii. Click Generate ini File button, to generate the ini file. The DBSetting.ini file is generated
inside the DBSetting folder.
viii. The following screen will be displayed.

b. ARCOSFailoverManagerConfig :
The ARCOSFailoverManagerConfig file will be displayed on the below path after installing
Service on DR Server:
X:\ARCON_Solutions\ARCON_Program_Files\ARCOSAutoFailover

 ‘X' denotes the drive where ARCON’s ancillary services will be installed.

79
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

The ARCOS Failover Manager config file is required to manage the following:
i. ServiceInterval: This is the time interval at which service will check the connection with
the primary database. Set time in milliseconds, default time is 60000 milliseconds.
ii. PRFailedThresholdValue: If the service failed to connect to the primary database. Set this
time interval for multiple attempts in 1 min default is 1500 seconds.
iii. PRConnectAttemptInterval: Set this in numbers as in how many PRFailedThresholdValue
attempts, for example: If the service failed to connect primary database, then connect try
will be PRFailedThresholdValue * PRConnectAttemptInterval = 1500(sec)*8(times)
iv. ServicesToFailover: List down the windows service which you want to start after DR
recovered.

 Use the Service name of Services and not the Display name of Services
(Services.msc > Select a service > Right-click and select Properties).

 SQL Queries can be configured from ARCOSAutoFailover config file.

4.4.4.2.3 Logs

Logs shall be generated for ARCOS Failover service and saved in “Applications and services logs” in Event
Viewer window as shown below.

80
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

81
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.4.5 ARCOS Log Archiver Service

4.4.5.1 Overview
The ARCOS Log Archiver Service is the next step of the ARCOS Log Manager Service. This service plays an
important role when the images are transferred from the database to a physical disk. This service converts all
the setup.
ARCOS Archival Service is installed on ARCOS Server* to archive video logs in playable Video Format. The logs
are converted and archived into viewable video formats for transfer/share or audit logging. Logs are stored
in .avi format and can be viewed using Windows Built-in Media Player. These logs can be retained for audit trail
and retention of data.
4.4.5.1.1 Pre-requisites

Following are the prerequisite required for ARCOS Log Archiver Service:

82
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
1. .net Framework 4.7.2 version needs to be installed.
2. In ARCON PAM Settings enable the following configurations. To configure the PAM Settings follow the
given path: ACMO → Manager → Settings → Logs → Archival Service
0

a. Enable ARCOS Log Archiver Service

b. Enable ARCOS Log Archiver Service - Is Delete Service Log (If Archive Success)
c. Set the value as needed for ARCOS Log Archiver Service - Archive Older Than Hours

4.4.5.2 Installation
For the Installation following steps need to be followed.
1. Right-click on the .msi file ARCOSLogArchiverServiceSetup.msi, the following options as in the below
image will be displayed. Click on Install.
0

2. If the application has never been installed before then the following screen shall appear. Click Next.
0

83
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3. Browse and select the installation path where you want to place the file. Preferably the path as X:
\ARCON_Solutions\ARCON_Program_Files\ARCOS Log Archiver Service\
Note: ‘X' denotes the drive where ARCON’s ancillary services will be installed.
4. Select the radio button Everyone (applicable for anyone using this system) or Just me (applicable for the
logged-in user) and click Next to confirm the setting.
0

84
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5. Click next to confirm the installation.

0

85
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

6. Click Close as the installation has been completed successfully on the system
0

86
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

7. You can view the service running using the following path:
Run → services.msc → ARCOS Log Archiver Service running

 Copy DB Settings from the ACMO folder to all the installed service folders for services to run/start.

4.4.5.2.1 Log Archiver Configuration File

Once the service is installed on the system, you need to configure the resolution, interval of Video logs in
the ARCOSLAConfig.ini file.
To navigate, use the following path (this path is the installation path which is selected in step 3):
X:\ARCON_Solutions\ARCON_Program_Files\ARCOS Log Archiver Service\ Open the file in the notepad
application.

Define the configurations in the ARCOSLAConfig.ini file as listed in the table below:

87
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

0
Below listed are the Log Archiver Service names & values for the ARCOSLAConfig.ini file

Config Name Config Value Description

ServiceInterval 60000 This config is used for restarting the Log Archiver
service after a particular time interval ( in
milliseconds)

EnableTraceLog false Traces the functionality. You can enable or disable

Trace Logs. Trace Logs when enabled can be used for
troubleshooting, if service logs does not functions
properly.
If the trace log is enabled, it generates a log in
the Event Viewer. Every service creates logs in
the Event Viewer.
If there is any problem in a service and it does not
function properly, then one should go to the Event
Viewer and check the respective event logs.
Configurable Values: true or false.

VideoWidth 1024 Configures width of the video log.

 Should be configured same as the Log

Manager configuration.

88
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

VideoHeight 768 Configures height of the video log.

 Should be configured same as the Log

Manager configuration.

VideoFrameRate 1 Configures frame rate of the video log.

Video is a sequence of frames. When images are
converted into a video, it gets written as one file with
encoding of images. When a media player
understands the encoding and plays it as a video, the
video is played frame by frame.
The default value for the frame rate is set to 2. The
value 2 means, there are 2 frames in 1 second. This
frame rate can be too fast for some clients, one can
change the frame rate value from 2 to 1, which means
1 frame per second. But one cannot go below the
frame rate 1 frame per 1 second. 1 frame cannot be
divided in multiple seconds. One can configure 1
frame per second or 2 frames per second or more
than that.

VideosPerCycle 10 Configures number of image session logs to be

converted to video logs for the set interval. In other
words, it refers to the number of videos that the
archival service should have in one cycle.
For example, if VideosPerCycle value is set to 10 and
Interval is set to 60,000 milliseconds, then 10 image
session logs are converted to Video log after every 1
minute (service interval cycle).

VideosBitRate 300000 Configures Bit rate of video log. By default, the value
is 3 lac

 It is not recommended to change the default

value. If changed, it reduces the video quality
after 5 - 10 seconds.

89
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

logordertype 0 Configure the value for log order type. The valid
values are 0, 1, 2.
0: All images are considered for conversion from
Image log to Video Log

 If the value is set to 0 then only one service

needs to be installed. If both services are
installed, the value needs to be set to either 1
or 2 depending on the values set in ARCOS
Log Archiver Service ONS. Failing to do so
can lead to a malfunction.

1: Only Odd number images record will be considered

for conversion from Image log to Video Log
2: Only Even number images record will be
considered for conversion from Image log to Video
Log

 If you want to generate

both Odd and Even Video logs, you need to
configure ARCOS Log Archiver Service
ONS from ARCON PAM Windows
Components Installer folder. Post
installation of this service the values in config
file should be configured. For example, if the
logordertype value in Archival Service is
configured to 1, then the logordertype value
in Archival ONS should be configured to 2.
This will download both the Odd and Even
Video logs simultaneously. Thus, increasing
the performance.

VideoFormat .Mp4 Configures format of video. The valid values are:

• .Mp4
• .avi

90
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

IsStagingLogServer
false Staging Log Server is used to store logs before they
are transferred to Database Server. Logs are
compressed and stored on this Server.
In a few organizations, the size of logs generated per
day is higher and users accessing ARCON PAM are of
greater volume. The bandwidth falls short for
transferring logs to Database Server. In such a
scenario, Log Staging Server is used to store logs.
These logs are then transferred to Database Server in
the configured time interval. The status of the logs can
be monitored by hosting on URL.
Configurable Values: true or false

ARCOSLogFolder X: ARCOS Log source folder

\ARCON_Solutions\A
RCON_Web\ARCOSU
serAccessLogViewer
Web\ARCOSLogMana
gerServiceLog

ARCOSArchivedLogFolder X: ARCOS Log destination folder

\ARCON_Solutions\A
RCON_Web\ARCOSU
serAccessLogViewer
Web\ARCOSLogMana
gerServiceLog_Archiv
ed

ARCOSWebDTURL (ARCON https://10.10.2.0/ ARCON PAM Web API URL which is hosted locally.
PAM Web API URL)
 It is recommended to host the API on
Database server as it reduces the time
required for connectivity.

 ‘X' denotes the drive where ARCON’s Logs are stored.

4.4.6 ARCOS Log Archiver Service ONS

4.4.6.1 Overview
In ARCOS, the Log Archiver Service and Log Archiver Odd Number Series (ONS) service are two different
threads that run at the same level and have the same functionality
4.4.6.1.1 Pre-requisites

• .net Framework 4.7.2 version needs to be installed.

• Install the Log Archiver Service

91
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
4.4.6.2 Installation
For the Installation following steps need to be followed.
1. Right-click on the .msi file ARCOSLogArchiverServiceSetup_ONS.msi, the following options as in the
below image will be displayed. Click on Install.
0

2. If the application has never been installed before then the following screen shall appear. Click Next.
0

3. Browse and select the installation path where you want to place the file. Preferably the path as
X:\ARCON _Solutions\ARCON_Program_Files\ARCOS Log Archiver Service ONS\
Note: ‘X' denotes the drive where ARCON’s ancillary services will be installed.
4. Select the radio button Everyone (applicable for anyone using this system) or Just me (applicable for the
logged-in user) and click Next to confirm the setting.
0

92
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5. Click Next to confirm the installation.

0

93
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

6. Click Close as the installation has been completed successfully on the system.
0

94
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

7. You can view the service running using the following path:
Run → services.msc → ARCOS Log Archiver Service ONS running

 Copy DB Settings from the ACMO folder to all the installed service folders for services to run/start.

4.4.6.2.1 Log Archiver Service ONS Configuration File

Once the service is installed on the system, you need to copy the ARCOSLAConfig.ini (Configurations for which
are already set in Log Archiver Service ) file from the following folder X:
\ARCON_Solutions\ARCON_Program_Files\ARCOS Log Archiver Service\ to X:\ARCON
_Solutions\ARCON_Program_Files\ARCOS Log Archiver Service ONS\

 ‘X' denotes the drive where ARCON’s ancillary services will be installed.

Listed below is the only configuration value that needs to be changed in the copied ARCOSLAConfig.ini file:

95
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

logordertype 1 Configure the value for log order

type. The valid values are: 0, 1, 2.
0: All images are considered for
conversion from Image log to Video
Log

 If the value is set to 0 then

only one service needs to
be installed. If both
services are installed, the
value needs to be set to
either 1 or 2 depending on
the values set in ARCOS
Log Archiver Service.
Failing to do so can lead to
a malfunction.

1: Only Odd number images record

will be considered for conversion
from Image log to Video Log
2: Only Even number images record
will be considered for conversion
from Image log to Video Log

 If you want to generate

both Odd and Even Video
logs, you need to
configure ARCOS
Log Archiver Service
ONS from ARCON PAM
Windows Components
Installer folder. Post
installation of this service
the values in config file
should be configured. For
example, if the
logordertype value
in Archival Service is
configured to 1, then the
logordertype value
in Archival ONS should be
configured to 2. This
will download both the
Odd and Even Video logs
simultaneously. Thus,
increasing the
performance.

96
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.4.7 ARCOS Log Manager Service

4.4.7.1 Overview
ARCOS Log Manager Service configuration allows ARCON PAM to capture images during session recording for
any GUI based access taken by the User. The images are transferred to Database Server on a real-time basis. It
does not cache anything on the local server and memory, as it sends them to the ARCOS vault server. The
ARCOS vault server consists of two databases, ARCOS DB and ARCOS RDP DB. If the images are captured in
the form of command logs, they are sent to the ARCOS DB and on the other hand, the video logs are sent to the
ARCOS RDP DB. The database cannot store a huge amount of binary files or images because it slows down the
performance. Based on the configuration, the ARCOS log manager service copies all the logs from the database
and stores them to the physical storage in JPEG format, so that the RDP DB database can always remain light in
size depending upon the load.
When configuring ARCOS Log Manager Service, make sure that the RDP DB has at least 100 GB of free space,
so that even if it grows, one does not have any application performance issue in the backup.

4.4.7.1.1 Pre-requisites

.net Framework 4.7.2 version needs to be installed.

4.4.7.2 Installation
To install the ARCOS Log Manager Service, follow the steps below:
1. Right-click on the ARCOSLogManagerServiceSetup.msi file and click Install.

2. Click on the Next button in the ARCOS Log Manager Service Setup Wizard screen to process the setup.

97
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3. Click on the Browse button to select the installation folder. Select the radio button Everyone (applicable for
anyone using this system) or Just me (applicable for the logged-in user) and then click on the Next button to
confirm the setting.

 • Recommended folder path - X:\ARCON_Solutions\ARCON_Program_Files\ARCOS Log

Manager
• Here ‘X' denotes the drive where ARCON’s ancillary services will be installed.

98
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4. Click on the Next button to start the installation.

99
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5. Click on the Close button as the installation has been completed successfully on the system.

100
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

6. You can view the service running using the following path:
Run → services.msc → ARCOS Log Manager Service

 Copy DB Settings from ACMO folder to all installed service folders for services to run/start.

4.4.7.2.1 Configuring the ARCOS Log Manager Service

Below listed are the ARCOS Log Manager Service Configuration names & values for the logordertype.ini and
watermark.ini.
logordertype.ini and watermark.ini files are located at - X:\ARCON_Solutions\ARCON_Program_Files\ARCOS
Log Manager Service\ (this path is the installation path which is selected in step 3).

101
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Set the configurations in the logordertype.ini file referring to the following table:

102
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

logordertype 0 This config is used to set the session

ids to be recorded.
Configurable values: 0/1/2
• 0 - Normal records, will record
all the session ids
• 1 - Odd records, will record all
the odd session ids
• 2 - Even records, will record all
the even session ids

 Only configure if Log Manager ONS is installed.

Set the configurations in the watermark.ini file referring to the following table:

Config Name Config Value Description

_bolIsWaterMarkEnabled true This config is used to Enable or

Disable Watermark in Video. To
enable Watermark, configure the
value to True.
Configurable value : true/false

_waterMarkText Client Name or ARCON Enter the Text to be displayed in

Watermark

_waterMarkFontName arial Font Name for Watermark

_waterMarkFontColor White Font Color for Watermark

_waterMarkFontSize(if 20 Font Size for Watermark

_bolIsTextOutlineForWaterMarkE
nabled is true recommended
size=20)

_debuglog false If the value is set to false, it will not

generate the debug logs. If the
value is true it will generate the
debug logs.
Configurable value : true/false

_bolIsTextOutlineForWaterMarkE true This config will enable/disable

nabled = true or false outline for the value of the
_waterMarkText config and the
timestamp
Configurable value : true/false

103
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4.4.8 ARCOS Log Manager Service ONS

4.4.8.1 Overview
In ARCOS, the ARCOS Log Manager Service and ARCOS Log Manager Odd Number Series (ONS) service are
two different threads that run at the same level and have the same functionality.
In the ARCOS Log Manager ONS service, the default value for the log order type is set to 1. If both the services
are installed, one has to configure the value for the ARCOS Log Manager Service as 2 and the value for the Log
Manager ONS service as 1. It means selecting even and odd services. The ARCOS Log Manager Service selects
only even records and the Log Manager ONS service selects only odd number series. At the same time, a given
archiving process gets doubled.

4.4.8.1.1 Pre-requisites

• .net Framework 4.7.2 version needs to be installed

• Install ARCOS Log Manager Service

4.4.8.2 Installation
To install the ARCOS Log Manager Service ONS, follow the steps below:
1. Right-click on the ARCOSLogManagerServiceONSSetup.msi file and click Install.

2. Click on the Next button in the ARCOS Log Manager Service ONS Setup Wizard screen to process the setup.

104
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3. Click on the Browse button to select the installation folder. Select the radio button Everyone (applicable for
anyone using this system) or Just me (applicable for the logged-in user) and then click on the Next button to
confirm the setting.

 • Recommended folder path - X:\ARCON_Solutions\ARCON_Program_Files\ARCOS Log

Manager Service ONS\
• Here ‘X' denotes the drive where ARCON’s ancillary services will be installed.

105
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

4. Click on the Next button to start the installation.

106
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

107
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5. Click on the Close button as the installation has been completed successfully on the system.

6. You can view the service running using the following path:
Run → services.msc → ARCOS Log Manager Service

 Copy DB Settings from ACMO folder to all installed service folders for services to run/start.

4.4.8.2.1 Configuring the ARCOS Log Manager Service ONS

Below listed are the ARCOS Log Manager Service ONS Configuration names & values for the logordertype.ini
and watermark.ini.
logordertype.ini and watermark.ini files are located at - X:\ARCON_Solutions\ARCON_Program_Files\ARCOS
Log Manager Service ONS\ (this path is the installation path which is selected in step 3).

108
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Set the configurations in the logordertype.ini file referring to the following table:

109
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

logordertype 1 This config is used to set the session

ids to be recorded.
Configurable values: 0/1/2
• 0 - Normal records, will record
all the session ids
• 1 - Odd records, will record all
the odd session ids
• 2 - Even records, will record all
the even session ids

 Only configure if Log Manager ONS is installed.

Set the configurations in the watermark.ini file referring to the following table:

Config Name Config Value Description

_bolIsWaterMarkEnabled true This config is used to Enable or

Disable Watermark in Video. To
enable Watermark, configure the
value to True.
Configurable value : true/false

_waterMarkText Client Name or ARCON Enter the Text to be displayed in

Watermark

_waterMarkFontName arial Font Name for Watermark

_waterMarkFontColor White Font Color for Watermark

_waterMarkFontSize(if 20 Font Size for Watermark

_bolIsTextOutlineForWaterMarkE
nabled is true recommended
size=20)

_debuglog false If the value is set to false, it will not

generate the debug logs. If the
value is true it will generate the
debug logs.
Configurable value : true/false

110
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config Value Description

_bolIsTextOutlineForWaterMarkE true This config will enable/disable

nabled = true or false outline for the config value of the
_waterMarkText and the
timestamp
Configurable value : true/false

4.4.9 ARCOS Scheduled Password Change Service

4.4.9.1 Overview
The automatic password change process is performed by a Scheduled Password Change (SPC) service. This
service allows the administrator to change the passwords of the target device on the scheduled date every
month automatically. Based on the LOB/Profile Default Configuration configured in ARCOS, the automatic
password change refers to the password change policy. It fulfills basic requirements of compliance such as the
number of upper case and lower case characters in the password, the length of the password, special characters
used in the password, and so on. Based on the organization’s policy and compliance requirements, one can
configure the type of passwords that ARCOS should generate and update them on the devices. Henceforth, we
will call the Schedule Password Change as SPC service.
4.4.9.1.1 Pre-requisites

.net Framework 4.7.2 needs to be installed on the server. The server should be restarted post .net installation.
4.4.9.2 Installation
For the installation the following steps need to be followed:
1. Right-click on the .msi file ARCOSSPCServiceSetup.msi, the following options as in the below image will
be displayed.

2. If the application has never been installed before then the following screen shall appear. Click Next.

111
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3. Browse and select the installation path where you want to place the file.

 • Recommended path - X:\ARCON_Solutions\ARCON_Program_Files\ARCOS Scheduled

Password Change Service\
• ‘X' denotes the drive where ARCON’s ancillary services will be installed

4. Select the radio button Everyone (applicable for anyone using this system) or Just me (applicable for the
logged-in user) and click Next to confirm the setting.

112
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5. Click Next to confirm the installation.

113
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
6. Click Close as the installation has been completed successfully on the system.

 Copy DB Settings from the ACMO folder to all the installed service folders for services to start and
then run.

Below listed are the Scheduled Password Change Configuration names & values for the spcconfig.ini.

114
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

The spcconfig.ini file is located at - X:\ARCON_Solutions\ARCON_Program_Files\ARCOS Scheduled Password

Change Service\ (this path is the installation path which is selected in step 3)

Config Name Config value Description

Service Interval 60000 This config is used for restarting the

SPC service after a particular time
interval ( in milliseconds)

115
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

MaxPwdAgeRange 23 This config is used for the password

change process of those services
whose max password age is less
than 1 day.
For services whose max password
age is greater than 1 day→Config
value is set to 0
It is configured based on equation-
(24*Max password age of the
service) - config value

IsUserNameAfterPassword false This config is used for appending

username after password (used for
password change process of linux
domain id’s)
Configurable value : true/false

WindowsPWDChangeServicePort 45045 Mandatory windows password

change port number

UserGatewayServerForPWDChange true Set this value as 'true' to change the

password through gateway server

IsUseReplaceKeywordInPasswordCh true This config is used for the password

ange change process in database
services where the “replace”
keyword is used in the password
change command.
Configurable value : true/false

SSH connection timeout 60 This config is used to set timeout

for ssh connection.(in seconds)

IsEnforceSUSEForPWDChange false Override password change tags

through suse.
Configurable value : true/false

IsEnforceToRestartService false Allow self restart of service

Configurable value : true/false

RestartServiceIntervalInDays 1 Restart service after 'n' configured

days

RestartServiceByTime 2 Restart service after ’n' configured

hrs

116
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

IsServiceOutsideCluster false This config is used for indicating if

service is present in windows
cluster.
Configurable value : true/false

SPCDependentOn ARCOS Alert Service Name of windows service on which

SPC is dependent on.

NewSecureGatewayWithLatestCiphe true This config is used for checking

rs ciphers while connection to
gateway server.
Configurable value : true/false

StartEndTime 00:00~00:00 This config is used for setting the

time for the password change
process by SPC service.
Eg- 00:00~06:00
The above config would allow
password change from 00:00 hrs to
06:00 hrs.

DefaultLOB →NA for All LOB This config is used for allowing SPC
to run for all /particular LOB
→LOB/LOB names
Configurable value : NA for All LOB
(comma separated)
Configurable value : LOB/LOB’s
name (comma separated)

ShowDebugLogs true This config is used for allowing SPC

to store logs in event viewer.
Configurable value : true/false

StartEndDate Eg- 1~31 This config is used for setting the

date for the password change
process by SPC.
Eg- 1~15
The above config would allow
password change from 1st day of
month to 15th day of month.

ServiceName ARCON SPC Service Installed Service Name should be

same

4.4.10 ARCOS Viewed Password Change Service

4.4.10.1 Overview
ARCOS Viewed Password Change (VPC) Service allow you to view the password of any services configured in
ARCON PAM. Once the password is viewed by the VPC service, the Scheduled Password Change (SPC) service
will rotate the password as configured in the VPC when viewing the password. Once the password has been

117
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
viewed and the set time (Password Open till) is over the password will get vaulted. Henceforth, we will call the
Viewed Password Change as VPC service.
4.4.10.1.1 Pre-requisites

.net Framework 4.7.2 needs to be installed on the server. The server should be restarted post .net installation.
4.4.10.2 Installation
For the installation the following steps need to be followed:
1. Right-click on the ARCOSViewedPasswordServiceSetup.msi file, the following options as in the below
image will be displayed.

2. If the application has never been installed before then the following screen shall appear. Click on the
Next button.

3. Browse and select the installation path where you want to place the file.

 • Recommended path - X:\ARCON_Solutions\ARCON_Program_Files\ARCOS Viewed Password

Change Service\

118
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
• ‘X' denotes the drive where ARCON’s ancillary services will be installed

4. Select the radio button Everyone (applicable for anyone using this system) or Just me (applicable for the
logged-in user) and then click on the Next button to confirm the setting.

5. Click on the Next button to confirm the installation.

119
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

6. Click on the Close button as the installation has been completed successfully on the system.

 Copy DB Settings from ACMO folder to all installed service folders for services to run/start.

4.4.10.2.1 Configuring the ARCOS Viewed Password Change Service

Below listed are the Viewed Password Change Configuration names & values for the spcconfig.ini.

120
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

The spcconfig.ini file is located at - X:\ARCON_Solutions\ARCON_Program_Files\ARCOS Viewed Password

Change Service\ (this path is the installation path which is selected in step 3)

121
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

Config Name Config value Description

Service Interval 60000 This config is used for restarting the VPC
service after a particular time interval (in
milliseconds)

MaxPwdAgeRange 23 This config is used for the password change

process of those services whose max
password age is less than 1 day.
For services whose max password age is
greater than 1 day→Config value is set to 0
It is configured based on equation-
(24*Max password age of the service) -
config value

IsUserNameAfterPassword false This config is used for appending username

after password (used for password change
process of linux domain id’s)
Configurable value : true/false

UserGatewayServerForPWDChange true Set this value as 'true' to change the

password through gateway server

WindowsPWDChangeServicePort 45045 Mandatory windows password change

port number

IsUseReplaceKeywordInPasswordChange true This config is used for the password change

process in database services where the
“replace” keyword is used in the password
change command.
Configurable value : true/false

SSH connection timeout 60 This config is used to set timeout for ssh
connection.(in seconds)

IsEnforceSUSEForPWDChange false Override password change tags through

suse.
Configurable value : true/false

IsEnforceToRestartService false Allow self restart of service

Configurable value : true/false

RestartServiceIntervalInDays 1 Restart service after 'n' configured days

RestartServiceByTime 2 Restart service after ’n' configured hrs

IsServiceOutsideCluster false This config is used for indicating if service is

present in windows cluster.
Configurable value : true/false

122
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

VPCDependentOn ARCOS Alert Name of windows service on which VPC is

Service dependent on.

NewSecureGatewayWithLatestCiphers true This config is used for checking ciphers

while connection to gateway server.
Configurable value : true/false

StartEndTime 00:00~00:00 This config is used for setting the time for
the password change process by VPC
service.
Eg- 00:00~06:00
The above config would allow password
change from 00:00 hrs to 06:00 hrs.

DefaultLOB →NA for All LOB This config is used for allowing VPC to run
for all /particular LOB
→LOB/LOB names
Configurable value : NA for All LOB
(comma separated)
Configurable value : LOB/LOB’s name
(comma separated)

ShowDebugLogs true This config is used for allowing VPC to

store logs in event viewer.
Configurable value : true/false

StartEndDate Eg- 1~31 This config is used for setting the date for
the password change process by VPC.
Eg- 1~15
The above config would allow password
change from 1st day of month to 15th day
of month.

ServiceName ARCON VPC Installed Service Name should be same

Service

4.5 Broker
4.5.1 Secure Gateway
SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH
client application with an SSH server. Common applications include remote command-line login and remote
command execution, but any network service can be secured with SSH.
This document describes configuring and mapping a secured gateway with UNIX/Linux Server.
4.5.1.1 Secure Gateway Server Configuration
This section helps you to configure the Secure Gateway Server.
ARCON PAM uses SSH Tunneling (Port Forwarding) for routing its connection via end machines. The target
server ports are not opened directly from end-user machines hence SSH Tunneling feature is used to route the
connections. To configure such connections AllowTcpforwarding should be enabled and UseDNS should be
disabled and the sshd_config file.

123
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

AllowTcpForwarding
Port forwarding allows you to forward a port on the local (SSH client) machine to a port on the remote (SSH
server) machine, which is then forwarded to a port on the destination machine. In this forwarding type, the SSH
client listens on a given port and tunnels any connection to that port to the specified port on the remote SSH
server, which then connects to a port on the destination machine. The destination machine can be the remote
SSH server or any other machine.

UseDNS
This change is an extension to support the above TCP Forwarding configuration. In an ideal scenario, this value
is "Yes" because it specifies whether sshd should look up the remote hostname and check that the resolved
hostname for the remote IP address maps back to the very same IP address.
The default value for the UseDNS option changed from "yes" to "no". With this change, sshd no longer converts
a client's IP address back into a hostname. This prevents the use of hostnames during forward via the Secure
Gateway Server and the host match blocks in the configuration file.

Use the following steps to configure the Secure Gateway Server:

1. Login to ARCON PAM Secured Server with root or (root equivalent) access:

2. Using VI editor, open sshd_config file through path /etc/ssh/:

124
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3. The default value for AllowTcpforwarding is “No”. Change the value to “Yes” (# is commented, to
uncomment the same remove the #):

4. Use DNS value should be “no”:

125
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5. Save the file using the command ZZ or : wq:

6. Add arcossshadmin user by using the below command setting a complex password. This user account
will be used as ARCON PAM Gateway Server user under ARCON PAM.

126
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

7. The user will be created and updated.

4.5.1.1.1 Secure Gateway Server Configuration in Server Manager

VPN Servers are Secure Gateway Servers (SGS) for ARCON PAM. If VPN Server is configured in ARCON PAM,
the connection is invoked from the user’s workstation to SGS and then from SGS to the target server/devices,
or else the connection is established directly from the user's machine to the Target Device. The connection to
SGS server is always on the secured port.
Use the following steps to configure VPN Servers:
1. Login to ARCON PAM Server Manager.

127
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
2. From the Tools menu select Advanced Configuration.
3. Select Default Configuration and then click on VPN Servers. The following screen will be displayed:

4. Enter the required details and click on Create button to configure VPN Server.
Click Modify to edit the existing configuration.
Select Is Active checkbox to enable the configuration.

4.5.1.1.2 Secure Gateway Mapping with LOB/Profile

You can map different LOBs to a particular VPN Server using LOB/Profile - VPN Server Details.
Use the following steps to map LOBs to VPN Server:
1. Login to ARCON PAM Server Manager.
2. From the Tools menu select Advanced Configuration.
3. Select LOB/Profile Default Configuration.
4. Select LOB/Profile - VPN Server Details tab. The following screen will be displayed:

128
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5. Select LOB / Profile and VPN Server from the dropdown list and click on Assign.
6. The connection to the target server/devices under the selected LOB will be invoked through VPN
Server.

4.5.1.1.3 Port Requirements

Source Destination Port Protocol Description Unidirecti

Device Device onal / Bidir
ectional

End User Gateway 22 SSH Port Secure Gateway Unidirecti

Server Server (SGS) onal

Gateway Target Target HTTPs / SSH / Database / Port of access of Unidirecti

Server Application Application Application Port / etc. target services onal
Ports

4.5.1.1.4 Security and Cipher

Following ciphers are used by the ARCON PAM application for establishing the tunnel hence required to be
enabled on the gateway servers and target services:

KexAlgorithms:
ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group-exchange-sha256
MACs:

129
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
hmac-sha2-512, hmac-sha2-256, hmac-ripemd160
Ciphers:
aes256-ctr, aes192-ctr, aes128-ctr
4.5.2 RDP Proxy
4.5.2.1 Overview
End-user can open a Remote Desktop Protocol (RDP) client and enter the proxy IP Address and credentials for
PAM (username, password). End-user will be able to view the RDP service assigned and take a session through
the proxy. The connection is routed through a proxy, session monitoring, and logs are available in the PAM
vault.

4.5.2.1.1 Accessing the RDP Services

To access the RDP nodes, follow the below steps:

1. Open any RDP Client, for example, Microsoft RDP Client/Microsoft Remote Desktop to login to the
ARCON PAM RDP Proxy Console.

2. Enter the target server IP Address and ARCON Authentication details like username and password.

 If the Authentication details are not available, enter the proxy IP Address and proceed from step 4.

 • The RDP Proxy will use the ARCON Authentication details provided by the user
• If the connection is assigned to him, RDP Proxy will connect to the target device and it will
proxy back to machine.

130
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

3. Click on Connect to connect the assigned connection.

 If the user doesn’t enter the ARCON Authentication details like ARCON Username and ARCON
Password, then ARCON RDP Proxy will flash the user to enter the details on RDP Proxy Login Screen.

131
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2
4. Enter the Username and Password to ARCON RDP Proxy login.
5. Click on Login.

6. Select the required service and click on Connect.

132
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

 • The user will be connected to the target server via RDP Proxy.
• Entire user session will be recorded and logs will be available in ARCON PAM vault.

133
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

5 LOB or Profile Master

In ARCON PAM user are of two types’ domain user and local user. The domain users are present in the active
directory and are authenticated using active directory whereas the local users are present locally. The login
credentials are authenticated according to the domain name specified during the login process. The LOB’s are
created and fetched according to the domain name. Once the LOBs are created ARCON PAM application
follows a maker-checker principle for authorization.
The maker-checker principle is used for each request made by the user, for this feature there should be at least
two Administrator which are necessary for its confirmation / authorization. While one Administrator may
create a user, the other Administrator would be involved in confirmation/authorization of the same. Once the
users are created services are added for the users.
A service is an instance of a server, assume there are 4 users on a windows server such as Administrator, SYS,
TEST, and UAT. Now, each user will have a unique service. This will help Administrator to have a proper control
over the service which is mapped to a particular user. Due to this Administrator ID can get user wise audit trail
for each action which are performed under ARCON PAM. As the Administrators are responsible for managing
services they should be assigned Add Service privilege to create, delete or update a service.
After creating the services the Administrator should create user group and server group; map user group to
users and server group to services. After the above process the server group are mapped to user group. For
mapping the Administrator should be assigned Assign Service Group To User Group privilege to perform group
mapping.
The services are then mapped to users. The connections to the users are established in Map Users /
Services screen. The Administrator should be assigned Assign Service To User privilege to map services to
user. The services are assigned to a user based on the services available in the server group, where the users
are a part of the user group.
To assign an existing or newly created services to single or multiple users map services to multiple users. In
addition, this allows Administrator to restrict commands for the user.
The next step is to map the user to LOB, map user groups to particular LOB. When LOB is assigned to User
Group, the users available under User Group can be mapped to services assigned to that LOB. To assign LOB to
User Group, the Administrator should have Assign LOB To User Group privilege.
Next map service to LOB to assign LOB to Service, the Administrator should have Assign LOB To
Service privilege.
Next map a service group(s) to a particular LOB. When LOB is assigned to Service Group, the service available
under Service Group can be mapped to users of that LOB. To assign LOB to Service Group, the Administrator
should have Assign LOB To Service Group privilege.

 The Administrator can create multiple LOBs and map those LOBs.

134
Installation and Configuration Guide | Version
4.8.5.0_U16 SP2

 For more detail about the process refer the ARCON PAM Administrative guide.

135
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any
means such as electronic, mechanical, photocopying, recording, or otherwise without permission.