06 - PAM I and C - Pre Implementation

Pre-Implementation

CyberArk University

© 2024 CyberArk Software Ltd. All rights reserved


PAM Suite Basic Architecture

Data Center 1 (Primary Site):
• Vault Server: CyberArk Repository
• PSM Server: brokered and recorded sessions
• Components Server: Password Manager, Password Vault Web Access, Replication Backup

Data Center 2 (DR Site):
• DR Vault Server: CyberArk DR Repository
• PSM Server: brokered and recorded sessions
• DR Components Server: Password Manager, Password Vault Web Access, Replication Backup

Connections shown in the diagram:
• Vault Administrators and End Users to PVWA (PVWA Access): HTTPS web front-end
• End Users to PSM: RDP terminal service
• PSM Servers and Components Servers to the Vault: TCP 1858 (CyberArk communication)
• DR Vault to Vault: TCP 1858 for replication, plus an ICMP DR-to-Vault heart-beat ping
• Target systems shown: Windows AD; Windows Server or Desktop (Windows RDP, Windows native NTLM or WMI); Unix/Linux Server (SSH); Cisco Router (SSH or Telnet)
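The flows on this slide are what a pre-implementation firewall review has to confirm before the installers are on site. The script below is an added example, not CyberArk tooling or course material: it encodes the diagram's flows as a matrix and probes the TCP ones from whichever server it runs on. Host names are constructed placeholders; only TCP 1858 comes from the slide, the other ports are the standard defaults for the named protocols (HTTPS 443, RDP 3389, SSH 22). ICMP flows cannot be tested with an ordinary socket, so they are reported as needing a manual check rather than silently passed.

```python
"""Pre-implementation connectivity check for the PAM architecture flows.
Added example, not CyberArk tooling.  Host names are constructed
placeholders; replace them with the customer's servers."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Only TCP 1858 is stated on the slide; the rest are standard defaults.
VAULT_PORT = 1858   # CyberArk Vault protocol
HTTPS = 443
RDP = 3389
SSH = 22


@dataclass(frozen=True)
class Flow:
    source: str          # host the probe must run from
    destination: str
    protocol: str        # "tcp" or "icmp"
    port: Optional[int]  # None for ICMP
    purpose: str         # unique label used as the report key


# Flows read off the architecture diagram (constructed host names).
FLOWS: List[Flow] = [
    Flow("end-users", "pvwa.example.internal", "tcp", HTTPS, "PVWA web front-end"),
    Flow("vault-admins", "pvwa.example.internal", "tcp", HTTPS, "PVWA access"),
    Flow("pvwa.example.internal", "vault.example.internal", "tcp", VAULT_PORT, "PVWA to Vault"),
    Flow("cpm.example.internal", "vault.example.internal", "tcp", VAULT_PORT, "CPM to Vault"),
    Flow("psm.example.internal", "vault.example.internal", "tcp", VAULT_PORT, "PSM to Vault"),
    Flow("dr-vault.example.internal", "vault.example.internal", "tcp", VAULT_PORT, "DR replication"),
    Flow("dr-vault.example.internal", "vault.example.internal", "icmp", None, "DR to Vault heart-beat ping"),
    Flow("end-users", "psm.example.internal", "tcp", RDP, "PSM brokered RDP session"),
    Flow("psm.example.internal", "win-target.example.internal", "tcp", RDP, "PSM to Windows target"),
    Flow("psm.example.internal", "linux-target.example.internal", "tcp", SSH, "PSM to Unix/Linux target"),
    Flow("cpm.example.internal", "linux-target.example.internal", "tcp", SSH, "CPM password change over SSH"),
]

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: complete a TCP handshake; True if the port answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows: List[Flow], local_host: str, probe: Probe = tcp_probe) -> Dict[str, str]:
    """Probe every flow whose source is local_host.
    Result per purpose: 'open', 'blocked', 'manual' (ICMP needs raw
    sockets, so it is left for an explicit ping) or 'skipped' (flow
    originates elsewhere and must be run from that host)."""
    results: Dict[str, str] = {}
    for f in flows:
        if f.source != local_host:
            results[f.purpose] = "skipped"
        elif f.protocol == "icmp":
            results[f.purpose] = "manual"
        else:
            results[f.purpose] = "open" if probe(f.destination, f.port) else "blocked"
    return results


def blocked_flows(results: Dict[str, str]) -> List[str]:
    """Flows that need a firewall or ACL change before installation day."""
    return sorted(p for p, s in results.items() if s == "blocked")


if __name__ == "__main__":
    here = socket.getfqdn()
    for purpose, status in check_flows(FLOWS, here).items():
        print(f"{status:8} {purpose}")
```

Run it once on each server in the matrix (Vault, DR Vault, PVWA, CPM, PSM) and from a user workstation; on the Windows servers each individual probe is what Test-NetConnection with -Port does, the script just walks the whole matrix and keeps the untestable ICMP heartbeat visible in the report.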


Privileged Access Manager System Requirements



Sample System Requirements: Vault and DR Servers

• The table lists the recommended specifications for standalone Vault servers and standalone DR Vault servers.
• Hardware and software specifications for the Vault Server are detailed in the Privileged Access Manager System Requirements available online at docs.cyberark.com.

Small Implementation (less than 20,000 managed passwords):
• 8-12 physical cores, x86-64 architecture
• 32-64 GB RAM
• 2 x 80 GB SSD [1]
• RAID 10 with SAS hot-swappable drives
• RAID Controller
• 1 GB Network adapter
• 1 USB port
• Additional SSD storage for PSM (optional) [2]

Medium Implementation (20,000-100,000 managed passwords):
• 24-48 physical cores, x86-64 architecture
• 64-128 GB RAM
• 1 x 80 GB SSD, 2 x 512 GB SSD [1]
• RAID 10 with SAS hot-swappable drives
• RAID Controller
• 1 GB Network adapter
• 1 USB port
• Additional SSD storage for PSM (optional) [2]

Large Implementation (more than 100,000 managed passwords):
• 60 or more physical cores, x86-64 architecture
• 256 or more GB RAM
• 1 x 80 GB SSD, 2 x 512 GB SSD [1] [3]
• RAID 10 with SAS hot-swappable drives
• RAID Controller
• 1 GB Network adapter
• 1 USB port
• Additional SSD storage for PSM (optional) [2]


Sample System Requirements: PVWA Server

• The following table lists the recommended specifications for the PVWA servers.
• PVWA can be installed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platforms.
• Hardware and software specifications for PVWA servers are detailed in the Privileged Access Manager System Requirements available online at docs.cyberark.com.

Hardware specifications

Small Implementation (<1,000 managed passwords):
• Quad core processor (Intel compatible)
• 8GB RAM
• 2x 80GB SATA/SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Mid-range Implementation (1,000-20,000 managed passwords):
• 2x Quad core processor (Intel compatible)
• 16GB RAM
• 2x 80GB SATA/SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Large Implementation (20,000-100,000 managed passwords):
• 2x Eight core processors (Intel compatible)
• 32GB RAM
• 2x 80GB SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Very Large Implementation (more than 100,000 managed passwords):
• 4x Eight core processors (Intel compatible)
• 64GB RAM
• 2x 80GB SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Software prerequisites
• Windows 2022, Windows 2019, Windows 2016
• IIS 10.0, 8.5
• .Net Framework 4.8
• Internet Explorer 11.0 (not supported for the Monitoring module)
• Chrome (any version released in the last six months on Windows and Linux/UNIX)
• Firefox (any version released in the last six months on Windows and Linux/UNIX)


Sample System Requirements: CPM Server

• The following table lists the recommended specifications for the CPM servers.
• CPM can be installed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platforms.
• Hardware and software specifications for CPM servers are detailed in the Privileged Access Manager System Requirements available online at docs.cyberark.com.

Hardware specifications

Small Implementation (<1,000 managed passwords):
• Quad core processor (Intel compatible)
• 8GB RAM
• 2x 80GB SATA/SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Mid-range Implementation (1,000-20,000 managed passwords):
• 2x Quad core processor (Intel compatible)
• 16GB RAM
• 2x 80GB SATA/SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Large Implementation (20,000-100,000 managed passwords):
• 2x Eight core processors (Intel compatible)
• 32GB RAM
• 2x 80GB SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Very Large Implementation (more than 100,000 managed passwords):
• 4x Eight core processors (Intel compatible)
• 64GB RAM
• 2x 80GB SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Software prerequisites
• Windows 2022, Windows 2019, Windows 2016
• .Net Framework 4.8


Sample System Requirements: PSM Servers

• The following table lists the recommended specifications for PSM servers.
• The maximum concurrency is lower (up to 40%) when installing the PSM server on a virtual machine.
• Optimal performance can be achieved on physical dedicated hardware.

Hardware Specifications: Physical Servers

Small Implementation (1-10 concurrent RDP/SSH sessions):
• 8 core processor (Intel compatible)
• 8GB RAM
• 2x 80GB SATA/SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Mid-range Implementation (11-50 concurrent RDP/SSH sessions):
• 16 core processors (Intel compatible)
• 16GB RAM
• 2x 80GB SATA/SAS hot-swappable drives
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Large Implementation (51-100 concurrent RDP/SSH sessions):
• 32 core processors (Intel compatible, 2.1 GHz to 2.6 GHz)
• 32GB RAM
• 2x 250GB SAS hot-swappable drives (15K RPM)
• RAID Controller
• Network adapter (1Gb)
• DVD ROM

Chrome concurrent sessions
• When adding concurrent sessions per user, make sure to increase the default timeout per session accordingly.
• When increasing the number of Chrome sessions, regardless of PSM usage, make sure to follow best practices regarding machine CPU and server capabilities.
• Small Implementation: maximum number of Chrome sessions per user, 15 concurrent connections; maximum total number of Chrome sessions per PSM server, 15 concurrent connections.
• Mid-range Implementation: maximum number of Chrome sessions per user, 50 concurrent connections; maximum total number of Chrome sessions per PSM server, 50 concurrent connections.
• Large Implementation: maximum number of Chrome sessions per user, 100 concurrent connections; maximum total number of Chrome sessions per PSM server, 100 concurrent connections.


Vault Servers Setup

Review the document “Digital Vault Security Standard” at https://docs.cyberark.com

• The Digital Vault should be installed on a dedicated physical machine (recommended).
• Built from the original Microsoft installation media.
• No third-party software, such as anti-virus or remote management solutions.
• The Digital Vault Server shall not be a member of any enterprise domain.
• Isolate the Digital Vault Server in a secure VLAN.


Privileged Access Manager Integrations



LDAP Integration

• Create an LDAP Bind account with READ ONLY access to the directory
⎼ Have the Username, Password, and DN available
⎼ Interactive logon is not required
• Create four LDAP groups to serve as roles for granting access to the vault
⎼ CyberArk Administrators
⎼ CyberArk Safe Managers
⎼ CyberArk Auditors
⎼ CyberArk Users
• In support of LDAP/S, install all relevant Root and Intermediate Certificates for the CA that issued the certificate on the directory LDAP servers to the Vault Servers
⎼ Update the hosts file on the vault servers with the directory server names
• Have a resource from the team responsible for LDAP directory servers available
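The hosts-file step matters because the Vault server is deliberately not a domain member, so it resolves the directory servers' names from its own hosts file and nothing else. The following is an added example, not course material or CyberArk code: it parses a Windows hosts file and reports, for every directory server the directory team supplied, whether the name is present, points at the expected address, is missing, or is ambiguous because several entries claim it. The sample file content, server names and addresses are constructed.

```python
"""Check a Vault server's hosts file for the LDAP directory server entries.
Added example; the sample content below is constructed, not a real file."""
import ipaddress
from typing import Dict, Set

# Windows hosts file location (the Vault runs on Windows and is not domain-joined)
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Map each host name or alias (lower-cased) to the set of addresses
    assigned to it.  Handles whole-line and trailing '#' comments, blank
    lines, CRLF line endings and IPv6 entries; lines whose first field is
    not an IP address are ignored."""
    mapping: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not a hosts entry
        for name in fields[1:]:
            mapping.setdefault(name.lower(), set()).add(addr)
    return mapping


def check_directory_names(hosts_text: str, expected: Dict[str, str]) -> Dict[str, str]:
    """expected maps directory server FQDN -> address supplied by the directory team.
    Result per FQDN: 'ok', 'missing' (no entry), 'mismatch' (wrong address)
    or 'ambiguous' (several addresses, so which one wins is not defined)."""
    mapping = parse_hosts(hosts_text)
    report: Dict[str, str] = {}
    for fqdn, ip in expected.items():
        want = str(ipaddress.ip_address(ip))
        addrs = mapping.get(fqdn.lower(), set())
        if not addrs:
            report[fqdn] = "missing"
        elif len(addrs) > 1:
            report[fqdn] = "ambiguous"
        elif want not in addrs:
            report[fqdn] = "mismatch"
        else:
            report[fqdn] = "ok"
    return report


# Constructed sample: a Vault hosts file after someone edited it by hand
SAMPLE_HOSTS = "\r\n".join([
    "# constructed sample hosts file",
    "127.0.0.1       localhost",
    "::1             localhost",
    "10.10.1.21      dc01.corp.example dc01   # primary directory server",
    "10.10.1.22      dc02.corp.example",
    "10.10.1.99      dc02.corp.example        # stale duplicate left behind",
    "10.10.1.30      dc04.corp.example",
    "not-an-address  junkline",
])

# Constructed: the list handed over by the directory team
EXPECTED_DIRECTORY_SERVERS = {
    "dc01.corp.example": "10.10.1.21",
    "dc02.corp.example": "10.10.1.22",
    "dc03.corp.example": "10.10.1.23",
    "dc04.corp.example": "10.10.1.31",
}


def check_local_hosts_file(path: str = HOSTS_PATH,
                           expected: Dict[str, str] = EXPECTED_DIRECTORY_SERVERS) -> Dict[str, str]:
    """Run the check against the real hosts file on this Vault server."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_directory_names(fh.read(), expected)


if __name__ == "__main__":
    for fqdn, status in check_directory_names(SAMPLE_HOSTS, EXPECTED_DIRECTORY_SERVERS).items():
        print(f"{status:10} {fqdn}")
```

Use the same names that appear in the directory servers' certificates: LDAP/S validates the name the Vault connected to against the certificate, so an entry that resolves but uses a short alias instead of the certificate's FQDN will fail the handshake even though the Root and Intermediate CA certificates are installed.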
Email (SMTP) Integration

• Have the IP address of all SMTP Gateways available.
• Ensure that any Layer 3 firewall rules or ACLs allow email communications from the Vault Servers to the SMTP Gateway.
• The Vault Server must be authorized to send SMTP messages to the SMTP Gateway.
• Schedule the SMTP gateway administrator to be available during the integration.
• Please refer to the “Standard Ports and Protocols” at https://docs.cyberark.com/
• Have a resource from the team responsible for SMTP Gateways available.


SNMP Monitoring Integration

• Have the IP addresses of all servers that can accept SNMP traps available.
• Upload SNMP v1 or v2 MIB files.
• Have the Community String available.
• Have a resource from the team responsible for SNMP servers available.


SIEM Monitoring Integration

• Find out the relevant SIEM vendor for the organization in question.
• Have the IP addresses of all servers that can accept SYSLOG information available.
• Have a resource from the team responsible for SYSLOG servers available.


RADIUS or RSA Integration

• Have the IP addresses of all RSA or RADIUS servers available.
• Create host entries in RSA or RADIUS for all Vault servers.
• Have the “secret” that was used during host entry creation available.
• Have a resource from the team responsible for the RADIUS or RSA servers available.


NTP Integration

• Have the IP addresses of all NTP servers available.


Sample Agenda and Considerations



Sample Agenda for “Getting Started” Four-day Engagement

This agenda is intended as a general example.

Onsite Day 1
Install and perform initial configuration of the Production and DR Vaults, including advanced Vault integration such as SNMP, SMTP, SYSLOG and any others that were agreed upon.

Onsite Day 2
Install and perform initial configuration of the Central Policy Manager, Password Vault Web Access 1 and 2, Privileged Session Manager, Secure Replication Utility and the Private-Ark Client.

Onsite Day 3
Perform advanced configuration for the CPM, PVWAs and PSM. Test CPM management on 3-5 types of the out-of-the-box plug-ins. Test PSM workflows on 3-5 types of the out-of-the-box connectors.

Onsite Day 4
Troubleshoot any issues discovered during the CPM testing and PSM workflows. Perform an overview session with administrators. Go over and assist in documenting the Master Policy, Access Control Model data and permission structures. Set up and go over support access and procedures.


Other Considerations
• Have test accounts available for CPM testing
⎼ Windows local administrator
⎼ Windows Domain Account
⎼ Linux SSH or Cisco
⎼ Other relevant accounts
• Make sure firewalls will not interfere with communication between CyberArk servers or with clients.
• Get an estimate of how many accounts will be managed and what type they might be (Windows domain or enterprise admin, Unix root, Oracle SYS, etc.).
Sample Contact Info Request

Could I please have the following items so we can effectively communicate about our engagement?

Contact Name: _______________________
Contact Phone: _______________________
Contact Email: _______________________
Contact Site Location (if onsite): _______________________


Summary

This session covered:
• General system hardware requirements
• Integration requirements
• Review of a sample four-day agenda