This post summarizes the steps to deploy your P-Cloud.


Once you have subscribed to P-Cloud, you will receive an email to activate your account.

Your account will look like this:

Your email will be used as MFA to authenticate your access to your P-Cloud environment.

P-Cloud URL: https://<company name>

After logging in, it will look like this:

Connector Server 

1 CyberArk Identity Connector Service

Creates a secure WebSocket tunnel between the Identity tenant and the on-premises LDAPS system

LDAPS, RADIUS

2 CyberArk Password Manager

All password management and rotation capabilities

3 CyberArk Privileged Session Manager

4 CyberArk Privilege Cloud Secure Tunnel Service

SIEM and HTML5 Gateway integration

The Vault and Its Clients


 1 Server Sizing

  • Separate CPM and PSM if needed
    • PSM and CPM will have different size requirements
      • PSM (1-10, 11-50, 51-100) sessions
      • CPM (<1000, 1000-20000, 20000-100000, 100000+) managed passwords

2 Minimum Server requirements

  • 8 Cores, 8GB RAM
  • Windows Server 2016 or 2019
  • Domain Joined (for full PSM features)
  • All connector servers need to be deployed into an OU that has GPO inheritance disabled

3 Design Consideration for Architecture

  • Components: PSM, CPM, Identity Connector (2 for resilience), Secure Tunnel (2)
  • PSM best practice for HA
  • CPM Active/DR best practice
  • AAM – separate VM
  • PSM for Unix – separate

4  LDAP Requirements

  • Domain Joined
  • Read permissions on the deleted objects container
    • Domain admin
    • Delegate read permissions to a service account

5  RDS 

  • RDS license server
  • RDS CAL on your connector server
    • Windows 2019 Per-User CAL if Connector Server OS is 2019
    • Per-device CAL
  • RDS should not be installed prior to the implementation

6  Firewall

7  Verify Prerequisites

– Troubleshooting flag

  • Script to validate required network traffic and local settings:
  • Privilege Cloud Checklist:
  • Remote Access for Privilege Cloud:
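
A local preflight check for the items above that can be verified on the connector server itself (cores, RAM, OS version, domain membership, RDS not yet installed). This is an added example, not CyberArk's prerequisite script; detecting an existing RDS install with `Get-WindowsFeature 'RDS-*'` is an assumption, and the OU/GPO inheritance and LDAP permission items are not covered.

```powershell
# Added example, not CyberArk's prerequisite script.
# Thresholds come from the "Minimum Server requirements" and "RDS" lists above.
$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$cores = (Get-CimInstance -ClassName Win32_Processor |
          Measure-Object -Property NumberOfCores -Sum).Sum

# TotalPhysicalMemory reports slightly less than the installed amount,
# so round to the nearest GB before comparing with the 8 GB minimum.
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)

# Assumption: any installed Remote Desktop Services role service counts as
# "RDS installed". Get-WindowsFeature is only available on Windows Server.
$rdsInstalled = @(Get-WindowsFeature -Name 'RDS-*' -ErrorAction SilentlyContinue |
                  Where-Object { $_.Installed })

$checks = @(
    [pscustomobject]@{ Check  = 'At least 8 cores'
                       Actual = $cores
                       Pass   = ($cores -ge 8) }
    [pscustomobject]@{ Check  = 'At least 8 GB RAM'
                       Actual = "$ramGB GB"
                       Pass   = ($ramGB -ge 8) }
    [pscustomobject]@{ Check  = 'Windows Server 2016 or 2019'
                       Actual = $os.Caption
                       Pass   = ($os.Caption -match 'Windows Server (2016|2019)') }
    [pscustomobject]@{ Check  = 'Domain joined'
                       Actual = $cs.Domain
                       Pass   = [bool]$cs.PartOfDomain }
    [pscustomobject]@{ Check  = 'RDS not installed yet'
                       Actual = ($rdsInstalled.Name -join ', ')
                       Pass   = ($rdsInstalled.Count -eq 0) }
)

$checks | Format-Table -AutoSize

# Non-zero exit code lets a deployment pipeline stop before the installers run.
$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("Failed checks: " + ($failed.Check -join '; '))
    exit 1
}
```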

Identity Installation

 CyberArk Identity Connector

  • installeruser
    • Reset the password; the password will expire in 24 hours
    • No MFA


By netsec
