Deploy CyberArk Cloud PAM Solution on Two Connector Servers for Azure AD Cloud Only Enterprise

Identity Integration with Azure AD

4. Activate InstallerUser and Reset Password

Enable [email protected] this account. nnnn is the number. This account will reset its password and will be disabled every 24 hours.

5. After Azure AD service integrated into Identy, you can add roles

Mapping those Privilege Cloud roles with your security group created in your Azure AD

6. Policy

Create an Azure MFA policy and apply to your Privilege Cloud Groups. Also make it as top priority so it can be applied to those users. 

1. Public IPv4 Address which will be used to access CyberArk Privilege Cloud

2. Create CyberArk Administrator, CyberArk Auditor and CyberArk User groups.

▪ Recommended naming convention is CA-Admins, CA-Auditors, and CA-EndUsers

3. Firewall rules

Allow to Microsoft Updates 

4. Connector Servers

Windows 2022, deployed into an OU with GPO inheritance disabled

Joined into Windows Domain

.Net Framework 4.8 installed

No Anti-Virus software

RDS license

Latest patches and updates

5. SIEM information

6. Create Windows Reconcile Account 

If you are cloud-only environment, you might not need it. It will be only for local admin accounts.

7. Snapshots for VMs

8. For EPM LCD, and Alero Vendor Access, you will need a certificate for HTML5 gateway

9. System Requirements.

• Outbound traffic network and port requirements
• Privilege Cloud Connector internal network and machine requirements
• PSM for SSH requirements
• Privilege Cloud supported browsers
• Connector ports and protocols
• Standard Ports used for Accounts Discovery

Install Identity Connectors on Servers

Download Softwares and Tools

1. Download Softwares (CyberArk Privilege Cloud Tools) from Market place – CyberArk Integrations and tools

This package is a collection of pre/post implementation tools required to deploy CyberArk Privilege Cloud Connector Components

The package contains the following tools:

• Add-PSMApps
• CreateCredFile-Helper.zip
• Connector Management Prerequisites (Only for CM, otherwise use PSMCheckPrerequisites_PrivilegeCloud.zip)
• LDAPSCertificateTool.zip
• ldp.zip
• PSMCheckPrerequisites_PrivilegeCloud.zip
• PSMCodec.exe
• PSMP AutoInstall Script(psmpwiz.sh).zip
• PSM Convert local2domain Users (Set-DomainUser)
• Onboard PrivilegeCloud Admin(For Standalone)
• Reports (LicenseCapacity and UserReport)

2. Download CyberArk Privilege Cloud Software

1. Install Privilege Cloud Connector (Primary server and secondary server)

• PSM will be active on both servers
• CPM will be active on primary and standby for secondary

2. Install Secure Tunnel

It will be installed on both connector servers. But the configuration will be saved in vault. When you need to change configuration, just need to change on one server. The second server will retrieve configuration from vault. 

• For Syslogs traffics
• For PSM-RDP traffics

3. Reset installeruser account password and activate it for installation

Add Identity Connectors

The CyberArk Identity Connector is a multipurpose service that provides support for key features and enables secure communication between other services on your internal network or a cloud instance. Not all services require a connector, however. For example, if all users are CyberArk Cloud Directory user accounts, the connector isn’t required.

You can install additional connectors for load balancing and failover. You might also want to install more than one connector if you use multiple Identity Administration tenants. In most cases, you should install two connectors in a production environment. Identity Administration determines which connector to use by monitoring connector health and making a random selection with a bias toward healthy connectors.

The following diagram illustrates the default ports used by the Identity Connector.

1. From Identity Administration page, select Connector Management

2. Add a connector 

3. Define installation details

4. Copy script and run it in the connector servers