This post summarizes some unique points for setting up a CyberArk SaaS Cloud PAM solution for a small or medium-sized Cloud only (Azure AD) enterprise. Cloud only here means no domain service or a one-way sync-ed (from Azure AD to Azure Domain Service).
Table of Contents
Identity Integration with Azure AD
1. Add Azure Active Directory
2. Configure Azuer Active Directory Service
3. Create A New Azure APP Registration
To add AAD as a directory source, you need to register an application in your Azure account with appropriate access to the Microsoft Graph API. You can then authenticate using the Azure application’s Application ID, Directory ID, and Client Secret.
Your Azure Active Directory users can now log in to CyberArk Identity using their Azure Active Directory credentials. Add them to roles so you can grant permissions to applications, enforce authentication profiles, and more.
After entering a username, users are redirected to login.microsoftonline.com for authentication, then redirected back to the User Portal after successfully completing authentication mechanisms.
MFA from Azure is supported well since it will use Azure AD credentials to log in.
4. Activate InstallerUser and Reset Password
Enable [email protected] this account. nnnn is the number. This account will reset its password and will be disabled every 24 hours.
5. After Azure AD service integrated into Identy, you can add roles
Mapping those Privilege Cloud roles with your security group created in your Azure AD
Create an Azure MFA policy and apply to your Privilege Cloud Groups. Also make it as top priority so it can be applied to those users.
1. Public IPv4 Address which will be used to access CyberArk Privilege Cloud
2. Create CyberArk Administrator, CyberArk Auditor and CyberArk User groups.
▪ Recommended naming convention is CA-Admins, CA-Auditors, and CA-EndUsers
3. Firewall rules
Allow to Microsoft Updates
All outbound traffic
o https://docs.cyberark.com/Product-Doc/OnlineHelp/PrivCloud-SS/Latest/en/Content/Privilege Cloud/PrivCloud-sys-req-networks.htm
• Management ports
o Standard ports and protocols https://docs.cyberark.com/Product-Doc/OnlineHelp/PrivCloud-SS/Latest/en/Content/PAS SysReq/Standard Ports – CPM.htm
• Palo Alto or Next Gen Firewalls
4. Connector Servers
Windows 2022, deployed into an OU with GPO inheritance disabled
Joined into Windows Domain
.Net Framework 4.8 installed
No Anti-Virus software
Latest patches and updates
5. SIEM information
6. Create Windows Reconcile Account
If you are cloud-only environment, you might not need it. It will be only for local admin accounts.
7. Snapshots for VMs
8. For EPM LCD, and Alero Vendor Access, you will need a certificate for HTML5 gateway
This package is a collection of pre/post implementation tools required to deploy CyberArk Privilege Cloud Connector Components
The package contains the following tools:
Connector Management Prerequisites (Only for CM, otherwise use PSMCheckPrerequisites_PrivilegeCloud.zip)
PSMP AutoInstall Script(psmpwiz.sh).zip
PSM Convert local2domain Users (Set-DomainUser)
Onboard PrivilegeCloud Admin(For Standalone)
Reports (LicenseCapacity and UserReport)
2. Download CyberArk Privilege Cloud Software
CyberArk is proud to announce the release of Privilege Cloud version 13.2!
This release includes the following improvements to Privilege Cloud:
Privileged Session Manager (PSM) enhancements
Support for ‘non-sticky’ sessions
Conjur Enterprise plugin
Custom plugin development improvement
Access Amazon Web Services (AWS) console with STS
Accessibility improvements (Privilege Cloud standard only)
Secure Tunnel enhancements
1. Install Privilege Cloud Connector (Primary server and secondary server)
PSM will be active on both servers
CPM will be active on primary and standby for secondary
2. Install Secure Tunnel
It will be installed on both connector servers. But the configuration will be saved in vault. When you need to change configuration, just need to change on one server. The second server will retrieve configuration from vault.
For Syslogs traffics
For PSM-RDP traffics
3. Reset installeruser account password and activate it for installation
Add Identity Connectors
The CyberArk Identity Connector is a multipurpose service that provides support for key features and enables secure communication between other services on your internal network or a cloud instance. Not all services require a connector, however. For example, if all users are CyberArk Cloud Directory user accounts, the connector isn’t required.
You can install additional connectors for load balancing and failover. You might also want to install more than one connector if you use multiple Identity Administration tenants. In most cases, you should install two connectors in a production environment. Identity Administration determines which connector to use by monitoring connector health and making a random selection with a bias toward healthy connectors.
The following diagram illustrates the default ports used by the Identity Connector.
1. From Identity Administration page, select Connector Management
2. Add a connector
3. Define installation details
4. Copy script and run it in the connector servers