CyberArk P-Cloud (CyberArk Privilege Cloud) Deployment

This post summarizes the steps to deploy your P-Cloud.

Interface

Once you have subscribed to P-Cloud, you will get an activation email to activate your account.
Your account will look like cludadminjnetsec@cyberark.cloud.1234
Your email will be used as the MFA factor to authenticate your access to your P-Cloud environment.
P-Cloud URL: https://<company name>.cyberark.cloud
After logging in, it will look like this:

Connector Server 

1 CyberArk Identity Connector Service

Creates a secure WebSocket tunnel between the Identity tenant and the on-premises LDAPS system

LDAPS, RADIUS

2 CyberArk Password Manager

All password management and rotation capabilities

3 CyberArk Privileged Session Manager

4 CyberArk Privilege Cloud Secure tunnel Service

SIEM and HTML5 Gateway integration

The Vault and Its Clients

Pre-implementation

1 Server Sizing

  • Separate CPM and PSM if needed
    • PSM and CPM will have different size requirements 
      • PSM (1-10, 11-50, 51-100) sessions
      • CPM (<1000, 1000-20000, 20000-100000, 100000+) managed passwords

2 Minimum Server requirements
  • 8 Cores, 8GB RAM
  • Windows Server 2016 or 2019
  • Domain Joined (for full PSM features)
  • All connector servers need to be deployed into an OU that has GPO inheritance disabled

3 Design Considerations for Architecture
  • Components: PSM, CPM, Identity Connector (2 for resilience), Secure Tunnel (2)
  • PSM best practice for HA
  • CPM Active/DR best practice
  • AAM - separate VM
  • PSM for Unix - separate
4  LDAP Requirements
  • Domain Joined
  • LDAPS
  • Read permissions on the deleted objects container
    • Domain admin
    • Delegate read permissions to a service account
    • https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/CoreServices/Connector/Add-AD.htm?tocpath=Setup%7CAdd%20Users%7CAdd%20users%20from%20an%20external%20directory%20service%7C_____1#Userandpermissionrequirements
5  RDS
  • RDS license server
  • RDS Cal on your connector server
    • Windows 2019 Per-User CAL if Connector Server OS is 2019
    • Per-device CAL
  • RDS should not be installed prior to the implementation
6  Firewall

7  Verify Prerequisites
  • Troubleshooting flag
  • Script to validate required network traffic and local settings: https://cyberark-customers.force.com/s/article/Privilege-Cloud-How-to-run-the-PSMCheck
  • Privilege Cloud Checklist: https://cyberark-customers.force.com/s/article/Privilege-Cloud-Remote-Access-PreImplementation-Checklist
  • Remote Access for Privilege Cloud: https://cyberark-customers.force.com/s/article/Privilege-Cloud-PreImplementation-Checklist
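The following is an added example, not from the original post or from CyberArk's PSMCheck script: a quick PowerShell pre-implementation check of a connector server against the requirements listed in steps 2, 4 and 5 above (cores, RAM, OS, domain membership, GPO inheritance blocked on the computer's OU, RDS roles absent, and an LDAPS bind to every domain controller). It assumes it is run elevated on the connector server itself, that the ServerManager module is present (Windows Server), and that the current user can bind to AD; the `gPOptions` attribute read over ADSI is how the OU's "Block Inheritance" flag is stored.

```powershell
# Added example: connector-server prerequisite check. Assumes elevated run on a
# domain-joined Windows Server; no CyberArk components are required.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$results = [ordered]@{}
$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem

# Step 2: 8 cores, 8 GB RAM, Windows Server 2016/2019, domain joined
$results['Cores >= 8']    = $cs.NumberOfLogicalProcessors -ge 8
$results['RAM >= 8 GB']   = [math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 8
$results['OS 2016/2019']  = $os.Caption -match 'Windows Server (2016|2019)'
$results['Domain joined'] = $cs.PartOfDomain

# Step 5: RDS session host / licensing roles must NOT be installed before implementation
$rds = Get-WindowsFeature -Name RDS-RD-Server, RDS-Licensing
$results['RDS not pre-installed'] = -not ($rds | Where-Object Installed)

# Step 2: GPO inheritance blocked on the OU holding this computer object (gPOptions bit 1)
$searcher   = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$env:COMPUTERNAME`$)")
$computerDn = $searcher.FindOne().Properties['distinguishedname'][0]
$ouDn       = $computerDn -replace '^CN=[^,]+,', ''   # parent container of the computer
$gpOptions  = ([ADSI]"LDAP://$ouDn").Properties['gPOptions'].Value
$results["GPO inheritance blocked on $ouDn"] = (($gpOptions -as [int]) -band 1) -eq 1

# Step 4: LDAPS reachable (TCP 636) and a TLS-wrapped LDAP bind succeeds on every DC
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    $name   = $dc.Name
    $tcp    = (Test-NetConnection -ComputerName $name -Port 636 -WarningAction SilentlyContinue).TcpTestSucceeded
    $bindOk = $false
    if ($tcp) {
        try {
            $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($name, 636)
            $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.SessionOptions.ProtocolVersion   = 3
            $conn.Bind()   # binds as the current user over TLS; throws on certificate or port problems
            $bindOk = $true
            $conn.Dispose()
        } catch { $bindOk = $false }
    }
    $results["LDAPS bind to $name"] = $tcp -and $bindOk
}

# Print one PASS/FAIL line per check
$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

A FAIL on the LDAPS bind with TCP 636 open usually means the DC's certificate is not trusted by the connector server, which is worth resolving before the Identity Connector is installed.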

Identity Installation

 CyberArk Identity Connector

  • installeruser 
    • Reset the password; the password will expire after 24 hours
    • No MFA

References

Copyright notice:
Author: cc
Link: https://www.techfm.club/p/52128.html
Source: TechFM
The article is copyrighted by the author; please do not reproduce it without permission.
