Background
The Centrify Agent for Windows™ provides organizations with the ability to secure Windows systems. This article's goal is to introduce the basic information (pre-requisites, communications), deployment scenarios and tools available for each deployment option. The next articles in the series focus on specialized topics or use cases.
Functionality
Here are the capabilities (at the time of this writing - current version 2017.3) based on the type of Centrify product subscription bundle:
Centrify Identity Services Platform - Endpoint Services 
- Multi-factor Authentication
- Console
- Remote
- Screen saver unlock
- Offline mode
- Windows 10 MDM Enrollment
- Zero Sign-On
- Audit Trail
Centrify Infrastructure Service

- Access Control: Provided via Centrify Zones in Active Directory.
- Privilege Elevation: Provided by Centrify DirectAuthorize.
- MFA: Enabled via role-based access control (all the scenarios above, plus privilege elevation).
- Audit Trail: Provides a catalogue of events (to enrich SIEM functionality).
- Session Capture: Advanced auditing capability that allows the capturing of user activity plus replay.
- Shared Account Password Management: secure local account passwords, implement policy, etc.
- Privilege Session Management: provide secure access via RDP.
- Windows Service Management: secure services, scheduled tasks and IIS Application pool accounts.
Deployment Scenarios
The scenarios are divided by system class (server, or desktop and laptop) and are based on the experiences of our existing customer base. Note that we will provide the details in a generic lab format, given that each organization's deployment has unique requirements.
- On-premises deployment using an image source (the agent is installed as part of the Windows image and is configured afterwards via GPO or other methods).
- On-premises deployment using Group Policy or an MSI-aware software change and configuration management tool (such as Configuration Manager (SCCM), LANDesk, Symantec Altiris, etc.).
- IaaS deployment: a system is launched in AWS, Azure or GCP and, as part of the launch process, is configured to provide services like MFA, zone access control, privilege elevation, audit, etc. Upon termination, the system is gracefully decommissioned.
- Persistent or non-persistent VDI: using VDI technologies like VMware Horizon View or IaaS like Amazon WorkSpaces.
Overview Process by System Class
Server or Secure Workstation
- PKI trust is established between the Windows system and the Centrify Identity Services platform.
- Install the Centrify Agent for Windows™ in the proper order and at the proper point in the build.
- The system is joined to a Centrify Zone (and the corresponding computer roles).
In this scenario, Identity Services Platform functionality (such as MFA or rescue options) is configured from zone settings.
- Optionally, the local Administrator credential is placed in the Identity Services vault and its password is put under management.
- Additional settings like proxies, audit trail settings, DirectAudit installation, etc. are configured via Group Policy.
- At system sunset (decommissioning or termination), proper hygiene is followed: remove the system from the zone (releasing its license), unenroll it from the Centrify Identity Platform, remove any of its credentials from the vault, and only then terminate it.
Desktop or Laptop
- PKI trust is established between the Windows system and the Centrify Identity Services platform.
- Install the Centrify Agent for Windows™ in the proper order and at the proper point in the build.
- The system is configured to use a specific Centrify Identity Services platform instance.
In this scenario, subsequent configuration comes from Group Policy.
- Optionally, the local Administrator credential is placed in the Identity Services vault and its password is put under management.
- Additional settings like proxies, audit trail settings, DirectAudit installation, etc. are configured via Group Policy.
- At system sunset (decommissioning or termination), proper hygiene is followed: unenroll the system from the Centrify Identity Platform, remove any of its credentials from the vault, and only then terminate it.
Toolbox
- Centrify Agent for Windows™ - Official Documentation.
https://docs.centrify.com/en/css/2017.2-html/index.html#page/Managing_Windows/win_adm_install_agents.html
This is the constantly evolving documentation; the information in this and subsequent posts is a compilation of what is found there.
- Centrify Agent for Windows™ MSI package and Transform (.mst) file.
These files are required for GPO or configuration management tool deployments.
Where to obtain: Centrify Download Center, Centrify Identity Platform Admin Portal.
This is the contents of the Agents folder in the Infrastructure Services zip file.
- Centrify Group Policy Management Editor Extension
The templates expose the Centrify Group Policy Management Objects.
How to obtain: Centrify Download Center. (Link to 2017.3)
- Centrify Licensing Service
To be able to use the GPO feature, you need a Centrify license installed in Active Directory via this service.
How to obtain: Centrify Download Center. (Link to 2017.3)
How to obtain your license key: sent with your software subscription welcome email.
- Centrify DirectControl PowerShell
Key tool for automation, especially when launching server images on demand.
How to obtain: Centrify Download Center. (Link to 2017.3)
- Active Directory Module for PowerShell
Key tool for automation, especially when performing Active Directory operations like group membership changes.
How to obtain: install the feature (e.g. Install-WindowsFeature RSAT-ADDS).
- Centrify Access Manager MMC Console
This is where all manual administration of Zones, access and RBAC is performed.
How to obtain: Centrify Download Center. (Link to 2017.3)
- Centrify Audit Manager
Allows for the configuration of DirectAudit installations.
How to obtain: Centrify Download Center. (Link to 2017.3)
- Centrify PowerShell Samples
Allow enrollment in the Centrify vault and securing or retrieving credentials.
How to obtain: Centrify GitHub, Community Post.
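The MSI and transform in the toolbox are consumed the same way whether a GPO software-installation policy, SCCM, or an image-build script applies them: a silent msiexec run with the .mst supplied as TRANSFORMS. The following PowerShell is an added example, not code from the original article or from Centrify's own tooling, of doing that install from a build script with the checks a practitioner would want first (hash pinning and Authenticode validation of the package) and exit-code handling afterwards. The MSI/MST file names in the usage line, the expected SHA-256, and the uninstall-registry DisplayName pattern are assumptions; take the real values from your Download Center package.

```powershell
# Added example: silent, verified install of the Centrify Agent for Windows MSI + transform.
# File names, the pinned hash and the DisplayName pattern below are assumptions.
function Install-CentrifyAgentMsi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $MstPath,
        [Parameter(Mandatory)] [string] $ExpectedSha256,   # pinned from your own release inventory
        [string] $LogPath = "$env:ProgramData\CentrifyAgentInstall.log"
    )

    foreach ($f in @($MsiPath, $MstPath)) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Missing installer file: $f" }
    }

    # Supply-chain check: never run an MSI whose hash you have not pinned.
    $actual = (Get-FileHash -LiteralPath $MsiPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "SHA-256 mismatch for $MsiPath : expected $ExpectedSha256, got $actual"
    }

    # The package must also carry a valid Authenticode signature chaining to a trusted publisher.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode signature on $MsiPath is $($sig.Status)"
    }

    # /qn = no UI, /norestart = let the build pipeline decide when to reboot, /l*v = verbose log.
    $msiArgs = @('/i', "`"$MsiPath`"", "TRANSFORMS=`"$MstPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { $reboot = $false }
        3010    { $reboot = $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { $reboot = $true }   # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }

    # Confirm the product actually registered itself (DisplayName pattern is an assumption).
    $installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -like 'Centrify Agent for Windows*' }
    if (-not $installed) { throw 'Install reported success but no product entry was found' }

    [pscustomobject]@{
        Product        = $installed.DisplayName
        Version        = $installed.DisplayVersion
        RebootRequired = $reboot
        Log            = $LogPath
    }
}

# Usage (assumed file names and hash):
# Install-CentrifyAgentMsi -MsiPath 'C:\Deploy\Centrify Agent for Windows64.msi' `
#     -MstPath 'C:\Deploy\CentrifyAgent.mst' -ExpectedSha256 '<pinned SHA-256>'
```

The reboot flag is returned rather than acted on because the "proper order/timing" step in the process sections above is a pipeline decision: on an image build the reboot happens before sysprep, on an IaaS launch it happens before the zone join.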
Centrify Agent for Windows™ Pre-Requisites
Official documentation: https://docs.centrify.com/en/css/2017.2-html/index.html#page/Managing_Windows/win_adm_install_agents.html
- The computer is running a supported Windows 64-bit operating system version.
- The computer is joined to Active Directory.
- The computer has sufficient processing power, memory, and disk space for the agent to use.
Read the minimum requirements for each Windows version here. Note that you need to add to the minimum spec depending on the use case.
- The computer has the .NET Framework, version 4.5.2 or later.
This requirement changes between versions.
- The computer has Windows Installer version 3.1 or later.
- For secure communications and capabilities such as MFA, enrollment and vaulting, the Windows system must trust the Integrated Windows Authentication (IWA) trust CA certificate from the Centrify Identity Platform.
Network Communications
Between the Centrify Connector or Windows client and Active Directory domain controllers (all use cases). These are the well-known ports required for Active Directory communication.
Protocol | Port | Direction | Comment
---|---|---|---
SMB/CIFS | TCP 445 | Centrify Connector and Windows client to DC | Group Policy relies on this port.
RPC | TCP 135 | Centrify Connector and Windows client to DC | Group Policy relies on this port.
RPC Endpoint ("TCP Dynamic") | TCP 49152-65535 | Centrify Connector and Windows client to DC | Group Policy may rely on these ports.
LDAP | TCP/UDP 389 | Centrify Connector and Windows client to DC | |
Kerberos Password | TCP 464 | Centrify Connector and Windows client to DC | |
Kerberos | TCP 88 | Centrify Connector and Windows client to DC | |
Global Catalog | TCP 3268 | Centrify Connector and Windows client to DC | |
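The prerequisites list and the port table above are the two things that most often break an unattended deployment, so they are worth checking on the candidate system before the agent is installed. The following PowerShell is an added example (not code from the original article or from Centrify) that turns both into a single pre-flight function: it inspects the local prerequisites and probes the table's TCP ports against a discovered domain controller and a global catalog. The subject pattern used to find the IWA trust CA in the machine root store is an assumption; set it to the subject of the certificate downloaded from your tenant.

```powershell
# Added example (not from the original article): pre-flight check for the agent prerequisites
# and the AD ports in the table. The IWA CA subject pattern is an assumption; set it to the
# subject of the IWA trust CA certificate downloaded from your Centrify Identity Platform tenant.
function Test-CentrifyAgentPrereqs {
    [CmdletBinding()]
    param(
        [string] $IwaCaSubjectPattern = '*Centrify*',  # assumed; match your tenant's IWA CA subject
        [string] $DomainController                      # optional; discovered via the DC locator if empty
    )

    $r = [ordered]@{}

    # 1. Supported 64-bit Windows
    $os = Get-CimInstance Win32_OperatingSystem
    $r['OS64bit']   = ($os.OSArchitecture -eq '64-bit')
    $r['OSCaption'] = $os.Caption

    # 2. Joined to Active Directory
    $r['DomainJoined'] = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain

    # 3. .NET Framework 4.5.2 or later. Microsoft documents the Release DWORD 379893 as 4.5.2.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $r['DotNet452OrLater'] = ($null -ne $ndp -and [int]$ndp.Release -ge 379893)

    # 4. Windows Installer 3.1 or later, read from the msi.dll product version
    $msiVer = [version](Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo.ProductVersion
    $r['WindowsInstaller31OrLater'] = ($msiVer -ge [version]'3.1')

    # 5. IWA trust CA present in the machine Trusted Root store (needed for MFA, enrollment, vaulting)
    $iwaCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $IwaCaSubjectPattern }
    $r['IwaCaTrusted'] = [bool]$iwaCa

    # 6. Well-known AD ports from the table. Test-NetConnection is TCP-only, so UDP 389 and the
    #    dynamic RPC range (49152-65535) are not probed here; cover those in the firewall rule review.
    if ($r['DomainJoined']) {
        if (-not $DomainController) {
            $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
        }
        # 3268 is only answered by a Global Catalog, so locate one explicitly instead of assuming the DC is a GC.
        $gc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog().Name

        $tcpChecks = @(
            @{ Name = 'SMB_445';            Host = $DomainController; Port = 445  }
            @{ Name = 'RPC_135';            Host = $DomainController; Port = 135  }
            @{ Name = 'LDAP_389';           Host = $DomainController; Port = 389  }
            @{ Name = 'KerberosPwd_464';    Host = $DomainController; Port = 464  }
            @{ Name = 'Kerberos_88';        Host = $DomainController; Port = 88   }
            @{ Name = 'GlobalCatalog_3268'; Host = $gc;               Port = 3268 }
        )
        foreach ($c in $tcpChecks) {
            $r["Port_$($c.Name)"] = [bool](Test-NetConnection -ComputerName $c.Host -Port $c.Port `
                                        -InformationLevel Quiet -WarningAction SilentlyContinue)
        }
    }

    # Fail closed: any $false check means the agent should not be installed on this build yet.
    $r['AllPassed'] = -not ($r.Values | Where-Object { $_ -is [bool] -and -not $_ })
    [pscustomobject]$r
}

# Usage: run elevated on the candidate system before installing the agent.
# Test-CentrifyAgentPrereqs -IwaCaSubjectPattern 'CN=Centrify*' | Format-List
```

On an IaaS launch this is the natural gate between "system booted and domain-joined" and "install the agent": the launch script runs it, and a result with AllPassed set to $false stops the build instead of producing a half-configured system that has to be cleaned up at sunset.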
Between the Centrify Connector to the target Windows System (server and secure workstation use cases)
Between the Centrify Agent for Windows and a Proxy Server (optional scenario)
Note: since Centrify Identity Platform 17.6, MFA clients can leverage the Centrify Connector to proxy traffic.
Between the Centrify Connector and a RADIUS Service (optional scenario)
Questions and Planning Considerations for Each Deployment Type
Centrify Identity Services Platform - Endpoint Services
- How will the PKI certificate be distributed?
- What functionality is required? (MFA, Windows 10 MDM enrollment, ZSO, Vaulting of Admin Accounts).
- Interoperability: Should Windows credential providers be excluded from the chain?
- Usability: What will be the grace period for MFA on screen saver unlock?
- Offline/Safe Mode MFA: Will this be enabled? What rescue users will be designated?
- Communications: Depends on functionality or usage.
- Audit Trail: Should the Centrify events be sent to the SIEM tool?
Centrify Infrastructure Services - Access Control and Privilege Elevation
- How will the PKI certificate be distributed?
- What functionality is required? (Access Control, Privilege Elevation MFA on login/elevation, Windows 10 MDM enrollment, ZSO, Vaulting of Admin Accounts).
- Interoperability: Should Windows credential providers be excluded from the chain?
- Usability: What will be the grace periods for MFA on screen saver unlock and/or privilege elevation?
- Offline/Safe Mode MFA: Will this be enabled? Who will be assigned Rescue Rights roles?
- Communications: Depends on functionality or usage.
- Audit Trail: Enabling integrations with Splunk, IBM QRadar or HP ArcSight.
Centrify Infrastructure Services - Auditing and Monitoring Service
- Functionality to be enabled: session capture vs. events only (EU privacy considerations).
- Will users be notified that they are being audited?
- What's the retention policy for session data by system class?
Centrify Infrastructure Services - Privilege Service Vault
- Is the system going to be added to the vault for secure access purposes?
- Are there any credentials that are going to be vaulted automatically? Will these passwords be managed?
- What needs to happen when the system is decommissioned/terminated? What will happen with the credentials and history?
Articles in this series
Related Topics
Conclusion
We have you covered on the Windows platform. Subsequent articles will focus on specific deployment scenarios.