Customer wants to set up the Centrify Client in a private AWS subnet that has no direct connectivity to the internet. They want to use Centrify Connectors as the HTTP proxy to the PAS (Privileged Access Service) tenant, and also want redundancy in case a connector is not available, as setting up redundant connectors is not currently possible through Centrify directly.
Approach 1: Use AWS Internet Gateway/NAT Gateway
Installing and setting up an AWS Internet Gateway/NAT Gateway is simple and straightforward. Outbound traffic to the internet passes through it. It is AWS managed, so AWS handles the redundancy and scalability requirements. Outbound traffic to PAS does not route through Centrify Connectors, and no extra setup is required in the Centrify Clients. This is the preferred approach.
Approach 2: Use NLB (Network Load Balancer) and connectors
Some customers prefer not to use an AWS Internet Gateway for various reasons. This requires the use of Centrify Connectors as the HTTP proxy to the internet. In addition, an NLB (Network Load Balancer) is placed in front of the Connectors to provide failover/redundancy in case one of the connectors is unavailable. This document describes the required configuration steps for this approach.
AWS setup
1. Private subnet (10.11.7.0/24)
a. This subnet has no direct outbound internet access.
b. Centrify Client will be installed in this subnet.
c. AWS instances in this subnet have no public IP addresses.
2. Public subnet (10.11.1.0/24)
a. An AWS NAT gateway is attached to this subnet for internet access.
b. Two connectors are installed in this public subnet.
c. The security group is set up to disallow inbound web traffic. Only inbound SSH and RDP traffic is allowed, from trusted sources (e.g., the corporate IP address).
d. The Network Load Balancer is set up in this subnet.
e. Make sure that the security group for the connectors allows inbound access to port 8080 from the current subnet (or the subnet in which the NLB is installed).
3. Network Load Balancer setup
a. Configure load balancer:
b. Set the availability zone to the VPC and the availability zone where the connectors will be installed (public subnet 10.11.1.0/24 in this case).
c. On "Step 2: Configure Security Settings", since we will be using port 8080 for the listener, you can click on the button "Next: Configure Routing".
d. Configure Routing:
e. Make sure that you select TCP for the health check protocol and "traffic port" for the health check port.
f. For "Step 4: Register Targets", select the Centrify Connector instances as the targets.
4. Verify that the targets are "healthy" from NLB's perspective.
a. Select "Target Groups" under "Load Balancing"
b. Select the target group that you just created, by clicking on the name of the Target group.
c. Verify that:
i. The target group is associated with the NLB that you just created
ii. Verify that "Protocol:Port" is set to "TCP:8080".
iii. Verify that "Target type"
iv. Go into "Group Details"
1. In "Health check settings", verify that:
a) Protocol is set to TCP
b) Port is set to traffic-port
v. Go into "Targets":
1. Make sure that both connector instances are listed.
2. Make sure that "Status" is healthy.
5. Copy down the FQDN of the NLB, as you will need it when setting up the Centrify Client.
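The NLB pieces from step 3 expressed as Terraform, added here as an example (not from the original write-up or from Centrify), so that the settings step 4 verifies in the console are visible in one place. The VPC, subnet, instance and security-group IDs are placeholders; making the NLB internal and allowing port 8080 from both subnets are my assumptions, the CIDRs are the ones used above.

```hcl
# Placeholder IDs (assumed): vpc-EXAMPLE, subnet-PUBLIC, sg-CONNECTORS, i-CONNECTOR-A/B.
resource "aws_lb" "connector_nlb" {
  name               = "centrify-connector-nlb"
  load_balancer_type = "network"
  internal           = true               # assumed: only reached from inside the VPC
  subnets            = ["subnet-PUBLIC"]  # public subnet 10.11.1.0/24 from the write-up
}

resource "aws_lb_target_group" "connectors" {
  name        = "centrify-connectors-8080"
  port        = 8080
  protocol    = "TCP"
  target_type = "instance"
  vpc_id      = "vpc-EXAMPLE"

  health_check {
    protocol = "TCP"           # TCP health check, as in step 3e
    port     = "traffic-port"  # probe the same port the listener forwards to
  }
}

# Both connector instances registered as targets (step 3f).
resource "aws_lb_target_group_attachment" "connector" {
  for_each         = toset(["i-CONNECTOR-A", "i-CONNECTOR-B"])
  target_group_arn = aws_lb_target_group.connectors.arn
  target_id        = each.value
  port             = 8080
}

resource "aws_lb_listener" "proxy" {
  load_balancer_arn = aws_lb.connector_nlb.arn
  port              = 8080
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.connectors.arn
  }
}

# Inbound 8080 on the connector security group. Health checks come from the NLB's
# subnet; proxied client connections arrive with the client's own source IP (client IP
# preservation is on by default for instance targets), so the private subnet is allowed too.
resource "aws_security_group_rule" "connector_proxy_in" {
  type              = "ingress"
  security_group_id = "sg-CONNECTORS"
  protocol          = "tcp"
  from_port         = 8080
  to_port           = 8080
  cidr_blocks       = ["10.11.1.0/24", "10.11.7.0/24"]
}
```

After apply, `aws_lb.connector_nlb.dns_name` is the FQDN that step 5 asks you to copy down for the Centrify Client.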
Centrify Client setup and verification
1. Verify that the system has no direct access to internet.
[root@ip-10-11-7-19 ~]# curl https://ABC0123.my.centrify.net/sysinfo/version
curl: (7) Failed to connect to ABC0123.my.centrify.net port 443: Connection timed out
2. Verify that the NLB can be used as the HTTP proxy, which forwards the request to a Centrify Connector:
[root@ip-10-11-7-19 ~]# export PROXY=xxxx-nlb-<some_unique_id>.elb.us-east-2.amazonaws.com
[root@ip-10-11-7-19 ~]# curl --proxy http://$PROXY:8080 https://ABC0123.my.centrify.net/sysinfo/version
3. Now you can enroll the agent:
[root@ip-10-11-7-19 ~]# cenroll -t ABC0123.my.centrify.net -F all -c $CODE -p http://$PROXY:8080 -S "Connectors:<name_of_connector>" -l <role_that_can_login>
Enrolling in https://ABC0123.my.centrify.net/ ...
Centrify agent started.
Enabled features: AgentAuth, AAPM, DMC
4. Test user login:
[root@ip-10-11-7-19 ~]# ssh john@localhost
Created home directory
__| __|_ )
_| ( / Amazon Linux 2 AMI
[john@ip-10-11-7-19 ~]$ id
uid=3270890164(john) gid=3270890164(john) groups=3270890164(john),6593694(s3_users),2372896416(linux_auth_users)
5. Verify that proxy information is set up correctly:
[root@ip-10-11-1-234 ~]# cedit -l