[HOWTO] Set up Centrify Client in a private AWS subnet with a Network Load Balancer for redundancy

Privileged Access Service

30 September 2020 at 10:49 PM

A customer wants to set up the Centrify Client in a private AWS subnet that has no direct connectivity to the internet. They want to use Centrify Connectors as the HTTP proxy to the PAS (Privileged Access Service) tenant, and they also want redundancy in case a connector is unavailable, since Centrify does not currently provide a way to configure redundant connectors for the client directly.

Approach 1:   Use an AWS Internet Gateway/NAT Gateway
Installing and setting up an AWS Internet Gateway/NAT Gateway is simple and straightforward.   Outbound traffic to the internet passes through it.  It is AWS-managed, so AWS handles the redundancy and scalability requirements.   Outbound traffic to PAS does not route through the Centrify Connectors, and no extra setup is required in the Centrify Clients.   This is the preferred approach.

Approach 2:  Use an NLB (Network Load Balancer) and connectors
Some customers prefer not to use an AWS Internet Gateway for various reasons.   In that case the Centrify Connectors must act as the HTTP proxy to the internet.   An NLB (Network Load Balancer) is placed in front of the connectors to provide failover/redundancy in case one of the connectors is unavailable.  This document describes the configuration steps for this approach.

AWS setup

1. Private subnet
    a. This subnet has no direct outbound internet access.
    b. The Centrify Client will be installed in this subnet.
    c. None of the AWS instances in this subnet has a public IP address.

2. Public subnet
    a. An AWS NAT gateway is attached to this subnet for internet access.
    b. Two connectors are installed in this public subnet.
    c. The security group is set up to disallow inbound web traffic.  Only inbound SSH and RDP traffic is allowed, and only from trusted sources (e.g., the corporate IP address range).
    d. The Network Load Balancer is set up in this subnet.
    e. Make sure that the security group for the connectors allows inbound TCP 8080 from the subnet where the NLB is installed (the NLB health checks originate from the load balancer nodes there) and also from the private subnet where the clients live: with instance-type targets the NLB preserves the client's source IP address, so the connector sees connections arriving from the client addresses, not from the NLB.

3. Network Load Balancer setup
(for more detail on creating an AWS Network Load Balancer, see the AWS Elastic Load Balancing documentation)
    a. Configure load balancer: create a Network Load Balancer with a TCP listener on port 8080.
    b. Set the VPC and the availability zone(s) of the subnet where the connectors are installed (the public subnet in this case).
    c. On "Step 2: Configure Security Settings", nothing needs to change, because the listener is plain TCP on port 8080 and no TLS is terminated on the NLB; click "Next: Configure Routing".
    d. Configure Routing: create a new target group with target type "instance", protocol TCP and port 8080.
    e. Make sure that you select TCP for the health check protocol and "traffic port" for the health check port.  Note that a TCP health check only confirms that the connector accepts connections on port 8080; it does not prove that the connector can reach the tenant.
    f. On "Step 4: Register Targets", select both Centrify Connector instances as the targets.

4. Verify that the targets are "healthy" from the NLB's perspective.
    a. Select "Target Groups" under "Load Balancing".
    b. Select the target group that you just created by clicking on its name.
    c. Verify that:
        i. The target group is associated with the NLB that you just created.
        ii. "Protocol:Port" is set to "TCP:8080".
        iii. "Target type" is "instance".
        iv. In the "Group Details" tab:
            1. In "Health check settings", verify that:
                a) Protocol is set to TCP.
                b) Port is set to traffic-port.
        v. In the "Targets" tab:
            1. Make sure that both connector instances are listed.
            2. Make sure that the "Status" of each is healthy.  A connector that shows as unhealthy will receive no traffic, so the setup has no redundancy until both are healthy.

5. Copy down the DNS name (FQDN) of the NLB; it is needed as the proxy address when enrolling the Centrify Client.
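The console steps in 2e, 3 and 4 above come down to a handful of settings that can be checked from AWS CLI output instead of screenshots. The script below is an added example; it is not part of this article and not Centrify or AWS tooling. It reads the JSON printed by `aws elbv2 describe-target-groups`, `aws elbv2 describe-target-health` and `aws ec2 describe-security-groups`, and reports anything that deviates from the article: listener/target not TCP:8080, target type not instance, health check not TCP on traffic-port, a missing or unhealthy connector, port 8080 reachable from outside the VPC, no rule admitting the client subnet, or SSH/RDP open to the world. The resource names, the VPC CIDR 10.11.0.0/16 and the client subnet 10.11.7.0/24 (taken from the client address used later in this article) are assumptions; the embedded sample output is constructed and deliberately contains two problems.

```python
"""Audit the NLB target group and the connectors' security group against steps 2e, 3 and 4.

Added example; not part of the article and not Centrify or AWS tooling.  Input is the JSON that
these AWS CLI commands print (resource names are assumptions):
    aws elbv2 describe-target-groups --names connectors-8080        > tg.json
    aws elbv2 describe-target-health --target-group-arn <tg arn>   > health.json
    aws ec2 describe-security-groups --group-ids <connector sg id> > sg.json
Run with those three files as arguments to audit a real account; with no arguments it audits
the constructed sample below, which deliberately contains two problems.
"""
import ipaddress
import json
import sys

CONNECTOR_PORT = 8080                                  # listener, target and health-check port
VPC_CIDR = ipaddress.ip_network("10.11.0.0/16")        # assumption: the VPC holding both subnets
CLIENT_SUBNET = ipaddress.ip_network("10.11.7.0/24")   # assumption: the private subnet (client was 10.11.7.19)
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample output, not captured from a real account.
SAMPLE_TARGET_GROUPS = {"TargetGroups": [{
    "TargetGroupName": "connectors-8080", "Protocol": "TCP", "Port": 8080, "TargetType": "instance",
    "HealthCheckProtocol": "TCP", "HealthCheckPort": "traffic-port",
    "LoadBalancerArns": ["arn:aws:elasticloadbalancing:us-west-2:111122223333:loadbalancer/net/connectors-nlb/0123456789abcdef"],
}]}
SAMPLE_TARGET_HEALTH = {"TargetHealthDescriptions": [
    {"Target": {"Id": "i-0aaa1111aaaa1111a", "Port": 8080}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-0bbb2222bbbb2222b", "Port": 8080},
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks"}},
]}
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [{"GroupId": "sg-0cccc3333cccc3333", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.11.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]}


def _rule_covers(perm, port):
    """True if a security-group permission entry admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":          # "all traffic" rule: no port fields are present
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit(target_groups, target_health, security_groups, expected_targets=2):
    """Return a list of findings; an empty list means the configuration matches the article."""
    findings = []
    tg = target_groups["TargetGroups"][0]
    if (tg["Protocol"], tg["Port"]) != ("TCP", CONNECTOR_PORT):
        findings.append(f"target group is {tg['Protocol']}:{tg['Port']}, expected TCP:{CONNECTOR_PORT}")
    if tg["TargetType"] != "instance":
        findings.append(f"target type is {tg['TargetType']}, expected instance")
    if (tg["HealthCheckProtocol"], tg["HealthCheckPort"]) != ("TCP", "traffic-port"):
        findings.append(f"health check is {tg['HealthCheckProtocol']} on {tg['HealthCheckPort']}, "
                        "expected TCP on traffic-port")
    if not tg.get("LoadBalancerArns"):
        findings.append("target group is not associated with any load balancer")

    targets = target_health["TargetHealthDescriptions"]
    if len(targets) != expected_targets:
        findings.append(f"{len(targets)} target(s) registered, expected {expected_targets} connectors")
    for t in targets:
        state = t["TargetHealth"]["State"]
        if state != "healthy":
            reason = t["TargetHealth"].get("Reason", "no reason given")
            findings.append(f"target {t['Target']['Id']} is {state} ({reason}); the NLB sends it no traffic")

    clients_admitted = False
    for perm in security_groups["SecurityGroups"][0]["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            cidr = ipaddress.ip_network(rng["CidrIp"])
            if _rule_covers(perm, CONNECTOR_PORT):
                if CLIENT_SUBNET.subnet_of(cidr):
                    clients_admitted = True
                if not cidr.subnet_of(VPC_CIDR):
                    findings.append(f"tcp/{CONNECTOR_PORT} is open to {cidr}, which is outside the VPC")
            for port, name in ADMIN_PORTS.items():
                if _rule_covers(perm, port) and cidr.prefixlen == 0:
                    findings.append(f"{name} (tcp/{port}) is open to {cidr}; restrict it to trusted source IPs")
    if not clients_admitted:
        findings.append(f"no rule admits the client subnet {CLIENT_SUBNET} to tcp/{CONNECTOR_PORT} "
                        "(instance targets see the client's real source IP, not the NLB's)")
    return findings


def main(argv):
    if len(argv) == 4:
        with open(argv[1]) as f1, open(argv[2]) as f2, open(argv[3]) as f3:
            inputs = json.load(f1), json.load(f2), json.load(f3)
    else:
        inputs = SAMPLE_TARGET_GROUPS, SAMPLE_TARGET_HEALTH, SAMPLE_SECURITY_GROUPS
    findings = audit(*inputs)
    for finding in findings:
        print("FAIL:", finding)
    print("OK" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments, the sample produces two findings: the second connector is unhealthy (so there is no redundancy yet), and SSH is open to 0.0.0.0/0 instead of a trusted range. The client-subnet rule exists because, with instance-type targets, the connector sees the client's own source address; a security group that only admits the NLB's subnet would pass the health check and still reject the clients.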

Centrify Client setup and verification

1. Verify that the system has no direct access to the internet (the tenant URL is shown as a placeholder):
[root@ip-10-11-7-19 ~]# curl https://<tenant_url>
curl: (7) Failed to connect to port 443: Connection timed out

 2. Verify that the NLB can be used as the HTTP proxy: it forwards the request to one of the Centrify Connectors, which relays it to the tenant. Because the URL is HTTPS, curl opens an HTTP CONNECT tunnel through the proxy and the TLS session is established end to end with the tenant, so neither the NLB nor the connector sees the plaintext:
[root@ip-10-11-7-19 ~]# export PROXY=xxxx-nlb-<some_unique_id>
[root@ip-10-11-7-19 ~]# curl --proxy http://$PROXY:8080 https://<tenant_url>
{
  "success": true,
  "Result": {
    "Cloud": "20.x.142-Release-<some_version_information>",
    "Storage": {
      "Schema": "20.x.142-405108",
      "Client": "20.x.142-405108",
      "Server": "20.x.142-405108"
    },
    "StorageEngine": "Cloud.Core.Persistence.Engines.Azure",
    "Lib": "20.6.142-405108",
    "Active": true,
    "Name": "",
    "Region": "US-West"
  },
  "Message": null,
  "MessageID": null,
  "Exception": null,
  "ErrorID": null,
  "ErrorCode": null,
  "IsSoftError": false,
  "InnerExceptions": null
}

3. Now you can enroll the agent, passing the NLB as the proxy with -p (the tenant URL is a placeholder):
[root@ip-10-11-7-19 ~]# cenroll -t <tenant_url> -F all -c $CODE -p http://$PROXY:8080 -S "Connectors:<name_of_connector>" -l <role_that_can_login>
Enrolling in ...
Centrify agent started.
Enabled features: AgentAuth, AAPM, DMC
Enrollment complete.

4. Test user login:
[root@ip-10-11-7-19 ~]# ssh john@localhost
Enter Password:
Created home directory
       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
[john@ip-10-11-7-19 ~]$ id
uid=3270890164(john) gid=3270890164(john) groups=3270890164(john),6593694(s3_users),2372896416(linux_auth_users)
[john@ip-10-11-7-19 ~]$

5. Verify that the proxy information was persisted in the client configuration (ProxyURL should be the NLB DNS name, not an individual connector, otherwise the failover is lost):
[root@ip-10-11-1-234 ~]# cedit -l
ProxyURL: http://xxxx-nlb-<some_long_string>
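Step 2 above relies on `curl --proxy`, which tunnels the HTTPS request to the tenant through an HTTP CONNECT to the connector. The script below, an added example that is not from the article, Centrify or curl, does the same at protocol level so that each part of the path can be checked separately: it confirms there is no direct route to port 443 (step 1), sends CONNECT to the proxy, and, if the proxy answers 200, completes a TLS handshake through the tunnel and reports the certificate the tenant presented. Pointing it at each connector's private IP as well as the NLB DNS name covers what the TCP health check cannot tell you: whether every connector actually relays to the tenant. The tenant and proxy host names are placeholders passed on the command line.

```python
"""Protocol-level version of the curl proxy check in step 2.

Added example; not code from the article, Centrify or curl.  Opens TCP to the proxy
(the NLB DNS name, or one connector's private IP), sends HTTP CONNECT for the tenant,
then negotiates TLS *through the tunnel* so the proxy only ever relays opaque bytes.
Usage: python3 proxy_check.py <tenant_host> <proxy_host> [<proxy_host> ...]
"""
import socket
import ssl
import sys

PROXY_PORT = 8080   # the connector/NLB listener port used throughout the article


def build_connect_request(host: str, port: int = 443) -> bytes:
    """Build the CONNECT request an HTTP/1.1 forward proxy expects for a TLS tunnel."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def parse_connect_status(reply: bytes) -> int:
    """Return the status code from the proxy's reply to CONNECT (200 means the tunnel is open)."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"proxy did not answer with an HTTP status line: {status_line!r}")
    return int(parts[1])


def _read_reply_headers(sock: socket.socket) -> bytes:
    """Read until the blank line that ends the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    return buf


def direct_route_exists(tenant_host: str, timeout: float = 5.0) -> bool:
    """Step 1 of the article: from the private subnet this must be False (connection times out)."""
    try:
        socket.create_connection((tenant_host, 443), timeout=timeout).close()
        return True
    except OSError:
        return False


def tenant_through_proxy(proxy_host: str, tenant_host: str, proxy_port: int = PROXY_PORT,
                         timeout: float = 10.0):
    """Return (connect_status, tenant_cert_cn); the CN is None unless the tunnel opened."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        raw.sendall(build_connect_request(tenant_host))
        status = parse_connect_status(_read_reply_headers(raw))
        if status != 200:
            return status, None
        # TLS is negotiated end to end with the tenant.  The default context verifies the
        # chain and the host name, so a proxy that tried to intercept would fail right here.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=tenant_host) as tls:
            cert = tls.getpeercert()
            cn = next((v for rdn in cert["subject"] for k, v in rdn if k == "commonName"), None)
            return status, cn


def main(argv):
    if len(argv) < 3:
        print(f"usage: {argv[0]} <tenant_host> <proxy_host> [<proxy_host> ...]")
        return 2
    tenant, proxies = argv[1], argv[2:]
    print("direct route to tenant:",
          "YES (this subnet is not private!)" if direct_route_exists(tenant) else "no (expected)")
    rc = 0
    for proxy in proxies:   # pass the NLB name and each connector IP to test them one by one
        try:
            status, cn = tenant_through_proxy(proxy, tenant)
            ok = status == 200
            print(f"{proxy}: CONNECT -> {status}; tenant certificate CN = {cn}")
        except (OSError, ValueError) as exc:
            ok = False
            print(f"{proxy}: FAILED: {exc}")
        rc |= 0 if ok else 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A 200 from the NLB name only proves that whichever connector the NLB picked for this connection works; run it against each connector's private IP to confirm that the second one is a real standby rather than a listener that passes the TCP health check and fails to relay.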