A Centrify Connector on an AWS private subnet allows you to:
- Gain better accountability of who is accessing the private subnet,
- Apply role-base access to the private subnet,
- Password vault local and domain service accounts being used in the private subnet,
- Provide MFA login for Windows or Linux servers in the private subnet,
- Integrate with an Active Directory domain that is associated with the private subnet,
- Provide MFA for other AWS services such as AWS Workspaces.
This article will go over the AWS and Centrify configurations you will need to use a Centrify Connector on an AWS private subnet.
This article assumes you have a custom VPC that contains:
- A public subnet
- A private subnet
- NAT Gateway or NAT instance to provide Internet access to the private subnet
1. Create Instances
The Centrify Connector only installs on Windows 2008 r2 or above, so you will need to :
a) Create a Windows EC2 instance on the public subnet. This instance will be used as an initial bastion host to set up the Centrify Connector in the private subnet. At minimum, you can use a Microsoft Windows Server 2008 R2 Base on a t2.micro. Create a new Security Group dedicated only for the Bastion host that allows RDP access from 0.0.0.0/0 or "My IP".
b) Create a Windows EC2 instance on the private subnet to install the Centrify Connector on. At minimum, you can use a Microsoft Windows Server 2008 R2 Base on a t2.large. Create a new security group that only allows RDP access from the Bastion host's Security Group, and allows all traffic from the Security Group itself.
2. Prepare the Centrify Connector server
(Optional) Before you install the Centrify Connector, join the system to Active Directory if you plan to do any Active Directory integration. The system can joined to:
- Active Directory installed on EC2 instances
- On-premise AD through AD Connector
- AWS hosted Simple AD
- AWS managed Microsoft AD
3. Download the Centrify Connector installer
Log into your Centrify Admin Portal from the Bastion host and download the Centrify Connector. You may not be able or want to disable Internet Explorer Protected mode on the Centrify Connector server. Once the Centrify Connector installer has been downloaded, copy the installer to the Centrify Connector server over RDP.
4. Install the Centrify Connector
Follow these instructions to install the Centrify Connector. If the server is joined to AWS managed Microsoft AD, skip the following two wizard options during the Centrify Connector installation, since AWS will not allow you permissions to access:
1) Activating Centrify Property Pages in AD
2) Read permissions for AD deleted objects
5. Add TCP 443 to the Network ACL
If you have locked down the Network ACL, be sure to add HTTPS(443) to both the Inbound Rules and Outbound Rules. The Centrify Connector needs to communicate with your Centrify tenant over TCP 443.
Other AWS related articles: