Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

Installing the Centrify Connector on an AWS private subnet

11 April,19 at 11:51 AM

CC on AWS.png

A Centrify Connector on an AWS private subnet allows you to:

  • Gain better accountability of who is accessing the private subnet,
  • Apply role-base access to the private subnet,
  • Password vault local and domain service accounts being used in the private subnet,
  • Provide MFA login for Windows or Linux servers in the private subnet,
  • Integrate with an Active Directory domain that is associated with the private subnet, 
  • Provide MFA for other AWS services such as AWS Workspaces

This article will go over the AWS and Centrify configurations you will need to use a Centrify Connector on an AWS private subnet.


This article assumes you have a custom VPC that contains:

  • A public subnet
  • A private subnet
  • NAT Gateway or NAT instance to provide Internet access to the private subnet

1. Create Instances

The Centrify Connector only installs on Windows 2008 r2 or above, so you will need to :

a) Create a Windows EC2 instance on the public subnet. This instance will be used as an initial bastion host to set up the Centrify Connector in the private subnet. At minimum, you can use a Microsoft Windows Server 2008 R2 Base on a t2.micro. Create a new Security Group dedicated only for the Bastion host that allows RDP access from or "My IP". 

b) Create a Windows EC2 instance on the private subnet to install the Centrify Connector on. At minimum, you can use a Microsoft Windows Server 2008 R2 Base on a t2.large. Create a new security group that only allows RDP access from the Bastion host's Security Group, and allows all traffic from the Security Group itself.

CC security group.png 


2. Prepare the Centrify Connector server

(Optional) Before you install the Centrify Connector, join the system to Active Directory if you plan to do any Active Directory integration. The system can joined to:

  • Active Directory installed on EC2 instances
  • On-premise AD through AD Connector
  • AWS hosted Simple AD
  • AWS managed Microsoft AD 

3. Download the Centrify Connector installer

Log into your Centrify Admin Portal from the Bastion host and download the Centrify Connector. You may not be able or want to disable Internet Explorer Protected mode on the Centrify Connector server. Once the Centrify Connector installer has been downloaded, copy the installer to the Centrify Connector server over RDP. 


4. Install the Centrify Connector

Follow these instructions to install the Centrify Connector. If the server is joined to AWS managed Microsoft AD, skip the following two wizard options during the Centrify Connector installation, since AWS will not allow you permissions to access:

1) Activating Centrify Property Pages in AD

AD property pages.png

2) Read permissions for AD deleted objects

Deleted Objects.png     


5. Add TCP 443 to the Network ACL

If you have locked down the Network ACL, be sure to add HTTPS(443) to both the Inbound Rules and Outbound Rules. The Centrify Connector needs to communicate with your Centrify tenant over TCP 443.


Other AWS related articles: