
Preparing for your Privilege Management Deployment with the Centrify Infrastructure Service - Part 2

16 October 2019 at 04:18 PM

After Preparing for your Privilege Management Deployment with the Centrify Infrastructure Service - Part 1, you will want to configure your
Active Directory connection and start considering the import of the systems and accounts that will be managed.

- You will want to identify the Windows hosts for Centrify Connector installations. These Connectors will serve as your proxy into
Active Directory. The Connector handles everything from AD authentication requests and managing account passwords to remote sessions
to your systems via SSH and RDP. It is important that you have at least two Connectors installed in your AD domain.
You may need additional Connectors depending on your network environment, domain/forest trusts, number of users authenticating, etc.

Determining whether you need a connector

Supporting user authentication for multiple domains

Overall Requirements


- Before installing the Connectors, you will want to do the following:

  • Check the firewall rules from the Centrify Connectors to the Centrify Cloud Service or on-premises Centrify Service instance. These requirements change depending on your deployment method (cloud vs. on-prem), but in both cases port 443 must be available for TCP/IP.
  • Check the firewall rules from the Centrify Connectors to the systems that will have local accounts managed or be accessed remotely using SSH or RDP. Essentially, the Connectors will be acting as jump boxes into the systems, so you will want to know in advance which ports are going to be used for these operations.
    • Windows systems should be accessible via RDP if you will be establishing remote login through the Infrastructure Service. The default port is 3389, but this port is customizable.
    • Windows systems that will have local accounts managed for password rotation will need to have one of the following protocols. This port is also customizable.
    • Unix, Cisco, and other networking devices will need SSH on port 22, by default.

Managing systems

How to install a Centrify Connector


- You will want to identify and set your Corporate IP Range. This will allow you to specify whether users can access a system while they are off the corporate network. You will need to
know the public IP ranges of your network environment. This IP range can also be used to change a user's authentication profile to require a second and/or third form of authentication
to SSH/RDP to a system or check out an account password.

How to set Corporate IP ranges


- You will want to identify and set the subnets to be associated with each Connector. This will enhance network performance so that remote sessions are sent to the Connector
that is best suited for the system being accessed. Also, if you are using a local client for remote sessions, like PuTTY or Remote Desktop, then it is required that you map your subnets
to the Connectors. For example, the local client will make a jump to a Windows system via a direct connection to the Connector over port 5555 for RDP sessions.
In order for this to be successful, the service will need to know which Connector the local client should reach out to for a particular system. The local client will use the same process for
SSH sessions, but on port 22.
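The firewall-rule, Corporate IP Range and subnet-mapping steps above, as an added Python pre-flight helper that is not Centrify's code: it picks the Connector for a system by longest-prefix match on the mapped subnets, decides whether a client IP is on the corporate network, lists the rules a firewall must permit for that system, and probes one rule over TCP. The Connector names, subnets, corporate ranges and service hostname are constructed sample values.

```python
import ipaddress
import socket

CONNECTOR_SUBNETS = {  # constructed sample: each Connector and the system subnets mapped to it
    "connector-a.example.com": ["10.10.0.0/16", "10.20.5.0/24"],
    "connector-b.example.com": ["10.20.0.0/16"],
}
CORPORATE_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]  # constructed corporate public ranges
# Ports from the article: 443 Connector to service, 3389 RDP / 22 SSH Connector to system,
# 5555 local RDP client to Connector (local SSH clients use 22).
SERVICE_PORT, RDP_PORT, SSH_PORT, LOCAL_RDP_JUMP_PORT = 443, 3389, 22, 5555

def connector_for(system_ip):
    """Connector whose mapped subnet most specifically contains system_ip
    (longest prefix wins); None when no mapped subnet covers it."""
    ip = ipaddress.ip_address(system_ip)
    best, best_len = None, -1
    for connector, subnets in CONNECTOR_SUBNETS.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best, best_len = connector, net.prefixlen
    return best

def is_corporate(client_ip):
    """True when the client's public IP is inside a corporate range (on-network)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in CORPORATE_RANGES)

def required_rules(system_ip, os_kind, service_host="service.example.com"):
    """(src, dst, port, purpose) rules the firewall must permit for one system;
    os_kind is 'windows' (RDP) or 'unix' (SSH, also Cisco/network devices)."""
    connector = connector_for(system_ip)
    if connector is None:
        raise ValueError(f"no Connector subnet mapped for {system_ip}")
    windows = os_kind == "windows"
    sys_port, proto = (RDP_PORT, "RDP") if windows else (SSH_PORT, "SSH")
    return [
        (connector, service_host, SERVICE_PORT, "Connector to Centrify service"),
        (connector, system_ip, sys_port, f"{proto} to managed system"),
        ("local-client", connector, LOCAL_RDP_JUMP_PORT if windows else SSH_PORT,
         "local client jump through Connector"),
    ]

def tcp_reachable(host, port, timeout=3.0):
    """Probe one rule end to end: True when a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `tcp_reachable(dst, port)` for each tuple from `required_rules` on the Connector host before installation to see which firewall openings are still missing.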

Mapping system subnets to connectors
