After Preparing for your Privilege Management Deployment with the Centrify Infrastructure Service - Part 1, you will want to configure your
Active Directory connection and start planning the import of the systems and accounts that will be managed.
- You will want to identify the Windows hosts for the Centrify Connector installations. These Connectors will serve as your proxy into
Active Directory. The Connector handles everything from AD authentication requests and managing account passwords to remote sessions
to your systems via SSH and RDP. It is important that you have at least two Connectors installed in your AD domain for redundancy.
You may need additional Connectors depending on your network environment, domain/forest trusts, number of users authenticating, etc.
- Before installing the Connectors, you will want to do the following:
  - Check the firewall rules from the Centrify Connectors to the Centrify Cloud Service or the on-premises Centrify Service instance.
    - These requirements change depending on your deployment method (cloud vs. on-prem), but in both cases outbound TCP port 443 must be open.
  - Check the firewall rules from the Centrify Connectors to the systems that will have local accounts managed or be accessed remotely using SSH or RDP.
    - Essentially, the Connectors will be acting as jump boxes into the systems, so you will want to know in advance which ports are going to be used for these operations.
    - Windows systems should be accessible via RDP if you will be establishing remote login through the Infrastructure Service. The default port is 3389, but this port is customizable.
    - Windows systems that will have local accounts managed for password rotation will need to be reachable over one of the following protocols. These ports are also customizable.
      - RPC over TCP on 135
      - SMB on 445
      - WinRM (HTTP/HTTPS) on 5985/5986
      - Windows Management port for password operations
    - Unix, Cisco, and other networking devices will need SSH on port 22, by default.
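The port list above is easiest to validate before the Connector is installed, from the host that will run it. The following PowerShell script is an added example (not Centrify's own tooling) that checks each required TCP path with Test-NetConnection: port 443 to the service endpoint, then per-system ports matching the protocol you plan to use. The service FQDN and the target hostnames are placeholders to replace with your own; the per-system port choices are assumptions for illustration.

```powershell
# Added example: pre-install reachability check run from a prospective Connector host.
# All hostnames are placeholders; replace them with your service endpoint and managed systems.
$ServiceEndpoint = 'tenant.example.my.centrify.net'   # placeholder: cloud or on-prem Centrify Service FQDN

# One entry per system the Connector will reach, with the ports this deployment will use.
# Only list the password-management protocol you actually intend to enable on each host.
$Targets = @(
    @{ Name = 'win-app01.corp.example'; Ports = @(3389, 5986) }   # RDP + WinRM over HTTPS
    @{ Name = 'win-db01.corp.example';  Ports = @(3389, 445)  }   # RDP + SMB
    @{ Name = 'lnx-web01.corp.example'; Ports = @(22) }           # SSH
    @{ Name = 'core-sw01.corp.example'; Ports = @(22) }           # network device over SSH
)

function Test-ConnectorPath {
    param([string]$ComputerName, [int]$Port)
    # -InformationLevel Quiet returns $true/$false for the TCP handshake only (no ICMP/route details).
    $ok = Test-NetConnection -ComputerName $ComputerName -Port $Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $ComputerName; Port = $Port; Reachable = [bool]$ok }
}

$results = @()
$results += Test-ConnectorPath -ComputerName $ServiceEndpoint -Port 443
foreach ($t in $Targets) {
    foreach ($p in $t.Ports) {
        $results += Test-ConnectorPath -ComputerName $t.Name -Port $p
    }
}

$results | Format-Table -AutoSize

# Anything unreachable here is a firewall rule to request before the Connector install.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning "Open firewall rules for $($blocked.Count) Connector path(s) before installing."
}
```

Run it once from every planned Connector host, since each host may sit behind different firewall rules; a path that is reachable from one Connector and blocked from another is exactly the kind of gap that surfaces later as a failed password rotation or remote session.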
- Managing systems
- You will want to identify and set your Corporate IP Range. This will allow you to specify whether users can access a system while they are off the corporate network. You will need to
know the public IP ranges of your network environment. This IP range can also be used to change a user's authentication profile to require a second and/or third form of authentication
to SSH/RDP to a system or to check out an account password.
- You will want to identify and set the subnets to be associated with each Connector. This will enhance network performance, because remote sessions are sent to the Connector
that is best suited for the system being accessed. Also, if you are using a local client for remote sessions, like PuTTY or Remote Desktop, then it is required that you map your subnets
to the Connectors. For example, the local client will make a jump to a Windows system via a direct connection to the Connector over port 5555 for RDP sessions.
In order for this to be successful, the service will need to know which Connector the local client should reach out to for a particular system. The local client will use the same process for
SSH sessions, but on port 22.