Fault Tolerant on Windows
Axidian Privilege components are installed on three servers. This type of installation separates the management components from the components that provide access, and an additional server provides fault tolerance. This deployment scheme with load balancing is suitable for implementation and operation in production.
Before starting the installation, please prepare the environment.
Wizard Launch
The Web Wizard is a web application that installs, upgrades, or changes the configuration of Axidian Privilege. The wizard is supplied as part of the PAM distribution. To use it, run it in a Docker container using the supplied script.
The wizard must be launched on the host on which one of the PAM roles will be installed (management server or access server), otherwise attempting to install PAM will result in an error.
Download and unpack the Web Wizard distribution on your Linux machine and go to the distribution directory.
Run the command:
sudo bash run-wizard.sh
Wait for the script to complete.
Once the script is completed, go to the URL you see in the console.
In the Authentication Code field, enter the value you see in the console after executing the script.
Code example: vVHyTVRyKX5pxUKM6e1ZgCWEnOdXFdOy
Note: By default, the code is requested again after 2 hours, so all the work must be completed within this time.
Click Enter and proceed to work with the wizard.
Scenario
- Select New PAM Installation.
- Click Next to proceed to the next step of the wizard.
Hosts Scheme
A host is a physical or virtual server on which the PAM components will be located.
In the Hosts Scheme step, enter the fully qualified domain name of the management server in the PAM FQDN field.
Example: pam.my-company.local.
Add the Management Server, RDS Access Server, SSH Access Server and PostgreSQL Access Server hosts. Please note that you cannot add multiple hosts with the same address.
Note: Management Server and RDS Access Server can be located on the same host. RDP Access Server, SSH Access Server and PostgreSQL Access Server can be located on the same host.
Review the host table and make sure that the data entered is correct. To edit host data, click the line with the desired host, make the changes and click Save. To delete a host, click the delete icon next to that host.
For the Balancer setting, select HAProxy. This is a balancer that is shipped with PAM and is installed and configured as part of the PAM installation process. You can specify a maximum of 2 HAProxy balancers.
Note: If you use a third-party load balancer, please note that you will need to configure it yourself. Make sure PAM is available at the address specified in the PAM FQDN field.
Add a balancer. Please note that you cannot add multiple balancers with the same address.
Click Next to proceed to the next step of the wizard.
Ports
Ports of PAM components must be unique. Ports of HAProxy must be unique.
Specify ports for PAM components according to your network architecture or leave the default values.
Component            Default port
SSH Proxy            2222
RDP Proxy            3390
PostgreSQL Proxy     5432
MC/UC HTTP           80
MC/UC HTTPS          443
Gateway Service      8443
Specify ports for HAProxy according to your network architecture or leave the default values.
HAProxy              Default port
HAProxy SSH          2222
HAProxy RDP          3390
HAProxy PostgreSQL   5432
HAProxy HTTP         80
HAProxy HTTPS        443
Click Next to proceed to the next step of the wizard.
Certificates
In this step you need to upload the certificates prepared earlier.
- Upload the CA certificate without the private key in PEM (Base64) format with the .crt extension.
- Upload certificates for the hosts with the .pfx extension, or a wildcard certificate, and specify the password.
- Click Next to proceed to the next step of the wizard.
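A pre-flight check for this step, added here as an example (it is not part of the Axidian Privilege distribution): it confirms that the CA .crt carries no private key, that the .pfx opens with its password, and that the host certificate's DNS SANs cover the PAM FQDN and every host name. It assumes openssl is available on the Linux machine that runs the wizard; the host names other than pam.my-company.local are constructed.

```shell
#!/bin/sh
# Pre-flight for the wizard's Certificates step (added example, not Axidian code).
# Needs openssl. Checks: the CA .crt is a PEM certificate with no private key in it,
# the host .pfx opens with the given password, and the host certificate's DNS SANs
# cover every PAM host FQDN (a *.domain SAN matches exactly one label, as TLS does).

# 0 when FILE holds a PEM certificate and no private key block, 1 otherwise.
check_ca_crt() {
  grep -q -- 'PRIVATE KEY-----' "$1" && { echo "$1 contains a private key"; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || { echo "$1 has no PEM certificate"; return 1; }
  openssl x509 -in "$1" -noout 2>/dev/null || { echo "$1 is not a valid certificate"; return 1; }
}

# Prints the leaf certificate of PFX as PEM; fails when PASSWORD is wrong.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# Reads a PEM certificate on stdin; 0 when its DNS SANs cover every FQDN argument.
san_covers() {
  sans=$(openssl x509 -noout -text 2>/dev/null | grep -A1 'Subject Alternative Name' |
         tail -n1 | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
  for fqdn in "$@"; do
    ok=0
    while IFS= read -r san; do
      case "$san" in
        \*.*) [ "${fqdn#*.}" = "${san#\*.}" ] && [ "${fqdn%%.*}" != "$fqdn" ] && ok=1 ;;
        *)    [ "$fqdn" = "$san" ] && ok=1 ;;
      esac
    done <<EOF
$sans
EOF
    [ "$ok" -eq 1 ] || { echo "no SAN in the host certificate matches $fqdn"; return 1; }
  done
}

# Usage: preflight CA_CRT HOST_PFX PFX_PASSWORD FQDN [FQDN...]
# e.g. preflight ca.crt hosts.pfx 'secret' pam.my-company.local rds1.my-company.local
preflight() {
  ca="$1"; pfx="$2"; pw="$3"; shift 3
  check_ca_crt "$ca" || return 1
  leaf=$(pfx_to_pem "$pfx" "$pw") || { echo "cannot open $pfx: wrong password or bad file"; return 1; }
  printf '%s\n' "$leaf" | san_covers "$@"
}
```

Run it before uploading: a failing check names the file or FQDN that the wizard would reject or that clients would later refuse to trust.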
Databases
- Select Server Type Microsoft SQL.
- Enter Server Address and MSSQL Instance Name.
- Enable the Secure connection to DBMS checkbox.
- Enter username and password for the database account.
- For the Encryption keys setting, select Generate new.
- Enter the names of the databases you created in the Preparation for Installation step:
- DB for privileged accounts
- DB for authenticators of PAM users
- DB for PAM events
- DB for Scheduled Jobs of the Core component
- DB for Scheduled Jobs of the Idp component
- Click Next to proceed to the next step of the wizard.
Data Storage
- Select Storage Type File System.
- If necessary, edit the Storage root directory field.
- Click Next to proceed to the next step of the wizard.
User Directories
- Click Add User Directory.
- In the Directory Service field, select one of the values: FreeIPA, OpenLDAP.
- Enter a value in the Directory ID field.
- Enter a value in the Domain DNS field.
- Enter a value in the DN of user container field.
- Enter the username and password for the account.
- Enable the Use LDAPS checkbox.
- If necessary, change the mapping of user attributes and/or user group attributes.
- Click Add.
- Click Next to proceed to the next step of the wizard.
You can add multiple user directories.
Role Administrators
You can only specify one role administrator in the wizard.
- Select a user account from the directory to be granted rights to manage PAM roles. This user will be able to grant access rights to the PAM management console to other users.
- Click Next to proceed to the next step of the wizard.
User Authentication
- For the Authentication Mechanism setting, select Windows.
- Tick the Enable two-factor authentication for all users by default checkbox.
- For the Second Factor Type setting, select TOTP.
- Tick the components for which you want to enable second factor caching:
- Management Console
- User Console
- Desktop Console
- SSH Proxy
- RDP Proxy
- RDS Proxy
- If necessary, edit the Cache Time field.
- Click Next to proceed to the next step of the wizard.
Access Server
- If necessary, edit the Agent Maximum Response Time and Agent Healthcheck Interval fields.
- Click Next to proceed to the next step of the wizard.
Logging
- If necessary, edit the Logging Level, the maximum number of management server log files, and the maximum number of access server log files.
- Click Next to proceed to the next step of the wizard.
Syslog Events
If necessary, add a Syslog server.
Click Next to proceed to the next step of the wizard.
Backup
A backup file of the wizard is an encrypted file that is used to restore the wizard state. You will need this file the next time you upgrade PAM to a new version or change the configuration of the current version of PAM.
Save the backup file of the wizard and remember its password.
Without this file and the password to it, you will not be able to change the configuration of your PAM installation in the future or update PAM to a new version via the wizard.
- Set a password for the backup file.
- Click Download backup.
- Click Next to proceed to the next step of the wizard.
Installation
- For the Installation method setting, select From the wizard.
- Click Install PAM.
- Track the process of installation using the progress bar. Wait until the installation is completed.
- Open the management console in a new tab to configure Axidian Privilege. Log in to the console using the credentials you specified in the Role Administrators step. For detailed information on initial setup, see the First Launch page.
- Click Stop the wizard or run the following command in the terminal:
sudo bash stop-wizard.sh