Skip to main content
Version: Axidian Privilege 3.0

Fault Tolerant on Windows

Axidian Privilege components are installed on three servers. This type of installation allows you to separate the managing components from the components that provide access. An additional server is used for fault tolerance. Suitable for implementation and operation in production. Deployment scheme with balancing.

Before starting the installation, please prepare the environment.

Wizard Launch

Web wizard is a web application that allows you to install, upgrade, or change the configuration of Axidian Privilege. The master is supplied as part of the PAM distribution. To use the wizard, you will need to run it in a Docker container using a special script.

caution

The wizard must be launched on the host on which one of the PAM roles will be installed (management server or access server), otherwise attempting to install PAM will result in an error.

  1. Download and unpack the Web Wizard distribution on your Linux machine and go to the distribution directory.

  2. Run the command:

    sudo bash run-wizard.sh

  3. Wait for the script to complete.

  4. Once the script is completed, go to the URL you see in the console.

  5. In the Authentication Code field, enter the value you see in the console after executing the script.
    Code example: vVHyTVRyKX5pxUKM6e1ZgCWEnOdXFdOy.

    info

    By default, the code will be requested again after 2 hours, which means that all the work needs to be completed during this time.

  6. Click Enter and proceed to work with the wizard.

Scenario

  1. Select New PAM Installation.
  2. Click Next to proceed to the next step of the wizard.
More about scenarios

The Web Wizard is used to perform one of three scenarios:

  • New PAM Installation is an Axidian Privilege installation.
  • PAM Upgrade is an upgrading of all Axidian Privilege components to the new version. For example, from 2.10 to 3.0. During the upgrade PAM will be unavailable. All current sessions will be terminated.
  • PAM Configuration Change is making changes to the current PAM installation. For example, changing the set of hosts. The PAM version will remain the same. During the configuration change PAM will be unavailable. All current sessions will be terminated.

Hosts Scheme

A host is a physical or virtual server on which the PAM components will be located.

  1. In the Hosts Scheme step, enter the fully qualified domain name of the management server in the PAM FQDN field.
    Example: pam.my-company.local.

  2. Add Management Server, RDS Access Server, SSH Access Server, PostgreSQL Access Server. Please note that you cannot add multiple hosts with the same address.

    Management Server
    1. Click Add Host.
    2. For the Host Operating System setting, select Windows.
    3. Enable the Management Server checkbox.
    4. Enter the IP address or DNS in the Host Address field. Please note that you cannot add multiple hosts with the same address.
    5. Enter the port in the Port field.
    6. Select the account type for the host: a shared domain account or a separate account for this host.
    7. Enter Login in UPN or SAM format and Password for the specified account.
    8. Click Add.
    RDS Access Server
    1. Click Add Host.
    2. For the Host Operating System setting, select Windows.
    3. Enable the RDS Access Server checkbox.
    4. Enter the IP address or DNS in the Host Address field. Please note that you cannot add multiple hosts with the same address.
    5. Enter the port in the Port field.
    6. Select the account type for the host: a shared domain account or a separate account for this host.
    7. Enter Login in UPN or SAM format and Password for the specified account.
    8. Click Add.
    SSH Access Server
    1. Click Add Host.
    2. For the Host Operating System setting, select Linux.
    3. Enable the SSH Access Server checkbox.
    4. Enter the IP address or DNS in the Host Address field. Please note that you cannot add multiple hosts with the same address.
    5. Enter the port in the Port field.
    6. Select the method for authenticating your account on the host: by password or by SSH key.
    7. If you selected by password in the previous step, then enter Login and Password. If you selected by SSH key in the previous step, then enter Login, sudo password, SSH key and Passphrase.
    8. Click Add.
    PostgreSQL Access Server
    1. Click Add Host.
    2. For the Host Operating System setting, select Linux.
    3. Enable the PostgreSQL Access Server checkbox.
    4. Enter the IP address or DNS in the Host Address field. Please note that you cannot add multiple hosts with the same address.
    5. Enter the port in the Port field.
    6. Select the method for authenticating your account on the host: by password or by SSH key.
    7. If you selected by password in the previous step, then enter Login and Password. If you selected by SSH key in the previous step, then enter Login, sudo password, SSH key and Passphrase.
    8. Click Add.
    info

    Management Server and RDS Access Server can be located on the same host.
    RDP Access Server, SSH Access Server, PostgreSQL Access Server can be located on the same host.

  3. Review the host table and make sure that the data entered is correct. If you need to edit the host data, click on the line with the desired host, make changes and click Save. If you need to delete a host, click next to that host.

  4. For the Balancer setting, select HAProxy. This is a balancer that is shipped with PAM and is installed and configured as part of the PAM installation process. You can specify a maximum of 2 HAProxy balancers.

    info

    If you use a third-party load balancer, please note that you will need to configure it yourself. Make sure PAM is available at the address specified in the PAM FQDN field.

  5. Add a balancer. Please note that you cannot add multiple balancers with the same address.

    Balancer
    1. Click Add balancer.
    4. Enter the IP address or DNS in the Balancer Address field.
    5. Enter the port in the Port field.
    6. Select the method for authenticating your account on the host: by password or by SSH key.
    7. If you selected by password in the previous step, then enter Login and Password. If you selected by SSH key in the previous step, then enter Login, sudo password, SSH key and Passphrase.
    8. Click Add.

  6. Click Next to proceed to the next step of the wizard.

Ports

info

Ports of PAM components must be unique. Ports of HAProxy must be unique.

  1. Specify ports for PAM components according to your network architecture or leave the default values.

    ComponentDefault port
    SSH Proxy2222
    RDP Proxy3390
    PostgreSQL Proxy5432
    MC/UC HTTP80
    MC/UC HTTPS443
    Gateway Service8443

  2. Specify ports for HAProxy according to your network architecture or leave the default values.

    HAProxyDefault port
    HAProxy SSH2222
    HAProxy RDP3390
    HAProxy PostgreSQL5432
    HAProxy HTTP80
    HAProxy HTTPS443

  3. Click Next to proceed to the next step of the wizard.

Certificates

In this step you need to download previously prepared certificates.

  1. Upload the CA certificate without the private key in PEM (Base64) format with the .crt extension.
  2. Upload certificates for hosts with the .pfx extension or a wildcard certificate and specify the password.
  3. Click Next to proceed to the next step of the wizard.

Databases

  1. Select Server Type Microsoft SQL.
  2. Enter Server Address and MSSQL Instance Name.
  3. Enable the Secure connection to DBMS checkbox.
  4. Enter username and password for the database account.
  5. For the Encryption keys setting, select Generate new.
  6. Enter the names of the databases you created in the Preparation for Installation step:
    • DB for privileged accounts
    • DB for authenticators of PAM users
    • DB for PAM events
    • DB for Scheduled Jobs of the Core component
    • DB for Scheduled Jobs of the Idp component
  7. Click Next to proceed to the next step of the wizard.

Data Storage

  1. Select Storage Type File System.
  2. If necessary, edit the Storage root directory field.
  3. Click Next to proceed to the next step of the wizard.
Other storage types

If you select SMB, fill in the following fields:

  • Network path
  • Domain
  • Username
  • Password

If you select S3, fill in the following fields:

  • Network address of the S3 server
  • Path to the storage root directory on the S3 server
  • Access key id
  • Secret access key
  • Region (optional)
  • Location restriction (optional)

User Directories

  1. Click Add User Directory.
  2. In the Directory Service field, select one of the values: FreeIPA, OpenLDAP.
  3. Enter a value in the Directory ID field.
  4. Enter a value in the Domain DNS field.
  5. Enter a value in the DN of user container field.
  6. Enter the username and password for the account.
  7. Enable the Use LDAPS checkbox.
  8. If necessary, change the mapping of user attributes and/or user group attributes.
  9. Click Add.
  10. Click Next to proceed to the next step of the wizard.
info

You can add multiple user directories.

Role Administrators

info

You can only specify one role administrator in the wizard.

  1. Select a user account from the directory to be granted rights to manage PAM roles. This user will be able to grant access rights to the PAM management console to other users.
  2. Click Next to proceed to the next step of the wizard.

User Authentication

  1. For the Authentication Mechanism setting, select Windows.
  2. Tick the Enable two-factor authentication for all users by default checkbox.
  3. For the Second Factor Type setting, select TOTP.
  4. Tick the components for which you want to enable second factor caching:
    • Management Console
    • User Console
    • Desktop Console
    • SSH Proxy
    • RDP Proxy
    • RDS Proxy
  5. If necessary, edit the Cache Time field.
  6. Click Next to proceed to the next step of the wizard.
TOTP Second Factor via Email

If you select Email as the second factor, fill in the following fields:

  • SMTP server
  • Sender email address, it is the address from which the letter will be sent
  • Port
  • Username, it is the login for authorization on the server
  • Password
RADIUS authentication

If you select RADIUS as the authentication mechanism, you will need to specify the RADIUS server details.

  1. Click Add RADIUS Server.
  2. Select an authentication scheme. Possible values: PAP, CHAP, MSCHAPV2. It is not recommended to select the PAP scheme, as it is insecure since the password is transmitted in clear text.
  3. Enter Server Address, Port and Secret.
  4. Leave the Check Message-Authenticator attribute option enabled. This attribute is used to ensure the integrity of packets and protect them from forgery. Disabling the option is only permissible if the software you are using does not support working with this attribute.
  5. Select Name Format for Authentication. Select the Name without domain value for authentication in FreeRadius. Select Name in SAM format or Name in UPN format for NPS RADIUS authentication.

You can specify multiple RADIUS servers to provide system fault tolerance. In this case, PAM sends the request to the RADIUS servers sequentially, in the order servers are specified in the configuration file. In other words, if it was unable to connect to the first RADIUS server, then PAM will try to connect to next one.

Access Server

  1. If necessaty, edit the Agent Maximum Response Time and Agent Healthcheck Interval fields.
  2. Click Next to proceed to the next step of the wizard.

Logging

  1. If necessaty, edit the Logging Level, the maximum number of management server log files, and the maximum number of access server log files.
  2. Click Next to proceed to the next step of the wizard.

Syslog Events

  1. If necessaty, add a Syslog server.

    Syslog server
    Syslog server is used for integration with SIEM system. Events and text logs are written to the Syslog server in real time, during the active session, not after it is terminated. This allows incidents and anomalies associated with the actions of privileged users to be identified as quickly as possible.

    When adding a Syslog server, you will need to fill in the following fields:
    - Server address
    - Network protocol (TCP or RDP)
    - Port
    - Event format (CEF or LEEF)
    - Syslog version (RFC3164 or RFC5424)

  2. Click Next to proceed to the next step of the wizard.

Backup

A backup file of the wizard is an encrypted file that is used to restore the wizard state. You will need this file the next time you upgrade PAM to a new version or change the configuration of the current version of PAM.

caution

Save the backup file of the wizard and remember its password.

Without this file and the password to it, you will not be able to change the configuration of your PAM installation in the future or update PAM to a new version via the wizard.

  1. Set a password for the backup file.
  2. Click Download backup.
  3. Click Next to proceed to the next step of the wizard.

Installation

  1. For the Installation method setting, select From the wizard.
  2. Click Install PAM.
  3. Track the process of installation using the progress bar. Wait until the installation is completed.
  4. Open the management console in a new tab to configure Axidian Privilege. Log in to the console using the credentials you specified in the Role Administrators step. For detailed information on initial setup, see the First Launch page.
  5. Click Stop the wizard or run the following command in the terminal:
    sudo bash stop-wizard.sh
Manual installation

When you choose to install Axidian Privilege manually, you will be given the option to download the PAM configuration files. These files will need to be distributed across servers manually, and the PAM deployment script will need to be run on each server separately.