Account Lifecycle Manager Cloud Architecture

Component Definitions

Account Lifecycle Manager: A cloud application with an intuitive UI that acts as a front end to Active Directory, letting enterprise IT users request, approve, privilege, manage, and retire service accounts more easily and efficiently by delegating the Active Directory intricacies to the cloud app.

Thycotic One Identity: Accounts that are used to provision user access to your ALM instance. Thycotic One accounts are used in some of our other products as well. This is not pictured in the architectural diagram because it is part of the ALM sign-on process.

ALM Remote Engine: A Windows service that runs on your organization's hardware. It manages interactions between the ALM cloud service and your Active Directory installation. It also supports ALM's integration with your organization's Secret Server/DSV instance. This includes support for integration with:

  • Secret Server Cloud
  • DevOps Secrets Vault

App Services: Shared resources used by multiple customers.

Databases: Independent per customer; each ALM instance has its own database, which is not shared with other customers.

Active Directory Server: The Active Directory server you intend to integrate the ALM Remote Engine with. Note that the relationship between an ALM Remote Engine and a domain in your environment is a 1:1 mapping: an ALM Remote Engine can manage only one domain at a time.

Integrations: Additional integrations for Azure AD and ServiceNow are currently available and are pictured in the reference architecture.

Cloud Deployment Network Configuration

  1. Web Application Firewall (WAF): IP address whitelisting is not necessary unless outbound firewall rules are in place. The public IP depends on geographical location.

    All regions: 45.60.38.37, 45.60.40.37, 45.60.32.37, 45.60.34.37, 45.60.36.37, 45.60.104.37

  2. Content Delivery Network (CDN): IP address whitelisting is not necessary unless outbound firewall rules are in place. The public IP depends on geographical location.

    All regions: retrieve the current edge node list from https://docs.microsoft.com/rest/api/cdn/edgenodes/list (type=Standard_Verizon)

  3. ALM Remote Engine: IP address whitelisting is not necessary unless outbound firewall rules are in place. If outbound firewall rules are in place, the ALM Remote Engine must be allowed to reach the WAF IP addresses listed above over TCP 443 (HTTPS).
  4. Active Directory Server: Must allow outbound communication from the ALM Remote Engine to your Active Directory server over TCP 636 (LDAPS).
  5. Secret Server / DSV: Must allow outbound communication from the ALM Remote Engine over TCP 443 (HTTPS) to whichever credential store you use: Secret Server, Secret Server Cloud, or DSV. If you are integrating with Secret Server Cloud, the ALM Remote Engine must also be able to reach the WAF IP address ranges listed above for Secret Server Cloud. DSV uses AWS API Gateway regional endpoints with custom domain names. If you integrate with DSV and restrict outbound traffic from the ALM Remote Engine, whitelist by the tenant-specific DSV custom domain name URL. If you have a hard requirement to filter outbound traffic by IP address range, your rules will depend on this list, which AWS updates frequently, so IP-based rules must be regenerated on a schedule:

    https://ip-ranges.amazonaws.com/ip-ranges.json (you can filter out EC2 ranges).

  6. Certificate CRLs: Whitelisting is not necessary unless outbound firewall rules are in place. If it is, access to the following CRL distribution points is necessary (plain HTTP, TCP 80):

    accountlifecyclecloud.com: http://crl.godaddy.com/gdig2s1-1019.crl (web server)
    http://crl.godaddy.com/gdroot-g2.crl (web server)
    accountlifecyclecloud.eu: (unknown)
    accountlifecyclecloud.com.au: (unknown)
  7. Azure AD Integration: This optional integration extends ALM's directory service support to Azure AD, allowing ALM to manage accounts located in Azure AD. Because this communication originates from the ALM Remote Engine, allow outbound access from it to your Azure AD environment over TCP 443 (HTTPS).
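The egress rules in items 1 to 7, gathered into a helper that can be run from the ALM Remote Engine host before the firewall change is signed off. This is an added example and not Delinea's code: the domain controller and vault hostnames, the AWS region and the sample ip-ranges.json content are constructed placeholders, and the "API_GATEWAY" service tag is assumed to be present in the live AWS file.

```python
"""Egress allow-list helper for an ALM Remote Engine host.

Added example, not Delinea's own code. Hostnames, the AWS region and the
sample ip-ranges.json below are constructed placeholders.
"""
import json
import socket
import ssl
from ipaddress import ip_network

# Transcribed from the "Cloud Deployment Network Configuration" list on this page.
WAF_IPS = ["45.60.38.37", "45.60.40.37", "45.60.32.37",
           "45.60.34.37", "45.60.36.37", "45.60.104.37"]
CRL_HOSTS = ["crl.godaddy.com"]  # CRL distribution points are served over plain HTTP


def required_egress(dc_host, vault_host=None):
    """Return (label, host, port) tuples the ALM Remote Engine must be able to reach.

    dc_host    - a domain controller of the one domain this engine manages (LDAPS, TCP 636)
    vault_host - optional Secret Server / Secret Server Cloud / DSV hostname (HTTPS, TCP 443)
    """
    rules = [("WAF", ip, 443) for ip in WAF_IPS]
    rules += [("CRL", host, 80) for host in CRL_HOSTS]
    rules.append(("LDAPS", dc_host, 636))
    if vault_host:
        rules.append(("Vault", vault_host, 443))
    return rules


def aws_prefixes_excluding_ec2(ip_ranges_json, region, service=None):
    """Derive the IP-based DSV allow-list from ip-ranges.json.

    Keeps the IPv4 prefixes published for `region`, drops any prefix that also
    appears under the EC2 service (the page's advice), and optionally keeps only
    one service tag. Passing service="API_GATEWAY" narrows the list to the
    regional API Gateway ranges DSV sits behind (assumption: that tag is present
    in the live file; check before relying on it).
    """
    prefixes = json.loads(ip_ranges_json)["prefixes"]
    ec2 = {p["ip_prefix"] for p in prefixes if p["service"] == "EC2"}
    keep = {p["ip_prefix"] for p in prefixes
            if p["region"] == region
            and p["ip_prefix"] not in ec2
            and (service is None or p["service"] == service)}
    return sorted(keep, key=ip_network)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldaps_peer_cert(dc_host, timeout=3.0):
    """Complete a TLS handshake on TCP 636 using this host's trust store.

    A bare port check passes even when the engine would reject the domain
    controller's certificate; this raises ssl.SSLCertVerificationError when the
    certificate is untrusted or does not match dc_host, so the problem is
    found before anyone is tempted to turn verification off.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((dc_host, 636), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=dc_host) as tls:
            return tls.getpeercert()


def check_egress(rules):
    """Map 'label host:port' to whether a TCP connection succeeded."""
    return {f"{label} {host}:{port}": tcp_reachable(host, port)
            for label, host, port in rules}


# Constructed sample in the shape of ip-ranges.json, using RFC 5737 test networks.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "API_GATEWAY"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})

if __name__ == "__main__":
    # Hostnames below are placeholders; substitute your own before running.
    plan = required_egress("dc01.company.com", "vault.company.com")
    for rule, ok in check_egress(plan).items():
        print("OK  " if ok else "FAIL", rule)
    print("DSV allow-list (sample data):",
          aws_prefixes_excluding_ec2(SAMPLE_IP_RANGES, "eu-west-1"))
```

Run it on the engine host with your own domain controller and vault names; a FAIL on the LDAPS line means the 636 rule in item 4 is missing, and a verification error from `ldaps_peer_cert` means the domain controller's certificate is not trusted by that host even though the port is open. For the live AWS file, fetch it over HTTPS on a schedule and diff the result against the current firewall rules, because the page's list only stays correct while the published ranges do.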

ALM Single Domain Design Example: Minimal Footprint or Cost

Requirements for Reference Architecture

  • Communication lines in green are required. Gray dotted lines may or may not be required, depending on individual customer requirements.
  • This design is fully supported by Delinea.
  • All ALM Remote Engine servers must run Windows Server 2012 or later with .NET 4.7.1 or greater. (Windows Server 2012 and 2012 R2 left Microsoft extended support in October 2023; use a currently supported release.)
  • ALM Remote Engine

    • Minimum System Requirements: 2 Cores, 2 GB RAM
    • Recommended Requirements: 4 Cores, 4 GB RAM.

Arrows indicate direction of initial connection

architecture1

ALM Single Domain Design Example: HA

Requirements for Reference Architecture

  • Communication lines in green are required. Gray dotted lines may or may not be required, depending on individual customer requirements.
  • This design is fully supported by Delinea.
  • All ALM Remote Engine servers must run Windows Server 2012 or later with .NET 4.7.1 or greater.
  • ALM Remote Engine

    • Minimum System Requirements: 2 Cores, 2 GB RAM
    • Recommended Requirements: 4 Cores, 4 GB RAM.

architecture2

Arrows indicate direction of initial connection

ALM Multiple Domains Design Example: Minimal Footprint or Cost

Requirements for Reference Architecture

  • Communication lines in green are required. Gray dotted lines may or may not be required, depending on individual customer requirements.
  • This design is fully supported by Delinea.
  • All ALM Remote Engine servers must run Windows Server 2012 or later with .NET 4.7.1 or greater.
  • All ALM Remote Engine servers require communication back to the Web (WAF) ranges over TCP 443. This is pictured only for the company.com domain to keep the diagram easier to interpret, but it applies to every domain.
  • ALM Remote Engine

    • Minimum System Requirements: 2 Cores, 2 GB RAM
    • Recommended Requirements: 4 Cores, 4 GB RAM.

architecture3

ALM Multiple Domains Design Example: HA

Requirements for Reference Architecture

  • Communication lines in green are required. Gray dotted lines may or may not be required, depending on individual customer requirements.
  • This design is fully supported by Delinea.
  • All ALM Remote Engine servers must run Windows Server 2012 or later with .NET 4.7.1 or greater.
  • All ALM Remote Engine servers require communication back to the Web (WAF) ranges over TCP 443. This is pictured only for the company.com domain to keep the diagram easier to interpret, but it applies to every domain.
  • ALM Remote Engine

    • Minimum System Requirements: 2 Cores, 2 GB RAM
    • Recommended Requirements: 4 Cores, 4 GB RAM.

architecture4

ALM Single Domain with Multiple Data Centers Design Example: HA/DR

Requirements for Reference Architecture

  • Communication lines in green are required. Gray dotted lines may or may not be required, depending on individual customer requirements.
  • This design is fully supported by Delinea.
  • All ALM Remote Engine servers must run Windows Server 2012 or later with .NET 4.7.1 or greater.
  • ALM Remote Engine

    • Minimum System Requirements: 2 Cores, 2 GB RAM
    • Recommended Requirements: 4 Cores, 4 GB RAM.

architecture5

ALM Multiple Domains and Data Centers Design Example: HA/DR

Requirements for Reference Architecture

  • Communication lines in green are required. Gray dotted lines may or may not be required, depending on individual customer requirements.
  • This design is fully supported by Delinea.
  • All ALM Remote Engine servers must run Windows Server 2012 or later with .NET 4.7.1 or greater.
  • All ALM Remote Engine servers require communication back to the Web (WAF) ranges over TCP 443. This is pictured only for the company.com domain to keep the diagram easier to interpret, but it applies to every domain.
  • ALM Remote Engine

    • Minimum System Requirements: 2 Cores, 2 GB RAM
    • Recommended Requirements: 4 Cores, 4 GB RAM.

architecture6