Privileged Access Service Deployment Checklist
You will need to perform the following initial tasks to:
- Gain access to the Privileged Access Service Admin Portal
- Configure users and roles
- Add and configure resources to be managed by the Privileged Access Service
The initial steps below are included for customer-managed deployments. For additional customer-managed deployment requirements, see "Customer-managed Privileged Access Service additional requirements." If your deployment is a cloud-based deployment, you can start at the Access the Admin Portal step.
Customer-Managed Steps
The deployment steps in this section apply to you only if you're doing a customer-managed deployment.
Prepare the Virtual Machines
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Join the primary server node and secondary server node to the domain:<br>- Download the primary server and secondary server and import them into VMware.<br>- On both systems, join your domain using System Properties or an administrative PowerShell window.<br>- Install the Windows Failover Clustering feature on both nodes (with Server Manager or PowerShell). | | Deploying Customer-Managed (On-Premises) PAS |
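The domain join and the Failover Clustering feature installation from the table above, as an added PowerShell example; this is not a script from the Delinea documentation. The domain name `corp.example.com` and the node names `pas-node1`/`pas-node2` are placeholders. Step 1 runs on each node while it is still in a workgroup (the node restarts), Step 2 and the verification run from either node once both are domain members.

```powershell
# Added example; not part of the Delinea documentation.
# Assumptions (placeholders): corp.example.com is your AD domain, pas-node1/pas-node2 are
# the primary and secondary PAS server hostnames.
$DomainName = 'corp.example.com'
$NodeNames  = 'pas-node1', 'pas-node2'

# --- Step 1: run on each node while it is still in a workgroup -------------------------
# Prompt for an account allowed to join computers to the domain; never hard-code it.
$JoinCred = Get-Credential -Message "Account permitted to join computers to $DomainName"
Add-Computer -DomainName $DomainName -Credential $JoinCred -Restart
# (the node reboots here; continue with Step 2 after both nodes are back up)

# --- Step 2: run from either node after both have rebooted as domain members ----------
$AdminCred = Get-Credential -Message 'Domain account that is a local administrator on both nodes'
foreach ($node in $NodeNames) {
    # Installs the feature plus Failover Cluster Manager and the FailoverClusters module.
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools `
        -ComputerName $node -Credential $AdminCred
}

# --- Verification: both nodes are domain-joined and the feature reports Installed ------
foreach ($node in $NodeNames) {
    $cs      = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $node
    $feature = Get-WindowsFeature -Name Failover-Clustering -ComputerName $node -Credential $AdminCred
    [pscustomobject]@{
        Node          = $node
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain
        FailoverState = $feature.InstallState   # expect 'Installed' on both nodes
    }
}
```

The credentials are prompted for rather than stored so that the script can be kept in version control; the verification loop is what you should paste into the deployment record before moving on to the shared disk configuration.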
Configure a Shared Virtual Disk Host
Note: The following steps are not needed if you are using a customer-managed PostgreSQL database. In that case, make sure the database is reachable by DNS and that the database user is configured.

| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| - Install and configure the required services.<br>- Configure iSCSI disks and target. | Server Manager > Local Server > File and Storage Services > iSCSI | Deploying Customer-Managed (On-Premises) PAS |
| Configure iSCSI Initiators on the primary server and secondary server. | Start > Search > type iSCSI and open iSCSI Initiator | Deploying Customer-Managed (On-Premises) PAS |
| Initialize the Virtual Disks using the Primary Node (primary server). | Administrative Tools > Disk Management | Deploying Customer-Managed (On-Premises) PAS |
Install Privileged Access Service
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Establish temporary name resolution for the primary node. | On the primary server, logged in as a privileged domain user | Deploying Customer-Managed (On-Premises) PAS |
| Install Privileged Access Service on the primary node. | On the primary server, logged in as Domain Admin | Deploying Customer-Managed (On-Premises) PAS |
| Primary node verification and hosts file cleanup. | Admin Portal > Settings > Network | Deploying Customer-Managed (On-Premises) PAS |
| Install Privileged Access Service on the secondary server. | On the secondary server, logged in as a privileged domain user | Deploying Customer-Managed (On-Premises) PAS |
Configure Windows Failover Cluster
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Create and validate the cluster. | Administrative Tools > Failover Cluster Manager > Actions > Create Cluster, which opens the Failover Cluster Wizard | Deploying Customer-Managed (On-Premises) PAS |
| Configure Privilege Service as a clustered application. | Administrative Tools > Failover Cluster Manager > Actions > Configure Role | Deploying Customer-Managed (On-Premises) PAS |
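The "create and validate the cluster" step as an added PowerShell example, equivalent to the Failover Cluster Manager wizard path in the table; it is not a script from the Delinea documentation. The node names, the cluster name `pas-cluster` and the static address `10.0.0.50` are placeholders; run it from one of the domain-joined nodes after the iSCSI disks are initialized.

```powershell
# Added example; not part of the Delinea documentation.
# Assumptions (placeholders): pas-node1/pas-node2 are the domain-joined PAS nodes,
# pas-cluster is the cluster name (a computer object is created in AD for it), and
# 10.0.0.50 is a free static address on the nodes' subnet.
Import-Module FailoverClusters

$Nodes       = 'pas-node1', 'pas-node2'
$ClusterName = 'pas-cluster'
$ClusterIP   = '10.0.0.50'

# 1. Validate before creating. Test-Cluster runs the same checks as the Validate a
#    Configuration wizard (network, storage, system configuration) and returns the
#    HTML report. Fix every failed test before you create the cluster.
$report = Test-Cluster -Node $Nodes -ReportName (Join-Path $env:TEMP 'pas-cluster-validation')
Write-Host "Validation report: $($report.FullName) - review it before continuing."

# 2. Create the cluster. Eligible shared storage (the iSCSI disks prepared earlier) is
#    added automatically; add -NoStorage if you prefer to add the disks explicitly later.
$cluster = New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP

# 3. Confirm both nodes are Up and the core/storage resources came Online.
Get-ClusterNode -Cluster $cluster | Select-Object Name, State
Get-ClusterResource -Cluster $cluster | Select-Object Name, ResourceType, State, OwnerNode
```

Keep the validation report with the deployment record: it is the evidence that the configuration was supportable at build time, and a re-run after any storage or network change is the quickest way to spot drift.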
Add Cloud Connectors
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Run the connector configuration wizard. | Connector configuration wizard | Deploying Customer-Managed (On-Premises) PAS |
Test Failover
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Review failover policies. | Vault properties window | Deploying Customer-Managed (On-Premises) PAS |
| Conduct failover tests:<br>- Maintenance Mode (drain)<br>- Transfer the role to a different cluster node<br>- Simulate disk failure<br>- Simulate network failure<br>- Stop cisdb-pgsql<br>- Stop the IIS Web Service (W3SVC)<br>- Operations: node recoverability<br>- Operations: backup<br>- Operations: upgrade<br>- Operations: restore<br>- Recover from a replicated file | | Deploying Customer-Managed (On-Premises) PAS |
| Test the Privileged Access Service instance. | | Backup and recovery of Privileged Access Service<br>Deploying Customer-Managed (On-Premises) PAS |
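Three of the failover tests listed above (maintenance-mode drain, transferring the role, and stopping W3SVC on the owning node), as an added PowerShell example; it is not a script from the Delinea documentation. It assumes the clustered role created in Configure Role was named `PAS` (a placeholder) and that you run it from a cluster node with the FailoverClusters module.

```powershell
# Added example; not part of the Delinea documentation.
# Assumption (placeholder): 'PAS' is the name given to the clustered role in Configure Role.
Import-Module FailoverClusters
$RoleName = 'PAS'

function Show-RoleOwner {
    # Where the role is running right now and whether it is Online.
    Get-ClusterGroup -Name $RoleName | Select-Object Name, OwnerNode, State | Format-Table -AutoSize
}

$nodes = (Get-ClusterNode).Name
$owner = (Get-ClusterGroup -Name $RoleName).OwnerNode.Name
$other = $nodes | Where-Object { $_ -ne $owner } | Select-Object -First 1
Show-RoleOwner

# Test 1: Maintenance Mode (drain). Roles are moved off the node gracefully; expect the
# role to be Online on $other with no failed resources.
Suspend-ClusterNode -Name $owner -Drain
Show-RoleOwner
Resume-ClusterNode -Name $owner -Failback NoFailback   # node back in service; role stays put

# Test 2: Transfer the role to a different node on demand (planned move back to $owner).
Move-ClusterGroup -Name $RoleName -Node $owner
Show-RoleOwner

# Test 3: Stop the IIS Web Service (W3SVC) on the owning node and observe how the role
# reacts. Whether IIS is restarted in place or the role fails over to $other depends on the
# failover policies reviewed in the first step of this table.
Invoke-Command -ComputerName $owner -ScriptBlock { Stop-Service -Name W3SVC }
Start-Sleep -Seconds 30
Show-RoleOwner
Invoke-Command -ComputerName $owner -ScriptBlock { (Get-Service -Name W3SVC).Status }

# After each test, record the failure and recovery events from the cluster's own log.
Get-WinEvent -LogName 'Microsoft-Windows-FailoverClustering/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Run the tests one at a time and log in to the Admin Portal between them: a role that shows Online in the cluster but whose web tier is not answering is exactly the gap these tests are meant to find.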
Access the Admin Portal
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Request a free trial or subscription.<br>Note: This step is not required if you are performing a customer-managed deployment. | https://delinea.com/products/cloud-suite#trial | Registering for Service |
| Register for a Delinea account with a valid email address. You will receive an “Activate Your Delinea Account” email followed by a “Your Delinea Account Is Ready - Next Steps” email with your account details: the user name of an administrative account, a temporary password, and a unique customer identifier.<br>Note: This step is not required if you are performing a customer-managed deployment. | Email account | Registering for Service |
| Log in to the Admin Portal using the account name, temporary password, and URL from the email notification. The account used to log on for the first time is a Delinea Directory account and is automatically made a member of the System Administrator role, which has all administrative rights. | Admin Portal Login Screen | Registering for Service |
| Set and confirm a new password to activate your account. | Admin Portal Login Screen | |
Install the Connector, Integrate Active Directory or LDAP or Federated Users, and Configure Subnet Mapping
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Review Cloud Connector requirements.<br>- Check firewall rules for the connections between the Cloud Connectors and the Privileged Access Service.<br>- If you are using Discovery, check firewall rules to determine whether the Cloud Connector can reach potential resources via SMB and RPC over TCP. | Online help | Review the Firewall Rules<br>Determining Whether You Need a Connector<br>Integrating with Microsoft Azure Active Directory<br>Integrating with Idaptive tenants<br>Integrating with Okta |
| Select a host computer on which to install the Cloud Connector. | Network | Configuring the Connector |
| On the host computer, log in to the Admin Portal, select to add a connector, and complete the installation. Installing the Cloud Connector integrates your Active Directory/LDAP service with the Privileged Access Service. The connector allows you to specify groups whose members can enroll and manage devices. It also monitors Active Directory/LDAP for group policy changes, which it sends to the Privileged Access Service to update enrolled devices. | Admin Portal > Settings > Network > Cloud Connector | How to Install a Connector |
| Map a subnet pattern to a selected set of connectors. | Admin Portal > Settings > Resources > System Subnet Mapping | Mapping System Subnets to Connectors |
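The firewall-rule check from the first row above, as an added PowerShell example to run on the candidate connector host before installing anything; it is not a script from the Delinea documentation. The tenant hostname `yourtenant.example.com` and the two Discovery targets are placeholders; substitute your tenant URL host and a sample host from each subnet Discovery will scan.

```powershell
# Added example; not part of the Delinea documentation. Run on the candidate connector host.
# Assumptions (placeholders): yourtenant.example.com is your PAS tenant hostname; the two
# discovery targets are sample hosts on subnets Discovery will scan.
$TenantHost       = 'yourtenant.example.com'
$DiscoveryTargets = 'fileserver01.corp.example.com', '10.0.1.25'

# Build the (target, port) pairs the checklist calls for: HTTPS out to the tenant, and
# SMB plus the RPC endpoint mapper towards resources Discovery will enumerate.
$checks = @([pscustomobject]@{ Target = $TenantHost; Port = 443; Purpose = 'Connector -> PAS tenant (HTTPS)' })
foreach ($t in $DiscoveryTargets) {
    $checks += [pscustomobject]@{ Target = $t; Port = 445; Purpose = 'Discovery -> SMB' }
    $checks += [pscustomobject]@{ Target = $t; Port = 135; Purpose = 'Discovery -> RPC endpoint mapper' }
}

$results = foreach ($c in $checks) {
    # Test-NetConnection performs a TCP connect only; it does not authenticate to the target.
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target    = $c.Target
        Port      = $c.Port
        Purpose   = $c.Purpose
        Resolved  = [bool]$r.RemoteAddress   # $false means DNS failed, not the firewall
        Reachable = $r.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Anything unreachable is a firewall, routing or DNS item to raise before installing the connector.
$results | Where-Object { -not $_.Reachable }
```

Two caveats a practitioner should keep in mind: a `Resolved = False` row is a name-resolution problem and should be fixed in DNS rather than in the firewall, and RPC over TCP continues on a dynamic port range after the endpoint-mapper handshake (49152-65535 by default on current Windows versions), which a single TCP probe cannot exercise, so confirm that range in the firewall policy itself.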
Customize the Admin Portal (Optional)
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Customize settings such as the login suffix and tenant URLs. | Admin Portal > Settings > General | Settings UI fields |
| Configure additional customization such as logos and colors for the Admin Portal. | Admin Portal > Settings > General > Account Customization | How to Customize the Admin and Login Window |
Add Corporate IP Ranges
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Add IP ranges that identify internal and external networks; these ranges can then be used to specify authentication requirements. | Admin Portal > Settings > Network > Corporate IP Range > Add | How to Set Corporate IP Ranges |
Add Users and Roles
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Manually create additional System Administrator accounts in the Delinea Directory. (You can add Active Directory users in later steps, after you configure the Cloud Connector.) Manually create Delinea Directory user accounts in the Delinea Directory. You can also bulk import Delinea Directory user accounts; see How to Bulk Import User Accounts. | Admin Portal > Access > Users | Creating Individual Directory Service Users |
| - Add System Administrator accounts to System Administrator roles.<br>- Add Delinea Directory user accounts to roles. By default, users are added to the Everybody role. You can add further roles with different administrative rights to control who can do what, or which policies are applied to different groups of users. | Admin Portal > Access > Roles | Adding Roles |
Configure Policies
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Configure user security for the Privileged Access Service, such as password-based authentication. In particular, be sure to configure:<br>- Authentication Policies > Delinea Services<br>- User Security Policies<br>- Devices | Admin Portal > Access > Policies | Creating Policy Sets and Policy Assignments<br>Reference Content — Roles |
| Configure multi-factor authentication if applicable:<br>- MFA with mobile device phone numbers: check that these attributes exist and are provisioned in the directory source (Active Directory, federation, etc.).<br>- MFA with email: check that email attributes exist and are provisioned in the directory source (Active Directory, federation, etc.).<br>- RADIUS for MFA: configure RADIUS.<br>- OATH for MFA: configure OATH. | (MFA mobile) Identity store, such as Active Directory or another LDAP-based service<br>(MFA email) Identity store, such as Active Directory or another LDAP-based service<br>(RADIUS) Access > Policies > User Security Policies > RADIUS. Also refer to your RADIUS client documentation for additional configuration procedures and guidelines.<br>(OATH) Access > Policies > User Security Policies > OATH OTP. Exact configuration steps depend on your OATH method. | How to Configure MFA for Third-Party Integration<br>Configuring the Delinea Connector for Use as a RADIUS Server<br>How to Configure OATH OTP |
| Configure global security settings such as password rotation frequency, minimum password age, how long passwords can be checked out, and so forth. | Admin Portal > Settings > Resources > Security Settings | How to Set Authentication Security Options |
Configure Password Profiles
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Customize password profiles for systems, domains, and databases. | Admin Portal > Settings > Resources > Password Profiles | Configuring Password Profiles |
Add and Configure Resources
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Add the resources you want managed by the Privileged Access Service (Systems, Databases, Domains, Accounts, Secrets, SSH keys, Services) using one of the following methods:<br>- Import (Admin Portal Import function or PowerShell)<br>- Discovery (Systems and Accounts only). If you are using Discovery, identify an Active Directory account with local administrator permissions on the resources that will be discovered.<br>- Manually | (Import) Admin Portal > Resources > Systems > Import, to download the PowerShell script<br>(Discovery) Admin Portal > Discovery > Systems and Accounts or Alternate Accounts > Profiles<br>(Manually) Admin Portal > Resources > Systems, Databases, Domains, Accounts, Secrets, SSH keys, or Services | Importing Systems, Accounts, Domains, and Databases<br>Discovering Systems<br>Adding Systems with the Wizard |
| Configure service settings for:<br>- Accounts used to run Windows services or scheduled tasks<br>- IIS application pools<br>- Multiplexed accounts used to rotate the password for service accounts | Admin Portal > Resources > Services | Managing Services |
| Configure permission access for resources:<br>- Individual (all resource types)<br>- Global (Systems and Accounts)<br>- Sets (all resource types) | (Individual) Admin Portal > Resources > select resource type > Permissions<br>(Global) Admin Portal > Access > Global Account Permissions or Global System Permissions<br>(Sets) Admin Portal > Resources > select resource type > Sets | Individual: Setting System-Specific Permissions; Setting Domain-specific Permissions; Setting Database-specific Permissions; Setting Secret, Folder, and Set Permissions; Setting Service-specific Permissions<br>Global: Setting Global Account Permissions; Setting Global System Permissions<br>Sets: see the Individual references above |
Configure Web Apps
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| - Add web applications to the Admin Portal app catalog.<br>- Configure application settings.<br>- Assign roles to the application. | Admin Portal > Apps > Add Web Apps | Adding Web Applications Using the Admin Portal |
Configure Desktop Apps
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| - Add desktop applications to the Admin Portal app catalog.<br>- Configure application settings.<br>- Assign roles to the application. | Admin Portal > Apps > Add Desktop Apps | Adding Desktop Apps Using the Admin Portal |
Configure Workflow (Optional)
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Configure workflow (request and approval access) for web applications, desktop applications, and accounts:<br>- Configure roles for requestors and approvers<br>- Enable workflow for an application or an account<br>- Add an approver<br>To simplify configuring a “request and approval” workflow, you can enable workflow for all accounts stored in the Privileged Access Service. | Applications: Admin Portal > Web Apps or Desktop Apps > select application > Workflow<br>Accounts: Admin Portal > Resources > Accounts > select account > Workflow<br>Global Account Configuration: Admin Portal > Settings > Resources > Global Account Workflow | Managing Application Access Requests<br>Enabling Request and Approval Workflow<br>Configuring Global Account Workflow |
Configure Zone Role Workflow for use with Server Suite (Optional)
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Configure Zone Role Workflow (request and approval access) for Systems and Domains:<br>- Configure roles for requestors and approvers<br>- Enable Zone Role Workflow for all computers in a domain<br>- Add an approver<br>Systems must be joined to a zone. | Systems: Admin Portal > Resources > Systems > select system > Zone Role Workflow<br>Domains: Admin Portal > Resources > Systems > select system > Zone Role Workflow | Using Zone Role Workflow |
Configure the Remote Access Kit
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| If you require remote access to systems using PuTTY or local RDP, install a local client kit and enable access for individual users. | Admin Portal > Settings > Resources > User Preferences | Selecting User Preferences |
Enable Auditing for Remote Sessions
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| - Create an audit installation and verify that the environment is working.<br>- Enable auditing and specify the installation name for the systems you manage in the Admin Portal.<br>See the Audit and Monitoring Deployment Checklist for additional details. | Admin Portal > Settings > Resources > DirectAudit | Enabling Auditing for Remote Sessions |
Install Cloud Clients
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Install the Cloud Client for Linux or the Cloud Client for Windows to allow computer accounts to run services and to check out account passwords that are stored in the Privileged Access Service. | Admin Portal > Downloads | Installing and Using the Cloud Client for Windows<br>Enrolling and Managing Computers Using the Cloud Client for Linux |
Educate End Users
| Deployment Step | Configuration location | Detailed Instructions |
|---|---|---|
| Educate end users on how to:<br>- Configure a user profile<br>- Register devices<br>- Launch web and desktop apps | (User profile) Click Profile under your user name in the Admin Portal.<br>(Register devices) Click Profile > Devices > Add Device under your user name in the Admin Portal.<br>(Launch apps) Admin Portal > Apps > Web Apps or Desktop Apps | Using the Tabs<br>Launching Applications<br>Selecting Actions for Desktop Apps |