Deployment Process Overview
This chapter summarizes what’s involved in deploying Centrify software. It includes simplified diagrams that highlight the steps involved and describes the tasks that are done only once, the tasks that are repeated to complete a deployment, and the tasks that may be part of the deployment project or ongoing administration after deployment.
The individual diagrams provide additional details about what’s involved in each phase or the decisions you will need to make, such as who should be part of the deployment team, where to install the software, and who has permission to do what.
What’s Involved in a Typical Deployment Project
The following illustration provides a visual summary of the overall deployment process and highlights a few keys to a successful deployment.
The next sections provide additional details about each of these phases.
Plan
During the first phase of the deployment, you should collect and analyze details about your organization’s requirements and goals. You can then make preliminary decisions about sizing, network communication, and what your zone structure should look like.
Here are the key steps involved:
- Assemble a deployment team with Active Directory and UNIX expertise.
  The team might also include specialists, such as database administrators, network architects, or application owners. For more information about assembling a deployment team, see Preparing a deployment team.
- Provide basic training so that members of the deployment team are familiar with Centrify concepts and terminology and know where to go for more information.
- Analyze the existing environment to determine your goals and requirements and identify target computers on which you plan to install Centrify components.
  This step is essential for designing the zone structure if you are migrating any local accounts or legacy profiles. It is also critical if you are deploying the auditing infrastructure. For more information about the questions to answer and factors that affect deployment, see Defining goals for the deployment.
- Design a basic zone structure that suits your organization.
  The zone structure depends primarily on how you want to use zones. For more information about deciding how to use zones, see Why use zones?.
- Identify a target set of computers for deployment and check that required ports are open.
Default Ports for Network Traffic and Communication
To help you plan for network traffic, the following ports are used in the initial set of network transactions when a user logs on and the agent connects to Active Directory:
- Directory Service - Global Catalog lookup request on port 3268.
- Authentication Services - LDAP sealed request on port 389.
- Kerberos – Ticket Granting Ticket (TGT) request on port 88.
- Network Time Protocol (NTP) Server – Time synchronized for Kerberos on port 123.
- Domain Name Service (DNS) – Host (A), Pointer (PTR), Service Location (SRV) records on port 53.
Depending on the specific components you deploy and operations performed, you might need to open additional ports. The following table summarizes the ports used for different editions of Centrify software.
| This port | Is used for | Where it is required |
|---|---|---|
| 389 | Encrypted TCP/UDP communication | Centrify authentication service and privilege elevation service for Active Directory authentication and client LDAP service. |
| 3268 | Encrypted TCP communication | Centrify authentication service and privilege elevation service for Active Directory authentication and LDAP global catalog updates. |
| 88 | Encrypted UDP communication | Centrify authentication service and privilege elevation service for Kerberos ticket validation and authentication for agents and Centrify PuTTY. |
| 464 | Encrypted TCP/UDP communication for Kerberos password changes | Centrify authentication service and privilege elevation service for Kerberos ticket validation and authentication for agents, Centrify PuTTY, adpasswd, and passwd. |
| 53 | TCP/UDP communication | Centrify authentication service and privilege elevation service for clients using the Active Directory DNS server role for DNS lookup requests. |
| 445 | Encrypted TCP/UDP communication for delivery of group policies | Centrify authentication service and privilege elevation service for adclient and adgpupdate using Samba (SMB) and Windows file sharing to download and update group policies, if applicable. |
| 123 | UDP communication for simple network time protocol (NTP) | Centrify authentication service and privilege elevation service to keep time synchronized between clients and Active Directory for Kerberos ticketing. |
| 22 | Encrypted TCP communication for OpenSSH connections | Centrify authentication service and privilege elevation service to support secure shell connections on remote clients. |
| 23 | TCP communication for Telnet connections | Centrify authentication service and privilege elevation service to support telnet connections on remote clients if you cannot use secure shell (ssh). By default, telnet connections are not allowed because passwords are transferred over the network as plain text. |
| none | ICMP (ping) connections | Centrify authentication service and privilege elevation service to determine whether a remote computer is reachable. |
| 1433 | Encrypted TCP communication for the collector connection to Microsoft SQL Server | Centrify authentication service, privilege elevation service, and audit and monitoring service to enable the collector service to send audited activity to the database. |
| 5063 | Encrypted TCP/RPC communication for the agent connection to collectors | Centrify authentication service, privilege elevation service, and audit and monitoring service to enable the auditing service to record user activity on an audited computer. |
| 443 | Cloud proxy server to Centrify cloud service | Centrify for mobile device management. |
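The planning step above asks you to confirm that the required ports are open before deploying agents. The following script is an added example (not Centrify's own tooling) that probes the TCP ports from the table against a domain controller from a target UNIX computer; it assumes a placeholder host name and covers TCP only, so the NTP (UDP 123) and ICMP rows still need a separate check, while ports 88 and 53, listed above as UDP, are probed over TCP because domain controllers also serve Kerberos and DNS on TCP.

```python
import socket
import sys

# Checklist built from the guide's port table (constructed for this example).
# Only TCP is probed: NTP on UDP 123 and ICMP reachability are out of scope here.
REQUIRED_TCP_PORTS = {
    53: "DNS (A, PTR, SRV lookups)",
    88: "Kerberos ticket requests",
    389: "LDAP to a domain controller",
    445: "SMB for group policy download (adgpupdate)",
    464: "Kerberos password changes (adpasswd, passwd)",
    3268: "Global Catalog lookups",
}


def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False


def check_required_ports(host, probe=probe_tcp, ports=REQUIRED_TCP_PORTS):
    """Probe every required port on host and return {port: reachable}."""
    return {port: probe(host, port) for port in ports}


def blocked_ports(results):
    """Ports that must be opened before the computer can join the domain."""
    return sorted(port for port, reachable in results.items() if not reachable)


def report(host, results, ports=REQUIRED_TCP_PORTS):
    """One line per port, blocked ports listed first so they are not missed."""
    lines = [f"Port check against {host}:"]
    for port in blocked_ports(results):
        lines.append(f"  BLOCKED {port:>5}  {ports[port]}")
    for port in sorted(p for p, ok in results.items() if ok):
        lines.append(f"  open    {port:>5}  {ports[port]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical domain controller name; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"
    outcome = check_required_ports(target)
    print(report(target, outcome))
    sys.exit(1 if blocked_ports(outcome) else 0)
```

Run it from each target computer before adjoin; a non-zero exit means at least one port in the table is unreachable and the firewall rules need attention first.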
Network Connections and Database Management for Auditing
If you are planning a deployment with audit and monitoring service installed together with identity and privilege management, you must plan for reliable, high-speed network connections between components that collect and transfer audit data and how network traffic will be affected. You must also plan how you will create and manage the databases that store and retrieve audit data, your data archiving and retention policies, auditor permissions, and other details. For more information about planning and sizing for audit and monitoring service, see the Auditing Administrator’s Guide.
Prepare
After you have analyzed the environment, you should prepare the Active Directory organizational units and groups to use. You can then install administrative consoles and prepare initial zones.
Here are the key steps involved:
- Create organizational units or containers to define a scope of authority.
  For example, if you want to organize all of the UNIX-related information together for your organization, you can create one top-level container for the enterprise, such as Centrify UNIX. If you want to define the scope of authority at a regional or business unit level, you might have separate top-level containers for the different regions or business units, for example, UNIX NA-SA, UNIX EMEA, UNIX PACIFIC or UNIX-Federal, UNIX-Consumer, UNIX-Industrial.
  The deployment project team should consult with the Active Directory enterprise administrator to determine the appropriate top-level containers or organizational units and who should be responsible for managing and delegating administrative tasks for the objects in those top-level containers. For more information about creating organizational units or containers in Active Directory, see Designing organizational units for Centrify.
- Create the appropriate Active Directory security groups for your organization.
  Groups can simplify permission management and the separation of duties security model. For more information about using groups, see Security groups to manage Centrify information.
- Select at least one administrative Windows computer and install the Centrify Access Manager console.
  This step is not strictly required if you only use existing processes or scripts to perform administrative tasks, but Centrify recommends you have at least one computer where you can use the graphical user interface to perform common tasks. If you are deploying the audit and monitoring service infrastructure, you should also install Audit Manager and Audit Analyzer. For more information about installing Centrify software on Windows, see Installing Authentication & Privilege Services.
- Start the Access Manager console to run the Setup Wizard for the Active Directory domain.
- Create a parent zone and the appropriate child zones as identified in your basic zone design.
  The hierarchical zone structure you use depends primarily on how you want to use inheritance and overrides. For more information about creating parent and child zones, see Creating the first zone.
- Determine the target set of computers and make sure that they have the appropriate connectivity.
Deploy
After you have prepared Active Directory, installed administrative consoles on at least one computer, and created at least one zone, you are ready to deploy on the computers to be managed.
Here are the key steps involved:
- Download agent software from the Centrify Download Center or a network location.
- Deploy the agent software on discovered computers that are ready for installation.
- Determine whether there are any local accounts to migrate.
  Right-click discovered computers, then click Export Users and Groups to generate a text file containing information about local accounts. Review the text file to determine whether there are any local accounts to migrate to Active Directory.
  If there are local accounts that must be able to log on to the discovered computer, import the groups, then users and assign them the default UNIX Login role. For more information about migrating local accounts, see Migrating existing users to hierarchical zones.
- Join the domain using the adjoin command.
- Prepare basic group policies.
  The most common Windows computer configuration policies to deploy are:
  - Interactive Logon: Message text for users attempting to log on—Enable and type a message that instructs the user to log on with an Active Directory user name and password.
  - Global Configuration Settings - MaxPollInterval—Enable and set an interval if you are using Active Directory and the Centrify network time provider. Disable if you are using a native UNIX NTP daemon.
  - Enable Windows NTP Client—Enable if you are using Active Directory and the Centrify network time provider. Disable if you are using a native UNIX NTP daemon.
  The most common Centrify computer configuration policies to deploy are:
  - Set login password prompt—Enable and type a message that instructs the user to log on with an Active Directory user name and password.
  - Copy files—Enable to copy configuration files such as those required by autofs or sshd from the SYSVOL folder to managed computers.
  - Generate forwardable tickets—Disable to prevent logon tickets from being sent from one computer to another.
Validate
After you have deployed agents on target computers, you should test and verify operations before deploying on the additional computers.
Here are the key steps involved:
- Log on to a target computer using an Active Directory user account and password to verify Active Directory authentication.
- Test password policy enforcement by attempting to change to a password that violates password complexity rules.
- Test account lockout and reset.
Manage
After you have verified the successful deployment on target computers, there are many ways you can refine, manage, and enhance on-going operations.
Here are a few of the key ways you can add value after deployment:
- Add custom roles and role assignments for users, groups, and computers.
- Import custom permissions from sudoers configuration files.
- Deploy group policies on the appropriate organizational units.
- Add the auditing infrastructure and add auditing to custom roles.
- Integrate Centrify software and Active Directory authentication and authorization services with database or web applications.
Deployment Tasks and Administrative Activity
For most deployments, there are tasks that you only perform once for an entire organization, tasks that are repeated until the deployment is complete, and tasks that are essential to deployment but are also administrative tasks that you perform infrequently or periodically after deployment.
Steps You Only Take Once
In most organizations, you only perform the following tasks once in preparation for the deployment:
- Assemble a deployment team with Active Directory, UNIX, and other expertise.
- Provide basic training covering Centrify architecture, concepts, and terminology.
- Analyze the existing environment:
  - Find a target set of computers that share a common attribute, such as the same operating system or a similar user population.
  - Plan for permissions and the appropriate separation of duties for your organization.
  - Review network connections, ports, firewall configuration.
  - Identify computers for administration:
    - Basic deployment—Access Manager
    - Auditing—Audit Manager and Audit Analyzer consoles, collectors, audit databases and servers, and the installation management server
    - Provisioning service—Zone Provisioning Agent and configuration tool
- Design a basic zone structure that suits your organization.
  - Single or multiple top-level parents.
  - Initial child zones, for example separate zones for Red Hat Linux and Mac OS X or different functional departments.
- Create organizational units or containers to define a scope of authority within Active Directory.
- Create Active Directory security groups for the UNIX Login role and the listed role.
- Create an Active Directory distribution group for provisioning groups and an Active Directory distribution group for provisioning users if using the provisioning service.
- Install Access Manager on at least one administrative Windows computer.
- Open Access Manager for the first time to run the Setup Wizard for the Active Directory domain.
- Create a parent zone and the appropriate child zones as identified in your basic zone design.
  Creating additional zones is an infrequent administrative task that is performed when the need arises. The basic zone design should be sufficient for the scope of your initial deployment.
- Prepare group policies to be applied.
Steps You Take More than Once During Deployment
During deployment, you perform the following tasks multiple times until you have rolled out the agent to all of the target computers that are in scope for the deployment:
- Download agent software from the Centrify Download Center or a network location.
- Deploy the agent software on computers that are ready for installation.
- If there are local accounts to migrate that must be able to log on to the discovered computer:
  - Import the groups, then users.
  - Map groups, then users to the appropriate Active Directory groups and users.
  - Assign migrated accounts the default UNIX Login role.
- Join the domain using the adjoin command.
- Verify Active Directory authentication and validate other operations.
After deployment, deploying new or updated agents is an ongoing administrative task that should be performed on a regular basis, unless change control constraints prevent software updates, do not allow Internet connections from the computer where Access Manager is installed, or rule out deploying the agent on computers added to your network.
Steps You Take After Deployment to Begin Managing Zones Effectively
After you have migrated existing user populations, deployed the agent, and joined a domain, there are additional tasks you perform to complete the deployment and transition into effective zone administration.
The following tasks are optional but illustrate common administrative tasks that are often part of the deployment process to prepare for ongoing administration and improvements to operational security and efficiency:
- Create custom roles for accounts that have permission to run privileged commands.
- Create computer roles to link groups of computers with specific user role assignments.
- Map service accounts to Active Directory accounts.
- Deploy the basic set of group policies for computers and users.
What Happens After Deployment?
After deployment, ongoing management of UNIX computers, users, and groups is often handed off to Active Directory or Windows administrators or an internal service desk provisioning team to align with previously established processes and procedures for Windows servers and workstations. This is entirely a matter of organizational policy. However, in many cases UNIX administrators must continue to work with their Windows counterparts to ensure the appropriate rights and roles are assigned and the appropriate group policies are deployed.
Sample Workflow for Deployment Decisions
Centrify software solutions are extremely flexible so that they can be adapted to a wide variety of organizational requirements. All of this flexibility, however, can make deployment decisions difficult, especially in large-scale or complex environments. To help you sort out the questions to ask, use the following workflow and responsibilities diagram as a guide.
This sample workflow diagram is only intended as a visual guide to the key design decisions you need to make. Many of these topics are covered in more detail in other chapters in this guide. For many organizations, however, the best guidance comes from an on-site Centrify Professional Services consultant or a Centrify partner with experience designing deployment solutions tailored to your organization’s business requirements. For customized help and advice, contact your Centrify sales representative.