CyberArk PSM integration scenarios

There are several ways to use the Remote Desktop Manager CyberArk PSM components.

Although this guide covers many approaches and techniques, it cannot cover every possible avenue.

The main approaches and their associated techniques are:

  • Initial Import
    • From CSV (with a CSV template)
  • Synchronization (Using the Remote Desktop Manager Synchronizer entry)
    • From Active Directory Synchronizer
    • From Comma-Separated Values (CSV) Synchronizer
  • Dynamic utilization
    • Quick Connect
    • Host

Initial Import of CyberArk Connections From CSV

Create the CyberArk PSM Server entry (or several)

CyberArk PSM Server

Select the Connection Mode to use on the server.

  • Custom (AD account with permissions to RDP into the PSM server and an associated account in CyberArk).
  • AAM (Passwordless, see this article).

In this example, Custom is used; the username, domain and password have been entered manually.

Then choose an RDP Template created beforehand; this template defines the settings of the initial connection to the PSM server.

RDP Template created beforehand

Once the CyberArk PSM Server has been added, get the ID of the new entry (Property - Entry Information).

In our example, the ID is 33628378-d4a6-431f-8438-16b75921aef9.

ID of the new entry

Create the CyberArk PSM Connection Template

  1. Go to File - Templates - Templates.
    File - Templates - Templates
  2. Add a new template.
    Add a new template
  3. Select CyberArk PSM Connection (Pro-tip: you can filter in the field).
    CyberArk PSM Connection
  4. Give the template a meaningful name. Some of the remaining fields can be filled in, but the CSV should be complete enough if it is filled in properly.
    Template name

Create a CSV file for the import

The fields are mapped like this:

Columns:

  • Name: Name of the entry
  • ConnectionType: Always “CyberarkPSM”
  • CyberArkPSM\Component: For RDP: PSM-RDP (several options available)
  • CyberArkPSM\CyberArkJumpConnectionID: ID of the CyberArk PSM Server entry
  • CyberArkPSM\PrivilegedAccount: Privileged account to use
  • Host: Endpoint hostname/IP

Import

Once the PSM Server entry has been created and the CSV file is populated:

  1. Go to File - Import - Import Session Csv Wizard.
    File - Import - Import Session Csv Wizard
  2. Browse and select the CSV file created beforehand, and click Next.
    Import Csv Wizard
  3. Select Selected template.
  4. Select the template we created and click Finish.
    PSMImport

    Note: You must tick the Generate Direct Mapping check box.
    Generate Direct Mapping check box

Imported connections

Synchronization (Using the Remote Desktop Manager Synchronizer entry)

Both of these techniques connect to a third-party repository. The first connects to a domain controller and lists the servers and computers according to filters and settings.

The general principle of synchronizers is to keep a list of servers updated from an external information repository, such as a domain controller, a VM host, or even a simple CSV file exported periodically from another system.

The entries are created from a template that was created and configured beforehand.

It is also assumed that the CyberArk PSM integration is already configured and working (PSM Connection and Server Components, Remote Desktop Manager templates, etc.).

From Active Directory Synchronizer

This approach will create entries from an LDAP request on a domain controller.

One downside of this setup is that only the Host field is filled in by the synchronizer. The Privileged Account and the component either have to remain empty or all use the same setting (coming from the template).

Create the PSM Connection Template

Please refer to Create the CyberArk PSM Connection Template in the previous section.

The template will contain the Privileged Account, the PSM Server and the Connection Component to use.

Create an Active Directory Synchronizer

Synchronizer- Active Directory

  1. Enter the domain-related data in the General tab.
  2. Then in the Settings tab, select your destination folder for the new entries to be created.
  3. Select the PSM Connection Template.
    PSM Connection Template
  4. Fill in the rest of the options and save.

Then you only have to run the Synchronizer whenever you need to refresh the server list.

From Comma-Separated Values (CSV) Synchronizer

This approach is a mix between the CSV import and the synchronizer.

In most cases, the CSV file will be generated by an external system and then edited or processed to add and complete the information.

Please refer to Create the CyberArk PSM Connection Template from the previous section for an example of a CSV Template.

That makes it more complex, but more flexible.

Create the PSM Connection Template

Please refer to Create the CyberArk PSM Connection Template in the previous section.

Create a CSV Synchronizer

Synchronizer – Comma-separated values (CSV)

Enter the file path, the template to use (created beforehand) and the destination folder.

You can then run the synchronizer every time a new version of the CSV file is produced to keep your list updated.
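The following added example (not part of the original guide or of Remote Desktop Manager) shows one way to do the "generated from an external system, then processed" step: it turns a host inventory into a CSV that uses the column mapping from the import section, and refuses rows that would create broken or ambiguous PSM entries. The inventory keys (`name`, `host`, `account`), the duplicate-name rule and the sample hosts are assumptions made for illustration; the ID is the one from this guide's example.

```python
import csv
import io
import ipaddress
import re
import uuid

# Column names exactly as listed in the field mapping of this guide.
COLUMNS = ["Name", "ConnectionType", r"CyberArkPSM\Component",
           r"CyberArkPSM\CyberArkJumpConnectionID",
           r"CyberArkPSM\PrivilegedAccount", "Host"]
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(LABEL + r"(\." + LABEL + r")*")

def valid_host(host):
    """Accept an IP address or a syntactically valid DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return len(host) <= 253 and HOSTNAME.fullmatch(host) is not None

def build_psm_csv(inventory, jump_id, component="PSM-RDP"):
    """Return (csv_text, rejected); rejected is a list of (row, reason)."""
    jump_id = str(uuid.UUID(jump_id))  # ValueError if the entry ID is not a GUID
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(COLUMNS)
    seen, rejected = set(), []
    for row in inventory:
        name, host, account = (row.get(k, "").strip()
                               for k in ("name", "host", "account"))
        if not name or name.lower() in seen:   # assumption: names must be unique
            rejected.append((row, "missing or duplicate name"))
        elif not valid_host(host):
            rejected.append((row, "invalid host"))
        elif not account:
            rejected.append((row, "no privileged account"))
        else:
            seen.add(name.lower())
            # Only the account name is written; the mapping has no password column.
            writer.writerow([name, "CyberarkPSM", component, jump_id, account, host])
    return out.getvalue(), rejected

# Constructed sample inventory (hypothetical hosts and account names).
JUMP_ID = "33628378-d4a6-431f-8438-16b75921aef9"  # ID from this guide's example
SAMPLE = [
    {"name": "SRV-APP01", "host": "srv-app01.example.test", "account": "svc-admin-app"},
    {"name": "SRV-DB01", "host": "10.0.0.15", "account": "svc-admin-db"},
    {"name": "srv-app01", "host": "10.0.0.16", "account": "svc-admin-app"},
    {"name": "SRV-WEB01", "host": "bad host!", "account": "svc-admin-web"},
    {"name": "SRV-FS01", "host": "srv-fs01.example.test", "account": ""},
]
```

Reviewing the rejected list before each synchronizer run keeps malformed or incomplete rows from turning into privileged-session entries.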

Dynamic utilization

Quick Connect

Via the Quick Connect toolbar, you can open an ad-hoc session by specifying the host and session type. Read more about the Quick Connect function.

A CyberArk PSM Connection template is required beforehand.

  1. Go to File - Templates - Templates, and add a new template.
  2. In Host, enter $QUICK_CONNECT$.
  3. Set a privileged account to be used.
  4. Select the PSM Server that this PSM connection will be using and a Connection component.
    File - Templates - Templates

This approach allows you to create multiple templates for PSM connections, reflecting several Privileged Accounts and Connection components.

Utilization

Once a template has been created, it will show up in the Quick Connect list of templates.

Quick connect

You can then type in the Host of the target endpoint and launch the session.

Host

Take a look at this link to implement a Host entry for the PSM integration.

The steps are very similar to those for Quick Connect: the creation of the template is exactly the same, except that the Host field remains empty.

What makes this approach interesting is that a variable can be used to populate the Privileged Account.

In this example I used the Custom Field #1 variable; here’s the template configuration:

Privileged account variable

And the Host entry:

Host entry

Custom Fields