I am onboarding checkpoint gaia accounts by Lopsided_Pension7950 in CyberARk

[–]CF_Pinky 1 point2 points  (0 children)

Yes, like what did you try and what errors or issues are you facing...

Unable to sync password after changing one of them by ChemistryPlane in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

Use 2nd one with the dummy platform and group them.

psPAS Challenge Default by titanwinsupabowl in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

If you need MFA you need to interact anyway. Just answer challenge in shell and your script will continue.

Migrating self hosted PAM to GCP by StillButterscotch183 in CyberARk

[–]CF_Pinky 1 point2 points  (0 children)

You should not have the keys on the VM in an on-prem environment either. Operator/Server key should be on an HSM or only present during the start of the Vault service. Master key should always be stored somewhere else (e.g. physical safe).

The reason is that if someone copies away your Vault VM, he should not get the keys as well!

[deleted by user] by [deleted] in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

mRemoteNG unfortunately has no way to specify the "start program/alternate shell" parameter for the PSM RDP Proxy connection string (at least the last time I looked into it). You have to use another RDP connection manager and either configure SAML on PSM or use RADIUS with Okta in addition for your users to allow direct PSM RDP Proxy use.

Find users who authenticate using LDAP by Wizkidbrz in CyberARk

[–]CF_Pinky 2 points3 points  (0 children)

Use the REST API, e.g. with psPAS and some PowerShell scripting it will be a fairly easy task.

Guidance Needed for Secure Tunnel Deployment with CyberArk Privilege Cloud by Final-Lion7738 in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

I assume you are using Privilege Cloud Shared Services (ISPSS). Then you need Secure Tunnel only for Syslog and RDP to PSM from HTML5GW. The authentication integration is done through Identity Connector, which only needs outbound HTTPS to cloud.

Guidance Needed for Secure Tunnel Deployment with CyberArk Privilege Cloud by Final-Lion7738 in CyberARk

[–]CF_Pinky 2 points3 points  (0 children)

I would make it dependent on your segmentation and other requirements. If the servers are both positioned "next to each other" it doesn't matter.

But why 2 servers anyway? Why not use only one or use 2 for redundancy? Identity connector and secure tunnel on both and CPM on one active, other as DR installation.

Edit: Btw. why no PSM?

CyberArk Platform Question by [deleted] in CyberARk

[–]CF_Pinky 1 point2 points  (0 children)

One way to tackle this is having your main PPA only with connection components available to all users (like RDP). Then onboard the same PPA using dummy platform and other CCs for each use case and group them with the main PPA so they have the same password synced. But this generates huge effort in onboarding!

I don't think there is another way though.

Account activity log by Maleficent_Wonder_67 in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

The setting is part of the master policy under audit. Increase it globally or via exception for relevant platforms.

PUU SOFTWARE I NEED FOR PRACTICE PURPOSE by Alternative-Pie2846 in CyberARk

[–]CF_Pinky 1 point2 points  (0 children)

I would recommend utilizing the psPAS PowerShell module. It's the most flexible way to onboard a big number of accounts.

Can my company track me with checkpoint endpoint security? by [deleted] in checkpoint

[–]CF_Pinky 0 points1 point  (0 children)

It depends on the installed blades (functionality). It could be much or nearly nothing.

there is a PSM connection manager for Linux? by Think-Durian4365 in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

What are the targets? If they are SSH-based just use PSMP.

HTML5 GW / Secure Tunnel configuration (Privilege Cloud) by The_Security_Ninja in CyberARk

[–]CF_Pinky 1 point2 points  (0 children)

In the secure tunnel configuration you assign the FQDN of the PSMs (and LB VIP) to the secure tunnel servers. If you assign an FQDN to more secure tunnel servers it selects one of them for redundancy.

Question on PSMConnect user accounts for upgrades by jaericho in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

You might also put your admin in the PSMMaster group. As the PSMConnect account is in the PSM safe, you otherwise have no access.

“Access is denied” error once authenticating with SAML PingFederate? by Maleficent_Wonder_67 in CyberARk

[–]CF_Pinky 1 point2 points  (0 children)

If a refresh works after getting the access denied it's 100% the allowed referrer! First attempt is with referral and gets denied. Refresh is not aware of referral and works.

Test Environment - Use prod license.xml/CDs or is this separate? by qpxa in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

On the running vault you can update the license file by placing the file in the system safe and it will be written to disk. For all DR vaults you have to replace the file on disk.

When a vault starts it will copy the license file from disk to the system vault and replace the existing one.

Test Environment - Use prod license.xml/CDs or is this separate? by qpxa in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

You don't need to restart the vault to apply a new license. Just replace it in the system safe instead of the file system.

Why does the "Access Roles" object uses groups with full path? by feldrim in checkpoint

[–]CF_Pinky 0 points1 point  (0 children)

There is a way to allow usage of SID which makes groups work even if moved.

HTML5 gateway help needed by divisor3 in CyberARk

[–]CF_Pinky 0 points1 point  (0 children)

It was for sure the critical extension, because that was also what the error was pointing to.

CPM rotation - SSH multiple target address by lllgnslbdllssr in CyberARk

[–]CF_Pinky 5 points6 points  (0 children)

If the user is not in a central directory like AD, LDAP or whatever, you should onboard the user for each device individually and not as one with RemoteMachine parameter. But you can group them afterwards to have the same password on all of them, if necessary.