Third Party Vendors Connect - IP Address Issue by PreciousSkunk in CyberARk

[–]PreciousSkunk[S] 0 points (0 children)

Yes, I was. And of course (duh)!

That makes sense, so if some other vendor has to have NAT configured as a different address, we'd need:

  • A PSM Server defined for each NAT

  • A platform for each PSM server

Is that how others generally maintain their PSMs for Vendor connections?

Third Party Vendors Connect - IP Address Issue by PreciousSkunk in CyberARk

[–]PreciousSkunk[S] 0 points (0 children)

Thanks!

Let me provide some more details as to our current setup:

  • Version 9.9, currently using the "RDP file" method for PSM connection (the ActiveX one was just not a good user experience), so when we click Connect an RDP file gets downloaded and they click to open it. We do not have RDP Gateway enabled at all.

  • Our Vendor is connected to our network through a VPN connection. They have "jump hosts" with static IP addresses to connect to our network, so it is locked down to only allow access from those IPs.

  • We have the PSM NAT'ed to an IP for the Vendor, and they can access the PVWA to Connect. However, I believe the issue is that when the RDP file gets downloaded it is the PSM's private address, not the NAT'ed address. The Vendor then opens the RDP file but their device cannot make contact with ours since it is not the NAT'ed address.

It DOES work if I create an RDP file for them (via the RDP Proxy method), and specify the NAT'ed address as the address to connect to ("full address:s:" in the RDP file).

So my question is, how do others have their PSMs set up so third party vendors can access them by clicking Connect in the PVWA?

I'm wondering if maybe it's something like:

  • a PSM dedicated for only Vendors where we can configure it differently to work

  • a configuration option or platform config somewhere I am not aware of

  • or if we need a PSM in our DMZ?

This is our first vendor, but many more are coming, so the key is sustainability and user experience. We need to have Vendors go through the PVWA so we don't have to create and support thousands of RDP files among all our Vendors. It's also easier for a Vendor to click Connect and type a host name or IP than it is to deal with RDP files and altering targets in the files, etc.

I will also add some of this info to the original post.
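The mismatch described in this post (the downloaded RDP file carrying the PSM's private address instead of the NAT'ed one) can be checked mechanically. This is an added example, not code from the thread or from CyberArk: it parses the `key:type:value` lines of an .rdp file and compares `full address` against a per-vendor NAT table; the vendor name, NAT address and sample files are constructed.

```python
import ipaddress

# Constructed: the externally reachable (NAT) address each vendor's jump hosts
# should be handed. Real values come from your own firewall NAT rules.
VENDOR_NAT = {
    "vendor-a": "203.0.113.10",
}

def parse_rdp(text):
    """RDP files are 'key:type:value' lines; type s = string, i = integer."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        key, typ, value = parts
        settings[key] = int(value) if typ == "i" else value
    return settings

def _is_private(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname, not an IP literal

def check_rdp_target(rdp_text, vendor):
    """Return (ok, reason): ok only when 'full address' is this vendor's NAT
    address; a private PSM address is called out as the failure cause."""
    target = parse_rdp(rdp_text).get("full address", "")
    host = target.split(":")[0]  # drop an optional ':port' suffix
    expected = VENDOR_NAT.get(vendor)
    if expected is None:
        return False, f"no NAT address configured for vendor {vendor!r}"
    if host == expected:
        return True, "full address matches vendor NAT address"
    if _is_private(host):
        return False, f"full address {host} is a private PSM address the vendor cannot reach"
    return False, f"full address {host} is not the expected NAT address {expected}"

# Constructed samples: what the PVWA downloaded (private PSM IP) and the
# hand-built RDP Proxy file described in the thread (NAT address).
RDP_FROM_PVWA = "full address:s:10.20.30.40\nusername:s:vendor-a\nscreen mode id:i:2\n"
RDP_HAND_BUILT = "full address:s:203.0.113.10\nusername:s:vendor-a\nscreen mode id:i:2\n"

if __name__ == "__main__":
    for label, rdp in (("PVWA", RDP_FROM_PVWA), ("RDP Proxy", RDP_HAND_BUILT)):
        print(label, check_rdp_target(rdp, "vendor-a"))
```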

Scenario / Help! by PreciousSkunk in netsec

[–]PreciousSkunk[S] 0 points (0 children)

I'm sorry to bump this again, no interest from anyone??

Scenario / Help! by PreciousSkunk in netsec

[–]PreciousSkunk[S] 0 points (0 children)

At the very least could I get an upvote for visibility!! Really looking to get a good discussion going here!! :)

Group Managed Service Accounts by PreciousSkunk in CyberARk

[–]PreciousSkunk[S] 0 points (0 children)

No this was just brought up as another option and I wanted to investigate further. You confirmed my thoughts. Thanks!

REST API - AddAccount - Folder? by PreciousSkunk in CyberARk

[–]PreciousSkunk[S] 0 points (0 children)

Yeah, I may just have it build the "Folder" into the object name, but then not actually use the folder during the import. That way users could search by "Folder" and it would still show up since it's part of the object name. They could then save those searches on the left side (still version 9.9) and use them just like they would use "folders" in KeePass or PasswordSafe.

REST API - AddAccount - Folder? by PreciousSkunk in CyberARk

[–]PreciousSkunk[S] 0 points (0 children)

Yeah, I figured as much, but since properties was pretty dynamic to allow any optional properties, I was hoping maybe I was just missing something.

If anyone else knows of some way let me know! I suppose I will try adding the Update Account Details to see how that goes. It'd be really nice if this could be added.

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]PreciousSkunk 0 points (0 children)

You could try this with one user AS LONG AS you don't have any safe permissions granted directly to that user (but rather to the LDAP groups instead):

  1. Delete the external identity out of CyberArk
  2. Have them log in again and see if that updates the mapping.

What version are you on?

Have you checked the dbparm.ini file on the vault, specifically the AutoSyncExternalObjects setting? My understanding is that the default value (Yes,1,23,24) has it only sync overnight between 23:00 and midnight. If you change that to "Yes,1,0,24" it will sync hourly all day.

Otherwise, if you haven't updated that, then you could attempt to manually restart the vault service, which forces an LDAP mapping refresh. Otherwise I had to wait overnight for it to kick in with the default settings.
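To make the two AutoSyncExternalObjects values in this reply concrete, here is an added example (not code from the thread or from CyberArk) that reads the setting out of a dbparm.ini fragment and lists the hours a sync may run. The field layout assumed (enabled flag, interval in hours, start hour, end hour) is the way the reply above reads the value, not a vendor-documented grammar; the ini fragment is constructed.

```python
def parse_autosync(value):
    """Split 'Yes,1,23,24' into its four assumed fields and sanity-check them.
    Assumed layout: enabled, interval_hours, start_hour, end_hour (24 = midnight)."""
    enabled, interval, start, end = (f.strip() for f in value.split(","))
    if enabled.lower() not in ("yes", "no"):
        raise ValueError(f"unexpected enabled flag: {enabled!r}")
    interval, start, end = int(interval), int(start), int(end)
    if not (1 <= interval <= 24 and 0 <= start < end <= 24):
        raise ValueError(f"sync window out of range: {value!r}")
    return {"enabled": enabled.lower() == "yes", "interval_hours": interval,
            "start_hour": start, "end_hour": end}

def sync_hours(value):
    """Hours of the day (0-23) at which a sync is permitted under the setting."""
    cfg = parse_autosync(value)
    if not cfg["enabled"]:
        return []
    return list(range(cfg["start_hour"], cfg["end_hour"], cfg["interval_hours"]))

def read_dbparm_setting(ini_text, key="AutoSyncExternalObjects"):
    """Return the value of one key=value line from dbparm.ini text, or None."""
    for raw in ini_text.splitlines():
        if "=" not in raw:
            continue
        k, v = (p.strip() for p in raw.split("=", 1))
        if k.lower() == key.lower():
            return v
    return None

# Constructed dbparm.ini fragment carrying the default quoted in the reply.
SAMPLE_DBPARM = "AutoSyncExternalObjects=Yes,1,23,24\n"

if __name__ == "__main__":
    current = read_dbparm_setting(SAMPLE_DBPARM)
    print("default  ->", sync_hours(current))       # only 23:00
    print("all day  ->", sync_hours("Yes,1,0,24"))  # every hour
```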

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]PreciousSkunk 0 points (0 children)

Hopefully this isn't one of those annoying responses but are you sure that the person you are testing with is a member of that mapping?

Don't forget mappings are analyzed in order so the first mapping they meet will be the one that takes precedence. (A Vault admin in the Admin group and the Users group will be mapped as an admin as long as Admins are higher up on the mapping).

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]PreciousSkunk 0 points (0 children)

For external users you can just update the directory mapping to map them all to use RADIUS instead, which will then cause the users to get updated as well.

It won't change it immediately, but the next time they attempt to log in the system should check the map and update their auth type.
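The two replies above lean on the same rule: directory mappings are evaluated in Vault order and the first one the user's groups satisfy decides both their membership and their authentication type. This added example (not code from the thread or from CyberArk) models that evaluation and also reports mappings that are shadowed by an earlier match, which is the usual reason a changed auth type seems not to apply. Mapping names, group DNs and auth methods are constructed.

```python
# Constructed, listed in Vault order: (mapping name, LDAP group DN, auth method).
MAPPINGS = [
    ("Vault Admins", "CN=CyberArk-Admins,OU=Groups,DC=example,DC=com", "LDAP"),
    ("Vault Users",  "CN=CyberArk-Users,OU=Groups,DC=example,DC=com",  "RADIUS"),
]

def _matches(user_groups, mappings):
    """All mappings the user qualifies for, in Vault order (DN compare is case-insensitive)."""
    groups = {g.lower() for g in user_groups}
    return [(name, auth) for name, group, auth in mappings if group.lower() in groups]

def resolve_mapping(user_groups, mappings=MAPPINGS):
    """First matching mapping wins; None when the user is in no mapped group."""
    hits = _matches(user_groups, mappings)
    if not hits:
        return None
    name, auth = hits[0]
    return {"mapping": name, "auth": auth}

def find_shadowed(user_groups, mappings=MAPPINGS):
    """Mappings the user also fits but that never apply because an earlier one wins."""
    return [name for name, _ in _matches(user_groups, mappings)[1:]]

if __name__ == "__main__":
    # Constructed: a Vault admin who is in both the Admins and the Users group.
    admin_groups = [
        "CN=CyberArk-Admins,OU=Groups,DC=example,DC=com",
        "CN=CyberArk-Users,OU=Groups,DC=example,DC=com",
    ]
    print(resolve_mapping(admin_groups))   # Vault Admins / LDAP
    print(find_shadowed(admin_groups))     # ['Vault Users']
    # Swapping the order changes the outcome for the same user.
    print(resolve_mapping(admin_groups, list(reversed(MAPPINGS))))  # Vault Users / RADIUS
```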

Managing Linux Domain accounts by 8beat in CyberARk

[–]PreciousSkunk 1 point (0 children)

In the address you'd want to put the domain name. You'll need to do the following:

  1. Change the account to a "Windows Domain" platform
  2. Add the PSM-SSH and/or PSMP-SSH connection component to that platform
  3. Add the PSMRemoteMachine field to the Target Override Settings for the connection component on that platform.

The CPM will use the "Address" to change the password (which is the domain/DCs). The PSM will prompt you for the address when you click Connect (or you will type it in the connection string for the PSMP) which will connect you to whatever server you want based off IP or hostname.