Deploying

Describes how deploy the PAM Server and its components.
capam40
You can deploy PAM as a hardware or software appliance. Learn how to deploy the product in different environments and how to set up clustering for high-availability deployments.
Deploy
Privileged Access Manager
The installation or deployment process varies according to which platform you use. The available options include:
  • VMware OVA template
  • Hardware appliance
  • AWS AMI-based instance
  • Microsoft Azure VHD
Members of a cluster must follow these rules:
  • VMware OVA VM instances and the hardware appliance can be in the same cluster site. The AWS AMI instance can only be clustered with other AWS AMI instances in a cluster site. Similarly, a Microsoft Azure VHD instance can only be clustered with other Microsoft Azure VHD instances in a cluster site. Different sites in a multi-site cluster can run on different platforms.
  • All cluster members must be running the same product release version. You can deploy the product in various ways to suit your existing security infrastructure.
Product Deployment Infrastructure
  • Behind a Firewall
    Deploy the product in the DMZ directly behind a firewall to send high-risk users directly to
    Privileged Access Manager
    . This deployment protects devices against users that are authorized to perform upgrades, maintenance, development, and other administration activities.
    For extra security in the DMZ, you can integrate the product with a RADIUS-based multifactor authentication solution like CA Advanced Authentication.
  • Behind an Existing VPN
    Deployment behind an existing VPN provides an extra level of control for high-risk users that are accessing resources through a standard VPN. In this scenario,
    Privileged Access Manager
    is connected to the existing internal network using independent, non-routed, non-bridged Gigabit network connections. High-risk users who access the network through the standard VPN are routed to
    Privileged Access Manager
    for secondary authorization and device access. While the VPN keeps out unauthorized users,
    Privileged Access Manager
    keeps authorized users contained to only the devices they must access.
    SSL/VPN, which was supported in 2.x, is no longer supported in 3.x releases.
  • Parallel to an Existing VPN
    Deploy
    Privileged Access Manager
    in parallel to an existing VPN. High-risk users log in using an SSL connection.
    Privileged Access Manager
    authenticates these users and gives access to specific devices per a configured policy.
  • Between Virtual or Physical Networks
    Deploy the
    Privileged Access Manager
    between networks. The product provides access control and auditing of high-risk users that are granted access to a secure network segment. Access restricts users to only those devices and services necessary to perform their job.
  • In a Citrix XenApp Environment
    In a Citrix XenApp environment,
    Privileged Access Manager
    provides a complete entitlement management security framework. This framework enables companies to satisfy compliance and best practices for increasing numbers of high-risk users accessing the critical information technology infrastructure.