Describes how to deploy the PAM Server and its components.
You can deploy PAM as a hardware or software appliance. Learn how to deploy the product in different environments and how to set up clustering for high-availability deployments.
The installation or deployment process varies according to which platform you use. The available options include:
- VMware OVA template
- Hardware appliance
- AWS AMI-based instance
- Microsoft Azure VHD
Members of a cluster must follow these rules:
- VMware OVA VM instances and the hardware appliance can be in the same cluster site. The AWS AMI instance can only be clustered with other AWS AMI instances in a cluster site. Similarly, a Microsoft Azure VHD instance can only be clustered with other Microsoft Azure VHD instances in a cluster site. Different sites in a multi-site cluster can run on different platforms.
- All cluster members must be running the same product release version.

You can deploy the product in various ways to suit your existing security infrastructure.
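The cluster membership rules above (mixed VMware OVA and hardware appliances within a site, AWS AMI and Azure VHD instances only with their own kind, any platform mix across sites, one release version for the whole cluster) can be checked before a deployment is attempted. The following is an added example, not part of the PAM product or its documentation; the topology dictionary format, member names, site names and version strings are constructed for illustration.

```python
"""Check a planned Privileged Access Manager cluster against the platform and
version rules stated in the documentation. Added example; the member/topology
format and all sample values are assumptions, not product data."""
from collections import Counter

# Platforms allowed to share one cluster site (from the documented rules):
# VMware OVA VMs and hardware appliances may be mixed; AWS AMI and Azure VHD
# instances may only be clustered with their own kind within a site.
SITE_COMPATIBLE = {
    frozenset({"vmware-ova", "hardware"}),
    frozenset({"aws-ami"}),
    frozenset({"azure-vhd"}),
}

def validate_cluster(members):
    """Return a list of rule violations; an empty list means the plan is valid.

    `members` is a list of dicts with keys name, site, platform, version
    (constructed format for this example).
    """
    problems = []
    # Rule: every member of the cluster must run the same release version.
    versions = Counter(m["version"] for m in members)
    if len(versions) > 1:
        problems.append(f"mixed release versions across cluster: {sorted(versions)}")
    # Rule: platforms within one site must form an allowed set; different
    # sites of a multi-site cluster may run on different platforms.
    per_site = {}
    for m in members:
        per_site.setdefault(m["site"], set()).add(m["platform"])
    for site, platforms in sorted(per_site.items()):
        if not any(platforms <= allowed for allowed in SITE_COMPATIBLE):
            problems.append(f"site {site!r} combines platforms not allowed together: {sorted(platforms)}")
    return problems

# Constructed sample plans, not real deployments.
GOOD_PLAN = [
    {"name": "pam-dc1-a", "site": "dc1", "platform": "vmware-ova", "version": "4.1.3"},
    {"name": "pam-dc1-b", "site": "dc1", "platform": "hardware", "version": "4.1.3"},
    {"name": "pam-aws-a", "site": "aws-us-east", "platform": "aws-ami", "version": "4.1.3"},
]
BAD_PLAN = [
    {"name": "pam-dc1-a", "site": "dc1", "platform": "vmware-ova", "version": "4.1.3"},
    {"name": "pam-dc1-c", "site": "dc1", "platform": "aws-ami", "version": "4.1.3"},
    {"name": "pam-az-a", "site": "azure-west", "platform": "azure-vhd", "version": "4.0.2"},
]

if __name__ == "__main__":
    print("good plan:", validate_cluster(GOOD_PLAN) or "OK")
    for problem in validate_cluster(BAD_PLAN):
        print("bad plan:", problem)
```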
Product Deployment Infrastructure
- Behind a Firewall: Deploy the product in the DMZ directly behind a firewall to send high-risk users directly to Privileged Access Manager. This deployment protects devices against users who are authorized to perform upgrades, maintenance, development, and other administration activities. For extra security in the DMZ, you can integrate the product with a RADIUS-based multifactor authentication solution such as CA Advanced Authentication.
- Behind an Existing VPN: Deployment behind an existing VPN provides an extra level of control for high-risk users who access resources through a standard VPN. In this scenario, Privileged Access Manager is connected to the existing internal network using independent, non-routed, non-bridged Gigabit network connections. High-risk users who access the network through the standard VPN are routed to Privileged Access Manager for secondary authorization and device access. While the VPN keeps out unauthorized users, Privileged Access Manager keeps authorized users contained to only the devices they must access. SSL/VPN, which was supported in 2.x, is no longer supported in 3.x releases.
- Parallel to an Existing VPN: Deploy Privileged Access Manager in parallel to an existing VPN. High-risk users log in using an SSL connection. Privileged Access Manager authenticates these users and grants access to specific devices according to a configured policy.
- Between Virtual or Physical Networks: Deploy Privileged Access Manager between networks. The product provides access control and auditing of high-risk users who are granted access to a secure network segment. Access restricts users to only those devices and services necessary to perform their job.
- In a Citrix XenApp Environment: In a Citrix XenApp environment, Privileged Access Manager provides a complete entitlement management security framework. This framework enables companies to satisfy compliance and best practices for the increasing number of high-risk users accessing critical information technology infrastructure.