Server Control Components in PAM
This content describes the Server Control-related components in the unified PAM solution.
PAM Server
The Server Control module makes the PAM Server the central management server for all Server Control functions. The Server Control module replaces the Enterprise Management Server in the standalone PIM and PAM SC products. The Server Control module includes components and tools that allow you to:
- Deploy policies to endpoints.
- Define resources.
- Define accessors.
- Define access levels.
Utility Appliances
In the PAM environment, PIM and PAM SC Distribution Servers are replaced by Utility Appliances. The Utility Appliances are VMware, AWS, or Azure virtual machines that you can freely download and deploy. Utility Appliances host preloaded Distribution Server software that is backwards compatible with PAM SC Endpoint Agents that are currently installed on endpoints. Like the PAM appliances, the Utility Appliances are hardened. PAM protects and controls access to these appliances.
Why was the Distribution Server replaced by the Utility Appliance?
Each PAM SC Distribution Server held a full copy of all information from across all endpoints, causing a noisy and data-intensive communication paradigm. By contrast, the Utility Appliance only caches information about the Server Control devices to which it is connected. When data changes (for example, a new device is assigned), the cache for that device is invalidated and the next request by the device fetches the updated information.
This model reduces the overall traffic between the components and streamlines data delivery. These features allow you to configure a more frequent polling time and therefore deliver policies more quickly to the devices.
Like PIM and PAM SC Distribution Servers, Utility Appliances sit between PAM and the endpoints that are under Server Control management, maintaining scale and Endpoint load distribution. The PAM implementation also provides optimized communication between PAM and the Utility Appliance, and between the Utility Appliance and the endpoints. The following diagram shows the basic architecture:
[Figure: Basic Server Control architecture (Basic_Server_Control_Architecture.png)]
For failover purposes, deploy multiple Utility Appliances in your enterprise. You can place a load balancer between the Server Control Devices and the Utility Appliances under a Source IP algorithm. Load balancers are not provided as part of the PAM infrastructure.
Server Control Agent
The Server Control Agent is a powerful tool for managing security for your native platforms, allowing you to implement the following capabilities:
- Implement a customizable security policy to meet the security requirements of the enterprise
- Provide security for users, groups, and resources beyond what is available in native operating systems
- Centrally manage security across the organization and integrate your Windows and UNIX security policies in a heterogeneous environment
UNIX Authentication Broker (UNAB)
UNIX Authentication Broker (UNAB) allows you to log in to UNIX computers using an Active Directory data store. This functionality means that you can use a single repository for all your users. Your users can log in to all platforms with the same username and password. Integrating UNIX accounts with Active Directory enforces strict authentication and password policies and transfers the rudimentary UNIX user and group properties to Active Directory. This integration allows you to manage UNIX users and groups in the same location that you manage Windows users and groups.
In the unified PAM solution, you manage your UNAB hosts from the PAM UI, from where you can:
- Control Active Directory users' access to every UNAB host in the enterprise.
- Manage host login authorizations.
- Resolve host migration conflicts.
- Generate reports.
- Create login authorization and configuration policies for UNAB devices and device groups. Login authorization policies permit or revoke authorization to Active Directory users and user groups on UNAB devices and device groups.
UNAB consists of several components that manage and control access to UNIX hosts by Active Directory users:
- UNAB Authentication Agent: Services and maintains a secure connection with Active Directory to provide the following functionality:
  - User authentication and login authorization
  - Host registration with Active Directory
  - User and group migrations
  - Administering local access files
- uxconsole: A UNAB management console to register the UNIX host with Active Directory, migrate users and groups, and register and activate UNAB.
- uxpreinstall: Lets you verify that a UNIX computer complies with UNAB system requirements. Use the uxpreinstall utility to diagnose problems and suggest solutions.
Endpoint Software
PAM SC provides software for two types of Endpoint agents:
- Endpoint Agents: Install PAM SC Endpoint Agent software on Windows and UNIX servers that you want to secure with PAM SC.
- UNAB Authentication Agent: Install the UNAB Authentication Agent on UNIX servers with an Active Directory data store that you want to act as a single repository for all of your users.