RED IM Integration with Bomgar Privileged Access

Similar documents
JIRA Integration Guide

Microsoft Dynamics CRM Integration with Bomgar Remote Support

Microsoft Dynamics CRM Integration with Remote Support

Security Provider Integration RADIUS Server

Bomgar SIEM Tool Plugin Installation and Administration

Integrate HEAT Software with Bomgar Remote Support

Remote Support Web Rep Console

Bomgar PA Integration with ServiceNow

Real-Time Dashboard Integration Bomgar Remote Support

BMC FootPrints 12 Integration with Remote Support

HEAT Software Integration with Remote Support

Privileged Remote Access SIEM Tool Plugin Installation and Administration

Bomgar Remote Support Integration with BMC Remedy

Bomgar Vault Server Installation Guide

CA Service Desk Integration with Remote Support

Privileged Access Middleware Engine Installation and Configuration

Privileged Access Management Android Access Console 2.2.2

Privileged Identity App Launcher and Session Recording

Security Provider Integration SAML Single Sign-On

Privileged Access Integration Client Guide

BMC Remedy Integration with Remote Support

Security Provider Integration Kerberos Authentication

Remote Support Security Provider Integration: RADIUS Server

Remote Support 19.1 Web Rep Console

Security Provider Integration SAML Single Sign-On

Salesforce Integration Use Case

SIEM Tool Plugin Installation and Administration

Bomgar Privileged Access Smart Cards

Security Provider Integration Kerberos Server

Integration Client Guide

Version Installation Guide. 1 Bocada Installation Guide

Bomgar Appliance Upgrade Guide

Failover Configuration Bomgar Privileged Access

Bomgar Connect Android Rep Console 2.2.6

Bomgar Connect Android Rep Console 2.2.9

Security Provider Integration LDAP Server

Installation Guide. 3CX CRM Plugin for ConnectWise. Single Tenant Version

Privileged Access Administrative Interface 17.1

Privileged Access Access Console User Guide 17.1

Smart Cards for Remote Authentication 3. Prerequisites 3. Install the Smart Card Driver 4

How to Use Session Policies

Two-Factor Authentication Guide Bomgar Remote Support

Bomgar Connect ios Rep Console 2.2.7

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Security in Bomgar Remote Support

Privileged Access Appliance Hardware Installation

Bomgar Cloud Support Admin 18.2

Appliance Upgrade Guide

Android Rep Console

Configuring Failover

VMware AirWatch Certificate Authentication for EAS with ADCS

Aspera Connect Windows XP, 2003, Vista, 2008, 7. Document Version: 1

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

Bomgar Remote Support Administrative Guide 16.2

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

KYOCERA Net Admin Installation Guide

Privileged Access Access Console User Guide 18.1

Perceptive Process Mining

Installing and Configuring vcloud Connector

Status Web Evaluator s Guide Software Pursuits, Inc.

Privileged Access Access Console User Guide 18.2

ForeScout CounterACT. Configuration Guide. Version 4.1

VMware AirWatch Certificate Authentication for EAS with NDES-MSCEP

Privileged Access Management Administrative Guide 15.1

PAN 802.1x Connector Application Installation Guide

ForeScout Extended Module for Advanced Compliance

Security in the Privileged Remote Access Appliance

Privileged Remote Access Failover Configuration

Supporting Apple ios Devices

Microsoft ISA 2006 Integration. Microsoft Internet Security and Acceleration Server (ISA) Integration Notes Introduction

Bomgar Cloud Support Admin 15.2

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

PxM Proof of Concept Configuration. June 2018 Version 3.1

Bomgar Remote Support Administrative Guide 17.1

Remote Support Jumpoint Guide: Unattended Access to Computers in a Network 4. Recommended Steps to Implement Bomgar Jump Technology 5

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline 1.4

ACE Live on RSP: Installation Instructions

The Privileged Access Appliance in the Network

VMware AirWatch Certificate Authentication for EAS with NDES-MSCEP. For VMware AirWatch

AD Sync Client Install Guide. Contents

Perceptive Reflect. Installation and Setup Guide. Version: 2.3.x

Security Provider Integration: SAML Single Sign-On

Installation and Configuration Guide

Authlogics Forefront TMG and UAG Agent Integration Guide

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Remote Support Appliance Installation

Software Development Kit for ios and Android

INSTALLATION GUIDE Spring 2017

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline Collector 2.0

DoD Common Access Card Authentication. Feature Description

Atlas Technology Deployment Guide

Dell Storage Compellent Integration Tools for VMware

CounterACT User Directory Plugin

VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database

Remote Support Jump Client Guide: Unattended Access to Systems in Any Network 3. Recommended Steps for Implementing Bomgar Jump Technology 4

Configuring the SMA 500v Virtual Appliance

DIGIPASS Authentication for Check Point VPN-1

Microsoft SQL Installation and Setup

Privileged Access Jump Client Guide

Transcription:

RED IM Integration with Bomgar Privileged Access 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners. TC:4/4/2018

Table of Contents Bomgar Privileged Access Integration with RED IM 3 Prerequisites for the Bomgar Privileged Access Integration with RED IM 4 Applicable Versions 4 Network Considerations 4 Configure RED IM for Integration with Bomgar Privileged Access 5 Delegation Identity 5 RED IM SDK Web Services 5 Configure Bomgar Privileged Access for Integration with RED IM 6 Create an API Service Account - Bomgar 16.2 and Later 6 Create an API Service Account - Bomgar 16.1 and Earlier 6 Allow ECM Connections 6 Configure the RED IM Plugin for Integration with Bomgar Privileged Access 8 Install the Endpoint Credential Manager 8 Install and Configure the Plugin 9 Test Settings 12 Clear Token Cache 13 Troubleshoot the Bomgar PA and RED IM Integration 14 CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 2

Bomgar Privileged Access Integration with RED IM IMPORTANT! You must purchase this integration separately from both your Bomgar software and your RED IM solution. For more information, contact Bomgar sales. Bomgar's Privileged Access plugin integration with RED IM enables automatic password injection to authorized systems through encrypted Bomgar connections, removing the need to share and expose credentials to privileged accounts. In addition to the retrieval and automatic rotation of standard credentials, the integration also has the ability to retrieve shared credential lists, giving domain admins and other privileged users access to those credentials for use on the targeted systems. te: Auto-rotation occurs only if configured. The integration between Bomgar PA and RED IM enables: One-click password injection and session spawning Credentials never exposed to authorized users of Bomgar Access to systems on or off the network with no pre-configured VPN or other routing in place Passwords always stored securely in the RED IM server The Bomgar Endpoint Credential Manager (ECM) enables the communication between RED IM and Bomgar Privileged Access. The ECM is deployed to a hardened Windows Server inside the firewall, typically in the same network as RED IM. Once the ECM is deployed, Bomgar users see a list of administrator-defined credentials for the endpoints they are authorized to access. A set of these credentials can be selected when challenged with a login screen during an access session, and the user is automatically logged in, having never seen the username/password combination. RED IM handles all elements of securing and managing the passwords, so policies that require the password to be rotated after use are supported with additional configuration provided by the plugin. Bomgar Privileged Access handles creating and managing access to the endpoint and then recording the session and controlling the level of access granted to the user, including what the user can see and do on that endpoint. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 3

Prerequisites for the Bomgar Privileged Access Integration with RED IM To complete this integration, please ensure that you have the necessary software installed and configured as indicated in this guide, accounting for any network considerations. The integration is provided in the form of a plugin (ZIP archive containing the necessary DLL files and other supporting files) for use within Bomgar's Endpoint Credential Manager (ECM). Please ensure you have acquired the proper version of the ECM to be compliant with the version of Bomgar Privileged Access in use, and install the ECM according to the instructions in "Configure the RED IM Plugin for Integration with Bomgar Privileged Access" on page 8. Applicable Versions Bomgar Privileged Access: 15.x and newer RED IM: 5.4.0 and newer Network Considerations The following network communication channels must be open for the integration to work properly. Outbound From Inbound To TCP Port # Purpose ECM Server Bomgar Appliance 443 ECM calls to the Bomgar API. ECM Server RED IM 443 ECM calls to RED IM. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 4

Configure RED IM for Integration with Bomgar Privileged Access The integration requires minimal setup within RED IM and should work with your existing data as it stands. The two main requirements are a delegation identity that can impersonate RED IM web users and the installation of the RED IM SDK Web Services. Delegation Identity 1. Under Delegation > Web Application Identity Impersonation Mappings, select Create Mapping. 2. If an identity already exists that you would like to use for the integration, select it and skip to step 3 below. Otherwise, continue with the following steps: a. Click Add Identity and select Explicit Identity. b. Enter the desired username and password, and then click OK. 3. Select the desired identity and click OK. 4. Select the identities or roles the above user should be able to impersonate, and then click OK. 5. Verify the new mappings, and then click OK to close the dialog. te: If configuring the integration to auto-spin passwords upon check-in, the above account requires the All Access permission. If you are not using this feature, you can skip the steps listed below. 1. Go to Delegation > Web Application Global Delegation Permissions. 2. Add the All Access permission. 3. Select the identities or groups on the left to assign the permission to that identity or group. 4. Check the Ignore Password Checkout box. 5. Click OK. This permission allows users to retrieve and inject credentials regardless of whether the credential is checked out to a different user in the RED IM web application. It only affects the programmatic access to checked out credentials and does not allow them to check out a credential in the web application when in use by another user. RED IM SDK Web Services Please consult the RED IM Admin Guide for instructions on installing and enabling the SDK Web Services. In newer versions of RED IM, the SDK Web Services can be enabled directly from the RED IM console in the Manage Web Appliance section. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 5

Configure Bomgar Privileged Access for Integration with RED IM Several configuration changes are necessary on the Bomgar Appliance to integrate with RED IM. All of the steps in this section take place in the Bomgar /login administrative interface. Access your Bomgar interface by going to the hostname of your Bomgar Appliance followed by /login (e.g., https://access.example.com/login). Create an API Service Account - Bomgar 16.2 and Later 1. Go to Management > API Configuration and create a new API account. 2. Under Permissions, check Full Access to the Command API. 3. For the Reporting API, check Allow Access to Support Session Reports and Recordings and Allow Access to Presentation Session Reports and Recordings. Also be sure to copy the values for both the OAuth Client ID and OAuth Client Secret for use in a later step. 4. Click Add API Account to create the account. Create an API Service Account - Bomgar 16.1 and Earlier The API user account is used from within the integration to make Bomgar Command API calls to Bomgar. 1. Go to /login > Users & Security > Users. 2. Click Create New User and name it Integration or something similar. 3. Leave Must Reset Password at Next Login unchecked. 4. Set Password Expires On to Never Expires. 5. Scroll to the bottom and save the account. Allow ECM Connections PA 17.1 and Later 1. Go to /login > Management > API Configuration. 2. Add or edit an API account. 3. For Endpoint Credential Manager API, check Allow Access. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 6

Prior to PA 17.1 1. Go to Management > Security. 2. Ensure the box Allow Endpoint Credential Manager Connections is checked. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 7

Configure the RED IM Plugin for Integration with Bomgar Privileged Access Install the Endpoint Credential Manager The Endpoint Credential Manager (ECM) must be installed on a system with the following requirements: Windows Vista or newer, 64-bit only.net 4.5 or newer 1. To begin, download the Bomgar Endpoint Credential Manager (ECM) from Bomgar Support at ssc.bomgar.com. Start the Bomgar Endpoint Credential Manager Setup Wizard. 2. Agree to the EULA terms and conditions. Mark the checkbox if you agree, and click Install. te: You are not allowed to proceed with the installation unless you agree to the EULA. If you need to modify the ECM installation path, click the Options button to customize the installation location. 3. Click Install. 4. Choose a location for the credential manager and click Next. 5. On the next screen, you can begin the installation or review any previous step. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 8

6. Click Install when you are ready to begin. 7. The installation takes a few moments. On the screen, click Finish. te: To ensure optimal up-time, administrators can install up to five ECMs on different Windows machines to communicate with the same site on the Bomgar Appliance. A list of the ECMs connected to the appliance site can be found at /login > Status > Information > ECM Clients. te: When multiple ECMs are connected to a Bomgar site, the Bomgar Appliance routes requests to the ECM that has been connected to the appliance the longest. Install and Configure the Plugin 1. Once the Bomgar ECM is installed, extract and copy the plugin files to the installation directory (typically C:\Program Files\Bomgar\ECM). 2. Run the ECM Configurator to install the plugin. 3. The Configurator should automatically detects the plugin and loads it. If so, skip to step 4 below. Otherwise, follow these steps: CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 9

a. First, ensure that the DLL is not blocked. Right-click on the DLL and select Properties. b. On the General tab, look at the bottom of the pane. If there is a Security section with an Unblock button, click the button. c. Repeat these steps for any other DLLs packaged with the plugin. d. In the Configurator, click the Choose Plugin button and browse to the location of the plugin DLL LiebermanRED IMPlugin.dll. 4. After selecting the DLL, click the gear icon in the Configurator window to configure plugin settings. 5. The following settings are available: Setting Name Endpoint URL API User API Password Authenticator Description tes Required The full URL to the RED IM SDK Web Services Delegation identity created. Assign impersonation permissions for various other RED IM identities and/or roles Password of the above delegation identity The authenticator associated with the delegation identity e.g., https://<lieberman-serverhostname>/erpmwebservice/authservice.svc Typically, the NETBIOS domain name for domain accounts. Leave this blank if using an explicit account. Yes Yes Yes CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 10

Setting Name Default Domain for Local Bomgar Users Enable fallback to local account if domain account not found Map Domains Include credentials from Shared Credential Lists Prefer lookup of credentials by IP address over hostname Enable creation of password spin jobs Description tes Required When a value is supplied, the plugin initially attempts to retrieve credentials for the user with the username from Bomgar and the configured default domain When checked, the plugin first attempts to retrieve credentials for the user as a domain user and then, if no match is found, makes a second attempt without the domain Allows for the mapping of fully qualified domain names to their shorter NetBIOS names When checked, the plugin includes credentials from a shared credential list When checked, the plugin attempts to find credentials for the endpoint using its IP address, if available When checked, the plugin creates password spin jobs for credentials checked out via the integration This setting is necessary if some or all Bomgar users are local users but the corresponding accounts in RED IM are domain accounts with the same username portion. This setting is necessary if some or all Bomgar users are domain users but the corresponding accounts in RED IM are domain accounts with the same username portion. This setting is necessary to match domain users in Bomgar to domain users in RED IM. Bomgar reports the logged-in user with the fully qualified domain name (FQDN), while RED IM may expect the NetBIOS name of the domain. It is also used for returning domain credentials for Windows endpoints when the domain of the endpoint is not known. These mappings must be done manually and can be entered one per line as FQDN=NetBIOS (e.g., Example.local=EX). In addition to retrieval of normal managed credentials, the integration can also retrieve endpoint-specific credentials from a shared list. If the IP address is not available, the plugin attempts to find credentials by using the hostname, which is the default behavior. Checking out credentials via the RED IM SDK Web Services does NOT result in a spin job for managed passwords that would normally rotate when checked in via the web interface. To compensate for this, the plugin can examine the credential to see if it is set to auto-spin and then create a job to do so. spin job is created for credentials that do not have random passwords or that are not configured to auto-spin. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 11

Setting Name Job Comment Password Change Template Job IDs Description tes Required A custom job comment can be configured to help distinguish jobs submitted as part of the integration The numeric IDs of the template job shown in the Jobs list in RED IM The string <username> replaces the username with the RED IM identity performing the check-out. It can be replaced anywhere in the string or removed, if desired. It is recommended to create password change jobs that can be used as templates for future jobs submitted by the integration. The basic settings of these jobs are used for each subsequent job with only the password, endpoint-specific information, and scheduling being overridden. There must be a separate template job created and configured for each type of stored credential you would like to rotate. te: Make sure you do not delete the template jobs. Test Settings The settings specific to RED IM can be tested directly from the plugin configuration screen using the Test Settings button. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 12

1. Enter a user account from which to retrieve credentials. 2. Enter an endpoint for which the user account has one or more credentials. 3. View the resulting list. te: actual passwords are retrieved or displayed, only the list of credentials. te: The settings used for the test are the ones currently entered on the screen, not necessarily what is saved. Clear Token Cache To avoid excessive authentication calls to RED IM, the plugin caches authentication tokens (in an encrypted form) for users as they attempt to retrieve secrets through the integration. Subsequent calls use the cached token until it expires. At that point, a new authentication token is retrieved and cached. The Clear Token Cache button allows an admin to clear all cached authentication tokens if such action becomes necessary for maintenance, testing, etc. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 13

Troubleshoot the Bomgar PA and RED IM Integration To assist you, a list of common issues experienced during the integration process has been provided, and steps for resolving these issues are noted. For any issues that involve the ECM service, it is recommended to enable DEBUG level logging. To enable this setting, follow these steps. 1. Open the Bomgar-ECMService.exe config file in a text editor. 2. Edit the file by changing the line <level value="info"/> to <level value="debug"/>. 3. Save the file and restart the ECM service. Common Issues and Resolution Steps Issue Cause Debugging Steps/ Possible Solutions ECM Configurator cannot find or load the plugin ECM Configurator cannot find or load the plugin DLL files were not deployed to ECM install directory. DLL files are being blocked by Windows. Copy ALL files included with the plugin into the ECM install directory, typically C:\Program Files\Bomgar\ECM. Close and re-open the ECM Configurator. While the build server signs the assemblies to help prevent this error, some systems still block the DLLs. To unblock them, right-click on the DLL. Select Properties. In the General > Security section, check the Unblock box. Click OK to save the changes. credentials are returned when using the Test Settings feature ECM has been configured without the proper settings. Repeat these steps with any other DLLs being paged with the plugin DLL. A failure to retrieve credentials using the Test Settings feature in the ECM Configurator is usually a result of some configuration setting being entered incorrectly. First, double-check any usernames and passwords entered. Next, check the logs in Configurator.log to see if the integration is providing any information as to why the test failed. It could be anything from incorrect URLs / ports, authentication failure, or network connectivity issues. The logs may also reveal a perceived failure was not a failure after all. Instead, no matches may have been found, and even if this is unexpected, an empty list is still a valid result. credentials are returned when using the Test Settings feature There is a lack of network connectivity. te: The Test Settings feature does NOT communicate with Bomgar PA at any point. It simply tests the settings related to the password vault system. Also, remember that the test uses the currently entered values and settings whether the settings have been saved or not. This allows you to test different configurations without overwriting existing settings. There is a lack of necessary network connectivity between the ECM server and the password vault system. The resolution could be as simple as adding a rule to the Windows Firewall, or it may require a network administrator to open ports to allow communication. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 14

Issue Cause Debugging Steps/ Possible Solutions Credentials are returned via the Test Settings feature but are not available in the access console Credentials are returned via the Test Settings feature but are not available in the access console Credentials are returned via the Test Settings feature but are not available in the access console Credentials are returned via the Test Settings feature but are not available in the access console Credentials are returned via the Test Settings feature but are not available in the access console ECM has been configured without the proper settings. Bomgar PA has been configured without the proper settings. The ECM service has stopped functioning. There is a lack of network connectivity. The user mapping has failed. The settings on the initial screen of the ECM Configurator tell the ECM service which Bomgar PA instance to connect to and the account to use for authentication. Doublecheck these and review the logs in ECM.log, if necessary. It is possible ECM connections have not been enabled or the API account being used is not configured to be an administrator. Review the steps in "Configure Bomgar Privileged Access for Integration with RED IM" on page 6 Restart the Bomgar ECM Service. A lack of connectivity could be preventing the integration from working. In this case, the missing connection would occur between Bomgar PA and the ECM server. If the ECM is unable to establish a connection to the Bomgar PA Appliance, it is unable to receive requests for credentials. Try loading the /login page in a browser running on the ECM server. If the browser cannot connect, the ECM will also be unable to connect. If the browser test passes, check the ECM.log to see if a connection was successfully established when starting the service. This issue commonly occurs (particularly with domain accounts) when a test is run with a user entered as domain\user or a similar format. However, when connecting through the access console, it is possible for the domain portion to be different or missing altogether. If the Bomgar user is a local user, no domain information is present. The same is true for users authenticating to Bomgar via certain security providers like RADIUS. If the plugin allows for domain mapping or default domains for local users, verify these are configured correctly. Also, check the ECM.log to make sure the values passed to the password vault match what is expected. If the test is successful, note the information used. CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback