ASG Remote Desktop with CyberArk
#41
We already started an implementation - we need some feedback from another customer and some tests
Regards/Gruss
Oliver
Reply
#42
If you need further testers for feedback, really happy to help :-)
Reply
#43
Hi,
 
I’m hoping you can assist me with an issue I’m having with connecting RDP sessions from ASG via CyberArk PVWA through PSM.
 
I’m aware of the forum postings using the RDP > Programs setting.  I can have the RDP session launch, but it's not calling on PSM.
 
This is the connection string I’m trying to use:

psm /u <user@domain.com> /a <fqdn cyberark pvwa server> /c PSM-RDP

I'm wondering if there is a syntax error in my string, or if I'm missing some other setting.

Any assistance would be greatly appreciated.

Thanks,
Jim
Reply
#44
I think you found the syntax here https://remotedesktop.rocketsoftware.com...?tid=10227

We currently do not have a running CyberArk environment - so I can't tell you if your syntax is correct or not - but it looks correct!
Did you set the psm call in the "RDP-Programs section" - I think you should be able to try it manually on the server to test it?!? Or is the call blocked? Try to use notepad.exe as Program to call in the remote session - does it open? Then it should also execute the psm command!
Regards/Gruss
Oliver
Reply
#45
@Jim:

The syntax is as follows:

You need to put in the destination server you want to login to into the psm command:

Under: RDP --> Programs you put this:
psm /u <user@domain.com> /a <fqdn destination server> /c PSM-RDP

And under Connection --> Connection you put the Servername/IP of your CyberArk PSM Server (or loadbalancer IP or something)

You don't use PVWA for that Feature at all
Reply
#46
interesting information
Reply
#47
(29-09-2021, 09:39 AM)Vahr001 Wrote: Hey Oliver,

long time no speak, but we are currently in the process of switching our landscape from "classic" multi-domain personal accounts to a CyberArk environment.
Our main focus is on RDP connections at the moment, as the Unix/Linux teams use CyberArk a bit differently (but it could also be that an integration into ASGRD would be handy).
As the CyberArk web UI is quite clumsy to use on a daily basis, we were looking into integrating it into our ASGRD landscape.

Currently we have a working solution like this:

Create a Connection Object in ASGRD
On Connection --> Connection --> Destination: Use the DNS name of the PSM (which is basically the server that is authenticating your "user"; we use MFA on that step and authenticate using a certificate bound to the domain user we use for administrative purposes)
On RDP --> Programs --> Executable path: We use something like this: "psm /u <PAM-User> /a <Destination-Server> /c PSM-RDP"

Hi All, I am happy with the "standard way" to use PSM to connect to a target (as also described by Tim above).....
I made it even a little easier by using the following "execution path": "psm /u %Description% /a %Name% /c PSM-rdp"
In this way I only need to update the description and name in the Connection->General path within ASG.
(Description in a format like: <user@domain.com> (being an entry within CyberArk); and
name in a format like <fqdn destination server>)

However, the problem with this is that the engineers want a predefined, filled database pointing to their servers with the proper parameters and don't like to create the individual entries themselves. I am now looking for a method to automatically fill the ASG database with predefined connections. Which methods are there to be able to "automatically" fill a central ASG database with these definitions?
Reply
#48
You can use the Powershell-API!
Regards/Gruss
Oliver
Reply
#49
Just as an addition, we made the connection objects a bit more "variable" as we have the same approach in cyberark, that each department is working with its own defined set of local windows users per server (instead of 1 personal domain user per multiple servers).
e.g. "winadm" for OS Admins, "dbaadm" for Database Admins and so forth. And then we have 3 users per department (counting from 1-3).

We have now created 3 entries per server with the following:
psm /u %CUSTOM_Username%1 /a <fqdn destination server> /c PSM-RDP
psm /u %CUSTOM_Username%2 /a <fqdn destination server> /c PSM-RDP
psm /u %CUSTOM_Username%3 /a <fqdn destination server> /c PSM-RDP

This way each individual user only needs to create a personal variable called "Username" once and put in his/her department's specific CyberArk "Username" (as mentioned above, e.g. "winadm").

This leads to having 3 connection objects per server that everybody is able to use, instead of creating multiple objects for the same server.

In our case we have a predefined set of 6 departments that need to have access to "all servers" + optional departments depending on the server's role (web, application, Citrix, whatnot).

This would lead us to at least have: number of servers x mandatory departments x number of users per department.

In our case that would have been 4500 x 6 x 3 = 81000 objects + an undefined number of additional objects for optional departments.
With the other approach we just have a flat number of 4500 x 3 = 13500, independent of how many departments have access to specific servers.

The "trade off" is that you would need to have everybody assign their personal variable once, but the benefit in our case is tremendously better startup/refresh/caching times because of a lot less objects in the database.
Reply
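The two questions above (how to pre-fill the ASG database with PSM connections, and how to verify what a %CUSTOM_…% variable will expand to) can be prototyped outside the client. The script below is an added example, not code from ASG Remote Desktop, CyberArk, or any poster in this thread: it generates the "three objects per server" definitions from a constructed server list, previews the psm command line for a given personal variable value, and reports any %…% tokens that were left unexpanded, which is the symptom seen later in the thread when a variable is not passed. The host names, the PSM destination and the Expand-AsgVariables stand-in are assumptions; the real substitution happens inside ASG, and the ASG PowerShell cmdlets for importing the objects are documented in the product help and are not assumed here.

```powershell
# Added example (not ASG Remote Desktop or CyberArk code). Builds connection
# definitions for the "%CUSTOM_Username% + counter" approach and checks that
# a psm command line resolves cleanly once the personal variable is expanded.

# Constructed sample inventory; replace with your own server export.
$servers = @('web01.corp.example', 'db01.corp.example', 'ctx01.corp.example')
$psmHost = 'psm.corp.example'   # assumed PSM host or load-balancer name

function New-PsmConnectionDefinition {
    # One object per server and counter (1..N), all sharing one personal
    # variable instead of one object per department.
    param(
        [Parameter(Mandatory)][string[]]$Server,
        [Parameter(Mandatory)][string]$Destination,
        [int]$UsersPerDepartment = 3,
        [string]$Variable = 'CUSTOM_Username'
    )
    foreach ($s in $Server) {
        foreach ($n in 1..$UsersPerDepartment) {
            [pscustomobject]@{
                Name           = "$s ($n)"
                Destination    = $Destination
                ExecutablePath = "psm /u %$Variable%$n /a $s /c PSM-RDP"
            }
        }
    }
}

function Expand-AsgVariables {
    # Stand-in for the client's own %Variable% substitution (assumption):
    # case-insensitive, leaves unknown tokens untouched, and keeps any text
    # that directly follows the closing %, so %CUSTOM_Username%1 -> winadm1.
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][hashtable]$Values
    )
    $expanded = $Text
    foreach ($key in $Values.Keys) {
        $pattern  = '%' + [regex]::Escape($key) + '%'
        $expanded = $expanded -replace $pattern, [string]$Values[$key]
    }
    return $expanded
}

function Get-UnresolvedVariable {
    # Returns every %...% token still present after expansion. A non-empty
    # result means psm would receive the placeholder literally.
    param([Parameter(Mandatory)][string]$Text)
    return [regex]::Matches($Text, '%[A-Za-z0-9_]+%') | ForEach-Object { $_.Value }
}

function Get-ObjectCount {
    # Object count of "one object per department and user" versus
    # "one personal variable", as computed in the post above.
    param([int]$Servers, [int]$Departments, [int]$UsersPerDepartment)
    [pscustomobject]@{
        PerDepartment    = $Servers * $Departments * $UsersPerDepartment
        PersonalVariable = $Servers * $UsersPerDepartment
    }
}

$definitions = New-PsmConnectionDefinition -Server $servers -Destination $psmHost
$definitions | Format-Table -AutoSize
# Hand $definitions to your import step (e.g. Export-Csv, or the ASG
# PowerShell API described in the help file).

# Preview for a member of the OS admin department (constructed value).
$preview = Expand-AsgVariables -Text $definitions[0].ExecutablePath -Values @{ CUSTOM_Username = 'winadm' }
$preview    # psm /u winadm1 /a web01.corp.example /c PSM-RDP

$left = Get-UnresolvedVariable -Text $preview
if ($left) { Write-Warning "Unresolved variables: $($left -join ', ')" }

# A variable that was never defined stays literal and is reported.
Get-UnresolvedVariable -Text (Expand-AsgVariables -Text 'psm /u %CUSTOM_Missing%2 /a db01.corp.example /c PSM-RDP' -Values @{})

Get-ObjectCount -Servers 4500 -Departments 6 -UsersPerDepartment 3
```

Running the same unresolved-token check against the argument string of the notepad.exe test described later in the thread gives a quick way to tell a variable that was never substituted apart from one whose value is simply empty.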
#50
(16-05-2022, 02:37 PM)Vahr001 Wrote: Just as an addition, we made the connection objects a bit more "variable" as we have the same approach in cyberark, that each department is working with its own defined set of local windows users per server (instead of 1 personal domain user per multiple servers).
e.g. "winadm" for OS Admins, "dbaadm" for Database Admins and so forth. And then we have 3 users per department (counting from 1-3).

We have now created 3 entries per server with the following:
psm /u %CUSTOM_Username%1 /a <fqdn destination server> /c PSM-RDP
psm /u %CUSTOM_Username%2 /a <fqdn destination server> /c PSM-RDP
psm /u %CUSTOM_Username%3 /a <fqdn destination server> /c PSM-RDP

This way each individual user only needs to create a personal variable called "Username" once and put in his/her department's specific CyberArk "Username" (as mentioned above, e.g. "winadm").

This leads to having 3 connection objects per server that everybody is able to use, instead of creating multiple objects for the same server.

In our case we have a predefined set of 6 departments that need to have access to "all servers" + optional departments depending on the server's role (web, application, Citrix, whatnot).

This would lead us to at least have: number of servers x mandatory departments x number of users per department.

In our case that would have been 4500 x 6 x 3 = 81000 objects + an undefined number of additional objects for optional departments.
With the other approach we just have a flat number of 4500 x 3 = 13500, independent of how many departments have access to specific servers.

The "trade off" is that you would need to have everybody assign their personal variable once, but the benefit in our case is tremendously better startup/refresh/caching times because of a lot less objects in the database.

@Vahr001, this sounds like you were able to automate the filling of the database as well....are there some references/links available for the API to fill it as you indicate? Also a reference to the custom variable would be nice, as I am not very familiar with the configuration of ASG...nor is there extensive knowledge on this in my organisation.....
Reply
#51
For the complete API reference just open the help file - chapter "Powershell API" - it only documents all CmdLets - if you need scripts for automating, you need to write them...

Custom Variables - go to Settings=>Variables - there you can create custom variable names - also press F1 for some help :-)
Regards/Gruss
Oliver
Reply
#52
(16-05-2022, 02:37 PM)Vahr001 Wrote: Just as an addition, we made the connection objects a bit more "variable" as we have the same approach in cyberark, that each department is working with its own defined set of local windows users per server (instead of 1 personal domain user per multiple servers).
e.g. "winadm" for OS Admins, "dbaadm" for Database Admins and so forth. And then we have 3 users per department (counting from 1-3).

We have now created 3 entries per server with the following:
psm /u %CUSTOM_Username%1 /a <fqdn destination server> /c PSM-RDP
psm /u %CUSTOM_Username%2 /a <fqdn destination server> /c PSM-RDP
psm /u %CUSTOM_Username%3 /a <fqdn destination server> /c PSM-RDP

This way each individual user only needs to create a personal variable called "Username" once and put in his/her department's specific CyberArk "Username" (as mentioned above, e.g. "winadm").

This leads to having 3 connection objects per server that everybody is able to use, instead of creating multiple objects for the same server.

In our case we have a predefined set of 6 departments that need to have access to "all servers" + optional departments depending on the server's role (web, application, Citrix, whatnot).

This would lead us to at least have: number of servers x mandatory departments x number of users per department.

In our case that would have been 4500 x 6 x 3 = 81000 objects + an undefined number of additional objects for optional departments.
With the other approach we just have a flat number of 4500 x 3 = 13500, independent of how many departments have access to specific servers.

The "trade off" is that you would need to have everybody assign their personal variable once, but the benefit in our case is tremendously better startup/refresh/caching times because of a lot less objects in the database.

Hi, sorry to jump on this, but I can't get the custom username or any other variable to work in place of the username for CA. The /a server name seems to work just fine with %name%, but anything for the /u switch doesn't seem to work. Is there a way I can test that the variable that's been passed works as expected?
Reply
#53
Just create an external application - notepad.exe - and add some parameters in command line - then execute the ext.app. by right click on one of your connections and choose Ext.App.=>Notepad (just configured) - it will execute Notepad and should pass the variable content from your connection
Regards/Gruss
Oliver
Reply
#54
Or do you just not know how to use "%CUSTOM"-variables - go to Settings=>Variables
Regards/Gruss
Oliver
Reply
#55
(24-06-2022, 03:07 PM)DevOma Wrote: Or do you just not know how to use "%CUSTOM"-variables - go to Settings=>Variables

I believe I'm using it correctly but it doesn't seem to be working.

I have added the argument %CustomCred1% as a test and populated that in the options. When I open notepad it tells me the file %CustomCred1%.txt cannot be found rather than the data in CustomCred1.

It doesn't look like it is being passed correctly. I have the same issue on an RDP session passing a variable for a program. The %Name% variable seems to be working but CustomCred1 does not, along with any %CUSTOM_% variables I have created.

Any help would be appreciated. I'm running Version 15.0.7423.1
Reply
#56
For using %CustomCred1% you need to activate the first field in "Settings=>Environment=>Custom fields" - set any name for the field, edit some credentials and set a value for this field - if you then do the notepad.exe action again, it should pass the content of that field - just tested myself, set the field in my assigned creds (assigned to a connection) - right click the connection and executed with notepad (command line %CustomCred1%.txt) - and it worked!

Don't mix CUSTOM_% variables with extension of connection or credential fields - two different things! One in Settings=>Custom fields and the other Settings=>Variables
Regards/Gruss
Oliver
Reply
#57
(27-06-2022, 09:08 AM)DevOma Wrote: For using %CustomCred1% you need to activate the first field in "Settings=>Environment=>Custom fields" - set any name for the field, edit some credentials and set a value for this field - if you then do the notepad.exe action again, it should pass the content of that field - just tested myself, set the field in my assigned creds (assigned to a connection) - right click the connection and executed with notepad (command line %CustomCred1%.txt) - and it worked!

Don't mix CUSTOM_% variables with extension of connection or credential fields - two different things! One in Settings=>Custom fields and the other Settings=>Variables

That is what I have already done for %CustomCred1%. I have enabled the field and input a credential next to it. The credential does not seem to pass to the notepad file. I just get "%CustomCred1%.txt could not be found" rather than "example.txt could not be found"?

I know the %CUSTOM_% variable is different, but ultimately that's the one I do want to use; that wouldn't work, so I wanted to try CustomCred1 to see if it was something I was doing. Is there anything else that needs to be enabled somewhere, or am I missing something?
Reply
#58
Did you try to use any other variable from assigned creds? Like %Username%? The connection that you start (connect) needs the right credentials assigned - and then it should also parse the content of the assigned credentials
Regards/Gruss
Oliver
Reply
#59
(27-06-2022, 10:28 AM)DevOma Wrote: Did you try to use any other variable from assigned creds? Like %Username%? The connection that you start (connect) needs the right credentials assigned - and then it should also parse the content of the assigned credentials
%Name% seems to work as expected when used in my connection string. If I try %username% with notepad it just opens a blank untitled file, the same as when I use %name%
Reply
#60
I guess you are doing something wrong - so again a step-by-step list of how to configure and use it

Create a connection - set a name (e.g. TEST-CmdLine), add role "Credentials" - switch to category Credentials and assign one of your credentials - save the connection
Create an external app - notepad - set Filename to "notepad.exe" and "Arguments" to "%Username%".txt - save the external app

Select the connection "Test-CmdLine" - right click and choose from Context-Menu "Ext.App.=>notepad" - so this connection will be used to start the external app and will have access to all connection information including the assigned creds.

Notepad.exe should start with the user name of your assigned credentials plus the extension .txt

This feature has worked for a very long time and so many users are using it - so it must be some wrong configuration, I guess
Regards/Gruss
Oliver
Reply