
Deployment Architecture

Disclaimer
The handbook of ARCON PAM solution is being published to guide stakeholders and users. If any of the statements in this document are at
variance or inconsistent it shall be brought to the notice of ARCON PAM through the support team. Wherever appropriate, references have been
made to facilitate better understanding of the PAM solution. The ARCON PAM team has made every effort to ensure that the information
contained in it was correct at the time of publishing.
Nothing in this document constitutes a guarantee, warranty, or license, expressed or implied. ARCON PAM disclaims all liability for all such
guarantees, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non-infringement of intellectual
property or other rights of any third party or of ARCON PAM; indemnity; and all others. The reader is advised that third parties can have
intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of
competent legal counsel, without obligation of ARCON PAM.

Copyright Notice
Copyright © 2022 ARCON PAM All rights reserved.
ARCON PAM retains the right to make changes to this document at any time without notice. ARCON PAM makes no warranty for the use of this
document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the
information contained herein.

Trademarks
Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without
intent to infringe.

Sales Contact
You can directly contact us with sales related topics at the email address <sales@arconnet.com>, or leave us your contact information and we
will call you back.

Introduction
ARCON Deployment encompasses all the processes involved in getting new software or hardware up and running properly in its environment,
including installation, configuration, running, testing, and making necessary changes.

ARCON PAM supports multiple deployment procedures:

Standard and Appliance Deployment
Cloud based Deployment
Distributed Deployment
Near Zero Downtime (Offline mode) Deployment

Standard and Appliance Architecture Configuration (SAC)

The standard architecture configuration is the most compact of the architectures and offers simplicity, performance and cost savings. It consists of
a combined application server (EPAM), Secure Gateway Server (SGS) and database server (PVSL) on one host. This type of environment is typically
deployed in smaller scale organizations or non-production environments.

Recommended OS & DB:

OS: Windows Server 2012 R2+
DB: Windows SQL Server 2012 R2+ standard edition
Gateway: FreeSSHD or Bitvise

Deployment Diagram Example:


Suggested High Availability & DR Strategy

ARCON PAM Suite: Application Layer
High Availability DR:
  Load Balancing: ARCON PAM Application Server can be in HA in Active-Active mode. We need to use the option of Persistence Hash with Session Stickiness. Failover will be automatic.
  NLB: ARCON PAM Application Server can be in HA in Active-Passive. All the requests will go to Node One and in case Node One fails, Node Two will be active and all the requests will go to Node Two. Failover will be automatic.
Resource: Load Balancing
Requirement: Should plan in coordination with OEM

ARCON PAM Suite: Database Layer
High Availability DR:
  Microsoft SQL High Availability Always On: We can use MSSQL Cluster Always On between Primary, HA and DR Server. Data will be replicated in real time from Primary to HA and to DR. Failover from Primary to HA will be Automatic and Failover to DR will be Manual.
  MS SQL Clustering: We can use MSSQL Cluster between Primary and HA Server and MSSQL Log Shipping for Database Replication on DR Server. Failover from Primary to HA will be Automatic and Failover to DR will be Manual.
Resource: Microsoft SQL Server data replication
Requirement: Should plan in coordination with OEM

For Appliance Deployment Architecture, ARCON provides hardware with the standard deployment installation.

Cloud Based Deployment Architecture (AWS)

In the AWS Cloud, Amazon VPC can help our customers by serving as an extension of their existing on-premise datacenter.
Amazon VPC allows for specifying an IP address range so that the existing datacenter can be extended into AWS in a similar way an extension
would be made into a new physical data center or branch office. VPN and AWS Direct Connect connectivity options allow these networks to be
seamlessly and securely integrated to create a single corporate network capable of supporting your users and applications regardless of where
they are physically located. It also allows IT resources hosted in the VPC to leverage existing centralized IT systems, such as user authentication,
monitoring, logging, change management or deployment services, without changing how users or system administrators access or
manage your applications.

ARCON PAM in Customer Premises:

ARCON PAM in Cloud:


Scenario: Extended On-premise Datacenter into the Cloud (AWS)

Using the approach above, ARCON PAM can be implemented in the local data center and then extended to manage the devices
and applications in the AWS cloud. In the same manner, ARCON PAM can be implemented in the AWS Cloud and then extended to manage devices
in the local on-premise datacenter. This allows SSO, SSH key based management capabilities, password management, auditing and the other
features provided by ARCON PAM to be used across both the on-premise and AWS cloud environments seamlessly.
ARCON PAM also facilitates the integration of the AWS management console with the solution, resulting in a completely
centralized PAM solution within the hybrid architecture.

ARCON PAM can be implemented on other cloud based services such as Microsoft Azure and Google Cloud, along with their respective
management consoles, in the same manner as explained above for the AWS cloud.

Intermediate Architecture Configuration (IAC)

The intermediate architecture configuration offers the flexibility to segregate the application servers while utilizing a central database. It consists
of a combined application server (EPAM) and Secure Gateway Server (SGS), plus a separate database server (PVSL). Organizations can linearly
scale up this environment by horizontally adding more resources to the existing setup.

This architecture is highly recommended for mid- to large-scale implementations, to ensure automatic failover capabilities with complete redundancy
for each ARCON PAM component.

Recommended OS & DB:

OS: Windows Server 2012 R2+
DB: Windows SQL Server 2012 R2+ standard edition
Gateway: FreeSSHD or Bitvise

Deployment Diagram Example:


Suggested High Availability & DR Strategy

ARCON PAM Suite: Application Layer
High Availability DR:
  Load Balancing: ARCON PAM Application Server can be in HA in Active-Active mode. We need to use the option of Persistence Hash with Session Stickiness. Failover will be automatic.
  NLB: ARCON PAM Application Server can be in HA in Active-Passive. All the requests will go to Node One and in case Node One fails, Node Two will be active and all the requests will go to Node Two. Failover will be automatic.
Resource: Load Balancing
Requirement: Should plan in coordination with OEM

ARCON PAM Suite: Database Layer
High Availability DR:
  Microsoft SQL High Availability Always On: We can use MSSQL Cluster Always On between Primary, HA and DR Server. Data will be replicated in real time from Primary to HA and to DR. Failover from Primary to HA will be Automatic and Failover to DR will be Manual.
  MS SQL Clustering: We can use MSSQL Cluster between Primary and HA Server and MSSQL Log Shipping for Database Replication on DR Server. Failover from Primary to HA will be Automatic and Failover to DR will be Manual.
Resource: Microsoft SQL Server data replication
Requirement: Should plan in coordination with OEM

Advanced Architecture Configuration (AAC)

The Advanced Architecture Configuration offers the most flexibility, scalability, and performance features of all the architectures, hence ARCON
recommends this configuration for large organizations. Enterprises can scale this environment by adding more resources into the application,
database and secured server layers. This configuration enables a high degree of redundancy across all ARCON PAM components to manage a high
number of sessions. High-volume connection traffic can also be routed to a dedicated secure gateway server to manage high concurrency of
users.

Recommended OS for Application, Database Server, Secured Server and Database

OS for App and DB: Windows Server 2012 R2+
DB: Windows SQL Server 2012 R2+ standard edition
OS for SGS: Any flavor of UNIX (Red Hat, SUSE, Solaris etc.)

Deployment Diagram Example:

Suggested High Availability & DR Strategy

ARCON PAM Suite: Application Layer
High Availability DR:
  Load Balancing: ARCON PAM Application Server can be in HA in Active-Active mode. We need to use the option of Persistence Hash with Session Stickiness. Failover will be automatic.
  NLB: ARCON PAM Application Server can be in HA in Active-Passive. All the requests will go to Node One and in case Node One fails, Node Two will be active and all the requests will go to Node Two. Failover will be automatic.
Resource: Load Balancing
Requirement: Should plan in coordination with OEM

ARCON PAM Suite: Database Layer
High Availability DR:
  Microsoft SQL High Availability Always On: We can use MSSQL Cluster Always On between Primary, HA and DR Server. Data will be replicated in real time from Primary to HA and to DR. Failover from Primary to HA will be Automatic and Failover to DR will be Manual.
  MS SQL Clustering: We can use MSSQL Cluster between Primary and HA Server and MSSQL Log Shipping for Database Replication on DR Server. Failover from Primary to HA will be Automatic and Failover to DR will be Manual.
Resource: Microsoft SQL Server data replication
Requirement: Should plan in coordination with OEM

ARCON PAM Suite: Secure Gateway Server
High Availability DR:
  Load Balancing: ARCON PAM Application Server can be in HA in Active-Active mode. We need to use the option of Persistence Hash with Session Stickiness. Failover will be automatic.
Resource: NA
Requirement: Should plan in coordination with OEM

Distributed ARCON PAM

The distributed deployment architecture describes the ability to integrate multiple data centers present in different locations into one instance of
ARCON PAM. Distributed deployments can be used to support scalability and performance across multiple dimensions.

Key Challenge:

The client engaged multiple vendors on a project basis to manage critical operational tasks, and privileged accounts were shared with those vendors.
As a result, vendors had uncontrolled and unmonitored access to servers. There were instances where an incident had occurred and the
Forensic Team was unable to find the root cause. Secure third-party access was therefore the biggest concern faced by our client. Further, the
tour operator managed four Data Center environments located in four different cities spread across three continents. Admins used VPN to connect
to the local Data Centers, but had unsecured access to servers.

Solution:

ARCON's enterprise-class suite enabled the client to overcome these challenges in a seamless manner. Our product's unique range of
functionalities also enables our client to comply with regulatory and audit requirements. Our client's four Data Center environments
were not impacted during the implementation process. The ARCON server was installed at the client's central Data Center, and the other three
Data Centers were integrated into the same setup. Every privileged account in the client's network now had secure access, as ARCON PAM was
integrated at all layers of the IT infrastructure. The solution provided audit trails for each session. All end-users (admins and vendors)
had restricted access to all devices in the Data Centers, and access was monitored. The solution enabled the client to control all privileged sessions, as
every end-user, at every location around the globe, reached any device through the ARCON Server. Likewise, all third-party access was
now regulated, monitored, and controlled after the deployment of the ARCON Privileged Access Management (PAM) Suite.

Additional Value Adds

Our client had limited bandwidth and wanted to accumulate video logs on a local server and then move them to a central location (where the
ARCON server was installed). We installed a staging server at each location to suit our client's environment. A staging server at each location
enabled the client to accumulate logs during production hours. During off-production hours, logs were transferred automatically to the central
location. This architecture significantly reduced network bandwidth utilization, ensuring there was no impact on productivity
during production hours.

Near Zero Downtime (Offline) Architecture

ARCON PAM supports High Availability through real-time data synchronization and near zero downtime on application failure. The data synchronization
process for HA (High Availability) establishes consistency between the data of a source and a target data store, and vice versa, and keeps the
data harmonized continuously over time.

Real Time Data Synchronization

Real Time Data Synchronization between the Primary and Secondary Node can be achieved using one of the following scenarios:

AlwaysOn feature of MS SQL Server Enterprise Version (the prerequisite for the AlwaysOn feature is explained in this document). The full ARCON PAM database of the Primary node is replicated on all secondary nodes.
ARCOS Data Sync Service

Failure of Primary Node

If the Primary Node is down and not accessible due to network failure or any other reason, users have to switch to the Secondary Node (Restricted
Mode) manually; the Secondary Node stores the session logs and activities performed on it in its local database storage.

Below are the ARCON PAM activities that are accessible during Restricted Mode:

My Services (the user can take a session to assigned services)

Restoration of Primary Node

Once the Primary node is restored and accessible, the admin has to run the ARCOSDataSync service on the Secondary Node, which synchronizes
the data from the Secondary Node to the Primary Node; users are then able to see their activity logs from the Primary Node.

Configuration for Restricted ARCON PAM

Set up a new server with the latest version of ARCON PAM, enabled with Restricted Mode.

Steps to deploy Restricted ARCON PAM

1. API Setup for Restricted ARCON PAM
   a. Deploy API on the full mode application server.
   b. DBSetting.ini (same as full Mode DBSetting)

2. Database Server Setup for Restricted ARCON PAM
   a. The DB Server shall contain the ARCOSDB.mdf database with read-only access, which continuously syncs data with the Full Mode ARCOSDB data, and ARCOSDB_RA.mdf (RA Database) with read-write access.

3. Application Server Setup for Restricted ARCON PAM
   a. The Restricted Mode Application shall be deployed on a new application server with the same configuration as the Full Mode Application Server.
   b. The Web.config file shall have the ARCOS Mode parameter set to Restricted.
   c. The Restricted Mode Application shall have two ini files in the DBSetting folder: DBSetting.ini (same as full Mode) and DBSetting_RA.ini.
   d. DBSetting_RA.ini - Server details of the Secondary Node; the Primary Database is ARCOSDB_RA.

4. ARCOSDataSync Service Setup for Restricted ARCON PAM
   a. Install the ARCOSDataSync Service on the Application/Database server.
   b. After installation, the ARCOS Data Sync Service folder will be created on the server at the path "C:\Program Files (x86)\ARCON Solutions\".
   c. Go to that path and set the API URL (RA_API) in ARCOSDSConfig.ini.
   d. DBSetting.ini - Server details of the Secondary Node; the RDP Database is ARCOSDB_RA.
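The HA/DR tables earlier in this document call for SQL Server Always On with automatic failover from Primary to HA and manual failover to DR, and step 2 of the Restricted Mode setup needs a read-only copy of ARCOSDB that stays in sync with the Full Mode database. The T-SQL below is an added example, not ARCON's own script nor part of the handbook; it assumes an availability group is the mechanism behind that sync (the handbook names AlwaysOn as one option and does not specify the mechanism), and the node names PRIMARY-NODE, HA-NODE and DR-NODE, the domain corp.example, the endpoint port, the group name ARCON_PAM_AG, the listener name and IP address are all placeholders.

```sql
-- Added example (not from the ARCON handbook): an Always On availability group
-- wired the way the HA/DR tables describe, with ARCOSDB readable on the
-- secondaries as the Restricted Mode DB server requires.
-- Assumptions: node names, corp.example, port 5022, the AG name, listener name
-- and IP are placeholders. ARCOSDB must be in FULL recovery with a full backup
-- taken, and all three nodes must already be members of one Windows cluster.

-- 1. Database mirroring endpoint: run once on EVERY node. The replicated
--    database holds privileged credentials and session records, so
--    encryption on the replication channel is required, not optional.
CREATE ENDPOINT Hadr_endpoint
    STATE = STARTED
    AS TCP (LISTENER_PORT = 5022)
    FOR DATABASE_MIRRORING (ROLE = ALL, ENCRYPTION = REQUIRED ALGORITHM AES);
GO

-- 2. Availability group: run on the primary. Primary <-> HA are synchronous
--    with AUTOMATIC failover; DR is asynchronous with MANUAL failover only,
--    matching "Failover from Primary to HA will be Automatic and Failover
--    to DR will be Manual". SECONDARY_ROLE READ_ONLY gives the Restricted
--    Mode node its read-only ARCOSDB without allowing writes there.
CREATE AVAILABILITY GROUP ARCON_PAM_AG
WITH (AUTOMATED_BACKUP_PREFERENCE = SECONDARY)
FOR DATABASE ARCOSDB
REPLICA ON
    N'PRIMARY-NODE' WITH (
        ENDPOINT_URL = N'TCP://PRIMARY-NODE.corp.example:5022',
        AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,
        FAILOVER_MODE = AUTOMATIC,
        SECONDARY_ROLE (ALLOW_CONNECTIONS = READ_ONLY)),
    N'HA-NODE' WITH (
        ENDPOINT_URL = N'TCP://HA-NODE.corp.example:5022',
        AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,
        FAILOVER_MODE = AUTOMATIC,
        SECONDARY_ROLE (ALLOW_CONNECTIONS = READ_ONLY)),
    N'DR-NODE' WITH (
        ENDPOINT_URL = N'TCP://DR-NODE.corp.example:5022',
        AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,
        FAILOVER_MODE = MANUAL,
        SECONDARY_ROLE (ALLOW_CONNECTIONS = READ_ONLY));
GO

-- 3. Listener, so DBSetting.ini on the application servers can point at one
--    name that follows the primary after an automatic Primary -> HA failover.
ALTER AVAILABILITY GROUP ARCON_PAM_AG
ADD LISTENER N'arcon-pam-db' (WITH IP ((N'10.0.0.50', N'255.255.255.0')), PORT = 1433);
GO

-- 4. On HA-NODE and DR-NODE, after restoring ARCOSDB there WITH NORECOVERY:
-- ALTER AVAILABILITY GROUP ARCON_PAM_AG JOIN;
-- ALTER DATABASE ARCOSDB SET HADR AVAILABILITY GROUP = ARCON_PAM_AG;

-- 5. Manual failover to DR (run on DR-NODE only when the primary site is lost;
--    the async replica may be behind, so the forced failover accepts data loss):
-- ALTER AVAILABILITY GROUP ARCON_PAM_AG FORCE_FAILOVER_ALLOW_DATA_LOSS;

-- 6. Verification: each replica's configured failover mode and its live
--    role and synchronization health in one result set.
SELECT ar.replica_server_name,
       ar.availability_mode_desc,
       ar.failover_mode_desc,
       ar.secondary_role_allow_connections_desc,
       rs.role_desc,
       rs.synchronization_health_desc
FROM sys.availability_replicas AS ar
JOIN sys.dm_hadr_availability_replica_states AS rs
  ON ar.replica_id = rs.replica_id;
```

With ALLOW_CONNECTIONS = READ_ONLY, a connection aimed directly at the secondary node (as DBSetting.ini on the Restricted Mode server does) is only accepted when its connection string carries ApplicationIntent=ReadOnly; that is the intended behaviour, since the synced ARCOSDB copy must never be written on the secondary, and the writable ARCOSDB_RA database referenced by DBSetting_RA.ini stays outside the group. The verification query is worth running after any failover: a replica reporting failover_mode_desc = MANUAL with role_desc = PRIMARY means the DR site was promoted by hand and the Primary/HA pair must be re-seeded before automatic failover is available again.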
