PoC Prerequisites - BeyondTrust Cloud Password Safe
3. (Optional) Application Server:
◼ For third-party tool sessions (for example SQL Server Management Studio, web admin consoles, etc.)
• Windows Server OS: 2016 or 2019 (Standard or Enterprise edition)
• 16 GB RAM
• 80 GB hard disk space
• RDS/Terminal Services role
Or
• Equivalent EC2/Azure instance
4. Firewall Ports:
• Resource Broker to Password Safe Cloud: TCP 443.
• End User to Password Safe Cloud: TCP 443.
• End User to Resource Broker: TCP 4489, 4422.
• Resource Broker to Data Centre servers: TCP 22, 3389, 25, 139, 443, 445, 554.
If AD is on-premises, TCP 389/636 (LDAP/LDAPS) to the domain controllers is also needed.
• Application Server: an RDS server is required if application sessions are to be presented through BeyondTrust Password Safe; the application's own port (for example 1433 for MSSQL or 1521 for Oracle) must then be opened from the application server to the target accordingly.
5. Proxy:
• SSL/TLS certificate inspection by proxy solutions such as Zscaler must not block the URLs below.
The Resource Broker software resolves (DNS) and communicates with the following URLs over HTTPS/443. These hosts must be allowed in the firewall/proxy settings and be reachable from the Resource Broker:
Example:
If the tenant URL is https://c06a01.ps.beyondtrustcloud.com/, then the namespace is c06a01.
Open PowerShell on the Resource Broker server and test the connectivity below.
To generate the full allow-list information for a relay, there is a PowerShell script in the installation directory under Utilities called GetNamespaceInfo.ps1:
1. Open PowerShell ISE on the Resource Broker server.
2. From the menu, select File > Open, navigate to the file location C:\Program Files\BeyondTrust\Resource Broker\Utilities, select the GetNamespaceInfo.ps1 file, then click the Open button.
3. Click the green arrow Run Script icon or press the F5 shortcut key to start the script.
4. When the script prompts for the Namespace, enter relay-TENANT (e.g. relay-WUNVENC), then press the Enter key.
Reference: https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/cloud/resource-broker/install-resource-broker.htm
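The following PowerShell script is an added example for sections 4 and 5; it is not part of the BeyondTrust documentation or of this checklist. Run on the Resource Broker host, it checks the outbound port matrix from section 4, confirms the broker is listening on the end-user ports, and reports who issued the cloud endpoint's TLS certificate so that proxy SSL inspection (section 5) can be spotted. The namespace c06a01 is the page's own example; the on-premises host names dc01.corp.example and app01.corp.example are placeholders to replace.

```powershell
# Added example (not BeyondTrust's code). Save as Test-PamPrereqs.ps1 and run on the
# Resource Broker server. Host names below are assumed placeholders.
param(
    [string]$Namespace = 'c06a01',                                      # from https://c06a01.ps.beyondtrustcloud.com/
    [string[]]$Targets = @('dc01.corp.example', 'app01.corp.example'),   # assumed Data Centre servers
    [string]$DomainController = 'dc01.corp.example'                      # assumed on-prem AD
)

$cloudHost = "$Namespace.ps.beyondtrustcloud.com"

# Outbound port matrix from section 4 (port numbers from the page; labels are descriptive only).
$checks = @(
    @{ Target = $cloudHost; Port = 443; Purpose = 'Resource Broker -> Password Safe Cloud' }
)
foreach ($t in $Targets) {
    foreach ($p in 22, 3389, 25, 139, 443, 445, 554) {
        $checks += @{ Target = $t; Port = $p; Purpose = 'Resource Broker -> Data Centre server' }
    }
}
# AD is assumed on-premises, so LDAP/LDAPS to the domain controller is also required.
$checks += @{ Target = $DomainController; Port = 389; Purpose = 'LDAP' }
$checks += @{ Target = $DomainController; Port = 636; Purpose = 'LDAPS' }

$results = foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $c.Target
        Port    = $c.Port
        Purpose = $c.Purpose
        Open    = $r.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize
$closed = $results | Where-Object { -not $_.Open }
if ($closed) { Write-Warning ("Blocked: " + (($closed | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', ')) }

# Inbound: end users reach the broker on TCP 4489/4422, so something must be listening here.
Get-NetTCPConnection -State Listen -LocalPort 4489, 4422 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Section 5: if the cloud certificate issuer is your proxy CA (e.g. Zscaler) rather than a
# public CA, the proxy is re-signing TLS and the tenant host needs an inspection bypass.
$tcp = [System.Net.Sockets.TcpClient]::new($cloudHost, 443)
$ssl = [System.Net.Security.SslStream]::new(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })   # inspect only; no validation here
$ssl.AuthenticateAsClient($cloudHost)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
"Cloud endpoint certificate issuer: $($cert.Issuer)"
$ssl.Dispose(); $tcp.Dispose()
```

The certificate check deliberately accepts any chain so that it can report an intercepting proxy instead of failing on it; it is a diagnostic, not a connection you should reuse. A result of "Open = False" on 389/636 is expected when the directory is Azure AD only.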
6. Antivirus Exceptions: the following paths must not be blocked by antivirus (an exclusion rule is recommended):
C:\Program Files\BeyondTrust
C:\ProgramData\BeyondTrust
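As an added example (not from the BeyondTrust documentation), this is how the two exclusions above are applied and verified on a host running Microsoft Defender; third-party antivirus products need the same two paths entered in their own console. Run from an elevated PowerShell session.

```powershell
# Added example: Defender path exclusions for the BeyondTrust install and data directories.
$paths = 'C:\Program Files\BeyondTrust', 'C:\ProgramData\BeyondTrust'

Add-MpPreference -ExclusionPath $paths

# Verify the exclusions actually landed (policy or tamper protection can silently override).
$configured = (Get-MpPreference).ExclusionPath
$missing = $paths | Where-Object { $_ -notin $configured }
if ($missing) {
    throw "Exclusion not applied for: $($missing -join ', ')"
}
"Defender path exclusions in place: $($configured -join '; ')"
```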
Managed Systems
Windows and Linux servers as target servers (privileged assets)
To onboard an AD account and Windows server:
• Managed Account: "svc_pam" [a service account used for everyday access to Windows servers]
• Functional Account (password change permission): "FA_svc_pam" [a service account used to rotate the managed account (svc_pam) password at a regular interval]
• "PAM_Requesters_Group" (users who need access to the PAM portal are members of this security group)
** Can have multiple groups, such as "Windows_Requester_Group", "Linux_Requester_Group", etc.
• "PAM_Approvers_Group" (users who need to approve requests are members of this security group)
** Can have multiple groups, such as "Windows_Approver_Group", "Linux_Approver_Group", etc.
For Discovery
• Scan Account: "svc_scan_pam" [generally a directory-based account with admin rights, used to remotely scan a host and discover asset attributes such as services, scheduled tasks, and privileged accounts]
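The PowerShell below is an added example, not BeyondTrust's code, that creates the onboarding objects named in this section (svc_pam, FA_svc_pam, svc_scan_pam, PAM_Requesters_Group, PAM_Approvers_Group) in Active Directory and delegates only the password-reset right the functional account needs. The OU path OU=PAM,DC=corp,DC=example and the CORP NetBIOS domain are assumptions; the account and group names are the ones listed above.

```powershell
# Added example: create the PAM accounts and groups from the prerequisites list.
# Assumed: OU=PAM,DC=corp,DC=example exists and the domain NetBIOS name is CORP.
Import-Module ActiveDirectory

$ou     = 'OU=PAM,DC=corp,DC=example'
$domain = 'CORP'

$serviceAccounts = @(
    @{ Name = 'svc_pam';      Description = 'PAM managed account: everyday access to Windows servers' }
    @{ Name = 'FA_svc_pam';   Description = 'PAM functional account: rotates the svc_pam password' }
    @{ Name = 'svc_scan_pam'; Description = 'PAM discovery scan account' }
)

foreach ($a in $serviceAccounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Name)'") { continue }   # idempotent
    # Prompt for a unique initial password per account; Password Safe rotates it after onboarding.
    $initial = Read-Host "Initial password for $($a.Name)" -AsSecureString
    New-ADUser -Name $a.Name -SamAccountName $a.Name -Path $ou `
        -Description $a.Description -AccountPassword $initial -Enabled $true
}

foreach ($g in 'PAM_Requesters_Group', 'PAM_Approvers_Group') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou `
            -Description 'Password Safe portal access group'
    }
}

# Least privilege for the functional account: delegate "Reset Password" on user objects under the
# OU (inherit to sub-objects) instead of making it a Domain Admin.
dsacls $ou /I:S /G "$domain\FA_svc_pam:CA;Reset Password;user"

# Flag the shortcut if someone has already taken it.
$fa = Get-ADUser 'FA_svc_pam' -Properties MemberOf
if ($fa.MemberOf -match '^CN=Domain Admins,') {
    Write-Warning 'FA_svc_pam is a member of Domain Admins; remove it and rely on the OU delegation.'
}
```

The scan account's local administrator rights on target hosts are granted separately (for example through a GPO), which is why the script creates it but does not elevate it. Keep the managed accounts in their own OU so the delegated reset right cannot be used against accounts outside the PAM scope.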
PoC Architecture to manage On-Prem Assets & Cloud Assets
Major Use-cases