PoC Prerequisites - BeyondTrust Cloud Password Safe


Pre-requisites & SoW for Password Safe Cloud PoC

1. Password Safe Cloud Instance URL (provided by BeyondTrust)

2. Resource Broker Server
1. Windows Server OS: 2019 x64 (Standard or Enterprise edition)
2. Minimum 16 GB RAM / 80 GB hard disk space.
3. One CPU, 4 cores.
4. Domain joined (recommended). The Resource Broker should be able to contact all your systems in the domain.
5. The Password Safe URL must resolve from the Resource Broker and from the end-user machine. (The URL will be shared by BeyondTrust.)
Or
An equivalent EC2 / Azure instance

3. (Optional) Application Server:
◼ For 3rd-party tool sessions (e.g. MSSQL Studio, web admin consoles, etc.)
• Windows Server OS: 2016 or 2019 (Standard or Enterprise edition)
• 16 GB RAM required
• 80 GB hard disk space
• RDS/Terminal Services
Or
An equivalent EC2/Azure instance

4. Firewall Ports:
• Resource Broker to Password Safe Cloud: TCP 443.
• End user to Password Safe Cloud: TCP 443.
• End user to Resource Broker: TCP 4489, 4422.
• Resource Broker to data centre servers: TCP 22, 3389, 25, 139, 443, 445, 554. If AD is on-premises, port 389/636 will also be needed.
• Application Server: an RDS server is required if application sessions are to be shown through BeyondTrust Password Safe; the corresponding application ports (e.g. 1433, 1521, or whatever the application uses) will then also be required.

5. Proxy:
• SSL/TLS certificate inspection by proxy solutions such as Zscaler must not block the URLs listed below.

The Resource Broker software resolves the following hostnames via DNS and communicates with them over HTTPS/443. These hosts should be allowed in firewall/proxy settings and be accessible from the Resource Broker:

Cloud Instance (controlled by BeyondTrust):
INSTANCE-NAME.ps.beyondtrustcloud.com (or simply *.ps.beyondtrustcloud.com)

Storage Account (controlled by Microsoft):
saINSTANCE-NAMEpsstorage.file.core.windows.net (or simply *.file.core.windows.net)

Blob Storage Account (controlled by Microsoft):
saINSTANCE-NAMEpsstorage.blob.core.windows.net (or simply *.blob.core.windows.net)

Service Bus (controlled by Microsoft):
Multiple URLs (recommended to allow *.servicebus.windows.net)

Examples:
If the tenant URL is https://c06a01.ps.beyondtrustcloud.com/, then the namespace is c06a01.
Open PowerShell on the Resource Broker server and test connectivity as below (replace namespace with your own, e.g. c06a01):

Test-NetConnection namespace.ps.beyondtrustcloud.com -Port 443
Test-NetConnection sanamespacepsstorage.file.core.windows.net -Port 443
Test-NetConnection sanamespacepsstorage.blob.core.windows.net -Port 443
Test-NetConnection relay-namespace.servicebus.windows.net -Port 443
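The following PowerShell is an added example, not BeyondTrust's GetNamespaceInfo.ps1 or any script from this document: it derives the namespace from the tenant URL, builds the four hostnames above, and checks DNS resolution and TCP/443 reachability from the Resource Broker in one pass; it optionally takes data-centre servers and ports from the firewall section so those rules can be verified the same way. The hostname patterns come from this page; the parameter names and the sample data-centre target in the comment are assumptions.

```powershell
# Added example (not BeyondTrust's script). Run on the Resource Broker server, e.g.:
#   .\Test-PsCloudPrereqs.ps1 -TenantUrl https://c06a01.ps.beyondtrustcloud.com/ `
#       -DataCentreChecks @{ 'dc01.corp.example' = 389,636; 'lin01.corp.example' = 22 }
param(
    [Parameter(Mandatory)] [string]$TenantUrl,   # tenant URL shared by BeyondTrust
    [hashtable]$DataCentreChecks = @{}           # optional: hostname -> port(s) (assumed parameter)
)

# The namespace is the first DNS label of the tenant host, e.g. "c06a01"
$tenantHost = ([Uri]$TenantUrl).Host
$namespace  = $tenantHost.Split('.')[0]

# Hostname patterns from the allow list above, filled in with the namespace
$cloudHosts = @(
    "$namespace.ps.beyondtrustcloud.com",
    "sa${namespace}psstorage.file.core.windows.net",
    "sa${namespace}psstorage.blob.core.windows.net",
    "relay-$namespace.servicebus.windows.net"
)

# One (host, port) check per cloud hostname on 443, plus any data-centre targets supplied
$checks = [System.Collections.Generic.List[object]]::new()
foreach ($h in $cloudHosts) { $checks.Add([pscustomobject]@{ Host = $h; Port = 443 }) }
foreach ($srv in $DataCentreChecks.Keys) {
    foreach ($p in $DataCentreChecks[$srv]) {
        $checks.Add([pscustomobject]@{ Host = $srv; Port = [int]$p })
    }
}

# DNS is tested separately so a proxy/firewall block can be told apart from a resolver problem
$results = foreach ($c in $checks) {
    $dnsOk = $false
    try { $null = Resolve-DnsName -Name $c.Host -ErrorAction Stop; $dnsOk = $true } catch {}
    $tcp = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host        = $c.Host
        Port        = $c.Port
        DnsResolves = $dnsOk
        TcpOpen     = $tcp.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Anything failing here is a firewall/proxy/DNS rule that still needs to be added before the PoC
$failed = @($results | Where-Object { -not ($_.DnsResolves -and $_.TcpOpen) })
if ($failed.Count -gt 0) {
    $list = ($failed | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "Still blocked or unresolvable: $list"
}
```

Data-centre targets should be given as hostnames rather than IP addresses, since the DNS check performs a forward lookup.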

To avoid allowing *.servicebus.windows.net, there is a PowerShell script that can be used to determine all the gateways (URLs) for the relay namespace. These URLs would need to be allowed and accessible from the Resource Broker on port 443.

To generate the full allow-list information for a relay, there is a PowerShell script in the installation directory under Utilities called GetNamespaceInfo.ps1:

1. Run the Windows PowerShell ISE application.

2. From the menu, select File > Open, navigate to C:\Program Files\BeyondTrust\Resource Broker\Utilities, select the GetNamespaceInfo.ps1 file, then click the Open button.

3. Click the green arrow Run Script icon or press F5 to start the script.

4. When the script prompts for the Namespace, enter relay-TENANT (e.g. relay-WUNVENC), then press Enter.

Reference: https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/cloud/resource-broker/install-resource-broker.htm

6. Antivirus Exception: The following paths must not be blocked by antivirus (we recommend an exclusion rule):

C:\Program Files\BeyondTrust
C:\ProgramData\BeyondTrust

7. Examples of accounts and their usage

Managed Systems
Windows and Linux servers as target servers (privileged assets)

To on-board an AD account and Windows server:
• Managed Account – “svc_pam” [a service account used for everyday access to Windows servers]
• Functional Account (password change permission) – “FA_svc_pam” [a service account used to rotate the MA account (svc_pam) password at a regular interval]

To on-board a Linux server and account:
• Managed Account – “svc_linux_users” [a service account used for everyday access to Windows servers]
• Functional Account (password change permission) – “FA_svc_linux_users” [a service account used to rotate the Linux MA account (svc_Linux_pam) password at a regular interval]

To integrate AD with the PAM portal for user authentication:
• AD Bind Account (read access, read all) – “PAM_BIND” [this account needs read access only; its expiry will match the PoC duration]

AD Security Groups (for RBAC – Role-Based Access Control):
• “PAM_Requesters_Group” (users who need access to the PAM portal will be members of this security group)
** There can be multiple groups, e.g. “Windows_Requester_Group”, “Linux_Requester_Group”, etc.

• “PAM_Approvers_Group” (users who need to approve requests will be members of this security group)
** There can be multiple groups, e.g. “Windows_Requester_Group”, “Linux_Requester_Group”, etc.

For Discovery:
• Scan Account – “svc_scan_pam” [generally a directory-based account with admin rights, used to remotely scan a host and discover asset attributes such as services, scheduled tasks, and privileged accounts]
PoC Architecture to manage On-Prem Assets & Cloud Assets

Major Use-cases
1. Minimal hardware requirement
2. Auto discovery and classification of assets
3. Auto on-boarding of assets
4. RBAC access and JIT access
5. Session recording, live session monitoring, session termination
6. Reporting
