Session Appliances with Safeguard for Privileged Sessions link
The Asset Administrator can link a Safeguard for Privileged Sessions (SPS) cluster to a SPP (SPP) cluster of one appliance or more for session recording and auditing. The actual link must be between the SPP primary and the Safeguard for Privileged Sessions cluster master. This means that the Safeguard for Privileged Sessions cluster is aware of each node in an SPP cluster and vice-versa.
Once linked, all sessions are initiated by the SPP appliance via an access request and managed by the Safeguard for Privileged Sessions appliance and sessions are recorded via the Sessions Appliance.
|
CAUTION: When linking your Safeguard for Privileged Sessions (SPS) deployment to your SPP (SPP) deployment, ensure that the SPS and SPP versions match exactly, and keep the versions synchronized during an upgrade. For example, you can only link SPS version 6.6 to SPP version 6.6, and if you upgrade SPS to version 6.7, you must also upgrade SPP to 6.7. Make sure that you do not mix Long Term Supported (LTS) and feature releases. For example, do not link an SPS version 6.0.1 to an SPP version 6.1. |
NOTE: If you have a single node Safeguard for Privileged Sessions cluster where the Central Management node is also the Search Master, SPP will be unable to launch sessions. There has to be at least one Safeguard for Privileged Sessions appliance in the cluster that is capable of recording sessions. See the One Identity Safeguard for Privileged Sessions Administration Guide, Managing Safeguard for Privileged Sessions (SPS) clusters.
Safeguard for Privileged Passwords link guidance
Before initiating the link, review the steps and considerations in the link guidance. For more information, see For more information, see SPP and Safeguard for Privileged Sessions appliance link guidance..
Pay attention to the roles assigned to the SPS nodes. The following caution is offered to avoid losing session playback from SPP.
|
CAUTION: Do not switch the role of a Safeguard for Privileged Sessions node from the Search Local role to Search Minion role. If you do, playback of the sessions recorded while in the Search Local role may not be played back from the SPP appliance, and may only be played back via the Safeguard for Privileged Sessions web user interface. Recordings made with the node in Search Minion role are pushed to the Search Master node and are available for download to SPP. For details about Safeguard for Privileged Sessions nodes and roles, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation. |
Standard operating procedure after the initial link
If you add another Safeguard for Privileged Sessions cluster after the initial link, follow these standard operating procedures:
-
Add link connections. See Viewing, deleting, or editing link connections.
-
Identify the session settings on the entitlements access request policy (SPS Connection Policy which is the IP address of the cluster master). For more information, see Creating an access request policy
-
Assign the managed networks. For more information, see For more information, see Managed Networks..
-
Enable the Session Access Enabled toggle.
If the Safeguard for Privileged Sessions Central Management node is down
SPP continues to launch sessions on the managed hosts when the Safeguard for Privileged Sessions Central Management node is down. However, as long as the Central Management node is down, SPP cannot validate existing policies nor can it validate the Safeguard for Privileged Sessions cluster topology. For more information, see Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster in the One Identity Safeguard for Privileged Sessions Administration Guide.
Viewing, deleting, or editing link connections
Once the link is complete, in the web client, navigate to go to Cluster > Session Appliances.
The Session Appliances pane displays the following session details.
Property | Description |
---|---|
Host Name |
The host name of the Safeguard for Privileged Sessions appliance host cluster master. |
Managed Hosts |
Other nodes in the Safeguard for Privileged Sessions cluster identified by the managed host name and IP address. Hover over any Warning icon to see if the Managed Host is Unavailable or Unknown. |
Network Address |
The network DNS name or IP address of the session connection. |
Connection User |
The user name for Safeguard for Privileged Passwords. Do not include spaces in the user name. |
Thumbprint |
A unique hash value that identifies the certificate. |
Description |
(Optional) Descriptive text about the Safeguard for Privileged Sessions session connection (for example, 20 on cluster - 172 primary node). |
Double-click a Host Name row to bring up the Session Module Connection dialog.
Property | Description |
---|---|
Node ID |
The name of the Safeguard for Privileged Sessions Appliance used to authenticate the linked SPS session connection. |
Host Name |
The host name of the Safeguard for Privileged Sessions appliance host cluster master. |
Connection User name |
The user name for Safeguard for Privileged Passwords. Do not include spaces in the user name. |
Description |
(Optional) Descriptive text about the Safeguard for Privileged Sessions session connection (for example, 20 on cluster - 172 primary node). |
Network Address |
The network DNS name or IP address of the session connection. |
Use Host Name For Launch (not IP address) |
If checked, the connection string used to launch a session uses the host name of the Safeguard for Privileged Sessions appliance rather than the IP address. |
Use these toolbar buttons to manage sessions.
Option | Description |
---|---|
Remove |
Remove the selected linked Safeguard for Privileged Sessions session connection. For details on soft versus hard deletes, see Connection deletion: soft delete versus hard delete. |
Edit |
Modify the selected linked Safeguard for Privileged Sessions session connection Description or Network Address on the Session Module Connection dialog. |
Refresh |
Update the list of linked Safeguard for Privileged Sessions session connections. |