Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.11 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Networking

On Networking, view and configure the primary network interface, and if applicable, a proxy server to relay web traffic, and the sessions network interface.

It is the responsibility of the Appliance Administrator to ensure the network interfaces are configured correctly.

CAUTION: For AWS or Azure, network settings user interfaces are read-only. Network settings configured by the AWS or Azure Administrator. Changing the internal network address on a clustered appliance will break the cluster and require the appliance to be unjoined/rejoined.

(web client) To modify the networking configuration settings

  1. Click Settings on the left. The Settings: Appliance page displays.
  2. Click Networking to configure the appliance.
  3. Continue to the Network settings

(desktop client) To modify the networking configuration settings

  1. Navigate to Administrative Tools | Settings | Appliance | Networking.
  2. Click the Edit icon next to the Network Interface or Proxy Server heading to edit or configure the network properties.
  3. Network settings
Network settings

Complete the network settings. For more information, see Modifying the IP address.

Network Interface X0 (primary interface)

Table 119: Network Interface X0 properties
Property Description
MAC Address The media access control address (MAC address), a unique identifier assigned to the network interface for communications
IP Address

The IPv4 address of the network interface

Netmask The IPv4 network mask
Default Gateway The IPv4 default gateway
IPv6 Address The IPv6 address of the network interface
IPv6 Prefix Length The IPv6 subnet prefix length
IPv6 Gateway The IPv6 default gateway
DNS Servers The IP address for the primary DNS servers
DNS Suffixes

The network suffixes for the DNS servers

NOTE: You can modify the network suffixes for the DNS servers by clicking the Edit icon next to the Network Interface X0 heading.

Proxy Server X0

The Proxy Server X0 settings must be configured if your company policies do not allow devices to connect directly to the web. Once configured, Safeguard for Privileged Passwords uses the configured proxy server for outbound web requests to external integrated services, such as Starling.

NOTE: Only HTTP web proxy is supported.

Table 120: Proxy Server X0 properties

Property

Description

Proxy URI

The IP address or DNS name of the proxy server.

Port

The port number used by the proxy server to listen for HTTP requests.

Value: Integer from 1 to 65535.

NOTE: If different ports are specified in the proxy URI and the Port field, the Port field takes precedence.

Username

The user name used to connect to the proxy server.

NOTE: The username and password are only required if your proxy server requires them to be specified.

Password

The password required to connect to the proxy server.

NOTE: The username and password are only required if your proxy server requires them to be specified.

Modifying the IP address

You can change the IP address of an SPP Appliance as long as the other appliances in the SPP cluster are able to see the new subnet.

It is recommended you use the procedure below in a test environment and then deploy the steps in production. Allow plenty of time for the IP address to change. The operation will take several minutes to complete before the cluster has adjusted to the change.

  1. Ensure you are using Safeguard for Privileged Passwords2.4 or above.
  2. Before changing the X0 IP address, make a backup.
  3. Generate a support bundle on the appliance you plan to modify the IP address on. Start with the replica first.
  4. The desktop client will give guidance on screen as you wait for the changes to be completed.
  5. After the X0 IP address change, verify clustering is working. It is recommended you change some data on the primary and verify it appears on the replica by logging on to the replica with the desktop client.
  6. Repeat step 3, 4, and 5 for the other replicas.
  7. Once the replicas are changed, proceed with the Primary.

Safeguard for Privileged Sessions (SPS) IP address change

CAUTION: When SPP and SPS are joined and then the IP address of either the SPS cluster master (Central Management role) or the SPP primary appliance are changed, then the SPP/SPS join will need to be redone. See the information that follows.

  1. Use the following information in the SPS documentation to understand SPS cluster roles, settings, and IP address updating.
  2. If the IP address is changed, you must rejoin the cluster. For more information, see Joining SPS to SPP.
  3. Once the SPS IP addresses are successfully changed, you will need to delete the session connection in the SPP settings and rejoin the SPS cluster master to the SPP primary. For more information, see SPP and SPS sessions appliance join guidance.

Operating system licensing

It is the responsibility of the Appliance Administrator to ensure the operating system is configured. Operating system licensing is automatic in the AWS and Azure deployments.

Use the Operating System Licensing pane to view and configure the operating system of a virtual appliance.

  1. Navigate to Administrative Tools | Settings | Appliance | Operating System Licensing. Click Refresh anytime to refresh the settings.
  2. The display shows if Windows is licensed with KMS or licensed with a product key. Click Details to see additional information.
  3. Click Edit to change the operating system license and select one of the following options.
    • License automatically with KMS: If you select this option, Safeguard will use DNS to locate the KMS server automatically.
    • Specify a KMS server: If KMS is not registered with DNS, enter the network IP address of your KMS server.
    • Specify a license key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.
  4. Click OK.

Support Bundle

To analyze and diagnose issues, One Identity Support may ask the Appliance Administrator or Operations Administrator to send a support bundle containing system and configuration information.

NOTE: As an alternative, you can use the Recovery Kiosk to generate and send a support bundle to a Windows share. For more information, see Recovery Kiosk (Serial Kiosk).

NOTE: Virtual appliance support bundles are generate from the web management console. For more information, see Support Kiosk.

To create a support bundle

  1. Navigate to Administrative Tools | Settings | Appliance | Support Bundle.

  2. Click Generate Support Bundle.
  3. Browse to select a location to save the support bundle .zip file and click Save.
  4. Send the support bundle to One Identity Support.
Related Topics

Troubleshooting

Frequently asked questions

Time

Time displays the current appliance time and allows you to enable Network Time Protocol (NTP) and set the primary and secondary NTP servers. In addition, when enabled, the NTP client status can be displayed.

It is the responsibility of the Appliance Administrator to manage the appliance time.

NOTE: A warning appears if your local time is not within five minutes of the appliance time. One Identity recommends that you set an NTP server to eliminate possible time-related issues.

NOTE: Clustered environments: NTP setting changes are made on the primary appliance in a cluster. When a replica appliance is enrolled into the cluster, it points to the primary appliance's VPN IP address as the Primary NTP Server and the NTP client service is enabled on the replica appliance. When performing a failover operation to promote a replica to be the new primary, the Primary NTP Server is preserved and applied from the 'old' primary appliance.

To enable Network Time Protocol (NTP) and set the primary and secondary NTP servers

  1. Go to Time:
    • In the web client, click  Settings on the left. The Settings: Appliance page displays. Click Time.
    • In the desktop client, navigate to Administrative Tools | Settings | Appliance | Time.
  2. Select the Enable Network Time Protocol (NTP) check box to enable NTP.
  3. Provide the following information:

    • Primary NTP Server: Enter the IP address or DNS name of the primary NTP server.
    • Secondary NTP Server: (Optional) Enter the IP address or DNS name of the secondary NTP server.
  4. Click OK or Save to save your selections.

    When NTP is enabled, the following information about the NTP client status is displayed:

    • Last Sync Time
    • Leap Indicator
    • Poll Interval
    • Precision
    • Reference ID
    • Root Delay
    • Root Dispersion
    • Source
    • Stratum

    NOTE: Select Show Last Sync Details and Hide Details to display more or less information.

Related Topics

How do I set the appliance system time

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating