Password Manager 5.8.2 - Administrator Guide (AD LDS edition)


Password Manager in Perimeter Network

When deploying Password Manager in a perimeter network (also known as a DMZ), it is recommended to first install the Password Manager Service and the sites in the corporate network (that is, use the Full installation option in the Password Manager setup), and then install only the Self-Service and Helpdesk sites in the perimeter network.

When you use this installation scenario, only one port needs to be open in the firewall between the corporate network and the perimeter network (by default, port 8081 is used).

For more information on installing the Self-Service and Helpdesk sites separately from the Password Manager Service, see Installing Self-Service and Helpdesk Sites on a Standalone Server.

Installing Password Manager in Perimeter Network with Reverse Proxy

A reverse proxy is a proxy server that is typically deployed in a perimeter network to enhance the security of the corporate network. By providing a single point of access to the servers installed in the intranet, the reverse proxy shields those servers from direct external access.

If a reverse proxy is already deployed in the perimeter network of your environment, it is recommended to install the Password Manager Service and the Self-Service and Helpdesk sites in the intranet, and to configure the reverse proxy to redirect requests from external users to the correct intranet URLs of the Password Manager sites.
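The following nginx configuration is an added illustration of this scenario and is not part of the One Identity documentation: the proxy in the perimeter network publishes only the Self-Service and Helpdesk sites and returns 404 for every other path, so nothing else hosted on the intranet server is reachable from outside. The external host name, the intranet server name, the site paths and the certificate locations are placeholders.

```nginx
# Added example: reverse proxy in the perimeter network that forwards only the
# Self-Service and Helpdesk sites to the Password Manager server in the intranet.
# All host names, paths and certificate files below are placeholders.
server {
    listen 443 ssl;
    server_name pwreset.example.com;                  # placeholder external name

    ssl_certificate     /etc/nginx/tls/pwreset.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/pwreset.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Self-Service site: external path is mapped to the intranet URL of the site
    location /SelfService/ {
        proxy_pass         https://pm-intranet.corp.example/SelfService/;  # placeholder
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Helpdesk site
    location /Helpdesk/ {
        proxy_pass         https://pm-intranet.corp.example/Helpdesk/;     # placeholder
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Anything not listed above is not published to external users
    location / {
        return 404;
    }
}
```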

Management Policy Overview

A Management Policy is a core concept in Password Manager. Management Policies let you organize and group settings for a dedicated set of users and helpdesk operators.

Management Policy Components

The following diagram illustrates the Management Policy components:

User scope defines the user groups, from the specified AD LDS instances, that can access the Self-Service site and use the corresponding workflows. You can add multiple AD LDS connections to a single user scope, and the same connection can be used in both the user scope and the helpdesk scope.

Helpdesk scope defines the groups of helpdesk operators, from the specified AD LDS instances, that can access the Helpdesk site and manage users from the user scope using the helpdesk workflows. You can add multiple AD LDS connections to a single helpdesk scope, and the same connection can be used in both the user scope and the helpdesk scope.

Self-Service and helpdesk workflows define the tasks that are available to users and helpdesk operators on the Self-Service and Helpdesk sites, for example Forgot My Password, Assign Passcode, and Unlock Account.

Questions and Answers policy comprises a list of secret questions (in the default and additional languages) that users must answer to authenticate themselves, together with Q&A profile settings that govern the questions and answers, such as the minimum length of an answer or a question and the number of required user-defined questions.

User enforcement rules define how users are prompted to register with Password Manager and reminded to change their passwords. For each enforcement rule a corresponding scheduled task exists; for example, the Invitation to Create/Update Profile scheduled task corresponds to the Invite Users to Create/Update Profiles enforcement rule. By default, the enforcement rules are not configured. To start notifying users to create or update their Q&A profiles and to change their passwords, you need to configure the rules after Password Manager is installed.
