立即与支持人员聊天
与支持团队交流

Password Manager 5.14.2 - Administration Guide

About Password Manager Getting started Password Manager architecture
Password Manager components and third-party applications Typical deployment scenarios Password Manager in a perimeter network Management Policy overview Password policy overview Secure Password Extension overview reCAPTCHA overview User enrollment process overview Questions and Answers policy overview Password change and reset process overview Data replication Phone-based authentication service overview
Management policies
Checklist: Configuring Password Manager Understanding Management Policies Adding or cloning a new Management Policy Configuring access to the Administration Site Configuring access to the Password Manager Self-Service Site Configuring access to the Helpdesk Site Configuring Questions and Answers policy Workflow overview Custom workflows Custom activities Password Manager Self-Service Site workflows Helpdesk workflows Notification activities User enforcement rules
General Settings
General Settings overview Search and logon options Importing and exporting configuration settings Outgoing mail servers Diagnostic logging Scheduled tasks Web Interface customization Instance reinitialization Realm Instances Domain Connections Extensibility features RADIUS Two-Factor Authentication Internal Feedback Customizing help link URL Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable 2FA for administrators and helpdesk users Reporting Password Manager integration Accounts used in Password Manager Open communication ports for Password Manager Customization options overview Third-party contributions Glossary

Realm deployment

In this scenario, you install several Password Manager Services on separate servers. If all the instances of Password Manager share the same configuration (management policies, general settings, password policies, encryption algorithm, encryption key length, hashing algorithm, attribute for storing configuration data, and realm affinity ID), they are referred to as a realm.

The realm provides for high availability of the service, load balancing, and fault tolerance.

For Password Manager Service instances installed on separate servers, you can use a load balancer to enhance service availability.

To create the Password Manager realm, you need to create replicas of an existing instance by exporting settings from this instance and importing the settings to a new instance.

For more information on how to create realms, see Importing and exporting configuration settings.

Multiple realm deployment

In this scenario, you deploy several Password Manager realms in your environment. You can use this scenario in a complex environment, when several Password Manager configurations are required.

For example, a service provider can deploy two Password Manager realms, one realm to service company A, and the other to company B.

You can also use this scenario for a test deployment of Password Manager. In this case, the first realm is a production deployment of Password Manager, and the second realm can be used for testing purposes.

Password Manager in a perimeter network

When deploying Password Manager in a perimeter network (also known as a DMZ), it is recommended to install the Password Manager Service and the sites in a corporate network at first (that is,use the Full installation option in the Password Manager setup), and then install only the Self-Service and Helpdesk sites in the perimeter network.

When you use this installation scenario, only one port should be open in the firewall between the corporate network and the perimeter network (by default, port number 8081 is used).

For more information on installing the Self-Service and Helpdesk Site separately from the Password Manager Service, see Installing Password Manager Self-Service Site and Helpdesk Site on a standalone server.

Installing Password Manager in perimeter network with read-only domain controllers

If your network topology includes a perimeter network (DMZ) that contains only read-only domain controllers (RODCs), you should consider the following when installing Password Manager in this environment.

Because password changes may not get immediately replicated to RODCs, users may experience downtime when authenticating using an RODC if their passwords were changed or reset on a DC in another Active Directory site.

To mitigate this issue, it is recommended to do either of the following when installing Password Manager in the perimeter network:

  • Install Password Manager Service in a dedicated RODC replication hub site (as shown below), if this hub site exists in your environment.

  • If Password Manager Service cannot be installed in the dedicated RODC replication hub site, do either of the following:

    • For your Management Policy, specify the appropriate writable DC from the hub site in the advanced settings of the domain connection. For more information, see Specifying advanced settings for domain connection.

    • For your Management Policy, specify the hub site in the list of Active Directory sites to which replication changes will be forced. For more information, see Specifying advanced settings for domain connection.

    • Enable change notification on the site link between the dedicated RODC replication hub site (or the site in which an RODC is installed) and the site in which Password Manager Service is installed.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级