Preparing for Deployment

This article describes the prerequisites of PrivX deployment.

System Requirements

This section describes the system requirements and specifications for PrivX-system components.

Mandatory components

A PrivX deployment must include at least one PrivX server for running PrivX services.

PrivX server

System Configuration

4 GB RAM, 2-core CPU, and 15 GB storage for < 10k users

8 GB RAM, 8-core CPU, and 100 GB storage for < 100k users

Supported architecture

x86-64

Supported operating systems

Red Hat Enterprise Linux 7.4 or later 7.x, 8.x (x86-64)

CentOS 7.4 or later 7.x, 8.x (x86-64)

Supported databases

Local or external PostgreSQL version 9.2 - 12

Network requirements

Internet connectivity

For installing dependent libraries during installation and upgrades

License-server connectivity for PrivX-license activation and verification. The license-server address differs depending on which PrivX version you start(ed) with:

Deployments started with v16 and later:
https://privx.license.privx.io
52.49.87.37
54.74.201.253

Deployments started with older versions:
184.106.60.185:443

Default network ports in use

80, 443 in: Web UI in (80 for HTTP redirect)
8443 in: Client certificate authentication
22 out: Outgoing SSH sessions
2222 in: SSH bastion
1080 in: SSH bastion proxy connections
3389 out: Outgoing RDP sessions
3389 in: RDP bastion
25, 465, 578 out: SMTP notifications
80 in: RDP certificate CRL checks
53 out: DNS
5432 out: External PostgreSQL
6379 out: External Redis
123 out: NTP

Client experience

Supported browsers

Latest versions of:

Firefox
Chrome
Safari
Edge

For better session security, users' browsers should allow cookies from PrivX.

System Security

HSM support

SafeNet Network HSM Luna SA 5
Amazon Cloud HSM
SoftHSM2
nCipher HSM
Thales Vormetric
Generic pkcs11 provider

Target hosts

SSH

Certificate-based authentication - OpenSSH 6.9 or later, see the section called “Enabling Certificate-Based Authentication for SSH Connections”

Other authentication methods - OpenSSH 5.6 or later

RDP, certificate authentication

Windows Server 2012 R2, 2016, 2019 (with the latest service packs and updates)

HTTPS (via Carrier component)

Stored-credentials authentication: PrivX provides the credentials for the target website on behalf of the user.

Note

Other applications and users with access to PrivX hosts can gain potentially sensitive information from unprotected system memory. For best security we strongly recommend running PrivX on dedicated hosts.

Optional components

This section describes the system requirements and specifications for optional PrivX components:

  • PrivX Extender
  • PrivX Carrier
  • PrivX Web Proxy

PrivX Extenders proxy connections to target hosts. They are needed for connecting to hosts not directly accessible from PrivX servers.

Extender server

System requirements

4 GB RAM, 2-core CPU, and 15 GB storage

Supported operating systems

Red Hat Enterprise Linux 7.4 or later 7.x, 8.x (x86-64)

CentOS 7.4 or later 7.x, 8.x (x86-64)

Network connectivity

Internet connectivity required

For installing dependent libraries during installation and upgrades

Default network ports in use

443 out: PrivX connection
22 out: SSH sessions
3389 out: RDP sessions
53 out: DNS
8443 in: Host deployment listener

PrivX Carriers provide web functionality. Needed if you want to connect to HTTP/HTTPS targets via PrivX.

Carrier server

System requirements

64 GB RAM, 16-core CPU, and 100 GB storage for < 50 concurrent web connections

Supported operating systems

Red Hat Enterprise Linux 7.4 or later 7.x, 8.x (x86-64)

CentOS 7.4 or later 7.x, 8.x (x86-64)

Network connectivity

Internet connectivity required

For installing dependent libraries during installation and upgrades

Default network ports in use

443 out: PrivX connection
18080, 18443, 18444 out: PrivX Web Proxy connections

PrivX Web Proxies and PrivX Carriers are both required to provide web functionality.

Web Proxy server

System requirements

4 GB RAM, 2-core CPU, and 15 GB storage for < 50 concurrent web connections

Supported operating systems

Red Hat Enterprise Linux 7.4 or later 7.x, 8.x (x86-64)

CentOS 7.4 or later 7.x, 8.x (x86-64)

Network connectivity

Internet connectivity required

For installing dependent libraries during installation and upgrades

Default network ports in use

18080, 18443, 18444 in: Carrier connection
80, 443 out: Target host connections
443 out: PrivX connection

Note

For security purposes we recommend setting up all PrivX components on separate, dedicated hosts.

Web Carriers and Web Proxies cannot be installed on PrivX servers. Furthermore, in production, Carrier and Proxy should be installed on separate machines (to ensure secure segregation between the connection-hosting and password/secret-injection functions).

Expected system performance

A PrivX server that satisfies or exceeds the production requirements (8 GB of memory) is expected to support:

  • 100 000 PrivX users total, with 700 concurrent users.
  • Up to 1000 hosts added/deployed concurrently.
  • 20 000 target hosts scanned in 2 minutes.
  • Up to 50 concurrent RDP connections for performing typical user operations. Graphically intensive sessions (including video streaming) may reduce the number of supported concurrent connections.
    Expected memory usage for RDP sessions is 90 megabytes per connection. Adding multiple PrivX instances to an HA setup scales the number of concurrent users.

Note

The PrivX microservice architecture supports multiprocessing and benefits from using multiple CPUs or multiple CPU cores.

Reserve enough space for the log data generated by PrivX. Also monitor the log-data growth periodically. In large deployments, PrivX may generate a considerable amount of log data over time. You may configure the PrivX machine to write its log data to an external logging server.

The enabled features and limitations can be viewed on the Administration→License page.

The maximum amount of concurrent SSH, RDP, and HTTPS connections depends on the type of PrivX license. Connections exceeding the maximum allowed connections are disconnected.

Database Requirements

For production environments we strongly recommend using an external database in your PrivX deployment.

  • Set up a PostgreSQL-database instance. We recommend you employ dedicated instances for PrivX.
    The PostgreSQL superuser (typically postgres) must have a valid password: during initial setup, PrivX requires superuser permissions to create the PrivX database and the PrivX database user.
  • PrivX servers require access to the PostgreSQL database and the Redis server.
    For example, with PostgreSQL on Unix you need to edit pg_hba.conf and insert entries similar to the following:
hostssl all all <privx_server_ip> md5
  • Connections to the external PostgreSQL database must be SSL-protected:
    • Enable SSL mode in your PostgreSQL configuration (ssl = true).
    • The PostgreSQL server must be configured with a server certificate where the SubjectAltName specifies the DNS and IP address(es) of the server.
  • PrivX servers should also be configured to trust the PostgreSQL-server certificate: On each PrivX server, add the PostgreSQL-server CA chain to the system trust anchors.
  • You can use either the previously-configured PostgreSQL database or an external Redis database to handle notifications between PrivX microservices. For improved security and ease of setup, we recommend using the PostgreSQL database.
    • If you opt for Redis, you must set up an external Redis database that is accessible by all the PrivX servers. Access to the Redis server may be password-protected.
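The script below is an added example, not part of the PrivX documentation: a pre-flight audit of the external PostgreSQL instance's access rules for a PrivX server. It checks that postgresql.conf turns SSL on and that every pg_hba.conf rule that can match the PrivX server address is an SSL-only hostssl rule, since a plain host or hostnossl rule covering that address would let the connection fall back to cleartext. The file paths, the PrivX server address and the sample rule files are constructed for the demo; the trust step for the CA chain on the PrivX side is shown as a comment.

```shell
#!/bin/sh
# Added example, not from the PrivX documentation: audit an external PostgreSQL
# instance's SSL setting and pg_hba.conf rules for a PrivX server address.
# All paths, addresses and sample files below are constructed for the demo.

PRIVX_SERVER_IP=10.0.0.5
WORK=$(mktemp -d)

# Constructed stand-ins for /var/lib/pgsql/data/postgresql.conf and pg_hba.conf.
cat > "$WORK/postgresql.conf" <<'EOF'
listen_addresses = '*'
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
EOF

cat > "$WORK/pg_hba_bad.conf" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
hostssl all       all   10.0.0.5/32      md5
host    all       all   10.0.0.0/8       md5
EOF

cat > "$WORK/pg_hba_good.conf" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
hostssl all       all   10.0.0.5/32      md5
hostssl all       all   192.0.2.0/24     md5
EOF

# Exit 0 if ssl is enabled in postgresql.conf (PostgreSQL accepts on/true/yes/1).
check_ssl_enabled() {
  grep -Eiq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*(on|true|yes|1)([[:space:]#]|$)' "$1"
}

# Exit 0 if no non-SSL rule in pg_hba.conf ($1) covers the IPv4 address ($2).
# Only IPv4 rules in single-address or CIDR form are evaluated; IPv6, hostname
# and separate-netmask rules are printed for manual review.
audit_pg_hba() {
  awk -v ip="$2" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function covers(addr, host,  p, net, bits, d) {
      p = index(addr, "/")
      if (p == 0) { net = addr; bits = 32 }
      else        { net = substr(addr, 1, p - 1); bits = substr(addr, p + 1) + 0 }
      if (net !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
      d = 2 ^ (32 - bits)
      return int(ip2n(net) / d) == int(ip2n(host) / d)
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    $1 == "local" { next }                          # Unix-socket rules carry no remote traffic
    {
      c = covers($4, ip)
      if (c == -1) { printf "REVIEW  line %d (non-IPv4 address): %s\n", NR, $0; next }
      if (c && $1 != "hostssl") { printf "FAIL    line %d allows non-SSL access from %s: %s\n", NR, ip, $0; bad++ }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Trust step on each PrivX server (RHEL/CentOS), shown for completeness, not run here:
#   cp postgres-ca.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust

check_ssl_enabled "$WORK/postgresql.conf" && echo "postgresql.conf: ssl enabled"
audit_pg_hba "$WORK/pg_hba_bad.conf"  "$PRIVX_SERVER_IP" || echo "pg_hba_bad.conf: FAIL"
audit_pg_hba "$WORK/pg_hba_good.conf" "$PRIVX_SERVER_IP" && echo "pg_hba_good.conf: OK"
```

Run audit_pg_hba against the real pg_hba.conf with each PrivX server address before switching PrivX to the external database; a FAIL line means a broader rule (here a /8 network) would still admit the PrivX address without SSL even though a hostssl rule exists for it.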

NTP clock synchronization

Machines for PrivX servers must have access to an NTP service for synchronizing system clocks. We recommend using the same NTP service in your whole network.

Due to the just-in-time nature of the certificates issued by PrivX, clock skews greater than a few minutes may cause authorizations to fail.
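The check below is an added example, not part of the PrivX documentation: a pre-flight test that a PrivX host's clock is synchronised and within an acceptable skew before the deployment relies on short-lived certificates. It reads the Leap status and System time lines of chronyc tracking (chrony being the NTP client shipped with RHEL/CentOS 7 and 8); the threshold and the sample outputs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the PrivX documentation: verify clock
# synchronisation and skew from `chronyc tracking` output.
# On a real host:  chronyc tracking | check_clock_skew 60

MAX_SKEW_SECONDS=60   # constructed threshold, well inside the "few minutes" the text allows

# Reads chronyc tracking output on stdin. Exit 0 when the clock is synchronised
# and the offset is at most $1 seconds, 1 otherwise.
check_clock_skew() {
  awk -v max="$1" '
    /^Leap status/ { synced = ($0 ~ /: Normal/) }
    # e.g. "System time     : 0.000431 seconds slow of NTP time" -> $4 is the offset
    /^System time/ { off = $4 + 0 }
    END {
      if (!synced)   { print "FAIL: clock not synchronised with NTP"; exit 1 }
      if (off > max) { printf "FAIL: clock skew %.3f s exceeds %s s\n", off, max; exit 1 }
      printf "OK: clock skew %.3f s (synchronised)\n", off; exit 0
    }'
}

# Constructed samples, abbreviated to the lines the check uses.
GOOD_TRACKING='Reference ID    : C0A80001 (ntp.example.internal)
Stratum         : 3
System time     : 0.000431 seconds slow of NTP time
Leap status     : Normal'

SKEWED_TRACKING='Reference ID    : C0A80001 (ntp.example.internal)
Stratum         : 3
System time     : 412.507 seconds fast of NTP time
Leap status     : Normal'

UNSYNCED_TRACKING='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

printf '%s\n' "$GOOD_TRACKING"     | check_clock_skew "$MAX_SKEW_SECONDS"
printf '%s\n' "$SKEWED_TRACKING"   | check_clock_skew "$MAX_SKEW_SECONDS"
printf '%s\n' "$UNSYNCED_TRACKING" | check_clock_skew "$MAX_SKEW_SECONDS"
```

The check fails closed: a host whose Leap status is not Normal is rejected even when the reported offset is zero, because an unsynchronised chrony reports no meaningful offset.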

High-Availability Installation Requirements

For HA deployments, set up a load balancer to distribute connections to PrivX servers. Your load balancer must satisfy the following requirements:

  • Each PrivX session must be handled by one PrivX server; for example, the load balancer could be configured to use sticky sessions. A round-robin algorithm is required if you use additional PrivX components (PrivX Extender or PrivX Carrier).
  • If you need client-certificate authentication, or SSH/RDP-Bastion connectivity, the load balancer must support TCP-level load balancing.

Load balancer routing requirements

Traffic type                              Default port on PrivX   Load balancing level   Load balancing method
HTTP user sessions                        80                      HTTP                   sticky
HTTPS user sessions                       443                     HTTPS                  sticky
HTTPS client-certificate authentication   8443                    TCP                    any
SSH Bastion                               2222                    TCP                    hash
RDP Bastion                               3389                    TCP                    hash

For an example load-balancer configuration on Nginx that satisfies these requirements, see the section called “Example nginx load balancer configuration”.
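The script below is an added example and not the PrivX documentation's own nginx configuration: it generates an nginx load-balancer configuration that follows the routing table above. Ports 80 and 443 are balanced at HTTP level with ip_hash, the session-persistence ("sticky") method available in open-source nginx; 8443 (client-certificate authentication), 2222 (SSH bastion) and 3389 (RDP bastion) are passed through at TCP level by the stream module, the two bastions hashed on client address so a session always reaches the same PrivX server. It assumes the nginx stream module is installed; the PrivX server addresses and certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the PrivX documentation's own configuration): generate an
# nginx load-balancer configuration matching the routing table. Assumes the
# nginx stream module; server addresses and certificate paths are placeholders.

PRIVX_SERVERS="10.0.0.11 10.0.0.12"   # constructed PrivX server addresses

# Emit one "server" line per PrivX server for the given backend port.
upstream_members() {
  for s in $PRIVX_SERVERS; do printf '        server %s:%s;\n' "$s" "$1"; done
}

gen_nginx_lb_conf() {
  cat <<EOF
events { worker_connections 1024; }

http {
    # HTTP and HTTPS user sessions: sticky by client address.
    upstream privx_http { ip_hash;
$(upstream_members 80)
    }
    upstream privx_https { ip_hash;
$(upstream_members 443)
    }
    server { listen 80; location / { proxy_pass http://privx_http; } }
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/lb.crt;   # placeholder paths
        ssl_certificate_key /etc/nginx/lb.key;
        location / {
            proxy_pass https://privx_https;
            proxy_set_header Host \$host;
            proxy_set_header X-Forwarded-For \$remote_addr;
        }
    }
}

stream {
    # TCP passthrough: client-certificate auth (any method), bastions (hash).
    upstream privx_cert_auth {
$(upstream_members 8443)
    }
    upstream privx_ssh_bastion { hash \$remote_addr;
$(upstream_members 2222)
    }
    upstream privx_rdp_bastion { hash \$remote_addr;
$(upstream_members 3389)
    }
    server { listen 8443; proxy_pass privx_cert_auth; }
    server { listen 2222; proxy_pass privx_ssh_bastion; }
    server { listen 3389; proxy_pass privx_rdp_bastion; }
}
EOF
}

# Checks that the generated configuration keeps the routing rules of the table.
check_lb_conf() {
  conf=$(gen_nginx_lb_conf)
  printf '%s\n' "$conf" | grep -qF 'upstream privx_https { ip_hash;' || return 1
  printf '%s\n' "$conf" | grep -qF 'upstream privx_ssh_bastion { hash $remote_addr;' || return 1
  printf '%s\n' "$conf" | grep -qF 'upstream privx_rdp_bastion { hash $remote_addr;' || return 1
  printf '%s\n' "$conf" | grep -qF 'server { listen 8443; proxy_pass privx_cert_auth; }' || return 1
  [ "$(printf '%s\n' "$conf" | grep -cF 'server 10.0.0.12:2222;')" -eq 1 ]
}

gen_nginx_lb_conf
```

Client-certificate authentication on 8443 is balanced at TCP level because the TLS handshake, and therefore the certificate check, must terminate on the PrivX server itself; terminating it on the load balancer would hide the client certificate from PrivX.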

Important

If the PrivX instance is deployed on the public internet, be sure to limit traffic to port 3389 (if used) to known sources only. As 3389 is the default port for Windows RDP traffic, it attracts a lot of unwanted attention from bot networks and may cause extra traffic and load for the PrivX deployment.
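The script below is an added example, not part of the PrivX documentation: it builds the firewalld rule set for a PrivX server's default inbound ports (from the PrivX server port table above) and admits the RDP bastion port 3389 only from known source networks, as this note recommends. It assumes RHEL/CentOS with firewalld and a default zone that already permits outbound traffic, so only inbound ports are handled; the trusted networks are constructed for the demo, and the commands are printed for review rather than executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the PrivX documentation: firewalld rules for a
# PrivX server's default inbound ports, with 3389 restricted to known sources.
# Assumes RHEL/CentOS with firewalld; trusted networks are constructed.

# Inbound TCP ports from the PrivX server default-port table.
PRIVX_OPEN_PORTS="80 443 8443 2222 1080"

# Constructed example: networks allowed to reach the RDP bastion on 3389.
RDP_TRUSTED_SOURCES="203.0.113.0/24 198.51.100.10/32"

# Print each firewall-cmd invocation (quoting arguments that contain spaces)
# instead of executing it, unless APPLY=1, so the rule set can be reviewed first.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; return; fi
  out=""
  for a in "$@"; do
    case $a in
      *" "*) out="$out '$a'" ;;
      *)     out="$out $a" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

privx_firewall_rules() {
  for p in $PRIVX_OPEN_PORTS; do
    run firewall-cmd --permanent --add-port="$p/tcp"
  done
  # 3389 is deliberately not opened with --add-port: each trusted source gets a
  # rich rule instead, so Internet-wide RDP scanning never reaches PrivX.
  for src in $RDP_TRUSTED_SOURCES; do
    run firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=$src port port=3389 protocol=tcp accept"
  done
  run firewall-cmd --reload
}

# Review of the generated rule set: 3389 must never be opened unconditionally,
# every trusted source must have its rich rule, and the SSH bastion port is present.
check_rules() {
  rules=$(APPLY=0; privx_firewall_rules)
  printf '%s\n' "$rules" | grep -qF -- '--add-port=3389/tcp' && return 1
  for src in $RDP_TRUSTED_SOURCES; do
    printf '%s\n' "$rules" | grep -qF "source address=$src port port=3389" || return 1
  done
  printf '%s\n' "$rules" | grep -qF -- '--add-port=2222/tcp'
}

privx_firewall_rules
```

Review the printed commands, then run the script again with APPLY=1 on the PrivX server to apply them; check_rules can be kept as a guard in a deployment pipeline so that a later edit never reintroduces an unrestricted 3389 rule.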

HSM integration

For added security, PrivX can be integrated with a Hardware Security Module (HSM). This allows storing cryptographic keys on the HSM and encrypting database/filesystem keys using a secret from the HSM.

PrivX integrates with HSM providers using PKCS #11. For more information about setting up PrivX with an HSM, see the Integration articles under HSM Providers.

Note

Decide whether to use HSM before setting up PrivX. HSM support cannot be changed in existing PrivX deployments.

Keys stored in HSM

The following types of keys may be stored in HSM.

Asymmetric keys

  • CA for issuing just-in-time certificates when users connect using certificate authentication.
  • CA for signing server certificates.

Symmetric keys

  • Master key for encoding/decoding session recordings.
  • Session-authentication keys.
  • Keys for encrypting user and role data.

To store the default CA keys in HSM, your HSM must support the following key-pair-generation mechanisms:

Key type                          Mechanism
Certificate Authority (CA) keys   CKM_RSA_PKCS_KEY_PAIR_GEN
                                  CKM_RSA_PKCS
Symmetric keys                    CKM_GENERIC_SECRET_KEY_GEN
                                  CKM_SHA_1_HMAC
                                  CKM_SHA*_HMAC (256/384/512)
                                  CKM_AES_KEY_GEN
                                  CKM_AES_GCM

Keys not supported by the HSM are stored in the PrivX database/filesystem, but encrypted using the PKCS #11 instance secret located on the HSM.
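The check below is an added example, not part of the PrivX documentation: it verifies that a PKCS #11 token offers every mechanism in the table above before the HSM decision is made (which, as the note says, cannot be changed later). It reads the output of pkcs11-tool --module <provider .so> --list-mechanisms from stdin. OpenSC's pkcs11-tool prints mechanism names without the CKM_ prefix and with hyphens instead of underscores (RSA-PKCS-KEY-PAIR-GEN, SHA-1-HMAC); that naming is an assumption to confirm against your provider's output, and the sample listings are constructed, not real HSM output.

```shell
#!/bin/sh
# Added example, not from the PrivX documentation: check a PKCS #11 token's
# mechanism list against the mechanisms PrivX needs for HSM-stored keys.
# Usage on a real host:  pkcs11-tool --module /path/to/pkcs11.so --list-mechanisms | check_hsm_mechanisms
# The pkcs11-tool naming convention (CKM_ dropped, "_" -> "-") is an assumption.

# Required mechanisms from the table; CKM_SHA*_HMAC expanded to 256/384/512.
REQUIRED_MECHANISMS="CKM_RSA_PKCS_KEY_PAIR_GEN CKM_RSA_PKCS
CKM_GENERIC_SECRET_KEY_GEN CKM_SHA_1_HMAC CKM_SHA256_HMAC CKM_SHA384_HMAC CKM_SHA512_HMAC
CKM_AES_KEY_GEN CKM_AES_GCM"

# CKM_SHA_1_HMAC -> SHA-1-HMAC
ckm_to_tool_name() { printf '%s\n' "${1#CKM_}" | tr '_' '-'; }

# Exit 0 if every required mechanism appears in the listing on stdin; otherwise
# print the missing CKM_ names and exit 1.
check_hsm_mechanisms() {
  listing=$(cat)
  missing=""
  for m in $REQUIRED_MECHANISMS; do
    name=$(ckm_to_tool_name "$m")
    # pkcs11-tool lines look like "  SHA256-HMAC, keySize={16,512}, sign, verify"
    printf '%s\n' "$listing" | grep -Eq "^[[:space:]]*$name(,|[[:space:]]|\$)" || missing="$missing $m"
  done
  if [ -n "$missing" ]; then
    echo "MISSING:$missing"
    return 1
  fi
  echo "OK: all required mechanisms present"
}

# Constructed listings in pkcs11-tool's format (not captured from a real HSM).
FULL_LISTING='Using slot 0 with a present token (0x0)
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
  RSA-PKCS, keySize={512,16384}, hw, encrypt, decrypt, sign, verify, wrap, unwrap
  GENERIC-SECRET-KEY-GEN, keySize={1,512}, generate
  SHA-1-HMAC, keySize={20,512}, sign, verify
  SHA256-HMAC, keySize={32,512}, sign, verify
  SHA384-HMAC, keySize={48,512}, sign, verify
  SHA512-HMAC, keySize={64,512}, sign, verify
  AES-KEY-GEN, keySize={16,32}, generate
  AES-GCM, keySize={16,32}, encrypt, decrypt'

PARTIAL_LISTING='Using slot 0 with a present token (0x0)
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,4096}, generate_key_pair
  RSA-PKCS, keySize={512,4096}, hw, encrypt, decrypt, sign, verify
  GENERIC-SECRET-KEY-GEN, keySize={1,512}, generate
  SHA256-HMAC, keySize={32,512}, sign, verify
  SHA384-HMAC, keySize={48,512}, sign, verify
  SHA512-HMAC, keySize={64,512}, sign, verify
  AES-KEY-GEN, keySize={16,32}, generate'

printf '%s\n' "$FULL_LISTING"    | check_hsm_mechanisms
printf '%s\n' "$PARTIAL_LISTING" | check_hsm_mechanisms
```

A token that lacks a mechanism is not necessarily unusable: as the paragraph above states, keys the HSM cannot hold are kept encrypted in the PrivX database/filesystem, but the CA mechanisms are what decide whether the default CA keys themselves can live on the HSM.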

Database/filesystem keys encrypted by HSM integration

Authentication-signing secrets and passphrases are stored in the PrivX database/filesystem. However, when HSM integration is enabled, such keys are encrypted using the PKCS #11 instance secret located on the HSM.

GDPR compliance

Please note that because PrivX handles user data, that data is classified as personal information, or Personally Identifiable Information. You must ensure your GDPR compliance and inform your users about the handling of their data.

Product limitations

  • Key-combinations using keys unavailable to UK or US keyboards (such as CTRL+Ä) do not work on Edge browsers.
  • You cannot transfer folders through file transfer.
  • Ctrl+W key-combination closes the open tab on Firefox.
  • With RDP and Web connections, the clipboard size is limited to 256 KB.
  • PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
  • When RDP certificate authentication fails but the RDP server allows the user to login using other accounts and credentials, then the subsequent authentication information will be lost because PrivX cannot detect what happens at the Windows login screen.
