Setting up PrivX Components

This article describes setting up and maintaining PrivX components.

To get started with PrivX you will need to set up at least one PrivX server.

PrivX-Server Setup

PrivX servers provide PrivX services, such as the PrivX GUI and certificate-based authentication services.
Set up repositories for downloading PrivX packages and dependencies. Before installing PrivX, please update your host to ensure the latest packages:

yum update

To set up a PrivX server:

  1. Set up repositories for downloading PrivX packages and dependencies.

    • On Red Hat 8 or Rocky Linux 8:

      sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/rhel8/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install postgresql-server
      sudo yum install PrivX
      
    • On Red Hat 7:

      sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX
      
    • On CentOS 7:

      sudo yum install epel-release
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX
      
    • On Amazon Linux 2:

      sudo amazon-linux-extras install -y nginx1 epel
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/rhel8/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX
      
    • On Amazon Linux 2022:

      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/rhel8/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install postgresql14-server libxcrypt-compat
      sudo yum install PrivX
      

The application binaries are installed to the /opt/privx/bin/ directory. The configuration is installed to /opt/privx/etc/ directory. Utility scripts are found in the /opt/privx/scripts/ directory.

  1. To automate PrivX configuration, you may optionally define post-installation settings using environment variables. The post-installation script skips prompting for any settings found in environment variables.
    Environment variables for the post-installation script are listed in:
    /opt/privx/scripts/postinstall_env
    Export the environment variables with:

    sudo source /opt/privx/scripts/postinstall_env
    
  2. Run the post-installation script to configure the server:

    sudo /opt/privx/scripts/postinstall.sh
    

Unless specified in environment variables, you will be prompted for:

  • PKCS #11-keyvault settings. Enable and configure this only if using external HSM. For additional HSM-setup instructions, see the HSM articles from Deployment page
  • Number of load balancers in front of PrivX Servers. Set to 0 for single-server deployments.
  • The address of a NTP service.
  • DNS and IP address(es) of the server.
  • Database settings (if using an external database):
    • Address of the database in IP or DNS-name format. For example: database.example.com
    • Arbitrary name for the PrivX database.
    • Arbitrary name and password for the PrivX-database user.
    • Password of the PostgreSQL user postgres.
    • Notification back end to use: either the existing PostgreSQL database, or an external Redis database.
      • Address and password to the external Redis server (if using Redis).
  • Credentials for the initial superuser account.
  1. Install the PrivX license to enable product functionality. You can do this by browsing to the PrivX GUI located at (replace privx.example.com with the DNS or IP address of the PrivX server):
    https://privx.example.com/
    Log in using the superuser credentials.
    In the GUI, navigate to Settings → License in the PrivX UI, and provide your license code under Online license update. Click Update, PrivX automatically contacts the license server to obtain and install your license. For more detailed information about licenses, see License Management.

📘

Note

PrivX licenses provide a limited number of activations. When deactivating PrivX servers, also remember to free up activations according to instructions in License Management.

Unlicensed product does not allow adding hosts nor establishing SSH, RDP, or Web connections. For your license to be activated, ensure that the system time is set correctly.

You have now set up a PrivX server.

📘

Note

To avoid accidentally upgrading PrivX, you may disable the PrivX repository until you are ready to upgrade. For more information about disabling the PrivX repository, see Disable PrivX Repository.

  1. You may verify the status of the PrivX microservices on the status page, located at the following address (replace privx.example.com with the DNS or IP address of the PrivX server):
    https://privx.example.com/status.html

📘

Note

Particularly in large production deployments, PrivX may accumulate large amounts of log data over time. We recommend that you configure log rotation for syslog and the microservice logs to prevent PrivX servers from running out of disk space

Manual PrivX package installation

Instead of installing PrivX packages from the SSH product repository, you may install the PrivX package manually as follows:

  1. Obtain the PrivX RPM package. The PrivX RPM package is a file with a name like the following:
    PrivX-*.x86_64.rpm
    Where * is to be replaced with the product version.
  2. Copy the PrivX RPM to your target server.
  3. Install the PrivX RPM (replace `PrivX-.x86_64.rpm`* with the path of the PrivX RPM):
    yum install PrivX-*.x86_64.rpm
    

Setting Up Optional Components

This section provides setup instructions for optional PrivX components.

PrivX Extender Setup

PrivX Extenders relay host connections, allowing connections to target hosts that are inaccessible from PrivX servers.

To set up PrivX Extender:

  1. Obtain an Extender configuration. Either:

    • Create a new Extender configuration, or
    • Download an existing Extender configuration.

    You can create and download Extender configurations via the PrivX GUI at Administration→Deployment→Deploy PrivX VPC/VPN Extenders.

    📘

    Note

    In Extender configurations, Addresses and Subnets should only be set after you have verified successful connections via the Extender.

    If you plan to set up multiple Extenders for high-availability (HA), identify the HA clusters using the Routing prefix as described in High-Availability Deployment.

  2. Install the PrivX Extender software on the Extender host in either of the following ways:
    Install from the SSH product repository. To do this, set up the repository and install the software package:

    • On Red Hat or CentOS 7:

      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Extender
      
    • On Red Hat or Rocky Linux 8:

      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/rhel8/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Extender
      
    • Alternatively, you may manually obtain the RPM. To do this, go to Settings→Deployment→Deploy PrivX VPC/VPN Extenders and click Download PrivX Extender. Then copy the rpm to the Extender host and install it with (replace /path/to/PrivX-Extender.*.rpm with the path to which you placed the Extender package):

      yum install /path/to/PrivX-Extender-*.rpm
      
  3. Save the Extender configuration to the following path on the Extender host:
    /opt/privx/etc/extender-config.toml

  4. Run postinstall to complete the setup:

    sudo /opt/privx/scripts/extender-postinstall.sh
    

The PrivX Extender is now set up. You may verify back on the Settings→Deployment→Deploy PrivX VPC/VPN Extenders page that the Status is Registered.

If the Extender failed to register to PrivX, you may find additional troubleshooting information from the Extender host at /var/log/privx/privx-extender.log

  1. Configure the target host(s) for access via Extenders. For more information about accessing targets via Extenders, see the section called “Proxying Connections to Hosts”.

PrivX Carrier and Web Proxy Setup

This section provides setup instructions for PrivX Carriers and Web Proxies, which allow connecting to HTTP/HTTPS targets. The high-level workflow involves:

  1. Create or download a web-access-gateway configuration.
  2. Set up a PrivX Carrier.
  3. Set up a PrivX Web Proxy.

🚧

Caution

For best system security, you should set up Carrier and Web-Proxy components on separate hosts.

To Create and Download Carrier/Web-Proxy Configurations

  1. In the PrivX GUI navigate to Settings→Deployment→Deploy PrivX web-access gateways.

  2. Obtain a web-access-gateway configuration. Either:

    • Create a new configuration, or
    • Download an existing configuration.

    You can create and download Extender configurations via the PrivX GUI at Administration→Deployment→Deploy PrivX web-access gateways.

    📘

    Note

    In web-access-gateway configurations, Addresses and Subnets should only be set after you have verified successful connections via the Carrier and Web Proxy.

    If you plan to set up multiple Carriers and Web Proxies for high-availability (HA), identify the HA clusters using the Routing prefix as described in High-Availability Deployment.

    📘

    Note

    The Web Proxy address must be a valid IP or DNS address without schema headers and port numbers, pointing to the address of the server where the Web Proxy will be installed to. Loopback addresses are not allowed.

  3. Download the configurations (required later for setting up Carriers and Web Proxies). To do this, click next to your configuration, then click Download Carrier Config and Download Proxy Config.

To Set Up a PrivX Carrier

  1. Install the prerequisites and the Carrier package:

    • On Red Hat 8 or Rocky Linux 8:

      sudo yum config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
      sudo yum install docker-ce
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/rhel8/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Carrier
      
    • On Red Hat 7:

      sudo subscription-manager repos --enable rhel-7-server-extras-rpms
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Carrier
      
    • On CentOS 7:

      sudo yum install epel-release
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Carrier
      
    • On Amazon Linux 2:

      sudo yum install docker
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Carrier
      
    • On Amazon Linux 2022:

      sudo yum install docker
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/rhel8/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Carrier
      

    📘

    Note

    You may install the Carrier package via RPM obtained from Get PrivX software (instead of SSH repositories). This can be useful in environments without Internet access. Note that you will still need to install the prerequisites first.

  2. Copy your Carrier-configuration file to your Carrier machine, to the following path:
    /opt/privx/etc/carrier-config.toml

  3. To finalize setup and register the Carrier with PrivX, run:

    sudo /opt/privx/scripts/carrier-postinstall.sh
    

📘

Note

The Carrier machine must be able to connect to port 443 on the PrivX server.

To Set Up a PrivX Web Proxy

  1. Install prerequisites and the Web Proxy packace:

    • On Red Hat 8 or Rocky Linux 8:

      sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/rhel8/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Web-Proxy
      
    • On Red Hat 7:

      sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Web-Proxy
      
    • On CentOS 7:

      sudo yum install epel-release
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Web-Proxy
      

    📘

    Note

    You may install the Web-Proxy package via RPM obtained from Get PrivX software (instead of SSH repositories). This can be useful in environments without Internet access. Note that you will still need to install the prerequisites first.

  2. Copy the Web-Proxy configuration file to the machine, to the following location:
    /opt/privx/etc/web-proxy-config.toml

  3. Allow the Carrier host to access the Web-Proxy host (ports 18080 and 18443). You will need to add an access rule to the Squid configuration on the Web-Proxy host, at /opt/privx/etc/squid.conf (replace <carrier_address> with the address of your Carrier host in CIDR format):

...
acl localnet src fc00::/7
acl localnet src fe80::/10
acl localnet src <carrier_address>
...
  1. To finalize setup and register the Web Proxy with PrivX, run:
    sudo /opt/privx/scripts/web-proxy-postinstall.sh
    

📘

Note

Make sure the Web-Proxy host is able to connect to port 443 on the PrivX server. The host running the PrivX Carrier must also be able to connect to ports 18080 and 18443 on the Web-Proxy host.

After you have the required Carrier and Web-Proxy components, add target websites as known targets. To do this, go to Settings→Hosts and Add hosts with Web-type services. For more information about configuring Web-type services, see Web Targets.

For advanced configuration of PrivX Carrier and Web Proxy components, see Setting up PrivX Components.

PrivX-Agent Setup

This section provides instructions for installing PrivX agents, which allow PrivX users to connect using SSH native clients.

Unix setup

To set up native clients against PrivX for a user on a Unix workstation:

  1. Obtain the PrivX-agent software, available from Get PrivX software.
    Save the Agents.zip package to the workstation.

  2. Extract and install the PrivX agents to the workstation. For example (replace Agents.zip with the path to the agent-software package):

    unzip -j Agents.zip linux-amd64/privx-* -d /usr/local/bin/
    

The example command installs the PrivX agent, the agent utility, and the agent proxy to:
/usr/local/bin/privx-agent-unix
/usr/local/bin/privx-agent-ctl
/usr/local/bin/privx-nc
The following steps assume the PrivX agent and the agent utility to be in these locations.

  1. Enable PrivX agent to start automatically when the user logs into the workstation. You can do this by appending the following to the users' .profile file:
# Start PrivX Agent unless there is already an ssh-agent running                                                          
START_PRIVX_AGENT="yes"                                                                                                   
PRIVX_AGENT_UNIX="/usr/local/bin/privx-agent-unix"                                                                        
if [ -n "$START_PRIVX_AGENT" ] && [ -z "$SSH_AUTH_SOCK" ] && \
   [ -x "$PRIVX_AGENT_UNIX" ]; then                             
    PRIVX_AGENT_DIR=`mktemp -d /tmp/ssh-XXXXXXXX 2>/dev/null || \
    mktemp -d -t 'mytmpdir'`                                                     
    export PRIVX_AUTH_SOCK="$PRIVX_AGENT_DIR/agent.$$"                                                                                         
    export PRIVX_AGENT_PROXY="$PRIVX_AGENT_DIR/proxy.$$"                                                                                       
    setsid nohup $PRIVX_AGENT_UNIX -a $PRIVX_AUTH_SOCK -x $PRIVX_AGENT_PROXY \
    -config $HOME/.privx/agent.json > /dev/null 2>&1 &                       
    export PRIVX_AGENT_PID=$!                                                                                                                  
    export SSH_AUTH_SOCK="$PRIVX_AUTH_SOCK"                                                                                                    
    export SSH_AGENT_PID="$PRIVX_AGENT_PID"                                                                                                    
    trap 'test -n "$SSH_AGENT_PID" && kill $SSH_AGENT_PID' 0                                                                                   
fi

📘

Note

The provided example commands for agent startup are not run if another application sets the SSH_AUTH_SOCK variable (such as a default ssh agent), nor if the PrivX agent is installed to a custom location. You may have to adjust the agent-startup conditions to suit your environment.

The temporary-directory path /tmp/ssh-XXXXXXXX is used by the agent. Do not change this path.

  1. Add PrivX servers to the agent. To do this, log in to the workstation as the user who will be using native clients (in order to start the agent), then run the following (replace https://privx.example.com with the address of your PrivX server):
    privx-agent-ctl server probe https://privx.example.com
    
    Unless the PrivX server certificate is trusted on the workstation, you will be presented with additional information, such as the SHA checksums of the certificate.
PrivX server 'https://privx.example.com' certificate is untrusted
Server TLS certificate:
  Issuer        DC=com, DC=ssh, DC=fi, DC=hel, OU=QA, CN=MSCA-PKI-TEST2-ROOT-CA
  Subject       OU=PrivX Web Server, CN=privx.hel.fi.ssh.com
  Serial        2453081971937566630710942289116460769316175891
  Not Before    2018-03-28 09:00:15 +0000 UTC
  Not After     2028-03-28 09:10:15 +0000 UTC
  Fingerprints
    SHA1        B5 F3 70 E2 DB 61 56 D9 AC AE 03 4D AE DC 01 4C FB D2 AB C0
    SHA256      17 22 63 69 D1 AA 77 34 96 BD B7 90 69 83 E7 30 97 A2 78 10 \
                73 5C 93 D0 D6 01 99 5C 04 C5 55 B2

Would you like to add this server to trusted servers? Y/N:

You may ensure that these match to the checksums of the PrivX server certificate, which you can obtain by running the following on the PrivX server:

openssl x509 -noout -fingerprint -sha1 -in /etc/nginx/ssl/nginx.crt
openssl x509 -noout -fingerprint -sha256 -in /etc/nginx/ssl/nginx.crt

Once you have confirmed the server identity, enter Y to add the PrivX server.

  1. You may verify setup by running:
$ privx-agent-ctl status

PrivX SSH Agent Status
  PrivX Server          https://privx.example.com
  Login status          logged out

MacOS setup

To set up native clients against PrivX for a user on a MacOS workstation:

  1. Obtain the PrivX-agent software, available from Get PrivX software.
    Save the Agents.zip package to the workstation.

  2. Extract and install the PrivX agents to the workstation. For example (replace Agents.zip with the path to the agent-software package):

$ unzip Agents.zip darwin-amd64/*
$ cp darwin-amd64/privx-agent-unix /usr/local/bin/
$ cp darwin-amd64/privx-agent-ctl /usr/local/bin/
$ cp darwin-amd64/privx-agent-start.sh /usr/local/bin/
$ cp darwin-amd64/privx-nc /usr/local/bin/

The example commands install the PrivX agent, the agent utility, the agent-startup script, and the agent proxy to:
/usr/local/bin/privx-agent-unix
/usr/local/bin/privx-agent-ctl
/usr/local/bin/privx-agent-start.sh
/usr/local/bin/privx-nc
The following steps assume the PrivX agent, the agent utility, and the agent-startup script to be in these locations.

  1. Enable PrivX agent to start automatically when the user logs into the workstation. To do this, first install the agent launcher with:
$ cp darwin-amd64/com.privxagent.plist ~/Library/LaunchAgents/
$ launchctl load -w ~/Library/LaunchAgents/com.privxagent.plist
$ launchctl start ~/Library/LaunchAgents/com.privxagent.plist

Also append the following to the users' .bash_profile file:

# Register SSH_AUTH_SOCK & SSH_AGENT_PID to local environment
# if started by Launchd
if sock=$(launchctl getenv SSH_AUTH_SOCK); then
    export SSH_AUTH_SOCK=$sock
fi

if pid=$(launchctl getenv SSH_AGENT_PID); then
    export SSH_AGENT_PID=$pid
fi

Alternatively, users may manually start the PrivX agent with:

./privx-agent-unix bash
  1. Add PrivX servers to the agent. To do this, log in to the workstation as the user who will be using native clients (in order to start the agent), then run the following (replace https://privx.example.com with the address of your PrivX server):

    privx-agent-ctl server probe https://privx.example.com
    

Unless the PrivX server certificate is trusted on the workstation, you will be presented with additional information, such as the SHA checksums of the certificate.

PrivX server 'https://privx.example.com' certificate is untrusted
Server TLS certificate:
  Issuer        DC=com, DC=ssh, DC=fi, DC=hel, OU=QA, CN=MSCA-PKI-TEST2-ROOT-CA
  Subject       OU=PrivX Web Server, CN=privx.hel.fi.ssh.com
  Serial        2453081971937566630710942289116460769316175891
  Not Before    2018-03-28 09:00:15 +0000 UTC
  Not After     2028-03-28 09:10:15 +0000 UTC
  Fingerprints
    SHA1        B5 F3 70 E2 DB 61 56 D9 AC AE 03 4D AE DC 01 4C FB D2 AB C0
    SHA256      17 22 63 69 D1 AA 77 34 96 BD B7 90 69 83 E7 30 97 A2 78 10 \
                73 5C 93 D0 D6 01 99 5C 04 C5 55 B2

Would you like to add this server to trusted servers? Y/N:

You may ensure that these match to the checksums of the PrivX server certificate, which you can obtain by running the following on the PrivX server:

$ openssl x509 -noout -fingerprint -sha1 -in /etc/nginx/ssl/nginx.crt
$ openssl x509 -noout -fingerprint -sha256 -in /etc/nginx/ssl/nginx.crt

Enter Y to add the PrivX server.

  1. You may verify setup by running:
$ privx-agent-ctl status
This should output similarly to the following:
PrivX SSH Agent Status
  PrivX Server          https://privx.example.com
  Login status          logged out

Windows setup

To set up native clients against PrivX for a user on a Windows workstation:

  1. Ensure that the native clients on the workstation are in the system PATH.
  2. Obtain the PrivX-agent software, available from Get PrivX software.
    Save the Agents.zip package to the workstation.
  3. Extract the PrivX agents to the workstation. Navigate to the extracted folder, and in its windows-386 folder, run the privx-agent-windows.msi file to install the PrivX agent.
  4. Start the PrivX agent in Start Menu→SSH Communications Security→PrivX Windows Agent.

📘

Note

The PrivX agent may become blocked by other agent software (such as pageant) are running. In such cases, first close any blocking software, then try starting the PrivX agent.

👍

Tip

For easier access to the agent, you can pin the PrivX Windows Agent to Start, taskbar, or Quick Launch Menu.

  1. Configure the agent to connect to PrivX: In the system tray, right click the PrivX icon and then select Settings.
  • Enter the PrivX server URL. To verify the connection, click Test.
  • You may verify the PrivX-server certificate:
    • Click View to open the Certificate Properties.
    • Check the certificate details. You do not need to install the certificate to the system.
  • Click OK to save your settings.

📘

Note

If native-client paths change after setup, the PrivX agent has to be restarted to apply these path changes.

PrivX-Router Setup

A PrivX Router is a firewall/router component, required for accessing network targets. PrivX Routers are controlled by PrivX.

Setting up a PrivX Router involves the following:

  • Installing and configuring PrivX-Router software on the Router machine.
  • Registering the Router machine in PrivX.

The machine on which you set up PrivX Router must satisfy the following:

PrivX Router
System requirements- iptables and user-space tools
- SSH server allowing exec
- IP-packet forwarding
Network requirements- Ability to route network traffic between PrivX network and target network.
- Traffic from public/insecure networks must be secured with external solutions (such as VPN). Alternatively, configure the router to accept traffic from trusted sources only.
- To force all connections to go via PrivX, direct access from users to network targets may be blocked.

To set up the PrivX Router, perform the following on the Router machine:

📘

Note

These procedures are for generic Linux, and may need to be adapted for your chosen Router platform.

  1. Create a dedicated user for controlling the Router. This user needs permissions to run iptables, iptables6, and sysctl commands.

    First, to create the user and group:

    sudo useradd privx-router
    

    Then add the necessary permissions to /etc/sudoers.d/privx-router:

    %privx-router   ALL = NOPASSWD: /usr/sbin/iptables, /usr/sbin/ip6tables, /sbin/sysctl
    
  2. Obtain the Router-configuration package PrivX-Router-Linux-IPtables.zip, available from Get PrivX software. Then install with (replace PrivX-Router-Linux-IPtables.zip with the path to your Router-configuration package):

    sudo mkdir -p /opt/privx/
    sudo unzip PrivX-Router-Linux-IPtables.zip -d /opt/privx/
    sudo chown privx-router:privx-router -R /opt/privx
    sudo chmod u+rwX,go+rX,go-w -R /opt/privx
    
  3. To configure the Router, edit /opt/privx/etc/privx-router.env. You should at least define the accepted client addresses in RAC_IP_POOL or RAC_IP6_POOL. For more information about router configuration, see PrivX Router Configuration.

    Also configure the system to start the Router service on boot:

    sudo cp /opt/privx/systemd/privx-router.service /etc/systemd/system/privx-router.service
    

    Finally, start the Router service with:

    sudo su - privx-router
    /opt/privx/scripts/setup.sh up
    

    You may verify the Router status with:

    /opt/privx/scripts/setup.sh list
    

    This should display some PRIVX_* chains, similar to the following:

    Jump rules:
        0     0 PRIVX_FORWARD_TARGET  all  --  *      *       10.0.0.0/8           0.0.0.0/0           
        0     0 PRIVX_FORWARD_CLIENT  all  --  *      *       0.0.0.0/0            10.0.0.0/8          
    Client to target chain PRIVX_FORWARD_TARGET:
    Chain PRIVX_FORWARD_TARGET (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    Target to client chain PRIVX_FORWARD_CLIENT:
    Chain PRIVX_FORWARD_CLIENT (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    DNAT chain PRIVX_NAT_PREROUTING:
    Chain PRIVX_NAT_PREROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    SNAT chain PRIVX_NAT_POSTROUTING:
    Chain PRIVX_NAT_POSTROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination 
    

Next, register the Router machine in PrivX:

  1. Create a role for Router operations, for example, a role named privx-router-role. You do not need to define any permissions or members for this role.

  2. Add the Router host to PrivX. The host entry must include:

    • Services must define the host's SSH server, along with any SSH host keys.
    • Accounts* must allow access from the Router role (privx-router-role in this example) to the host's Router user (privx-router in this example).

    📘

    Note

    You may use the host-deployment script to add the Router host (on supported operating systems). This comes with notable benefits:

    • Automatic SSH-server detection; no need to define the host's SSH server manually.
    • Router connections shall use certificate-based authentication.

    For the required access, you may specify --principals similarly to the following:

    --principals privx-router=privx-router-role
    

    For more information about the host-deployment script, including supported platforms and other options, see Script-Based Certificate-Authentication Setup.

  3. To register the Router, navigate to Administration→Settings→Network Access Manager and Edit the PrivX Router Configuration.

    Add the new Router to the array of Router objects in JSON format. For example:

    [
       {
         "type": "linux-iptables",
         "client_ip_pool": [
           "192.0.2.0/24"
         ],
         "username": "privx-router",
         "hostname": "10.0.0.10"
      },
      {another_router_configuration},
      ...
    ]
    

    In the example, replace the example values as follows:

    • client_ip_pool: Replace with acceptable client addresses, similar to what you put in RAC_IP_POOL/RAC_IP6_POOL earlier.
    • username: The name of the Router user.
    • hostname: The address of the Router machine.

    Save your changes to the settings. Back on the Administration→Settings page, Restart PrivX to apply your changes.

After restart, your PrivX Router is configured. Next up, you may now set up network targets via this Router, as described in Network Connections.

UEBA-Server Setup

UEBA servers allow PrivX to use machine learning to detect potentially anomalous connections. PrivX deployments support up to one UEBA server.

To set up a UEBA server:

  1. Ensure that your machine satisfies the requirements at User and Entity Behavioural Analytics (UEBA). Particularly, note that the default Docker version included with some OS distributions may need to be upgraded to support UEBA.

  2. Provide the UEBA-server details via the PrivX GUI: At Administration→Deployment→User Behavior Analytics, click Edit and provide at least the UEBA-server address and TLS trust anchor.

    📘

    Note

    If you don't see Administration→Deployment→User Behavior Analytics option, ensure that your PrivX license allows UEBA. You may enquire more about license details from the SSH licensing team at [email protected]

    Then on the same page, obtain the UEBA startup script by clicking Download UEBA Server Configuration.

  3. Gain root terminal access to the UEBA-server machine. Copy the UEBA startup script to this machine.

  4. Install UEBA-server software with:

    sudo chmod u+x ueba-startup.sh
    sudo ./ueba-startup.sh ueba-tls.crt ueba-tls.key
    

    In the previous commands, replace example values as follows:

    • ueba-startup.sh - path to the UEBA startup script
    • ueba-tls.crt - path to the UEBA-server TLS certificate
    • ueba-tls.key - path to the UEBA-server TLS key

    After successful setup you may verify the UEBA-server status on the PrivX GUI Home page, under Service Status.

Upgrading PrivX deployment

This section provides instructions for upgrading your PrivX deployment.

Single-Server-Deployment Upgrade

📘

Note

Ensure the PrivX database has enough free space before upgrade: Migrations during upgrade may temporarily triple the database size. If necessary, you may reduce the database size before upgrade with Data Retention settings.

To upgrade the PrivX server, gain root-terminal access to your PrivX server and run:

yum install PrivX

The system fetches and sets up the latest PrivX package. Upgrade is complete once the command completes.

If you haven't set up the PrivX product repository, obtain the latest version from available from Get PrivX software and run:

yum install PrivX-*.x86_64.rpm

📘

Note

PrivX services are automatically stopped during the rpm upgrade, then automatically restarted by postinstall.

High-availability deployment upgrade

For instructions about upgrading high-availability deployments, see PrivX high availability deployment.

Upgrading Optional Components

PrivX Extenders, Carriers, and Web Proxies can be upgraded after PrivX-server and database upgrade. The typical workflow for upgrading any of these components is:

  1. Install the latest software package.
  2. Run postinstall to complete setup.

The specific steps for each optional component are provided in the following subsections.

Upgrading PrivX Extenders

To upgrade PrivX Extenders, run these steps on all your Extender machines:

  1. Install the latest Extender package in either of the following ways:
  • If the PrivX repository is enabled on the machine. Install the package with:
yum install PrivX-Extender
  • Without the PrivX repository, go to Settings→Deployment→Deploy PrivX VPC/VPN Extenders and click Download PrivX Extender:
    Then copy the rpm to the Extender host and install it with (replace `/path/to/PrivX-Extender..rpm`* with the path to which you placed the Extender package):
yum install /path/to/PrivX-Extender-*.rpm
  1. You may need manually merge extender-config.toml changes
  2. Run postinstall to complete the upgrade:
/opt/privx/scripts/extender-postinstall.sh

Upgrading PrivX Carriers and PrivX Web Proxies

PrivX Carriers and Web Proxies together enable web connections, and should be upgraded together.

To upgrade PrivX Carriers:

  1. Install the latest Carrier package in either of the following ways:
  • If the PrivX repository is enabled on the machine. Install the package with:
yum install PrivX-Carrier
  • Without the PrivX repository, go to Settings→Deployment→Deploy PrivX web access gateways and click Download PrivX Web Access Gateway Components:
    Then copy the rpm to the Carrier host and install it with (replace `/path/to/PrivX-Carrier..rpm`* with the path to which you placed the Carrier package):
yum install /path/to/PrivX-Carrier-*.rpm
  1. You may need manually merge carrier-config.toml changes
  2. Run postinstall to complete the upgrade:
/opt/privx/scripts/carrier-postinstall.sh

To upgrade PrivX Web Proxies:

  1. Install the latest Web-Proxy package in either of the following ways:
  • If the PrivX repository is enabled on the machine. Install the package with:
yum install PrivX-Web-Proxy
  • Without the PrivX repository, go to Settings→Deployment→Deploy PrivX web access gateways and click Download PrivX Web Access Gateway Components:
    Then copy the rpm to the Web-Proxy host and install it with (replace `/path/to/PrivX-Web-Proxy..rpm`* with the path to which you placed the Web-Proxy package):
yum install /path/to/PrivX-Web-Proxy-*.rpm
  1. You may need manually merge web-proxy-config.toml changes
  2. Run postinstall to complete the upgrade:
/opt/privx/scripts/web-proxy-postinstall.sh

Uninstalling PrivX

This section provides steps for completely removing PrivX from a machine. These steps may be used in preparation for PrivX reinstallation.

To delete all PrivX related data from a PrivX server:

  1. Uninstall the PrivX package:

    sudo yum erase PrivX
    
  2. Remove the leftover PrivX installation directory (includes configurations and keyvault data):

    sudo rm -rf /opt/privx
    
  3. If using a local database, remove PostgreSQL and its data directory:

    sudo yum erase postgresql
    sudo rm -rf /var/lib/pgsql/
    
  4. Remove Nginx:

    sudo yum erase nginx
    

    Also remove the leftover Nginx server configuration and SSL-certificate files:

    sudo rm -rf /etc/nginx
    
  5. Finally remove the leftover privx-cert.json-file:

    sudo rm /tmp/privx-cert.json