Managing MAP servers
This section describes how MAP Servers can be added to Osirium PAM and how to create MAP Server groups.
- Introduction
- Prerequisites
- Adding the MAP Server
- MAP Server detail page
- Manage MAP Server groups
- Creating a MAP Server group
- MAP Server groups detail page
Introduction
A MAP Server is an Osirium PAM controlled Windows Server that runs the MAP Server service and allows remote applications to be launched from the UI.
This can be particularly useful where a tool requires a certain combination of a thick client, .NET, Java, IE, etc. Tools are assigned to a MAP Server group through a profile.
Note
Multiple PAM Servers can use the same MAP Server(s).
Key benefits of using a MAP Server include:
- Control user access to individual management applications, as well as the traditional SSH and RDP.
- Centrally manage ‘thick’ management application installations.
- Dependencies become central not local, including old browsers.
- Single place to upgrade and maintain management tools.
- Multiple versions can co-exist with connections automatically routed to the correct MAP Server.
- Mitigates the risk of ‘Trojan’ management applications.
- Creates a ‘Secure Virtual Admin Workspace’, which Third Parties can also use.
MAP Server Architecture Overview
Prerequisites
We recommend first installing the MAP service on the MAP Server and then entering a shared secret of your choice that conforms to your company's policy. Make a note of the shared secret, as it will be required to add the MAP Server. Once the MAP service has been successfully installed, you can add a MAP Server to one or more PAM Servers.
When adding a MAP Server, you will need to be logged in as an administrator to the Windows Server where the MAP service will be installed.
Note
For more information, see the MAP Server Installation Guide.
When a new user connects to a thick client application through a MAP Server, the default behaviour is to create a local Windows user account and profile on the MAP Server for the session. This local user account will be used each time the user logs on.
As an alternative, you can configure the MAP Server to use your Active Directory accounts. For more information, see the Osirium Support article: How to: Choose the right account for your MAP tool.
Adding the MAP Server
- On the Manage MAP servers page, click the NEW MAP SERVER button. The New MAP server window appears.
- On the Details tab, edit the following settings:
  Heading | Description |
  ---|---|
  Name | MAP Server display name. |
  Address | Enter the IP Address of the MAP Server. |
  Generate new shared secret | Deselect to provide your shared secret in the space. As per our recommendation, the MAP service should already be installed and the shared secret noted. |
  Shared secret | The shared secret assigned to the MAP Server during installation. |
  Enabled | Indicates if the MAP Server is enabled. |
  Notes | Additional information. |
  MAP server group membership | Select each MAP Server group you wish to add the MAP Server to. |
- Click NEXT.
- On the Create MAP server tab, wait while a connection test is made. An API call is made to the MAP Server to gather/update the MAP Server information.
  The connection test results will be displayed as follows:
  Status | Description |
  ---|---|
  Good | An API call has been successfully made to the MAP Server. |
  Error | Unable to make an API call to the MAP Server. |
  Note
  To run the connection test again, click the TEST button.
- Click CREATE. The MAP Server is added to your PAM Server.
  Note
  Apply the same process to add the MAP Server to multiple PAM Servers.
Note
To upgrade an existing MAP Server setup, see Osirium MAP server upgrade instructions.
If you switch from a generated shared secret to an entered shared secret, you will have to remove the existing MAP Server entry and re-add it, as it is not possible to update the Shared Secret field in the Admin Interface.
MAP Server detail page
The MAP server detail page allows you to manage MAP Server configurations, check the connection status to the MAP Server and add it to MAP Server groups.
To view the MAP Server detail page:
- From the left-hand menu, under Manage, click MAP servers.
- Within the MAP servers tab, click a MAP Server Name.
- Click the icon to edit the following details:
  Heading | Description |
  ---|---|
  Name | MAP Server display name. |
  Address | MAP Server IP address. |
  Enabled | Indicates if the MAP Server is enabled. |
  Shared secret | Hover over to view the shared secret. Press CTRL+C to copy. |
  Notes | Additional information. |
- To save changes, click the icon.
Connection test
The Connection Test area provides details of the MAP Server and the number of user connections available.
The CHECK STATUS button makes an API call from the PAM Server to the MAP Server and provides one of the following statuses:
Status | Description |
---|---|
Good | An API call has been successfully made to the MAP Server. |
Error | Unable to make an API call to the MAP Server. |
MAP Server groups
To add the MAP Server to MAP Server groups:
- To the right of MAP server groups, click the MANAGE button. The Manager: MAP server groups window appears.
- Within the Manager: MAP server groups window, select the checkboxes for each MAP Server group to be Included in the MAP Server.
- Click SAVE CHANGES.
Manage MAP Server groups
A MAP Server group is a collection of MAP Servers that the PAM Server uses to load-balance connections to tools. Each tool is assigned a MAP Server group when added to a profile.
A MAP Server group could be created to handle each tool or a selection of tools, negating the need to install each tool on every MAP Server.
Groups are also useful for situations where a tool might require a certain combination of a thick client, .NET, Java, IE or similar. The combination can be installed on a collection of MAP Servers, and they can all be added to the same group on the PAM Server.
Different groups can be created to handle combinations required by different tools.
To manage MAP Server groups:
- On the left-hand menu, under Manage, click MAP servers. The Manage MAP servers screen appears.
- On the Manage MAP servers screen, click the MAP server groups tab.
The information presented in the table includes:
Heading | Description |
---|---|
Name | MAP Server group display name. |
Notes | Additional information. |
Counts | MAP servers: the number of MAP Servers in the group. Profiles: the number of profiles using the MAP Server group. |
Creating a MAP Server group
To create a MAP Server group:
- On the left-hand menu, under Manage, click MAP servers. The Manage MAP servers screen appears.
- Click the MAP SERVER GROUP button. The New MAP server group window appears.
- Fill in the following details:
  Heading | Description |
  ---|---|
  Name | The MAP Server group display name. |
  Notes | Additional information. |
- Click SAVE.
MAP Server Groups detail page
The MAP server groups detail page allows you to configure and group MAP Servers.
To view the MAP server groups detail page:
- On the left-hand menu, under Manage, click MAP servers. The Manage MAP servers screen appears.
- Click the MAP server groups tab.
- On the table, click a MAP Server group Name.
- Click the icon to edit the following details:
  Heading | Description |
  ---|---|
  Name | The MAP Server group display name. |
  Notes | Additional information. |
- To save changes, click the icon.
To add a MAP Server to the MAP Server group:
- To the right of MAP Servers, click the Manage button. The Manager: MAP servers window appears.
- Within the Manager: MAP server groups window, select the checkboxes for each MAP Server group to be Included in the MAP Servers.
- Click SAVE CHANGES.
Associated profiles
Lists all the profiles the MAP Server group has been used in. Clicking on a profile name will navigate you to the corresponding profile page.