
Managing MAP servers

This section describes how MAP Servers can be added to Osirium PAM and how to create MAP Server groups.

Introduction

A MAP Server is an Osirium PAM controlled Windows Server that runs the MAP Server service and allows remote applications to be launched from the UI.

This can be particularly useful where a tool requires a certain combination of a thick client, .NET, Java, IE, etc. Tools are assigned to a MAP Server group through a profile.

Note

Multiple PAM Servers can use the same MAP Server(s).

Key benefits of using a MAP Server include:

  • Control user access to individual management applications, as well as the traditional SSH and RDP.
  • Centrally manage ‘thick’ management application installations.
  • Dependencies become central not local, including old browsers.
  • Single place to upgrade and maintain management tools.
  • Multiple versions can co-exist with connections automatically routed to the correct MAP Server.
  • Mitigates the risk of ‘Trojan’ management applications.
  • Creates a ‘Secure Virtual Admin Workspace’, which Third Parties can also use.

MAP Server Architecture Overview

MAP Server Architecture

Prerequisites

We recommend first installing the MAP service on the MAP Server and then entering a shared secret of your choice that conforms to your company's policy. Make a note of the shared secret, as it will be required to add the MAP Server. Once the MAP service has been successfully installed, you can add a MAP Server to one or more PAM Servers.

When adding a MAP Server, you will need to be logged in as an administrator to the Windows Server where the MAP service will be installed.

Note

For more information, see the MAP Server Installation Guide.

When a new user connects to a thick client application through a MAP Server, the default behaviour is to create a local Windows user account and profile on the MAP Server for the session. This local user account will be used each time the user logs on.

Manage MAP Server groups

A MAP Server group is a collection of MAP Servers that the PAM Server uses to connect to MAP tools. Each tool is assigned a MAP Server group when added to a profile.

A MAP Server group could be created to handle each tool or a selection of tools, negating the need to install each tool on every MAP Server.

Groups are also useful for situations where a tool might require a certain combination of a thick client, .NET, Java, IE or similar. The combination can be installed on a collection of MAP Servers, and they can all be added to the same group on the PAM Server.

Different groups can be created to handle combinations required by different tools.

To manage MAP Server groups:

  1. On the left-hand menu, under Manage, click MAP servers. The Manage MAP servers screen appears.

  2. On the Manage MAP servers screen, click the MAP server groups tab.

    MAP server groups tab

    The information presented in the table includes:

    Heading Description
    Name MAP Server group display name.
    Notes Additional information.
    Counts MAP servers: the number of MAP Servers in the group.

    Profiles: the number of profiles using the MAP Server group.

Creating a MAP Server group

To create a MAP Server group:

  1. On the left-hand menu, under Manage, click MAP servers. The Manage MAP servers screen appears.

  2. Click the Add icon MAP SERVER GROUP button. The New MAP server group window appears.

    New MAP server Group

  3. Fill in the following details:

    Heading Description
    Name The MAP Server group display name
    Notes Additional information.
  4. Click SAVE.

MAP Server Groups detail page

The MAP server groups detail page allows you to configure and group MAP Servers.

To view the MAP server groups detail page:

  1. On the left-hand menu, under Manage, click MAP servers. The Manage MAP servers screen appears.

  2. Click the MAP server groups tab.

  3. On the table, click a MAP Server group Name.

    MAP server group detail page

  4. Click the Edit pencil icon to edit the following details:

    Heading Description
    Name The MAP Server group display name.
    Notes Additional information.
  5. To save changes, click the Save icon.

To add a MAP Server to the MAP Server group:

  1. To the right of MAP Servers, click the Manage button. The Manager: MAP servers window appears.

    MAP servers manage servers

  2. Within the Manager: MAP servers window, select the checkboxes for each MAP Server to be Included in the MAP Server group.

  3. If you wish to set a priority, click the Edit (pencil) icon, enter the required priority (0 - 99) and click the Save icon. See Priority based MAP Server failover.

    MAP servers manage servers

  4. Click SAVE CHANGES.

Associated profiles

Lists all the profiles the MAP Server group has been used in. Clicking on a profile name will navigate you to the corresponding profile page.

Adding the MAP Server

  1. On the Manage MAP servers page, click the Add icon NEW MAP SERVER button.

    The New MAP server window appears.
    New MAP server

  2. On the Details tab, edit the following settings:

    Heading Description
    Name MAP Server display name.
    Address Enter the IP Address of the MAP Server.
    Checked box Generate new shared secret Deselect to provide your shared secret in the space.

    As per our recommendation, the MAP service should already be installed and the shared secret noted.

    Shared secret The shared secret assigned to the MAP Server during installation.
    Checked box Enabled Indicates if the MAP Server is enabled.
    Notes Additional information.
    MAP server group membership Select each MAP Server group you wish to add the MAP Server to.
  3. Click NEXT.

  4. On the Create MAP server tab, wait while a connection test is made. An API call is made to the MAP Server to gather/update the MAP Server information.

    MAP server create

    The connection test results will be displayed as follows:

    Status Description
    Usable device Good An API call has been successfully made to the MAP Server.
    Unreachable device Error Unable to make an API call to the MAP Server.

    Note

    To run the connection test again, click the TEST button.

  5. Click CREATE. The MAP Server is added to your PAM Server.

    Note

    Apply the same process to add the MAP Server to multiple PAM Servers.

Note

To upgrade an existing MAP Server setup, see Osirium MAP server upgrade instructions.

If you switch from a generated shared secret to an entered shared secret, you will have to remove the existing MAP Server entry and re-add it, as it is not possible to update the Shared Secret field in the Admin Interface.

MAP Server detail page

The MAP server detail page allows you to manage MAP Server configurations, check the connection status to the MAP Server and add it to MAP Server groups.

To view the MAP Server detail page:

  1. From the left-hand menu, under Manage, click MAP servers.

  2. Within the MAP servers tab, click a MAP Server Name.

    MAP server detail page

  3. Click the Edit pencil icon to edit the following details:

    Heading Description
    Name MAP Server display name.
    Address MAP Server IP address.
    Checked box Enabled Indicates if the MAP Server is enabled.
    Shared secret Hover over to view the shared secret. Press CTRL+C to copy.
    Notes Additional information.
  4. To save changes, click the Save icon.

Connection test

The Connection Test area provides details of the MAP Server and the number of user connections available.

The CHECK STATUS button makes an API call from the PAM Server to the MAP Server and provides one of the following statuses:

Status Description
Usable device Good An API call has been successfully made to the MAP Server.
Unreachable device Error Unable to make an API call to the MAP Server.

Add MAP Server to MAP Server group

To add the MAP Server to MAP Server groups:

  1. To the right of MAP server groups, click the MANAGE button. The Manager: MAP server groups window appears.

    MAP server manage groups

  2. Within the Manager: MAP server groups window, select the checkboxes for each MAP Server group to be Included in the MAP Server.

  3. Click SAVE CHANGES.

Priority based MAP Server failover

Priority levels can be set on MAP Servers to control the order in which a MAP Server within a MAP Server group is used to connect to the MAP tool.

When a user clicks on a MAP tool, PAM Server applies the following rules to select a MAP Server within a MAP Server group:

  1. Checks all MAP Servers in the group and keeps only those that are available, i.e. the MAP Server is 'Enabled' within the MAP Server details page, its connection test status is 'Good' and it has at least 1 available RDP connection.

  2. Selects the MAP Server with the highest priority (lowest number). If multiple MAP Servers have the same priority one will be picked at random.

  3. If a user’s previous MAP tool connection was made to a MAP Server with the same priority as the one selected, then the previously used MAP Server will be reused. If the priority does not match then it will continue to use the newly selected MAP Server.
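The three selection rules above can be modelled as follows. This is an added example, not Osirium code: the MapServer fields, the server names and the sample group are constructed, and it assumes a previously used MAP Server is reused only while it is still available.

```python
import random
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class MapServer:
    name: str        # hypothetical display name
    priority: int    # 0-99; the lower the number, the higher the priority
    enabled: bool    # 'Enabled' on the MAP Server detail page
    status: str      # connection test result: "Good" or "Error"
    free_rdp: int    # available RDP connections to the MAP Server


def is_available(s: MapServer) -> bool:
    # Rule 1: enabled, connection test 'Good', at least 1 free RDP connection.
    return s.enabled and s.status == "Good" and s.free_rdp >= 1


def select_map_server(group: Iterable[MapServer],
                      previous: Optional[str] = None) -> Optional[MapServer]:
    available = [s for s in group if is_available(s)]
    if not available:
        return None  # no usable MAP Server in the group
    # Rule 2: highest priority (lowest number); ties are broken at random.
    best = min(s.priority for s in available)
    tier = [s for s in available if s.priority == best]
    chosen = random.choice(tier)
    # Rule 3: reuse the user's previous server if it has the same priority as
    # the selected one. Assumption: it must also still be available.
    for s in tier:
        if s.name == previous:
            return s
    return chosen


# Constructed sample group (names and values are illustrative only).
GROUP = [
    MapServer("map-a", 10, True, "Good", 5),
    MapServer("map-b", 10, True, "Good", 2),
    MapServer("map-c", 0, False, "Good", 5),   # disabled: skipped despite priority 0
    MapServer("map-d", 5, True, "Error", 5),   # unreachable: skipped
    MapServer("map-e", 5, True, "Good", 0),    # no free RDP connection: skipped
    MapServer("map-f", 50, True, "Good", 9),   # used only if map-a and map-b drop out
]

if __name__ == "__main__":
    print(select_map_server(GROUP, previous="map-b").name)  # map-b
```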

To configure the priority of MAP Servers within the MAP Server groups detail screen:

  1. To the right of MAP Servers, click the Manage button. The Manager: MAP servers window appears.

  2. Within the Manager: MAP servers window, click the Edit (pencil) icon for the MAP Server whose priority you wish to set.

    MAP servers manage servers

  3. Enter the required priority (0 - 99) and click the Save icon.

    MAP servers manage servers

    Note

    The lower the number the higher the priority.

  4. Click SAVE CHANGES.