This chapter describes the prerequisites of PrivX deployment.

Prerequisites for Installation

This section describes the system requirements and specifications for PrivX-system components.

GDPR Compliance

Please note that because PrivX handles user data, that data is classified as personal information (Personally Identifiable Information). You must ensure your GDPR compliance and inform your users about the handling of their data.

Mandatory Components

A PrivX deployment must include at least one PrivX server for running PrivX services.

Table 2.1. PrivX-Server Requirements and Specifications

System Configuration

  4 GB RAM, 2-core CPU, and 15 GB storage for < 10k users
  8 GB RAM, 8-core CPU, and 100 GB storage for < 100k users

  Supported architecture: x86-64

  Supported operating systems:
    Red Hat Enterprise Linux 7.4 or later 7.x, 8.x (x86-64)
    CentOS 7.4 or later 7.x, 8.x (x86-64)

  Supported databases: Local or external PostgreSQL and Redis

Network Connectivity

  Internet connectivity required:
    • For installing dependent libraries during installation and upgrades
    • For PrivX-license activation and verification. The license-server address is 184.106.60.185:443

  Default network ports in use:
    Web UI: Port 443 in
    Client-certificate authentication: Port 8443 in
    SSH sessions: Port 22 out
    SSH Bastion: Port 2222 in
    RDP sessions: Port 3389 out
    RDP Bastion: Port 3389 in
    Email notifications: Port 25, 465, or 587 out
    CRL lists for RDP connections: Port 80 in
    DNS: Port 53 out
    External PostgreSQL: Port 5432 out
    External Redis: Port 6379 out
    NTP: Port 123 out

Target-host Authentication

  Supported OpenSSH versions:
    Certificate-based authentication: OpenSSH 6.9 or later; see the section called “Enabling Certificate-Based Authentication for SSH Connections”
    Other authentication methods: OpenSSH 5.6 or later

  Supported platforms for Windows Domain Controller and Certificate Authority Server:
    Windows Server 2012 R2, 2016, 2019 (with the latest service packs and updates)

Client Experience

  Supported browsers (latest versions of):
    • Firefox
    • Chrome
    • Safari
    • Edge

System Security

  HSM support: SafeNet Network HSM
    • Luna SA 5



Note

Other applications and users with access to PrivX hosts can gain potentially sensitive information from unprotected system memory. For best security we strongly recommend running PrivX on dedicated hosts.

Optional Components

This section describes the system requirements and specifications for optional PrivX components:

  • PrivX Extender

  • PrivX Carrier

  • PrivX Web Proxy

PrivX Extenders proxy connections to target hosts. They are needed for connecting to hosts not directly accessible from PrivX servers.

Table 2.2. PrivX-Extender Requirements and Specifications

System Configuration

  4 GB RAM, 2-core CPU, and 15 GB storage

  Supported operating systems:
    Red Hat Enterprise Linux 7.4 or later 7.x, 8.x (x86-64)
    CentOS 7.4 or later 7.x, 8.x (x86-64)

Network Connectivity

  Internet connectivity required: For installing dependent libraries during installation and upgrades

  Default network ports in use:
    PrivX connection: Port 443 out
    SSH sessions to hosts: Port 22 out
    DNS: Port 53 out
    RDP sessions to hosts: Port 3389 out
    Host-deployment listener: Port 8443 in

PrivX Carriers provide web functionality. They are needed if you want to connect to HTTP/HTTPS targets via PrivX.

Table 2.3. PrivX-Carrier Requirements and Specifications

System Configuration

  64 GB RAM, 16-core CPU, and 100 GB storage for < 50 concurrent web connections

  Supported operating systems:
    Red Hat Enterprise Linux 7.4 or later 7.x, 8.x (x86-64)
    CentOS 7.4 or later 7.x, 8.x (x86-64)

Network Connectivity

  Internet connectivity required: For installing dependent libraries during installation and upgrades

  Default network ports in use:
    PrivX connection: Port 443 out
    Web-proxy connection: Ports 18080, 18443, and 18444 out

Similar to Carriers, PrivX Web Proxies also provide web functionality. They are needed if you want to connect to HTTP/HTTPS targets via PrivX.

Table 2.4. PrivX-Web-Proxy Requirements and Specifications

System Configuration

  4 GB RAM, 2-core CPU, and 15 GB storage for < 50 concurrent web connections

  Supported operating systems:
    Red Hat Enterprise Linux 7.4 or later 7.x, 8.x (x86-64)
    CentOS 7.4 or later 7.x, 8.x (x86-64)

Network Connectivity

  Internet connectivity required: For installing dependent libraries during installation and upgrades

  Default network ports in use:
    Carrier connection: Ports 18080, 18443, and 18444 in
    Target-host connections: Ports 80 and 443 out
    PrivX connection: Port 443 out
    ICAP listener: Port 1344 in

  Supported login methods for autofill:
    Multi-part form
    JSON
    XML

Expected System Performance

A PrivX server that satisfies or exceeds the production requirements is expected to support:

  • 100 000 PrivX users total, with 700 concurrent users.

  • 25 000 target hosts total, with:

    • Up to 1000 hosts added/deployed concurrently.

    • 20 000 target hosts scanned in 2 minutes.

  • Up to 200 concurrent RDP connections for performing typical user operations. Graphically intensive sessions (including video streaming) may reduce the number of supported concurrent connections.

Note

The PrivX microservice architecture supports multiprocessing and benefits from using multiple CPUs or multiple CPU cores.

Reserve enough space for the log data generated by PrivX. Also monitor the log-data growth periodically. In large deployments, PrivX may generate a considerable amount of log data over time. You may configure the PrivX machine to write its log data to an external logging server.

Features Dependent on License

The enabled features and limitations can be viewed on the Settings → License page.

The maximum amount of concurrent SSH, RDP, and HTTPS connections depends on the type of PrivX license. Connections exceeding the maximum allowed connections are disconnected.

The standard PrivX license gives you all the PrivX features except the ones listed below:

  • PrivX Extender: For more information, see the section called “Proxying Connections to Hosts”.

  • Application restrictions through RDP connections: For more information, see the section called “Restricting Users' Access to Applications in RDP Connections”.

  • RDP-native-client connections: For more information, see the section called “RDP Connections with Native Clients”.

For more information about managing your PrivX license, see the section called “PrivX License Management”.

NTP Clock Synchronization

We strongly recommend enabling NTP clock synchronization for the system. Otherwise, please verify the system time and date manually before continuing with PrivX installation. We also recommend enabling time-server authentication for NTP connections.

The short-term user certificates issued by PrivX may be valid at incorrect times if system times are not synchronized correctly. Due to the just-in-time nature of the certificates issued by PrivX, even deviations of just a few minutes may cause authorizations to fail.

High-Availability Installation Requirements

If you plan to have multiple PrivX servers in your deployment (for high-availability and/or load balancing), you must set up an external PostgreSQL database and an external Redis server. You may also need to set up a load balancer to distribute connections to PrivX servers.

  • Set up a PostgreSQL-database instance and a Redis-server instance. We strongly recommend employing dedicated instances for PrivX.

    The PostgreSQL superuser (typically postgres) must have a valid password: during initial setup, PrivX requires superuser permissions to create the PrivX database and the PrivX database user.

    Access to the Redis server may be password-protected.

  • PrivX servers require access to the PostgreSQL database and the Redis server.

    For example, with PostgreSQL on Unix you need to edit pg_hba.conf and insert entries similar to the following:

    hostssl all all <privx_server_ip> md5

  • External-database connections must be SSL-protected:

    • Enable SSL mode in your PostgreSQL configuration (ssl = true).

    • The PostgreSQL server must be configured with a server certificate where the SubjectAltName specifies the DNS and IP address(es) of the server.

    PrivX servers should also be configured to trust the PostgreSQL-server certificate: On each PrivX server, add the PostgreSQL-server CA chain to the system trust anchors. For more information about adding trust anchors to PrivX servers, see the section called “Secure-Connection Setup”.

  • Select a load-balancer platform that satisfies the following requirements:

    • All requests from one PrivX session must be handled by the same PrivX server; for example, the load balancer can be configured to use either IP hashing or sticky sessions.

    • If you need certificate authentication to PrivX, or SSH/RDP-Bastion connectivity, the load balancer must support TCP-level load balancing.

    A possible load-balancer platform is Nginx. For example load-balancer configurations on Nginx, see Appendix A.
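Before pointing the PrivX servers at the external database, it is worth checking which pg_hba.conf entry will actually admit each PrivX-server address, since PostgreSQL applies the first matching entry and a plain `host` entry also admits non-SSL clients. The script below is an added example, not PrivX code or documentation: it assumes the standard pg_hba.conf column layout, models the PrivX connection as an SSL connection, and uses constructed addresses and entries.

```python
"""Audit which pg_hba.conf entries admit the PrivX servers (added example, not PrivX
code). Assumes standard columns and an SSL client, so 'local'/'hostnossl' never match."""
import ipaddress


def parse_entries(text):
    """Yield (lineno, type, network, method) for host/hostssl entries with IP addresses."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl"):
            continue
        addr, rest = fields[3], fields[4:]
        if rest[0].count(".") == 3:            # separate IPv4 netmask column
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:                     # 'all', 'samenet' or a hostname
            continue
        yield lineno, fields[0], net, rest[0] if rest else ""


def audit(hba_text, privx_servers):
    """First matching entry wins (PostgreSQL semantics); return one finding per server."""
    entries = list(parse_entries(hba_text))
    report = {}
    for ip in privx_servers:
        for lineno, kind, net, method in entries:
            if ipaddress.ip_address(ip) not in net:
                continue
            if kind == "host":                 # also admits non-SSL sessions
                report[ip] = f"line {lineno}: 'host' permits non-SSL; use hostssl"
            elif method == "trust":
                report[ip] = f"line {lineno}: 'trust' skips authentication"
            elif method not in ("md5", "scram-sha-256"):
                report[ip] = f"line {lineno}: method '{method}' is not md5/scram-sha-256"
            else:
                report[ip] = f"line {lineno}: ok ({kind} {method})"
            break
        else:
            report[ip] = "no matching entry: connection would be refused"
    return report


# Constructed sample entries and PrivX-server addresses (not from a real deployment).
SAMPLE_HBA = """\
hostssl  all  all  10.10.1.5/32              md5
host     all  all  10.10.1.0/24              md5
hostssl  all  all  10.10.2.0 255.255.255.0   scram-sha-256
hostssl  all  all  10.10.4.0/24              trust
"""
PRIVX_SERVERS = ["10.10.1.5", "10.10.1.7", "10.10.2.9", "10.10.4.2", "10.10.9.1"]
```

Run `audit(open("/var/lib/pgsql/data/pg_hba.conf").read(), [...])` with your own PrivX-server addresses (path is an assumption; it varies by distribution) and fix every entry that is not reported as ok.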

HSM Integration

For added security, PrivX can be integrated with a Hardware Security Module (HSM). This allows storing cryptographic keys on the HSM and encrypting database/filesystem keys with a secret held on the HSM.

PrivX integrates with HSM providers using PKCS #11. For more information about setting up PrivX with an HSM, see the Advanced Deployment articles at https://help.ssh.com/

Keys Stored in HSM

The following types of keys may be stored in HSM.

Asymmetric keys

  • CA for issuing just-in-time certificates when users connect using certificate authentication.

  • CA for signing server certificates.

Symmetric keys

  • Master key for encoding/decoding session recordings.

  • Session-authentication keys.

  • Keys for encrypting user and role data.

To store the default CA keys in HSM, your HSM must support the following key-pair-generation mechanisms:

Table 2.5. Required key-generation mechanisms for HSM storage

Key type: CA keys
  Mechanisms:
    CKM_RSA_PKCS_KEY_PAIR_GEN
    CKM_RSA_PKCS

Key type: Symmetric keys
  Mechanisms:
    CKM_GENERIC_SECRET_KEY_GEN
    CKM_SHA_1_HMAC
    CKM_SHA*_HMAC (256/384/512)
    CKM_AES_KEY_GEN
    CKM_AES_GCM

Keys not supported by the HSM are stored in the PrivX database/filesystem, but encrypted using the PKCS #11 instance secret located on the HSM.

Database/Filesystem Keys Encrypted by HSM Integration

Authentication-signing secrets and passphrases are stored in the PrivX database/filesystem. However, when HSM integration is enabled, such keys are encrypted using the PKCS #11 instance secret located on the HSM.

Supported Key-Exchange Algorithms

curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group14-sha1

Product Limitations

  • Key combinations using keys unavailable on UK or US keyboards (such as CTRL+ ) do not work in Edge browsers.

  • You cannot transfer folders through file transfer.

  • The Ctrl+W key combination closes the open tab in Firefox.