RPAM Connector Configuration
The following steps should be read carefully to install the RPAM Connector successfully on the target machine.

Prerequisite: Secure Boot

Check the Secure Boot status before the installation by running the following command:

    mokutil --sb-state

If Secure Boot is enabled, it might cause an error during the WireGuard installation. Disable it to continue the installation.

Prerequisite: Network Firewall Rules

The following firewall rules must be configured on the network-level firewall protecting the network segment where the RPAM Connector is deployed (for example a perimeter firewall, a DMZ firewall or a cloud network firewall). These rules apply to the network firewall in front of the RPAM Connector, not to any host-based firewall running on the RPAM Connector server itself.

Required firewall rules on the network firewall protecting the RPAM Connector:

1) WireGuard tunnel traffic (UDP): allow the RPAM Connector to initiate the WireGuard tunnel to the Remote Access Portal.
2) Forwarded traffic to the PAM server: allow traffic forwarded by the RPAM Connector to reach the PAM server.

Stateful network firewall (recommended and most common)

Stateful firewall examples include enterprise and cloud firewalls such as Palo Alto Networks, FortiGate, Check Point, Cisco ASA/FTD, Juniper SRX and AWS Security Groups.

Required rule:

Stateless network firewall

In stateless firewall environments, traffic is evaluated per packet and connection state is not tracked, so the return direction of each flow has to be allowed explicitly as well.

Required rules:

Installation Steps

1. Download the RPAM Connector installation script on the machine that will be used as the RPAM Connector. The support team can provide the installation script. After downloading it, unzip the installation script on the machine; the unzip command can be used to extract the files from the installation script archive.

   Linux CLI:
   [root@con]# unzip rap-onprem-1.4.0.zip

   If it becomes necessary to start the script again for any reason (for example because of a wrong input or a missing file), remove all installation files except the compressed RPAM Connector installation script, unzip the compressed installation script file again, and only then execute the script. We highly recommend this method, since the extracted files might be modified after the script is executed for the first time, and executing the script with modified files might cause a faulty installation.

2. Navigate to the on-prem directory.

   Linux CLI:
   [root@con]# cd on-prem/

3. Run the configuration script.

   Linux CLI:
   [root@con on-prem]# sh configure.sh

   If the script fails to run because of insufficient file permissions, run the chmod +x configure.sh command. Root privileges are required to run this script.

4. The RPAM Connector installation script should be restarted after the forced reboot. The installation script then asks the user to choose one of the following options.

   a) For a first-time installation on premises, the whole RPAM Connector should be configured from scratch, so select the first option by entering 1 and pressing the Enter key. The RPAM Connector installation script asks for several configuration details:

      - the WireGuard IP address that will be assigned to the RPAM Connector's side,
      - the public IP address of the Remote Access Portal (RAP) environment,
      - the port number of WireGuard,
      - the IP segment of WireGuard,
      - the public IP address of Kron PAM,
      - the public IP address of the RPAM Connector,
      - a public key generated by the Remote Access Portal (RAP) script.

      Below are example values for the RPAM Connector configuration.

      Connector configuration description                               Example value
      WireGuard IP address assigned to the RPAM Connector's side        10.0.0.2
      Public IP address of the Remote Access Portal (RAP) environment   54.173.245.231
      Port number of WireGuard                                          51820
      IP segment of WireGuard                                           10.0.0.0/29
      Public IP address of Kron PAM                                     10.20.42.129
      Public IP address of the RPAM Connector                           10.20.42.17
      Public key generated by the Remote Access Portal (RAP) script     ftwteku3ge6yrhj8sswm279kdrkm/5l8isjajwyyeg0=

      After all information is filled in, press y to continue. If any field was not filled in successfully (missing or wrong information), press n to re-enter the information.

      When the RPAM Connector installation asks for the public key and you do not yet know the public key generated by the Remote Access Portal (RAP) installation script, you can set a temporary public key for now (e.g. 9lbf3tzer8t3reshotftb+srqd5jrqa0jhdnbizkvfa=). Do not forget to set the real public key afterwards by using the RPAM Connector script (see 4 b of this section below), once the Remote Access Portal (RAP) script has generated its public key.

      At the end of the RPAM Connector script, the public key generated by this script is ready to be used on the Remote Access Portal (RAP) environment (e.g. g1zi8fxmn0tgprf518mz7f/bk1npasnebspmbokd2ta=). Do not forget to add this key on the Remote Access Portal (RAP) environment by using the Remote Access Portal (RAP) installation script (see 6 b on the previous page).

   b) Once the RPAM Connector has been fully installed, only one configuration item is missing: the public key generated by the Remote Access Portal (RAP) installation script. When the user executes the Remote Access Portal (RAP) installation script on the cloud (see 6 a on the previous page), it generates a public key to be used in the RPAM Connector, so this option configures the secure tunnel configuration file with the public key generated on the Remote Access Portal (RAP) side. Select the second option by entering 2 and pressing the Enter key, then set the public key data of the secure tunnel configuration file to the public key generated by the Remote Access Portal installation script (e.g. ftwteku3ge6yrhj8sswm279kdrkm/5l8isjajwyyeg0=).
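The values collected in step 4 a and the peer public key set in step 4 b can be sanity-checked before they are typed into the installer, which avoids the re-extraction cycle described in step 1 after a mistyped value. The following script is an added example written for this guide; it is not Kron's configure.sh and does not interact with it. The field names, the temporary-key check and the rendered tunnel file layout are assumptions (the page states only that the tunnel is WireGuard and lists the values), so the rendering uses a standard wg-quick style [Interface]/[Peer] file purely for illustration. It verifies that each address parses, that the WireGuard address lies inside the WireGuard segment, that the port is in range, and that the peer key is a 32-byte base64 WireGuard key that is no longer a temporary placeholder.

```python
"""Pre-flight checks for the values the RPAM Connector installer asks for.

Added example for this guide; not Kron's configure.sh. Field names and the
rendered [Interface]/[Peer] layout are assumptions for illustration only.
"""
import base64
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ConnectorConfig:
    wg_address: str           # WireGuard IP assigned to the connector side
    rap_public_ip: str        # public IP of the Remote Access Portal (RAP)
    wg_port: int              # WireGuard UDP port
    wg_segment: str           # WireGuard IP segment (CIDR)
    pam_public_ip: str        # public IP of Kron PAM
    connector_public_ip: str  # public IP of the RPAM Connector
    rap_public_key: str       # peer public key generated by the RAP script


def is_wireguard_key(value: str) -> bool:
    """WireGuard public keys are 32 bytes, base64-encoded with padding (44 chars)."""
    if len(value) != 44 or value[-1] != "=":
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def validate(cfg: ConnectorConfig, temporary_key: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems: List[str] = []
    for name in ("rap_public_ip", "pam_public_ip", "connector_public_ip"):
        try:
            ipaddress.ip_address(getattr(cfg, name))
        except ValueError:
            problems.append(f"{name} is not a valid IP address")
    segment = None
    try:
        segment = ipaddress.ip_network(cfg.wg_segment, strict=True)
    except ValueError:
        problems.append("wg_segment is not a valid CIDR network")
    try:
        wg_ip = ipaddress.ip_address(cfg.wg_address)
        if segment is not None and wg_ip not in segment:
            problems.append("wg_address is outside wg_segment")
    except ValueError:
        problems.append("wg_address is not a valid IP address")
    if not 1 <= cfg.wg_port <= 65535:
        problems.append("wg_port is out of range")
    if not is_wireguard_key(cfg.rap_public_key):
        problems.append("rap_public_key is not a 32-byte base64 WireGuard key")
    elif temporary_key is not None and cfg.rap_public_key == temporary_key:
        problems.append("rap_public_key is still the temporary placeholder; "
                        "set the key generated by the RAP script (step 4 b)")
    return problems


def render_tunnel_config(cfg: ConnectorConfig,
                         private_key_placeholder: str = "<CONNECTOR_PRIVATE_KEY>") -> str:
    """Illustrative wg-quick style file built from the collected values (assumed layout).

    The connector initiates the tunnel, so the RAP address and WireGuard port
    become the peer Endpoint; the private key is never typed in, hence a placeholder.
    """
    prefix = ipaddress.ip_network(cfg.wg_segment, strict=True).prefixlen
    return "\n".join([
        "[Interface]",
        f"Address = {cfg.wg_address}/{prefix}",
        f"PrivateKey = {private_key_placeholder}",
        "",
        "[Peer]",
        f"PublicKey = {cfg.rap_public_key}",
        f"Endpoint = {cfg.rap_public_ip}:{cfg.wg_port}",
        f"AllowedIPs = {cfg.wg_segment}",
        "",
    ])


# Example values taken from the table in step 4 a (the key is the guide's example).
EXAMPLE = ConnectorConfig(
    wg_address="10.0.0.2",
    rap_public_ip="54.173.245.231",
    wg_port=51820,
    wg_segment="10.0.0.0/29",
    pam_public_ip="10.20.42.129",
    connector_public_ip="10.20.42.17",
    rap_public_key="ftwteku3ge6yrhj8sswm279kdrkm/5l8isjajwyyeg0=",
)

# Constructed placeholder standing in for a temporary key entered during step 4 a.
TEMPORARY_KEY = base64.b64encode(bytes(range(32))).decode()

if __name__ == "__main__":
    for line in validate(EXAMPLE) or ["configuration values are consistent"]:
        print(line)
    print(render_tunnel_config(EXAMPLE))
```

Run it once with the values you intend to enter; any line printed before the rendered file is a value to correct before step 4 a, and passing the temporary key you used as temporary_key tells you whether step 4 b is still outstanding.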