Tenant Connector
Term                          Abbr.
Multi Tenant Connector        MTC
Privileged Access Management  PAM
Virtual Private Network       VPN

This document outlines the steps for deploying the Kron PAM Tenant Connector (MTC) functionality. Even though the product name is Multi Tenant Connector, the multitenancy license is not required. Initially the product was tailored for multi-tenant environments, but non-multi-tenant environments can now also use the Multi Tenant Connector. Moreover, the Multi Tenant Connector product might also be called Tenant Connector; the two names are used interchangeably.

The Multi Tenant Connector is a lightweight component deployed within the customer's (or tenant's) remote environment, responsible for securely bridging Kron PAM with target resources that are not directly accessible. Communication between Kron PAM and the Multi Tenant Connector is established over a WireGuard-based encrypted tunnel, ensuring the confidentiality and integrity of all session traffic.

The Multi Tenant Connector acts as a controlled access proxy. When a target device is marked as "Connector Accessible" in the Kron PAM web GUI, Kron PAM dynamically provisions port-based forwarding rules on the connector. These rules are implemented with iptables at the operating system level. Specifically, Kron PAM assigns a unique virtual port (starting from 40000 and incrementing sequentially, e.g. 40001, 40002) to each mapped target resource. Incoming traffic from Kron PAM over the WireGuard tunnel to these virtual ports is transparently forwarded by the Multi Tenant Connector to the corresponding internal device IP and service port.

For both the outbound and the inbound built-in VPN Multi Tenant Connector (MTC), the Connector Builtin VPN license must be active on the Kron PAM server.

There are two options for Multi Tenant Connector (MTC) deployment:

· Tenants who want to use Kron PAM's secure connection can use the built-in VPN option (either outbound or inbound) provided by Kron PAM.

Outbound Built-in VPN

The outbound built-in VPN option, handled by Kron PAM, enables a secure connection between the Kron PAM server and the Multi Tenant Connector. The outbound connection refers to the path that begins at Kron PAM and ends at the Multi Tenant Connector.

Required firewall rules on the network firewall protecting the Kron PAM server

1.1) Stateful network firewall (recommended and most common)

Stateful firewall examples include enterprise and cloud firewalls such as Palo Alto Networks, FortiGate, Check Point, Cisco ASA/FTD, Juniper SRX, and AWS Security Groups.

Required rules:

1.2) Stateless network firewall

In stateless firewall environments, traffic is evaluated per packet and connection state is not tracked.

Required rules:

Required firewall rules on the network firewall protecting the Multi Tenant Connector

1.1) Stateful network firewall (recommended and most common)

Stateful firewall examples include enterprise and cloud firewalls such as Palo Alto Networks, FortiGate, Check Point, Cisco ASA/FTD, Juniper SRX, and AWS Security Groups.

Required rules:

1.2) Stateless network firewall

In stateless firewall environments, traffic is evaluated per packet and connection state is not tracked.

Required rules:

Note: For the device mapping between the Kron PAM server and the Multi Tenant Connector, the predefined TCP ports (starting at 40000) are used. Each device assigned to the Multi Tenant Connector on the Device page of the Kron PAM web GUI has an internal port that the connector routes with iptables toward the real connection port. That is, when a request to access port 40000 reaches the Multi Tenant Connector from the Kron PAM server, the Multi Tenant Connector forwards the request to the IP address and the real connection port (e.g. 22 or 3389) of the device by port forwarding with iptables. These TCP ports (starting at 40000) are internal mapping constructs and do not require a firewall allowance.

Inbound Built-in VPN

The inbound built-in VPN option is an alternative to the outbound built-in VPN option handled by Kron PAM; it likewise enables a secure connection between the Kron PAM server and the Tenant Connector. The inbound connection refers to the path that begins at the Tenant Connector and ends at Kron PAM.

Required firewall rules on the network firewall protecting the Kron PAM server

1.1) Stateful network firewall (recommended and most common)

Stateful firewall examples include enterprise and cloud firewalls such as Palo Alto Networks, FortiGate, Check Point, Cisco ASA/FTD, Juniper SRX, and AWS Security Groups.

Required rules:

1.2) Stateless network firewall

In stateless firewall environments, traffic is evaluated per packet and connection state is not tracked.

Required rules:

Required firewall rules on the network firewall protecting the Multi Tenant Connector

1.1) Stateful network firewall (recommended and most common)

Stateful firewall examples include enterprise and cloud firewalls such as Palo Alto Networks, FortiGate, Check Point, Cisco ASA/FTD, Juniper SRX, and AWS Security Groups.

Required rules:

1.2) Stateless network firewall

In stateless firewall environments, traffic is evaluated per packet and connection state is not tracked.

Required rules:

Note: For the device mapping between the Kron PAM server and the Multi Tenant Connector, the predefined TCP ports (starting at 40000) are used. Each device assigned to the Multi Tenant Connector on the Device page of the Kron PAM web GUI has an internal port that the connector routes with iptables toward the real connection port. That is, when a request to access port 40000 reaches the Multi Tenant Connector from the Kron PAM server, the Multi Tenant Connector forwards the request to the IP address and the real connection port (e.g. 22 or 3389) of the device by port forwarding with iptables. These TCP ports (starting at 40000) are internal mapping constructs and do not require a firewall allowance.
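The notes above describe the connector's virtual-port mapping (40000, 40001, ... forwarded with iptables to the device's real IP and port) without showing what such rules look like or how an operator can check which mappings are live. The script below is an added illustration, not Kron PAM's own provisioning code: it renders one plausible rule set for a mapping and parses iptables-save output back into a "virtual port -> device" table so that the rules present on a connector can be reconciled against the devices marked "Connector Accessible" in the PAM GUI. The tunnel interface name wg0, the PAM-side tunnel address 10.255.0.1, the exact rule form, and the sample iptables-save lines are all assumptions or constructed data, not values from the page.

```shell
#!/bin/sh
# Added illustration, not Kron PAM's own code: what a per-device virtual-port
# forwarding rule on the connector could look like, and how to inventory such
# rules from iptables-save output. Assumed (not from the page): the WireGuard
# interface name wg0, the PAM-side tunnel address 10.255.0.1 and the exact rule
# form; the rules Kron PAM actually provisions may differ.

VPORT_BASE=40000                               # first virtual port, per the document
WG_IF="${WG_IF:-wg0}"                          # assumed tunnel interface name
PAM_TUNNEL_IP="${PAM_TUNNEL_IP:-10.255.0.1}"   # assumed Kron PAM address inside the tunnel

# virtual_port INDEX: the n-th mapped device gets VPORT_BASE + n (0 -> 40000, 1 -> 40001, ...)
virtual_port() {
    echo $((VPORT_BASE + $1))
}

# render_forward_rules INDEX DEVICE_IP DEVICE_PORT
# Prints (does not apply) the iptables commands that would forward traffic
# arriving on the tunnel at the virtual port to the device's real port.
# - DNAT is restricted to the tunnel interface and to the PAM tunnel address,
#   so only Kron PAM's side of the tunnel can reach the mapping.
# - FORWARD admits only that one destination ip:port (assumes a default-DROP
#   FORWARD policy plus a generic ESTABLISHED,RELATED rule for return traffic).
# - MASQUERADE makes the device answer via the connector rather than to a
#   tunnel address it has no route for.
render_forward_rules() {
    idx=$1; dev_ip=$2; dev_port=$3
    vport=$(virtual_port "$idx")
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WG_IF" "$PAM_TUNNEL_IP" "$vport" "$dev_ip" "$dev_port"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WG_IF" "$dev_ip" "$dev_port"
    printf 'iptables -t nat -A POSTROUTING -p tcp -d %s --dport %s -j MASQUERADE\n' \
        "$dev_ip" "$dev_port"
}

# list_mappings < iptables-save-output
# Prints "VIRTUAL_PORT DEVICE_IP:DEVICE_PORT" for every DNAT rule, so the
# mappings actually present on the connector can be compared with the devices
# listed in the PAM GUI; a line that matches no PAM device is a rule nobody
# provisioned through PAM and deserves a look.
list_mappings() {
    awk '
        /-j DNAT/ && /--dport/ {
            vp = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") vp = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            if (vp != "" && dst != "") print vp, dst
        }'
}

# Constructed sample of iptables-save output (not captured from a real connector).
SAMPLE_RULES='*nat
-A PREROUTING -i wg0 -s 10.255.0.1/32 -p tcp -m tcp --dport 40000 -j DNAT --to-destination 192.168.10.5:22
-A PREROUTING -i wg0 -s 10.255.0.1/32 -p tcp -m tcp --dport 40001 -j DNAT --to-destination 192.168.10.6:3389
-A POSTROUTING -d 192.168.10.5/32 -p tcp -m tcp --dport 22 -j MASQUERADE
COMMIT'

# Stand-alone demo: render the rules for one device, then list the sample mappings.
render_forward_rules 0 192.168.10.5 22
printf '%s\n' "$SAMPLE_RULES" | list_mappings
```

On a live connector the inventory step is `iptables-save -t nat | list_mappings`; the rendered rules are printed rather than applied so they can be reviewed first. Scoping the DNAT rule to the tunnel interface and the PAM tunnel address is what keeps the virtual ports "internal mapping constructs" in practice: nothing outside the WireGuard tunnel can reach them, which is why the document says they need no firewall allowance.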