This document outlines the steps for deploying Kron PAM Tenant Connector (MTC) functionality.
The Tenant Connector provides secure remote data center connections to tenants who want to use Kron PAM’s features, such as preventing password theft and eliminating unsupervised access. They need a secure connection between their remote data centers and the central Kron PAM server.

Depending on the Tenant Connector (MTC) option, the respective licenses should be active on the Kron PAM server: 

 (for both Outbound and Inbound Built-in VPN).

There are three options for Tenant Connector (MTC) deployment:

If the customer has an OpenVPN license and configuration, and if the customer wants to use them for the Tenant Connector deployment, the

option should be selected on the Tenant Connector page of Kron PAM Web GUI. If the customer selects this option, the customer should have an OpenVPN username, password, and configuration file.

Tenants who do not have an OpenVPN license and want to use Kron PAM’s secure connection can use the Built-in VPN option (either outbound or inbound) provided by Kron PAM.
The

 option handled by Kron PAM enables a secure connection between the Kron PAM server and the tenant connector. The outbound connection refers to the path that begins from Kron PAM and ends at the tenant connector.

The ports that are used in Outbound Built-in VPN:

For the initial installation file transfer operation, the specific

port (e.g., 22) that is selected by the customer should be opened one-time at the connector node. After the installation, this TCP port might be closed.

The whole communication between the connector device and Kron PAM passes through

and utilizes the external IP address that is specified on the Tenant Connector page of the Kron PAM Web GUI.

 port should be opened at the Kron PAM’s node.

For device mapping between the Kron PAM server and the tenant connector, the 

 ports (starting with 40000) are used. Each device assigned to the tenant connector on the Device page of Kron PAM Web GUI has an internal UDP port that the connector routes with iptables toward the real connection port. That is, when a request to access port 40000 comes to the Connector from the Kron PAM server, the Connector forwards the request to the IP address and the real connection port (e.g., 22 or 3389) of the device by doing port forwarding thanks to iptables.

option is an alternative solution to the Outbound Built-in VPN option handled by Kron PAM, which enables a secure connection between the Kron PAM server and the tenant connector. The inbound connection refers to the path that begins from the tenant connector and ends at the Kron PAM.

The ports that are used in Inbound Built-in VPN:

The same ports are used as in the Outbound Built-in VPN, 

except for the file transfer TCP port (e.g., 22).

 In the case of the inbound option selected, the file transfer TCP port shouldn’t be opened since there is no initial installation file transfer operation in the inbound connection.

Update & Patch Installation

Tenant Connector

Tenant Connector Outbound Node For Replicated Kron PAM Environments

Tenant Connector Outbound Multiple Nodes Option

Tenant Connector Outbound Installation

Tenant Connector Inbound Installation

Installation

Kron PAM - Installation Guides

Kron PAM- Installation Guides

The steps for Kron PAM Server (within the Secure Zone) and Kron PAM Mobile App Server (on the DMZ)

Kron PAM 3.8.* Mobile App Server over DMZ