This chapter describes how to install Server Suite software on Windows computers in a production environment. It includes instructions for installing all identity and privilege management, audit and monitoring service, and multi-factor authentication components. It also describes how to install the Agent for Windows, and how to enable services on agent-managed Windows computers.
Note: The Authentication & Privilege components are the recommended first components to install so that Access Manager is available for you to use to create zones. At least one zone must be created before you can enable the authentication and privilege elevation services on an agent-managed computer.
The installation, management database, and first audit store database are now ready to start receiving user session activity. Next, you should install the collectors and, finally, the agents to complete the deployment of the audit and monitoring service infrastructure.
After you have created a new installation, with an audit management database and at least one audit store and audit store database, you must add the collectors that will receive audit records from the agents and forward those records to the audit store. For redundancy and scalability, you should have at least two collectors. For more information about planning how many collectors to use and the recommended hardware and network configuration for the collector computers, see Deciding Where to Install Collectors and Audit Stores.
When the installation finishes, the agent configuration panel launches automatically. You can configure the agent to enable Delinea services right away, or exit the configuration panel and configure the agent later. See Installing the Agent for Windows interactively using the setup program for details about this installation method.
Silently, by executing appropriate commands in a terminal window on each computer. This method also requires you to configure the agent registry settings on each computer. See Installing the Agent for Windows silently on remote Windows computers for details about this installation method.
The procedure in this section describes how to use the agent installation wizard to install the agent on a Windows computer. After the agent is installed, you will enable the agent to use one or more services that you installed earlier on the main administrative computer as described in Installing Server Suite and updating Active Directory.
By default, when you click Finish, the setup program opens the agent configuration panel. In the agent configuration panel, you can enable the agent to connect to Delinea services that are installed on the main administrative computer as described in Installing Server Suite and updating Active Directory. After a service is enabled, you can use the agent configuration panel to configure settings that define how the agent will interact with each service.
The first time the agent configuration panel opens, it does not display any services for you to enable. Services display in the agent configuration panel only after you manually instruct the configuration panel to check for services and display those that are eligible to be enabled.
If you want to reconfigure agent settings for auditing on a Windows computer after initially configuring them during enablement (or if you did not use the agent configuration panel when you enabled the service), you can open the agent configuration panel manually and configure the agent as described in this section.
The agent checks the spool disk space by periodically running a background process. By default, the background process runs every 15 seconds. Because of the delay between background checks, it is possible for the actual disk space available to fall below the threshold setting. If this were to occur, auditing would stop at the next interval. You can configure the interval for the background process to run by editing the
If you want to reconfigure agent settings for the Identity Platform on a Windows computer after initially configuring them during enablement (or if you did not use the agent configuration panel when you enabled the service), you can open the agent configuration panel manually and configure the agent as described in this section.
If you want to reconfigure agent settings for privilege elevation on a Windows computer after initially configuring them during enablement (or if you did not use the agent configuration panel when you enabled the service), you can open the agent configuration panel manually and configure the agent as described in this section.
When you perform a silent installation, several registry settings specific to the agent are configured by the default MSI file. In addition, a default transform (MST) file is provided for you to use if you join the computer to a zone as part of the installation procedure. When executed together, the default MSI and MST files ensure that the computer is joined to a zone, and that a default set of agent-specific registry keys is configured.
The following table describes the agent-specific registry settings that are available for you to configure during installation (by using the MST file) or after installation (by using the or the registry editor). Use the information in this table if you need to configure registry settings differently than how they are configured by the default MSI and MST files. Keep the following in mind as you review the information in the table:
In the right pane, edit or add properties as necessary to configure registry keys for your environment. See the table in Configuring Registry Settings for details about agent-specific properties that are typically set.
This section describes how to install the agent silently without joining the computer to a zone. This procedure includes configuring registry settings manually using the registry editor or a third-party tool.
Use the registry editor or a configuration management product to configure the registry settings for each agent. See the table in Configuring Registry Settings for details about agent-specific registry keys that you can set.
Note: Joining the computer to a domain is applicable only when you are enabling Authentication & Privilege features.
To install the agent without joining the computer to a zone during installation, see Installing Silently Without Joining a Zone for more information.
You can also choose to specify the option to retrieve the zone data before the computer restarts. This option can be helpful in situations where you might lose connection to the domain after restarting, such as when you're using a VPN connection. To specify that the agent retrieves zone data before the computer restarts, run the following command:
When you select a folder for the agent installer files, right-click and select Share with > Specific people to verify that the folder is shared with Everyone or with appropriate users and groups.
By default, when computers in the selected domain or organizational unit receive the next group policy update or are restarted, the agent will be deployed and the computer will be automatically rebooted to complete the deployment of the agent.
This chapter describes the recommended steps for deploying Server Suite software on the non-Windows computers that you want to add to Active Directory. The chapter also describes the alternatives you can use to install agent packages on non-Windows computers, including using native Linux installers to install Server Suite packages manually and automatically.
You can install agents from a mounted network volume using the install-bundle.sh script. This script is available on the agent CD or ISO file that contains all of the supported agent platforms in compressed format. The bundle installation script automatically determines the platform required and extracts the contents of the appropriate TGZ file, then starts the normal installation process.
The centrify-suite.cfg file is used when you run install.sh with the --std-suite or --ent-suite options. If you run install.sh --std-suite or install.sh --ent-suite with a customized version of the centrify-suite.cfg file, you can selectively install compatible add-on packages that do not have the same version number as the core Server Suite Agent.
If you want to specify values for the install.sh script to use, you should edit the sample centrify-suite.cfg or centrifydc-install.cfg file in its default location before invoking the install.sh script in silent mode.
You can also install Server Suite software using virtually any automated software distribution framework. For example, you can use software delivery offerings from HP OpsWare or IBM Tivoli, or features such as Apple Remote Desktop, or software distribution in the Casper Suite to deliver Server Suite software to remote computers. You can also use any custom software delivery tools you have developed specifically for your organization. If you use a commercial or custom software distribution mechanism, review the release notes text file included with the agent package for platform-specific installation details.
By default, the Centrify Agent for *NIX logs errors, warnings and informational messages in the UNIX syslog and /var/log/messages files along with other kernel and program messages. Although these files contain valuable information for tracking system operations and troubleshooting issues, occasionally you may find it useful to activate agent-specific logging and record that information in a log file.
Once you run this command, all of the Centrify Agent activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging enabled, the addebug program records messages from PAM and NSS requests in the /var/centrifydc/centrify_client.log file. Therefore, you should also check that file location if you enable logging.