
Hello Guys,

I'm new to the BeyondTrust world but have a fair understanding of PAM architecture.

I'm trying to understand the RDS server role in the Password Safe Cloud architecture. The current architecture shared by BT emphasises the Resource Broker, and that's where I have a clear understanding of the Resource Broker from an application and network perspective.

However, the RDS Server is not covered in detail in any document or article. I only understand that the RDS Server is required for session management for non-RDS/SSH connections. But where does it fit in the architecture?

I assume the flow of Database session management may look like:

End user Workstation → Resource Broker (TCP/4489) → RDS Server (TCP/3389) → Database (e.g. TCP 1521/1433)

I'm keen to understand the points below with respect to the RDS Server:

  1. Network requirements for the RDS Server. Does it connect to any other component (PS Cloud) except the Resource Broker and the target system (DB etc.)?
  2. Does the RDS Server store the session recording temporarily? If yes, how do I calculate the disk storage based on the number of sessions?
  3. Any detailed architecture including the RDS server in it.

I have checked these links already:

https://beyondtrustcorp.service-now.com/csm?id=kb_article&sys_id=6cbde0af47ed5ed4b77b3ddbd36d4318&table=kb_knowledge

https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/cloud/security/architecture.htm

This may seem a silly question, but here I am :)

Thanks in advance!

Yes, Microsoft RDS servers are used to launch Applications (RemoteApps) through Resource Broker servers. No other component of Password Safe Cloud has direct interaction with RDS servers except Resource Brokers.

Session recordings are stored on Resource Broker servers before uploading to Password Safe Cloud.

https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/deployment/remote-apps-deployment.htm


These articles below will help with some of your questions:

How do remote sessions (SSH and RDP) work when proxied via Password Safe
https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0017538

The RDS server does not store session recordings. They are stored temporarily on the Resource Broker. Refer to:


PS Cloud - Session recording does not open. Error: "Unable to open the session as the recording is not found."

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0016974

Average size of session recordings in BeyondInsight Password Safe - Large recording files

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020693

Communication and port list for Password Safe Cloud Resource Brokers and tenant (instance)

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019381

Thank you @Prudhvi Keertipati & @GloriaB for your response!

I have better clarity now.

Would you please also let me know which ports the Resource Broker uses to connect to the RDS server to supply the password of privileged accounts?

As per the shared article, port 3389 is used from the Resource Broker to the RDS server, but does it have a separate secured protocol/port for sharing the password with the RDS server?

Regards,

Varun Sahu


Hi @Varuns29,

Password Safe logs into the system with the functional account to change the password. So port 4489 from the client machine to the Resource Brokers (RB), then port 3389 from the RB server to RDS. Also, if it is an AD account and not a local Windows account, the AD ports listed in the communication list KB sent previously. These are default ports and can be changed.

How does Password Safe rotate or change passwords? What options are available in the Password Policy?

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020555

Thank you for sharing the knowledge. I would say I have got a fair understanding of the RDS Server.

Cheers
