Bomgar Privileged Identity Supported Platforms and Systems

Supported Host Platforms

Management Console and Zone Processors

Supported Host Platforms
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows 10

Note: Core Editions are not supported as hosting platforms for the management console. Workstation-classified operating systems are supported for small testing environments only.

Virtualization

Supported Host Platforms
Hyper-V Server 2016
VMware ESX
VMware Workstation

Web Application and Web Service

Supported Host Platforms
IIS 10
IIS 8.5

Database (Program Data Store)

Supported Host Platforms
Microsoft Azure SQL Server
Microsoft SQL Server 2016
Microsoft SQL Server 2014

Microsoft SQL Server 2012

Note: Clustered databases are fully supported and recommended.

Note: Microsoft SQL Express editions are supported for proof of concepts and test environments. However, we do not recommend these editions for production environments.

Application Launcher

Supported Host Platforms
Windows Server 2016
Windows Server 2012 R2

Note: Core Editions are not supported as hosting platforms for the application launcher.

Authentication Providers

Supported Providers
Active Directory Federated Services (ADFS) (SAML)

Microsoft Active Directory (OAuth)

Microsoft Azure Active Directory
OKTA SAML

Multi-Factor Providers

Supported Providers
Certificates (Smart Cards, CAC/PIV, etc.)
DUO
OAuth (built-in)
OATH compliant (Yubico)
RADIUS (RSA, DUO, etc.)
RSA SecureID (v8.x and newer)
SafeNet

Supported Target Endpoints for Password Spinning and Discovery

Windows

Supported Versions Discovery Password Spinning

Windows Server 2016

Yes

Yes

Windows Server 2012 R2

Yes

Yes

Windows Server 2012

Yes

Yes

Windows Server 2008 R2

Yes

Yes

Windows Server 2008

Yes

Yes

Windows 10

Yes

Yes

Windows 8.1

Yes

Yes

Windows 7

Yes

Yes

Target Databases

Supported Databases Discovery Password Spinning
IBM DB2 10.x

Yes

Yes

Microsoft SQL Server 2016

Yes

Yes

Microsoft SQL Server 2014

Yes

Yes

Microsoft SQL Server 2012

Yes

Yes

Microsoft SQL Server 2008 R2

Yes

Yes

Microsoft Azure SQL

Yes

Yes

MySQL 6.x+

Yes

Yes

Oracle 12g

Yes

Yes

Oracle 12c

Yes

Yes

Oracle 11g

Yes

Yes

Oracle 10g

Yes

Yes

PostgreSQL

Yes

Yes

Note: Non-Microsoft databases require provider-specific drivers supplied by the manufacturer and cannot be shipped with Bomgar PI. Support for Oracle database versions also depends on the Oracle OLEDB provider.

Linux/SSH

Supported Vendors and Versions Discovery Password Spinning
Berkeley Software Distribution (BSD) 12.0 (free)

Yes

Yes

CentOS 6 and 7

Yes

Yes

HP/UX 1131

Yes

Yes

Mac OS 8-10

Yes

Yes

OpenBSD 6.2

Yes

Yes

Red Hat 7

Yes

Yes

Solaris 11 x86

Yes

Yes

Suse 11

Yes

Yes

Ubuntu 14 and 18

Yes

Yes

Note: SSH version 2.0 is required to access the system. Blowfish encryption is not supported.

Mainframes and Other Large-Scale Systems

Supported Vendors and Versions Discovery Password Spinning

AS/400

Yes

Yes

OS/390

Yes

Yes

z/OS

Yes

Yes

Hypervisors

Supported Vendors and Versions Discovery Password Spinning

Microsoft Hyper-V

Yes

Yes

VMware ESX (SSH)

Yes

Yes

VMware ESXi (native or SSH)

Yes

Yes

Routers and Switches

Supported Vendors and Versions Discovery Password Spinning

Checkpoint

Yes

Yes

Cisco

Yes

Yes

EMC

Yes

Yes

F5

Yes

Yes

Fortigate

Yes

Yes

Foundry

Yes

Yes

HP Procurve

Yes

Yes

Juniper

Yes

Yes

NetApp

Yes

Yes

Palo Alto

Yes

Yes

Riverbed

Yes

Yes

SSH-capable Printers

Yes

Yes

SSH-capable Network Infrastructure (Power Distribution Units)

Yes

Yes

Note: SSH version 2.0 is required to access the system. Blowfish encryption is not supported.

LDAP Directories

Supported Vendors and Versions Discovery Password Spinning

Apache LDAP Directory

Yes

Yes

Apple Open Directory

Yes

Yes

IBM Tivoli Directory

Yes

Yes

Microsoft Active Directory

Yes

Yes

Novell eDirectory

Yes

Yes

Open LDAP

Yes

Yes

Oracle Internet Directory

Yes

Yes

Sun One Directory Server

Yes

Yes

ViewDS Directory

Yes

Yes

IPMI/iLO Cards

Supported Vendors and Versions Discovery Password Spinning
DELL Chassis Management Controller (CMC)

Yes

Yes

DELL Remote Access Card (DRAC) 3-7

Yes

Yes

Generic Intelligent Platform Management Interface (IPMI)

Yes

Yes

HP Integrated Lights Out (iLO) 1-4

Yes

Yes

SuperMicro IPMI

Yes

Yes

Cloud Service Providers

Supported Vendors Discovery Password Spinning
Amazon Web Services

Yes

Yes

Microsoft Azure Active Directory

Yes

Yes

Rackspace Public Cloud

Yes

Yes

SalesForce

Yes

Yes

SoftLayer

Yes

Yes

Other Targets

Supported Targets Discovery Password Spinning

IBM WebSphere

Yes

Yes

McAfee ePolicy Orchestrator (ePO)

Yes

Yes

Oracle PeopleSoft

Yes

Yes

Oracle WebLogic

Yes

Yes

Xerox Phaser Printers (via SNMP)

Yes

Yes

Supported Subsystem Password Propagation

Supported Subsystems Discovery Password Spinning
.NET Config Cache

Yes

Yes

Arbitrary Processes

Yes

Yes

Auto-logon Accounts (domain and local)

Yes

Yes

Java Middleware

Yes

Yes

Logon Cache

Yes

Yes

SDK for Programmatic Use of Stored Credentials

Yes

Yes

Search String Replacement in Text or Binary Files

No

Yes

Windows: COM

Yes

Yes

Windows: DCOM

Yes

Yes

Windows: IIS 6-7 Application Pools (confirm app status is in the same state)

Yes

Yes

Windows: IIS 6-10 Network Credentials

Yes

Yes

Windows: IIS 6-10 Website/Virtual Directories

Yes

Yes

Windows: Scheduled Tasks

Yes

Yes

Windows: Scheduling Services ATM Account

Yes

Yes

Windows: Service - Clustered

Yes

Yes

Windows: Service - Standalone

Yes

Yes

Windows: Service - Status

Yes

Yes

Supported Integrations

Syslog

Supported Integrations
AlienVault

ARCSight (CEF)

Generic Syslog
QRadar (CEF)

RSA Envision

Splunk

Help Desk

Supported Integrations

BMC Remedy

CA Service Desk
HP Service Manager
JIRA
Microsoft System Center Service Manager (SCSM)

ServiceNow

Hardware Security Modules (HSMs)

Supported Integrations
SafeNet Aladdin

Thales nCipher

Utimaco

Third Parties

Supported Integrations
Balabit
Core Security
FireEye
FireMon
ObserveIT
Qualys
Rapid7
Raytheon

RSA Aveksa

SailPoint

Securonix

Specific Platform Considerations

In some cases, more information about certain Bomgar PI-supported platforms and systems is needed in order to properly discover and manage those systems. This section describes considerations for the management targets supported by Privileged Identity.

Amazon Web Services

Considerations Supported Details
Account Discovery

No

Authentication

Yes

Authentication to Amazon uses an Amazon account configured with an API certificate for validation.

The API certificate (including alternate name and password) is used for AWS management.

Password Management

Yes

Ports and Protocols

Yes

All management functions occur over an HTTPS connection.

If the Privileged Identity host cannot connect directly to the internet, a proxy server connection may need to be configured upon enrollment of the AWS instance.

AS400

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

When establishing an SSH session, authentication to AS400 hosts can occur using a certificate or password.

Users can originate from a local directory or from a central directory.

Telnet can support password authentication only.

While all scenarios are supported, each requires different considerations and planning, especially when using certificates. It is important to understand your system's authentication requirements.

Password Management

Yes

 
Ports and Protocols

Yes

If using SSH, take into consideration the requirements for the target SSH port, for encryption, and for HMAC algorithms.

If SSH is not used, the 5250 terminal is used instead. 5250 terminal emulation is supported through an add-on component provided by DN-Computing, dn-computing.com.

With or without SSL, 5250 terminals run over Telnet. It is important to note which port to use and if SSL is enabled.

Cisco Devices

Considerations Supported Details
Account Discovery

No

Authentication

Yes

When establishing an SSH session, authentication to a Cisco device can occur using a certificate or password.

Users can originate from a local directory or from a central directory.

While all scenarios are supported, each requires different considerations and planning, especially when using certificates. It is important to understand your system's authentication requirements.

Password Management

Yes

It is important to know which account will be managed and which account will manage it. It is also important to know the process to follow to perform that management. Management of passwords is performed using answer files.

An answer file identifies what input is given to the system and what output is expected from the command. Any deviation can cause the password change job to incorrectly report the final status of the operation.

Ports and Protocols

Yes

By default, Cisco devices are Telnet-enabled. However, SSH must be enabled. It is highly recommended you use SSH for all password management to avoid the transmission of clear text passwords.

SSH uses a single port, which defaults to TCP 22. If you use Telnet for any reason, the default port is 23, but this can be changed. Whether using SSH or Telnet, you must know the target port and if an alternate port has been configured for use.

Ports are configured in the answer files used for password management. If multiple systems are on different ports, multiple answer files are required.

If using Telnet, passwords cannot be programmatically passed. Answer files must include the management steps and the login process, meaning the Telnet portion of the answer file must be edited.

IBM DB2

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

Authentication to a DB2 database can be performed using any non-managed account. To make the connection, you must know the default database name.

Password Management

No

Password management for DB2 databases is not available because the accounts DB2 use comes from the local host or from a central directory.

Ports and Protocols

Yes

For most DB2 database installations, including clustered resources, there are no additional steps beyond installing the proper OLE DB provider on the Privileged Identity host performing the management.

By default, DB2 listens on port 50000; however, the port can be changed.

IBM WebSphere

Considerations Supported Details
Account Discovery

Yes

Account discovery is supported for target WebSphere instances and for accounts found in the core WebSphere product.

Authentication

Yes

Authentication to a WebSphere instance must use a local WebSphere account.

Password Management

Yes

Passwords for target WebSphere instances can be managed.

Ports and Protocols

Yes

The port requirements for WebSphere can vary based on installation and SSL use. With SSL, the default ports used are 9080 and 9443.

Note: An EAR file must be installed as an enterprise application to start the WebSphere instance.

IPMI (Integrated Lights Out)

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

Authentication to an IPMI device can occur using local credentials. The password for the management account must be known to Privileged Identity in order to begin management.

Password Management

Yes

Privileged Identity expects the login account to be defined upon enrollment of the IPMI device. This allows Bomgar RED Account Reset Management to read all IPMI properties and to change passwords.

Ports and Protocols

Yes

IPMI runs over UDP port 623.

IPMI over LAN must be enabled on the target device, and the target device must conform to IPMI v1.5 or 2.0 specifications. IPMI over LAN is not always automatically enabled and may require administrative configuration to be enabled.

By default, UDP port 623 is not open on routed segments protected by firewalls. You must contact your firewall administrator for assistance.

Note: HP iLO 2 devices require BIOS revision 2.05 to be compatible with IPMI specification.

LDAP

Considerations Supported Details
Account Discovery

Yes

Account discovery is supported by Privileged Identity for LDAP directories. To identify accounts, you must know the proper LDAP search filter and the object identifier property for your target LDAP directory.

Searches start at the base LDAP path.

Assuming the base LDAP path and search filter are correct, the search may still fail if the LDAP authentication record is configured to use paged queries. The directory cannot use paged queries (or vice versa).

Authentication

Yes

To authenticate to an LDAP directory, you need the following information:

  • Target server: The target server to query.
  • Base LDAP path: The base LDAP path from which to begin the query.
  • Authentication type/ Log In Name and Format: Be mindful of how the login username and password must be formatted (simple vs. not simple) as well as what authentication type is required (explicit, Integrated, etc.).
  • Port and Protocols

Password Management

Yes

Privileged Identity can perform password management for LDAP users, provided the login account has the ability to reset target user passwords.

Ports and Protocols

Yes

All management operations are performed via LDAP.

By default, LDAP listens on port 389, but directories can be configured for alternate LDAP ports or can be cofigured to use SSL.

LDAP with SSL defaults to port 636. Typically, the port configuration does not change. If it does change, SSL (or TLS) may be required when it is usually not required.

Note: There are four LDAP directory nodes defined in Privileged Identity. All four nodes operate the same way; however, the default search and attribute parameters can vary slightly. You may use any node for any LDAP- compliant directory you intend to discover and manage.

Linux/Unix

Considerations Supported Details
Account Discovery

Yes

Account discovery for Linux/Unix systems requires the ability to read from /etc/shadow and /etc/password.

Authentication

Yes

When establishing an SSH session, authentication to Linux/Unix hosts can occur using a certificate or password.

Users can originate from a local directory or from a central directory.

While all scenarios are supported, each requires different considerations and planning, especially when using certificates. It is important to understand your system's authentication requirements.

Password Management

Yes

It is important to know which account will be managed and which account will manage it. It is also important to know the process to follow to perform that management. Management of passwords is performed using answer files.

An answer file identifies what input is given to the system and what output is expected from the command. Any deviation can cause the password change job to incorrectly report the final status of the operation.

Ports and Protocols

Yes

Modern Linux/Unix systems use SSH as the default protocol for management operations.

SSH uses a single port, which defaults to TCP 22. If you use Telnet for any reason, the default port is 23, but this can be changed. Whether using SSH or Telnet, you must know the target port and if an alternate port has been configured for use.

Ports are configured in the answer files used for password management. If multiple systems are on different ports, multiple answer files are required.

If using Telnet, passwords cannot be programmatically passed. Answer files must include the management steps and the login process, meaning the Telnet portion of the answer file must be edited.

McAfee ePO

Considerations Supported Details
Account Discovery

Yes

Account discovery is supported for target McAfee ePO instances provided that the connection account has the ability to read from the ORION table.

Authentication

Yes

McAfee ePO password changes occur by directly manipulating information in the Orion table or the ePO database, which runs on a Microsoft SQL Server. Access to this database must be available to Privileged Identity.

Authentication to a Microsoft SQL Server can be performed using an explicit SQL account (e.g. sa) or a trusted account from the local Windows host or joined directory. When working with a SQL Server from a trusted domain, the account running the console or the scheduling service must be granted the appropriate permissions to the target SQL Server. Or, the SQL Server must permit access with a proper explicit SQL Server account.

If attempting to manage a SQL instance on an untrusted host, you are able to use an explicit SQL Server account only.

Password Management

Yes

Privileged Identity can manage passwords for target McAfee ePO instances provided the connection account has the the ability to write and update the Orion table.
Ports and Protocols

Yes

For most SQL Server installations, including clustered resources, no additional steps are needed. However, SQL Server does allow an SSL-protected connection to be configured. If the connection is enabled for SSL or TLS, management of ePO accounts is no longer possible.

By default, SQL Server listens on port 1433, but this port can be configured on a per-IP-address or SQL-instance-basis. Be mindful of any port changes to the SQL server or named instance.

Microsoft Azure Active Directory (AD)

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

Authentication to Microsoft Azure AD uses an Azure AD account supplied as an email address. The following information is also required:

  • Client ID
  • Tenant ID
  • Subscription ID
  • Management Certificate and Certificate Password (Optional): Used for discovering systems in the Azure instance

Password Management

Yes

Standard AD account management permissions apply.

Ports and Protocols

Yes

All management functions occur over an HTTPS connection.

If the Privileged Identity host cannot connect directly to the internet, a proxy server connection may need to be configured upon enrollment of the Azure instance.

Note: If using Microsoft Azure AD as an authentication source for logging into the web application, the application must also be configured in Microsoft Azure AD.

MySQL

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

Authentication to a MySQL database can be performed only when using an explicit account. Directory accounts are not supported for management of MySQL databases.

MySQL uses a scheme to identify the source of the login account. MySQL instances must be configured with an account allowing access from Privileged Identity host servers.

To make a connection, you must know the default database name.

Password Management

Yes

 
Ports and Protocols

Yes

For most MySQL database installations, including clustered resources, no additional steps are needed beyond installing the proper OLE DB provider on the Privileged Identity host performing the management.

By default, MySQL listens on port 3306; however, the port can be changed.

Oracle Databases

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

Authentication to an Oracle database can be performed only when using an explicit account. Directory accounts are not supported for management of Oracle databases.

Password Management

Yes

 
Ports and Protocols

Yes

For most Oracle database installations, including clustered resources, no additional steps are needed beyond installing the proper OLE DB provider on the Privileged Identity host performing the management.

By default, Oracle listens on port 1521, but this port can be configured based on service/SID name. Be aware of port changes as well as changes to the names configured in the listeners file on the target Oracle database host. It is helpful to obtain the listener file from the target Oracle database.

Note: Oracle restricts management of down-level database versions. For more information, please see the Oracle Help Center at https://docs.oracle.com/en/.

Oracle WebLogic

Considerations Supported Details
Account Discovery

Yes

Account discovery is supported for target WebLogic instances and for accounts found in the core WebLogic product.

Authentication

Yes

Authentication to WebLogic instances must use a local WebLogic account.

Password Management

Yes

 
Ports and Protocols

Yes

Ports for WebLogic can vary based on installation and the use of SSL. Without SSL, the default port is 7001. With SSL, the default port is 7002.

Note: An EAR file must be installed as an enterprise application to start the WebLogic instance.

OS390

Considerations Supported Details
Account Discovery

No

Authentication

Yes

When establishing an SSH session, authentication to an OS390 host can occur using a certificate or password.

 

Users can originate from a local directory or from a central directory.

 

While all scenarios are supported, each requires different considerations and planning, especially when using certificates. It is important to understand your system's authentication requirements.

Password Management

Yes

 
Ports and Protocols

Yes

If using SSH, take into consideration the requirements for the target SSH port, for encryption, and for HMAC algorithms.

If SSH is not used, the 3270 terminal is used instead. 3270 terminal emulation is supported through an add-on component provided by DN-Computing, dn-computing.com.

With or without SSL, 3270 terminals run over Telnet. It is important to know which port to use and if SSL is enabled.

SSH and Telnet

Considerations Supported Details
Account Discovery

Yes

Account discovery for SSH hosts requires the ability to read from /etc/shadow and /etc/password.

Authentication

Yes

When establishing an SSH session, authentication to an SSH host can occur using a certificate or password.

 

Users can originate from a local directory or from a central directory.

 

While all scenarios are supported, each requires different considerations and planning, especially when using certificates. It is important to understand your system's authentication requirements.

Password Management

Yes

It is important to know which account will be managed and which account will manage it. It is also important to know the process to follow to perform that management. Management of passwords is performed using answer files.

Ports and Protocols

Yes

Modern SSH systems use SSH as the default protocol for management operations.

SSH uses a single port, which defaults to TCP 22. If you use Telnet for any reason, the default port is 23, but this can be changed. Whether using SSH or Telnet, you must know the target port and if an alternate port has been configured for use.

Ports are configured in the answer files used for password management. If multiple systems are on different ports, multiple answer files are required.

If using Telnet, passwords cannot be programmatically passed. Answer files must include the management steps and the login process, meaning the Telnet portion of the answer file must be edited.

Note: Any permission or policy preventing Bomgar PI's login account from reading /etc/shadow and /etc/password will keep enumeration from properly functioning. Also, if the files do not exist in the /etc directory, enumeration will not occur.

Note: Prior to version 5.5.0, Bomgar PI would copy /etc/shadow and /etc/password from the SSH host using SCP to the local PI host for local parsing. Versions after 5.5.0 list the contents of the files within the session, allowing for faster operations. Also, low-powered accounts can use sudo to cat the files, specifically sudo cat /etc/shadow.

PostgreSQL

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

Authentication to a PostgreSQL database can be performed only when using an explicit account. Directory accounts are not supported for management of PostgreSQL databases.

PostgreSQL authentication does not allow remote connections from anywhere out-of-the-box, and rules must be established to allow communications from specific hosts or networks.

For the connection to be made, you must know the default database name.

Password Management

Yes

 
Ports and Protocols

Yes

For most PostgreSQL database installations, including clustered resources, no additional steps are needed beyond installing the proper OLE DB provider on the Privileged Identity host performing the management.

By default, PostgreSQL listens on port 5432; however, the port can be changed.

Rackspace Public Cloud

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

Authentication to Rackspace requires using an explicit username and password.

Password Management

Yes

 
Ports and Protocols

Yes

All management functions occur over an HTTPS connection.

If the Privileged Identity host cannot connect directly to the internet, a proxy server connection may need to be configured upon enrollment of the Rackspace instance.

Salesforce

Considerations Supported Details
Account Discovery

Yes

Account discovery is supported for Salesforce accounts enrolled with the Chatter service.

Authentication

Yes

Authentication to Salesforce uses an account supplied as an email address.

An application must be configured in Salesforce to allow connectivity. The Consumer Key and Consumer Secret are required.

Password Management

Yes

Privileged Identity can manage passwords for Salesforce accounts provided that the logged in user is permitted to change passwords. Also, the application must allow that sort of management.
Ports and Protocols

Yes

All management functions occur over an HTTPS connection.

If the Privileged Identity host cannot connect directly to the internet, a proxy server connection may need to be configured upon enrollment of the Salesforce instance.

Note: If using Salesforce as an authentication source for logging into the web application, the application must also be configured in Salesforce.

SAP

Considerations Supported Details
Account Discovery

Yes

Account discovery is supported for target SAP instances and for accounts found in the core SAP product.

Authentication

Yes

Authentication to an SAP instance can occur with a local SAP account or a trusted account from another directory.

If using a gateway, note the following:

  • HTTP or non-HTTP
  • URL path to the server
  • The NetWeaver add-on must be installed on the gateway host.

If a gateway is not used, note the following:

  • System Number
  • Client
  • Destination
  • Table Name (a default table name is USERLIST and column index is 0.)

Password Management

Yes

Privileged Identity can manage passwords for SAP accounts provided that the logged in user is permitted to change passwords. Also, the application must allow that sort of management.
Ports and Protocols

Yes

Ports vary based on whether you use the NetWeaver add-on or a direct connection

Note: Librfc32.dll must be provided and copied into the \Windows\system32 directory of the Privileged Identity host managing the SAP instance.

SoftLayer

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

Authentication to SoftLayer uses an explicit username and password.

Password Management

Yes

 
Ports and Protocols

Yes

All management functions occur over an HTTPS connection.

If the Privileged Identity host cannot connect directly to the internet, a proxy server connection may need to be configured upon enrollment of the SoftLayer instance.

SQL Databases

Considerations Supported Details
Account Discovery

Yes

Account discovery is supported for target SQL Server instances provided that the connection account has the Control Server permission or is a member of the sysadmin role.

Authentication

Yes

.Authentication to a Microsoft SQL Server can be performed using an explicit SQL account (e.g. sa) or a trusted account from the local Windows host or joined directory. When working with a SQL Server from a trusted domain, the account running the console or the scheduling service must be granted the appropriate permissions to the target SQL Server. Or, the SQL Server must permit access with a proper explicit SQL Server account.If attempting to manage a SQL instance on an untrusted host, you are able to use an explicit SQL Server account only.

Password Management

Yes

Privileged Identity can manage passwords for target SQL Server instances provided the connection account has the Control Server server permission or is a member of the sysadmin role.
Ports and Protocols

Yes

For most SQL Server installations, including clustered resources, no additional steps are needed. However, SQL Server does allow an SSL-protected connection to be configured. If the connection is enabled for SSL or TLS 1.0, no additional software is needed.

If the SQL Server instance is configured to require TLS 1.2, you need to install the latest SQL Server native client on any host managing a SQL Server instance.

By default, SQL Server listens on port 1433, but this port can be configured a per-IP-address or SQL-instanc- basis. Be mindful of any port changes to the SQL Server or named instance.

VMware ESX

Considerations Supported Details
Account Discovery

Yes

Authentication

Yes

Authentication to VMware ESX uses an explicit username and password.

Password Management

Yes

 
Ports and Protocols

Yes

All management functions occur over an HTTPS connection.

If the Privileged Identity host cannot connect directly to the internet, a proxy server connection may need to be configured upon enrollment of the VMware ESX instance.

Windows

Considerations Supported Details
Account Discovery

Yes

Local systems allow administrators to enumerate all accounts on a Windows system.

For Active Directory, if you are not an administrator, you may successfully refresh portions of Active Directory for which you have read access. However, a non-fatal error will be received during the refresh. Without administrative rights, you cannot refresh the domain controller system information.

Password Management

Yes

When changing a local account password, the change can occur by an administrative account or by the target account changing its own password. When performing an administrative password change, a password reset is actually being performed. When an account is used to change its own password, a change, not a reset, is being performed.

When changing a domain account,this change can occur by an administrative account, or by the target account changing its own password, or by a delegated reset.For an account to manage different domain account passwords, the rights required vary based on the domain account.

Ports and Protocols

Yes

Windows management occurs via various RPCs and over a range of ports, including port 445, 135, and ephemeral ports. Basic system refreshes and local password management occur over port 445 for all recent versions of Windows.

Ephemeral ports are used during account usage discovery and password propagation. The ephemeral port range varies by Windows distribution and can be controlled in the Windows registry. The default ephemeral port range is:

  • Windows 2008 and later = 49152 - 65535

This port range must be accounted for when configuring firewall rules for management of these hosts.

Xerox Phaser Printers

Considerations Supported Details
Account Discovery

No

Account discovery is not supported for Xerox Phaser printers because there is only one account.

Authentication

Yes

Authentication to a Xerox Phaser Printer occurs over SNMP via the administrator account. This account can be renamed, which means you must be aware of the current name of this account.

Password Management

Yes

Privileged Identity can perform password management for Xerox Phaser printers; however, the administrator accoun tis used to change its own password.
Ports and Protocols

Yes

All management operations are performed via SNMP. The default SNMP port is 161.

SNMP relies on a community name to aid in authentication. The default community name is public, and the name is subject to change during printer configuration.

SNMP with SSL is not supported at this time.