Password Safe Cloud Resource Broker Installation and Configuration Guide

This document explains how Password Safe Cloud uses resource brokers within resource zones to manage resources across segmented networks, and how to configure resource zones. By configuring resource zones effectively, you have centralized control over resource allocation, enhanced security, and the ability to meet compliance standards, providing you with peace of mind and a smoother resource management experience.

A resource zone is a group of resources on your network. You can have a maximum of 51 resource zones to meet the requirements for how your network is segmented; however, one zone for your entire network is sufficient. At least one resource zone is required. Password Safe Cloud creates a default resource zone called Default, which is a catch-all for all domains and workgroups in your network, and cannot be edited.

Password Safe Cloud uses resource brokers to communicate with the systems in your resource zones. A resource broker is a bundle of software that contains all of the services and components required for Password Safe Cloud to interact with your on-premises servers using TCP 443 for communication.

You must download the Resource Broker Installer from the Password Safe Cloud portal and install the broker on a Windows Server 2019 x64 or greater system in your network. Each resource zone must have at least one resource broker installed, but we recommend you install two or more for efficiency and redundancy. You may install up to 200 resource brokers across all of your zones. All 200 may be in one zone or distributed across your zones. Once this threshold is reached, you cannot generate an install key or run the installer.

Installing a resource broker on Windows 2016 x64 is supported; however, Windows 2019 x64 is recommended.
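The following preflight check is an added example, not part of the installer or the product. It checks a candidate broker host against the operating system requirement and the TCP 443 requirement stated above. It assumes the broker host is the side that opens the TCP 443 connection, which this guide does not specify. The hostname is a placeholder and the function name is hypothetical.

```powershell
# Added example: preflight check for a prospective resource broker host.
# $PortalHost is a placeholder; replace it with your own Password Safe Cloud hostname.
param(
    [string]$PortalHost = 'your-tenant.example.invalid',
    [int]$Port = 443
)

function Get-BrokerOsVerdict {
    # Hypothetical helper: maps OS facts to the support statements in this guide.
    param([int]$Build, [string]$Architecture, [int]$ProductType)

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    if ($ProductType -eq 1)            { return 'Unsupported: not a Windows Server edition' }
    # OSArchitecture is a localized string such as "64-bit", so match on the digits only
    if ($Architecture -notmatch '64')  { return 'Unsupported: 64-bit operating system required' }
    # Build 17763 is Windows Server 2019; later server releases have higher build numbers
    if ($Build -ge 17763)              { return 'OK: Windows Server 2019 or greater' }
    # Build 14393 is Windows Server 2016
    if ($Build -eq 14393)              { return 'Supported, not recommended: Windows Server 2016' }
    return 'Unsupported: release not listed in this guide'
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Direct TCP connect from this host to the placeholder endpoint
$tcp = Test-NetConnection -ComputerName $PortalHost -Port $Port -WarningAction SilentlyContinue

$verdict = Get-BrokerOsVerdict -Build ([int]$os.BuildNumber) `
                               -Architecture $os.OSArchitecture `
                               -ProductType ([int]$os.ProductType)

$result = [pscustomobject]@{
    Host         = $env:COMPUTERNAME
    OS           = $os.Caption
    Build        = [int]$os.BuildNumber
    OsVerdict    = $verdict
    Target       = "${PortalHost}:$Port"
    TcpReachable = [bool]$tcp.TcpTestSucceeded
}
$result | Format-List

# Non-zero exit code lets a deployment pipeline stop before the installer is run
if ($verdict -like 'Unsupported*' -or -not $result.TcpReachable) { exit 1 }
```

Test-NetConnection opens a direct TCP connection and does not use a configured web proxy, so a failure on a host that reaches the internet only through a proxy needs to be checked separately.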

A resource zone uses a collection of resource brokers to handle the following four core Password Safe functions. Azure uses a round-robin technique to communicate with the resource brokers within the zone to handle these functions.

  • Authentication against LDAP/Active Directory: Allows authentication into Password Safe against your local LDAP/Active Directory domains.
  • Asset and Account Discovery: Uses a discovery scanning agent to discover assets and accounts in your network.
  • Credential Management: Changes passwords or SSH keys on a scheduled or on-demand basis.
  • Session Proxy: Acts as a proxy to allow a standard user to open SSH or RDP sessions on systems in your network.

For more information on the services that are bundled with a resource broker, please see Troubleshoot Resource Broker Issues.