Application Launcher Installation and Deployment Considerations

Review the tasks required to install the application launcher and session recording software for Privileged Identity.

Installation Tasks

  1. Install and register the Privileged Identity management console, the web application, and web service.
  2. Make note of the web service URI. It is required for the application launcher and session recording to work properly.
  3. Understand the product requirements prior to installation.
  4. Install the application launcher and (optionally) the session recording software.
  5. Install streaming media services for IIS.
  6. Configure application launching settings via the management console.

Plan Your Session Recording Installation

The application launching capability of Privileged Identity is a licensed feature, which requires a jump server. An application launcher server needs to be a Windows Remote Desktop Services (RDS) machine which can proxy connections to specific target systems.

The general configuration for application launcher includes:

  • Installation of Privileged Identity
  • Jump server or multiple jump servers to launch applications

We recommend jump servers be hosted separately from your main BeyondTrust Privileged Identity instance.

When session recording is enabled, the following should be considered:

  • Recording: The session recording component on the jump server records the session and copies the resulting file(s) for video transcoding to the machine/folder, which functions as the video transcoder.
  • Transcoding: The video transcoding service compresses the raw video file and processes it for streaming.

We do not recommend installing the transcoding component on your jump server due to potential storage and CPU usage issues and instead recommend installing the component on a separate machine. However, a single server configuration is supported.

  • Storage: The transcoded file is moved to permanent storage. This could be the file system of the transcoder or another system providing access from the final files to the streaming media services machine.
  • Streaming - The media server component streams the video files for viewing on demand and requires access to the storage where the video files are located. This machine may be a shared machine or a separate machine.

High Availability Suggestions

High Availability (HA) is achieved by deploying multiple instances and configuring load balancing. A few examples and suggestions of how HA can be achieved are provided below:

  • Jump server: The application launcher relies on Microsoft Remote Desktop Services (RDS), and RDS uses Network Load Balancing (NLB) to achieve high availability.
  • Transcoding: If transcoding occurs on another machine separate from the jump server, you can deploy multiple transcoders and point to where the recorder will place the raw, non-transcoded files. If transcoding occurs on your jump server and the jump server is already configured as part of an NLB cluster, you can install the transcoder on each host.
  • Storage: To retain multiple live copies of recorded sessions, you can use a replicated storage solution like a Distributed File System (DFS) to replicate the data.
  • Streaming: To enable HA for streaming, you can maintain multiple instances of the media server configured as an NLB cluster and point to the same shared storage.

The recorded video files are located in the file system of the host operating machine. A simple backup strategy may be beneficial and may make the deployment process easier.

Potential Deployment Strategies

There are several ways to deploy the application launcher and the session recording software. If using the session recording component, your deployment strategy may be more complex.

Here are three potential deployment scenarios.

Deployment 1

Deployment Strategy 1

Place the recording, transcoding, and streaming components on the jump server.

 

Deployment 2

Deployment Strategy 2

Place the recording and transcoding components on the jump server, and the streaming component on the web server. If the CPU on the jump server is powerful enough and can quickly process raw video for streaming, this deployment model may be ideal.

This deployment model does not require IIS to be configured on the jump server.

 

Deployment 3

Deployment Strategy 3

Place the recording component on the jump server, and place the transcoding and streaming components on the web server. This model is recommended.

Before deployment, make sure your web server is appropriately sized to handle the output from the video transcoding service.