In this article, you will learn what the requirements are for the Privileged Account and Session Management (PASM) product and how to deploy it.
1. System requirements
2. Deploy Privileged Account and Session Management (PASM) on Hyper-V
3. Deploy Privileged Account and Session Management (PASM) on VirtualBox
4. Deploy Privileged Account and Session Management (PASM) on VMware Workstation Player
5. Deploy Privileged Account and Session Management (PASM) from the Azure Marketplace
6. Deploy Privileged Account and Session Management (PASM) on a VM in Google Cloud Platform
SYSTEM REQUIREMENTS
The minimum requirements for the PASM appliance to work are described below:
1. CPU - a minimum of 1-2 CPUs for basic setups with a few users (up to 5 RDP sessions). For a small deployment (5-10 concurrent sessions), we recommend 2-4 CPUs. For a medium deployment (10-50 concurrent sessions), we recommend 4-8 CPUs. For a large deployment (50+ concurrent sessions), we recommend 8-16+ CPUs. PASM is generally CPU-bound due to the nature of RDP and video coding. More concurrent sessions and higher resolutions (e.g., 1080p or 4K) will increase the CPU usage significantly.
2. RAM - the minimum RAM requirement is 4 GB for up to 5 concurrent sessions. For a small deployment (5-10 RDP sessions), we recommend 4-8 GB of RAM. For a medium deployment (10-50 RDP sessions), we recommend 8-16 GB of RAM. For a large deployment (50+ RDP sessions), we recommend 16-32 GB of RAM. Each session consumes additional memory, so scaling the RAM based on the expected session count is crucial.
3. Network - the minimum requirement is to have a 1 Gbps network for general use. For more users, especially those with high-bandwidth video or multiple users using PASM in Full HD or 4K resolutions, network speeds should scale upwards to 10 Gbps or higher, depending on the load.
4. Display and Keyboard input language - PASM currently supports only the language en-US. For a list of supported keystrokes, you can download the document here.
5. Recommended browsers - Chrome and Edge.
Privileged Account and Session Management (PASM) is deployed through a preconfigured virtual machine/appliance. The PASM virtual machine can be deployed on Hyper-V, VirtualBox, and VMware. This approach simplifies the setup process, as the VM comes with all necessary components and configurations. The PASM virtual appliances can be downloaded from the HEIMDAL Dashboard -> Guide section:
IP Addresses and Ports
PASM needs to be able to communicate with the HEIMDAL core service (see this article), Google's DNS (8.8.8.8, 8.8.4.4), and Cloudflare's DNS (1.1.1.1). It also needs the following open ports: 80 (HTTP), 123 (NTP), 443 (HTTPS), 389 (LDAP), 636 (LDAPS).
DEPLOY PRIVILEGED ACCOUNT AND SESSION MANAGEMENT (PASM) on Hyper-V
1. After downloading the Hyper-V virtual appliance, you need to extract it to a desired folder.
2. Open Hyper-V Manager (you need to have it installed if it's not installed already) and press Import Virtual Machine to import the PASM Virtual Machine:
3. After importing it, start the Virtual Machine and allow it to run. Once the operating system has been booted, you will get the local IP Address of the PASM portal.
4. To access the PASM setup page, open a browser on a computer that is in the same network as the PASM Virtual Machine and type in the IP Address that was shown on the PASM Virtual Machine interface.
5. You should be prompted to accept the EULA, enter a name for the PASM server, activate it with the HEIMDAL license key, create an admin user account, and set 2-factor Authentication for it:
DEPLOY PRIVILEGED ACCOUNT AND SESSION MANAGEMENT (PASM) on VirtualBox
1. After downloading the VirtualBox appliance, you need to import it to the Oracle VM VirtualBox Manager.
2. Open Oracle VM VirtualBox Manager, click File -> Import Appliance, and load the downloaded virtual appliance. Choose where to have the Machine Base Folder and press Finish.
3. After importing it, start the Virtual Machine and allow it to run. Once the operating system has been booted, you will get the local IP Address of the PASM portal.
4. To access the PASM setup page, open a browser on a computer that is in the same network as the PASM Virtual Machine and type in the IP Address that was shown on the PASM Virtual Machine interface.
5. You should be prompted to accept the EULA, enter a name for the PASM server, activate it with the HEIMDAL license key, create an admin user account, and set 2-factor Authentication for it:
DEPLOY PRIVILEGED ACCOUNT AND SESSION MANAGEMENT (PASM) on VMware Workstation Player
1. After downloading the VMware appliance, double-click the image to install it.
2. Once VMware Workstation 17 Player starts, give it a Name, choose a storage path, and press Import.
3. After importing it, you can start the Virtual Machine by hitting the Play virtual machine button, allowing it to run.
4. Once the operating system has been booted, you will get the local IP Address of the PASM portal.
5. To access the PASM setup page, open a browser on a computer that is in the same network as the PASM Virtual Machine and type in the IP Address that was shown on the PASM Virtual Machine interface.
6. You should be prompted to accept the EULA, enter a name for the PASM server, activate it with the HEIMDAL license key, create an admin user account, and set 2-factor Authentication for it:
DEPLOY PRIVILEGED ACCOUNT AND SESSION MANAGEMENT (PASM) from the Azure Marketplace
1. Log in to Microsoft Azure and access the Marketplace.
2. Search for Heimdal PASM.
3. You should find Heimdal Privileged Account and Session Management. You can press the Create dropdown button to select the Heimdal Privileged Account and Session Management BYOL plan.
4. Proceed with the VM's configuration and run it after finishing the configuration step.
5. Once the operating system has been booted, you will get the local IP Address of the PASM portal.
6. To access the PASM setup page, open a browser on a computer that is in the same network as the PASM Virtual Machine and type in the IP Address that was shown on the PASM Virtual Machine interface.
7. You should be prompted to accept the EULA, enter a name for the PASM server, activate it with the HEIMDAL license key, create an admin user account, and set 2-factor Authentication for it:
DEPLOY PRIVILEGED ACCOUNT AND SESSION MANAGEMENT (PASM) on a VM in Google Cloud Platform
1. First, you need to import the OVA image into the Google Cloud console. Although there’s no Import OVA action, you can still do it using the Compute Engine -> Buckets area.
2. In the Buckets area, create a new bucket (e.g., pasm_gcp_platform).
3. Upload your OVA file (heimdal-pasm-virtualbox.ova).
4. Once the image is uploaded, click the Cloud Shell icon (>_) at the top right of the Google Cloud Console.
5. Run the following from Cloud Shell (built into the web UI) to import the image (before this step, make sure you increase your SSD quota to 1 TB, as the PASM appliance inflates to more than 500 GB, and that the user has all permissions on the bucket):
gcloud compute instances import pasm-gcp --source-uri=gs://pasm-gcp/heimdal-pasm-virtualbox.ova --os=ubuntu-2204 --zone=europe-central2-a
This will:
• Unpack the OVA file
• Convert the VMDK to Google’s native format
• Create a GCE-compatible disk image
• Automatically deploy a running VM instance named pasm-gcp (pasm-gcp is the name of the bucket and the location where the OVA file is stored).
6. After the import finishes (5-10 min), go to Compute Engine -> VM Instances, and you'll see the PASM appliance running. You can now stop/start it, create a custom image from it, or share or duplicate it via the UI. From now on, the imported image will appear in Compute Engine -> Images -> Custom images, and you can select it as a Boot disk for future VMs.
IMPORTANT
Do not enable or select Open vSwitch (OVS) during the GCP image import process. The Google Daisy translator executes netplan apply in a restricted environment where the OVS daemon cannot run, which causes the import to fail. PASM uses the standard Linux networking stack and does not require OVS. Since PASM is delivered as a closed appliance and does not support OS-level modification during deployment, any attempt by the import workflow to interact with OVS components can lead to a failed conversion.
Setting up Privileged Account and Session Management (PASM) in a Secure Access Zone
Privileged Account and Session Management (PASM) can be deployed within a Secure Access Zone, provided that the prerequisites and recommended security measures below are fulfilled. While the Secure Access Zone deployment model provides an additional layer of network segmentation, strict adherence to the following conditions is mandatory to maintain a secure operating environment for PASM.
To ensure the security and integrity of the Heimdal PASM deployment in a Secure Access Zone, the following conditions must be met:
- Secure Communication Protocol (HTTPS with Certificate): PASM must be configured to use HTTPS as the sole communication protocol. This requires installing a valid, trusted SSL/TLS certificate on the PASM instance to encrypt all data transmitted between users and the module.
- Minimum Administrative User Count: The number of users provisioned with administrative privileges on the PASM platform must be kept to an absolute minimum necessary for system operation and maintenance. Strict adherence to the principle of Least Privilege is mandatory for all administrative accounts.
- Mandatory Two-Factor Authentication (2FA) for Users: All human accounts accessing the PASM interface must be configured and required to use Two-Factor Authentication (2FA) for login. This significantly mitigates the risk of credential compromise.
The following measures are strongly recommended (and in some cases, critical best practices) to further enhance the security posture of the Secure Access Zone deployment:
- Restrict Network Access (Port Restriction): All incoming and outgoing network ports to and from the PASM instance must be blocked at the Secure Access Zone firewall level, except for port 443 (HTTPS). This ensures that the only permitted communication is the secure, certificate-protected access to the PASM web interface.
- Enforce High Password Complexity: A strong password policy must be enforced for all accounts on the platform. Passwords should meet a minimum complexity standard (minimum length of 12 characters, including a combination of uppercase letters, lowercase letters, numbers, and special characters).
- Implement Scheduled Password Rotation: Configure and enforce a policy for regular and automatic password rotation for all user and service accounts accessing PASM (this is done manually by each user). This practice ensures that even compromised credentials have a limited lifespan.
Heimdal Security provides the PASM product with robust security features. However, the overall security of the deployment is dependent on the customer's adherence to the specified security configurations, network infrastructure, and operational policies.
IMPORTANT
In case you have a specific network infrastructure in which no DHCP server automatically assigns IP addresses to new joiners (such as the PASM host), you can log in to the PASM host using the credentials displayed after starting up the appliance and change the network settings according to your needs.
To do so, follow the steps below:
1. Log in to the PASM appliance (Ubuntu) using the heimdal-user and the password you see in between the parentheses, and press Enter.
2. Configure a static IP for the PASM host (the gateway and the DNS servers) by editing the network settings:
sudoedit /etc/netplan/99-heimdal-manual-config-eth0.yaml
Comment out all the lines; after changing the IP address, the gateway, and the DNS servers, press CTRL+X to save and answer Yes (to save the modified buffer). Disregard the fact that the file is being saved in a temporary location.
3. After you have configured the desired network settings, run:
sudo netplan apply
4. The new IP address of the PASM host should be applied and made visible in the UI.
In case you want to change the password of the heimdal-user user account, you can use passwd. Rebooting the PASM host can be done by running sudo reboot, while a shutdown can be initiated by running sudo shutdown -h now.
Note: Please keep the 8.8.8.8 and 8.8.4.4 name server addresses, as the module will require them to update and function optimally.
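As an added illustration of step 2 (not the file shipped with the Heimdal appliance), this is what a static configuration for the netplan file could look like once edited. The interface name eth0 comes from the file name above; the 192.168.10.0/24 addresses are constructed placeholders, and the name servers are the two Google addresses the note above says must be kept.

```yaml
# Example content for /etc/netplan/99-heimdal-manual-config-eth0.yaml
# (added example, not the appliance's own file).
# Assumptions: interface eth0 (from the file name); the host address,
# prefix and gateway below are constructed placeholders for a hypothetical
# 192.168.10.0/24 LAN and must be replaced with your own values.
network:
  version: 2
  ethernets:
    eth0:
      # Disable DHCP so the static address below is authoritative.
      dhcp4: false
      # Static host address with its prefix length (replace).
      addresses:
        - 192.168.10.50/24
      # Default route through the LAN gateway (replace).
      routes:
        - to: default
          via: 192.168.10.1
      # Keep 8.8.8.8 and 8.8.4.4: the appliance relies on them for updates.
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
```

Activating it with sudo netplan apply (step 3) changes the address immediately; sudo netplan try applies the same file but reverts automatically after a timeout unless you confirm, which is safer when working over a remote console.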