
The Lockdown

Thycotic’s Cyber Security Blog

Up, up and away: How Distributed Engine technology helps Thycotic scale privileged account management for large enterprises

Written by Ben Yoder

July 14th, 2015

Why Distributed Engine?

When you run Discovery, Password Changing, or Heartbeat in Thycotic Secret Server, all the work is queued up inside the web application. This requires no additional configuration and works well out of box. We strive to make Secret Server easy to configure and get working quickly, but also powerful enough that when new problems arise, they can be handled.

As customers scale out the use of Secret Server, and expand to remote networks, there is a need for a more robust architecture. Distributed Engine is a replacement for the Remote Agent that provides the scalability needed in large or disconnected environments. Distributed Engine adds two new enhancements for customers.

Scaling: A single Distributed Engine provides a significant performance boost for Discovery and bulk password changing. There is also a new option to split the work among multiple Distributed Engines: if Discovery isn't fast enough, you can add one or more Distributed Engines to the site and see increased throughput. Performance is also a security measure. The faster you can rotate passwords, the smaller the window in which an attacker can use a credential that has already been exposed.

Remote Discovery: Today, Agent supports heartbeat and password changing on remote networks, but discovery is not available. Deploying a Distributed Engine to a remote network will allow you to run account discovery for all supported types. This eliminates the need for additional firewall rules or direct connect setups that were previously needed to run discovery on client or distributed environments.

What Will I Need To Do?

If you aren’t using Agents today, then there is nothing you need to immediately do when you upgrade. If you want to opt in to use Distributed Engine you will be able to migrate Secrets to use it.

If you are using Agents today, your Agents will be automatically upgraded, but you will need to configure a Site Connector Service. This can run on the same server as Secret Server or on a different box. The Site Connector is what each Distributed Engine actually connects to in order to get work assigned to it. For example, if you have 50 Agents running today, after the upgrade those Agent Services will be converted to 50 Distributed Engines.

Customers have two options for Site Connectors. The first, MemoryMQ, comes bundled with Secret Server and supports up to 100 Sites. You can download the installer from the Secret Server Distributed Engine administration area, and it doesn't require any third party applications.

The other option is RabbitMQ, which is a free third party queuing and messaging system that is deployed in many enterprise environments today. It can support more sites, and can be clustered across servers for additional redundancy.
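To make the architecture above concrete, here is a small model of a Site Connector holding one work queue per Site, with Distributed Engines acting as competing consumers on their own Site's queue. This is an added illustration written for this post, not Thycotic's code: the real engine protocol, MemoryMQ and RabbitMQ are replaced by an in-memory broker, and the site names, engine names and job names are constructed. It shows the two properties the text describes: several engines on one Site divide that Site's backlog without any job being handled twice, and a Site with no engine deployed never has its work picked up, which is why Discovery on a remote network needs an engine placed there.

```python
"""Competing-consumer model of a Site Connector with one work queue per Site.

Added illustration, not Thycotic code: Secret Server's real engine protocol is
not shown. The in-memory broker, site names, engine names and job names are
constructed stand-ins for MemoryMQ/RabbitMQ so the example runs offline.
"""
import queue
import threading
from collections import defaultdict


class SiteConnector:
    """Broker that keeps one FIFO queue per Site (the role MemoryMQ/RabbitMQ play)."""

    def __init__(self):
        self._queues = defaultdict(queue.Queue)

    def enqueue(self, site, job):
        self._queues[site].put(job)

    def next_job(self, site, timeout=0.05):
        """Return the next job for `site`, or None once that Site's queue is drained."""
        try:
            return self._queues[site].get(timeout=timeout)
        except queue.Empty:
            return None


class DistributedEngine(threading.Thread):
    """Worker bound to exactly one Site; it only ever asks the connector for that Site's jobs."""

    def __init__(self, name, site, connector, ledger, lock):
        super().__init__(name=name)
        self.site = site
        self.connector = connector
        self.ledger = ledger      # shared dict: job -> name of the engine that handled it
        self.lock = lock

    def run(self):
        while True:
            job = self.connector.next_job(self.site)
            if job is None:
                return            # queue drained: this engine goes idle
            with self.lock:
                # The queue hands each job to exactly one consumer, so sibling
                # engines on the same Site never both record the same job.
                self.ledger[job] = self.name


def run_sites(engines_per_site, jobs):
    """Dispatch `jobs` (a list of (site, job_name) pairs) and return job -> engine name.

    engines_per_site: dict site -> number of engines deployed to that Site.
    Jobs queued for a Site with no engines are never picked up and are absent
    from the returned ledger.
    """
    connector = SiteConnector()
    for site, job in jobs:
        connector.enqueue(site, job)

    ledger, lock = {}, threading.Lock()
    engines = [
        DistributedEngine(f"{site}-engine-{i}", site, connector, ledger, lock)
        for site, count in engines_per_site.items()
        for i in range(count)
    ]
    for engine in engines:
        engine.start()
    for engine in engines:
        engine.join()
    return ledger


def engine_site(engine_name):
    """Recover the Site an engine belongs to from its name ('<site>-engine-<n>')."""
    return engine_name.rsplit("-engine-", 1)[0]


if __name__ == "__main__":
    # Constructed sample: an 'HQ' Site with 3 engines and a 'branch' Site with 1.
    sample_jobs = [("HQ", f"rotate-svc-{n}") for n in range(30)]
    sample_jobs += [("branch", f"discover-host-{n}") for n in range(10)]
    for job, engine in sorted(run_sites({"HQ": 3, "branch": 1}, sample_jobs).items()):
        print(f"{job:18} -> {engine}")
```

The point of the per-Site queue is isolation as much as throughput: an engine deployed inside a remote network pulls only that network's Discovery and password-change jobs, so the work reaches hosts the central server cannot route to, and adding a second engine to a busy Site shortens the time its backlog stays outstanding.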

Something to Build On

Distributed Engine is a significant architecture improvement for Thycotic Secret Server, and will serve as a stepping stone as more and more features leverage it for performance or solving network connectivity problems.

Interested in learning more about Distributed Engine? Here’s your guide to getting started.




