Most SSH and RDP sessions launched from PAM take a long time before the connection is established. Network traces show that PAM first tries to connect to port 8550 on the target device and only 10 seconds later connects to the SSH or RDP port.
Port 8550 is used for communication between PAM and the Socket Filter Agent (SFA) that may be installed on the target device. When starting an SSH or RDP connection, PAM first checks whether the SFA exists on the target device by attempting to connect to port 8550, and then waits for a response. If no SFA is installed on the target, nothing picks up the packet and replies to it. In that case one of two things happens, depending on firewall settings: the packet is dropped or the packet is rejected. When the packet is 'DROPPED', PAM has no way of knowing whether it ever reached the device and keeps waiting for a response until the connection attempt times out after 10 seconds.
If the SFA is installed and running on the target device, this delay does not occur, because the query packet is answered.
To speed up connection initialization, the best solution is to ensure that the 8550 query packet is 'REJECTED' instead of 'DROPPED'. When a packet is 'REJECTED', the sender is notified and does not keep waiting for a response until a timeout occurs.
Note: Don't implement rejection if the SFA is used on the target device.
The discussion above assumes the use of the default Socket Filter Agent (SFA) port 8550. If a different port is configured under Policy > Manage Policies > Manage Filters > Socket Filter Config > Agent Port, then you should REJECT that port instead.
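To check which of the behaviors described above a given target currently shows, the following added example (not part of the original article and not a PAM tool) makes one TCP connection attempt to the SFA port and reports whether it was answered, rejected, or silently dropped. The helper name `classify_port`, the script name and the verdict strings are assumptions of this example; the 10-second default mirrors the timeout mentioned above.

```python
import errno
import socket
import sys
import time

SFA_PORT = 8550  # default SFA port named in the article; use the configured Agent Port if different

# Errors that mean the sender was told "no" right away (TCP RST or ICMP unreachable).
REJECT_ERRNOS = {errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify_port(host, port=SFA_PORT, timeout=10.0):
    """Hypothetical helper: return (verdict, seconds_waited) for one TCP connect attempt.

    verdict is 'listening' (something answered, e.g. the SFA), 'rejected'
    (fast failure, no delay expected), 'dropped' (silence until the timeout,
    the case that causes the delay) or 'error' (anything else, e.g. bad hostname).
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # IPv4 only
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "listening"
    except (socket.timeout, TimeoutError):
        verdict = "dropped"
    except OSError as exc:
        verdict = "rejected" if exc.errno in REJECT_ERRNOS else "error"
    finally:
        sock.close()
    return verdict, round(time.monotonic() - start, 2)


if __name__ == "__main__":
    # Usage: python sfa_probe.py <target-host> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else SFA_PORT
    verdict, waited = classify_port(target, port)
    print(f"{target}:{port} -> {verdict} after {waited}s")
```

Run it from a host that reaches the target over the same network path as PAM, since any firewall in between can be the one dropping the packet.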