CA PAM 4.0/ 4.0.x
Windows proxy may be used to manage local accounts on a server, server A and the ports it needs to have open are listed in the documentation. See for instance
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-1/protect-privileged-account-credentials/default-ports-for-credential-manager.html
If there is an account, account A, in server A which will be used in windows proxy to manage the rest of the accounts, it will have to be part of the local Administrators group in machine A, or at least have the right to change other accounts passwords.
Another possible use case is to use the account on server A to change the local accounts on server B, a remote server. To be able to do this, account A shoulc be a member of the local Administrators in server B or at least have rights to change the accounts passwords on server B. Besides, the password change in server B will be done through WMI, so port 445 for server B should at least be open for communications