Windows Proxy configuration with a CA PAM cluster with multiple network interfaces



Article ID: 12523


Products

CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)

Issue/Introduction

Installation of the Windows Proxy requires entry of a CA PAM server name that the Proxy will use to connect to CA PAM on startup. When communicating with a CA PAM cluster, the virtual IP (VIP) or its host name is usually entered in the Windows Proxy configuration, so that the Proxy can start up successfully as long as it can reach whichever cluster node owns the VIP at the time. In some environments, each CA PAM cluster node needs multiple network interfaces, with different Windows Proxy hosts connecting to different interfaces depending on the subnet they belong to. The VIP or its host name can only be used by the Proxies that can reach the interface the VIP belongs to.



How do we configure Windows Proxies on hosts that cannot connect to the interface on CA PAM cluster nodes that the cluster VIP belongs to?

Environment

Privileged Access Manager

Resolution

During the Windows Proxy installation, provide the IP or host name of one of the CA PAM cluster nodes that is reachable from the Proxy host. Once the installation completes, go to the config folder under the Proxy installation folder (by default C:\cspm_agent\cloakware\cspmclient\config), edit the file cspm_client_config.xml, and add <cspmserver> and <cspmserver_port> entries for each of the remaining cluster nodes. If cluster nodes are added later on, it is prudent to add them to the configuration as well; however, a new cluster node should be able to connect to the running Proxy without having an entry in the configuration file. The Proxy service will start up successfully as long as it can communicate with one of the configured servers.

Note that the number of <cspmserver> entries must match the number of <cspmserver_port> entries; they are paired by their order in the file, so the Nth <cspmserver> is used with the Nth <cspmserver_port>. Also, a cluster node that is locked while the cluster is off will reject requests from the Windows Proxy. If all configured nodes are in that state, which is the default after turning the cluster off, the Proxy service will not start; if it is already running, it will continue to run.


Valid configuration example 1:

    <cspmserver>pamhost1.example.com</cspmserver>
    <cspmserver_port></cspmserver_port>
    <cspmserver>pamhost2.example.com</cspmserver>
    <cspmserver_port></cspmserver_port>
    <cspmserver>pamhost3.example.com</cspmserver>
    <cspmserver_port></cspmserver_port>


Valid configuration example 2:

    <cspmserver>pamhost1.example.com</cspmserver>
    <cspmserver>pamhost2.example.com</cspmserver>
    <cspmserver>pamhost3.example.com</cspmserver>
    <cspmserver_port></cspmserver_port>
    <cspmserver_port></cspmserver_port>
    <cspmserver_port></cspmserver_port>


Invalid configuration (Proxy will not start):

    <cspmserver>pamhost1.example.com</cspmserver>
    <cspmserver>pamhost2.example.com</cspmserver>
    <cspmserver>pamhost3.example.com</cspmserver>
    <cspmserver_port></cspmserver_port>
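Because the Proxy pairs <cspmserver> and <cspmserver_port> entries purely by their order in the file, a mismatched count is easy to introduce when nodes are added by hand and only shows up when the service refuses to start. The following script is an added example, not CA's code and not part of this article: it parses a cspm_client_config.xml fragment, pairs hosts with ports in document order, rejects a count mismatch or an empty or non-numeric port, and appends a new node as a host/port pair so existing pairings are not shifted. It assumes the two element names appear somewhere under a single root element; the real root element and the other settings of cspm_client_config.xml are not shown in the article, so the sample fragments below use a placeholder <config> root, and the port numbers in them are constructed placeholders rather than CA PAM's actual port.

```python
"""Check the <cspmserver>/<cspmserver_port> pairing in a CA PAM Windows Proxy
configuration before restarting the Proxy service.

Added example, not CA's code. Assumptions not taken from the article:
- the real root element of cspm_client_config.xml is unknown here; the
  samples use a placeholder <config> root
- the port values in the samples are constructed placeholders
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

SERVER_TAG = "cspmserver"
PORT_TAG = "cspmserver_port"


def ordered_entries(xml_text: str) -> List[Tuple[str, str]]:
    """Return (tag, text) for every server/port element in document order.

    Document order is what the Proxy uses to pair the Nth <cspmserver> with
    the Nth <cspmserver_port>, whether the entries are interleaved or grouped.
    """
    root = ET.fromstring(xml_text)
    return [(el.tag, (el.text or "").strip())
            for el in root.iter()
            if el.tag in (SERVER_TAG, PORT_TAG)]


def pair_servers(xml_text: str) -> List[Tuple[str, int]]:
    """Pair hosts with ports by sequence; raise ValueError for a config the
    Proxy would not start with."""
    entries = ordered_entries(xml_text)
    hosts = [text for tag, text in entries if tag == SERVER_TAG]
    ports = [text for tag, text in entries if tag == PORT_TAG]
    if not hosts:
        raise ValueError("no <cspmserver> entries: nothing to connect to")
    if len(hosts) != len(ports):
        raise ValueError(
            f"{len(hosts)} <{SERVER_TAG}> entries but {len(ports)} "
            f"<{PORT_TAG}> entries; counts must match")
    paired = []
    for host, port in zip(hosts, ports):
        if not host:
            raise ValueError("empty <cspmserver> entry")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"invalid port {port!r} for {host}")
        paired.append((host, int(port)))
    return paired


def is_valid(xml_text: str) -> bool:
    """True when the Proxy would accept the host/port configuration."""
    try:
        pair_servers(xml_text)
        return True
    except ValueError:
        return False


def add_cluster_node(xml_text: str, host: str, port: int) -> str:
    """Append a new node as a host/port pair at the end of the root element.

    Adding both elements together keeps the sequence-based pairing of the
    existing entries intact; adding only one of them would shift every
    later pair.
    """
    root = ET.fromstring(xml_text)
    ET.SubElement(root, SERVER_TAG).text = host
    ET.SubElement(root, PORT_TAG).text = str(port)
    return ET.tostring(root, encoding="unicode")


# Constructed fragments mirroring the article's three examples (placeholder
# root element and placeholder ports).
INTERLEAVED = """<config>
  <cspmserver>pamhost1.example.com</cspmserver>
  <cspmserver_port>10001</cspmserver_port>
  <cspmserver>pamhost2.example.com</cspmserver>
  <cspmserver_port>10002</cspmserver_port>
  <cspmserver>pamhost3.example.com</cspmserver>
  <cspmserver_port>10003</cspmserver_port>
</config>"""

GROUPED = """<config>
  <cspmserver>pamhost1.example.com</cspmserver>
  <cspmserver>pamhost2.example.com</cspmserver>
  <cspmserver>pamhost3.example.com</cspmserver>
  <cspmserver_port>10001</cspmserver_port>
  <cspmserver_port>10002</cspmserver_port>
  <cspmserver_port>10003</cspmserver_port>
</config>"""

MISMATCHED = """<config>
  <cspmserver>pamhost1.example.com</cspmserver>
  <cspmserver>pamhost2.example.com</cspmserver>
  <cspmserver>pamhost3.example.com</cspmserver>
  <cspmserver_port>10001</cspmserver_port>
</config>"""

if __name__ == "__main__":
    for name, text in (("interleaved", INTERLEAVED), ("grouped", GROUPED),
                       ("mismatched", MISMATCHED)):
        try:
            print(name, pair_servers(text))
        except ValueError as err:
            print(name, "REJECTED:", err)
    print(pair_servers(add_cluster_node(GROUPED, "pamhost4.example.com", 10004)))
```

Both valid layouts produce the same three host/port pairs, while the mismatched fragment is rejected before the service is restarted. To check a real file, read it into a string and call pair_servers on it; the root element name does not matter to the check because root.iter() walks the whole document in order.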