Setting up WINSCP as a TCP/UDP PAM Service


Article ID: 144432

CA Privileged Access Manager (PAM)


PAM allows several applications to be included as TCP/UDP Services that are invoked from within its environment, so that access to devices through those applications is controlled by PAM.
This document explains how to add WinSCP as a PAM service.


Layer 7 Privileged Access Management
Version 3.x


WinSCP can be added to PAM as a TCP/UDP Service.
To do so, fill in the fields of the TCP/UDP service definition window with the following values:

  Service Name: WINSCP
  Local IP: (the last byte can be other than 222, choose the proper one in your system)
  Port(s): 22
  Protocol: TCP
  Enable: <selected>
  Application Protocol: Disabled
  Client Application: "C:\Program Files (x86)\WinSCP\WinSCP.exe" sftp://<User>:<Password>@<Local IP> <First Port>

The result is shown in the following screenshot (not reproduced here). In it, the 'Comment' field repeats the full command for readability, because the 'Client Application' field does not display its full contents:


CA PAM 3.4.3 additionally offers an option to select the File Transfer Protocol; in 3.4.3 the Client Application field of the screen above becomes:

Client Application: "C:\Program Files (x86)\WinSCP\WinSCP.exe" sftp://<User>:<Password>@<Local IP>:<First Port> /sessionname=<Device Name>
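The substitution that turns the Client Application strings above into the command WinSCP receives, as an added illustration (not PAM's or WinSCP's own code): it assumes the placeholders are filled in by plain string replacement, and shows why the user name and password must be percent-encoded before they are embedded in the sftp:// session URL, which WinSCP's URL syntax requires for special characters.

```python
"""Illustration added here, not PAM's or WinSCP's own code: models how PAM's
placeholders in the WinSCP 'Client Application' string are filled in, and why
credentials must be percent-encoded before they land in the sftp:// URL."""
from urllib.parse import quote, unquote, urlsplit

WINSCP_EXE = r"C:\Program Files (x86)\WinSCP\WinSCP.exe"

# The two Client Application strings from the service definition (3.x, 3.4.3).
TEMPLATE_3X = '"{exe}" sftp://<User>:<Password>@<Local IP> <First Port>'
TEMPLATE_343 = ('"{exe}" sftp://<User>:<Password>@<Local IP>:<First Port> '
                '/sessionname=<Device Name>')


def encode_userinfo(value: str) -> str:
    """RFC 3986 userinfo: everything but unreserved characters is %-encoded,
    so '@', ':', '/', '#' or '?' in a password cannot split the URL."""
    return quote(value, safe="")


def render_client_application(template, user, password, local_ip,
                              first_port, device_name="", encode=True):
    """Substitute PAM placeholders (assumed: simple string replacement) into
    the template. encode=False reproduces the failure mode of a raw password."""
    enc = encode_userinfo if encode else (lambda s: s)
    # /sessionname= takes the device name; quote it if it contains spaces.
    name = f'"{device_name}"' if " " in device_name else device_name
    values = {
        "<User>": enc(user),
        "<Password>": enc(password),
        "<Local IP>": local_ip,
        "<First Port>": str(first_port),
        "<Device Name>": name,
    }
    out = template.format(exe=WINSCP_EXE)
    for placeholder, value in values.items():
        out = out.replace(placeholder, value)
    return out


def parsed_session_url(command_line: str) -> dict:
    """Extract the sftp:// token and parse it as a generic URL parser would
    (urlsplit stands in for WinSCP's parser) to see what the client gets."""
    token = next(t for t in command_line.split() if t.startswith("sftp://"))
    u = urlsplit(token)
    try:
        port = u.port
    except ValueError:  # a stray password character ended up in the port slot
        port = None
    return {"user": u.username,
            "password": unquote(u.password) if u.password else None,
            "host": u.hostname, "port": port}
```

The rendered command carries the target account password in clear text, visible to anyone who can list processes on the PAM client; together with the lack of session recording noted below, that is the trade-off of this service type.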

Then add this service to the device you want to connect to with WinSCP, as shown in the image:

And finally, create or modify a policy to access it:

Then add the proper target account so that the auto login to WinSCP can be performed:

Access to the device should now show the WINSCP service as available:

Additional Information

Most external applications configured as PAM TCP/UDP services do not support session recording.
Session recording is not supported for WinSCP.