Loopback Address configured in TCP/UDP service not honored by PAM when the access policy is defined with a socket filter

Article ID: 186922
Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are trying to set up an SSH tunnel to some target servers so that users can connect to them through their preferred IDE.
For ease of use, our clients asked for a static loopback address and port that they can reuse, instead of having to change the address every time they connect.
We configured TCP/UDP services with specific local IPs and static ports. But when a user launches the service from the access page, the service listens on a local IP of the form 127.1.0.XX rather than on the IP configured in the service. Our access policy includes a socket filter policy.

Cause

When socket filters are defined in an access policy, PAM assigns pre-defined local IPs to the services configured in that policy, rather than using the IPs specified in the services themselves. The assigned IPs have the format

127.<appliance id>.0.XX

<appliance id> is the value configured as "Appliance ID" in the socket filter configuration (Policies > Manage Policy Filters > Socket Filters -> CONFIG) on the PAM node the user is connected to. The default is 1.
XX is a number near 10 that is not already used by another service.
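The following script is an added diagnostic example; it is not part of this article and not code from CA/Broadcom PAM. It compares the local listeners a client machine actually exposes (parsed from constructed, ss-style sample lines) against the loopback addresses configured in the TCP/UDP services, and flags any listener whose address matches the 127.<appliance id>.0.XX pattern described above, which is the signature of a socket filter overriding the configured IP. The sample listener lines, the expected port-to-IP mapping and the assumed column layout are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample output in the style of `ss -ltn` on a client machine.
# This is not a capture from a real PAM session.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*
LISTEN 0      128    127.1.0.11:2222     0.0.0.0:*
LISTEN 0      128    127.0.0.5:3306      0.0.0.0:*
LISTEN 0      128    127.1.0.12:5432     0.0.0.0:*
"""

# Assumed mapping of static service port -> loopback IP configured in the
# PAM TCP/UDP service definition (constructed for the example).
EXPECTED_SERVICES = {
    2222: "127.0.0.2",
    3306: "127.0.0.5",
    5432: "127.0.0.7",
    8080: "127.0.0.9",
}

ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_listeners(text):
    """Return (ip, port) tuples for LISTEN rows.

    Assumes the ss-style layout above: the local address is the 4th field.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        match = ADDR_RE.fullmatch(fields[3])
        if match:
            listeners.append((match.group(1), int(match.group(2))))
    return listeners


def is_pam_filter_address(ip, appliance_id=1):
    """True if ip has the 127.<appliance id>.0.XX form PAM uses when socket
    filters are present in the access policy. appliance_id defaults to 1,
    the default Appliance ID named in the article."""
    octets = ipaddress.IPv4Address(ip).packed
    return octets[0] == 127 and octets[1] == appliance_id and octets[2] == 0


def diagnose(expected, listeners, appliance_id=1):
    """Map each expected port to a status string describing what was observed."""
    observed_by_port = {port: ip for ip, port in listeners}
    report = {}
    for port, configured_ip in expected.items():
        observed_ip = observed_by_port.get(port)
        if observed_ip is None:
            report[port] = "not listening"
        elif observed_ip == configured_ip:
            report[port] = "ok"
        elif is_pam_filter_address(observed_ip, appliance_id):
            # Configured IP ignored; PAM picked a pre-defined address,
            # which points at socket filters in the policy.
            report[port] = f"overridden by socket filter ({observed_ip})"
        else:
            report[port] = f"unexpected address ({observed_ip})"
    return report


if __name__ == "__main__":
    for port, status in diagnose(EXPECTED_SERVICES,
                                 parse_listeners(SAMPLE_LISTENERS)).items():
        print(f"port {port}: {status}")
```

Run it on the client after launching the services from the access page, replacing the sample text with real `ss -ltn` (or equivalent) output and the mapping with the ports and IPs from the service definitions. Any port reported as "overridden by socket filter" indicates the policy contains a socket filter and the static loopback address will not be honored.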

Environment

This applies to all supported PAM releases as of March 2020 (PAM 3.2.X and 3.3.X).

Resolution

This is a limitation of the current implementation. To retain full control over which local IPs a TCP/UDP service uses, do not configure socket filters in the access policy that contains the service.