PAM Proxy Behavior in Dual NIC System

Article ID: 191110

Updated On:

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

If a system has two NICs installed and both are active, which NIC's IP address gets registered when the Proxy Service is turned on?

Environment

Release : 3.3 and higher versions as of October 2023

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

When the PAM Proxy starts up for the first time, it registers with the PAM appliances that are configured in its cspm_client_config.xml:
...
<cspmserver>...</cspmserver>
...

This initial heartbeat transmits various information about the host the Proxy runs on.

The PAM appliance generates an object for the Proxy host based on the heartbeat's payload and the IP address it came from.

Once registered, there is no way to change the IP address the PAM appliance uses to communicate with the Proxy.

If the Proxy runs on a multi-homed box and several routes are available to the PAM appliance, the heartbeat is sent via the route with the least cost, according to the host's routing table.
The source IP of this route determines the IP address of the object for this Proxy in PAM.
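
Because the registered address cannot be changed afterwards, it is worth checking which source IP the host will use before the Proxy is started for the first time. The following script is an added example, not part of the original article or the product: it asks the operating system which local address its routing table selects for each appliance and compares it with the address you intend to register. The script name, the port value and the function names are assumptions made for the example.

```python
import socket
import sys

def source_ip_for(dest, port=443):
    """Return the local IP the OS routing table selects to reach dest.

    connect() on a UDP socket sends no packets; it only makes the kernel
    choose a route and the source address that goes with it. The port is an
    arbitrary placeholder (assumption); plain destination routing ignores it.
    """
    family, kind, proto, _, addr = socket.getaddrinfo(
        dest, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, kind, proto) as s:
        s.connect(addr)
        return s.getsockname()[0]

def registration_report(appliances, intended_ip, resolver=source_ip_for):
    """For each appliance, return (source_ip, matches_intended).

    source_ip is None when the host has no route or the name does not resolve.
    """
    report = {}
    for appliance in appliances:
        try:
            src = resolver(appliance)
        except OSError:
            src = None
        report[appliance] = (src, src == intended_ip)
    return report

def safe_to_start(report):
    """True only if every appliance would see the intended source IP."""
    return bool(report) and all(ok for _, ok in report.values())

if __name__ == "__main__":
    # Hypothetical usage: python check_proxy_source.py INTENDED_IP APPLIANCE [...]
    if len(sys.argv) < 3:
        sys.exit("usage: check_proxy_source.py INTENDED_IP APPLIANCE [APPLIANCE ...]")
    intended, appliances = sys.argv[1], sys.argv[2:]
    result = registration_report(appliances, intended)
    for appliance, (src, ok) in result.items():
        print(f"{appliance}: source {src or 'unreachable'} "
              f"{'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if safe_to_start(result) else 1)
```

A MISMATCH means the routing table prefers the other NIC for that appliance; adjust the route or its metric before the first start so the intended address is the one that registers.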