The CA PAM Agent has been set up to use RDP services on the CA PAM machine. The goal is to connect to a remote Windows machine through the tunnel in PAM. Let's imagine the remote Windows machine has IP address 18.104.22.168.
When the RDP service is activated in the agent, a message appears indicating that the service has been activated.
The way the CA PAM Agent works, when doing RDP to the endpoint (that is, RDP to 22.214.171.124:3389), the connection is redirected to a local loopback address and random port (e.g. 127.0.0.200:25432) which, in turn, creates a tunnel through PAM to the remote Windows system. In this way, direct access to the remote system never happens.
For this particular use case, however, this does not work: if, after activating the service, a connection is made to the remote machine (e.g. RDP to 126.96.36.199:3389), we do not see a connection established to the loopback address (e.g. 127.0.0.200:25432), but directly to the remote system. Autologin does not work either, since the connection is not going through PAM.
If we check the CA PAM Agent logs for the random port assigned to the service and verify it with netstat -an | findstr 127.0.0, we can see that there is indeed an active port listening on the address where the tunnel is established, and if we connect via RDP to that loopback address (e.g. RDP 127.0.0.200:25432) we do get access to the remote Windows system.
So what seems to fail is the redirection from the remote Windows service address to the local loopback address.
Checking the local Event Viewer of the Windows client machine, we can see an error related to the driver:
Since it complains about the signature, with driver signature checking disabled (bcdedit /set nointegritychecks on) this seems to work fine, which points to the driver signature as the cause.
This is likely due to a problem with the certificate of the CA PAM Agent installed drivers and executables.
In particular, check the certificate that comes with
C:\Program Files\CA Technologies\CA PAM Agent\CAPAMAgent.exe
It must be a non-expired, valid certificate for the agent to work properly.
Release : 3.3.X and 3.4.X
Component : PRIVILEGED ACCESS MANAGEMENT
If the certificate coming with your package and binaries therein is expired, try to download the CA PAM Agent again from the latest version of PAM available, after uninstalling it completely.
Should the issue persist and/or the binaries not be updated with the latest (or at least a valid) certificate, please report the issue to Broadcom Support.
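The certificate check described above can be scripted. The following PowerShell is an added example, not part of the original article or of the CA PAM product: it uses the install directory quoted in the article, and the list of file extensions scanned is an assumption.

```powershell
# Added example: audit the Authenticode signatures of the CA PAM Agent binaries.
# $AgentDir comes from the path quoted in the article; the extension list
# (.exe, .dll, .sys) is an assumption about what the package installs.
$AgentDir   = 'C:\Program Files\CA Technologies\CA PAM Agent'
$Extensions = '.exe', '.dll', '.sys'
$Now        = Get-Date

$report = Get-ChildItem -Path $AgentDir -Recurse -File -ErrorAction Stop |
    Where-Object { $_.Extension -in $Extensions } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.FullName.Substring($AgentDir.Length + 1)
            Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($cert) { $cert.Subject }  else { $null }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            CertExpired = if ($cert) { $cert.NotAfter -lt $Now } else { $null }
            # True when the signature carries a timestamp countersignature
            Timestamped = [bool]$sig.TimeStamperCertificate
            Message     = $sig.StatusMessage
        }
    }

# Full listing, so the signer and expiry date of every binary are visible.
$report | Sort-Object File |
    Format-Table File, Status, NotAfter, CertExpired, Timestamped -AutoSize

# Binaries that need attention: signature not valid, or signer certificate expired.
$problems = $report | Where-Object { $_.Status -ne 'Valid' -or $_.CertExpired }

if ($problems) {
    Write-Warning "$(@($problems).Count) agent file(s) have a signature problem:"
    $problems | Format-List File, Status, Signer, NotAfter, Message
    exit 1
}

Write-Output 'All scanned CA PAM Agent binaries carry a valid, non-expired signature.'
exit 0
```

Run it before and after reinstalling the agent to confirm that the new package actually ships binaries with a valid certificate.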