When placing a load balancer such as an F5 in front of CA PAM, it is necessary to know what happens once a TCP connection from a client to CA PAM is established: does opening a session to a target device create a new TCP connection to PAM, or is the target session encapsulated in the existing connection?
CA Privileged Access Manager, multiple versions
Clicking on an access applet creates a new connection from the local workstation to PAM, and a separate connection from PAM to the remote system.
Traffic passes through CA PAM to the remote system: on the local workstation one sees new connections established to the CA PAM machine, and on the remote system one sees a connection coming from CA PAM.
The workstation never connects to the remote system directly, so the remote system only ever sees PAM as its peer.
Once the user disconnects from PAM these connections are released.
For instance, with the following hosts:
PAM system: <PAM_SERVER_IP>
Remote system: <REMOTE_SERVER_IP>
Local workstation (with client): <LOCAL_WORKSTATION_SERVER_IP>
* Before connecting to <REMOTE_SERVER_IP>, on the local workstation:
C:\>netstat -an | findstr <PAM_SERVER_IP>
TCP <LOCAL_WORKSTATION_SERVER_IP>:1723 <PAM_SERVER_IP>:443 ESTABLISHED
TCP <LOCAL_WORKSTATION_SERVER_IP>:1783 <PAM_SERVER_IP>:443 ESTABLISHED
TCP <LOCAL_WORKSTATION_SERVER_IP>:1840 <PAM_SERVER_IP>:443 ESTABLISHED
TCP <LOCAL_WORKSTATION_SERVER_IP>:53839 <PAM_SERVER_IP>:443 ESTABLISHED
C:\>netstat -an | findstr <REMOTE_SERVER_IP>
(no output: the workstation has no connection to the remote system)
* After connecting to <REMOTE_SERVER_IP> using the SSH applet, on the local workstation:
C:\>netstat -an | findstr <PAM_SERVER_IP>
TCP <LOCAL_WORKSTATION_SERVER_IP>:1723 <PAM_SERVER_IP>:443 ESTABLISHED
TCP <LOCAL_WORKSTATION_SERVER_IP>:1783 <PAM_SERVER_IP>:443 ESTABLISHED
TCP <LOCAL_WORKSTATION_SERVER_IP>:1840 <PAM_SERVER_IP>:443 ESTABLISHED
TCP <LOCAL_WORKSTATION_SERVER_IP>:2406 <PAM_SERVER_IP>:443 ESTABLISHED   (new)
TCP <LOCAL_WORKSTATION_SERVER_IP>:2409 <PAM_SERVER_IP>:443 ESTABLISHED   (new)
TCP <LOCAL_WORKSTATION_SERVER_IP>:53839 <PAM_SERVER_IP>:443 ESTABLISHED
C:\>netstat -an | findstr <REMOTE_SERVER_IP>
(still no output: the applet session goes to PAM on port 443, not to the remote system)
And on the remote system (endpoint):
netstat -an | grep <PAM_SERVER_IP>
tcp4 0 96 <REMOTE_SERVER_IP>.22 <PAM_SERVER_IP>.20044 ESTABLISHED
netstat -an | grep <LOCAL_WORKSTATION_SERVER_IP>
(no output: the remote system only sees PAM, connecting from an ephemeral port to its SSH port 22, and never the workstation address)
So the sessions are established through PAM, and new TCP connections from the local workstation to PAM are created every time an applet is used.
For the F5 this means session persistence must be enabled, so that the additional connections opened by an applet reach the same PAM node as the user's existing session; otherwise they may be balanced to another node and the session will be disconnected.
If the RDP or SSH proxy is used instead of an applet, the native client always connects to the local workstation itself and a tunnel is established through PAM (a new tunnel each time). In that case no new connection to PAM will be seen in netstat; instead one sees a connection to a local 127.0.0.X address on a random port.
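The before/after netstat comparison above can be automated. The following Python script is an added example, not part of this article or of the CA PAM product: it parses netstat output in both layouts shown above (Windows `netstat -an` and BSD/macOS `netstat -an`), diffs a snapshot taken before and after the applet is launched, and reports which new connections terminate on PAM:443, whether any reach the target directly, and whether the target only ever sees PAM as its peer. The IP addresses are RFC 5737 documentation addresses and the netstat lines are constructed to mirror the listings above.

```python
"""Added example: diff two netstat snapshots to verify how a CA PAM applet
session is built (new client->PAM:443 connections, nothing client->target,
and the target only sees PAM as its peer)."""
import re
from typing import List, NamedTuple, Set, Tuple

# Placeholder addresses (RFC 5737 documentation ranges); substitute your own.
PAM_IP = "192.0.2.10"
REMOTE_IP = "198.51.100.20"
WORKSTATION_IP = "203.0.113.5"


class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


# Windows layout: "TCP 203.0.113.5:1723 192.0.2.10:443 ESTABLISHED"
_WIN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
# BSD/macOS layout: "tcp4 0 96 198.51.100.20.22 192.0.2.10.20044 ESTABLISHED"
_BSD = re.compile(r"^\s*tcp[46]?\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)\s*$")


def parse_netstat(text: str) -> Set[Conn]:
    """Return the set of TCP connections found in netstat output (either layout)."""
    conns = set()
    for line in text.splitlines():
        m = _WIN.match(line) or _BSD.match(line)
        if m:
            conns.add(Conn(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return conns


def new_established(before: Set[Conn], after: Set[Conn]) -> Set[Conn]:
    """ESTABLISHED connections present in the second snapshot but not the first."""
    return {c for c in after - before if c.state == "ESTABLISHED"}


def classify_client_side(before: str, after: str, pam_ip: str, target_ip: str,
                         pam_port: int = 443) -> Tuple[List[Conn], List[Conn]]:
    """Split the workstation's new connections into those terminating on PAM
    and those reaching the target directly (the latter should be empty)."""
    added = new_established(parse_netstat(before), parse_netstat(after))
    to_pam = sorted(c for c in added if (c.remote_ip, c.remote_port) == (pam_ip, pam_port))
    direct = sorted(c for c in added if c.remote_ip == target_ip)
    return to_pam, direct


def endpoint_peers(endpoint_netstat: str, service_port: int = 22) -> Set[str]:
    """Peer addresses the target sees on its service port (expect only PAM)."""
    return {c.remote_ip for c in parse_netstat(endpoint_netstat)
            if c.local_port == service_port and c.state == "ESTABLISHED"}


# Constructed sample snapshots mirroring the article's listings (Windows layout).
BEFORE_WS = f"""
  TCP    {WORKSTATION_IP}:1723     {PAM_IP}:443      ESTABLISHED
  TCP    {WORKSTATION_IP}:1783     {PAM_IP}:443      ESTABLISHED
  TCP    {WORKSTATION_IP}:1840     {PAM_IP}:443      ESTABLISHED
  TCP    {WORKSTATION_IP}:53839    {PAM_IP}:443      ESTABLISHED
"""
AFTER_WS = BEFORE_WS + f"""
  TCP    {WORKSTATION_IP}:2406     {PAM_IP}:443      ESTABLISHED
  TCP    {WORKSTATION_IP}:2409     {PAM_IP}:443      ESTABLISHED
"""
# Constructed sample output from the target host (BSD layout).
ENDPOINT = f"""
tcp4       0     96  {REMOTE_IP}.22        {PAM_IP}.20044     ESTABLISHED
"""


def report() -> dict:
    """Summarise what the snapshots prove about the PAM traffic path."""
    to_pam, direct = classify_client_side(BEFORE_WS, AFTER_WS, PAM_IP, REMOTE_IP)
    peers = endpoint_peers(ENDPOINT)
    return {
        "new_to_pam": [c.local_port for c in to_pam],   # client ports of new PAM:443 conns
        "direct_to_target": len(direct),                # must be 0 if PAM is not bypassed
        "target_sees": peers,                           # must be {PAM_IP} only
        "needs_lb_persistence": len(to_pam) > 0,        # extra conns => persistence on the LB
        "workstation_hidden": WORKSTATION_IP not in peers and peers == {PAM_IP},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

To use it on real captures, read the two workstation snapshots and the endpoint snapshot from files instead of the constructed strings. A non-zero `direct_to_target`, or a peer other than PAM in `target_sees`, means traffic is bypassing PAM; `needs_lb_persistence` is true whenever the applet opened additional connections to PAM:443, which is exactly the situation that requires session persistence on the F5 virtual server.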