Connections created when accessing a remote endpoint in CA PAM

Article ID: 210197

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When configuring a CA PAM system with, for instance, an F5 load balancer in front of it, it is necessary to know whether, once a TCP connection to the CA PAM system is established, opening a connection to a target device originates a new TCP connection or whether that traffic is encapsulated in the existing connection.

Environment

CA Privileged Access Manager, multiple versions

Resolution

Clicking on the applet will create a new connection to PAM, and from PAM to the remote system.

Traffic passes through CA PAM to the remote system, and on PAM one will see new connections established from the local workstation to the CA PAM machine.

A connection is also established from CA PAM to the remote system.

Once one disconnects from PAM, these connections are released.

For instance:

* PAM system: 10.20.30.40
* Remote system: 10.50.60.70
* Local workstation (with client): 10.80.90.100

* Before connecting to 10.50.60.70

netstat -an | findstr 10.20.30.40
  TCP    10.80.90.100:1723      10.20.30.40:443       ESTABLISHED
  TCP    10.80.90.100:1783      10.20.30.40:443       ESTABLISHED
  TCP    10.80.90.100:1840      10.20.30.40:443       ESTABLISHED
  TCP    10.80.90.100:53839    10.20.30.40:443       ESTABLISHED

netstat -an | findstr 10.50.60.70 --> blank 

* After connecting to 10.50.60.70 by using ssh applet

C:\Users\mg606625>netstat -an | findstr 10.20.30.40
  TCP    10.230.41.44:1723      10.20.30.40:443       ESTABLISHED
  TCP    10.230.41.44:1783      10.20.30.40:443       ESTABLISHED
  TCP    10.230.41.44:1840      10.20.30.40:443       ESTABLISHED
  TCP    10.230.41.44:2406      10.20.30.40:443       ESTABLISHED
  TCP    10.230.41.44:2409      10.20.30.40:443       ESTABLISHED
  TCP    10.230.41.44:53839    10.20.30.40:443       ESTABLISHED

netstat -an | findstr 10.50.60.70 --> blank 

And on the endpoint:

netstat -an | grep 10.20.30.40

tcp4  0  96  10.50.60.70.22    10.20.30.40.20044       ESTABLISHED

netstat -an | grep 10.80.90.100 --> blank 

So the connections are established through PAM, and new connections from the local workstation to PAM are created once the applet is used.
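The netstat comparison above can be automated so that the same check is repeatable after a PAM upgrade or a load-balancer change. The following Python script is an added example and not part of the original article or the CA PAM product: it parses Windows, Linux and BSD-style `netstat -an` output, diffs a "before" and "after" snapshot from the workstation, and reports which new connections to PAM appeared, whether the workstation ever talks to the target directly, and what the endpoint sees. The sample snapshots are constructed from the listings above (the workstation address is normalized to the 10.80.90.100 stated in the article); the addresses are assumptions taken from the example, not real hosts.

```python
"""Diff netstat snapshots to show which TCP connections a PAM applet session adds.

Added example, not CA PAM product code. Handles IPv4 lines only.
"""
import re
from typing import List, NamedTuple, Set


class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Windows "netstat -an":   TCP    10.80.90.100:1723      10.20.30.40:443       ESTABLISHED
_WIN = re.compile(rf"^\s*TCP\s+{IP}:(\d+)\s+{IP}:(\d+)\s+(\S+)")
# Linux "netstat -an":     tcp        0      0 10.50.60.70:22   10.20.30.40:20044   ESTABLISHED
_LINUX = re.compile(rf"^\s*tcp\s+\d+\s+\d+\s+{IP}:(\d+)\s+{IP}:(\d+)\s+(\S+)")
# BSD/macOS "netstat -an": tcp4  0  96  10.50.60.70.22    10.20.30.40.20044       ESTABLISHED
_BSD = re.compile(rf"^\s*tcp4\s+\d+\s+\d+\s+{IP}\.(\d+)\s+{IP}\.(\d+)\s+(\S+)")


def parse_netstat(text: str) -> Set[Conn]:
    """Return the set of IPv4 TCP connections found in raw netstat output."""
    conns = set()
    for line in text.splitlines():
        m = _WIN.match(line) or _LINUX.match(line) or _BSD.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            conns.add(Conn(lip, int(lport), rip, int(rport), state))
    return conns


def new_connections(before: str, after: str, peer: str) -> List[Conn]:
    """Connections present in `after` but not in `before` whose remote side is `peer`."""
    return sorted(c for c in parse_netstat(after) - parse_netstat(before) if c.remote_ip == peer)


def touches(text: str, ip: str) -> List[Conn]:
    """Every connection in the snapshot that involves `ip` on either side."""
    return sorted(c for c in parse_netstat(text) if ip in (c.local_ip, c.remote_ip))


def summarize_session(ws_before: str, ws_after: str, endpoint: str,
                      pam_ip: str, target_ip: str, ws_ip: str) -> dict:
    """Answer the questions the article raises: what did the applet session add?"""
    added = new_connections(ws_before, ws_after, pam_ip)
    seen_on_endpoint = touches(endpoint, pam_ip)
    return {
        "new_connections_to_pam": len(added),
        # Distinct client source ports: a load balancer keyed per TCP connection
        # could send these to different PAM nodes, hence the persistence advice.
        "new_source_ports": [c.local_port for c in added],
        "workstation_talks_to_target_directly": bool(touches(ws_after, target_ip)),
        "endpoint_connections_from_pam": [(c.remote_port, c.local_port) for c in seen_on_endpoint],
        "endpoint_sees_workstation": bool(touches(endpoint, ws_ip)),
    }


# Constructed snapshots based on the article's listings (assumed addresses).
PAM, TARGET, WORKSTATION = "10.20.30.40", "10.50.60.70", "10.80.90.100"

BEFORE_WS = """
  TCP    10.80.90.100:1723      10.20.30.40:443       ESTABLISHED
  TCP    10.80.90.100:1783      10.20.30.40:443       ESTABLISHED
  TCP    10.80.90.100:1840      10.20.30.40:443       ESTABLISHED
  TCP    10.80.90.100:53839    10.20.30.40:443       ESTABLISHED
"""
AFTER_WS = BEFORE_WS + """
  TCP    10.80.90.100:2406      10.20.30.40:443       ESTABLISHED
  TCP    10.80.90.100:2409      10.20.30.40:443       ESTABLISHED
"""
ENDPOINT = """
tcp4  0  96  10.50.60.70.22    10.20.30.40.20044       ESTABLISHED
"""

if __name__ == "__main__":
    for key, value in summarize_session(BEFORE_WS, AFTER_WS, ENDPOINT, PAM, TARGET, WORKSTATION).items():
        print(f"{key}: {value}")
```

Run it against real snapshots by saving `netstat -an` output before and after clicking the applet and passing the file contents in place of the constructed strings; the two new source ports to PAM:443 and the absence of any direct workstation-to-target entry are exactly the facts the load-balancer persistence decision depends on.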

For F5 that means session persistence should be enabled in order to avoid disconnections.

If an RDP or SSH proxy is used, the connection is always made to the local workstation and a tunnel is established through PAM, but a new tunnel every time (a new connection to PAM would not be seen, but rather one to the local 127.0.0.X address and a random port).