Connections created when accessing a remote endpoint in CA PAM

Article ID: 210197

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When placing a load balancer such as an F5 in front of a CA PAM system, it is necessary to know whether, once a TCP connection to CA PAM is established, a subsequent connection to a target device originates a new TCP connection or is encapsulated in the existing one.

Environment

CA Privileged Access Manager, multiple versions

Resolution

Clicking on the applet creates a new connection from the workstation to PAM, and a separate connection from PAM to the remote system.

Traffic passes through CA PAM to the remote system; on PAM one sees new connections established from the local workstation to the CA PAM appliance.

A connection is also established from CA PAM to the remote system.

Once the user disconnects from PAM these connections are released.

For instance:

PAM system: <PAM_SERVER_IP>
Remote system: <REMOTE_SERVER_IP>
Local workstation (with client): <LOCAL_WORKSTATION_SERVER_IP>

* Before connecting to <REMOTE_SERVER_IP>:

netstat -an | findstr <PAM_SERVER_IP>
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:1723      <PAM_SERVER_IP>:443       ESTABLISHED
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:1783      <PAM_SERVER_IP>:443       ESTABLISHED
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:1840      <PAM_SERVER_IP>:443       ESTABLISHED
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:53839    <PAM_SERVER_IP>:443       ESTABLISHED

netstat -an | findstr <REMOTE_SERVER_IP> --> no output (no direct connection from the workstation to the remote system)

* After connecting to <REMOTE_SERVER_IP> using the SSH applet:

C:\>netstat -an | findstr <PAM_SERVER_IP>
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:1723      <PAM_SERVER_IP>:443       ESTABLISHED
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:1783      <PAM_SERVER_IP>:443       ESTABLISHED
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:1840      <PAM_SERVER_IP>:443       ESTABLISHED
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:2406      <PAM_SERVER_IP>:443       ESTABLISHED
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:2409      <PAM_SERVER_IP>:443       ESTABLISHED
  TCP    <LOCAL_WORKSTATION_SERVER_IP>:53839     <PAM_SERVER_IP>:443       ESTABLISHED

netstat -an | findstr <REMOTE_SERVER_IP> --> no output (still no direct connection to the remote system)

And on the endpoint:

netstat -an | grep <PAM_SERVER_IP>

tcp4  0  96  <REMOTE_SERVER_IP>.22    <PAM_SERVER_IP>.20044       ESTABLISHED

netstat -an | grep <LOCAL_WORKSTATION_SERVER_IP> --> no output (the endpoint only sees PAM, never the workstation)

So the connections are established through PAM, and new connections from the local workstation to PAM are created once the applet is used.
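To automate the before/after check shown above, the following added script (not part of the article or of the CA PAM product) parses both netstat dialects that appear on this page, the Windows `TCP local:port remote:port STATE` rows and the BSD-style `tcp4 ... local.port remote.port STATE` rows, and reports which new sockets to PAM:443 appeared after the applet launch, whether any direct socket to the remote system exists, and which peers the endpoint sees. The IP addresses and snapshots are constructed sample data.

```python
import re
from typing import Optional, Set, Tuple

# Constructed sample addresses (not from the article); substitute your own.
PAM_IP = "10.0.0.9"          # CA PAM appliance
REMOTE_IP = "10.0.0.7"       # target device reached through PAM
WORKSTATION_IP = "10.0.0.5"  # workstation running the PAM client

# Windows "netstat -an" rows:  TCP  local:port  remote:port  STATE
WIN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")
# BSD/macOS "netstat -an" rows: tcp4  recvq  sendq  local.port  remote.port  STATE
BSD_RE = re.compile(r"^\s*tcp\d*\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\w+)")

Conn = Tuple[str, int, str, int]  # (local_ip, local_port, remote_ip, remote_port)

def parse_established(netstat_output: str) -> Set[Conn]:
    """Return the ESTABLISHED TCP sockets from either netstat dialect."""
    conns: Set[Conn] = set()
    for line in netstat_output.splitlines():
        m = WIN_RE.match(line) or BSD_RE.match(line)
        if m and m.group(5) == "ESTABLISHED":
            conns.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return conns

def new_connections_to(before: Set[Conn], after: Set[Conn],
                       peer_ip: str, peer_port: Optional[int] = None) -> Set[Conn]:
    """Sockets to peer_ip[:peer_port] present after the applet launch but not before."""
    return {c for c in after - before
            if c[2] == peer_ip and (peer_port is None or c[3] == peer_port)}

def connections_to(conns: Set[Conn], peer_ip: str) -> Set[Conn]:
    return {c for c in conns if c[2] == peer_ip}

# Constructed snapshots mirroring the article's before/after captures.
BEFORE = "\n".join(f"  TCP    {WORKSTATION_IP}:{p}    {PAM_IP}:443    ESTABLISHED"
                   for p in (1723, 1783, 1840, 53839))
AFTER = BEFORE + "\n" + "\n".join(f"  TCP    {WORKSTATION_IP}:{p}    {PAM_IP}:443    ESTABLISHED"
                                  for p in (2406, 2409))
ENDPOINT = f"tcp4  0  96  {REMOTE_IP}.22    {PAM_IP}.20044       ESTABLISHED\n"

def verify_proxied_session() -> dict:
    """Summarise what the three captures prove about the connection path."""
    before, after = parse_established(BEFORE), parse_established(AFTER)
    return {
        "new_to_pam": sorted(c[1] for c in new_connections_to(before, after, PAM_IP, 443)),
        "direct_to_remote": len(connections_to(after, REMOTE_IP)),
        "endpoint_peers": sorted(c[2] for c in parse_established(ENDPOINT)),
    }

if __name__ == "__main__":
    print(verify_proxied_session())
```

On a real system, replace the constructed snapshots with the output of `netstat -an` captured before and after launching the applet; a non-zero `direct_to_remote` would mean traffic is bypassing PAM.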

For an F5 load balancer this means session persistence should be enabled, so that these additional connections are routed to the same PAM node and disconnections are avoided.

If an RDP or SSH proxy is used instead, the client always connects to the local workstation itself and a tunnel is established through PAM, but a new tunnel is created each time (a new connection to PAM would not be seen; instead one sees a connection to a local 127.0.0.X address and a random port).