Installing Windows Proxy - how to bypass external load balancer configured as VIP in the cluster

Article ID: 282476

Updated On: 04-24-2024

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have configured the Cluster using an external load balancer IP, and the Windows Proxy server's actual IP is not reflected in CA PAM. The Windows Proxy shows the IP of the external load balancer rather than its own IP, which leaves PAM unable to discover the local accounts, services and scheduled jobs.

Environment

CA PAM 4.1.x

Cause

Windows Proxy and A2A both have the ability to track the IP from which the traffic is originating. So when configuring a Windows Proxy (or an A2A client) and trying to register it in PAM, if the product has an external Load Balancer configured, it will see the traffic as originating from the external Load Balancer IP and it will register them as such.

In particular, when registering a Proxy, the PAM server receives the request and determines the agent's host name and IP address by taking the originating IP from the HTTP request, specifically from the X-Forwarded-For header. If there is no X-Forwarded-For header in the incoming request, the front end web service creates one using the source IP of the incoming socket connection, and behind a load balancer that source IP will be the Load Balancer.

Therefore PAM requires any load balancer or other network device along the route to either let the connection pass through, or set the X-Forwarded-For header to the IP address PAM should be using to connect to the agent.

However, if the LB is running with SSL-Bridge mode as recommended in

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-7/deploying/set-up-a-cluster/cluster-deployment-requirements.html#concept.dita_39ad946df6883d8f9ff154006bb2e1aaa094cc32_ELB

and the load balancer does not allow insertion of an X-Forwarded-For header in this configuration (for instance, because the LB can only insert the header when it is configured for SSL-Offloading / termination), then this issue will occur.

Please see the reference above, which states that A2A (and Proxy) require the X-Forwarded-For feature for autoregistration to work.

Once a Windows Proxy or A2A client is registered, the IP address will not change, so it is important to make sure they are being registered with the right IP addresses.
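The resolution logic described above (X-Forwarded-For if present, otherwise the socket's source IP, and a first registration that is never overwritten) is modelled in the following added example. It is illustration code written for this article, not PAM's own implementation: the addresses, the agent name `winproxy01`, and the choice of the first entry of a comma-separated X-Forwarded-For chain are all assumptions. The scenarios show why an SSL-bridge load balancer that cannot insert the header ends up registered as the proxy's IP, and why that wrong address then persists.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample addresses for the scenarios below (not from the article).
LB_VIP = "10.0.0.10"       # external load balancer VIP
PROXY_IP = "10.0.1.25"     # the Windows Proxy host's real address


@dataclass
class IncomingRequest:
    """What the front-end web service can see for a registration request:
    the TCP peer address of the socket and the HTTP headers."""
    peer_ip: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def originating_ip(req: IncomingRequest) -> str:
    """Resolve the agent address the way the article describes:
    X-Forwarded-For if present, otherwise the socket's source IP.
    Assumption: with a comma-separated chain the first (client-most)
    entry is the one used."""
    xff = req.header("X-Forwarded-For")
    if xff:
        first = xff.split(",")[0].strip()
        if first:
            return first
    return req.peer_ip


def register_agent(registry: Dict[str, str], agent_name: str,
                   req: IncomingRequest) -> str:
    """Record the agent's IP on first registration only; the article notes
    the stored address does not change afterwards, so a wrong first
    registration persists until the agent is re-registered."""
    if agent_name not in registry:
        registry[agent_name] = originating_ip(req)
    return registry[agent_name]


def direct_registration() -> str:
    """Proxy talks to a PAM node directly (LB bypassed): peer IP is correct."""
    return originating_ip(IncomingRequest(peer_ip=PROXY_IP))


def ssl_bridge_without_xff() -> str:
    """LB in SSL-bridge mode that cannot insert X-Forwarded-For: the peer IP
    is the VIP and no header is present, so the VIP gets registered."""
    return originating_ip(IncomingRequest(peer_ip=LB_VIP))


def lb_with_xff() -> str:
    """LB that does insert X-Forwarded-For: the real proxy IP is recovered."""
    return originating_ip(IncomingRequest(
        peer_ip=LB_VIP, headers={"x-forwarded-for": f"{PROXY_IP}, {LB_VIP}"}))


def stale_registration_persists() -> str:
    """First registration through the LB stores the VIP; a later request
    arriving directly from the proxy does not overwrite it."""
    registry: Dict[str, str] = {}
    register_agent(registry, "winproxy01", IncomingRequest(peer_ip=LB_VIP))
    return register_agent(registry, "winproxy01",
                          IncomingRequest(peer_ip=PROXY_IP))


if __name__ == "__main__":
    for scenario in (direct_registration, ssl_bridge_without_xff,
                     lb_with_xff, stale_registration_persists):
        print(f"{scenario.__name__}: {scenario()}")
```

Running the block prints the address each scenario would register; only the direct and header-inserting cases yield the proxy's own IP, which is the outcome the Resolution section achieves by keeping the VIP out of the proxy configuration.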

Resolution

Apply the modifications to the cspm_client_config.xml file described in article KB 12523.

Make sure that the external load balancer IP is not listed in the cspm_client_config.xml file. This file can include the hostnames/IPs of all the nodes that are part of the cluster configuration.

Leaving the external load balancer IP out of the proxy config file bypasses the load balancer and allows the CA PAM servers to establish communications directly with the Windows Proxy servers.