Configuring Symantec ZTNA and CA PAM to work together
Article ID: 368566

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Symantec ZTNA gateway is a product which enables seamless access from outside the enterprise by means of a gateway server to selected applications configured inside the enterprise.

This is achieved by creating a secure tunnel: traffic to the final endpoint is routed through the local loopback address to the final destination. The connection to the final application defined in ZTNA is therefore made by connecting to the local loopback address 127.0.0.1 on a specific port.

This makes for an interesting combination: providing access through ZTNA to the CA PAM client inside the enterprise, and from there to the final applications managed by PAM.

This would allow secured access to internal resources from external clients.

However, testing carried out with connections initiated from Windows workstations to the ZTNA gateway and then to CA PAM has revealed an undesirable side effect: certain types of applications in CA PAM, such as the Web Portal Services, create a huge number of TIME_WAIT and CLOSE_WAIT connections on the local Windows workstation, eventually causing resource exhaustion and other related problems.

This has not been observed in testing when the local client is a Macintosh computer.

So it is important to know whether CA PAM and Symantec ZTNA can work together in some form.

Cause

This is caused by Symantec ZTNA and CA PAM both using the loopback address 127.0.0.1. Since ZTNA uses that loopback IP, and so does CA PAM, the internal flow of CA PAM is broken: CA PAM leaves connections waiting and tries to establish a new connection. Because this sometimes succeeds, connectivity is eventually observed. However, the connections that did not complete remain in TIME_WAIT or CLOSE_WAIT status for as long as the Windows timeout permits. By default, the timeout value for improperly disconnected TCP/IP connections is two (2) hours.

On macOS the OS reacts to idle connections by gracefully closing the communication on both ends, and hence the problem is not observed.

Resolution

There is no resolution as of the present versions of CA PAM and Symantec ZTNA gateway. A possible workaround is to configure a local RDP jump server as the application to access from outside the enterprise network, and proceed with the connection to CA PAM from there.

Another possibility is to change the value of the timeout period for Windows. This may be achieved via the following registry modification:

  1. Open the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters” key.
  2. Locate the Value “KeepAliveTime”. If it does not exist, create a new REG_DWORD Value called “KeepAliveTime”.
  3. Set the Value “KeepAliveTime” to decimal 120000.

Nonetheless, this will affect all TCP connections to the given server and hence may not be desirable. Note also that while this will certainly decrease the number of open connections, it will not eliminate the problem completely.
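As an added example (not part of this article, and not a Broadcom-supplied script), the following PowerShell session first counts loopback connections sitting in TIME_WAIT or CLOSE_WAIT to confirm the symptom described above, then applies the KeepAliveTime registry workaround from the steps above. It assumes an elevated session on Windows 8 / Windows Server 2012 or later, where the Get-NetTCPConnection cmdlet is available.

```powershell
# Added example, not from the article: diagnose the loopback TIME_WAIT/CLOSE_WAIT
# build-up and apply the KeepAliveTime workaround. Run from an elevated PowerShell.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName = 'KeepAliveTime'
$NewValue  = 120000   # decimal milliseconds (2 minutes), as given in the article

# 1. Diagnose: count loopback (127.0.0.1) connections stuck in TIME_WAIT / CLOSE_WAIT.
#    A large, growing count here is the symptom the article describes.
$stuck = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -eq '127.0.0.1' -and $_.State -in 'TimeWait', 'CloseWait' }
if ($stuck) {
    $stuck | Group-Object State | ForEach-Object { '{0,-10} {1,6}' -f $_.Name, $_.Count }
} else {
    'No loopback connections in TIME_WAIT or CLOSE_WAIT at the moment'
}

# 2. Show the current setting. If the value is absent, the Windows default
#    (7200000 ms, i.e. the two hours mentioned in the article) applies.
$current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { 'KeepAliveTime not set; default of 7200000 ms (2 hours) applies' }
else                    { "KeepAliveTime currently $current ms" }

# 3. Apply the workaround: create the REG_DWORD if missing, otherwise update it.
#    Caveat from the article: this affects every TCP connection, not only CA PAM's,
#    and reduces rather than eliminates the stuck connections.
if ($null -eq $current) {
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $NewValue | Out-Null
} else {
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $NewValue
}
"KeepAliveTime set to $NewValue ms; restart the workstation for the change to take effect"
```

To revert to the Windows default later, remove the value with `Remove-ItemProperty -Path $RegPath -Name $ValueName` and restart.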