CA PAM SFA Port requirements
Article ID: 437953
Updated On:
Products
CA Privileged Access Manager (PAM)
Issue/Introduction
Are the TCP port 8550 requirements for the CA PAM Socket Filter Agent (SFA) bi-directional or uni-directional? Also, what is the role of port 443 in the context of SFA
note: SFA - Socket Filter Agent
Environment
- Symantec Privileged Access Manager (PAM) 4.x
- Socket Filter Agent (SFA)
Resolution
The Socket Filter Agent (SFA) requires communication on two specific ports. While communication between the PAM Appliance and the SFA is conceptually bi-directional, each port has a specific direction of initiation:
| Port | Source (Initiator) | Destination | Note |
|---|---|---|---|
| TCP/8550 | PAM Appliance | Socket Filter Agent (SFA) | Uni-directional initiation: Required for the appliance to reach the agent on the target device. |
| TCP/443 | Socket Filter Agent (SFA) | PAM Appliance | Uni-directional initiation: Required for the agent to reach the appliance. |
Summary
- Port 8550: This must be opened at the firewall to allow traffic from the PAM Appliance to the Target Device. It is initiated by the appliance.
- Port 443: This must be opened to allow traffic from the Target Device to the PAM Appliance.
Important Notes:
- Both ports are mandatory for the SFA to function correctly. IP Addresses and Ports for Network Connectivity
- If Port 8550 is blocked or queries are delayed, it can result in significant delays when attempting to open SSH or RDP sessions through the agent. Port 8550 queries delaying SSH and RDP sessions
Feedback
Yes
No
Powered by
