When using the Windows Proxy service in CA PAM to manage local accounts on remote machines (Server B) from a different server (Server A), what ports (Primarily Windows Proxy port 27077) must be open, unidirectional or bidirectional and what permissions are required for the management account?

Product: CA Privileged Access Manager (PAM)

Version: 4.x (All versions)

Component: Windows Proxy

Primary Communication (Port 27077):

• Direction: Traffic flows from the PAM Appliance (Source) to the Windows Proxy (Destination).
• Configuration: This port is defined within the Windows Proxy configuration file (typically cspm_client_config.xml) under the variable daemonserver1_port).
  
  

Remote Management (Port 445):

• Direction: Traffic flows from the Windows Proxy (Server A) to the Remote Target (Server B).
• Purpose: Required for WMI-based password changes across the network.

• Port 27077: Must be open inbound on the Windows Proxy server to receive requests from the PAM appliance.
• Port 445: Must be open inbound on the remote target server (Server B) to allow the Proxy to perform administrative tasks.

• Local Management: Account A must be a member of the local Administrators group on its host server or have the right to change other accounts' passwords.
• Remote Management: To manage Server B, Account A must be a member of the local Administrators group on Server B or have explicit password-change rights on that remote machine.