What version of the CA eTrust Password Sync Agent should be installed?
The Password Sync Agent is a standalone component that is implemented as a Windows Password Filter.
It intercepts incoming password updates at the Domain Controller and uses LDAP/LDAPS to communicate with the Provisioning Server to propagate the password change throughout the environment.
Newer versions of the Password Sync Agent send transactions in the same format, so yes, you could use a newer release of the Password Sync Agent against an older Identity Manager Provisioning Server.
The Password Sync Agent can be downloaded as part of the "Identity Manager r14.# Provisioning components" for your specific version.
You should only attempt to use a Password Sync Agent that is the same version as, or a newer version than, your Identity Manager. An older version of the Password Sync Agent may not work against a newer version of Identity Manager because of security changes around the TLS cipher as you advance through the Java release versions.
We cannot guarantee that an older version of the Password Sync Agent will work with a newer version of Identity Manager.