Why won't Windows Proxy work with all members of the cluster

Article Id: 5060

Status: Published

Updated On: 14-02-2018 08:12

Legacy Id: TEC1466307

Products:

CA Privileged Access Manager - Cloakware Password Authority (PA) , PAM SAFENET LUNA HSM , CA Privileged Access Manager (PAM) , CA Privileged Access Manager (PAM)

Issue/Introduction:

Windows Proxy is unable to manage Domain Accounts from all members of a CA PAM cluster.

Cause:

It turns out that CA PAM requires that port 389 be open on the Domain Controller to all CA PAM instances in the cluster. The documentation, the 2.7 and 2.8 CA PAM WIKIs, currently specify only port 636. This is not correct.

Environment:

A 2 node CA PAM 2.7.1 cluster in which Windows Proxy was being used to manage Domain Accounts. After adding additional nodes to the cluster Windows Proxy did not work with the new nodes.

Resolution:

Make sure that your firewalls allow port 389 to be open to all CA PAM instances in your cluster, in addition to 636. The documentation will be updated to reflect this requirement.