Kelly Wong

Tech Tip - CA Privileged Access Manager: RDP Application only works with default port 3389

Blog Post created by Kelly Wong Employee on Apr 28, 2017

CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 28th April 2017



By default, CA PAM establishes RDP connection to remote Target Host over port 3389 and RDP Application uses the same default port.



We can customize the RDP port for a specific Target Host in the device's properties, define in CA PAM.




RDP Application failed to launch as we change the default RDP port on Target Host and CA PAM.



RDP access uses the port defined in the respective device's properties but RDP application always uses port 3389.




  1. Update the following registry key in Target Host with the new RDP port -- 6901:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
  2. Disable the Windows Firewall Inboud Rule 'Remote Desktop (TCP-In)'
  3. Create a new Windows Firewall Inboud Rule to allow TCP port 6901
  4. Reboot the Target Host
  5. Update PAM device's properties > 'RDP' Access Methods to use port 6901 


RDP to Target server over port 6901 via CA PAM is working accordingly but the RDP application fails because Windows Firewall is not allowing inbound traffic from port 3389.



From the xcd_spfd.log, RDP application is still trying to connect via default port 3389:

2017-02-24 03:18:17 16629 INFO init: Trying to connect to ***.******.xx:3389
2017-02-24 03:18:17 16629 ERROR open: open: Cannot connect. (Connection refused)
2017-02-24 03:18:17 16629 ERROR init: Unable to open connection to BER ***.***.***.xx:3389
2017-02-24 03:18:17 16629 ERROR run: Traffic Handler did not initilize properly. Closing the connection.