Symantec Privileged Access Management

  • 1.  CA PAM: How to connect to devices behind firewall

    Posted Sep 26, 2017 07:26 AM

    Hi Team,

     

    We have some of the devices/endpoints behind firewall and we want to manage privileged accounts for them from PAM appliance which is internal.
How would we achieve this?

     

    Quick response appreciated.

     

    ITSAT

    VOLVOCARS



  • 2.  Re: CA PAM: How to connect to devices behind firewall

    Broadcom Employee
    Posted Sep 27, 2017 02:26 PM

    Hi VOLVOCARS Team,

     

It sounds like what you need to do is open ports on the firewall between PAM and the Target Device. The exact ports would depend on what you are connecting to and what you are trying to do. For example, a Unix server would require 22 for both account management & SSH connections, but if you are managing accounts on a Windows domain you might need 636 to the domain controller for account management & 3389 to the Target Device for RDP access.

     

    If you provide some more specifics we may be able to provide a more specific answer.

     

    Hope this helps,

    -Christian Lutz
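The reply above lists the ports PAM needs per target type. The following added example (not part of the thread and not PAM product code) expands a constructed target inventory into the unique (host, port) pairs the appliance must reach, using exactly that mapping (22 for Unix account management and SSH, 3389 to a Windows target for RDP, 636 to the domain controller for account management), and then probes each pair with a TCP connect so that a missing firewall rule shows up before onboarding. Hostnames, the inventory layout and the function names are assumptions.

```python
"""Pre-flight firewall reachability check from a PAM host to its targets.

Added example, not from the thread or the PAM product.  Port mapping is the
one given in the reply above; hosts and inventory format are constructed.
"""
import socket

# Ports per target type.  The LDAPS port is needed on the domain controller,
# not on the Windows target itself.
UNIX_PORTS = (22,)                # account management + SSH sessions
WINDOWS_TARGET_PORTS = (3389,)    # RDP sessions to the target
DOMAIN_CONTROLLER_PORTS = (636,)  # LDAPS account management on the DC


def required_endpoints(inventory):
    """Expand an inventory into the sorted, unique (host, port) pairs PAM must reach.

    inventory: list of dicts with keys 'host', 'type' ('unix' | 'windows') and,
    for Windows targets, 'dc' (the domain controller host).  The DC is added
    once no matter how many targets share it.
    """
    needed = set()
    for target in inventory:
        kind = target["type"]
        if kind == "unix":
            needed.update((target["host"], p) for p in UNIX_PORTS)
        elif kind == "windows":
            needed.update((target["host"], p) for p in WINDOWS_TARGET_PORTS)
            needed.update((target["dc"], p) for p in DOMAIN_CONTROLLER_PORTS)
        else:
            raise ValueError(f"unknown target type {kind!r} for {target['host']}")
    return sorted(needed)


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout.

    Any failure (refused, filtered, unresolvable, timed out) counts as not
    reachable, which is what a blocked firewall rule looks like from PAM.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_inventory(inventory, timeout=2.0, probe=tcp_reachable):
    """Return {(host, port): reachable} for every endpoint the inventory needs.

    `probe` is injectable so the aggregation can be tested without a network.
    """
    return {ep: probe(ep[0], ep[1], timeout=timeout)
            for ep in required_endpoints(inventory)}


# Constructed sample inventory (placeholder names, not from the thread).
SAMPLE_INVENTORY = [
    {"host": "unix01.example.internal", "type": "unix"},
    {"host": "unix02.example.internal", "type": "unix"},
    {"host": "win01.example.internal", "type": "windows", "dc": "dc01.example.internal"},
    {"host": "win02.example.internal", "type": "windows", "dc": "dc01.example.internal"},
]

if __name__ == "__main__":
    for (host, port), ok in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}:{port:<5} {'open' if ok else 'BLOCKED'}")
```

Run it from the PAM-side network (or any host on the same segment as the appliance) and every `BLOCKED` line is a firewall rule that still has to be opened; the `probe` parameter lets the expansion logic be exercised without touching the network.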



  • 3.  Re: CA PAM: How to connect to devices behind firewall

    Posted Sep 28, 2017 03:48 AM

Hi, that's correct,

     

But we have many devices and opening the firewall for all of the devices will not be feasible.

Our PAM Appliance is in the internal network and needs to manage devices which are behind the firewall.

Please let me know if there is anything specific you would like to know.

     

    ITSAT

    VOLVOCARS



  • 4.  Re: CA PAM: How to connect to devices behind firewall
    Best Answer

    Broadcom Employee
    Posted Sep 28, 2017 08:18 AM

    Hi VOLVOCARS team,

     

Depending on how your network environment is set up you may be able to use a second NIC card on the PAM Appliance to go around the firewall. What you would need to do is connect one of PAM's NICs to the network BEHIND the firewall (this way the traffic won't need to go 'through' it). Then you would be able to set an "Additional Route" in PAM's network settings which would ensure that all traffic destined for the network behind the firewall is forced through the correct network interface.

     

    Please note that if you are using a VM it is currently not easy to add new NIC cards after the VM is already running and if you try to do so yourself it would likely destroy your PAM VM. If you need to add new NICs to a running VM please review the following tech doc link & contact support for assistance.

     

    Is it possible to add additional NIC cards to a virtual CA PAM appliance? 

     

    Hope this helps,

    -Christian Lutz
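The best answer above relies on the appliance's route selection: without the "Additional Route", traffic for the protected network follows the default route out of the firewall-facing NIC; with it, the more specific route wins and the traffic leaves through the second NIC. The following added example (not from the thread and not PAM product code) models that with standard longest-prefix matching, which is how any IP stack, the appliance included, picks an egress interface. Interface names, subnets and gateway addresses are constructed placeholders, and the helper that lists which targets would still go through the firewall is an assumption, not a PAM feature.

```python
"""Which NIC does the appliance use for a given target?

Added example, not from the thread or the PAM product.  Models a default
route via the firewall-facing NIC (eth0) and an 'Additional Route' for the
network behind the firewall via the second NIC (eth1).  All addresses and
interface names are constructed.
"""
import ipaddress


class RouteTable:
    """Minimal IPv4/IPv6 route table with longest-prefix-match lookup."""

    def __init__(self):
        self._routes = []  # (network, interface, gateway or None)

    def add(self, destination, interface, gateway=None):
        net = ipaddress.ip_network(destination, strict=False)
        self._routes.append((net, interface, gateway))

    def lookup(self, target_ip):
        """Return (interface, gateway) for target_ip; the most specific route wins."""
        ip = ipaddress.ip_address(target_ip)
        matches = [r for r in self._routes if ip in r[0]]
        if not matches:
            raise LookupError(f"no route to {target_ip}")
        # The /0 default only wins when nothing more specific matches.
        _, interface, gateway = max(matches, key=lambda r: r[0].prefixlen)
        return interface, gateway


def pam_routes(with_additional_route=True):
    """Build the appliance's table before/after the 'Additional Route' is set."""
    rt = RouteTable()
    rt.add("0.0.0.0/0", "eth0", gateway="10.1.0.1")  # default route, toward the firewall
    rt.add("10.1.0.0/24", "eth0")                    # eth0's directly connected subnet
    rt.add("10.50.0.0/24", "eth1")                   # eth1's directly connected subnet (behind the firewall)
    if with_additional_route:
        # The wider protected network, reached via a router on eth1's subnet.
        rt.add("10.50.0.0/16", "eth1", gateway="10.50.0.1")
    return rt


def egress_interface(target_ip, with_additional_route=True):
    """Interface the appliance would send packets for target_ip out of."""
    return pam_routes(with_additional_route).lookup(target_ip)[0]


def still_via_firewall(targets, with_additional_route=True, firewall_nic="eth0"):
    """Targets whose traffic would still leave through the firewall-facing NIC.

    Hypothetical helper: useful for spotting which device subnets the
    'Additional Route' does not cover and therefore still need firewall rules.
    """
    rt = pam_routes(with_additional_route)
    return [t for t in targets if rt.lookup(t)[0] == firewall_nic]


# Constructed sample targets: two behind the firewall, one elsewhere.
SAMPLE_TARGETS = ["10.50.7.20", "10.50.0.15", "192.168.9.9"]

if __name__ == "__main__":
    for flag in (False, True):
        label = "with" if flag else "without"
        print(f"{label} additional route:",
              {t: egress_interface(t, flag) for t in SAMPLE_TARGETS})
```

The contrast the reply describes is visible in the output: `10.50.7.20` leaves via `eth0` (and therefore hits the firewall) until the `/16` route exists, after which it is sent out `eth1` through the gateway on that segment; a host on `eth1`'s own subnet never needed the extra route, and a target outside the protected range keeps using the default route.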