Symantec Privileged Access Management

  • 1.  At what point should I install the Windows Proxy Agent

    Posted Mar 22, 2018 04:52 PM
    Hello community

    I made the implementation for 2 servers "CA PAM VirtualAppliance" and now
    I want to perform the installation of the agent for Windows Proxy. I wonder if this agent
    should be installed and addressed to one of the 2 servers in the cluster, or if the installation should be made
    later, pointing to the VIP once the cluster has been configured. I think that this question
    is valid for the case of the Agent Socket Filter and A2A.


    I appreciate your collaboration


  • 2.  Re: At what point should I install the Windows Proxy Agent
    Best Answer

    Broadcom Employee
    Posted Mar 22, 2018 06:04 PM

    Hi Julian, Please take a look at https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/implementing/add-and-run-credential-manager-a2a-requestors/configure-the-a2a-client-multi-home-feature

    This explains how to add multiple PAM server entries in the cspm_client_config.xml file post-install. It is valid for A2A clients and Windows Proxy agents, and the configuration file name is the same. Make sure to add "cspmserver" and "cspmserver_port" pairs as the doc states. The port default is 443 (PAM HTTPS port) and can be left blank. But you still need to have a port parameter for each server parameter. If you are only connecting to nodes in one cluster, it is OK to just use the cluster VIP. What you choose also depends on your network/firewall configuration, specifically whether the Windows proxy nodes are meant to connect to the PAM servers directly, or through an external load balancer, if you have one. The Windows Proxy service needs to be able to communicate with one PAM server on startup. Otherwise it will stop. Once running, any PAM server that has this proxy configured can communicate with it.