Symantec Privileged Access Management

  • 1.  WinScp with CA PAM

    Posted May 21, 2018 11:34 AM

    How do I configure/integrate the WinScp client with CA PAM? I tried doing it and was able to configure it, but if I disable the application protocol in TCP services, in the dashboard the user gets an additional popup with a view credential option.



  • 2.  Re: WinScp with CA PAM

    Broadcom Employee
    Posted May 21, 2018 12:54 PM

    Bipin, What is the motivation for disabling the application protocol? This says that you want to use PAM just as a router for the connection. There would be no session recording. I can see that the additional link to the credentials in the case where you select Disabled as application protocol is a potential concern. But I would like to understand the use case first.



  • 3.  Re: WinScp with CA PAM

    Posted May 21, 2018 01:22 PM

    The use case is simple: use WinScp via PAM to transfer files, and the session should get recorded.

    Which protocol should I select for WinScp, and what parameters should I put in the Client application path to launch WinSCP? I don't see SFTP or SCP protocols in the application protocol drop-down list. Please suggest.



  • 4.  Re: WinScp with CA PAM

    Broadcom Employee
    Posted May 21, 2018 02:06 PM

    Use Application Protocol SSH.



  • 5.  Re: WinScp with CA PAM

    Posted May 21, 2018 02:26 PM

    Thank you. Please tell me the client parameter value to put.

    C:\Test\WinSCP.exe ?



  • 6.  Re: WinScp with CA PAM

    Broadcom Employee
    Posted May 21, 2018 02:48 PM

    One example would be "C:\Test\WinSCP.exe" sftp://<Local IP>:<First Port> /sessionname=<Device Name>



  • 7.  Re: WinScp with CA PAM

    Posted May 21, 2018 02:58 PM

    I modified it a little bit and it works fine, but I don't see the session getting recorded. Is there anything I'm missing here?



  • 8.  Re: WinScp with CA PAM
    Best Answer

    Broadcom Employee
    Posted May 21, 2018 10:12 PM

    Hi Bipin, I have to correct myself. What I said worked in older releases, but in the latest releases we block secure file transfers using the SSH proxy. The options are as follows:

    - Enable SSH Terminal File Transfer in Global Settings. This will allow you to transfer files using the built-in SSH access method (Mindterm). Since the SSH access method includes auto-login, no credentials are needed by the user for file transfers.

    - Associate the sftpsftp service with a device and enable in a policy. This will open a port on a local IP address that you can connect your own file transfer client like WinSCP to. The popup showing local IP and Port will include a Credential link if an account is configured in policy for login. The user has to view the credential and use it for logon.

    - Define a TCP service like you described with application protocol Disabled. This is similar to the previous option except that PAM will launch your local client for you.

    - Associate the sftpsftpemb service with a device and enable in a policy. This is a mix of the previous two as it will use an embedded WinSCP client, see e.g. https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/provision-your-server/provisioning-devices/device-features


    At this time none of the options will record file transfers for you. There is one open idea on this topic: https://communities.ca.com/ideas/235737556-logging-file-transfer-transaction-for-ftp-service-on-ca-pam


    If you had users launching a WinSCP session from a Windows jump server, the RDP session recording would capture all file transfer activity of course.



  • 9.  Re: WinScp with CA PAM

    Posted May 22, 2018 09:32 AM

    Hi Ralf,


    Thank you for the detailed explanations. As you mentioned, none of the methods supports session recording. We can use the applet-based built-in SCP/SFTP features, but there are so many issues we have seen with the SSH applet. Many features that are supported by the PuTTY client are missing in the SSH applet. That is the reason we're leaning towards the PuTTY client rather than using the default applet.

    Is there any scope for FTP/SFTP support to be enabled in a later PAM version with session recording support? We cannot rely on the built-in SSH until all the applet issues are resolved.


    Appreciate your help.

    Thanks



  • 10.  Re: WinScp with CA PAM

    Broadcom Employee
    Posted May 22, 2018 09:55 AM

    Hi Bipin, Please vote up the enhancement request I pointed you to, or create a new idea if you don't think the description matches what you are looking for.



  • 11.  Re: WinScp with CA PAM

    Posted May 22, 2018 10:03 AM

    I did vote and respond to the enhancement requests. Thanks