Symantec Privileged Access Management

  • 1.  Windows Proxy Remote Local Account

    Posted Sep 19, 2018 11:42 AM

    Hello everyone,

     

    What would be the port requirements to manage passwords of local accounts of other servers from Windows Proxy? I have read that only port 445 is required, but do we need any other ports as well?



  • 2.  Re: Windows Proxy Remote Local Account



  • 3.  Re: Windows Proxy Remote Local Account

    Posted Sep 19, 2018 03:52 PM

    Hi Ralf,

     

    Thank you for the quick reply. I have seen that, but I got conflicting information from CA Support that I need to open WMI ports as well to change the password of local accounts from Windows Proxy to other Windows machines.

     

    But if that is true, then the requirements are the same as for the Windows Remote target connector (open ports 135 and 49152 through 65535 or 1024 through 4999 towards Windows Endpoints). So I am confused, in the end, about what ports I need to open from Windows Proxy to manage local accounts on other Windows machines. Also, the SMB2 port was added after my case was opened, since it isn't included in any earlier versions of the documentation.



  • 4.  Re: Windows Proxy Remote Local Account

    Broadcom Employee
    Posted Sep 19, 2018 06:08 PM

    We tested this in the past with only port 445 open and it worked.



  • 5.  Re: Windows Proxy Remote Local Account

    Posted Sep 20, 2018 08:53 AM

    So this will mean that we can also discover local accounts on other Windows servers if we open port 445 from Windows Proxy towards Windows endpoints?



  • 6.  Re: Windows Proxy Remote Local Account

    Broadcom Employee
    Posted Sep 20, 2018 09:20 AM

    No, that's not what it means. We discussed password management here, not discovery. I did not check on the discovery part.



  • 7.  Re: Windows Proxy Remote Local Account
    Best Answer

    Broadcom Employee
    Posted Sep 21, 2018 07:15 AM

    Hello Nikola,

     

    As I already mentioned in the Support Case you opened for this spin-off question:

     

    As per
    https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/protect-privileged-account-credentials/default-ports-for-credential-manager#DefaultPortsforCredentialManager-DefaultPortsforTargetConnectors

     

    Firewall ports needed for the PAM Proxy:
    – PAM to Proxy – port 27077
    – Proxy to PAM – port 443
    – Proxy to end-point – port 445

     

    Following:
    https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/protect-privileged-account-credentials/identify-target-applications-and-connectors/add-the-windows-proxy-connector/how-to-add-windows-proxy-target-applications-and-accounts

     

    I verified in my lab that no further open ports are needed to discover the local accounts on the PAM Proxy host.

     

    Account Discovery from Proxy to remote endpoints, however, basically uses WMI / RPC (port 135 + random ports).

     

    Normally you would not have a firewall between Proxy and endpoints, since typically these are in the same LAN as the Proxy itself.
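
A reachability check for the ports listed in the answer above, as an added example that is not part of the original thread or of the product documentation. It is meant to run on the Windows Proxy host; the host names are placeholders, and an open port 135 only shows that the RPC endpoint mapper answers, not that the dynamic RPC range is allowed through.

```powershell
# Added example. Host names below are placeholders, not values from the thread.
param(
    [string[]]$Endpoints = @('endpoint01.example.internal'),
    [string]$PamHost     = 'pam.example.internal',
    [int]$TimeoutMs      = 2000
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        # Wait() returns $false on timeout; a refused connection throws instead.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Proxy to PAM: port 443 (outbound from this host).
$pamReachable = Test-TcpPort -HostName $PamHost -Port 443 -TimeoutMs $TimeoutMs

# PAM to Proxy: port 27077 (inbound). A local listener shows the proxy service
# is bound; it does not prove that a firewall in between lets PAM reach it.
$listener = Get-NetTCPConnection -State Listen -LocalPort 27077 -ErrorAction SilentlyContinue
$proxyListening = [bool]$listener

# Proxy to endpoint: 445 for password management, 135 (+ dynamic RPC ports)
# for remote account discovery over WMI / RPC, as described in the thread.
$endpointResults = foreach ($ep in $Endpoints) {
    $smb = Test-TcpPort -HostName $ep -Port 445 -TimeoutMs $TimeoutMs
    $rpc = Test-TcpPort -HostName $ep -Port 135 -TimeoutMs $TimeoutMs
    [pscustomobject]@{
        Endpoint           = $ep
        Smb445             = $smb
        Rpc135             = $rpc
        PasswordManagement = if ($smb) { 'port open' } else { 'blocked' }
        RemoteDiscovery    = if ($rpc) { 'mapper reachable, dynamic range untested' } else { 'blocked' }
    }
}

"Proxy -> PAM 443 reachable : $pamReachable"
"Listener on 27077 (local)  : $proxyListening"
$endpointResults | Format-Table -AutoSize
```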



  • 8.  Re: Windows Proxy Remote Local Account

    Posted Sep 21, 2018 09:40 AM

    Thank you very much, guys. I asked Miquel if it's possible to review the port requirements, since there is a lot of information missing in the documentation for these things.