Symantec Privileged Access Management

CA PAM protected endpoints/targets/devices, can they be reached via a routed/switched network or is it  mandatory that protected endpoints connect/live within a directly connected CA PAM appliance interface?

You can connect to any location on the network that CA PAM can actually reach. You can even connect to devices outside your network if CA PAM is allowed access. Depending on the layout of your network you may need to update your networking settings under Config > Network to add DNS servers or static routes to be able to reach other parts of the network.

You can test CA PAM's connection to devices using the tools located in Config > Tools.