We are using CA PAM 3.1.1 and we are trying to use the Account Discovery functionality on Windows 2012 R2 & 2016 servers. We are using the agentless approach, which is the Windows Remote user (administrator) method of connection.
The 2012 R2 servers are not added to a domain; they are standalone servers. But the 2016 server is added to a domain.
From PAM, we are managing only local accounts; we don't manage domain accounts. So, we created a local user and assigned it to the administrators group on both the 2012 and 2016 servers. Also, from the firewall side, we have asked to open ports 135, 139, 445, 3389 for PAM to communicate with the server.
In 2012 R2 server, the account discovery is working fine, able to fetch the accounts and shows in PAM discovery page.
In the 2016 servers, the account discovery in PAM is not working at all, but other functionalities like accessing the server and password management are all working fine, except the account discovery.
We contacted CA support. After analyzing multiple logs from PAM and other tools, CA is suspecting that the WMI port range 49152 to 65535 should be opened (which is 16383 ports), which is a huge number of ports. CA engineering says it is the root cause, as from PAM there are no packets sent to the target server.
My question is: if that is the root cause, then how does the account discovery work fine on the Windows 2012 server, where we have only 4 ports open (135, 139, 445, 3389)? No other ports are open on this server.
But I didn't get an explanation from CA for this question.
First of all, my customer would not agree to open the huge range of ports.
Second, without this range of ports open, account discovery already works on the 2012 server. So the customer will ask: it works on 2012, then why do you need the ports opened on 2016?
I just want to know and confirm: is this port range causing the issue, or something else?
Kindly let me know if anyone has faced this issue on 2016 or any other version of Windows Server, and provide your expertise to see if something else is causing the issue.
If you have firewalls / port restrictions between the CA PAM appliance and the (Windows) target box on which you want to manage local accounts, you should really refrain from using the Windows Remote connector; as said, it requires various communication ports to be open.
Instead, consider using the Windows Proxy, which uses a single communication port from PAM to the target.
For more info please review the documentation:
Windows Proxy Target Connector - CA Privileged Access Manager - 3.2 - CA Technologies Documentation
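The thread turns on whether the WMI/DCOM path (TCP 135 for the RPC endpoint mapper, then a dynamically assigned port from the 49152-65535 range) is reachable on the 2016 target. The following PowerShell is an added example, not code from the original thread or from CA PAM, showing how an administrator can (a) read and, if desired, narrow the dynamic port range on the target so the firewall rule does not have to cover 16383 ports, and (b) test from the PAM-side network whether the fixed ports and a real WMI query over DCOM succeed. The hostname in $Target and the narrowed range 50000-50099 are assumed placeholders.

```powershell
# Added example (not from the original thread). Steps 1-2 run on the Windows
# target; steps 3-4 run from a host on the same network segment as the PAM
# appliance, using the same local administrator credentials PAM would use.
param(
    [string]$Target = "win2016-target.example.invalid"   # placeholder hostname
)

# 1. On the target: show the effective TCP dynamic port range. This is the
#    range the endpoint mapper on 135 hands out for DCOM/WMI connections.
netsh int ipv4 show dynamicport tcp

# 2. Optional, on the target: narrow the dynamic range so the firewall change
#    is small (a reboot is needed for services already bound to ports).
#    Assumed values; choose a range that does not collide with other services.
#    netsh int ipv4 set dynamicport tcp start=50000 num=100

# 3. From the PAM side: check the four fixed ports that are already open.
$fixedPorts = 135, 139, 445, 3389
foreach ($port in $fixedPorts) {
    $result = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $state = if ($result.TcpTestSucceeded) { 'open' } else { 'blocked' }
    "{0}:{1} -> {2}" -f $Target, $port, $state
}

# 4. From the PAM side: an actual WMI query over DCOM. Get-WmiObject uses
#    DCOM (135 + a dynamic port), so a failure here with 135 open but the
#    dynamic range blocked is the symptom the thread describes; a success
#    means the dynamic range is reachable and the cause lies elsewhere.
try {
    Get-WmiObject -Class Win32_UserAccount -ComputerName $Target -Filter "LocalAccount=True" |
        Select-Object Name, Disabled, Lockout
    "WMI over DCOM succeeded against $Target"
} catch {
    "WMI over DCOM failed against ${Target}: $($_.Exception.Message)"
}
```

Compare the step 4 result on the 2012 R2 and 2016 targets: if the query fails on 2016 but discovery is not even using WMI on 2012 R2, the two servers are not exercising the same path, which is the comparison the customer is asking for.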