Symantec Privileged Access Management

  • 1.  PowerShell remoting through CA PAM

    Posted Feb 19, 2019 04:59 AM

    Client is interested to know whether it is possible to connect a Windows PowerShell shell for remoting as a service in CA PAM. I couldn't find any manual on docops.



  • 2.  Re: PowerShell remoting through CA PAM

    Broadcom Employee
    Posted Feb 20, 2019 11:34 AM

    Hello Dejan, Can you be more specific with your use case? Are you interested in a PAM service that launches the local PowerShell and connects it to a remote host so that you can run PowerShell commands on that remote host?



  • 3.  Re: PowerShell remoting through CA PAM

    Posted Feb 20, 2019 03:11 PM

    Hello Ralf, Yes, the use case is exactly as you wrote.

    You were very precise, I have nothing to add.

    Thanks



  • 4.  Re: PowerShell remoting through CA PAM
    Best Answer

    Broadcom Employee
    Posted Feb 20, 2019 04:16 PM

    Hi Dejan, I didn't find any records of this having been done before. PAM doesn't specifically support the application protocol used by PowerShell. It would have to be a TCP service defined with Application Protocol = Disabled, in which case PAM basically just routes the connection. The Client Application could be a string for launch of a PS window, possibly invoking a PS script with command line arguments, or it could be empty and the user would launch PS on their own and then connect to the local IP and Port that the PAM client listens on for this service. The Ports field would be something like 5985:* or 5986:*, depending on whether the HTTP or HTTPS port is used, and when the PAM user launches the service a popup will show which local IP (as defined in the service) and which port to connect to. This will then be routed through PAM to the configured port on the target device. With command line arguments the local IP and local port could be passed into a PS script with parameters <Local IP> and <First Port>.
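
A sketch of the PS script the answer above describes, added here as an example; it is not part of the original post and not vendor code. The script name, its parameter names and the `-UseSSL` switch are assumptions, and it assumes the PAM client passes `<Local IP>` and `<First Port>` as the two arguments.

```powershell
# Connect-ViaPam.ps1 (hypothetical name): added example, not from the thread.
# Assumption: the PAM client substitutes <Local IP> and <First Port> into
# -LocalIP and -FirstPort when it launches this script.
param(
    [Parameter(Mandatory)] [ipaddress] $LocalIP,
    [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $FirstPort,
    [switch] $UseSSL   # set when the service maps to 5986 (HTTPS) on the target
)

$address = $LocalIP.IPAddressToString

# Confirm the PAM client is listening before prompting for credentials.
$probe = Test-NetConnection -ComputerName $address -Port $FirstPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "No listener on ${address}:$FirstPort. Launch the PAM service first."
}

# Kerberos cannot authenticate to an IP address, so explicit credentials
# are required for the routed connection.
$cred = Get-Credential -Message 'Account on the target device'

$sessionArgs = @{
    ComputerName   = $address
    Port           = $FirstPort
    Credential     = $cred
    Authentication = 'Negotiate'
}

if ($UseSSL) {
    $sessionArgs.UseSSL = $true
    # The target's certificate names the device, not the local listener
    # address. Skip only the name check; CA trust checking stays on.
    $sessionArgs.SessionOption = New-PSSessionOption -SkipCNCheck
}
# Over HTTP (5985) the WinRM client refuses an IP address unless it is listed
# in WSMan:\localhost\Client\TrustedHosts; add only the PAM local IP there.

Enter-PSSession @sessionArgs
```

If the Client Application string launches this with `powershell.exe -NoExit -File`, the window stays open at the remote prompt.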



  • 5.  Re: PowerShell remoting through CA PAM

    Posted Feb 21, 2019 02:35 AM

    Thank you very much for the quick and detailed answer.



  • 6.  Re: PowerShell remoting through CA PAM

    Posted Mar 25, 2019 06:30 AM

    Sorry, but I don't understand how this is possible...

    We need to use remote ps to a target device through PAM (just like SSH), with session logging and recording.

    Can you please explain how this is possible?

    Thank you



  • 7.  Re: PowerShell remoting through CA PAM

    Broadcom Employee
    Posted Mar 25, 2019 11:55 AM

    Hi Patrizio, The option to use a TCP service with application protocol Disabled does not support session recording. The only option would be to use an RDP jump server, connect to it using the RDP applet, and use remote ps from the jump server. Feel free to raise an idea in this community to have PAM product management consider direct support of remote ps from the user workstation to target devices.