Symantec Privileged Access Management

  • 1.  About PAM Browser

    Posted Jul 13, 2022 01:08 AM
    Hi,

    We can use PAM Client and Browser to connect to PAM appliance.
    We would like to refuse login from the browser regardless of the Internet or intranet, and allow only the PAM client application to be started.
    Is there a setting that prohibits the use of the browser?

    Best regards,


  • 2.  RE: About PAM Browser

    Broadcom Employee
    Posted Jul 13, 2022 01:29 AM

    Hi Team,
    As far as I know and understand, we have an option to block specific IPs / IP ranges from being able to connect to the CA PAM server.
    Maybe look at setting up such a filter in the firewall or in the external load balancer, if you are using an external load balancer.
    Thanks,
    Reatesh.


  • 3.  RE: About PAM Browser

    Posted Jul 13, 2022 01:37 AM
    Hi,

    Please let me ask you a question.
    If we block the PAM Server (appliance)'s IP, I think that we cannot connect to the PAM Server (appliance) via the PAM client or the Browser.
    I would like to block only PAM Browser.
    Is it possible?

    Best regards,


  • 4.  RE: About PAM Browser

    Broadcom Employee
    Posted Jul 13, 2022 08:33 AM
    Hello. Currently PAM has no such feature. The PAM server does have logic to check whether the connection is from the PAM client or from a native browser, but this is used for internal processing only, not to control user access. What is the use case behind this request? To have Product Management consider such a feature for future releases, you can raise an idea on the ideation page.


  • 5.  RE: About PAM Browser

    Broadcom Employee
    Posted Jul 14, 2022 11:05 AM

    You could probably do this using a firewall or similar solution that supports whitelisting and blocking based on user agent strings. Obviously this is outside of the scope of PAM and therefore would not be something we can support.

    I do think this is a worthwhile idea for a future feature. Perhaps redirecting all non-client access to a client download page rather than the login page.
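The two workarounds suggested in this thread, an IP-range filter at the firewall or load balancer (post 2) and a user-agent allowlist that steers non-client access to a client download page (post 5), as an added Python example of the decision logic such a front-end would apply; this is not code from the thread or from PAM, and the client user-agent token, the download path and the allowed networks are constructed placeholders.

```python
"""Front-end gate combining an IP-range filter with a user-agent allowlist.
Example code, not PAM's own; the client UA token below is an assumption."""
import ipaddress
from dataclasses import dataclass

# Assumption: the PAM client identifies itself with a User-Agent starting with
# this token. Replace with the value observed in your own proxy/firewall logs.
CLIENT_UA_PREFIX = "PAM-Client/"     # placeholder, not a documented value
DOWNLOAD_PAGE = "/client-download"   # hypothetical redirect target

# Constructed policy: only these source networks may reach the appliance.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.50.0/24")]

@dataclass(frozen=True)
class Decision:
    action: str          # "allow", "block" or "redirect"
    location: str = ""   # redirect target when action == "redirect"
    reason: str = ""

def gate(src_ip: str, headers: dict) -> Decision:
    """Decide how the proxy/firewall in front of PAM treats one request."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return Decision("block", reason="unparseable source address")
    # Network filter first: this is the part that genuinely controls access.
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return Decision("block", reason="source network not allowed")
    # Header names are case-insensitive, so normalise before the lookup.
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "")
    if ua.startswith(CLIENT_UA_PREFIX):
        return Decision("allow", reason="PAM client user agent")
    # Anything else (native browser, scripts) goes to the download page.
    # The User-Agent is chosen by the sender, so this enforces the intended
    # workflow only; it is not an authentication control.
    return Decision("redirect", DOWNLOAD_PAGE, "non-client user agent")

# Constructed sample requests: (source IP, request headers).
SAMPLE_REQUESTS = [
    ("10.1.2.3", {"User-Agent": "PAM-Client/4.1"}),
    ("10.1.2.4", {"user-agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/102.0"}),
    ("203.0.113.7", {"User-Agent": "PAM-Client/4.1"}),
    ("not-an-ip", {}),
]

def run_samples() -> list:
    """Return the action taken for each constructed request, in order."""
    return [gate(ip, h).action for ip, h in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for (ip, h) in SAMPLE_REQUESTS:
        d = gate(ip, h)
        print(f"{ip:14} -> {d.action:8} {d.location} ({d.reason})")
```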