IT Process Automation


Will a PAM agent work in a DMZ where the ports are open for communication, but there is no ICMP enabled in between the agent or server

  • 1.  Will a PAM agent work in a DMZ where the ports are open for communication, but there is no ICMP enabled in between the agent or server

    Posted 11-06-2014 09:40 AM

    We have a client that wants to put a PAM agent in the DMZ. We know it will use HTTPS for communication, which is great. The problem is that they will block all ICMP traffic between the server and agent in both directions. Will the agent still work?



  • 2.  Re: Will a PAM agent work in a DMZ where the ports are open for communication, but there is no ICMP enabled in between the agent or server

    Posted 11-06-2014 09:55 AM

    Craig,

    I do not believe this will be a problem; as far as I am aware, PAM does not need the ICMP messages to function.


    You can find a list of the ports that PAM is using in the Installation Guide of the newer releases.

    For example 4.2.2:

    Installation Guide Service Pack 04.2.02


    Michael



  • 3.  Re: Will a PAM agent work in a DMZ where the ports are open for communication, but there is no ICMP enabled in between the agent or server

    Posted 11-06-2014 10:07 AM

    Probably a separate question, but I'll ask anyway....


    Does the PAM agent support NAT'd addresses on either side?



  • 4.  Re: Will a PAM agent work in a DMZ where the ports are open for communication, but there is no ICMP enabled in between the agent or server

    Posted 11-06-2014 04:47 PM

    I do not know this one, Craig; it may depend on the type of NAT setup.


    If the IP address and associated hostname are always the same, and we can always communicate both ways, from orchestrator to agent and agent to orchestrator, using the same addressing information every time, I would assume it would work; if any of the addressing information changes after the installation, there would be problems. For example, if you install an agent on a server with multiple NIC cards and the IP address changes due to the bind order so that it does not match the IP the agent was installed under, that agent will not be able to communicate with the orchestrator.


    Maybe someone else has experience with this and can help here, but this may be something you have to try out and let support assist in trying to get beyond any issues you run into.
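An added preflight check for the two concerns raised in this thread (example code written for this page, not CA PAM's own tooling): it verifies the orchestrator's HTTPS port with a plain TCP handshake, which needs no ICMP at all, and checks that the IP the agent was installed under is still one of the host's addresses, so the bind-order drift described above is caught before the agent goes silent. The orchestrator hostname, port and installed IP are constructed placeholders.

```python
import socket
from typing import Iterable

# Constructed placeholders for the thread's scenario; they are not CA PAM
# defaults. Replace them with the real orchestrator endpoint and agent IP.
ORCHESTRATOR_HOST = "orchestrator.example.internal"
ORCHESTRATOR_PORT = 443
INSTALLED_AGENT_IP = "10.0.0.25"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Complete a TCP handshake to host:port and close the connection.
    Unlike ping this involves no ICMP, so it reflects what an HTTPS-based
    agent actually depends on when a DMZ firewall drops ICMP both ways."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable name
        return False


def local_ipv4_addresses() -> set:
    """IPv4 addresses this host's own name currently resolves to (stdlib only)."""
    try:
        infos = socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def address_still_matches(installed_ip: str, current_ips: Iterable[str]) -> bool:
    """The failure mode from the thread: the agent was registered under one IP,
    but a NIC bind-order change moved the host to another. Flag that drift."""
    return installed_ip in set(current_ips)


def preflight(host: str = ORCHESTRATOR_HOST, port: int = ORCHESTRATOR_PORT,
              installed_ip: str = INSTALLED_AGENT_IP) -> dict:
    """Run both checks and return a small report an operator can act on."""
    return {
        "orchestrator_tcp_reachable": tcp_reachable(host, port),
        "agent_ip_unchanged": address_still_matches(installed_ip, local_ipv4_addresses()),
    }


if __name__ == "__main__":
    for check, ok in preflight().items():
        print(f"{check}: {'OK' if ok else 'FAIL'}")
```

A FAIL on the first line with ICMP blocked means the TCP port itself is filtered, not that the agent needs ping; a FAIL on the second means the agent should be reinstalled or re-registered under the host's current address.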