We have a PAM appliance in our internal network, so PAM is able to connect to all the internal servers.
Now, if we want to connect to the servers which are behind the firewall (internet facing or in the DMZ), how can we use the same PAM appliance to connect to those endpoints?
I have checked the below link; however, is that what is required in my case?
Is it possible to add additional NIC cards to a virtual CA PAM appliance?
How can we implement PAM to connect to external endpoints through internal network?
Hi Nikunj, I am not sure what you are looking for. In general, whether your PAM server is able to connect to devices outside your internal network or not depends on your network configuration and firewall settings, not on what you configure in PAM. What PAM provides is configuration of additional routes, where you can specify the gateway that should be used for connections to a range of destination IPs, and also which interface should be used for the communication to these IPs if you have multiple network interfaces configured. Additional routes can be configured under Configuration > Network > Additional Routes.
Thanks for the reply.
Actually, what I want is to connect to the endpoints (which are not in the internal network) through PAM (which is in the internal network). So can configuring the NIC help?
Suppose our PAM appliance is in the internal network (.net domain) and we want to access endpoints which are in the DMZ/external network (.biz domain). Now there is no direct connectivity from the .net to the .biz domain.
So, how do we connect to the .biz servers from PAM?
Hope this makes sense.
Hi, this is a question that your network team has to answer.
You may need to open a support case to get assistance in configuring your appliance(s) from multiple networks (NICs).
You have two options.
1. Open the respective ports from PAM to the end device, i.e. RDP/SSH/HTTPS etc., and the proxy ports for password management; the exact port numbers can be found on the docops site.
2. PAM has 8 physical ports or interfaces on physical appliances; you can connect these ports to the network where your devices are residing, for example the DMZ. The same logic applies to the virtual appliance.
Hope this helps.
Thanks for this. I have some more queries:
[Nikunj]: This doesn't seem to be a feasible solution, as suppose we have 500 servers in the DMZ, then we have to configure the firewall each time. Also, if a new server is introduced in the external network, then the firewall settings need to be changed each time for each new server. This will only increase the overhead, although it can be considered as a last option.
[Nikunj]: This looks interesting. So, my query is, if I configure the network address of the .biz domain (which is external and behind the firewall), will this not need any firewall settings? Will PAM be able to connect directly to the external servers? How will PAM know from which port to connect? I am confused; I am not getting logically how this can be implemented. Request you to please explain this point in detail.
Thanks in advance.
If your PAM appliance is multi-homed, then the traffic may not need to traverse any firewalls when it leaves PAM… it goes out one interface for internal devices and another for external, and both of those interfaces are connected to their respective networks. This adds a bit of risk, as PAM now becomes a potential ingress point for attackers who compromise a server in your DMZ, allowing them to bypass the firewall and gain access to your network (the whole point of a DMZ is to prevent ingress in the event of a compromised public-facing server). Of course, the likelihood of PAM getting compromised in such a way is very slim; I would argue that your firewall is less secure, but multi-homing PAM into your DMZ does increase your attack surface.
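To make the additional-routes reply and the multi-homing reply above concrete, here is an added Python model of how a multi-homed appliance picks an egress interface per destination and which destination ranges would leave without touching the internal firewall. It is constructed for this thread and is not CA PAM's own code; the interface names, subnets and gateways are assumed.

```python
import ipaddress

# Constructed model of the egress decision on a multi-homed appliance (added
# example, not CA PAM's own routing code). Interfaces: connected subnet per NIC.
INTERFACES = {
    "eth0": ipaddress.ip_network("10.10.0.0/24"),    # internal (.net) side
    "eth1": ipaddress.ip_network("172.16.50.0/24"),  # DMZ (.biz) side
}
DMZ_INTERFACES = {"eth1"}

# "Additional routes": (destination range, next-hop gateway, egress interface).
# The default route points at the internal firewall; the /16 entry is the kind
# of route that sends DMZ-bound traffic straight out of the DMZ-facing NIC.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "10.10.0.1", "eth0"),
    (ipaddress.ip_network("172.16.0.0/16"), "172.16.50.1", "eth1"),
]


def resolve(dest: str) -> dict:
    """Pick the egress path for dest by longest-prefix match over connected
    subnets (gateway None) and the configured routes."""
    ip = ipaddress.ip_address(dest)
    connected = [(net, None, name) for name, net in INTERFACES.items()]
    matches = [r for r in connected + ROUTES if ip in r[0]]
    net, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return {
        "network": str(net),
        "gateway": gateway,
        "interface": iface,
        # Traffic leaving a DMZ-facing NIC never passes the internal firewall,
        # which is the exposure the last reply in the thread warns about.
        "bypasses_firewall": iface in DMZ_INTERFACES,
    }


def firewall_bypass_ranges() -> list:
    """Audit helper: every destination range that egresses via a DMZ NIC."""
    ranges = [str(net) for name, net in INTERFACES.items() if name in DMZ_INTERFACES]
    ranges += [str(net) for net, _, iface in ROUTES if iface in DMZ_INTERFACES]
    return sorted(set(ranges))


if __name__ == "__main__":
    for host in ("10.10.0.25", "172.16.50.7", "172.16.80.3", "203.0.113.9"):
        print(host, resolve(host))
    print("ranges that bypass the firewall:", firewall_bypass_ranges())
```

Reviewing the output of `firewall_bypass_ranges()` against the firewall team's expectations is the check that tells you which DMZ-bound flows the firewall will no longer see once the appliance is multi-homed.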