What would be the port requirements to manage passwords of local accounts of other servers from Windows Proxy? I have read that only port 445 is required, but do we need any other ports as well?
Hi Nikola, Yes, it's port 445, as documented at https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/protect-privileged-account-credentials/default-ports-for-credential-manager.
Thank you for the quick reply. I have seen that, but I got conflicting information from CA Support that I need to open WMI ports as well to change the password of local accounts from Windows Proxy to other Windows machines.
But if that is true, then the requirements are the same as for the Windows Remote target connector (open ports 135 and 49152 through 65535 or 1024 through 4999 towards Windows Endpoints). So I am confused in the end about what ports I need to open from Windows Proxy to manage local accounts on other Windows machines. Also, the SMB2 port was added after my case was opened, since it isn't included in any earlier versions of the documentation.
We tested this in the past with only port 445 open and it worked.
So this will mean that we can also discover local accounts on other Windows servers if we open port 445 from Windows Proxy towards Windows endpoints?
No, that's not what it means. We discussed password management here, not discovery. I did not check on the discovery part.
As I already mentioned in the Support Case you opened for this spin off question:
Firewall ports needed for the PAM Proxy:
- PAM to Proxy: port 27077
- Proxy to PAM: port 443
- Proxy to end-point: port 445
I verified in my lab that no further open ports are needed to discover the local accounts on the PAM Proxy host.
Account Discovery from Proxy to remote endpoints, however, basically uses WMI / RPC (port 135 + random ports).
Normally you would not have a firewall between Proxy and endpoints, since typically these are in the same LAN as the Proxy itself.
Thank you very much guys, I asked Miquel if it's possible to review the port requirements, since there is a lot of information missing in the documentation for these things.
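
The flows named in this thread can be checked from the Proxy host before and after a firewall change. The script below is an added example, not part of the thread or of CA's documentation; the host names are placeholders, and it assumes Windows PowerShell on a system where `Get-NetTCPConnection` is available.

```powershell
# Run on the Windows Proxy host. Host names are placeholders (assumptions).
param(
    [string]   $PamHost   = 'pam.example.internal',
    [string[]] $Endpoints = @('endpoint01.example.internal'),
    [int]      $TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        # Wait() returns $false on timeout; a refused connection throws.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

# Outbound flows from the Proxy, as listed in the thread.
$flows = @(@{ Target = $PamHost; Port = 443; Purpose = 'Proxy to PAM' })
foreach ($ep in $Endpoints) {
    $flows += @{ Target = $ep; Port = 445; Purpose = 'Proxy to endpoint: password management' }
    $flows += @{ Target = $ep; Port = 135; Purpose = 'Proxy to endpoint: account discovery (WMI/RPC)' }
}

$results = @(foreach ($f in $flows) {
    [pscustomobject]@{
        Purpose = $f.Purpose
        Target  = $f.Target
        Port    = $f.Port
        Open    = Test-TcpPort -HostName $f.Target -Port $f.Port -TimeoutMs $TimeoutMs
    }
})

# Inbound flow (PAM to Proxy, port 27077) cannot be dialed from here;
# confirm instead that something on the Proxy is listening on it.
$listening = [bool](Get-NetTCPConnection -LocalPort 27077 -State Listen -ErrorAction SilentlyContinue)
$results += [pscustomobject]@{
    Purpose = 'PAM to Proxy (local listener)'; Target = 'localhost'; Port = 27077; Open = $listening }

# The dynamic RPC ports used after the port 135 handshake are not probed here.
$results | Format-Table -AutoSize
```

An open port 135 only shows that the RPC endpoint mapper is reachable; discovery still needs the dynamic port range mentioned earlier in the thread to be allowed.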