Symantec Privileged Access Management

 View Only
  • 1.  PIM 12.9.2 with multiple IP addresses

    Posted Apr 22, 2019 03:31 AM

    Hi,

     

    Our environment:

    Windows 2008 R2 Server

    MS SQL 2008 R2

    MS IIS 7

     

    For network control, we have 2 x static IP addresses setup on the PIM server, namely:

    1. 10.1.9.10 (default)

    2. 10.1.9.20 (additional IP)

    There is only one network card (NIC).

     

    We defined DNS/localhost as follows:

    10.1.9.10 acme10.uat.local

    10.1.9.20 acme20.uat.local

     

    Before installation, we verified that we can the PIM server via both IP addresses.

    1. RDP --> 10.1.9.10 (successful)

    2. RDP --> 10.1.9.20 (successful)

    3. http://acme10.uat.local/ (successful)

    4. http://acme20.uat.local/ (successful)

     

    After we completed PIM 12.9sp2 installation, we saw connection issues with 10.1.9.20 / acme20.uat.local.

     

    We checked Windows IP configuration and there is no change.

    1. 10.1.9.10 (default)

    2. 10.1.9.20 (additional IP)

     

    We further checked the following:

    1. RDP --> 10.1.9.10 (successful)

    2. RDP --> 10.1.9.20 (failed, no response)

    3. http://acme10.uat.local/ (successful)

    4. http://acme20.uat.local/ (failed, no response)

     

    For troubleshooting, we also uninstalled PIM 12.9sp2.

     

    After un-installation, we could access the PIM server via both IP addresses again.

    1. RDP --> 10.1.9.10 (successful)

    2. RDP --> 10.1.9.20 (successful)

    3. http://acme10.uat.local/ (successful)

    4. http://acme20.uat.local/ (successful)

     

    It seems like with PIM 12.9sp2 installed, 10.1.9.20 became inaccessible.

     

    Questions:

    1. Which component of PIM 12.9sp2 controls this behavior?

    2. What can we do to PIM 12.9sp2 so that both 10.1.9.10 and 10.1.9.20 are accessible?

     

    Please advise from the field will be much appreciated.

     

    -MunFai



  • 2.  Re: PIM 12.9.2 with multiple IP addresses

    Broadcom Employee
    Posted May 03, 2019 05:56 PM

    MunFai

     

    The only component that could control this behavior would be SEOS itself. I don't see how the default rules would block anything like this though. I am not sure I understand the value of having 2 IPs on the same Nic but it should work fine. Did you do any testing to validate the local networking on the machine itself? Checking the route tables  before and after? Verify any log information in the event viewer or the local firewall? Maybe SEOS sees the incoming traffic coming in from IP 2 but trying to leave through the default route (IP 1) as some kind of a risk?

     

    If you have a need to make this work I would reinstall and open a support ticket to evaluate why communication is failing.

     

    Joe