Symantec Privileged Access Management

  • 1.  CA PAM Agent with auto-login

    Posted Nov 06, 2019 05:27 PM
    Hello, everyone

    We installed the CA Agent and configured putty as a TCP service. Connecting from the CA Client app works fine (using this putty service).
    However, there are problems with the connection via the CA Agent.
    We followed the steps as described on the documentation site: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/deploying/deploy-the-ca-pam-access-agent-for-windows.html

    1) configure TCP service (see screens in attachment)
    2) assign policy
    3) activate Service in CA Agent application
    4) try to login with putty application to target system (target IP and target port)
    5) auto-login doesn't work, no redirection was established

    Does anyone have an idea what we are doing wrong?
    Thanks!


  • 2.  RE: CA PAM Agent with auto-login

    Broadcom Employee
    Posted Nov 07, 2019 06:00 AM
    Hello Lukas,

    Please make sure the Target Account you have associated with the putty service (your picture "image0031") is synchronised with PAM - indicated by a green check mark in the list of target accounts.

    Confirm the auto login with the putty service to the target is working using the PAM Client instead.

    Should the above be positive but the issue remains in the PAM Agent, please enable debug logging on the PAM Agent, reproduce the issue once again and open a formal Support case with us for further investigation.

    Regards,
    Andreas


  • 3.  RE: CA PAM Agent with auto-login

    Broadcom Employee
    Posted Nov 08, 2019 09:15 AM
    Lukas,

    Just to confirm, you are trying to connect to the target device using the device IP address (not the putty service local IP address), right?

    With the PAM agent, you don't use the service IP, you use the actual IP address as defined on the device and actual port (22) in this case.

    Joe


  • 4.  RE: CA PAM Agent with auto-login

    Posted Nov 08, 2019 10:29 AM
    Hi Joseph,
    Hi Andreas,

    Sure, I'm trying to connect to the target device IP (10.60.4.54), as captured on screen image004. No localhost address.

    The target account is verified, all is configured as well. Connection via the putty service from the CA Client app works fine - auto-login takes place, there is no problem. Only if I try to connect from putty when the Service in the CA Agent is activated - I think no redirection to CA PAM is made.


  • 5.  RE: CA PAM Agent with auto-login
    Best Answer

    Broadcom Employee
    Posted Nov 08, 2019 10:49 AM
    You might try setting a specific port in the service (22:2222) or just use port 22 and a different IP address. I'm not sure if the agent works with a wildcard (22:*) in the port.