Symantec Privileged Access Management


PAM Proxy service automatically stopped

  • 1.  PAM Proxy service automatically stopped

    Posted Nov 25, 2019 09:55 PM
    Hi,

    I am trying to configure the Windows Proxy connector to manage a local account on one of the Windows 2016 servers, which is not in a domain. I managed to install the Proxy setup on the server by following the KB. The problem is that after we start the PAM Proxy service, it runs for some time and then stops automatically. I have tried changing the service's recovery options on the server, but the status is still the same. Has anyone faced an issue like this before?

    Thanks,


  • 2.  RE: PAM Proxy service automatically stopped

    Broadcom Employee
    Posted Nov 26, 2019 02:41 AM

    Hello Vijay,

     

    Please make sure you use the exact same version of the Proxy matching the PAM appliance, e.g. for PAM r3.3.1 the Windows Proxy is r4.16.1.20

    (else there might be incompatibilities causing the behavior you describe)

     

    Confirm in its cspm_client_config.xml

    <cspmserver>x.x.x.x</cspmserver>

    is referencing the IP address of the PAM appliance itself.

     

    Should the issue remain, please open a formal Support Case with us and we will investigate further.

     

    Best Regards,

    Andreas

     






  • 3.  RE: PAM Proxy service automatically stopped

    Posted Nov 26, 2019 04:08 AM
    Hi Andreas,

    Our CA PAM is running v3.3 and the Windows proxy version is 4.16.0. Also, I have verified the PAM IP address and it is pointing to one of our HA members.

    I will raise a support case for this issue.

    Thanks,




  • 4.  RE: PAM Proxy service automatically stopped

    Posted Nov 26, 2019 09:32 AM
    Hi Vijay,


    When you run a telnet to the IP through port 443, can you connect? Change the trace level setting to FINE and verify if you get an answer when uploading the service.

    <logfile>e:\cspm_agent\cloakware\cspmclient\log\cspm_client_log.txt</logfile>
    <!-- Set to OFF / INFO / FINE / WARNING to see logs from cspmclient executable stub -->
    <c_loglevel>FINE</c_loglevel>


  • 5.  RE: PAM Proxy service automatically stopped

    Broadcom Employee
    Posted Nov 26, 2019 11:32 AM
    The <c_loglevel> setting would not help with this problem. The <loglevel> setting higher up in the configuration file is more useful.
    <loglevel>FINE</loglevel>
    Configuration changes kick in on the next service restart.


  • 6.  RE: PAM Proxy service automatically stopped
    Best Answer

    Broadcom Employee
    Posted Nov 26, 2019 11:30 AM
    Hi Vijay,
    this problem typically is observed when either port 443 is not open from the Windows Proxy host to the PAM appliance, or port 27077 is not open from the PAM appliances to the Windows Proxy host. See port requirements on page https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/deploying/ip-addresses-and-ports-for-network-connectivity.html.
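
The checks suggested in replies 2, 5 and 6, collected into one script to run on the Windows Proxy host. This is an added example, not part of the thread and not Broadcom code; the `-ConfigPath` parameter, the `<config>` root element and the sample address 192.0.2.10 are constructed assumptions.

```powershell
# Added example, not vendor code. Pass the path to cspm_client_config.xml;
# with no path, the constructed sample below is used (root element assumed).
param([string]$ConfigPath)

$sample = @'
<config>
  <loglevel>INFO</loglevel>
  <cspmserver>192.0.2.10</cspmserver>
  <daemonserver1_port>27077</daemonserver1_port>
</config>
'@

function Test-TcpPort([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000) {
    # Outbound TCP connect with a timeout; $true only if the handshake completes.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        return ($client.ConnectAsync($TargetHost, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch { return $false }
    finally { $client.Close() }
}

function Get-ConfigValues([xml]$Xml, [string]$Name) {
    # local-name() keeps the lookup working whatever the root element or namespace is.
    $Xml.SelectNodes("//*[local-name()='$Name']") |
        ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ }
}

$xml = New-Object System.Xml.XmlDocument
if ($ConfigPath) { $xml.Load((Resolve-Path $ConfigPath).Path) } else { $xml.LoadXml($sample) }

# 1. Proxy host -> PAM appliance on 443, for every <cspmserver> entry.
foreach ($server in Get-ConfigValues $xml 'cspmserver') {
    [pscustomobject]@{ Check = "TCP 443 to $server"; Result = (Test-TcpPort $server 443) }
}

# 2. Is the proxy listening locally on <daemonserver1_port>? This shows the service
#    is up; reachability from the appliance still has to be tested from the PAM side.
$listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners().Port
foreach ($port in Get-ConfigValues $xml 'daemonserver1_port') {
    [pscustomobject]@{ Check = "listening on $port"; Result = ($listening -contains [int]$port) }
}

# 3. Current <loglevel>; FINE is the setting reply 5 recommends, applied at the next restart.
[pscustomobject]@{ Check = 'loglevel'; Result = (Get-ConfigValues $xml 'loglevel') -join ',' }
```

A `False` on the 443 row or the listener row while the service keeps stopping points at the firewall rules described above rather than at the proxy itself.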


  • 7.  RE: PAM Proxy service automatically stopped

    Posted Nov 28, 2019 01:46 AM
    Hi Ralf,

    I have opened the necessary firewall rules now and can run the Proxy service without any issues, but I am facing another issue now. I am able to telnet from PAM to the server using port 27077 and from the server to PAM using 443. I have also enabled ports 135 and 445.

    "CSPMAgentServlet::doPost. Failed to authenticate CSPM server, abort.. "


  • 8.  RE: PAM Proxy service automatically stopped

    Posted Nov 28, 2019 04:00 AM
    Hi All,

    After I restarted the PAM proxy services, it is now working without any issues. Thanks for all your suggestions. Closing the TAC case as well.

    Thanks,
    Vijay


  • 9.  RE: PAM Proxy service automatically stopped

    Posted Nov 28, 2019 08:34 PM
    Hi All,

    One more question: currently I have given the IP address of one of the HA members in the PAM proxy configuration file. Is it possible to add both member IP addresses in the configuration file, or simply give the VIP?

    Thanks,
    Vijay


  • 10.  RE: PAM Proxy service automatically stopped

    Broadcom Employee
    Posted Nov 28, 2019 11:55 PM

    Hello Vijay,

    You can provide the VIP address or the VIP FQDN name if you have a DNS record with an FQDN for the VIP address.

    Thanks,

    Reatesh.



    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 11.  RE: PAM Proxy service automatically stopped

    Posted Nov 29, 2019 08:38 AM
    Hi Vijay

    You can modify the proxy configuration file and specify the different nodes of the CA PAM cluster; it would be something like:

    <preserveCacheBetweenRestarts>false</preserveCacheBetweenRestarts>
    <loglevel>FINE</loglevel>
    <cspmserver>node1</cspmserver>
    <cspmserver_port></cspmserver_port>
    <cspmserver>node2</cspmserver>
    <cspmserver_port></cspmserver_port>
    <cspmserver>node3</cspmserver>
    <cspmserver_port></cspmserver_port>
    <cspmserver>node4</cspmserver>
    <cspmserver_port></cspmserver_port>
    <!-- Port the daemon listens to stubs on (for requests from client applications) -->
    <daemonserver1_port>27077</daemonserver1_port>
    <!-- Port the daemon listens to Password Authority server on -->
    <daemonserver2_port>28888</daemonserver2_port>
    <logfile>e:\cspm_agent\cloakware\cspmclient\log\cspm_client_log.txt</logfile>
    <!-- Set to OFF / INFO / FINE / WARNING to see logs from cspmclient executable stub -->
    <c_loglevel>FINE</c_loglevel>

    Why do you require or configure the VIP?