Symantec Privileged Access Management


MAC OS Client Can't Access WebPortal & RDP Application

  • 1.  MAC OS Client Can't Access WebPortal & RDP Application

    Posted Oct 04, 2019 01:15 AM
    Hi,

    One of my users can't access their devices using WebPortal & RDP Application; he can only access them using SSH.
    Here's the error he got:


    The weird thing is, his team, which has the same Policy & Group, can access all devices normally,
    and his team is also using Mac OS.

    thank you.


  • 2.  RE: MAC OS Client Can't Access WebPortal & RDP Application

    Broadcom Employee
    Posted Oct 04, 2019 02:06 AM
    Hello Dhani,

    Can you check for a few basic things from the CA PAM client of the user who is having a problem:

    - Is this user able to ping and resolve the target host names properly?
    - Do any firewall or network rules exist specifically for the IP from which this user is connecting?
    - What happens if this user tries to connect to the same target hosts from a different Mac OS host?

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: MAC OS Client Can't Access WebPortal & RDP Application

    Posted Oct 04, 2019 03:11 AM
    Hello Reatesh,

    1. If by "target host" you mean the "Device" he's trying to access, then the answer is NO.
    We have disabled direct access, and everyone is connecting through PAM.

    2. To connect through PAM they have to use a VPN that can access the PAM IPs, and he's using office wifi.

    3. When he tried to access PAM using his PAM user on another device, it worked fine.

    thank you.
    Dhani.


  • 4.  RE: MAC OS Client Can't Access WebPortal & RDP Application

    Broadcom Employee
    Posted Oct 04, 2019 04:36 AM
    Hello Dhani,

    The same user is able to access the target devices from other Mac host -- good to know.

    I am a bit confused: does the user who has the problem connect to the office network using VPN, or does this user have the problem even when he/she is in the office and using the Wifi connection?

    I would recommend verifying the security settings on the Mac OS, since the same user is able to connect to the target hosts when using another Mac host.

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 5.  RE: MAC OS Client Can't Access WebPortal & RDP Application

    Posted Oct 04, 2019 06:19 AM
    Hello Reatesh,

    The rule is that for all connections to their production they need to use the RSA VPN, so there's no direct access.
    So in the office they either use the WiFi (which only accesses the internet, not their prod) or their own mobile connection.
    I hope I explained it clearly.

    He tried turning off the Firewall setting in the security settings, but still got the same error.

    does this error have any KB or something?

    thank you.



  • 6.  RE: MAC OS Client Can't Access WebPortal & RDP Application

    Posted Oct 11, 2019 05:42 AM
    Hello Reatesh,

    I've got another error from my customer:


    They say they get this error repeatedly when they log in, change page, and restart session,
    and it only happens on the Mac OS client.

    What could be the solution for this and the previous error?
    Please help.

    thank you.
    Dhani.


  • 7.  RE: MAC OS Client Can't Access WebPortal & RDP Application

    Broadcom Employee
    Posted Oct 11, 2019 06:56 AM
    Hello Dhani,

    This is quite a common message, we have a KB article on how to fix this pop-up message.

    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=47012

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 8.  RE: MAC OS Client Can't Access WebPortal & RDP Application

    Broadcom Employee
    Posted Oct 15, 2019 06:59 PM
    Reatesh,

    I would advise against using 127.0.0.1 in any service you create. Essentially, this error comes up when the port is already in use, by PAM or another service on the system. Because 127.0.0.1 is considered the local loopback IP, network services running on the client may be listening on this address.

    For example, if someone enabled the SSH server on their Mac workstation, they may get this error every time they log into PAM because it may be listening on port 22. Or if they run a local webserver for development purposes, then 127.0.0.1:80 would be in use.

    If you create your services using any other 127.x.x.x address, the chances of a conflict are greatly reduced.

    That said, even if there is no service running on that IP/port, PAM will be using that port, and clicking restart session may generate that error since the PAM client is already using it.



  • 9.  RE: MAC OS Client Can't Access WebPortal & RDP Application

    Posted Oct 16, 2019 01:20 AM
    Hi Joseph,

    As you said, some of the clients still get that error even though there's no service running on that IP/port,
    which is why it still confuses me why only this one Mac OS client got the two errors I asked about in my first question.

    I've tried searching for that error but got nothing,
    and I thought maybe it was because of the IP loopback alert, but it's not.

    So is there any solution for this error?

    thank you.
    Dhani.


  • 10.  RE: MAC OS Client Can't Access WebPortal & RDP Application
    Best Answer

    Broadcom Employee
    Posted Oct 16, 2019 12:35 PM
    You also said that it only happened after doing a "Restart Session". When PAM starts it binds the ports for any services assigned to the user. If you do a "restart session" it attempts to rebind those ports. You get the error after a restart session because PAM already has the port in use.

    You will also see this issue if you log into two PAM appliances in the same cluster, since the first one will have the ports bound.

    This should happen on Windows systems too... assuming the user has a policy for a service that creates a static IP/port mapping.

    If it happens all the time (not just on restart session) it may be this, from the link Reatesh provided:
    4) Mac systems have a limitation where these TCP/UDP ports must be above 1024 to work properly.
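    The two Broadcom replies above (posts 8 and 10) explain the mechanism: at login the PAM client binds each service's static loopback IP/port mapping, so a local listener already on that address (sshd on 22, a dev web server on 80) or a port below 1024 on a Mac produces the pop-up. The script below is an added example, not code from the thread or from Broadcom, that an administrator can run on a client to find such conflicts before assigning mappings. It assumes nothing about the PAM client's internals: it simply attempts the same plain TCP bind the client would, and flags anything that fails or sits on a privileged port. The sample mapping list is constructed for illustration.

```python
import socket
from dataclasses import dataclass


@dataclass
class MappingCheck:
    ip: str
    port: int
    bindable: bool     # True if a fresh socket could bind ip:port right now
    privileged: bool   # True for ports < 1024, which the KB says Mac clients cannot use
    reason: str        # OS error text when the bind failed, empty otherwise


def check_mapping(ip: str, port: int) -> MappingCheck:
    """Attempt a plain TCP bind on ip:port and report the outcome.

    SO_REUSEADDR is deliberately not set: an existing listener on the address
    must make this fail, just as it would for a client setting up the mapping.
    """
    privileged = port < 1024
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind((ip, port))
        return MappingCheck(ip, port, True, privileged, "")
    except OSError as exc:
        # EADDRINUSE: something (sshd, a dev web server, or a PAM session that
        # still holds the port) is already bound there.
        # EADDRNOTAVAIL: on macOS a 127.x.x.x address other than 127.0.0.1 is
        # not present on lo0 unless an alias was added, so the bind cannot
        # even be attempted; on Linux the whole 127/8 block is on lo.
        return MappingCheck(ip, port, False, privileged, exc.strerror or str(exc))


def conflicts(mappings):
    """Return the checks for every (ip, port) that cannot be bound or is privileged."""
    return [c for c in (check_mapping(ip, p) for ip, p in mappings)
            if not c.bindable or c.privileged]


def occupy(ip: str, port: int = 0) -> socket.socket:
    """Open a listener on ip:port (port 0 = ephemeral) to simulate a local service.

    The caller closes the returned socket; getsockname() gives the chosen port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((ip, port))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Constructed sample policy: the two cases named in the thread plus a
    # mapping on a non-127.0.0.1 loopback address above 1024.
    sample = [("127.0.0.1", 22), ("127.0.0.1", 80), ("127.0.0.2", 33389)]
    for c in conflicts(sample):
        flag = "privileged port" if c.privileged else "in use / unavailable"
        print(f"{c.ip}:{c.port} -> {flag} {c.reason}".rstrip())
```

Run it as the same user who runs the PAM client, with the client logged out, so that what it sees matches what the client will see at login. A mapping that fails only while a session is active is the rebind case Joseph describes, not a third-party conflict.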





  • 11.  RE: MAC OS Client Can't Access WebPortal & RDP Application

    Broadcom Employee
    Posted Oct 16, 2019 04:50 PM
    Sorry to reply to myself.  A coworker informed me that restarting a session should release and then rebind the ports... so there should be no conflicts when doing a restart session with a single client.  I tested and can confirm this is not an issue on the Windows client, I cannot confirm on the Mac client.

    The rest of what I said stands.