Symantec Privileged Access Management


PAM Agent and TCP/UDP Services (e.g. MSSQL Server)

  • 1.  PAM Agent and TCP/UDP Services (e.g. MSSQL Server)

    Posted 8 days ago

    Hi to all,
    I'm using the PAM Agent. I find it convenient to use my client (e.g. MobaXterm) to connect over SSH or RDP using the "real" IP of the devices.

    I would also like to use it for TCP / UDP services.

    So I created a TCP/UDP service on TCP port 1433 in this way:

    I connected it to a device that hosts MSSQL Server.

    When I enable the service from the PAM Agent it seems to work: by telnetting to the "true" IP of the server on port 1433 I get a connection! (Before enabling the service, it did not work.)
    But when I try to connect with the SSMS client it doesn't work; I get a timeout.

    What am I doing wrong?

    Thanks in advance



  • 2.  RE: PAM Agent and TCP/UDP Services (e.g. MSSQL Server)
    Best Answer

    Posted 7 days ago
    Edited by Joseph Fry an hour ago
    Depending on your MSSQL configuration, the SSMS client may need to connect on another/different port. According to the MS SQL Server documentation, 1433 tcp would be adequate for "connections to the default installation of the Database Engine, or a named instance that is the only instance running on the computer". If you have multiple named instances, it uses 1433 udp to determine a dynamic port and connects using that (which would likely not work with PAM). To get it to work in this scenario you would probably need to assign your named instances a static port and allow that port through the agent.

    If the above doesn't apply, then it's possible it's just a limitation of the agent. According to the documentation, the Agent has support for limited services (no mention of generic port mapping services): https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/deploying/deploy-the-ca-pam-access-agent-for-windows.html

    It's possible that the agent only allows specific types/formats of data through the connection. Because telnet is supported, it has no trouble establishing that connection, but it may not know how to handle the traffic from the SSMS client?

    The PAM agent is a new feature that will likely be improved in future releases; so if it doesn't work today, it may in a future release.  I suggest posting an ideation, just to let the developers know of your interest in this use case.
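The following is an added example, not code from the thread or from Broadcom/Symantec PAM. It shows, for the three ways SSMS lets you name a server, which port the client will actually open and whether it first has to ask the SQL Server Browser service. The Browser speaks the SSRP protocol on UDP 1434: the client sends a one-byte CLNT_UCAST_EX (or CLNT_UCAST_INST plus an instance name) and gets back a SVR_RESP that lists each instance with its `tcp` port. A PAM service that forwards only TCP 1433 never carries that UDP exchange, so `host\instance` resolution fails and SSMS times out, while `host` (default instance) and `host,port` (static port) never touch the Browser at all. The hostname `SQLHOST`, the instance `SQLEXPRESS`, the dynamic port 49172 and the SVR_RESP datagram are all constructed for the example.

```python
"""Work out which TCP port SSMS would use for a SQL Server target, and whether
it needs the SQL Server Browser (SSRP, UDP 1434) to find it.

Added example for the thread above; not part of PAM or of any Microsoft code.
"""
from __future__ import annotations

import socket
import struct

SSRP_PORT = 1434            # SQL Server Browser listens on UDP 1434
SVR_RESP = 0x05             # first byte of every Browser reply
DEFAULT_TCP_PORT = 1433     # default instance, no Browser lookup needed


def build_request(instance: str | None = None) -> bytes:
    """CLNT_UCAST_EX (0x02, list all instances) or CLNT_UCAST_INST (0x04 + name + NUL)."""
    if instance is None:
        return b"\x02"
    return b"\x04" + instance.encode("ascii") + b"\x00"


def parse_svr_resp(datagram: bytes) -> dict[str, dict[str, str]]:
    """Parse a SVR_RESP: 0x05, little-endian u16 length, then ';'-separated
    key;value pairs per instance, instances separated by ';;'."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    body = datagram[3:3 + size].decode("ascii", errors="replace")
    instances: dict[str, dict[str, str]] = {}
    for entry in body.split(";;"):
        if not entry:
            continue
        fields = entry.split(";")
        kv = dict(zip(fields[0::2], fields[1::2]))
        instances[kv["InstanceName"].upper()] = kv
    return instances


def plan_connection(server: str, browser_datagram: bytes | None = None) -> tuple[int, str]:
    """Return (tcp_port, how) for an SSMS-style server string.

    'host'           -> 1433, TCP only
    'host,port'      -> that port, TCP only (this is what a static port gives you)
    'host\\instance' -> port advertised by the Browser; needs the UDP 1434 reply
    """
    host_part, _, port_part = server.partition(",")
    if port_part:
        return int(port_part), "explicit port, TCP only"
    _host, _, instance = host_part.partition("\\")
    if not instance:
        return DEFAULT_TCP_PORT, "default instance, TCP only"
    if browser_datagram is None:
        raise LookupError(f"{server}: named instance needs the Browser reply on UDP {SSRP_PORT}")
    entry = parse_svr_resp(browser_datagram).get(instance.upper())
    if entry is None or "tcp" not in entry:
        raise LookupError(f"{server}: instance not advertised by the Browser, or TCP disabled")
    return int(entry["tcp"]), f"dynamic port from Browser via UDP {SSRP_PORT}"


def query_browser(host: str, instance: str | None = None, timeout: float = 2.0) -> bytes:
    """Send the SSRP request to a live host and return the raw SVR_RESP (not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(instance), (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return data


# Constructed SVR_RESP: a default instance on 1433 plus a named instance
# SQLEXPRESS that landed on dynamic port 49172 (all values made up for the example).
_BODY = (
    "ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;Version;15.0.2000.5;tcp;1433;;"
    "ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;Version;15.0.2000.5;tcp;49172;;"
)
SAMPLE_SVR_RESP = bytes([SVR_RESP]) + struct.pack("<H", len(_BODY)) + _BODY.encode("ascii")


if __name__ == "__main__":
    for target in ("sqlhost", "sqlhost,49172", "sqlhost\\sqlexpress"):
        print(target, "->", plan_connection(target, SAMPLE_SVR_RESP))
    try:
        plan_connection("sqlhost\\sqlexpress")          # no UDP path, as through a TCP-only forwarder
    except LookupError as exc:
        print("fails without Browser:", exc)
```

Once a named instance has been given a static port, connect to it as `host,port` (the second form above): the client then opens a single TCP connection to that port and the Browser is never consulted, which is the configuration the answer suggests allowing through the agent.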