Symantec Privileged Access Management

  • 1.  PAM Agent and TCP/UDP Services (e.g. MSSQL Server)

    Posted Jan 13, 2020 04:21 AM

    Hi to all
    I'm using the PamAgent. I find it convenient to use my client, e.g. MobaXterm, to connect via SSH or RDP using the "real" IP of the devices.

    I would also like to use it for TCP / UDP services.

    So I created a TCP / UDP service on TCP port 1433 in this way




    I connected it to a device that hosts MSSQL Server

    When I enable the service from the PAM agent it seems to work: by telnetting to the "true" IP of the server on port 1433 I get a connection! (Before enabling the service, it did not go.)
    But when I try to connect with the SSMS client it doesn't work, I get a timeout.

    What am I doing wrong?

    Thanks in advance



  • 2.  RE: PAM Agent and TCP/UDP Services (e.g. MSSQL Server)
    Best Answer

    Broadcom Employee
    Posted Jan 14, 2020 11:21 AM
    Edited by Christopher Hackett Jan 21, 2020 05:59 PM
    Depending on your MSSQL configuration, the SSMS client may need to connect on another/different port. According to the MS SQL Server documentation, 1433 TCP would be adequate for "connections to the default installation of the Database Engine, or a named instance that is the only instance running on the computer". If you have multiple named instances, it uses 1433 UDP to determine a dynamic port and connects using that (which would likely not work with PAM). To get it to work in this scenario you would probably need to assign your named instances a static port and allow that port through the agent.

    If the above doesn't apply, then it's possible it's just a limitation of the agent. According to the documentation, the Agent has support for limited services (no mention of generic port mapping services): https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/deploying/deploy-the-ca-pam-access-agent-for-windows.html

    It's possible that the agent only allows specific types/formats of data through the connection. Because telnet is supported, it has no trouble establishing that connection, but it may not know how to handle the traffic from the SSMS client?

    The PAM agent is a new feature that will likely be improved in future releases; so if it doesn't work today, it may in a future release.  I suggest posting an ideation, just to let the developers know of your interest in this use case.
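The answer above recommends giving a named instance a static port and publishing only that port through the agent. The following PowerShell script is an added example, not code from the poster or from Broadcom: it reads the instance's TCP configuration from the registry keys that SQL Server Configuration Manager writes, reports whether the instance is on a static or a dynamic port, tests the TCP path a client would take, and prints the explicit `host,port` server name that lets SSMS or sqlcmd connect without the UDP-based SQL Browser lookup. It assumes it is run on the SQL Server host with administrative rights; the instance name `SQLEXPRESS` and host address `localhost` are placeholders.

```powershell
# Added example (not from the original post): report whether a SQL Server instance
# listens on a static or a dynamic TCP port, test reachability, and show the
# 'host,port' connection form. Run on the SQL Server host with admin rights.
param(
    [string]$InstanceName = 'SQLEXPRESS',   # assumed instance name (placeholder)
    [string]$HostAddress  = 'localhost'     # host name/IP as the client would see it
)

function Get-SqlInstanceTcpPort {
    param([Parameter(Mandatory)][string]$InstanceName)

    # Map the instance name (e.g. SQLEXPRESS) to its instance ID (e.g. MSSQL15.SQLEXPRESS).
    $names = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $instanceId = $names.$InstanceName
    if (-not $instanceId) { throw "Instance '$InstanceName' not found in the registry." }

    $tcpKey     = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
    $tcpEnabled = (Get-ItemProperty $tcpKey).Enabled -eq 1
    $ipAll      = Get-ItemProperty "$tcpKey\IPAll"

    # A non-empty TcpDynamicPorts means the engine chose its port at startup and
    # clients must discover it over UDP, which a per-port agent mapping cannot carry.
    # A value in TcpPort with TcpDynamicPorts empty is a fixed, publishable port.
    [pscustomobject]@{
        Instance        = $InstanceName
        InstanceId      = $instanceId
        TcpEnabled      = $tcpEnabled
        StaticPort      = if ($ipAll.TcpPort)         { [int]$ipAll.TcpPort }         else { $null }
        DynamicPort     = if ($ipAll.TcpDynamicPorts) { [int]$ipAll.TcpDynamicPorts } else { $null }
        UsesDynamicPort = [bool]$ipAll.TcpDynamicPorts
    }
}

$info = Get-SqlInstanceTcpPort -InstanceName $InstanceName
$info | Format-List

if (-not $info.TcpEnabled) {
    Write-Warning "TCP/IP is disabled for $InstanceName; enable it in SQL Server Configuration Manager."
}
elseif ($info.UsesDynamicPort) {
    $msg = '{0} is on dynamic port {1}, which can change after a restart. ' +
           'Set TcpPort to a fixed value, clear TcpDynamicPorts, restart the service, ' +
           'and publish only that port through the agent.'
    Write-Warning ($msg -f $InstanceName, $info.DynamicPort)
}

# Whichever port is in use right now, check the TCP path the client will take and
# print the explicit server name; 'host,port' makes SSMS/sqlcmd skip SQL Browser.
$port = if ($info.StaticPort) { $info.StaticPort } else { $info.DynamicPort }
if ($port) {
    $reach = Test-NetConnection -ComputerName $HostAddress -Port $port -WarningAction SilentlyContinue
    'TCP {0}:{1} reachable: {2}' -f $HostAddress, $port, $reach.TcpTestSucceeded
    'Connect SSMS or sqlcmd with server name: {0},{1}' -f $HostAddress, $port
}
```

Running this on the database host before and after setting the static port shows the two things the troubleshooting above hinges on: whether the instance still depends on a dynamic port, and whether plain TCP to the published port succeeds. If the TCP test passes through the agent but the SSMS login still times out, the remaining suspect is the agent's handling of the SQL client traffic itself, as the answer suggests.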