Hi Nadja, 2 options which can remove the need for a VPN:
1. Provide a VDI/VM in your DMZ which your contractors can log into. The PAM client can be installed on those VMs and they can work on PAM from there.
2. Set up routing on an external IP address to forward port 443 to PAM on your internal network. That way they can browse to PAM's web console or connect with the Java client.
Port | Source              | Destination | Notes
-----|---------------------|-------------|------
443  | Client workstations | Appliance   | Required for HTTPS access to Appliance.
     |                     | Appliance   | Users without installed Java can use the client instead of a browser.
     |                     | Appliance   | Required for HTTPS access to Appliance.
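Option 2 above, as an added example that is not from the reply or from CA/Broadcom documentation: an nftables ruleset for the DMZ edge host that forwards TCP/443 on the public address to the internal PAM appliance, and only from an allow-list of contractor source networks, so PAM's own MFA is not the only control in front of the login page. All addresses are constructed placeholders, and the rendering/check function names are the example's own.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that DNATs TCP/443 on the DMZ edge
# to the internal PAM appliance for allow-listed contractor sources only.
EXT_IP="203.0.113.10"                        # public address contractors browse to (placeholder)
PAM_IP="10.20.30.40"                         # internal PAM appliance (placeholder)
ALLOWED_SRC="198.51.100.0/24 192.0.2.16/28"  # contractor egress ranges (placeholders)

# Print the ruleset to stdout; apply with:  render_pam_dnat_ruleset ... | nft -f -
# No source NAT is done on purpose: PAM's audit log then keeps the real client IP,
# so the appliance's return route must pass back through this edge host.
render_pam_dnat_ruleset() {
    ext_ip=$1; pam_ip=$2; allowed=$3
    set_members=$(printf '%s' "$allowed" | sed 's/ /, /g')
    cat <<EOF
table ip pam_edge {
    set contractors {
        type ipv4_addr
        flags interval
        elements = { $set_members }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr $ext_ip tcp dport 443 ip saddr @contractors dnat to $pam_ip:443
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ip daddr $pam_ip tcp dport 443 ip saddr @contractors ct state new accept
    }
}
EOF
}

# Parse-check the rendered ruleset with nft -c when nft is installed
# (-c checks without applying); otherwise just confirm it renders.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        render_pam_dnat_ruleset "$@" | nft -c -f -
    else
        render_pam_dnat_ruleset "$@" >/dev/null
    fi
}
```

The forward chain's drop policy means this host forwards nothing but the PAM flow; anything else that must transit the edge needs its own accept rule.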
Original Message:
Sent: 07-20-2019 05:18 AM
From: Nadja Kickinger
Subject: Access CA PAM from outside network
Could you please assist us with an architecture problem: Our current CA PAM setup is that it is only accessible from within our network. Now we want to make it accessible from the Internet as well (we have MFA enabled anyway) – as we have several service companies which need to access our environment. Currently they need to log in to our VPN and then to PAM. We want to get rid of VPN log on when we have MFA enabled in PAM anyway.
What is the best approach to realize this? Is there something like a CA PAM gateway we could put in our DMZ? How are other customers implementing this?
It would be great to receive feedback. I would have gotten in touch with your Broadcom architect who was helping us the last months, but apparently he is not working for you anymore.
Thanks
Nadja