Symantec Privileged Access Management

 About the access route to the server using PAM

MARUBUN SUPPORT posted Jan 26, 2023 03:48 AM
Hi Team,

Our customer has questions about PAM 4.0.2.

[Questions]
If we are using AD account to log in to the target server to connect to, we believe that we need to change the AD account password via PAM.
And in that case, we think the access route will be either Pattern-1 or Pattern-2 below.

Pattern-1: PAM server -> PAM Proxy (27077) -> Target server (445) and PAM server for changing domain account passwords -> AD server (636)
Pattern-2: PAM server -> PAM Proxy (27077) -> Target server (445) and PAM server for changing domain account passwords -> PAM Proxy(27077) -> AD server (445)

* ( nnn ) : nnn means the port number used.

Which is correct, Pattern-A or Pattern-B?

Best Regards,
Marubun Support
Broadcom Employee Ralf Prigl
Sorry, I can't make sense out of this. Your description muddles target device access with password management.
Password management of AD accounts should use the Active Directory target connector, which makes a direct connection from the PAM server to the AD controller(s) on port 636.
Target device access makes a direct connection from the PAM server to port 3389 on the RDP server.

PAM server -> PAM Proxy (27077) -> Target server (445) (nothing else) would be the connection chain for a PAM Windows Proxy updating the password of a local account on a remote Windows server. It would apply to the use case you are describing, so the direct answer to your question is that neither pattern A nor pattern B is correct.
MARUBUN SUPPORT
Dear Ralf-san,

Thank you for your quick response.

I describe my understanding as MyUnderstanding-1 and MyUnderstanding-2 in relation to my question.

1. MyUnderstanding-1
If I select "Domain Controllers are on servers" for "Domain Account" in the "Windows Proxy tab" settings, I believe that the PAM server will access the AD server to change the password.
Is it correct?

2. MyUnderstanding-2
If my thinking is correct, the PAM server accesses the target server via PAM Proxy, and if the AD account password is changed at this time, the AD server is also accessed.
Is it correct?

I believe that if both MyUnderstanding-1 and MyUnderstanding-2 are correct, the access route will be either Pattern-1 or Pattern-2.
If my understanding is wrong, please point it out.


Best Regards,
MARUBUN SUPPORT
Broadcom Employee Ralf Prigl
Hello. If you use the PAM proxy to manage domain accounts, which should not be done unless there are firewall restrictions preventing direct access to the domain controllers from the PAM server, the path is PAM server -> PAM Proxy (27077) -> Domain controller (636). For target server access the path is PAM server -> Target server (3389), as mentioned before. The PAM Proxy is not involved in this path.
MARUBUN SUPPORT
Dear Ralf-san,

Thank you for your quick response.

Q1:
I would like to know about the following in your answer.
> If you use the PAM proxy to manage domain accounts, which should not be done,
> unless there are firewall restrictions preventing direct access of the domain controllers
> from the PAM server, the path is PAM server -> PAM Proxy (27077) -> Domain controller (636).

Please let me know what kind of problems will occur if the PAM Server directly accesses the domain controller in a system where the firewall does not prohibit direct access.
If the problem doesn't occur, does that mean I don't need to use the Windows Proxy connector unless the firewall prevents direct access?

Q2:
I couldn't find any description of the "PAM server -> PAM Proxy (27077) -> Domain controller (636)" connection route in "IP Addresses and Ports for Network Connectivity" (*1).
Please let me know if I can consider this route as a viable route.

*1: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-2/deploying/ip-addresses-and-ports-for-network-connectivity.html

Q3:
Currently, in the customer's network environment, communication on PAM Server -> Domain controller (636) is not possible, and an error has occurred in account authentication.
For this reason, in the case of the "PAM Server -> PAM Proxy (27077) -> Domain controller (636)" connection route, please let me know if it is possible to change the AD account password correctly even if "PAM Server -> Domain controller (636)" communication is not possible.

Best Regards,
MARUBUN SUPPORT
Broadcom Employee Ralf Prigl
A1 - Documentation page Add a Windows Proxy Connector discusses what this connector should be used for and points to the Active Directory target connector for management of domain accounts. That's what most customers use and it's working.
A2 - Documentation page Default Ports for Credential Manager documents PAM Server -> PAM Proxy (27077) and PAM Proxy -> AD domain controllers (636) for management of domain accounts. The section about the Windows Proxy is not as clear as it could be, but there can hardly be a real question about what the connection should be. The proxy needs to connect to the port that the domain controllers are listening on. That shouldn't require further clarifications.
A3 - Yes, if direct communication from PAM to AD domain controllers is not allowed, then the Windows Proxy would have to be used. This is covered in previous updates here. An obvious alternative would be to open the firewall and let (only) PAM connect to the domain controllers directly.
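The legs and ports named in this thread, turned into a small connectivity check. This is an added example, not Broadcom code or part of the original posts; host names are constructed placeholders, and each TCP probe only means something when run from that leg's source host (the PAM server or the Windows Proxy host).

```python
import socket
from typing import Callable, Dict, Tuple

# Ports quoted in the thread for PAM 4.0.x.
LDAPS = 636      # PAM server (or Windows Proxy) -> AD domain controller
PROXY = 27077    # PAM server -> PAM Windows Proxy
RDP = 3389       # PAM server -> target Windows server (session access, no proxy)
SMB = 445        # Windows Proxy -> target Windows server (local account password update)

Leg = Tuple[str, str, int]   # (source label, destination host, destination port)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect probe; run it from the leg's source host for a meaningful answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ad_password_route(direct_dc_ok: bool, pam_to_proxy_ok: bool, proxy_to_dc_ok: bool) -> str:
    """Pick the AD password-management route the thread describes.

    Preferred: Active Directory target connector, PAM server -> DC (636) directly.
    Fallback only when the firewall blocks that leg: PAM server -> Windows Proxy
    (27077) -> DC (636). Anything else means a firewall change is needed.
    """
    if direct_dc_ok:
        return "direct"
    if pam_to_proxy_ok and proxy_to_dc_ok:
        return "proxy"
    return "blocked"


def probe_legs(legs: Dict[str, Leg], probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe each named leg; the probe is injectable so recorded results can be replayed offline."""
    return {name: probe(host, port) for name, (_src, host, port) in legs.items()}


if __name__ == "__main__":
    # Constructed example hosts (assumed placeholders, not values from the thread).
    legs = {
        "pam_to_dc":    ("pam-server", "dc01.example.test",     LDAPS),
        "pam_to_proxy": ("pam-server", "winproxy.example.test", PROXY),
        "proxy_to_dc":  ("winproxy",   "dc01.example.test",     LDAPS),
        "pam_to_rdp":   ("pam-server", "target01.example.test", RDP),
        "proxy_to_smb": ("winproxy",   "target01.example.test", SMB),
    }
    results = probe_legs(legs)
    for name, ok in results.items():
        print(f"{name:14s} {'open' if ok else 'BLOCKED'}")
    print("AD password route:", ad_password_route(results["pam_to_dc"], results["pam_to_proxy"], results["proxy_to_dc"]))
```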