Symantec Privileged Access Management

 Windows Proxy Port Requirement

Nikola Milosavljevic posted Sep 26, 2022 05:47 AM
Hello,

We are managing a local account through the Windows Proxy connector and only ports TCP/3389 and TCP/445 are open towards the target Windows Server (as per the documentation here: default-ports-for-credential-manager and https://knowledge.broadcom.com/external/article?articleId=209959).

The errors that appear when trying to rotate the password are:
WindowsAgent: Error: 4662 : 1326-ERROR_LOGON_FAILURE
WindowsAgent: Error: 4674 : 1722-RPC_S_SERVER_UNAVAILABLE
2022-09-26T09:26:58.983+0000 SEVERE [TP9] com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd.invoke UpdateTargetAccountCmd.invoke 5067: 1722-RPC_S_SERVER_UNAVAILABLE

What are the requirements for password change?

Best regards,
Nikola
Broadcom Employee Ralf Prigl
Hello Nikola, Port 3389 would be irrelevant for the Windows Proxy, only port 445 needs to be open. Per KB 209957 you also need to make sure that SMB2 communication is allowed by the target server. You may need to check Windows event logs on the target server for other errors while the Windows Proxy is trying to verify or update the target account. If you are using a service account for the update, make sure that account has the required privileges on the target server.
Nikola Milosavljevic
Hi Ralf,

The issue happened once ports TCP/135, 49152 through 65535, and 1024 through 4999 were disabled and only TCP/445 was left enabled; before that we could verify account passwords and rotate them.

SMB2 is enabled, checked it using
Get-SmbServerConfiguration | Select EnableSMB2Protocol
Which returns True on the target server. Are there any additional configurations that need to be performed for SMB2 to work with Windows Proxy? Or are ports 135 and others necessary as well?
Broadcom Employee Ralf Prigl
Hi Nikola, Not that I'm aware of. The Windows Remote target connector might be using those other ports, but for the Windows Proxy all communication should go through port 445. Did you find anything useful in the Windows Event logs on the target server? If you continue to have problems, please open a case with PAM Support.
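As an added diagnostic for the checks Ralf suggests (this is not code from the thread, from Broadcom or from PAM), assuming a PowerShell session on the Windows Proxy host with WinRM and admin rights on the target, and assumed parameter names: it tests only TCP/445, confirms SMB2 on the target, and pulls recent failed-logon events (ID 4625) so the 1326/1722 codes in the PAM log can be matched against the target's own view.

```powershell
# Added diagnostic, not part of the original thread. Run on the Windows Proxy host.
# $Target and $MinutesBack are assumed parameter names; adjust to your environment.
param(
    [Parameter(Mandatory)][string]$Target,   # target Windows server being managed
    [int]$MinutesBack = 30                    # how far back to scan the target's Security log
)

# 1. Only TCP/445 is required for the Windows Proxy, so that is the only port tested.
$tcp = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
[pscustomobject]@{ Check = 'TCP/445 reachable from proxy'; Result = $tcp.TcpTestSucceeded }

# 2. Confirm the target accepts SMB2 (queried remotely over WinRM, assumed enabled).
$smb2 = Invoke-Command -ComputerName $Target -ScriptBlock {
    (Get-SmbServerConfiguration).EnableSMB2Protocol
}
[pscustomobject]@{ Check = 'SMB2 enabled on target'; Result = $smb2 }

# 3. Meaning of the Win32 codes reported by the Windows agent in the PAM log.
$win32 = @{
    1326 = 'ERROR_LOGON_FAILURE: credentials rejected (bad password, disabled/locked account, or insufficient privilege)'
    1722 = 'RPC_S_SERVER_UNAVAILABLE: endpoint not reachable (port blocked or service not listening)'
}
$win32.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = "Win32 $($_.Key)"; Result = $_.Value }
}

# 4. Recent failed logons on the target. Logon type 3 (network) is what an SMB-based
#    verify/update uses; SubStatus tells you why the credential was rejected.
$since  = (Get-Date).AddMinutes(-$MinutesBack)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
$events = Get-WinEvent -ComputerName $Target -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $d.TargetUserName
        SourceIP  = $d.IpAddress          # should be the Windows Proxy host
        LogonType = $d.LogonType          # 3 = network
        SubStatus = $d.SubStatus          # 0xC000006A bad password, 0xC0000234 locked out, 0xC0000072 disabled
    }
}
```

If TCP/445 succeeds and SMB2 is enabled but no 4625 events appear at all, the request is not reaching the target's authentication path, which points at the filtering in front of the server rather than at the account.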