Hi Joseph-San,
Thank you for your message.
I have re-summarized the question.
The customer is considering implementing multi-factor authentication with Azure AD Application Proxy as part of a security enhancement.
The current approval/rejection flow at CA PAM is handled by clicking on a URL in an e-mail sent to the approver.
They would like to change this process so that when the URL is clicked, the Azure AD Application Proxy URL is displayed and multi-factor authentication is performed before approval or rejection.
Please let us know if this kind of processing is possible.
If so, please let us know the procedure.
Best Regards,
Marubun Support
Original Message:
Sent: Nov 30, 2022 12:51 AM
From: Joseph Fry
Subject: One Click Approval Server Host Name
I am not sure where a proxy comes into this question.
If I am understanding your question correctly, no, there is no other impact on other processes when changing the IP address of "One Click Approval Server Host Name". This is simply used in the email templates to populate the "@ApprovalURL@" and "@DenialURL@" values (it appends the appropriate API calls to the host name you specify).
To process approval/rejection requests, the "One Click Approval Server Host Name" field simply needs to contain a valid URL for the PAM server. It can be an IP address, or DNS FQDN that is resolvable from the systems that will be used to approve/reject such requests. It does not need to be the same as the FQDN/IP that users use to access PAM (but it does need to actually reach the PAM server).
Of course, the approval workflow involves an SSL connection, so you would want to make sure that the address used is in the SSL certificate as the subject or a subject alternative name.
I hope this helps... if not, please clarify the question.
Original Message:
Sent: Nov 29, 2022 01:34 AM
From: MARUBUN SUPPORT
Subject: One Click Approval Server Host Name
Our customer is considering changing the IP address of the proxy (an IP other than the one assigned to CA PAM), referring to the contents of "Configure the Email Server from the UI" (https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-1/implementing/protect-privileged-account-credentials/configure-email-preferences-for-password-view-policies.html).
Please answer the following questions so that they can consider the implementation.
Q1:
They configure the proxy side to include parameters and transfer them to the CA PAM server.
In this case, is it possible to correctly process the approval/rejection request?
If possible, if there are any points that need to be modified other than "One Click Approval Server Host Name", please let me know the modifications and the procedure.
Please let me know if there is any impact on other processes when changing the IP address of "One Click Approval Server Host Name" (including other places that need to be changed).
Q2:
If not possible, is there a way to do something similar to Q1?