Symantec Privileged Access Management

  • 1.  One Click Approval Server Host Name

    Posted Nov 29, 2022 01:34 AM
    Our customer is considering changing the IP address of the proxy (an IP other than the one assigned to CA PAM), referring to the contents of "Configure the Email Server from the UI" (https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-1/implementing/protect-privileged-account-credentials/configure-email-preferences-for-password-view-policies.html).

    Please answer the following questions so that they can consider the implementation.

    Q1:
    They would configure the proxy side to include the parameters and transfer them to the CA PAM server.
    In this case, is it possible to process the approval/rejection request correctly?

    If it is possible, and there are any points that need to be modified other than "One Click Approval Server Host Name", please let me know the modifications and the procedure.

    Please let me know if there is any impact on other processes when changing the IP address of "One Click Approval Server Host Name" (including other places that need to be changed).

    Q2:
    If not possible, is there a way to do something similar to Q1?


  • 2.  RE: One Click Approval Server Host Name

    Broadcom Employee
    Posted Nov 30, 2022 12:52 AM

    I am not sure where a proxy comes into this question.

    If I am understanding your question correctly, no, there is no other impact on other processes when changing the IP address of "One Click Approval Server Host Name".  This is simply used in the email templates to populate the "@ApprovalURL@" and "@DenialURL@" values (it appends the appropriate API calls to the host name you specify).

    To process approval/rejection requests, the "One Click Approval Server Host Name" field simply needs to contain a valid URL for the PAM server.  It can be an IP address, or a DNS FQDN that is resolvable from the systems that will be used to approve/reject such requests.  It does not need to be the same as the FQDN/IP that users use to access PAM (but it does need to actually reach the PAM server).

    Of course, the approval workflow involves an SSL connection, so you would want to make sure that the address used is in the SSL certificate as the subject or a subject alternative name.

    I hope this helps... if not, please clarify the question.
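The certificate check described in the reply above, as an added example that is not part of the original post or of the PAM product: it takes the value a customer would put in "One Click Approval Server Host Name" (assumed here to be either a bare host/IP or an https URL), fetches the certificate the PAM server presents, and reports whether that value is covered by a subject alternative name. The host names, IP addresses and certificate contents in the code and test are constructed for illustration; the certificate dictionary shape is the one returned by Python's `ssl.SSLSocket.getpeercert()`. A subject commonName alone is deliberately not accepted, because current browsers and TLS libraries ignore it.

```python
"""Verify that the host configured as "One Click Approval Server Host Name"
is present in the PAM server's certificate (DNS or IP Address SAN).

Added example; not code from the forum thread or from Symantec PAM.
"""
import ipaddress
import socket
import ssl
from typing import Optional
from urllib.parse import urlsplit


def host_from_field(field_value: str) -> str:
    """Extract the host part from the field value.

    The field may hold a bare FQDN/IP or a full URL (assumption); a URL's
    scheme, port and path are stripped so only the host is matched.
    """
    value = field_value.strip()
    if "://" not in value:
        value = "https://" + value
    host = urlsplit(value).hostname  # lowercased, IPv6 brackets removed
    if not host:
        raise ValueError(f"no host in field value: {field_value!r}")
    return host


def _dns_label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost '*' label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    # '*' covers exactly one label and never the registrable domain itself.
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def hostname_covered(cert: dict, configured_host: str) -> bool:
    """True if configured_host is listed in subjectAltName.

    IP literals are matched only against 'IP Address' entries, names only
    against 'DNS' entries. A CN-only certificate yields False on purpose.
    """
    try:
        ip: Optional[ipaddress._BaseAddress] = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_label_match(value, configured_host):
            return True
    return False


def fetch_cert(host: str, port: int = 443, cafile: Optional[str] = None,
               timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate PAM presents on the given port.

    Hostname checking is turned off so that a mismatched name still
    completes the handshake, but chain verification stays on: getpeercert()
    returns an empty dict unless the chain was verified. Pass cafile for an
    internal CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_field(field_value: str, cert: dict) -> bool:
    """Convenience wrapper: does the configured field value match the cert?"""
    return hostname_covered(cert, host_from_field(field_value))


if __name__ == "__main__":
    import sys
    # Usage: python check_pam_san.py <field value> [cafile]
    field = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    cert = fetch_cert(host_from_field(field), cafile=ca)
    print("covered" if hostname_covered(cert, host_from_field(field)) else "NOT covered")
```

Run it from a machine that approvers will actually use, since that is where the DNS name must resolve and the certificate chain must be trusted; if it prints "NOT covered", the one-click links will fail the TLS hostname check in the approver's browser even though the PAM server is reachable.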




  • 3.  RE: One Click Approval Server Host Name

    Posted Dec 06, 2022 03:23 AM
    Hi Joseph-San,

    Thank you for your message.

    I have re-summarized the question.

    The customer is considering implementing multi-factor authentication with Azure AD Application Proxy as part of security enhancement.

    The current approval/rejection flow at CA PAM is handled by clicking on a URL in an e-mail sent to the approver.
    They would like to change this process so that when the URL is clicked, the Azure AD Application Proxy URL is displayed and multi-factor authentication is performed before approval or rejection.

    Please let us know if this kind of processing is possible.
    If so, please let us know the procedure.


    Best Regards,
    Marubun Support


  • 4.  RE: One Click Approval Server Host Name

    Broadcom Employee
    Posted Dec 06, 2022 11:04 AM
    Edited by Joseph Fry Dec 06, 2022 11:04 AM
    Interesting question.  Unfortunately I am not certain if this is possible or not.

    That said, you can put any IP/FQDN you wish in the "One Click Approval Server Host Name" field.  If you place the AWS application proxy URL there, then the one click approvals will go to that host (with additional properties in the URL).  In theory, if the AWS application proxy allows it, you could authenticate the user, then use the proxy to send/forward the API call to PAM with all of the additional properties intact to approve/reject the request.

    I am sure I could do that with our Layer7 API Gateway, but I don't know enough about the AWS Application Proxy to know what it is capable of.

    Perhaps someone else has seen/done this, however I suspect this will be something you will need to figure out on your own since this is more of an AWS function, than a PAM function.