Socket Filter Agent Support

Socket Filter Agents (SFAs) are components that you can deploy to restrict access to and from server-based devices. SFAs are installed on a remote target device. For information about downloading and installing Socket Filter Agent software, see Install and Configure a Socket Filter Agent.
Socket filters apply rules that are used in access policies. These rules are specified by configuring socket filter lists from the CA PAM UI.
If an SFA is installed on a Windows system, the SFA filters do not get applied to VNC connections.
To configure SFA lists and policies, follow these procedures:
Create a Socket Filter List
A Socket Filter List (SFL) defines the sockets to which a Socket Filter Agent allows or denies access. An SFL can be a whitelist or a blacklist:
  • Blacklist: A blacklist denies access only to the listed services and ports. A user can request access to a device with a policy that has this blacklist. Any user that requests a socket on this list is denied access. The user is allowed access for sockets that are not on the blacklist.
  • Whitelist: A whitelist allows access only to the specified servers and ports. A user can request access to a device with a policy that has a whitelist. Any user that requests a socket that is on this list is allowed access. The user is denied access for sockets that are not on the whitelist.
Create an SFL using one of the following methods:
  • Use the SFL template in the UI. Use the procedure in this topic.
  • Import a CSV file. For instructions on how to import a CSV file and create an SFL, see Import or Export Socket Filter Lists.
    To ensure proper performance, define no more than 8000 sockets in each SFL.
Follow these steps to create a filter list:
  1. From the CA PAM UI, select Policies, Manage Policy Filters. The Policies page appears.
  2. Select the Socket Filters tab.
  3. Select the Add button. The Add Socket Filter window appears.
  4. Enter a Name for this socket filter list.
  5. Specify the type (blacklist or whitelist) in the Type field.
    • When used against LDAP users, socket filter whitelists must also include the IP addresses of the relevant domain controller or controllers. IP addresses can change in your environment, so whitelists can require active management. You might have to update the filters.
    • For PKI smartcard users, socket filters must be actively managed.
  6. Select the plus sign to Add a New Host.
  7. Enter the IP Address and ports to filter. The Ports field is limited to 512 characters.
  8. Select OK to save the settings.
The list is now effective, and available for inspection or editing on the Socket Filters list page.
Configure a Socket Filter Policy
Do not configure VNC access to log in to a Windows system installed with an SFA. This access method does not work with a Windows SFA.
Follow these steps:
  1. From the CA PAM UI, select Policies, Manage Policy Filters.
  2. Select the Socket Filters tab.
  3. Select the Config button. The Socket Filter Config pane appears, populated with default values.
  4. On the Basic Info tab, inspect these settings:
    • Agent Port
      The agent port must match the port where the agents are listening. The default is 8550.
    • SFA Monitoring
      Select this box to enable monitoring of socket filter agents. Agent status appears on the Devices, Socket Filter Agent page. Enable this option if policies disallow users from logging in to a device when an agent is not running.
    • Appliance ID
      Set a unique number (from 1 to 254) for each physical appliance, especially in a cluster. This ID is required for using SFAs with Windows.
    • Log All Access
      Select this box to log all access activity, whether a device is on a whitelist or is missing from a blacklist. A second-generation Socket Filter Agent installation is required.
  5. On the Messages tab, inspect these settings:
    • Violation Message
      Customize the message ("Access is denied") that appears to the user when a policy is violated. The following strings (including brackets) are substituted as specified:
      [host] is replaced by the IP address of the blocked host.
      [port] is replaced by the port of the blocked connection.
    • Violation Additional e-mail Message
      A text area for additional information that is sent to "super" if violations occur.
      Prerequisite: Administrator email must be configured.
    Double-byte characters are NOT permitted in email messages. They are permitted only in screen messages.
  6. On the Action tab, inspect these settings:
    • Number of Violations Before Action
      Set the number of violations that are permitted to occur. When the violation count reaches this threshold, the action that is specified in Action After Limit Exceeded is taken. Set this value to zero (0) if no count should be enforced. The count of violations is persistent on a per user-device basis regardless of how many times the user connects. Thus a user cannot reset the count by reconnecting and trying again.
    • Action After Limit Exceeded
      Select the appropriate action to comply with policy when the user exceeds the number of violations.
  7. Select OK to save the settings.
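The whitelist/blacklist semantics from Create a Socket Filter List, together with the [host]/[port] substitution and the persistent per user-device violation threshold from the Messages and Action tabs, modelled in Python as an added example (not CA PAM code). The exact IP and port matching, the 512-character check on the joined Ports field, and the request signature are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SocketFilterList:
    """One SFL as described above: a named whitelist or blacklist of host/port sockets."""
    name: str
    list_type: str                                   # "whitelist" or "blacklist"
    hosts: dict = field(default_factory=dict)        # {ip: set(ports)}

    def add_host(self, ip, ports):
        # Enforce the two limits stated on the page: the Ports field is at most
        # 512 characters, and an SFL should hold no more than 8000 sockets.
        # (Assumption: ports are joined with commas to measure the field length.)
        if len(",".join(str(p) for p in ports)) > 512:
            raise ValueError("Ports field exceeds 512 characters")
        if sum(len(s) for s in self.hosts.values()) + len(ports) > 8000:
            raise ValueError("SFL would exceed 8000 sockets")
        self.hosts.setdefault(ip, set()).update(ports)

    def allows(self, ip, port):
        listed = port in self.hosts.get(ip, set())
        # Whitelist: only listed sockets are allowed. Blacklist: only listed sockets are denied.
        return listed if self.list_type == "whitelist" else not listed


@dataclass
class SocketFilterPolicy:
    """Violation handling from the Messages and Action tabs."""
    sfl: SocketFilterList
    violation_message: str = "Access is denied"
    violations_before_action: int = 0                # 0 means no count is enforced
    counts: dict = field(default_factory=dict)       # persistent per (user, device)

    def request(self, user, device, ip, port):
        """Evaluate one socket request; returns (allowed, message, action_triggered)."""
        if self.sfl.allows(ip, port):
            return True, "", False
        key = (user, device)                          # survives reconnects by design
        self.counts[key] = self.counts.get(key, 0) + 1
        message = (self.violation_message
                   .replace("[host]", ip).replace("[port]", str(port)))
        triggered = (self.violations_before_action > 0
                     and self.counts[key] >= self.violations_before_action)
        return False, message, triggered
```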
Enable Socket Filter Agent Monitoring
To enable monitoring of SFA Agents, follow these steps:
  1. Navigate to Policies, Manage Policy Filters, Socket Filters.
  2. Select Config.
  3. Select the SFA Monitoring box.
  4. Select OK to save your settings.
View Socket Filter Agent Status
The appliance runs a scan at regular intervals to determine the status of all SFAs. After you enable SFA monitoring, you can view the status of the SFAs.
To see the list of SFAs:
  1. Navigate to Devices, Socket Filter Agent. The Socket Filter List Status page displays. You only see entries on this page if you enabled monitoring.
  2. Look at the Status column. The column shows one of the following values:
    • Active: The SFA is up and running. The appliance is able to connect to the Agent on port 8550 of the remote host.
    • Inactive: The SFA was active but has not been for the past few minutes.
    • Unknown: The SFA was active but has not been active for an extended period of time. Reasons why the SFA might be unreachable are that the Agent is turned off, disabled, or uninstalled.