Deploy the CA PAM Access Agent for Windows

Describes the PAM Access Agent, a lightweight Windows alternative to the PAM Client.
The PAM Access Agent is a lightweight Windows alternative to the PAM Client. Only 64-bit Windows 10 is supported in version 3.4.
PAM Access Agent Advantages
The PAM Access Agent has the following advantages:
  • It does not use Java or applets.
  • It tunnels through Privileged Access Manager to devices.
  • It does not require the configuration of loopback addresses.
  • It does not contain a browser, so it does not support Privileged Access Manager administration.
  • It has a much smaller installer, storage footprint, and memory requirement.
  • It uses Services instead of Access Methods.
  • It allows viewing of credentials.
PAM Access Agent Feature Support
Service                                   Network Redirection   Auto-Login   Session Recording   Command Filters   Socket Filters
SSH                                       Yes                   Yes          Yes                 Yes               Yes
SSH Transparent Login                     Yes                   Yes          Yes                 No                No
RDP                                       Yes                   Yes          Yes                 No                Yes
RDP Applications                          No                    No           No                  No                No
RDP Applications with Transparent Login   No                    No           No                  No                No
Web Portal*                               Yes                   No           No                  No                No
VNC                                       Yes                   No           Yes                 No                No
Telnet                                    Yes                   Yes          Yes                 Yes               Yes
TN3270 / SSL                              Yes                   Yes          Yes                 Yes               Yes
TN5250 / SSL                              Yes                   Yes          Yes                 Yes               Yes
*Web Portal does not support the PAM Browser.
Authentication Method    Support
Local                    Yes
LDAP / AD                Yes
RADIUS / TACACS+         Yes
LDAP+RADIUS              Yes
LDAP+RSA                 Yes
SAML                     No
CA Single Sign-On        No
PIV/CAC / Smart Card     No
Retrospective Approval Not Supported
Retrospective Approval (Break Glass) for Password View Requests is a new feature that is not yet supported in the PAM Access Agent.
How the Agent Works
When you activate a service in the agent, network traffic to the target device for that service is redirected and tunneled through PAM. The new agent Universal Port (UP) for Windows provides the service connection capability into PAM. For each activated service and target device, the UP generates an ephemeral port number on which it listens for connections. Client applications (such as PuTTY) work seamlessly using the same public IP address and port they typically use for that connection. Once the service is deactivated, the client application is again available for use with targets that are not protected by PAM.
PAM Access Agent Architecture
[Figure: CA PAM Access Agent Architecture]
Download the Agent Software
Download the PAM Access Agent for Windows from the browser-based UI login page. To install the PAM Access Agent for Windows, the user needs the same user rights or permissions as any other application that you install.
Follow these steps:
  1. From your client workstation, open a browser and go to the URL for the PAM Server.
  2. Below the login screen fields, select the arrow next to CA PAM Agent.
  3. For the Platform field, select the OS for your local workstation, then select Download.
  4. Save the installer file locally to your workstation.
Install the Agent
Installation Requirements:
Only 64-bit Windows 10 is supported in version 3.4.
After you download the installer file, run the agent installer. You need local administrator rights to install the agent, but not to run it. Follow the installation wizard, noting the following instructions:
  • License Agreement: To accept the license agreement, scroll through the license text to the bottom of the panel.
  • Destination Folder: Accept the default or select Change to find a folder.
    The PAM Access Agent does not support installation in directories whose names include Japanese characters. If you install the PAM Access Agent on a Japanese-language computer, enter a folder with no Japanese characters.
  • When the installation is complete, a Launch PAM Agent checkbox appears. Select it and then Finish to close the installation and log in with the agent.
Open the Agent
As a user, all you need is the Fully Qualified Domain Name (FQDN) or IP address of your Privileged Access Manager instance, and your user name and password.
Follow these steps:
  1. Open the PAM Access Agent.
  2. Select the Options menu to set the log level, certificates, and proxy, if necessary. See Optional Settings for details.
  3. In the PAM Server/IP field, enter the IP address or the assigned fully qualified domain name of the PAM Server or cluster VIP.
  4. Select Connect.
  5. You may receive a Verify Certificate window before the login screen appears. If you approve of the certificate, select the Import this certificate permanently checkbox. Select Continue.
     Once it is trusted, you should not see the certificate warning any more.
  6. If an agent update is available, a dialog appears. If you select Yes, an installation dialog appears. Select Yes to upgrade the agent. Upgrading the agent is not mandatory.
  7. When the login screen appears, enter the User Name and Password.
  8. Select the Authentication Type.
  9. Select Login.
     The Available Services tab appears, listing devices that you have permission to access. A Filter panel above the list lets you reduce the number of listed services.
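Before approving the Verify Certificate window in step 5 and importing the certificate permanently, it is worth comparing the thumbprint the server presents with one published by your PAM administrators. The following PowerShell script is an added example, not part of the CA PAM documentation: the server name, expected thumbprint and port 443 are assumptions you supply.

```powershell
# Added example, not from the CA PAM documentation: show the TLS certificate the
# PAM Server presents and compare its thumbprint with a value obtained out of band,
# before ticking "Import this certificate permanently" in the PAM Access Agent.
param(
    [Parameter(Mandatory)][string]$PamServer,           # FQDN or IP of the PAM Server / cluster VIP
    [Parameter(Mandatory)][string]$ExpectedThumbprint,  # placeholder: value published by your PAM admins
    [int]$Port = 443                                    # assumed HTTPS port of the PAM Server
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Let the handshake complete unconditionally so the certificate can be inspected;
        # trust is decided by the thumbprint comparison below, not by this callback.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Dispose()
    }
}

$cert = Get-RemoteCertificate -HostName $PamServer -Port $Port
'Subject   : {0}' -f $cert.Subject
'Issuer    : {0}' -f $cert.Issuer
'Valid     : {0:u} to {1:u}' -f $cert.NotBefore, $cert.NotAfter
'Thumbprint: {0}' -f $cert.Thumbprint

# Normalise the published value (some tools print it with colons or spaces) before comparing.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -eq $expected) {
    'Thumbprint matches the published value; it is safe to import the certificate permanently.'
} else {
    Write-Warning 'Thumbprint does NOT match the published value; do not import it until your PAM administrators have confirmed the certificate.'
}
```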
Optional Settings
An Options menu allows you to configure optional settings that might be required for your particular environment:
Logging
Use this option to select the amount of application messaging:
  • Info: Default setting, including error and informational messages; medium amount of information
  • Debug: All messages, including warnings, errors, and informational messages; most information
  • Error: Only log errors; least information
Certificates
The Certificate Authorities (CA) window lists CAs that are trusted by the PAM Access Agent. You can perform the following actions:
  • Import: Use this button to import your own certificates.
  • Export: Use this button to export a certificate to a location on your local computer.
  • Remove: Use this button to remove any certificates that you do not want.
Proxy
Indicate whether the PAM Access Agent is connecting to the PAM Server through a proxy server. Select one of the following options for your deployment:
  • No Proxy (default): The agent connects directly to the PAM Server.
  • Auto-detect proxy settings for this network: For a network-managed proxy. The agent executes the script that is retrieved from http://wpad/wpad.dat to determine which proxy server to use.
  • Use system proxy settings: For a workstation OS-managed proxy. On Windows, you can configure it using the netsh winhttp set proxy command.
  • Manual Proxy Configuration: For a specific proxy server that you configure yourself.
    • Enter the Host and Port of the proxy server.
      The agent cannot use most well-known ports. See Ports Not Allowed for the Client for the full list.
    • Enter IP addresses to Bypass, such as 127.0.0.1 or 192.168.*
      To enter more than one address, separate each address with a comma, such as 127.0.0.1, 192.168.*
  • Automatic proxy configuration URL: For a web server-supplied proxy. The agent executes the Proxy Auto-Configuration (PAC) script that is retrieved from the URL to determine which proxy server to use.
Timeouts
Specify timeout values for receiving a response to requests to the PAM Server:
  • Receive Timeout: Specifies the timeout (in seconds) for receiving a response to requests to the PAM Server. The default value is 5 seconds.
  • 3rd Party Authentication Timeout: Specifies the timeout (in seconds) for receiving a response to requests to the PAM Server when third-party authentication (for example, RADIUS, RSA, and so on) is required. This value is used instead of Receive Timeout for such requests because third-party authentication generally takes longer. The default value is 90 seconds.
Activate a Service and Connect to a Device
The PAM Access Agent uses Services instead of Access Methods. The agent ignores the Client Application field in a TCP/UDP Service configuration. The agent does not open the client application for you.
The PAM Access Agent displays three tabs: Available Services, Activated Services, and Credentials.
Available Services lists devices that you have permission to access. You can select the column headings to sort the rows in ascending order by that field. Select a second time to sort in descending order.
  • Device Name: The device name
  • Address: The IP address of the device
  • Port: The port to connect to the service
  • Operating System: The operating system of the device
  • Service: The name of the service
Activated Services displays any service which is activated for use by a local application.
  • Device Name: The device name
  • Address: The IP address of the device
  • Port: The port to connect to the service
  • Operating System: The operating system of the device
  • Service: The name of the service
  • Credential: The credential that you have selected to use with this service.
The Credentials tab lists the credentials available for you to view. There can be multiple credential rows for each device.
  • Account Name: Target account for connecting to the listed device, and password viewing, if applicable.
  • Application Name: Target application for connecting to the listed device, and password viewing, if applicable.
  • Device Name: The device name
  • Address: The IP address of the device
  • Status: Dual-authentication status, such as Pending or Approved
  • Action: Select View Password to view the password for this account.
To connect to a device, follow these steps:
  1. On the Available Services tab, double-click the Device row to activate the device connection. You can also press Enter or right-click the row to activate a service.
  2. If there are multiple available credentials, the Select Credential window appears.
  3. Select the Credential to use, and then OK.
  4. Open the application that you use to connect to the device.
  5. Enter the FQDN or IP address of the device and the port in the native application.
     The native application connects to the device.
     You might receive a security alert the first time that you try to connect using a native application with the agent activated. For example, PuTTY expects to connect to the target device, but the agent is redirecting traffic to Privileged Access Manager, where PuTTY obtains the key fingerprint. Therefore, it warns of a "potential security breach."
  6. At the login prompt, press Enter. The account name is automatically sent.
     If credentials are configured, they are also automatically sent.
  7. When you are done using the PAM-managed device, right-click its row on the Activated Services tab and select Deactivate Service.
  8. When you are done, Log Out from the PAM Access Agent.
If a Service or Credential has become available since you logged on, select the Refresh button on the PAM Access Agent to display it.
View Passwords
Use the Credentials tab to select a credential to view. There can be multiple credential rows for each device.
Select View Password to view the password for an account.
Silent Installation
To install the PAM Access Agent in silent mode from a Command Prompt (as Administrator), use the following command:
CAPAMAgentInstall.exe /s /v"/qn"
To change the default installation directory, use this command:
CAPAMAgentInstall.exe /s /v"/qn INSTALLDIR=path_to_install_directory"
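The same silent installation wrapped in a PowerShell script that checks the prerequisites stated above (64-bit Windows 10, an elevated prompt, no Japanese characters in the target folder) before running the installer. This is an added example, not part of the CA PAM documentation; the installer path, the target folder, and the assumption that CAPAMAgent.exe and CAPAMAgentCleanup.exe sit directly in the installation folder are all assumptions.

```powershell
# Added example, not from the CA PAM documentation: unattended install using the
# switches documented above, with the page's stated prerequisites checked first.
param(
    [string]$Installer  = 'C:\Temp\CAPAMAgentInstall.exe',  # assumed: where you saved the download
    [string]$InstallDir = 'C:\Program Files\CA\PAMAgent'    # assumed target folder
)

# Version 3.4 supports only 64-bit Windows 10.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if (-not ([Environment]::Is64BitOperatingSystem -and $os.Caption -match 'Windows 10')) {
    throw "Unsupported OS: $($os.Caption). Only 64-bit Windows 10 is supported."
}

# Local administrator rights are needed to install the agent (not to run it).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) prompt.'
}

# The agent does not support installation in folders whose names contain Japanese
# characters (Hiragana, Katakana or CJK ideographs).
if ($InstallDir -match '[\p{IsHiragana}\p{IsKatakana}\p{IsCJKUnifiedIdeographs}]') {
    throw "InstallDir '$InstallDir' contains Japanese characters; choose another folder."
}

if (-not (Test-Path -LiteralPath $Installer)) { throw "Installer not found: $Installer" }

# /s runs the setup wrapper silently; /v"..." passes options to the embedded MSI:
# /qn suppresses the UI and INSTALLDIR overrides the default folder. The inner quotes
# are escaped as \" so that a path containing spaces survives the wrapper's command line.
$msiOptions = "/qn INSTALLDIR=\`"$InstallDir\`""
$proc = Start-Process -FilePath $Installer -ArgumentList @('/s', "/v`"$msiOptions`"") -Wait -PassThru

# Standard MSI exit codes: 0 = success, 3010 = success but a reboot is required.
switch ($proc.ExitCode) {
    0       { "Installed to $InstallDir" }
    3010    { "Installed to $InstallDir; reboot required before first use" }
    default { throw "Installer exited with code $($proc.ExitCode)" }
}

# Sanity check: the agent and its cleanup utility are expected in the installation
# folder (assumed to be directly under InstallDir).
foreach ($exe in 'CAPAMAgent.exe', 'CAPAMAgentCleanup.exe') {
    if (-not (Test-Path -LiteralPath (Join-Path $InstallDir $exe))) {
        Write-Warning "$exe not found under $InstallDir; verify the installation."
    }
}
```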
Troubleshooting
Network Error
If you receive a "Network error" such as "Permission denied" or "Connection refused", you probably have a network redirection failure. You can resolve this error in several different ways:
  • Run CAPAMAgent.exe as Administrator from a Command Prompt.
  • Run the CAPAMAgentCleanup utility:
    1. Log out from the PAM Access Agent.
    2. Run CAPAMAgentCleanup.exe (found in the installation folder) as Administrator from a Command Prompt.
       Any network redirectors are removed.
DNS Resolution
A Target Server Address can be defined in Privileged Access Manager using a DNS host name rather than an IP address. If the PAM Access Agent does not have access to an appropriate DNS server, it cannot resolve the host name.
Language Mismatch
The PAM Access Agent does not support using a different language than the locale of the PAM Server. If the server is set to Japanese and the agent computer is English, server communication tries to render in Japanese, but it shows non-Kanji symbols. The agent user interface would be English, but dynamically generated drop-downs, such as password view reasons, and error messages would be symbols. If both server and agent are the same language, whether English or Japanese, this problem does not occur.
Uninstall the Agent
Use one of the following methods to remove the agent:
  • Remove the PAM Access Agent from the Windows Control Panel, Programs and Features.
  • Open the PAM Access Agent installer and select the Remove option.