How to Install a Windows Proxy for Credential Manager
The Windows Proxy is a software component of Privileged Access Manager Credential Manager. Install it to enable updating Windows-based account passwords, and updating Windows service and scheduled task login account passwords. For basic information about the Windows Proxy, see Add a Windows Proxy Connector.
About Windows Accounts
The following table describes the various Windows user accounts. Windows service accounts allow system administrators to control the permission level that is granted to a Windows service. Windows services that access network resources might require a restart when the associated user account password is changed.
Windows account types
Who can change the password?
Local administrator account
An account with local system privileges on a Windows system that a user accesses.
A network-based user account. Domain user accounts provide users with access to network resources. A domain user account is authenticated against Active Directory.
A local administrator account has administrator privileges on the local system, but does not have Network Administrator privileges. A local administrator cannot change domain user account passwords.
A domain administrator account has administrator privileges throughout the domain. A domain administrator requires local administrator privileges to update local accounts.
By default, when a system joins the domain, the domain administrator is given local administrator access.
Windows Proxy Configuration
The configuration of the Windows Proxy depends on the type of accounts you are managing and whether your network is part of a domain.
You can install as many Windows Proxies as you need. You must install a minimum of one Windows Proxy for each domain or workgroup. The Windows Proxy service must run as a domain administrator or local administrator. By default, the Windows Proxy installs with local service permissions. You must update the local service permissions to manage passwords over a network connection.
The following table lists the target host and target account registration notes associated with the various Windows Proxy installation options.
Windows Proxy service runs as:
Target user account type
Target host configuration notes
Target Account Registration notes
The domain administrator must have local administrator privileges on the target host.
When adding the target account, select the option Use Proxy credentials to change password.
The account being managed (on the target host) must have Log in local user rights.
When adding the target account, the account that is selected to manage passwords must have Local Administrator privileges.
When adding the target account, the account that is selected to manage passwords must have local administrator privileges.
If Privileged Access Manager manages the administrator account that the Windows Proxy service runs as, do not configure this account to change its own password. The Windows service cannot restart itself after a password change. Instead, use a second Windows Proxy running as a different account to manage the service account. Use a separate target application that only uses the remote proxy. When you configure the Windows target account for the Windows Proxy, discover the proxy service and set the Start/Restart option. This option allows Privileged Access Manager to restart the service on a password change.
The accounts that are associated with the two Windows Proxy services must be in the Administrators group on their proxy hosts. The proxies can then manage other accounts on either host, or on remote hosts with target applications that have selected both proxies for high availability.
When verifying the passwords of Windows Proxy target applications, Credential Manager connects to target servers using the Windows Proxy.
When adding a domain controller target server, use the domain controller NetBIOS name as the target server host name.
You can register the Windows Proxies in Credential Manager manually or automatically. Upon receipt of the Windows Proxy login, the server automatically adds the Windows Proxy in an inactive state and flags the request in the UI.
A Windows Proxy is not configured as a managed object device, so the proxy does not appear in the Device list. However, this same host can still be the target of a Privileged Access Manager managed object. The same host can be used for access or password management as a device.
When the Privileged Access Manager server sends sensitive information to a Windows Proxy, that information is encrypted using the Windows Proxy key. The key is unique for each Windows Proxy. The UI provides a button to update the Windows Proxy key.
Windows Proxy Requirements
This section details the hardware and software requirements for the Windows Proxy.
The Windows Proxy requires 128 MB of RAM and 180 MB of hard drive space. The Windows Proxy log file requires 50 MB.
Operating System Requirements
The following table details the supported platforms and their associated requirements for the Windows Proxy.
Windows Proxy Platform Operating System
Minimum Patch Level
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Installing more than one Windows Proxy on the same host is not supported. Installing into the same directory overwrites the Windows Proxy already installed in that directory. Always uninstall an existing Windows Proxy before installing a newer version.
Prepare for Windows Proxy Installation
Complete the following tasks to prepare to install the Windows Proxy:
- Verify that firewalls do not block necessary communication ports. See Default Ports for Credential Manager.
- Verify that DNS resolution of the Windows Proxy host succeeds on the Privileged Access Manager server. If DNS resolution of the server fails on the Windows Proxy host, the Windows Proxy hosts file (C:\Windows\System32\drivers\etc\hosts) requires an entry for the server.
- Verify that DNS resolution of the Privileged Access Manager server succeeds on the Windows Proxy host.
- Disable Windows Simple File Sharing on all Windows servers that have accounts being managed through the Windows Proxy. Follow these steps:
  - Select My Computer.
  - Select Organize or View, depending upon your Windows version.
  - Select Options and Folder and Search Options, depending upon your Windows version.
  - Select the View tab.
  - At the bottom of Advanced Settings, disable Use Sharing Wizard (Recommended).
- If the Guest account in the domain or on the target server is enabled, the Windows Proxy Connector appears to verify the password. However, that target account password does not exist on the target server. Disable the guest account in the domain or on the target server to avoid this false password verification.
You can install the Windows Proxy and an A2A Client on the same Windows host. Do not use the same installation folder for both the Windows Proxy and the A2A Client. The installation of either component overwrites the Credential Manager component that is already installed in that folder.
The default values for Network Security on Windows systems allow Windows Proxy to function. If certain settings are set too restrictively, the Windows Proxy can fail. Verify these settings in the Group or Local Policy Security Options:
- Network security: Restrict NTLM: Incoming NTLM traffic: Allow all, or Not Defined
- Network security: Restrict NTLM: NTLM authentication in this domain: Disable, Not Defined, or Deny for domain accounts
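The preparation checks above can be scripted. The following PowerShell is an added example, not part of the vendor documentation; it only reads settings and assumes PowerShell 3.0 or later. The server name is a placeholder, and the two registry values are the standard Windows backing values for the NTLM policies listed above.

```powershell
# Added example: read-only pre-installation checks for a Windows Proxy host.
$PamServer = 'pam.example.internal'   # placeholder: FQDN of your own server

$results = New-Object System.Collections.Generic.List[object]
function Add-Check($Name, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}
function Get-PolicyValue($Path, $Name) {
    # Returns $null when the policy is Not Defined (registry value absent).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. The server name must resolve from the proxy host (DNS or hosts file entry).
try {
    $ips = [System.Net.Dns]::GetHostAddresses($PamServer) |
        ForEach-Object { $_.IPAddressToString }
    Add-Check 'Server name resolves' $true ($ips -join ', ')
} catch {
    Add-Check 'Server name resolves' $false 'Fix DNS or add a hosts file entry'
}

# 2. An enabled Guest account causes false password verification.
#    RID 501 identifies Guest regardless of locale; only the local account is checked.
$guest = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'"
Add-Check 'Local Guest account disabled' (-not $guest -or $guest.Disabled) "Name=$($guest.Name)"

# 3. Incoming NTLM traffic: accepted when Not Defined or 0 (Allow all).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$incoming = Get-PolicyValue $lsa 'RestrictReceivingNTLMTraffic'
Add-Check 'Incoming NTLM traffic' ($null -eq $incoming -or $incoming -eq 0) "value=$incoming"

# 4. NTLM authentication in this domain: accepted when Not Defined,
#    0 (Disable) or 3 (Deny for domain accounts).
#    This policy is stored on domain controllers, so run this part there.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$domain = Get-PolicyValue $netlogon 'RestrictNTLMInDomain'
Add-Check 'NTLM authentication in this domain' ($null -eq $domain -or $domain -in 0, 3) "value=$domain"

$results | Format-Table -AutoSize
```

Firewall port checks are left out because the port list is in Default Ports for Credential Manager, not on this page.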
Download the Windows Proxy Software
- From the target system, log in to the Download Center at the following link: https://support.ca.com/us/download-center.html
- In the Search by Product Name field, begin entering until you can select it from the list. A box with available product downloads and solutions appears. Below this box, the Privileged Access Manager Product Downloads tab is open by default.
- In the Filter Search Results field, begin typing to filter the results and then select the corresponding entry. Privileged Access Manager DEBIAN
- In the top-right corner of the page, select the appropriate release from the Release drop-down list. Ignore the RELEASE and SERVICE PACK controls above the list of product components.
- Select the download link (a cloud icon) that is associated with the Windows Proxy entry.
- Select a download method and download the .zip file to local storage.
- Unzip the installation package.
Install the Windows Proxy Software
The wizard installs the Windows Proxy software.
The wizard fails when you execute it from an account that contains special characters. To avoid this error, start the installation by right-clicking on the executable file and selecting the Run As option. The Run As dialog opens and prompts for an alternate username and password to use for the installation. Specify the account credentials and continue with the installation.
Follow these steps:
- Navigate to the location where you unzipped the installation package.
- Start the setup_windows_agent.exe installation wizard.
- In the Introduction window, select Next.
- In the Choose Install Folder window, enter, or select the folder where you want to install the proxy, and select Next. We recommend that you do not use a space character in the root folder, the name of the installation location, or the folder name.
- In the Server Information window, enter the Fully Qualified Domain Name (FQDN) of the Privileged Access Manager server in the Server Name field and select Next.
- In the Pre-Installation Summary window, validate the installation information then select Install.
- When the installation finishes and the Install Complete window appears, selectDone.
Start the Windows Proxy Service
To start the Windows service (PAM Proxy) on a Windows server, complete one of the following procedures:
- Open a command window and enter the following text: net start "PAM Proxy"
- Start the PAM Proxy service using the Services Administrative tool. The steps to start the service using the Windows Services Administrative tool depend on your Windows platform. For example, to start the service with Windows 7, select Start, Control Panel, Administrative Tools, Services. Then select PAM Proxy in the Services list and then select Start.
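Because the proxy installs with local service permissions by default and must instead run as a domain or local administrator, it is worth confirming the service's logon account once it is started. The following PowerShell is an added example, not part of the vendor documentation; it assumes PowerShell 5.1 (for Get-LocalGroupMember) and that the service is registered under the name PAM Proxy used with net start above.

```powershell
# Added example: inspect the logon account of the installed proxy service.
$svc = Get-CimInstance Win32_Service -Filter "Name='PAM Proxy' OR DisplayName='PAM Proxy'"
if (-not $svc) { throw 'PAM Proxy service not found on this host.' }

# Normalize ".\user" to "HOSTNAME\user" so it can be compared with group members.
# Accounts configured in user@domain form are not matched by this comparison.
$account = $svc.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')

# Built-in service identities are the default the page says must be changed.
$isBuiltin = $account -match '^(LocalSystem$|NT AUTHORITY\\)'

# Direct members of the local Administrators group (well-known SID S-1-5-32-544).
# Nested membership, for example through Domain Admins, is not expanded here.
$admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
$isAdmin = $admins -contains $account

[pscustomobject]@{
    Service          = $svc.Name
    State            = $svc.State
    RunsAs           = $account
    BuiltInIdentity  = $isBuiltin
    DirectLocalAdmin = $isAdmin
}

if ($isBuiltin) {
    Write-Warning 'Service runs as a built-in identity; set a domain or local administrator account.'
} elseif (-not $isAdmin) {
    Write-Warning 'Account is not a direct member of Administrators; check nested group membership.'
}
```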
Activate the Windows Proxy
After the Windows service is running on the Windows server, activate the Windows Proxy from the
Follow these steps:
- From the UI, go to Credentials, Manage Targets, Proxies.
- Select the new proxy entry and select Update.
- Select the Active checkbox then select OK.
Stop the Windows Proxy
one of the following steps:
- Stop the PAM Proxy service using the Services Administrative tool. Stopping the service using the Windows Services Administrative tool depends on your Windows platform. For example, to stop the service with Windows 7, select Start, Control Panel, Administrative Tools, Services, select PAM Proxy in the Services list, and then select Stop.
- Open a command line window and type the following command: net stop "PAM Proxy"