How to Install a Windows Proxy for Credential Manager

The Windows Proxy is a software component of Privileged Access Manager Credential Manager. Install it to enable updating Windows-based account passwords, and updating Windows service and scheduled task login account passwords. For basic information about the Windows Proxy, see Add a Windows Proxy Connector.
About Windows Accounts
The following table describes the various Windows user accounts. Windows service accounts allow system administrators to control the permission level that is granted to a Windows service. Windows services that access network resources might require a restart when the associated user account password is changed.
| Windows account types | Who can change the password? | Description |
|---|---|---|
| Local user | Local user, Local administrator account | An account with local system privileges on a Windows system that a user accesses. |
| Domain user | Domain user, Domain administrator | A network-based user account. Domain user accounts provide users with access to network resources. A domain user account is authenticated against Active Directory. |
| Local administrator | Local administrator | A local administrator account has administrator privileges on the local system, but does not have Network Administrator privileges. A local administrator cannot change domain user account passwords. |
| Domain administrator | Domain administrator | A domain administrator account has administrator privileges throughout the domain. A domain administrator requires local administrator privileges to update local accounts. |
By default, when a system joins the domain, the domain administrator is given local administrator access.
Windows Proxy Configuration
The configuration of the Windows Proxy depends on the type of accounts you are managing and whether your network is part of a domain.
You can install as many Windows Proxies as you need. You must install a minimum of one Windows Proxy for each domain or workgroup. The Windows Proxy service must run as a domain administrator or local administrator. By default, the Windows Proxy installs with local service permissions. You must update the local service permissions to manage passwords over a network connection.
The following table lists the target host and target account registration notes associated with the various Windows Proxy installation options.
| Windows Proxy service runs as: | Target user account type | Target host configuration notes | Target Account Registration notes |
|---|---|---|---|
| Domain administrator | Domain | The domain administrator must have local administrator privileges on the target host. | When adding the target account, select the option Use Proxy credentials to change password. |
| Domain administrator | Local (target host) | The account being managed (on the target host) must have Log in local user rights. | When adding the target account, the account that is selected to manage passwords must have Local Administrator privileges. |
| Local administrator (Proxy host) | Domain | Not recommended | Not recommended |
| Local administrator (Proxy host) | Local (target host) | None | When adding the target account, the account that is selected to manage passwords must have local administrator privileges. |
If Privileged Access Manager manages the administrator account that the Windows Proxy service runs as, do not configure this account to change its own password. The Windows service cannot restart itself after a password change. Instead, use a second Windows Proxy running as a different account to manage the service account. Use a separate target application that only uses the remote proxy. When you configure the Windows target account for the Windows Proxy, discover the proxy service and set the Start/Restart option. This option allows Privileged Access Manager to restart the service on a password change.
The accounts that are associated with the two Windows Proxy services must be in the Administrators group on their proxy hosts. The proxies can then manage other accounts on either host, or on remote hosts with target applications that have selected both proxies for high availability.
When verifying the passwords of Windows Proxy target applications, Credential Manager connects to target servers using the Windows Proxy.
When adding a domain controller target server, use the domain controller NetBIOS name as the target server host name.
You can register the Windows Proxies in Credential Manager manually or automatically. Upon receipt of the Windows Proxy login, the server automatically adds the Windows Proxy in an inactive state and flags the request in the UI.
A Windows Proxy is not configured as a managed object device, so the proxy does not appear in the Device list. However, this same host can still be the target of a Privileged Access Manager managed object. The same host can be used for access or password management as a device.
When the Privileged Access Manager server sends sensitive information to a Windows Proxy, that information is encrypted using the Windows Proxy key. The key is unique for each Windows Proxy. The UI provides a button to update the Windows Proxy key.
Windows Proxy Requirements
This section details the hardware and software requirements for the Windows Proxy.
Hardware Requirements
The Windows Proxy requires 128 MB of RAM and 180 MB of hard drive space. The Windows Proxy log file requires 50 MB.
Operating System Requirements
The following table details the supported platforms and their associated requirements for the Windows Proxy.
| Windows Proxy Platform Operating System | Minimum Patch Level |
|---|---|
| Windows 7 | 6.1.7600 |
| Windows Server 2008 R2 | 6.0.6001 |
| Windows 8.1 | Any level |
| Windows Server 2012 R2 | Any level |
| Windows 10 | Any level |
| Windows Server 2016 | Any level |
Installing more than one Windows Proxy on the same host is not supported. Installing into the same directory overwrites the Windows Proxy already installed in that directory. Always uninstall an existing Windows Proxy before installing a newer version.
Prepare for Windows Proxy Installation
Complete the following tasks to prepare to install the Windows Proxy:
  • Verify that firewalls do not block necessary communication ports. See Default Ports for Credential Manager.
  • Verify that DNS resolution of the Windows Proxy host succeeds on the Privileged Access Manager server. If DNS resolution of the server fails on the Windows Proxy host, the Windows Proxy hosts file (C:\Windows\System32\drivers\etc\hosts) requires an entry for the server.
  • Verify that DNS resolution of the Privileged Access Manager server succeeds on the Windows Proxy host.
  • Disable Windows Simple File Sharing on all Windows servers that have accounts being managed through the Windows Proxy.
    Follow these steps:
    1. Select Start.
    2. Select My Computer.
    3. Select Organize or View, depending upon your Windows version.
    4. Select Options and Folder and Search Options, depending upon your Windows version.
    5. Select the View tab.
    6. At the bottom of Advanced Settings, disable Use Sharing Wizard (Recommended).
    If you enable the sharing wizard, the Windows Proxy cannot synchronize and update accounts, and the Windows Proxy error log returns a 1326-ERROR_LOGON_FAILURE message.
  • If the Guest account in the domain or on the target server is enabled, the Windows Proxy Connector appears to verify the password. However, that target account password does not exist on the target server. Disable the guest account in the domain or on the target server to avoid this false password verification.
You can install the Windows Proxy and an A2A Client on the same Windows host. Do not use the same installation folder for both the Windows Proxy and the A2A Client. The installation of either component overwrites the Credential Manager component that is already installed in that folder.
The default values for Network Security on Windows systems allow Windows Proxy to function. If certain settings are set too restrictively, the Windows Proxy can fail. Verify these settings in the Group or Local Policy Security Options:
  • Network security: Restrict NTLM: Incoming NTLM traffic: Allow all, or Not Defined
  • Network security: Restrict NTLM: NTLM authentication in this domain: Disable, Not Defined, or Deny for domain accounts
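The preparation checks above can be scripted. The following PowerShell is an added example, not part of the product or the vendor's documentation. It assumes Windows PowerShell 3.0 or later, uses a placeholder server name (pam.example.internal), and reads the standard Windows registry values that back the two Restrict NTLM policies.

```powershell
# Added example: pre-installation checks for a Windows Proxy host.
# $PamServer is a placeholder; pass the FQDN of your own server.
param([string]$PamServer = 'pam.example.internal')

function New-Check($Name, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# Returns the registry value behind a policy, or 'Not Defined' when it is absent.
function Get-PolicyValue($Path, $Name) {
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { 'Not Defined' } else { [int]$v }
}

$checks = @()

# 1. The proxy host must resolve the server name; otherwise a hosts entry is required.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($PamServer) | ForEach-Object { $_.IPAddressToString }
    $checks += New-Check 'DNS: server resolves' $true ($ips -join ', ')
} catch {
    $checks += New-Check 'DNS: server resolves' $false 'Add the server to C:\Windows\System32\drivers\etc\hosts'
}

# 2. Incoming NTLM traffic: 0 = Allow all. Accepted: Allow all or Not Defined.
$in = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictReceivingNTLMTraffic'
$checks += New-Check 'NTLM: incoming traffic' (@('Not Defined', 0) -contains $in) "value: $in"

# 3. NTLM authentication in this domain: 0 = Disable, 3 = Deny for domain accounts.
$dom = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'RestrictNTLMInDomain'
$checks += New-Check 'NTLM: in this domain' (@('Not Defined', 0, 3) -contains $dom) "value: $dom"

# 4. An enabled Guest account causes false password verification (well-known RID 501).
$guest = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }
$checks += New-Check 'Guest account disabled' ([bool]$guest.Disabled) "account: $($guest.Name)"

# 5. Only one Windows Proxy per host; an existing one must be uninstalled first.
$svc = Get-Service | Where-Object { $_.Name -eq 'PAM Proxy' -or $_.DisplayName -eq 'PAM Proxy' }
$checks += New-Check 'No existing PAM Proxy service' ($null -eq $svc) "status: $($svc.Status)"

$checks | Format-Table Check, OK, Detail -AutoSize
```

Run the NTLM and Guest checks on the host whose policy you are verifying; the DNS and service checks apply to the intended proxy host.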
     
Download the Windows Proxy Software
  1. From the target system, log in to the Download Center at the following link: https://support.ca.com/us/download-center.html 
  2. In the Search by Product Name field, begin entering Privileged Access Manager until you can select it from the list.
    A box with available product downloads and solutions appears. Below this box, the Product Downloads tab is open by default.
  3. In the Filter Search Results field, begin typing Privileged Access Manager DEBIAN to filter the results and then select the corresponding entry.
  4. In the top-right corner of the page, select the appropriate release from the Release drop-down list.
    Ignore the RELEASE and SERVICE PACK controls above the list of product components.
  5. Select the download link (a cloud icon) that is associated with the Windows Proxy entry.
  6. Select a download method and download the .zip file to local storage.
  7. Unzip the installation package.
Install the Windows Proxy Software
The wizard installs the Windows Proxy software.
The wizard fails when you execute it from an account that contains special characters. To avoid this error, start the installation by right-clicking on the executable file and selecting the Run As option. The Run As dialog opens and prompts for an alternate username and password to use for the installation. Specify the account credentials and continue with the installation.
 
Follow these steps:
 
  1. Navigate to the location where you unzipped the installation package.
  2. Start the setup_windows_agent.exe installation wizard.
  3. In the Introduction window, select Next.
  4. In the Choose Install Folder window, enter or select the folder where you want to install the proxy, and select Next.
    We recommend that you do not use a space character in the root folder, the name of the installation location, or the folder name.
  5. In the Server Information window, enter the Fully Qualified Domain Name (FQDN) of the Privileged Access Manager server in the Server Name field and select Next.
  6. In the Pre-Installation Summary window, validate the installation information, then select Install.
  7. When the installation finishes and the Install Complete window appears, select Done.
Start the Windows Proxy Service
To start the Windows service (PAM Proxy) on a Windows server, complete one of the following procedures:
  • Open a command window and enter the following text:
    net start "PAM Proxy"
  • Start the PAM Proxy service using the Services Administrative tool:
    The steps to start the service using the Windows Services Administrative tool depend on your Windows platform. For example, to start the service with Windows 7, select Start, Control Panel, Administrative Tools, Services. Then select PAM Proxy in the Services list and then select Start.
Activate the Windows Proxy
After the Windows service is running on the Windows server, activate the Windows Proxy from the PAM UI.

Follow these steps:

  1. From the UI, go to Credentials, Manage Targets, Proxies.
  2. Select the new proxy entry and select Update.
  3. Select the Active checkbox, then select OK.
Stop the Windows Proxy
Do one of the following steps:
  • Stop the PAM Proxy service using the Services Administrative tool.
    Stopping the service using the Windows Services Administrative tool depends on your Windows platform. For example, to stop the service with Windows 7, select Start, Control Panel, Administrative Tools, Services, select PAM Proxy in the Services list, and then select Stop.
  • Open a command line window and type the following command:
    net stop "PAM Proxy"