What ports are used for Privileged Account Manager?

  • 7018265
  • 14-Nov-2016
  • 21-Jul-2017

Environment

NetIQ Privileged Account Manager

Situation

What ports are used for Privileged Account Manager?
A quick reference guide for ports

Resolution

443/https (tcp)
Accessing the Framework Manager Console (Administration) or the User Console (MyAccess) from a browser requires TCP port 443 on the Framework Manager for HTTPS. HTTPS is carried over TCP, so no UDP port needs to be opened for the consoles. The URLs for these consoles are:
https://<IP address of the Framework Manager>
https://<IP address of the Framework Manager>/myaccess


29120/pam (tcp)
This port carries all communication between Framework Managers and agents, and between agents themselves, so it must be open on the managers and on every agent host. The port is specified when the agent is registered with the Framework Manager; if a non-default value is chosen at registration, open that value instead of 29120. For more information, refer to Opening Firewall Ports in the Installation Guide.

2222/ssh-pam (tcp)
The SSH Relay (SSH Relay Agent module, sshrelay package) listens on TCP port 2222. In a default installation this is the Framework Manager server, but the package can be deployed on other "jump" hosts. Clients connect to port 2222 from ephemeral (random) source ports, so firewall rules should match on the destination port only. The SSH port of each target server (22 unless the target has been configured otherwise) must also be reachable from the Relay Agent server.

3389/direct-rdp (tcp)
Users connect directly to the Windows server on the standard RDP port, TCP 3389, from a Remote Desktop Connection client; the session does not pass through the PAM server.
Note: For more details, refer to Direct Remote Desktop Connection.

13389/rdp-relay-pam (tcp)
With RDP-Relay, a workstation with a browser connects to the User Console (MyAccess) and launches an RDP session from the browser. The Remote Desktop session is relayed through the PAM server to a Windows server that has Remote Desktop enabled, so two hops must be open:
  • The PAM server must have TCP port 13389 open and reachable from the workstations that use MyAccess.
  • The target Windows server must have the standard Windows RDP port, TCP 3389, open and reachable from the PAM RDP-Relay server.
Note: For more details, refer to Remote Desktop Protocol Relay.

(conditional)/Database Monitoring (tcp)
A database connector acts as a proxy between the user's database client and the database server (Oracle, Microsoft SQL Server, etc.). Any number of database connectors can be added to any agent that has the dbaudit module configured, so the ports involved depend on that configuration. In summary: clients must be able to reach the relevant database connector port on the PAM server, and the PAM server must be able to reach the destination database address and port. For more details, refer to Managing Database Connectors.

1434/SQL Server Browser Service (udp)
For more details, refer to the Microsoft SQL Server section of Managing Database Connectors. According to Microsoft, "The SQL Server Browser service listens for incoming connections to a named instance and provides the client the TCP port number that corresponds to that named instance. Normally the SQL Server Browser service is started whenever named instances of the Database Engine are used. The SQL Server Browser service does not have to be started if the client is configured to connect to the specific port of the named instance" (see Configure the Windows Firewall to Allow SQL Server Access). In practice, UDP 1434 from the PAM server to the SQL Server host is only needed when a connector targets a named instance without an explicit port; connectors configured with the instance's TCP port do not need it.

(conditional)/Password Checkout
Password Checkout can be configured for various application and database endpoints in order to Manage Shared Accounts. Whatever port each endpoint uses for credential management must be reachable from the PAM server to that target.

Status

Top Issue