Working with PAM360 Agent


Notes:

  1. From build 5711 onwards, PAM360 will no longer support the 32-bit and 64-bit versions of the C++ agent for Windows and Windows Domain systems and the C agent for Linux. However, the C and C++ agents will still be functional in the older versions of PAM360 past this date. We highly recommend using the C# agent for Windows and Windows Domain machines and the Go agent for Linux machines, as they support additional features, such as password reset listeners, dynamic account filtering, self-service privilege elevation, and Zero Trust. Refer to the forum post to learn more about the end-of-support announcement.
  2. Click here to learn how to install and uninstall agents in bulk using a script file invoked via the Windows GPO.
  3. The PAM360 agent will work only on Red Hat versions up to 7.9, and CentOS.
  4. For the Go agent, from build 5301, the AMD64 version is supported for Ubuntu, CentOS, Red Hat, Debian, and other Linux flavors, and the ARM64 version is supported for Red Hat.


PAM360 Agent - Overview

By deploying the PAM360 agent, you can establish a connection with remote resources that are not connected to the PAM360 server and manage them from PAM360. The PAM360 agent is available for Windows, Windows domain, and Linux servers. The agent package is available for download in the PAM360 web interface, and it contains the necessary executable and configuration files and an SSL certificate for the HTTPS communication between the agent and the PAM360 web server. During installation, you must supply a unique Agent Key (copied from the PAM360 UI) for each agent in the target machine. You can also keep an Agent Key active for a specified number of hours and use it for multiple installations.

The PAM360 agent is useful in the following cases:
  • When the PAM360 server runs on a Linux system and password reset has to be carried out for a Windows machine.
  • If the target systems are in a Demilitarized Zone (DMZ) or a different network to which the PAM360 server does not have direct connectivity.
  • If the required administrative credentials are not stored locally in the PAM360 server to execute remote password resets.
  • To change the password of domain accounts without the domain controller's admin credentials.

Communication between the PAM360 Server and the PAM360 Agent

All password-related communication between the PAM360 server and the agent is carried out securely over HTTPS. Since the agent always initiates the connection, the communication is one-way. The agent residing on the target machine needs access only to the PAM360 web interface, so only the PAM360 web server has to be reachable from the agent. Since the agent uses outbound traffic to reach the login page of PAM360, there is no need to punch firewall holes or create VPN paths to allow inbound traffic for the server to reach all the deployed agents.

The agent will periodically ping the PAM360 web server through HTTPS to check if any operation is pending for execution. By default, the agent pings the server once every 60 seconds, but the interval can be changed according to requirements. Once the agent contacts the PAM360 web server, the server will trigger the list of tasks to be carried out by the agent in the remote resource. Once the tasks have been executed, the agent will report the results to the PAM360 web server.

Note: Since the tasks are triggered by the web server only upon contact from the agent, the time taken for successful task execution will depend on how quickly the agent can connect with the PAM360 web server.
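
The following is an added example, not code from PAM360 or from this page: a monitoring check that audits network flow records against the polling model described above, flagging agents that have stopped polling and any connection opened by the server toward an agent host. The record format, IP addresses, port 443, and the three-missed-polls tolerance are assumptions made for illustration; only the 60-second default interval comes from this page.

```python
from datetime import datetime, timedelta

POLL_INTERVAL = timedelta(seconds=60)  # default interval stated on this page
MISSED_POLLS_ALLOWED = 3               # assumption: tolerance before alerting
SERVER = "10.0.0.5"                    # constructed PAM360 web server address
HTTPS_PORT = 443                       # placeholder: use your server's HTTPS port
AGENTS = {"10.1.1.20", "10.1.1.21", "10.1.1.22"}  # constructed agent hosts

# Constructed flow records: time, initiator, responder, responder port
SAMPLE_FLOWS = """\
2024-05-01T10:01:00 10.1.1.21 10.0.0.5 443
2024-05-01T10:04:30 10.0.0.5 10.1.1.22 22
2024-05-01T10:08:00 10.1.1.20 10.0.0.5 443
2024-05-01T10:09:00 10.1.1.20 10.0.0.5 443
2024-05-01T10:09:30 10.1.1.22 10.0.0.5 443
"""

def parse(flows):
    """Yield (timestamp, initiator, responder, port) from the text records."""
    for line in flows.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def audit(flows, agents, now):
    """Return findings that contradict the agent-initiated polling model."""
    last_poll, findings = {}, []
    for ts, src, dst, port in parse(flows):
        if src in agents and dst == SERVER and port == HTTPS_PORT:
            # Normal case: the agent polls the web server over HTTPS.
            last_poll[src] = max(ts, last_poll.get(src, ts))
        elif src == SERVER and dst in agents:
            # Under the polling model the server does not connect to agent hosts.
            findings.append(("server_initiated", dst, ts))
    limit = POLL_INTERVAL * MISSED_POLLS_ALLOWED
    for agent in sorted(agents):
        seen = last_poll.get(agent)
        if seen is None or now - seen > limit:
            # No poll inside the tolerance window: pending tasks will not run.
            findings.append(("agent_silent", agent, seen))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, AGENTS, datetime(2024, 5, 1, 10, 10)):
        print(finding)
```

If the polling interval is changed from the default, `POLL_INTERVAL` must be changed to match, otherwise healthy agents will be reported as silent.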

