Cannot run pmrun commands from machine in the dmz. This article is to describe additional setup that may be needed.
When the agent and policy server are on different sides of a firewall, Privilege Manager needs a number of ports to be kept open. By default, Privilege Manager can use ports in the 600 to 31024 range, but when using a firewall, you may want to limit the ports that can be used
For each Privilege Manager session the client (pmrun) and agent (pmlocald) will each use one port from both the reserved and non-reserved ranges. The policy server (pmmasterd) will use one port from its non-reserved range. Each agent can use the same port ranges as they are on separate machines and need only be large enough to support the maximum number of concurrent sessions on that agent. The policy server on the other hand needs a port range large enough to support all sessions across all agents (minimum of one non-reserved port per session)
You can restrict the TCP/IP port numbers on which responses to pmrun commands are returned. You may want to do this if the commands involve communication through a firewall, for instance. We recommend that a minimum of six ports are assigned to Privilege Manager in the reserved ports range (600 to 1023) and twice that number of ports are assigned in the non-reserved ports range (1024 to 31024). The more Agents you have, the more ports you will need.
To set the reserved port range, add the following line to the /etc/opt/quest/qpm4u/pm.settings file: setReservePortRange lowportnumber highportnumber where lowportnumber is first port in the range and highportnumber is the last port in the range. lowportnumber and highportnumber must be port numbers between 600 and 1023. To set the non-reserved port range, add the following settings to the /etc/opt/quest/qpm4u/pm.settings file: setNonReservePortRange lowportnumber highportnumber lowportnumber and highportnumber must be port numbers between 1024 and 65535.
setReservePortRange 600 612
setNonReservePortRange 31000 65535
Additionally, if you are using Privilege Manager for Sudo then the sudo plugins use svn over ssh to keep the local cached version of the sudoers policy up to date. For this, port 22 will also need to be opened for this ssh traffic between the sudo plugin hosts and the policy servers.