Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

Privilege Manager Port Usage

For each Privilege Manager session, the client (pmrun) and agent (pmlocald) use one port from both the reserved and non-reserved ranges. The policy server (pmmasterd) uses one port from its non-reserved range. Each agent can use the same port ranges as they are on separate machines and need only be large enough to support the maximum number of concurrent sessions on that agent. On the other hand, the policy server needs a port range large enough to support all sessions across all agents (minimum of one non-reserved port per session).

This diagram shows the minimum port ranges required for a single Privilege Manager session:

Figure 10: Privilege Manager for Unix Port Usage

NOTE: Connection 4 is used only to send back the exit status if I/O logging is not enabled.

Restricting Port Numbers for Command Responses

Advanced Privilege Manager for Unix Configuration > Configuring Firewalls > Restricting Port Numbers for Command Responses

If commands involve communication through a firewall, you can restrict the TCP/IP port numbers on which responses to pmrun commands are returned.

Quest recommends that you assign a minimum of six ports to Privilege Manager in the reserved ports range (600 to 1023) and twice that number of ports in the non-reserved ports range (1024 to 65535). The more agents you have, the more ports you need.

To set the reserved port range

  1. Add the following line to the /etc/opt/quest/qpm4u/pm.settings file:
    setreserveportrange lowportnumberhighportnumber

    where lowportnumber is first port in the range and highportnumber is the last port in the range.

    lowportnumber and highportnumber must be port numbers between 600 and 1023. For example:

    setreserveportrange 600 612

To set the non-reserved port range

  1. Add the following line to the /etc/opt/quest/qpm4u/pm.settings file:
    setnonreserveportrange lowportnumberhighportnumber

    lowportnumber and highportnumber must be port numbers between 1024 and 65535. For example:

    setnonreserveportrange 31000 65535

See PM Settings Variables for more information about modifying the Privilege Manager configuration settings.

Configuring pmtunneld

pmtunneld adds an additional layer of security by acting as a proxy for pmrun. Communication sent from pmlocald is transmitted using port number 12347, by default, and received by pmtunneld. pmtunneld then transmits the data to pmrun.

In the following example, the firewall is configured to allow the following connections:

  • One incoming connection from external host (EXT1) reserved port range (600 - 612) to internal host (INT1) port 12345.
  • One outgoing connection from internal host (INT1) non-reserved port range (31000 -31024) to external host (EXT1) port 12347.

Figure 11: pmtunneld Configuration

To configure pmtunneld, in the /etc/opt/quest/qpm4u/pm.settings file, specify the host(s) that require pmlocald to use a fixed port when communicating with pmrun and the fixed port that pmlocald uses when communicating with pmrun.

In this example, you configure the external host (EXT1) by adding these lines to the /etc/opt/quest/qpm4u/pm.settings file:

tunnelport 12347 
pmtunneldenabled yes

In this example, you configure the internal host (INT1) by adding these lines to the pm.settings file:

tunnelrunhosts EXT1 
tunnelport 12347

NOTE: tunnelrunhosts can contain wild cards, such as, *.mydomain.com.

To allow commands to run on the external host, EXT1 in this example, create a firewall rule to allow pmmasterd to connect from the non-reserved port range to the pmlocald port on the external agent.

See PM Settings Variables for more information about modifying the Privilege Manager configuration settings.

Configuring Network Address Translation (NAT)

Advanced Privilege Manager for Unix Configuration > Configuring Firewalls > Configuring Network Address Translation (NAT)

To configure Privilege Manager to allow the use of Network Address Translation (NAT), you must add both the external and internal IP address of the firewall to tunnelrunhosts list in the /etc/opt/quest/qpm4u/pm.settings file.

See PM Settings Variables for more information about modifying the Privilege Manager configuration settings.

Related Documents