When using a Distributed Processing Appliance (DPA), what is the Privileged Session Management (PSM) flow of communication from start to finish?
List of network port requirements
Ports 22, 443 and 9443 are required to be open between the TPAM Console appliances and the DPA.
For older versions, the DPAs use SSH over TCP/22 for PSM session startup and for pushing PSM recordings back to the Console appliances. From 2.5.916, the DPAs communicate back to the TPAM Console appliances on TCP/9443 for PSM session initiation, heartbeat, and file transfer. TCP/443 is used for the Gossip protocol and resource allocation for PSM sessions from the Console appliances to the DPA.
The port requirement between the DPA and the target system will depend on platform. Windows systems require port 3389 for RDP connections, Unix / Linux systems require 22 by default. Other types of systems will vary. A PSM Connection profile can be created to use custom ports.
- Workstation (Defined as user’s workstation)
- TPAM (Defined as the Primary TPAM appliance)
- DPA (Defined as the Distributed Processing Appliance hosting the session)
- Server (Defined as the target system to which the user is establishing the session)
Traffic Flow Example For Windows RDP using a DPA
Workstation -> TPAM (Workstation initiates request to TPAM via HTTPS/443)
TPAM -> DPA (TPAM notifies the DPA of the session request using SSH over port 22 / 443)
DPA -> TPAM (DPA communicates back to TPAM over port 9443)
Workstation (when user clicks “Connect”) -> DPA (Applet begins and creates a tunnel over port 22 from the Workstation to the DPA)
DPA -> Server (DPA Appliance initiates the final connection to the Server over port 3389)
Server -> DPA (RDP Traffic is sent back to the DPA over port 3389)
DPA -> Workstation (DPA Sends display directly to the end user over SSH on port 22)
Traffic Flow Example For Unix / Linux SSH using a DPA
Workstation -> TPAM (Workstation initiates request to TPAM via HTTPS/443)
TPAM -> DPA (TPAM notifies the DPA of the session request using SSH over port 22 / 443)
DPA -> TPAM (DPA communicates back to TPAM over port 9443)
Workstation (when user clicks “Connect”) -> DPA (Applet begins and creates a tunnel over port 22 from the Workstation to the DPA)
DPA -> Server (DPA Appliance initiates the final connection to the Server over SSH using port 22)
Server -> DPA (SSH Traffic is sent back to the DPA over port 22)
DPA -> Workstation (DPA Sends display directly to the end user over SSH on port 22)
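The port list and the two traffic flows above translate directly into a set of firewall allow rules. The following Python is an added illustration, not One Identity's code: it models the required rules from the article (including the DPA-to-Console switch from TCP/22 to TCP/9443 at version 2.5.916 and the per-platform or custom target port), then diffs them against a firewall policy to report what is missing. The `allow tcp <src> <dst> <port>` policy format, the role names, the version-parsing helper and the sample policy are all constructed for the example.

```python
"""Model of the TCP allow rules a TPAM PSM session through a DPA needs.

Added example (not One Identity's code). Port numbers follow the KB article;
the rule-table format, role names and sample policy are constructed.
Return traffic (Server -> DPA, DPA -> Workstation) is assumed to be handled by
a stateful firewall, so only the initiating direction is listed.
"""
from typing import Optional, Set, Tuple

# A rule is (source role, destination role, TCP port)
Rule = Tuple[str, str, int]

# Version from which DPA -> TPAM traffic moves from TCP/22 to TCP/9443
DPA_9443_VERSION = (2, 5, 916)

# Default target port per platform; a PSM Connection Profile can override it
DEFAULT_TARGET_PORT = {"rdp": 3389, "ssh": 22}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '2.5.916' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def required_rules(session_type: str, dpa_version: str,
                   target_port: Optional[int] = None) -> Set[Rule]:
    """Return the allow rules for one PSM session type at a given DPA version.

    session_type is 'rdp' (Windows) or 'ssh' (Unix/Linux); target_port
    overrides the platform default, as a custom PSM Connection Profile would.
    """
    if session_type not in DEFAULT_TARGET_PORT:
        raise ValueError(f"unknown session type: {session_type!r}")
    if target_port is None:
        target_port = DEFAULT_TARGET_PORT[session_type]

    rules: Set[Rule] = {
        ("workstation", "tpam", 443),   # user requests the session over HTTPS
        ("tpam", "dpa", 22),            # console notifies DPA over SSH
        ("tpam", "dpa", 443),           # Gossip protocol / resource allocation
        ("workstation", "dpa", 22),     # applet tunnel that carries the display
        ("dpa", "server", target_port), # DPA opens the final hop to the target
    }
    # DPA -> Console direction: SSH/22 on older builds, TCP/9443 from 2.5.916
    if parse_version(dpa_version) >= DPA_9443_VERSION:
        rules.add(("dpa", "tpam", 9443))
    else:
        rules.add(("dpa", "tpam", 22))
    return rules


def parse_policy(text: str) -> Set[Rule]:
    """Parse constructed 'allow tcp <src> <dst> <port>' lines into rules.

    Blank lines and '#' comments are ignored; anything else is rejected so a
    malformed policy cannot silently pass the completeness check.
    """
    rules: Set[Rule] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[0] != "allow" or fields[1] != "tcp":
            raise ValueError(f"unparseable policy line: {raw!r}")
        rules.add((fields[2], fields[3], int(fields[4])))
    return rules


def missing_rules(policy: Set[Rule], session_type: str, dpa_version: str,
                  target_port: Optional[int] = None) -> Set[Rule]:
    """Rules the session needs that the policy does not yet allow."""
    return required_rules(session_type, dpa_version, target_port) - policy


# Constructed sample policy: complete for a pre-2.5.916 DPA, but it still
# allows only the legacy DPA -> TPAM return path on port 22.
SAMPLE_POLICY = """
allow tcp workstation tpam 443
allow tcp tpam dpa 22
allow tcp tpam dpa 443
allow tcp workstation dpa 22
allow tcp dpa server 3389
allow tcp dpa tpam 22      # legacy return path only
"""

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for version in ("2.5.900", "2.5.916"):
        gaps = missing_rules(policy, "rdp", version)
        print(f"DPA {version}, RDP session: missing {sorted(gaps) or 'nothing'}")
```

Running the module shows the sample policy is complete for a 2.5.900 DPA but lacks `dpa -> tpam 9443` once the DPA is at 2.5.916, which is the kind of gap that surfaces as sessions failing to initiate after a DPA upgrade.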