Double-Hop SSH and RDP Proxy Configuration

Configuring PAM for Double-Hop Remote SSH Proxy, SSH Tunnel and RDP Proxy Sessions.

In order to configure PAM to support a double-hop SSH or RDP Proxy, you will need to deploy more than just a single Session Manager component to your remote server.

Please review the article Deployment Architecture to Scale Session Manager that discusses the reasons to deploy remote session manager nodes.

Additional components are required for a successful SSH Proxy, SSH Tunnel or RDP Proxy remote connection.

Configuring components

This article describes the process of deploying and configuring PAM components to setup this Double-Hop scenario.

  1. On the remote Session Manager node server only, run the PAM Setup Installer (Windows or Linux) and select the following components only:
    • Internal Database

    • Directory Service

    • Job Engine

  2. Choose the same Destination Folder where PAM is currently deployed on this server. We will be adding components to your existing deployment, not creating a new instance.

  3. Enter a password for your new pamadmin account on this remote node. This is not required, but if you know the password of this account from your main node(s), you can reuse it here. Otherwise, create a new password and be sure to save it somewhere safe.

  4. Do not enable a Federated Connection (“Enable SSO”) when asked.

  5. Establishing an Active Directory integration with this node is not required. Simply leave it blank and continue.

  6. Save all the installation and password details to a file in a safe location and Finish the installation.

  7. The new required components are now installed on your existing node. Next, enter the new parameters into your remote Session Manager’s configuration file.

    1. On this remote Session Manager node, open the $PAM_HOME/web/conf/catalina.properties file in a text editor and add the following (or confirm the parameters if they already exist):

      • xtam.http.proxy=true

      • xtam.http.proxy.port=8081

        • The proxy port defined above, 8081, should match the value in Administration > Settings > Parameters > HTTP Proxy Port on the main PAM node. If the main node uses a different value, use that one.

        • Please note that this port will need to be opened between the main node and your remote node just as the standard 4822 port is currently configured for remote sessions.

      • cas.tgc.crypto.signing.key=<THE VALUE OF THIS KEY FROM THE MAIN NODE>

        • The value of cas.tgc.crypto.signing.key must be identical to the value of this key in the main node’s $PAM_HOME/web/conf/catalina.properties file. This parameter might already exist in the remote node file; in that case, change its value to match the value on the main node. Watch for leading and trailing spaces, which must be removed. This is the shared key for service authentication.

    2. Save and close the catalina.properties file on the Session Manager node.

    3. Restart the new PamManagement / pammanager service running on this remote node.

    4. Once the remote node is back online (about 3-5 mins), test your SSH/RDP Proxy or Tunnel session.

Troubleshooting Steps

  1. Check that the port (default: 8081) defined in the catalina.properties file on the remote node matches the value in Administration > Settings > Parameters > HTTP Proxy Port on the main PAM node.
  2. Check that the port (default: 8081) defined in the catalina.properties file on the remote node is accessible from the main PAM node (telnet from main PAM node to check).
  3. Check that the Proximity group on the main node GUI for the destination server matches the address on the remote node.
  4. Check the value of cas.tgc.crypto.signing.key property in $PAM_HOME/web/conf/catalina.properties matches between main and remote nodes.
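The parameter comparison from step 7.1 and troubleshooting checks 1, 2 and 4 above, as an added example: a POSIX shell script that is not part of PAM or its documentation. It assumes two catalina.properties files to compare (the constructed fragments it writes under $TMPDIR stand in for the real $PAM_HOME/web/conf/catalina.properties files of the two nodes), a placeholder signing-key value, and the nc utility for the optional port check that stands in for the telnet test.

```shell
#!/bin/sh
# Added example (not part of the PAM product): verify the double-hop parameters of a
# remote Session Manager node against the main node's catalina.properties.
# The sample files and the signing-key value below are constructed placeholders.

# get_prop_raw FILE KEY: print the value after '=' exactly as it appears in the file
# (whitespace kept), using the last non-comment match, as Java properties files do.
get_prop_raw() {
  pattern=$(printf '%s\n' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
  grep -E "^[[:space:]]*${pattern}[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# trim STRING: strip leading and trailing whitespace
trim() {
  printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# compare_props MAIN_FILE REMOTE_FILE: returns 0 if the shared signing key and the proxy
# port match and the remote node has xtam.http.proxy=true; otherwise prints each problem
# and returns 1.
compare_props() {
  main="$1"; remote="$2"; rc=0
  for key in cas.tgc.crypto.signing.key xtam.http.proxy.port; do
    m_raw=$(get_prop_raw "$main" "$key");   m=$(trim "$m_raw")
    r_raw=$(get_prop_raw "$remote" "$key"); r=$(trim "$r_raw")
    if [ -z "$r" ]; then
      echo "MISSING    $key is not set on the remote node"; rc=1
    elif [ "$m" != "$r" ]; then
      echo "MISMATCH   $key: main='$m' remote='$r'"; rc=1
    elif [ "$m_raw" != "$r_raw" ]; then
      # the article's warning: the values only agree once surrounding spaces are removed
      echo "WHITESPACE $key: values match only after trimming, remove the surrounding spaces"; rc=1
    else
      echo "OK         $key"
    fi
  done
  if [ "$(trim "$(get_prop_raw "$remote" xtam.http.proxy)")" != "true" ]; then
    echo "MISSING    xtam.http.proxy=true on the remote node"; rc=1
  fi
  return $rc
}

# check_port HOST PORT: the telnet test of troubleshooting step 2, run from the main node.
# Requires nc; returns 0 when a TCP connection to HOST:PORT can be opened within 3 seconds.
check_port() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Constructed sample files standing in for the two nodes' catalina.properties.
SAMPLE_DIR="${TMPDIR:-/tmp}/pam-doublehop-example.$$"
mkdir -p "$SAMPLE_DIR"
MAIN_PROPS="$SAMPLE_DIR/main.properties"
REMOTE_PROPS="$SAMPLE_DIR/remote-ok.properties"
BAD_REMOTE_PROPS="$SAMPLE_DIR/remote-bad.properties"

printf '%s\n' '# main PAM node (constructed sample)' \
  'xtam.http.proxy.port=8081' \
  'cas.tgc.crypto.signing.key=PLACEHOLDER-SIGNING-KEY-FROM-MAIN' > "$MAIN_PROPS"
# correctly configured remote Session Manager node
printf '%s\n' '# remote node, correct (constructed sample)' \
  'xtam.http.proxy=true' \
  'xtam.http.proxy.port=8081' \
  'cas.tgc.crypto.signing.key=PLACEHOLDER-SIGNING-KEY-FROM-MAIN' > "$REMOTE_PROPS"
# misconfigured remote node: wrong port, and the key was pasted with spaces around it
printf '%s\n' '# remote node, misconfigured (constructed sample)' \
  'xtam.http.proxy=true' \
  'xtam.http.proxy.port=8080' \
  'cas.tgc.crypto.signing.key= PLACEHOLDER-SIGNING-KEY-FROM-MAIN ' > "$BAD_REMOTE_PROPS"

echo "== remote node, correct =="
compare_props "$MAIN_PROPS" "$REMOTE_PROPS"
echo "== remote node, misconfigured =="
compare_props "$MAIN_PROPS" "$BAD_REMOTE_PROPS" \
  || echo "fix $BAD_REMOTE_PROPS, then restart the pammanager service"
```

To use it against real nodes, copy the remote node's catalina.properties next to the main node's copy and call compare_props with the two paths; the WHITESPACE line is the case the article warns about, where the key looks identical but carries leading or trailing spaces. From the main node, check_port <remote-node-address> 8081 reproduces the telnet reachability test for the proxy port.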