Suspicious Incoming Connection

Document ID : KB000016880
Last Modified Date : 06/06/2018
Show Technical Document Details
Introduction:

This technical document explains how we receive a pop-up dialogue box when we are using CA PAM, especially on the Access page.

Question:

Why do I receive an alert entailing CA PAM has received suspicious incoming connections?

 Suspicious.PNG

Answer:

These are ephemeral ports, they would be different every time. When you have the client running and you launch an RDP or SSH session you will see socket connections between local IPs.

Our client (web browser or PAM client) opens local listener ports that applets connect to when an access session is started.  A listener port in general can be accessed to be any other process on the same running system.  So, if multiple users have a client session going, user A in theory could connect to a listener port created for user B and thus get access to a target device to which user B has access.  To protect against that we added a check on the process tree.  If the process trying to connect is a child of the client process, it is fine.  If not, we spit out this warning.

Clicking cancel or OK will not effect your session, but we suggest to press Cancel to prevent any other users fro tampering with your CA PAM client session and possibly hijacking a session/connection using the same service you are binding to.