WatchGuard Technologies SSL VPN manual For Agent type, select UNIX Agent

Using RSA SecurID for Authentication

The Firebox SSL VPN Gateway supports RSA ACE/Server Version 5.2 and higher. The Firebox SSL VPN Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf.rec file that is uploaded to the Firebox SSL VPN Gateway. If this is configured on the RSA ACE/Server, the Firebox SSL VPN Gateway attempts to connect to the replication servers if there is a failure or network connection loss with the primary server.

Note

If you are running a RADIUS server on an RSA server, configure RADIUS authentication as described in “Using RADIUS Servers for Authentication and Authorization” on page 69.

If a user is not located on the RSA ACE/Server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the user information stored locally on the Firebox SSL VPN Gateway, if

the check box Use the local user database on the Access Gateway is checked on the Settings tab.

The Firebox SSL VPN Gateway supports Next Token Mode. If a user enters three incorrect passwords, the Secure Access Client prompts the user to wait until the next token is active before logging on. If a user logs on too many times with an incorrect password, the RSA server might disable the user’s account. To contact the RSA ACE/Server, the Firebox SSL VPN Gateway must include a copy of the ACE Agent Host sdconf.rec configuration file that is generated by the RSA ACE/Server. The following procedures describe how to generate and upload that file.

Note

The following steps describe the required settings for the Firebox SSL VPN Gateway. Your site might have additional requirements. Refer to the RSA ACE/ Server documentation for more information.

If the Firebox SSL VPN Gateway needs to be imaged again, see “Resetting the node secret” on page 82.

To generate a sdconf.rec file for the Firebox SSL VPN Gateway

1On the computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.

2In the RSA ACE/Server Administration interface, go to Agent Host > Add Agent Host (or, if you are changing an Agent Host, Edit Agent Host).

3In the Name field, enter a descriptive name for the Firebox SSL VPN Gateway (the Agent Host for which you are creating a configuration file).

4In the Network address field, enter the internal Firebox SSL VPN Gateway IP address.

5 For Agent type, select UNIX Agent.

6Make sure that the Node Secret Created check box is clear and inactive when you are creating an Agent Host. The RSA ACE/Server sends the Node Secret to the Firebox SSL VPN Gateway the first time that it authenticates a request from the Firebox SSL VPN Gateway. After that, the Node Secret Created check box is selected. By clearing the check box and generating and uploading a new configuration file, you can force the RSA ACE/Server to send a new Node Secret to the Firebox SSL VPN Gateway.

7Indicate which users can be authenticated through the Firebox SSL VPN Gateway through one of the following methods:

•To configure the Firebox SSL VPN Gateway as an open Agent Host, click Open to All Locally Known Users and then click OK.

•To select the users to be authenticated, click OK, go to Agent Host > Edit Agent Host, select the Firebox SSL VPN Gateway host, and then click OK. In the dialog box, click the User Activations button and select the users.