WatchGuard Technologies SSL VPN Configuring RSA Settings for a Cluster, Resetting the node secret

Models: SSL VPN

Using RSA SecurID for Authentication

Configuring RSA Settings for a Cluster

If you have two or more appliances configured as a cluster, the sdconf.rec file must contain the FQDNs of all the appliances. The sdconf.rec file is installed on one Access Gateway and then published, which allows all of the appliances to connect to the RSA server.

You can also use the sdconf.rec file to limit which appliances can carry user connections to the RSA server. For example, suppose you have three appliances in your cluster. If the FQDNs of the first and second appliances are included in the sdconf.rec file and the third is not, users can connect to the RSA server only through the first two appliances.

Resetting the node secret

If you reimaged the Firebox SSL VPN Gateway, giving it the same IP address as before, and restored your configuration, you must also reset the node secret on the RSA ACE/Server. Because the Firebox SSL VPN Gateway was reimaged, the node secret no longer resides on it and an attempt to authenticate with the RSA ACE/Server fails.

After you reset the node secret on the RSA ACE/Server, the next authentication attempt prompts the RSA ACE/Server to send a new node secret to the Firebox SSL VPN Gateway.

To reset the node secret on the RSA ACE/Server

1. On the computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.

2. In the RSA ACE/Server Administration interface, go to Agent Host > Edit Agent Host.

3. Select the Firebox SSL VPN Gateway IP address from the list of agent hosts.

4. Clear the Node Secret Created check box and save the change.

5. The RSA server sends the node secret on the next authentication attempt from the Firebox SSL VPN Gateway.

Configuring Gemalto Protiva Authentication

Protiva is a strong authentication platform that was developed to use the strengths of Gemalto's smart card authentication. With Protiva, users log on with a user name, password, and a one-time password generated by the Protiva device. As with RSA SecurID, the authentication request is sent to the Protiva Authentication Server and the password is either validated or rejected.

To configure Gemalto Protiva to work with the Access Gateway, use the following guidelines:

Install the Protiva server.

Install the Protiva Internet Authentication Server (IAS) agent plug-in on a Microsoft IAS RADIUS server. Make a note of the IP address and port number of the IAS server; you need them when you configure the realm.

Configure a realm on the Access Gateway to use RADIUS authentication and enter the settings of the Protiva server.

To configure a Gemalto Protiva realm

1. In the Administration Tool, click the Authentication tab.

2. Under Add an Authentication Realm, in Realm name, type a name.

3. Select One Source and then click Add.
