WatchGuard Technologies SSL VPN User Guide

Using RSA SecurID for Authentication
Configuring RSA Settings for a Cluster
If you have two or more appliances configured as a cluster, the sdconf.rec file needs to contain the 
FQDNs of all the appliances. The sdconf.rec file is installed on one Access Gateway and then published. 
This allows all of the appliances to connect to the RSA server.
You can also use the sdconf.rec file to limit which appliances users can reach the RSA server through. For example, suppose you have three appliances in your cluster. If the FQDNs of the first and second appliances are included in the sdconf.rec file and the FQDN of the third is not, users can connect to the RSA server only through the first two appliances.
Resetting the node secret
If you reimaged the Firebox SSL VPN Gateway, giving it the same IP address as before, and restored your 
configuration, you must also reset the node secret on the RSA ACE/Server. Because the Firebox SSL VPN 
Gateway was reimaged, the node secret no longer resides on it and an attempt to authenticate with the 
RSA ACE/Server fails.
After you reset the node secret on the RSA ACE/Server, the next authentication attempt prompts the RSA ACE/Server to send a new node secret to the Firebox SSL VPN Gateway.
To reset the node secret on the RSA ACE/Server
1. On the computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.
2. In the RSA ACE/Server Administration interface, go to Agent Host > Edit Agent Host.
3. Select the Firebox SSL VPN Gateway IP address from the list of agent hosts.
4. Clear the Node Secret Created check box and save the change.
5. The RSA server sends the node secret on the next authentication attempt from the Firebox SSL VPN Gateway.
Configuring Gemalto Protiva Authentication
Protiva is a strong authentication platform that was developed to use the strengths of Gemalto’s smart card authentication. With Protiva, users log on with a user name, password, and one-time password generated by the Protiva device. Similar to RSA SecurID, the authentication request is sent to the Protiva Authentication Server and the password is either validated or rejected.
To configure Gemalto Protiva to work with the Access Gateway, use the following guidelines:
• Install the Protiva server.
• Install the Protiva Internet Authentication Server (IAS) agent plug-in on a Microsoft IAS RADIUS server. Make sure you note the IP address and port number of the IAS server.
• Configure a realm on the Access Gateway to use RADIUS authentication and enter the settings of the Protiva server.
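As an added illustration of the RADIUS exchange the realm performs against the Protiva IAS server (example code, not part of this guide or of WatchGuard's or Gemalto's software): it builds an RFC 2865 Access-Request carrying the user name and the hidden User-Password (static password plus one-time password), shows how the server recovers it, and checks the Response Authenticator of the reply so that a forged or mismatched Access-Accept is discarded. The shared secret, user name and password values are constructed for the demonstration.

```python
"""RFC 2865 Access-Request encoding and reply verification (constructed example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, chain_on_output: bool) -> bytes:
    """RFC 2865 s5.2: block i is XORed with MD5(secret + c_{i-1}), where c_{-1} is the
    Request Authenticator and c_i is the i-th *ciphertext* block (input when decrypting)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Gateway side: NUL-pad to a multiple of 16 octets (at least one block) and hide."""
    padded = password + b"\x00" * (-len(password) % 16 if password else 16)
    return _xor_blocks(padded, secret, authenticator, chain_on_output=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side (IAS/RADIUS): undo hide_password and strip the NUL padding."""
    return _xor_blocks(hidden, secret, authenticator, chain_on_output=False).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, user: str, pw_plus_otp: str, secret: bytes, authenticator: bytes = None) -> bytes:
    """Gateway -> RADIUS server. The Protiva user supplies password + one-time password as one string."""
    authenticator = authenticator or os.urandom(16)  # must be fresh and unpredictable per request
    attrs = attribute(ATTR_USER_NAME, user.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(pw_plus_otp.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server -> gateway. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Gateway check before trusting a reply: a bad Response Authenticator (forged code,
    reply to a different request, or wrong shared secret) means the packet is discarded."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Only the Response Authenticator ties an Access-Accept to the request the gateway sent; the reply carries no other proof of origin, which is why the shared secret configured in the realm must match the IAS server exactly.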
To configure a Gemalto Protiva realm
1. In the Administration Tool, click the Authentication tab.
2. Under Add an Authentication Realm, in Realm name, type a name.
3. Select One Source and then click Add.