WatchGuard Technologies Water Heater SSL VPN Manuale Utente
Using RSA SecurID for Authentication
80
Firebox SSL VPN Gateway
The Firebox SSL VPN Gateway supports RSA ACE/Server Version 5.2 and higher. The Firebox SSL VPN
Gateway also supports replication servers. Replication server configuration is completed on the RSA
ACE/Server and is part of the sdconf.rec file that is uploaded to the Firebox SSL VPN Gateway. If this is
configured on the RSA ACE/Server, the Firebox SSL VPN Gateway attempts to connect to the replication
servers if there is a failure or network connection loss with the primary server.
Gateway also supports replication servers. Replication server configuration is completed on the RSA
ACE/Server and is part of the sdconf.rec file that is uploaded to the Firebox SSL VPN Gateway. If this is
configured on the RSA ACE/Server, the Firebox SSL VPN Gateway attempts to connect to the replication
servers if there is a failure or network connection loss with the primary server.
Note
If you are running a RADIUS server on an RSA server, configure RADIUS authentication as described in
“Using RADIUS Servers for Authentication and Authorization” on page 69.
“Using RADIUS Servers for Authentication and Authorization” on page 69.
If a user is not located on the RSA ACE/Server or fails authentication on that server, the Firebox SSL VPN
Gateway checks the user against the user information stored locally on the Firebox SSL VPN Gateway, if
the check box Use the local user database on the Access Gateway is checked on the Settings tab.
Gateway checks the user against the user information stored locally on the Firebox SSL VPN Gateway, if
the check box Use the local user database on the Access Gateway is checked on the Settings tab.
The Firebox SSL VPN Gateway supports Next Token Mode. If a user enters three incorrect passwords, the
Secure Access Client prompts the user to wait until the next token is active before logging on. If a user
logs on too many times with an incorrect password, the RSA server might disable the user’s account.
To contact the RSA ACE/Server, the Firebox SSL VPN Gateway must include a copy of the ACE Agent Host
sdconf.rec configuration file that is generated by the RSA ACE/Server. The following procedures
describe how to generate and upload that file.
Secure Access Client prompts the user to wait until the next token is active before logging on. If a user
logs on too many times with an incorrect password, the RSA server might disable the user’s account.
To contact the RSA ACE/Server, the Firebox SSL VPN Gateway must include a copy of the ACE Agent Host
sdconf.rec configuration file that is generated by the RSA ACE/Server. The following procedures
describe how to generate and upload that file.
Note
The following steps describe the required settings for the Firebox SSL VPN Gateway. Your site might
have additional requirements. Refer to the RSA ACE/ Server documentation for more information.
have additional requirements. Refer to the RSA ACE/ Server documentation for more information.
If the Firebox SSL VPN Gateway needs to be imaged again, see “Resetting the node secret” on page 82.
To generate a sdconf.rec file for the Firebox SSL VPN Gateway
1
On the computer where your RSA ACE/Server Administration interface is installed, go to Start >
Programs > RSA ACE Server > Database Administration - Host Mode.
Programs > RSA ACE Server > Database Administration - Host Mode.
2
In the RSA ACE/Server Administration interface, go to Agent Host > Add Agent Host (or, if you are
changing an Agent Host, Edit Agent Host).
changing an Agent Host, Edit Agent Host).
3
In the Name field, enter a descriptive name for the Firebox SSL VPN Gateway (the Agent Host for
which you are creating a configuration file).
which you are creating a configuration file).
4
In the Network address field, enter the internal Firebox SSL VPN Gateway IP address.
5
For Agent type, select UNIX Agent.
6
Make sure that the Node Secret Created check box is clear and inactive when you are creating an
Agent Host. The RSA ACE/Server sends the Node Secret to the Firebox SSL VPN Gateway the first
time that it authenticates a request from the Firebox SSL VPN Gateway. After that, the Node Secret
Created check box is selected. By clearing the check box and generating and uploading a new
configuration file, you can force the RSA ACE/Server to send a new Node Secret to the Firebox SSL
VPN Gateway.
Agent Host. The RSA ACE/Server sends the Node Secret to the Firebox SSL VPN Gateway the first
time that it authenticates a request from the Firebox SSL VPN Gateway. After that, the Node Secret
Created check box is selected. By clearing the check box and generating and uploading a new
configuration file, you can force the RSA ACE/Server to send a new Node Secret to the Firebox SSL
VPN Gateway.
7
Indicate which users can be authenticated through the Firebox SSL VPN Gateway through one of
the following methods:
• To configure the Firebox SSL VPN Gateway as an open Agent Host, click Open to All Locally
the following methods:
• To configure the Firebox SSL VPN Gateway as an open Agent Host, click Open to All Locally
Known Users and then click OK.
• To select the users to be authenticated, click OK, go to Agent Host > Edit Agent Host, select the
Firebox SSL VPN Gateway host, and then click OK. In the dialog box, click the User Activations
button and select the users.
button and select the users.