Using RSA SecurID for Authentication
82
Firebox SSL VPN Gateway
Configuring RSA Settings for a Cluster
If you have two or more appliances configured as a cluster, the sdconf.rec file needs to contain the
FQDNs of all the appliances. The sdconf.rec file is installed on one Access Gateway and then published.
This allows all of the appliances to connect to the RSA server.
You can also limit connections to the RSA server from user connections. For example, you have three
appliances in your cluster. If the FQDNs of the first and second appliances are included in the sdconf.rec
file and the third appliance is not, users can connect only to the RSA server using the first two appli-
ances.
Resetting the node secret
If you reimaged the Firebox SSL VPN Gateway, giving it the same IP address as before, and restored your
configuration, you must also reset the node secret on the RSA ACE/Server. Because the Firebox SSL VPN
Gateway was reimaged, the node secret no longer resides on it and an attempt to authenticate with the
RSA ACE/Server fails.
After you reset the server secret on the RSA ACE/Server, the next authentication attempt prompts the
RSA ACE/Server to send a node secret to the Firebox SSL VPN Gateway.
To reset the node secret on the RSA ACE/Server
1
On the computer where your RSA ACE/Server Administration interface is installed, go to
Start >
Programs > RSA ACE Server > Database Administration - Host Mode
.
2
In the RSA ACE/Server Administration interface, go to
Agent Host > Edit Agent Host
.
3
Select the Firebox SSL VPN Gateway IP address from the list of agent hosts.
4
Clear the
Node Secret Created
check box and save the change.
5
The RSA server sends the node secret on the next authentication attempt from the Firebox SSL VPN
Gateway.
Configuring Gemalto Protiva Authentication
Protiva is a strong authentication platform that was developed to use the strengths of Gemalto’s smart card
authentication. With Protiva, users log on with a user
name, password, and one-time password generated
by the Protiva device. Similar
to RSA SecurID, the authentication request is sent to the Protiva Authentica-
tion Server and the password is either validated or rejected.
To configure Gemalto Protiva to work with the Access Gateway, use the following guidelines:
•
Install the Protiva server.
•
Install the Protiva Internet Authentication Server (IAS) agent plug-in on a Microsoft IAS RADIUS server.
Make sure you note the IP address and port number of the IAS server
•
Configure a realm on the Access Gateway to use RADIUS authentication and enter the settings of the
Protiva server.
To configure a Gemalto Protiva realm
1
In the Administration Tool, click the
Authentication
tab.
2
Under
Add an Authentication Realm
, in
Realm name
, type a name.
3
Select
One Source
and then click
Add
.
Summary of Contents for SSL 1000
Page 1: ...WatchGuard Firebox SSL VPN Gateway Administration Guide Firebox SSL VPN Gateway...
Page 40: ...Using the Firebox SSL VPN Gateway 30 Firebox SSL VPN Gateway...
Page 118: ...Setting the Priority of Groups 108 Firebox SSL VPN Gateway...
Page 146: ...Managing Client Connections 136 Firebox SSL VPN Gateway...
Page 168: ...Generating Trusted Certificates for Multiple Levels 158 Firebox SSL VPN Gateway...
Page 190: ...180 Firebox SSL VPN Gateway...
Page 198: ...188 Firebox SSL VPN Gateway...