Configure RSA Authentication Manager as a Secure Proxy Server for the Cloud Authentication Service

You can use RSA Authentication Manager as a secure proxy server that sends authentication requests to the Cloud Authentication Service. This configuration supports cloud-based authentication for REST protocol authentication agents, such as RSA Authentication Agent 8.0 or later for PAM, MFA Agent 2.0 for Microsoft Windows, and RSA Authentication Agent 2.0 or later for Microsoft AD FS.

Procedure 

1. Perform the steps in Configure the RSA SecurID Authentication API for Authentication Agents.
2. Connect Authentication Manager to the Cloud Authentication Service. For instructions, see the following:
   • If you are using identity routers on other platforms in your on-premises network or in the Amazon Web Services cloud, see Connect RSA Authentication Manager to the Cloud Authentication Service.
   • To connect with an embedded identity router, see Configure an Embedded Identity Router.

   Note:  While connecting, do not clear the Send Multifactor Authentication Requests to the Cloud checkbox.

   You can connect to the Cloud Authentication Service with RSA Authentication Manager 8.4 Patch 4 or later, and then upgrade to version 8.5, or you can run the wizard after installing or upgrading to version 8.5. By default, RSA Authentication Manager 8.5 is configured to act as a secure proxy server when it is connected to the Cloud Authentication Service. To use high availability with this feature, you must connect again after upgrading from version 8.4 Patch 4 or later.

3. In the Cloud Administration Console, create an access policy for the authentication agents that are connected to the Cloud Authentication Service, or plan to use an existing access policy. For instructions, see Planning Resource Protection with Access Policies and Access Policies.
4. Configure your authentication agents to direct authentication requests to Authentication Manager using the REST protocol and the Cloud Authentication Service access policy. For instructions, see the administrator's documentation for your supported agents.

   Some newer authentication agents, such as the RSA MFA Agent 2.0 for Microsoft Windows, can automatically download offline emergency access codes for users who access the authentication agent. Users can continue to authenticate if the connection to Authentication Manager or the Cloud Authentication Service is not available. For more information, see Emergency Tokencode.

After you finish 

• Authentication Manager automatically downloads offline data day files that some newer authentication agents, such as the RSA MFA Agent 2.0 for Microsoft Windows, can use for uninterrupted authentication to the Cloud Authentication Service. For instructions, see your agent documentation.
• Users can access RSA SecurID protected resources with Authenticate Tokencode when RSA Authentication Manager cannot communicate with the Cloud Authentication Service. For the steps to deploy the high availabilty tokencodes feature, see Configure High Availability Tokencodes.