000026209 - How to configure RSA ACE/Agent and Authentication Agent through firewalls using Network Address Translation (NAT) and ALIAS

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026209
Applies ToRSA ACE/Server
RSA Authentication Manager6.1.2 AM 7.1 SP4
RSA ACE/Agent RSA Authentication Agen
Multiple NICs multiple IP addresses on AM Server alias IP address alternate IP address
sdopts.rec; sdconf.rec
Network Address Translation (NAT)
IssueHow to configure RSA ACE/Agent and Authentication Agent through firewalls using Network Address Translation (NAT) and ALIAS
ResolutionAM 7.1 SP4 instructions
Use the following information to configure RSA ACE/Agent and Authentication Agent that uses the Agent Protocol:
The Agent Host can connect to its Servers through firewalls if the alternate IP addresses (aliases) for those servers are either specified in the Agent's configuration record file (sdconf.rec), or are provided by a Ace Server or Authentication manger upon request by the Agent. The Agent automatically checks the alias IP address information before using those aliases to send its authentication requests to the servers. You can also indicate additional firewall IP addresses to be used to contact servers. Finally, you can specify an overriding IP address for the Agent Host if that host is a multi-homed server or have a Natted IP. These depend on settings that you specify in an optional, flat text file named sdopts.rec.
Use any text editor to create or modify an sdopts.rec file. After you set up the sdopts.rec file, save the file into the correct directory for your Agent Host platform. On Windows, store the file in %SYSTEMROOT%\system32. On UNIX, store the file in the /var/ace directory (or in the directory being pointed to by the $VAR_ACE system variable).
To protect the file from unintended changes, change the permission settings on your sdopts.rec file so that only administrators can modify it. Share the sdopts.rec file information for your Agent with the Server administrators. They will want to know about increased demand made on the Servers because of Agent sdopts.rec settings.
Each time that you modify the sdopts.rec file, you must restart the Agent to acknowledge your changes.
Note: No more than 11 actual Server IP addresses should be specified concurrently by the sdconf.rec and sdopts.rec files. Make certain that you specify IP addresses correctly in the sdopts.rec file.
You can place comments in the file if you begin each comment line with a semicolon. The following keywords and values are used for aliasing:
ALIAS=ip_address, alias_ip_address_1[, alias_ip_address_2, alias_ip_address_3]: Specifies one or more alternate IP addresses (aliases) for a Server. Aliases for a Server can be specified in the Agent sdconf.rec file. Use the ALIAS keyword to specify the IP addresses of up to three additional firewalls through which the specified Server can be contacted by the Agent. The value for the ALIAS keyword must consist of the Server?s actual IP address, followed by up to three alias IP addresses for that Server. The Agent will send its timed requests to both the actual and the alias IP addresses.
Only the actual IP address specified by the ALIAS keyword must be known to the Server that is being specified. In addition, the actual IP address must be included on any Server list received by the Agent. The Server list provides actual and alias IP address information about all known Servers in the realm, and the Agent receives the Server list from a 5.0 Server after the Server validates an authentication request.
ALIASES_ONLY: Specifies that the Agent should send its timed requests only to Servers that have alias IP addresses assigned to them. If you use this keyword, make certain that at least one Server has an alias IP address specified for it either in sdconf.rec or in sdopts.rec. This keyword cannot be used at the same time as the IGNORE_ALIASES keyword. If both keywords are present in the file, the one not being used must be preceded by a semicolon.
IGNORE_ALIASES: Specifies that all alias IP addresses found in the sdopts.rec file, the sdconf.rec file, or on the Server list provided by Servers will be ignored. Use this keyword if you want only actual IP addresses, not alias addresses, to be used by the Agent when contacting RSA ACE/Servers. You should use IGNORE_ALIASES when all Servers used by the Agent are local Servers, not Servers on the other side of a firewall. This keyword cannot be used at the same time as the ALIASES_ONLY keyword. If both keywords are present in the file, the one not being used must be preceded by a semicolon.
You can put the settings in the file in any order, but each setting must be listed separately in the file, one setting per line. Here is an example featuring only keywords related to Server alias addresses:
;Any line of text preceded by a semicolon is ignored as a comment
;Do not put a blank space between a keyword an it's equal sign
;Blank spaces are permitted after the equal sign, after the IP address, and after the comma that
;separates an IP address from other IP addresses.
ALIAS=999.999.999.1,  999.999.999.11, 999.999.999.12, 999.999.999.13
ALIAS=999.999.999.2,  999.999.999.222
ALIAS=999.999.999.3,  999.999.999.33, 999.999.999.333
;The ALIASES_ONLY and IGNORE_ALIASES keywords cannot be used together.
;Do not enable either keyword unless it is appropriate for your site.
The Server with the actual IP address 999.999.999.1 has three alias addresses specified for it, while Servers 999.999.999.2 has only one alias, and Server 999.999.999.3 has two alias addresses specified for it. The aliases specified by the ALIAS keywords are provided in addition to any aliases specified in sdconf.rec or on the Server list. Neither the ALIASES_ONLY nor the IGNORE_ALIASES keywords are enabled, which means that both actual and alias IP addresses will be used by the Agent when it attempts to communicate with Servers.
Note: You can use the USESERVER and ALIAS keywords together in the sdopts.rec file, just as you can include whichever keywords defined for use in the file as you like. However, USESERVER keywords do not affect the alias addresses used to connect to Servers, and ALIAS keywords have no effect on which Servers are specified for use.
How the Agent Uses sdopts.rec File Information - If you create an sdopts.rec file for your Agent, the file is put into effect during the Agent startup process. How it is put into effect depends on two other files present on the Agent Host: the Agent configuration record file (sdconf.rec) and status file (sdstatus).
How to manually control Agent Host load balancing
File information of sdconf.rec, sdopts.rec, and sdstatus.12
How to set overriding IP address for RSA ACE/Agent and RSA Authentication Agent
WorkaroundThe RSA ACE/Agent and Authentication Agent protocol is designed to be much easier to pass through a firewall via 5500/UDP. Certain firewall issues can be eliminated by upgrading the ACE/Server and ACE/Agent to latest supported version.
Legacy Article IDa2752