000019451 - How to configure 2 ACE/Agents using identical IP addresses to authenticate to the same ACE/Server

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3


Article Number: 000019451
Applies To:
RSA ACE/Server
UNIX
Microsoft Windows
2 separate networks are using the same IP addressing scheme
Unable to add Agent host into database because one with the same IP already exists

Issue: How to configure 2 ACE/Agents using identical IP addresses to authenticate to the same ACE/Server
Resolution

For this to work, the identical IP addresses will need to be NAT'ed to unique IPs when they are on the same network. Having the same IPs on the same network is simply not valid. Some things to consider:

1. The Agent machine is going to encrypt the authentication using what it believes is its primary IP.
2. The Server is going to decrypt the authentication using the IP address that defines the Agent Host in the ACE/Server database.

To make this work in this situation, we need to force the client to use the IP address the server recognizes (the NAT address) for encryption. To do this, use the following solution:

How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent

Make the IP address the NAT'ed address. Then restart the service you are protecting. For instance, if you are protecting a Web server, stop and start the Web services. When you are done, the IP address in the sdopts.rec file and the primary IP address that defines the Agent Host in the ACE/Server database should match, AND it will be the NAT address.

NOTE: This will only work if the client has a file system; third-party products such as some VPNs are not always configurable.
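The following is an added example, not part of the RSA article, that turns the two conditions above into a consistency check: the address the agent encrypts with must equal the primary IP of its Agent Host record, and that IP must be the NAT address. It assumes the sdopts.rec override is written as a `CLIENT_IP=<address>` line (the article names the file but not the keyword), uses constructed sample data, and the function names are hypothetical. It also flags the situation the article starts from, two Agent Hosts sharing one IP, which the ACE/Server database will not accept.

```python
"""Added example (not from the RSA article): checks for the NAT'ed Agent Host
setup described in the text. Sample data is constructed; function names are
hypothetical."""
import re
from typing import Dict, List, Optional

# Assumption: the sdopts.rec IP override takes the form "CLIENT_IP=<address>";
# the article names sdopts.rec but does not quote the keyword.
_CLIENT_IP_RE = re.compile(r"^\s*CLIENT_IP\s*=\s*(\S+)\s*$", re.IGNORECASE)


def parse_client_ip(sdopts_text: str) -> Optional[str]:
    """Return the CLIENT_IP override found in sdopts.rec text, or None if absent."""
    for line in sdopts_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # skip comment lines
            continue
        match = _CLIENT_IP_RE.match(line)
        if match:
            return match.group(1)
    return None


def check_agent_override(sdopts_text: str, db_primary_ip: str,
                         nat_ip: str, local_ip: str) -> List[str]:
    """Return a list of problems; an empty list means the setup is consistent.

    db_primary_ip: primary IP of the Agent Host record on the ACE/Server
    nat_ip:        address the agent's traffic is translated to
    local_ip:      address the agent believes is its own primary IP
    """
    problems: List[str] = []
    override = parse_client_ip(sdopts_text)
    if override is None:
        problems.append(
            f"no CLIENT_IP override: agent will encrypt with local IP {local_ip}")
        override = local_ip  # what the agent will actually use
    if override != db_primary_ip:
        problems.append(
            f"agent encrypts with {override} but server record uses {db_primary_ip}")
    if db_primary_ip != nat_ip:
        problems.append(
            f"server record uses {db_primary_ip}, which is not the NAT address {nat_ip}")
    return problems


def find_duplicate_agent_ips(agent_hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each IP claimed by more than one Agent Host name to those names."""
    by_ip: Dict[str, List[str]] = {}
    for name, ip in agent_hosts.items():
        by_ip.setdefault(ip, []).append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed scenario: two networks both use 192.168.1.10 for a web server,
    # NAT'ed to 10.0.0.11 and 10.0.0.12 when they reach the ACE/Server.
    local_ip = "192.168.1.10"
    sdopts_a = "# site A\nCLIENT_IP=10.0.0.11\n"
    sdopts_b = "# site B, override never set\n"
    print(check_agent_override(sdopts_a, "10.0.0.11", "10.0.0.11", local_ip))
    print(check_agent_override(sdopts_b, "10.0.0.12", "10.0.0.12", local_ip))
    print(find_duplicate_agent_ips({"web-a": local_ip, "web-b": local_ip}))
```

Run it against the real sdopts.rec contents and the Agent Host record from the server to confirm both conditions before restarting the protected service; the second site in the sample shows what a missing override looks like.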

Legacy Article ID: a19837
