000025535 - Cross realm with a firewall between the two Primary ACE/Servers

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000025535
Applies To: RSA Authentication Manager
RSA ACE/Server
Cross realm
Firewall
Ports
Microsoft Windows
UNIX (AIX, HP-UX, Solaris)
Issue: Cross realm with a firewall between the two Primary ACE/Servers
Cause: Authenticating across realms requires dynamically allocated UDP ports. These UDP ports are used for communication between the remote realm and the user's home realm, and for certain types of internal communication on the RSA ACE/Server. There must be at least one available UDP port for each backend process (aceserver_be.exe on Windows, _aceserver_be on UNIX) running on the RSA ACE/Server.

If there is a firewall between the realms, then in addition to 5500/udp a range of at least 11 UDP ports should be opened, from which the required port can be allocated during cross-realm authentication. The Master Servers in both realms, and any Slave Servers, should be configured to use the same range of port numbers by setting the minimum and maximum port number in the Windows registry (if ACE/Server is on Windows) or as environment variables (if ACE/Server is running on UNIX). The maximum port number must be at least ten greater than the minimum port number (a span of at least 11 ports). By default the minimum port number is set to 0 (which means that the first available port will be used for communication) and the maximum port number is set to 65535. If there is no firewall between the realms, it is not necessary to constrain the range of port numbers that the RSA ACE/Server uses for communication between realms.

Each backend ACE/Server process claims a static port on which to communicate: either a random port, or a port from the configured range. The range must be at least 11 ports. Within the range, each backend process takes the next available port, starting from the lowest numbered port. For example:

MINIMUM_BE_PORT=10000
MAXIMUM_BE_PORT=10010

If there are two backend processes, ports 10000 and 10001 will be used, unless one of those ports is already tied up by another process, in which case the next free port in the range is taken.
Resolution: If RSA Authentication Manager or RSA ACE/Server is running on Windows:

1. Start > Run > Regedt32 > HKEY_LOCAL_MACHINE > SOFTWARE >
   SDTI > ACESERVER > CurrentVersion.
2. Add the values:

   MinimumBEPort:REG_SZ:10000
   MaximumBEPort:REG_SZ:10010

   (This example uses the port numbers 10000-10010. However, any range within
    1025-65535 that spans at least 11 ports will work.)

If RSA Authentication Manager or RSA ACE/Server is running on UNIX:

1. Make sure that no ACE/Server processes are running.
2. Edit the file aceserver ( /ace/prog/aceserver ) and set the environment
   variables. Include the lines in the section of the startup script that sets the
   values for VAR_ACE, USR_ACE, and DLC. For example, if you wanted the
   minimum port to be 10000 and the maximum port to be 10010, include the
   following lines:

   MINIMUM_BE_PORT=10000
   export MINIMUM_BE_PORT
   MAXIMUM_BE_PORT=10010
   export MAXIMUM_BE_PORT

   If you do not set the variables, the default values (1000-9999) are used.
   On the firewall, the above ports must be opened as destination ports in
   both directions.

WARNING: Make sure that the required range of port numbers is available at all times. If the RSA ACE/Server cannot bind to a port in the range, it exits with a fatal error. Configure a correct range of port numbers, and then restart the Server.

NOTE: If the ACE/Server is reinstalled, the minimum and maximum ports will be set to the default values.

Reset the minimum and maximum values to reflect the range of ports that you want to use.
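The following POSIX shell script is an added example and is not part of the RSA article or the ACE/Server product. It checks a candidate backend port range against the rules above (1025-65535, span of at least 11 ports), prints the export lines in the form the UNIX step 2 expects, lists the cross-realm flows the firewall must pass for a given number of backend processes, and scans "netstat -an"-style output for UDP ports already bound inside the range, which is the condition that makes the server exit at startup. The function names are the example's own. The netstat parser assumes the Linux/BSD column layout, where the fourth field is the local address; Solaris prints UDP sockets differently, so adjust the field number there. The sample netstat lines are constructed, not captured from a real server.

```sh
#!/bin/sh
# Added example (not RSA's code): validate and document a MINIMUM_BE_PORT /
# MAXIMUM_BE_PORT range before restarting ACE/Server.

# validate_be_range MIN MAX
# Returns 0 if MIN and MAX are digits, lie within 1025-65535, and span at
# least 11 ports (MAX - MIN >= 10); returns 1 otherwise.
validate_be_range() {
    min=$1; max=$2
    for v in "$min" "$max"; do
        case "$v" in ''|*[!0-9]*) return 1;; esac
    done
    [ "$min" -ge 1025 ] || return 1
    [ "$max" -le 65535 ] || return 1
    [ $((max - min)) -ge 10 ] || return 1
    return 0
}

# be_range_exports MIN MAX
# Print the four lines to paste into the section of /ace/prog/aceserver that
# sets VAR_ACE, USR_ACE and DLC.
be_range_exports() {
    validate_be_range "$1" "$2" || { echo "invalid range $1-$2" >&2; return 1; }
    printf 'MINIMUM_BE_PORT=%s\nexport MINIMUM_BE_PORT\n' "$1"
    printf 'MAXIMUM_BE_PORT=%s\nexport MAXIMUM_BE_PORT\n' "$2"
}

# cross_realm_flows MIN NPROCS
# Print the flows between the local server and the home realm: each backend
# port to the home realm's 5500/udp, then every backend port pair in both
# directions. Assumes the backend processes take consecutive ports from MIN,
# as the article describes.
cross_realm_flows() {
    min=$1; nprocs=$2
    i=0
    while [ "$i" -lt "$nprocs" ]; do
        printf '%s -> 5500\n' $((min + i))
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt "$nprocs" ]; do
        j=0
        while [ "$j" -lt "$nprocs" ]; do
            printf '%s <-> %s\n' $((min + i)) $((min + j))
            j=$((j + 1))
        done
        i=$((i + 1))
    done
}

# ports_in_use_in_range MIN MAX  < netstat -an output
# Print each UDP local port already bound inside MIN-MAX (TCP sockets do not
# conflict). Exit status 0 = range is clear, 1 = at least one port is taken.
ports_in_use_in_range() {
    awk -v min="$1" -v max="$2" '
        $1 ~ /^udp/ {
            n = split($4, a, "[.:]")      # local address host:port or host.port
            p = a[n] + 0
            if (p >= min && p <= max) { print p; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample of "netstat -an" output (not from a real server).
# 10003/udp is inside the example range; 10004 is TCP and does not matter.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:5500            0.0.0.0:*
udp        0      0 0.0.0.0:10003           0.0.0.0:*
udp        0      0 127.0.0.1:514           0.0.0.0:*
tcp        0      0 0.0.0.0:10004           0.0.0.0:*               LISTEN'

if validate_be_range 10000 10010; then
    be_range_exports 10000 10010
    echo "local dir home"
    cross_realm_flows 10000 2
    printf '%s\n' "$SAMPLE_NETSTAT" | ports_in_use_in_range 10000 10010 \
        || echo "conflict: free these UDP ports or choose another range before restarting"
fi
```

On a live server, replace the constructed sample with `netstat -an | ports_in_use_in_range 10000 10010` after stopping ACE/Server and before starting it again; the same range check applies to the MinimumBEPort and MaximumBEPort registry values on Windows.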

You can also limit the number of authentication back-end processes that RSA Authentication Manager (ACE/Server) starts on multi-processor platforms (see the separate article, How to limit the number of authentication back-end processes started by RSA Authentication Manager (ACE/Server) on multi-processor platforms) and thereby reduce the number of required ports; however, this will reduce the authentication rate the ACE/Server can sustain.

Network traffic for cross-realm authentication with the above configuration (two backend processes on 10000 and 10001) is shown below, where:

local is the server receiving the client request
dir is the direction of traffic
home is the server for the home realm of the user

local     dir     home
10000     ->      5500
10001     ->      5500
10000     <->     10000
10000     <->     10001
10001     <->     10000
10001     <->     10001
Legacy Article ID: a161
