|Applies To||RSA ACE/Server 5.0.3 (no longer supported as of 8-15-2004)|
RSA ACE/Agent 4.4.3
Microsoft Windows 2000
Check Point Firewall-1 NG Feature Pack 3
Check Point ClusterXL
Check Point ClusterXL is a software-based load sharing and high availability solution for Check Point gateway deployments.
|Issue||How to set up Check Point Firewall-1 using Check Point ClusterXL High Availability software to authenticate to RSA ACE/Server|
Both firewalls have an ACE/Agent installed on them.
Both firewalls share one main virtual (cluster) IP address and hostname.
Both firewalls also have their own host IP addresses and names:
Firewall Machine 1:
Firewall Machine 2:
The RSA ACE/Server can only see the firewalls' internal NICs.
|Resolution||Follow these steps to implement this solution:|
1. Define an Agent Host in the RSA ACE/Server database with the cluster details (virtual name and IP address) as the Primary. Then add Secondary nodes for the other NICs.
2. On both firewalls, add the cluster IP address into the 'IP Address Override' field so the ACE/Agent will use this IP address for node secret creation. For further information on how to do this, please see the solution titled How to override the primary address with RSA ACE/Agent 4.4 for Windows NT.
3. Perform a successful authentication going through the primary firewall.
4. Copy the whole 'ACECLIENT' registry key from 'HKEY_LOCAL_MACHINE\SOFTWARE\SDTI' on the primary firewall machine to 'HKEY_LOCAL_MACHINE\SOFTWARE\SDTI' on the secondary firewall machine.
5. Reboot the secondary firewall machine to ensure the registry changes are committed.
You can now test this by stopping the Check Point Firewall services on the Primary machine and then authenticating with the Secondary machine.
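The following script is an added example, not part of the RSA article or of the ACE/Agent product, showing one way to carry out steps 3 to 5 and to confirm that both cluster nodes hold the same node secret before the failover test. It assumes a current Windows build with PowerShell and reg.exe (the article's Windows 2000 nodes would use regedit's /e and /s switches for the same export and import); the file paths and function names are illustrative.

```powershell
# Added example (not from the RSA article): copy the ACECLIENT key from the
# primary ClusterXL node to the secondary and prove both nodes hold the same
# node secret before failing over. Assumes PowerShell 3+ and reg.exe.
$AceClientKey = 'HKLM\SOFTWARE\SDTI\ACECLIENT'   # key named in step 4 of the article

function Export-AceClientKey {
    # Run on the primary firewall after the successful authentication in step 3.
    # Returns the SHA-256 hash of the export so it can be compared on the secondary.
    param([Parameter(Mandatory)][string]$Path)
    # /y overwrites an existing file. The export contains the node secret, so
    # keep it on protected storage and remove it once the import is done.
    & reg.exe export $AceClientKey $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $AceClientKey failed ($LASTEXITCODE)" }
    return (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

function Import-AceClientKey {
    # Run on the secondary firewall with the .reg file copied from the primary.
    param([Parameter(Mandatory)][string]$Path)
    & reg.exe import $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $Path failed ($LASTEXITCODE)" }
    Remove-Item -Path $Path -Force   # do not leave a copy of the node secret behind
}

function Test-AceClientKeyMatch {
    # Run on the secondary after the reboot in step 5: re-export the key and
    # compare its hash with the one recorded on the primary. A mismatch means the
    # secondary will fail node-secret validation as soon as it becomes active.
    param([Parameter(Mandatory)][string]$PrimaryHash)
    $tmp = Join-Path $env:TEMP 'aceclient-verify.reg'
    & reg.exe export $AceClientKey $tmp /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $AceClientKey failed ($LASTEXITCODE)" }
    $localHash = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
    Remove-Item -Path $tmp -Force
    return ($localHash -eq $PrimaryHash)
}

# Usage sketch (paths are illustrative):
#   primary>   $h = Export-AceClientKey -Path 'D:\secure\aceclient.reg'   # record $h
#   (copy aceclient.reg to the secondary over an authenticated, encrypted channel)
#   secondary> Import-AceClientKey -Path 'D:\secure\aceclient.reg'; Restart-Computer
#   secondary> Test-AceClientKeyMatch -PrimaryHash $h   # expect True before failing over
```

Only run the failover test in the article once Test-AceClientKeyMatch returns True; a False result means the secondary would present a different node secret to the ACE/Server under the shared cluster address.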
|Legacy Article ID||a15360|