000025607 - Remote Administration to server through a firewall doing Network Address Translation

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025607
Applies To: RSA ACE/Server
RSA Authentication Manager 6.1
Sun Solaris / SPARC
Cisco PIX Firewall
Issue: Remote Administration to server through a firewall doing Network Address Translation
The ACE/Server does not have a public IP address.
The ACE/Server sits on a high-security LAN behind the firewall. Its IP address is non-routable and cannot be reached from outside the firewall. The user wants to perform remote administration through the firewall, because the database administrators connect from the Internet to the remote administration machine, but does not want to give the ACE/Server a public IP address. How can this be achieved?
Resolution

To perform remote administration of a server with a non-routable IP address, perform the following steps:

1. Generate the sdconf.rec file with a valid, externally resolvable IP address (IP address A). This address must also be added to the replica table as an alias:

sdrepmgmt list

sdrepmgmt modify

Enter the Primary server name, then enter the translated (external) IP address as the alias IP address.

2. Copy this sdconf.rec file to the remote administration machine.

3. In the ACE/Server configuration management tool, change the IP address to the internal, non-routable private IP address (IP address B).

4. On the PIX firewall, make sure there is a 1-to-1 static NAT entry for all packets destined for the ACE/Server. For example, if a packet arrives on the outside interface (Interface 1) addressed to XXX.168.0.1, make sure it always leaves the inside interface (Interface 2) addressed to YYY.168.0.2. In short, the translation for the ACE/Server must be static, so that it always sees the same address from the firewall.

5. On the firewall, open the following ports to allow traffic from the Remote Administration machine to the ACE/Server:

   Destination Port: 5550/tcp
   Source Port:        1024-65535

   Destination Port: 5520/tcp
   Source Port:        1024-65535

   Destination Port: 5530/tcp
   Source Port:        1024-65535

In addition to the ports listed above, each remote administration session opens two further, dynamically chosen ports. To limit the range from which these ports are chosen (so that the firewall can permit it without opening every high port), the Progress database supports the -minport/-maxport switches.

6. On the ACE/Server, in the ace/rdbms32 (NT) or ace/rdbms (UNIX) directory, edit the startup.pf file and add:

   -minport ####    (see the notes below)
   -maxport ####

NOTE 1: The minport value cannot be less than 3000 (the default minport is 3000).

NOTE 2: The lowest port actually used for connections is minport + 1. For example, if the lowest port to be used is 3001, set -minport 3000.

NOTE 3: The highest port used for connections is maxport itself. For example, if the highest port to be used is 3020, set -maxport 3020.

NOTE 4: Each remote administration connection needs two dynamic ports, so N concurrent sessions need 2 × N ports. Because minport itself is never used, the usable range minport + 1 through maxport must hold 2 × N ports, i.e. maxport = minport + 2 × N. The same range must be permitted on the firewall in addition to the fixed ports in step 5. For 10 concurrent sessions:

    -minport 3000
    -maxport 3020  # provides ports 3001 through 3020 (20 ports)

NOTE: This solution is not applicable to a Raptor/Axent firewall, because that firewall changes the source port of a packet as it passes through (the source port seen on the inside differs from the one that arrived on the outside), so the port-based rules above cannot be matched.
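Steps 4 to 6 and NOTES 1 to 4 combine a port-range calculation with firewall rules. The shell script below is an added example, not part of this RSA article or of the ACE/Server product: it derives maxport from the number of concurrent sessions using the rules in the notes, prints the two startup.pf lines, and prints PIX-style static NAT and access-list entries that permit only the remote administration host to reach the three fixed ports and the dynamic range. The addresses (203.0.113.10 as the admin host, 198.51.100.5 as public address A, 10.0.0.5 as private address B), the access-list name outside_in and the exact PIX command syntax are assumptions for illustration; check them against your PIX release before use.

```shell
#!/bin/sh
# Added example (not from the RSA article): derive the Progress -minport/-maxport
# pair for N concurrent remote-administration sessions, emit the startup.pf lines,
# and emit matching PIX static NAT and access-list entries.
# Addresses, host names, interface names and the access-list name are assumed.

# maxport for N sessions starting at MINPORT (default 3000).
# Rules from the article: minport >= 3000; ports used are minport+1 .. maxport;
# two ports per session, so maxport = minport + 2*N.
rdbms_maxport() {
    n=$1
    minport=${2:-3000}
    [ "$n" -ge 1 ] 2>/dev/null || { echo "sessions must be a number >= 1" >&2; return 1; }
    [ "$minport" -ge 3000 ] 2>/dev/null || { echo "-minport cannot be less than 3000" >&2; return 1; }
    echo $((minport + 2 * n))
}

# The two lines to add to ace/rdbms/startup.pf (ace/rdbms32 on NT).
startup_pf_lines() {
    printf '%s %s\n%s %s\n' -minport "$1" -maxport "$2"
}

# PIX-style configuration (syntax assumed for illustration, not taken from the
# article): a 1:1 static translation of public address A to private address B,
# plus an inbound access list that lets only the admin host reach the three
# fixed remote-administration ports and the dynamic range minport+1 .. maxport.
pix_rules() {
    admin_host=$1 public_ip=$2 private_ip=$3 minport=$4 maxport=$5
    acl=outside_in                      # assumed access-list name
    lo=$((minport + 1))                 # minport itself is never used (NOTE 2)
    printf 'static (inside,outside) %s %s netmask 255.255.255.255\n' "$public_ip" "$private_ip"
    for p in 5550 5520 5530; do
        printf 'access-list %s permit tcp host %s host %s eq %s\n' "$acl" "$admin_host" "$public_ip" "$p"
    done
    printf 'access-list %s permit tcp host %s host %s range %s %s\n' "$acl" "$admin_host" "$public_ip" "$lo" "$maxport"
    printf 'access-group %s in interface outside\n' "$acl"
}

# Worked case from the article: 10 sessions, minport 3000 -> maxport 3020 (ports 3001-3020).
# Constructed addresses: 203.0.113.10 = remote admin host, 198.51.100.5 = public
# address A, 10.0.0.5 = private address B.
maxport=$(rdbms_maxport 10 3000)
startup_pf_lines 3000 "$maxport"
pix_rules 203.0.113.10 198.51.100.5 10.0.0.5 3000 "$maxport"
```

The access list deliberately names the admin host rather than "any": the NAT entry makes the ACE/Server reachable from the Internet, so the source restriction is what keeps the remote-administration ports from being exposed to everyone.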

NOTE: You must add the external IP address of the ACE/Server as an "Alias" in the Replica Table. To do so:


1. Stop the RSA ACE/Server:

  Windows: go to Start, Settings, Control Panel, RSA ACE/Server, and click 'Stop'.

  UNIX: execute the /ace/prog/aceserver stop and /ace/prog/sdconnect shutdown commands.

2. Add an alias to the Primary and to each Replica in the Replica Database:

   Windows: Start, Programs, RSA ACE/Server, Configuration Tools, Replication Management

- click on the Primary ACE/Server, then click 'Details'
- scroll down to 'Alias information' in the middle of the page
- type in the secondary (external) IP address, click 'Add', then click OK at the bottom of the page
- repeat the process for any Replica that has more than one IP address
- restart the ACE/Server: go to Start, Settings, Control Panel, RSA ACE/Server, and click 'Start'

   UNIX:

- run sdrepmgmt modify
- provide the name of the ACE/Server
- add the secondary (external) IP address for the Primary at the 'Alias1 []:' prompt; when adding the Replica ACE/Server back in, add the secondary IP address for the Replica at its 'Alias1 []:' prompt
- restart the ACE/Server: execute the /ace/prog/sdconnect start and /ace/prog/aceserver start commands

3. After performing the above, the Replica Database will look like the following (Windows: Start, Programs, RSA ACE/Server, Configuration Tools, Replication Management, click on the Primary, then 'Details', click on the Replica, then 'Details'; UNIX: /ace/prog/sdrepmgmt list):

Replica 0:      <name of the Primary ACE/Server>
                IP Address:                              <primary IP address of the ACE/Server>
                Replica Service Name:                    securidprop_00
                Service Port Number:                     5505
                Startup Delay Interval:                  0
                Replication Interval:                    100
                Enabled:                                 1
                Primary:                                 1
                Connected:                               0
                Replica Marked For Unconditional Push:   0
                Replica Sequence Number:                 9
                Alias 1:                                 <secondary (external) IP address of the ACE/Server>
                Alias 2:
                Alias 3:

Replica 1:      <name of the Replica ACE/Server>
                IP Address:                              <primary IP address of the Replica ACE/Server>
                Replica Service Name:                    securidprop_01
                Service Port Number:                     5506
                Startup Delay Interval:                  10
                Replication Interval:                    100
                Enabled:                                 1
                Primary:                                 0
                Connected:                               0
                Replica Marked For Unconditional Push:   0
                Replica Sequence Number:                 20
                Alias 1:                                 <secondary (external) IP address of the Replica ACE/Server>
                Alias 2:
                Alias 3:
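To confirm the result of sdrepmgmt modify without reading the listing by eye, the shell script below (an added example, not from this article or the ACE/Server product) parses sdrepmgmt list output in the layout shown above and checks that a named server carries the expected alias. The listing it works on is constructed inline (server names aceprimary and acereplica, addresses 10.0.0.5, 10.0.0.6, 198.51.100.5) rather than captured from a live system; on a real server feed it /ace/prog/sdrepmgmt list instead.

```shell
#!/bin/sh
# Added example (not from the RSA article): confirm, from "sdrepmgmt list"
# output in the layout shown in the article, that a given server has the
# intended alias. The listing below is constructed, not captured from a real
# ACE/Server; the replica deliberately has no alias yet.

sample_listing() {
    cat <<'EOF'
Replica 0:      aceprimary
                IP Address:                              10.0.0.5
                Replica Service Name:                    securidprop_00
                Service Port Number:                     5505
                Enabled:                                 1
                Primary:                                 1
                Alias 1:                                 198.51.100.5
                Alias 2:
                Alias 3:

Replica 1:      acereplica
                IP Address:                              10.0.0.6
                Replica Service Name:                    securidprop_01
                Service Port Number:                     5506
                Enabled:                                 1
                Primary:                                 0
                Alias 1:
                Alias 2:
                Alias 3:
EOF
}

# Print the aliases of the named server as a comma-separated list (empty if
# none). Reads a listing on stdin. "Replica N:" lines carry the server name in
# the third field; "Alias N:" lines carry an address in the third field when set.
alias_of() {
    awk -v want="$1" '
        /^Replica [0-9]+:/ { cur = $3 }
        cur == want && /^[[:space:]]*Alias [0-9]+:/ && NF >= 3 {
            out = out (out == "" ? "" : ",") $3
        }
        END { print out }'
}

# Succeed only if the named server lists the wanted address among its aliases.
check_alias() {
    name=$1 want=$2
    aliases=$(alias_of "$name")
    case ",$aliases," in
        *",$want,"*) return 0 ;;
    esac
    printf '%s: alias %s not present (aliases: %s)\n' "$name" "$want" "${aliases:-none}" >&2
    return 1
}

# Constructed run: the primary carries its external address, the replica does not yet.
sample_listing | check_alias aceprimary 198.51.100.5 && echo "aceprimary: alias OK"
sample_listing | check_alias acereplica 198.51.100.6 || echo "acereplica: add the alias with sdrepmgmt modify"
```

On a live system the check becomes /ace/prog/sdrepmgmt list | check_alias <primary name> <external IP>; a non-zero exit means the alias step has to be repeated before remote administration through the NAT address will work.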

Legacy Article ID: 6.0.372895.2621673
