000034238 - How to configure High Availability (HA) on multiple RSA Authentication Agents for Citrix StoreFront with Risk Based Authentication (RBA)

Document created by RSA Customer Support Employee on Nov 9, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 6

Article Content

Article Number: 000034238
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Citrix StoreFront
RSA Version/Condition: 1.0
Issue: This article reviews steps to configure the RSA Authentication Agent for Citrix StoreFront when configured in a deployment of RBA.
Tasks: Tasks to complete are:
  1. Add a single authentication agent in the RSA Security Console that uses one of the Citrix StoreFront IP addresses as the agent's primary IP address, with the other StoreFront IP address(es) listed as alternate or secondary IP addresses.
  2. Generate a single node secret for the Citrix StoreFront agent.
  3. Use the agent_nsload utility to load this node secret on each StoreFront agent in the HA cluster.
Resolution

Create an agent entry in Authentication Manager


  1. Log in to the Security Console.
  2. Navigate to Access > Authentication Agent and choose Manage Existing or Add New.
  3. Create a new agent or edit the existing Citrix StoreFront agent, and enter one of the four IP addresses in the IP Address box so it is the main IP address.
  4. In the Alternate IP Addresses box, enter the other three Citrix StoreFront IPs as alternate IP addresses.
  5. Enter them one at a time and click Add.
  6. When done, click Save.

Generate a single node secret for the Citrix StoreFront agent


This single agent will need a node secret that can be shared on all four Citrix StoreFront agents.
  1. From the Authentication Agents page, click the dropdown on this newly edited Citrix agent and click Manage Node Secret.
  2. Check the option to create a new random node secret, and export the node secret to a file.
  3. Create an encryption password and confirm it. Note this password for later use.
  4. Click Save.
  5. When the <agent_name>_NodeSecret.zip is ready, click Download Now.
  6. Inside the .zip will be a password-protected file named nodesecret.rec. Note: While the nodesecret.rec file is password protected, the zip file is not.

Load the node secret


  1. Make sure that agent_nsload.exe and the nodesecret.rec file are on the agent machine, in the ..\Program Files\Common Files\RSA Shared\Auth API directory.
  2. Run the following command. You may need to Run as Admin to do this, even for the command prompt. The syntax is:

     C:\Program Files\Common Files\RSA Shared\Auth API> agent_nsload  -f .\nodesecret.rec  -d  "..\Auth Data"
     Enter PASSWORD:  <enter the password created above>
     Loading node secret . . . .
     The Node Secret is successfully loaded

  3. The node secret is a file named securid that will be in the C:\Program Files\Common Files\RSA Shared\Auth Data directory, with the sdconf.rec file.
  4. Do a test or two from the RSA Control Center on the Citrix StoreFront to verify successful authentication.
  5. Repeat steps 1 through 4 on the other StoreFront servers in the HA cluster.
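
A check that can be run on each StoreFront server after the node secret is loaded, confirming that securid sits beside sdconf.rec and listing any exported node secret files still in the Auth API directory. This is an added example, not RSA's own tooling; the function name and the commented host names are hypothetical, and treating leftover nodesecret.rec or zip copies as something to clean up is an assumption of this example.

```powershell
# Added example: post-load check for one StoreFront node.
# Paths and file names are the ones given in this article; the function
# name and the host names at the bottom are hypothetical placeholders.
function Test-NodeSecretLoad {
    param(
        [string]$SharedRoot = 'C:\Program Files\Common Files\RSA Shared'
    )
    $authData = Join-Path $SharedRoot 'Auth Data'
    $authApi  = Join-Path $SharedRoot 'Auth API'

    # securid (the loaded node secret) must sit beside sdconf.rec.
    $required = foreach ($name in 'securid', 'sdconf.rec') {
        $item = Get-Item -LiteralPath (Join-Path $authData $name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File      = $name
            Present   = [bool]$item
            LastWrite = if ($item) { $item.LastWriteTime } else { $null }
        }
    }

    # Assumption: the exported file is only needed while agent_nsload runs,
    # so copies left in Auth API are reported (the zip is not password protected).
    $leftovers = @(Get-ChildItem -LiteralPath $authApi -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'nodesecret.rec' -or $_.Name -like '*_NodeSecret.zip' } |
        Select-Object -ExpandProperty FullName)

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Loaded    = -not ($required | Where-Object { -not $_.Present })
        Files     = $required
        Leftovers = $leftovers
    }
}

# Run locally on a StoreFront server:
Test-NodeSecretLoad | Format-List

# Or across the HA cluster (hypothetical host names; requires PowerShell remoting):
# Invoke-Command -ComputerName 'sf01','sf02','sf03','sf04' -ScriptBlock ${function:Test-NodeSecretLoad}
```

A node that reports Loaded as False is missing securid or sdconf.rec in Auth Data and needs the load steps repeated; this check does not replace the test authentication from the RSA Control Center.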
