I'm not an F5 guy, so take this for what it's worth... my network guys are telling me that our internet-facing F5 is configured with a "SNAT pool" consisting of three IP addresses. Traffic from the F5 to the WebTier server can come in from any of these three IP addresses. However, RSA only allows me to configure TWO IP addresses.
This results in some very inconsistent behavior in the WebTier self-service console, and tons of log errors in the WebTier like:
Caused by: com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.
[[ We're also having high-CPU spikes on the WebTier server (which may be unrelated to the load balancer config) which cause our primary AuthMgr to lock-up on occasion. ]]
Is anyone else having similar issues? Know of any work-arounds that DON'T require re-doing load balancer configurations across the enterprise?
Unfortunately, for now the Load Balancer IPs that can be configured are a maximum of two. If there are more than that, it will give the error of authenticating from an unknown IP.
A workaround is to use DNS round robin instead of IPs. This is not the most recommended way, but it can be used instead of configuring those 3 IPs on the AM server. You basically add the host name only, and the DNS resolves to any of those IPs consecutively as a round robin. But the recommended way is to limit the LB to the two IPs that are configured on the AM Operations Console.
As for the CPU spike, it is probably because of the unhandled requests that are coming from that extra IP. But we might need extra info, so if it is a persistent issue, consider opening a Technical Support ticket through the web portal, email or phone.
Two things that might come into play: if your F5 needs to terminate the user SSL connection, you will want to get the private key exported from RSA so you can import it into F5. There is no Security or Operations Console option to do this, but there is a Knowledge Base article that should be searchable here on Link, or just see the attached one.
Also, we did run into some F5-specific problems when using On Demand Authentication, ODA. ODA requires that you enter a PIN, then wait for your On Demand TokenCode to be delivered via email or SMS text. The attached KB explains some problems we saw due to how F5 was doing the load balance, which includes a NAT translation. What we saw was that if the TokenCode was entered 30 seconds after the PIN, certain versions of F5 had timed out the NAT connection and built a new one, but it had a different source port, which made the RSA Authentication Manager think the ODA TokenCode was not related to the PIN, and it did not consider the ODT valid. Granted, this was a somewhat rare situation, and the next version of F5 increased the timeout to 60 seconds, so many users never saw this, just the slow typers.
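To make the sequence in the reply above easier to reason about when troubleshooting, here is an added example that is not from the thread, from RSA or from F5: a small Python model of a SNAT translation table that drops idle entries and hands out a new source port, paired with a model of an Authentication Manager that ties the ODA PIN step to the TokenCode step by (SNAT IP, source port). The class names, the correlation rule, the addresses and the idle-timeout mechanics are assumptions made for illustration; only the 30-second and 60-second figures come from the reply.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample addresses (documentation ranges), not real infrastructure.
CLIENT = ("192.0.2.10", 51515)   # end user's (IP, port) as seen by the F5
SNAT_IP = "198.51.100.5"         # hypothetical SNAT address presented to the WebTier


@dataclass
class NatEntry:
    source_port: int
    last_seen: float


class F5SnatModel:
    """Hypothetical model of SNAT translation with an idle timeout.

    A translation idle for longer than ``idle_timeout`` seconds is dropped;
    the next packet from the same client is given a fresh source port.
    """

    def __init__(self, idle_timeout: float, first_port: int = 40000) -> None:
        self.idle_timeout = idle_timeout
        self._next_port = first_port
        self._table: Dict[Tuple[str, int], NatEntry] = {}

    def translate(self, client: Tuple[str, int], now: float) -> int:
        entry = self._table.get(client)
        if entry is None or now - entry.last_seen > self.idle_timeout:
            # New or expired translation: allocate the next free source port.
            self._next_port += 1
            entry = NatEntry(self._next_port, now)
            self._table[client] = entry
        entry.last_seen = now
        return entry.source_port


class AuthManagerModel:
    """Hypothetical model of how AM pairs an ODA PIN step with the TokenCode step.

    The pending PIN is keyed by (SNAT IP, translated source port), so a port
    change between the two steps makes the TokenCode look unrelated.
    """

    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, int], str] = {}

    def handle(self, snat_ip: str, port: int, step: str, user: str) -> str:
        key = (snat_ip, port)
        if step == "pin":
            self._pending[key] = user
            return "tokencode_required"
        if step == "tokencode":
            if self._pending.pop(key, None) == user:
                return "success"
            return "denied_unrelated"
        raise ValueError(f"unknown step {step!r}")


def simulate_oda(delay_seconds: float, nat_idle_timeout: float, user: str = "jdoe") -> str:
    """Send the PIN at t=0 and the TokenCode at t=delay through the NAT model.

    Returns the Authentication Manager model's verdict for the TokenCode step.
    """
    nat = F5SnatModel(idle_timeout=nat_idle_timeout)
    am = AuthManagerModel()
    port_at_pin = nat.translate(CLIENT, now=0.0)
    am.handle(SNAT_IP, port_at_pin, "pin", user)
    port_at_tokencode = nat.translate(CLIENT, now=delay_seconds)
    return am.handle(SNAT_IP, port_at_tokencode, "tokencode", user)


if __name__ == "__main__":
    for timeout in (30, 60):
        for delay in (10, 45):
            verdict = simulate_oda(delay, timeout)
            print(f"NAT idle timeout {timeout}s, PIN-to-TokenCode delay {delay}s -> {verdict}")
```

Running it shows the pattern the reply describes: a user who types the TokenCode 45 seconds after the PIN is denied when the modelled idle timeout is 30 seconds and succeeds when it is 60 seconds, while a 10-second typist succeeds either way. When chasing intermittent ODA failures behind a load balancer, comparing the SNAT idle timeout against the time users actually take between the two steps is the check this model is meant to make obvious.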
For best performance of a WebTier instance via an F5 load balancer, ask your network team to configure the virtual server to use SNAT Automap instead of a SNAT pool, and then to provide you with the floating self IP that traffic sent to your WebTier node would originate from.
I have two RSA AM 8.2 deployments behind F5 load balancers, and we have had very few problems with this configuration.