This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
RichardGresham
Beginner
Beginner
‎2020-03-17 02:44 PM

Token codes via Self-Service portal

Anyone have experience implementing the Self-Service portal in a DMZ to issue token codes via SMS?  Trying to get a feel for level of effort to implement, security concerns, so on.

Labels (1)
Labels
0 Likes
Reply
7 Replies
EdwardDavis
Employee
Employee
‎2020-03-17 02:52 PM

Do you mean like this ?

 

This is my webtier, and using a special URL that just goes directly to asking for userid and ODA pin, then a code is delivered. Once delivered, you log into protected resource with the ODApin+new code (type pin and code together like a passcode)

 

[excuse my custom logo...lab testing]

 

pastedImage_1.png

 

To do this I simply spun up a webtier on RHEL, and enabled On-demand for a user.

 

All that is needed is tcp port 7022 between webtier on DMZ and Auth Manager primary internal, and of course a server to run the webtier.

 

I chose custom port 8008 for 'the world' to access, but the default is 443, or any port you want.

Reply
RichardGresham
Beginner
Beginner
In response to EdwardDavis
‎2020-03-17 02:57 PM

Thank you.  We have the full Authentication Manager 8.4 up and running.  Do you have a feel for the level of effort needed to bring up the Self-Service portal in the DMZ?

0 Likes
Reply
JayGuillette
Valued Contributor Valued Contributor
Valued Contributor
‎2020-03-17 03:06 PM

Self Service and Admin Security Consoles both use TCP port 7004 as part of their URL, so you do not want to expose the Self Service Console to the Internet directly.  You could deploy your own proxy server in the DMZ, but the RSA solution would be a Web Tier, which is basically a proxy app that can be deployed on either a windows or Red Hat server in your DMZ, which presents a URL to the Internet and aggregates these requests for access to the Self Service console over TCP port 7022

AM_FireWall_Ports.png

You can also deploy more than one web tier as a virtual host to your users on the Internet, and place load balancers in front of them.  You can restrict Web Tier access to just Self Service, Just Token download via CTKip encryption, or both

Reply
EdwardDavis
Employee
Employee
In response to RichardGresham
‎2020-03-17 03:09 PM

Well, I've done it a bunch of times, so for me it takes 20 minutes or less to set up a new webtier, make DNS entries, open firewall... Level of effort depends on specifics to your unique network and situation, but overall this is super simple to implement. Assuming DNS and networking is 100% and all that background IT setup is good. 

Reply
RichardGresham
Beginner
Beginner
In response to EdwardDavis
‎2020-03-17 03:12 PM

That's encouraging.  Thank you.

0 Likes
Reply
RichardGresham
Beginner
Beginner
In response to JayGuillette
‎2020-03-17 03:12 PM

Thank you.  I'll pass this along to our network folk.

0 Likes
Reply
EdwardDavis
Employee
Employee
In response to RichardGresham
‎2020-03-17 04:33 PM

NOTE: that same URL works to the AM Primary or any Replica, just change the name, and port to 7004, keep the rest intact. But yes a webtier is what you want on the DMZ facing the 'world' as that makes your actual Primary removed from any attack vector.

Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.