Offline Authentication Refresh over Internet
We have users using the local Windows Authenticator with Offline Authentication enabled. However, some of these users are off-site for extended periods of time (>8 months). We use Microsoft Direct Access as our VPN system, and support has indicated that the offline refresh is unable to occur over Direct Access. The question is, how safe would it be to open port 5580 to the Internet to allow Offline Refreshes over the Internet? Another question would be, is there any harm in having an Offline Authentication policy with the number of days offline set to some high amount like 365 days?
- Auth Agent
- Authentication Agent
- Community Thread
- Forum Thread
- offline authentication
- RSA SecurID
- RSA SecurID Access
Offline Days can be downloaded through a VPN, but there have been several different offline day download failure bugs over the last 2 years, so your options, best first, are:
1. Open a support case and ask for Windows agent build 7.3.3 or later. This really will fix your problems, automatically!
2. Download the Windows agent build 7.3.3 from RSA Link, and when your users connect through VPN to your network, have them do at least one of the following:
   a) Lock and then unlock the screen with a PassCode (not quick PIN only or Password unlock GPO) with the token that you want offline days for
   b) Open the RSA Control Center and perform a successful [Test Authentication] with the token that you want offline days for
   c) Open the RSA Control Center and click refresh offline days
But you really want build 7.3.3 or later; I believe there is now a build that just came out with some other fixes.
We were given 7.3.3 by support in an effort to resolve this issue. It didn't affect it at all. We use Microsoft Direct Access as the VPN technology. Direct Access works more on DNS than traditional IP-based VPN (hosts in a given DNS zone are tunneled). So it seems to revolve around the agent connecting to an IP address versus a hostname. If that IP address was accessible over the Internet, it could refresh directly.
The Windows agent would need to be able to reach TCP port 5580 on an Authentication Manager Primary or Replica for offline days to download (in addition to UDP port 5500 for online Authentication). A simple test would be from a browser on your Windows PC: https://<PrimaryNameOrIP>:5580. If you get the certificate warning for the RSA self-signed cert, then TCP port 5580 is open, reachable and up; if you immediately get "Page cannot be displayed", then TCP 5580 is not up, not reachable, or is blocked.
But there are a lot of reasons an Offline Day download could fail, so you should enable verbose logging on the Windows PC and reproduce the problem, i.e. connect through VPN and see if OA days download. If not, try the steps above, save the logs, and open a support case for help reading those logs.
To enable agent verbose logging in the RSA Control Center,
I would suggest you do not allow port 5580 open to the Internet. A bad actor might try to stuff that port, and that could create a lot of incomplete TCP connections and TIME_WAITs and negatively affect performance.
To follow up on this... The Microsoft Direct Access system does NOT work at the IPv4 layer. If you are not using DNS lookups that resolve to IPv6 addresses, it will not tunnel that traffic across. Even if the ultimate destination is an IPv4 interface, the Direct Access server does a 6to4 translation on the server side. However, the client has to resolve any request that is to go over the tunnel to an IPv6 address. Similarly, you can't ping/telnet/connect to an explicit IPv4 address (like 10.10.10.10) over Direct Access. By performing a Wireshark packet trace, it appears that the Offline Refresh stores and attempts to connect to the explicit internal IPv4 addresses (does not do a DNS lookup) of the RSA appliances. For these reasons it appears that the RSA client is incompatible with the growing use of Microsoft Direct Access. Does RSA have any customers successfully able to refresh offline days over Direct Access? If not, is there any plan to enable this functionality over Direct Access?
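The reachability check described in the support reply (TCP 5580 on the primary or replica, confirmed by the self-signed certificate answering) and the observation in the follow-up above (the agent connects to a stored literal IPv4 address rather than resolving a name, which a DNS-driven tunnel like Direct Access will not carry) can be tested from the client in one pass. The script below is an added diagnostic written for this thread; it is not RSA's or Microsoft's code. It assumes a Windows client with the DnsClient and NetTCPIP modules (Resolve-DnsName, Test-NetConnection, Get-DnsClientNrptPolicy), and the hostname `am-primary.corp.example` is a placeholder for your Authentication Manager primary or replica.

```powershell
# Added diagnostic for this thread (not RSA or Microsoft code).
# Assumes Windows 10/Server 2016 or later with the DnsClient and NetTCPIP modules.
param(
    [string]$AmHost      = 'am-primary.corp.example',  # placeholder: your AM primary/replica name
    [int]   $OfflinePort = 5580                        # TCP port the agent uses for offline-day download
)

# Resolve the AM name to A and AAAA records separately, so we can see whether the
# client gets an IPv6 answer (the only kind Direct Access tunnels) or only IPv4.
function Get-AmAddresses {
    param([string]$Name)
    $out = [ordered]@{ IPv4 = @(); IPv6 = @() }
    try { $out.IPv4 = @(Resolve-DnsName -Name $Name -Type A    -ErrorAction Stop | Where-Object Type -eq 'A'    | ForEach-Object IPAddress) } catch { }
    try { $out.IPv6 = @(Resolve-DnsName -Name $Name -Type AAAA -ErrorAction Stop | Where-Object Type -eq 'AAAA' | ForEach-Object IPAddress) } catch { }
    return $out
}

# Reproduce the browser check programmatically: open TCP, start a TLS handshake,
# accept any certificate (we only want to see that a listener answered), and
# report the certificate subject. A null result means nothing answered on the port.
function Get-TlsCertSubject {
    param([string]$Target, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, $Port)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Target)
        return $ssl.RemoteCertificate.Subject
    } catch {
        return $null
    } finally {
        $client.Close()
    }
}

# Test the port three ways: by hostname (what a DNS-based tunnel can carry), by each
# literal IPv6 address, and by each literal IPv4 address (what the agent does, per the
# packet trace in this thread). Returns one row per target.
function Test-OfflineRefreshPath {
    param([string]$Name, [int]$Port)
    $addrs   = Get-AmAddresses -Name $Name
    $targets = @([pscustomobject]@{ Target = $Name; Kind = 'hostname' })
    $targets += $addrs.IPv6 | ForEach-Object { [pscustomobject]@{ Target = $_; Kind = 'literal IPv6' } }
    $targets += $addrs.IPv4 | ForEach-Object { [pscustomobject]@{ Target = $_; Kind = 'literal IPv4' } }

    foreach ($t in $targets) {
        $tcp = Test-NetConnection -ComputerName $t.Target -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target      = $t.Target
            Kind        = $t.Kind
            TcpOpen     = $tcp.TcpTestSucceeded
            RemoteAddr  = $tcp.RemoteAddress
            CertSubject = if ($tcp.TcpTestSucceeded) { Get-TlsCertSubject -Target $t.Target -Port $Port } else { $null }
        }
    }
}

$rows = @(Test-OfflineRefreshPath -Name $AmHost -Port $OfflinePort)
$rows | Format-Table -AutoSize

# Interpretation: the agent's stored-IPv4 path only works if a 'literal IPv4' row is open.
$nameOk = ($rows | Where-Object { $_.Kind -eq 'hostname'     -and $_.TcpOpen }).Count -gt 0
$v4Ok   = ($rows | Where-Object { $_.Kind -eq 'literal IPv4' -and $_.TcpOpen }).Count -gt 0
if ($nameOk -and -not $v4Ok) {
    Write-Host "Port $OfflinePort is reachable by name but not by literal IPv4: consistent with a name-only tunnel (Direct Access)."
} elseif ($v4Ok) {
    Write-Host "Literal IPv4 reachability to port $OfflinePort works; the offline-day download path is open from here."
} else {
    Write-Host "Port $OfflinePort is not reachable by any path; check firewall rules and the AM service."
}

# Direct Access decides what to tunnel from the NRPT; show the namespaces it covers so you
# can confirm whether the AM hostname's zone is even in scope (cmdlet absent on non-DA clients).
Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue | Select-Object Namespace, NameServers | Format-Table -AutoSize
```

Run it from a client that is connected through Direct Access and compare the `hostname` row with the `literal IPv4` rows: a listener that answers by name with an RSA self-signed certificate subject but refuses the literal IPv4 addresses is the symptom the follow-up describes, and it tells you the problem is the tunnel's name-based routing rather than the AM service or port 5580 itself.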
Realizing it is quite a bit to put together for just one purpose, would building a replica appliance in the DMZ with a public address exclusively for the purpose of allowing the offline days refresh be an option? Any performance impact would be limited to that one appliance. The issue is that while we have offline days set to 100 days, we have users that NEVER come into the office and will eventually run out of offline days. It appears that the Microsoft Direct Access style of VPN and the RSA client (from an offline days refresh perspective) are incompatible at this time. So we need some way for these users to get their offline days refreshed.