SecurID® Discussions


Authentication via NAT

Our developers are trying to integrate Java Authentication Agent code into an application but are struggling because traffic appears to be being sent to the incorrect address.


This image shows an outline of the network topology in place. Simply put, we have an RSA Authentication Manager installed in an IPv4 LAN with a 10.0.0.x/24 address space and authentication agents both on the same LAN and externally, with the intention that they could reach the RSA AM Primary server via a NAT address.


NAT Translation issues.png


As above, some agents will be installed into the same LAN as the RSA AM Primary server (like RSA Agent #2 in the image), and some need to be on a different network and must use NAT translation to reach the RSA AM server (like RSA Agent #1 for example).


The problem we are having is that “external” (non-LAN) hosts are sending traffic to the LAN IP address and not to the external NAT address as needed. The external NAT address has been configured in Security Console > Setup > System Settings > Alternative Instance IP Addresses and shows up in the Windows Authentication Agent software 7.1 as an Alternate IP.


How can Agents be forced to send requests to this alternate IP instead of the primary address?  Please also see the log file attached.



1 Reply

You can try this and see if it works: use either the USESERVER or ALIAS directives in the sdopts.rec file, which you create by hand.


Find the directory where the sdconf.rec lives (Auth Data typically).

Create a plain text file called sdopts.rec.


The auth_agent_install_admin_guide has a section describing options you can use in the sdopts.rec file.

For example, this document: Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide


Study the section about sdopts.rec and what directives it can use.


All RSA authentication agents look for the sdopts.rec file when someone authenticates.

If it exists, it looks inside for instructions; if it doesn't exist, it doesn't care and moves on.
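A pre-deployment check for the hand-written sdopts.rec that the reply suggests, as an added example that is not part of the original thread or RSA's own code. It assumes the directive syntax `ALIAS=<server_ip>, <alias_ip>[, ...]` and `USESERVER=<ip>, <priority>` (confirm against the guide referenced above); the function names and both sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: 10.0.0.5 stands in for the AM primary's LAN address and
# 203.0.113.10 (documentation range) for its NAT address; neither is from the post.
SAMPLE = """\
ALIAS=10.0.0.5, 203.0.113.10
USESERVER=10.0.0.5, 10
"""

def parse_sdopts(text):
    """Parse ALIAS/USESERVER lines (assumed syntax) and collect malformed ones."""
    aliases, useserver, errors = {}, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().upper()
        fields = [f.strip() for f in value.split(",")]
        try:
            if key == "ALIAS" and len(fields) >= 2:
                ips = [str(ipaddress.ip_address(f)) for f in fields]
                aliases.setdefault(ips[0], []).extend(ips[1:])
            elif key == "USESERVER" and len(fields) == 2:
                useserver[str(ipaddress.ip_address(fields[0]))] = int(fields[1])
            else:
                errors.append(f"line {n}: unrecognised or malformed: {line!r}")
        except ValueError:
            errors.append(f"line {n}: bad address or priority: {line!r}")
    return aliases, useserver, errors

def check_nat_address(text, server_lan_ip, nat_ip):
    """Return findings: malformed lines, or the NAT address missing from every directive."""
    aliases, useserver, errors = parse_sdopts(text)
    findings = list(errors)
    if nat_ip not in aliases.get(server_lan_ip, []) and nat_ip not in useserver:
        findings.append(
            f"{nat_ip} is neither an ALIAS of {server_lan_ip} nor a USESERVER target")
    return findings

if __name__ == "__main__":
    for finding in check_nat_address(SAMPLE, "10.0.0.5", "203.0.113.10") or ["ok"]:
        print(finding)
```

Run it against the sdopts.rec placed beside sdconf.rec on an external agent before testing authentication; an empty result only means the file is well-formed and names the NAT address, not that the agent has used it.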