Availability Monitoring - query regarding allowing pings
As part of the solution for a refreshed RSA Authentication Manager I am
confirming the design for Availability Monitoring.
I've found a guide for SNMP from https://community.rsa.com/docs/DOC-36986
For our availability monitoring, could someone confirm whether the
appliance allows pings?
Ping is kind of a very low level test; I have seen Windows NT workstations that display a Blue Screen but still respond to a Ping. Also, if RSA services were down, the Ping would only tell you that the Appliance was connected to the Network and Powered on.
A full Logon test that is repeatable cannot be done with a PassCode, unless you plan to have someone manually enter a Passcode and click Logon every x number of minutes. Could get expensive, so most testing in this way involves a Fixed Passcode, and still can get complicated with developing your own API agent.
A good, easy compromise is a TCP port test, which most SNMP applications have supported for decades. I would configure a test for one of the common Authentication Manager ports, either TCP 5580 or TCP 5550. If these ports are up, then RSA services are probably running. Combine with Critical Event Notifications for LDAP and replication in the AM Security Console and you have a pretty good up check for AM primary and replica.
What I would do (if it was my setup) is use an auth testing tool that
a) does a RADIUS login every 1 minute to each RSA server
b) uses a username with a fixed passcode
   this username has no access to anything else in the enterprise
   this username's sole purpose is test auths
   and the username is in Active Directory so I can test the AD connection at the same time
c) set up a RADIUS test tool (like radlogin4) and have it do an auth
   test to my primary and each replica on a 1 minute cycle. If it
   fails 3 times in a row (or whatever), then (radlogin4) can notify me via email
   or other notification
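
The TCP port test on 5550/5580 and the "fails 3 times in a row" rule from the replies above, combined in one checker. This is an added example, not part of the original thread or any RSA tooling; the hostnames, the 60-second cycle and the `print` notification hook are assumptions. An open port only shows that something is listening, so it complements rather than replaces the fixed-passcode login test.

```python
import socket

# Ports named in the thread; hostnames passed in by the caller are assumptions.
AM_PORTS = (5550, 5580)
FAIL_THRESHOLD = 3  # "fails 3 times in a row (or whatever)"


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class AvailabilityMonitor:
    """Tracks consecutive TCP check failures per (host, port) target."""

    def __init__(self, targets, threshold=FAIL_THRESHOLD, probe=tcp_port_open):
        self.targets = list(targets)
        self.threshold = threshold
        self.probe = probe
        self.failures = {t: 0 for t in self.targets}

    def run_cycle(self):
        """Probe every target once; return the events worth notifying on."""
        events = []
        for target in self.targets:
            host, port = target
            if self.probe(host, port):
                if self.failures[target] >= self.threshold:
                    events.append(("RECOVERED", host, port))
                self.failures[target] = 0
            else:
                self.failures[target] += 1
                # Alert once when the threshold is crossed, not on every cycle.
                if self.failures[target] == self.threshold:
                    events.append(("DOWN", host, port))
        return events


if __name__ == "__main__":
    import time
    # Placeholder hostnames for a primary and one replica (assumptions).
    hosts = ["am-primary.example.internal", "am-replica1.example.internal"]
    monitor = AvailabilityMonitor([(h, p) for h in hosts for p in AM_PORTS])
    while True:
        for event in monitor.run_cycle():
            print(*event)  # hand off to email, SNMP trap or pager here
        time.sleep(60)
```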