
SecurID® Discussions

skarayil
Contributor

Deploying SecurID to Servers that have no internet connectivity at all

Hi, the SecurID setup is deployed and operational. I am looking to extend SecurID MFA to Windows servers that are isolated and don't have internet access. If token access is via CAS for the clients, how can we set up the isolated Windows servers for MFA? Any suggestions/recommendations are very much appreciated.

Thanks

SK

4 Replies
SeanDoyle
Trusted Contributor

If you have RSA Authentication Manager 8.6+, connect it to the cloud, then use AM as a secure cloud proxy by configuring the MFA agents to connect via the REST API. The communication with the cloud will be securely proxied to the cloud seamlessly. HA mode will work seamlessly as well if the cloud is unavailable, reverting to authenticate tokencodes as needed.

Thanks Sean. There are 2 AM(s) in 2 clusters (1 AM in each cluster), but HA is not enabled and there is cloud integration to CAS. On-prem servers include AM (ver 8.5) and IDRs (ver 12.15) with WTI in DMZ.

The goal is to enable the servers for MFA with RSA tokens. These servers do not have internet access at all and are totally isolated. So, in this scenario, would your recommendation still work?

Thanks 

SK

SeanDoyle
Trusted Contributor

Yes, it will. The question I have is: do you want to use CAS policy to govern MFA access, or just AM? Because if you only use AM features, you don't need to proxy to CAS; you can just authenticate against AM via the REST API. The difference is that for CAS proxy mode you include a policy name in the GPO; for AM only, don't include a policy but reference an agent name.


Thanks Sean. The current setup for Internet-accessible servers is via GP with the URL pointing to CAS for MFA. So, if using CAS proxy mode as you suggested, the AM needs to be 8.6+ and enable/configure CAS proxy and it should work, right?
 
Is there any reference document for this setup?
 
Thanks
 
SK

 
