Deploying SecurID to Servers that have no internet connectivity at all
Hi, the SecurID setup is deployed and operational. I am looking to extend SecurID MFA to Windows servers that are isolated and don't have internet access. If token access is via CAS for the clients, how can we set up the isolated Windows servers for MFA? Any suggestions/recommendations are very much appreciated.
If you have RSA Authentication Manager 8.6+, connect it to the cloud, then use AM as a secure cloud proxy by configuring the MFA agents to connect via the REST API. The communication with the cloud will be securely proxied to the cloud seamlessly. HA mode will work seamlessly as well if the cloud is unavailable, reverting to authenticate tokencodes as needed.
Thanks Sean. There are 2 AM(s) in 2 clusters (1 AM in each cluster), but HA is not enabled and there is cloud integration to CAS. On-prem servers include AM (ver 8.5) and IDRs (ver 12.15) with WTI in DMZ.
The goal is to enable the servers for MFA with RSA tokens. These servers do not have internet access at all and are totally isolated. So in this scenario, would your recommendation still work?
Yes it will. The question I have is: do you want to use CAS policy to govern MFA access, or just AM? Because if you only use AM features you don't need to proxy to CAS; you can just authenticate against AM via the REST API. The difference is that for CAS proxy mode you include a policy name in the GPO; for AM only, don't include a policy but reference an agent name.