RSA Authentication Manager primary and replica operation over a WAN link
Hello,
Hope anyone will be able to answer my question or give advice or share experience. Many thanks to all of you in advance.
The story:
We're running two sites, one in Germany the other one in Nigeria they are connected by a WAN link that experiences latency and packet loss several times a day.
Both sites are terminating client VPN and shall use two-factor authentication.
The German site has 120 users, the other one only 15(!).
The users belong to local AD domains at each site that do not have a trust relationship, but belong to the same root domain. RSA SID700 and SID820 tokens shall be used.
The setup:
I'd like to run a primary RSA Authentication Manager in Germany and use a replica in Nigeria. Both devices need to be able to use both the German and the Nigerian AD domains. Nigerian users shall use the local replica for authentication, not the primary.
My questions:
1. Will the setup work as I have described it?
2. If the WAN link fails, primary and replica won't be able to synchronize. What needs to be done after the WAN link is re-established?
3. What's the worst case scenario?
Many thanks for your support,
Ralph.
- Tags:
- AM
- Auth Manager
- Authentication Manager
- Community Thread
- Discussion
- Forum Thread
- replica
- RSA Authentication Manager
- RSA SecurID
- RSA SecurID Access
- SecurID
Hi Ralph,
The above scenario is pretty much possible without needing any modifications or special configurations on either the agent or the server side.
Regarding Agent configuration
- For SecurID agents:
The agent will automatically do the load balancing between available servers (primary and replica) and most probably choose the fastest one to reply. It will also do an automatic fail over to the other instance if say the preferred instance becomes unreachable.
- For RADIUS clients:
You most probably manually specify the RADIUS server IP addresses at the RADIUS client side. In that case you can manually control which AM server is the top priority RADIUS server for each of your RADIUS clients based on location.
Regarding Replication
Depending on how long the WAN link goes down and how many changes have been made during that downtime, the behaviour is different:
- Sometimes, as soon as the link comes up again, the replica will pick up all changes automatically.
- Sometimes it may require just restarting the Replica and/or Primary services.
- Worst case scenario is that we need to manually re-sync the Replica, which is also a pretty simple and straightforward process.
- We have seen issues where, if the link is really unstable, the manual re-sync would fail. This has been addressed in 8.1 SP1 P3, where some configurable network parameters have been added to increase values such as timeouts and number of retries.
Ralph,
To follow on to Mostafa Helmy's comment, I wanted to add that if you want your users in Nigeria to authenticate only to the replica in Nigeria, that can be done by configuring a file on the agent machine called sdopts.rec. See this article on how to control agent host load balancing manually for more information (https://community.rsa.com/docs/DOC-46997).
Note that server priorities can be set between 0 and 10, where weighting is used to determine which server will process the authentication requests.
Regards,
Erica
> We have seen issues where, if the link is really unstable, the manual re-sync would fail. This has been addressed in 8.1 SP1 P3, where some configurable network parameters have been added to increase values such as timeouts and number of retries.
Can you tell me which are those parameters and how to configure them?
Regards
