RSA External Servers
Are the RSA External servers actually used in the connection process or are they JUST for the Self Service portal? If we don't use the portal, can these machines be turned off?
- hardware tokens
- on-demand tokens
- PIN management
- self-service console
- software tokens
- Web Tier
Hi Dave - can't see your image there for some reason but thank-you for clarifying.
The Web Tier provides two services, one that you've observed for user self-service of software, hardware and on-demand tokens. It also provides self-service for token PIN management.
Secondly the Web Tier also provides a CT-KIP provisioning endpoint for secure 'over the air' provisioning of a software token. The CT-KIP URL exists in the Auth Manager appliance however the Web Tier provides a proxy for this service, as CT-KIP protocol requires the mobile phone to connect to an externally available URL. So, if your organisation is using the key agreement technology provided in the CT-KIP protocol, the Web Tier is necessary to make this happen without exposing the Auth Manager primary to external users (via edge network).
If those aspects are not being used by your organisation then no, the Web Tier is not needed.
Excellent, thanks for the information!!! Very appreciated. I will look today to see if I can determine if using the key agreement technology provided in the CT-KIP protocol.
Hi Dave - there are a few video samples on my YT channel about token provisioning using the self-service console. Here's one example among a few:
This stuff is really old (you can tell by the dates from the videos). Have you looked at the SecurID Cloud? Self-service, built-in. QR scan, built-in. No seed records. Device binding, automatic. Dynamically provisioned just like I'm showing in the video. Modern MFA push methods. Token licences don't expire as it's just a subscription. And it works with everything protected by Auth Manager with no adjustments to whatever apps you're protecting. Anyway, that's a better way IMHO but ultimately up to you sir.