AnsweredAssumed Answered

How do I configure RSA AuthMgr WebTier behind F5 loadbalancer SNAT pool?

Question asked by Robert Gorichanaz on Aug 5, 2016
Latest reply on Mar 7, 2017 by Jay Guillette

Like • Show 0 Likes0
Comment • 4

I'm not an F5-guy, so take this for what its worth... my Network guys are telling me that our internet-facing F5 is configured with a "SNAT pool" consisting of three IP addresses. Traffic from the F5 to the WebTier server can come in from any of these three IP addresses. However, RSA only allows me to configure TWO IP addresses.

This results in some very inconsistent behavior in the WebTier self-service console, and tons of log errors in the WebTier like:

com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR

Caused by: com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.

[[ We're also having high-CPU spikes on the WebTier server (which may be unrelated to the load balancer config) which cause our primary AuthMgr to lock-up on occasion. ]]

Is anyone else having similar issues? Know of any work-arounds that DON'T require re-doing load balancer configurations across the enterprise?

Jay Guillette

Mar 7, 2017 3:51 PM

Correct Answer

There is a KB on this,

000033954 - How to configure more than two IP addresses for an RSA Authentication Manager 8.2 Web Tier Virtual Host

It's a file hack to add the third IP address for the F5 SNAT. Chris Salvati figured this one out

See the reply in context

No one else had this question

Outcomes

Peter George

Aug 9, 2016 9:27 AM

Hello Robert,

Unfortunately for now the Load Balancer IPs that can be configured are maximum of two. If more than that it will give the error of authenticating from an unknown IP.

Although a workaround is to use DNS round robin instead of IPs. Although this is not the most recommended way, but it can be used in exchange of configuring those 3 IPs on the AM server. You basically add the host name only and the DNS resolves to any of those IP consecutively as a round robin. But the recommended way is to limit the LB to two IPs that are configured on the AM Operations Console.

As for the CPU spike is probably because of the unhanded requests that are coming from that extra IP. But we might need extra info so if it is a persistent issue, consider opening a Technical Support ticket then, through web portal or email or phone

Best Regards,

Peter

Actions

Jay Guillette

@ Peter George on Mar 7, 2017 3:51 PM

There is a KB on this,

000033954 - How to configure more than two IP addresses for an RSA Authentication Manager 8.2 Web Tier Virtual Host

It's a file hack to add the third IP address for the F5 SNAT. Chris Salvati figured this one out

1 person found this helpful

Actions

Jay Guillette

Aug 21, 2016 4:44 PM

Two things that might come into play, if your F5 needs to terminate the User SSL connection, you will want to get the private key exported from RSA so you can import into F5. There is not Security or Operations Console option to do this, but there is a Knowledge Base article that should be searchable here on Link or just see the attached one.

Also, we did run into some F5 specific problems when using On Demand authentication, ODA. ODA requires that you enter a PIN, then wait for your On Demand TokenCode to be delivered via email or SMS text. The attached KB explains some problems we saw due to how F5 was doing the load balance, which include a NAT translation. What we saw was if the TokenCode was entered 30 seconds after the PIN, certain versions of F5 had timed out the NAT connection, built a new one, but it had a different source port, which made the RSA Authentication manager think the ODA TokenCode was not related to the PIN, and did not consider the ODT valid. granted, this was a somewhat rare situation, and then next version of F5 inceased the timeout to 60 seconds, so many users never saw this, just the slow typers.

Attachments

1 person found this helpful

Actions

Josh Becigneul Mar 7, 2017 1:13 PM

For best performance of Webtier instance via a F5 load balancer, ask your network team to configure the virtual server to use SNAT Automap instead of a SNAT pool, and then to provide you with the floating self-ip that traffic sent to your webtier node would originate from.

I have two RSA AM 8.2 deployments behind F5 load balancers, and we have very little problems with this configuration.

1 person found this helpful

Actions

4 Replies

Peter George Aug 9, 2016 9:27 AM
Mark Correct
Correct Answer
Hello Robert,

Unfortunately for now the Load Balancer IPs that can be configured are maximum of two. If more than that it will give the error of authenticating from an unknown IP.
Although a workaround is to use DNS round robin instead of IPs. Although this is not the most recommended way, but it can be used in exchange of configuring those 3 IPs on the AM server. You basically add the host name only and the DNS resolves to any of those IP consecutively as a round robin. But the recommended way is to limit the LB to two IPs that are configured on the AM Operations Console.

As for the CPU spike is probably because of the unhanded requests that are coming from that extra IP. But we might need extra info so if it is a persistent issue, consider opening a Technical Support ticket then, through web portal or email or phone

Best Regards,
Peter
Like • Show 1 Like1
Actions
- Jay Guillette @ Peter George on Mar 7, 2017 3:51 PM
  Unmark Correct
  Correct Answer
  There is a KB on this,
  000033954 - How to configure more than two IP addresses for an RSA Authentication Manager 8.2 Web Tier Virtual Host
  It's a file hack to add the third IP address for the F5 SNAT. Chris Salvati figured this one out
  1 person found this helpful
  Like • Show 1 Like1
  Actions
Jay Guillette Aug 21, 2016 4:44 PM
Mark Correct
Correct Answer
Two things that might come into play, if your F5 needs to terminate the User SSL connection, you will want to get the private key exported from RSA so you can import into F5. There is not Security or Operations Console option to do this, but there is a Knowledge Base article that should be searchable here on Link or just see the attached one.
Also, we did run into some F5 specific problems when using On Demand authentication, ODA. ODA requires that you enter a PIN, then wait for your On Demand TokenCode to be delivered via email or SMS text. The attached KB explains some problems we saw due to how F5 was doing the load balance, which include a NAT translation. What we saw was if the TokenCode was entered 30 seconds after the PIN, certain versions of F5 had timed out the NAT connection, built a new one, but it had a different source port, which made the RSA Authentication manager think the ODA TokenCode was not related to the PIN, and did not consider the ODT valid. granted, this was a somewhat rare situation, and then next version of F5 inceased the timeout to 60 seconds, so many users never saw this, just the slow typers.
Attachments
- 000032627-How_to_export_AM_8.1_SP1_Web_Tier_Virtual_Host_Private_Key_to_PFX.pdf338.8 KB
- 000029764-AM8.1-F5withNAT_authentication_failure_but_nothing_in_AM_logs.pdf427.7 KB
1 person found this helpful
Like • Show 1 Like1
Actions
Josh Becigneul Mar 7, 2017 1:13 PM
Mark Correct
Correct Answer
For best performance of Webtier instance via a F5 load balancer, ask your network team to configure the virtual server to use SNAT Automap instead of a SNAT pool, and then to provide you with the floating self-ip that traffic sent to your webtier node would originate from.

I have two RSA AM 8.2 deployments behind F5 load balancers, and we have very little problems with this configuration.
1 person found this helpful
Like • Show 1 Like1
Actions