
How do I configure RSA AuthMgr WebTier behind F5 loadbalancer SNAT pool?

Question asked by Robert Gorichanaz on Aug 5, 2016
Latest reply on Mar 7, 2017 by Jay Guillette


I'm not an F5-guy, so take this for what it's worth... my Network guys are telling me that our internet-facing F5 is configured with a "SNAT pool" consisting of three IP addresses. Traffic from the F5 to the WebTier server can come in from any of these three IP addresses. However, RSA only allows me to configure TWO IP addresses.

 

This results in some very inconsistent behavior in the WebTier self-service console, and tons of log errors in the WebTier like:

 

com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR

  Caused by: com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.

 

[[ We're also having high-CPU spikes on the WebTier server (which may be unrelated to the load balancer config) which cause our primary AuthMgr to lock up on occasion. ]]

 

Is anyone else having similar issues? Know of any workarounds that DON'T require redoing load balancer configurations across the enterprise?
