Since the AM primary and replicas are security devices, you will notice that only the FQDN works for the Security Console, and that there is an immediate redirect to make sure https is used and to isolate the bookmarked https://<FQDN>:7004/console-ims from brute force password quess attempts

If your reverse proxy or Firewall cannot or won't handle this redirect from https://<FQDN>:7004/console-ims, to https://<FQDN>:7004//IMS-AA-IDP/InitialLogonDispatch.do https://%3Cfqdn%3E:7004/console-ims then you cannot put your Security console behind it and expect Administrators to be able to access it, you will be forced to limit Admin Access to PCs on the Server side.

We have seen similar situations to this, but between the internal network and the Internet, not within the internal network. Auth manager has something called a Web Tier, which sits in a DMZ and allows access to Internet users to an obscured Self Service console, which also uses TCP port 7004. However this Web Tier never allows access to the Administration of the AM server on https://<FQDN>:7004/console-ims

See the reply in context

No one else had this question

Outcomes

Jay Guillette

Feb 21, 2017 9:34 AM

Actions

CkNuJCrxOhWPX5V1aCA6rR8Aok8DnBxBGqYTFc5hsM8= Feb 23, 2017 2:20 PM

It works now with the reverse proxy. As we have to be authenticated, to use the proxy, when will it be possible to logon to the Security Console with a SAML token?

Actions

Jay Guillette

@ CkNuJCrxOhWPX5V1aCA6rR8Aok8DnBxBGqYTFc5hsM8= on Feb 5, 2019 10:12 AM

Request for Enhancement, RFE is what you need here.

I do not think anyone has even tried that yet, but you might want to investigate the SecurID Cloud Access Server, which is part of the SecurID Access family - the other part from Authentication Manager, which can be used to protect applications that support SAML, but the Authentication Manager consoles only support authentication thouogh RSA Passwords for Internal Database users, LDAP Passwords for Users in external Identity Sources, Native SecurID Tokens, and On Demand Authentication.

Actions

Ted Barbour

@ Jay Guillette on Feb 5, 2019 11:08 AM

Hi Daniel - you can create an Authentication Manager enhancement request at RSA Ideas.

As Jay Guillette points out the SecurID Access Cloud Authentication Service provides SAML Identity Provider capabilities but the AM Security Console does not currently support SAML.

Thanks,

Ted

Actions

4 Replies

Jay Guillette Feb 21, 2017 9:34 AM
Unmark Correct
Correct Answer
Since the AM primary and replicas are security devices, you will notice that only the FQDN works for the Security Console, and that there is an immediate redirect to make sure https is used and to isolate the bookmarked https://<FQDN>:7004/console-ims from brute force password quess attempts

If your reverse proxy or Firewall cannot or won't handle this redirect from https://<FQDN>:7004/console-ims, to https://<FQDN>:7004//IMS-AA-IDP/InitialLogonDispatch.do https://%3Cfqdn%3E:7004/console-ims then you cannot put your Security console behind it and expect Administrators to be able to access it, you will be forced to limit Admin Access to PCs on the Server side.

We have seen similar situations to this, but between the internal network and the Internet, not within the internal network. Auth manager has something called a Web Tier, which sits in a DMZ and allows access to Internet users to an obscured Self Service console, which also uses TCP port 7004. However this Web Tier never allows access to the Administration of the AM server on https://<FQDN>:7004/console-ims
Like • Show 0 Likes0
Actions
CkNuJCrxOhWPX5V1aCA6rR8Aok8DnBxBGqYTFc5hsM8= Feb 23, 2017 2:20 PM
Mark Correct
Correct Answer
It works now with the reverse proxy. As we have to be authenticated, to use the proxy, when will it be possible to logon to the Security Console with a SAML token?
Like • Show 0 Likes0
Actions
- Jay Guillette @ CkNuJCrxOhWPX5V1aCA6rR8Aok8DnBxBGqYTFc5hsM8= on Feb 5, 2019 10:12 AM
  Mark Correct
  Correct Answer
  Request for Enhancement, RFE is what you need here.
  I do not think anyone has even tried that yet, but you might want to investigate the SecurID Cloud Access Server, which is part of the SecurID Access family - the other part from Authentication Manager, which can be used to protect applications that support SAML, but the Authentication Manager consoles only support authentication thouogh RSA Passwords for Internal Database users, LDAP Passwords for Users in external Identity Sources, Native SecurID Tokens, and On Demand Authentication.
  Like • Show 0 Likes0
  Actions
  - Ted Barbour @ Jay Guillette on Feb 5, 2019 11:08 AM
    Mark Correct
    Correct Answer
    Hi Daniel - you can create an Authentication Manager enhancement request at RSA Ideas.
    As Jay Guillette points out the SecurID Access Cloud Authentication Service provides SAML Identity Provider capabilities but the AM Security Console does not currently support SAML.
    
    Thanks,
    Ted
    Like • Show 0 Likes0
    Actions

Security Console and Reverse Proxy

Outcomes

Related Content

Recommended Content