My company currently has a straightforward RSA Authentication Manager deployment. We have 1 x AM Primary and 1 x AM Replica on our internal network, and all of our clients (so far) are RSA Windows Agents installed on user laptops. The problem we have with this implementation is that users must use offline authentication, which can be very slow, while not on the internal network. We want remote users (not on our internal network, could be coming from any IP) to be able to authenticate against our AM servers using the Windows Agent client.
I've had a couple of calls with technical consultants from RSA and received different answers, from "this is not possible" to "just put a replica in AWS and expose it to the remote workers". The latter is not as simple as it sounds, if reading through other similar discussions on here (read: how to access the self-service interface using a public IP address) is any indication, if it is even possible.
First: is it even possible? Could I securely expose port 7004 on a replica in AWS, and configure FQDNs, DNS etc. in such a way that the replica is fully functional and accessible by remote workers?
Second: if not, is adding a web tier a viable solution to our problem? It's not self-service I'm interested in, it's authentication. The web tier documentation states that a web tier can handle RBA authentication - is this different from the authentication requests that my RSA Windows Agents would send?
We currently have a base license, but we're open to upgrading to get access to other features such as the risk engine if it would help us solve this problem.