Anyone have experience implementing the Self-Service portal in a DMZ to issue token codes via SMS? Trying to get a feel for level of effort to implement, security concerns, so on.
Do you mean like this?
This is my webtier, using a special URL that goes directly to asking for userid and ODA PIN; then a code is delivered. Once delivered, you log into the protected resource with the ODA PIN + new code (type PIN and code together like a passcode).
[excuse my custom logo...lab testing]
To do this I simply spun up a webtier on RHEL, and enabled On-demand for a user.
All that is needed is TCP port 7022 between the webtier in the DMZ and the Auth Manager primary internally, and of course a server to run the webtier.
I chose custom port 8008 for 'the world' to access, but the default is 443, or any port you want.
Thank you. We have the full Authentication Manager 8.4 up and running. Do you have a feel for the level of effort needed to bring up the Self-Service portal in the DMZ?
Well, I've done it a bunch of times, so for me it takes 20 minutes or less to set up a new webtier, make DNS entries, open firewall... Level of effort depends on specifics to your unique network and situation, but overall this is super simple to implement. Assuming DNS and networking is 100% and all that background IT setup is good.
That's encouraging. Thank you.
NOTE: that same URL works against the AM Primary or any Replica; just change the name and the port to 7004 and keep the rest intact. But yes, a webtier is what you want in the DMZ facing the 'world', as that removes your actual Primary from any attack vector.
Self Service and Admin Security Consoles both use TCP port 7004 as part of their URL, so you do not want to expose the Self Service Console to the Internet directly. You could deploy your own proxy server in the DMZ, but the RSA solution would be a Web Tier, which is basically a proxy app that can be deployed on either a Windows or Red Hat server in your DMZ. It presents a URL to the Internet and aggregates these requests for access to the Self Service console over TCP port 7022.
You can also deploy more than one web tier as a virtual host to your users on the Internet, and place load balancers in front of them. You can restrict Web Tier access to just Self Service, just token download via CT-KIP encryption, or both.
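The port layout described in this thread (Internet to web tier on the public HTTPS port, web tier to the AM primary on TCP 7022, console port 7004 never exposed) can be checked against a firewall rule set before go-live. The following is an added example, not RSA's or anyone in the thread's code; the rule format, zone names and host names are assumptions.

```python
"""Policy check for the DMZ web tier flows discussed above (constructed example).
Rules are (source zone, destination host, TCP port, action); first match wins and
anything unmatched is denied. The rule format and host names are assumptions."""

# Flows the thread says must work: users to the web tier, web tier to AM on 7022.
REQUIRED_ALLOW = [
    ("internet", "webtier", 443),      # public HTTPS port (8008 in the lab above)
    ("webtier", "am-primary", 7022),   # web tier proxies to Authentication Manager
]
# Flows the thread says must never be reachable from the Internet.
REQUIRED_DENY = [
    ("internet", "am-primary", 7004),  # Self Service / Security Console port
    ("internet", "webtier", 7004),
    ("internet", "am-primary", 7022),  # only the web tier should talk 7022
]

def evaluate(rules, src, dst, port):
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for r_src, r_dst, r_port, action in rules:
        if (r_src in (src, "any") and r_dst in (dst, "any")
                and r_port in (port, "any")):
            return action
    return "deny"

def policy_violations(rules):
    """List each way a rule set departs from the web-tier DMZ policy."""
    problems = []
    for src, dst, port in REQUIRED_ALLOW:
        if evaluate(rules, src, dst, port) != "allow":
            problems.append(f"required flow blocked: {src}->{dst}:{port}")
    for src, dst, port in REQUIRED_DENY:
        if evaluate(rules, src, dst, port) == "allow":
            problems.append(f"exposed: {src}->{dst}:{port}")
    return problems

# Constructed rule sets: the hardened layout from the thread, and a weak one that
# opens everything from the Internet, including the console port of the primary.
HARDENED = [
    ("internet", "webtier", 443, "allow"),
    ("webtier", "am-primary", 7022, "allow"),
]
WEAK = [
    ("internet", "any", "any", "allow"),   # "just open it up" mistake
    ("webtier", "am-primary", 7022, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, policy_violations(rules) or "OK")
```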
Thank you. I'll pass this along to our network folk.