I have a basic question about using the Auto-registration feature in the Windows Agent. If you add those capabilities to a Windows agent when it is installed is it still necessary to go into the Security Console of the RSA Authentication Manager and add that system directly as an agent to the system? I was hoping that Windows Auto-registration did all that for you but now I am wondering if that is true. Am I taking the term Auto-registration a tad too literally?
Thanks -
Mike
Edward:
Thanks so much for this. I have made sure that iptables isn't running on my AM server and with telnet I can talk to port 5550 on the system so I know it isn't blocked. However, when I try to test the connection between the Win 10 client and the server in the RSA Control Center it fails. The reason listed in the "Authentication Monitor" is "Authentication agent not found".
One other thing I have noticed is that if I go into RSA Control Center and look at the Server Environment it says the protocol is UDP and the port is 5500. I thought I was installing the newer rest agent.
Thanks -
Mike
REST uses port 5555 and TCP.
UDP agent uses UDP for authentication, and TCP for autoregistration and offline days.
AM server needs to have the REST config page Saved (apply settings) then it will open the port 5555 in iptables.
By default it is closed off. A onetime 'apply settings' opens it up. Need to do it on replicas too.
IIRC the current windows MFA agent 1.2.1 does not autoregister yet. Only the classic windows agent can do that.
Edward:
Again my thanks -
I'd like to pull your response apart if that is ok?
"UDP agent uses UDP for authentication, and TCP for autoregistration and offline days."
Here I am assuming you mean:
Security Console -> Setup -> System Settings -> Authentication Settings -> Agents -> put a check mark in the box before "Agent Auto-Registration" and click on Save to apply settings.
"IIRC the current windows MFA agent 1.2.1 does not autoregister yet. Only the classic windows agent can do that."
We have been installing from "RSA_Authentication_Agent_7.4.3.zip" - is this correct? What is the latest Agent version that can do auto-registration?
Again thanks!
Mike
Auto-registration allows a new agent the Security Console has never seen before punch itself into the config automagically. It uses the server.cer file and sdadmreg.exe to do this. The concept is whenever the tcp/ip stack changes on the agent, the autoregistration component tries to reach an RSA server and update it's IP to the current one (in DHCP or VPN IP pool scenarios), or register itself as a new agent. It requires port 5550/tcp connectivity. Manually running sdadmreg -r will attempt a registration right then, so you can test this from command line and watch what occurs if you are troubleshooting.