Hi,

Also, make a successful authentication to the first node, then copy the 
sdconf.rec, sdopts.rec and securid file to /var/ace on the second node that 
participates in the cluster. Then run a cpstop / cpstart on the second node and 
fail over to this node. RSA authentication will then work for this node as well.

On the RSA server itself you need to configure only one agent host with the 
cluster ip as ip address. As far as I know the sdconf.rec file "only" contains 
information about where the RSA server is, and the securid file (which is 
generated on the first successful login) is the file the ACE agent on the node 
used to authenticate to the RSA server.

The RSA server only sees the cluster ip (provided you use CLIENT_IP=x.x.x.x in 
sdopts.rec, case is important btw) so you don't need to define secondary hosts 
on the one agent host defined on the RSA Server. And this is why you can tar 
the /var/ace directory and use scp to copy it to the second node and unpack it 
there.

Good luck,

// Børge
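A small check script that encodes the points made in this thread (the /var/ace directory must exist and be writable, sdconf.rec must be present, sdopts.rec must pin the source address with an uppercase CLIENT_IP= line, and the node secret appears only after the first successful login or after copying it from the peer). This is an added example, not a Check Point or RSA tool; the function name and its messages are my own.

```shell
#!/bin/sh
# check_ace_dir [DIR]: validate the ACE agent directory (default /var/ace)
# on one cluster member. Returns 0 when the directory is usable and the
# sdopts.rec source-IP pin is present and correctly spelled.
check_ace_dir() {
    dir="${1:-/var/ace}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist; create it before placing sdconf.rec"
        return 1
    fi
    # The agent writes the node secret here on first contact with the RSA server.
    if [ ! -w "$dir" ]; then
        echo "ERROR: $dir is not writable; the node secret cannot be stored"
        rc=1
    fi
    # sdconf.rec tells the agent where the RSA server is.
    if [ ! -s "$dir/sdconf.rec" ]; then
        echo "ERROR: $dir/sdconf.rec is missing or empty"
        rc=1
    fi
    # sdopts.rec pins the source IP; the key is case-sensitive (CLIENT_IP).
    if [ ! -f "$dir/sdopts.rec" ]; then
        echo "WARN: no sdopts.rec; the agent will choose its own source IP"
    elif grep -q '^CLIENT_IP=[0-9][0-9.]*$' "$dir/sdopts.rec"; then
        echo "OK: $(grep '^CLIENT_IP=' "$dir/sdopts.rec") pins the source address"
    elif grep -qi '^client_ip=' "$dir/sdopts.rec"; then
        echo "ERROR: CLIENT_IP key in $dir/sdopts.rec must be uppercase"
        rc=1
    else
        echo "ERROR: no CLIENT_IP= line in $dir/sdopts.rec"
        rc=1
    fi
    # The node secret is created by the first successful login or copied from the peer.
    if [ -f "$dir/securid" ]; then
        echo "OK: node secret present"
    else
        echo "INFO: no node secret yet; authenticate once here or copy it from the other node"
    fi
    return $rc
}
```

Run it on both members after unpacking the tarred /var/ace on the second node; a non-zero exit points at the file that still needs attention.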

-----Original Message-----
From: FWAdmin [mailto:[EMAIL PROTECTED] 
Sent: 3 May 2007 09:31
To: [email protected]
Subject: Re: [FW-1] RSA Autentication Manager + NGX Cluster

Hi there,

sometimes it's not clear which IP the RSA agent uses to connect to the RSA 
server. If you need to fix this, you have to create a file named sdopts.rec in 
the /var/ace directory and put a line CLIENT_IP=x.x.x.x in it. This will force 
the RSA authentication agent to use this Source-IP.

Regards
Torsten Gödicke

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Matthew Odendaal
> Sent: Thursday, May 03, 2007 8:52 AM
> To: [email protected]
> Subject: Re: [FW-1] RSA Autentication Manager + NGX Cluster
> 
> 
> Hi there
> 
> Check Point has a built-in RSA SecurID authentication agent. 
> All it needs is the sdconf.rec file to point it to the right server. 
> You just have to put it into the right directory.
> 
> You need to create the /var/ace directory yourself (also make sure the 
> directory is writable, as the firewall needs to write the node secret 
> files there the first time it establishes communication with the RSA 
> server). Make sure that you create 2 separate sdconf.rec files (one 
> for each module) and also make sure that the traffic between the cluster and 
> the SecurID server does not get hidden behind the cluster IP address 
> (that will cause the authentication to fail unless configured 
> differently).
> 
> Once you place the sdconf.rec files into the /var/ace directories, 
> Check Point will automatically use the RSA server for authentication. 
> Please note that this only works for FireWall-1 authentication 
> (SecuRemote/Client, SNX, Client/Session/User Auth). For authentication 
> to the OS itself, you will have to integrate it slightly differently.
> 
> 
> Matthew Odendaal
> 
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Erick Fortin
> Sent: 03 May 2007 06:59 AM
> To: [email protected]
> Subject: [FW-1] RSA Autentication Manager + NGX Cluster
> 
> Hi,
> 
> I'm trying to install RSA SecurID tokens on a Check Point cluster 
> environment. I was reading the documentation and I found that you have to 
> make some configurations on the modules; it says that you have to place the 
> file sdconf.rec in the /var/ace directory on SPLAT, but I can't find out 
> whether you have to create that folder or you need to install some 
> software or agent on the SPLAT modules. Does anybody know how to configure 
> the modules?
> 
> Your help will be appreciated 
> 
>  
> Atte.
> 
> Erick Fortin
> 
>  

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
