Hi Erick,
For a good explanation see "Checkpoint Solution ID: #sk30992" (Integrating RSA ACE server with NG with AI R55 gateway cluster, for SecurID authentication)

Example1:
1) If you do NOT source nat SecurID traffic, you have to create an independent agent host for each firewall in the cluster, then you would include only each gateway's routable IP (routable to the SecurID server) in the sdopts.rec

Example2:
2) However, if you are source natting your SecurID traffic (which is what happens anyway with "cluster hide & cluster fold"), you would only have to create one agent host (for the cluster), then you would include only the cluster's routable IP (routable to the SecurID server) in the sdopts.rec

Best regards
Andrew

----------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
----------------------------------------------------------------------------

Erick Fortin <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
03/05/2007 18:52
Please respond to Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
cc:
Subject: Re: [FW-1] SV: [FW-1] RSA Autentication Manager + NGX Cluster

Hi Andrew,
On the sixth step, in /var/ace/sdopts.rec the CLIENT_IP=x.x.x.x must be the Cluster ip address? Or the module ip address?
Thanks a lot.

-----Original message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On behalf of Andrew W Barkley
Sent: Thursday, 03 May 2007 05:38 a.m.
To: [email protected]
Subject: Re: [FW-1] SV: [FW-1] RSA Autentication Manager + NGX Cluster

Hi Erick et al ...

Configure as follows:

NOTE: Create NAT rule to NOT nat cluster gateways > SecurID server

1) Create Agent Host for each gateway (SecurID administration)
   Agent Type = Unix Agent i.e. Unix/Linux etc ...
   Agent Type = Communication Server i.e. Cisco/Nokia etc ...
2) Modify user auth = SecurID
3) Add each gateway to SecurID server /etc/hosts
4) Ensure SecurID ports open between gateways & SecurID server
5) Create /var/ace (root)(rw) on each gateway, generate sdconf.rec, copy to /var/ace/
6) Create /var/ace/sdopts.rec, enter CLIENT_IP="your gateway source IP" (routable to SecurID server)
7) Restart each gateway (cpstop && cpstart)
8) Tail SecurID logs whilst logging into gateways (SecurID) for any errors etc

Cheers
Andrew

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
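
Added example, not part of the original thread or of any Check Point or RSA material: a shell check that the CLIENT_IP in sdopts.rec matches the address the SecurID server should see, covering both cases discussed above (step 6 of the procedure and the NAT / no-NAT distinction). The function names, the mode names "nonat" and "hide", and the 192.0.2.x addresses are constructed for illustration; it assumes the file holds a single bare CLIENT_IP=a.b.c.d line, the form quoted in the thread.

```shell
# Added example: check CLIENT_IP in sdopts.rec against the address the
# SecurID server should see, per the two cases described in the thread.
# All addresses and file contents here are constructed samples.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# expected_ip MODE GATEWAY_IP CLUSTER_IP
#   nonat: each member uses its own routable IP (one agent host per member)
#   hide : SecurID traffic is source-NATed, so use the cluster's routable IP
expected_ip() {
    case $1 in
        nonat) printf '%s\n' "$2" ;;
        hide)  printf '%s\n' "$3" ;;
        *)     return 1 ;;
    esac
}

# check_sdopts FILE MODE GATEWAY_IP CLUSTER_IP
#   0 = matches, 1 = unreadable file, bad mode or no CLIENT_IP line,
#   2 = duplicate or not a bare IPv4 value, 3 = wrong address for MODE
check_sdopts() {
    [ -r "$1" ] || return 1
    want=$(expected_ip "$2" "$3" "$4") || return 1
    # Assumption: one "CLIENT_IP=a.b.c.d" line, the form quoted in the thread.
    found=$(tr -d '\r' < "$1" | sed -n 's/^CLIENT_IP=//p')
    [ -n "$found" ] || return 1
    [ $(printf '%s\n' "$found" | wc -l) -eq 1 ] || return 2
    is_ipv4 "$found" || return 2
    [ "$found" = "$want" ] || return 3
}

# Demo on a constructed file: a member left on its own IP, checked
# first for the no-NAT case and then for the hide-NAT case.
demo_dir=$(mktemp -d)
printf 'CLIENT_IP=192.0.2.11\n' > "$demo_dir/sdopts.rec"
for mode in nonat hide; do
    rc=0
    check_sdopts "$demo_dir/sdopts.rec" "$mode" 192.0.2.11 192.0.2.10 || rc=$?
    echo "mode=$mode result=$rc"
done
rm -rf "$demo_dir"
```

A result of 2 also catches a value pasted with the quotation marks from step 6 left in place, which this check treats as needing review.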
