Risk Based Authentication
3 Days RSA Authentication Manager Consultancy – version 8.1 with Risk Based Authentication
Scope of Work
- Installation of Primary RSA Authentication Manager version 8.1 Appliance on to an ESXi 4.x/5.x Environment
- Installation of Replica RSA Authentication Manager version 8.1 Appliance on to an ESXi 4.x/5.x Environment
- Integrate RSA with Active Directory
- Configure RSA for Webtier Configuration
- Installation of web Tier Components
- Integrate Netscaler Virtual server to Load Balance Web Tier Servers
- Integrate Netscaler Access Gateway to provide Risk Based Authentication
- Provide skills transfer
- Day 1 – BACK END
  - Initial build of Primary & Replica RSA version 8 servers on VMWare
  - Configure Replication between RSA version 8 Servers
  - Integration to Active Directory
  - Configure RSA servers ready for web tier integration
- Day 2 – FRONT END
  - Install web tier components
  - Configure Netscaler as a Load Balancer for webtier
  - Configure Netscaler for Risk Based Authentication
- Day 3 – TESTING
  - Test web tier components & external authentication
  - Admin Console Configuration
  - Skills Transfer to admin staff
VMWare ESXi Requirements
- Full access to the VMware vSphere client, to reach a suitable ESXi 4.x/5.x host or vCenter Server console, in order to deploy the RSA OVA file.
- Primary RSA Authentication Manager version 8.1 appliance already installed by the customer onto an ESXi 4.x/5.x environment
- Replica RSA Authentication Manager version 8.1 appliance already installed by the customer onto an ESXi 4.x/5.x environment
- ESXi host to meet minimum requirements: 100 GB of thick-provisioned storage when deploying the virtual appliance, 4 GB of memory (preferably 8 GB RAM), at least one virtual CPU. Note: By default, each Authentication Manager instance is deployed with 8 GB of memory and two virtual CPUs.
- Customer is responsible for VMware host environment and any tasks related to changes on VMware.
- The virtual appliance only supports the E1000 virtual network adapter. Do not change the default network adapter or add a new virtual network adapter to the virtual appliance.
- For additional hardware requirements for the physical server hosting the virtual appliances, see your VMware documentation.
- VMware snapshots may be required at various stages in deployment – adequate disk space must be available to do this.
- Customer to supply RSA version 8.1 Software & licenses
- License file may need to be downloaded from RSA Download Central at https://download.rsasecurity.com if not already obtained
- Use the credentials and the license serial number that RSA e-mailed to you to log on to the site and download the license file. If you did not receive an e-mail with the logon credentials, contact the RSA Exceptions (support) Desk by sending an e-mail with your contact information and license serial number (provided in your order confirmation) to firstname.lastname@example.org or contacting 01344 781100
- Further details on the process are available in a 5 min youtube video here: http://www.youtube.com/watch?v=5e9tawZ8JfU
- The location of the license file, which must be available before running the appliance Quick Setup process
- The network information for each appliance must be provided: the fully qualified domain name (FQDN), static IP address, subnet mask, default gateway, and DNS server IP addresses
- RSA Servers will need fully qualified Hostnames configured in DNS (forward & reverse lookups)
- RSA servers will need to be synced to an NTP time source – it is assumed that this is the same time source as previous installation – differences in time can impact user authentications
- Any Firewalls must be configured to allow all RSA & other components to communicate with one another
- TCP 7004 & 7072 ports are required for the Administration Consoles – these must be allowed through firewalls from wherever administration is performed on the network
- TCP 7002, 1812 & 1813 Ports are required for Replication – these must be allowed through Firewalls for replication to work
Web tier & Citrix Netscaler Load Balancer
- 2 web tier servers will be built
- Minimum Requirements for Web Tier Servers: Hard drive: 2 GB for web tier installation, 4 GB-20 GB free space for logs and updated component downloads. RAM: 2 GB.
- Firewall requirements: the following ports are required through each firewall: External firewall: 443 HTTPS (TCP); DMZ: 443 HTTPS (TCP); Internal firewall: 7022 T3S (TCP)
- Operating System Requirements: Red Hat Enterprise Linux 5/6 Server (64-bit) or Windows Server 2008 R2 (64-bit)
- Web Tier will be built with a Netscaler load balancer as recommended for use with Risk Based Authentication
- 2 Individual public web-tier hostnames and a shared virtual hostname must be provided and be addressable from the public side of the web tier.
- The Netscaler load balancer must meet the following requirements:
  - User persistence. The load balancer must send a client to the same server repeatedly during a session – that is, to the same Authentication Manager instance or web-tier server, depending on the deployment scenario, for the whole of an authentication session.
  - X-Forwarded-For headers. Application-layer load balancers make all requests appear to come from the load balancer itself. The load balancer must be configured to send the original client IP address in the “X-Forwarded-For” header; this is the default for most application-layer load balancers.
  - HTTPS redirection. The load balancer must be able to redirect HTTPS requests to another URL. This allows users to use the load balancer hostname to access the Self-Service Console.
- The web tier must be accessible by HTTPS from the public side of the web tier. Certificates will be needed for the servers.
- The web tier must be able to communicate with the RSA servers over port TCP 7022 – this port must be open through any firewalls.
- The date and time on the web-tier server must match the date and time on the instance with which the web tier will be associated (primary or replica) to within one minute.
- An administrator account must be used during installation
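The Day 3 testing of the prerequisites listed above (forward and reverse DNS for each FQDN, clocks within one minute of the peer, and the replication, console and web-tier ports open through the firewalls) can be scripted. The following is an added example, not part of this scope of work and not an RSA tool; host names and addresses are constructed lab values, and the injected lookup/connect functions exist only so the check runs offline, with real DNS and TCP probes as the defaults.

```python
import socket
import time

REPLICATION_PORTS = (7002, 1812, 1813)  # primary <-> replica (consoles: 7004, 7072; web tier -> AM: 7022)
MAX_SKEW_SECONDS = 60                   # web tier and its instance must agree to within one minute

def dns_consistent(fqdn, ip, forward, reverse):
    """Forward lookup must return the static IP and the PTR record must give the FQDN back."""
    try:
        if forward(fqdn) != ip:
            return False
        name, aliases, _ = reverse(ip)  # same shape as socket.gethostbyaddr()
        return fqdn.lower() in [n.lower() for n in [name, *aliases]]
    except OSError:  # NXDOMAIN, missing PTR, resolver unreachable
        return False

def preflight(fqdn, ip, ports, peer_epoch, forward=socket.gethostbyname, reverse=socket.gethostbyaddr,
              connect=lambda h, p: socket.create_connection((h, p), timeout=2.0).close(), now=time.time):
    """Return the failed checks for one host; an empty list means it is ready."""
    failures = []
    if not dns_consistent(fqdn, ip, forward, reverse):
        failures.append(f"dns: {fqdn} <-> {ip} forward/reverse mismatch")
    if abs(now() - peer_epoch) > MAX_SKEW_SECONDS:
        failures.append(f"ntp: clock differs from peer by more than {MAX_SKEW_SECONDS}s")
    for port in ports:
        try:
            connect(ip, port)  # a firewall that drops the port surfaces as a timeout (OSError)
        except OSError:
            failures.append(f"port: tcp/{port} to {ip} blocked or closed")
    return failures

# Constructed lab (hypothetical names/addresses): the replica has no PTR record and tcp/1813 to it is blocked.
LAB_A = {"am-primary.lab.example": "10.0.0.11", "am-replica.lab.example": "10.0.0.12"}
LAB_PTR = {"10.0.0.11": "am-primary.lab.example"}
LAB_OPEN = {("10.0.0.11", 7002), ("10.0.0.11", 1812), ("10.0.0.11", 1813),
            ("10.0.0.12", 7002), ("10.0.0.12", 1812)}

def lab_reverse(ip):
    if ip not in LAB_PTR:
        raise OSError("no PTR record")
    return (LAB_PTR[ip], [], [ip])
def lab_connect(host, port):
    if (host, port) not in LAB_OPEN:
        raise OSError("connection timed out")

def lab_report():
    """Replication preflight for every lab host; the local clock is 30 s ahead of the peer, which is acceptable."""
    return {n: preflight(n, ip, REPLICATION_PORTS, 1_700_000_000, forward=LAB_A.get,
                         reverse=lab_reverse, connect=lab_connect, now=lambda: 1_700_000_030)
            for n, ip in LAB_A.items()}
```

Against a real deployment, call preflight() with only the FQDN, static IP, port tuple and the peer's epoch time, so the socket defaults do the lookups and probes.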
Citrix Netscaler Risk Based Authentication Integration
- Integration with Citrix Netscaler will be configured based on supported configuration as determined by documentation at https://gallery.emc.com/servlet/JiveServlet/download/1609-25-4730/Citrix_NetScalerGateway10.1_AuthMan8.0.pdf
- The Netscaler versions should be as listed in the guide above. The version supported is version 10.1 – other versions may work and will be done on a best endeavours basis.
- The Netscaler will require a script to be uploaded to the device
- Customer is responsible for any integrated 3rd party products.
- Note: In order for Risk Based Authentication to work – the Responder feature must be licensed on the Netscaler gateway
- LDAP configuration details will be required to configure integration with Active Directory – a System Admin Account must be provided for communication.
- Current Active directory support is for Microsoft Active Directory 2008 R2 (other versions may work but will be unsupported by RSA)
- Basic Skills transfer as time allows to Admin staff
- Software & Hardware Tokens
- Trusted Realm Deployments
- Documentation – Basic screenshots of installation process can be done as time allows if required
- Any other RSA consultancy requirements and RSA features not discussed in the scope of work & caveats are outside the agreed scope of consultancy – and may be done as time allows