
If your site uses an RSA ACE/Server and RSA SecurID for authentication, you can configure the Access Gateway to authenticate user access with the RSA ACE/Server. The Access Gateway acts as an RSA Agent Host, authenticating on behalf of the users who use the Citrix Access Gateway Plug-in to log on. Multiple RSA realms can be configured on the Access Gateway. Each RSA realm must use the same sdconf.rec file and point to one RSA ACE/Server.

The Access Gateway supports RSA ACE/Server Version 5.2 and higher. The Access Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf.rec file that is uploaded to the Access Gateway. If replication is configured on the RSA ACE/Server, the Access Gateway attempts to connect to the replication servers when the primary server fails or the network connection to it is lost.

Note: If you are running a RADIUS server on an RSA server, configure RADIUS authentication as described in “Configuring RADIUS Authentication and Authorization” on page 77.

If a user is not found on the RSA ACE/Server, or fails authentication on that server, the Access Gateway checks the user against the user information stored locally on the Access Gateway, provided that the Use the local user database on the Access Gateway check box is selected on the Settings tab.

The Access Gateway supports Next Token Mode. If a user enters three incorrect passwords, the Access Gateway Plug-in prompts the user to wait until the next token is active before logging on. The RSA server can be configured to disable a user’s account if a user logs on too many times with an incorrect password.

To contact the RSA ACE/Server, the Access Gateway must include a copy of the ACE Agent Host sdconf.rec configuration file that is generated by the RSA ACE/Server. The following procedures describe how to generate and upload that file.

Note: The following steps describe the required settings for the Access Gateway. Your site might have additional requirements. Refer to the RSA ACE/Server product documentation for more information.

When creating the sdconf.rec file, use the following information as a guideline for the settings:

• Create an Agent Host.

• Create a descriptive name for the Access Gateway, which is the Agent Host for which you are creating the configuration file.

• Use the internal Access Gateway IP address for the network address.

• The agent type is UNIX Agent.

When you are creating the Agent Host, make sure that the Node Secret Created check box on the RSA ACE/Server is cleared. The RSA ACE/Server sends the Node Secret to the Access Gateway the first time that it authenticates a request from the Access Gateway. After that, the Node Secret Created check box is selected. By clearing the check box and generating and uploading a new configuration file, you can force the RSA ACE/Server to send a new Node Secret to the Access Gateway.

• There are two ways you can indicate which users can be authenticated through the Access Gateway:

  • Configure the Access Gateway as an open Agent Host that is open to all locally known users

  • Select the users to be authenticated by editing the Agent Host and selecting the users to be activated

After you have created the settings on the RSA server, create the sdconf.rec file.

The file that you generate (sdconf.rec) is uploaded to the Access Gateway.

For more information about configuring settings on the RSA server, see the manufacturer’s documentation.

To configure RSA SecurID authentication

1. Click the Authentication tab.

2. Under Add an Authentication Realm, in Realm Name, type a name to identify the RSA ACE/Server.

3. Select One Source and click Add.

Note: If you want the Default realm to use RSA authentication, remove the Default realm as described in “To remove and create a Default realm” on page 65.

4. In the Select Authentication Type dialog box, in Authentication type, select RSA SecurID authentication and click OK.

Caution: If an invalid sdconf.rec file is uploaded to the Access Gateway, it might cause the Access Gateway to send out messages to non-existent IP addresses. This might be flagged by a network monitor as network spamming.

5. To upload the sdconf.rec file that you generated in the previous procedure, on the Authentication tab, click Upload sdconf.rec File, navigate to the file, and then click Open.

The sdconf.rec file is typically written to ace\data\config_files and to windows\system32.

• The file status message indicates whether or not an sdconf.rec file was uploaded. If one was uploaded and you need to replace it, click Upload sdconf.rec File, navigate to the file, and then click Open to upload the file.

• The first time that a user is successfully authenticated, the RSA ACE/Server writes some configuration files to the Access Gateway. If you subsequently change the IP address of the Access Gateway, click Remove ACE Configuration Files, restart when prompted, and then upload a new sdconf.rec file. The files that are removed are sdconf.rec, securid, and sdstatus.

6. Click Submit.

You can use the following authorization types with RSA SecurID authentication:

• RADIUS authorization

• Local authorization

• LDAP authorization

• No authorization
