SecurID Agent-Server through proxy firewall

[Martin Bishop <martybishop () yahoo com>]

Hi everyone!

A customer of mine is planning to launch a public web server for
online electronic commerce. The system is already built and already in
use internally for three months now so it has been adequately tested
before external users start using it. Users are all authenticated with
SecurID tokens, which is implemented with a SecurID Agent running on
the web server. The web server and ACE servers are at the moment in
the same (internal) subnet without even a router between them and all
works fine.

Now, as we go public, we will move the web server from internal
network to a DMZ (if you will -:). We have already decided to use an
application gateway firewall and that the web server will reside on
its third network interface. If you are using a fixed-width font, you
might see the following (fairly simplified) picture:


                      +-------------+
                      ! Application !
Internet  ------------+ Gateway     +----- Internal network
(e-commerce users)    ! Firewall    !      (with ACE servers)
                      +------+------+
                             !
                             !
                             !
                      +------+------+
                      !             !
                      ! Web server  !
                      ! (ACE agent) !
                      +-------------+

While testing, we successfully managed to move the web server to the
desired location (3rd interface), but we are having serious problems
with SecurID authentication that we can't seem to solve.
The problem is that, the _first_ SecurID authentication works fine but
all subsequent authentication attempts fail. If we want it to work
again, we have to remove the "securid" file from the web server
(actually from the ACE agent) and uncheck "Secret Already Sent" (or
something similar) on the ACE server. When we do this, the next
authentication attempt will succeed, but again the subsequent ones
will fail.

Another interesting thing is that all these subsequent authentication
attempts that the ACE Agent sees as unsuccessful (and tells that to
our web application) are described as SUCCESSFUL in ACE server logs.
So it would be logical to conclude that somehow the response from ACE
server is either changed (probably by the firewall generic proxy) or
misinterpreted by the ACE Agent for some reason.
Furthermore, due to the fact that ACE Agent and Server exchange the
"secret" value along with the first authentication attempt it could be
that this value (that is used for encrypting subsequent auth.
requestst) is somehow corrupted.

Unfortunately, we don't have enough insight into the SecurID
Agent-Server communication protocol to figure out how to solve this
problem but I'm sure that we're not the first ones who would want to
set up a system like that. So if any of you know any answers, your
suggestions will be highly appreciated. If you reply to the list,
_please_ reply to me personally also.

Thanks for your time and best regards,

Marty Bishop




_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com