Using RSA SecurID for Authentication
80 Firebox SSL VPN Gateway

The Firebox SSL VPN Gateway supports RSA ACE/Server Version 5.2 and higher. The Firebox SSL VPN Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf.rec file that is uploaded to the Firebox SSL VPN Gateway. If this is configured on the RSA ACE/Server, the Firebox SSL VPN Gateway attempts to connect to the replication servers if there is a failure or network connection loss with the primary server.

Note
If you are running a RADIUS server on an RSA server, configure RADIUS authentication as described in "Using RADIUS Servers for Authentication and Authorization" on page 69.

If a user is not located on the RSA ACE/Server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the user information stored locally on the Firebox SSL VPN Gateway, if the check box Use the local user database on the Access Gateway is checked on the Settings tab.

The Firebox SSL VPN Gateway supports Next Token Mode. If a user enters three incorrect passwords, the Secure Access Client prompts the user to wait until the next token is active before logging on. If a user logs on too many times with an incorrect password, the RSA server might disable the user's account.

To contact the RSA ACE/Server, the Firebox SSL VPN Gateway must include a copy of the ACE Agent Host sdconf.rec configuration file that is generated by the RSA ACE/Server. The following procedures describe how to generate and upload that file.

Note
The following steps describe the required settings for the Firebox SSL VPN Gateway. Your site might have additional requirements. Refer to the RSA ACE/Server documentation for more information.

If the Firebox SSL VPN Gateway needs to be imaged again, see "Resetting the node secret" on page 82.

To generate a sdconf.rec file for the Firebox SSL VPN Gateway

1 On the computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.

2 In the RSA ACE/Server Administration interface, go to Agent Host > Add Agent Host (or, if you are changing an Agent Host, Edit Agent Host).

3 In the Name field, enter a descriptive name for the Firebox SSL VPN Gateway (the Agent Host for which you are creating a configuration file).

4 In the Network address field, enter the internal Firebox SSL VPN Gateway IP address.

5 For Agent type, select UNIX Agent.

6 Make sure that the Node Secret Created check box is clear and inactive when you are creating an Agent Host. The RSA ACE/Server sends the Node Secret to the Firebox SSL VPN Gateway the first time that it authenticates a request from the Firebox SSL VPN Gateway. After that, the Node Secret Created check box is selected. By clearing the check box and generating and uploading a new configuration file, you can force the RSA ACE/Server to send a new Node Secret to the Firebox SSL VPN Gateway.

7 Indicate which users can be authenticated through the Firebox SSL VPN Gateway through one of the following methods:
• To configure the Firebox SSL VPN Gateway as an open Agent Host, click Open to All Locally Known Users and then click OK.
• To select the users to be authenticated, click OK, go to Agent Host > Edit Agent Host, select the Firebox SSL VPN Gateway host, and then click OK. In the dialog box, click the User Activations button and select the users.
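The authentication order described at the start of this section (primary ACE/Server, then replication servers on connection loss, then the optional local user database, with Next Token Mode after three incorrect passwords) as an added simplified model, not code from WatchGuard or RSA. The server and gateway classes, the sample passcodes, and the 'unreachable' outcome when no server answers are assumptions made for illustration; the real ACE protocol is not reproduced.

```python
from dataclasses import dataclass, field

NEXT_TOKEN_THRESHOLD = 3  # three incorrect passwords trigger Next Token Mode

class ServerUnreachable(Exception):
    """Raised when the simulated ACE/Server cannot be contacted."""

@dataclass
class AceServer:
    """Minimal stand-in for an RSA ACE/Server (primary or replica)."""
    name: str
    passcodes: dict          # user -> expected passcode (constructed sample data)
    reachable: bool = True

    def authenticate(self, user, passcode):
        if not self.reachable:
            raise ServerUnreachable(self.name)
        # Unknown user and wrong passcode are both plain failures, as on the page
        return self.passcodes.get(user) == passcode

@dataclass
class Gateway:
    """Models the gateway's decision order: primary, replicas, then local DB."""
    primary: AceServer
    replicas: list
    local_users: dict            # local user database on the gateway (constructed)
    use_local_db: bool = False   # the "Use the local user database" check box
    failures: dict = field(default_factory=dict)

    def authenticate(self, user, passcode):
        """Returns 'ok', 'ok-local', 'fail', 'next-token' or 'unreachable'."""
        rsa_result = None
        for server in [self.primary, *self.replicas]:
            try:
                rsa_result = server.authenticate(user, passcode)
                break                    # first reachable server decides
            except ServerUnreachable:
                continue                 # fail over to the next replica
        if rsa_result is None:
            return "unreachable"         # assumption: no server answered
        if rsa_result:
            self.failures[user] = 0
            return "ok"
        # RSA rejected the user: optional fallback to the local database.
        if self.use_local_db and self.local_users.get(user) == passcode:
            return "ok-local"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= NEXT_TOKEN_THRESHOLD:
            return "next-token"          # client tells the user to wait for the next token
        return "fail"
```

Running the model with the local database enabled shows that a user rejected by RSA can still log on with a matching local password, which is why that check box should be enabled only for accounts that genuinely need a non-token path.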