RSA SecurID VPN - J






Create RSA Agent Host
Remove node_secret on Firewall
Configure RSA Agent Host
o Create Node Secret File
o Assign Acting Servers
o Remove Node Secret Created
o Configure Authentication Options
Firewall Configuration
o Auth Server Definition
o Address Book Entries
o Auth Users and Groups - Method 1
o Scalable Auth Users and Groups - Method 2
o VPN Phase 1 Configuration
o Phase 1 Auth Settings
o VPN Phase 2 Configuration
o Policy Configuration
Netscreen-Remote Configuration
o Virtual IP Preparation
o Proxy-ID Settings
o My Identity Settings
o Security Policy Settings
o Phase 1 Proposal
o Phase 2 Proposal

Result
Create RSA Agent Host


Log in to the RSA web console - https://<your.RSA.server>:8098
Choose the 'Agent Hosts' tab
In this example we have already defined an Agent Host
Let's look at the details for this definition:
Nothing too controversial here, although if you use a hostname in the 'Agent hostname' field you must
make sure that the RSA appliance can look up the hostname of the Agent via DNS.
Remove node_secret on Firewall
If you are testing an RSA setup, or if you replace the RSA appliance, you will need to clear the node secret
from the firewall.
The node secret is used to allow the RSA appliance and the firewall to share information.
Commands Below
Following this procedure will reboot the firewall. Plan accordingly!
On the firewall CLI:
delete node_secret
reset
Existing Authentication Policies
Any policies that you have created on the firewall that use authentication, such as Web AUTH policies,
will be reset to use local authentication as a result of this action. We are not using Web AUTH in this
procedure, but you should be aware of this if you have any Web AUTH policies on your firewall and those
policies use the RSA server.
Configure RSA Agent Host
Netscreen Cluster
If you are using RSA with a Netscreen cluster you will need to perform this step for each Netscreen
cluster node


RDP into the RSA server (either in the web console or directly)
Start > Programs > RSA Security > RSA Authentication Manager Host Mode
Choose Agent Host > Edit Agent Host
Double click the name of the agent host to modify (i.e. our Netscreen firewall)
RSA Agent
Do not modify the Agent Host that has the same hostname as the RSA appliance
We have a few steps that we need to perform. Perform each step atomically, which means performing the
action and clicking 'OK' until you are back at the RSA Authentication Manager Host Mode screen.
This is tedious, but it ensures that you perform the steps properly and completely, which will save you
pain and aggravation later when troubleshooting.
Create Node Secret File
Netscreen Cluster
If you are using RSA with a Netscreen cluster you will need to perform this step for each Netscreen
cluster node


Click 'Create Node Secret File'
Assign a password to the node secret file and confirm
Click 'OK' until you are back at the RSA Authentication Manager Host Mode screen