Symantec Firewall + RSA/ACE

Hi,

I have a server in a DMZ off of my Symantec Enterprise Firewall v7.04. On this server I've installed the new RSA/Agent for Windows v6.0. My RSA/Ace 6.0 server is behind the private interface of my firewall in a different subnet. When I do the "direct authentication test" via the RSA test tool on the DMZ server, I can contact the ACE server fine, however the authentication keeps failing with "Invalid passcode" (ACE log). Some background:

- The DMZ server has been added to the list of agent hosts

- The token and user are both set up correctly

- Currently the firewall is allowing ALL protocols back and forth from the DMZ and production network

- I CAN successfully authenticate from another agent server in the same private network as the ACE server, so there is no problem with the ACE server

- When I look at the ACE logs, it shows my FIREWALL as the originating agent host, not my DMZ server. When I saw this, I added my firewall as an agent host on ACE just for the heck of it, still no go

- The DMZ server and ACE server are on correct UTC time

- The firewall is on normal time, NOT UTC (even when I switched it to UTC it didn't work)

My question: Why is ACE seeing the request as coming from the firewall's internal interface, and how can I make it show the DMZ server's info instead? Is this even the cause of my authentication problem? I was under the impression that the firewall just proxies information back and forth from the DMZ and prod network and doesn't modify the initial packet information?

If I can't get my ACE server to see the original DMZ server as the requestor, does that mean I have to install the RSA agent on my firewall too (and also change to UTC time) for everything to work? This would cause me unthinkable pain and I don't think is an option for me. Any information or pointers on where to look would be great...

Thanks, Rob

