Introduction

SecureAuth IdP appliances running version 7.5 and higher must communicate with the SecureAuth Cloud Transaction service. This service validates the license and is required for proper operation of the appliance. If the appliance cannot communicate with the cloud, error messages will begin to appear on the administrative interface and, if communication is lost for an extended period, on the user-facing interface as well. This document describes how to configure a SecureAuth appliance to communicate with the transaction service and thus remove the license error messages.

Applies to

SecureAuth IdP appliance version 7.5 - 8.x

Background Information
Known Issues
  • If a SecureAuth Appliance is disconnected from the cloud for an extended period of time due to incorrect proxy settings, you may lose access to the administrative interface. Unfortunately, without the administrative interface, there is no obvious way to update the proxy settings. If you are encountering this issue, contact SecureAuth Support for assistance. (SecureAuth staff: the internal technical document Manually Changing Proxy Settings to Resolve License Errors will guide you through the process of assisting the customer.)
  • In certain situations, even after the license file issue has been resolved, the administrative interface may still display incorrectly. This is caused by the browser having cached corrupt interface elements. To resolve this issue, see the section Clear the Browser Cache for steps to troubleshoot the problem.
  • If you receive an HTTP 417 (Expectation Failed) error, it means the proxy server does not support 100-continue responses. 100-Continue is documented in RFC 2616 Section 10.1.1 and is part of the HTTP/1.1 specification. To resolve this issue, you can either ask the proxy administrator to enable 100-continue functionality or add the following code to the SecureAuth0 web.config file:
<system.net>
    <settings>
        <servicePointManager expect100Continue="false" />
    </settings>
</system.net>
Prerequisites

Work with your organization's infrastructure team(s) to ensure the sites listed below are accessible by the SecureAuth appliance:

URL                                  IP                Port
http://cloud.gosecureauth.com        209.134.48.130    TCP/80
http://x509.multifactortrust3.com    208.74.30.105     TCP/80
Configuration Instructions

Follow the instructions below to properly configure your SecureAuth IdP appliance for communicating with the cloud transaction service.

1. Validate Proxy Configuration (if applicable)

If your facility uses a proxy server, contact SecureAuth Support for assistance to ensure the SecureAuth0 realm is properly configured for use with your web proxy. (SecureAuth staff: the internal technical document Configure a SecureAuth Realm for Operation with a Web Proxy Server will guide you through the process of assisting the customer.)

2. Verify the date (month, day and year), time and time zone are correctly set

SecureAuth IdP appliances use the Windows Communication Foundation (WCF) protocol to ensure communications between the appliance and cloud environment are secure. The underlying technologies used by WCF are sensitive to date and time discrepancies and will fail if the appliance clock is five or more minutes off. In real-world use we have seen intermittent issues start with a clock drift of three minutes. If an appliance is not joined to the domain, we recommend that you configure it to use a reliable (S)NTP server to keep the clock disciplined. To verify the time on your appliance and, if necessary, configure NTP, please see the Microsoft support document Set the Clock.

3. Validate Windows Firewall is not blocking communications to the SecureAuth Cloud

If you are using Windows Firewall on the SecureAuth IdP appliance, ensure it's configured properly for access to the SecureAuth cloud.

If you are running a SecureAuth IdP appliance with Windows Server 2008 R2

a) Click Start, click All Programs, click Administrative Tools, and then click Windows Firewall with Advanced Security.

b) If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

c) Select Outbound Rules in the left column of the Windows Firewall with Advanced Security window.

d) Locate the SecureAuth HTTP OUTBOUND policy and double-click.

e) In the SecureAuth HTTP Outbound Properties window navigate to the Scope tab.

f) In the Remote IP address section confirm there is an entry for the following IPv4 addresses:

    • 208.74.30.105
    • 209.134.48.130

If one or more of the entries is missing, follow the steps below to add them:

    • Click the Add button in the Remote IP Address section.
    • In the IP Address window in the field This IP address or subnet enter the missing IPv4 address and click the OK button.
    • In the SecureAuth HTTP Outbound Properties window, click OK.

If you are running a SecureAuth IdP appliance with Windows Server 2012

a) Point to the lower-left corner of the screen, move your mouse all the way into the corner, and then click Start.

b) Click Administrative Tools, and then double-click Windows Firewall with Advanced Security.

c) If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

d) Select Outbound Rules in the left column of the Windows Firewall with Advanced Security window.

e) Locate the SecureAuth HTTP OUTBOUND policy and double-click.

f) In the SecureAuth HTTP Outbound Properties window navigate to the Scope tab.

g) In the Remote IP address section confirm there is an entry for the following IPv4 addresses:

    • 208.74.30.105
    • 209.134.48.130

If one or more of the entries is missing, follow the steps below to add them:

    • Click the Add button in the Remote IP Address section.
    • In the IP Address window in the field This IP address or subnet enter the missing IPv4 address and click the OK button.
    • In the SecureAuth HTTP Outbound Properties window, click OK.

4. Validate an Enterprise Firewall or Intrusion Detection System (IDS) is not blocking communications to the SecureAuth Cloud

In addition to the Windows Advanced Firewall on the SecureAuth IdP appliance, ensure that all firewalls between the appliance and the Internet are configured to allow communications to the SecureAuth cloud environment. The protocol used by SecureAuth appliances to communicate with the cloud environment is known to cause issues with some IDS products. If an IDS is present you should allow all SecureAuth appliances in the environment. 

5. Ensure SecureAuth0 is using the proper certificates.

a) Open the SecureAuth administrative interface.

b) In the navigation bar click the Admin Realm link.

c) Select SecureAuth0 and then navigate to the System Info tab.

d) In the WSE 3.0 / WCF Configuration Section locate the Service Cert Serial Nbr option and click the Select Certificate link immediately below it.

  • Locate the selected certificate and ensure the date listed in the To column is not expired.
  • If the certificate is expired, please contact SecureAuth support at +1 949 777 6959 Option 2 for assistance.
  • If the certificate is not expired, click the Back button.

e) In the WSE 3.0 / WCF Configuration Section locate the Client Cert Serial Nbr option and click the Select Certificate link immediately below it.

  • Locate the selected certificate and ensure the date listed in the To column is not expired.
  • If the certificate is expired, please contact SecureAuth support at +1 949 777 6959 Option 2 for assistance.
  • If the certificate is not expired, click the Back button.

f) In the License Info Section locate the Cert Serial Nbr option and click the Select Certificate link immediately below it.

  • Locate the selected certificate and ensure the date listed in the To column is not expired.
  • If the certificate is expired, please contact SecureAuth support at +1 949 777 6959 Option 2 for assistance.
  • If the certificate is not expired, click the Back button.
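
The checks in steps 2, 3 and 5 can also be run read-only from an elevated PowerShell session on Windows Server 2012 or later (Server 2008 R2 does not ship the NetSecurity cmdlets used here). The script below is an added example, not SecureAuth code; the rule display name, the LocalMachine\My certificate store, and the NTP server and serial-number placeholders are assumptions to replace with your own values.

```powershell
# Added example (not SecureAuth code): read-only preflight for steps 2, 3 and 5.
$RuleName  = 'SecureAuth HTTP OUTBOUND'   # assumption: display name of the outbound rule
$NtpServer = '<NTP-SERVER>'               # placeholder: your reference time source
$Serials   = '<SERVICE-CERT-SERIAL>', '<CLIENT-CERT-SERIAL>', '<LICENSE-CERT-SERIAL>'  # placeholders
$Cloud     = @{ 'cloud.gosecureauth.com'     = '209.134.48.130'   # from the Prerequisites table
                'x509.multifactortrust3.com' = '208.74.30.105' }

function Get-ClockOffsetSeconds([string]$Server) {
    # w32tm prints samples such as "09:14:51, +00.0049573s"; error lines do not match.
    $last = w32tm /stripchart /computer:$Server /samples:1 /dataonly | Select-Object -Last 1
    if ($last -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
}

function Get-MissingScopeIp([string]$Name, [string[]]$Ip) {
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $rule) { Write-Warning "Rule '$Name' not found"; return $Ip }
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($remote -contains 'Any') { return }
    # Exact match only: an address covered by a subnet or range entry is still reported.
    $Ip | Where-Object { $remote -notcontains $_ }
}

function Test-TcpPort([string]$HostName, [int]$Port = 80, [int]$TimeoutMs = 5000) {
    # Direct connection; expect $false when traffic must go through a web proxy (step 1).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-CertStatus([string[]]$SerialNumber) {
    # Assumption: the realm's certificates are in the LocalMachine\My store.
    foreach ($sn in $SerialNumber) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.SerialNumber -eq $sn } | Select-Object -First 1
        if (-not $cert) { '{0}: not found in LocalMachine\My' -f $sn; continue }
        $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        '{0}: {1}, To = {2:yyyy-MM-dd}' -f $sn, $state, $cert.NotAfter
    }
}

$offset = Get-ClockOffsetSeconds $NtpServer
if ($null -eq $offset) { 'Clock: no sample from NTP server' } else { "Clock offset: $offset s" }
"Missing from rule scope: $((Get-MissingScopeIp $RuleName @($Cloud.Values)) -join ', ')"
$Cloud.Keys | ForEach-Object { 'TCP/80 to {0}: {1}' -f $_, (Test-TcpPort $_) }
Get-CertStatus $Serials
```

A clock offset approaching 180 seconds (the three-minute drift mentioned in step 2) or any address listed as missing from the rule scope should be corrected before running the test below.
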
Test the Configuration

Once the SecureAuth appliance is configured correctly, you will want to ensure the IdP appliance can reach the SecureAuth Cloud Transaction Service. To accomplish this, follow the instructions below.

1. Open the SecureAuth administrative interface.

2. In the navigation bar, click the Admin Realm link.

3. Select SecureAuth0 and then navigate to the System Info tab.

4. Locate WSE 3.0 / WCF Configuration section > Trx Log Service URL field.


5. Click the Test button to initiate a test to the SecureAuth Cloud Transaction Service.

6. If communication was established, you will see the message "Succeed!". If communication could not be established, you will see the message "Failed! Exception:" followed by a descriptive error message.

In SecureAuth IdP 7.5.1 there is a bug present in the testing routine. For that version, if you receive the message "Failed!", then the test was successful. If you receive the message "Failed! Exception:" followed by a descriptive message of the error, then the test has truly failed. This issue was fixed in SecureAuth IdP 8.0.0.  

7. If your test was successful, follow the directions below to ensure the license key is built correctly. If the test failed after following the instructions presented in the Configuration Instructions section, contact SecureAuth Support for further assistance.

Create the License Key

Now that you have configured and tested the SecureAuth IdP appliance for communication with the cloud, you will want to create or update the key file. The easiest way to accomplish this task is to use the Update WebConfig option present in the SecureAuth administrative interface. Please follow the instructions below to perform this task.

1. Open the SecureAuth administrative interface.

2. Click the Update Webconfig button.

 


3. In the Update WebConfig screen, click the Update button.

 


4. After the Update process is complete, click the continue button. This will return you to the main administrative interface.

 


5. If you were receiving license errors before, they should no longer be displayed. If the license errors are still appearing in the SecureAuth administrative interface, please contact the SecureAuth Support team for further assistance.

6. If the license errors have gone away but the SecureAuth Admin GUI is displaying incorrectly, proceed to the instructions below to clear your browser cache.

Clear the Browser Cache

If you were receiving license errors previously, there may still be some issues with the administrative interface even after resolving the license key issue. To resolve this problem, clear the cache on the browser you are using to display the SecureAuth administrative interface. Select your browser below for instructions on how to clear the cache.