Load balancing RSA SecurID


When the friendly folk down at RSA contacted me requesting a test load balancer for a new project, the dollar signs in my eyes were glowing for all to see.

RSA SecurID is widely accepted as the strongest authentication system on the market. With almost every big company in the world utilizing SecurID (and the pertinent Authentication Manager software), the opportunity to become RSA's recommended vendor for customers configuring Authentication Manager with multiple Web Tiers was truly exciting.

As one of the longest serving VMware load balancer partners, and with both RSA and VMware operating under the same parent company of EMC, it came as no surprise that Loadbalancer.org were approached with this opportunity.

Initial discussions with the RSA EMEA lab clarified that both Authentication Manager 8.0 and Authentication Manager Express are commonly configured to use multiple Web Tiers and many customers would require a solid load balancer solution in front of this.

This solid load balancer solution would distribute authentication requests and facilitate failover between multiple Web Tier Servers. Adding a load balancer to a SecurID deployment provides the following benefits:

  • The load balancer distributes Risk Based Authentication (RBA) requests between the primary and the replica Web Tiers.
  • The load balancer can be configured to forward Self-Service Console requests coming through the HTTPS port to the Web Tier or the primary instance hosting the Self-Service Console. If the primary instance is not functioning and a replica instance is promoted to take its place, users can continue to use the same URL for the Self-Service Console.
  • The load balancer provides failover if one of the Authentication Manager instances or Web Tiers experiences downtime.

To load balance the Web Tier, a single Virtual IP (VIP) is required (as shown below). Clients then connect to the VIP on the load balancer rather than connecting directly to one of the Web Tier servers. These connections are then load balanced across the Web Tier servers with requests being distributed according to the load balancing algorithm selected.

For RSA SecurID customers, load balancing is achieved by utilizing Layer 7 SNAT mode. Layer 7 load balancing uses a proxy (HAProxy) at the application layer. Inbound requests are terminated on the load balancer and HAProxy generates a new request to the chosen server, with return traffic passing via the load balancer. Since Layer 7 works as a proxy, there is no need to set the appliance as the gateway. This method is non-transparent, i.e. the load balancer proxies the application traffic to the Web Tier Servers so that the source IP address of all traffic is the load balancer.
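A minimal HAProxy configuration sketching the single-VIP, Layer 7 SNAT layout described above. This is an added example, not taken from the RSA/Loadbalancer.org Deployment Guide or from the appliance's own generated configuration. The section names, addresses (RFC 5737 documentation range), TCP pass-through mode, balancing algorithm, timeouts and health-check intervals are all assumptions.

```haproxy
# Added illustration: names, addresses and timings are constructed placeholders.
defaults
    # Assumption: the HTTPS stream is proxied at the TCP level without being
    # decrypted on the load balancer.
    mode tcp
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# The single Virtual IP (VIP). Clients connect here on the HTTPS port instead
# of connecting directly to a Web Tier server.
frontend securid_webtier_vip
    bind 192.0.2.10:443
    default_backend securid_webtier

backend securid_webtier
    # The load balancing algorithm is a deployment choice; leastconn is one option.
    balance leastconn

    # 'check' enables health checks. A Web Tier server that fails 3 consecutive
    # checks is taken out of rotation (failover) and is returned to service
    # after 2 consecutive successful checks.
    server webtier1 192.0.2.21:443 check inter 5s fall 3 rise 2
    server webtier2 192.0.2.22:443 check inter 5s fall 3 rise 2

    # No transparent-proxy 'source ... usesrc' setting is present, so HAProxy
    # opens each server-side connection from the load balancer's own address.
    # This is the non-transparent (SNAT) behaviour: the Web Tier servers log
    # the load balancer as the source IP of every connection, so per-client
    # source addresses must be taken from the load balancer's logs instead.
```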

Whilst the load balancer can be deployed as a single unit, Loadbalancer.org strongly advise the deployment of a clustered pair for resilience & high availability. Otherwise you are simply moving the single point of failure from your servers to the load balancer.

The EMEA RSA team were extremely happy with the interoperability of our product which culminated in the authorship of an RSA Authentication Manager/Loadbalancer.org Deployment Guide. This document soon made the short trip across the pond and was welcomed with open arms by the US lab. The global success of the Loadbalancer.org - RSA interoperability has seen Loadbalancer.org join the EMC Community Network (ECN), with this highly popular document now published in the EMC Community Network Labs.

Now that news of this solution is spreading globally, RSA customers using SecurID with multiple Web Tiers are able to deploy a cost-effective high-availability solution with ease... And the metaphoric 'dollar signs in my eyes' are continuing their conversion into tangible cold hard cash ;-)