Wednesday, 16 September 2009

HA deployment of IAG, using CLB

I spent the last couple of days in Wakefield, helping out a reseller with a highly available deployment of Celestix WSA appliances using Celestix Load Balancers. Thanks for the company David!! :)

We started by configuring the Celestix Load Balancer (also known as CLB). After configuring the solution, we were informed that the internet lines would be a number of weeks away, and that we would not know whether the IPs provided would be external, internet-facing addresses or NAT'd internal addresses. Why would this be an issue?

Well, the customer wanted four IAG portals to be created, and each portal would have to be created on both appliances. With the CLB in front of the IAG appliances, the way the IP addresses are presented determines how the solution has to be deployed.

If the addresses are external facing, we would need 12 external IP addresses, three for each portal (one on each appliance, plus one for the virtual IP). If the addresses are NAT'd, then each portal would need only one external address, the one NAT'd to its virtual IP, with the per-appliance addresses staying on internal address space.

We only configured one IAG appliance, and then backed up and restored the configuration on the second IAG appliance. Obviously the IP addressing needs to be changed and the certificate information modified, but that was pretty much it.

We were deploying OWA, SharePoint, Citrix, Mapped Drives, File Access, RDP and an IIS-based intranet site.

From an authentication perspective, we looked at AD, AD & HOTPin, AD & Vasco Middleware (RADIUS) and just HOTPin. As expected, the authentication methods were straightforward, and I got a chance to use HOTPin a bit more. We configured HOTPin on the primary box, and had the secondary box referencing the primary box. You only have to allow port 10000 access between the appliances, and using local administration credentials is fine. The only pain was HOTPin not scanning AD correctly in subtrees, which means each OU would need to be defined when importing users, but I'll let Celestix know about that.

We also encountered the Java issue, so that was resolved using the fix from one of my previous blog posts.

We can only complete the deployment once we know how the IPs will be presented.... which will also affect how the load is balanced: whether or not to use DSR (with Direct Server Return the IAG appliance replies to the client directly rather than via the CLB, so each appliance needs the virtual IP bound to a loopback adapter that does not answer ARP for it), VRRP, loopback adapter configuration, etc, etc.... Let's see!


Thursday, 27 August 2009

HOTPin.... two factor authentication from Celestix

As you may have gathered, I do a lot of work with the Celestix WSA appliance, deploying numerous solutions as well as carrying out proofs of concept and web demonstrations.

I've been trialling Celestix HOTPin for a little while on my demo Celestix WSA appliance. What is Celestix HOTPin?

Celestix HOTPin is a two-factor authentication solution. Just to reiterate what the different factors of authentication are, we can use:

  • Something you know - Passwords, PINs, etc.
  • Something you have - One time passwords, tokens, etc.
  • Something you are - Fingerprint, iris scan, etc.

To have a two-factor authentication solution, you should ensure that your users authenticate with two *different* factors from this list. Two items from the same factor (for example a password plus a memorable question) is still single-factor.

Celestix HOTPin is a one time password (OTP) solution, but rather than use the traditional method of hardware tokens, the passwords are generated on soft tokens. A soft token is a piece of software that holds the token's secret and generates the OTPs on hardware you already own, such as a phone or laptop, rather than requiring a dedicated piece of hardware such as a key-fob token.

Celestix HOTPin will run on BlackBerry, iPhone and Smartphone/Windows Mobile devices, as well as 32-bit Windows machines. The software can be protected with a PIN, so even if your mobile telephone or laptop is found, the PIN should stop an OTP from being generated. How much protection that gives depends on whether the PIN is needed to unlock the stored seed or only gates the application's interface, so treat a lost device as a compromised token and revoke it either way.

If you have an SMS gateway (a device that can send text messages from your network) then an OTP can be generated by Celestix HOTPin and SMS'd over to the mobile device. A great backup solution, which does not require software to be loaded on the mobile device, but not so great if you are in a reception black hole unable to get a mobile signal!!

The Celestix HOTPin software currently integrates with the Celestix WSA appliance, which removes the need for additional hardware to run this solution. The software is managed centrally on the Celestix WSA appliance, via a very familiar interface if you are used to the Celestix products.

As mentioned before, I have been running this on my trial appliance, where I have deployed both the 32-bit Windows client and the BlackBerry client. Both of them do exactly what you expect: they generate an OTP!!

In my demonstration environment, I check for a number of items at the login page, including:

  • Windows AD Username
  • Windows AD Password
  • Celestix HOTPin (PIN & OTP)
  • CAPTCHA

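To make the soft-token and PIN & OTP ideas above concrete, here is an added example that is not HOTPin's code and does not describe HOTPin's internals (the post does not say which algorithm HOTPin uses). It implements the standard event-based HOTP of RFC 4226 as the soft token, and a server-side check of the kind the login page performs: the user types PIN followed by OTP, the server verifies the PIN, then searches a small look-ahead window of counters so a token that has drifted ahead still works, and finally advances the counter so the same code can never be replayed. The 4-digit PIN, 5-code window, user "alice" and the RFC 4226 test secret are assumptions for the example.

```python
"""RFC 4226 HOTP soft token plus a server-side PIN + OTP verifier.

Added illustration, not Celestix HOTPin code. PIN length, window size and
the sample user are assumptions; the secret is the RFC 4226 test vector seed.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

DIGITS = 6      # OTP length
PIN_LEN = 4     # assumed PIN length
WINDOW = 5      # how far ahead of the stored counter the server will search


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 truncated to `digits` decimal digits, per RFC 4226 section 5.3."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SoftToken:
    """Client side: the seed and a moving counter, as a phone or desktop app holds them."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1                       # every code is single-use
        return code


@dataclass
class UserRecord:
    secret: bytes
    salt: bytes
    pin_hash: bytes
    counter: int = 0                             # lowest counter the server still accepts


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # The PIN is a "something you know" secret, so store it hashed like a password.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class HotpServer:
    """Server side: per-user seed, hashed PIN and counter, with replay protection."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._users[user] = UserRecord(secret, salt, _hash_pin(pin, salt))

    def verify(self, user: str, passcode: str) -> bool:
        """passcode is PIN immediately followed by the OTP, e.g. '1234755224'."""
        rec = self._users.get(user)
        if rec is None or len(passcode) != PIN_LEN + DIGITS or not passcode.isdigit():
            return False
        pin, otp = passcode[:PIN_LEN], passcode[PIN_LEN:]
        if not hmac.compare_digest(_hash_pin(pin, rec.salt), rec.pin_hash):
            return False                         # wrong PIN: do not touch the counter
        for c in range(rec.counter, rec.counter + WINDOW):
            if hmac.compare_digest(hotp(rec.secret, c), otp):
                rec.counter = c + 1              # consume this and any skipped codes
                return True
        return False                             # replayed, too far ahead, or wrong


if __name__ == "__main__":
    seed = os.urandom(20)
    server, token = HotpServer(), SoftToken(seed)
    server.enroll("alice", seed, "1234")
    code = token.next_code()
    print("first use:", server.verify("alice", "1234" + code))   # accepted
    print("replay:   ", server.verify("alice", "1234" + code))   # rejected
```

Two design points worth noting: a wrong PIN returns before any counter is touched, so an attacker who only has the OTP cannot burn codes or move the window, and a successful match moves the counter past every skipped value, so codes an attacker may have shoulder-surfed earlier are dead even if they were never used.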
I'm so happy with how easy it is to install and manage, I will be deploying this into my live environment that we use at e92plus.

If you want to see a demonstration of the Celestix WSA appliance with the various authentication methods running, please contact www.e92plus.com and we will organise a web demo.
