This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
BillHagen
Beginner
Beginner
‎2016-04-22 07:22 PM

Physical locations of primary and replica instances

Jump to solution

Page 118 of the RSA Authentication Manager 8.1 Administrator's Guide shows the following graphic:

1.png

I would like to install the Authentication Manager Primary Instance and LDAP Directory Server 1 in the Headquarters building, and the Secondary Instance and LDAP Directory Server 2 in the DR building, physically and geographically separated...then make the above connections.

2.png

 

Does this work? Does it make sense? I'm scared senseless that all of IT will be using a passcode with key fobs, and then AD turns to mush...and we can't get logged in to fix it. I'm hoping the above scenario will fix that?

 

Thoughts?

0 Likes
Reply
1 Solution

Accepted Solutions
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2016-04-25 12:25 PM

Jump to solution

Yes, we're on same page.  Normally you want to go local for information requests whenever possible in your network design, so it makes sense for a replica at a separate Replica site to be configured to ask the local replica site Domain Controller for User info, instead of have the same configuration of the Primary.  I've seen more than a few sites where copying the Primary configuration to the replica slows things down and causes problems, because the Replica at a different location is configured to first go to the Domain Controller next to the Primary, across a WAN.

View solution in original post

0 Likes
Reply
5 Replies
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2016-04-22 11:28 PM

Jump to solution

Both the Primary and the Replica need access to an LDAP external Identity Source like AD, so if they have local access, performance and reliability should be better.  Something like this, basic but local.

LDAPFailover.png

Preview file
4659 KB
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2016-04-22 11:29 PM

Jump to solution

Both the Primary and the Replica need access to an LDAP external Identity Source like AD, so if they have local access, performance and reliability should be better.  Something like this, basic but local.

LDAPFailover.png

Preview file
4659 KB
Reply
BillHagen
Beginner
Beginner
In response to JayGuillette
‎2016-04-25 12:19 PM

Jump to solution

Thanks for the PPT, that actually answered some other questions I had.

As for this specific question, it seems we're on the same page:

3.png

 

Correct? Primary instance pointing to local AD/LDAPS with offisite AD/LDAPS as failover, and offsite Replica pointing to offsite AD/LDAPS (that's on the same LAN) with offiste AD/LDAPS as failover.

 

Primary: onsite. Replica: offsite. Acceptable?

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2016-04-25 12:25 PM

Jump to solution

Yes, we're on same page.  Normally you want to go local for information requests whenever possible in your network design, so it makes sense for a replica at a separate Replica site to be configured to ask the local replica site Domain Controller for User info, instead of have the same configuration of the Primary.  I've seen more than a few sites where copying the Primary configuration to the replica slows things down and causes problems, because the Replica at a different location is configured to first go to the Domain Controller next to the Primary, across a WAN.

0 Likes
Reply
BillHagen
Beginner
Beginner
In response to JayGuillette
‎2016-04-25 12:35 PM

Jump to solution

Thanks Jay; this gives me confidence to go ahead with my install as planned.

0 Likes
Reply
© 2022 RSA Security LLC or its affiliates. All rights reserved.