RSA Authentication and APM
Before I get to the question, let me give a short, quick overview of how this was designed to work by our architects.
Our APM is configured as a Shared Device in an MS environment. One of those services we offer is RSA and the APM.
We have one Virtual Server and one Access Policy pointing to that Virtual Server, with all internal and external customer connections going through one access policy.
For customers and internal users, our Shared RSA and AD function without an issue. The bulk of the customers take advantage of this; however:
We have 2 customers where we manage their RSA in their environment. We have both Production and Management IPs to work with.
I have the RSA Agent Host configured to use the Floating IP, with the Secondary IPs as the APM pairs (we have 4 sites). I have created the AAA server to point to that Floating IP associated with the Agent Host.
The AD is also managed in the customer environment, and will be used for nothing more than querying for the various Network Tunnels that are to be assigned to their employees, but those are also set up.
Now for the APM: each customer gets their own separate VLAN, a bank of /29 IPs. We use individual route domains/routes/floating and self IPs.
My issue, and I have been banging my head on this for about 2 months: I can authenticate from inside the APM to the RSA; however, when attempting via the URL for the customer, it shows no traffic leaving the APM.
My argument back to the architects (for the last 2 months) is that each of our "external" customers will require their own Virtual Server/Policy Editor configuration with their own set of "private" (for lack of a better term) IPs in order for RSA to see the traffic from the APM.
Has anyone ever encountered this issue? Fire away with questions; I will answer as best I can, as I may have missed something in my wordy description.
Thanks!
DJL