Gateways
A Gateway is a grouping of Gateway Instances that share the same configuration. To ensure high availability, Entrust recommends that you add at least two instances to your gateway.
Once deployed, each Gateway Instance contains the following agents:
- Password Agent—Performs Active Directory password authentication, password reset and password change requests, and sends requests to the Certification Authority (CA) Gateway.
- RADIUS Agent—Performs RADIUS authentication for services such as VPN. The RADIUS Agent supports the following authentication protocols:
  - Password Authentication Protocol (PAP)
  - Challenge-Handshake Authentication Protocol (CHAP)
  - Microsoft Challenge Handshake Authentication Protocol version 1 (MSCHAPv1)
  - Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2)
  CHAP and MSCHAP are not supported by Active Directory (AD) Password authenticators: the verifier must recompute the challenge response itself, which requires the cleartext password (CHAP) or the NT hash (MSCHAP), and an AD Password authenticator, which only checks a password against the domain, holds neither. OTP and Token (including Entrust Soft Token Push) authenticators support all four RADIUS authentication protocols.
- Identity Enterprise Agent—Allows existing Entrust Identity Enterprise integrations and other clients to use Identity as a Service in place of Entrust Identity Enterprise.
- Directory Sync Agent—Syncs Active Directory users and groups with Identity as a Service.
- Management Agent—Handles gateway upgrade requests launched from Identity as a Service.
- SIEM Agent—Sends Enterprise Service Gateway events to the SIEM system.
An Identity as a Service Gateway is hardened to the CIS Level 1 hardening standard. See the Center for Internet Security for more information about the standard.
For Enterprise Service Gateways that connect to IDaaS, you must configure your firewall to allow outbound connections from the gateway to your IDaaS account. IDaaS uses HTTPS on TCP port 443; the gateway initiates these connections, so no inbound rule is needed for them.
Identity as a Service Gateway port information
- The Identity as a Service Gateway and its agents connect outbound to Identity as a Service on TCP port 443.
- A VPN (or any other RADIUS client) connects to the RADIUS Agent within the Identity as a Service Gateway over UDP. The RADIUS Agent listens on port 1812 by default, so allow inbound UDP 1812 only from your RADIUS clients.
- The Entrust Identity Enterprise application connects to the Entrust Identity Enterprise Agent over TCP and must be configured to use port 8443 over TLS, so allow inbound TCP 8443 only from the Identity Enterprise application.
Topics in this section
Create and configure a Gateway Instance
The first time you create a Gateway, you must download the Enterprise Service Gateway image file and register it with Identity as a Service.
Add a Gateway Instance
For high availability, add additional Gateway Instances to your existing Gateway.
Enable and disable Gateways, Gateway Instances, and Gateway agents
Once you have configured a Gateway Instance, you can see the status of the Gateway agents. If required, you can disable an agent, which can be useful for managing traffic on your network. You can also delete a Gateway. When you delete a Gateway, you also delete every Gateway Instance and all configuration associated with the Gateway.
Set Advanced Gateway settings
Advanced Gateway settings control authentication traffic arriving over your VPN network: the number of worker threads that handle password authentication requests to the Password Agent, and the client rate limit that caps authentication requests to the RADIUS Agent from a single client IP address.
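As an added example of the client rate-limiting idea (not Entrust's implementation; the algorithm, the limits and the request stream below are constructed for illustration), the following Python script runs a per-client-IP sliding-window limiter over a sample sequence of RADIUS request timestamps and reports how many requests from each client IP would be accepted or dropped:

```python
from collections import defaultdict, deque

# Constructed request stream: (seconds since start, client IP of the RADIUS client).
# 10.0.0.5 fires once a second and keeps going after being throttled; 10.0.0.9 is well behaved.
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.5"), (0.5, "10.0.0.9"), (1.0, "10.0.0.5"), (2.0, "10.0.0.5"),
    (3.0, "10.0.0.5"), (3.5, "10.0.0.9"), (4.0, "10.0.0.5"), (5.0, "10.0.0.5"),
    (6.0, "10.0.0.5"), (7.0, "10.0.0.5"), (11.0, "10.0.0.5"), (20.0, "10.0.0.5"),
    (20.5, "10.0.0.9"),
]


class ClientRateLimiter:
    """Sliding-window limiter keyed by client IP: at most `max_requests` attempts per
    `window_seconds`. Every attempt counts, accepted or not, so a client that keeps
    hammering stays throttled until it backs off (a deliberate design choice here)."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, client_ip: str, now: float) -> bool:
        q = self._attempts[client_ip]
        while q and q[0] <= now - self.window:  # forget attempts that left the window
            q.popleft()
        q.append(now)
        return len(q) <= self.max_requests


def simulate(requests, max_requests: int = 5, window_seconds: float = 10.0) -> dict:
    """Run a request stream through the limiter; returns {ip: (accepted, rejected)}."""
    limiter = ClientRateLimiter(max_requests, window_seconds)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


if __name__ == "__main__":
    for ip, (accepted, rejected) in simulate(SAMPLE_REQUESTS).items():
        print(f"{ip}: accepted={accepted} rejected={rejected}")
```

When sizing a real limit, remember that a VPN concentrator presents one source IP for all of its users, so the threshold must sit above the peak aggregate rate of legitimate logins from that device, and that RADIUS clients retransmit on timeout, so each retry counts as another attempt against the same client IP.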
Upgrade a Gateway Instance
Before upgrading a Gateway Instance, take a snapshot of the Enterprise Service Gateway image. If the upgrade fails, capture the upgrade logs and roll the appliance back to the snapshot. Once rolled back, reactivate the Gateway Instance following the instructions in Create and configure a Gateway Instance.
Enable SSH on an Enterprise Service Gateway
You can modify the settings of your Enterprise Service Gateway so that users can log in over Secure Shell (SSH). Enable SSH only when you need it, for example for troubleshooting, restrict it at the firewall to your management hosts, and disable it again afterwards.
Manage Gateway certificates
By default, a Gateway Instance on Identity as a Service contains a self-signed TLS certificate that you can download. You can replace the self-signed certificate with one signed by a certificate authority (CA). The CA can be a public CA such as Entrust Certificate Services (ECS) or a private CA. Until you replace it, anything that connects to the gateway over TLS, such as the Entrust Identity Enterprise application on port 8443, has to be configured to trust the downloaded self-signed certificate.