Resilience

SecurAccess

Each SecurAccess Agent or Radius Client can be configured for up to 2 Security Servers

Each Security Server can be configured for up to two LDAP servers

The following diagram illustrates a typical resilient design with two VPN Servers (Radius Clients)

For most deployments, even those with large user populations, two Security Servers are sufficient. Additional servers are only needed where a Radius Client has limited network connectivity to the existing pair.

Resilient Security Server

SMS Gateway Resilience

When two security servers are installed, each with one SMS phone gateway modem or one SMS Web Gateway, the following failover logic applies:

If the web gateway or phone modem on one server fails to connect, that server fails incoming authentication requests over to the next configured security server and its working SMS gateway. The failed SMS gateway is polled every 60 seconds to see whether the fault has cleared; once it has, the gateway automatically detects that the web service or modem is working again and resumes accepting authentication requests.

If the phone SMS gateway and the web SMS gateway are both installed on the same security server, one of them can be given priority; if the preferred gateway fails, the other gateway service is enabled automatically.

Setting up Multiple Security Servers

Advanced Configuration - Additional Servers

Multiple security servers must share the same security encryption key, which is held in config.db. Because this file carries the key, copy it between servers over a protected channel and restrict access to it on every server.

To install additional security servers:

  1. Run the Security Server setup.exe install program on the next required server.
  2. Select "Additional server".
  3. Press the "Upload config.db" button and browse to the config.db file on the first security server you installed. The default location for this file is:

     32 bit installations: C:\Program Files\Bomgar\Security Server\
     64 bit installations: C:\Program Files (x86)\Bomgar\Security Server\

     Carry out the same task for the "server.ini" file.

     Note: Each Bomgar Verify security server uses a local.ini file and a server.ini file; this split exists to assist deployments where multiple Bomgar Verify servers exist. The local.ini file stores local configuration details; the server.ini file stores global configuration details.

  4. Start the Admin GUI on the new server and select the "config" menu. Match any changes made so that all servers have the same configuration settings.

Additional servers MUST share the same Bomgar Verify administration account for each domain they manage

The Batch Server start times must be set to the same moment on every server, allowing for differences in local time zone.

If the batch server processes do not run within 10 minutes of each other, end users may be sent more than one day code.


Resilience (Batch Server Logic)

Bomgar Verify Batch Server

This Windows service is only required for the SecurAccess, SecurMail and SecurPassword products.

It handles users set to TMP MODE and DAY MODE and carries out an absolute licence count check.

Every 24 hours, at a defined time, it checks all users in LDAP and, where required, sends them their next passcode. For users in TMP MODE it counts down the number of days the user is allowed to remain in TMP MODE; when zero is reached, the user is automatically switched back to ONE TIME CODE and sent a new passcode.

The Batch Server can also delete emails that have resided on the SecurMail server for longer than a defined limit (configured as a number of days).

Multiple Batch Server Logic

When more than one security server is running a batch server, additional logic governs which one runs. Each server first reads the last run date from the LDAP attribute PrimaryTelexNumber on the Admin user's account.

If the batch has not run in the last 15 minutes, the server requests a lock by generating a unique 8-digit lock code and writing it to that LDAP attribute on the Admin user. It then waits 30 seconds to allow Active Directory (LDAP) replication to complete and reads the attribute back. If it reads its own lock code, the batch server runs; if it reads a different lock code, another server has also requested the lock and will run instead.

Multiple Batch Server Pre-requisites

All Batch Servers that manage the same domain and user search base MUST have the same run time and period set.

The clocks of these servers should not be more than 10 minutes adrift from each other.
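The lock contention logic described above, as an added Python model that is not Bomgar Verify code. It assumes a record layout for the replicated attribute (last-run time plus current lock code), made-up server names, and an optional per-server clock offset so that the effect of clock drift, which the prerequisites above limit to 10 minutes, can be shown. The two phases stand in for the write, the 30-second replication wait, and the read-back:

```python
"""Added model (not Bomgar Verify code) of the multi-batch-server lock.

The replicated LDAP attribute (PrimaryTelexNumber on the admin account) is
modelled as an in-memory record holding the last-run time and the current lock
code; the 30-second replication wait becomes an explicit second phase so that
several servers can be stepped through one scheduled run deterministically.
Record layout, server names and clock offsets are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import secrets

RUN_INTERVAL = timedelta(minutes=15)   # "has not run in the last 15 minutes"


@dataclass
class AdminAttribute:
    """Stand-in for the single replicated LDAP attribute (assumed layout)."""
    last_run: Optional[datetime] = None
    lock_code: Optional[str] = None


def new_lock_code() -> str:
    """Unique 8-digit lock code: zero-padded, drawn from a CSPRNG."""
    return f"{secrets.randbelow(10 ** 8):08d}"


class BatchServer:
    def __init__(self, name: str, directory: AdminAttribute,
                 clock_offset: timedelta = timedelta(0)):
        self.name = name
        self.directory = directory
        self.clock_offset = clock_offset      # models a server whose clock is adrift
        self.my_code: Optional[str] = None
        self.runs = 0

    def request_lock(self, now: datetime) -> bool:
        """Phase 1: if no batch has run in the last 15 minutes (by this server's
        own clock), write our lock code to the replicated attribute."""
        local_now = now + self.clock_offset
        last = self.directory.last_run
        if last is not None and local_now - last < RUN_INTERVAL:
            self.my_code = None
            return False
        self.my_code = new_lock_code()
        self.directory.lock_code = self.my_code   # replicated write; last writer wins
        return True

    def run_if_lock_held(self, now: datetime) -> bool:
        """Phase 2, after the replication wait: read the attribute back and run
        only if our own code survived. A different code means another server
        requested the lock after us and will run instead."""
        if self.my_code is None or self.directory.lock_code != self.my_code:
            self.my_code = None
            return False
        self.directory.last_run = now + self.clock_offset
        self.directory.lock_code = None
        self.my_code = None
        self.runs += 1
        return True


def scheduled_run(servers: List[BatchServer], now: datetime) -> Optional[str]:
    """One scheduled batch window: every server that believes a run is due writes
    its code, the replication wait elapses, then each reads back.
    Returns the name of the server that ran, or None if nobody ran."""
    contenders = [s for s in servers if s.request_lock(now)]
    # ... the 30 s replication wait elapses here ...
    winners = [s.name for s in contenders if s.run_if_lock_held(now)]
    return winners[0] if winners else None


if __name__ == "__main__":
    attr = AdminAttribute()
    a, b = BatchServer("verify-01", attr), BatchServer("verify-02", attr)
    t0 = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    print(scheduled_run([a, b], t0))                          # exactly one server runs
    print(scheduled_run([a, b], t0 + timedelta(minutes=5)))   # None: ran 5 minutes ago
    # A server whose clock is 20 minutes fast sees the last run as stale and runs
    # again, which is how end users end up with more than one day code.
    c = BatchServer("verify-03", attr, clock_offset=timedelta(minutes=20))
    print(scheduled_run([a, b, c], t0 + timedelta(minutes=6)))
```

Note the last write to the attribute decides the winner, which is why the protocol only works if replication has settled before the read-back, and why a clock more than the 15-minute window adrift defeats the last-run check entirely.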

Resilience (RADIUS)

Bomgar Verify Radius Server

To provide resilience for RADIUS clients, the NAS folder can be copied from the first Bomgar Verify server to each subsequent Bomgar Verify server that is deployed. Make sure that each RADIUS client is also configured with the correct IP address of every Bomgar Verify replica server.

The NAS folder is located at:

    For 32 bit installations:
    Program Files\Bomgar\Security Server\Data\RADIUS\DICT\RADIUS\NAS
    For 64 bit installations:
    Program Files (x86)\Bomgar\Security Server\Data\RADIUS\DICT\RADIUS\NAS

Resilience (Server.ini)

Server.ini - Global settings

If configuration changes are made on one of the Bomgar Verify servers, those changes may need to be replicated to each of the other Bomgar Verify servers that are deployed.

One example is if a new domain was added into the configuration.

As the server.ini file only holds global information, this allows the file to be copied to each Bomgar Verify server.

Note: All Bomgar Verify servers should be at the same software revision level

The server.ini file is located in:

    For 32 bit installations:
    Program Files\Bomgar\Security Server\
    For 64 bit installations:
    Program Files (x86)\Bomgar\Security Server\

The configuration changes are automatically detected and used.

Automated server.ini sync between Bomgar Verify servers

The software now has the functionality to push the server.ini file to all Bomgar Verify Security Servers automatically whenever it changes. To enable this, set the line below to True in the server.ini file (C:\Program Files (x86)\Bomgar\Security Server). By default the setting is False.

    # Automatically copy server.ini to all replica servers, Version above MUST be the same on all servers (True or False)
    # Make sure this server can browser all replicas (http://my_replica_host_name/secrep should download server.ini)
    SyncServerINI=True

Once this setting has been updated on the master server, copy server.ini manually to each Bomgar Verify server one last time so that every server has the setting at True. All servers must have the same version of the software installed. Because the /secrep URL serves the global configuration over plain HTTP, restrict access to it so that only the other Bomgar Verify servers can reach it.

Once configured, the server.ini will update across all servers regardless of whether the changes are made on the master or a replica.
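A pre-flight check for the rules this page states about multi-server deployments (identical server.ini on every server, the same software version before SyncServerINI is enabled, and batch-server start times that coincide once time zones are allowed for), as an added Python example that is not Bomgar Verify code. It assumes server.ini is a sectionless key=value file with '#' comments, that the version line is a key named Version, and it uses constructed sample files and server names:

```python
"""Added example (not Bomgar Verify code): consistency checks for a
multi-server deployment. Assumptions: server.ini is a sectionless key=value
file with '#' comments, the software version line is a key called Version,
and the sample files, server names and values below are constructed."""
from datetime import timedelta
from itertools import combinations
from typing import Dict, List, Tuple


def parse_ini(text: str) -> Dict[str, str]:
    """Parse key=value lines; skip blanks, '#'/';' comments and [section] headers.
    Keys are lower-cased so comparison is case-insensitive; values kept verbatim."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or (line.startswith("[") and line.endswith("]")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line in server.ini: {raw!r}")
        settings[key.strip().lower()] = value.strip()
    return settings


def config_drift(inis: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Return {key: {server: value}} for every key not identical on all servers.
    A key absent on a server is reported as '<missing>'."""
    parsed = {srv: parse_ini(text) for srv, text in inis.items()}
    all_keys = set()
    for settings in parsed.values():
        all_keys.update(settings)
    drift: Dict[str, Dict[str, str]] = {}
    for key in sorted(all_keys):
        values = {srv: s.get(key, "<missing>") for srv, s in parsed.items()}
        if len(set(values.values())) > 1:
            drift[key] = values
    return drift


def sync_problems(inis: Dict[str, str]) -> List[str]:
    """Conditions that break automated server.ini sync: a differing Version,
    or SyncServerINI not set to True on every server (the default is False)."""
    parsed = {srv: parse_ini(text) for srv, text in inis.items()}
    problems: List[str] = []
    versions = {srv: s.get("version", "<missing>") for srv, s in parsed.items()}
    if len(set(versions.values())) > 1:
        problems.append(f"software version differs: {versions}")
    for srv, s in parsed.items():
        if s.get("syncserverini", "False").lower() != "true":
            problems.append(f"{srv}: SyncServerINI is not True")
    return problems


def batch_start_spread(starts: Dict[str, Tuple[str, int]]) -> timedelta:
    """starts maps server -> (local start 'HH:MM', UTC offset in minutes).
    Returns the largest gap between any two servers' start times in UTC, treating
    the clock as circular (23:55 and 00:05 are 10 minutes apart, not 23h50)."""
    utc_minutes = {}
    for srv, (hhmm, offset) in starts.items():
        hours, minutes = (int(part) for part in hhmm.split(":"))
        utc_minutes[srv] = (hours * 60 + minutes - offset) % 1440
    worst = 0
    for first, second in combinations(utc_minutes.values(), 2):
        gap = abs(first - second)
        worst = max(worst, min(gap, 1440 - gap))
    return timedelta(minutes=worst)


# Constructed sample files (not real configs) for the usage below.
SERVER_A_INI = """# server.ini on the master
Version=9.3.500
# Automatically copy server.ini to all replica servers ...
SyncServerINI=True
Domains=corp.example
"""
SERVER_B_INI = """# server.ini on the replica, copied before the sync flag was enabled
Version=9.3.500
SyncServerINI=False
Domains=corp.example
"""

if __name__ == "__main__":
    inis = {"verify-01": SERVER_A_INI, "verify-02": SERVER_B_INI}
    print("drift:", config_drift(inis))
    print("sync problems:", sync_problems(inis))
    # London at 02:00 local and Berlin at 03:00 local are the same instant in UTC.
    print("batch spread:", batch_start_spread({"verify-01": ("02:00", 0),
                                               "verify-02": ("03:00", 60)}))
```

Run it against copies of server.ini pulled from each server before enabling SyncServerINI; anything reported by config_drift or sync_problems should be resolved first, and a batch_start_spread above 10 minutes means the batch servers will not coordinate reliably.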

Resilience (Gateway.ini)

New Installation

Bomgar Verify SMS/Voice Gateway

To provide resilience for SMS/Voice Gateway providers, copy the gateway.ini file from one Bomgar Verify server to another.

The gateway.ini file exists in the following paths:

    For 32 bit installations:
    Program Files\Bomgar\Security Server\gateway.ini
    For 64 bit installations:
    Program Files (x86)\Bomgar\Security Server\gateway.ini

It is recommended that the Bomgar Verify Web SMS Gateway service is restarted after the file has been copied.

When a replica server is installed or an upgrade is carried out, the gateway.ini file can be added at installation time, see diagram.