Manage Gateways
A Gateway is a grouping of Gateway Instances that share the same configuration. To ensure high availability, Entrust recommends that you add at least two instances to your gateway. Once deployed, each Gateway Instance contains the following agents:
- Password Agent—Performs Active Directory password authentication, password reset, and password change requests, and sends requests to the Certification Authority (CA) Gateway.
- RADIUS Agent—Performs RADIUS authentication for services such as VPN. The RADIUS agent supports the following authentication protocols:
  – Password Authentication Protocol (PAP)
  – Challenge-Handshake Authentication Protocol (CHAP)
  – Microsoft Challenge Handshake Authentication Protocol version 1 (MSCHAPv1)
  – Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2)
  CHAP and MSCHAP are not supported by Active Directory (AD) Password authenticators. OTP and Token (including Entrust Soft Token Push) authenticators support all of the above RADIUS authentication protocols.
- IdentityGuard Agent—Allows existing Entrust IdentityGuard integrations and other clients to use Identity as a Service in place of Entrust IdentityGuard.
- Directory Sync Agent—Syncs Active Directory users and groups with Identity as a Service.
- Management Agent—Handles gateway upgrade requests launched from Identity as a Service.
- SIEM Agent—Connects the Enterprise Service Gateway to the SIEM system.
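The reason CHAP and MSCHAP cannot be backed by an AD Password authenticator is that those protocols require the verifier to recompute a digest over the cleartext password, whereas a directory stores only a one-way password hash and PAP hands the server the password itself. The following Python script is an added illustration of that difference, not code from Entrust or from Identity as a Service; the PBKDF2-based credential record and the `make_hashed_record`, `verify_pap`, `chap_response` and `verify_chap` functions are assumptions made for the example, and the CHAP response computation follows RFC 1994 (MD5 over Identifier, secret and Challenge).

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the constructed credential store below; a real
# directory uses its own hashing scheme, but the point is the same: it keeps
# a one-way hash, never the cleartext password.
PBKDF2_ROUNDS = 200_000


def make_hashed_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a password the way a directory does: a salt plus a one-way hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_pap(record: dict, presented_password: str) -> bool:
    """PAP: the client sends the password itself (protected by the RADIUS
    shared secret), so the server can re-hash it and compare with the stored
    one-way hash. This is the only protocol of the four an AD Password
    authenticator can serve."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented_password.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["hash"])


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge).
    Computed on the client from the cleartext password."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def verify_chap(cleartext_password: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """CHAP: the server must recompute the same MD5, which needs the cleartext
    secret. A salted one-way hash cannot be substituted here, so an
    authenticator that only holds a password hash cannot support CHAP or
    MSCHAP; OTP and Token authenticators hold their own secret and can."""
    expected = chap_response(chap_id, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    password = "correct horse battery staple"
    record = make_hashed_record(password)
    print("PAP verified against stored hash:", verify_pap(record, password))

    challenge = os.urandom(16)
    response = chap_response(1, password, challenge)
    print("CHAP verified with cleartext secret:", verify_chap(password, 1, challenge, response))
    print("CHAP verifiable from the hashed record alone:", "hash" in record and False)
```

Run the script directly to see both checks succeed; note that `verify_chap` is the only one that takes the cleartext password as input, and nothing in `record` could be substituted for it.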
Note: An Identity as a Service Gateway is hardened as required by the CIS Hardening Standards Level 1. See the Center for Internet Security for more information about the standards.
Prerequisites
- You must be an administrator with Enterprise Gateway and Agents Management permission to administer Gateways. See Create and assign roles for more information.
- For Enterprise Service Gateways that connect to IDaaS, you must configure your firewall to allow connections to your IDaaS account. IDaaS uses HTTPS on port 443.
Identity as a Service Gateway port information
- The Identity as a Service Gateway and its agents connect to Identity as a Service on port 443.
- A VPN uses the UDP protocol to connect to a RADIUS agent within the Identity as a Service Gateway. The RADIUS agent uses port 1812 by default.
- The Entrust IdentityGuard application connects to the Entrust IdentityGuard agent over TCP. The Entrust IdentityGuard application must be configured to use port 8443 over TLS.
Topics in this section: