VIP Enterprise Gateway Automatic Business Continuity


Article ID: 151020


Products

VIP Service

Issue/Introduction

VIP Enterprise Gateway Business Continuity

Environment

VIP Enterprise Gateway

Resolution

What is Business Continuity Mode?

Automatic Business Continuity (ABC) is an option in the Validation Server settings for monitoring connectivity to VIP user authentication services (https://userservices-auth.vip.symantec.com). When enabled, multi-factor authentications 'fail open' if connectivity is lost or interrupted.

How does it work?

If VIP authentications fail due to loss of VIP Cloud connectivity:

  • The Validation Server signals the VIP Health Check service to begin monitoring VIP Cloud connectivity every second.
  • If connectivity is re-established within the Health Check threshold settings, the Health Check service responds that ABC mode is not necessary and no further action is taken. 
  • If connectivity is not re-established within the Health Check threshold settings, the Health Check service triggers the Validation Server to activate ABC mode. VIP Cloud connectivity is continuously monitored.
  • VIP MFA continues to function for end-users as if everything is normal. 
  • When connectivity is re-established, the VIP Health Check service signals the Validation Server to exit ABC mode. Full VIP authentications with the VIP Cloud resume.

While a Validation Server is in ABC mode due to loss of connectivity:

  • The Validation Server continues to perform 1st-factor LDAP lookups (if User Store lookup is enabled). 
  • 2nd-factor authentication accepts any 6-digit security code entered by the end-user and responds with an ACCEPT-ACCEPT. End-users are unaware of this condition.
  • VIP PUSH and Out-Of-Band (OOB) features require cloud connectivity. Users who typically receive a PUSH or receive a code via SMS, Voice or Email will be prompted to manually enter a 6-digit code.
  • ABC mode is not triggered if LDAP connectivity is lost. Loss of LDAP connectivity indicates a broader network issue.
  • VIP JavaScript integration with Enterprise Gateway 9.8.4 or later in your application will accept any six-digit code. JavaScript validations with 9.8.3 or earlier will fail.
  • Idle VIP Validation Servers will not enter ABC mode.
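
The behavior described in the two lists above can be modeled to estimate, for a given outage, how many second-factor checks were accepted without VIP Cloud validation. This Python model is an added example and is not part of the product or the original article; `Tick`, `simulate`, `outage_timeline` and `threshold_s` are hypothetical names, and the Health Check threshold is assumed to be a count of consecutive failed one-second probes.

```python
from collections import namedtuple

# One record per second of a constructed timeline (not real gateway telemetry).
Tick = namedtuple("Tick", "cloud_up ldap_up auth_request")

def simulate(ticks, threshold_s, mode="automatic"):
    """Model the ABC state machine described in the article.

    threshold_s is an assumed stand-in for the Health Check retry/timeout
    setting: consecutive failed one-second probes before ABC is signalled.
    Returns (events, unverified); unverified lists the seconds at which a
    second factor was accepted without VIP Cloud validation.
    """
    state, failed = "normal", 0
    events, unverified = [], []
    if mode == "disabled":
        return events, unverified
    for sec, t in enumerate(ticks):
        if state == "normal":
            # Only a failed VIP authentication starts monitoring, so an idle
            # server never leaves this state. LDAP loss is not a trigger.
            if t.auth_request and t.ldap_up and not t.cloud_up:
                state, failed = "monitoring", 0
                events.append((sec, "monitoring_started"))
        elif state == "monitoring":
            if t.cloud_up:
                state = "normal"
                events.append((sec, "recovered_within_threshold"))
            else:
                failed += 1
                if failed >= threshold_s:
                    state = "tripped"
                    events.append((sec, "abc_entered" if mode == "automatic"
                                   else "notify_only_alert"))
        elif state == "tripped":
            if t.cloud_up:
                state = "normal"
                events.append((sec, "connectivity_restored"))
            elif t.auth_request and t.ldap_up and mode == "automatic":
                unverified.append(sec)  # any 6-digit code is accepted here
    return events, unverified

def outage_timeline(pre, down, post, busy=True):
    """Constructed input: cloud up for pre s, down for down s, up for post s."""
    return ([Tick(True, True, busy)] * pre + [Tick(False, True, busy)] * down
            + [Tick(True, True, busy)] * post)
```

Running `simulate(outage_timeline(3, 10, 3), threshold_s=5)` shows the fail-open window opening only after the threshold is exceeded; the same timeline with `mode="notify_only"` raises the alert but accepts nothing unverified.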

How to set Business Continuity Mode to Automatic on VIP Enterprise Gateway

  1. Log in to the Enterprise Gateway console
  2. Enable and configure VIP Health Check settings.
  3. Configure SMTP Server Settings for ABC email notifications. 
  4. Click the Validation tab. Click Edit under the Action column.
  5. Scroll down the page to find the section titled Business Continuity.
  6. Click the option for Automatic. ('Enabled' turns ABC mode on permanently)
  7. Select Notify Only to notify the administrator by email when Business Continuity mode is activated, without actually switching into BC mode. 
  8. Then click Submit.
  9. Restart the validation server for the change to take effect.  

    Note: By default, Disabled is selected. When set to Automatic, if the Validation Server detects connectivity issues, it activates the VIP Health Check service, which sends a signal to enter ABC mode if connectivity isn't re-established before the retry/timeout setting in the Health Check settings is exceeded. The Validation Server monitors connectivity and switches to Business Continuity mode until connectivity is re-established. Select Enabled to force Business Continuity mode on (for testing only). To configure email notifications for business continuity, go to Settings > Health Check Settings and configure the email template.

How to set Business Continuity Mode for ADFS (requires separate module installation)

  1. Log on to the Primary ADFS server.
  2. Open the VIP Integration Settings application.
  3. Click the Enable Automatic Business Continuity Mode check box.
  4. Click OK and then open Services.msc.
  5. Find Active Directory Federation Services and then restart the service. Note: This will reset all ADFS connections for all hosted SSO applications.
  6. If you have multiple ADFS farm machines, the same steps must be followed on all servers in the cluster.
  7. To return to non-BC mode, open the VIP Integration Settings application and uncheck the Enable Automatic Business Continuity check box. Click OK.
  8. Open Services.msc.
  9. Repeat step 5.
  10. Verify that users can log in.

How to test Business Continuity Mode

To manually test, set Automatic Business Continuity to Enabled in the VIP Validation Server settings. Save the changes and restart the VIP Validation Server. Revert any changes when testing is complete.

To test automatic switching between normal mode and Automatic Business Continuity mode:

  • Set Automatic Business Continuity to Automatic in the VIP Validation Server settings. Save the changes and restart the VIP Validation Server.
  • Interrupt connectivity between the VIP Enterprise Gateway and https://userservices-auth.vip.symantec.com.
  • Begin sending multiple RADIUS authentication requests to the VIP Validation Server. ABC mode will activate when the VIP Health Check service threshold settings are exceeded. 
  • Allow connectivity to https://userservices-auth.vip.symantec.com. ABC mode will deactivate when the VIP Health Check service detects connectivity and signals normal validation mode. 
  • Revert any change and restart the validation service when testing is complete.

Need More Information?

Additional information on monitoring the availability of the VIP cloud platform and handling service degradation to allow business continuity is available in the attached PDF document.

Attachments

VIP_Business_Continuity_Preparedness.pdf