What is Business Continuity Mode?

Automatic Business Continuity (ABC) is an optional feature that allows 2-factor transactions to 'fail open' while connectivity to the VIP user authentication service (userservices-auth.vip.symantec.com) is unreachable. 

How does it work?

The VIP RADIUS Validation Server communicates with the VIP service to complete the authentication. If the VIP service is unreachable, the transaction will fail and user access is denied. When the ABC option is set to automatic and the VIP Service is unreachable, the VIP Validation Server signals the VIP Health Check service to immediately begin monitoring VIP Service connectivity. If connectivity is not established within the time threshold in the Health Check setting, a signal is sent to the Validation Server to enter ABC mode. When the VIP Service connection is re-established, the VIP Health Check service signals the Validation Server to resume normal mode. 

While ABC mode is active, the VIP Validation Server will continue to perform 1st-factor LDAP lookups (if applicable) and will send an ACCESS-ACCEPT for any 6-digit code from the end-user. End-users will continue to use the 6-digit code from their VIP credential as they normally do, unaware that ABC mode is active.

While ABC mode is active:

• VIP PUSH and Out-Of-Band (OOB) features are unavailable. Users will need to manually enter a 6-digit security code.
• Loss of VIP Service does not affect User Store LDAP connectivity. Connectivity loss to LDAP and VIP Services indicates a broader network issue.
• VIP JavaScript with Enterprise Gateway 9.8.4 or later in your application will accept any six-digit code. JavaScript validations using the Enterprise Gateway 9.8.3 or earlier will fail. 
• ABC mode is activated by user transactions unable to reach VIP services. Idle VIP Validation Servers will not enter ABC mode until transactions are received. 

How to set Business Continuity Mode to Automatic on VIP Enterprise Gateway

1. Log in to the Enterprise Gateway console
2. Configure the VIP Health Check settings to set connection timeouts and notification messages.
3. Configure SMTP Server Settings for ABC email notifications. 
4. (optional) Configure 
5. Click the Validation tab.
   
6. Under the Action column, click Edit for the validation server you want to enable Business Continuity mode on.
   
7. Scroll down the page to find the section titled Business Continuity.
8. Click the option for Automatic.
   
9. Then click Submit.
10. The validation server must be restarted for the change to take effect.  
    
    Note: By default, Disabled is selected. Select Automatic to enable Business Continuity in automatic mode. In this mode, the Validation server detects the connectivity issues automatically. If it cannot reach the VIP Authentication Service, the Validation Server switches to the Business Continuity mode until connectivity is re-established. Select Enabled to force Business Continuity mode on (for testing only). To configure email notifications business continuity, go to Settings > Health Check Settings and configure the email template. 

How to set Business Continuity Mode mode for ADFS ( requires separate BC mode module installation)

1. Log on to the Primary ADFS server.
2. Open the VIP Integration Settings application.
3. Click the Enable Automatic Business Continuity Mode check box.
   
4. Click OK and then open Services.msc.
5. Find Active Directory Federation Services and then restart the service. Note: This will reset all ADFS connections for all hosted SSO applications.
6. If you have multiple ADFS farm machines the same steps will need to be followed for all servers in the cluster.
7. To return to non-BC mode, open the VIP Integration Settings application and uncheck the Enable Automatic Business Continuity check box. Click OK.
8. Open Services.msc.
9. Repeat step 5.
10. Verify that users can log in.

How to test Business Continuity Mode

To manually test, set Automatic Business Continuity to Enabled in the VIP Validation Server settings. Save the changes and restart the VIP Validation Server. Revert the settings and restart when testing is complete.

To test automatic switching between normal mode and Automatic Business Continuity mode:

• Set Automatic Business Continuity to Automatic in the VIP Validation Server settings. Save the changes and restart the VIP Validation Server.
• Interrupt connectivity between the VIP Enterprise Gateway to https://userservices-auth.vip.symantec.com.
• Begin sending multiple RADIUS authentication requests to the VIP Validation Server. ABC mode will activate when the VIP Health Check service threshold settings are exceeded. 
• Allow connectivity to https://userservices-auth.vip.symantec.com. ABC mode will deactivate when the VIP Health Check service detects connectivity and signals normal validation mode. 
• Revert any change and restart the validation service when testing is complete.

Need More Information?

Detailed information on monitoring the availability of the VIP cloud platform and handling service degradation to allow business continuity is available in the attached PDF document.