VIP Enterprise Gateway Business Continuity

VIP Enterprise Gateway

What is Business Continuity Mode?

Automatic Business Continuity (ABC) is an optional feature that allows 2-factor transactions to 'fail open' while connectivity to the VIP user authentication service (https://userservices-auth.vip.symantec.com) is unreachable.

How does it work?

If VIP authentications fail due to loss of VIP Cloud connectivity:

• The Validation Server signals the VIP Health Check service to begin monitoring VIP Cloud connectivity.
• If connectivity is re-established within the Health Check threshold settings, the Health Check service responds that ABC mode is not necessary. No further action is taken. 
• If connectivity is not re-established within the Health Check threshold settings, the Health Check service responds to activate ABC mode. VIP Cloud connectivity is continuously monitored.
• End-users continue to authenticate, unaware that ABC mode is active.
• When connectivity is re-established, the VIP Health Check service signals the Validation Server to exit ABC mode and resume normal authentications with the VIP Cloud.

While ABC mode is activated due to loss of connectivity:

• The Validation Server performs 1st-factor LDAP username and password lookups as expected (if enabled). 
• 2nd-factor authentication accepts any 6-digit security code entered by the end-user and responds with an ACCEPT-ACCEPT. 
• VIP PUSH and Out-Of-Band (OOB) features require cloud connectivity and are unavailable while in ABC mode. Users are prompted to manually enter a 6-digit code.  
• LDAP connectivity lost does not activate ABC mode. Loss of LDAP connectivity indicates a broader network issue. 
• VIP JavaScript integration with Enterprise Gateway 9.8.4 or later in your application will accept any six-digit code. JavaScript validations =< 9.8.3 will fail. 
• Idle VIP Validation Servers will not enter ABC mode.

How to set Business Continuity Mode to Automatic on VIP Enterprise Gateway

1. Log in to the Enterprise Gateway console
2. Enable and configure VIP Health Check settings.
3. Configure SMTP Server Settings for ABC email notifications. 
4. Click the Validation tab.
   
5. Under the Action column, click Edit for the validation server you want to enable Business Continuity mode on.
   
6. Scroll down the page to find the section titled Business Continuity.
7. Click the option for Automatic. ('Enabled' turns ABC mode on permanently)
   
8. Then click Submit.
9. The validation server must be restarted for the change to take effect.  
   
   Note: By default, Disabled is selected. When set to Automatic, if the Validation Server detects connectivity issues, it activates the VIP Health Check service, which sends a signal to enter ABD mode if connectivity isn't established if the retry/timeout setting in the Health Check settings is exceeded. The Validation Server monitors connectivity switches to the Business Continuity mode until connectivity is re-established. Select Enabled to force Business Continuity mode on (for testing only). To configure email notifications business continuity, go to Settings > Health Check Settings and configure the email template. 

How to set Business Continuity Mode mode for ADFS (requires separate module installation)

1. Log on to the Primary ADFS server.
2. Open the VIP Integration Settings application.
3. Click the Enable Automatic Business Continuity Mode check box.
   
4. Click OK and then open Services.msc.
5. Find Active Directory Federation Services and then restart the service. Note: This will reset all ADFS connections for all hosted SSO applications.
6. If you have multiple ADFS farm machines the same steps will need to be followed for all servers in the cluster.
7. To return to non-BC mode, open the VIP Integration Settings application and uncheck the Enable Automatic Business Continuity check box. Click OK.
8. Open Services.msc.
9. Repeat step 5.
10. Verify that users can log in.

How to test Business Continuity Mode

To manually test, set Automatic Business Continuity to Enabled in the VIP Validation Server settings. Save the changes and restart the VIP Validation Server. Revert the settings and restart when testing is complete.

To test automatic switching between normal mode and Automatic Business Continuity mode:

• Set Automatic Business Continuity to Automatic in the VIP Validation Server settings. Save the changes and restart the VIP Validation Server.
• Interrupt connectivity between the VIP Enterprise Gateway to https://userservices-auth.vip.symantec.com.
• Begin sending multiple RADIUS authentication requests to the VIP Validation Server. ABC mode will activate when the VIP Health Check service threshold settings are exceeded. 
• Allow connectivity to https://userservices-auth.vip.symantec.com. ABC mode will deactivate when the VIP Health Check service detects connectivity and signals normal validation mode. 
• Revert any change and restart the validation service when testing is complete.

Need More Information?

Additional information on monitoring the availability of the VIP cloud platform and handling service degradation to allow business continuity is available in the attached PDF document.