WatchGuard Authentication fails with AuthPoint Gateway lower than version 5.1.5

What is the problem?
AuthPoint Gateway software must be updated to the latest available version, v5.1.5, before the week of 10 October 2019. If you do not update your AuthPoint Gateway before 10 October, it is likely that all authentication will fail for your AuthPoint user base.

When must I update my AuthPoint Gateway?
If you use AuthPoint Gateway software v5.1.3.158 or lower, you must update your Gateway software to v5.1.5 as soon as possible. If you update your Gateway software before the dates referenced below, this issue will not impact you.

  • For AuthPoint users in the APAC cloud region – 10 October 2019
  • For AuthPoint users in the EMEA cloud region – 16 October 2019
  • For AuthPoint users in the AMER cloud region – 17 October 2019

How do I find my cloud region?
In WatchGuard Cloud, select Administration > My Account. Your cloud region appears below the Data Zone heading.

Why do I need to update my AuthPoint Gateway?
AuthPoint and WatchGuard Cloud are built on Amazon Web Services (AWS) infrastructure. AWS recently notified WatchGuard of urgent changes to that infrastructure. Because of this AWS infrastructure update, you must update your AuthPoint Gateway so that it can continue to connect to WatchGuard Cloud. If the AuthPoint Gateway cannot connect to the cloud, authentication fails.

How do I update my AuthPoint Gateway?
It takes only a few minutes to update an AuthPoint Gateway, and you do not need to uninstall the existing AuthPoint Gateway before you update. See the AuthPoint Help documentation for the update steps.

What happens if I do not update my AuthPoint Gateway?
If you do not update your AuthPoint Gateway by the dates referenced above, and it is installed on a computer with Java JDK/JRE v8u212 or higher, the AuthPoint Gateway will no longer be able to connect to the WatchGuard Cloud AWS infrastructure and all Active Directory-based authentication will fail. At that point, you must update your AuthPoint Gateway immediately: manually uninstall the previous Gateway software, then install and register a new AuthPoint Gateway as described in the installation instructions.

Do I need to make other configuration changes?
If you use Firebox Content Inspection in your network, it includes predefined exceptions for the AWS IoT addresses that AuthPoint requires. Before you update your AuthPoint Gateway, you must add an additional Content Inspection exception for the new domain that your cloud region will use going forward.

If your AuthPoint cloud region is set to APAC, add this exception:
     aidd27s0p51l6-ats.iot.ap-northeast-1.amazonaws.com

If your AuthPoint cloud region is set to EMEA, add this exception:
     aidd27s0p51l6-ats.iot.eu-central-1.amazonaws.com

If your AuthPoint cloud region is set to AMER, add this exception:
     aidd27s0p51l6-ats.iot.us-west-2.amazonaws.com

For information on how to add a Content Inspection exception, see the Help documentation.

Background
WatchGuard recently received notification from AWS that, in early October, AWS will switch the WatchGuard AWS IoT endpoints from the now-legacy endpoints to the Amazon Trust Services (ATS) endpoints. The legacy endpoints use certificates issued by Symantec CAs. Oracle updated the Java JDK/JRE in v8u212 to distrust new certificates issued by these CAs. The current certificates used by AWS for these endpoints will expire in October, which requires an urgent change to the AWS infrastructure. Any AuthPoint Gateway running in an environment with Java JDK/JRE v8u212 or higher will no longer be able to connect to the AWS infrastructure of WatchGuard Cloud, and authentication will fail.
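The following Python script is an added example, not WatchGuard's code: it applies the thresholds stated in this advisory (Gateway below v5.1.5, Java 8u212 or higher) to decide whether a Gateway host is affected, and offers an optional TLS handshake against the regional ATS endpoint listed in the Content Inspection section so you can confirm the new domain is reachable through your Firebox before the cutover. The function names are my own, and treating Java 9 and later builds as "higher" than 8u212 is an assumption not stated on the page.

```python
import re
import socket
import ssl

# Thresholds stated in the advisory: a Gateway below v5.1.5 on a host with
# Java 8u212 or later cannot reach WatchGuard Cloud after the ATS cutover.
MIN_GATEWAY = (5, 1, 5)
JAVA8_DISTRUST_UPDATE = 212

# ATS endpoints per cloud region, exactly as listed in the advisory.
ATS_ENDPOINTS = {
    "APAC": "aidd27s0p51l6-ats.iot.ap-northeast-1.amazonaws.com",
    "EMEA": "aidd27s0p51l6-ats.iot.eu-central-1.amazonaws.com",
    "AMER": "aidd27s0p51l6-ats.iot.us-west-2.amazonaws.com",
}

def parse_version(text):
    """Turn a dotted version such as '5.1.3.158' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def java_distrusts_symantec(version_output):
    """True for Java 8u212 or later, parsed from `java -version` output.
    Assumption (not stated on the page): Java 9+ builds count as 'higher'."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?(?:\.\d+)?(?:_(\d+))?"', version_output)
    if not m:
        raise ValueError("unrecognised `java -version` output: %r" % version_output)
    major = int(m.group(1))
    if major == 1:  # legacy numbering, e.g. 1.8.0_212
        minor, update = int(m.group(2) or 0), int(m.group(3) or 0)
        return minor > 8 or (minor == 8 and update >= JAVA8_DISTRUST_UPDATE)
    return major >= 9

def gateway_affected(gateway_version, java_version_output):
    """True when this host will lose AuthPoint authentication at the cutover."""
    return (parse_version(gateway_version) < MIN_GATEWAY
            and java_distrusts_symantec(java_version_output))

def ats_endpoint_handshake(region, timeout=5):
    """Complete a TLS handshake with the region's ATS endpoint using the OS trust
    store and return the peer certificate subject. A Content Inspection proxy
    without the exception, or a blocked path, surfaces as an ssl/socket error."""
    host = ATS_ENDPOINTS[region]
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])

# Constructed sample host: Gateway 5.1.3.158 with Oracle Java 8u222 -> affected.
print(gateway_affected("5.1.3.158", 'java version "1.8.0_222"'))
```

The handshake helper needs network access and is not called by the offline check; run it as `ats_endpoint_handshake("EMEA")` (or your region) from the Gateway host after adding the exception.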
