Configuring two-factor authentication

Use the page Global Settings > General > Two-Factor Auth to manage the use of two-factor authentication for administrator logons.

Note: Only Global Security Administrators can access this page.

Two-factor authentication requires administrators to provide two forms of identification when logging on to the Security Manager.

Note: If Single Sign-On is enabled, two-factor authentication cannot be configured or edited. To enable two-factor authentication, you must first disable Single Sign-On on the page Global Settings > General.

Access to Forcepoint Mobile Security is not covered by two-factor authentication; you must log on to the cloud-based console using your regular user name and password.

The following methods are available:

  • RSA SecurID® authentication (see How RSA SecurID authentication works).
  • Certificate authentication (see How certificate authentication works).

If you choose to enable RSA SecurID authentication:

  • Use RSA Authentication Manager 6.1.2 or higher.
  • Create a custom agent for the Forcepoint Security Manager in the RSA Authentication Manager (see Creating a custom agent for RSA SecurID authentication).
  • Certificate authentication is automatically disabled. If you have previously enabled certificate authentication and then enable RSA SecurID authentication, a warning message appears.

If your Forcepoint management server has more than one network interface controller (NIC), use the following steps to configure RSA authentication to use the proper IP address for communicating with the RSA Authentication Manager:

  1. Open rsa_api.properties, located at \Websense\EIP Infra\tomcat\wbsnData\rsaSecurID.
  2. Locate the line RSA_AGENT_HOST=.
  3. Add the IP address of the management server that is configured for the installation, so that the line reads:
     RSA_AGENT_HOST=x.x.x.x
     where x.x.x.x is the IP address of the management server.
  4. Save the rsa_api.properties file.
  5. Restart the Websense TRITON Unified Security Center service in
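The multi-NIC procedure above, as an added PowerShell example that is not part of the Forcepoint documentation: it checks that the chosen address is actually bound to a local interface before writing RSA_AGENT_HOST, keeps a backup of rsa_api.properties, and restarts the service. The install root passed in -InstallRoot and the service display name prefix "Websense TRITON Unified Security Center" are assumptions; verify the latter with Get-Service first.

```powershell
<#
  Added example (not Forcepoint's own script). Sets RSA_AGENT_HOST in
  rsa_api.properties to the management-server IP and restarts the service.
  Assumed: -InstallRoot is the folder that contains \Websense, and the service
  display name starts with "Websense TRITON Unified Security Center".
#>
param(
    [Parameter(Mandatory = $true)][string]$ManagementIp,
    [Parameter(Mandatory = $true)][string]$InstallRoot
)

$propertiesPath = Join-Path $InstallRoot 'Websense\EIP Infra\tomcat\wbsnData\rsaSecurID\rsa_api.properties'

# Refuse anything that is not a syntactically valid IPv4 address.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($ManagementIp, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "Not a valid IPv4 address: $ManagementIp"
}

# On a multi-NIC server, the address must be bound locally or the RSA agent
# cannot source its traffic from it; list the candidates when it is not.
$localIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
if ($localIps -notcontains $ManagementIp) {
    throw "$ManagementIp is not bound to a local interface (found: $($localIps -join ', '))"
}

if (-not (Test-Path -Path $propertiesPath)) { throw "File not found: $propertiesPath" }

# Keep a backup, then rewrite only the RSA_AGENT_HOST line (append it if absent).
Copy-Item -Path $propertiesPath -Destination "$propertiesPath.bak" -Force
$found = $false
$updated = @(foreach ($line in (Get-Content -Path $propertiesPath)) {
    if ($line -match '^\s*RSA_AGENT_HOST\s*=') {
        $found = $true
        "RSA_AGENT_HOST=$ManagementIp"
    } else {
        $line
    }
})
if (-not $found) { $updated += "RSA_AGENT_HOST=$ManagementIp" }
Set-Content -Path $propertiesPath -Value $updated -Encoding ASCII

# Restart the service so the new agent host address takes effect.
$service = Get-Service -DisplayName 'Websense TRITON Unified Security Center*' -ErrorAction Stop
Restart-Service -InputObject $service -Force
Write-Host "RSA_AGENT_HOST set to $ManagementIp; restarted $($service.DisplayName)"
```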

To set up Security Manager RSA SecurID authentication:

  1. In the section RSA SecurID Authentication, mark the check box Authenticate administrators using RSA SecurID authentication.
  2. Enter a valid User name and Passcode for RSA SecurID logon.

    The user must be able to authenticate with RSA Authentication Manager but does not have to be a Security Manager administrator.

  3. Click Test Connection to RSA Manager.

    The connection test must be successful before the Security Manager allows changes to be saved on this page. The results of the test are displayed next to the Test Connection button; for more information on these results, see Test connection to RSA Manager results.

  4. To allow administrators to log on to the Security Manager if RSA authentication is unavailable, mark the check box Fall back to other authentication mechanisms.

    This means that any administrators configured on the page General > Administrators can log on using their local or network credentials as a fallback. If you do not select this option, RSA authentication is the only option for all administrators except the “admin” account created during installation.

  5. Click OK.

    The settings are saved.

To set up Security Manager certificate authentication:

  1. In the section Certificate Authentication, mark the check box Authenticate administrators using client certificate authentication.
  2. To enable attribute matching, in the section Certificate Matching, mark the check box Use attribute matching as a fallback method and select whether it applies to all administrators or only to administrators without certificates in the Security Manager.

    To configure the attributes used for matching, click Configure Attribute Matching, then see Setting up attribute matching.

  3. To import certificates from your user directory for network administrators, click Import Administrator Certificates.

    When certificates are successfully imported, a success message is displayed at the top of the page. If any of the certificates are not imported correctly, you can upload a certificate for each network administrator on the page General > Administrators > Edit Network Account.

  4. In the section Root Certificates, click Add to add a root certificate for signature verification. There must be at least one root certificate in the Security Manager for two-factor authentication to operate.
    • Browse to the location of the root certificate file, then click Upload Certificate.
  5. Whenever a root certificate is added or changed, create a new master certificate file and copy it to the “Websense TRITON Web Server” service. Click Create Master Certificate File to create the new file, then see Deploying the master certificate file for further information.
  6. In the section Password Authentication, to enable password authentication as a fallback method, mark the check box Allow password authentication to log on to the Security Manager for: and select whether it applies to all administrators or only to administrators without certificates in the Security Manager.
    Note: The “admin” account created during installation can always log on from the Forcepoint management server machine using password-based authentication.
  7. Click OK.

    The settings are saved.