How to configure your software token clients to route internal users to an external domain.

Often, internal users on the LAN cannot access the external IP addresses used as domain identifiers. This document demonstrates how to use an internal DNS entry and a WiKID configuration file so new two-factor authentication users can be validated on the LAN.

Typically, users need two-factor authentication for remote access. However, it is often easiest and perhaps most secure to configure and enable your users for two-factor authentication inside the firewall. Networking issues can crop up, though, if you do not allow internal IP addresses to access the external IP address that is the basis for the WiKID domain identifier. This document will show how to use your internal DNS and the jw.properties file to get the WiKID software token to access the external domain.

Download a WiKID software token and the jw.properties file. Version 3.0.11 or later of the token client is required for this functionality. The jw.properties file is only three lines. The default file is:

domainSuffix=wikidsystems.net
useIpBeforeDns=false
debug=false
The domainSuffix is the DNS suffix the token client appends to a domain identifier when it looks the identifier up in DNS. Each domain is identified either by its direct IP address (zero-padded) or by an entry in DNS. The WiKID Extranet domain identifier is 222222222222, which is not an IP address of a WiKID server. When the token client sees that it is not an IP address, it tries 222222222222.wikidsystems.net and that allows it to connect to the appropriate WiKID server. By setting domainSuffix to a suffix your internal DNS server resolves and adding an entry there that points your external domain identifier to the internal IP address of the WiKID server, your internal clients will be able to reach the WiKID server.

The useIpBeforeDns variable tells the WiKID software token to try the IP address before checking DNS. The default is false. You will want to set this to true. Then your users' tokens will first try the IP address and, when that doesn't work, they will check DNS. So, when on the outside, the IP address will work. When on the inside, DNS will work.
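The lookup order described above, as an added example that is not WiKID's own client code: it decodes a zero-padded identifier into a dotted-quad address, reads the three jw.properties keys, orders the candidates according to useIpBeforeDns, and simulates the fallback for a LAN client (only the internal address reachable, internal DNS zone present) and an Internet client (only the external address reachable). The DNS table and the reachable-address sets are constructed for the example.

```python
# Added example: models the WiKID token client's identifier lookup order.
# Not the vendor's code; the DNS table and reachability sets are constructed.

def identifier_to_ip(identifier: str):
    """Decode a 12-digit zero-padded identifier (074172021165 -> 74.172.21.165).
    Returns None if it is not 12 digits or an octet exceeds 255."""
    if len(identifier) != 12 or not identifier.isdigit():
        return None
    octets = [int(identifier[i:i + 3]) for i in range(0, 12, 3)]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)

def parse_properties(text: str) -> dict:
    """Parse the key=value lines of jw.properties, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def candidates(identifier: str, props: dict) -> list:
    """Hosts the token tries, in order: direct IP and <identifier>.<domainSuffix>."""
    fqdn = f"{identifier}.{props.get('domainSuffix', 'wikidsystems.net')}"
    ip = identifier_to_ip(identifier)
    if ip is None:                      # not a zero-padded IP: DNS is the only option
        return [fqdn]
    ip_first = props.get("useIpBeforeDns", "false").lower() == "true"
    return [ip, fqdn] if ip_first else [fqdn, ip]

def resolve(identifier: str, props: dict, reachable: set, dns: dict):
    """Simulate the client: return the first candidate that maps to a reachable address."""
    for host in candidates(identifier, props):
        is_ip_literal = host.replace(".", "").isdigit()
        addr = host if is_ip_literal else dns.get(host)
        if addr in reachable:
            return addr
    return None                          # neither the IP nor DNS worked

# Constructed inputs mirroring the article's configuration.
JW_PROPERTIES = "domainSuffix=wikidsystems.net\nuseIpBeforeDns=true\ndebug=false\n"
INTERNAL_DNS = {"074172021165.wikidsystems.net": "10.0.3.3"}   # internal zone entry
LAN_REACHABLE = {"10.0.3.3"}            # external IP blocked from the LAN
INTERNET_REACHABLE = {"74.172.21.165"}  # remote user: only the public address answers

if __name__ == "__main__":
    props = parse_properties(JW_PROPERTIES)
    print("LAN client   ->", resolve("074172021165", props, LAN_REACHABLE, INTERNAL_DNS))
    print("Remote client->", resolve("074172021165", props, INTERNET_REACHABLE, {}))
```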

Here is an example of a jw.properties configured to allow internal clients access to the external domain:

domainSuffix=wikidsystems.net
useIpBeforeDns=true
debug=false
And here is the entry in our DNS server:
074172021165    IN      A       10.0.3.3
Here 074172021165 corresponds to the external WiKID domain identifier and 10.0.3.3 is the WiKID server's internal IP address.