On-Prem MFA Clarification!


Question



Hello Experts,

I have a client who wants to deploy MFA Server on-prem. And he made a lab with two MFA servers (one master and one slave). So now the twist is these servers are in different environments (Prod & test). Now,

1) He wants to know which DC each server will contact for syncing the users/config? Can we configure it to talk to specific DC?

2) What data/config will be shared between these MFA servers? What ports should be opened between master and slave?

Looking forward to hearing from you.

Thank you,

Best Regards,

CreedHameed


Solution

1. Only the Master server will contact the DC to import users. It will only talk to the DC at regular intervals if you configure the synchronization. You can check this doc for steps to configure it.

It will use the standard DCLocator process to identify a DC from where it can do an LDAP query to pull the users. You cannot configure it to talk to a specific DC either.

2. The master MFA server has a writable copy of the PhoneFactor.pfdata database. Slave/subordinate servers will have a replicated read-only copy of the PhoneFactor.pfdata database. MFA servers replicate information using Remote Procedure Call (RPC). All MFA Servers must collectively either be domain joined or standalone to replicate information. You need to have the standard RPC ports open for synchronization to be successful. You can find more details about how to configure high availability in this doc.
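As an added example (not part of the original thread, and not Microsoft's own tooling), here is a PowerShell check an administrator can run on the master to confirm the two points in the answer: which DC the standard DC Locator process hands out for the user import, since it cannot be pinned to a specific DC, and whether the RPC path to a subordinate is open, meaning the endpoint mapper on TCP 135 plus the dynamic RPC port range the subordinate actually uses. The domain name, the subordinate host name and the use of WinRM for the remote netsh query are assumptions.

```powershell
# Added example, not from the original thread. Assumes the AD RSAT/Windows built-in
# nltest and netsh tools, Test-NetConnection (Windows 8/2012+), and WinRM access to
# the subordinate for Invoke-Command. Host and domain names are placeholders.
function Test-MfaReplicationPath {
    param(
        [Parameter(Mandatory)] [string] $Domain,       # AD domain the master imports users from
        [Parameter(Mandatory)] [string] $Subordinate   # subordinate MFA server to replicate to
    )

    # 1) DC Locator: the same lookup the master's LDAP user import relies on.
    #    /force bypasses the cached answer so we see what the locator picks now.
    $dcInfo = nltest "/dsgetdc:$Domain" /force 2>&1
    $dcLine = $dcInfo | Where-Object { $_ -match '^\s*DC:' } | Select-Object -First 1

    # 2) RPC endpoint mapper on TCP 135 must be reachable on the subordinate.
    $epm = Test-NetConnection -ComputerName $Subordinate -Port 135 -WarningAction SilentlyContinue

    # 3) After the endpoint mapper hands out a port, replication uses one from the
    #    subordinate's dynamic RPC range; read that range so the firewall rule covers it.
    $range = Invoke-Command -ComputerName $Subordinate -ScriptBlock {
        netsh int ipv4 show dynamicport tcp
    }
    $rangeSummary = ($range | Where-Object { $_ -match 'Start Port|Number of Ports' } |
        ForEach-Object { $_.Trim() }) -join '; '

    [pscustomobject]@{
        LocatedDC        = if ($dcLine) { ($dcLine -replace '^\s*DC:\s*', '').Trim() } else { 'not found' }
        EndpointMapperOk = [bool]$epm.TcpTestSucceeded
        DynamicPortRange = $rangeSummary
    }
}

# Placeholder values; replace with the real domain and subordinate host.
Test-MfaReplicationPath -Domain 'corp.example.com' -Subordinate 'mfa-sub01.corp.example.com'
```

Run this on the master. LocatedDC shows the DC the locator chose, which is the most you can do given that the server cannot be pointed at a specific DC; EndpointMapperOk false or a dynamic range that the firewall between Prod and test does not allow are the two things that would stop PhoneFactor.pfdata from replicating to the subordinate.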

