WatchGuard Support Center

Knowledge Base - Article

000012434
Authentication fails with AuthPoint Gateway lower than v5.1.5

Information
What is the problem?
AuthPoint Gateway software must be updated to v5.1.5 before mid-October 2019 (see the specific dates for your region below). If you do not update your AuthPoint Gateway to v5.1.5 or higher, it is likely that all authentication will fail for your AuthPoint user base. If you also use a Firebox configured for Content Inspection, there are additional steps you must take. Please read this entire article carefully.

When must I update my AuthPoint Gateway?
If you use AuthPoint Gateway software v5.1.4.x or lower, you must update your Gateway software to v5.1.5 or higher. If you update your Gateway software before the dates referenced below, this issue will not impact you.
  • For AuthPoint users in the APAC cloud region - 10 October 2019
  • For AuthPoint users in the EMEA cloud region - 16 October 2019
  • For AuthPoint users in the AMER cloud region - 17 October 2019

How do I find my cloud region?
In WatchGuard Cloud, select Administration > My Account. Your cloud region is shown below the Data Zone heading.

Why do I need to update my AuthPoint Gateway?
AuthPoint and WatchGuard Cloud are built on an Amazon Web Services (AWS) infrastructure. AWS recently notified us of urgent changes being made to their infrastructure. Because of this AWS infrastructure update, you must update your AuthPoint Gateway so it can successfully connect to WatchGuard Cloud. If AuthPoint cannot connect to the cloud, authentication will fail.

How do I update my AuthPoint Gateway?
It takes only a few minutes to update an AuthPoint Gateway. You do not need to uninstall your existing AuthPoint Gateway before you update. Click here for instructions to complete the update. 

What happens if I do not update my AuthPoint Gateway?
If you do not update your AuthPoint Gateway by the dates referenced above, and it is installed on a computer with Java JDK/JRE v8u212 or higher, the AuthPoint Gateway will no longer be able to connect to the WatchGuard Cloud AWS infrastructure and all Active Directory-based authentication will fail. At that point, you must update your AuthPoint Gateway immediately. You must manually uninstall the previous Gateway software and use these instructions to install and register a new AuthPoint Gateway. 

Note: You will experience issues if you cancel an AuthPoint Gateway upgrade during the upgrade process. See this article for more information. 

Do I need to make other configuration changes?
If you use Firebox Content Inspection in your network, it includes predefined exceptions for the legacy AWS IoT addresses that AuthPoint requires. Before you update your AuthPoint Gateway, you must add a Content Inspection exception for the new ATS domain for your cloud region, which the Gateway uses going forward.
 
If your AuthPoint cloud region is set to APAC, add this exception:
     aidd27s0p51l6-ats.iot.ap-northeast-1.amazonaws.com

If your AuthPoint cloud region is set to EMEA, add this exception:
     aidd27s0p51l6-ats.iot.eu-central-1.amazonaws.com

If your AuthPoint cloud region is set to AMER, add this exception:
     aidd27s0p51l6-ats.iot.us-west-2.amazonaws.com

For information about how to add a Content Inspection exception, see Help.

Background
In early October 2019, AWS switched the WatchGuard AWS IoT endpoints from their (now) legacy endpoints to the Amazon Trust Services (ATS) endpoints. The legacy endpoints used certificates issued by Symantec CAs. Oracle updated the Java JDK/JRE in v8u212 to distrust newly issued TLS server certificates that chain to these CAs. The certificates that AWS used for the legacy endpoints expired in October, so AWS could not simply renew them under a Symantec CA and had to make an urgent change to its infrastructure. Any AuthPoint Gateway running in an environment with Java JDK/JRE v8u212 or higher will no longer be able to connect to the AWS infrastructure of WatchGuard Cloud, and authentication will fail.
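As an added example, not WatchGuard's or AWS's code, the following Python script encodes the two checks a practitioner would want to run on a Gateway host before the cut-over: whether the installed Java 8 is at or past 8u212, and whether a given endpoint's certificate chain would be rejected by that build's Symantec distrust policy. It assumes the rule as Oracle published it (a chain anchored by a Symantec-family CA, with the leaf issued after 16 April 2019, is rejected) and simplifies it to Java 8, the only major this article covers. The certificate chains are constructed samples in `openssl s_client -showcerts` layout with placeholder hostnames; they are not captures from AWS.

```python
"""Offline pre-update checks for an AuthPoint Gateway host (added example).

Models the failure mode described above: Java 8u212+ distrusts TLS server
certificates that chain to a Symantec-family root and were issued after
16 April 2019, while the ATS endpoints chain to Amazon Trust Services roots.
Assumptions: the cut-off date and brand list follow Oracle's published policy;
majors other than 8 are reported as "not covered". Sample chains are constructed.
"""
import re
from datetime import date, datetime

# Brands covered by the JDK policy (jdk.security.caDistrustPolicies=SYMANTEC_TLS).
SYMANTEC_BRANDS = ("Symantec", "VeriSign", "GeoTrust", "thawte", "Thawte")
# Leaf certificates issued on or before this date stay trusted until they expire.
JDK_CUTOFF = date(2019, 4, 16)


def parse_java_version(output):
    """Return (major, minor, update) from `java -version` text.

    Accepts the legacy scheme ("1.8.0_212" -> (8, 0, 212)) and the newer
    scheme ("11.0.4" -> (11, 0, 4)).
    """
    m = re.search(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?', output)
    if not m:
        raise ValueError("no Java version string in: %r" % output)
    a, b, c, upd = m.groups()
    if a == "1":                               # legacy "1.<major>.0_<update>"
        return (int(b), 0, int(upd or 0))
    return (int(a), int(b), int(c))


def java_distrusts_symantec(output):
    """True/False for Java 8 builds; None for other majors (not covered here)."""
    major, _, update = parse_java_version(output)
    if major != 8:
        return None
    return update >= 212


def parse_issuers(chain_text):
    """Collect the issuer ("i:") lines of an s_client chain, leaf first.

    Works for both the old "/C=US/O=..." and the new "C = US, O = ..." layouts
    because the later check only substring-matches brand names.
    """
    issuers = re.findall(r"^\s*i:\s*(.+)$", chain_text, flags=re.MULTILINE)
    if not issuers:
        raise ValueError("no certificate chain found")
    return issuers


def parse_startdate(text):
    """Parse `openssl x509 -noout -startdate` output ('notBefore=May 1 00:00:00 2019 GMT')."""
    value = text.strip().split("=", 1)[-1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").date()


def jdk_would_reject(chain_text, startdate_text):
    """Would a Java 8u212+ Gateway reject this endpoint?

    Both conditions are required: the chain's anchor (last issuer line) is a
    Symantec-family CA, and the leaf was issued after the cut-off date.
    """
    anchor = parse_issuers(chain_text)[-1]
    symantec_anchored = any(brand in anchor for brand in SYMANTEC_BRANDS)
    return symantec_anchored and parse_startdate(startdate_text) > JDK_CUTOFF


# Constructed sample chains; hostnames are placeholders, not AWS endpoints.
LEGACY_CHAIN = """\
Certificate chain
 0 s:/CN=legacy-endpoint.iot.example.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Public Primary Certification Authority - G5
"""

ATS_CHAIN = """\
Certificate chain
 0 s:CN = ats-endpoint.iot.example.com
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   i:C = US, O = Amazon, CN = Amazon Root CA 1
"""

if __name__ == "__main__":
    print("Java 8u212 distrusts Symantec:",
          java_distrusts_symantec('openjdk version "1.8.0_212"'))
    for label, chain in (("legacy", LEGACY_CHAIN), ("ATS", ATS_CHAIN)):
        print(label, "rejected by 8u212+:",
              jdk_would_reject(chain, "notBefore=May 1 00:00:00 2019 GMT"))
```

On a real Gateway host, feed the functions the output of `java -version 2>&1`, `openssl s_client -connect <endpoint>:<port> -showcerts </dev/null 2>/dev/null`, and `openssl x509 -noout -startdate` run on the leaf certificate. Note that a Firebox doing Content Inspection presents its own re-signed chain for inspected connections, so the test only reflects the real endpoint once the exception for your region is in place.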