Pre-Amble:
I've worked with Nick for a few years and played with the Wikid Auth 2-Factor system for a while. I really wanted to get it working on my own network again. Unfortunately, I only have one IP address and a few sites that run on port 80 - Of course, the clients for Wikid all use port 80 as well (don't assume this is bad!)
What is Wikid Auth:
The WiKID Strong Authentication System is a patented dual-source, software-based two-factor authentication system designed to be less expensive and more extensible than hardware tokens.
What Is MikroTik RouterBoard:
Mikrotik develops high performance routers and wireless ISP systems, providing both hardware and software for most countries around the world.
Steps:
Previously, I had already setup my routerboard to act as a reverse proxy - You can follow these instructions to get that working: http://wiki.mikrotik.com/wiki/Multiple_Web_Servers
From here I needed to re-direct the Wikid Authentication requests to my new server.
Originally, I attempted to use the normal domain setup - by using the external IP address that the clients would use - however, this failed to work with the reverse proxy since it would have no domain name to look up in the local DNS system.
Fortunately, Wikid provides (for enterprise licences) a domain key server using [custom domain].wikidsystems.net - that custom key would be entered into the client and be mapped via DNS to the IP address as required. This domain is also used in the client HOST code for the web request. Thus, we can now use our reverse proxy in the routerboard router.
Step 1 - Request your custom domain key from the Wikid Staff - You should already be an enterprise customer - http://www.wikidsystems.com/company/company/contact-us
Step 2 - Ensure your Reverse proxy is configured (See above link)
Step 3 - Because the Client caches the IP address, if you move between internal dns and external DNS alot, you need to make sure the routerboard doesn't accept the incoming port 80 request (Firewall rule) - I don't use the web console, and I have a default deny all, so this is covered by that. YMMV.
Step 4 - Set the proxy to allow connections to the Domain Key address assigned by the Wikid team - We're adding a path of "/wikid/*" so that only the client communications is accepted.
/ip proxy access
add action=allow disabled=no dst-host=[Domain Key].wikidsystems.net dst-port=80 path=/wikid/*
Step 5 - Make an internal DNS record for the Domain Key address to point to your internal Wikid Server IP address
/ip dns static
add address=[Internal IP] disabled=no name=[Domain Key].wikidsystems.net ttl=1d
Step 6 - Enjoy.
You'll probably have some got-cha's if you use your routerboard as DNS server for your network - especially if the wikid client caches the internal IP address and move to an external area.
