Step 3: Test with Your Identity Source and All Applications

Document created by RSA Information Design and Development on Feb 17, 2020

If you have completed What You Get With the Trial and, optionally, Step 2: Test with Your Users and Your SAML or RADIUS Applications, and still want to do more with the trial, do the following:

  1. Select Applications to Protect
  2. Plan Your Trial Environment
  3. Set Up Your Trial Environment

Select Applications to Protect

To do more with the trial, you need to deploy an identity router. The identity router is a virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service. When you deploy an identity router, you first select a deployment type based on the type of applications that you want to protect.

Select the deployment type that matches what you want to protect:

  • RADIUS: RADIUS clients, such as VPNs, in environments that do not support outbound RADIUS communication
  • Relying Party: SAML applications and third-party SSO solutions
  • SSO Agent: SAML, HTTP Federation Proxy, or Trusted Headers applications, and RSA SecurID Access single sign-on for all applications

Plan Your Trial Environment

There are a few things you need to plan to deploy an identity router in your environment.

What You Need to Have

                           
Virtual appliance infrastructure

Hardware requirements:

  • VMware or Hyper-V

    • Disk space: 54 GB

    • Memory: 8 GB

    • Virtual CPUs: 4

    • Network interface:
      • VMware: One E1000 virtual network adapter for RADIUS or relying party deployment. Two for SSO Agent deployment.
      • Microsoft Hyper-V: One synthetic network adapter for RADIUS or relying party deployment. Two for SSO Agent deployment.

  • Amazon Virtual Server Instance
    • Family: General purpose
    • Type: t2.large
    • vCPUs: 2
    • Memory: 8 GB

Software requirements:

  • VMware
    • VMware Platform: VMware ESXi 5.5 or later (currently 6.x series)
    • VMware vSphere Client: Any version that works with the supported ESXi deployments
  • Hyper-V 2012 R2

  • AWS cloud
    • Access to t2.large or better instance types
    • Virtual Private Cloud with private and public subnets
    • Route Tables, Security Groups, and Network ACLs that allow traffic between the identity router and all other components in your deployment
    • DHCP Option Sets that specify all DNS servers required for your deployment
    • Elastic IP addresses (if your organization manages its own DNS service)

Microsoft Active Directory 2008 or 2012, or an LDAPv3 directory server

Create a group with a limited number of users (for example, RSA SecurID Access Test Group) to sync and test with.

SSO Agent only:

Private key, public certificate, and certificate chain for SSL protection of the RSA SecurID Access Application Portal

  • Generate the private key using your own infrastructure. The private key is in RSA format (a PEM file that begins with BEGIN RSA PRIVATE KEY), is 2048 bits or longer, and is not password-protected. Because the key is stored without a passphrase, restrict its file permissions and move it only over a protected channel.
  • Submit a certificate signing request (CSR) to a trusted Certificate Authority (CA) to obtain the public certificate and certificate chain. The certificate and certificate chain files are in X.509 PEM format.

    For more information, see https://community.rsa.com/docs/DOC-89364.

A mobile device or Windows PC
  • iOS 11.0 or later
  • Android 6.0 or later
  • Windows 10 Version 1511 or later
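As an added example (this script is not from the RSA page and is not RSA's tooling), the following POSIX shell script generates the portal key and CSR described above, checks the key against the stated requirements (RSA PEM format, at least 2048 bits, no passphrase), and verifies the certificate and chain that come back from the CA against each other and against the key. The protected domain sso.example.com, the scratch directory, OpenSSL 1.1.1 or later, and the constructed test CA that stands in for your real CA so the checks can run offline are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not part of the RSA page: prepare and sanity-check the SSL
# material for the RSA SecurID Access Application Portal (SSO Agent only):
#   - an unencrypted RSA key of at least 2048 bits in "RSA PRIVATE KEY" PEM format
#   - a CSR for the protected domain to submit to your CA
#   - the X.509 PEM certificate and chain the CA returns, checked against each
#     other and against the key
# Assumptions (not taken from the page): protected domain sso.example.com, a
# scratch directory, OpenSSL 1.1.1 or later, and a constructed test CA that
# stands in for your real CA so the checks can be exercised offline.
WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-sso.example.com}"

# Write an unencrypted 2048-bit key in traditional (PKCS#1) "RSA PRIVATE KEY" PEM.
# OpenSSL 3 emits PKCS#8 ("BEGIN PRIVATE KEY") by default, so convert when needed.
gen_portal_key() {
  openssl genrsa -out "$1" 2048 2>/dev/null || return 1
  if ! grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then
    openssl rsa -in "$1" -out "$1.tmp" -traditional 2>/dev/null || return 1
    mv "$1.tmp" "$1"
  fi
  chmod 600 "$1"    # stored without a passphrase, so rely on file permissions instead
}

# Return 0 only if the key meets the requirements above; print the reason otherwise.
check_portal_key() {
  grep -q 'BEGIN RSA PRIVATE KEY' "$1" || { echo "$1: not in RSA (PKCS#1) PEM format"; return 1; }
  if grep -q 'ENCRYPTED' "$1"; then echo "$1: key is password-protected"; return 1; fi
  bits=$(openssl rsa -in "$1" -noout -text 2>/dev/null | grep -oE '\([0-9]+ bit' | tr -dc '0-9')
  [ "${bits:-0}" -ge 2048 ] || { echo "$1: key is only ${bits:-0} bits"; return 1; }
}

# CSR with the protected domain as both CN and SAN (browsers ignore CN alone;
# -addext needs OpenSSL 1.1.1+). Exit status reflects the CSR's own signature check.
make_csr() {   # $1 key, $2 CSR output, $3 protected domain
  openssl req -new -key "$1" -out "$2" -subj "/CN=$3" \
    -addext "subjectAltName=DNS:$3" 2>/dev/null &&
  openssl req -in "$2" -noout -verify >/dev/null 2>&1
}

# Check what the CA sent back: the certificate must chain to the supplied chain
# file and must carry the public half of the key generated above.
check_cert_and_chain() {   # $1 certificate, $2 chain, $3 private key
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "$1: does not verify against $2"; return 1; }
  [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = "$(openssl rsa -in "$3" -pubout 2>/dev/null)" ] \
    || { echo "$1: public key does not match $3"; return 1; }
}

# Constructed stand-in for the trusted CA (offline demo only). In a real deployment
# the CSR goes to your CA and the certificate and chain files come back from it.
issue_with_test_ca() {   # $1 CSR, $2 certificate output, $3 chain output, $4 domain
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$3" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$4" > "$WORK/san.cnf"
  openssl x509 -req -in "$1" -CA "$3" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/san.cnf" -out "$2" 2>/dev/null
}

# End-to-end run; replace issue_with_test_ca with the files your real CA returns.
portal_tls_demo() {
  gen_portal_key "$WORK/portal.key" && check_portal_key "$WORK/portal.key" || return 1
  make_csr "$WORK/portal.key" "$WORK/portal.csr" "$DOMAIN" || return 1
  issue_with_test_ca "$WORK/portal.csr" "$WORK/portal.pem" "$WORK/chain.pem" "$DOMAIN" || return 1
  check_cert_and_chain "$WORK/portal.pem" "$WORK/chain.pem" "$WORK/portal.key"
}

portal_tls_demo && echo "portal.key, portal.csr, portal.pem and chain.pem in $WORK pass all checks"
```

Run it as `DOMAIN=sso.yourcompany.example sh portal_tls.sh`; the only files to upload are the key, the certificate and the chain. The key-to-certificate comparison is the check most often skipped in practice: a certificate issued for an earlier CSR verifies fine against its chain but cannot be used with the key you have.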

What You Need to Know

RSA SecurID Access uses a hybrid architecture that consists of two components:

  • The Cloud Authentication Service is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.
  • The identity router is a virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service. You can deploy the identity router in your on-premises VMware or Hyper-V environment, or in the Amazon Web Services (AWS) cloud.

    In RADIUS and relying party deployments with VMware or Hyper-V, the identity router has one network interface. Place this interface in a private network where it can reach your LDAP directory. For more information about configuring your system to use these interfaces, see https://community.rsa.com/docs/DOC-54091.

    In SSO Agent deployments with VMware or Hyper-V, the identity router has two network interfaces. Place one interface in a public-facing network and the other in a private network where it can reach your LDAP directory.

    In all deployments with AWS, the identity router has one network interface to which you assign public and private IP addresses and connect other network resources from the internet or your private network.

Additional information is available in the Planning Guide.

Add your values to the following worksheet. You will use this information in the next section and during setup.

                                                                 

Cloud Administration Console and Cloud Authentication Service

  Current values:

    • US region: <authentication_service_domain>; access.securid.com, na2.access.securid.com, or na3.access.securid.com (191.237.22.167, 104.42.197.125)
    • EMEA region: <authentication_service_domain>; access-eu.securid.com (104.40.223.169, 40.127.204.94)
    • ANZ region: <authentication_service_domain>; access-anz.securid.com (20.36.34.174, 20.36.64.73)

  Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router.

  Your values:

SSO Agent only: Protected domain name

  A unique subdomain of your registered domain name, used by all traffic managed by the identity router, for example, sso.example.com. For more information, see https://community.rsa.com/docs/DOC-79572.

  Your value:

LDAP directory server

  • IP address
  • FQDN
  • Base DN of users (the root from which users are synchronized, for example, DC=company,DC=com)
  • Credentials of the administrator account that RSA SecurID Access uses to connect to the directory server (prefer a dedicated, least-privilege service account over a domain administrator account)

  Your values:

DNS server IP addresses

  For DNS configuration requirements, see https://community.rsa.com/docs/DOC-54152.

  Your values:

NTP server IP address

  Your value:

Backup server IP address

  Your value:

Internal user subnet IP address

  Your value:

RADIUS only: RADIUS client IP address

  Your value:

Required only for VMware and Hyper-V identity router deployments:

Identity router management interface (private; required for every VMware and Hyper-V deployment)

  • IP address
  • Netmask
  • Gateway
  • Short hostname
  • FQDN

  Your values:

Identity router proxy interface (public; required for SSO Agent deployments with an on-premises identity router)

  • IP address
  • Netmask
  • Gateway
  • Short hostname
  • FQDN

  Your values:

Required only for Amazon Web Services identity router deployments:

Identity router

  • Private IP address (used for communication with internal resources in the same VPC, another VPC, or your on-premises network)
  • Public Elastic IP address (used for communication with public resources over the internet if the identity router is in a public subnet; not required if a NAT gateway or load balancer with a public IP address manages traffic to the identity router)
  • Short hostname
  • FQDN

  Your values:

  Note: For identity routers in AWS, the netmask and gateway are obtained automatically during instance launch, according to the VPC subnet settings.

AWS environment configuration details

  • VPC
  • Private subnet
  • Public subnet
  • DHCP options set
  • Route tables
  • Security groups
  • Network ACLs

  Your values:

Connectivity Requirements

Replace the values in the table below with your values from the worksheet above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. If you deploy the identity router in the Amazon cloud, the route tables, security groups, and network ACLs in your AWS environment must also allow these connections. Update your connectivity settings before continuing with the next step.

                                                                                 

Source: 0.0.0.0/0 (external users)
Destination: Cloud Authentication Service
Protocol and port: TCP 443; TCP 80, 443
Purpose: External user access to the Cloud Authentication Service, application portal, and applications

Source (SSO Agent only): <Your internal (corp network) end users>
Destination: Both Cloud Authentication Service environments
Protocol and port: TCP 80, 443
Purpose: Internal user access to the Cloud Authentication Service, application portal, and applications

Source: <Your administrators>
Destination:
  • On-premises identity routers: <Your identity router management interface IP address>
  • Identity routers in the Amazon cloud: <Your identity router private IP address>
Protocol and port:
  • On-premises, two network interfaces: TCP 443
  • On-premises, one network interface, or Amazon cloud: TCP 9786
Purpose: Identity Router Setup Console

Source:
  • On-premises, one network interface: <Your identity router management interface IP address>
  • On-premises, two network interfaces: <Your identity router proxy interface IP address>
  • Amazon cloud: <Your identity router private IP address>
Destination: Cloud Administration Console and both Cloud Authentication Service environments
Protocol and port: TCP 443
Purpose: Identity router registration
Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and the Cloud Authentication Service IP addresses for your region are allowed.

Source:
  • On-premises, one network interface: <Your identity router management interface IP address>
  • On-premises, two network interfaces: <Your identity router proxy interface IP address>
  • Amazon cloud: <Your identity router public IP address>
Destination: <Your protected resource>
Protocol and port: TCP 443 or custom port
Purpose: Application integration

Source:
  • On-premises: <Your identity router management interface IP address>
  • Amazon cloud: <Your identity router private IP address>
Destination: <Your LDAP directory server IP address>
Protocol and port: TCP 389 (LDAP); TCP 636 (LDAPS)
Purpose: LDAP directory user authentication and authorization. Where the directory supports it, use TCP 636 (LDAPS) so that the bind account's and users' credentials are not sent in clear text over TCP 389.

Source:
  • On-premises: <Your identity router proxy interface IP address or identity router management interface IP address>
  • Amazon cloud: <Your identity router private IP address>
Destination: <Your DNS server IP address>
Protocol and port: UDP 53
Purpose: DNS

Source (RADIUS only): <Your RADIUS client IP address>
Destination:
  • On-premises: <Your identity router management interface IP address>
  • Amazon cloud: <Your identity router private IP address>
Protocol and port: UDP 1812
Purpose: RADIUS

Source (RADIUS only): <Your RADIUS client IP address>
Destination:
  • On-premises: <Your identity router management interface IP address>
  • Amazon cloud: <Your identity router private IP address>
Protocol and port: UDP 1812
Purpose: (Optional) RADIUS

Source:
  • On-premises: <Your identity router proxy interface IP address or identity router management interface IP address>
  • Amazon cloud: <Your identity router private IP address>
Destination: <Your NTP server IP address>
Protocol and port: UDP 123
Purpose: Network time server synchronization

Source: <Your administrator computer>
Destination:
  • On-premises: <Your identity router management interface IP address>
  • Amazon cloud: <Your identity router private IP address>
Protocol and port: TCP 22
Purpose: (Optional) SSH for troubleshooting

For more information, see https://community.rsa.com/docs/DOC-75833.
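As an added example (this script is not from the RSA page and is not RSA's tooling), the following shell script exercises the identity router's outbound flows from the table above before you attempt registration, so that a blocked firewall rule shows up as a named FAIL line instead of a vague registration error. It assumes, without support from the page, that it runs on a host in the identity router's subnet with bash installed (used only for its /dev/tcp connect), that the worksheet values arrive as environment variables (IR_LDAP, IR_DNS, IR_NTP, IR_CLOUD_HOSTS), and that the placeholder addresses are constructed from the RFC 5737 documentation range.

```shell
#!/bin/sh
# Added example, not part of the RSA page: exercise the identity router's outbound
# flows from the Connectivity Requirements table before attempting registration.
# Assumptions (not taken from the page): runs on a host in the identity router's
# subnet with bash available (used only for its /dev/tcp connect), the worksheet
# values arrive as environment variables, and the placeholder addresses below are
# constructed from the RFC 5737 documentation range.
: "${IR_LDAP:=192.0.2.10}" "${IR_DNS:=192.0.2.53}" "${IR_NTP:=192.0.2.123}"
: "${IR_CLOUD_HOSTS:=access.securid.com}"   # add na2/na3/access-eu/access-anz as applicable

# TCP flow: a real connect to host $1, port $2, bounded by $3 seconds (default 3).
tcp_open() {
  if command -v timeout >/dev/null 2>&1; then
    timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
  fi
}

# DNS flow (UDP 53 to server $1): resolve a cloud hostname through that server with
# dig when it is installed, otherwise through the system resolver pointed at it.
dns_ok() {
  if command -v dig >/dev/null 2>&1; then
    [ -n "$(dig "@$1" +short +time=3 +tries=1 "${2:-access.securid.com}" 2>/dev/null)" ]
  else
    getent hosts "${2:-access.securid.com}" >/dev/null 2>&1
  fi
}

# Outbound flows from the table, one per line: proto port host purpose.
ir_egress_flows() {
  for h in $IR_CLOUD_HOSTS; do echo "tcp 443 $h identity-router-registration"; done
  echo "tcp 636 $IR_LDAP ldaps-directory"
  echo "tcp 389 $IR_LDAP ldap-directory"
  echo "udp 53 $IR_DNS dns"
  echo "udp 123 $IR_NTP ntp"
}

# Read flows on stdin, print PASS/FAIL/SKIP per flow, return 1 if any flow failed.
# UDP 123 (and inbound UDP 1812 from RADIUS clients) has no handshake to observe,
# so those rows are reported as SKIP and must be confirmed on the server side.
run_ir_checks() {
  failed=0
  while read -r proto port host purpose; do
    case "$proto:$port" in
      tcp:*)  if tcp_open "$host" "$port"; then result=PASS; else result=FAIL; fi ;;
      udp:53) if dns_ok "$host"; then result=PASS; else result=FAIL; fi ;;
      *)      result=SKIP ;;
    esac
    [ "$result" = FAIL ] && failed=1
    printf '%-4s %-3s %-5s %-28s %s\n' "$result" "$proto" "$port" "$host" "$purpose"
  done
  return $failed
}

# Run the checks when IR_CHECK_RUN=1, for example:
#   IR_CHECK_RUN=1 IR_LDAP=10.0.1.5 IR_DNS=10.0.1.2 IR_NTP=10.0.1.2 sh ir_checks.sh
if [ "${IR_CHECK_RUN:-0}" = 1 ]; then
  ir_egress_flows | run_ir_checks
fi
```

A non-zero exit status means at least one TCP or DNS flow failed; fix those rules before moving on to setup. The TCP 9786/443 Setup Console and TCP 22 rows are inbound to the identity router and are verified from the administrator's computer instead, with the same tcp_open call pointed at the management (or private) interface address.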

After You Finish

Set Up Your Trial Environment

 

 
