Deployment Planning Checklist

Document created by RSA Information Design and Development Employee on Mar 9, 2020Last modified by Joyce Cohen on Oct 28, 2020
Version 10Show Document
  • View in full screen mode

Use these checklists when planning your deployment.

 

 

Note:  This information does not apply to planning deployments that use the embedded identity router in RSA Authentication Manager 8.5 or later. See Configure an Embedded Identity Router.

 

What You Need to Have

 

ItemDescription
Sign-in credentials to the Cloud Administration Console

Sign-in credentials are emailed to you after you request an environment from RSA Sales or your partner or complete the trial form.

Be sure that the email address that you provide to RSA is for a real user in your LDAP directory and not, for example, a group alias or general account.

For browser requirements for the Cloud Administration Console, see https://community.rsa.com/docs/DOC-81615.

Virtual appliance infrastructure

Required only for identity router deployment on-premises in a VMware or Hyper-V environment

Hardware requirements for image file:

  • Disk space: 54 GB

  • Memory: 8 GB

    For SSO Agent deployments, consider 16 GB for high availability architectures.

  • Virtual CPUs: 4

Network interface for RADIUS and Relying Party deployments:

  • VMware: One E1000 virtual network adapter
  • Microsoft Hyper-V: One synthetic network adapter

Network interface for SSO Agent deployments:

  • VMware: Two E1000 virtual network adapters
  • Microsoft Hyper-V: Two synthetic network adapters

Software requirements:

  • VMware or
    • VMware Platform: VMware ESXi 5.5 or later (currently 6.x series)
    • VMware vSphere Client: Any version that works with the supported ESXi deployments
  • Hyper-V 2012 R2

Amazon Web Services (AWS) account

Required only for identity router deployment in an Amazon Web Services cloud environment

Note:  To deploy an identity router in the Amazon cloud, you must be familiar with the following concepts as they relate to AWS:

Elastic Compute Cloud (EC2)
Amazon Machine Image (AMI)
Elastic IP Address
Security Groups
Virtual Private Cloud (VPC)
Subnets
Route Tables
Network Access Control Lists (ACL)
DHCP Option Sets
Internet Gateway
NAT Gateway
Virtual Private Gateway
VPN Connection
VPC Peering

Amazon Virtual Server Instance hardware requirements:

  • Family: General purpose
  • Type: t2.large
  • vCPUs: 2
  • Memory: 8 GB

AWS cloud environment requirements:

  • Access to t2.large or better instance types
  • Virtual Private Cloud with private and public subnets
  • Route Tables, Security Groups, and Network ACLs that allow traffic between the identity router and all other components in your deployment
  • DHCP Option Sets that specify all DNS servers required for your deployment
  • Elastic IP addresses (if your organization manages its own DNS service)

Microsoft Active Directory 2008 or 2012 or LDAPv3 directory server

Create a group of a limited number of users (for example, RSA SecurID Access Test Group) to synch and test with.
SSL/TLS certificate from your LDAP directory server

Used for an encrypted connection (LDAPS) to your directory server.

Download the SSL/TLS certificate from your directory server. If your directory server does not have a certificate, install one.

For more information, see https://community.rsa.com/docs/DOC-89364.

SSO Agent only:

Private key, public certificate, and certificate chain for SSL protection for the RSA SecurID Access Application Portal

  • Generate the private key using your own infrastructure. The private key, in RSA format, is 2048-bit or greater and is not password-protected.
  • Submit a certificate signing request (CSR) to a trusted Certificate Authority (CA) to obtain the public certificate and certificate chain. The certificate and certificate chain files are in x509 PEM format.

    For more information, see https://community.rsa.com/docs/DOC-89364.

SSO Agent only:

Load balancer

Supported load balancers:

  • CISCO ACE family
  • F5 Big-IP family
  • Citrix Netscaler
  • Barracuda Load Balancers

For additional requirements, see https://community.rsa.com/docs/DOC-54090.

A mobile device or Windows PC
  • iOS 11.0 or later
  • Android 6.0 or later
  • Windows 10 Version 1511 or later

 

What You Need to Know

 

RSA SecurID Access uses a hybrid architecture that consists of two components:

 

  • The Cloud Authentication Service is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.
  • The identity router is a virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service. You can deploy the identity router in your on-premises VMware or Hyper-V environment, or in the Amazon Web Services (AWS) cloud.

    In RADIUS and relying party deployments with VMware or Hyper-V, the identity router has one network interface. Place this interface in a private network where it can reach your LDAP directory. For more information about configuring your system to use these interfaces, see https://community.rsa.com/docs/DOC-54091.

    In SSO Agent deployments with VMware or Hyper-V, the identity router has two network interfaces. Place one interface in a public-facing network and the other in a private network where it can reach your LDAP directory.

    In all deployments with AWS, the identity router has one network interface to which you assign public and private IP addresses and connect other network resources from the internet or your private network.

    Note:  After an identity router is registered in a deployment, it cannot be reused in another deployment. For example, suppose you registered an identity router with Company A for a trial deployment, and you want to use the same identity router with Company A in a production deployment. You must add a new identity router (virtual machine) to the production deployment.

 

Add your values to the following worksheet. You will use this information in the next section and during setup.

 

Item

Your Values

Cloud Administration Console and

Cloud Authentication Service

  • US region:<authentication_service_domain>, *.access.securid.com, (52.188.41.46, 52.160.192.135)

  • ANZ region:<authentication_service_domain>, *.access-anz.securid.com (20.37.53.30, 20.39.99.202 beginning March 20, 2020)

  • EMEA region: <authentication_service_domain>, *.access-eu.securid.com (51.105.164.237, 52.155.160.141)

Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router.

For instructions on checking the status of your Cloud connections, see https://community.rsa.com/docs/DOC-54079.

To test access to the IP addresses, follow these instructions: https://community.rsa.com/docs/DOC-79579.

SSO Agent only:

Protected domain name

This is a unique subdomain prepended to your registered domain name and is used by all traffic managed by the identity router, for example, sso.example.com. For more information, see https://community.rsa.com/docs/DOC-79572.

 

 

SSO Agent only:

Load balancer

  • DNS name (virtual IP)
  • Public IP address
  • Private IP address
 

LDAP directory server

  • IP address
  • FQDN
  • Base DN of users (the root where users will be synchronized from, for example, DC=company, DC=com)
  • Administrator account credentials that RSA SecurID Access can use to connect to the directory server
 

SSO Agent and POC only:

DNS servers IP addresses

For DNS configuration requirements, see https://community.rsa.com/docs/DOC-54152.

 
NTP server IP address 
Backups server IP address (SSO Agent only) 
Internal user subnet IP address (SSO Agent only) 

RADIUS only:

RADIUS client IP address

 
Required only for VMware and Hyper-V identity router deployments:

Identity router management interface (private, required for all deployments)

  • IP address
  • Netmask
  • Gateway
  • Short hostname
  • FQDN
 

Identity router portal interface (public, required for SSO Agent deployments with on-premises identity router)

  • IP address
  • Netmask
  • Gateway
  • Short hostname
  • FQDN

 

Required only for Amazon Web Services identity router deployments:

Identity router

  • Private IP Address
    (Used for communication with internal resources in the same VPC, another VPC, or your on-premises network.)
  • Public Elastic IP Address
    (Used for communication with public resources over the internet if the identity router is in a public subnet. Not required if a NAT/load balancer with a public IP address manages traffic to the identity router.)
  • Short hostname
  • FQDN

Note:  For identity routers in AWS, netmask and gateway information is obtained automatically during instance launch, according to the VPC subnet settings.

 

AWS environment configuration details

  • VPC
  • Private subnet
  • Public subnet
  • DHCP options set
  • Route tables
  • Security groups
  • Network ACLs
 

 

Connectivity Requirements

 

Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. If you deploy the identity router in the Amazon cloud, the route tables, security groups, and network ACLs in your AWS environment must also allow these connections. Update your connectivity settings before continuing with the next step.

 

Source

DestinationProtocol and PortPurpose

0.0.0.0/0

For RADIUS and Relying Party deployments: Both Cloud Authentication Service environments

For SSO Agent: Both Cloud Authentication Service environments and <Your load balancer public IP address>

For RADIUS and Relying Party: TCP 443

FOR SSO Agent: TCP 80, 443

For RADIUS and Relying Party deployments: External user access to Cloud Authentication Service

For SSO Agent: External user access to Cloud Authentication Service, application portal, and applications

SSO Agent only:

<Your internal (corp network) end users>

 

Both Cloud Authentication Service environments and

<Your load balancer private IP address>

TCP 80, 443

Internal user access to Cloud Authentication Service, application portal, and applications

< Your administrators>

For on-premises identity routers:


<Your identity router management interface IP address>

For identity routers in the Amazon cloud:
<Your identity router private IP address>

On-premises (two network interfaces):

TCP 443

One network interface or Amazon:

TCP 9786

Identity Router Setup Console

For on-premises identity routers (one network interface):

<Your identity router management interface IP address>

For on-premises identity routers (two network interfaces):

<Your identity router portal interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

Cloud Administration Console and both Cloud Authentication Service environments

Note:  If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and the Cloud Authentication Service IP addresses for your region are whitelisted. Also, confirm that you can access both environments. For instructions, see https://community.rsa.com/docs/DOC-79579.

TCP 443Identity router registration

SSO Agent Only:

For on-premises identity routers (one network interface):

<Your identity router management interface IP address>

For on-premises identity routers (two network interfaces):

<Your identity router portal interface IP address>

For identity routers in the Amazon cloud:

<Your identity router public IP address>

<Your protected resource>TCP 443 or custom portApplication integration

SSO Agent only:

<Your load balancer private IP address>

<Your identity router portal interface IP address>

TCP 80, 443Load balancer traffic to pool members

SSO Agent only:

<Your load balancer private IP address>
<Your identity router management interface IP address>TCP 443Load balancer health check of pool members

For on-premises identity routers:

<Your identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

<Your LDAP directory server IP address>

TCP 636

LDAP directory user authentication and authorization

For on-premises identity routers:

<Your identity router portal interface IP address or identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

<Your DNS server IP address>

UDP 53DNS

RADIUS only:

<Your RADIUS client IP address>

 

For on-premises identity routers:

<Your identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

UDP 1812RADIUS

For on-premises identity routers:

<Your identity router portal interface IP address or identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

<Your NTP server IP address>UDP 123Network time server synchronization
<Your administrator computer>

 

For on-premises identity routers:

<Your identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

TCP 22

(Optional) SSH for troubleshooting

For more information, see https://community.rsa.com/docs/DOC-75833.

 

 

 

 

 

 

 

 

 

 

 

You are here

Table of Contents > Identity Routers > Planning Your Identity Router Deployment > Deployment Planning Checklist

Attachments

    Outcomes