000024531 - Which firewall ports need to be open for RSA SecurID 5.2-6.1 to work properly?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number: 000024531
Applies To:
RSA Authentication Manager
RSA ACE/Server
RSA ACE/Agent
RSA SecurID Web Express
RSA ACE/Server Quick Admin
Microsoft Windows
All UNIX Platforms
Issue:
Which firewall ports need to be open for RSA SecurID to work properly?
Which firewall ports need to be open for RSA RADIUS to work properly?
Firewall is blocking traffic.
Which ports are used for DAC and DAH?
Resolution

NOTE: When specifying ports to open through a firewall, these are only the destination ports; the firewall will also need to be configured to allow return traffic on the random source port.

Replication
Ports to open between the Primary and Replicas. NOTE: We recommend that you also follow the Administration section, since you may eventually promote a Replica to be a Primary.
securidprop_00        5505/tcp        # acesyncd for primary, replica 0
securidprop_01        5506/tcp        # acesyncd for replica 1
securidprop_02        5507/tcp        # acesyncd for replica 2
securidprop_03        5508/tcp        # acesyncd for replica 3
securidprop_04        5509/tcp        # acesyncd for replica 4
securidprop_05        5510/tcp        # acesyncd for replica 5
securidprop_06        5511/tcp        # acesyncd for replica 6
securidprop_07        5512/tcp        # acesyncd for replica 7
securidprop_08        5513/tcp        # acesyncd for replica 8
securidprop_09        5514/tcp        # acesyncd for replica 9
securidprop_10        5515/tcp        # acesyncd for replica 10
sdlog                 5520/tcp        # ACE Log Database
sdserv                5530/tcp        # ACE User Database
sdlockmgr             5560/tcp        # ACE Lock Manager
sdoad                 5580/tcp        # Authentication Manager Offline daemon
(no service name)     1812/tcp        # RSA RADIUS Server replication control port
NOTE: RADIUS replication must be open between a RADIUS Primary and any RADIUS Replicas you have.

Authentication
securid               5500/udp        # authentication listener port
sdoad                 5580/tcp        # Offline data & sdstatus.12 update
radius                1645/udp        # Legacy RADIUS (only if used)
radacct               1646/udp        # Legacy RADIUS Accounting (only if used)
TACACS                49/tcp          # IETF RADIUS (only if used)
radius                1812/udp        # IETF RADIUS (only if used)
radacct               1813/udp        # IETF RADIUS Accounting (only if used)
**if using agent auto registration**
sdadmind              5550/tcp        # used by auto registration

Cross Realm Authentication
securid               5500/udp        # Authentication listener port
* A range of UDP ports

Administration
sdlog                 5520/tcp        # ACE Log database
sdserv                5530/tcp        # ACE User Database
sdadmind              5550/tcp        # ACE Remote Administration
sdcommd               5570/tcp        # ACE Web Communications Daemon
(no service name)     1813/tcp        # Steel-Belted RADIUS Administrator port
                      8098/tcp        # Web GUI for RSA Appliance only
                      8198/tcp        # RDP for RSA Appliance only
** A range of UDP ports
NOTE 1: sdadmind must be opened between Remote Administration systems and the RSA server.
NOTE 2: 1813/tcp must be opened between the RSA RADIUS Server and the RSA server/Remote Administration system.
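The Replication, Authentication and Administration lists above are destination ports only, and the first NOTE in this Resolution says the return traffic on the random source port must also be allowed. The following added example (not RSA's code, and not part of the original article) transcribes those lists into a small Python table and generates stateful iptables FORWARD rules for a firewall between two hosts, so the reply path is covered by one conntrack rule instead of an open port range. The addresses are constructed TEST-NET placeholders, and the service names "radius-replication" and "sbr-admin" are placeholders for the two entries the article lists as "(no service name)".

```python
"""Build stateful iptables rules from the port lists in this article.

Added example, not RSA's code. The addresses used below are constructed
TEST-NET placeholders; the port numbers are the ones the article lists.
"""
from collections import namedtuple

Port = namedtuple("Port", "service number proto comment")


def replication_port(replica):
    """securidprop_NN listens on 5505 + NN; the article defines replicas 0-10."""
    if not 0 <= replica <= 10:
        raise ValueError("the article only defines securidprop_00 .. securidprop_10")
    return 5505 + replica


# Transcribed from the Replication, Authentication and Administration lists.
# Where the article says "(no service name)" a placeholder name is used.
PORTS = {
    "replication": [
        Port("securidprop_%02d" % n, replication_port(n), "tcp", "acesyncd for replica %d" % n)
        for n in range(11)
    ] + [
        Port("sdlog", 5520, "tcp", "ACE Log Database"),
        Port("sdserv", 5530, "tcp", "ACE User Database"),
        Port("sdlockmgr", 5560, "tcp", "ACE Lock Manager"),
        Port("sdoad", 5580, "tcp", "Authentication Manager Offline daemon"),
        Port("radius-replication", 1812, "tcp", "RSA RADIUS Server replication control (placeholder name)"),
    ],
    "authentication": [
        Port("securid", 5500, "udp", "authentication listener port"),
        Port("sdoad", 5580, "tcp", "offline data and sdstatus.12 update"),
    ],
    "administration": [
        Port("sdlog", 5520, "tcp", "ACE Log database"),
        Port("sdserv", 5530, "tcp", "ACE User Database"),
        Port("sdadmind", 5550, "tcp", "ACE Remote Administration"),
        Port("sdcommd", 5570, "tcp", "ACE Web Communications Daemon"),
        Port("sbr-admin", 1813, "tcp", "Steel-Belted RADIUS Administrator port (placeholder name)"),
    ],
}


def iptables_rules(section, src, dst):
    """Return FORWARD rules for a firewall sitting between src and dst.

    One rule per destination port in the section, plus a single conntrack
    rule for the reply traffic; that is how the random source port from the
    article's first NOTE is handled without opening it by number.
    """
    rules = []
    for p in PORTS[section]:
        rules.append(
            "-A FORWARD -s %s -d %s -p %s --dport %d "
            "-m conntrack --ctstate NEW,ESTABLISHED "
            '-m comment --comment "%s" -j ACCEPT' % (src, dst, p.proto, p.number, p.service)
        )
    rules.append(
        "-A FORWARD -s %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED "
        '-m comment --comment "return traffic" -j ACCEPT' % (dst, src)
    )
    return rules


if __name__ == "__main__":
    # Constructed addresses: 192.0.2.10 is the Primary, 192.0.2.11 a Replica.
    for section in PORTS:
        print("# %s" % section)
        for rule in iptables_rules(section, "192.0.2.10", "192.0.2.11"):
            print(rule)
```

The generated lines are in iptables-save syntax for the filter table; the RADIUS and TACACS "(only if used)" entries from the Authentication list are deliberately left out of the table so that a deployment that does not use them does not open them.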

RSA SecurID for Windows communication: the following ports need to be open for the following communication paths.
DAC -> DAH            Any DAC in the Forest to any DAH in the same.
                      2335/tcp
    sdoad             5580/tcp

DAH -> DAC            All DAHs to any and all DACs in the forest.
                      2334/tcp

DAH -> AM             All DAHs to all Authentication Managers.
    securid           5500/udp
    sdoad             5580/tcp

- On Windows-based ACE/Server (for ACE/Server versions 5.2 and 6.0):
1. Start -> Run -> Regedt32 -> HKEY_LOCAL_MACHINE -> SOFTWARE -> SDTI -> ACESERVER -> CurrentVersion
   (for a 6.1 server: Start -> Run -> Regedt32 -> HKEY_LOCAL_MACHINE -> SOFTWARE -> RSA Security -> RSA Authentication Manager -> CurrentVersion)
2. Add the following values:
   MinimumBEPort:REG_SZ:10000
   MaximumBEPort:REG_SZ:10010
NOTE: This example uses the port numbers 10000-10010; however, any ports within the range of 1025-65535 will work.

- On UNIX-based ACE/Server:
1. Make sure that no ACE/Server processes are running.
2. Edit the file aceserver (<path>/ace/prog/aceserver) and set the environment variables. Include the lines in the section of the startup script that sets the values for VAR_ACE, USR_ACE, and DLC. For example, if you wanted the minimum port to be 10000 and the maximum port to be 10010, include the following lines:
    MINIMUM_BE_PORT=10000
    export MINIMUM_BE_PORT
    MAXIMUM_BE_PORT=10010
    export MAXIMUM_BE_PORT
If you do not set the variables, the default values (1000-9999) are used. On the firewall, the above destination ports should be opened in both directions.
WARNING: Ensure the required range of port numbers is available at all times; if the RSA ACE/Server cannot bind to a port, a fatal exit will occur. Configure the correct range of port numbers and restart the Server.
NOTE: If the ACE/Server is reinstalled, the minimum and maximum ports will be reset to the default values.
3. Reset the minimum and maximum values to reflect the range of ports that you want to use.

NOTE: As part of remote administration, the ACE/Server will need to initiate a connection with the client to transfer information (e.g. logs). By default, this uses random UDP ports, but when setting firewall rules it is desirable to limit the ports. To do so, use these steps:
1. Stop the ACE/Server and brokers using the control panel applet (NT) or <path>/ace/prog/aceserver stop and <path>/ace/prog/sdconnect shutdown (UNIX).
2. In the ace\rdbms32 directory (Windows NT) or <path>/ace/rdbms (UNIX), make a backup copy of the startup.pf file. Rename it startup.old.
3. Open the startup.pf file in a text editor, and add the following lines to the end of the file:
   -minport minimum port number
   -maxport maximum port number
TCP does not use the port specified as the minimum port number. The first port used is always one greater than the specified minimum port number, so the range of ports specified must always include one more port than needed. If there are 10 remote connections, 20 ports are needed and a range of 21 ports must be specified. For example, to use ports 3001 through 3020, add the following lines:
    -minport 3000
    -maxport 3020
NOTE: Make sure the range of port numbers specified does not include port numbers used by other services. Also, Windows requires the port number to be 3000 or higher.
4. Restart the RSA ACE/Server using the control panel applet (Windows) or <path>/ace/prog/sdconnect start and <path>/ace/prog/aceserver start (UNIX).
5. Open the firewall ports defined in the startup.pf file in addition to the 55xx ports (see above).
6. Also note that ACE/Server 5.x versions require that the external IP addresses of ACE/Servers be added as "Aliases" to the Replica tables. For more information, see the solution "When running RSA ACE/Server on Solaris, which ports are used for Remote Administration to go through a firewall?"
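The two procedures above each ask the administrator to choose a port range by hand and carry the article's constraints in their notes: the BE range must lie within 1025-65535, the startup.pf range starts one port above -minport and needs two ports per remote connection, the range must not overlap ports used by other services, and Windows needs 3000 or higher. The following added example (not RSA's code, and not part of the original article) turns those rules into two small Python functions that produce the exact registry values, startup-script lines and startup.pf lines, and refuse a range that breaks one of the rules. The set of fixed service ports is transcribed from the tables in this article; the function and parameter names are the example's own.

```python
"""Derive the two port ranges described in the procedures above.

Added example, not RSA's code. It applies the article's own rules: the
back-end (BE) range must lie within 1025-65535, and a startup.pf range
starts one port above -minport, needs two ports per remote connection,
must not overlap other services, and on Windows must start at 3000 or higher.
"""

# Fixed destination ports from the tables in this article, used to detect overlap.
SERVICE_PORTS = set(range(5505, 5516)) | {5500, 5520, 5530, 5550, 5560, 5570, 5580,
                                          1812, 1813, 2334, 2335, 8098, 8198}


def be_port_settings(minimum, maximum, platform="windows"):
    """Return the registry values (Windows) or startup-script lines (UNIX)
    for the MinimumBEPort/MaximumBEPort range, after checking the range."""
    if not 1025 <= minimum <= maximum <= 65535:
        raise ValueError("BE port range must lie within 1025-65535")
    if platform == "windows":
        return ["MinimumBEPort:REG_SZ:%d" % minimum,
                "MaximumBEPort:REG_SZ:%d" % maximum]
    return ["MINIMUM_BE_PORT=%d" % minimum, "export MINIMUM_BE_PORT",
            "MAXIMUM_BE_PORT=%d" % maximum, "export MAXIMUM_BE_PORT"]


def startup_pf_range(first_port, remote_connections, windows=True):
    """Return the (-minport, -maxport) pair to add to startup.pf.

    TCP never uses -minport itself, so -minport is one below the first
    port actually used, and each remote connection needs two ports, so
    the range always has one more port than the connections need.
    """
    needed = 2 * remote_connections
    minport = first_port - 1
    maxport = first_port + needed - 1
    if windows and minport < 3000:
        raise ValueError("Windows requires the port number to be 3000 or higher")
    clash = SERVICE_PORTS & set(range(minport, maxport + 1))
    if clash:
        raise ValueError("range overlaps fixed service ports: %s" % sorted(clash))
    return minport, maxport


def startup_pf_lines(first_port, remote_connections, windows=True):
    """The two lines to append to startup.pf for the computed range."""
    minport, maxport = startup_pf_range(first_port, remote_connections, windows)
    return ["-minport %d" % minport, "-maxport %d" % maxport]


if __name__ == "__main__":
    print("\n".join(be_port_settings(10000, 10010)))                  # the article's registry example
    print("\n".join(be_port_settings(10000, 10010, platform="unix")))  # the article's UNIX example
    print("\n".join(startup_pf_lines(3001, 10)))                      # the article's 3001-3020 example
```

Running it reproduces the article's own numbers (10000-10010 for the BE range, and -minport 3000 / -maxport 3020 for ten remote connections using 3001-3020); asking for a startup.pf range that starts at 5501 is rejected because it would overlap the 55xx service ports listed earlier.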

Legacy Article ID: a18128
