Before setting up an identity router virtual appliance or cloud-based instance, you must add an identity router record to the Cloud Authentication Service using the Cloud Administration Console. When performing this task, you obtain a unique Registration Code, which is required to connect the identity router to the Cloud Administration Console.
- Sign into the Cloud Administration Console.
- Click Platform > Identity Routers.
- On the Identity Routers page, click Add an Identity Router.
- From the Where do you want to deploy the identity router? drop-down menu, select the virtual machine or cloud-based computing service that will host the identity router.
- In the Name field, enter the Identity Router FQDN value for this identity router from your Quick Setup Guide. For on-premises identity routers, use the FQDN for the proxy interface. Using the FQDN guarantees that each identity router record has a unique name, and gives you a simple way to match the record to the corresponding identity router appliance on your network. If your company deploys FIDO tokens and you change the FQDN after you add the identity router, every user who previously registered a token must register it again.
- (Optional) In the Description field, describe this identity router. Include the IP address and domain name of the identity router in the description field so that you can identify the corresponding identity router appliance on your network.
- In the Portal Hostname field, enter the Identity Router FQDN value for this identity router from your Quick Setup Guide. For on-premises identity routers, use the FQDN for the proxy interface.
Note: This value must match the hostname you specify when you install and configure the identity router virtual appliance. The hostname must be within the protected domain for your network environment, and must be configured in your DNS server to point to the identity router IP address. For identity routers in the Amazon cloud, point to the public Elastic IP address. For on-premises identity routers, point to the proxy interface IP address.
For more information, see Identity Router DNS Requirements.
- From the Cluster drop-down menu, select the cluster to which this identity router belongs. RSA SecurID Access creates a default cluster that you must select when you add the first identity router. You can edit and rename the default cluster after you deploy at least one identity router. If your deployment already has multiple clusters, be sure to select the correct cluster.
- In the Timeout (seconds) field, specify the length of time the Cloud Authentication Service attempts to communicate with an unresponsive identity router before logging an error and updating the connection status indicator.
- Click Next Step.
- (Optional) Configure one or more firewall rules to allow connections from specific IP addresses to specific ports on the identity router. For example, you can add a firewall rule to allow a load balancer to access the identity router status servlet on port 8080.
See your Quick Setup Guide for the list of firewall rules required for your deployment.
Note: For identity routers in the Amazon cloud, you must also configure security groups in your Amazon Web Services environment to allow connections for the required ports and IP addresses.
- From the Connection Method drop-down menu, select the connection method to allow.
- From the Protocol drop-down menu, select the protocol to allow.
- In the Port Range/Message Type field, enter the port or port range to open for the connection.
- In the Source Network field, enter the network address/prefix pair for the source network where the allowed connections will originate, for example 10.20.30.0/24 (a constructed value; use the network address, not a host address, with the prefix).
- (Optional) Click ADD. Repeat steps a through d to add each firewall rule.
- (Optional) Configure one or more static routes if your company network requires the identity router to connect through specific network paths to access specific network resources. For example, you can add a static route to allow the identity router to access the Cloud Authentication Service through a specific gateway.
Note: Static route configuration is not available for identity routers in the Amazon cloud. Configure route tables in your Amazon Web Services environment to direct traffic from internal and external network resources through the appropriate gateway in your VPC. Static routes are not required if all network resources are accessible through the default gateway connected to the identity router network interfaces.
Note: Make sure the static route you enter is correct. The Cloud Authentication Service cannot validate the route before the identity router is registered. You can initiate validation by returning to this page after registration and clicking Save and Next Step.
- In the IP Address field, enter the IP address of the network resource.
- In the Network Mask field, enter the network mask of the network resource. For example, 255.255.255.0.
- In the Gateway field, enter the gateway address for the static route.
- From the Device drop-down menu, select the device type for the static route. The device type specifies whether the static route applies for connections to the proxy interface (Public) or the management interface (Private) of the identity router.
- (Optional) Click ADD. Repeat steps a through d to add each static route.
- (Optional) Configure one or more static DNS entries if you need to enable this identity router to resolve specific hostnames that are not provided by the DNS server.
- In the IP Address field, enter the IP address for the static DNS entry.
- In the Aliases field, enter one or more hostname aliases for the static DNS entry, separated by a space.
- (Optional) Click ADD. Repeat steps a and b to add each static DNS entry.
- Click Save and Next Step.
- Under Registration Details, copy the Registration Code and Authentication Service Domain to a location that you control access to and can reach when you install and configure the identity router. The Registration Code is what allows an appliance to connect to your Cloud Administration Console, so handle it like a credential rather than leaving it in a shared document or chat.
- Click Close.
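The console cannot validate a static route until the identity router is registered, and it never checks for you that the Portal Hostname resolves to the right address or that a firewall source network is really a network address. The script below is an added pre-flight check for the values you are about to type into the record; it is not RSA's code, and every hostname, address, subnet and the interface subnet passed to check_static_route are constructed assumptions. The set of protocol names (TCP/UDP taking a port range, ICMP taking a message type) is also an assumption about the Protocol and Port Range/Message Type fields.

```python
"""Pre-flight checks for an identity router record (added example, not RSA code).

All sample hostnames, addresses and subnets are constructed. The interface
subnet given to check_static_route is an assumption about your own network.
"""
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Tuple

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_portal_hostname(fqdn: str, expected_ip: str,
                          resolve: Optional[Callable[[str], List[str]]] = None) -> bool:
    """True if fqdn resolves to exactly expected_ip (the proxy interface IP on
    premises, the Elastic IP in Amazon). `resolve` is injectable so the check
    can run offline against a constructed answer set; default is the system resolver."""
    if resolve is None:
        def resolve(name: str) -> List[str]:
            return socket.gethostbyname_ex(name)[2]
    try:
        answers = resolve(fqdn)
    except OSError:          # NXDOMAIN, resolver unreachable, etc.
        return False
    return set(answers) == {expected_ip}


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'8080' -> (8080, 8080); '8000-8100' -> (8000, 8100). ValueError otherwise."""
    parts = spec.strip().split("-")
    if len(parts) not in (1, 2):
        raise ValueError(f"bad port range {spec!r}")
    lo, hi = int(parts[0]), int(parts[-1])
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range {spec!r} is out of order or outside 1-65535")
    return lo, hi


def check_firewall_rule(protocol: str, port_or_type: str, source_network: str) -> dict:
    """Validate one firewall rule. The source must be a network address/prefix
    pair, so an address with host bits set (10.20.30.5/24) is rejected."""
    proto = protocol.upper()
    if proto in ("TCP", "UDP"):
        ports = parse_port_range(port_or_type)
    elif proto == "ICMP":                      # assumed: field carries a message type
        mtype = int(port_or_type)
        if not 0 <= mtype <= 255:
            raise ValueError(f"ICMP message type {mtype} outside 0-255")
        ports = (mtype, mtype)
    else:
        raise ValueError(f"unsupported protocol {protocol!r}")
    net = ipaddress.ip_network(source_network, strict=True)   # ValueError on host bits
    return {"protocol": proto, "ports": ports, "source": str(net)}


def check_static_route(ip: str, mask: str, gateway: str, iface_network: str):
    """Validate a static route before saving it. iface_network is the subnet of
    the interface the Device field selects (Public = proxy, Private = management);
    the gateway must be a directly connected host on that subnet."""
    dest = ipaddress.ip_network(f"{ip}/{mask}", strict=False)   # rejects a malformed mask
    if dest.network_address != ipaddress.ip_address(ip):
        raise ValueError(f"{ip} is not the network address for mask {mask}; "
                         f"use {dest.network_address}")
    gw = ipaddress.ip_address(gateway)
    iface = ipaddress.ip_network(iface_network, strict=False)
    if gw not in iface:
        raise ValueError(f"gateway {gateway} is not on the interface subnet {iface}")
    return dest


def hosts_line(ip: str, aliases: str) -> str:
    """Render a static DNS entry as a hosts-file line: IP then space-separated
    aliases, each alias checked as a syntactically valid DNS name."""
    ipaddress.ip_address(ip)
    names = aliases.split()
    if not names:
        raise ValueError("at least one alias is required")
    for name in names:
        if len(name) > 253 or not all(LABEL.match(lbl) for lbl in name.split(".")):
            raise ValueError(f"invalid hostname alias {name!r}")
    return f"{ip} {' '.join(names)}"


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; handy for probing the validators."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def preflight() -> List[str]:
    """Run every check on a constructed record and return the rendered results."""
    fake_dns = {"idr1.corp.example.com": ["203.0.113.10"]}      # constructed answer set
    out = []
    ok = check_portal_hostname("idr1.corp.example.com", "203.0.113.10", lambda n: fake_dns[n])
    out.append("portal hostname ok" if ok else "portal hostname MISMATCH")
    rule = check_firewall_rule("TCP", "8080", "10.20.30.0/24")   # load balancer -> status servlet
    out.append(f"firewall {rule['protocol']} {rule['ports']} from {rule['source']}")
    route = check_static_route("10.50.0.0", "255.255.0.0", "192.168.1.1", "192.168.1.0/24")
    out.append(f"route {route} via 192.168.1.1 (Private)")
    out.append("hosts " + hosts_line("10.50.4.20", "ldap.corp.example.com ldap"))
    return out


if __name__ == "__main__":
    for line in preflight():
        print(line)
```

Run it with the real resolver (omit the `resolve` argument) from a host that uses the same DNS servers the identity router will, since a split-horizon zone can give the console operator a different answer than the appliance gets. The gateway check is deliberately strict: a gateway outside the interface subnet is the mistake the console cannot catch before registration.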
After you finish