Before installing an identity router virtual appliance, you must add an identity router record to the Cloud Authentication Service using the Cloud Administration Console. When performing this task, you obtain a unique Registration Code, which is required to connect the identity router virtual appliance to the Cloud Administration Console.
1. Sign in to the Cloud Administration Console.
2. Click Platform > Identity Routers.
3. On the Identity Routers page, click Add an Identity Router.
4. In the Name field, enter the Identity Router Proxy Interface FQDN value for this identity router from the RSA SecurID Access Solution Architecture Workbook. Using the FQDN guarantees that each identity router record has a unique name, and acts as a simple method to identify the corresponding identity router appliance on your network. If your company deploys FIDO Tokens and you change the FQDN after you add the identity router, all users who previously registered their tokens must register again.
5. (Optional) In the Description field, describe this identity router. Include the IP address and domain name of the identity router in the description field so that you can identify the corresponding identity router appliance on your network.
6. In the Portal Hostname field, enter the Identity Router Proxy Interface FQDN value for this identity router from the RSA SecurID Access Solution Architecture Workbook. This value must match the hostname you specify when you install and configure the identity router virtual appliance. The hostname must be within the protected domain for your network environment, and must be configured in your DNS server to point to the identity router proxy IP address.
   For more information, see Identity Router DNS Requirements.
7. From the Cluster drop-down menu, select the cluster to which this identity router belongs. RSA SecurID Access creates a default cluster that you must select when you add the first identity router. You can edit and rename the default cluster after you deploy at least one identity router. If your deployment already has multiple clusters, refer to the diagram of your deployment in the RSA SecurID Access Solution Architecture Workbook to determine which cluster to select.
8. From the Status drop-down menu, select Enabled.
9. In the Timeout (seconds) field, specify the length of time the Cloud Authentication Service attempts to communicate with an unresponsive identity router before logging an error and updating the connection status indicator.
10. Click Next Step.
11. (Optional) Configure one or more firewall rules to allow connections from specific IP addresses to specific ports on the identity router. See the Connectivity Requirements section of the RSA SecurID Access Solution Architecture Workbook for the list of firewall rules required for your deployment. For example, you can add a firewall rule to allow a load balancer to access the identity router status servlet on port 8080.
    a. From the Connection Method drop-down menu, select the connection method to allow.
    b. From the Protocol drop-down menu, select the protocol to allow.
    c. In the Port Range/Message Type field, enter the port or port range to open for the connection.
    d. In the Source Network field, enter the network address/prefix pair for the source network where the allowed connections will originate.
    e. (Optional) Click ADD. Repeat steps a through d to add each firewall rule.
12. (Optional) Configure one or more static routes if your company network requires the identity router to connect through specific network paths to access specific network resources. For example, you can add a static route to allow the identity router to access the Cloud Authentication Service through a specific gateway. Static routes are not required if all network resources are accessible through the default gateway connected to the identity router network interfaces.
    a. In the IP Address field, enter the IP address of the network resource.
    b. In the Network Mask field, enter the network mask of the network resource. For example, 255.255.255.0.
    c. In the Gateway field, enter the gateway address for the static route.
    d. From the Device drop-down menu, select the device type for the static route. The device type specifies whether the static route applies for connections to the proxy interface (Public) or the management interface (Private) of the identity router.
    e. (Optional) Click ADD. Repeat steps a through d to add each static route.
13. (Optional) Configure one or more static DNS entries if you need to enable this identity router to resolve specific hostnames that are not provided by the DNS server.
    a. In the IP Address field, enter the IP address for the static DNS entry.
    b. In the Aliases field, enter one or more hostname aliases for the static DNS entry, separated by a space.
    c. (Optional) Click ADD. Repeat steps a and b to add each static DNS entry.
14. Click Save and Next Step.
15. Under Registration Details, copy the Registration Code and Authentication Service Domain to a location where you can access them when you install and configure the identity router.
16. Click Close.
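A pre-flight check for the values entered in this procedure (Portal Hostname, firewall rule Port Range and Source Network, static route IP Address/Network Mask/Gateway), added here as an example and not part of RSA's documentation or product. The hostnames, addresses and the injectable `resolve` stub are assumptions; by default the hostname check performs a real DNS lookup.

```python
import ipaddress
import re
import socket

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    labels = name.rstrip(".").split(".")
    return 0 < len(name) <= 253 and all(LABEL.match(l) for l in labels)

def check_portal_hostname(fqdn, proxy_ip, protected_domain, resolve=socket.gethostbyname):
    """Portal Hostname must be an FQDN inside the protected domain that resolves to the proxy IP."""
    problems = []
    if not valid_hostname(fqdn) or not fqdn.lower().endswith("." + protected_domain.lower()):
        problems.append(f"{fqdn}: not a valid FQDN inside {protected_domain}")
    try:
        answer = resolve(fqdn)  # real lookup by default; pass a stub to run offline (assumption)
    except OSError:
        problems.append(f"{fqdn}: does not resolve in DNS")
    else:
        if answer != proxy_ip:
            problems.append(f"{fqdn}: resolves to {answer}, expected proxy IP {proxy_ip}")
    return problems

def check_firewall_rule(port_range, source_network):
    """Port Range is 'n' or 'lo-hi' within 1-65535; Source Network is address/prefix with no host bits."""
    problems = []
    lo, _, hi = port_range.partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit() and 1 <= int(lo) <= int(hi) <= 65535):
        problems.append(f"bad port range {port_range!r}")
    try:
        ipaddress.ip_network(source_network)  # strict: '10.20.0.1/16' is rejected (host bits set)
    except ValueError as exc:
        problems.append(f"bad source network {source_network!r}: {exc}")
    return problems

def check_static_route(ip, mask, gateway):
    """Return the normalised 'network/prefix via gateway' string, or a problem string."""
    try:
        dest = ipaddress.ip_network(f"{ip}/{mask}", strict=False)  # rejects non-contiguous masks
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return f"bad static route {ip}/{mask} via {gateway}: {exc}"
    return f"{dest} via {gw}"
```

Run the checks against the values from your Solution Architecture Workbook before typing them into the console; an empty list or a normalised route string means the value is well formed.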
After you finish