Identity Router Network Interfaces and Default Ports

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Nov 16, 2018. Version 32.

The identity router uses the ports and protocols specified in the tables below for incoming and outgoing traffic by default, and has different network interface configurations depending on whether it is deployed on-premises or in the Amazon Web Services (AWS) cloud.

Note: If your service uses a custom port, then you must open that port instead of the default port.

Network Interfaces for On-Premises Identity Routers

When deployed as a virtual appliance on your network using VMware or Microsoft Hyper-V, each identity router contains two active network interfaces: proxy and management. You assign each interface an IP address and a domain name. The proxy interface is used for all interaction between users and protected applications. The management interface is used for interaction between the identity router and all other on-premises or cloud-based network components that are part of the RSA SecurID Access deployment. For security reasons, RSA recommends that the proxy and management interfaces be located on separate subnets. The identity router does not bridge traffic between the two interfaces.

You must configure incoming traffic to connect to either the management interface or the proxy interface as specified in the Network Interface for On-Premises Identity Routers column in the Identity Router Incoming Traffic table below. Outgoing traffic for on-premises identity routers is managed as follows:

  • Any destination hosts on the same subnet as an identity router interface are reached through that interface. For example, if the identity source is on the same subnet as the mgmt interface, then the LDAP service uses the mgmt interface. A default gateway is not used.

  • You may configure static routes to force specific traffic to use the mgmt interface. For example, if the RSA Authentication Manager server is in a different subnet from both identity router interfaces, you can add a static route for Authentication Manager to use the mgmt interface.

  • All other traffic is routed through the default gateway specified for the proxy interface.
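The three outgoing-traffic rules above, as an added Python example (not RSA's code or tooling): it decides which on-premises interface a destination is reached through and flags services that RSA recommends steering to mgmt but that would leave through proxy. The interface subnets, static routes and destination addresses are constructed values, not taken from the RSA documentation.

```python
import ipaddress

# Constructed example values (assumptions for illustration only):
# the mgmt and proxy interfaces sit on separate subnets, as RSA recommends.
INTERFACES = {
    "mgmt": ipaddress.ip_network("10.10.20.0/24"),
    "proxy": ipaddress.ip_network("10.10.10.0/24"),
}


def choose_egress_interface(destination, static_routes=None):
    """Return the interface an on-premises identity router uses to reach
    `destination`, applying the three documented rules in order:
    1. a destination on an interface's own subnet uses that interface
       (no default gateway involved);
    2. a destination covered by a static route uses the interface that
       route names (in practice mgmt);
    3. everything else leaves through the proxy interface's default gateway.
    `static_routes` maps a CIDR string to an interface name."""
    dst = ipaddress.ip_address(destination)
    for name, subnet in INTERFACES.items():
        if dst in subnet:
            return name
    for route_net, iface in (static_routes or {}).items():
        if dst in ipaddress.ip_network(route_net):
            return iface
    return "proxy"


def audit_egress(services, static_routes=None):
    """Check each service's egress path against the documented recommendation.
    `services` maps a service name to (destination IP, wants_mgmt), where
    wants_mgmt is True for services RSA recommends reaching via mgmt
    (LDAP, syslog, Authentication Manager, SFTP backup, DNS, NTP).
    Returns service -> (chosen interface, misrouted flag)."""
    findings = {}
    for service, (dest, wants_mgmt) in services.items():
        iface = choose_egress_interface(dest, static_routes)
        findings[service] = (iface, bool(wants_mgmt) and iface != "mgmt")
    return findings


if __name__ == "__main__":
    # Constructed sample: Authentication Manager sits on a third subnet.
    sample = {"RSA Authentication Manager": ("192.168.5.10", True)}
    print("without static route:", audit_egress(sample))
    print("with static route:   ",
          audit_egress(sample, {"192.168.5.0/24": "mgmt"}))
```

Services flagged as misrouted need either a static route to mgmt or a move onto the mgmt subnet; otherwise they leave through the proxy interface's default gateway.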

Network Interface for Identity Routers in the Amazon Cloud

When deployed in the AWS cloud, the identity router has only one virtual network interface to which you assign a domain name, a private IP address, and, optionally, a public Elastic IP address. The private address is accessible only from your network, while the public Elastic IP address is accessible from the internet. You must configure security groups, route tables, and network access control lists in your AWS environment to allow either public or private network access for each service, depending on how the other network components in your deployment will connect to the identity router, and the requirements specified in the Network Accessibility for Amazon Identity Routers column in the following tables.

Identity Router Incoming Traffic

| Service | Description | Network Interface for On-Premises Identity Routers | Network Accessibility for Amazon Identity Routers | Protocol and Port | Deployment |
|---|---|---|---|---|---|
| SSH | (Optional) SSH for identity router troubleshooting. This port is not open by default. | Mgmt | Private | TCP 22 | All |
| HTTPS | Traffic related to the Identity Router Setup Console, identity router status servlet, and RSA Authentication Manager integration. | Mgmt | Private | On-premises: TCP 443; Amazon: TCP 9786 | All |
| HTTPS | Load balancer and end-user web browser traffic for connections to the application portal and applications. | Proxy | Private and/or Public | TCP 443 | SSO Agent |
| RADIUS | RADIUS traffic. This port is not open by default. | Mgmt | Private | UDP 1812 | RADIUS for Cloud Authentication Service |
| Identity router synchronization | Synchronization traffic among identity routers in a cluster | Mgmt | Private | TCP 7900 and 7902 | SSO Agent |
| Cluster synchronization | Synchronization traffic between clusters | Proxy | Private | TCP 7910 | SSO Agent |

Identity Router Outgoing Traffic

| Service | Destination | Network Interface for On-Premises Identity Routers | Network Accessibility for Amazon Identity Routers | Protocol and Port | Deployment |
|---|---|---|---|---|---|
| SFTP | (Optional) SFTP backup server IP address for user profile data (keychain) backup | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | TCP 22 | SSO Agent |
| HTTP for HFED | SaaS and on-premise application server IP addresses that require HTTP. RSA does not recommend this configuration. | Proxy | Private | TCP 80 | SSO Agent |
| DNS lookups | DNS server IP address | Proxy. Note: RSA recommends using the mgmt interface. To do this, ensure that both DNS and NTP are on the same subnet as the mgmt interface, or add a static route. | Public or Private | UDP 53 | All |
| NTP synchronization | NTP server IP addresses | Proxy. Note: RSA recommends using the mgmt interface. To do this, ensure that both NTP and DNS are on the same subnet as the mgmt interface, or add a static route. | Public or Private | UDP 123 | All |
| LDAP | LDAP directory server IP address for unencrypted LDAP directory server user authentication and authorization. RSA does not recommend using this port. | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | TCP 389 (may vary depending on your LDAP server configuration) | All |
| LDAP (SSL) | LDAP directory server IP address for LDAP directory server user authentication and authorization | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | TCP 636 (may vary depending on your LDAP server configuration) | All |
| HTTPS for HFED and secure connection to the Cloud Authentication Service and Cloud Administration Console | securid.com, SaaS and on-premise application server IP addresses, optional custom portal server IP address | Proxy | Public or Private | TCP 443 | All |
| Audit logging (syslog) | (Optional) Syslog server IP address for audit log aggregation | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | UDP 514 | All |
| RSA Authentication Manager | (Optional) RSA Authentication Manager server IP address | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | TCP 5500 | All |

 

 
