Identity Router Network Interfaces and Default Ports

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Feb 18, 2020. Version 46.

This topic describes the network interface configurations required for different types of deployments. It also provides the default ports and protocols used for incoming and outgoing identity router traffic.

For more information, see:

Network Interface Requirements and Recommendations

RSA recommends using two network interfaces for SSO Agent deployments with an on-premises identity router. All other deployments, including RADIUS, Relying Party, and Amazon Cloud, require one, as described in the following table.

                       
Network InterfacePurpose Deployment Type

Proxy

Used for external traffic between users and protected applications.Recommended for SSO Agent deployments with on-premises identity routers
ManagementUsed for internal traffic between the identity router and all other on-premises or cloud-based network components in the deployment.Required for all deployments.

For on-premises identity routers, these interfaces are configured on the virtual appliance and connected to your network. You assign each interface an IP address and a domain name. RSA recommends that each interface be located on a separate subnet for security reasons. The identity router does not bridge traffic between the two interfaces.

Note: After you deploy an identity router with one network interface, you cannot change the configuration to support two network interfaces. You must deploy a new identity router with two network interfaces.

Incoming Traffic for On-Premises Identity Routers

You must configure incoming traffic to connect to either the management interface or the proxy interface, as specified in Ports for Identity Router Incoming Traffic.

Outgoing Traffic for On-Premises Identity Routers

Outgoing traffic for on-premises identity routers is managed as follows:

  • Any destination hosts on the same subnet as an identity router interface are reached through that interface. For example, if the identity source is on the same subnet as the management interface, then the LDAP service uses the management interface. A default gateway is not used.

  • You may configure static routes to force specific traffic to use the management interface. For example, if the RSA Authentication Manager server is in a different subnet from both identity router interfaces, you can add a static route for traffic to Authentication Manager to use the management interface.

  • In deployments with two network interfaces, all other traffic is routed through the default gateway specified for the proxy interface.
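The three routing rules above, as an added Python illustration (not RSA code, and not the appliance's real implementation). The interface addresses, subnets and the static route are constructed sample values; the one-interface fallback to the management interface's default gateway is an assumption drawn from the note under Ports for Identity Router Outgoing Traffic.

```python
"""Outbound interface selection for an on-premises identity router.

Added illustration of the routing rules on this page; not RSA code.
Addresses, subnets and the static route are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str                      # "management" or "proxy"
    cidr: str                      # interface address with prefix, e.g. "10.10.1.5/24"
    gateway: Optional[str] = None  # default gateway configured for this interface


@dataclass
class StaticRoute:
    prefix: str     # destination network, e.g. "10.20.0.0/16"
    interface: str  # interface the traffic is forced to use (normally management)
    next_hop: str   # router on that interface's subnet


@dataclass
class RouterConfig:
    interfaces: List[Interface]
    static_routes: List[StaticRoute] = field(default_factory=list)

    def interface(self, name: str) -> Optional[Interface]:
        return next((i for i in self.interfaces if i.name == name), None)


def select_egress(cfg: RouterConfig, destination: str) -> Tuple[str, Optional[str]]:
    """Return (interface name, next hop). The next hop is None when the
    destination is on-link, because no gateway is used in that case."""
    dest = ip_address(destination)

    # Rule 1: a destination on an interface's own subnet is reached through
    # that interface directly; the default gateway is not used.
    for iface in cfg.interfaces:
        if dest in ip_interface(iface.cidr).network:
            return iface.name, None

    # Rule 2: a static route forces the traffic onto the named interface;
    # the most specific matching prefix wins.
    best: Optional[StaticRoute] = None
    for route in cfg.static_routes:
        net = ip_network(route.prefix)
        if dest in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = route
    if best is not None:
        return best.interface, best.next_hop

    # Rule 3: all other traffic uses the proxy interface's default gateway when
    # two interfaces exist. With one interface only the management interface
    # exists, so its gateway is used (assumption, see the outgoing-traffic note).
    fallback = cfg.interface("proxy") or cfg.interface("management")
    if fallback is None or fallback.gateway is None:
        raise ValueError("no default gateway configured")
    return fallback.name, fallback.gateway


# Constructed sample configurations (not from a real deployment).
TWO_NIC = RouterConfig(
    interfaces=[
        Interface("management", "10.10.1.5/24", "10.10.1.1"),
        Interface("proxy", "192.0.2.10/24", "192.0.2.1"),
    ],
    # e.g. Authentication Manager in 10.20.0.0/16, forced onto management
    static_routes=[StaticRoute("10.20.0.0/16", "management", "10.10.1.1")],
)
ONE_NIC = RouterConfig(interfaces=[Interface("management", "10.10.1.5/24", "10.10.1.1")])

if __name__ == "__main__":
    for dst in ("10.10.1.20", "10.20.5.7", "203.0.113.9", "192.0.2.50"):
        print(dst, "->", select_egress(TWO_NIC, dst))
    print("203.0.113.9 (one interface) ->", select_egress(ONE_NIC, "203.0.113.9"))
```

Running the block shows an LDAP server on the management subnet reached on-link, an Authentication Manager address reached via the static route, and an internet destination leaving through the proxy gateway; with one interface the same destination leaves through the management gateway.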

Network Interface for Identity Routers in the Amazon Cloud

When deployed in the AWS cloud, the identity router has only one virtual network interface to which you assign a domain name, a private IP address, and, optionally, a public Elastic IP address. The private address is accessible only from your network, while the public Elastic IP address is accessible from the internet. You must configure security groups, route tables, and network access control lists in your AWS environment to allow either public or private network access for each service, depending on how the other network components in your deployment will connect to the identity router, and the requirements specified in the Network Accessibility for Amazon Identity Routers column in the following tables.

Ports for Identity Router Incoming Traffic

                                                                      
ServiceDescriptionDeploymentOne Network Interface Two Network Interfaces
Management Interface (eth0)

Proxy Interface (eth1)

SSHSSH for identity router troubleshooting. This port is not open by default. All (optional)TCP 22TCP 22  
HTTPSTraffic related to the Identity Router Setup Console, and RSA Authentication Manager integration.AllTCP 9786TCP 443  
HTTPSLoad balancer and end-user web browser traffic for connections to the application portal and applications. Includes status servlet.SSO AgentTCP 443 TCP 443
RADIUSRADIUS traffic. This port is not opened by default. RADIUSUDP 1812 UDP 1812 
Identity router synchronizationSynchronization traffic among identity routers in a cluster.

SSO Agent (high availability)

TCP 7900 and TCP 7902

TCP 7900 and TCP 7902

 

Cluster synchronizationSynchronization traffic between clusters.SSO Agent with multiple clustersTCP 7910 TCP 7910

 
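A defender-side check derived from the incoming port table, added here as an example (not RSA tooling): it parses `ss -lntu` style output from the identity router, maps each listening socket to an interface, and flags sockets that the table does not list for an SSO Agent (high availability) deployment with two network interfaces, as well as required listeners that are absent. The `ss` output and the eth0/eth1 addresses are constructed sample values.

```python
"""Compare an identity router's listening sockets with the incoming port table.

Added example, not RSA code. The `ss -lntu` output and the interface
addresses below are constructed sample data, not captured from a real system.
"""
from typing import Dict, Set, Tuple

Listener = Tuple[str, str, int]  # (interface, protocol, port)

# Ports the table lists for an SSO Agent (high availability) deployment with
# two interfaces. SSH (TCP 22) is optional, so it is allowed but not required.
EXPECTED: Dict[str, Set[Tuple[str, int]]] = {
    "eth0": {("tcp", 443), ("tcp", 7900), ("tcp", 7902)},
    "eth1": {("tcp", 443)},
}
OPTIONAL: Dict[str, Set[Tuple[str, int]]] = {"eth0": {("tcp", 22)}, "eth1": set()}

# Assumed interface addresses of the sample router.
INTERFACES = {"10.10.1.5": "eth0", "192.0.2.10": "eth1"}

# Constructed `ss -lntu` output: the expected listeners plus a stray service
# on TCP 8080 bound to all addresses and RADIUS open on the proxy interface.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    10.10.1.5:443       0.0.0.0:*
tcp   LISTEN 0      128    10.10.1.5:7900      0.0.0.0:*
tcp   LISTEN 0      128    10.10.1.5:7902      0.0.0.0:*
tcp   LISTEN 0      128    192.0.2.10:443      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
udp   UNCONN 0      0      192.0.2.10:1812     0.0.0.0:*
"""


def parse_ss(text: str) -> Set[Listener]:
    """Return (interface, proto, port) for every listening socket.
    A wildcard local address (0.0.0.0, *, [::]) is reported on every interface."""
    listeners: Set[Listener] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if addr in ("0.0.0.0", "*", "[::]"):
            ifaces = set(INTERFACES.values())
        else:
            ifaces = {INTERFACES.get(addr, "unknown")}
        for iface in ifaces:
            listeners.add((iface, proto, int(port)))
    return listeners


def audit(listeners: Set[Listener],
          expected: Dict[str, Set[Tuple[str, int]]] = EXPECTED,
          optional: Dict[str, Set[Tuple[str, int]]] = OPTIONAL) -> Dict[str, Set[Listener]]:
    """Report listeners outside the allow list and required listeners that are missing."""
    unexpected: Set[Listener] = set()
    missing: Set[Listener] = set()
    for iface, proto, port in listeners:
        allowed = expected.get(iface, set()) | optional.get(iface, set())
        if (proto, port) not in allowed:
            unexpected.add((iface, proto, port))
    for iface, ports in expected.items():
        for proto, port in ports:
            if (iface, proto, port) not in listeners:
                missing.add((iface, proto, port))
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    report = audit(parse_ss(SAMPLE_SS))
    for key in ("unexpected", "missing"):
        for iface, proto, port in sorted(report[key]):
            print(f"{key}: {iface} {proto}/{port}")
```

On the sample data the check reports TCP 8080 on both interfaces and UDP 1812 on eth1 as unexpected (RADIUS is not part of an SSO Agent deployment), and nothing missing. Running the same comparison against an on-premises router's real `ss -lntu` output, with the expected sets adjusted to the deployment type in the table, gives a quick confirmation that only documented services are exposed on each interface.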

Ports for Identity Router Outgoing Traffic

Note: All deployments with an on-premises identity router with one network interface should use the management interface.

Service | Description | Deployment | Connection initiated from: Hyper-V or VMware Identity Router with Two Network Interfaces* | Connection initiated from: Hyper-V or VMware Identity Router with One Network Interface | Amazon Identity Router (Network Accessibility) | Destination Protocol and Port
--------|-------------|------------|---|---|---|---
SFTP | (Optional) SFTP backup server IP address for user profile data (keychain) backup | SSO Agent | Proxy. RSA recommends adding a static route to use the management interface. | Management | Private | TCP 22
DNS lookups | Enables the identity router to look up the IP addresses of the hostnames to which it connects, including the Cloud Authentication Service and identity sources. | All | Proxy. RSA recommends using the management interface: ensure that both DNS and NTP are on the same subnet as the management interface, or add a static route. | Management | Public or Private | UDP 53
NTP synchronization | NTP server IP addresses | All | Proxy. RSA recommends using the management interface: ensure that both NTP and DNS are on the same subnet as the management interface, or add a static route. | Management | Public or Private | UDP 123
LDAP | LDAP directory server IP address for unencrypted LDAP directory server user authentication and authorization. RSA does not recommend using this port. | All | Proxy. RSA recommends adding a static route to use the management interface. | Management | Private | TCP 389 (may vary depending on your LDAP server configuration)
LDAP (SSL/TLS) | LDAP directory server IP address for LDAP directory server user authentication and authorization | All | Proxy. RSA recommends adding a static route to use the management interface. | Management | Private | TCP 636 (may vary depending on your LDAP server configuration)
HTTP for HFED | On-premises application server IP addresses that require HTTP. RSA does not recommend this configuration. | SSO Agent | Proxy | Management | Private | TCP 80 or application-specific port
HTTPS for HFED | On-premises application server IP addresses, optional custom portal server IP address | SSO Agent | Proxy | Management | Public or Private | TCP 443 or application-specific port
Secure connection from the identity router to the Cloud Authentication Service and Cloud Administration Console | securid.com, optional custom portal server IP address. For current Cloud Authentication Service IP addresses, see Test Access to Cloud Authentication Service. | All | Proxy | Management | Public or Private | TCP 443 or application-specific port
Audit logging (syslog) | (Optional) Syslog server IP address for audit log aggregation | All | Proxy. RSA recommends adding a static route to use the management interface. | Management | Private | UDP 514
RSA Authentication Manager | (Optional) RSA Authentication Manager server IP address | | Proxy. RSA recommends adding a static route to use the management interface. | Management | Private | TCP 5500

