Identity Router Network Interfaces and Default Ports

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Nov 15, 2019.

This topic describes the network interface configurations required for different types of deployments. It also provides the default ports and protocols used for incoming and outgoing identity router traffic.

Note:  If your service uses a custom port, then you must open that port instead of the default port.


Network Interface Requirements

SSO Agent deployments with an on-premises identity router require two network interfaces. All other deployments, including RADIUS, Relying Party, and Amazon Cloud, require one, as described in the following table.

| Network Interface | Purpose | Deployment Type |
|---|---|---|
| Proxy | Used for external traffic between users and protected applications. | Recommended for SSO Agent deployments with on-premises identity routers. |
| Management | Used for internal traffic between the identity router and all other on-premises or cloud-based network components in the deployment. | Required for all deployments. |

For on-premises identity routers, these interfaces are deployed as a virtual appliance on your network using VMware or Microsoft Hyper-V. You assign each interface an IP address and a domain name. RSA recommends that each interface be located on a separate subnet for security reasons. The identity router does not bridge traffic between the two interfaces.

Incoming Traffic for On-Premises Identity Routers

You must configure incoming traffic to connect to either the management interface or the proxy interface, as specified in the Network Interfaces for On-Premises Identity Routers column of the Identity Router Incoming Traffic table.

Outgoing Traffic for On-Premises Identity Routers

Outgoing traffic for on-premises identity routers is managed as follows:

  • Any destination hosts on the same subnet as an identity router interface are reached through that interface. For example, if the identity source is on the same subnet as the management interface, then the LDAP service uses the management interface. A default gateway is not used.

  • You may configure static routes to force specific traffic to use the management interface. For example, if the RSA Authentication Manager server is in a different subnet from both identity router interfaces, you can add a static route for Authentication Manager to use the management interface.

  • In deployments with two network interfaces, all other traffic is routed through the default gateway specified for the proxy interface.
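The three routing rules above, worked through as an added example (not RSA's code): the subnets, the static route and the destinations are constructed for illustration, and the helper also lists which mgmt-preferred services from the outgoing table would still leave through the proxy default gateway.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for illustration (not RSA's values):
# each on-premises identity router interface and its subnet.
INTERFACES = {
    "mgmt": ip_network("10.10.1.0/24"),
    "proxy": ip_network("192.0.2.0/24"),
}
# Static routes that force specific destinations onto an interface, e.g. an
# RSA Authentication Manager subnet that is not directly connected to either one.
STATIC_ROUTES = {
    ip_network("10.20.5.0/24"): "mgmt",
}
# Outgoing services the page says should reach their destination via mgmt
# (it recommends a static route or placing them on the mgmt subnet).
MGMT_PREFERRED = {"SFTP", "DNS lookups", "NTP synchronization", "LDAP",
                  "LDAP (SSL)", "Audit logging (syslog)", "RSA Authentication Manager"}


def egress_interface(destination, two_interfaces=True,
                     interfaces=INTERFACES, static_routes=STATIC_ROUTES):
    """Return the interface used to reach destination, in the page's order:
    directly connected subnet, then static route, then the default gateway,
    which belongs to the proxy interface when there are two interfaces and to
    mgmt when the on-premises identity router has only one."""
    dst = ip_address(destination)
    for name, subnet in interfaces.items():
        if dst in subnet:
            return name
    for prefix, name in static_routes.items():
        if dst in prefix:
            return name
    return "proxy" if two_interfaces else "mgmt"


def static_routes_needed(services, **kwargs):
    """services: mapping of outgoing service name -> destination IP string.
    Returns the mgmt-preferred services that would currently leave through the
    proxy default gateway, i.e. the ones still missing a static route."""
    return {name: dest for name, dest in services.items()
            if name in MGMT_PREFERRED and egress_interface(dest, **kwargs) == "proxy"}
```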

Network Interface for Identity Routers in the Amazon Cloud

When deployed in the AWS cloud, the identity router has only one virtual network interface to which you assign a domain name, a private IP address, and, optionally, a public Elastic IP address. The private address is accessible only from your network, while the public Elastic IP address is accessible from the internet. You must configure security groups, route tables, and network access control lists in your AWS environment to allow either public or private network access for each service, depending on how the other network components in your deployment will connect to the identity router, and the requirements specified in the Network Accessibility for Amazon Identity Routers column in the following tables.

Identity Router Incoming Traffic

| Service | Description | Network Interfaces for On-Premises Identity Routers | Network Accessibility for Amazon Identity Routers | Protocol and Port | Deployment |
|---|---|---|---|---|---|
| SSH | (Optional) SSH for identity router troubleshooting. This port is not open by default. | Mgmt | Private | TCP 22 | All |
| HTTPS | Traffic related to the Identity Router Setup Console and RSA Authentication Manager integration. | Mgmt | Private | Two network interfaces, on-premises: management TCP 443. One network interface (including Amazon): TCP 9786. | All |
| HTTPS | Load balancer and end-user web browser traffic for connections to the application portal and applications. Includes the status servlet. | Proxy | Private and/or Public | TCP 443 | SSO Agent |
| RADIUS | RADIUS traffic. This port is not open by default. | Mgmt | Private | UDP 1812 | RADIUS for Cloud Authentication Service |
| Identity router synchronization | Synchronization traffic among identity routers in a cluster. | Mgmt | Private | TCP 7900 and 7902 | SSO Agent |
| Cluster synchronization | Synchronization traffic between clusters. | Proxy | Private | TCP 7910 | SSO Agent |
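An added example (not RSA's code) that checks a set of inbound security-group rules against the incoming-traffic table above: it flags private-only services exposed to the whole internet and rules for ports the table does not list, and honours the note that a custom port replaces the default one. The rules and deployment labels are constructed for illustration.

```python
from ipaddress import ip_network

# Inbound services from the incoming-traffic table on this page, as
# (protocol, port, accessibility, deployment). Accessibility is the "Network
# Accessibility for Amazon Identity Routers" column; "public" means the page
# allows private and/or public. Deployment labels are this example's own.
EXPECTED_INBOUND = [
    ("tcp", 22,   "private", "all"),        # SSH (optional, not open by default)
    ("tcp", 9786, "private", "all"),        # Setup Console / AM integration, one interface
    ("tcp", 443,  "public",  "sso_agent"),  # portal and application traffic
    ("udp", 1812, "private", "radius"),     # RADIUS (not open by default)
    ("tcp", 7900, "private", "sso_agent"),  # identity router synchronization
    ("tcp", 7902, "private", "sso_agent"),
    ("tcp", 7910, "private", "sso_agent"),  # cluster synchronization
]


def is_public(source_cidr):
    """A rule is public when its source is the whole address space."""
    return ip_network(source_cidr).prefixlen == 0


def audit_inbound_rules(rules, deployment, custom_ports=None):
    """rules: iterable of (protocol, port, source_cidr) from a security group.
    custom_ports: optional {default_port: custom_port} when a service was moved
    off its default (the page says to open the custom port instead).
    Returns (over_exposed, unexpected): rules opening a private-only service to
    the internet, and rules for ports the page does not list for this deployment."""
    custom_ports = custom_ports or {}
    expected = {}
    for proto, port, access, dep in EXPECTED_INBOUND:
        if dep in ("all", deployment):
            expected[(proto, custom_ports.get(port, port))] = access
    over_exposed, unexpected = [], []
    for proto, port, src in rules:
        access = expected.get((proto.lower(), port))
        if access is None:
            unexpected.append((proto, port, src))
        elif access == "private" and is_public(src):
            over_exposed.append((proto, port, src))
    return over_exposed, unexpected
```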

Identity Router Outgoing Traffic

Note:  All deployments with an on-premises identity router with one network interface should use the management interface.

| Service | Destination | Network Interface for On-Premises Identity Routers | Network Accessibility for Amazon Identity Routers | Protocol and Port | Deployment |
|---|---|---|---|---|---|
| SFTP | (Optional) SFTP backup server IP address for user profile data (keychain) backup | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | TCP 22 | SSO Agent |
| HTTP for HFED | SaaS and on-premise application server IP addresses that require HTTP. RSA does not recommend this configuration. | Proxy | Private | TCP 80 | SSO Agent |
| DNS lookups | DNS server IP address | Proxy. Note: RSA recommends using the mgmt interface. To do this, ensure that both DNS and NTP are on the same subnet as the mgmt interface, or add a static route. | Public or Private | UDP 53 | All |
| NTP synchronization | NTP server IP addresses | Proxy. Note: RSA recommends using the mgmt interface. To do this, ensure that both NTP and DNS are on the same subnet as the mgmt interface, or add a static route. | Public or Private | UDP 123 | All |
| LDAP | LDAP directory server IP address for unencrypted LDAP directory server user authentication and authorization. RSA does not recommend using this port. | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | TCP 389 (may vary depending on your LDAP server configuration) | All |
| LDAP (SSL) | LDAP directory server IP address for LDAP directory server user authentication and authorization | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | TCP 636 (may vary depending on your LDAP server configuration) | All |
| HTTPS for HFED and secure connection to the Cloud Authentication Service and Cloud Administration Console | securid.com, SaaS and on-premise application server IP addresses, optional custom portal server IP address | Proxy | Public or Private | TCP 443 | All |
| Audit logging (syslog) | (Optional) Syslog server IP address for audit log aggregation | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | UDP 514 | All |
| RSA Authentication Manager | (Optional) RSA Authentication Manager server IP address | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | Private | TCP 5500 | All |
