Identity Router Default Ports and Interfaces

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Oct 20, 2017. Version 22.

The identity router uses the following default ports and identity router interfaces for incoming and outgoing traffic. If your service uses a custom port, then you must open this port instead of the default port.

Incoming Traffic to the Identity Router

| Service | Description | Identity Router Interface | Protocol and Port | Deployment |
|---|---|---|---|---|
| SSH | (Optional) SSH for identity router troubleshooting. This port is not open by default. | Mgmt | TCP 22 | All |
| HTTP | Only needed if an HFED or Trusted Headers application is configured to connect to an application server over HTTP, and the proxy web server configuration is not set to Enable HTTPS communication between user and identity router. (This setting is specified when you add the application.) | Proxy | TCP 80 | SSO Agent |
| HTTPS | Traffic related to the Identity Router Setup Console, identity router status servlet, and RSA Authentication Manager integration. | Mgmt | TCP 443 | All |
| HTTPS | Load balancer and end-user web browser traffic for connections to the application portal and applications. | Proxy | TCP 443 | SSO Agent |
| RADIUS | RADIUS traffic. This port is not open by default. | Mgmt | UDP 1812 | RADIUS for Cloud Authentication Service |
| Identity router synchronization | Synchronization traffic among identity routers in a cluster | Mgmt | TCP 7900 and 7902 | SSO Agent |
| Cluster synchronization | Synchronization traffic between clusters | Proxy | TCP 7910 | SSO Agent |

Outgoing Traffic from the Identity Router

The identity router's outgoing traffic is routed as follows:

  • Any destination hosts on the same subnet as an identity router interface are reached through that interface. For example, if the identity source is on the same subnet as the mgmt interface, then the LDAP service uses the mgmt interface. A default gateway is not used.

  • You may configure static routes to force specific traffic to use the mgmt interface. For example, if the RSA Authentication Manager server is in a different subnet from both identity router interfaces, you can add a static route for Authentication Manager to use the mgmt interface.

  • All other traffic is routed through the default gateway specified for the proxy interface.
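The three routing rules above decide which interface (and therefore which firewall) an outgoing connection uses. The following added example, not RSA code, applies them to a destination address and pairs the result with a few protocol/port values from the outgoing-traffic table on this page; the subnets, static route and addresses are constructed sample values, and the longest-prefix tie-break for overlapping static routes is an assumption.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample values: the subnets attached to the two interfaces.
INTERFACES: Dict[str, ipaddress.IPv4Network] = {
    "mgmt": ipaddress.ip_network("10.10.1.0/24"),
    "proxy": ipaddress.ip_network("192.0.2.0/24"),
}
# Constructed static routes (destination network, interface), e.g. one added so
# that an Authentication Manager on a third subnet is reached via mgmt.
STATIC_ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("10.20.0.0/16"), "mgmt"),
]
# A few services from the outgoing-traffic table: (protocol, port).
OUTGOING_PORTS: Dict[str, Tuple[str, int]] = {
    "dns": ("UDP", 53),
    "ldaps": ("TCP", 636),
    "syslog": ("UDP", 514),
    "authentication_manager": ("TCP", 5500),
}


def egress_interface(destination: str, interfaces=INTERFACES,
                     static_routes=STATIC_ROUTES) -> str:
    """Return 'mgmt' or 'proxy' for a destination IP, applying the three rules."""
    dest = ipaddress.ip_address(destination)
    # Rule 1: a host on an interface's own subnet is reached through that
    # interface; no gateway is involved.
    for name, net in interfaces.items():
        if dest in net:
            return name
    # Rule 2: a matching static route forces the traffic onto its interface; with
    # overlapping routes the longest prefix wins (assumption: page does not cover it).
    best = None
    for net, name in static_routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    if best is not None:
        return best[1]
    # Rule 3: everything else leaves via the proxy interface's default gateway.
    return "proxy"


def required_rule(service: str, destination: str) -> Tuple[str, str, int]:
    """Firewall rule to permit: (source interface, protocol, destination port)."""
    proto, port = OUTGOING_PORTS[service]
    return egress_interface(destination), proto, port
```

Run `required_rule("ldaps", "10.20.5.5")` to see that a directory server on the statically routed subnet needs TCP 636 allowed from the mgmt interface, while the same server on an unrouted subnet would need the rule on the proxy side.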

| Service | Destination | Identity Router Interface | Protocol and Port | Deployment |
|---|---|---|---|---|
| SFTP | (Optional) SFTP backup server IP address for user profile data (keychain) backup | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | TCP 22 | SSO Agent |
| HTTP for HFED | SaaS and on-premise application server IP addresses that require HTTP. RSA does not recommend this configuration. | Proxy | TCP 80 | SSO Agent |
| DNS lookups | DNS server IP address | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | UDP 53 | All |
| NTP synchronization | NTP server IP addresses | Proxy | UDP 123 | All |
| LDAP | LDAP directory server IP address for unencrypted LDAP directory server user authentication and authorization. RSA does not recommend using this port. | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | TCP 389 | All |
| LDAP (SSL) | LDAP directory server IP address for LDAP directory server user authentication and authorization | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | TCP 636 | All |
| HTTPS for HFED; secure connection to the Cloud Authentication Service and Cloud Administration Console | securid.com, SaaS and on-premise application server IP addresses, optional custom portal server IP address | Proxy | TCP 443 | All |
| Audit logging (syslog) | (Optional) Syslog server IP address for audit log aggregation | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | UDP 514 | All |
| RSA Authentication Manager | (Optional) RSA Authentication Manager server IP address | Proxy. Note: RSA recommends adding a static route to use the mgmt interface. | TCP 5500 | All |
