Identity Router Network Interfaces and Default Ports

Document created by RSA Information Design and Development Employee on Jul 14, 2016. Last modified by RSA Information Design and Development Employee on Jan 19, 2021.
Version 58

This topic describes the network interface configurations required for different types of deployments. It also provides the default ports and protocols used for incoming and outgoing identity router traffic. For more information, see:

Network Interface Requirements and Recommendations

The identity router can be deployed as either standalone or embedded within RSA Authentication Manager.

Standalone Identity Router

A standalone identity router is installed on the VMware, Hyper-V, or Amazon Web Services cloud platform. It can be deployed with one or two network interfaces.

Number of Network Interfaces: One

  • All services including the application portal share the same interface.

  • Used for all traffic to and from the identity router (including the application portal, Cloud RADIUS, and so on).

Number of Network Interfaces: Two

One interface is designated as portal, the other as management.

  • The portal interface is used by the application portal. It is usually connected to an Internet-facing network segment, such as the DMZ.

  • The management interface is used by all other services. It is usually attached to an internal network segment, such as the Local Area Network (LAN).

For identity routers installed on VMware or Hyper-V, network interfaces are configured on the virtual appliance and connected to your network. You assign each interface an IP address and a domain name. RSA recommends that each interface be located on a separate subnet for security reasons. The identity router does not bridge traffic between the two interfaces.

Note:  After you deploy an identity router with one network interface, you cannot change the configuration to support two network interfaces. You must deploy a new identity router with two network interfaces.

Embedded Identity Router in RSA Authentication Manager

An embedded identity router:

  • Shares the host Authentication Manager network interface and its configuration (including the IP address, DNS servers, static routes, and so on).

  • Is used for identity source and cloud tenant traffic.

Incoming Traffic for Identity Routers

You must configure incoming traffic to connect to either the management interface or the portal interface as specified in Ports for Identity Router Incoming Traffic.

Outgoing Traffic for Identity Routers

Outgoing traffic for identity routers is managed as follows:

  • Any destination hosts on the same subnet as an identity router interface are reached through that interface. For example, if the identity source is on the same subnet as the management interface, then the LDAP service uses the management interface. A default gateway is not used.

  • You may configure static routes to force specific traffic to use the management interface. For example, if the RSA Authentication Manager server is in a different subnet from both identity router interfaces, you can add a static route for traffic to Authentication Manager to use the management interface.

  • In deployments with two network interfaces, all other traffic is routed through the default gateway specified for the portal interface.
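The three egress rules above, applied in order, as an added Python example (this is not RSA's code and not taken from the identity router). The interface addresses, the static route, and the sample destinations are constructed assumptions; the point is to see which interface a given destination would leave through and to spot management-recommended services that would otherwise fall to the portal gateway.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed layout for this example (not from the page): the management
# interface eth0 sits on an internal LAN subnet, the portal interface eth1 on a DMZ.
MANAGEMENT = "eth0 (management)"
PORTAL = "eth1 (portal)"
INTERFACES = {
    MANAGEMENT: ip_interface("10.10.20.5/24"),
    PORTAL: ip_interface("192.0.2.10/24"),
}
PORTAL_DEFAULT_GATEWAY = ip_address("192.0.2.1")

# Assumed static route: an Authentication Manager subnet that neither interface
# shares, forced through the management interface via the LAN gateway.
STATIC_ROUTES = [
    (ip_network("10.10.30.0/24"), MANAGEMENT, ip_address("10.10.20.1")),
]


def select_egress(destination, interfaces=INTERFACES, static_routes=STATIC_ROUTES):
    """Apply the page's three rules in order and return (interface, next hop).

    1. On-link: a destination inside an interface's subnet leaves through that
       interface directly; no gateway is used.
    2. Static route: a destination covered by a configured route uses the
       interface and gateway named in that route.
    3. Everything else leaves through the portal interface's default gateway.
    """
    dst = ip_address(destination)
    for name, iface in interfaces.items():
        if dst in iface.network:
            return name, "direct (same subnet)"
    for network, name, gateway in static_routes:
        if dst in network:
            return name, f"static route {network} via {gateway}"
    return PORTAL, f"default gateway {PORTAL_DEFAULT_GATEWAY}"


# Services the outgoing-traffic table recommends sending through the management
# interface, paired with constructed sample destinations.
MANAGEMENT_RECOMMENDED = {
    "LDAP (SSL/TLS)": "10.10.20.50",             # on the management subnet: rule 1
    "RSA Authentication Manager": "10.10.30.7",  # covered by the static route: rule 2
    "Audit logging (syslog)": "172.16.5.9",      # neither: falls to the portal gateway
}


def find_portal_leaks(services=MANAGEMENT_RECOMMENDED):
    """Return the services that would leave through the portal (DMZ) interface
    although the table recommends the management interface; each is a
    candidate for a static route."""
    return sorted(svc for svc, dst in services.items()
                  if select_egress(dst)[0] != MANAGEMENT)


if __name__ == "__main__":
    for svc, dst in MANAGEMENT_RECOMMENDED.items():
        print(f"{svc:28} {dst:14} -> {select_egress(dst)}")
    print("needs a static route:", find_portal_leaks())
```

Run against your own subnets and route list, the `find_portal_leaks` output is the set of destinations for which the table's "add a static route" notes apply.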

Network Interface for Identity Routers in the Amazon Cloud

When deployed in the AWS cloud, the identity router has only one virtual network interface to which you assign a domain name, a private IP address, and, optionally, a public Elastic IP address. The private address is accessible only from your network, while the public Elastic IP address is accessible from the internet. You must configure security groups, route tables, and network access control lists in your AWS environment to allow either public or private network access for each service, depending on how the other network components in your deployment will connect to the identity router, and the requirements specified in the Network Accessibility for Amazon Identity Routers column in the following tables.

Ports for Identity Router Incoming Traffic

Each entry lists the service, its description, the deployment type it applies to, the port used with one network interface, and the port and interface (management interface eth0 or portal interface eth1) used with two network interfaces.

SSH
  Description: SSH for identity router troubleshooting. This port is not open by default.
  Deployment: All (optional)
  One network interface: TCP 22
  Two network interfaces: TCP 22 on the management interface (eth0)

HTTPS
  Description: Traffic related to the Identity Router Setup Console, and RSA Authentication Manager integration.
  Deployment: All
  One network interface: TCP 9786
  Two network interfaces: TCP 443 on the management interface (eth0)

HTTPS
  Description: Load balancer and end-user web browser traffic for connections to the application portal and applications. Includes status servlet.
  Deployment: SSO Agent
  One network interface: TCP 443
  Two network interfaces: TCP 443 on the portal interface (eth1)

RADIUS
  Description: RADIUS traffic. This port is not opened by default.
  Deployment: RADIUS
  One network interface: UDP 1812
  Two network interfaces: UDP 1812 on the portal interface (eth1)

Identity router synchronization
  Description: Synchronization traffic among identity routers in a cluster.
  Deployment: SSO Agent (high availability)
  One network interface: TCP 7900 to TCP 7902
  Two network interfaces: TCP 7900 to TCP 7902 on the management interface (eth0)

Cluster synchronization
  Description: Synchronization traffic between clusters.
  Deployment: SSO Agent with multiple clusters
  One network interface: TCP 7910
  Two network interfaces: TCP 7910 on the portal interface (eth1)
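A defender-side check derived from the one-network-interface column above, as an added Python example (not RSA's code). It parses a constructed `ss -Hlntu` style listing, builds the set of listeners the table accounts for given which optional features are in use, and reports anything listening that the table does not document, plus documented ports that are expected but not open. The feature names and the sample listing are assumptions made for the example.

```python
import re

# Incoming ports from the page's one-network-interface column. Each entry is
# (protocol, port, feature that must be enabled for the listener to be expected);
# None means the port is expected in every deployment.
DOCUMENTED_INCOMING = [
    ("tcp", 22, "ssh"),             # SSH troubleshooting, not open by default
    ("tcp", 9786, None),            # Setup Console / Authentication Manager integration
    ("tcp", 443, None),             # application portal
    ("udp", 1812, "radius"),        # RADIUS, not opened by default
    ("tcp", 7900, "ha"),            # identity router synchronization (high availability)
    ("tcp", 7901, "ha"),
    ("tcp", 7902, "ha"),
    ("tcp", 7910, "multi_cluster"), # cluster synchronization
]

# Constructed sample output, as `ss -Hlntu` would print it (assumption, not a
# capture from a real identity router). Note the undocumented tcp/8080 listener.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:9786      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7900      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7901      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7902      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1812      0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080      [::]:*
"""

_PORT_RE = re.compile(r":(\d+)$")


def expected_listeners(enabled_features):
    """Set of (proto, port) the table accounts for given the enabled features."""
    return {(proto, port) for proto, port, feature in DOCUMENTED_INCOMING
            if feature is None or feature in enabled_features}


def parse_ss(output):
    """Parse `ss -Hlntu` lines (Netid State Recv-Q Send-Q Local:Port Peer:Port)
    into a set of (proto, port). IPv4, bracketed IPv6 and '*' locals all end in
    ':port', so a single regex on the fifth column suffices."""
    found = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0].rstrip("6")   # netstat-style tcp6/udp6 collapse to tcp/udp
        match = _PORT_RE.search(fields[4])
        if match:
            found.add((proto, int(match.group(1))))
    return found


def audit(output, enabled_features):
    """Compare observed listeners with the documented set for this deployment."""
    observed = parse_ss(output)
    expected = expected_listeners(enabled_features)
    return {
        "unexpected": sorted(observed - expected),  # listening, not in the table
        "missing": sorted(expected - observed),     # in the table, not listening
    }


if __name__ == "__main__":
    # Assumed deployment: RADIUS and high availability in use, SSH closed.
    print(audit(SAMPLE_SS, {"radius", "ha"}))
```

For the sample listing the report flags tcp/22 (SSH is documented as closed unless you opened it) and tcp/8080 (not in the table at all), which are the two lines worth investigating on a real appliance; on a two-interface deployment you would run the same comparison per interface address.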

Ports for Identity Router Outgoing Traffic

Note:  All deployments with a standalone identity router with one network interface should use the management interface.

Each entry lists the service, its description, the deployment type it applies to, the interface from which the connection is initiated on a Hyper-V or VMware identity router with two network interfaces* and with one network interface, the network accessibility required for an Amazon identity router, and the destination protocol and port.

SFTP
  Description: (Optional) SFTP backup server IP address for user profile data (keychain) backup
  Deployment: SSO Agent
  Connection initiated from (two network interfaces*): Portal. Note: RSA recommends adding a static route to use the management interface.
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Private
  Destination protocol and port: TCP 22

DNS lookups
  Description: Enable the identity router to look up the IP addresses of the hostnames to which it will connect, including the Cloud Authentication Service and identity sources.
  Deployment: All
  Connection initiated from (two network interfaces*): Portal. Note: RSA recommends using the management interface. To do this, ensure that both DNS and NTP are on the same subnet as the management interface, or add a static route.
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Public or Private
  Destination protocol and port: UDP 53

NTP synchronization
  Description: NTP server IP addresses
  Deployment: All
  Connection initiated from (two network interfaces*): Portal. Note: RSA recommends using the management interface. To do this, ensure that both NTP and DNS are on the same subnet as the management interface, or add a static route.
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Public or Private
  Destination protocol and port: UDP 123

LDAP
  Description: LDAP directory server IP address for unencrypted LDAP directory server user authentication and authorization. RSA does not recommend using this port.
  Deployment: All
  Connection initiated from (two network interfaces*): Portal. Note: RSA recommends adding a static route to use the management interface.
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Private
  Destination protocol and port: TCP 389 (may vary depending on your LDAP server configuration)

LDAP (SSL/TLS)
  Description: LDAP directory server IP address for LDAP directory server user authentication and authorization
  Deployment: All
  Connection initiated from (two network interfaces*): Portal. Note: RSA recommends adding a static route to use the management interface.
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Private
  Destination protocol and port: TCP 636 (may vary depending on your LDAP server configuration)

HTTP for HFED
  Description: On-premises application server IP addresses that require HTTP. RSA does not recommend this configuration.
  Deployment: SSO Agent
  Connection initiated from (two network interfaces*): Portal
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Private
  Destination protocol and port: TCP 80 or application-specific port

HTTPS for HFED
  Description: On-premises application server IP addresses, optional custom portal server IP address
  Deployment: SSO Agent
  Connection initiated from (two network interfaces*): Portal
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Public or Private
  Destination protocol and port: TCP 443 or application-specific port

Secure connection from the identity router to the Cloud Authentication Service and Cloud Administration Console
  Description: securid.com, optional custom portal server IP address. For current Cloud Authentication Service IP addresses, see Test Access to Cloud Authentication Service.
  Deployment: All
  Connection initiated from (two network interfaces*): Portal
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Public or Private
  Destination protocol and port: TCP 443 or application-specific port

Audit logging (syslog)
  Description: (Optional) Syslog server IP address for audit log aggregation
  Deployment: All
  Connection initiated from (two network interfaces*): Portal. Note: RSA recommends adding a static route to use the management interface.
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Private
  Destination protocol and port: UDP 514

RSA Authentication Manager
  Description: (Optional) RSA Authentication Manager server IP address
  Connection initiated from (two network interfaces*): Portal. Note: RSA recommends adding a static route to use the management interface.
  Connection initiated from (one network interface): Management
  Network accessibility for Amazon identity routers: Private
  Destination protocol and port: TCP 5500
