Identity Router DNS Requirements

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Oct 20, 2017.
Version 19

You must configure your company Domain Name System (DNS) server with the address (A), pointer (PTR), and canonical name (CNAME) records necessary to support your deployment. Work with your network administrator to determine which specific DNS records to configure, based on the load balancers, identity routers, applications, and application portal you are deploying.

 

For more information, see the RSA SecurID Access Cloud Authentication Service Planning Guide.

 

External DNS Records

The following table describes the external DNS records used to support your deployment. External records correspond to public addresses accessible from the internet.

Record type and description: An A record to the public IP address that corresponds to the virtual IP address (VIP) of the load balancer through Network Address Translation (NAT).
When used: Add this type of DNS entry for each network load balancer in your deployment. If your deployment has only one identity router, and does not use a load balancer, point this record to the proxy interface IP address of the identity router.
Example: portal.dmz.example.com

Record type and description: A wildcard CNAME record to the VIP (portal.dmz.example.com). Users use names matching this wildcard entry to access reverse proxy resources, including the custom portal and any HTTP Federation (HFED) applications.
When used: Add this type of DNS entry if your deployment uses a custom portal or HFED web applications. This record enables DNS resolution for the custom portal and all HFED applications whose domain names match the wildcard syntax you specify. If you add this wildcard record, you do not need to add specific CNAME records for the custom portal or individual HFED applications.
Example: *.dmz.example.com

Record type and description: A CNAME record to the VIP (portal.dmz.example.com). Users use this name to access the custom portal.
When used: Add this type of DNS entry if your deployment uses a custom portal. You do not need to add this entry if you added the wildcard CNAME record described above.
Example: sign-in.dmz.example.com

Record type and description: A CNAME record to the VIP (portal.dmz.example.com). Users use this name to access a specific application through HTTP Federation (HFED).
When used: Add this type of DNS entry for each web application that uses HFED. You do not need to add this entry for individual HFED applications if you added the wildcard CNAME record described above.
Example: webapp.dmz.example.com
 

Internal DNS Records

The following table describes the internal DNS records used to support your deployment. Internal entries correspond to private addresses accessible from within your network.

Record type and description: An A record to the identity router proxy interface IP address.
When used: Add this type of DNS entry for each identity router in your deployment.
Example: idrouter1.dmz.example.com

Record type and description: An A record to the identity router management interface IP address. This record resolves the hostname to the IP address for standard DNS lookup. RSA Authentication Manager uses this name to access the identity router for tokencode authentication.
When used: Add this type of DNS entry for each identity router if you use RSA Authentication Manager in your deployment.
Example: idrmgmt1.dmz.example.com

Record type and description: A PTR record to the identity router management interface hostname. This record resolves the IP address to the hostname for reverse DNS lookup between the identity router and RSA Authentication Manager.
When used: Add this type of DNS entry for each identity router if you use RSA Authentication Manager in your deployment.
Example: 192.168.2.32

Record type and description: An A record to the private IP address that corresponds to the VIP of the load balancer.
When used: Add this type of DNS entry for each network load balancer in your deployment. If your deployment has only one identity router, and does not use a load balancer, point this record to the proxy interface IP address of the identity router.
Example: portal.dmz.example.com

Record type and description: A wildcard CNAME record to the VIP (portal.dmz.example.com). Users use names matching this wildcard entry to access reverse proxy resources, including the custom portal and any HFED applications.
When used: Add this type of DNS entry if your deployment uses a custom portal or HFED web applications. This record enables DNS resolution for the custom portal and all HFED applications whose domain names match the wildcard syntax you specify. If you add this wildcard record, you do not need to add specific CNAME records for the custom portal or individual HFED applications.
Example: *.dmz.example.com

Record type and description: A CNAME record to the VIP (portal.dmz.example.com). Users use this name to access the custom portal.
When used: Add this type of DNS entry if your deployment uses a custom portal. You do not need to add this entry if you added the wildcard CNAME record described above.
Example: sign-in.dmz.example.com

Record type and description: A CNAME record to the VIP (portal.dmz.example.com). Users use this name to access a specific application through HFED.
When used: Add this type of DNS entry for each web application that uses HFED. You do not need to add this entry for individual HFED applications if you added the wildcard CNAME record described above.
Example: webapp.dmz.example.com
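The following script is an added example, not part of the RSA documentation, that audits a planned record set like the internal table above before it goes into the zone: it follows CNAME chains (including the wildcard) to the VIP's A record, and confirms that the management interface PTR record and its A record agree, which is the forward/reverse pairing RSA Authentication Manager depends on. The record set is constructed here; only the hostnames and the PTR address 192.168.2.32 come from the page, and the other IP addresses are placeholders.

```python
# Constructed record set mirroring the internal DNS table on this page.
# 192.168.2.32 is the page's PTR example; the other addresses are placeholders.
INTERNAL_RECORDS = [
    ("idrouter1.dmz.example.com", "A", "192.168.1.31"),     # proxy interface
    ("idrmgmt1.dmz.example.com", "A", "192.168.2.32"),      # management interface
    ("32.2.168.192.in-addr.arpa", "PTR", "idrmgmt1.dmz.example.com"),
    ("portal.dmz.example.com", "A", "192.168.1.10"),        # private load balancer VIP
    ("*.dmz.example.com", "CNAME", "portal.dmz.example.com"),
    ("sign-in.dmz.example.com", "CNAME", "portal.dmz.example.com"),
]

def index(records):
    """Map (owner name, type) -> value so lookups run offline and deterministically."""
    return {(name.lower(), rtype): value for name, rtype, value in records}

def lookup(name, rtype, idx):
    """Exact owner match first, then the nearest enclosing wildcard (simplified RFC 4592)."""
    name = name.lower()
    if (name, rtype) in idx:
        return idx[(name, rtype)]
    labels = name.split(".")
    for i in range(1, len(labels)):
        hit = idx.get(("*." + ".".join(labels[i:]), rtype))
        if hit:
            return hit
    return None

def resolve_a(name, idx, max_hops=8):
    """Follow CNAMEs until an A record is found; None if the chain dangles or loops."""
    for _ in range(max_hops):
        ip = lookup(name, "A", idx)
        if ip:
            return ip
        name = lookup(name, "CNAME", idx)
        if name is None:
            return None
    return None

def audit(records):
    """Return human-readable findings: dangling CNAMEs and PTR records whose
    hostname does not resolve back to the address the PTR owner encodes."""
    idx = index(records)
    findings = []
    for name, rtype, value in records:
        if rtype == "CNAME" and resolve_a(value, idx) is None:
            findings.append(f"dangling CNAME: {name} -> {value}")
        if rtype == "PTR":
            ip = ".".join(reversed(name.split(".")[:4]))  # 32.2.168.192 -> 192.168.2.32
            if resolve_a(value, idx) != ip:
                findings.append(f"PTR {name} -> {value} disagrees with the A record for {value}")
    return findings
```

Run audit() against your own planned records before cutting the zone; an empty list means every CNAME lands on a VIP A record and every PTR is forward-confirmed.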
