The RSA Authentication Manager instance has an internal firewall that limits traffic to specific ports. The internal firewall restricts inbound traffic to the hosts and services that provide product functionality. Outbound traffic is not restricted. RSA recommends that you deploy the instance in a subnet that also has an external firewall to segregate it from the rest of the network.
The following table lists ports used by the Authentication Manager instance. Note the following:
- These ports are configured to accept network traffic from remote systems. You should configure these ports for access on your local network.
- Authentication Manager uses other, internal network connections for communication between processes. Remote access to these ports is blocked by the internal firewall configured on the appliance.
- When blocking external access to ports on web-tier servers, do not block connections and traffic from services on the same system. For example, you can use a firewall to block external access to ports 7030 (TCP) and 7036 (TCP), but you must allow connections on the external NIC if the connections are from the same web-tier server.
- All ports support IPv4 only, unless IPv6 support is specified in the description.
| Port Number and Protocol | Function | Source | Description |
|---|---|---|---|
| 22, TCP | SSH | SSH client | Disabled by default. SSH can be enabled in the Operations Console. SSH allows the operating system account (rsaadmin) to access the operating system. |
49, TCP | TACACS authentication | TACACS client | This port is closed unless TACACS is configured. Used to receive authentication requests from a Network Access Device (NAD). |
80, TCP | Quick Setup Operations Console, Security Console | Administrator’s browser | Used for Quick Setup. After Quick Setup is complete, the appliance redirects connections from this port to the appropriate console. |
161, UDP | SNMP | SNMP client | Used by the Authentication Manager SNMP agent to listen for GET requests and send responses to a Network Management System (NMS). This port is closed, unless SNMP is enabled. It can be configured in the Security Console. |
443, TCP | Quick Setup Operations Console, Security Console, Self-Service Console | Administrator’s browser | Used for Quick Setup. After Quick Setup is complete, the appliance redirects connections from this port to the appropriate console. |
1645, UDP | RADIUS authentication (legacy port) | RADIUS client | This port receives authentication requests from a RADIUS client. For more information, see Required RSA RADIUS Server Listening Ports. |
1646, UDP | RADIUS accounting (legacy port) | RADIUS client | This port receives inbound accounting requests from a RADIUS client. For more information, see Required RSA RADIUS Server Listening Ports. |
1812, TCP | RADIUS replication port | Another RADIUS server | This port is used for communication between primary RADIUS and replica RADIUS services. If you do not use RSA RADIUS, but you have replica instances, you must allow connections between Authentication Manager instances on this port. You should restrict connections from other systems that are not Authentication Manager instances. For more information, see Required RSA RADIUS Server Listening Ports. |
1812, UDP | RADIUS authentication | RADIUS client | This port receives authentication requests from a RADIUS client. If you do not plan to use RSA RADIUS authentication, you can close this port. |
1813, TCP | RADIUS administration | RADIUS server | This port is used to administer RADIUS from the Security Console over the protected RADIUS remote administration channel. If you do not use RSA RADIUS, but you have replica instances, you must allow connections between Authentication Manager instances on this port. You should restrict connections from other systems that are not Authentication Manager instances. For more information, see Required RSA RADIUS Server Listening Ports. |
1813, UDP | RADIUS accounting | RADIUS client | This port receives accounting requests from a RADIUS client. If you do not plan to use RSA RADIUS authentication, you can close this port. |
5500, TCP | Agent authentication | RSA SecurID Authentication protocol agents | Accepts requests from TCP-based authentication agents and sends replies. Required for RSA SecurID and on-demand authentication (ODA). This port supports both IPv4- and IPv6-compliant agents. |
5500, UDP | Agent authentication | RSA SecurID Authentication protocol agents | Accepts requests from UDP-based authentication agents and sends replies. Required for RSA SecurID, ODA and risk-based authentication (RBA). This port only supports IPv4-compliant agents. |
5550, TCP | Agent auto-registration | RSA agents | Used for communication with authentication agents that are attempting to register with Authentication Manager. |
5555, TCP | Agent authentication | RSA SecurID Authentication API agents | Accepts requests from REST-based authentication agents and sends replies. Required for RSA SecurID and on-demand authentication (ODA). This port supports both IPv4- and IPv6-compliant agents. |
5580, TCP | Offline authentication service | RSA agents | Used to receive requests for additional offline authentication data, and send the offline data to agents. Also used to update server lists on agents. This can be closed if offline authentications are not in use and no agents in your deployment use the Login Password Integration API. |
7002, TCP SSL-encrypted | Authentication Manager | Another appliance | Used for communication between the Authentication Manager primary and replica instances and for communication between replica instances (for replay detection). Used by the RSA application programming interface (API). Enable if you have at least one replica instance. |
7002, TCP SSL-encrypted | RSA Token Management snap-in for the Microsoft Management Console (MMC) | Microsoft Management Console | Enable this port if you plan to use the RSA Token Management snap-in to manage users and authenticators from MMC. |
7004, TCP SSL-encrypted | Security Console | Administrator’s browser | Required for administering your deployment from the Security Console. Accepts requests for Security Console functions. |
7004, TCP SSL-encrypted | Self-Service Console and RBA | User’s browser | Required for using the Self-Service Console or RBA. Accepts requests for Self-Service Console functions and RBA authentication. |
7004, TCP SSL-encrypted | Cryptographic Token-Key Initialization Protocol (CT-KIP) | User’s browser | Required for using dynamic seed provisioning. |
7022, TCP SSL-encrypted | Authentication Manager, trusted realm network access point, RBA, or the web tier | Another appliance, trusted realm, or the web tier and another appliance | Used for communication between Authentication Manager primary and replica instances and for communication between replica instances (for replay detection). Used to communicate with trusted realms and for RBA. Allows communication between the appliance and its web tier. |
7072, TCP SSL-encrypted | Operations Console | Super Admin’s browser | Required for administering your deployment from the Operations Console. Accepts requests for Operations Console functions. |
7082, TCP SSL-encrypted | RADIUS Configuration SSL | Authentication Manager instance | Used for configuring RADIUS and restarting the RADIUS service from the Operations Console. |
8443, TCP SSL-encrypted | Authentication Manager patches and service packs | Administrator’s browser | Access to this port is required for real-time status messages when applying Authentication Manager patches and service packs. During a product update, the appliance opens this port in its internal firewall. The appliance closes this port when the update is complete. If an external firewall blocks this port, the browser displays an inaccessible or blank web page, but the update can successfully complete. |
9786, TCP SSL-encrypted | Embedded identity router | Authentication Manager | Used for communication between Authentication Manager and the embedded identity router for multifactor authentication (MFA) token verification over the Authentication Manager-identity router channel. |
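To turn the table into a concrete policy for the external firewall recommended above, the following added example (not RSA's code or tooling) applies the table's conditions (a port is opened only when the feature behind it is in use, and only from the source class the table names) and renders the result as an nftables input chain with a default drop. The source-group names (admin_net, agents, am_instances, ...) and any CIDRs passed in are assumptions for illustration.

```python
# Added example, not RSA tooling: derive an external-firewall allowlist for one
# Authentication Manager instance from the port table, then render nftables rules.
# Source-group names (admin_net, agents, ...) and any CIDRs are assumptions.
from collections import namedtuple

Rule = namedtuple("Rule", "port proto source purpose")  # proto: "tcp" | "udp"

def required_rules(*, replicas, radius, tacacs=False, snmp=False,
                   web_tier=False, offline_auth=True, mmc=False):
    """Open a port only if the feature behind it is in use (as the table's
    descriptions require) and only from the source class the table names."""
    r = [  # consoles and agent authentication are always reachable
        Rule(443, "tcp", "admin_net", "console redirect after Quick Setup"),
        Rule(7004, "tcp", "admin_net", "Security Console"),
        Rule(7004, "tcp", "user_net", "Self-Service Console, RBA, CT-KIP"),
        Rule(7072, "tcp", "admin_net", "Operations Console"),
        Rule(5500, "tcp", "agents", "agent authentication (TCP, IPv4/IPv6)"),
        Rule(5500, "udp", "agents", "agent authentication (UDP, IPv4 only)"),
        Rule(5555, "tcp", "agents", "REST authentication API agents"),
        Rule(5550, "tcp", "agents", "agent auto-registration"),
    ]
    if replicas:  # replication, replay detection, RADIUS replication/admin
        r += [Rule(p, "tcp", "am_instances", "primary/replica traffic")
              for p in (7002, 7022, 1812, 1813)]
    if radius:
        r += [Rule(p, "udp", "radius_clients", "RADIUS auth/accounting")
              for p in (1645, 1646, 1812, 1813)]
        r.append(Rule(7082, "tcp", "am_instances", "RADIUS configuration"))
    if tacacs:
        r.append(Rule(49, "tcp", "tacacs_clients", "TACACS authentication"))
    if snmp:
        r.append(Rule(161, "udp", "nms", "SNMP GET requests"))
    if web_tier:
        r.append(Rule(7022, "tcp", "web_tier", "web tier to appliance"))
    if offline_auth:
        r.append(Rule(5580, "tcp", "agents", "offline authentication data"))
    if mmc:
        r.append(Rule(7002, "tcp", "mmc_hosts", "Token Management snap-in"))
    return r

def to_nftables(rules, groups):
    """Render an input chain with default drop. Every source group must resolve
    to CIDRs; an unconfigured group raises instead of silently meaning 'any'."""
    out = ["chain inbound { type filter hook input priority 0; policy drop;",
           "  ct state established,related accept"]
    for x in rules:
        cidrs = ", ".join(groups[x.source])  # KeyError on an unmapped group
        out.append(f"  ip saddr {{ {cidrs} }} {x.proto} dport {x.port} accept"
                   f' comment "{x.purpose}"')
    return "\n".join(out + ["}"])
```

The rendered chain is a fragment meant to be placed inside an nftables table; port 8443 is deliberately absent because the table says the appliance only opens it for the duration of a product update.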