Ports for the RSA Authentication Manager Instance

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017. Version 2.

The RSA Authentication Manager instance has an internal firewall that limits traffic to specific ports. The internal firewall restricts inbound traffic to the hosts and services that provide product functionality. Outbound traffic is not restricted. RSA recommends that you deploy the instance in a subnet that also has an external firewall to segregate it from the rest of the network.

The following table lists ports used by the Authentication Manager instance. Note the following:

  • These ports are configured to accept network traffic from remote systems. Configure access to these ports on your local network; the Source column in the table shows which hosts need to reach each one.

  • Authentication Manager uses other, internal network connections for communication between processes. Remote access to these ports is blocked by the internal firewall configured on the appliance.

  • All ports support IPv4 only, unless IPv6 support is specified in the description.


| Port number and protocol | Function | Source | Description |
|---|---|---|---|
| 22, TCP | Secure Shell (SSH) | SSH client | Disabled by default. SSH can be enabled in the Operations Console. SSH allows the operating system account (rsaadmin) to access the operating system. |
| 49, TCP | TACACS authentication | TACACS client | Closed unless TACACS is configured. Used to receive authentication requests from a Network Access Device (NAD). |
| 80, TCP | Quick Setup; Operations Console, Security Console | Administrator's browser | Used for Quick Setup. After Quick Setup is complete, the appliance redirects connections on this port to the appropriate console. |
| 161, UDP | SNMP | SNMP client | Used by the Authentication Manager SNMP agent to listen for GET requests and send responses to a Network Management System (NMS). Closed unless SNMP is enabled; SNMP is configured in the Security Console. |
| 443, TCP | Quick Setup; Operations Console, Security Console, Self-Service Console | Administrator's browser | Used for Quick Setup. After Quick Setup is complete, the appliance redirects connections on this port to the appropriate console. |
| 1645, UDP | RADIUS authentication (legacy port) | RADIUS client | Receives authentication requests from a RADIUS client. For more information, see Required RSA RADIUS Server Listening Ports. |
| 1646, UDP | RADIUS accounting (legacy port) | RADIUS client | Receives inbound accounting requests from a RADIUS client. For more information, see Required RSA RADIUS Server Listening Ports. |
| 1812, TCP | RADIUS replication port | Another RADIUS server | Used for communication between the primary RADIUS and replica RADIUS services. If you do not use RSA RADIUS but you have replica instances, you must keep this port open. For more information, see Required RSA RADIUS Server Listening Ports. |
| 1812, UDP | RADIUS authentication | RADIUS client | Receives authentication requests from a RADIUS client. If you do not plan to use RSA RADIUS authentication, you can close this port. |
| 1813, TCP | RADIUS administration | RADIUS server | Used to administer RADIUS from the Security Console over the protected RADIUS remote administration channel. If you do not use RSA RADIUS but you have replica instances, you must keep this port open. For more information, see Required RSA RADIUS Server Listening Ports. |
| 1813, UDP | RADIUS accounting | RADIUS client | Receives accounting requests from a RADIUS client. If you do not plan to use RSA RADIUS authentication, you can close this port. |
| 5500, TCP | Agent authentication | RSA SecurID Authentication protocol agents | Accepts requests from TCP-based authentication agents and sends replies. Required for RSA SecurID and on-demand authentication (ODA). Supports both IPv4- and IPv6-compliant agents. |
| 5500, UDP | Agent authentication | RSA SecurID Authentication protocol agents | Accepts requests from UDP-based authentication agents and sends replies. Required for RSA SecurID, ODA and risk-based authentication (RBA). Supports IPv4-compliant agents only. |
| 5550, TCP | Agent auto-registration | RSA agents | Used for communication with authentication agents that are attempting to register with Authentication Manager. |
| 5580, TCP | Offline authentication service | RSA agents | Used to receive requests for additional offline authentication data and to send the offline data to agents. Also used to update server lists on agents. Can be closed if offline authentication is not in use and no agents in your deployment use the Login Password Integration API. |
| 7002, TCP | SSL-encrypted Authentication Manager | Another appliance | Used for communication between an Authentication Manager primary and its replica instances and between replica instances (for replay detection). Used by the RSA application programming interface (API). Enable if you have at least one replica instance. |
| 7002, TCP | SSL-encrypted RSA Token Management snap-in for the Microsoft Management Console (MMC) | Microsoft Management Console | Enable this port if you plan to use the RSA Token Management snap-in to manage users and authenticators from MMC. |
| 7004, TCP | SSL-encrypted Security Console | Administrator's browser | Required for administering your deployment from the Security Console. Accepts requests for Security Console functions. |
| 7004, TCP | SSL-encrypted Self-Service Console and RBA | User's browser | Required for using the Self-Service Console or RBA. Accepts requests for Self-Service Console functions and RBA authentication. |
| 7004, TCP | SSL-encrypted Cryptographic Token-Key Initialization Protocol (CT-KIP) | User's browser | Required for dynamic seed provisioning. |
| 7022, TCP | SSL-encrypted Authentication Manager, trusted realm network access point, or web tier | Another appliance, a trusted realm, or the web tier | Used for communication between Authentication Manager primary and replica instances and between replica instances (for replay detection). Used to communicate with trusted realms. Allows communication between the appliance and its web tier. |
| 7072, TCP | SSL-encrypted Operations Console | Super Admin's browser | Required for administering your deployment from the Operations Console. Accepts requests for Operations Console functions. |
| 7082, TCP | SSL-encrypted RADIUS configuration | Authentication Manager instance | Used for configuring RADIUS and restarting the RADIUS service from the Operations Console. |
| 8443, TCP | SSL-encrypted Authentication Manager patches and service packs | Administrator's browser | Access to this port is required for real-time status messages when applying Authentication Manager patches and service packs. During a product update, the appliance opens this port in its internal firewall and closes it again when the update is complete. If an external firewall blocks this port, the browser displays an inaccessible or blank web page, but the update can still complete successfully. |
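As an added example (not RSA's code or documentation), the following Python script encodes the table above as a port-to-feature mapping, derives the set of ports that should be listening for a given deployment profile, compares that set with what an nmap grepable-output scan of the instance actually saw, and emits deny-by-default allow rules for the external firewall the page recommends. A port left reachable by a feature that is enabled but not needed (SSH, or 8443 after an update has finished), a port that is not in the table at all, or a replication port blocked by a firewall each show up in the report. The feature labels ("ssh", "radius", "replicas", and so on), the scan text and the iptables rule syntax are this example's own assumptions.

```python
"""Audit the ports an RSA Authentication Manager instance exposes, using the table on this page.

Added example, not RSA's code. PORT_TABLE is transcribed from the table above; the feature
labels ("ssh", "radius", "replicas", ...), the nmap-style scan text and the iptables syntax
are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str                      # "tcp" or "udp"
    function: str
    needs: frozenset = frozenset()  # expected only if ANY of these features is enabled;
                                    # empty means the port is always expected to be open


def rule(port, proto, function, *needs):
    return PortRule(port, proto, function, frozenset(needs))


# Port -> feature mapping, transcribed from the table above (feature names are assumed labels).
PORT_TABLE = (
    rule(22,   "tcp", "Secure Shell (SSH)", "ssh"),
    rule(49,   "tcp", "TACACS authentication", "tacacs"),
    rule(80,   "tcp", "Quick Setup / console redirect"),
    rule(161,  "udp", "SNMP agent", "snmp"),
    rule(443,  "tcp", "Quick Setup / console redirect"),
    rule(1645, "udp", "RADIUS authentication (legacy port)", "radius"),
    rule(1646, "udp", "RADIUS accounting (legacy port)", "radius"),
    rule(1812, "tcp", "RADIUS replication", "radius", "replicas"),  # kept open for replicas even without RADIUS
    rule(1812, "udp", "RADIUS authentication", "radius"),
    rule(1813, "tcp", "RADIUS administration", "radius", "replicas"),
    rule(1813, "udp", "RADIUS accounting", "radius"),
    rule(5500, "tcp", "Agent authentication (IPv4 and IPv6 agents)"),
    rule(5500, "udp", "Agent authentication (IPv4 agents only)"),
    rule(5550, "tcp", "Agent auto-registration"),
    rule(5580, "tcp", "Offline authentication service", "offline_auth", "login_password_api"),
    rule(7002, "tcp", "Replication / API / MMC snap-in", "replicas", "api", "mmc"),
    rule(7004, "tcp", "Security Console / Self-Service Console / RBA / CT-KIP"),
    rule(7022, "tcp", "Replication / trusted realms / web tier", "replicas", "trusted_realm", "web_tier"),
    rule(7072, "tcp", "Operations Console"),
    rule(7082, "tcp", "RADIUS configuration"),
    rule(8443, "tcp", "Patch status (open only while an update runs)", "updating"),
)

# Matches "22/open/tcp//ssh///" style entries from nmap -oG; UDP ports usually show "open|filtered".
PORT_PATTERN = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)")


def parse_nmap_grepable(text):
    """Return the set of (port, proto) reported open or open|filtered in nmap grepable output."""
    return {(int(port), proto) for port, _state, proto in PORT_PATTERN.findall(text)}


def expected_ports(enabled):
    """Ports that should be listening for a deployment with the given features enabled."""
    enabled = frozenset(enabled)
    return {(r.port, r.proto) for r in PORT_TABLE if not r.needs or r.needs & enabled}


def audit(observed, enabled):
    """Split a scan result into ports that should not be reachable and expected ports that are not."""
    expected = expected_ports(enabled)
    by_key = {(r.port, r.proto): r.function for r in PORT_TABLE}

    def describe(key):
        return by_key.get(key, "not in the RSA port table")

    return {
        "unexpected": [(p, pr, describe((p, pr))) for p, pr in sorted(observed - expected)],
        "missing": [(p, pr, describe((p, pr))) for p, pr in sorted(expected - observed)],
    }


def iptables_allow_rules(enabled, sources):
    """Deny-by-default rules for the external firewall (iptables syntax is an assumption).

    sources maps (port, proto) -> list of CIDRs allowed to reach it; an expected port
    with no entry gets no ACCEPT rule and therefore stays blocked.
    """
    lines = ["iptables -P INPUT DROP"]
    for port, proto in sorted(expected_ports(enabled)):
        for cidr in sources.get((port, proto), []):
            lines.append(f"iptables -A INPUT -p {proto} --dport {port} -s {cidr} -j ACCEPT")
    return lines


# Constructed nmap -oG output for a primary with replicas, RADIUS and offline auth enabled.
SAMPLE_SCAN = """# Nmap scan of am-primary (constructed sample, not a real scan)
Host: 10.20.30.40 (am-primary)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 1812/open/tcp//radius///, 1813/open/tcp//radius-acct///, 5500/open/tcp/////, 5550/open/tcp/////, 5580/open/tcp/////, 7002/open/tcp/////, 7004/open/tcp//https///, 7072/open/tcp//https///, 7082/open/tcp/////, 8443/open/tcp//https-alt///, 9999/open/tcp/////\tIgnored State: closed (986)
Host: 10.20.30.40 (am-primary)\tPorts: 1645/open|filtered/udp//radius///, 1646/open|filtered/udp/////, 1812/open|filtered/udp//radius///, 1813/open|filtered/udp/////, 5500/open|filtered/udp/////\tIgnored State: closed (995)
"""

if __name__ == "__main__":
    result = audit(parse_nmap_grepable(SAMPLE_SCAN), {"replicas", "radius", "offline_auth"})
    for kind in ("unexpected", "missing"):
        for port, proto, function in result[kind]:
            print(f"{kind:10} {port}/{proto:3} {function}")
```

On the constructed scan the report flags 22/tcp (SSH enabled although the profile does not call for it), 8443/tcp (the patch-status port, which the appliance should have closed once the update finished) and 9999/tcp (not in the table at all), and lists 7022/tcp as missing, which is what a replication port blocked by the external firewall looks like from the network. For a real instance, feed it the output of a TCP and UDP scan saved with `-oG`, and remember that "open|filtered" for a UDP port means only that nothing refused the probe; a RADIUS or SNMP request from an allowed source is the definitive check.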
