Configure a Static Route to RSA Authentication Manager

For on-premises identity routers deployed in your VMware or Hyper-V environment, the Super Admin for CAS must configure static routes to restrict communication between a specific Authentication Manager server or network of servers and one identity router.

You must configure a static route when you initially configure CAS to communicate with Authentication Manager, as well as each time an Authentication Manager instance is added or removed from the deployment.

You can configure either of the following:

• If Authentication Manager servers are on different networks, configure a static route for each identity router in your deployment to each Authentication Manager server.
• If all Authentication Manager servers are on the same network, configure one static route for each identity router in your deployment going to that network to restrict the connections for the entire Authentication Manager deployment.

Note:  This method for static route configuration is not available for identity routers deployed in the Amazon cloud. Instead, you must configure route tables in your Amazon Web Services environment to enable each identity router in your VPC to reach Authentication Manager. Refer to your Amazon Web Services documentation for instructions.

The following graphic shows how the example IP addresses from the procedure are used to configure a static route from an identity router to the Authentication Manager appliance(s).

1. In the Cloud Administration Console, click Platform > Identity Routers.
2. Next to the identity router name, select Edit.
3. Click Next Step to access the Settings page.
4. In the Static Routes section, do the following.
   • To restrict an individual Authentication Manager server to the identity router management interface, enter these settings:
     • IP Address:<Authentication Manager Server IP Address>

       For example, 192.168.20.7

     • Network Mask: 255.255.255.255
     • Gateway:<Default Gateway for Identity Router Management Interface>

       For example: 10.10.10.1

       Device: Private

   • To restrict a network containing all Authentication Manager servers, use these settings:
     • IP Address:<Authentication Manager Server Network>

       For example, 192.168.20.0

     • Network Mask:<Network Mask for Authentication Manager Server Network>

       For example, 255.255.255.128

     • Gateway:<Default Gateway for Identity Router Management Interface>

       For example: 10.10.10.1

       Device: Private

5. Click Add.
6. Click Next Step.
7. Click Save and Finish.
8. Repeat step 2 through step 6 for each identity router in your deployment.
9. Click Publish Changes.

After you finish 

A Super Admin for Authentication Manager must generate the Authentication Manager configuration file.