Cloud Access Service POC Quick Setup Guide - Step 1: Plan

a month ago

Cloud Access Service POC Quick Setup Guide - Step 1: Plan

There are a few things you need to plan to deploy your system.

What You Need to Have

Item	Description
Sign-in credentials to the Cloud Administration Console	Sign-in credentials are emailed to you after you request an environment from RSA Sales or your partner or complete the trial form. Be sure that the email address that you provide to RSA is for a real user in your Active Directory and not, for example, a group alias or general account. Be sure that the email address that you provide to RSA is for a real user in your LDAP directory and not, for example, a group alias or general account. For browser requirements, see Supported Browsers for the Cloud Administration Console.
Virtual appliance infrastructure Required only for identity router deployment on-premises in a VMware or Hyper-V environment	Hardware requirements for image file: Disk space: 54 GB Memory: 8 GB Consider 16 GB for high availability architectures. Virtual CPUs: 4 Network interface: Two E1000 virtual network adapters Network interface: VMware: One E1000 virtual network adapter (two if using the SSO Agent) Microsoft Hyper-V: One synthetic network adapter (two if using the SSO Agent) Network interface: VMware: Two E1000 virtual network adapters Microsoft Hyper-V: Two synthetic network adapters For additional guidance, see Network Interface Requirements and Recommendations. VMware software requirements: VMware Platform: VMware ESXi 5.5 or later (currently 6.x series) VMware vSphere Client: Any version that works with the supported ESXi deployments Software requirements: VMware or VMware Platform: VMware ESXi 5.5 or later (currently 6.x series) VMware vSphere Client: Any version that works with the supported ESXi deployments Hyper-V 2012 R2
Amazon Web Services (AWS) account Required only for identity router deployment in an Amazon Web Services cloud environment Note: To deploy an identity router in the Amazon cloud, you must be familiar with the following concepts as they relate to AWS: Elastic Compute Cloud (EC2) Amazon Machine Image (AMI) Elastic IP Address Security Groups Virtual Private Cloud (VPC) Subnets Route Tables Network Access Control Lists (ACL) DHCP Option Sets Internet Gateway NAT Gateway Virtual Private Gateway VPN Connection VPC Peering	Amazon Virtual Server Instance hardware requirements: Family: General purpose Type: t2.large vCPUs: 2 Memory: 8 GB AWS cloud environment requirements: Access to t2.large or better instance types Virtual Private Cloud with private and public subnets Route Tables, Security Groups, and Network ACLs that allow traffic between the identity router and all other components in your deployment DHCP Option Sets that specify all DNS servers required for your deployment Elastic IP addresses (if your organization manages its own DNS service)
Microsoft Active Directory 2008 or 2012 Microsoft Active Directory 2008 or 2012 or LDAPv3 directory server	Create a group of a limited number of users (for example, RSA Test Group) to synch and test with.
SSL/TLS certificate from your LDAP directory server	Used for an encrypted connection (LDAPS) to your directory server. Download the SSL/TLS certificate from your directory server. If your directory server does not have a certificate, install one. See Cloud Access Service Certificates.
SSO Agent only: Private key, public certificate, and certificate chain for SSL protection for the RSA Application Portal	Generate the private key using your own infrastructure. The private key, in SecurID format, is 2048-bit or greater and is not password-protected. Submit a certificate signing request (CSR) to a trusted Certificate Authority (CA) to obtain the public certificate and certificate chain. The certificate and certificate chain files are in x509 PEM format. See Cloud Access Service Certificates
SSO Agent only: Load balancer	Supported load balancers: CISCO ACE family F5 Big-IP family Citrix Netscaler Barracuda Load Balancers See Load Balancer Requirements.
A mobile device or Windows PC	iOS 11.0 or later Android 6.0 or later Windows 10 Version 1511 or later

Item

Description

Sign-in credentials to the Cloud Administration Console

Sign-in credentials are emailed to you after you request an environment from RSA Sales or your partner or complete the trial form.

Be sure that the email address that you provide to RSA is for a real user in your Active Directory and not, for example, a group alias or general account.

Be sure that the email address that you provide to RSA is for a real user in your LDAP directory and not, for example, a group alias or general account.

For browser requirements, see Supported Browsers for the Cloud Administration Console.

Virtual appliance infrastructure

Required only for identity router deployment on-premises in a VMware or Hyper-V environment

Hardware requirements for image file:

Disk space: 54 GB
Memory: 8 GB
Consider 16 GB for high availability architectures.
Virtual CPUs: 4
Network interface: Two E1000 virtual network adapters
Network interface:
- VMware: One E1000 virtual network adapter (two if using the SSO Agent)
- Microsoft Hyper-V: One synthetic network adapter (two if using the SSO Agent)
Network interface:
- VMware: Two E1000 virtual network adapters
- Microsoft Hyper-V: Two synthetic network adapters

For additional guidance, see Network Interface Requirements and Recommendations.

VMware software requirements:

VMware Platform: VMware ESXi 5.5 or later (currently 6.x series)
VMware vSphere Client: Any version that works with the supported ESXi deployments

Software requirements:

VMware or
- VMware Platform: VMware ESXi 5.5 or later (currently 6.x series)
- VMware vSphere Client: Any version that works with the supported ESXi deployments
Hyper-V 2012 R2

Amazon Web Services (AWS) account

Required only for identity router deployment in an Amazon Web Services cloud environment

Note: To deploy an identity router in the Amazon cloud, you must be familiar with the following concepts as they relate to AWS:

Elastic Compute Cloud (EC2)
Amazon Machine Image (AMI)
Elastic IP Address
Security Groups
Virtual Private Cloud (VPC)
Subnets
Route Tables
Network Access Control Lists (ACL)
DHCP Option Sets
Internet Gateway
NAT Gateway
Virtual Private Gateway
VPN Connection
VPC Peering

Amazon Virtual Server Instance hardware requirements:

Family: General purpose
Type: t2.large
vCPUs: 2
Memory: 8 GB

AWS cloud environment requirements:

Access to t2.large or better instance types
Virtual Private Cloud with private and public subnets
Route Tables, Security Groups, and Network ACLs that allow traffic between the identity router and all other components in your deployment
DHCP Option Sets that specify all DNS servers required for your deployment
Elastic IP addresses (if your organization manages its own DNS service)

Microsoft Active Directory 2008 or 2012

Microsoft Active Directory 2008 or 2012 or LDAPv3 directory server

Create a group of a limited number of users (for example, RSA Test Group) to synch and test with.

SSL/TLS certificate from your LDAP directory server

Used for an encrypted connection (LDAPS) to your directory server.

Download the SSL/TLS certificate from your directory server. If your directory server does not have a certificate, install one.

See Cloud Access Service Certificates.

SSO Agent only:

Private key, public certificate, and certificate chain for SSL protection for the RSA Application Portal

Generate the private key using your own infrastructure. The private key, in SecurID format, is 2048-bit or greater and is not password-protected.
Submit a certificate signing request (CSR) to a trusted Certificate Authority (CA) to obtain the public certificate and certificate chain. The certificate and certificate chain files are in x509 PEM format.
See Cloud Access Service Certificates

SSO Agent only:

Load balancer

Supported load balancers:

CISCO ACE family
F5 Big-IP family
Citrix Netscaler
Barracuda Load Balancers

See Load Balancer Requirements.

A mobile device or Windows PC

iOS 11.0 or later
Android 6.0 or later
Windows 10 Version 1511 or later

What You Need to Know

RSA uses a hybrid architecture that consists of two components:

Cloud Access Service (CAS) is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.
The identity router is an on-premises virtual appliance that securely connects your on-premises resources, such as Active Directory, to CAS. This VM has two network interfaces. Place one interface in a public-facing network and the other in a private network where it can reach your Active Directory.
The identity router is a virtual appliance that securely connects your on-premises resources, such as Active Directory, to CAS. You can deploy the identity router in your on-premises VMware or Hyper-V environment, or in the Amazon Web Services (AWS) cloud.

Note: After an identity router is registered in a deployment, it cannot be reused in another deployment. For example, suppose you registered an identity router with Company A for a trial deployment, and you want to use the same identity router with Company A in a production deployment. You must add a new identity router (virtual machine) to the production deployment.

Planning Network Interfaces for the Identity Router

Relying party deployments support both standalone and embedded identity routers. For details on planning network interfaces, see Identity Router Network Interfaces and Default Ports.

RADIUS services are available in standalone identity routers that are deployed with one or two network interfaces. If the identity router is deployed with two network interfaces, the RADIUS service listens on the management interface. For details on planning network interfaces, see Identity Router Network Interfaces and Default Ports.

SSO Agent deployments require a standalone identity router. The identity router can be deployed with with one or two network interfaces. If the identity router is deployed with two network interfaces, the SSO agent will be available from the portal interface. For details on planning network interfaces, see Identity Router Network Interfaces and Default Ports.

In all deployments with AWS, the identity router has one network interface to which you assign public and private IP addresses and connect other network resources from the internet or your private network.

Planning Worksheet

Add your values to the following worksheet. You will use this information in the next section and during setup.

Item	Your Values
Cloud Administration Console and CAS	US deployment: <authentication_service_domain> (Base authentication domain: .auth.securid.com), .access.securid.com, (52.188.41.46, 52.160.192.135) Regions: useast, uswest ANZ deployment:<authentication_service_domain> (Base authentication domain: .auth-anz.securid.com), .access-anz.securid.com (20.37.53.30, 20.39.99.202) Regions: auc, auc2 EMEA deployment: <authentication_service_domain> (Base authentication domain: .auth-eu.securid.com), .access-eu.securid.com (51.105.164.237, 52.155.160.141) Regions: euwest, eun Federal deployment: <authentication_service_domain> (Base authentication domain: .auth.securidgov.com), .access.securidgov.com (20.140.188.86, 52.244.104.80) Regions: govva, govaz India deployment: <authentication_service_domain> (Base authentication domain: .auth-in.securid.com), .access-in.securid.com (20.198.118.36, 104.211.224.21) Regions: inc, ins Japan deployment: <authentication_service_domain> (Base authentication domain: .auth-jp.securid.com), .access-jp.securid.com (20.222.126.85, 20.89.231.15) Regions: jpe, jpw Canada deployment: <authentication_service_domain> (Base authentication domain: .auth-ca.securid.com), .access-ca.securid.com (52.237.25.141, 52.235.45.88) Regions: cac, cae Singapore deployment: <authentication_service_domain> (Base authentication domain: .auth-sg.securid.com), .access-sg.securid.com (20.247.160.143, 20.11.115.116) Regions: sea, aue The following are example URLs using the region-specific domain names: US deployment tenantName-idr-useast.auth.securid.com tenantName-idr-useast.access.securid.com ANZ deployment tenantName-idr-auc.auth-anz.securid.com tenantName-idr-auc.access-anz.securid.com EMEA deployment tenantName-idr-euwest.auth-eu.securid.com tenantName-idr-euwest.access-eu.securid.com Federal deployment tenantName-idr-govva.auth.securidgov.com tenantName-idr-govva.access.securidgov.com India deployment tenantName-idr-inc.auth-in.securid.com tenantName-idr-inc.access-in.securid.com Japan deployment tenantName-idr-jpe.auth-jp.securid.com tenantName-idr-jpe.access-jp.securid.com Canada deployment tenantName-idr-cac.auth-ca.securid.com tenantName-idr-cac.access-ca.securid.com tenantName-idr-cae.auth-ca.securid.com tenantName-idr-cae.access-ca.securid.com Singapore deployment tenantName-idr-sea.auth-sg.securid.com tenantName-idr-sea.access-sg.securid.com tenantName-idr-aue.auth-sg.securid.com tenantName-idr-aue.access-sg.securid.com Make sure to whitelist the wildcard base authentication and access domain names if you are using DNS firewall rules so that identity routers can connect to the Cloud using the region-specific domain names. Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router. Note: A set of one or more DNS servers must be configured for each identity router (IDR). The set of DNS server(s) must be able to resolve internal and external domain names, including the securid.com names used by CAS. For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console. To test access to the IP addresses, see Test Access to Cloud Access Service
SSO Agent only: Protected domain name This is a unique subdomain prepended to your registered domain name and is used by all traffic managed by the identity router, for example, sso.example.com. For more information, see Protected Domain Name.
SSO Agent only: Load balancer DNS name (virtual IP) Public IP address Private IP address
Active Directory server LDAP directory server IP address FQDN Base DN of users (the root where users will be synchronized from, for example, DC=company, DC=com) Administrator account credentials that RSA can use to connect to the directory server
DNS server IP address DNS servers IP addresses See Identity Router DNS Requirements.
NTP server IP address
Backups server IP address
Internal user subnet IP address
RADIUS only: RADIUS client IP address
Required only for VMware and Hyper-V identity router deployments:
Identity router management interface (private, required for all deployments) IP address Netmask Gateway Short hostname FQDN
Identity router portal interface (public, required for IDR SSO Agent deployments with on-premises identity router) IP address Netmask Gateway Short hostname FQDN
Required only for Amazon Web Services identity router deployments:
Identity router Private IP Address (Used for communication with internal resources in the same VPC, another VPC, or your on-premises network.) Public Elastic IP Address (Used for communication with public resources over the internet if the identity router is in a public subnet. Not required if a NAT/load balancer with a public IP address manages traffic to the identity router.) Short hostname FQDN Note: For identity routers in AWS, netmask and gateway information is obtained automatically during instance launch, according to the VPC subnet settings.
AWS environment configuration details VPC Private subnet Public subnet DHCP options set Route tables Security groups Network ACLs

Connectivity Requirements

Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. If you deploy the identity router in the Amazon cloud, the route tables, security groups, and network ACLs in your AWS environment must also allow these connections. Update your connectivity settings before continuing with the next step.

Source	Destination	Protocol and Port	Purpose
0.0.0.0/0	CAS Both CAS environments Both CAS environments and <Your load balancer public IP address>	TCP 443 TCP 80, 443	External user access to CAS External user access to CAS, application portal, and applications
SSO Agent only: <Your internal (corp network) end users>	Both CAS environments and <Your load balancer private IP address>	TCP 80, 443	Internal user access to CAS, application portal, and applications
< Your administrators>	For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	On-premises (two network interfaces): TCP 443 One network interface or Amazon: TCP 9786	Identity Router Setup Console
For on-premises identity routers (one network interface): <Your identity router management interface IP address> For on-premises identity routers (two network interfaces): <Your identity router portal interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	Cloud Administration Console and CAS Cloud Administration Console and both CAS environments Note: If your company uses URL filtering, be sure that .access.securid.com, .auth.securid.com, and CAS IP addresses for your region are whitelisted. Note: If your company uses URL filtering, be sure that .access.securid.com, .auth.securid.com, and CAS IP addresses for your region are whitelisted. Also, confirm that you can access both environments. For instructions, see Test Access to Cloud Access Service.	TCP 443	Identity router registration
For on-premises identity routers (one network interface): <Your identity router management interface IP address> For on-premises identity routers (two network interfaces): <Your identity router portal interface IP address> For identity routers in the Amazon cloud: <Your identity router public IP address>	<Your protected resource>	TCP 443 or custom port	Application integration
SSO Agent only: <Your load balancer private IP address>	<Your identity router portal interface IP address>	TCP 80, 443	Load balancer traffic to pool members
SSO Agent only: <Your load balancer private IP address>	<Your identity router management interface IP address>	TCP 443	Load balancer health check of pool members
For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	<Your Active Directory server IP address> <Your LDAP directory server IP address>	TCP 389 TCP 636	LDAP directory user authentication and authorization
For on-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	<Your DNS server IP address>	UDP 53	DNS
RADIUS only: <Your RADIUS client IP address>	For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	UDP 1812	RADIUS
RADIUS only: <Your RADIUS client IP address>	For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	UDP 1812	(Optional) RADIUS
For on-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	<Your NTP server IP address>	UDP 123	Network time server synchronization
<Your administrator computer>	For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	TCP 22	(Optional) SSH for troubleshooting See Access SSH for Identity Router Troubleshooting.

Cloud Access Service POC Quick Setup Guide - Step 2: Deploy the Identity Router

Cloud Access Service POC Quick Setup Guide

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Cloud Access Service POC Quick Setup Guide - Step 1: Plan

What You Need to Have

What You Need to Know

Planning Network Interfaces for the Identity Router

Planning Worksheet

Connectivity Requirements

Related Articles

Trending Articles