Test Access to Cloud Access Service
RSA maintains two Cloud Access Service (CAS) environments. When one environment becomes unavailable for any reason, your deployment automatically switches to the other environment. RSA recommends that you test access to both environments before a switch is needed, to ensure a smooth transition during unexpected downtime.
You need to use your tenant-specific authentication and access domain names when performing connectivity tests. Each tenant-specific domain resolves to a service IP address within your assigned region. Although your tenant will typically resolve to a consistent IP address, the service may use any IP address allocated to that region. If you enforce outbound firewall rules by using IP allowlisting, you need to allow all published IP addresses for your deployment region, not only the IP address currently returned by DNS.
Note: Additional IP addresses may be introduced as the service expands. You need to ensure your firewall policies are updated accordingly.
After your deployment is switched to another environment, the following events occur:
Authentication services and the Cloud Administration Console are restored as quickly as possible.
Domain Name Services (DNS) redirects the Cloud Administration Console and your identity routers to the new URLs for your deployment (for example, US). Make sure to whitelist the base authentication and access domain names if you are using DNS firewall rules so that identity routers can connect to the Cloud using the region-specific domain names.
A message is posted to the RSA SecurID Access status page with details about the event.
Before you begin
Confirm that your firewall rules allow access to both IP addresses for your deployment.
If your company uses URL filtering, be sure that both IP addresses for your deployment are whitelisted.
Procedure
To test access for your identity routers, on an identity router, do the following:
Enable SSH on an identity router. For instructions, see Access SSH for Identity Router Troubleshooting.
To test connectivity for both auth and access domains, you can use the following example with your tenant name:
openssl s_client -connect tenantName.auth.securid.com:443
openssl s_client -connect tenantName.access.securid.com:443
To test the connectivity with region-specific domain names, you can use the following example authentication domain name:
openssl s_client -connect tenantName-idr-useast.auth.securid.com:443
This domain name is for the useast region of the US deployment. Enter the domain name for your deployment.
Note: You can obtain the tenantName from the Cloud Administration Console.
You receive information back about the certificate chain and other details. If you are unable to reach the environment, the command eventually times out and you see SSL-related error messages.
- Repeat this for one identity router in each data center (or different firewall settings) in your deployment.
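The manual checks above can be batched and their output classified, as in the following added example (not RSA tooling). The helper names classify_s_client and probe are hypothetical, and the script assumes a POSIX shell with openssl and the coreutils timeout command, and that each certificate names the host's base domain.

```shell
#!/bin/sh
# Added example (not RSA tooling): batch the manual openssl s_client checks.
# classify_s_client and probe are hypothetical helper names.

# Read `openssl s_client` output on stdin and print one verdict:
#   OK    - a chain came back and a subject names the expected domain
#   WRONG - a chain came back from something else (for example a
#           TLS-inspecting proxy or a captive portal)
#   FAIL  - no chain at all (timeout, reset, blocked by the firewall)
classify_s_client() {
    expected=$1
    # Chain subjects look like " 0 s:CN = ..." or " 0 s:/C=.../CN=..."
    subjects=$(grep -E '^ *[0-9]+ s:' || true)
    if [ -z "$subjects" ]; then
        echo FAIL
    elif printf '%s\n' "$subjects" | grep -qF -- "$expected"; then
        echo OK
    else
        echo WRONG
    fi
}

# Connect to host:443 with SNI and classify what answered.
# Assumption: the certificate names the host's base domain, as the page
# states for auth.securid.com.
probe() {
    host=$1
    timeout 15 openssl s_client -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | classify_s_client "${host#*.}"
}

if [ $# -eq 0 ]; then
    # No hosts given: classify a constructed sample (not real output).
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:CN = *.auth.securid.com' '   i:CN = Example Issuing CA' \
        | classify_s_client auth.securid.com
fi

# Usage: sh check_cas.sh tenantName.auth.securid.com tenantName.access.securid.com
for host in "$@"; do
    printf '%-50s %s\n' "$host" "$(probe "$host")"
done
```

A WRONG verdict means the connection left the host but something other than the service terminated TLS, which points at a proxy or filtering rule and not at a blocked IP address.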
To test access for your internal users, on an internal machine, do the following:
Enter the following URL in your browser: https://tenantName.auth.securid.com.
The domain tenantName.auth.securid.com is the US deployment domain dedicated to your tenant. Replace tenantName with the actual tenant name for your deployment.
View details about the connection and confirm that *auth.securid.com is included in the certification path.
For example, on Google Chrome, click the Not secure warning in the address bar. Then click the certificate and confirm that it is issued to *auth.securid.com.
- Repeat this for one internal machine in each data center (or different firewall settings) in your deployment.
If you are unable to access one of the environments, confirm that you have the correct firewall and whitelist settings. For more information, see the "Connectivity Requirements" section in your Quick Setup Guide. To download a Quick Setup Guide that is appropriate for your deployment, see Cloud Access Service Planning and Configuration.