Change the Replica Instance IPv4 Network Settings

You can change the replica instance IPv4 network settings, such as the subnet mask, default gateway, hostname or IP address. There are several reasons why you might need to change the network settings. For example, you might need to change the IP address to resolve an IP address conflict with another resource, you might need to change the subnet mask when the network is reorganized, or you might need to change network settings when you move an appliance from one data center to another.

Before you begin

  • Users cannot authenticate on this instance while you perform this procedure, and some administrative features are not available. Plan to perform this procedure at a time when the absence of authentication service is minimally disruptive.

  • You must be a Super Admin.

  • If the replica instance is deployed in Amazon Web Services (AWS), you must first change the IP address on the AWS instance. For instructions, see Change the IP Address of a Primary or Replica Instance in Amazon Web Services.

  • If the replica instance is deployed in Azure, check for an available private IP address. For instructions, see your Azure documentation.

Procedure

  1. On the replica instance, log on to the Operations Console.

  2. Click Administration > Network > Appliance Network Settings.

  3. Under Global Settings, configure the following:

    • In the Fully Qualified Domain Name field, modify the fully qualified domain name (FQDN).

    • For DNS Servers, add, update or remove an IP address from the list of IP addresses for DNS servers.

      • To add an IP address, enter the IP address in the DNS Server IP Address field and click Add.

      • To update an IP address, select the IP address from the list, modify the IP address in the DNS Server IP Address field and click Update.

      • To remove an IP address, select the IP address from the list and click Remove.

      • To change the order in which the DNS servers are used, select an IP address and click the up or down arrow.

      You may enter multiple IP addresses, and specify the order. Authentication Manager submits DNS lookup queries to the DNS servers in the order listed.

    • For DNS Search Domains, add, update or remove a domain from the list of DNS search domains.

      • To add a search domain, enter the name of the domain in the DNS Search Domain field and click Add.

      • To update a search domain, select the name of the domain from the list, modify the name in the DNS Search Domain field and click Update.

      • To remove a search domain, select the domain from the list and click Remove.

      • To change the order in which the domains are searched, select the domain and click the up or down arrow.

      You may enter multiple search domains, and specify the order. Authentication Manager uses the search domains in the order listed.

  4. For each network interface card (NIC) that you want to use, configure the following:

    1. In the IPv4 Address field, modify the IP address. Each NIC supports one IP address.

    2. In the IPv4 Subnet Mask field, modify the subnet mask.

    3. In the IPv4 Default Gateway field, modify the IP address.

      Note: Configure IPv6 Settings only if your deployment contains authentication agents that use the IPv6 protocol. The IPv6 settings contain an additional field, IPv6 Prefix Length, instead of the Subnet Mask field.

  5. To configure an additional NIC, select the Enabled checkbox under the name of the NIC, and configure the settings. For a virtual appliance, the Appliance Network Settings page displays an additional NIC only after you add the NIC on the virtual machine hosting the appliance.

    Authentication Manager supports dual network interface card (NIC) configurations on the hardware appliance, the Amazon Web Services virtual appliance, the Hyper-V virtual appliance, and the VMware virtual appliance. The Azure virtual machine supports one NIC, and one IP address for the NIC. Features that require more than one NIC are not available on the Azure virtual machine.

    Note: Both NICs cannot share an IP address. RSA recommends using a different subnet for each NIC. If two NICs share the same subnet and one NIC becomes unavailable, then Authentication Manager services will not be available on either NIC.

    All Authentication Manager services are available on both NICs. You can configure your network to use NIC1 or NIC2 for specific types of traffic, but failover is only provided for agent authentication.

    If you want agents to communicate with the IP address of an additional NIC, you must configure the IP address of the additional NIC as an alternate IP address. For more information, see Add Alternative IP Addresses for Instances.

  6. Click Next. The Operations Console displays a review page.

  7. Review the changes you made, highlighted in bold and italic. Click Change Network Settings to accept the changes, click Back to make additional changes, or click Cancel.

  8. Select Yes, change network settings, and click Change Network Settings.

    To apply the changes, Authentication Manager restarts the system-level networking service. If you changed the hostname or IP address, Authentication Manager restarts additional services. After the services are running, the Operations Console and the Security Console are available at the new hostname and IP address.

  9. (Optional) You can download a text file that contains the updated network settings for the replica instance. You can refer to this information if you need to restore the original system image on a hardware appliance or if you need to replace a virtual appliance. Do the following:

    1. On the replica instance, log on to the Operations Console.

    2. Click Administration > Network > Appliance Network Settings.

    3. Under Download Network Settings, click Download network settings.

    4. Save the FQDN_backupOfNetworkSettings.txt file in an external location where it is available for convenient reference.

After you finish

Complete these tasks after changing your replica instance hostname or IP address. If you change both the hostname and the IP address, you must perform all of the tasks that apply to your deployment. Changes to other network settings, such as the subnet mask, do not require these additional tasks.

Each task is followed by its Hostname Change Requirement and its IP Address Change Requirement.

  • For an Azure virtual appliance hostname change, perform the steps in Change the Hostname of a Primary or Replica Instance in Azure.

    Hostname Change Requirement: Yes. IP Address Change Requirement: No.

  • For an Azure virtual appliance IP address change, make sure to update the IP address on the Azure virtual machine:

    1. Log on to the Azure Portal.

    2. On the Services tab, search for Virtual Machines.

    3. Navigate to the RSA Authentication Manager virtual machine.

    4. Stop the virtual machine.

    5. Create a new NIC that uses the new IP address that was configured in the Operations Console.

    6. Attach the new NIC to the Authentication Manager virtual machine.

    7. Remove the original NIC.

    8. Start the virtual machine.

    Hostname Change Requirement: No. IP Address Change Requirement: Yes.

  • Update the DNS server with the new hostname or IPv4 address.

    The Amazon Web Services (AWS) appliance requires you to configure a DNS server in the Virtual Private Cloud (VPC). For instructions, see DNS Server Configuration on the Amazon Web Services Virtual Private Cloud.

    The Azure appliance requires you to configure a DNS server in the virtual network or use the DNS server provided by Azure. Any on-premises Authentication Manager primary instance or replica instances must use the DNS server that is configured in the virtual network.

    Hostname Change Requirement: Yes. IP Address Change Requirement: Yes.

  • Verify that the hostname used to access the Consoles (Operations Console, Security Console, and the Self-Service Console) resolves to the new IP address.

    Hostname Change Requirement: No. IP Address Change Requirement: Yes.

  • For the Azure virtual appliance, in a replicated deployment, make sure the primary instance can communicate with the replica instance. After changing the replica instance IP address, edit the hosts file on the primary instance.

    For instructions, see Edit the Appliance Hosts File.

    Hostname Change Requirement: No. IP Address Change Requirement: Yes.

  • If you installed an SSL certificate that is signed by a third-party certificate authority (CA), changing the hostname causes the deployment to revert to the SSL certificate signed by the Authentication Manager CA that is enabled when the instance is deployed.

    To install a new SSL certificate, import a new SSL certificate that is signed by the third-party certificate authority and whose common name (CN) is the new hostname. For instructions, see Replacing the Console Certificate.

    Hostname Change Requirement: Yes. IP Address Change Requirement: No.

  • Configure authentication agents to communicate with the new IP address. Generate a new configuration file, sdconf.rec, and deploy it to all authentication agents. For instructions, see Generate the Authentication Manager Configuration File.

    If you want agents to communicate with the IP address of an additional NIC, you must configure the IP address of the additional NIC as an alternate IP address. For more information, see Edit an Authentication Agent.

    Hostname Change Requirement: No. IP Address Change Requirement: Yes.

  • Repair any trusted realm relationships. For instructions, see Repair a Trust Relationship with a Version 8.0 or Later Realm.

    Hostname Change Requirement: Yes. IP Address Change Requirement: No.

  • Wait five minutes for the web tier to update. You can then make additional hostname changes as needed.

    In a replicated deployment, the web tier obtains the replica instance hostname from the primary instance. The waiting period allows the web tier to maintain communication with the Authentication Manager instances.

    Hostname Change Requirement: Yes. IP Address Change Requirement: No.

  • Update any other external clients, such as RADIUS and SNMP, to use the new IP address. Changing the IP address for the replica instance also updates the RADIUS IP address. Reconfigure RADIUS clients so that they send requests to the new IP address.

    Hostname Change Requirement: No. IP Address Change Requirement: Yes.

  • Update any external clients, such as RADIUS clients and SNMP, to use the new hostname.

    Hostname Change Requirement: Yes. IP Address Change Requirement: No.

  • Check the replication status for the replica instance, and synchronize the replica instance if necessary. For instructions, see Synchronize a Replica Instance.

    Hostname Change Requirement: Yes. IP Address Change Requirement: Yes.