Identity Router Network Interfaces and Default Ports
This topic describes the network interface configurations required for different types of deployments. It also provides the default ports and protocols used for incoming and outgoing identity router traffic. For more information, see:
A standalone identity router is installed on the VMware, Hyper-V, or Amazon Web Services cloud platform. It can be deployed with one or two network interfaces.
Number of Network Interfaces
One interface: All services, including the application portal, share the same interface. It is used for all traffic to and from the identity router (including the application portal, Cloud RADIUS, and so on).
Two interfaces: One interface is designated as portal, the other as management.
The portal interface is used by the application portal. It is usually connected to an Internet-facing network segment, such as the DMZ.
The management interface is used by all other services. It is usually attached to an internal network segment, such as the Local Area Network (LAN).
For identity routers installed on VMware or Hyper-V, network interfaces are configured on the virtual appliance and connected to your network. You assign each interface an IP address and a domain name. RSA recommends that each interface be located on a separate subnet for security reasons. The identity router does not bridge traffic between the two interfaces.
Note: After you deploy an identity router with one network interface, you cannot change the configuration to support two network interfaces. You must deploy a new identity router with two network interfaces.
Embedded Identity Router in RSA Authentication Manager
An embedded identity router:
Shares the host Authentication Manager network interface and its configuration (including the IP address, DNS servers, static routes, and so on).
Is used for identity source and cloud tenant traffic.
Outgoing traffic for identity routers is managed as follows:
Any destination hosts on the same subnet as an identity router interface are reached through that interface. For example, if the identity source is on the same subnet as the management interface, then the LDAP service uses the management interface. A default gateway is not used.
You may configure static routes to force specific traffic to use the management interface. For example, if the RSA Authentication Manager server is in a different subnet from both identity router interfaces, you can add a static route for traffic to Authentication Manager to use the management interface.
In deployments with two network interfaces, all other traffic is routed through the default gateway specified for the portal interface.
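As an added illustration (not RSA's code), the following Python models the three egress rules above so you can predict which interface, and therefore which firewall and subnet, a given destination will traverse when writing allow rules. The interface addresses, the static route and the service list are constructed values.

```python
import ipaddress

# Illustrative model of the documented egress rules for an identity router:
#   1. a destination on a directly attached subnet leaves via that interface
#      (no default gateway is involved);
#   2. a destination matched by an administrator-defined static route is
#      forced onto the management interface;
#   3. everything else leaves via the default gateway of the portal interface
#      (with a single interface, that one interface carries all traffic).
# This is not the product's routing code, only a model for planning purposes.


def select_egress_interface(interfaces, static_routes, destination):
    """Return the interface name used to reach `destination`.

    interfaces:    dict of interface name -> address with prefix length,
                   e.g. {"portal": "203.0.113.10/24", "management": "10.0.5.10/24"}
    static_routes: list of CIDR prefixes routed via the management interface
    destination:   IP address string of the remote host
    """
    dst = ipaddress.ip_address(destination)
    # Rule 1: directly attached subnet wins.
    for name, cidr in interfaces.items():
        if dst in ipaddress.ip_interface(cidr).network:
            return name
    # Rule 2: static routes only apply when a management interface exists.
    if "management" in interfaces:
        for route in static_routes:
            if dst in ipaddress.ip_network(route):
                return "management"
    # Rule 3: default gateway on the portal interface (or the only interface).
    return "portal" if "portal" in interfaces else next(iter(interfaces))


def egress_plan(interfaces, static_routes, services):
    """Map each named service destination to its egress interface."""
    return {svc: select_egress_interface(interfaces, static_routes, ip)
            for svc, ip in services.items()}


if __name__ == "__main__":
    # Constructed two-interface deployment: portal in the DMZ, management on the LAN,
    # with a static route covering the Authentication Manager subnet.
    nics = {"portal": "203.0.113.10/24", "management": "10.0.5.10/24"}
    routes = ["10.20.0.0/16"]
    services = {"ldap": "10.0.5.25", "auth_manager": "10.20.1.7", "cloud_tenant": "198.51.100.9"}
    for svc, nic in egress_plan(nics, routes, services).items():
        print(f"{svc:13s} -> {nic}")
```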
Network Interface for Identity Routers in the Amazon Cloud
When deployed in the AWS cloud, the identity router has only one virtual network interface to which you assign a domain name, a private IP address, and, optionally, a public Elastic IP address. The private address is accessible only from your network, while the public Elastic IP address is accessible from the internet. You must configure security groups, route tables, and network access control lists in your AWS environment to allow either public or private network access for each service, depending on how the other network components in your deployment will connect to the identity router, and the requirements specified in the Network Accessibility for Amazon Identity Routers column in the following tables.