Identity Router Network Interfaces and Default Ports

This topic describes the network interface configurations required for different types of deployments. It also provides the default ports and protocols used for incoming and outgoing identity router traffic. For more information, see:

Network Interface Requirements and Recommendations

The identity router can be deployed as either standalone or embedded within RSA Authentication Manager.

Standalone Identity Router

A standalone identity router is installed on the VMWare, Hyper-V, or Amazon Web Services cloud platform. It can be deployed with one or two network interfaces.

Number of Network Interfaces Description
One
  • All services including the application portal share the same interface.

  • Used for all traffic to and from the identity router (including the application portal, Cloud RADIUS, and so on).

Two

One interface is designated as portal, the other as management.

  • The portal interface is used by the application portal. It is usually connected to an Internet-facing network segment, such as the DMZ.

  • The management interface is used by all other services. It is usually attached to an internal network segment, such as the Local Area Network (LAN).

For identity routers installed on VMWare or Hyper-V, network interfaces are configured on the virtual appliance and connected to your network. You assign each interface an IP address and a domain name. RSA recommends that each interface be located on a separate subnet for security reasons. The identity router does not bridge traffic between the two interfaces.

Note: After you deploy an identity router with one network interface, you cannot change the configuration to support two network interfaces. You must deploy a new identity router with two network interfaces.

Embedded Identity Router in RSA Authentication Manager

An embedded identity router:

  • Shares the host Authentication Manager network interface and its configuration (including the IP address, DNS servers, static routes, and so on).

  • Is used for identity source and cloud tenant traffic.

Incoming Traffic for Identity Routers

You must configure incoming traffic to connect to either the management interface or the portal interface as specified in Ports for Identity Router Incoming Traffic .

Outgoing Traffic for Identity Routers

Outgoing traffic for identity routers is managed as follows:

  • Any destination hosts on the same subnet as an identity router interface are reached through that interface. For example, if the identity source is on the same subnet as the management interface, then the LDAP service uses the management interface. A default gateway is not used.

  • You may configure static routes to force specific traffic to use the management interface. For example, if the RSA Authentication Manager server is in a different subnet from both identity router interfaces, you can add a static route for traffic to Authentication Manager to use the management interface.

  • In deployments with two network interfaces, all other traffic is routed through the default gateway specified for the portal interface.

Network Interface for Identity Routers in the Amazon Cloud

When deployed in the AWS cloud, the identity router has only one virtual network interface to which you assign a domain name, a private IP address, and, optionally, a public Elastic IP address. The private address is accessible only from your network, while the public Elastic IP address is accessible from the internet. You must configure security groups, route tables, and network access control lists in your AWS environment to allow either public or private network access for each service, depending on how the other network components in your deployment will connect to the identity router, and the requirements specified in the Network Accessibility for Amazon Identity Routers column in the following tables.

Ports for Identity Router Incoming Traffic

Service Description Deployment One Network Interface Two Network Interfaces
Management Interface (eth0)

Portal Interface (eth1)

SSH SSH for identity router troubleshooting. This port is not open by default. All (optional) TCP 22 TCP 22
HTTPS Traffic related to the Identity Router Setup Console, and RSA Authentication Manager integration. All TCP 9786 TCP 443
HTTPS Load balancer and end-user web browser traffic for connections to the application portal and applications. Includes status servlet. SSO Agent TCP 443 TCP 443
RADIUS RADIUS traffic. This port is not opened by default. RADIUS UDP 1812 UDP 1812
Identity router synchronization Synchronization traffic among identity routers in a cluster.

SSO Agent (high availability)

TCP 7900 to TCP 7902

TCP 7900 to TCP 7902

Cluster synchronization Synchronization traffic between clusters. SSO Agent with multiple clusters TCP 7910 TCP 7910

Ports for Identity Router Outgoing Traffic

Note: All deployments with a standalone identity router with one network interface should use the management interface.

Service

Description

Deployment

Connection Initiated From

Hyper-V or VMware Identity Router with Two Network Interfaces*

Hyper-V or VMware Identity Router with One Network Interface Amazon Identity Router

Destination Protocol and Port

SFTP

(Optional) SFTP backup server IP address for user profile data (keychain) backup

SSO Agent

Portal

Note: RSA recommends adding a static route to use the management interface.

Management Private

TCP 22

DNS lookups

Enable the identity router to look up the IP addresses of the hostnames to which it will connect, including the Cloud Authentication Service and identity sources.

All

Portal

Note: RSA recommends using the management interface. To do this, ensure that both DNS and NTP are on the same subnet as the management interface, or add a static route.

Management Public or Private

UDP 53

NTP synchronization

NTP server IP addresses

All

Portal

Note: RSA recommends using the management interface. To do this, ensure that both NTP and DNS are on the same subnet as the management interface, or add a static route.

Management Public or Private

UDP 123

LDAP

LDAP directory server IP address for unencrypted LDAP directory server user authentication and authorization.

RSA does not recommend using this port.

All

Portal

Note: RSA recommends adding a static route to use the management interface.

Management Private

TCP 389

(may vary depending on your LDAP server configuration)

LDAP (SSL/TLS)

LDAP directory server IP address for LDAP directory server user authentication and authorization

All

Portal

Note: RSA recommends adding a static route to use the management interface.

Management Private

TCP 636

(may vary depending on your LDAP server configuration)

HTTP for HFED

On-premises application server IP addresses that require HTTP.

RSA does not recommend this configuration.

SSO Agent

Portal

Management Private

TCP 80 or application-specific port

HTTPS for HFED

On-premises application server IP addresses, optional custom portal server IP address

SSO Agent

Portal

Management Public or Private

TCP 443 or application-specific port

Secure connection from the identity router to the Cloud Authentication Service and Cloud Administration Console

securid.com, optional custom portal server IP address. For current Cloud Authentication Service IP adresses see Test Access to Cloud Authentication Service.

All

Portal

Management Public or Private TCP 443 or application-specific por

Audit logging (syslog)

(Optional) Syslog server IP address for audit log aggregation

All

Portal

Note: RSA recommends adding a static route to use the management interface.

Management Private

UDP 514

RSA Authentication Manager

(Optional) RSA Authentication Manager server IP address

Portal

Note: RSA recommends adding a static route to use the management interface.

Management Private

TCP 5500