Multiple IDRs without a load balancer.
Current working setup:
On-premise RSA Authentication Manager 8.5 with primary and secondary
On-premise standalone Identity Router (VMware), software version 188.8.131.52.6, OS version SLES11 SP4 (portal.sso.company.com) assigned to the default cluster within RSA SecurID Access Cloud.
Deploy two new on-premise Identity Routers (VMware) using the latest OS version SLES12 SP5. Hostnames will be portal1.sso.company.com and portal2.sso.company.com and assigned to the default cluster within RSA SecurID Access with a Load Balancer DNS Name of portal.sso.company.com. SSL certificate (wildcard for *.company.com) is configured for portal.sso.company.com with additional subject alternate names of portal1.sso.company.com and portal2.sso.company.com.
My question, or better yet my confusion, is how to configure the hostname, DNS records, and certificates to support the future configuration without a network load balancer. My understanding of the documentation is to configure host entries on the RSA Authentication Manager within the Operations Console. However, the way the documentation reads: “Hostname for the identity routers. You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses” So, the host entries would be associated with the management interfaces of the Identity Routers and not the portal interfaces. The installed certificate on the Identity router is used for both the web GUI of the management interface as well as the web GUI of the portal interface.
Would I create DNS records for idr.company.com, idr1.company.com and idr2.company.com to be used by the management interfaces, add those as additional subject alternate names to the certificate as well? Then configure the host entries on Authentication Manager as specified in the documentation, pointing idr.company.com to the IPs of idr1 and idr2?
Any advice on an HA setup of the IDRs without a load balancer would be greatly appreciated. Thanks in advance.
Reference - https://community.rsa.com/docs/DOC-84670#Step3
Why would you use it without a load balancer? You can set up HA with an LB at zero cost... just use HAProxy. If you want two load balancers in HA you can use keepalived with a floating IP. That's how I set it up.
Anyway, back to your question. Yes, you can set up DNS names for the management interfaces, e.g. idr1.company.com, idr2.company.com...
There are two interfaces on IDRs: management and the SSO/Portal/RADIUS one.
I've installed a *.company.com wildcard cert which is CA-trusted on all IDRs and it works fine.
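As an added example of the HAProxy plus keepalived layout the reply describes (this is not code from the thread or from RSA), the script below renders an HAProxy configuration that load-balances the two IDR portal interfaces and a keepalived configuration that carries a floating IP between two HAProxy nodes. The IDR addresses (10.0.10.11, 10.0.10.12), the floating IP (10.0.10.10), the interface name eth0 and the health-check command are all assumed placeholders. TLS is passed through in TCP mode so the IDRs keep terminating it with the wildcard certificate already installed on them, and the proxy never holds the private key.

```shell
#!/bin/sh
# Added example (not from the thread): render HAProxy + keepalived configs for
# two IDRs behind one floating IP. All addresses, hostnames and the interface
# name are assumed placeholders; adjust them for the real network.

IDR1_IP="${IDR1_IP:-10.0.10.11}"    # portal1.sso.company.com (assumed)
IDR2_IP="${IDR2_IP:-10.0.10.12}"    # portal2.sso.company.com (assumed)
FLOAT_IP="${FLOAT_IP:-10.0.10.10}"  # portal.sso.company.com resolves here (assumed)
VRRP_IF="${VRRP_IF:-eth0}"          # interface that carries the floating IP (assumed)

# Print the HAProxy configuration. TCP mode passes TLS through untouched, so
# the IDRs terminate it with their own *.company.com certificate and HAProxy
# needs no key material. Source hashing keeps a client on one IDR.
haproxy_cfg() {
    cat <<EOF
global
    log /dev/log local0
    maxconn 4096
    user haproxy
    group haproxy

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend portal_https
    bind *:443
    default_backend idr_portals

backend idr_portals
    balance source
    option tcp-check
    server portal1 $IDR1_IP:443 check inter 5s fall 3 rise 2
    server portal2 $IDR2_IP:443 check inter 5s fall 3 rise 2
EOF
}

# Print the keepalived configuration for this node. ROLE is MASTER or BACKUP;
# the backup has a lower priority, so it only takes the floating IP when the
# master's HAProxy process stops passing the tracked health script.
keepalived_conf() {
    role="$1"
    if [ "$role" = "MASTER" ]; then prio=101; else prio=100; fi
    cat <<EOF
vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"
    interval 2
    weight 2
}

vrrp_instance VI_PORTAL {
    state $role
    interface $VRRP_IF
    virtual_router_id 51
    priority $prio
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass VRRPPASS
    }
    virtual_ipaddress {
        $FLOAT_IP/24
    }
    track_script {
        chk_haproxy
    }
}
EOF
}

# Write both files under DIR (use / on a real host) and syntax-check the
# HAProxy file when the binary is present.
install_ha_configs() {
    dir="$1"
    role="${2:-MASTER}"
    mkdir -p "$dir/etc/haproxy" "$dir/etc/keepalived"
    haproxy_cfg > "$dir/etc/haproxy/haproxy.cfg"
    keepalived_conf "$role" > "$dir/etc/keepalived/keepalived.conf"
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$dir/etc/haproxy/haproxy.cfg"
    fi
}

# Usage: sh ha-idr.sh / MASTER   (on the second node: sh ha-idr.sh / BACKUP)
# Running with no arguments only defines the functions.
if [ $# -gt 0 ]; then install_ha_configs "$@"; fi
```

With this layout the portal.sso.company.com A record points at the floating IP, while portal1 and portal2 keep their own records for direct access and for the health checks. Because HAProxy proxies TCP only, this covers the HTTPS portal and SSO traffic; RADIUS is UDP and would still need a UDP-capable balancer or the IDRs' own addresses on the RADIUS clients. The VRRP password is a placeholder and keepalived only reads the first eight characters of it.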