Deployment Planning Checklist

Use these checklists when planning your deployment.

Note: This information does not apply to planning deployments that use the embedded identity router in Authentication Manager 8.5 or later. See Quick Setup - Connect SecurID Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router.

What You Need to Have

Item and description
Sign-in credentials to the Cloud Administration Console

Sign-in credentials are emailed to you after you request an environment from SecurID Sales or your partner or complete the trial form.

Be sure that the email address that you provide to SecurID is for a real user in your LDAP directory and not, for example, a group alias or general account.

For browser requirements for the Cloud Administration Console, see Browser requirements.

Virtual appliance infrastructure

Required only if you deploy the identity router on-premises in a VMware or Hyper-V environment

Hardware requirements for image file:

  • Disk space: 54 GB

  • Memory: 8 GB

    For SSO Agent deployments, consider 16 GB for high availability architectures.

  • Virtual CPUs: 4

Network interface for RADIUS and Relying Party deployments:

  • VMware: One E1000 virtual network adapter
  • Microsoft Hyper-V: One synthetic network adapter

Network interface for SSO Agent deployments:

  • VMware: Two E1000 virtual network adapters
  • Microsoft Hyper-V: Two synthetic network adapters

For more information, see Identity Router Network Interfaces and Default Ports.

Software requirements (one of the following):

  • VMware
    • VMware Platform: VMware ESXi 5.5 or later (currently the 6.x series)
    • VMware vSphere Client: any version that works with the supported ESXi releases
  • Microsoft Hyper-V 2012 R2

Amazon Web Services (AWS) account

Required only if you deploy the identity router in an Amazon Web Services cloud environment

Note: To deploy an identity router in the Amazon cloud, you must be familiar with the following AWS concepts:

Elastic Compute Cloud (EC2)
Amazon Machine Image (AMI)
Elastic IP Address
Security Groups
Virtual Private Cloud (VPC)
Subnets
Route Tables
Network Access Control Lists (ACLs)
DHCP Option Sets
Internet Gateway
NAT Gateway
Virtual Private Gateway
VPN Connection
VPC Peering

Amazon EC2 instance requirements:

  • Family: General purpose
  • Type: t2.large
  • vCPUs: 2
  • Memory: 8 GB

AWS cloud environment requirements:

  • Access to t2.large or better instance types
  • Virtual Private Cloud with private and public subnets
  • Route Tables, Security Groups, and Network ACLs that allow traffic between the identity router and all other components in your deployment
  • DHCP Option Sets that specify all DNS servers required for your deployment
  • Elastic IP addresses (if your organization manages its own DNS service)

Microsoft Active Directory (Windows Server 2008 or 2012) or an LDAPv3 directory server

Create a group containing a limited number of users (for example, SecurID Test Group) to synchronize and test with.

SSL/TLS certificate from your LDAP directory server

Used for an encrypted connection (LDAPS) to your directory server.

Download the SSL/TLS certificate from your directory server. If your directory server does not have a certificate, install one.

For more information, see SSL/TLS certificate from your LDAP directory server.

Determine the security levels and identity router connection ciphers

Determine the security levels that include encryption protocols and cipher requirements that the identity router enforces when connecting to users and components in your SecurID deployment. See Security Levels and Identity Router Connection Ciphers.

SSO Agent only:

Private key, public certificate, and certificate chain for TLS protection of the SecurID Application Portal

  • Generate the private key using your own infrastructure. The private key is an RSA key of 2048 bits or more and is not password-protected. Because the key file is stored unencrypted, restrict read access to it and move it only over protected channels.
  • Submit a certificate signing request (CSR) to a trusted certificate authority (CA) to obtain the public certificate and certificate chain. The certificate and certificate chain files are in X.509 PEM format.

    For more information, see Generate and Download a Certificate Bundle.
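The following is an added example of the key and CSR step above, written for this page; it is not SecurID's Generate and Download a Certificate Bundle procedure. It assumes the openssl command-line tool is on PATH, and the protected domain name sso.example.com is a placeholder. Besides generating the key and CSR, it checks the stated requirements (PEM, RSA, at least 2048 bits, no passphrase) and shows that a passphrase-wrapped key fails that check.

```python
"""Generate and validate the SSO Agent portal private key and CSR.

Added example (not SecurID's own tooling). Assumes the openssl CLI is on PATH;
sso.example.com is a placeholder for your protected domain name.
"""
import os
import re
import shutil
import subprocess
import tempfile


def have_openssl():
    """True if the openssl CLI is available (the functions below shell out to it)."""
    return shutil.which("openssl") is not None


def generate_portal_key(key_path, bits=2048):
    """Write an unencrypted RSA private key in PEM (no -aes256, no passphrase)."""
    subprocess.run(["openssl", "genpkey", "-algorithm", "RSA",
                    "-pkeyopt", f"rsa_keygen_bits:{bits}", "-out", key_path],
                   check=True, capture_output=True)
    os.chmod(key_path, 0o600)  # stored in clear, so keep it owner-readable only


def generate_csr(key_path, csr_path, common_name, sans):
    """Write a CSR for the protected domain name, repeating the names in subjectAltName."""
    alt = ",".join(f"DNS:{name}" for name in sans)
    subprocess.run(["openssl", "req", "-new", "-key", key_path, "-out", csr_path,
                    "-subj", f"/CN={common_name}", "-addext", f"subjectAltName={alt}"],
                   check=True, capture_output=True)


def validate_portal_key(key_path, min_bits=2048):
    """Check the page's requirements: PEM, RSA, >= 2048 bits, not password-protected."""
    with open(key_path, "rb") as f:
        pem = f.read()
    result = {"pem": b"-----BEGIN" in pem, "encrypted": b"ENCRYPTED" in pem,
              "rsa": False, "bits": 0}
    if result["encrypted"]:          # PKCS#8 and legacy PEM both mark this in the header
        result["ok"] = False
        return result
    text = subprocess.run(["openssl", "pkey", "-in", key_path, "-noout", "-text"],
                          capture_output=True, text=True).stdout
    result["rsa"] = "modulus:" in text           # only RSA keys print a modulus
    match = re.search(r"Private-Key: \((\d+) bit", text)
    result["bits"] = int(match.group(1)) if match else 0
    result["ok"] = result["pem"] and result["rsa"] and result["bits"] >= min_bits
    return result


def csr_verifies(csr_path):
    """True if the CSR's self-signature verifies (openssl req -verify)."""
    return subprocess.run(["openssl", "req", "-in", csr_path, "-noout", "-verify"],
                          capture_output=True).returncode == 0


def demo(common_name="sso.example.com"):
    """Generate key and CSR in a scratch directory; return the key check plus CSR status."""
    workdir = tempfile.mkdtemp()
    key, csr = os.path.join(workdir, "portal.key"), os.path.join(workdir, "portal.csr")
    generate_portal_key(key)
    generate_csr(key, csr, common_name, [common_name])
    result = validate_portal_key(key)
    result["csr_ok"] = csr_verifies(csr)
    shutil.rmtree(workdir)
    return result


def demo_encrypted():
    """Failure mode: a passphrase-wrapped copy of the key does not meet the requirement."""
    workdir = tempfile.mkdtemp()
    plain, wrapped = os.path.join(workdir, "plain.key"), os.path.join(workdir, "wrapped.key")
    generate_portal_key(plain)
    subprocess.run(["openssl", "pkey", "-in", plain, "-aes256", "-passout", "pass:example",
                    "-out", wrapped], check=True, capture_output=True)
    result = validate_portal_key(wrapped)
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print("portal key:", demo())
    print("wrapped key:", demo_encrypted())
```

Submit the resulting portal.csr to your CA and keep portal.key on the host that will upload the certificate bundle; the CA returns the certificate and chain that the next item in the checklist calls for.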

SSO Agent only:

Load balancer

Supported load balancers:

  • Cisco ACE family
  • F5 BIG-IP family
  • Citrix NetScaler
  • Barracuda load balancers

For additional requirements, see Load Balancer Requirements.

A mobile device or Windows PC running one of the following:
  • iOS 11.0 or later
  • Android 6.0 or later
  • Windows 10 Version 1511 or later

What You Need to Know

SecurID uses a hybrid architecture that consists of two components:

  • The Cloud Authentication Service is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.
  • The identity router is a virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service. You can deploy the identity router in your on-premises VMware or Hyper-V environment, or in the Amazon Web Services (AWS) cloud.

    In RADIUS and relying party deployments with VMware or Hyper-V, the identity router has one network interface. Place this interface in a private network where it can reach your LDAP directory. For more information about configuring your system to use these interfaces, see RADIUS.

    In SSO Agent deployments with VMware or Hyper-V, the identity router has two network interfaces. Place one interface in a public-facing network and the other in a private network where it can reach your LDAP directory.

    In all AWS deployments, the identity router has a single network interface. It carries the private IP address that resources in your VPC, a peered VPC, or your on-premises network use, and, if the instance is in a public subnet, the Elastic IP address that resources on the internet use.

    Note: After an identity router is registered in a deployment, it cannot be reused in another deployment. For example, suppose you registered an identity router with Company A for a trial deployment, and you want to use the same identity router with Company A in a production deployment. You must add a new identity router (virtual machine) to the production deployment.

Add your values to the following worksheet. You will use this information in the next section and during setup.

Item (record your values)

Cloud Administration Console and Cloud Authentication Service

  • US region: <authentication_service_domain>, *.access.securid.com (52.188.41.46, 52.160.192.135)

  • ANZ region: <authentication_service_domain>, *.access-anz.securid.com (20.37.53.30, 20.39.99.202, beginning March 20, 2020)

  • EMEA region: <authentication_service_domain>, *.access-eu.securid.com (51.105.164.237, 52.155.160.141)

  • Federal region: <authentication_service_domain>, *.access.securidgov.com (20.140.188.86, 52.244.104.80)

  • India region: <authentication_service_domain>, *.access-in.securid.com (20.198.118.36, 104.211.224.21)

Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router.

For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console.

To test access to the IP addresses, follow these instructions: Test Access to Cloud Authentication Service.

SSO Agent only:

Protected domain name

This is a unique subdomain prepended to your registered domain name and is used by all traffic managed by the identity router, for example, sso.example.com. For more information, see Protected domain name.

SSO Agent only:

Load balancer

  • DNS name (virtual IP)
  • Public IP address
  • Private IP address

LDAP directory server

  • IP address
  • FQDN
  • Base DN of users (the root where users will be synchronized from, for example, DC=company, DC=com)
  • Credentials for the account that SecurID uses to bind to the directory server (prefer a dedicated service account with only the read access needed for synchronization over a shared domain administrator account)

SSO Agent and POC only:

DNS server IP addresses

For DNS configuration requirements, see Identity Router DNS Requirements.

NTP server IP address

Backup server IP address (SSO Agent only)

Internal user subnet IP address (SSO Agent only)

RADIUS only:

RADIUS client IP address

Required only for VMware and Hyper-V identity router deployments:

Identity router management interface (private; required for every on-premises deployment)

  • IP address
  • Netmask
  • Gateway
  • Short hostname
  • FQDN

Identity router portal interface (public; required only for SSO Agent deployments with an on-premises identity router)

  • IP address
  • Netmask
  • Gateway
  • Short hostname
  • FQDN

Required only for Amazon Web Services identity router deployments:

Identity router

  • Private IP Address
    (Used for communication with internal resources in the same VPC, another VPC, or your on-premises network.)
  • Public Elastic IP Address
    (Used for communication with public resources over the internet if the identity router is in a public subnet. Not required if a NAT/load balancer with a public IP address manages traffic to the identity router.)
  • Short hostname
  • FQDN

Note: For identity routers in AWS, netmask and gateway information is obtained automatically during instance launch, according to the VPC subnet settings.

AWS environment configuration details

  • VPC
  • Private subnet
  • Public subnet
  • DHCP options set
  • Route tables
  • Security groups
  • Network ACLs

Connectivity Requirements

Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. If you deploy the identity router in the Amazon cloud, the route tables, security groups, and network ACLs in your AWS environment must also allow these connections. Update your connectivity settings before continuing with the next step.

Each connection below lists its source, destination, protocol and port, and purpose. Angle-bracketed entries are values from your worksheet.

External user access

  • Source: 0.0.0.0/0 (any address on the internet)
  • Destination:
    • RADIUS and Relying Party deployments: both Cloud Authentication Service environments
    • SSO Agent deployments: both Cloud Authentication Service environments and <Your load balancer public IP address>
  • Protocol and port:
    • RADIUS and Relying Party deployments: TCP 443
    • SSO Agent deployments: TCP 80, 443
  • Purpose:
    • RADIUS and Relying Party deployments: external user access to the Cloud Authentication Service
    • SSO Agent deployments: external user access to the Cloud Authentication Service, the application portal, and applications

Internal user access (SSO Agent only)

  • Source: <Your internal (corporate network) end users>
  • Destination: both Cloud Authentication Service environments and <Your load balancer private IP address>
  • Protocol and port: TCP 80, 443
  • Purpose: internal user access to the Cloud Authentication Service, the application portal, and applications

Identity Router Setup Console

  • Source: <Your administrators>
  • Destination:
    • On-premises identity routers: <Your identity router management interface IP address>
    • Identity routers in the Amazon cloud: <Your identity router private IP address>
  • Protocol and port:
    • On-premises identity routers with two network interfaces: TCP 443
    • On-premises identity routers with one network interface, and identity routers in the Amazon cloud: TCP 9786
  • Purpose: access to the Identity Router Setup Console

Identity router registration

  • Source:
    • On-premises identity routers with one network interface: <Your identity router management interface IP address>
    • On-premises identity routers with two network interfaces: <Your identity router portal interface IP address>
    • Identity routers in the Amazon cloud: <Your identity router private IP address>
  • Destination: Cloud Administration Console and both Cloud Authentication Service environments
  • Protocol and port: TCP 443
  • Purpose: identity router registration

Note: If your company uses URL filtering, be sure that *.access.securid.com (or the regional authentication service domain listed in the worksheet above), *.auth.securid.com, and the Cloud Authentication Service IP addresses for your region are allowed. Also confirm that you can reach both environments. For instructions, see Test Access to Cloud Authentication Service.

Application integration (SSO Agent only)

  • Source:
    • On-premises identity routers with one network interface: <Your identity router management interface IP address>
    • On-premises identity routers with two network interfaces: <Your identity router portal interface IP address>
    • Identity routers in the Amazon cloud: <Your identity router public IP address>
  • Destination: <Your protected resource>
  • Protocol and port: TCP 443, or the custom port the application uses
  • Purpose: application integration

Load balancer traffic to pool members (SSO Agent only)

  • Source: <Your load balancer private IP address>
  • Destination: <Your identity router portal interface IP address>
  • Protocol and port: TCP 80, 443
  • Purpose: load balancer traffic to pool members

Load balancer health check (SSO Agent only)

  • Source: <Your load balancer private IP address>
  • Destination: <Your identity router management interface IP address>
  • Protocol and port: TCP 443
  • Purpose: load balancer health check of pool members

LDAP directory

  • Source:
    • On-premises identity routers: <Your identity router management interface IP address>
    • Identity routers in the Amazon cloud: <Your identity router private IP address>
  • Destination: <Your LDAP directory server IP address>
  • Protocol and port: TCP 636 (LDAPS)
  • Purpose: LDAP directory user authentication and authorization

DNS

  • Source:
    • On-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address>
    • Identity routers in the Amazon cloud: <Your identity router private IP address>
  • Destination: <Your DNS server IP address>
  • Protocol and port: UDP 53
  • Purpose: DNS resolution

RADIUS (RADIUS only)

  • Source: <Your RADIUS client IP address>
  • Destination:
    • On-premises identity routers: <Your identity router management interface IP address>
    • Identity routers in the Amazon cloud: <Your identity router private IP address>
  • Protocol and port: UDP 1812
  • Purpose: RADIUS authentication requests from the RADIUS client

NTP

  • Source:
    • On-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address>
    • Identity routers in the Amazon cloud: <Your identity router private IP address>
  • Destination: <Your NTP server IP address>
  • Protocol and port: UDP 123
  • Purpose: network time server synchronization

SSH (optional)

  • Source: <Your administrator computer>
  • Destination:
    • On-premises identity routers: <Your identity router management interface IP address>
    • Identity routers in the Amazon cloud: <Your identity router private IP address>
  • Protocol and port: TCP 22
  • Purpose: SSH for troubleshooting

For more information, see Access SSH for Identity Router Troubleshooting.
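Once the firewall rules are in place, verify them from the host that will run (or stand in for) the identity router, since every rule above is keyed on the source address. The following added example is not SecurID's Test Access to Cloud Authentication Service procedure; it probes the outbound connections in the list with the real protocols (a TCP handshake for 443 and 636, a DNS query for UDP 53, an NTP client request for UDP 123) so that a firewall that silently drops traffic shows up as a timeout rather than a false pass. Every host and IP in FLOWS is a constructed placeholder except the US-region address taken from the worksheet; replace them with your values. RADIUS on UDP 1812 is inbound to the identity router and needs the client's shared secret, so it is reported as not probed and should be verified from the RADIUS client.

```python
"""Reachability check for the identity router connection list.

Added example, not SecurID's own tooling. Hosts and rows in FLOWS are
placeholders (assumptions); replace them with the values from your worksheet.
"""
import socket
import struct

TIMEOUT = 3.0  # seconds; a silently dropped SYN or UDP probe shows up as a timeout


def tcp_reachable(host, port, timeout=TIMEOUT):
    """True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False


def build_dns_query(name, txid=0x1234):
    """Minimal RFC 1035 A query with recursion desired; returns the UDP payload."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_header(resp):
    """Return (txid, rcode, answer_count) from a DNS response header."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return txid, flags & 0x000F, ancount


def dns_reachable(server, name="www.example.com", timeout=TIMEOUT):
    """True if the DNS server answers our transaction id (any rcode counts as reachable)."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            resp, _ = s.recvfrom(512)
        except OSError:
            return False
    return len(resp) >= 12 and parse_dns_header(resp)[0] == 0x1234


NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def ntp_transmit_seconds(resp):
    """Unix time taken from the Transmit Timestamp of a 48-byte NTP reply, or None."""
    if len(resp) < 48:
        return None
    return struct.unpack(">I", resp[40:44])[0] - NTP_UNIX_OFFSET


def ntp_time(server, timeout=TIMEOUT):
    """Send an NTPv4 client request (LI=0, VN=4, Mode=3); return the server's Unix time."""
    request = b"\x23" + b"\x00" * 47
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(request, (server, 123))
            resp, _ = s.recvfrom(48)
        except OSError:
            return None
    return ntp_transmit_seconds(resp)


def check_flow(proto, host, port):
    """Probe one row of the connection list; returns 'open', 'closed' or 'not probed'."""
    if proto == "tcp":
        return "open" if tcp_reachable(host, port) else "closed"
    if proto == "udp" and port == 53:
        return "open" if dns_reachable(host) else "closed"
    if proto == "udp" and port == 123:
        return "open" if ntp_time(host) is not None else "closed"
    return "not probed"  # UDP 1812 needs the RADIUS shared secret; verify from the client


# Constructed rows: placeholders for worksheet values (the US-region IP is from the page).
FLOWS = [
    ("tcp", "52.188.41.46", 443, "Cloud Authentication Service, US region"),
    ("tcp", "ldap.corp.example", 636, "LDAPS to the directory server"),
    ("udp", "10.0.0.53", 53, "DNS"),
    ("udp", "10.0.0.123", 123, "NTP"),
    ("udp", "10.0.0.200", 1812, "RADIUS client (verify from the client side)"),
]


def run_checks(flows=FLOWS):
    """Return {purpose: result} for every row."""
    return {purpose: check_flow(proto, host, port) for proto, host, port, purpose in flows}


def self_check():
    """Offline sanity check: a local listener is 'open'; the same port after close is 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    opened = check_flow("tcp", "127.0.0.1", port) == "open"
    listener.close()
    return opened and check_flow("tcp", "127.0.0.1", port) == "closed"


if __name__ == "__main__":
    for purpose, result in run_checks().items():
        print(f"{result:10s} {purpose}")
```

Run it once per identity router interface (management and, for SSO Agent, portal), binding to that interface's address if the host has several, and keep the output with the change request you hand to the firewall team; a "closed" result for TCP 443 to the Cloud Authentication Service or TCP 636 to the directory blocks registration and user synchronization respectively.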