Identity Router DNS Requirements

You must configure your company Domain Name System (DNS) server with the address (A), pointer (PTR), and canonical name (CNAME) records necessary to support your deployment. Work with your network administrator to determine which specific DNS records to configure, based on the load balancers, identity routers, applications, and application portal you are deploying.

Note: This information applies to all identity routers except for those embedded in Authentication Manager 8.5 or later.

For more information, see your Quick Setup Guide.

External DNS Records

The following table describes the external DNS records used to support your deployment. External records correspond to public addresses accessible from the internet.

Record Type and Description When Used Example
A record to the public IP address that corresponds to the virtual IP address (VIP) of the load balancer through Network Address Translation (NAT).

Add this type of DNS entry for each network load balancer in your deployment.

If your deployment has only one identity router, and does not use a load balancer, point this record to the IP address of the identity router. For identity routers in the Amazon cloud, use the public Elastic IP address. For on-premises identity routers, use the portal interface IP address.

portal.dmz.example.com
A wildcard CNAME record to the VIP (portal.dmz.example.com). Users use names matching this wildcard entry to access reverse proxy resources, including the custom portal and any HFED applications. Add this type of DNS entry if your deployment uses a custom portal or HFED web applications. This record enables DNS resolution for the custom portal and all HFED applications whose domain names match the wildcard syntax you specify. If you add this wildcard record, you do not need to add specific CNAME records for the custom portal or individual HFED applications. *.dmz.example.com
A CNAME record to the VIP (portal.dmz.example.com). Users use this name to access the custom portal. Add this type of DNS entry if your deployment uses a custom portal. You do not need to add this entry if you added the wildcard CNAME record described above. sign-in.dmz.example.com
A CNAME record to the VIP (portal.dmz.example.com). Users use this name to access a specific application through HTTP Federation (HFED). Add this type of DNS entry for each web application that uses HFED. You do not need to add this entry for individual HFED applications if you added the wildcard CNAME record described above. webapp.dmz.example.com

Internal DNS Records

The following table describes the internal DNS records used to support your deployment. Internal entries correspond to private addresses accessible from within your network.

Record Type and Description When Used Example

An A record to the IP address for the identity router. For identity routers in the Amazon cloud, use the private IP address. For on-premises identity routers, use the portal interface IP address. If your Cloud Authentication Service deployment is integrated with SecurID Authentication Manager 8.4 Patch 3 or earlier, Authentication Manager uses this name to access Amazon cloud-based identity routers for tokencode authentication.

Add this type of DNS entry for each identity router in your deployment.

 idrouter1.dmz.example.com
An A record to the identity router management interface IP address. This record resolves the hostname to the IP address for standard DNS lookup. If your Cloud Authentication Service deployment is integrated with SecurID Authentication Manager 8.4 Patch 3 or earlier, Authentication Manager uses this name to access on-premises identity routers for tokencode authentication.

If you use Authentication Manager 8.4 Patch 3 or earlier, add this type of DNS entry for each on-premises identity router.

Note: This entry is not required for identity routers in the Amazon cloud.

 idrmgmt1.dmz.example.com
A PTR record to the identity router hostname. For on-premises identity routers, use the management interface hostname. This record resolves the IP address to the hostname for reverse DNS lookup between the identity router and Authentication Manager 8.4 Patch 3 or earlier. Add this type of DNS entry for each identity router if you use Authentication Manager 8.4 Patch 3 or earlier in your deployment. 192.168.2.32
An A record to the private IP address that corresponds to the VIP of the load balancer.

Add this type of DNS entry for each network load balancer in your deployment.

If your deployment has only one identity router, and does not use a load balancer, point this record to the IP address of the identity router. For identity routers in the Amazon cloud, use the private IP address. For on-premises identity routers, use the portal interface IP address.

portal.dmz.example.com
A wildcard CNAME record to the VIP (portal.dmz.example.com). Users use names matching this wildcard entry to access reverse proxy resources, including the custom portal and any HFED applications. Add this type of DNS entry if your deployment uses a custom portal or HFED web applications. This record enables DNS resolution for the custom portal and all HFED applications whose domain names match the wildcard syntax you specify. If you add this wildcard record, you do not need to add specific CNAME records for the custom portal or individual HFED applications. *.dmz.example.com
A CNAME record to the VIP (portal.dmz.example.com). Users use this name to access the custom portal. Add this type of DNS entry if your deployment uses a custom portal. You do not need to add this entry if you added the wildcard CNAME record described above. sign-in.dmz.example.com
A CNAME record to the VIP (portal.dmz.example.com). Users use this name to access a specific application through HFED. Add this type of DNS entry for each web application that uses HFED. You do not need to add this entry for individual HFED applications if you added the wildcard CNAME record described above. webapp.dmz.example.com