Identity Router Network Interfaces and Default Ports
This topic describes the network interface configurations required for different types of deployments. It also provides the default ports and protocols used for incoming and outgoing identity router traffic. For more information, see:
Network Interface Requirements and Recommendations
The identity router can be deployed as either standalone or embedded within Authentication Manager.
Standalone Identity Router
A standalone identity router is installed on VMware, Hyper-V, or the Amazon Web Services (AWS) cloud platform. It can be deployed with one or two network interfaces.
Number of Network Interfaces | Description |
---|---|
One | |
Two | One interface is designated as portal, the other as management. |
For identity routers installed on VMware or Hyper-V, network interfaces are configured on the virtual appliance and connected to your network. You assign each interface an IP address and a domain name. SecurID recommends that each interface be located on a separate subnet for security reasons. The identity router does not bridge traffic between the two interfaces.
Note: After you deploy an identity router with one network interface, you cannot change the configuration to support two network interfaces. You must deploy a new identity router with two network interfaces.
Embedded Identity Router in Authentication Manager
An embedded identity router:
- Shares the host Authentication Manager network interface and its configuration (including the IP address, DNS servers, static routes, and so on).
- Is used for identity source and cloud tenant traffic.
Incoming Traffic for Identity Routers
You must configure incoming traffic to connect to either the management interface or the portal interface, as specified in Ports for Identity Router Incoming Traffic.
Outgoing Traffic for Identity Routers
Outgoing traffic for identity routers is managed as follows:
- Any destination host on the same subnet as an identity router interface is reached through that interface. For example, if the identity source is on the same subnet as the management interface, then the LDAP service uses the management interface. A default gateway is not used.
- You may configure static routes to force specific traffic to use the management interface. For example, if the Authentication Manager server is in a different subnet from both identity router interfaces, you can add a static route for traffic to Authentication Manager to use the management interface.
- In deployments with two network interfaces, all other traffic is routed through the default gateway specified for the portal interface.
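The three rules above decide which interface each outgoing service leaves from, and therefore which firewall path its traffic crosses. The following added example (not part of the SecurID documentation or product) models that decision for a constructed two-interface layout and flags services that the page says should use the management interface but would leave via the portal default gateway; all subnets, addresses and the static route are assumed sample values.

```python
import ipaddress
# Constructed example layout (not a real deployment): portal and management
# interfaces on separate subnets, as the page recommends.
IFACES = {
    "portal": ipaddress.ip_network("192.0.2.0/24"),
    "management": ipaddress.ip_network("198.51.100.0/24"),
}
# Constructed static route: an Authentication Manager subnet pinned to management.
STATIC_ROUTES = [(ipaddress.ip_network("203.0.113.0/24"), "management")]
# Outgoing services for which the page recommends the management interface.
PREFER_MANAGEMENT = {"SFTP backup", "DNS", "NTP", "LDAP", "LDAPS",
                     "Syslog", "Authentication Manager"}
# Constructed destination addresses for the check below.
SAMPLE_DESTINATIONS = {
    "LDAPS": "198.51.100.10",                 # on the management subnet
    "Authentication Manager": "203.0.113.5",  # covered by the static route
    "Syslog": "10.0.0.20",                    # no route: portal default gateway
    "SFTP backup": "192.0.2.50",              # on the portal subnet
}

def egress_interface(dest, ifaces=IFACES, static_routes=STATIC_ROUTES,
                     two_interfaces=True):
    """Interface used to reach dest: connected subnet, then the most specific
    static route, then the portal default gateway (one interface: management)."""
    ip = ipaddress.ip_address(dest)
    if not two_interfaces:
        return "management"
    for name, net in ifaces.items():      # rule 1: directly connected subnet
        if ip in net:
            return name
    matches = [(net.prefixlen, name) for net, name in static_routes if ip in net]
    if matches:                           # rule 2: longest matching static route
        return max(matches)[1]
    return "portal"                       # rule 3: portal interface default gateway

def check_destinations(dest_by_service, **kw):
    """Services that would leave via the portal interface even though the page
    recommends the management interface for them (add a static route or move)."""
    flagged = {}
    for svc, ip in dest_by_service.items():
        iface = egress_interface(ip, **kw)
        if svc in PREFER_MANAGEMENT and iface == "portal":
            flagged[svc] = iface
    return flagged

if __name__ == "__main__":
    for svc, ip in SAMPLE_DESTINATIONS.items():
        print(f"{svc:24s} {ip:16s} -> {egress_interface(ip)}")
    print("leaving via portal:", sorted(check_destinations(SAMPLE_DESTINATIONS)))
```

A destination on the portal subnet itself (the sample SFTP server) cannot be redirected by a static route, because rule 1 applies first; the fix there is to place the server on the management subnet.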
Network Interface for Identity Routers in the Amazon Cloud
When deployed in the AWS cloud, the identity router has only one virtual network interface to which you assign a domain name, a private IP address, and, optionally, a public Elastic IP address. The private address is accessible only from your network, while the public Elastic IP address is accessible from the internet. You must configure security groups, route tables, and network access control lists in your AWS environment to allow either public or private network access for each service, depending on how the other network components in your deployment will connect to the identity router, and the requirements specified in the Network Accessibility for Amazon Identity Routers column in the following tables.
Ports for Identity Router Incoming Traffic
In two-interface deployments, the management interface is eth0 and the portal interface is eth1.
Service | Description | Deployment | One Network Interface | Two Network Interfaces |
---|---|---|---|---|
SSH | SSH for identity router troubleshooting. This port is not open by default. | All (optional) | TCP 22 | TCP 22 |
HTTPS | Traffic related to the Identity Router Setup Console and SecurID Authentication Manager integration. | All | TCP 9786 | TCP 443 |
HTTPS | Load balancer and end-user web browser traffic for connections to the application portal and applications. Includes the status servlet. | SSO Agent | TCP 443 | TCP 443 |
RADIUS | RADIUS traffic. This port is not open by default. | RADIUS | UDP 1812 | UDP 1812 |
Identity router synchronization | Synchronization traffic among identity routers in a cluster. | IDR SSO Agent (high availability) | TCP 7900 to TCP 7902 | TCP 7900 to TCP 7902 |
Cluster synchronization | Synchronization traffic between clusters. | SSO Agent with multiple clusters | TCP 7910 | TCP 7910 |
Ports for Identity Router Outgoing Traffic
Note: All deployments with a standalone identity router with one network interface should use the management interface.
The three "Connection Initiated From" columns give the interface (or, for Amazon, the network accessibility) from which each connection is made.
Service | Description | Deployment | Connection Initiated From: Hyper-V or VMware Identity Router with Two Network Interfaces* | Connection Initiated From: Hyper-V or VMware Identity Router with One Network Interface | Connection Initiated From: Amazon Identity Router | Destination Protocol and Port |
---|---|---|---|---|---|---|
SFTP | (Optional) SFTP backup server IP address for user profile data (keychain) backup. | IDR SSO Agent | Portal. Note: SecurID recommends adding a static route to use the management interface. | Management | Private | TCP 22 |
DNS lookups | Enables the identity router to look up the IP addresses of the hostnames to which it will connect, including the Cloud Authentication Service and identity sources. | All | Portal. Note: SecurID recommends using the management interface. To do this, ensure that both DNS and NTP are on the same subnet as the management interface, or add a static route. | Management | Public or Private | UDP 53 |
NTP synchronization | NTP server IP addresses. | All | Portal. Note: SecurID recommends using the management interface. To do this, ensure that both NTP and DNS are on the same subnet as the management interface, or add a static route. | Management | Public or Private | UDP 123 |
LDAP | LDAP directory server IP address for unencrypted LDAP directory server user authentication and authorization. SecurID does not recommend using this port. | All | Portal. Note: SecurID recommends adding a static route to use the management interface. | Management | Private | TCP 389 (may vary depending on your LDAP server configuration) |
LDAP (SSL/TLS) | LDAP directory server IP address for LDAP directory server user authentication and authorization. | All | Portal. Note: SecurID recommends adding a static route to use the management interface. | Management | Private | TCP 636 (may vary depending on your LDAP server configuration) |
HTTP for HFED | On-premises application server IP addresses that require HTTP. SecurID does not recommend this configuration. | IDR SSO Agent | Portal | Management | Private | TCP 80 or application-specific port |
HTTPS for HFED | On-premises application server IP addresses, optional custom portal server IP address. | IDR SSO Agent | Portal | Management | Public or Private | TCP 443 or application-specific port |
Secure connection from the identity router to the Cloud Authentication Service and Cloud Administration Console | securid.com, optional custom portal server IP address. For current Cloud Authentication Service IP addresses, see Test Access to Cloud Authentication Service. | All | Portal | Management | Public or Private | TCP 443 or application-specific port |
Audit logging (syslog) | (Optional) Syslog server IP address for audit log aggregation. | All | Portal. Note: SecurID recommends adding a static route to use the management interface. | Management | Private | UDP 514 |
Authentication Manager | (Optional) Authentication Manager server IP address. | | Portal. Note: SecurID recommends adding a static route to use the management interface. | Management | Private | TCP 5500 |