SecurID® Community Blog


Deploying an RSA SecurID Access IDR in vCloud Air


We were testing out deploying an IDR in vCloud Air to ensure the setup and configuration worked without any issues. Here is the process we ran through to successfully deploy an IDR in vCloud Air.


Import IDR OVA into vCloud Air Catalog


After you log in to your vCloud Air Private Cloud you can create a VM within your VDC (Virtual Data Center). Click on the Virtual Machines tab and you will see the following:


Click on Create your first virtual machine and you will see the new VM wizard:


If you click on My Catalog it might be empty:


At this point you can click on Create My Virtual Machine from Scratch and it will take you to your vCloud instance:


From here you can upload the OVA into the default-catalog (this is inside vCloud Director under Catalogs -> default_catalog -> Upload) so you can use it as a template for multiple deployments:


Create a SNAT in vCloud Air

By default, most traffic is blocked and no NAT is configured, so you can't reach the external network. To fix this, first let's get a public IP. In vCloud Air go to Gateways -> GATEWAY ON VDC1 -> Public IPs; initially it will look like this:


Then click on Add IP Address; it will warn you about getting charged and then allocate the IP. Now let's create the SNAT so any machine can reach the internet. Go to Gateways -> GATEWAY ON VDC1 -> NAT Rules -> Add a NAT Rule and fill out the following (make sure it matches your environment):


The firewall is pretty restrictive as well, so go to Gateways -> GATEWAY ON VDC1 -> Firewall Rules and add the following basic rules:


Adding a second Organization Network

vCloud Director offers many different networking options, most of which are covered in vApp Design Considerations. By default there is a Direct – External Organization Virtual Datacenter Network (Routed) network created. From the same page, under Direct – External Organization Virtual Datacenter Network (Routed):
If the same example vApp with three virtual machines is connected to an organization virtual datacenter network that has a routed connection to an external network, the vApp is connected to an organization virtual datacenter network and is deployed there with the organization virtual datacenter network’s IP addressing. The Edge Gateway device then provides a routed connection between the organization virtual datacenter network and the external network. This scenario is shown in the following figure.

Figure 11. Direct Connection to a Routed External Organization Virtual Datacenter Network


And it looks like this in vCloud Director (navigate to Administration -> Virtual Datacenters -> VCD1 -> Org VDC Networks):


So let's add another routed network, which will be our mgmt network (the IDR comes with two network interfaces, portal and mgmt). Click the green + and it will start the wizard. Choose the routed option:


I then added the following network details on the next page:


And after that you will have two networks:


I will use to be the portal/DMZ (default-routed-network) network and as the mgmt/internal (routed-network-2) network.

DNAT for the Portal Interface

Since we want the portal to be reachable externally, let's add a DNAT (or port forward) from the Public IP port 443 to the internal portal IP port 443. So in vCloud Air navigate to Gateways -> GATEWAY ON VDC1 -> NAT Rules -> Add a NAT Rule and add the following DNAT:


On the next page if you are really organized you can also add a similar rule for 80:


Also don't forget to allow ports 80 and 443 through the firewall to the public IP and the internal network. I ended up creating the following rules to allow that traffic:



Firewall and NAT Rules prior to Registration

As a sanity check here is a table of my NAT Rules:
Columns: Original IP | Original Port | Translated IP | Translated Port

The bottom one (DNAT from 8443 to MGMT_IP 443) is there to allow access to the setup.jsp page and can be removed after registration. The firewall rules look like this:







The bottom ALLOW_INTERNAL_HTTPS_IN rule can be changed after registration to only allow 443 to the portal interface network and not to any internal IP. The rule that allows the port forward from 8443 to MGMT_IP 443 can also be removed once setup.jsp access is no longer required.

Configure IPs on the IDR

First let's assign the vNICs of the VM to the appropriate networks (management to default-routed-network and portal to routed-network-2). Click on the VM and then go to Networks:


Then click Add a Network and assign the NICs accordingly:


Then go back to the main VM screen and power on the IDR VM:


Then click on the VM; it will take you to the properties page of the VM, where you can click on Open Virtual Machine Console:



After applying the network settings I was able to reach port 8443 without problems:


Establishing the IPSec Tunnel To Local Environment

There is a good KB on the process from VMware, Configuring IPsec VPN within VMware vCloud Air to a remote network, and it has a good diagram that represents all the networks:


My local network is the mgmt network and my peer network is the one which allows access to the AD in my internal network. So to start this configuration from vCloud Air go to Gateways -> GATEWAY ON VDC1, then click on Manage in vCloud Director:


Once in vCloud Director, go to Administration -> Virtual Datacenters -> VCD1 -> Edge Gateways and right click on the default GW to choose Edge Gateway Services:


Then go to the VPN tab and click Enable VPN and then Add:


After clicking Add, the wizard will start and you can configure your VPN settings. The settings depend on your environment, but here are the options broken down:

Setting | Value | Notes
Local Network | 10.10.10.0/24 | This is the vCloud network (Mgmt Network) we want the remote site to have access to
Peer Networks | 10.210.0.0/16 | This is the network we want to access at the remote site
Local Endpoint | 107.189.120.76 (drop down) | This is the Public IP of the Local End Point
Local ID | 107.189.120.76 | This can be anything, but it helps to set it to the IP to keep track of the configuration
Peer ID | 10.210.0.248 | This can be anything as well, but they recommend setting it to either the Public IP of the Remote End Point or the Private IP of the Remote End Point
Peer IP | X.X.X.X | This is the Public IP of the Remote End Point
Encryption Protocol | AES | You can use AES 256, 3DES, or AES
Shared Key | Left it as the generated one | We will have to use that key on the remote VPN side to ensure we can authenticate with each endpoint to establish the VPN Tunnel
MTU | 1500 | Left the default

Firewall Configuration in vCloud for VPN Connections

I ended up adding the following rules to ensure the VPN connection is established and to allow traffic from and to the internal networks across the VPN tunnel:

Name | Source | Destination | Protocol | Notes
ALLOW_IP_SEC_ESP_AH_UDP | X.X.X.X/32:Any | 107.189.120.76/32:Any | ANY | This is so we can establish the IPsec tunnel between the two endpoints (see the note below on why the protocol is ANY)
ALLOW_VPN_TRAFFIC_L_TO_R | 10.210.0.0/16:Any | 10.10.10.0/24:Any | ANY | This might be overkill, but I am allowing anything from the internal network to the vCloud MGMT network.
ALLOW_VPN_TRAFFIC_R_TO_L | 10.10.10.0/24:Any | 10.210.0.0/16:80 | ANY | This might be overkill, but I am allowing anything from the vCloud MGMT network to the remote internal network. For my test, I could've just allowed 389 for the AD connection. But if you are planning to connect to internal webapps then 80 and 443 should be added here.

For the IPsec tunnel rule the following is necessary:
  • IP Protocol ID 50 (ESP)
  • IP Protocol ID 51 (AH)
  • UDP Port 500 (IKE)
  • UDP Port 4500 (NAT-T)

Since the only IP protocol allowed in the vCloud UI is ICMP, I decided to use Any to make sure I cover all of the above.
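As an added example (not from the original post or from VMware), the Python below models the ALLOW_IP_SEC_ESP_AH_UDP rule as data and compares it with a least-privilege set that admits only the four IPsec entries listed above, showing what protocol ANY lets through beyond what the tunnel needs. The peer address 203.0.113.10 is a constructed stand-in for X.X.X.X, and the rule names in the minimal set are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "ANY", "ESP", "AH", "UDP", "TCP" or "ICMP"
    dport: str = "Any"  # destination port as a string, or "Any"

    def matches(self, flow):
        src, dst, proto, dport = flow  # flow = (src_ip, dst_ip, proto, dst_port)
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto != "ANY" and self.proto != proto:
            return False
        return self.dport == "Any" or self.dport == str(dport)

def is_allowed(rules, flow):
    # Only ALLOW rules are modelled; anything unmatched is denied, as the post says the gateway does by default.
    return any(rule.matches(flow) for rule in rules)

LOCAL_EP = "107.189.120.76"  # local endpoint public IP from the post
PEER = "203.0.113.10"        # constructed stand-in for the post's X.X.X.X

# The post's rule as written: any protocol, any port between the two endpoints.
BROAD = [Rule("ALLOW_IP_SEC_ESP_AH_UDP", f"{PEER}/32", f"{LOCAL_EP}/32", "ANY")]

# Least-privilege equivalent (hypothetical names): only the four entries IPsec needs.
MINIMAL = [
    Rule("ALLOW_ESP", f"{PEER}/32", f"{LOCAL_EP}/32", "ESP"),
    Rule("ALLOW_AH", f"{PEER}/32", f"{LOCAL_EP}/32", "AH"),
    Rule("ALLOW_IKE", f"{PEER}/32", f"{LOCAL_EP}/32", "UDP", "500"),
    Rule("ALLOW_NAT_T", f"{PEER}/32", f"{LOCAL_EP}/32", "UDP", "4500"),
]

def compare(flow):
    """Return (allowed by the broad rule, allowed by the minimal set) for one flow."""
    return is_allowed(BROAD, flow), is_allowed(MINIMAL, flow)

if __name__ == "__main__":
    # IKE and ESP pass both sets; TCP 443 from the peer passes only the ANY rule.
    for flow in [(PEER, LOCAL_EP, "UDP", 500), (PEER, LOCAL_EP, "ESP", 0),
                 (PEER, LOCAL_EP, "TCP", 443)]:
        print(flow, compare(flow))
```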


After all the above is done, if you go back to vCloud Director you will see the VPN connection is good:


After all the above settings, we were able to connect to the AD server and log in to the web portal without issues.