SecurID® Discussions

KhwajaZiaulHasa
Beginner

Do we require public IP with RSA SecurID Access (Identity Router)

Hello,

 

I am planning to evaluate RSA SecurID Access (SSO features), for which I am looking for its NFR kit. Is this the part number which will fulfill my requirements, "VIA-AC-S-NFR", or do I need to buy any other SKU as well?

 

My second question is that for demo purposes my company cannot provide me a public IP, and we need a URL of the identity router to be communicated to the cloud (as this is what I have understood from the documentation). So do we have any alternative for this? For example, if I use some Dynamic DNS and perform my evaluation, will that work?

 

Please let me know on this.

 

Thanking You

Zia

4 Replies
AlexanderCoco
Frequent Contributor

Hello Zia,

 

VIA-AC-S-NFR is the correct SKU for a SecurID Enterprise Edition NFR.

 

As long as your test users/browsers are coming from an internal network, a public IP address is not required. SAML assertions are passed through the browser between the IDR and the application; there is no direct communication between the application and the IDR. The only time a public IP address is necessary for the IDR is when a user/browser is coming from the internet to obtain a SAML assertion.

 

Thank you,

-alex

Hello Alex,

 

Thanks for clarifying on the part number.

 

Regarding the public IP, won't I need it to connect to the RSA SecurID Access Hosted Service on the cloud?

 

Regards

Zia

You need to be connected to the internet, which obviously means there must be a public IP address (and outbound NAT) somewhere in the path between your on-premises IDR (private network) and the RSA Hosted Tenant (public internet). However, you don't need a static public IP address or an inbound NAT/firewall rule to register to the cloud or otherwise maintain communications to the cloud. As long as the IDR can reach the internet (outbound traffic) on TCP port 443 and UDP port 1194, the IDR will be able to register and maintain a connection to the cloud services even if the outbound NAT address changes. In the event the public IP address changes at the NAT boundary, communications between the IDR and the Hosted Tenant will experience a brief interruption while a new encrypted session is established on UDP 1194 using the certificates exchanged during registration.

All of this presumes you have a persistent on-premises environment where the IDR will be running and able to reach the internet continuously (minor service interruptions notwithstanding). It is not recommended or supported to deploy the IDR into a non-persistent environment, as long-lived service interruptions will likely prevent the IDR from receiving updates from the cloud, and if the IDR fails to receive critical updates it will no longer be able to connect to the RSA hosted service.
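A pre-flight check that a defender can run from the IDR's network segment before registration, written as an added example in Python (it is not RSA's code or tooling). It probes the two outbound flows named in the answer above, TCP 443 and UDP 1194, and includes loopback stand-ins so it runs with no internet access. The target hostname and the probe payload are assumptions. The UDP probe deliberately reports silence as inconclusive rather than as success, because a firewall silently dropping UDP 1194 looks identical to a server that does not answer an unsolicited datagram; a completed TCP handshake, by contrast, does prove the outbound path (including any NAT) is open.

```python
"""Egress pre-flight for an on-premises connector such as the IDR: it must
reach the cloud tenant outbound on TCP 443 and UDP 1194, with no static
public IP and no inbound rule. Added example, not RSA tooling."""
import socket
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Required outbound flows, as stated in the thread.
REQUIRED_EGRESS: List[Tuple[str, int]] = [("tcp", 443), ("udp", 1194)]


@dataclass
class EgressResult:
    proto: str
    host: str
    port: int
    reachable: Optional[bool]  # True / False, or None when the probe is inconclusive
    detail: str


def check_tcp(host: str, port: int, timeout: float = 3.0) -> EgressResult:
    """A completed handshake is a definite answer either way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return EgressResult("tcp", host, port, True, "connected")
    except OSError as exc:
        return EgressResult("tcp", host, port, False, str(exc))


def check_udp(host: str, port: int, timeout: float = 3.0) -> EgressResult:
    """No handshake: only a reply (True) or an ICMP unreachable surfacing as
    OSError (False) is definite; a timeout is reported as None, not success."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(b"probe", (host, port))  # payload is an assumption
        try:
            sock.recvfrom(1024)
            return EgressResult("udp", host, port, True, "reply received")
        except socket.timeout:
            return EgressResult("udp", host, port, None,
                                "no reply: inconclusive, confirm via the connector's cloud status")
    except OSError as exc:
        return EgressResult("udp", host, port, False, str(exc))
    finally:
        sock.close()


def preflight(host: str, flows: Optional[List[Tuple[str, int]]] = None,
              timeout: float = 3.0) -> Dict[Tuple[str, int], EgressResult]:
    """Probe every required flow against one hostname (a placeholder in practice)."""
    results = {}
    for proto, port in (flows or REQUIRED_EGRESS):
        probe = check_tcp if proto == "tcp" else check_udp
        results[(proto, port)] = probe(host, port, timeout)
    return results


def ready(results: Dict[Tuple[str, int], EgressResult]) -> bool:
    """Only a definite failure blocks; an inconclusive UDP probe is flagged, not failed."""
    return all(r.reachable is not False for r in results.values())


# --- loopback stand-ins so the probes can be exercised offline ---
def start_tcp_listener() -> int:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_udp_echo() -> int:
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = srv.recvfrom(1024)
            srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """Reserve then release a port so nothing listens on it (small race accepted)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def local_demo() -> Tuple[Dict[Tuple[str, int], EgressResult], bool]:
    """Run the pre-flight against loopback stand-ins for the two required flows."""
    flows = [("tcp", start_tcp_listener()), ("udp", start_udp_echo())]
    results = preflight("127.0.0.1", flows, timeout=2.0)
    return results, ready(results)


if __name__ == "__main__":
    for (proto, port), r in local_demo()[0].items():
        print(f"{proto}/{port} reachable={r.reachable} ({r.detail})")
```

Against a real tenant you would call `preflight("<your tenant hostname>")` from the IDR's subnet; a `False` on TCP 443 means an egress rule is missing, while `None` on UDP 1194 means the script cannot tell and the IDR's own registration status has to be the final check.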

Thanks Alex, I got the response, that I can proceed with the NFR kit.
