This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
SAMADAMS
Beginner
Beginner
‎2020-12-10 11:08 AM

Multiple IDRs without a load balancer.

Current working setup:

On-premise RSA Authentication Manager 8.5 with primary and secondary

On-premise standalone Identity Router (VMWare), software version 12.11.0.0.6, OS version SLES11 SP4 (portal.sso.company.com) assigned to the default cluster within RSA SecurID Access Cloud.

 

Future setup:

Deploy two new on-premise Identity Routers (VMware) using the latest OS version SLES12 SP5. Hostnames will be portal1.sso.company.com and portal2.sso.company.com and assigned to the default cluster within RSA SecurID Access with a Load Balancer DNS Name of portal.sso.company.com. SSL certificate (wildcard for *.company.com) is configured for portal.sso.company.com with additional subject alternate names of portal1.sso.company.com and portal2.sso.company.com.  

 

My question, or better yet my confusion, is how to configure the hostname, DNS records, and certificates to support the future configuration without a network load balancer. My understanding of the documentation is to configure host entries on the RSA Authentication Manager within the Operations Console. However, the way the documentation reads: “Hostname for the identity routers. You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses” So, the host entries would be associated with the management interfaces of the Identity Routers and not the portal interfaces. The installed certificate on the Identity router is used for both the web GUI of the management interface as well as the web GUI of the portal interface.

 

Would I create DNS records for idr.company.com, idr1.company.com and idr2.company.com to be used by the management interfaces, add those as additional subject alternate names to the certificate as well? Then configure the host entries on Authentication Manager as specified in the documentation, pointing idr.company.com to the IPs of idr1 and idr2?

 

Any advise on a HA setup of the IDRs without a load balancer would be greatly appreciated. Thanks in advanced.

 

Reference - https://community.rsa.com/docs/DOC-84670#Step3

Labels (1)
0 Likes
Reply
1 Reply
LukaKodric
Trusted Contributor
Trusted Contributor
‎2020-12-10 11:59 AM

Why would you use with without load balancer? you can setup HA with LB with zero cost.. just use HAproxy. If you want two load balancers in HA you can use keepalived with float IP That's how I set it up.

 

Anyway back to your question. Yes you can setup DNS names for management interfaces eg:  idr1.company.com idr2.company.com...

 

There are two interfaces on IDRs management and SSO/Portal/RADIUS one.

 

I've installed *.company.com wildcard cert which is CA trusted on all IDRs and it works fine.

Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.