Multiple IDRs without a load balancer.

Current working setup:

On-premise RSA Authentication Manager 8.5 with primary and secondary

On-premise standalone Identity Router (VMware), software version, OS version SLES11 SP4, assigned to the default cluster within RSA SecurID Access Cloud.


Future setup:

Deploy two new on-premise Identity Routers (VMware) using the latest OS version SLES12 SP5. Hostnames will be and and assigned to the default cluster within RSA SecurID Access with a Load Balancer DNS Name of SSL certificate (wildcard for * is configured for with additional subject alternate names of and


My question, or better yet my confusion, is how to configure the hostname, DNS records, and certificates to support the future configuration without a network load balancer. My understanding of the documentation is to configure host entries on the RSA Authentication Manager within the Operations Console. However, the way the documentation reads: “Hostname for the identity routers. You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses.” So, the host entries would be associated with the management interfaces of the Identity Routers and not the portal interfaces. The installed certificate on the Identity Router is used for both the web GUI of the management interface as well as the web GUI of the portal interface.


Would I create DNS records for and to be used by the management interfaces, and add those as additional subject alternate names to the certificate as well? Then configure the host entries on Authentication Manager as specified in the documentation, pointing to the IPs of idr1 and idr2?


Any advice on an HA setup of the IDRs without a load balancer would be greatly appreciated. Thanks in advance.


Reference -

Why would you use it without a load balancer? You can set up HA with an LB at zero cost, just use HAProxy. If you want two load balancers in HA you can use keepalived with a floating IP. That's how I set it up.


Anyway, back to your question. Yes, you can set up DNS names for the management interfaces, e.g.:


There are two interfaces on IDRs: the management one and the SSO/Portal/RADIUS one.


I've installed a * wildcard cert, which is CA-trusted, on all IDRs and it works fine.
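An added example of the HAProxy plus keepalived layout the reply describes (not the poster's own configuration): HAProxy runs in TCP mode so the TLS session passes through untouched and clients still see the wildcard certificate installed on each IDR, and keepalived moves one floating IP between two HAProxy nodes. The IP addresses, interface name and the DNS name pointing at the floating IP are placeholders.

```conf
# Added example, not from the thread: /etc/haproxy/haproxy.cfg
# Placeholders: IDR portal interfaces 10.0.0.11 and 10.0.0.12,
# floating IP 10.0.0.10 is what the load balancer DNS name resolves to.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode tcp               # TLS passthrough: the IDR presents its own cert
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend idr_https
    bind 10.0.0.10:443      # floating IP; only the keepalived MASTER holds it
    default_backend idr_portal

backend idr_portal
    balance roundrobin
    option ssl-hello-chk    # health check completes a TLS hello, not just a TCP open
    server idr1 10.0.0.11:443 check inter 5s fall 3 rise 2
    server idr2 10.0.0.12:443 check inter 5s fall 3 rise 2

# Added example: /etc/keepalived/keepalived.conf on the first HAProxy node
# (second node: state BACKUP, priority 90, same virtual_router_id)
vrrp_script chk_haproxy {
    script "/usr/bin/pgrep haproxy"   # lower priority if HAProxy is not running
    interval 2
    weight -20
}

vrrp_instance VI_IDR {
    state MASTER
    interface eth0          # placeholder interface name
    virtual_router_id 51
    priority 100
    advert_int 1
    virtual_ipaddress {
        10.0.0.10/24        # the floating IP bound by the HAProxy frontend
    }
    track_script {
        chk_haproxy
    }
}
```

RADIUS is UDP and is not carried by this HAProxy frontend; only the HTTPS portal traffic is balanced here.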