This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
GiuseppeDispinz
Occasional Contributor
Occasional Contributor
ā€Ž2020-11-11 04:55 PM

RSA AM Replica - Other Country

Hello together,

I want to know if it is possible to deploy a replica instance in a other country?

Just for information what I want to do:

I have an RSA AM 8.5 instance located in Europe in combination with a Citrix Netscaler. Now we want deploy an RSA Replica with another Citrix NetScaler in a location in USA. Where the Netscaler should use the RSA Replica for 2FA.

The two site are connected with an vpn. What I have to note?

Furthermore how react the replica if it is in a different subnet? It is so that If the replica don't reach the RSA Primary and it fails the assistent on the replica will ask to put in the ip address of the primary instance ?

Thanks in advance

Kind regards
Giuseppe

Labels (1)
0 Likes
Reply
3 Replies
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
ā€Ž2020-11-11 05:10 PM

The Primary and Replica need to be able to communicate with each other over TCP port 7002 (AM replication) and 1812 and 1813 (RADIUS replication).  The replica also needs to be able to communicate to other replicas over 7002.  With any site to site VPN between the primary and replica, the firewall rules would need to reflect this.

 

The AM Planning Guide has a section of what ports need to be open for communication between AM servers, between Help Desk Admin browsers and AM servers, and between agents and AM servers.  There's a good picture that summarizes this a this post

https://community.rsa.com/message/912893?commentID=912893#comment-912893 

Reply
JochenHoffmann
Occasional Contributor
Occasional Contributor
ā€Ž2020-11-12 03:29 AM

Hi Giuseppe, 

it's no problem to run a AM Replica in another country and / or subnet, we have this configuration since many years. Our Primary and two Replicas are in EMEA and there's one Replica in US. As Jay already said, you need to make sure, the communication between the instances is established successfully. 

 

When it comes to Citrix ADC (fka NetScaler): there, you configure the AuthMgr w/ RADIUS authentication and set the AM server _nearest_ to the individual ADC as preferred with your RADIUS Authentication Policies or configure the RADIUS Load Balancing vServer accordingly. You don't need to swap any IP addresses or similar. 

0 Likes
Reply
EdwardDavis
Employee
Employee
ā€Ž2020-11-12 08:09 AM

The most critical thing is that UTC is the same on all servers....pick accurate NTP sources

and whatever timezone you prefer....

so when you do

date -u

 

On command line, all AM servers are within seconds of each other or better.

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.