SecurID® Discussions

Occasional Contributor

RSA AM Replica - Other Country

Hello all,

I want to know if it is possible to deploy a replica instance in another country.

Just for information what I want to do:

I have an RSA AM 8.5 instance located in Europe in combination with a Citrix NetScaler. Now we want to deploy an RSA Replica with another Citrix NetScaler at a location in the USA, where that NetScaler should use the RSA Replica for 2FA.

The two sites are connected with a VPN. What do I have to take into account?

Furthermore, how does the replica react if it is in a different subnet? Is it the case that, if the replica can't reach the RSA Primary and fails, the assistant on the replica will ask to enter the IP address of the primary instance?

Thanks in advance

Kind regards

3 Replies
Apprised Contributor

The Primary and Replica need to be able to communicate with each other over TCP port 7002 (AM replication) and 1812 and 1813 (RADIUS replication). The replica also needs to be able to communicate with other replicas over 7002. With any site-to-site VPN between the primary and replica, the firewall rules would need to reflect this.

The AM Planning Guide has a section on which ports need to be open for communication between AM servers, between Help Desk Admin browsers and AM servers, and between agents and AM servers. There's a good picture that summarizes this at this post.

Occasional Contributor

Hi Giuseppe,

It's no problem to run an AM Replica in another country and/or subnet; we have had this configuration for many years. Our Primary and two Replicas are in EMEA and there's one Replica in the US. As Jay already said, you need to make sure the communication between the instances is established successfully.

When it comes to Citrix ADC (fka NetScaler): there, you configure the AuthMgr w/ RADIUS authentication and set the AM server _nearest_ to the individual ADC as preferred with your RADIUS Authentication Policies, or configure the RADIUS Load Balancing vServer accordingly. You don't need to swap any IP addresses or similar.


The most critical thing is that UTC is the same on all servers.... pick accurate NTP sources and whatever timezone you prefer.... so when you do

date -u

on the command line, all AM servers are within seconds of each other or better.
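A small check script tying the two prerequisites from this thread together (the replication ports from the first reply and the UTC clock check from the last one). This is an added example, not RSA's tooling or anything posted in the thread; it assumes nc(1) is installed, that the peers are reachable by hostname or IP, and that the account running it can ssh to each peer to run `date -u +%s`.

```shell
#!/bin/sh
# Constructed example (not from the thread): verify the replication prerequisites
# between an RSA AM primary and a replica across a site-to-site VPN.
# Assumptions: nc(1) available, peers reachable, ssh access to run `date -u +%s`.

# Ports from the first reply: 7002 (AM replication), 1812/1813 (RADIUS replication).
AM_REPLICATION_PORTS="7002 1812 1813"

# clock_skew_ok A B TOL: returns 0 when |A - B| <= TOL seconds, else 1.
clock_skew_ok() {
  diff=$(($1 - $2))
  [ "$diff" -lt 0 ] && diff=$((-diff))
  [ "$diff" -le "$3" ]
}

# check_peer_ports HOST: TCP-connect to every replication port (5 s timeout each);
# returns 0 only if all ports accept the connection.
check_peer_ports() {
  host=$1; rc=0
  for p in $AM_REPLICATION_PORTS; do
    if nc -z -w 5 "$host" "$p" 2>/dev/null; then
      echo "ok   $host:$p"
    else
      echo "FAIL $host:$p (blocked by firewall/VPN or not listening)"; rc=1
    fi
  done
  return $rc
}

# check_peer_clock HOST [TOL]: compare local UTC epoch with the peer's (default 5 s).
check_peer_clock() {
  host=$1; tol=${2:-5}
  here=$(date -u +%s)
  there=$(ssh -o ConnectTimeout=5 "$host" 'date -u +%s') || { echo "FAIL clock $host (ssh)"; return 1; }
  if clock_skew_ok "$here" "$there" "$tol"; then
    echo "ok   clock $host"
  else
    echo "FAIL clock $host (skew $((here - there)) s, fix NTP before replication)"; return 1
  fi
}

# Usage: sh am_replica_check.sh primary.example.com replica-us.example.com
if [ $# -gt 0 ]; then
  status=0
  for h in "$@"; do
    check_peer_ports "$h" || status=1
    check_peer_clock "$h" || status=1
  done
  exit $status
fi
```

Run it from the primary against the replica and from the replica against the primary (and the other replicas), since the rules must allow 7002 in both directions.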