
Multiple IDRs without a load balancer.

Question asked by SAM ADAMS on Dec 10, 2020
Latest reply on Dec 10, 2020 by Luka Kodric

Current working setup:

On-premise RSA Authentication Manager 8.5 with primary and secondary

On-premise standalone Identity Router (VMWare), software version 12.11.0.0.6, OS version SLES11 SP4 (portal.sso.company.com) assigned to the default cluster within RSA SecurID Access Cloud.


Future setup:

Deploy two new on-premise Identity Routers (VMware) using the latest OS version SLES12 SP5. Hostnames will be portal1.sso.company.com and portal2.sso.company.com and assigned to the default cluster within RSA SecurID Access with a Load Balancer DNS Name of portal.sso.company.com. SSL certificate (wildcard for *.company.com) is configured for portal.sso.company.com with additional subject alternate names of portal1.sso.company.com and portal2.sso.company.com.  


My question, or better yet my confusion, is how to configure the hostname, DNS records, and certificates to support the future configuration without a network load balancer. My understanding of the documentation is to configure host entries on the RSA Authentication Manager within the Operations Console. However, the way the documentation reads: “Hostname for the identity routers. You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses” So, the host entries would be associated with the management interfaces of the Identity Routers and not the portal interfaces. The installed certificate on the Identity router is used for both the web GUI of the management interface as well as the web GUI of the portal interface.


Would I create DNS records for idr.company.com, idr1.company.com and idr2.company.com to be used by the management interfaces, add those as additional subject alternate names to the certificate as well? Then configure the host entries on Authentication Manager as specified in the documentation, pointing idr.company.com to the IPs of idr1 and idr2?


Any advice on an HA setup of the IDRs without a load balancer would be greatly appreciated. Thanks in advance.


Reference - https://community.rsa.com/docs/DOC-84670#Step3
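The certificate part of the question can be checked before anything is deployed. The script below is an added example, not code from the original post or from RSA: it takes the hostnames the post lists (plus the idr*.company.com management names the asker proposes, which are assumptions here) and reports which of them a given subject alternative name (SAN) list does not cover. Hostname matching follows RFC 6125 section 6.4.3, which is what browsers and OpenSSL's X509_check_host implement: a leading `*` matches exactly one DNS label, so `*.company.com` covers `idr1.company.com` but does not cover `portal.sso.company.com` or `portal1.sso.company.com`. Any name that is not covered needs an explicit SAN entry on the certificate installed on both identity routers.

```python
"""Check that a certificate's SAN list covers every hostname an Identity
Router deployment will be reached under.

Added example, not part of the original post or RSA documentation. The
hostnames and SAN lists are taken from the question; the idr*.company.com
management names are the asker's proposal and are assumptions here.

Wildcard matching follows RFC 6125 section 6.4.3: '*' matches exactly one
DNS label, so *.company.com covers portal.company.com but NOT
portal.sso.company.com.
"""
from typing import Iterable, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a dNSName SAN entry matches hostname (case-insensitive).

    Only a leading '*.' wildcard is honoured, and it matches a single label,
    which is how browsers and OpenSSL's X509_check_host behave by default.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        # Same label count, and every label after the wildcard identical.
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def uncovered_hostnames(sans: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames that no SAN entry matches; an empty list means the cert is fine."""
    san_list = list(sans)
    return [h for h in hostnames if not any(hostname_matches(s, h) for s in san_list)]


# Every name clients (browsers, Authentication Manager, administrators) will
# use. Constructed from the question; the idr* names are the asker's proposal.
IDR_HOSTNAMES = [
    "portal.sso.company.com",   # logical portal name (round-robin DNS, no LB)
    "portal1.sso.company.com",  # portal interface, IDR 1
    "portal2.sso.company.com",  # portal interface, IDR 2
    "idr.company.com",          # logical management name used in the AM host entry
    "idr1.company.com",         # management interface, IDR 1
    "idr2.company.com",         # management interface, IDR 2
]

# SAN list as described in the question: wildcard plus the two portalN names.
SANS_AS_DESCRIBED = [
    "*.company.com",
    "portal1.sso.company.com",
    "portal2.sso.company.com",
]

# SAN list with every name spelled out explicitly, not relying on the wildcard.
SANS_EXPLICIT = SANS_AS_DESCRIBED + [
    "portal.sso.company.com",
    "idr.company.com",
    "idr1.company.com",
    "idr2.company.com",
]

if __name__ == "__main__":
    for label, sans in (("as described", SANS_AS_DESCRIBED), ("explicit", SANS_EXPLICIT)):
        missing = uncovered_hostnames(sans, IDR_HOSTNAMES)
        status = "OK" if not missing else "not covered: " + ", ".join(missing)
        print(f"{label}: {status}")
```

Run against the SAN list in the question, the only uncovered name is `portal.sso.company.com`, because the wildcard sits one label too high to match it; the explicit list covers everything. Once the certificate is installed, the same logic can be applied to the live SAN list read from each IDR (for example with `openssl s_client -servername <name> -connect <ip>:443`), connecting to each IDR's IP in turn rather than to the round-robin name, so that both nodes are actually checked.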
