RSA^® MFA Agent for Microsoft Windows Documentation

Yes

If you have completed What You Get With the Trial and optionally Step 2: Test with Your Users and Your SAML or RADIUS Applications, and still want to do more with the trial, do the following:

Select Applications to Protect

To do more with the trial, you need to deploy an identity router. The identity router is a virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service.When you deploy an identity router, you initially select a deployment type that is based on the type of applications that you want to protect.

Select the deployment type from the table below.

What You Want to Protect	Deployment Type
RADIUS clients such as VPNs in environments that do not support outbound RADIUS communication	RADIUS
SAML applications and third-party SSO solutions	Relying Party
SAML, HTTP Federation Proxy, or Trusted Headers applications and RSA SecurID Access single sign-on for all applications	SSO Agent

Plan Your Trial Environment

There are a few things you need to plan to deploy an identity router in your environment.

What You Need to Have

Item	Description
Virtual appliance infrastructure	Hardware requirements: VMware or Hyper-V Disk space: 54 GB Memory: 8 GB Virtual CPUs: 4 Network interface: VMware: One E1000 virtual network adapter for RADIUS or relying party deployment. Two for SSO Agent deployment. Microsoft Hyper-V: One synthetic network adapter for RADIUS or relying party deployment. Two for SSO Agent deployment. Amazon Virtual Server Instance Family: General purpose Type: t2.large vCPUs: 2 Memory: 8 GB Software requirements: VMware VMware Platform: VMware ESXi 5.5 or later (currently 6.x series) VMware vSphere Client: Any version that works with the supported ESXi deployments Hyper-V 2012 R2 AWS cloud Access to t2.large or better instance types Virtual Private Cloud with private and public subnets Route Tables, Security Groups, and Network ACLs that allow traffic between the identity router and all other components in your deployment DHCP Option Sets that specify all DNS servers required for your deployment Elastic IP addresses (if your organization manages its own DNS service)
Microsoft Active Directory 2008 or 2012 or LDAPv3 directory server	Create a group of a limited number of users (for example, RSA SecurID Access Test Group) to synch and test with.
SSO Agent only: Private key, public certificate, and certificate chain for SSL protection for the RSA SecurID Access Application Portal	Generate the private key using your own infrastructure. The private key, in RSA format, is 2048-bit or greater and is not password-protected. Submit a certificate signing request (CSR) to a trusted Certificate Authority (CA) to obtain the public certificate and certificate chain. The certificate and certificate chain files are in x509 PEM format. For more information, see https://community.rsa.com/docs/DOC-89364.
A mobile device or Windows PC	iOS 11.0 or later Android 6.0 or later Windows 10 Version 1511 or later

What You Need to Know

RSA SecurID Access uses a hybrid architecture that consists of two components:

The Cloud Authentication Service is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.
The identity router is a virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service. You can deploy the identity router in your on-premises VMware or Hyper-V environment, or in the Amazon Web Services (AWS) cloud.

In RADIUS and relying party deployments with VMware or Hyper-V, the identity router has one network interface. Place this interface in a private network where it can reach your LDAP directory. For more information about configuring your system to use these interfaces, see https://community.rsa.com/docs/DOC-54091.

In SSO Agent deployments with VMware or Hyper-V, the identity router has two network interfaces. Place one interface in a public-facing network and the other in a private network where it can reach your LDAP directory.

In all deployments with AWS, the identity router has one network interface to which you assign public and private IP addresses and connect other network resources from the internet or your private network.

Additional information is available in the Planning Guide.

Add your values to the following worksheet. You will use this information in the next section and during setup.

Item	Your Values
Cloud Administration Console and Cloud Authentication Service	Current values: US region:<authentication_service_domain>, access.securid.com, na2.access.securid.com, or na3.access.securid.com (191.237.22.167, 104.42.197.125) EMEA region: <authentication_service_domain>, access-eu.securid.com (104.40.223.169, 40.127.204.94) ANZ region:<authentication_service_domain>, access-anz.securid.com (20.36.34.174, 20.36.64.73) Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router.
SSO Agent only: Protected domain name This is a unique subdomain prepended to your registered domain name and is used by all traffic managed by the identity router, for example, sso.example.com. For more information, see https://community.rsa.com/docs/DOC-79572.
LDAP directory server IP address FQDN Base DN of users (the root where users will be synchronized from, for example, DC=company, DC=com) Administrator account credentials that RSA SecurID Access can use to connect to the directory server
DNS servers IP addresses For DNS configuration requirements, see https://community.rsa.com/docs/DOC-54152.
NTP server IP address
Backups server IP address
Internal user subnet IP address
RADIUS only: RADIUS client IP address
Required only for VMware and Hyper-V identity router deployments:
Identity router management interface (private, required for all deployments) IP address Netmask Gateway Short hostname FQDN
Identity router proxy interface (public, required for SSO Agent deployments with on-premises identity router) IP address Netmask Gateway Short hostname FQDN
Required only for Amazon Web Services identity router deployments:
Identity router Private IP Address (Used for communication with internal resources in the same VPC, another VPC, or your on-premises network.) Public Elastic IP Address (Used for communication with public resources over the internet if the identity router is in a public subnet. Not required if a NAT/load balancer with a public IP address manages traffic to the identity router.) Short hostname FQDN Note: For identity routers in AWS, netmask and gateway information is obtained automatically during instance launch, according to the VPC subnet settings.
AWS environment configuration details VPC Private subnet Public subnet DHCP options set Route tables Security groups Network ACLs

Connectivity Requirements

Replace the values in the table below with your values from the worksheet above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. If you deploy the identity router in the Amazon cloud, the route tables, security groups, and network ACLs in your AWS environment must also allow these connections. Update your connectivity settings before continuing with the next step.

Source	Destination	Protocol and Port	Purpose
0.0.0.0/0	Cloud Authentication Service	TCP 443 TCP 80, 443	External user access to Cloud Authentication Service, application portal, and applications
SSO Agent only: <Your internal (corp network) end users>	Both Cloud Authentication Service environments	TCP 80, 443	Internal user access to Cloud Authentication Service, application portal, and applications
< Your administrators>	For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	On-premises (two network interfaces): TCP 443 One network interface or Amazon: TCP 9786	Identity Router Setup Console
For on-premises identity routers (one network interface): <Your identity router management interface IP address> For on-premises identity routers (two network interfaces): <Your identity router proxy interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	Cloud Administration Console and Cloud Authentication Service Cloud Administration Console and both Cloud Authentication Service environments Note: If your company uses URL filtering, be sure that .access.securid.com, .auth.securid.com, and the Cloud Authentication Service IP addresses for your region are whitelisted.	TCP 443	Identity router registration
For on-premises identity routers (one network interface): <Your identity router management interface IP address> For on-premises identity routers (two network interfaces): <Your identity router proxy interface IP address> For identity routers in the Amazon cloud: <Your identity router public IP address>	<Your protected resource>	TCP 443 or custom port	Application integration
For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	<Your LDAP directory server IP address>	TCP 389 TCP 636	LDAP directory user authentication and authorization
For on-premises identity routers: <Your identity router proxy interface IP address or identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	<Your DNS server IP address>	UDP 53	DNS
RADIUS only: <Your RADIUS client IP address>	For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	UDP 1812	RADIUS
RADIUS only: <Your RADIUS client IP address>	For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	UDP 1812	(Optional) RADIUS
For on-premises identity routers: <Your identity router proxy interface IP address or identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	<Your NTP server IP address>	UDP 123	Network time server synchronization
<Your administrator computer>	For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address>	TCP 22	(Optional) SSH for troubleshooting For more information, see https://community.rsa.com/docs/DOC-75833.

After You Finish

Set Up Your Trial Environment

We want your feedback! Tell us what you think of this page.

Previous Topic:Step 2: Test with Your Users and Your RADIUS or SAML Applications

Next Topic:Set Up Your Trial Environment

You are here

Table of Contents > Contents > Step 3: Test with Your Identity Source and All Applications

RSA^® MFA Agent for Microsoft Windows Documentation

Product Resources

Step 3: Test with Your Identity Source and All Applications

Select Applications to Protect

Plan Your Trial Environment

What You Need to Have

What You Need to Know

Connectivity Requirements

After You Finish

Trial Information

On this page

RSA® MFA Agent for Microsoft Windows Documentation

Product Resources

Step 3: Test with Your Identity Source and All Applications

​Select Applications to Protect

​Plan Your Trial Environment

What You Need to Have

What You Need to Know

Connectivity Requirements

After You Finish

Trial Information

On this page

RSA^® MFA Agent for Microsoft Windows Documentation

Select Applications to Protect

Plan Your Trial Environment