Before setting up an identity router virtual appliance or cloud-based instance, you must add an identity router record to the Cloud Authentication Service using the Cloud Administration Console. When performing this task, you obtain a unique Registration Code, which is required to connect the identity router to the Cloud Administration Console.

Note: This procedure applies to identity routers deployed on the VMware, Hyper-V, or Amazon Web Services cloud platforms. If you are deploying an identity router that is embedded in Authentication Manager, see Add an Identity Router Embedded in RSA Authentication Manager.

Note: After an identity router is registered in a deployment, it cannot be reused in another deployment. For example, suppose you registered an identity router with Company A for a trial deployment, and you want to use the same identity router with Company A in a production deployment. You must add a new identity router (virtual machine) to the production deployment.

1. Sign into the Cloud Administration Console.

2. Click Platform > Identity Routers.

3. On the Identity Routers page, click Add an Identity Router.

4. From the Where do you want to deploy the identity router? drop-down menu, select the platform that will host the identity router.

5. By default, one network interface is enabled. If you are configuring an IDR SSO Agent deployment with an on-premises identity router, SecurID recommends that you select Enable two network interfaces. This setting must match the same setting configured in the Identity Router VM Console. Amazon Web Services always requires one network interface.

6. In the Name field, enter the Identity Router FQDN value for this identity router from your Quick Setup Guide. For on-premises identity routers, use the FQDN for the portal interface.
   Using the FQDN guarantees that each identity router record has a unique name, and acts as a simple method to identify the corresponding identity router appliance on your network. If your company deploys FIDO authenticators and you change the FQDN after you add the identity router, all users who previously registered their authenticators must register again.
7. (Optional) In the Description field, describe this identity router. Include the IP address and domain name of the identity router in the description field so that you can identify the corresponding identity router appliance on your network.
8. In the Portal Hostname field, enter the Identity Router FQDN value for this identity router from your Quick Setup Guide. For on-premises identity routers, use the FQDN for the portal interface.

   Note: This value must match the hostname you specify when you install and configure the identity router virtual appliance. The hostname must end with your company domain name and must be configured in your DNS server to point to the identity router IP address. For identity routers in the Amazon cloud, point to the public Elastic IP address. For on-premises identity routers, point to the portal interface IP address. For more information, see Identity Router DNS Requirements.

9. From the Cluster drop-down menu, select the cluster to which this identity router belongs.
   SecurID creates a default cluster that you must select when you add the first identity router. You can edit and rename the default cluster after you deploy at least one identity router. If your deployment already has multiple clusters, be sure to select the correct cluster.

10. In the Timeout (seconds) field, specify the length of time the Cloud Authentication Service attempts to communicate with an unresponsive identity router before logging an error and updating the connection status indicator.

11. Click Next Step.

12. (Optional) Configure one or more firewall rules to allow connections from specific IP addresses to specific ports on the identity router. For example, you can add a firewall rule to allow a load balancer to access the identity router status servlet on port 8080.
    See your Quick Setup Guide for the list of firewall rules required for your deployment.
    

    Note: For identity routers in the Amazon cloud, you must also configure security groups in your Amazon Web Services environment to allow connections for the required ports and IP addresses.

    1. From the Connection Method drop-down menu, select the connection method to allow.

    2. From the Protocol drop-down menu, select the protocol to allow.

    3. In the Port Range/Message Type field, enter the port or port range to open for the connection.

    4. In the Source Network field, enter the network address/prefix pair for the source network where the allowed connections will originate.

    5. (Optional) Click ADD. Repeat steps a through d to add each firewall rule.

13. (Optional) Configure one or more static routes if your company network requires the identity router to connect through specific network paths to access specific network resources. For example, you can add a static route to allow the identity router to access the Cloud Authentication Service through a specific gateway.

    The following information applies:

    • Static routes are not required if all network resources are accessible through the default gateway connected to the identity router network interfaces.

    • Static route configuration is not available for identity routers in the Amazon cloud. Configure route tables in your Amazon Web Services environment to direct traffic from internal and external network resources through the appropriate gateway in your VPC.

    Note: After you register and publish the identity router, the static route you specify on this page always overwrites the static routes specified in the Identity Router Setup Console. If you need to update static routes after registration, always use the Cloud Administration Console. Use the Identity Router Setup Console only before registration or when the identity router cannot communicate with the Cloud Administration Console.

    Perform these steps:

    1. In the IP Address field, enter the IP address of the network resource.

    2. In the Network Mask field, enter the network mask of the network resource. For example, 255.255.255.0.

    3. In the Gateway field, enter the gateway address for the static route.

    4. If your deployment has two network interfaces, from the Device drop-down menu, select the device type for the static route. The device type specifies whether the static route applies for connections to the portal interface (Public) or the management interface (Private) of the identity router.

       If your deployment has one network interface, one device type is available.

    5. (Optional) Click ADD. Repeat steps a through d to add each static route.

       Note: Make sure the static route you enter is correct. The Cloud Authentication Service cannot validate the route before the identity router is registered. You can initiate validation by returning to this page after registration and clicking Save and Next Step.

14. (Optional) Configure one or more static DNS entries if you need to enable this identity router to resolve specific hostnames that are not provided by the DNS server.

    1. In the IP Address field, enter the IP address for the static DNS entry.

    2. In the Aliases field, enter one or more hostname aliases for the static DNS entry, separated by a space.

    3. (Optional) Click ADD. Repeat steps a and b to add each static DNS entry.

15. Click Save and Next Step.

16. Under Registration Details, copy the Registration Code and Authentication Service Domain to a location where you can access them when you install and configure the identity router.
    

17. Click Close.