Template SoW: RSA 6.1 to 8.1 Single Hardware Appliance Migration with Citrix Access Gateway

Scope of works:


1 Day RSA Authentication Manager Consultancy

  • Installation of RSA 130 Appliance
  • Migration of data from version 6.1 to version 8.1

 Scope of Work

 Installation of Primary RSA 130 Appliance

  • Integrate with Citrix Access Gateway – 4.5
  • Confirm migration by testing authentication
  • Provide skills transfer as time allows


RSA Installation

  • Customer to supply RSA version 8.1 Appliance, Tokens, token seed Files & licenses
  • 8.1 License file may need to be downloaded from RSA Download Central at https://download.rsasecurity.com if not already obtained
  • Use the credentials and the license serial number that RSA provided to you by e-mail to log on to the site and download the license file. If you did not receive an e-mail with the logon credentials, contact the RSA Exceptions (support) Desk by sending an e-mail with your contact information and license serial number (provided in your order confirmation) to support@rsa.com or contacting 01344 781100.
  • Further details on the process are available in a 5-minute YouTube video here: http://www.youtube.com/watch?v=5e9tawZ8JfU
  • The location of the license file must be known before running the appliance Quick Setup process
  • The network information for each appliance must be provided: the fully qualified domain name (FQDN), static IP address, subnet mask, default gateway, and DNS server IP addresses
  • RSA Servers will need fully qualified Hostnames configured in DNS (forward & reverse lookups)
  • RSA server will need to be synced to an NTP time source – it is assumed that this is the same time source as the previous installation – differences in time can impact user authentications
  • Any Firewalls must be configured to allow all RSA & other components to communicate with one another
    • HTTPS, TCP 7004 & 7072 ports are required for the Administration Consoles – these must be allowed through firewalls from wherever administration is performed on the network
    • UDP 5500, 1812, 1813 required for RSA Authentication from Citrix
  • A test Agent can optionally be installed on a Windows PC to test authentication against the new system prior to migration of the 6.1 data, if required – the agent can be downloaded free of charge from the RSA website here: http://uk.emc.com/security/rsa-securid/rsa-authentication-agents/windows.htm
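
The DNS and firewall prerequisites above can be checked from the administration workstation before the consultancy day. The following is an added example, not part of the original template: the function names are hypothetical, HTTPS is assumed to mean TCP 443, and the FQDN and IP address are supplied by the customer.

```python
import socket

# Ports from the prerequisite list above; HTTPS is assumed to be TCP 443.
ADMIN_TCP_PORTS = (443, 7004, 7072)
AUTH_UDP_PORTS = (5500, 1812, 1813)  # UDP: a connect test cannot confirm these

def check_dns(fqdn, expected_ip,
              forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return a list of forward/reverse DNS problems for the appliance."""
    try:
        ip = forward(fqdn)
    except OSError as exc:
        return [f"forward lookup of {fqdn} failed: {exc}"]
    problems = []
    if ip != expected_ip:
        problems.append(f"{fqdn} resolves to {ip}, expected {expected_ip}")
    try:
        name = reverse(expected_ip)[0]
    except OSError as exc:
        problems.append(f"reverse lookup of {expected_ip} failed: {exc}")
    else:
        if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"{expected_ip} maps back to {name}, expected {fqdn}")
    return problems

def check_tcp(host, ports=ADMIN_TCP_PORTS, timeout=3.0,
              connect=socket.create_connection):
    """Return the administration TCP ports that cannot be reached from here."""
    blocked = []
    for port in ports:
        try:
            connect((host, port), timeout).close()
        except OSError:
            blocked.append(port)
    return blocked

if __name__ == "__main__":
    import sys
    fqdn, ip = sys.argv[1], sys.argv[2]  # appliance FQDN and static IP
    for problem in check_dns(fqdn, ip):
        print("DNS:", problem)
    for port in check_tcp(ip):
        print(f"TCP {port}: not reachable from this workstation")
    print("UDP", AUTH_UDP_PORTS, "are confirmed by a test authentication")
```

The TCP check is only meaningful once the appliance is on the network; the UDP authentication ports are verified by the test authentication described in the scope of work.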

Third Party Product integration

  • Integration with Citrix Access Gateway will be configured based on supported configuration as determined by documentation at https://www.rsasecured.com
  • The versions of third party agents are assumed to be versions listed in the guides on the https://www.rsasecured.com site.
  • The number of 3rd party products tested post migration will be as time allows – unless an exact number is determined before the consultancy.
  • Customer is responsible for any integrated 3rd party products.

Migration of 6.1 Data

  • Current RSA version is Authentication Manager 6.1.2 with a Primary & Replica – version 8.1 will only be installed on a single purchased appliance
  • Existing version must be already installed & working correctly
  • Full connectivity to 6.1 Installed RSA systems and Administrative Access to be supplied
  • Downtime to stop RSA 6.1 Server to take database dump files – 15 minutes
    • Migrating Log data is optional
    • Migrating any replica Server data is optional
  • Ability to copy dump files & other required files between 6.1 & 8.1
  • Migration of data is assumed to be migration of agents, user accounts, tokens, PINs and associated user data only – other configuration may require manual setup post migration.
  • If integrated with Active Directory – when transferring a static user list to an Active Directory user list, usernames used in the 6.1 environment must match those in Active Directory in order for the migration to 8.1 to succeed

Citrix Access Gateway integration

  • New Appliance to be integrated with Citrix Access Gateway Appliance via either a change to Citrix Access Gateway Configuration or by using previous RSA Appliance IP addresses

Post Implementation

  • Basic Skills transfer as time allows

Outside Scope

  • Advanced features such as:
    • 8.1 Webtier components – for external published access to Self-Service Console, use of Risk Based Authentication, Dynamic Seed Provisioning of Software Tokens (Most customers rarely use/need these components)
    • Self-Service Console can be used for internal use only
    • User Self service Token Provisioning component
    • Trusted Realm Deployments
    • Any other RSA consultancy requirements and RSA features not discussed in scope of work & caveats are outside agreed scope of consultancy.
    • Documentation
      • Basic screenshots of installation process can be done as time allows if required


  • 1 Day consultancy
  • All work is done as time allows, and it is assumed that no time-consuming change control process on the days involved will impact changes