Prerequisites for deploying Access Gateway

This page lists the requirements that must be met before Okta Access Gateway is installed in a customer environment. Access Gateway requirements fall into the following areas:

Area                                  Requirement
Hardware requirements                 The underlying hardware that hosts the Access Gateway virtual appliance must meet certain instruction set requirements.
Okta org account requirements         The account used to manage Access Gateway must meet certain minimum requirements.
Firewall and access requirements      Access Gateway uses various ports and protocols. This section details those requirements.
Front end load balancer requirements  Access Gateway is typically fronted by a load balancer, which must meet certain requirements.

See Supported technologies for more information on supported applications and technologies.

Hardware requirements

Okta Access Gateway was built to use the SSE4.2 extensions to the x64 instruction set, which were introduced with the Intel® Nehalem and AMD Bulldozer microarchitectures. The server that runs the Access Gateway virtual appliance must support this instruction set at minimum. Because the appliance is a virtual machine, the hypervisor must also expose the flag to the guest: a CPU compatibility mode that masks newer features (for example a pre-Nehalem EVC baseline in VMware) can hide SSE4.2 from the appliance even on a supported host.
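The following check, an added example that is not part of the Okta page or the appliance, verifies from inside a Linux guest that the CPU flags presented to it include sse4_2. It reads /proc/cpuinfo by default; the optional file argument lets it run against a saved copy of cpuinfo. The exit codes and the function name are this example's own choices.

```shell
#!/bin/sh
# Added example: confirm the CPU visible to the guest exposes SSE4.2, the minimum
# instruction set Access Gateway requires. Not Okta's code; file argument is optional.

# Returns 0 if the sse4_2 flag is present, 1 if a flags line exists but lacks it,
# 2 if no flags line could be read (not Linux, or the file is missing).
oag_cpu_supports_sse42() {
    cpuinfo="${1:-/proc/cpuinfo}"
    # First "flags" line only; all cores report the same flags.
    flags=$(awk -F: '/^flags[[:space:]]*:/ { print $2; exit }' "$cpuinfo" 2>/dev/null)
    [ -n "$flags" ] || return 2
    # Pad with spaces so "sse4_2" cannot match inside another flag name.
    case " $flags " in
        *" sse4_2 "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Run this inside the guest, not only on the hypervisor host: a CPU compatibility
# mode (for example VMware EVC at a pre-Nehalem baseline) can mask sse4_2 from the
# guest even when the physical CPU supports it.
rc=0
oag_cpu_supports_sse42 || rc=$?
case $rc in
    0) echo "SSE4.2 available: host meets the Access Gateway instruction set requirement" ;;
    1) echo "SSE4.2 missing: choose another host or stop masking CPU features in the hypervisor" ;;
    *) echo "could not read CPU flags: run this check inside a Linux guest on the target host" ;;
esac
```

A result of 2 is deliberately distinct from 1: "cannot tell" should not be reported as "unsupported".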

Okta org account requirements

The Access Gateway configuration process requires a super admin account to configure your tenant as the identity provider.

See Configure your Okta tenant as an Identity Provider.

Firewall and access requirements

Ports and protocols

Access Gateway requires the following ports and protocols to be open. The table describes all required accesses.

Description                               Direction          Protocol      Port                 Comments
Okta tenant API access                    Outbound           TCP/HTTPS     443                  Your Okta tenant IP addresses can change. If you need specific IP address ranges for your firewall ACL, see Implementation details.
Access Gateway updates                    Outbound           TCP/HTTPS     443                  If you need finer control over access to yum.oag.okta.com, you can configure access by IP address. IP addresses may be determined with a tool such as nslookup; see the caution below.
Integrated applications                   Outbound           TCP/HTTPS     <application ports>  Access Gateway communication to the protected application.
Access Gateway Admin UI console and apps  Inbound            TCP/HTTPS     443                  All end users must be able to reach Access Gateway directly on port 443 if it acts as an internet-facing reverse proxy or is deployed in the DMZ.
SSH management                            Inbound/Outbound   TCP/SSH       22                   OPTIONAL. Internal SSH access to each node for the Access Gateway Management console. By default, the management console is reachable only through the virtual environment console. Opening port 22 to general internet traffic is highly discouraged.
Access Gateway High Availability          Inbound/Outbound   TCP/SSH       22                   Internal bi-directional communication between Access Gateway nodes for configuration replication.
Access Gateway High Availability          Worker to admin    TCP/HTTPS     443                  During initial high availability configuration, Access Gateway worker instances communicate with the Access Gateway admin over HTTPS on port 443.
NTP                                       Outbound           UDP           123                  Network time and date synchronization.
Support connection                        Outbound           TCP/HTTPS     443                  If you need finer control over access to vpn.oag.okta.com and support.oag.okta.com, you can configure access by IP address. IP addresses may be determined with a tool such as nslookup; see the caution below.
Syslog                                    Outbound           TCP (syslog)  Customer supplied    Event log forwarding to a syslog or similar solution.
Access Gateway to the Key Distribution Center (KDC)
                                          Outbound           TCP/UDP       88
Access Gateway to DNS                     Outbound           TCP/UDP       53

Caution

Okta reserves the right to change the IP addresses associated with Access Gateway updates, VPN and similar services at any time. Confirm specific IP addresses with Okta support before committing them to a firewall ACL.
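The port table above, rendered as a default-deny host firewall for one Access Gateway node. This is an added example for this page, not Okta's or the appliance's own configuration; every address (management subnet 10.0.10.0/24, HA peer nodes, application backend, KDC, syslog collector) and the tenant hostname example.okta.com are assumed placeholders, and the function names are this example's own. The same matches translate directly to a perimeter firewall or cloud security group. Okta destinations are kept in an nftables set that is filled from DNS at load time rather than hard-coded, because the caution above says those addresses can change.

```shell
#!/bin/sh
# Added example (not Okta's code): nftables policy for one Access Gateway node derived
# from the port table. All addresses and hostnames below are assumed placeholders.

# Emit an nftables ruleset. Arguments:
#   $1 management subnet allowed to use SSH (22) to the node
#   $2 space-separated IPv4 addresses of the other gateway nodes (HA peers); may be empty
#   $3 protected application backend as host:port
#   $4 Kerberos KDC address (TCP/UDP 88)
#   $5 syslog collector as host:port (customer-supplied port)
oag_ruleset() {
    mgmt_net="$1"
    peer_set=$(printf '%s' "$2" | sed 's/ /, /g')
    peer_line=""
    # A single-node deployment has no peers; an empty "elements = { }" is invalid nft.
    [ -n "$peer_set" ] && peer_line="        elements = { ${peer_set} }"
    app_host="${3%:*}"; app_port="${3##*:}"
    kdc="$4"
    log_host="${5%:*}"; log_port="${5##*:}"
    cat <<EOF
table inet oag {
    # Okta destinations: {tenant}.okta.com, yum/vpn/support.oag.okta.com, www.okta.com.
    # Left empty here; fill it with oag_resolve_elements and refresh on a timer,
    # because Okta may change these addresses at any time.
    set okta_egress {
        type ipv4_addr
    }
    set oag_peers {
        type ipv4_addr
${peer_line}
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # End users (reverse proxy / DMZ) and HA worker-to-admin bootstrap: TCP 443
        tcp dport 443 accept
        # HA configuration replication: SSH only between gateway nodes
        ip saddr @oag_peers tcp dport 22 accept
        # OPTIONAL management console over SSH, from the management subnet only;
        # never expose port 22 to general internet traffic
        ip saddr ${mgmt_net} tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # DNS (TCP/UDP 53) and NTP (UDP 123)
        tcp dport 53 accept
        udp dport 53 accept
        udp dport 123 accept
        # Okta tenant API, Access Gateway updates, support connection: HTTPS 443
        ip daddr @okta_egress tcp dport 443 accept
        # HA replication (22) and worker-to-admin bootstrap (443) towards peer nodes
        ip daddr @oag_peers tcp dport { 22, 443 } accept
        # Protected application backend
        ip daddr ${app_host} tcp dport ${app_port} accept
        # Kerberos KDC (TCP/UDP 88)
        ip daddr ${kdc} tcp dport 88 accept
        ip daddr ${kdc} udp dport 88 accept
        # Syslog forwarding over TCP to the customer-supplied port
        ip daddr ${log_host} tcp dport ${log_port} accept
    }
}
EOF
}

# Resolve the Okta hostnames to IPv4 addresses and emit commands that add them to
# okta_egress. Needs working DNS (port 53 above) and an already loaded table, e.g.
#   oag_resolve_elements yum.oag.okta.com vpn.oag.okta.com support.oag.okta.com \
#       www.okta.com example.okta.com | nft -f -
# Run at boot and periodically so the set tracks address changes.
oag_resolve_elements() {
    for h in "$@"; do
        getent ahostsv4 "$h" | awk '{ print $1 }' | sort -u | while read -r ip; do
            printf 'add element inet oag okta_egress { %s }\n' "$ip"
        done
    done
}

# Render the ruleset with placeholder values; load it with: oag_ruleset ... | nft -f -
oag_ruleset 10.0.10.0/24 "10.0.10.12 10.0.10.13" 10.0.20.5:8443 10.0.20.9 10.0.30.1:514
```

Both chains default to drop, so anything the table does not list is blocked and shows up in testing rather than being silently allowed; the resolver is kept separate from the ruleset so a DNS failure cannot prevent the static rules from loading.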

Application specific access

Depending on the applications you protect, Access Gateway may also require the following access:

Description                     Direction   Protocol       Port
Access Gateway to data store    Outbound    LDAP/ODBC      Customer supplied (for example: 389/636)
Oracle E-Business Rapid SSO     Outbound    TCP/JDBC/SQL   Customer supplied (for example: 1521)

General Site Accessibility

In general, the following must be reachable from the Access Gateway appliance:

URL                        Description
vpn.oag.okta.com           Support VPN
yum.oag.okta.com           Update support
www.okta.com               Network testing
{client tenant}.okta.com   Client-specific Okta tenant

Front end load balancer requirements

If Access Gateway is installed in a high availability configuration, your organization must provide a load balancer. The load balancer can distribute traffic using Source Network Address Translation (SNAT) or Destination Network Address Translation (DNAT), and should be configured to balance on a hash of the source IP address and source port. See Example architecture and About load balancers.