About Access Gateway components
Access Gateway has a number of architectural components and tiers.
The following diagram shows a detailed hypothetical architecture overview of Access Gateway, along with ports and protocols used.
In the topmost tier is traditional internet access, typically exposed using a load balancer. Users access the load balancer using application specific URLs, which then direct them to an Access Gateway worker node in a high availability cluster.
The middle tier contains the Access Gateway cluster, running within a Virtual environment such as Amazon EC2, Microsoft Azure, VMWare, and others.
An Access Gateway Cluster is composed of:
The following is the minimum recommended configuration for a high availability Access Gateway cluster.
- A load balancer, visible to the external internet and the Access Gateway cluster.
- Anadmin node, managing all application definitions, supporting infrastructure such as data stores and other configuration.
- Three or more worker nodes, managing all application requests, interacting with an Okta tenant for authorization, providing fine-grained access controls and other behaviors. While Access Gateway can function with fewer than three worker nodes, for high availability the recommended minimum cluster size is three (plus an admin node).
The Access Gateway cluster is typically behind a firewall and accessible only to the Okta tenant, the load balancer, supporting services, and the underlying protected web application resources.
In addition, Access Gateway must also be able to access certain well-defined sites such as:
- www.okta.com - Used for initial configuration and network testing.
- yum.oag.okta.com - Used for upgrading Access Gateway.
- vpn.oag.okta.com - Used for support and troubleshooting. and,
- Other ports as required for DNS, Kerberos and Syslog access.
Administrators need to be able to access the Learn about the Access Gateway command line management console using secure shell (SSH) over port 22 and the Admin Console using HTTPS over port 443. Typically these tools are used exclusively by Admins inside the firewall. Care should be taken not to open port 22 outside the firewall.
Protected web applications, typically running within a client data center, represent the lowest tier in the architecture. These applications must be accessible to Access Gateway, but should NOT be accessible to the outside world. Separation of the applications is typically handled using a split DNS mechanism where internal resources (protected web applications, databases, and other required support) are visible only to Access Gateway and required data center resources. Additionally, a firewall typically separates Access Gateway from the application tier load balancer.
Access Gateway supports the use of additional network interfaces which can be used to separate differing aspects of data center to Access Gateway traffic.
- About load balancers
- About network interfaces
- About application data stores
- Prerequisites for deploying Access Gateway
- Supported technologies