Prerequisites for deploying Access Gateway

This page lists the prerequisites that must be in place before Okta Access Gateway is installed in a customer environment.

For information about supported applications, supported technologies such as TLS versions, and similar details, see Supported technologies.

Underlying Hardware

Okta Access Gateway is built to use the SSE4.2 extensions to the x64 instruction set, which were introduced with the Intel® Nehalem and AMD Bulldozer microarchitectures. The server (or virtual machine) that runs Access Gateway must, at a minimum, expose that instruction set to the guest. On Linux, the flags line of /proc/cpuinfo lists sse4_2 when the extension is available; a hypervisor that masks CPU features can hide it even on capable hardware.

Okta org

The Access Gateway configuration process requires a super admin account in your Okta org to configure the tenant as the identity provider. See Configure your Okta tenant as Identity Provider for details of configuring your Okta tenant as the IdP for Access Gateway.

Firewall and Access Requirements

Ports and Protocols

Access Gateway requires the following ports and protocols to be open. Direction is relative to the Access Gateway host.

Description | Direction | Protocol | Port | Comments
Okta tenant API access | Outbound | TCP/HTTPS | 443 |
Access Gateway updates | Outbound | TCP/HTTPS | 443 |
Integrated applications | Outbound | TCP/HTTPS | 443 |
Access Gateway Admin UI and apps | Inbound | TCP/HTTPS | 443 | All end users must be able to reach Access Gateway directly on port 443 if it acts as an internet-facing reverse proxy or is deployed in the DMZ.
SSH management, configuration replication | Inbound/Outbound | TCP/SSH | 22 | SSH is used only between Access Gateway instances and to reach the Access Gateway command line. Do not expose port 22 to general internet traffic; restrict it to the other Access Gateway instances and to administrative hosts.
Support connection | Outbound | TCP | 443 |
Syslog | Outbound | Syslog over TCP | Customer supplied |

Application Specific Access

Depending on the applications being integrated, Access Gateway may also require the following access:

Description | Direction | Protocol | Port
Access Gateway to the Key Distribution Center (KDC) | Outbound | TCP/UDP | 88
Access Gateway to DNS | Outbound | TCP/UDP | 53
Access Gateway to data store | Outbound | LDAP/ODBC | Customer supplied (for example 389/636)
Oracle E-Business Rapid SSO | Outbound | TCP/JDBC/SQL | Customer supplied (for example 1521)

General Site Accessibility

In general, the following must be reachable from the Access Gateway appliance:

URL | Description
vpn.oag.okta.com | Support VPN
yum.oag.okta.com | Update support
www.okta.com | Network testing
{client tenant}.okta.com | Client-specific Okta tenant
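To turn the hardware, ports and site-accessibility requirements above into something you can run before the installation window, here is an added preflight script. It is an example written for this page, not Okta tooling. It reads /proc/cpuinfo for the sse4_2 flag and opens a TCP connection to each Okta endpoint on 443, reporting DNS failures separately from connect failures so you know whether to fix port 53 or port 443 egress. The tenant name, the extra list for customer-supplied destinations (syslog collector, LDAP server, database), and the 5-second timeout are assumptions; the sample cpuinfo text used in testing is constructed.

```python
"""Preflight checks for an Access Gateway host.

Added example, not Okta tooling. Run it from the host (or a host on the same
network segment) where Access Gateway will be deployed, because firewall
rules are evaluated from that vantage point.
"""
import re
import socket
import sys

# Hosts from the General Site Accessibility table; the tenant host is built
# from the tenant name the caller supplies.
OKTA_HOSTS = ("vpn.oag.okta.com", "yum.oag.okta.com", "www.okta.com")
CONNECT_TIMEOUT = 5.0  # seconds; assumed value, raise it for slow WAN links


def has_sse42(cpuinfo_text):
    """Return True if the 'flags' line of /proc/cpuinfo-style text lists sse4_2.

    Only the first 'flags' line is inspected; every core reports the same
    flags, and a hypervisor that masks SSE4.2 masks it for all of them.
    """
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = line.split(":", 1)[1].split()
            return "sse4_2" in flags
    return False


def required_endpoints(tenant, extra=()):
    """Build the list of (host, port) TCP endpoints to probe.

    tenant is the subdomain only ('acme' for acme.okta.com). extra holds
    customer-supplied TCP destinations such as a syslog collector or an LDAP
    server. UDP-only services (KDC over UDP 88) cannot be probed this way.
    """
    if not re.fullmatch(r"[A-Za-z0-9-]+", tenant):
        raise ValueError("tenant must be the subdomain only, e.g. 'acme' for acme.okta.com")
    endpoints = [(host, 443) for host in OKTA_HOSTS]
    endpoints.append((f"{tenant.lower()}.okta.com", 443))
    endpoints.extend((host, int(port)) for host, port in extra)
    return endpoints


def tcp_reachable(host, port, timeout=CONNECT_TIMEOUT):
    """Resolve host and open a TCP connection; return (ok, detail).

    socket.gaierror is a subclass of OSError, so it is caught first to keep
    DNS failures distinct from connect failures: they point at different fixes
    (port 53 egress versus port 443 egress).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"DNS resolution failed: {exc}"
    except OSError as exc:
        return False, f"connect failed: {exc}"


def run_preflight(tenant, extra=(), cpuinfo_path="/proc/cpuinfo"):
    """Run all checks, print one line per check, and return the failure count."""
    failures = 0
    try:
        with open(cpuinfo_path) as fh:
            cpu_ok = has_sse42(fh.read())
    except OSError:
        cpu_ok = False  # no /proc/cpuinfo (non-Linux host): treat as unverified
    print(f"[{'PASS' if cpu_ok else 'FAIL'}] CPU exposes SSE4.2")
    failures += 0 if cpu_ok else 1
    for host, port in required_endpoints(tenant, extra):
        ok, detail = tcp_reachable(host, port)
        print(f"[{'PASS' if ok else 'FAIL'}] {host}:{port} ({detail})")
        failures += 0 if ok else 1
    return failures


if __name__ == "__main__":
    # Usage: python3 oag_preflight.py <tenant> [host:port ...]
    tenant_arg = sys.argv[1] if len(sys.argv) > 1 else "example"
    extras = [tuple(arg.rsplit(":", 1)) for arg in sys.argv[2:]]
    sys.exit(1 if run_preflight(tenant_arg, extras) else 0)
```

A non-zero exit status means at least one prerequisite is missing; the printed lines say which. Because the script connects from wherever it runs, run it on the target host rather than from an administrator's laptop, otherwise it only proves that the laptop's egress rules are correct.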

Load Balancer

If Access Gateway is installed in a high availability configuration, your organization must provide a load balancer. The load balancer can distribute traffic using Source Network Address Translation (SNAT) or Dynamic Network Address Translation (DNAT) and should be configured to balance on a hash of the source IP address and source port, so that a client's requests consistently reach the same instance. Also see Example architecture.
