Prerequisites for deploying Access Gateway

This page outlines the required information that must be completed prior to installing Okta Access Gateway in a customer environment.

See Supported technologies for more information on supported applications and technologies.


Underlying hardware

Okta Access Gateway is built to use the SSE4.2 extensions to the x64 instruction set, which were introduced with the Intel® Nehalem and AMD Bulldozer microarchitectures. The server that runs Access Gateway must support at least that instruction set.

Okta org

The Access Gateway configuration process requires a super admin account to configure your tenant as the identity provider.

See Configure your Okta tenant as an Identity Provider.

Firewall and access requirements

Ports and protocols

Access Gateway requires various ports and protocols to be open for use.
The following table describes all required accesses.

| Description | Inbound/Outbound | Protocol | Port | Comments |
|---|---|---|---|---|
| Okta tenant API access | Outbound | TCP/HTTPS | 443 | |
| Access Gateway updates | Outbound | TCP/HTTPS | 443 | |
| Integrated applications | Outbound | TCP/HTTPS | 443 | |
| Access Gateway Admin UI console and apps | Inbound | TCP/HTTPS | 443 | All end users must be able to reach Access Gateway directly on port 443 if it's acting as an internet-facing reverse proxy or is deployed in the DMZ. |
| SSH management, configuration replication | Inbound/Outbound | TCP/SSH | 22 | SSH is only used between instances of Access Gateway and to access the Access Gateway command line. Opening port 22 to general internet traffic is highly discouraged. |
| Support connection | Outbound | TCP | 443 | |
| Syslog | Outbound | Syslog TCP | Customer supplied | |

Application specific access

Depending on the applications being protected, Access Gateway may also require the following access:

| Description | Inbound/Outbound | Protocol | Port |
|---|---|---|---|
| Access Gateway to the Key Distribution Center (KDC) | Outbound | TCP/UDP | 88 |
| Access Gateway to DNS | Outbound | TCP/UDP | 53 |
| Access Gateway to data store | Outbound | LDAP/ODBC | Customer supplied (for example: 389/636) |
| Oracle E-Business Rapid SSO | Outbound | TCP/JDBC/SQL | Customer supplied (for example: 1521) |

General Site Accessibility

In general, the following must be reachable from the Access Gateway appliance:

| URL | Description |
|---|---|
| vpn.oag.okta.com | Support VPN |
| yum.oag.okta.com | Update support |
| www.okta.com | Network testing |
| {client tenant}.okta.com | Client specific Okta tenant |
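A practitioner usually wants to verify the hardware and egress requirements above before the installation starts rather than discover them during it. The following pre-flight script is an added example and is not Okta's own tooling: it checks `/proc/cpuinfo` for the `sse4_2` flag that the underlying-hardware section requires, and attempts outbound TCP connections to the hosts and ports listed in the site accessibility and ports tables. The tenant name is a placeholder, the `connect` parameter is an assumption introduced so the reachability check can be exercised without network access, and the sample `/proc/cpuinfo` text in `demo_cpuinfo()` is constructed.

```python
"""Pre-flight checks for an Access Gateway host (added example, not Okta tooling).

Checks two prerequisites from this page:
  1. the CPU advertises SSE4.2 (the 'sse4_2' flag in /proc/cpuinfo);
  2. the required outbound HTTPS endpoints are reachable on TCP 443.
"""
import socket
from dataclasses import dataclass

# Placeholder: replace with the customer's Okta tenant name (assumption).
TENANT = "example-tenant"


@dataclass(frozen=True)
class Requirement:
    """One outbound access requirement taken from the tables on this page."""
    description: str
    host: str
    port: int


# Outbound endpoints from the 'Ports and protocols' and 'General Site
# Accessibility' tables; all use TCP/HTTPS on port 443.
OUTBOUND_REQUIREMENTS = [
    Requirement("Okta tenant API access", f"{TENANT}.okta.com", 443),
    Requirement("Access Gateway updates", "yum.oag.okta.com", 443),
    Requirement("Support VPN", "vpn.oag.okta.com", 443),
    Requirement("Network testing", "www.okta.com", 443),
]


def has_sse42(cpuinfo_text: str) -> bool:
    """Return True if any 'flags' line of /proc/cpuinfo lists sse4_2.

    Only the 'flags' key is inspected, so the token appearing elsewhere
    (e.g. in a model name) does not count.
    """
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags" and "sse4_2" in value.split():
            return True
    return False


def tcp_connect(host: str, port: int, timeout: float = 3.0):
    """Try a plain TCP connection; return (ok, detail) without raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, str(exc)


def check_reachability(requirements, connect=tcp_connect):
    """Return {description: (ok, detail)} for each requirement.

    'connect' is injectable so the logic can be tested offline (assumption).
    """
    return {r.description: connect(r.host, r.port) for r in requirements}


def failed_requirements(results) -> list:
    """Sorted list of requirement descriptions whose check did not pass."""
    return sorted(name for name, (ok, _detail) in results.items() if not ok)


def demo_cpuinfo() -> str:
    """Constructed sample of /proc/cpuinfo output for a host that qualifies."""
    return "processor\t: 0\nflags\t\t: fpu sse sse2 sse4_1 sse4_2 avx\n"


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            cpuinfo = fh.read()
    except OSError:
        cpuinfo = demo_cpuinfo()  # non-Linux host: fall back to the sample
    print("SSE4.2 supported:", has_sse42(cpuinfo))
    results = check_reachability(OUTBOUND_REQUIREMENTS)
    for name, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {detail}")
    print("Blocked or unresolved:", failed_requirements(results) or "none")
```

Run it on the prospective appliance host before installation; any entry in the "Blocked or unresolved" list points at a firewall rule or DNS entry that still needs attention. A successful TCP connect only proves the path is open, not that a proxy or TLS inspection device in between will pass the traffic, so treat it as a necessary rather than sufficient check.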

Load balancer

If Access Gateway is installed in a high availability configuration, your organization must provide a load balancer. The load balancer can balance traffic using Source Network Address Translation (SNAT) or Dynamic Network Address Translation (DNAT), and it should be configured to balance using a hash of the source IP address and source port. See Example architecture.