Access Gateway Support VPN
The purpose of this document is to describe the Access Gateway Support VPN and how it is configured and used.
What’s covered in this guide
The Support VPN:
- Is a mechanism used by Okta to access a client Access Gateway appliance.
- Can only be used by select members of Okta support, professional services, and Access Gateway engineering teams.
- Requires that client firewalls allow outgoing TCP traffic on port 443.
See Prerequisites for Deploying Access Gateway for a complete list of all ports and protocols used by Access Gateway.
- Is enabled by default.
The Support VPN is used to access client appliance instances using a support-only VPN and public key/private key encryption.
When connected to a client Access Gateway appliance, Okta has three forms of access:
- Administer - Okta support staff can log in and execute operations using the Admin UI to perform normal administration activities.
- Command line - Okta support staff can use an ssh-like tool to connect to the instance and execute commands to enhance, diagnose or correct instance issues.
- File transfer - Okta support staff can copy files to and from the Access Gateway appliance to upload and capture configuration, logs and similar information.
While the Support VPN is enabled by default, customers can disable it.
Care should be taken when disabling the Support VPN. When disabled, Okta cannot:
- Provide enhanced support or other professional services.
- Troubleshoot, repair or examine a client appliance.
- Download logs or configuration files.
The Support VPN can be disabled and enabled on demand using the Admin UI and command line consoles.
The Support VPN is enabled by default, but may be disabled or re-enabled using the Admin UI.
To enable or disable the Support VPN:
- Log in to the Access Gateway Admin Console.
- Select the Support tab.
- Use the Allow Support Connection toggle to enable or disable the support connection.
Changes to the VPN connection take effect immediately. The VPN support connection can be enabled on demand to allow Okta Support access to an Access Gateway instance.
The Support VPN can also be enabled or disabled using the command line interface. See Access Gateway Command Line Management Console Reference for more information.
- Configure application behaviors. For more information see Administer Behaviors.
- Use attributes in applications. For more information see Application Attributes.
- Extend Access Gateway using data stores. For more information see Administer DataStores.
- For a complete list of HTTP status codes and explanations see HTTP Status Codes