Example Architecture

The Access Gateway solution is implemented within a customer's infrastructure and can be deployed in the cloud, on-premises, or in a hybrid configuration. Okta provides it as an Open Virtual Appliance (.ova) file.

[Figure: Sample Architecture]

[Figure: Example Architectures]

High Availability

High availability is achieved by placing a load balancer in front of the Access Gateway nodes. We recommend that the load balancer use DNAT, with session persistence based on a hash of the source IP address and source port. The load balancer should also perform health checks via ICMP or HTTPS, with HTTP keepalives enabled for a duration that exceeds the health check interval.
Access Gateway uses the term node to refer to an instance of the gateway that shares its configuration with other instances. Access Gateway nodes typically serve as fallbacks for one another. A group of Access Gateway instances within a given infrastructure is referred to as a cluster. For the instances to replicate their configuration correctly, all instances within the cluster must be able to communicate with each other; Okta Access Gateway cluster members communicate using port 22. See the Firewall Rules section in Prerequisites for Deploying Access Gateway for details about ports.

Please contact Okta Support if you require any additional details or information on load balancing and high availability techniques.

Disaster Recovery

Disaster recovery (DR) can be achieved by leveraging Global Server Load Balancing (GSLB) or by modifying public and private IP address assignments when a disaster recovery scenario occurs. Please note that protected applications must be available as part of the disaster recovery solution and that Access Gateway must have access to the protected disaster recovery applications.

External Access

All external (internet-based) end users must have access to both the primary production and disaster recovery solutions. We recommend using DNAT so that Access Gateway can record the true origin of each user accurately in its audit logs.
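The load balancer behaviour described in the High Availability and External Access sections is easy to get subtly wrong, so here is an added illustration (not Okta's code and not part of this page) of the four properties that matter: session persistence keyed on a hash of source IP and source port, health checks that pull a failed node out of rotation so the other node acts as its fallback, a configuration check that the HTTP keepalive outlasts the health-check interval, and the reason DNAT rather than SNAT is recommended: with DNAT the node still sees the client's real source address, which is what ends up in the audit log. Node names, the private addresses, the virtual IP and the client address are constructed sample values.

```python
"""Added example (not Okta's code): a minimal model of the load balancer in
front of an Access Gateway cluster. Node names and addresses are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    address: str            # constructed private address of one Access Gateway node
    healthy: bool = True
    missed_checks: int = 0


class LoadBalancer:
    def __init__(self, nodes, vip, health_check_interval_s=10,
                 http_keepalive_s=30, max_missed_checks=3):
        self.nodes = nodes
        self.vip = vip                                  # address clients connect to
        self.health_check_interval_s = health_check_interval_s
        self.http_keepalive_s = http_keepalive_s
        self.max_missed_checks = max_missed_checks

    def validate_config(self):
        """Return a list of configuration problems (empty when the settings are sane)."""
        problems = []
        if self.http_keepalive_s <= self.health_check_interval_s:
            problems.append("HTTP keepalive must exceed the health-check interval")
        if not self.nodes:
            problems.append("no Access Gateway nodes configured")
        return problems

    def record_health_check(self, name, ok):
        """Feed one ICMP/HTTPS probe result; a node is pulled after repeated failures."""
        node = next(n for n in self.nodes if n.name == name)
        if ok:
            node.missed_checks = 0
            node.healthy = True
        else:
            node.missed_checks += 1
            if node.missed_checks >= self.max_missed_checks:
                node.healthy = False

    def select_node(self, src_ip, src_port):
        """Pick a healthy node by hashing the client's source IP and source port,
        so the same client connection always lands on the same node."""
        healthy = [n for n in self.nodes if n.healthy]
        if not healthy:
            raise RuntimeError("no healthy Access Gateway nodes")
        digest = hashlib.sha256(f"{src_ip}:{src_port}".encode()).digest()
        return healthy[int.from_bytes(digest[:8], "big") % len(healthy)]

    def forward(self, src_ip, src_port, mode):
        """Rewrite the addresses the way DNAT or SNAT would and return the
        headers the chosen node sees."""
        node = self.select_node(src_ip, src_port)
        if mode == "dnat":
            # DNAT rewrites only the destination: the node still sees the client IP.
            return {"src": src_ip, "dst": node.address, "node": node.name}
        if mode == "snat":
            # SNAT replaces the source with the load balancer's own address.
            return {"src": self.vip, "dst": node.address, "node": node.name}
        raise ValueError(f"unknown NAT mode {mode!r}")


def audit_origin(packet):
    """What an audit log entry written on the node would record as the client origin."""
    return packet["src"]


def build_sample_cluster():
    """Two-node cluster with constructed sample addresses."""
    return LoadBalancer(
        nodes=[Node("gw1", "10.0.1.11"), Node("gw2", "10.0.1.12")],
        vip="10.0.0.5",
    )


if __name__ == "__main__":
    lb = build_sample_cluster()
    print("config problems:", lb.validate_config())
    first = lb.select_node("203.0.113.7", 51234)
    print("client pinned to", first.name)
    for _ in range(lb.max_missed_checks):
        lb.record_health_check(first.name, ok=False)
    print("after failure, client goes to", lb.select_node("203.0.113.7", 51234).name)
    print("DNAT origin:", audit_origin(lb.forward("203.0.113.7", 51234, "dnat")))
    print("SNAT origin:", audit_origin(lb.forward("203.0.113.7", 51234, "snat")))
```

Two design points are worth noting. Persistence is computed over the set of currently healthy nodes, so when a node is pulled its clients are re-hashed onto the survivor; this is only safe because cluster members replicate the same configuration over port 22, as the High Availability section requires. And the SNAT branch shows why the External Access section recommends DNAT: once the source is rewritten to the virtual IP, every audit record on the node carries the load balancer's address instead of the user's.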

Admin Console Considerations

The admin console hostname should not be resolvable via public DNS; it should only be resolvable through internal DNS (for example, split DNS).
