The Access Gateway solution is deployed within a customer's own infrastructure, in the cloud, on-premise, or in a hybrid arrangement. Okta provides it as an Open Virtual Appliance (.ova) file.
High availability is achieved through the use of a load balancer. We recommend that the Access Gateway replication configuration for the load balancer use DNAT and session persistence via a hash of source IP address and source port. Additionally, the load balancer should perform health checks via ICMP or HTTPS with HTTP keepalives enabled for a duration that exceeds the health check interval.
Access Gateway uses the term node to refer to an instance of the gateway that shares the same configuration as its peers. Access Gateway nodes typically serve as fallbacks for each other. A group of Access Gateway instances within a given infrastructure is referred to as a cluster. For the Access Gateway instances to replicate their configuration correctly, all instances within the cluster must be able to communicate with each other. Okta Access Gateway cluster members communicate using port 22. See the Firewall Rules section in Prerequisites for Deploying Access Gateway for details about the required ports.
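As an added example (not Okta's code or configuration), the Python model below captures the load-balancing behaviour described above: each client flow is keyed by its source IP address and source port, hashed, and pinned to one Access Gateway node, and only nodes currently passing their health check are eligible, so the remaining nodes act as fallbacks. It assumes rendezvous hashing for node selection, which the page does not specify; the node names and client addresses are constructed.

```python
import hashlib
import ipaddress
from typing import Iterable, Optional


class HashPersistenceBalancer:
    """Model of the recommended scheme: a flow's (source IP, source port)
    pair is hashed and pinned to one gateway node; only nodes that pass
    their health check are eligible.

    Assumption (not stated on the page): rendezvous (highest-random-weight)
    hashing is used, so when one node fails only the flows that were on that
    node move and every other flow keeps its node."""

    def __init__(self, nodes: Iterable[str]) -> None:
        self.healthy = {node: True for node in nodes}

    def set_health(self, node: str, ok: bool) -> None:
        """Record the load balancer's latest health-check result for a node."""
        self.healthy[node] = ok

    @staticmethod
    def _flow_key(src_ip: str, src_port: int) -> bytes:
        # Canonical bytes for the flow: packed address (v4 or v6) + 16-bit port.
        return ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")

    def select(self, src_ip: str, src_port: int) -> Optional[str]:
        """Return the node that should receive this flow, or None if none is healthy."""
        key = self._flow_key(src_ip, src_port)
        best, best_score = None, -1
        for node, ok in self.healthy.items():
            if not ok:
                continue
            digest = hashlib.sha256(node.encode() + b"|" + key).digest()
            score = int.from_bytes(digest[:8], "big")
            if score > best_score:
                best, best_score = node, score
        return best


def constructed_demo() -> dict:
    """Constructed sample: three nodes, three flows, then node-1 fails its check."""
    lb = HashPersistenceBalancer(["oag-node-1", "oag-node-2", "oag-node-3"])
    # Same client IP on two source ports may land on different nodes, which is
    # why every node in the cluster must hold the same replicated configuration.
    flows = [("203.0.113.10", 51234), ("203.0.113.10", 51235), ("198.51.100.7", 40000)]
    before = {flow: lb.select(*flow) for flow in flows}
    lb.set_health("oag-node-1", False)
    after = {flow: lb.select(*flow) for flow in flows}
    return {"before": before, "after": after}
```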
Please contact Okta Support if you require any additional details or information on load balancing and high availability techniques.
Disaster recovery (DR) can be achieved by leveraging Global Server Load Balancing (GSLB) or by modifying public and private IP address assignments in the event of a disaster. Note that the protected applications must themselves be available as part of the disaster recovery solution, and that the Access Gateway must have access to the protected disaster recovery applications.
All external (internet-based) end users must have access to both the primary production and disaster recovery solutions. DNAT is recommended so that the Access Gateway can record the true origin of each user accurately in its audit logs.
Admin Console Considerations
The admin console hostname should not be resolvable via public DNS; it should be resolvable only through internal DNS (for example, split DNS).