Prerequisites for deploying Access Gateway

Okta Access Gatewayis built and designed to run in an on-premise or in a customer IaaS environment. There are several networking ports that must be enabled to Allow Access Gatewayto accept incoming requests, proxy those requests to applications, provide administrative interfaces and to allow Access Gatewayto communicate with Okta, and Syslog Servers.

This page outlines the required information that must be completed prior to installing Okta Access Gateway in a customer environment.

See Supported technologies for more information on supported applications and technologies.

Topics:

 

Underlying hardware

Okta Access Gateway was built to use the SSE4.2 extensions to the x64 instruction set, which were made available with the Intel® Nehalem and AMD Bulldozer microarchitectures. The server that runs Access Gateway must support that instruction set at least.

Okta org

The Access Gateway configuration process requires a super admin account to configure your tenant as the identity provider.

See Configure your Okta tenant as an Identity Provider.

Firewall and access requirements

Ports and protocols

Access Gateway requires various ports and protocols to be open for use.
The following table describes all required accesses.

Description Inbound/
Outbound
Protocol Port

Comments

Okta tenant API access Outbound TCP/HTTPS 443

Your Okta tenant IP addresses could change. If you require specific IP address ranges to use as part of your firewall ACL, please see Implementation.

Access Gateway updates Outbound TCP/HTTPS 443

If you require finer controls to yum.oag.okta.com, you can be configure access via IP address.

IP Addresses may be determined using a tool such as NSLookup.

Caution

Okta reserves the right to change the IP address(es) associated with Access Gateway updates, vpn and similar services at any time. It is recommended that you confirm specific IP addresses with Okta support.

Integrated applications Outbound TCP/HTTPS <application ports>

Access Gateway communication to the protected application.

Access Gateway Admin UI console and apps

Inbound

TCP/HTTPS

443

All end users must be able to access Access Gateway directly using port 443 if it's acting as an internet-facing reverse proxy or deployed in the DMZ.

SSH management

Inbound/
Outbound

TCP/SSH

22

OPTIONAL – Internal SSH access to each node for access to the Access Gateway Management console.
By default, access to the management console is only allowed via the virtual environment console.
It is highly discouraged to open port 22 to general internet traffic.

Access Gateway High Availability

Inbound/
Outbound

TCP/SSH

22

Internal bi-directional communication between Access Gateway nodes for configuration replication.

Access Gateway High Availability

Worker to admin

TCP/HTTPS

443

During initial configuration of high availability Access Gateway worker instances communicate using HTTPS over port 443 to the Access Gateway admin.

NTP

Outbound

TCP

123

Network time and date synchronization.

Support connection

Outbound

TCP

443

If you require finer controls to vpn.oag.okta.com and support.oag.okta.com, you can be configure access via IP address.

IP Addresses may be determined using a tool such as NSLookup.

Caution

Okta reserves the right to change the IP address(es) associated with Access Gateway updates, vpn and similar services at any time. It is recommended that you confirm specific IP addresses with Okta support.

Syslog

Outbound

Syslog TCP

Customer supplied

Event log forwarding to a Syslog or similar solution.

Access Gateway to the Key Distribution Center (KDC) Outbound TCP/UDP 88

 

Access Gateway to DNS Outbound TCP/UDP 53

 

Application specific access

Depending on applications Access Gateway may require the following access:

Description Inbound/
Outbound
Protocol Port

Access Gateway to Data store

Outbound

LDAP/ODBC

Customer supplied (For example: 389/636)

Oracle E-Business Rapid SSO

Outbound

TCP/JDBC/SQL

Customer supplied (For example: 1521)

General Site Accessibility

In general, the following must be reachable from Access Gateway appliance:

URL Description

vpn.oag.okta.com

Support VPN

yum.oag.okta.com

Update support

www.okta.com

Network testing

{client tenant}.okta.com

Client specific Okta tenant

Load balancer

If the Access Gateway is installed in a high availability configuration, your organization must provide a load balancer. The load balancer can balance traffic using the Source Network Address Translation (SNAT) or Dynamic Network Address Translation (DNAT) and should be configured to balance through a hash of the source port and IP address. See Example architecture.