Deploy Access Gateway

Deployment is the process of downloading and installing the Access Gateway Virtual application. Typically, Access Gateway is deployed using an architecture similar to that shown in the Access Gateway Architecture diagram. However the use of high availability is not required. Note that Access Gateway instances must be hosted in a virtual environment.

Access Gateway High Availability architecture

Before deploying an instance of the Access Gateway OVA, review the following:

  • Prerequisites - Ensure all prerequisite requirements are met before deploying an instance of Access Gateway.
  • - Select from the supported Virtual Machine Environments.
  • Deploy Access Gateway - Deploy Access Gateway to the selected environment. Deployment involves the download, configuration and deployment of the Access Gateway Virtual Appliance into a select Virtual Machine environment.


Ensure that:

  • You review all Prerequisites for deploying Access Gateway.
  • Access Gateway is resolvable using DNS and is required to have a hostname assigned in DNS.
  • The static IP Address - Access Gateway requires a static IP address and does not leverage DHCP.
  • You have a DNS Server and DNS Hostname (FQDN). Access Gateway must be resolvable using a DNS solution that end users leverage. If end users originate from the internet, the Access Gateway solution must be publicly resolvable. It is recommended that split DNS be leveraged so that internal users connect to an internal IP address and external users connect to a public IP address.


The FQDNs for all applications integrated with the Access Gateway must be resolvable in DNS.


Deploy to VMWare vSphere

In this section, we examine the process for deploying Access Gateway to Deploy to VMWare vSphere
Access Gateway can be deployed to any of the environments described in the Supported deployment environments list.

Download the latest OVA image

To download the latest Okta Access Gateway OVA Image:

  1. Sign in to your Okta Org as an admin.

  2. Download the Okta Access Gateway image from the Settings > Downloads page.

  3. When prompted save the OVA file to an appropriate location.

To Import to VMWare ESXi/vSphere:



Older versions of VMWare ESXi (before 6.5), vSphere, and vSphere Client don't support SHA-256OVF files.
To convert from SHA256 to SHA1

$ ovftool --shaAlgorithm=SHA1 /path/to/the/original/ova_file.ova /path/to/the/new/ova/file-SHA1.ova
  1. Download and install VMware vSphere Client from the ESXi/vSphere server.

  2. Open VMware vSphere Client.

  3. Enter the server name or IP address and credentials in the respective fields and click Login.


  4. In the vSphere Client window, select File > Deploy OVF Template.


  5. In the Deploy OVF Template window, click Browse.

  6. Select the Okta-Access Gateway OVA file, and click Open.


  7. Click Next.

  8. Review the template details provided, and click Next.

  9. When prompted to accept the Access Gateway License agreement, click Accept and then click Next.

  10. Enter a name for the Access Gateway template and click Next.


  11. On the next page, select a storage location and click Next.


  12. Select the appropriate disk format option based on your requirements and click Next.


  13. Click Finish.

    vSphere Client begins the deployment process.

  14. Click Close when the deployment is complete.

  15. In the vSphere Client window, click Inventory.


  16. Select the Virtual Machines tab to display the VMs that are currently deployed to the server.

  17. Select the Access Gateway VM and click Power On (symbolized by a play icon) in the toolbar.


  18. Right-click the VM and click Open Console to sign in to the VM.


Perform required post deployment configuration tasks

All Access Gateway deployments require a set of common tasks:

Task Description Related Topics

First sign in

Reset the Access Gateway Management console password.
Reset the virtual appliance at the command line.

[Optional but recommended]
Specify the hostname

Access Gateway defaults to a known gateway hostname which can be changed.

[Optional] Specify a fixed IP address

Many installations require Access Gateway to use a fixed known IP address.

[Optional] Specify DNS servers

Many installations use a split DNS process where multiple DNS servers are required.

[Optional] Specify proxy

Some installations require a proxy server for Access Gateway

Determine the IP Address assigned and configure DNS Determine Access Gateway IP address.

Configure required /etc/hosts admin entry.
Configure required DNS entries.
Initialize Access Gateway

Initialize the cookie domain and instance hostname.

Configure an identity provider

Configure Okta tenant as an identify provider.

Configure SAML access to Access Gateway from your Okta tenant

Configure Okta tenant to allow access to Access Gateway using SAML.

Important Note


When creating a set of Access Gateway nodes for use in a high availability cluster, ensure that nodes are named appropriately.
Also, node names must be resolvable between Access Gateway instances before configuring high availability.

Supported deployment environments