Deploy Access Gateway

Deployment is the process of downloading and installing the Access Gateway Virtual application. Typically, Access Gateway is deployed using an architecture similar to that shown in the Access Gateway Architecture diagram. However the use of high availability is not required. Note that Access Gateway instances must be hosted in a virtual environment.

Access Gateway High Availability architecture


Ensure that:

  • You review all Prerequisites for deploying Access Gateway.
  • Access Gateway is resolvable using DNS and is required to have a hostname assigned in DNS.
  • The static IP Address - Access Gateway requires a static IP address and does not leverage DHCP.
  • You have a DNS Server and DNS Hostname (FQDN). Access Gateway must be resolvable using a DNS solution that end users leverage. If end users originate from the internet, the Access Gateway solution must be publicly resolvable. It is recommended that split DNS be leveraged so that internal users connect to an internal IP address and external users connect to a public IP address.


The FQDNs for all applications integrated with the Access Gateway must be resolvable in DNS.


Deploy to VMWare vSphere

In this section, we examine the process for deploying Access Gateway to Deploy to VMWare vSphere
Access Gateway can be deployed to any of the environments described in the Supported deployment environments list.

Download the latest OVA image

To download the latest Okta Access Gateway OVA Image:

  1. Sign in to your Okta Org as an admin.

  2. Download the Okta Access Gateway image from the Settings > Downloads page.

  3. When prompted save the OVA file to an appropriate location.

To Import to VMWare ESXi/vSphere:



Older versions of VMWare ESXi (before 6.5), vSphere, and vSphere Client don't support SHA-256OVF files.
To convert from SHA256 to SHA1

$ ovftool --shaAlgorithm=SHA1 /path/to/the/original/ova_file.ova /path/to/the/new/ova/file-SHA1.ova
  1. Download and install VMware vSphere Client from the ESXi/vSphere server.

  2. Open VMware vSphere Client.

  3. Enter the server name or IP address and credentials in the respective fields and click Login.


  4. In the vSphere Client window, select File > Deploy OVF Template.


  5. In the Deploy OVF Template window, click Browse.

  6. Select the Okta-Access Gateway OVA file, and click Open.


  7. Click Next.

  8. Review the template details provided, and click Next.

  9. When prompted to accept the Access Gateway License agreement, click Accept and then click Next.

  10. Enter a name for the Access Gateway template and click Next.


  11. On the next page, select a storage location and click Next.


  12. Select the appropriate disk format option based on your requirements and click Next.


  13. Click Finish.

    vSphere Client begins the deployment process.

  14. Click Close when the deployment is complete.

  15. In the vSphere Client window, click Inventory.


  16. Select the Virtual Machines tab to display the VMs that are currently deployed to the server.

  17. Select the Access Gateway VM and click Power On (symbolized by a play icon) in the toolbar.


  18. Right-click the VM and click Open Console to sign in to the VM.


Perform required post deployment configuration tasks

All Access Gateway deployments require a set of common tasks:

Task Description Related Topics

First sign in

  • Reset the Access Gateway Management console password.
  • Reset the virtual appliance at the command line.

[Optional but recommended]
Specify the hostname

  • Access Gateway defaults to a known gateway hostname which can be changed.

[Optional] Specify a fixed IP address

  • Many installations require Access Gateway to use a fixed known IP address.

[Optional] Specify DNS servers

  • Many installations use a split DNS process where multiple DNS servers are required.

[Optional] Specify proxy

  • Some installations require a proxy server for Access Gateway
Determine the IP Address assigned and configure DNS
  • Determine Access Gateway IP address.

  • Configure required /etc/hosts admin entry.
  • Configure required DNS entries.

First login to the Access Gateway Admin UI console

  • Connect to the Access Gateway Admin UI console and reset the default password.

  • First sign in to Access Gateway Admin UI console
Initialize Access Gateway
  • Initialize the cookie domain and instance hostname.
Configure an identity provider
  • Configure Okta tenant as an identify provider.

Configure SAML access to Access Gateway from your Okta tenant

  • Configure Okta tenant to allow access to Access Gateway using SAML.

Review security best practices

  • Examine and execute a set of common Access Gateway security best practices.

Important Note


When creating a set of Access Gateway nodes for use in a high availability cluster, ensure that nodes are named appropriately.
Also, node names must be resolvable between Access Gateway instances before configuring high availability.

Supported deployment environments