Deploy Access Gateway

Deployment is the process of downloading and installing the Access Gateway Virtual application. Typically Access Gateway is deployed using an architecture similar to that shown in the Access Gateway Architecture diagram. However the use of High Availability is not required. Note that Access Gateway instances must be hosted in a virtual environment.

Access Gateway High Availability architecture

Before deploying an instance of the Access Gateway OVA, review the following:

  • Prerequisites - Ensure all prerequisite requirements are met before deploying an instance of Access Gateway.
  • Virtual Environments - Select from the supported Virtual Machine Environments.
  • Deploy Access Gateway - Deploy Access Gateway to the selected environment. Deployment involves the download, configuration and deployment of the Access Gateway Virtual Appliance into a select Virtual Machine environment.

Prerequisites

  • You have reviewed all Prerequisites for deploying Access Gateway.
  • Access Gateway must be resolvable via DNS and is required to have a hostname assigned in DNS.
  • Static IP Address - Access Gateway requires a static IP address and does not leverage DHCP.
  • DNS Server and DNS Hostname (FQDN) - Access Gateway must be resolvable via a DNS solution that end users leverage. If end users will be originating from the internet, the Access Gateway solution must be publicly resolvable. It is recommended that split DNS be leveraged so that internal users connect to an internal IP address and external users connect to a public IP address.
Info

Note

The FQDNs for all applications integrated with the Access Gateway must be resolvable in DNS.

 

Deploy to VMWare vSphere

In this section, we examine the process for deploying Access Gateway to Deploy to VMWare vSphere
Access gateway can be deployed to any of the environments described in the Supported deployment environments list.

Download the latest OVA image

To download the latest Okta Access Gateway OVA Image:

  1. Login to your Okta Org as Admin.

  2. Download the Okta Access Gateway image from the Settings > Downloads page.

  3. When prompted save the OVA file to an appropriate location.

To Import to VMWare ESXi/vSphere:

Note: Older versions (before 6.5) of VMWare ESXi, vSphere and vSphere Client do not support SHA-256OVF Files.
To Convert from SHA256 to SHA1

$ ovftool --shaAlgorithm=SHA1 /path/to/the/original/ova_file.ova /path/to/the/new/ova/file-SHA1.ova

  1. Download and install VMware vSphere Client from the ESXi/vSphere server.

  2. Open VMware vSphere Client.

  3. Enter the server name or IP address and credentials in the respective fields, and click Login.

    spgw-setup-using-ovf-07.png

  4. In the vSphere Client window, select File > Deploy OVF Template.

    spgw-setup-using-ovf-08.png

  5. In the Deploy OVF Template window, click Browse.

  6. Select the Okta-Access Gateway OVA file, and click Open.

    spgw-setup-using-ovf-10.png

  7. Click Next.

  8. Review the template details provided, and click Next.

  9. When prompted to accept the Access Gateway License agreement. Click Accept and then click Next.

  10. Enter a name for the Access Gateway template, and click Next.

    spgw-setup-using-ovf-14.png

  11. On the next page, select a storage location, and click Next.

    spgw-setup-using-ovf-15.png

  12. Select the appropriate disk format option based on your requirements, and click Next.

    spgw-setup-using-ovf-16.png

  13. Click Finish.

    vSphere Client will begin the deployment process.

  14. Click Close in the confirmation dialog box when the deployment is complete.

  15. In the vSphere Client window, click Inventory.

    spgw-setup-using-ovf-20.png

  16. Select the Virtual Machines tab to display the VMs that are currently deployed to the server.

  17. Select the Access Gateway VM, and click Power On (symbolized by a green play icon) in the toolbar.

    spgw-setup-using-ovf-21.png

  18. Right-click the VM, and click Open Console to log in to the VM.

    spgw-setup-using-ovf-22.png

Perform required post deployment configuration tasks

All deployments of Access Gateway require a set of common tasks including:

Task Description Related Topic(s)

First Login

Reset the Access Gateway Management console password.
Reset the virtual appliance at the command line.

First login to Command Line Console
Initialize Access Gateway Command line

Determine the IP Address assigned and configure DNS Determine Access Gateway IP address.

Configure required /etc/hosts admin entry
Configure required DNS entries.
Determine Access Gateway IP address, for non-AWS instances.
Configure Admin /etc/hosts entry
Configure Access Gateway DNS
Initialize Access Gateway

Initialize the cookie domain and instance hostname.


Initialize Access Gateway Console
Configure an identity provider

Configure Okta tenant as identify provider

Setup SAML Access.

Configure your Okta tenant as an Identity Provider

Configure SAML access to Access Gateway from your Okta tenant

Configure Okta Tenant to allow access to Access Gateway using SAML.

Configure Administration Access using SAML

Important Note

Important

When creating a set of Access Gateway nodes, for use in a High Availability Cluster, care should be taken to name the nodes appropriately.
Note also, node names must be resolvable between Access Gateway instances before configuring High Availability.

Supported deployment environments