Prerequisites for Deploying Access Gateway

This section outlines the information that must be gathered and the prerequisites that must be met before Okta Access Gateway is installed in a customer environment.

Okta org

The Access Gateway configuration process requires a super admin account (an administrator with access to the Okta Administrator Dashboard) to configure your Okta tenant as the identity provider (IdP). See Configure your Okta tenant as an Identity Provider for details of configuring your Okta tenant as the IdP for Access Gateway.

Firewall Rules

Access Gateway requires network access to the applications it is integrated with. Additionally, end users (the people who sign in through Okta to reach their apps) require network access to Access Gateway on TCP 443 (HTTPS).

Path                                     Direction / protocol / port
Access Gateway to Okta                   Outbound HTTPS, TCP 443, to your Okta org (IDaaS) domain (fully qualified, without the https:// scheme)
Access Gateway update                    Outbound HTTPS, TCP 443
Access Gateway to applications           Outbound HTTPS, TCP 443
End users to Access Gateway              Inbound TCP 443
Management, configuration replication    TCP 22
Support connection                       Outbound TCP 443

Note: All end users must be able to reach Access Gateway directly on TCP 443 when it acts as an internet-facing reverse proxy or is deployed in the DMZ.
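The rule table above is easy to verify before cut-over with a TCP connect check from the host (or subnet) where the Access Gateway node will live, so that the checks traverse the same firewall path the appliance will use. The following preflight script is an added example, not Okta's code: it expands the outbound rows into concrete (host, port) checks and reports the ones a firewall still blocks. The org domain, application hosts and peer node names in it are placeholders; the page does not name the update or support endpoints, so those are left for the caller to add as extra Targets. The connector is injectable so the logic can be exercised without network access.

```python
"""Firewall preflight for an Access Gateway node (added example, not Okta's code)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A connector returns None when the TCP handshake completes and an error
# string otherwise, so the checks can be driven by a real socket or a stub.
Connector = Callable[[str, int, float], Optional[str]]
Key = Tuple[str, str, int]


@dataclass(frozen=True)
class Target:
    purpose: str   # row of the firewall table this check covers
    host: str
    port: int


def tcp_connect(host: str, port: int, timeout: float) -> Optional[str]:
    """Complete a TCP handshake and close. This proves the firewall passes
    the port; it does not validate TLS, so a transparent proxy or captive
    portal will also look 'open' here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return f"{exc.__class__.__name__}: {exc}"


def build_targets(okta_domain: str,
                  app_hosts: Iterable[str],
                  peer_nodes: Iterable[str] = ()) -> List[Target]:
    """Expand the outbound rows of the firewall table into concrete checks.
    Inbound TCP 443 from end users is checked from a client host instead
    (see check_inbound). Update and support endpoints are not named on the
    page; append your own Target entries for them."""
    targets = [Target("Access Gateway to Okta", okta_domain, 443)]
    targets += [Target("Access Gateway to application", h, 443) for h in app_hosts]
    targets += [Target("Management, configuration replication", h, 22) for h in peer_nodes]
    return targets


def run_preflight(targets: Iterable[Target],
                  connect: Connector = tcp_connect,
                  timeout: float = 3.0) -> Dict[Key, Optional[str]]:
    """Run every check once; the value is None for an open path, else the error."""
    return {(t.purpose, t.host, t.port): connect(t.host, t.port, timeout) for t in targets}


def failures(results: Dict[Key, Optional[str]]) -> Dict[Key, str]:
    """Only the rows that still need a firewall change."""
    return {k: v for k, v in results.items() if v is not None}


def check_inbound(gateway_host: str,
                  connect: Connector = tcp_connect,
                  timeout: float = 3.0) -> Optional[str]:
    """Run from an end-user network: verifies the inbound TCP 443 row."""
    return connect(gateway_host, 443, timeout)


if __name__ == "__main__":
    # Placeholder names (assumptions): replace with your org domain,
    # the hosts of the protected applications and the cluster peer nodes.
    targets = build_targets("your-org.okta.com",
                            ["app1.internal.example", "app2.internal.example"],
                            peer_nodes=["gw-worker-1.internal.example"])
    for (purpose, host, port), err in run_preflight(targets).items():
        status = "open" if err is None else f"BLOCKED ({err})"
        print(f"{purpose:40} {host}:{port:<5} {status}")
```

Run the script once from the Access Gateway subnet for the outbound rows and call check_inbound from an end-user network (or from the internet, for a DMZ deployment) for the inbound row. A successful connect only proves the port is reachable; the TLS handshake and the Okta IdP configuration are verified separately during setup.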


Appliance Virtual Hardware Specifications

This section outlines the suggested virtual hardware specifications to allocate for Access Gateway. Each subsection gives the specifications for a different use case and set of requirements.

To help with sizing, gather the following details for each protected application and discuss them with your deployment partner to determine the proper appliance size.

  • Application Name
  • Estimated number of users per day
  • Estimated total number of users
  • Application Usage, for example, Light / Moderate / Heavy
  • High Availability Required? Yes / No
  • Disaster Recovery Required? Yes / No
  • Estimated average authentication requests per day
  • Estimated peak authentication requests per day
  • Estimated average session duration
  • Is there a time of year when usage peaks?
  • If yes, when and approximately how many authentications per hour?
  • Projected user growth


On-Premise (Self-hosted virtualization)

Installation   Cores   NIC                 Memory   Storage
POC            2       Single 1 Gbps NIC   4 GB     20 GB
Minimal        2       Single 1 Gbps NIC   8 GB     20 GB
Medium         4       Single 1 Gbps NIC   8 GB     40 GB
Large          8       Single 1 Gbps NIC   16 GB    40 GB

Amazon Web Services (AWS) Instance Sizing

Installation   Instance type
POC            t2.medium
Minimal        t2.medium
Medium         m4.large
Large          m4.xlarge

Load Balancer

If Access Gateway is installed in a high availability configuration, your organization must provide a load balancer. The load balancer can operate in SNAT or DNAT mode and should distribute connections using a hash of the source IP address and source port, so that a client's connections keep landing on the same node. Note that in SNAT mode Access Gateway sees the load balancer's address as the client source address, so the original client address is only available to it if the load balancer forwards it. Also see Example Architecture.
