Prerequisites for Deploying Access Gateway

This section lists the information that must be gathered and the conditions that must be met before Okta Access Gateway is installed in a customer environment.

Okta org

The Access Gateway installation process requires two pieces of information from your Okta org (the Okta container that represents a real-world organization):

  • Okta Org name
  • API token

The Okta org name is used to connect to your Okta org so that applications created in the Access Gateway Admin UI can be provisioned in Okta automatically. (An Okta admin is an administrator with access to the Okta Administrator Dashboard, who controls user provisioning and deprovisioning, app assignment and password resets.)

The API token is used to authenticate Access Gateway to your Okta org. It is a bearer credential: anyone holding it can act with the privileges of the administrator who issued it, so handle and store it with the same care as an administrator password.

Networking

Access Gateway must have a hostname (FQDN) assigned in DNS and must be resolvable through DNS by the users who will reach it.

  • Static IP Address
  • DNS Server
  • DNS Hostname (FQDN)

Access Gateway must run on a static IP address and does not use DHCP in normal operation. (DHCP is used only while the appliance is first being installed; see Access Gateway Appliance Deployment.)

Access Gateway must be resolvable by the DNS service that end users use. (In Okta literature, "end users" are the people who sign in to their own Okta home page, My Applications, and launch their apps from there; they have no administrative control.) If end users will connect from the internet, the Access Gateway hostname must be publicly resolvable. Split DNS is recommended, so that internal users resolve the hostname to an internal IP address and external users resolve it to a public IP address.

Note

All applications integrated with the Access Gateway will be served on the domain that constitutes the FQDN (for example, a gateway named gw.example.com serves its applications under example.com). A domain is an attribute of an Okta organization; Okta uses a fully-qualified domain name, which always includes the top-level domain (.com, .eu, etc.) but never the protocol (https). Plan application hostnames and certificates with this in mind.

Firewall Rules

Access Gateway requires networking access to the applications to which it is integrated. Additionally, end users require networking access to the Access Gateway on TCP 443 (HTTPS).

Path                                        Direction / protocol / port
Access Gateway to Okta                      Outbound HTTPS, TCP 443 (your IDaaS domain)
Access Gateway to private Okta Yum repos    Outbound HTTPS, TCP 443
Access Gateway to applications              Outbound HTTPS, TCP 443
Browser to Access Gateway                   Inbound TCP 443
Management, configuration replication       TCP 22 (between Access Gateway nodes)
Support connection                          Outbound TCP 443
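The Networking and Firewall Rules prerequisites above can be checked before the appliance is deployed. The following preflight script is an added example, not Okta's tooling: it verifies that the gateway FQDN resolves to the static address you assigned, that each planned application name sits under the gateway's domain, and that the TCP 443 and TCP 22 paths from the table are open. The host names, addresses and the SAMPLE_* fixture are constructed placeholders so the script runs offline; for a live run, call run_preflight() with the default resolver and connector from the host that will become the gateway.

```python
"""Offline-testable preflight checks for an Access Gateway deployment.

Added example, not Okta's own tooling. It mirrors the Networking and
Firewall Rules prerequisites: the gateway FQDN must resolve to its static
address, protected application names must sit under the gateway's domain,
and the TCP 443 / TCP 22 paths must be open. All host names and addresses
here are constructed placeholders (assumptions), not real infrastructure.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], str]          # hostname -> IPv4 string; raises OSError on failure
Connector = Callable[[str, int], bool]   # (host, port) -> True if a TCP connect succeeds


def default_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real TCP probe: True on connect, False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed fixture so the script runs offline; swap in the real functions for a live run.
SAMPLE_DNS = {"gw.example.com": "10.0.0.10", "gw2.example.com": "10.0.0.11"}
SAMPLE_REACHABLE = {("example.okta.com", 443), ("app1.internal", 443), ("gw2.example.com", 22)}


def sample_resolver(host: str) -> str:
    if host in SAMPLE_DNS:
        return SAMPLE_DNS[host]
    raise OSError(f"constructed NXDOMAIN for {host}")


def sample_connector(host: str, port: int) -> bool:
    return (host, port) in SAMPLE_REACHABLE


def resolve(host: str, resolver: Resolver) -> Optional[str]:
    try:
        return resolver(host)
    except OSError:
        return None


def parent_domain(fqdn: str) -> str:
    """gw.example.com -> example.com: the domain the protected applications are served on."""
    return fqdn.split(".", 1)[1] if "." in fqdn else fqdn


def run_preflight(gateway_fqdn: str, gateway_static_ip: str, okta_org: str,
                  app_hosts: List[str], app_public_names: List[str], peer_nodes: List[str],
                  resolver: Resolver = socket.gethostbyname,
                  connector: Connector = default_connect) -> Dict[str, Tuple[bool, str]]:
    """Return {check name: (passed, detail)}, one entry per prerequisite probed."""
    results: Dict[str, Tuple[bool, str]] = {}

    # Networking: the gateway FQDN must resolve, and to the static address we assigned it.
    ip = resolve(gateway_fqdn, resolver)
    if ip is None:
        results["dns:gateway"] = (False, f"{gateway_fqdn} does not resolve")
    elif ip != gateway_static_ip:
        results["dns:gateway"] = (False, f"{gateway_fqdn} -> {ip}, expected {gateway_static_ip}")
    else:
        results["dns:gateway"] = (True, f"{gateway_fqdn} -> {ip}")

    # Applications are served on the gateway's domain: flag public names outside it early.
    domain = parent_domain(gateway_fqdn)
    for name in app_public_names:
        ok = name.endswith("." + domain)
        results[f"dns:app-name:{name}"] = (ok, "in gateway domain" if ok else f"not under {domain}")

    # Firewall: outbound HTTPS to the Okta org and to every protected application backend.
    results["tcp:okta:443"] = (connector(okta_org, 443), f"{okta_org}:443")
    for host in app_hosts:
        results[f"tcp:app:{host}:443"] = (connector(host, 443), f"{host}:443")

    # Firewall: peer nodes must accept TCP 22 for management and configuration replication.
    for node in peer_nodes:
        results[f"tcp:peer:{node}:22"] = (connector(node, 22), f"{node}:22")

    return results


def all_passed(results: Dict[str, Tuple[bool, str]]) -> bool:
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    report = run_preflight("gw.example.com", "10.0.0.10", "example.okta.com",
                           ["app1.internal", "app2.internal"],
                           ["app1.example.com", "legacy.corp.net"],
                           ["gw2.example.com"],
                           resolver=sample_resolver, connector=sample_connector)
    for check, (ok, detail) in report.items():
        print(f"{'PASS' if ok else 'FAIL'}  {check:36s} {detail}")
    raise SystemExit(0 if all_passed(report) else 1)
```

Run it once from the internal network and once from an external vantage point: with split DNS configured, the dns:gateway line should show the internal address in the first run and the public address in the second, so pass gateway_static_ip accordingly. The constructed fixture deliberately leaves app2.internal unreachable and puts legacy.corp.net outside the gateway domain so that the report shows what a failed prerequisite looks like.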


Access Gateway Appliance Deployment

Access Gateway is delivered as a soft (virtual) appliance. Okta Professional Services or your deployment partner will provide the information needed to deploy it. DHCP is required only during the initial installation, so that the appliance can come up and be given the static IP address described under Networking.

Appliance Virtual Hardware Specifications

This section outlines the suggested virtual hardware specifications allocated for the Access Gateway. Each sub-section details different specifications depending on the use case and requirements for the Access Gateway.

To help with sizing, the following details should be gathered for each protected application and discussed with your deployment partner to help determine the proper appliance size.

  • Application Name
  • Estimated number of users per day
  • Estimated total number of users
  • Application Usage, for example, Light / Moderate / Heavy
  • High Availability Required? Yes / No
  • Disaster Recovery Required? Yes / No
  • Estimated average authentication requests per day
  • Estimated peak authentication requests per day
  • Estimated average session duration
  • Is there a time of year when usage peaks?
  • If yes, when and approximately how many authentications per hour?
  • Projected growth in user numbers


On-Premise (Self-hosted virtualization)

Installation   Cores   NIC                 Memory   Storage
POC            2       Single 1 Gbps NIC   4 GB     20 GB
Minimal        2       Single 1 Gbps NIC   8 GB     20 GB
Medium         4       Single 1 Gbps NIC   8 GB     40 GB
Large          8       Single 1 Gbps NIC   16 GB    40 GB

Amazon Web Services (AWS) Instance Sizing

Installation   Instance Type
POC            t2.medium
Minimal        t2.medium
Medium         m4.large
Large          m4.xlarge

Access Gateway Deployment in Amazon Web Services (AWS)

If you are installing the Access Gateway in Amazon Web Services (AWS), please share your AWS account number with Okta Professional Services or your delivery partner. Okta or your delivery partner will then share the AWS AMI image with your organization.

Load Balancer

If Access Gateway is installed in a high availability configuration, your organization must provide a load balancer. The load balancer can operate in SNAT or DNAT mode and should distribute connections using a hash of the client's source IP address and source port, so that a given client is consistently sent to the same Access Gateway node. Also see Example Architecture.
