Protected application reference architectures

When integrating applications with Access Gateway there are a number of ways to ensure that back end resources are not only protected but also inaccessible from the normal external internet. The following architectures describe different methods that can be used to ensure that protected web resources are not accessible from the internet.

Approach

When integrating applications into Access Gateway, consider the following:

  • DNS: how will DNS be served to Access Gateway?
  • How will firewalls be implemented?
  • Are there specific IP address restrictions?
  • Are there any other integration-specific requirements?


Protected application architectures

Access Gateway application integrations can be deployed in any number of possible combinations. In all architectures the URL used to access the application is the same: both internal network and external network access rely on the same application name (app.example.com).

Common application integration protection architectures include:

  • None: the initial starting point for all protected web application architectures. By definition it provides little or no protection against external access to the protected web resource.
  • Masked DNS: an expansion of the None architecture which adds a secondary internal DNS server, used by Access Gateway, that resolves the name of the protected web resource under a name different from the external application URL.
  • Firewall: an expansion of the Split DNS architecture which places firewalls in strategic places, denying routing of requests for IP addresses on the internal network.
  • Protected IP: an expansion of the Firewall architecture which adds IP address based restrictions, allowing or denying access to resources based on the requester's IP address.

Architectures are broken down into the following functional areas:

  • External internet: represents clients that access applications, and also includes your Okta org.
  • DMZ: houses an Access Gateway cluster and its associated components, allowing access to applications from the external internet.
  • Internal: the internal network houses the applications protected by Access Gateway, as well as other components required to make these applications widely available.

Note that in all architecture diagrams, dotted lines represent paths around Access Gateway, which are meant to be denied. Each architecture details the process used to deny these paths.

The None protected application Access Gateway architecture isn't really a protected architecture at all. It represents a baseline, or starting point, after an application is integrated with Access Gateway but before any steps are taken to deny direct access to the backing protected web resource.
In this architecture, a single application, referred to as the protected web resource, is served to requesting clients using Access Gateway. All URLs (Access Gateway and the backing protected web resource) are typically resolvable using a single DNS server and accessible to all.

This architecture meets the following requirements:

  • No specialized configuration.
  • URLs (Access Gateway and application) are entered into DNS but no further action is taken.
  • Can be used as a baseline for testing and development.

Benefits and drawbacks

Benefits
  • Simple installation
  • Baseline for testing, proof of concept, etc.

Drawbacks
  • Little or no protection against direct access to the protected web resource
  • Protected web resource reachable from the external internet by name or IP
  • Protected web resource reachable from the internal network by name or IP

Architecture

In this architecture, external clients can access the application directly if they know the internal URL or IP. Likewise, internal network clients can also access the application directly. In the diagram, neither dotted access path is blocked.

Components

External internet
  • External URL: External URL used by clients to access Access Gateway on behalf of the protected web resource.
  • DNS: DNS server providing DNS resolution for both the external URL and the internal (protected web resource) URL.

DMZ
  • Access Gateway: Access Gateway cluster, located in the DMZ, used to provide access to applications for external internet clients. Typically hosted in a virtual environment such as Amazon Web Services, MS Azure, Oracle OCI or something similar. See Manage Access Gateway deployment.

Internal network
  • Internal URL: Internal URL, represented by the protected web resource in Access Gateway.
  • Application: Protected web resource (application)

The Masked DNS protected application Access Gateway architecture is the first step in isolating a protected web resource from the external internet.
In this architecture the protected web resource internal URL and the external URL are served by different DNS servers, effectively hiding or masking the actual application URL. In addition, the internal DNS server is isolated from the external web. Application users, both internal and external, use the same URL, which is directed to Access Gateway. The protected web application is then 'masked' in that only Access Gateway accesses it by its internal, or 'masked', DNS name.

Benefits and drawbacks

Benefits
  • Simple
  • Internal application URL not resolvable externally

Drawbacks
  • Protected web resource reachable from the external internet and internal network by name or IP
  • Requires a secondary (internal) DNS server

Architecture

Note that while hidden or masked, the protected web resource is still accessible by name or IP, from both the internal and external networks, if the masked DNS name or IP address is known.

Components

External internet
  • External URL: External URL used by clients to access Access Gateway on behalf of the protected web resource.
  • DNS: DNS server providing DNS resolution for the external URL.

DMZ
  • Access Gateway: Access Gateway cluster, located in the DMZ, uses multiple DNS servers to resolve internal and external URLs.

Internal network
  • Internal DNS and URL: Internal DNS server serving the internal URL representing the protected web resource in Access Gateway.
  • Application: Protected web resource (application)

The Firewall protected application Access Gateway architecture extends the Masked DNS architecture by adding firewalls between the external internet and the DMZ, and between the DMZ and the internal network.

In this architecture the protected web resource internal URL and the external URL are served by different DNS servers, with the internal DNS server isolated from the external.

This architecture meets the following requirements:

  • Protects the protected web resource by hiding the internal URL from external clients.
  • Firewalls block unauthorized requests.

Benefits and drawbacks

Benefits
  • External access denied
  • Internal application URL not resolvable externally
  • Completely isolates the protected web resource from unauthorized access

Drawbacks
  • Requires multiple firewalls (external/DMZ and DMZ/internal)
  • Requires an internal (app zone) specific firewall between the internal network and the network zone housing the protected web resource
  • Requires a secondary (internal) DNS server

Architecture

In the Firewall architecture, external access to the protected web application is denied by the external network/DMZ firewall. Additionally, internal access to the application is denied by the internal/app zone firewall. This architecture effectively shields the protected web resource from all unauthorized access.

Components

External internet
  • External URL: External URL used by clients to access Access Gateway on behalf of the protected web resource.
  • DNS: DNS server providing DNS resolution for the external URL.

Between external internet and DMZ
  • Firewall: Firewall separating the DMZ housing Access Gateway from the external internet.

DMZ
  • Access Gateway: Access Gateway cluster, located in the DMZ, uses multiple DNS servers to resolve internal and external URLs.

Between internal network and DMZ
  • Firewall: Firewall separating the DMZ housing Access Gateway from the internal network.

Internal network
  • App zone: An internal network zone where the protected web resource is housed.
  • App zone firewall: An internal firewall separating the app zone from the rest of the internal network.
  • Internal DNS and URL: Internal DNS server serving the internal URL representing the protected web resource in Access Gateway.
  • Application: Protected web resource (application)

The Protected IP protected application Access Gateway architecture extends the Firewall architecture by adding IP address specific restrictions.
In this architecture the application is only accessible from specific IP addresses or machine names, for example the members of the Access Gateway cluster.

This architecture meets the following requirements:

  • Protects the protected web resource by hiding the internal URL from external clients.
  • Firewalls block unauthorized requests.
  • Routing and IP address restrictions protect against unauthorized internal access.

Benefits and drawbacks

Benefits
  • External access denied
  • Internal application URL not resolvable externally
  • Application can be accessed only from select hosts, for example Access Gateway

Drawbacks
  • Requires multiple firewalls (external/DMZ and DMZ/internal)
  • Requires a secondary (internal) DNS server
  • Requires routing and IP address rules to allow or deny access to the protected web resource

Architecture

In this architecture, unauthorized access to the protected web application is denied by a combination of firewalls (external access) and IP address restrictions (internal access).
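As an added example (not Okta's code and not part of this page), the following Python WSGI middleware enforces the Protected IP restriction at the protected web resource itself, accepting requests only from Access Gateway cluster members. The cluster addresses are constructed placeholders and the stand-in application is hypothetical.

```python
import ipaddress
from typing import Callable, Iterable

# Constructed placeholder addresses for the Access Gateway cluster members;
# replace with the real cluster hosts or ranges (single hosts become /32s).
ACCESS_GATEWAY_CLUSTER = ("10.10.1.10", "10.10.1.11", "10.10.1.0/29")

def build_allow_list(entries: Iterable[str]) -> list:
    """Parse host and CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_allowed(remote_addr: str, allow_list: list) -> bool:
    """True only if the requester IP is in an allowed network; bad input is denied."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in allow_list)

def restrict_to_gateway(app: Callable, allow_list: list) -> Callable:
    """WSGI middleware for the protected web resource. Only REMOTE_ADDR (the TCP
    peer) counts; X-Forwarded-For is ignored since a direct client could forge it."""
    def wrapped(environ, start_response):
        if not is_allowed(environ.get("REMOTE_ADDR", ""), allow_list):
            body = b"Forbidden: direct access to this resource is not permitted\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped

def protected_web_resource(environ, start_response):  # hypothetical stand-in app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the protected web resource\n"]

def simulate_request(app: Callable, remote_addr: str) -> str:
    """Drive a WSGI app with a minimal environ and return its status line."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/",
              "REMOTE_ADDR": remote_addr}, start_response))
    return seen["status"]

guarded_app = restrict_to_gateway(protected_web_resource,
                                  build_allow_list(ACCESS_GATEWAY_CLUSTER))

if __name__ == "__main__":
    for ip in ("10.10.1.10", "10.10.1.3", "203.0.113.7", "not-an-ip"):
        print(f"{ip:>12} -> {simulate_request(guarded_app, ip)}")
```

The same check belongs on the app zone firewall or router rules as well; enforcing it in the application is a second layer, not a replacement for the network controls the architecture describes.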


Components

External internet
  • External URL: External URL used by clients to access Access Gateway on behalf of the protected web resource.
  • DNS: DNS server providing DNS resolution for the external URL.

Between external internet and DMZ
  • Firewall: Firewall separating the DMZ housing Access Gateway from the external internet.

DMZ
  • Access Gateway: Access Gateway cluster, located in the DMZ, uses multiple DNS servers to resolve internal and external URLs.

Between internal network and DMZ
  • Firewall: Firewall separating the DMZ housing Access Gateway from the internal network.

Internal network
  • Router/bridge with rules: Routing rules and IP access rules allowing or disallowing access to a specific resource (the protected web application).
  • Internal DNS and URL: Internal DNS server serving the internal URL representing the protected web resource in Access Gateway.
  • Application: Protected web resource (application)