Cloud Deployment Guides for Advanced Server Access

With Advanced Server Access, admins can deploy cloud servers as well as on-premise servers for their projects and teams. Each cloud provider supports a different subset of Advanced Server Access features, so use the tables below both as an index of deployment guides and as a reference for which features are supported in each environment.

Amazon Web Services Deployment Guides

  • Deploy an Ubuntu/Debian Server for AWS with User Data and a Linked Cloud Account
  • Deploy an Ubuntu/Debian Server for AWS with User Data and an Enrollment Token
  • Deploy an Ubuntu/Debian Server for AWS with Terraform and an Enrollment Token

Google Cloud Platform Deployment Guides

  • Deploy an Ubuntu/Debian Server for GCP with Terraform and an Enrollment Token
  • Deploy an Ubuntu/Debian Server for GCP with User Data and an Enrollment Token
  • Deploy an Ubuntu/Debian Server for GCP with User Data and a Linked Cloud Account

Azure Deployment Guides


Supported Features with Advanced Server Access

Environment

  • An environment is the cloud provider (or on-premise infrastructure) that hosts your virtual machines.

Auto-Enrollment

  • Auto-Enrollment is the process by which virtual machines you create within an environment enroll themselves with your Advanced Server Access team, without an admin enrolling each server by hand.

IP Configuration

  • IP Configuration is the method by which the access address of each of your team's servers is determined, either set explicitly or discovered by the agent.

De-Duplication

  • De-Duplication is the method of telling a newly cloned server apart from the existing server it was cloned from, so that clones are not mistaken for the original.

Note: Each Project within your Advanced Server Access team has a default limit of 10 linked Cloud Accounts.

AWS

  • Auto-Enrollment: Servers automatically enroll using the AWS account ID retrieved from the EC2 Metadata Service, which is correlated with the Advanced Server Access Platform configuration.
  • IP Configuration: In the absence of an explicit configuration in the agent's sftd.yaml file with either AccessAddress or AccessInterface, the agent collects the EC2 VPC ID and its associated IP addresses from EC2 Metadata and provides them to the ASA Platform. This means that when an SSH/RDP hop to a target server occurs from an SSH bastion, the ASA Platform can use the VPC IP specifically.
  • De-Duplication: -

GCP

  • Auto-Enrollment: A scaleft-enrollment-token instance or project metadata entry carries the enrollment token (instead of it being stored in a file).
  • IP Configuration: Must be either explicitly configured or selected by heuristic.
  • De-Duplication: -

Azure

  • Auto-Enrollment: -
  • IP Configuration: Must be either explicitly configured or selected by heuristic.
  • De-Duplication: Cloned virtual machines are deduplicated using the VMID. If an action changes the VMID, the server is detected as a new machine; if the VMID is unchanged, it is considered the same machine.

On-Premise

  • Auto-Enrollment: -
  • IP Configuration: Must be either explicitly configured or selected by heuristic.
  • De-Duplication: -