Access Gateway security best practices

Access Gateway is a hardened appliance designed for secure deployments. The following checklist describes security best practices to follow when you deploy Okta Access Gateway.

Checklist

Deploy Access Gateway following the appropriate reference architecture with these goals in mind:

Deploy the Access Gateway admin node on the internal network. Where possible, deploy the admin node internally and separate from the worker nodes, so that the admin node is unreachable from the public Internet.

Create a service account and a secure Okta API token for use with Access Gateway. Use a dedicated service account rather than an individual administrator's account, so the token does not depend on one person's credentials and can be rotated independently. See Configure an Identity Provider in Access Gateway for more information.

Configure the Access Gateway Admin UI console app and an administration group. Configure the Access Gateway app and create a dedicated group whose members perform administration operations, so that administrators sign in to the Admin UI console with their Okta identities. Use the default Admin UI console account as little as possible.
Change the default passwords for the Access Gateway Management console user and the Access Gateway Admin UI console admin user. Always reset both default passwords. See the Management console and Admin UI password sections of the command line console documentation.
Consider using a password manager to generate, securely store, and manage these passwords.
Use a firewall to block all traffic other than HTTP and HTTPS to worker nodes from the public Internet. Limit traffic to and from Access Gateway worker nodes to the protocols and ports specifically required. See Firewall and access requirements in Access Gateway deployment prerequisites.
Forward logs to your Security Information and Event Management (SIEM) solution. Always define a log forwarding receiver so that log messages are captured off the appliance and can be reviewed in real time.
Create and follow a schedule for upgrading Access Gateway. Access Gateway releases updates on a monthly cadence, and regular upgrades keep your deployment running the most secure code.
Review application policies to ensure that protected paths are actually protected. Secure, and test for, alternative paths to applications that could bypass Access Gateway, such as direct access to the application's origin host. In addition, regularly examine the content served by Access Gateway and ensure that links and redirects are rewritten to contain only the public names, never the internal origin names.
Use publicly trusted SSL/TLS certificates for the names end users use to access applications. Certificates can be terminated at a load balancer in front of Access Gateway or within Access Gateway itself. See Manage certificates for more information.
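The bypass and rewrite review in the policy item above, and the port exposure the firewall item calls for, can be checked from a client network with a short script. The following is an added example written for this page, not Okta's code or part of Access Gateway. The hostnames gw.example.com (public name) and app.internal.example.com (origin) and the probed port list are placeholders, and the sample response is constructed to show a failed rewrite.

```python
"""Post-deployment checks for an app published through Access Gateway.

Added example, not Okta code. Assumed names: the app is published as
https://gw.example.com and its origin is app.internal.example.com; both
are placeholders. Two checks are implemented:
  1. find_leaked_hosts(): links and redirects served through the gateway
     must reference only the public name, never the origin.
  2. open_ports(): from a client network, the origin and any worker node
     should accept nothing but the HTTP/HTTPS ports the deployment needs.
"""
import socket
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect every URL-bearing attribute from an HTML document."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value)


def find_leaked_hosts(headers, body, allowed_hosts):
    """Return hostnames referenced by Location headers or href/src/action
    attributes that are not in allowed_hosts. Relative URLs resolve to the
    public name and are fine; protocol-relative (//host/...) and absolute
    URLs that still name the origin are the rewrite failures this catches."""
    urls = [v for k, v in headers.items() if k.lower() == "location"]
    collector = _LinkCollector()
    collector.feed(body)
    urls.extend(collector.urls)
    allowed = {h.lower() for h in allowed_hosts}
    leaked = set()
    for url in urls:
        host = urlsplit(url).hostname  # None for relative, mailto:, javascript:
        if host and host.lower() not in allowed:
            leaked.add(host.lower())
    return leaked


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so Location can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """Return (headers, body) for one request without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry Location
        return dict(err.headers), err.read().decode("utf-8", "replace")


def open_ports(host, ports, timeout=1.0):
    """Return the ports on host that accept a TCP connection from here."""
    reachable = []
    for port in ports:
        with socket.socket() as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
                reachable.append(port)
            except OSError:
                pass
    return reachable


# Constructed sample of a mis-rewritten response: the redirect and one
# image URL still name the origin host instead of the public name.
SAMPLE_HEADERS = {"Location": "https://app.internal.example.com/login"}
SAMPLE_BODY = """<html><body>
<a href="https://gw.example.com/home">home</a>
<a href="/relative/path">relative is fine</a>
<img src="//app.internal.example.com:8443/logo.png">
<form action="/submit"></form>
<a href="mailto:helpdesk@example.com">mail</a>
</body></html>"""


def main():
    leaked = find_leaked_hosts(SAMPLE_HEADERS, SAMPLE_BODY, {"gw.example.com"})
    print("leaked origin hosts in sample:", sorted(leaked))
    # Live use (assumed names): run from a client network, not from inside
    # the data center, so the result reflects what an outsider can reach.
    #   headers, body = fetch("https://gw.example.com/")
    #   print(find_leaked_hosts(headers, body, {"gw.example.com"}))
    #   print(open_ports("app.internal.example.com", [80, 443, 8080, 8443]))


if __name__ == "__main__":
    main()
```

Run the live checks from the same network position as your end users: any origin hostname returned by find_leaked_hosts is a rewrite that must be fixed, and any port returned by open_ports against the origin is a path around the gateway that the firewall should close.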