Prerequisites for deploying Access Gateway
Okta Access Gatewayis built and designed to run in an on-premise or in a customer IaaS environment. There are several networking ports that must be enabled to Allow Access Gatewayto accept incoming requests, proxy those requests to applications, provide administrative interfaces and to allow Access Gatewayto communicate with Okta, and Syslog Servers.
This page outlines the required information that must be completed
prior to installing Okta Access Gateway in a customer environment. Access Gateway requirements include:
| Area | Requirement |
|---|---|
| Hardware requirements | The underlying hardware which hosts the Access Gateway virtual appliance must meet certain instruction set requirements. |
| Okta org account requirements | The account used to manage Access Gateway must meet certain minimum requirements. |
| Firewall and access requirements | Access Gateway uses various ports and protocols. This section details those requirements. |
| Front end load balancer requirements | Access Gateway is typically fronted by a load balancer, which must meet certain requirements. |
See Supported technologies for more information on supported applications and technologies.
Hardware requirements
Okta Access Gateway was built to use the SSE4.2 extensions to the x64 instruction set, which were made available with the Intel® Nehalem and AMD Bulldozer microarchitectures. The server that runs Access Gateway virtual appliance must support thisinstruction set at minimum.
Okta org account requirements
The Access Gateway configuration process requires a super admin account to configure your tenant as the identity provider.
See Configure your Okta tenant as an Identity Provider.
Firewall and access requirements
Ports and protocols
Access Gateway requires various ports and protocols to be open for use.
The following table describes all required accesses.
| Description | Inbound/ Outbound |
Protocol | Port |
Comments |
|---|---|---|---|---|
| Okta tenant API access | Outbound | TCP/HTTPS | 443 |
Your Okta tenant IP addresses could change. If you require specific IP address ranges to use as part of your firewall ACL, please see Okta IP address allow listing. |
| Access Gateway updates | Outbound | TCP/HTTPS | 443 |
If you require finer controls to yum.oag.okta.com, you can be configure access via IP address. IP Addresses may be determined using a tool such as NSLookup. Okta reserves the right to change the IP address(es) associated with Access Gateway updates, vpn and similar services at any time. It is recommended that you confirm specific IP addresses with Okta support. |
| Integrated applications | Outbound | TCP/HTTPS | <application ports> | Access Gateway communication to the protected application. |
| Access Gateway Admin UI console and apps | Inbound | TCP/HTTPS | 443 | All end users must be able to access Access Gateway directly using port 443 if it's acting as an internet-facing reverse proxy or deployed in the DMZ. |
| SSH management | Inbound/ Outbound |
TCP/SSH | 22 | OPTIONAL – Internal SSH access to each node for access to the Access Gateway Management console. By default, access to the management console is only allowed via the virtual environment console. It is highly discouraged to open port 22 to general internet traffic. |
| Access Gateway High Availability | Inbound/ Outbound |
TCP/SSH | 22 | Internal bi-directional communication between Access Gateway nodes for configuration replication. |
| Access Gateway High Availability | Worker to admin | TCP/HTTPS | 443 | During initial configuration of high availability Access Gateway worker instances communicate using HTTPS over port 443 to the Access Gateway admin. |
| NTP | Outbound | TCP | 123 | Network time and date synchronization. |
| Support connection | Outbound | TCP | 443 | If you require finer controls to vpn.oag.okta.com and support.oag.okta.com, you can be configure access via IP address. IP Addresses may be determined using a tool such as NSLookup. Okta reserves the right to change the IP address(es) associated with Access Gateway updates, vpn and similar services at any time. It is recommended that you confirm specific IP addresses with Okta support. |
| Syslog | Outbound | Syslog TCP | Customer supplied | Event log forwarding to a Syslog or similar solution. |
| Access Gateway to the Key Distribution Center (KDC) | Outbound | TCP/UDP | 88 | |
| Access Gateway to DNS | Outbound | TCP/UDP | 53 |
Application specific access
Depending on applications Access Gateway may require the following access:
| Description | Inbound/ Outbound |
Protocol | Port |
|---|---|---|---|
|
Access Gateway to Data store |
Outbound |
LDAP/ODBC |
Customer supplied (For example: 389/636) |
|
Oracle E-Business Rapid SSO |
Outbound |
TCP/JDBC/SQL |
Customer supplied (For example: 1521) |
General Site Accessibility
In general, the following must be reachable from Access Gateway appliance:
| URL | Description |
|---|---|
|
vpn.oag.okta.com |
Support VPN |
|
yum.oag.okta.com |
Update support |
|
www.okta.com |
Network testing |
|
{client tenant}.okta.com |
Client specific Okta tenant |
Front end load balancer requirements
If the Access Gateway is installed in a high availability configuration, your organization must provide a load balancer. The load balancer can balance traffic using the Source Network Address Translation (SNAT) or Dynamic Network Address Translation (DNAT) and should be configured to balance through a hash of the source port and IP address. See Example architecture and About load balancers.