Deploy Access Gateway

Deployment is the process of downloading and installing the Access Gateway Virtual application. Typically, Access Gateway is deployed using an architecture similar to that shown in the Access Gateway Architecture diagram. However, the use of high availability is not required. Access Gateway instances must be hosted in a virtual environment.

Access Gateway High Availability architecture


Ensure that:

  • You review all Prerequisites for deploying Access Gateway.
  • Access Gateway has a hostname assigned in DNS and is resolvable using DNS.
  • Access Gateway has a static IP address. Access Gateway requires a static IP address and does not leverage DHCP.
  • You have a DNS Server and DNS Hostname (FQDN). Access Gateway must be resolvable using a DNS solution that end users leverage. If end users originate from the internet, the Access Gateway solution must be publicly resolvable. It is recommended that split DNS be leveraged so that internal users connect to an internal IP address and external users connect to a public IP address.

The FQDNs for all applications integrated with the Access Gateway must be resolvable in DNS.

Deploy to VMWare vSphere

In this section, we examine the process for deploying Access Gateway to VMWare vSphere.
Access Gateway can be deployed to any of the environments described in the Supported deployment environments list.

Download the latest OVA image

To download the latest Okta Access Gateway OVA Image:

  1. Sign in to your Okta Org as an admin.

  2. Download the Okta Access Gateway image from the Settings > Downloads page.

  3. When prompted, save the OVA file to an appropriate location.

To Import to VMWare ESXi/vSphere:

VMWare ESXi, vSphere, and vSphere Client version 6.5 and later support SHA-256 OVF files.

If your version does not support SHA-256 OVF files, convert the OVA from SHA256 to SHA1:

$ ovftool --shaAlgorithm=SHA1 /path/to/the/original/ova_file.ova /path/to/the/new/ova/file-SHA1.ova
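
Before converting or importing, it is worth confirming which digest algorithm the downloaded OVA uses and that its contents match its manifest. The following is an added example, not Okta's code or tooling: it reads the OVA as a tar archive and checks every file against the `ALGO(file)= digest` lines of the .mf manifest. The function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import re
import tarfile

MF_LINE = re.compile(r"^\s*(SHA1|SHA256)\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")  # ALGO(file)= hex


def digests(stream):
    """Stream one archive member through both hash functions in 1 MiB chunks."""
    h = {"SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        for d in h.values():
            d.update(chunk)
    return {algo: d.hexdigest() for algo, d in h.items()}


def verify_ova(fileobj):
    """Return (algorithms named in the manifest, list of problems found)."""
    seen, manifest = {}, ""
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for member in filter(tarfile.TarInfo.isfile, tar):
            stream = tar.extractfile(member)  # read in place, nothing unpacked to disk
            if member.name.endswith(".mf"):
                manifest = stream.read().decode("utf-8", "replace")
            elif not member.name.endswith(".cert"):  # signature file is not listed
                seen[member.name] = digests(stream)
    entries = [m.groups() for m in map(MF_LINE.match, manifest.splitlines()) if m]
    if not entries:
        return set(), ["no usable .mf manifest in archive"]
    problems = []
    for algo, name, want in entries:
        if name not in seen:
            problems.append(f"{name}: listed in manifest but not in archive")
        elif seen[name][algo] != want.lower():
            problems.append(f"{name}: {algo} digest mismatch")
    problems += [f"{n}: not in manifest" for n in sorted(set(seen) - {e[1] for e in entries})]
    return {algo for algo, _, _ in entries}, problems


def sample_ova(files, algo="SHA256"):  # constructed input, not a real Okta image
    mf = "".join(f"{algo}({n})= {hashlib.new(algo.lower(), d).hexdigest()}\n"
                 for n, d in files.items())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in {**files, "sample.mf": mf.encode()}.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

For a real file, pass `open(path, "rb")` to `verify_ova`. A matching manifest shows the archive is internally consistent; it does not authenticate the publisher, which requires the signature in a .cert file if the image ships one.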

  1. Download and install VMware vSphere Client from the ESXi/vSphere server.

  2. Open VMware vSphere Client.

  3. Enter the server name or IP address and credentials in their respective fields and click Login.

  4. In the vSphere Client window, select File > Deploy OVF Template.

  5. In the Deploy OVF Template window, click Browse.

  6. Select the Okta-Access Gateway OVA file, and click Open.

    Okta-Access Gateway OVA file in Windows Explorer

  7. Click Next.

  8. Review the template details provided, and click Next.

  9. When prompted to accept the Access Gateway License agreement, click Accept and then click Next.

  10. Enter a name for the Access Gateway template and click Next.

  11. Select a storage location and click Next.

  12. Select the appropriate disk format option based on your requirements and click Next.

  13. Click Finish. vSphere Client begins the deployment process.

  14. Click Close when the deployment is complete.

  15. In the vSphere Client window, click Inventory.

  16. Select the Virtual Machines tab to display the VMs that are currently deployed to the server.

  17. Select the Access Gateway VM and click Power On (symbolized by a play icon) in the toolbar.

  18. Right-click the VM and click Open Console to sign in to the VM.

Perform required post deployment configuration tasks



  • Set Access Gateway instance hostname: Set a hostname for Access Gateway.
  • Optional. Set Access Gateway instance IP address: Configure a fixed IP address for Access Gateway.
  • Optional. Set Access Gateway DNS Servers: Configure Access Gateway to use a split DNS process where multiple DNS servers are used.
  • Optional. Set Access Gateway proxy server: Configure Access Gateway for use with a proxy server.
  • Determine Access Gateway IP address: Determine Access Gateway IP address for non-AWS instances.
  • Add admin entry to hosts file: Configure required admin entry in local hosts file.
  • Configure Access Gateway DNS: Configure required DNS entries.
  • Initialize Access Gateway Admin UI console: Initialize the cookie domain and instance hostname.
  • Configure your Okta tenant as an Identity Provider: Configure Okta tenant as an identity provider.
  • Configure SAML access from your Okta tenant: Configure Okta tenant to allow access to Access Gateway using SAML.
  • Review security best practices: Examine and execute a set of common Access Gateway security best practices.

Ensure that you appropriately name your Access Gateway nodes when you create them for use in a high availability cluster. These names must be resolvable between Access Gateway instances before you configure high availability.

Supported deployment environments