Prerequisites for Access Gateway deployment
Okta Access Gateway is designed to run on premises or in a customer IaaS environment. Several network ports must be open so that Access Gateway can accept incoming requests, proxy those requests to protected applications, expose its administrative interfaces, and communicate with Okta and with Syslog servers.
Before you install Access Gateway in a customer environment, confirm that the following requirements are met:
Area | Requirement |
---|---|
Hardware requirements | The hardware that hosts the Access Gateway virtual appliance must meet certain instruction set requirements. |
Okta org account requirements | The Okta org account that manages Access Gateway must meet certain minimum requirements. |
Firewall and access requirements | Access Gateway uses certain ports and protocols. |
Front-end load balancer requirements | Access Gateway is fronted by a load balancer, which must meet certain requirements. |
See Supported technologies.
Hardware requirements
Okta Access Gateway uses the SSE4.2 extensions to the x86-64 instruction set, which were introduced with the Intel® Nehalem and AMD Bulldozer microarchitectures. The server that hosts the Access Gateway virtual appliance must support this instruction set, and the hypervisor must expose it to the guest: a virtual CPU model that masks SSE4.2 fails this requirement even when the physical CPU supports it.
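The following shell check is an added example, not part of Okta's documentation or tooling. It reads the `flags` line from `/proc/cpuinfo` on a Linux host and looks for the `sse4_2` flag; the flag test is separated from the file read so it can be exercised with constructed input. Run it on the hypervisor host and again inside the imported appliance, since the guest only sees the CPU model the hypervisor presents.

```bash
#!/usr/bin/env bash
# Added example (not Okta's code): verify the SSE4.2 prerequisite on a Linux host.

# has_sse42_flags FLAGS: returns 0 if the space-separated CPU flag list contains
# exactly the token sse4_2 (so "sse4_2x" or "sse4_1" do not match).
has_sse42_flags() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'sse4_2'
}

# host_has_sse42: reads the first "flags" line of /proc/cpuinfo and checks it.
# Returns 1 if the file is missing (non-Linux host) or the flag is absent.
host_has_sse42() {
  local flags
  flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2-)
  [ -n "$flags" ] || return 1
  has_sse42_flags "$flags"
}

if host_has_sse42; then
  echo "OK: CPU exposes SSE4.2; this host meets the Access Gateway instruction set requirement"
else
  echo "FAIL: SSE4.2 not reported; check the hypervisor CPU model or passthrough settings" >&2
fi
```

If the host passes but the guest fails, change the virtual machine's CPU model to one that passes SSE4.2 through (host passthrough or a Nehalem-or-later model) rather than reinstalling.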
Okta org account requirements
The Access Gateway configuration process requires a super admin account to configure your tenant as the identity provider.
See Configure your Okta org as an Identity Provider.
Firewall and access requirements
Ports and protocols
Access Gateway requires various ports and protocols to be open. The following table describes all required access.
Description | Inbound/ Outbound | Protocol | Port | Comments |
---|---|---|---|---|
Okta tenant API access | Outbound | TCP/HTTPS | 443 | Your Okta tenant IP addresses could change. See Allow access to Okta IP addresses if you require specific IP address ranges to use as part of your firewall ACL. |
Access Gateway updates | Outbound | TCP/HTTPS | 443 | If you require finer control over access to yum.oag.okta.com, you can restrict access by IP address. IP addresses can be determined using a tool such as nslookup. Okta reserves the right to change the IP addresses associated with Access Gateway updates, VPN, and similar services at any time. Confirm the specific IP addresses with Okta Support. |
Integrated applications | Outbound | TCP/HTTPS | <application ports> | Access Gateway communication to the protected applications. |
Access Gateway Admin UI console and apps | Inbound | TCP/HTTPS | 443 | All end users must be able to reach Access Gateway directly on port 443 if it's acting as an internet-facing reverse proxy or is deployed in the DMZ. |
SSH management | Inbound/ Outbound | TCP/SSH | 22 | Optional. Internal SSH access to each node for access to the Access Gateway Management console. By default, access to the management console is only allowed using the virtual environment console. |
Access Gateway High Availability | Inbound/ Outbound | TCP/SSH | 22 | Internal bidirectional communication between Access Gateway nodes for configuration replication. |
Access Gateway High Availability | Worker to admin | TCP/HTTPS | 443 | During initial configuration of high availability, Access Gateway worker instances communicate with the Access Gateway admin node using HTTPS over port 443. |
NTP | Outbound | UDP | 123 | Network time and date synchronization. |
Support connection | Outbound | TCP | 443 | If you require finer control over access to vpn.oag.okta.com and support.oag.okta.com, you can restrict access by IP address. IP addresses can be determined using a tool such as nslookup. Okta reserves the right to change the IP addresses associated with Access Gateway updates, VPN, and similar services at any time. Confirm the specific IP addresses with Okta Support. |
Syslog | Outbound | Syslog TCP | Customer supplied | Event log forwarding to a Syslog or similar solution. |
Access Gateway to the Key Distribution Center (KDC) | Outbound | TCP/UDP | 88 | Kerberos ticket requests to the KDC. |
Access Gateway to DNS | Outbound | TCP/UDP | 53 | Name resolution. |
Application specific access
Depending on the applications you integrate, Access Gateway may also require the following access:
Description | Inbound/ Outbound | Protocol | Port |
---|---|---|---|
Access Gateway to data store | Outbound | LDAP/ODBC | Customer supplied (for example: 389/636) |
Oracle E-Business Rapid SSO | Outbound | TCP/JDBC/SQL | Customer supplied (for example: 1521) |
General site accessibility
In general, the following must be reachable from the Access Gateway appliance:
URL | Description |
---|---|
vpn.oag.okta.com | Support VPN |
yum.oag.okta.com | Update support |
www.okta.com | Network testing |
{client tenant}.okta.com | Client-specific Okta tenant |
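The pre-flight script below is an added example, not Okta's code, that checks the outbound requirements from the ports table and the site list above from the machine that will become an Access Gateway node. It attempts a TCP handshake to each required 443 endpoint, sends a real NTP client request over UDP/123 (a UDP port cannot be "connected" to, so only a reply proves the path is open), and exercises DNS implicitly through name resolution. The tenant hostname and NTP server are placeholders supplied through environment variables; `resolve_ipv4` is included for building the firewall ACLs the table mentions and should be re-run periodically because Okta may change those addresses.

```bash
#!/usr/bin/env bash
# Added example (not Okta's code): outbound pre-flight check for an Access Gateway node.
# Assumptions: a Linux host with bash and coreutils (timeout, head, getent).
TENANT="${OKTA_TENANT:-example.okta.com}"   # placeholder: set OKTA_TENANT to your org hostname
NTP_SERVER="${NTP_SERVER:-pool.ntp.org}"    # placeholder: set NTP_SERVER to your site's NTP source

# Required outbound TCP endpoints from the table, one per line: "host port purpose".
REQUIRED_TCP="
${TENANT} 443 Okta-tenant-API
yum.oag.okta.com 443 Access-Gateway-updates
vpn.oag.okta.com 443 Support-VPN
support.oag.okta.com 443 Support-connection
www.okta.com 443 Network-testing
"

# tcp_open HOST PORT [TIMEOUT]: 0 if a TCP handshake completes, 1 otherwise.
# Uses bash's /dev/tcp so it also works on minimal appliances without nc or telnet.
tcp_open() {
  local host=$1 port=$2 secs=${3:-3}
  timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
}

# ntp_reachable HOST: sends a 48-byte NTP v3 client request (LI=0, VN=3, Mode=3 -> 0x1b,
# followed by 47 zero bytes) and returns 0 only if a 48-byte reply arrives within 3s.
# The packet is staged in a file so cat emits it in a single write (one datagram).
ntp_reachable() {
  local host=$1 pkt rc
  pkt=$(mktemp) || return 1
  { printf '\033'; head -c 47 /dev/zero; } > "$pkt"
  timeout 3 bash -c '
    exec 3<>"/dev/udp/$1/123" || exit 1
    cat "$2" >&3
    [ "$(head -c 48 <&3 | wc -c)" -eq 48 ]' _ "$host" "$pkt" 2>/dev/null
  rc=$?
  rm -f "$pkt"
  return "$rc"
}

# resolve_ipv4 HOST: prints the unique IPv4 addresses a name currently resolves to,
# for use in firewall ACLs. Re-run it periodically; Okta may change these addresses.
resolve_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# run_checks: performs every check, prints one line per endpoint, returns the failure count.
run_checks() {
  local fails=0 host port purpose
  while read -r host port purpose; do
    [ -n "$host" ] || continue
    if tcp_open "$host" "$port"; then
      printf 'OK    %-28s tcp/%s (%s)\n' "$host" "$port" "$purpose"
    else
      printf 'FAIL  %-28s tcp/%s (%s)\n' "$host" "$port" "$purpose" >&2
      fails=$((fails + 1))
    fi
  done <<< "$REQUIRED_TCP"

  if ntp_reachable "$NTP_SERVER"; then
    echo "OK    NTP udp/123 via $NTP_SERVER"
  else
    echo "FAIL  NTP udp/123 via $NTP_SERVER" >&2
    fails=$((fails + 1))
  fi
  return "$fails"
}

# Live checks run only when invoked with --check, so the functions can be sourced safely.
if [ "${1:-}" = "--check" ]; then
  run_checks
fi
```

Run it as `OKTA_TENANT=yourorg.okta.com ./oag-preflight.sh --check`; a non-zero exit status equals the number of failed checks, which makes it usable as a gate in an automated build of the node. A TCP handshake proves only that the firewall path is open, not that TLS or the application succeed, but it isolates network ACL problems from configuration problems before the appliance is installed.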
Front-end load balancer requirements
If Access Gateway is installed in a high availability configuration, your organization must provide a load balancer. The load balancer can distribute traffic using Source Network Address Translation (SNAT) or Destination Network Address Translation (DNAT), and should be configured to balance using a hash of the source IP address and port so that a client's requests keep reaching the same node. See Example architecture and Load balancers.