1.1 Access Manager Component Deployment

The components of Access Manager include Administration Console, Identity Server, and Access Gateway.

Administration Console: Manages Identity Server and Access Gateway.

Identity Server: Provides authentication for users. It validates user credentials against the back-end LDAP user stores.

Access Gateway: Protects Web servers and contacts Identity Server to authenticate users. It also obtains user attributes from Identity Server and passes them on to the Web servers.

The following diagram illustrates how the Access Manager components are integrated with each other:

The recommended number of nodes for each component depends on the number of concurrent user sessions. For more information, see Performance and Sizing Guidelines.

The following are the recommended configurations for the Access Manager components:

  • Enable Sticky-Bit on the Layer 4 (L4) switch.

    Each L4 switch has a slightly different method and terminology for the sticky bit or persistence bind. This setting directs a client that has established a session to the same Identity Server or Access Gateway for all requests sent during that session. It minimizes the need to forward session information between Access Gateways or between Identity Servers, and thus maximizes performance.

  • L4 health check recommendations:

  • Ensure that the LDAP timeout settings in Identity Server, Active Directory (if it is used as a user store), the Web servers, and the L4 switch are all set to the same value. Based on an average user session, the recommended value is 15-20 seconds. A mismatch means one side drops a connection that another side still considers valid.

  • To improve the performance of Identity Server, ensure that Identity Server can perform a reverse lookup on the LDAP user store's IP address. If the LDAP user store's IP addresses are not registered in the DNS server, add an entry for them to the hosts file on Identity Server.

  • Set the TCP idle time in Access Gateway lower than the LDAP timeout so that idle connections are cleared from the Access Gateway connection table before the LDAP side times out. If this value is not set, the Linux connection table fills up, and logging in becomes almost impossible until the stale sessions are cleared.
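The following POSIX shell script is an added example, not part of Access Manager or its documentation; it turns the three timeout and name-resolution recommendations above into checks an administrator can run on Identity Server before going live. The component names, the hosts-file path argument, the IP address 192.0.2.10 and the hostname ldap1.example.test are assumptions used only for illustration; the 15-20 second band is the one the page recommends.

```shell
#!/bin/sh
# Added example (not Access Manager code): pre-deployment checks for the
# LDAP timeout, reverse-lookup and TCP idle-time recommendations.

# Reverse lookup check for the LDAP user store address.
# $1 = IP address, $2 = hosts file to consult (default /etc/hosts).
# Returns 0 if the IP is listed in the hosts file or resolves through the
# system resolver (DNS PTR record), 1 otherwise.
ldap_reverse_lookup_ok() {
    ip="$1"; hosts="${2:-/etc/hosts}"
    # hosts entries look like "<ip> <name> [aliases...]": match the first field
    if awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$hosts" 2>/dev/null; then
        return 0
    fi
    # fall back to the resolver when getent is available on this host
    if command -v getent >/dev/null 2>&1; then
        getent hosts "$ip" >/dev/null 2>&1 && return 0
    fi
    return 1
}

# The hosts-file line to add on Identity Server when the lookup fails.
# $1 = IP address, $2 = hostname.
ldap_hosts_entry() {
    printf '%s\t%s\n' "$1" "$2"
}

# All LDAP timeouts (Identity Server, Active Directory, Web servers, L4 switch)
# must be identical. Args: name=seconds pairs. Returns 0 if all values match,
# otherwise reports each mismatch on stderr and returns 1.
ldap_timeouts_consistent() {
    ref=""; rc=0
    for kv in "$@"; do
        name="${kv%%=*}"; secs="${kv#*=}"
        if [ -z "$ref" ]; then
            ref="$secs"
        elif [ "$secs" -ne "$ref" ]; then
            echo "LDAP timeout mismatch: $name=$secs (expected $ref)" >&2
            rc=1
        fi
    done
    return $rc
}

# The page recommends 15-20 seconds for the LDAP timeout; flag anything outside.
ldap_timeout_in_band() {
    [ "$1" -ge 15 ] && [ "$1" -le 20 ]
}

# Access Gateway TCP idle time ($1) must be strictly lower than the LDAP
# timeout ($2) so idle entries leave the connection table first.
gateway_idle_below_ldap() {
    [ "$1" -lt "$2" ]
}

# Demonstration against constructed values (assumed, not from a real deployment).
demo() {
    ldap_ip=192.0.2.10
    ldap_host=ldap1.example.test
    hosts_file=$(mktemp)
    printf '127.0.0.1\tlocalhost\n' > "$hosts_file"   # constructed hosts file without the LDAP entry
    if ldap_reverse_lookup_ok "$ldap_ip" "$hosts_file"; then
        echo "reverse lookup OK for $ldap_ip"
    else
        echo "no reverse lookup for $ldap_ip; add this line to the Identity Server hosts file:"
        ldap_hosts_entry "$ldap_ip" "$ldap_host"
    fi
    rm -f "$hosts_file"

    ldap_timeout=20
    ldap_timeouts_consistent idp=$ldap_timeout ad=$ldap_timeout web=$ldap_timeout l4=$ldap_timeout \
        && echo "LDAP timeouts consistent at ${ldap_timeout}s"
    ldap_timeout_in_band "$ldap_timeout" || echo "LDAP timeout ${ldap_timeout}s is outside the recommended 15-20s"

    gateway_idle=15
    gateway_idle_below_ldap "$gateway_idle" "$ldap_timeout" \
        && echo "Access Gateway TCP idle ${gateway_idle}s is below LDAP timeout ${ldap_timeout}s"
}

demo
```

Run the script on Identity Server with the real LDAP address and the values configured on each component; a non-zero return from any check function is a deployment to fix before load arrives, since each of these mismatches only shows up under concurrent sessions.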