1.5 Recommended Installation Scenarios

The following scenarios provide an overview of the flexibility built into Access Manager. Use them to design a deployment strategy that fits the needs of your company.

1.5.1 Basic Setup

Protect the Administration Console from Internet attacks by installing it behind your firewall. For a basic Access Manager installation, you can install the Identity Server and the Access Gateway outside your firewall. Figure 1-5 illustrates this scenario:

Figure 1-5 Basic Installation Configuration

  1. Install the Administration Console.

    The Administration Console and the Identity Server are bundled in the same download file or ISO image.

  2. If your firewall is already in place, open the ports that the Identity Server and the Access Gateway need in order to communicate with the Administration Console: TCP 1443, TCP 8444, TCP 1289, TCP 1290, TCP 524, TCP 636.

    For more information about these ports, see Section 1.7, Setting Up Firewalls.

  3. Run the installation again and install the Identity Server on a separate server.

    Log in to the Administration Console and verify that the Identity Server installation was successful.

  4. Install the Access Gateway.

    Log in to the Administration Console and verify that the Access Gateway imported successfully.

  5. Install Analytics Server.

    Log in to the Administration Console and verify that the Analytics Server imported successfully.

  6. Configure the Identity Server, Analytics Server, and the Access Gateway. See Configuring Access Manager in the NetIQ Access Manager 4.3 Administration Guide.

    In this configuration, the firewall separates the LDAP server from the Identity Server. Make sure you open the required ports between them. See Section 1.7, Setting Up Firewalls.
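Steps 2 through 6 above depend on the firewall actually passing the listed ports from the Identity Server and Access Gateway hosts to the Administration Console (and, for the LDAP server behind the firewall, the ports in Section 1.7). A quick pre-flight check that confirms this before you run the installers saves a failed import and a trip to the logs. The script below is an added example, not part of the NetIQ documentation or product; the port list is copied from step 2, the host name `admin-console.example.com` is a placeholder, and the injectable `connect` callable exists only so the logic can be exercised without a network.

```python
"""Pre-flight check: can this host reach the Administration Console on the
ports required by the Identity Server and Access Gateway?

Added example (not NetIQ code). Port list from step 2 of the Basic Setup
procedure; the default host name is a placeholder.
"""
import socket
import sys

# Ports the Identity Server and Access Gateway must reach on the
# Administration Console, as listed in step 2 above.
ADMIN_CONSOLE_PORTS = (1443, 8444, 1289, 1290, 524, 636)


def tcp_connect(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Only the handshake is tested and the socket is closed at once, so the
    probe also works for TLS-only listeners such as 1443 or 636.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) and unresolvable hosts all count as blocked.
        return False


def check_ports(host, ports=ADMIN_CONSOLE_PORTS, connect=tcp_connect):
    """Probe each port on host and return a {port: reachable} map.

    `connect` is injectable (hypothetical parameter for this example) so the
    reporting logic can be tested without touching the network.
    """
    return {port: bool(connect(host, port)) for port in ports}


def blocked_ports(host, ports=ADMIN_CONSOLE_PORTS, connect=tcp_connect):
    """Return the sorted list of ports in `ports` that could not be reached."""
    results = check_ports(host, ports, connect)
    return sorted(port for port, ok in results.items() if not ok)


def report(host, ports=ADMIN_CONSOLE_PORTS, connect=tcp_connect):
    """Print one line per port and return a process exit status (0 = all open)."""
    results = check_ports(host, ports, connect)
    for port in ports:
        print(f"{host}:{port:<5} {'open' if results[port] else 'BLOCKED'}")
    blocked = [port for port in ports if not results[port]]
    if blocked:
        print(f"{len(blocked)} port(s) blocked; fix the firewall before installing")
        return 1
    print("all required ports reachable")
    return 0


if __name__ == "__main__":
    # Run from the prospective Identity Server or Access Gateway host, e.g.
    #   python3 nam_portcheck.py admin-console.example.com
    # (script name and host name are placeholders)
    target = sys.argv[1] if len(sys.argv) > 1 else "admin-console.example.com"
    sys.exit(report(target))
```

Run it once from the Identity Server host and once from the Access Gateway host before step 3 and step 4. Because `check_ports` takes an arbitrary port tuple, the same script can be pointed at the LDAP server from the Identity Server with the port list from Section 1.7, which covers the firewall between the Identity Server and the LDAP server mentioned in step 6. A `BLOCKED` result for a port that is open on the console itself points at the firewall, not at the product.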

For information about setting up configurations for fault tolerance and clustering, see High Availability and Fault Tolerance in the NetIQ Access Manager 4.3 Administration Guide.

The firewall protects the LDAP server and the Administration Console, both of which contain a permanent store of sensitive data. Web servers are also installed behind the firewall for added protection. The Identity Server is less of a security risk, because it does not permanently store any user data. NetIQ has tested and recommends this configuration. NetIQ has also tested this configuration with an L4 switch in place of the router so that it can support clusters of Identity Servers and Access Gateways.

1.5.2 High Availability Configuration with Load Balancing

Figure 1-6 illustrates a deployment scenario where Web resources are securely accessible from the Internet. The scenario also provides high availability because both Identity Servers and Access Gateways are clustered and have been configured to use an L4 switch for load balancing and fault tolerance.

Figure 1-6 Clustering Configuration for High Availability

End users can communicate with Identity Servers and Access Gateways over HTTP or HTTPS, and Access Gateways can communicate with Web servers over HTTP or HTTPS; both are configurable. Multiple Administration Consoles provide administration and configuration redundancy.

This configuration is scalable. As the number of users and the demand for Web resources increase, you can add another Identity Server or Access Gateway to handle the load, then add the new servers to the L4 switch. When the new servers are added to the cluster, they are automatically sent the cluster configuration.