3.2.3 Managing Access Gateways Settings

Viewing and Modifying Gateway Settings

  1. Click Devices > Access Gateways.

  2. Select one of the following options:

    Option

    Description

    New Cluster

    To create a new cluster of Access Gateways. A cluster can be one or more Access Gateways. See Creating a New Cluster.

    Stop

    To stop an Access Gateway Appliance, select the appliance, then click Stop. You must have physical access to Access Gateway Appliance machine to start it again. To stop an Access Gateway Service, select the service, then click Stop. You can use the Restart option to start Access Gateway Service.

    Restart

    To reboot an Access Gateway Appliance, select the appliance, then click Restart. Access Gateway Appliance is stopped, the operating system is rebooted, then the appliance is started. To stop and start an Access Gateway Service, select it, then click Restart. If Access Gateway Service is already stopped, use Restart to start it.

    Refresh

    To update the list of Access Gateways and the status columns, click Refresh.

  3. Select an Access Gateway, and then select one of the following options:

    Option

    Description

    Assign to Cluster

    To add the selected Access Gateway to a cluster, select Assign to Cluster, then select the cluster. This Access Gateway is reconfigured with the configuration of the primary cluster server.

    An Access Gateway Appliance can only be added to a cluster of Access Gateway Appliances. An Access Gateway Service can only be added to a cluster of Access Gateway Services.

    Remove from Cluster

    To remove the selected Access Gateway from a cluster, select Remove from Cluster. Access Gateway retains its configuration from the cluster, but no traffic is sent to it until it is reconfigured. You can assign it to a different cluster and have it updated with this cluster’s configuration, or you can delete all of its reverse proxies and start a new configuration.

    Delete

    To remove a selected Access Gateway from the list of servers that can be managed from this Administration Console, select Delete. If Access Gateway is a member of a cluster, you must first remove it from the cluster before deleting it.

    IMPORTANT:When an Access Gateway is deleted from Administration Console, you cannot manage it. To access it again, manually trigger an auto-import.

    Scheduled Restart

    To schedule when a selected Access Gateway must be stopped and then started, select Schedule Restart. On an Access Gateway Appliance, a restart stops the operating system, then starts the operating system and Access Gateway. On an Access Gateway Service, a restart stops Access Gateway Service, then starts it. For information about how to schedule this command, see Scheduling a Command.

    Scheduled Stop

    To schedule when a selected Access Gateway or cluster must be stopped, select Schedule Stop.

    • When you stop an Access Gateway Appliance, you shut down Access Gateway Appliance and the operating system. You must have physical access to the machine to start it again.

    • When you stop an Access Gateway Service, you stop just Access Gateway Service. You can use the Restart option to start it again.

    For more information, see Scheduling a Command

    Purge List Now

    Click this to purge all objects in the current purge list from the cache of the selected server or cluster.

    Purge All Cache

    Click this to purge the server cache for the selected server or cluster. All cached content is cleared.

    When you change certain configuration such as updating or changing certificates, changing the IP addresses of web servers, or modifying the rewriter configuration, you are prompted to purge the cache. The cached objects must be updated for users to see the effects of configuration changes. If Access Gateways are in a cluster, you need to manage the purge process so your site remains accessible to your users. You must apply configuration changes to one member of a cluster. When its status returns to healthy and current, issue the command to purge its cache. Then apply the changes to the next cluster member.

    IMPORTANT:Do not issue a purge cache command when an Access Gateway has a pending configuration change. Wait until the configuration change is complete.

    Update Health from Server

    Click this to send a request to the server for updated health information. If you have selected multiple servers, a request is sent to each one. The health status changes to an animated circle until the reply returns.

    Service Provider

    • Start Service Provider: Starts Embedded Service Provider (ESP) associated with the selected Access Gateway. ESP is the module within Access Gateway that communicates with Identity Server.

      You must restart ESP whenever you enable or modify logging on Identity Server.

    • Stop Service Provider: Stops ESP associated with the selected Access Gateway.

      When Access Gateway does not function correctly, stop and start ESP before stopping and starting Access Gateway.

    • Restart Service Provider: Restarts ESP associated with the selected Access Gateway.

      When an Access Gateway does not function correctly, restart ESP before stopping and starting Access Gateway.

  4. Use the following links to manage a cluster or an Access Gateway:

    Option

    Description

    Name

    Displays a list of Access Gateways and clusters that you can manage from this Administration Console.

    • To view or modify details of a particular server, click the server name.

    • To view or modify details of a cluster, click the cluster namer.

    Status

    Indicates the configuration status of the clusters and Access Gateways. For more information, see Status Options.

    Health

    Indicates whether a cluster or an Access Gateway is functional. Click the icon to view additional information about the operational status of an Access Gateway.

    Alerts

    Indicates whether any alerts have been sent. If the alert count is non-zero, click the count to view more information.

    Commands

    Indicates the status of the last executed command and whether any commands are pending. Click the link to view more information. For more information, see Section 25.2, Viewing the Command Status of Access Gateway.

    Statistics

    Provides a link to the statistic pages.

    Edit

    Provides a link to the configuration page. If the server belongs to a cluster, the Edit link appears on the cluster row. Otherwise, the link is on the server row. See Section 3.2.1, Configuration Overview.

Status Options

  1. Click Devices > Access Gateways.

  2. View Status and make changes as necessary.

    Status

    Description

    Current

    Indicates that all configuration changes have been applied.

    Update

    Indicates that a configuration change has been made, but not applied.

    To apply the changes, click Update, and then select one of the following options:

    • All Configuration: Access Gateway reads complete configuration file and restarts ESP.

      The configuration update causes logged-in users to lose their connections unless the server is a member of a cluster. When the server is a member of a cluster, the users are sent to another Access Gateway and they experience no interruption of service.

    • Logging Settings: This option is available when the ESP logging settings have been modified on Identity Server. This option causes no interruption in services. When you modify Access Gateway logging settings, this option is not available because they are considered as configuration settings.

    • Policy Settings: If a policy is modified for a protected resource of Access Gateway and the policy change is the only modification that has occurred, the update option for Policy Settings is available. This option causes no interruption in services.

    • Rewriter Profile Changes: When an administrator changes the rewriter profile, a purge cache command is issued to a Gateway from Administration Console, the connection is lost and the service is interrupted for a few seconds. Similar experience is observed during the rewriter profile configuration change, as this internally triggers the purge cache command.

    • Changing Certificates: When a certificate configuration is changed from Administration Console, the service is interrupted due to the Tomcat restart.

    Update All

    This link is available when a server belongs to a cluster. You can select to update all the servers at the same time, or you can select to update them one at a time. If the modification is a policy or a logging change, then use Update All. If the modification is a configuration change, we recommend that you update the servers one at a time.

    • When you select Update All for a configuration change, users experience an interruption of service.

    • When you update servers one at a time for a configuration change, users experience no interruption of service.

    When you make the following configuration changes, the Update All option is the only option available and your site will be unavailable while the update occurs:

    • Identity Server configuration that is used for authentication is changed (Access Gateways > Edit > Reverse Proxy/Authentication, then select a different value for the Identity Server Cluster option).

    • A different reverse proxy is selected to be used for authentication (Access Gateways > Edit > Reverse Proxy/Authentication, then select a different value for the Reverse Proxy option).

    • The protocol or port of the authenticating reverse proxy is modified (Access Gateways > Edit > Reverse Proxy/Authentication > [Name of Reverse Proxy], then change the SSL options or the port options).

    • The published DNS name of the authentication proxy service is modified (Access Gateways > Edit > Reverse Proxy/Authentication > [Name of Reverse Proxy] > [Name of First Proxy Service], then modify the Published DNS Name option).

    For more information, see Applying Changes to Access Gateway Cluster Members.

    Update

    If the configuration update contains a configuration error, the Update link is disabled and the Configuration Error icon is displayed. Click the icon to discover which objects have been misconfigured. You need to fix the error by canceling or modifying the changes before you perform an update.

    Update All

    If the configuration update contains a configuration error, the Update All and the member Update links are disabled and the Configuration Error icon is displayed. Click the icon to discover which objects have been misconfigured. You need to fix the error by canceling or modifying the changes before you perform an update.

    Pending

    Indicates that the server is processing a configuration change, but has not completed the process.

    Locked

    Indicates that another administrator is making configuration changes. Before you proceed with any configuration changes, you need to coordinate with this administrator and wait until Access Gateway has been updated with the other administrator’s changes.

Impact of Configuration Changes

NOTE:Do not push the configuration from Administration Console to devices during peak system usage times.

Devices > Access Gateways

  • Purge List Now/ Purge Cache: Causes a process level restart and terminates all the existing connections and downloads. The users do not need to reauthenticate, but issuing a purge list or cache command might result in a higher load on the service provider. If there is a single gateway, issuing a purge list or cache command can cause temporary service disruption for users.

  • Stop: Stops the proxy component in Access Gateway Appliance, makes it unavailable for user requests and terminates all the existing connections and downloads. The users do not need to reauthenticate, but stopping the proxy component can result in a higher load on the identity provider and other gateway cluster members.

  • Restart: Triggers a restart of the operating system of Access Gateway Appliance, where all existing connections and downloads are terminated. The users do not need to reauthenticate, but restarting the operating system can result in a higher load on the identity provider and other gateway cluster members.

  • Service Provider > Restart: Causes the ESP and proxy to clear the user session information and refresh the policy information. Access might be denied to protected resources and resources that need policy evaluation during the restart process.

  • Service Provider > Stop: Causes the ESP and proxy to clear the user session information. You cannot access the protected resources and resources that need policy evaluation.

Devices > Access Gateways > < your gateway/cluster> Services

  • Rewriter Profile Change: Changing the rewriter profile causes Administration Console to issue a purge cache command to Access Gateway. Issuing a purge cache command causes a process level restart and terminates all the existing connections and downloads.

  • Accelerated Web Service Change: Changing the accelerated web server details causes Administration Console to issue a purge cache command to Access Gateway. Issuing a purge cache command causes a process level restart and terminates all the existing connections and downloads

  • Service Creation: If your gateway cluster is behind an L4 switch, ensure that you review or modify the L4 configuration to reflect any new service that you can create.

  • TCP Connect Options: Increasing the Data Read Timeout values or the Idle Timeout values impacts the user experience if the web servers are unreachable. Disabling the persistent connections also impacts the user experience.

System Settings

  • Date and Time: Changing date and time or the NTP server configuration impacts the existing user session timeout values. It is critical to keep the time settings in Access Gateways and Identity Servers synchronized in order to prevent authentication failures and unexpected session times out. There is no other impact than authentication failures and unexpected session times out.

Monitoring

  • Audit Configuration Changes or Audit Server Health: If the audit server is busy or unreachable, it causes a delay in browsing, including Administration Console access. There is no other impact than delay in browsing and accessing Administration Console.

Network Settings

  • Network Related Changes: Be cautious in making changes to the network parameters like Adapter, IP address, Netmask, Gateways, DNS, Hosts, and Route. The users can be impacted by these changes because the connections are reset; however, user reauthentication might not be required. Incorrect configuration leads to system inaccessibility on the network and you cannot access Access Gateway Service.

Security Settings

You must not change security setting options during the peak system usage hours.

  • Signing: Before changing it, ensure that Identity Server trust store contains the root CA certificate and possible intermediate CA certificates to complete the trust chain.

  • Trust Store: Before changing it, ensure that you have all the root CA certificates and possible intermediate CA certificates to complete the trust chain to trust any certificates used by Identity Server.

Content Settings

  • Cache Options: Be cautious in making changes to the cache options. Changing cache options can impact the performance of your Access Manager system. You might see an increase or decline in Access Gateway performance, depending on the changes made to the cache options.

Scheduling a Command

  1. Click Devices > Access Gateways.

  2. (Conditional) To schedule a shutdown or restart, select a server, then click Actions > Schedule Restart or Schedule Stop. Continue with Step 4.

  3. (Conditional) To schedule an upgrade for Access Gateway Appliance, click [Name of Server] > Upgrade > Schedule Upgrade.

  4. Specify the following details:

    Field

    Description

    Name Scheduled Command

    Specify a name for this command. This name is used in log files.

    Description

    (Optional) Specify a reason for the command.

    Date & Time

    Select the day, month, year, hour, and minute when the command must execute.

    The following fields display information about the command you are scheduling:

    Type: Displays the type of command that is being scheduled, such as Access Gateway Shutdown, Access Gateway Restart, or Access Gateway Upgrade.

    Server: Displays the name of the server that the command is being scheduled for.

  5. Click OK.