15.2 Deployment Procedure

Identity Manager components can be deployed on a private or a public network based on your requirement. Figure 15-1 illustrates a sample deployment that is used in the subsequent sections.

Figure 15-1 Identity Manager Deployment on Microsoft Azure

Identity Manager components can be deployed on Microsoft Azure in different combinations depending on how the components are distributed on different servers. However, the deployment procedure is the same for all scenarios.

The deployment procedure consists of the following steps, each described in its own section below:

  1. Creating a Resource Group

  2. Creating a Virtual Network and Subnet

  3. Creating an Application Gateway

  4. Creating a Virtual Machine Instance

  5. Updating host entries in VM

  6. Setting Up Designer

  7. Configuring the Application Gateway

15.2.1 Creating a Resource Group

NetIQ recommends that you create a resource group and add all resources used by Identity Manager to that group. Perform the following steps to create a new resource group:

  1. Log in to the Azure portal.

  2. Click Resource groups.

  3. Click Create.

  4. In the Basics tab:

    1. Select your Subscription from the drop-down list.

    2. Enter a new resource group name.

    3. Select the location from the Region drop-down list. For example, Central India.

    4. Click Next : Tags >.

  5. In the Tags tab, click Next : Review + Create >.

  6. In the Review + create tab, click Create.

15.2.2 Creating a Virtual Network and Subnet

  1. Log in to the Azure Portal.

  2. Type virtual network in the search.

  3. Under Services, select Virtual networks.

  4. Click Create.

  5. In the Basics tab, specify the following details:

     Subscription: Select your Subscription from the drop-down list.

     Resource Group: Select the existing resource group from the drop-down list.

     Name: Specify the name for the virtual network.

     Region: Select the location from the drop-down list. For example, Central India.

    1. Click Next : IP Addresses >.

  6. In the IP Addresses tab, add the subnets. An application gateway requires a subnet of its own in which no other resource is deployed, so create one subnet for the gateway and a second subnet for the Identity Manager virtual machines.

    1. Click Add subnet.

      1. Specify the subnet name. For example, default.

      2. Specify the subnet address range. For example, 10.1.0.0/24.

      3. Click Add.

    2. Click Next : Security >.

  7. In the Security tab, keep the default values for all the fields, then click Next : Tags >.

  8. In the Tags tab, click Next : Review + create >.

  9. In the Review + create tab, review your settings, then click Create.

15.2.3 Creating an Application Gateway

  1. Log in to the Azure portal.

  2. Click Create a Resource.

  3. Go to Categories > Networking > Application Gateway.

  4. In the Basics tab, specify the following details:

     Subscription: Select your Subscription from the drop-down list.

     Resource Group: Select the existing resource group from the drop-down list.

     Application gateway name: Specify the application gateway name.

     Region: Select the location from the drop-down list. For example, Central India.

     Tier: Select the required tier. For example, Standard V2.

     Minimum instance count: Specify the value 0.

     Maximum instance count: Specify the value 10.

     Virtual Network: Select the virtual network and the gateway subnet that you created earlier. See Creating a Virtual Network and Subnet.

    1. Keep the default values for the rest of the fields, then click Next : Frontends >.

  5. In the Frontends tab:

    1. Select Public.

    2. Under Public IP address, click Add new.

      1. Specify the public IP address name. In the sample deployment, the DNS name of this public IP is idmgateway.centralindia.cloudapp.azure.com; this is the name that external users and the hosts file entries in Table 15-1 use to reach the gateway.

      2. Click OK.

    3. Click Next : Backends >.

  6. In the Backends tab:

    1. Click Add a backend pool.

      1. Specify backend pool name.

      2. Select Yes to add a backend pool without targets.

      3. Click Add.

    2. Click Next : Configuration >.

  7. In the Configuration tab:

    1. Under Routing rules, click Add a routing rule.

    2. Specify the Rule name.

    3. In the Listener tab, specify the following details:

       Listener Name: Specify the listener name.

       Frontend IP: Select Public from the drop-down list.

       Protocol: Select HTTP.

       Port: Specify the value 80.

       This HTTP listener on port 80 exists only because the wizard requires at least one routing rule before it creates the gateway. The HTTPS listeners that the Identity Manager components actually use are added later in Configuring the Application Gateway. Once those exist, remove this placeholder rule (or redirect it to HTTPS) so that the gateway does not keep accepting unencrypted traffic.

    4. Keep the default values for the rest of the fields.

    5. In the Backend targets tab, specify the following details:

       Backend target: Select the backend pool created in the previous step from the drop-down list.

       HTTP Settings: Click Add new, specify the HTTP settings name, keep the default values for all the other fields, then click Add.

      1. Click Add to save the routing rule.

    6. Click Next : Tags >.

  8. In the Tags tab, click Next : Review + create >.

  9. In the Review + create tab, review your settings, then click Create.

NOTE:For more information related to configuring the application gateway, see Configuring the Application Gateway.

15.2.4 Creating a Virtual Machine Instance

Create a virtual machine for each server in your deployment that hosts Identity Manager components (see Figure 15-1). Repeat this procedure for each virtual machine.

  1. Log in to the Azure portal.

  2. Type virtual machines in the search.

  3. Under Services, select Virtual machines.

  4. Click Create, then select Virtual machine.

  5. In the Basics tab:

    1. Select your Subscription from the drop-down list.

    2. Select the existing resource group from the drop-down list (see Creating a Resource Group).

    3. Specify the Virtual machine name.

    4. Select the location from the Region drop-down list. For example, Central India.

    5. Select the required Windows Server image from the Image drop-down list. For example, Windows Server 2019.

    6. Select the virtual machine size from the Size drop-down list.

    7. Specify Username, Password, and Confirm password.

    8. Under Licensing, if you own an eligible Windows Server license with Software Assurance, select the option to use an existing Windows Server license and confirm your eligibility when prompted.

    9. Keep the default values for the rest of the fields.

    10. Click Next : Disks >.

  6. In the Disks tab:

    1. Select the disk type from the OS disk type drop-down list. For example, Premium SSD.

    2. Select the required Encryption type from the drop-down list.

    3. Click Next : Networking >.

  7. In the Networking tab:

    1. Select the virtual network and the subnet reserved for the Identity Manager virtual machines. See Creating a Virtual Network and Subnet.

    2. Under NIC network security group, select Advanced.

    3. Select the existing network security group from the drop-down list.

      1. (Conditional) If no network security group is available, click Create new.

      2. Specify the network security group name.

      3. Click Add an inbound rule and specify the required details. Allow only the ports that the components on this VM listen on (see the port list under Configuring the Application Gateway) and the Remote Desktop port, and restrict the source of each rule to the address ranges that need access rather than Any.

      4. Click Add an outbound rule and specify the required details.

      5. Click OK.

    4. Keep the default values for the rest of the fields.

    5. Click Next : Management >.

  8. In the Management tab, keep the default values for all the fields, then click Next : Advanced >.

  9. In the Advanced tab, keep the default values for all the fields, then click Next : Tags >.

  10. In the Tags tab, keep the default values for all the fields, then click Next : Review + create >.

  11. In the Review + create tab, review your settings, then click Create.
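The following script is an added example and is not part of the NetIQ documentation. It creates the NIC network security group from step 7 with Az PowerShell instead of the portal wizard, admitting only the traffic this deployment needs. The component ports are the ones listed under Configuring the Application Gateway; the resource group name, region, the gateway subnet 10.1.0.0/24, the administrative address range 203.0.113.0/24 and the NIC name are assumptions of the script.

```powershell
# Added example (not part of the NetIQ documentation): create the NIC network
# security group for an Identity Manager VM with Az PowerShell.
# Assumptions not taken from the page: resource group 'idm-rg', region
# 'centralindia', the application gateway deployed in subnet 10.1.0.0/24,
# 203.0.113.0/24 as the range administrators connect from, and the NIC name.
$rg        = 'idm-rg'
$location  = 'centralindia'
$gwSubnet  = '10.1.0.0/24'     # subnet that hosts the application gateway
$adminCidr = '203.0.113.0/24'  # where RDP sessions may originate
$nicName   = 'idmapps-nic'     # NIC of the Identity Applications VM

# Component ports as listed under Configuring the Application Gateway.
$idmPorts = @('8443', '8543', '8600', '8643')

$rules = @(
    # Only the application gateway subnet may reach the component HTTPS ports.
    # The gateway subnet is inside the virtual network, so the built-in
    # AllowVnetInBound rule would admit it anyway; this rule records the intent
    # and keeps working if VNet-wide traffic is tightened later.
    (New-AzNetworkSecurityRuleConfig -Name 'allow-appgw-to-idm' -Direction Inbound `
        -Priority 100 -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $gwSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $idmPorts)

    # RDP only from the administrative range, never from the whole Internet.
    (New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-admin' -Direction Inbound `
        -Priority 110 -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389)
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'idm-apps-nsg' -SecurityRules $rules

# Azure's built-in rules sit below these: AllowVnetInBound (65000) still lets
# the Identity Manager VMs talk to one another inside the virtual network, and
# DenyAllInBound (65500) drops everything else, including RDP from the Internet.

# Check the inbound rule order before attaching the group to the NIC.
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Priority, Name, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize

# Attach the group to the VM's NIC (the portal does this when you pick it under
# NIC network security group > Advanced).
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null
```

Run it once per VM, adjusting the port list to the components that VM hosts; the Identity Engine VM, for instance, does not need the Identity Applications ports opened.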

15.2.5 Updating Host Entries in the VM

You can access the Identity Manager components using the public DNS name of the application gateway or the alias DNS record set. To allow the Identity Manager components to communicate with one another, edit the hosts file on each VM and add entries that resolve the private DNS name of the Identity Engine VM and the public DNS name of the application gateway to the private IP addresses of the respective VMs. Mapping the gateway's public name to the private IP of the Identity Applications VM lets components that are configured with the public URL reach the Identity Applications directly over the private subnet instead of going out through the gateway.

Table 15-1 Updating host entries

Identity Engine: Open the hosts file on the Identity Engine VM. For example:

C:\Windows\System32\drivers\etc\hosts

Add the following entries:

<IP address of Identity engine VM> <Private DNS Name of Identity engine VM>

<IP address of Identity applications VM> <Public DNS Name of application gateway>

For example:

10.0.1.1 identityengine.example.com

10.0.1.2 idmgateway.centralindia.cloudapp.azure.com

Identity Applications: Open the hosts file on the Identity Applications VM (same path as above) and add the same two entries. For example:

10.0.1.1 identityengine.example.com

10.0.1.2 idmgateway.centralindia.cloudapp.azure.com

To update the host entries for Identity Reporting and iManager, see Identity Applications in Table 15-1.

NOTE:For the installation of Identity Manager components, see Installation Procedures.
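The following script is an added example and is not part of the NetIQ documentation. It applies the entries from Table 15-1 to the hosts file of a VM idempotently, so it can be re-run on every VM without producing duplicate or conflicting lines. The IP addresses and names are the examples from Table 15-1; the backup naming and the verification step are assumptions of the script. Run it from an elevated PowerShell prompt on each VM.

```powershell
# Added example (not part of the NetIQ documentation): idempotent update of the
# Windows hosts file on an Identity Manager VM. Addresses and names are the
# examples from Table 15-1; the backup naming and the verification are
# assumptions of this script. Requires an elevated prompt.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

# Entries every VM in the example deployment needs (Table 15-1).
$entries = [ordered]@{
    '10.0.1.1' = 'identityengine.example.com'                  # Identity Engine VM
    '10.0.1.2' = 'idmgateway.centralindia.cloudapp.azure.com'  # Identity Applications VM
}

function Update-IdmHostsFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Entries
    )
    # Keep a timestamped backup so a bad edit can be reverted.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Copy-Item -Path $Path -Destination "$Path.$stamp.bak" -ErrorAction Stop

    $lines   = @(Get-Content -Path $Path -ErrorAction Stop)
    $changed = $false
    foreach ($ip in $Entries.Keys) {
        $name    = $Entries[$ip]
        $desired = "$ip`t$name"
        # Any active (non-comment) line that already maps this name, to any address.
        $byName  = '^\s*(?!#)\S+\s+' + [regex]::Escape($name) + '(\s|$)'
        # The exact mapping we want, allowing for different whitespace.
        $correct = '^\s*' + [regex]::Escape($ip) + '\s+' + [regex]::Escape($name) + '(\s|$)'

        $idx = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match $byName) { $idx = $i; break }
        }
        if ($idx -lt 0) {
            $lines  += $desired          # name not present: append
            $changed = $true
        } elseif ($lines[$idx] -notmatch $correct) {
            $lines[$idx] = $desired      # name present but pointing elsewhere: fix it
            $changed     = $true
        }
    }
    if ($changed) {
        # Write plain ASCII with no byte-order mark, which the hosts parser does not expect.
        Set-Content -Path $Path -Value $lines -Encoding ASCII -ErrorAction Stop
    }
    return $changed
}

if (Update-IdmHostsFile -Path $hostsPath -Entries $entries) {
    Write-Host 'hosts file updated'
} else {
    Write-Host 'hosts file already current'
}

# Verify that each name now resolves to the private address from the hosts file.
Clear-DnsClientCache
foreach ($name in $entries.Values) {
    Resolve-DnsName -Name $name -Type A -ErrorAction Stop | Select-Object Name, IPAddress
}
```

The check at the end matters: if the gateway name still resolves to its public address on the Identity Applications VM, the entry was not picked up and inter-component traffic will loop out through the gateway.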

15.2.6 Setting Up Designer

  1. On a public subnet, launch a Virtual Machine instance. See Creating a Virtual Machine Instance.

     In the network security group for this Windows VM, allow inbound traffic on the Remote Desktop port only (3389 by default), and limit the source of that rule to the address range your administrators connect from rather than Any.

  2. Install Designer. Refer to Section IV, Installing Designer.

15.2.7 Configuring the Application Gateway

Configure the application gateway to allow external networks to use Identity Manager components that are hosted on the virtual machines.

  1. Configure a separate backend pool for each Identity Manager component (iManager, Identity Applications, Forms and Identity Reporting).

    1. In Backend pools, click Add.

    2. Specify the following details:

      Field

      Description

      Name

      Specify the name of a backend pool to identify the Identity Manager component.

      Type

      Specify the type in one of the following ways:

      • IP address or FQDN: Specify the IP address or FQDN of the required Identity Manager component.

      • Virtual Machine: Select the Virtual Machine that is hosting the required Identity Manager component.

    3. Click OK.

    Repeat this step to configure additional backend pools.

  2. Configure separate HTTP settings for each Identity Manager component (iManager, Identity Applications, Forms and Identity Reporting).

    NOTE:Ensure that you have exported the public certificate for the required Identity Manager components.

    1. In HTTP Settings, click Add.

    2. Specify the following details:

       Name: Specify the name of an HTTP setting to identify the Identity Manager component.

       Protocol: Select HTTPS.

       Port: Specify the port of the Identity Manager component. For example:

       • iManager: 8443

       • Identity Applications: 8543

       • Forms: 8600

       • Identity Reporting: 8643

       Backend Authentication Certificates:

       1. Select Create new.

       2. Specify the name of the certificate.

       3. Browse and upload the exported public certificate for the corresponding Identity Manager component.

       4. Click Add Certificate.

       NOTE:On the Standard V2 tier the portal does not show Backend Authentication Certificates. Instead it asks whether the backend server uses a well-known CA certificate; select No and upload the root CA certificate (.CER) that issued the component's server certificate. In both cases the gateway verifies the certificate the component presents, so the uploaded certificate must match the one actually installed on the component.

    3. Click OK.

    Repeat this step to configure additional HTTP settings.

  3. Configure a separate listener for each Identity Manager component (iManager, Identity Applications, Forms and Identity Reporting).

    NOTE:Ensure that you have exported the .PFX certificate from the Identity Vault.

    1. In Listeners, click Basic.

    2. Specify the following details:

       Name: Specify the name of the listener to identify the Identity Manager component.

       Frontend IP configuration:

       1. Select the public frontend IP configuration that you created with the gateway. See Creating an Application Gateway.

       2. Specify the Name and Port number of the application. For example:

         iManager: 8443

         Identity Applications: 8543

         Forms: 8600

         Identity Reporting: 8643

       Protocol: Select HTTPS.

       Certificate:

       1. Browse and upload the PFX certificate.

       2. Specify the Name and Password of the certificate.

    3. Click OK.

    Repeat this step to configure additional listeners.

  4. Create a basic rule for each Identity Manager component (iManager, Identity Applications, Forms and Identity Reporting) and associate it with the respective backend pool, listener, and HTTP setting.

    1. In Rules, click Add.

    2. Specify the following details:

       Name: Specify the name of a rule that helps in identifying the Identity Manager component.

       Listener: Select the respective listener that is created in Step 3.

       Backend Pool: Select the respective backend pool that is created in Step 1.

       HTTP setting: Select the respective HTTP setting that is created in Step 2.

    3. Click OK.

    Repeat this step to configure additional rules.
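The following script is an added example and is not part of the NetIQ documentation. It performs steps 1 through 4 above for all four components in one pass with Az PowerShell, so that the pool, HTTP setting, listener and rule for each component are created together and named consistently. The component ports are the page's examples; the gateway and resource group names, the backend IP addresses, the backend host names used for certificate validation, the certificate paths and the rule priorities are assumptions of the script. It assumes the Standard V2 tier, on which the backend is trusted through a root CA certificate (.CER) rather than a v1 backend authentication certificate.

```powershell
# Added example (not part of the NetIQ documentation): steps 1-4 of
# Configuring the Application Gateway for every component with Az PowerShell.
# Ports are the page's examples; names, addresses, host names, certificate
# paths and priorities are assumptions. Assumes the Standard V2 tier.
$rg      = 'idm-rg'
$gwName  = 'idmgateway'
$pfxPath = 'C:\certs\idmgateway.pfx'   # listener certificate exported from the Identity Vault
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# One entry per component: backend port, VM address, the host name the
# component's server certificate is issued to, and the CA that issued it.
$components = @(
    @{ Name = 'imanager';  Port = 8443; Backend = '10.0.1.1'; ServerName = 'identityengine.example.com'; RootCer = 'C:\certs\vault-ca.cer' }
    @{ Name = 'idmapps';   Port = 8543; Backend = '10.0.1.2'; ServerName = 'identityapps.example.com';   RootCer = 'C:\certs\vault-ca.cer' }
    @{ Name = 'forms';     Port = 8600; Backend = '10.0.1.2'; ServerName = 'identityapps.example.com';   RootCer = 'C:\certs\vault-ca.cer' }
    @{ Name = 'reporting'; Port = 8643; Backend = '10.0.1.2'; ServerName = 'identityapps.example.com';   RootCer = 'C:\certs\vault-ca.cer' }
)

$gw  = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gwName
$fip = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw |
       Where-Object { $null -ne $_.PublicIPAddress } | Select-Object -First 1

# All listeners share the gateway's public name, so one PFX serves them all.
$gw      = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'idm-listener-cert' `
               -CertificateFile $pfxPath -Password $pfxPass
$sslCert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'idm-listener-cert'

# One CA signs every component certificate in this example, so register it once.
$gw   = Add-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw -Name 'vault-ca' `
            -CertificateFile $components[0].RootCer
$root = Get-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw -Name 'vault-ca'

$priority = 100
foreach ($c in $components) {
    $n = $c.Name

    # Step 1: backend pool that targets the VM hosting the component.
    $gw   = Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name "$n-pool" `
                -BackendIPAddresses $c.Backend
    $pool = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name "$n-pool"

    # Step 2: HTTPS backend setting. HostName is sent as SNI and checked against
    # the component's certificate, which must chain to the trusted root.
    $gw      = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "$n-https" `
                   -Port $c.Port -Protocol Https -CookieBasedAffinity Disabled `
                   -HostName $c.ServerName -TrustedRootCertificate $root
    $setting = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "$n-https"

    # Step 3: one HTTPS listener per component on its own frontend port.
    $gw       = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name "$n-port" -Port $c.Port
    $fport    = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name "$n-port"
    $gw       = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "$n-listener" `
                    -Protocol Https -FrontendIPConfiguration $fip -FrontendPort $fport -SslCertificate $sslCert
    $listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "$n-listener"

    # Step 4: basic rule that ties listener, pool and setting together.
    $gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "$n-rule" `
              -RuleType Basic -Priority $priority -HttpListener $listener `
              -BackendAddressPool $pool -BackendHttpSettings $setting
    $priority += 10
}

# Nothing above is applied until the modified gateway object is written back.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Check: every backend server should report Healthy once the probes succeed.
$health = Get-AzApplicationGatewayBackendHealth -ResourceGroupName $rg -Name $gwName
$health.BackendAddressPools |
    ForEach-Object { $_.BackendHttpSettingsCollection } |
    ForEach-Object { $_.Servers } |
    Select-Object Address, Health
```

An Unhealthy result after this script almost always means the backend certificate check failed: either the component's certificate does not chain to the uploaded root, or its subject does not match the ServerName sent as SNI. Fix the certificate on the component or the ServerName entry rather than disabling the check.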