Identity Manager components can be deployed on a private or a public network depending on your requirements. Figure 15-1 illustrates a sample deployment that is used in the subsequent sections.
Figure 15-1 Identity Manager Deployment on Microsoft Azure
Identity Manager components can be deployed on Microsoft Azure in different combinations depending on how the components are distributed on different servers. However, the deployment procedure is the same for all scenarios.
The deployment procedure consists of the following steps:
NetIQ recommends that you create a resource group and add the required resources to the group to use with Identity Manager. Perform the following steps to create a new resource group:
Log in to the Azure portal.
Click Resource groups.
Click Create.
In the Basics tab:
Select your Subscription from the drop-down list.
Enter a new resource group name.
Select the location from the Region drop-down list. For example, Central India.
Click Next : Tags >.
In the Tags tab, click Next : Review + Create >.
In the Review + create tab, click Create.
Log in to the Azure portal.
Type virtual network in the search.
Under Services, select Virtual networks.
Click Create.
In the Basics tab, specify the following details:
| Field | Description |
|---|---|
| Subscription | Select your Subscription from the drop-down list. |
| Resource Group | Select the existing resource group from the drop-down list. |
| Name | Specify the name for the virtual network. |
| Region | Select the location from the drop-down list. For example, Central India. |
Click Next : IP Addresses >.
In the IP Addresses tab:
Click Add subnet.
Specify the subnet name. For example, default.
Specify the subnet address range. For example, 10.1.0.0/24.
Click Add.
Click Next : Security >.
In the Security tab, keep the default values for all the fields, then click Next : Tags >.
In the Tags tab, click Next : Review + create >.
In the Review + create tab, review your settings, then click Create.
Log in to the Azure portal.
Click Create a Resource.
Go to Categories > Networking > Application Gateway.
In the Basics tab, specify the following details:
| Field | Description |
|---|---|
| Subscription | Select your Subscription from the drop-down list. |
| Resource Group | Select the existing resource group from the drop-down list. |
| Application gateway name | Specify the application gateway name. |
| Region | Select the location from the drop-down list. For example, Central India. |
| Tier | Select the required tier. For example, Standard V2. |
| Minimum instance count | Specify the value 0. |
| Maximum instance count | Specify the value 10. |
| Virtual Network | Select the virtual network and corresponding subnet that you already created. See Creating a Virtual Network and Subnet. |
Keep the default values for the rest of the fields, then click Next : Frontends >.
In the Frontends tab:
Select Public.
Under Public IP address, click Add new.
Specify the public IP address name. For example, idmgateway.centralindia.cloudapp.azure.com.
Click OK.
Click Next : Backends >.
In the Backends tab:
Click Add a backend pool.
Specify the backend pool name.
Select Yes to add a backend pool without targets.
Click Add.
Click Next : Configuration >.
In the Configuration tab:
Under Routing rules, click Add a routing rule.
Specify the Rule name.
In the Listener tab, specify the following details:
| Field | Description |
|---|---|
| Listener Name | Specify the listener name. |
| Frontend IP | Select Public from the drop-down list. |
| Protocol | Select HTTP. |
| Port | Specify the value 80. |
Keep the default values for the rest of the fields.
In the Backend targets tab, specify the following details:
| Field | Description |
|---|---|
| Backend target | Select the backend target from the drop-down list. |
| HTTP Settings | Click Add new and specify the HTTP settings name. Keep the default values for all the fields, then click Add. |
Click Add.
Click Next : Tags >.
In the Tags tab, click Next : Review + create >.
In the Review + create tab, review your settings, then click Create.
NOTE: For more information related to configuring the application gateway, see Configuring the Application Gateway.
Create a separate virtual machine to host the Identity Manager components.
Log in to the Azure portal.
Type virtual machines in the search.
Under Services, select Virtual machines.
Click Create, then select Virtual machine.
In the Basics tab:
Select your Subscription from the drop-down list.
Select the existing resource group from the drop-down list (see Creating a Resource Group).
Specify the Virtual machine name.
Select the location from the Region drop-down list. For example, Central India.
Select the required Windows Server image from the Image drop-down list. For example, Windows Server 2019.
Select the virtual machine size from the Size drop-down list.
Specify Username, Password, and Confirm password.
Under Licensing, select the Windows Server License option, then confirm that you have an eligible Windows Server license with Software Assurance.
Keep the default values for the rest of the fields.
Click Next : Disks >.
In the Disks tab:
Select the disk type from the OS disk type drop-down list. For example, Premium SSD.
Select the required Encryption type from the drop-down list.
Click Next : Networking >.
In the Networking tab:
Select the virtual network and corresponding subnet that you already created. See Creating a Virtual Network and Subnet.
Under Network security group, select Advanced.
Select the existing network security group from the drop-down list.
(Conditional) If a network security group is not available, click Create new.
Specify the network security group name.
Click Add an inbound rule, then specify the required details.
Click Add an outbound rule, then specify the required details.
Click OK.
Keep the default values for the rest of the fields.
Click Next : Management >.
In the Management tab, keep the default values for all the fields, then click Next : Advanced >.
In the Advanced tab, keep the default values for all the fields, then click Next : Tags >.
In the Tags tab, keep the default values for all the fields, then click Next : Review + create >.
In the Review + create tab, review your settings, then click Create.
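The resource group, virtual network and subnet, application gateway and virtual machine steps above, scripted with Azure CLI as an added example (this is not NetIQ's code; the resource names, VM size, VNet range, admin credentials and ADMIN_CIDR are assumptions). It goes slightly beyond the portal steps by giving the VM no public IP and by restricting the RDP rule to an administrative network instead of any source; by default it only prints the commands so the plan can be reviewed before it is applied.

```shell
#!/bin/sh
# Azure CLI equivalent of the portal steps above (added example, not NetIQ's code).
# From the page: region Central India, subnet default 10.1.0.0/24, Windows Server 2019,
# Premium SSD, RDP-only NSG, gateway DNS label idmgateway, autoscale 0..10 instances.
# RG, VNET, NSG, the VM size and the ADMIN_* values are assumptions.
set -eu
RG=${RG:-idm-rg}; LOCATION=centralindia; VNET=idm-vnet; NSG=idm-nsg
ADMIN_USER=${ADMIN_USER:-idmadmin}; ADMIN_PASS=${ADMIN_PASS:-}
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.0/24}   # placeholder: your admin network, never "Any"
DRY_RUN=${DRY_RUN:-1}; EMPTY='""'           # 1 = print the az commands, 0 = run them

az_cmd() {   # print the command in dry-run mode (empty args shown as ""), else run it
  if [ "$DRY_RUN" = 1 ]; then
    printf 'az'; for a in "$@"; do printf ' %s' "${a:-$EMPTY}"; done; printf '\n'
  else az "$@"; fi
}
create_network() {   # resource group, VNet, VM subnet, and a dedicated gateway subnet
  az_cmd group create --name "$RG" --location "$LOCATION"
  az_cmd network vnet create -g "$RG" -n "$VNET" --address-prefix 10.1.0.0/16 \
    --subnet-name default --subnet-prefix 10.1.0.0/24
  az_cmd network vnet subnet create -g "$RG" --vnet-name "$VNET" -n gateway \
    --address-prefix 10.1.1.0/24
}
create_nsg() {   # inbound RDP only (the page's "rdesktop port"), and only from ADMIN_CIDR
  az_cmd network nsg create -g "$RG" -n "$NSG"
  az_cmd network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-rdp-admin \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ADMIN_CIDR" --destination-port-ranges 3389
}
create_vm() {   # $1 = VM name; no public IP, the VM is reached through the gateway
  [ "$DRY_RUN" = 1 ] || : "${ADMIN_PASS:?export ADMIN_PASS before applying}"
  az_cmd vm create -g "$RG" -n "$1" --image Win2019Datacenter --size Standard_D4s_v3 \
    --admin-username "$ADMIN_USER" --admin-password "$ADMIN_PASS" \
    --vnet-name "$VNET" --subnet default --nsg "$NSG" --public-ip-address "" \
    --storage-sku Premium_LRS --license-type Windows_Server
}
create_gateway() {   # Standard_v2, public frontend on HTTP:80, autoscale 0..10 instances
  az_cmd network public-ip create -g "$RG" -n idmgateway-pip --sku Standard \
    --allocation-method Static --dns-name idmgateway
  az_cmd network application-gateway create -g "$RG" -n idmgateway -l "$LOCATION" \
    --sku Standard_v2 --min-capacity 0 --max-capacity 10 --vnet-name "$VNET" \
    --subnet gateway --public-ip-address idmgateway-pip --frontend-port 80 \
    --http-settings-port 80 --http-settings-protocol Http --priority 100
}
deploy_all() { create_network; create_nsg; create_vm idm-engine; create_vm idm-apps; create_gateway; }
# "./deploy.sh apply" executes the commands; any other invocation only prints them.
if [ "${1:-}" = apply ]; then DRY_RUN=0; deploy_all; fi
```

The listener created here is the HTTP:80 one from the portal walkthrough; the HTTPS listeners, backend certificates and per-component rules are added later under Configuring the Application Gateway.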
You can access the Identity Manager components using the public DNS name of the application gateway or the alias DNS record set. To allow Identity Manager components to communicate with one another, edit the hosts files on each VM and add an entry to resolve its hostname.
Table 15-1 Updating host entries
| Components | Description |
|---|---|
| Identity Engine | Navigate to the hosts file on the Identity Engine VM, for example C:\Windows\System32\drivers\etc\hosts, and modify it with the following entries:<br><IP address of Identity Engine VM> <Private DNS name of Identity Engine VM><br>For example: 10.0.1.1 identityengine.example.com<br><IP address of Identity Applications VM> <Public DNS name of application gateway><br>For example: 10.0.1.2 idmgateway.centralindia.cloudapp.azure.com |
| Identity Applications | Navigate to the hosts file on the Identity Engine VM, for example C:\Windows\System32\drivers\etc\hosts, and modify it with the following entries:<br><IP address of Identity Engine VM> <Private DNS name of Identity Engine VM><br>For example: 10.0.1.1 identityengine.example.com<br><IP address of Identity Applications VM> <Public DNS name of application gateway><br>For example: 10.0.1.2 idmgateway.centralindia.cloudapp.azure.com |
To update the host entries for Identity Reporting and iManager, see Identity Applications in Table 15-1.
NOTE: For the installation of Identity Manager components, see Installation Procedures.
On a public subnet, launch a virtual machine instance. See Creating a Virtual Machine Instance.
For the Windows security group, allow only the remote desktop (RDP) port. For example, 3389.
Install Designer. Refer to Section IV, Installing Designer.
Configure the application gateway to allow external networks to use Identity Manager components that are hosted on the virtual machines.
Configure a separate backend pool for Identity Manager components such as iManager, Identity Applications, forms and Identity Reporting.
In Backend pools, click Add.
Specify the following details:
| Field | Description |
|---|---|
| Name | Specify the name of a backend pool that identifies the Identity Manager component. |
| Type | Specify the type in one of the following ways: |
Click OK.
Repeat this step to configure additional backend pools.
Configure separate HTTP settings for Identity Manager components such as iManager, Identity Applications, forms and Identity Reporting.
NOTE: Ensure that you have exported the public certificate for the required Identity Manager components.
In HTTP Settings, click Add.
Specify the following details:
| Field | Description |
|---|---|
| Name | Specify the name of an HTTP setting that identifies the Identity Manager component. |
| Protocol | Select HTTPS. |
| Port | Specify the port of the Identity Manager component. For example: |
| Backend Authentication Certificates | |
Click OK.
Repeat this step to configure additional HTTP settings.
Configure a separate listener for each Identity Manager component such as iManager, Identity Applications, forms and Identity Reporting.
NOTE: Ensure that you have exported the .PFX certificate from the Identity Vault.
In Listeners, click Basic.
Specify the following details:
| Field | Description |
|---|---|
| Name | Specify the name of the listener that identifies the Identity Manager component. |
| Frontend IP configuration | |
| Protocol | Select HTTPS. |
| Certificate | |
Click OK.
Repeat this step to configure additional listeners.
Create a basic rule for Identity Manager components such as iManager, Identity Applications, forms and Identity Reporting and associate this rule with the respective backend pool, Listener, and HTTP setting.
In Rule, click Add.
Specify the following details:
| Field | Description |
|---|---|
| Name | Specify the name of a rule that identifies the Identity Manager component. |
| Listener | Select the respective listener that you created in Step 3. |
| Backend Pool | Select the respective backend pool that you created in Step 1. |
| HTTP setting | Select the respective HTTP setting that you created in Step 2. |
Click OK.
Repeat this step to configure additional rules.
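The four application gateway steps above (backend pool, HTTPS settings with a backend certificate, HTTPS listener with the .PFX from the Identity Vault, and the basic rule that joins them) as one Azure CLI script per component; this is an added example, not NetIQ's code, and the component ports, certificate paths, backend IPs and resource names are constructed sample values. Like the portal steps it uses a basic listener, so each component gets its own frontend port.

```shell
#!/bin/sh
# Azure CLI form of the backend pool, HTTP settings, listener and rule steps above
# (added example, not NetIQ's code). The gateway name idmgateway is from the page;
# component ports, certificate paths, backend IPs and names are constructed samples.
set -eu
RG=${RG:-idm-rg}; GW=${GW:-idmgateway}; DRY_RUN=${DRY_RUN:-1}; EMPTY='""'
az_cmd() {   # print the command in dry-run mode (empty args shown as ""), else run it
  if [ "$DRY_RUN" = 1 ]; then
    printf 'az'; for a in "$@"; do printf ' %s' "${a:-$EMPTY}"; done; printf '\n'
  else az "$@"; fi
}
agw() { az_cmd network application-gateway "$@" -g "$RG" --gateway-name "$GW"; }

add_listener_cert() {   # $1 = the .PFX exported from the Identity Vault; password from PFX_PASSWORD
  [ "$DRY_RUN" = 1 ] || : "${PFX_PASSWORD:?export PFX_PASSWORD before applying}"
  agw ssl-cert create -n idm-listener-cert --cert-file "$1" --cert-password "${PFX_PASSWORD:-}"
}
# Per component: backend pool -> backend auth cert + HTTPS settings -> basic HTTPS listener
# on its own frontend port -> basic rule tying the three together.
#   $1 component  $2 backend VM private IP  $3 port (used for frontend and backend)
#   $4 the component's exported public certificate (.cer)  $5 rule priority (unique)
add_component() {
  local name=$1 ip=$2 port=$3 cer=$4 prio=$5
  agw address-pool create -n "pool-$name" --servers "$ip"
  # "Backend Authentication Certificates" as named on the page (Standard/WAF v1 field);
  # a Standard_v2 gateway uses trusted root certificates instead: root-cert create, --root-certs.
  agw auth-cert create -n "auth-$name" --cert-file "$cer"
  agw http-settings create -n "https-$name" --protocol Https --port "$port" \
    --auth-certs "auth-$name"
  agw frontend-port create -n "fp-$port" --port "$port"
  agw http-listener create -n "listen-$name" --frontend-port "fp-$port" \
    --frontend-ip appGatewayFrontendIP --ssl-cert idm-listener-cert
  agw rule create -n "rule-$name" --rule-type Basic --priority "$prio" \
    --http-listener "listen-$name" --address-pool "pool-$name" --http-settings "https-$name"
}
configure_all() {   # constructed sample values; one pool/setting/listener/rule per component
  add_listener_cert /secure/idm-gateway.pfx
  add_component imanager  10.1.0.4 8443 /secure/imanager.cer  100
  add_component idapps    10.1.0.5 8543 /secure/idapps.cer    110
  add_component forms     10.1.0.5 8600 /secure/forms.cer     120
  add_component reporting 10.1.0.6 8643 /secure/reporting.cer 130
}
# "./gateway.sh apply" executes the commands; any other invocation only prints them.
if [ "${1:-}" = apply ]; then DRY_RUN=0; configure_all; fi
```

appGatewayFrontendIP is the frontend IP configuration name that az network application-gateway create assigns by default; check it with az network application-gateway frontend-ip list if the gateway was created in the portal.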