1.4 Differences Between Access Manager and Access Manager Appliance

Access Manager Appliance is a new deployment model introduced in NetIQ Access Manager 3.2. It includes all major components such as Administration Console, Identity Server, and Access Gateway in a single soft appliance. This solution differs from the other Access Manager model where all the components can be installed on separate servers. Access Manager Appliance enables organizations to rapidly deploy and secure Web and enterprise applications. This simplifies access to any application.

You can find Access Manager Appliance documentation here: https://www.netiq.com/documentation/netiqaccessmanager4_appliance/

The following table lists differences between Access Manager and Access Manager Appliance:

Installation

Access Manager Appliance: All the components, such as the Identity Server and Access Gateway, are installed on a single server.

Access Manager: Each Access Manager component, such as the Identity Server and Access Gateway, can be installed on a different machine. To deploy the existing solution in cluster mode, at least 6 machines are required.

Time to Value

Access Manager Appliance: During installation and configuration of Access Manager Appliance, several steps are automated to set up the system quickly.

Access Manager: Installation and configuration of Access Manager take more time because the components are on different servers.

User Input Required during Installation

Access Manager Appliance: Access Manager Appliance is a software appliance that takes only a few basic parameters as input. Several options assume default values.

Access Manager: With Access Manager, you have more flexibility during installation in terms of selectable parameters.

Installation and Configuration Phases

Access Manager Appliance: The installation program takes care of the configuration of each component. The product is ready for use after it is installed.

Access Manager: There are separate installation and configuration phases for each component. After installation, each Access Manager component is configured separately.

Host Operating System

Access Manager Appliance: A soft appliance that includes a pre-installed and configured SUSE Linux operating system. Both the operating system and Access Manager patches are maintained by NetIQ through the patch update channel.

Access Manager: The operating system choice is more flexible. Install Administration Console, Identity Server, and Access Gateway on a supported operating system (SUSE, Red Hat, or Windows). The patch update channel maintains the patches for Access Manager. You must purchase, install, and maintain the underlying operating system.

Component Installation Flexibility

Access Manager Appliance: Access Manager components such as Administration Console, Identity Server, and Access Gateway cannot be selectively installed or uninstalled.

Access Manager: Each Access Manager component, such as Administration Console, Identity Server, and Access Gateway, is installed on an independent host server. Although it is possible to install multiple components on a single host server, this is very limited and generally not recommended. A typical highly available deployment requires 6-8 or more virtual or physical servers (two Administration Consoles, two Identity Servers, and two Access Gateways).

Administration Console Access

Access Manager Appliance: The Administration Console is installed on Access Manager Appliance along with all other components. If you use two network interfaces, access to the Administration Console can be limited to the private IP network bound to the internal network. The public interface is bound to an externally accessible network.

Access Manager: The Administration Console can be installed on an independent host inside your private network and can still securely manage Access Manager components that reside in your DMZ or external network.

Scalability and Performance

Access Manager Appliance: Access Manager Appliance scales vertically by adding CPU and memory resources to each node. For more information, see Performance and Sizing Guidelines.

Access Manager: Access Manager scales both vertically and horizontally, by adding resources to a node or by adding nodes. For more information, see Performance and Sizing Guidelines.

Mode of Release

Access Manager Appliance: Access Manager Appliance is delivered as a software appliance.

Access Manager: Access Manager is delivered in the form of multiple operating system-specific binaries.

Networking: Port Details

Access Manager Appliance: The Administration Console and Identity Server are accelerated by Access Gateways. Only HTTPS port 443 needs to be opened in the firewall to deploy Access Manager Appliance.

Access Manager: Multiple ports need to be opened for deployment.

Networking: General

Access Manager Appliance: The Administration Console can be in a DMZ or in a private network. If the Administration Console is in a DMZ, restrict access to it through the private interface.

Access Manager: Because the Administration Console is a separate component, access to it can be restricted, or the Administration Console can be placed in an internal network.

Certificate Management

Access Manager Appliance: Certificate management is simplified. All certificates and key stores are stored in one place, which makes replacing or renewing certificates easier. The same certificate is used for all communication (signing, encryption, and transport).

Access Manager: Changes are required in multiple places to replace or renew certificates. Because there are multiple key stores, you can configure different certificates for different types of communication.

Signing Certificates for Service Providers

Access Manager Appliance: Associating a different signing certificate with each service provider is not supported.

Access Manager: A unique signing certificate can be assigned to each service provider. In environments with a large number of trust relationships, this feature eases the process of replacing expiring certificates.

Associating Different Certificates with Identity Server

Access Manager Appliance: This capability is not applicable because the Identity Server is accelerated by the Access Gateway.

Access Manager: This capability is supported. The Identity Server can be behind the Access Gateway or can be placed separately in the DMZ.

Sample Portal

Access Manager Appliance: After a successful installation, a sample Web portal is deployed for the administrator’s reference. The administrator can access the sample portal by using the http://hostname URL. This portal provides a detailed example of Access Manager Appliance usage and policy configuration.

Access Manager: A sample portal is not available.

Ready-made Access Manager

Access Manager Appliance: The following configuration steps are completed automatically when Access Manager Appliance is installed:

  • Importing Identity Server and Access Gateway components.

  • Automatic clustering of Identity Server and Access Gateway components.

  • Automatic configuration of the Identity Server to bring it to the green state.

  • Automatic configuration of the Access Gateway and Identity Server association.

  • Automatic service creation to accelerate the Identity Server, Administration Console, and portal.

Access Manager: Each component is manually configured and set up before Web applications can be federation-enabled, accelerated, and protected.

64-bit Support

Access Manager Appliance: For better performance and scalability, 64-bit support is provided for all components.

Access Manager: Not all components provide 64-bit support.

Upgrade

Access Manager Appliance: You can upgrade from one version of Access Manager Appliance to another. Upgrading from Access Manager to Access Manager Appliance is not supported.

Access Manager: You can upgrade from one version of Access Manager to another. Upgrading from Access Manager Appliance to Access Manager is not supported.

Migration between Models

Access Manager Appliance: During migration from Access Manager Appliance to Access Manager, the policies can be exported, but the rest of the configuration must be done manually.

Access Manager: During migration from Access Manager to Access Manager Appliance, the policies can be exported, but the rest of the configuration must be done manually.

NIC Bonding

Access Manager Appliance: IP address configuration is done through the Administration Console, so NIC bonding is not supported.

Access Manager: NIC bonding can be configured through the operating system, and Access Manager uses this configuration.

Updating Kernel with Security Patches

Access Manager Appliance: Access Manager Appliance supports installation of the latest SLES operating system security patches.

Access Manager: You are fully responsible for all operating system maintenance, including patching.

Clustering

Access Manager Appliance: For additional capacity and for failover, cluster a group of NetIQ Access Manager Appliances and configure them to act as a single server. You can cluster any number of Identity Servers, Access Gateways, and up to three Administration Consoles. The first three nodes of Access Manager Appliance contain the Administration Console, Identity Server, and Access Gateway. From the fourth installation onwards, the node has all components except the Administration Console.

Access Manager: For additional capacity and for failover, cluster a group of Identity Servers and configure them to act as a single server. You can create a cluster of Access Gateways and configure them to act as a single server. Fault tolerance can be achieved by installing up to two secondary consoles. To deploy the existing solution in cluster mode, at least 6 systems are required.

NOTE: Clustering is not supported between Access Manager components and Access Manager Appliance.
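The networking rows above state that the appliance model needs only HTTPS port 443 open at the firewall and that, with two network interfaces, Administration Console access is meant to be limited to the private interface. A practical post-installation check is to confirm that no other service is reachable on the public address. The script below is an added example, not part of the NetIQ documentation or product: it parses a constructed `ss -ltn`-style listing (not captured from a real appliance) and assumes hypothetical addresses 203.0.113.10 (public) and 10.0.0.5 (private); the port numbers in the sample other than 443 are constructed for illustration.

```python
"""Report listeners reachable on a host's public interface other than HTTPS/443.

Added example for a two-interface deployment: the expected posture is that
only 443 is bound to the public address and that management services are
bound to the private address (or loopback) only.
"""
from typing import FrozenSet, List, Tuple

# Constructed sample in the style of `ss -ltn` output; addresses and ports
# (other than 443) are hypothetical and not taken from any real appliance.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     203.0.113.10:443     0.0.0.0:*
LISTEN  0       128     10.0.0.5:8443        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     [::]:9000            [::]:*
"""

# Bind addresses that mean "every interface", including the public one.
WILDCARDS = frozenset({"0.0.0.0", "*", "::", "[::]"})

Listener = Tuple[str, int]


def parse_listeners(text: str) -> List[Listener]:
    """Extract (address, port) pairs from LISTEN rows of `ss -ltn` output."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip the header and anything that is not a listener
        # Local Address:Port is the fourth column; split on the last colon so
        # bracketed IPv6 addresses such as [::]:9000 are handled.
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def public_exposure(listeners: List[Listener], public_ip: str,
                    allowed_ports: FrozenSet[int] = frozenset({443})) -> List[Listener]:
    """Return listeners reachable via the public interface on non-allowed ports.

    A listener is considered publicly reachable if it is bound to the public
    address itself or to a wildcard address.
    """
    exposed: List[Listener] = []
    for addr, port in listeners:
        reachable_publicly = addr == public_ip or addr in WILDCARDS
        if reachable_publicly and port not in allowed_ports:
            exposed.append((addr, port))
    return exposed


def private_only(listeners: List[Listener], private_ip: str, port: int) -> bool:
    """True if every listener on `port` is bound to the private address or loopback."""
    bound = [addr for addr, p in listeners if p == port]
    return bool(bound) and all(addr in (private_ip, "127.0.0.1", "::1") for addr in bound)


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS_OUTPUT)
    for addr, port in public_exposure(found, "203.0.113.10"):
        print(f"publicly reachable beyond 443: {addr}:{port}")
    print("management port bound privately:", private_only(found, "10.0.0.5", 8443))
```

On a live host, replace `SAMPLE_SS_OUTPUT` with the captured output of `ss -ltn` and pass the actual public and private addresses; wildcard binds are reported because a firewall rule, not the bind address, is then the only thing keeping the service off the public interface.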