The following scenarios provide an overview of the flexibility built into Access Manager. Use them to design a deployment strategy that fits the needs of your company.
For a basic Access Manager installation, you can install the Identity Server and the Access Gateway outside your firewall. Figure 2-1 illustrates this scenario:
Figure 2-1 Basic Installation Configuration
Install the Administration Console.
The Administration Console and the Identity Server are bundled in the same download file or ISO image.
If your firewall is set up, open the ports required for the Identity Server and the Access Gateway to communicate with the Administration Console: TCP 1443, TCP 8444, TCP 289, TCP 524, TCP 636.
Run the installation again and install the Identity Server on a separate server.
Log in to the Administration Console and verify that the Identity Server installation was successful.
Install the Access Gateway.
Log in to the Administration Console and verify that the Access Gateway imported successfully.
In this configuration, the LDAP server is separated from the Identity Server by the firewall. Make sure you open the required ports. See Novell Access Manager 3.1 SP5 Setup Guide.
The firewall protects the LDAP server and the Administration Console, both of which contain a permanent store of sensitive data. The Web servers are also installed behind the firewall for added protection. The Identity Server is not much of a security risk, because it does not permanently store any user data. This is a configuration that Novell has tested and can recommend. We have also tested this configuration with an L4 switch in place of the router so that the configuration can support clusters of Identity Servers and Access Gateways.
Figure 2-2 illustrates a deployment scenario where Web resources are securely accessible from the Internet. The scenario also provides high availability because both the Identity Servers and the Access Gateways are clustered and have been configured to use an L4 switch for load balancing and fault tolerance.
Figure 2-2 Clustering Configuration for High Availability
End users can be configured to communicate with the Identity Servers and Access Gateways through HTTP or HTTPS. The Access Gateways can be configured to communicate with the Web servers through HTTP or HTTPS. The multiple Administration Consoles provide administration and configuration redundancy.
This configuration is scalable. As the number of users increase and the demands for Web resources increase, you can easily add another Identity Server or Access Gateway to handle the load, then add the new servers to the L4 switch. When the new servers are added to the cluster, they are automatically sent the cluster configuration.