Chat now with support
Chat with Support

Cloud Access Manager 8.1.1 - Security and Best Practice Guide

STS hosts

For a production environment, we recommend that each Security Token Service (STS) host has 8GB of physical memory and 8 processor cores. For example, two quad core processors giving a total of 8 cores spread over two processors.
CPU and memory usage varies between the different authentication methods. Our stress testing has shown a single STS host can support between 12,000 and 18,000 users authenticating over a 30 minute period. Our recommended maximum of 15,000 is an average of the two. No special configuration is required on the STS hosts to support this number of users.

Preventing direct access to applications protected by Cloud Access Manager

When you have added an application to Dell™ One Identity Cloud Access Manager, you can make sure that users only access the application using Cloud Access Manager. This may be required if you are using Cloud Access Manager to enforce strong authentication for the application, or want to use Cloud Access Manager’s auditing features to monitor application usage. The procedure described below is only required for non-federated applications, that is, those not using SAML or WS-Federation.
* 
NOTE: To prevent direct access to an application, we recommend that you use the firewall on the application’s host. For example, you need to update the HTTP/HTTPS firewall rules to only allow access from the internal IP addresses of the Cloud Access Manager proxy hosts.
To configure the Windows Firewall to prevent direct access to the application
Perform the following steps on the application’s host.
* 
NOTE: If the application is installed on multiple hosts, repeat these steps on each host running the application.
1
From the Start menu, open Windows Firewall with Advanced Security.
2
Ensure the firewall is turned on.
3
Locate the Inbound Firewall rule for Secure HTTP (HTTPS) requests. For applications using Internet Information Services (IIS), this is called World Wide Web Services (HTTPS Traffic-In).
4
Ensure the rule is enabled.
5
Click Properties.
6
Select the Scope tab.
7
In the Remote IP address section, select These IP addresses: and add the internal IP address of each proxy host.
8
Repeat Step 3 through Step 7 for the HTTP firewall rule.
9
Using a browser on another host, verify that you cannot directly access the application running on this host.
When you have updated the firewall configuration on each host running the application, verify that users can still access the application using Cloud Access Manager.
* 
NOTE: If the host running the application contains multiple applications and you do not wish to prevent direct access to all of them, you can configure the Web Server to restrict access to the proxy hosts on a per application basis. Please refer to http://support.microsoft.com/kb/324066 for instructions on how to configure IIS to use the IP Address and Domain Restrictions feature.
 

Operations
Backup
Fallback
Shared secret
Proxy mapping and URL rewriting
Choosing the right SSL certificate
Single sign-on methods
Backup
It is strongly recommended that you take a backup of your Dell™ One Identity Cloud Access Manager environment at regular intervals, and immediately prior to upgrading or carrying out maintenance. Please refer to the Dell™ One Identity Cloud Access Manager Installation Guide for full instructions to backup and restore Cloud Access Manager.

Fallback

The Dell™ One Identity Cloud Access Manager fallback administration account allows you to bypass the directory-based authentication mechanism to:
Configure Cloud Access Manager for the first time
Investigate issues with directory-based authentication
Perform certain activities such as setting up certificate-based authentication.
We recommend you choose a password for the fallback administration account which is complex enough that it cannot be guessed, and that you change it regularly. You can change the fallback password using the Cloud Access Manager administration interface.
* 
IMPORTANT: We recommend that you keep a hardcopy of the fallback password in a secure place, accessible only to staff with the authority to configure Cloud Access Manager. There is no reset facility for the fallback password. If you forget the password, you will need to completely re-install Cloud Access Manager.
In addition, fallback administration is not automatically exposed by the reverse proxy, so access to this user interface is restricted to internal connections.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating