Cloud Access Manager 8.1.4 - Installation Guide

Installation

Topics:

This guide will take you through the steps required to deploy a typical two host production installation of Cloud Access Manager. Once completed, Cloud Access Manager will allow employees to securely Single Sign-On (SSO) to internal and external web-based applications from within the company network and remotely, without the need for a virtual private network (VPN). This example uses two separate hosts, one for the Proxy and the other for the Secure Token Service (STS). The diagram below represents a typical Cloud Access Manager deployment, and shows the proxy host deployed within the DMZ area of the network and the STS host on the internal network.

Figure 1: Two host Cloud Access Manager deployment

Prerequisites

Make sure the following prerequisites are met before you attempt to install Cloud Access Manager, please refer to Proxy host and STS host for component specific requirements.

NOTE: Please be aware that domain controllers are not valid Cloud Access Manager hosts.

Browser
Table 1: Browser requirements
Platform Browser

Windows

  • Microsoft Internet Explorer (version 10 and above)1
  • Google Chrome browser (latest)
  • Mozilla Firefox (latest)1

Mac

  • Safari (latest)

iOS

  • Safari (latest)

Android

  • Google Chrome (latest)

1 Supported for Integrated Windows Authentication (IWA).

Proxy host

Ensure the following prerequisites are met before installation:

Deployment location

To support the scenario illustrated in Two host Cloud Access Manager deployment where you need to expose internal applications to external users, the host should be deployed within the DMZ network.

Hardware

Ensure that the following hardware requirements are met:

Table 2: Hardware
Hardware Requirement
CPU Min. 2 multi-core processors
Memory Min. 4 GB
Disk Space Min. 25 GB
Operating system

Ensure that the following operating system requirements are met with the latest Microsoft Hotfixes applied.

Table 3: Operating system
Hardware

Microsoft Windows Server 2008 R2

Microsoft Windows Server 2008 R2 Server Core

or

Microsoft Windows Server 2012

Microsoft Windows Server 2012 Server Core

or

Microsoft Windows Server 2012 R2

Microsoft Windows Server 2012 R2 Server Core

Name resolution

You must configure the host to use the internal Domain Name System (DNS) server(s) so that it can resolve the hostnames of the internal web applications that will be configured. In addition to the internal DNS, Cloud Access Managerrequires a public DNS record for the proxy host and an additional public DNS record for each internal application.

Each of these DNS records must be resolvable to the proxy’s public IP address from outside of your corporate network. To avoid the need to create a new DNS record each time a new application is added to Cloud Access Manager, we recommend that you create a new wildcard DNS subdomain for Cloud Access Manager to resolve any name within the new subdomain to the public IP address of the proxy.

IP addressing

The host must be assigned a private IP address which is accessible from the internal network. For external access a public IP address is required. This is typically assigned to an internet facing router where destination network address translation (DNAT) or port forwarding is performed to route traffic destined for ports 80 and 443 on a public IP address to the private IP address of the proxy host.

Wildcard DNS subdomain

Domain hosting companies typically allow the creation of a wildcard subdomain by adding a new DNS A (Host) record for your domain in the format *.subdomain, where subdomain is the name of the new subdomain you want to create for the Cloud Access Manager Proxy. Point the new DNS record to the public IP address used by the Cloud Access Manager Proxy so that any hostname in the new subdomain resolves to the proxy’s public IP address.

For example, adding a new A record *.webapps to a domain called company.com would allow the Cloud Access Manager Proxy to use hostnames such as:

  • portal.webapps.company.com
  • webmail.webapps.company.com
  • sharepoint.webapps.company.com

Essentially <anything>.webapps.company.com, this allows each internal application to have its own internet resolvable hostname.

To create a wildcard subdomain within the Microsoft DNS server you must first add a new subdomain (zone) and then add a single A (Host) record within the subdomain with the name *. As with the previous instructions, the new DNS record should be pointed to the public IP address used by the Cloud Access Manager Proxy so that any hostname in the new subdomain resolves to the proxy’s public IP address.

Wildcard SSL certificate

A signed wildcard Secure Sockets Layer (SSL) certificate is required to cover the wildcard DNS subdomain used by the Cloud Access Manager Proxy. The wildcard SSL certificate must be obtained using the Certificate Signing Request (CSR) generated by Cloud Access Manager during configuration. For example, if you created a wildcard DNS subdomain called webapps within your domain company.com, then you would need to obtain a signed wildcard SSL certificate for *.webapps.company.com for full instructions, please refer to Managing your SSL Certificate in the One Identity Cloud Access Manager Configuration Guide.

Firewall configuration

Access to TCP ports 80 and 443 on the host should be permitted from both the internal and external network. The host should also be permitted to access the internal web applications through the ports they use, typically TCP port 80 and 443.

Port 8553

Port 8553 is the admin port used to configure the Cloud Access Manager Proxy. The proxy host downloads its configuration and then locally uses port 8553 to load the configuration. Ensure that port 8553 is not already being used by another application. If port 8553 is already in use, enter an alternative port number in the Cloud Access Manager proxy Installation Wizard. This port does not need to be open on the proxy host for Cloud Access Manager to function.

Smart card authentication

If you enable smart card authentication you will need to open the configured port. The default is port 8443.

STS host

Deployment location

The host should be deployed within the internal network.

Hardware

Ensure that the following hardware requirements are met:

Table 4: Hardware requirements
Hardware Requirements
CPU Min. 8 multi-core processors
Memory Min. 8 GB
Disk Space Min. 50 GB
Operating System

Any of the following:

  • Microsoft Windows Server 2008 R2 (with latest updates applied)
  • Microsoft Windows Server 2008 R2 Server Core (with latest updates applied)
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 Server Core
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2012 R2 Server Core
Domain membership

If Active Directory will be used to source users for SSO, the Security Token Service (STS) host must be a member of the Active Directory domain containing these users. Cloud Access Manager can also use federated identities from third party domains using SAML 2.0 or WS-Federation.

Name resolution

You must configure the host to use the internal Domain Name System (DNS) server(s) so that it can resolve the hostnames of the internal web applications that will be configured.

Database

Ensure that the following database requirements are met:

Table 5: Database specifications
Database  
Database Server Microsoft SQL Server 2008-2017
Disk space (guideline, assuming typical usage) 200MB + 2K per user + 2K per user per day (audit)

Cloud Access Manager requires an instance of Microsoft SQL Server 2008-2017, to store its configuration, audit and session data. Microsoft SQL Server Express can also be used for small deployments, for example, where high availability of the database is not required.

Cloud Access Manager can either create its database within a new dedicated instance of Microsoft SQL Server installed directly on the Security Token Service (STS) host, or in an existing remote instance of Microsoft SQL Server deployed within your internal network.

NOTE: If you choose to use a dedicated instance of Microsoft SQL Server on the STS host, ensure that it is installed before you run the Cloud Access Manager installer.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents