3.6 Access Gateway Requirements

The Access Gateway can be installed as an appliance (the operating system is installed together with the Access Gateway software) or as a service (the Access Gateway software is installed on a machine with an existing operating system). The requirements for each type are described in the sections that follow.

In addition to comparing the software and hardware requirements when you decide whether to install a Gateway Appliance or a Gateway Service, evaluate the minor functional differences between the two. See Section 3.6.5, Access Gateway Feature Comparison.

3.6.1 Access Gateway Appliance Requirements

The Linux Access Gateway Appliance runs on SLES 11 (32-bit) on x86-32 and x86-64 hardware. Install it on a dedicated machine: the installer wipes the hard drive and sets up a soft-appliance environment.

The Access Gateway Appliance requires the following hardware:

  • 4 GB RAM.

  • Dual CPU or Core (3.0 GHz or comparable chip).

  • 100 GB hard disk.

    This amount is recommended to ensure ample space for logging in a production environment. The disk must be local, not remote.

  • A static IP address for the Access Gateway server and an assigned DNS name (host name and domain name).

For a list of x86-32 and x86-64 hardware supported by SLES 11, see the YES CERTIFIED Bulletin and search for SLES 11 together with your other hardware requirements.

The Access Gateway Appliance has no software requirements. The installation program re-images the hard drive, embeds the Linux operating system, and then configures the embedded operating system for optimal performance.

For installation instructions, see Section 6.0, Installing the Linux Access Gateway Appliance.

3.6.2 Linux Access Gateway Service Requirements

The Linux Access Gateway Service is installed on an existing Linux system. This machine must meet the following requirements:

  • SLES 11 or SLES 11 SP1, 64-bit operating system on x86-64 hardware.

  • Because of library update conflicts, you cannot install Access Manager on a Linux User Management machine.

  • 4 GB RAM.

  • Dual CPU or Core (3.0 GHz or comparable chip).

  • 2-10 GB per reverse proxy for caching and log files. The amount varies with the rollover options and logging level that you configure.

  • Configured with a static IP address and a DNS name. The ActiveMQ module of the Access Gateway Service must be able to resolve the machine's IP address to a DNS name (a reverse lookup). If that lookup fails, the module does not start.

  • Other Access Manager components should not be installed on the same machine.
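The name-resolution requirement above (and the identical one for the Windows Access Gateway Service in Section 3.6.3) can be verified before you run the installer. The following preflight script is an added example and not part of the Novell documentation or product; it assumes a host with the getent utility (glibc or BusyBox) and checks that the gateway's name resolves to an address and that the address resolves back to a name, which is the round trip the ActiveMQ module depends on.

```shell
#!/bin/sh
# Preflight check for an Access Gateway Service host (added example, not Novell's script).
# The ActiveMQ module needs the machine's IP address to resolve to a DNS name, so this
# verifies forward (name -> address) and reverse (address -> name) resolution with the
# system resolver, the same source the gateway process will use.

# Forward lookup: print the first address recorded for NAME, fail if there is none.
resolve_name() {
    getent hosts "$1" | awk 'NR==1 {print $1}' | grep .
}

# Reverse lookup: print the canonical name recorded for ADDR, fail if there is none.
resolve_addr() {
    getent hosts "$1" | awk 'NR==1 {print $2}' | grep .
}

# Succeed only when NAME -> ADDR -> some name round-trips. Prints the reverse name so
# the administrator can compare it with the name that was configured for the gateway.
check_round_trip() {
    name="$1"
    addr=$(resolve_name "$name") || { echo "no address for $name" >&2; return 1; }
    rname=$(resolve_addr "$addr") || { echo "no reverse name for $addr ($name)" >&2; return 1; }
    echo "$rname"
}

# Check the gateway's own fully qualified host name; run this on the candidate machine.
check_gateway_host() {
    fqdn=$(hostname -f 2>/dev/null || hostname)
    rname=$(check_round_trip "$fqdn") || return 1
    if [ "$rname" != "$fqdn" ]; then
        echo "warning: $fqdn resolves back to $rname; make the records consistent" >&2
    fi
    return 0
}

# Usage on the gateway host:  check_gateway_host && echo "name resolution OK"
```

A mismatch between the configured name and the reverse name is reported as a warning rather than a failure because the module only needs some name for the address; fixing the PTR record so that both agree is still the right outcome for audit logs and certificates.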

3.6.3 Windows Access Gateway Service Requirements

The Windows Access Gateway Service is installed on an existing Windows system. This machine must meet the following requirements:

  • Windows Server 2008 R2, 64-bit, on 64-bit hardware, Standard or Enterprise Edition, with the latest patches applied.

  • 4 GB RAM.

  • Dual CPU or Core (3.0 GHz or comparable chip).

  • 2-10 GB per reverse proxy for caching and log files. The amount varies with the rollover options and logging level that you configure.

  • Configured with a static IP address and a DNS name. The ActiveMQ module of the Access Gateway Service must be able to resolve the machine's IP address to a DNS name (a reverse lookup). If that lookup fails, the module does not start.

  • Other Access Manager components should not be installed on the same machine.

3.6.4 Client Access Requirements

Clients can use any browser or operating system when accessing resources protected by the Access Gateway.

3.6.5 Access Gateway Feature Comparison

Access Manager includes an Access Gateway Appliance and an Access Gateway Service. The Gateway Appliance is a dedicated machine that installs its own embedded Linux operating system. The Gateway Service runs on top of an existing installation of a Linux or Windows operating system. Both types of gateways support the same major functionality, but they differ slightly in the way some of these features are supported. For example, both types can be configured for the following features:

  • Protecting Web resources with contracts, Authorization policies, Form Fill, and Identity Injection policies.

  • Providing fault tolerance by clustering multiple gateways of the same type.

  • Providing fault tolerance by grouping multiple Web servers, so that if one Web server goes down, the content can be retrieved from another server in the group.

  • Rewriting URLs so that the names and IP addresses of the Web servers are hidden from the users making requests.

  • Generating alert, audit, and logging events with notify options.

Most differences between the Gateway Appliance and the Gateway Service follow from the difference between an appliance and a service. An appliance knows, controls, and configures many features of its operating system. A service that runs on top of an operating system can query the operating system for some information, but it cannot configure or control it, so for the service you must use operating system utilities to configure system parameters and hardware. For the appliance, the operating system features that matter to it, such as time, DNS servers, gateways, and network interface cards, can be configured in the Administration Console.

Table 3-1 describes the differences between the Access Gateway Appliance and the Access Gateway Service. Only your network and Web server configurations can determine whether the differences are significant.

Table 3-1 Differences between the Gateway Appliance and the Gateway Service

Each entry lists the feature, then the Gateway Appliance behavior, then the Gateway Service behavior.

Network configuration (DNS servers, gateways, network interface cards, host names)
  Gateway Appliance: Can be done from the Administration Console.
  Gateway Service: Configurable with standard operating system utilities.

Date and time
  Gateway Appliance: Can be done from the Administration Console.
  Gateway Service: Configurable with standard operating system utilities.

Rewriter: number of URLs that can be rewritten
  Gateway Appliance: There is a set limit, although the limit has been increased.
  Gateway Service: No limit.

Rewriter: profiles
  Gateway Appliance: Can do word pattern matches in Word profiles and Character profiles.
  Gateway Service: Can only do word pattern matches in Character profiles.

Rewriter: Word profiles
  Gateway Appliance: Case sensitive.
  Gateway Service: Case insensitive.

Rewriter: special tokens for Word profiles
  Gateway Appliance: Not supported.
  Gateway Service: Supports the [w], [ow], [ep], [ew], and [oa] options.

Rewriter: webcal
  Gateway Appliance: Unsupported.
  Gateway Service: Supported.

Cache directory
  Gateway Appliance: Separate protected partition (COS).
  Gateway Service: Uses Apache caching. The cached files are stored in clear text, so the operating system must be configured to restrict access to this directory. For more information on the Apache model, see "Caching Guide".

Cache freshness configuration options
  Gateway Appliance: Fully supported.
  Gateway Service: Limited support.

Custom cache control headers
  Gateway Appliance: Supported.
  Gateway Service: Unsupported.

Caching behavior
  Both: For more information, see Configuring Caching Options in the Novell Access Manager 3.1 SP2 Access Gateway Guide.

X-Forwarded-For header
  Gateway Appliance: Configurable from the Administration Console.
  Gateway Service: Hard coded by Apache to send the X-Forwarded-For header as well as the X-Forwarded-Host and X-Forwarded-Server headers.

Via header
  Gateway Appliance: Includes the device ID.
  Gateway Service: Does not include the device ID; Apache sets the information in the Via header.

NTLM (a Windows challenge-response authentication protocol)
  Gateway Appliance: Supported.
  Gateway Service: Not supported by Apache.

Stop and restart commands
  Gateway Appliance: Shuts down or restarts the operating system together with the Access Gateway Appliance.
  Gateway Service: Stops and starts the Access Gateway Service without affecting other services or applications. The operating system can be rebooted or shut down independently with standard operating system commands.

Protected resource logging
  Gateway Appliance: Can configure the directory and stop the proxy service if logging fails.
  Gateway Service: Cannot configure the directory or stop the proxy service when logging fails.

Web server connections
  Gateway Appliance: If the gateway has multiple network cards, you can specify which network card to use for the Web server connection.
  Gateway Service: Not configurable.

Web server failover
  Gateway Appliance: Configurable for simple failover or round robin.
  Gateway Service: Hard coded to round robin (an Apache limitation).

Web server certificate verification
  Gateway Appliance: Configurable per proxy service.
  Gateway Service: Globally configurable. If certificate verification is turned on for one proxy service, it is turned on for all proxy services.

Load balancing cookie
  Gateway Appliance: Access Gateway Appliance format.
  Gateway Service: Apache format.

5-byte and 6-byte UTF characters (supported by IIS Web servers)
  Gateway Appliance: Supported.
  Gateway Service: Unsupported.

TCP listen options
  Gateway Appliance: Idle timeout.
  Gateway Service: Keep alive interval.

Custom configuration
  Gateway Appliance: Touch files.
  Gateway Service: Advanced options. Click Access Gateways > Edit > Advanced Options or Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options.

Device logging
  Gateway Appliance: ics_dyn.log
  Gateway Service: ags_error.log and the Apache error.log

Device logging configuration
  Gateway Appliance: Log level set with options in the nash shell.
  Gateway Service: Configurable from the Administration Console. Click Access Gateways > Edit > Logging.

Sending alerts to an SNMP server
  Gateway Appliance: Unsupported.
  Gateway Service: Supported.

Invalidating application cookies at logout (when a browser retains application cookies from the Web servers after a user logs out, the gateway manipulates them so that they become invalid)
  Gateway Appliance: Unsupported.
  Gateway Service: Supported.

NetStorage
  Gateway Appliance: Browser connections can be used.
  Gateway Service: Browser and WebDAV connections can be used.
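The cache directory entry in Table 3-1 leaves the protection of the Gateway Service's clear-text cache to the operating system. The script below is an added example, not Novell's tooling and not taken from the product documentation: it removes group and other access from a cache tree and then re-verifies that nothing under it is readable by other local users. The directory path and service account in the usage comment are placeholders; substitute the values from your own installation.

```shell
#!/bin/sh
# Added example (not Novell's own tooling): restrict an Access Gateway Service
# cache directory so that other local users cannot read the clear-text cached pages.
# The caller supplies the directory and, optionally, the service account that should
# own the tree; the names in the usage comment at the end are assumptions only.

# Print the nine-character permission string of PATH (for example rwx------).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Succeed only when group and other have no read, write, or execute bits on PATH.
is_private() {
    [ "$(perm_string "$1" | cut -c4-9)" = "------" ]
}

# List every entry under DIR that is still accessible to group or other.
# Prints the offending paths on stdout; succeeds only when there are none.
find_exposed() {
    dir="$1"
    exposed=$(find "$dir" -exec sh -c '
        for p; do
            mode=$(ls -ld "$p" | cut -c5-10)
            case "$mode" in ------) ;; *) printf "%s\n" "$p" ;; esac
        done' sh {} +)
    printf '%s' "$exposed"
    [ -z "$exposed" ]
}

# Lock down DIR: owner-only access on the directory and everything below it,
# optionally reassign ownership to OWNER (requires root), then re-verify.
harden_cache_dir() {
    dir="$1"; owner="${2:-}"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chmod 0700 "$dir" || return 1
    chmod -R go-rwx "$dir" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dir" || return 1
    fi
    find_exposed "$dir" >/dev/null
}

# Usage (path and account are placeholders, not values from the product documentation):
#   harden_cache_dir /path/to/gateway/cache gateway-service-account
```

Run find_exposed on its own from a periodic job: the cache is rewritten continuously by the proxy, so a one-time chmod proves little if the service later creates files with a permissive umask, and the check is what tells you whether the umask of the service account needs attention as well.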