2.3 Managing Access Gateways

Use the Servers page to view the status of Access Gateways, to modify their configuration, and to perform other actions such as creating a new cluster or stopping and starting an Access Gateway or its Embedded Service Provider.

  1. In the Administration Console, click Devices > Access Gateways.

  2. Select one of the following:

    New Cluster: To create a new cluster of Access Gateways, click New Cluster. A cluster can be one or more Access Gateways. For configuration information, see Section 6.4.1, Creating a New Cluster.

    Stop: To stop an Access Gateway Appliance, select the appliance, then click Stop. You must have physical access to the Access Gateway Appliance machine to start it again. To stop an Access Gateway Service, select the service, then click Stop. You can use the Restart option to start the Access Gateway Service.

    Restart: To reboot an Access Gateway Appliance, select the appliance, then click Restart. The Access Gateway Appliance is stopped, the operating system is rebooted, then the appliance is started. To stop and start the Access Gateway Service, select the service, then click Restart. If the Access Gateway Service is already stopped, use Restart to start it.

    Refresh: To update the list of Access Gateways and the status columns (Status, Health, Alerts, Commands), click Refresh.

  3. To perform an action available in the Actions drop-down menu, select an Access Gateway, then select one of the following:

    Assign to Cluster: To add the selected Access Gateway to a cluster, select Assign to Cluster, then select the cluster. This Access Gateway is reconfigured with the configuration of the primary cluster server. An Access Gateway Appliance can only be added to a cluster of Access Gateway Appliances. An Access Gateway Service can only be added to a cluster of Access Gateway Services.

    Remove from Cluster: To remove the selected Access Gateway from a cluster, select Remove from Cluster. The Access Gateway retains its configuration from the cluster, but no traffic is sent to it until it is reconfigured. You can assign it to a different cluster and have it updated with this cluster’s configuration, or you can delete all of its reverse proxies and start a new configuration.

    Delete: To remove the selected Access Gateway server from the list of servers that can be managed from this Administration Console, select Delete. If the Access Gateway is a member of a cluster, you must first remove it from the cluster before you can delete it.

    IMPORTANT: When an Access Gateway is deleted from the Administration Console, you can no longer manage it. To access it again, you must manually trigger an auto-import, which causes it to import into an Administration Console.

    Schedule Restart: To schedule when the selected Access Gateway should be stopped and then started, select Schedule Restart. On an Access Gateway Appliance, a restart stops the operating system, then starts the operating system and the Access Gateway. On an Access Gateway Service, a restart stops the Access Gateway Service, then starts it. For information on how to schedule this command, see Section 2.3.2, Scheduling a Command.

    Schedule Stop: To schedule when the selected Access Gateway or cluster should be stopped, select Schedule Stop.

    • When you stop an Access Gateway Appliance, you shut down the Access Gateway Appliance and the operating system. You must have physical access to the machine to start it again.

    • When you stop an Access Gateway Service, you stop just the Access Gateway Service. You can use the Restart option to start it again.

    For more information on how to schedule this command, see Section 2.3.2, Scheduling a Command.

    Purge List Now: Click Purge List Now to cause all objects in the current purge list to be purged from the cache of the selected server or cluster.

    Purge All Cache: Click Purge All Cache to purge the server cache for the selected server or cluster. All cached content is lost.

    When you make certain configuration changes such as updating or changing certificates, changing the IP addresses of Web servers, or modifying the rewriter configuration, you are prompted to purge the cache. The cached objects must be updated for users to see the effects of such configuration changes. If your Access Gateways are in a cluster, you need to manage the purge process so your site remains accessible to your users. You should apply the configuration changes to one member of a cluster. When its status returns to healthy and current, issue the command to purge its cache. Then apply the changes to the next cluster member.

    IMPORTANT: Do not issue a purge cache command when an Access Gateway has a pending configuration change. Wait until the configuration change is complete.

    Update Health from Server: Click this action to send a request to the server for updated health information. If you have selected multiple servers, a request is sent to each one. The health status changes to an animated circle until the reply returns.

    Service Provider: Select one of the following actions:

    • Start Service Provider: To start the Embedded Service Provider associated with the selected Access Gateway, click Start Service Provider. The Embedded Service Provider is the module within the Access Gateway that communicates with the Identity Server.

      The service provider should be restarted whenever you enable or modify logging on the Identity Server.

    • Stop Service Provider: To stop the Embedded Service Provider associated with the selected Access Gateway, click Stop Service Provider. The Embedded Service Provider is the module within the Access Gateway that communicates with the Identity Server.

      When an Access Gateway is not functioning correctly, you should always try stopping and starting the service provider before stopping and starting the Access Gateway.

    • Restart Service Provider: To restart the Embedded Service Provider associated with the selected Access Gateway, click Restart Service Provider. This command stops the Embedded Service Provider and then starts it. The Embedded Service Provider is the module within the Access Gateway that communicates with the Identity Server.

      When an Access Gateway is not functioning correctly, you should always try restarting the service provider before stopping and starting the Access Gateway.

  4. Use the following links to manage a cluster or an Access Gateway.

    Name: Displays a list of the Access Gateway servers and the clusters that can be managed from this Administration Console.

    • To view or modify the general details of a particular server, click the name of the server.

    • To view or modify general details of a cluster, click the name of the cluster.

    Status: Indicates the configuration status of the clusters and the Access Gateways. Possible states are pending, update, current, and update all. For more information, see Section 2.3.1, Viewing and Updating the Configuration Status.

    Health: Indicates whether a cluster or an Access Gateway is functional. Click the icon to view additional information about the operational status of an Access Gateway.

    Alerts: Indicates whether any alerts have been sent. If the alert count is non-zero, click the count to view more information.

    Commands: Indicates the status of the last executed command and whether any commands are pending. Click the link to view more information. For more information, see Section 4.9, Viewing the Command Status of the Access Gateway.

    Statistics: Provides a link to the statistics pages.

    Edit: Provides a link to the configuration page. If the server belongs to a cluster, the Edit link appears on the cluster row. Otherwise, the link is on the server row. See Section 2.1, Configuration Overview.

2.3.1 Viewing and Updating the Configuration Status

  1. In the Administration Console, click Devices > Access Gateways.

  2. View the Status column.

    Current: Indicates that all configuration changes have been applied.

    Update: Indicates that a configuration change has been made, but not applied. To apply the changes, click the Update link, then select one of the following:

    • All Configuration: The All Configuration option causes the Access Gateway to read its complete configuration file and restarts the Embedded Service Provider.

      The configuration update causes logged-in users to lose their connections unless the server is a member of a cluster. When the server is a member of a cluster, the users are sent to another Access Gateway and they experience no interruption of service.

    • Logging Settings: When the ESP logging settings have been modified on the Identity Server, the update option for Logging Settings is available. The Logging Settings option causes no interruption in services. When you modify Access Gateway logging settings, this option is not available because they are considered configuration settings.

    • Policy Settings: If a policy is modified for a protected resource of the Access Gateway and the policy change is the only modification that has occurred, the update option for Policy Settings is available. This option causes no interruption in services.

    Update All: This link is available when a server belongs to a cluster. You can select to update all the servers at the same time, or you can select to update them one at a time. If the modification is a policy or a logging change, then use Update All. If the modification is a configuration change, we recommend that you update the servers one at a time.

    • When you select Update All for a configuration change, users experience an interruption of service.

    • When you update servers one at a time for a configuration change, users experience no interruption of service.

    When you make the following configuration changes, the Update All option is the only option available and your site will be unavailable while the update occurs:

    • The Identity Server configuration that is used for authentication is changed (Access Gateways > Edit > Reverse Proxy/Authentication, then select a different value for the Identity Server Cluster option).

    • A different reverse proxy is selected to be used for authentication (Access Gateways > Edit > Reverse Proxy/Authentication, then select a different value for the Reverse Proxy option).

    • The protocol or port of the authenticating reverse proxy is modified (Access Gateways > Edit > Reverse Proxy/Authentication > [Name of Reverse Proxy], then change the SSL options or the port options).

    • The published DNS name of the authentication proxy service is modified (Access Gateways > Edit > Reverse Proxy/Authentication > [Name of Reverse Proxy] > [Name of First Proxy Service], then modify the Published DNS Name option).

    For more information, see Section 6.4.6, Applying Changes to Cluster Members.

    Update: If the configuration update contains a configuration error, the Update link is disabled and the Configuration Error icon is displayed. Click the icon to discover which objects have been misconfigured. You need to fix the error by either canceling or modifying the changes before you can perform an update.

    Update All: If the configuration update contains a configuration error, the Update All and the member Update links are disabled and the Configuration Error icon is displayed. Click the icon to discover which objects have been misconfigured. You need to fix the error by either canceling or modifying the changes before you can perform an update.

    Pending: Indicates that the server is processing a configuration change, but has not completed the process.

    Locked: Indicates that another administrator is making configuration changes. Before you proceed with any configuration changes, you need to coordinate with this administrator and wait until the Access Gateway has been updated with the other administrator’s changes.
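
The one-at-a-time update described for clusters above, combined with the cache purge rules from the Purge All Cache action, can be modeled as an ordering check. This is an added example, not code from the product or its documentation: `Member`, `apply_update`, `refresh`, `purge_allowed`, and `rolling_update_and_purge` are hypothetical names for a constructed in-memory simulation of the Status and Health columns, and halting on a stuck member is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Member:                      # hypothetical model of one row on the Servers page
    name: str
    status: str = "Update"         # Status column: Current, Update, Pending, Locked
    healthy: bool = True           # Health column reduced to a boolean (assumption)
    polls_until_current: int = 2   # simulation knob (constructed)

def apply_update(m):
    """Simulate clicking Update on one member: it becomes Pending."""
    m.status = "Pending"

def refresh(m):
    """Simulate Refresh: a Pending member eventually reports Current."""
    if m.status == "Pending":
        m.polls_until_current -= 1
        if m.polls_until_current <= 0:
            m.status = "Current"

def purge_allowed(m):
    # Page rule: no purge while a configuration change is pending; purge
    # only after the member has returned to healthy and current.
    return m.status == "Current" and m.healthy

def rolling_update_and_purge(cluster, max_polls=5):
    """Update one member at a time; purge each only when it is safe."""
    if any(m.status == "Locked" for m in cluster):
        return ["abort: another administrator is making changes"]
    actions = []
    for m in cluster:
        apply_update(m)
        actions.append(f"update {m.name}")
        for _ in range(max_polls):
            if purge_allowed(m):
                break
            refresh(m)
        if not purge_allowed(m):
            # Assumption: halt so the untouched members keep serving users.
            actions.append(f"halt: {m.name} is {m.status}")
            return actions
        actions.append(f"purge {m.name}")
    return actions

if __name__ == "__main__":
    # Constructed cluster: ag3 never leaves Pending within the poll budget.
    cluster = [Member("ag1"), Member("ag2"), Member("ag3", polls_until_current=99)]
    for step in rolling_update_and_purge(cluster):
        print(step)
```
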

2.3.2 Scheduling a Command

Use the Schedule New Command page to schedule a command, such as a shutdown, restart, or upgrade.

  1. In the Administration Console, click Devices > Access Gateways.

  2. (Conditional) To schedule a shutdown or restart, select a server, then click Actions > Schedule Restart or Schedule Stop. Continue with Step 4.

  3. (Conditional) To schedule an upgrade for the Access Gateway Appliance, click [Name of Server] > Upgrade > Schedule Upgrade.

  4. Fill in the following fields:

    Name Scheduled Command: (Required) Specify a name for this scheduled command. This name is used in log files.

    Description: (Optional) Specify a reason for the command.

    Date & Time: Select the day, month, year, hour, and minute when the command should execute.

    The following fields display information about the command you are scheduling:

    Type: Displays the type of command that is being scheduled, such as Access Gateway Shutdown, Access Gateway Restart, or Access Gateway Upgrade.

    Server: Displays the name of the server that the command is being scheduled for.

  5. Click OK to schedule the command.