2.1 Recommended Installation Scenarios

The following scenarios provide an overview of the flexibility built into Access Manager. Use them to design a deployment strategy that fits the needs of your company.

2.1.1 Basic Setup

For a basic Access Manager installation, you can install the Identity Server and the Access Gateway outside your firewall. Figure 2-1 illustrates this scenario:

Figure 2-1 Basic Installation Configuration

  1. Install the Administration Console.

    The Administration Console and the Identity Server are bundled in the same download file or on CD 1.

  2. If your firewall is set up, open the ports required for the Identity Server and the Access Gateway to communicate with the Administration Console: TCP 1443, TCP 8444, TCP 289, TCP 524, TCP 636.

    For more information about these ports, see Setting Up Firewalls in the Novell Access Manager 3.0 SP4 Setup Guide.

  3. Run the installation again and install the Identity Server on a separate server.

    Log in to the Administration Console and verify that the Identity Server installation was successful.

  4. Install the Access Gateway. You can install either the NetWare® version (CD 2) or the Linux version (CD 3 or download file).

    Log in to the Administration Console and verify that the Access Gateway imported successfully.

  5. Configure the Identity Server and the Access Gateway. See Setting Up a Basic Access Manager Configuration in the Novell Access Manager 3.0 SP4 Setup Guide.

    In this configuration, the LDAP server is separated from the Identity Server by the firewall. Make sure you open the required ports. See Setting Up Firewalls in the Novell Access Manager 3.0 SP4 Setup Guide.
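As an added example that is not part of the guide, the following Python script, run from the Identity Server or Access Gateway host, confirms that the five TCP ports listed in step 2 are actually reachable on the Administration Console before you continue with the installation. The Administration Console host name is a placeholder you replace with your own.

```python
import socket
import sys

# TCP ports the guide says must be open from the Identity Server and the
# Access Gateway toward the Administration Console (step 2 above).
REQUIRED_PORTS = (1443, 8444, 289, 524, 636)


def port_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable or DNS failure
        return False


def check_ports(host, ports=REQUIRED_PORTS, timeout=3.0):
    """Map each required port to whether it is reachable on host."""
    return {port: port_open(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports that still need a firewall rule, in ascending order."""
    return sorted(port for port, reachable in results.items() if not reachable)


def local_listener():
    """Bind a throwaway listener on 127.0.0.1 (used to self-test port_open)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    return srv  # caller closes it; srv.getsockname()[1] is the chosen port


def main(argv):
    # Placeholder host name; pass the real Administration Console as argv[1].
    host = argv[1] if len(argv) > 1 else "admin-console.example.com"
    results = check_ports(host)
    for port, reachable in results.items():
        print(f"TCP {port}: {'open' if reachable else 'BLOCKED'}")
    missing = blocked_ports(results)
    print("all required ports reachable" if not missing else f"open these: {missing}")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one port is still filtered or refused, so the installers in steps 3 and 4 will not be able to register with the Administration Console until the firewall is corrected.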

For information about setting up configurations for fault tolerance and clustering, see Clustering and Fault Tolerance in the Novell Access Manager 3.0 SP4 Setup Guide.

The firewall protects the LDAP server and the Administration Console, both of which contain a permanent store of sensitive data. The Web servers are also installed behind the firewall for added protection. The Identity Server is not much of a security risk, because it does not permanently store any user data. This is a configuration that Novell has tested and can recommend. We have also tested this configuration with an L4 switch in place of the router so that the configuration can support clusters of Identity Servers and Access Gateways.

2.1.2 Advanced Network Configuration with a DMZ

An advanced network configuration assumes that you want fault tolerance, so you will install clusters of Access Gateways and Identity Servers. It also assumes that your network has at least two firewalls, one that separates external clients from your network and one that separates internal clients from some components of your network. Figure 2-2 illustrates this type of network.

Figure 2-2 Advanced Network Configuration

In this configuration, you can install the Access Manager components and configure them. When you install the machines for clustering, you need to configure the L4 switch and the second firewall. The firewall and the router can be the same piece of hardware. When you are ready to have external customers access resources, you need to configure the first firewall. For firewall information, see Setting Up Firewalls in the Novell Access Manager 3.0 SP4 Setup Guide.

Novell uses this configuration for its internal Web site, and we can recommend it as a tested configuration.

For clustering information, see Clustering and Fault Tolerance in the Novell Access Manager 3.0 SP4 Setup Guide.