Getting the Most out of Access Manager

I just got a marketing email from Micro Focus about Access Manager with a link to this "white paper" entitled "Getting the Most out of Access Manager":

https://www.microfocus.com/media/white-paper/getting_the_most_out_of_access_manager_wp.pdf?utm_source=pardot&utm_medium=nurture

Has anyone read that? I found it to be a pretty weak marketing document for using the Access Manager proxy. But what caught my eye was the section on putting the IdP behind the AG, specifically:

"We now consider placing the Identity Server behind the Access Gateway the preferred configuration."

I was surprised to see that. I've been using NAM a very long time (since its inception) and I have never put the Identity Server behind the AG (granted, the SBA is that way of course). Just wondering if anyone does that (and why)? I find the reasons in the "white paper" pretty weak.

I also figure if you want the IdP behind the AG, then just use the SBA.

Thoughts?

Matt

  • Always preferred to do that since the inception of NAM... mostly because of the old IPv4 address limitations and NAT/PAT'ing... it also puts the majority of protection at the MAG. I guess you could also argue that any downtime of the MAG would make the IDP completely unavailable, rather than users smashing the IDP with no MAG.

  • I put all IDPs where X.509 authentication is not needed behind the AGW. Frankly, I feel much better when Tomcat is behind Apache.

  • So I'm going to play "devil's advocate" here. What is this great "protection" that putting it behind the AG affords? What is a concrete example? In just about every deployment I've ever done, I'm behind much more sophisticated firewalls, IDSs, load balancers, etc., and I don't see what putting it behind the AG affords in the way of protection. Sure, I can block some additional paths (which I can do with the other devices too, e.g. F5), but ultimately it needs to be a public resource.

    Matt

  • > I'm behind much more sophisticated firewalls, IDSs, load balancers, etc.

    If you have the IdP behind a layer 7 load balancer/firewall/whatever, then I totally agree with you. No benefit to having the AGW in front.

    But in the case of layer 4, I like to have the AGW in front, to have at least better access logging and maybe some path rules.
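The two benefits named in the reply above (a readable access log and path rules) can be shown concretely with a plain Apache httpd reverse proxy in front of a Tomcat-hosted IdP. This is an added example, not configuration from the thread or from the Access Manager product (the Access Gateway is configured through its own console, not with httpd directives). The internal IdP address, the certificate paths, and the choice of /nidp/ as the only externally reachable context are assumptions for the illustration.

```apache
# Added example, not from the thread or the Access Manager product.
# Assumptions: the IdP listens on https://idp-internal.example.com:8443
# and only its /nidp/ context should be reachable from the outside.

<VirtualHost *:443>
    ServerName idp.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/idp.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/idp.example.com.key

    # Per-request access log in a readable line format, independent of
    # catalina.out; %D appends the request service time in microseconds.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" idp_log
    CustomLog /var/log/httpd/idp_access.log idp_log

    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyRequests Off

    # Weak setting (left commented out): the whole IdP host is exposed,
    # including any manager or sample contexts Tomcat happens to serve.
    # ProxyPass        / https://idp-internal.example.com:8443/
    # ProxyPassReverse / https://idp-internal.example.com:8443/

    # Path rule: only the IdP's own context is proxied.
    ProxyPass        /nidp/ https://idp-internal.example.com:8443/nidp/
    ProxyPassReverse /nidp/ https://idp-internal.example.com:8443/nidp/

    # Deny everything by default, then re-allow the single proxied path.
    <Location />
        Require all denied
    </Location>
    <Location /nidp/>
        Require all granted
    </Location>
</VirtualHost>
```

A request to anything outside /nidp/ is answered with 403 by the proxy and is recorded in idp_access.log without ever reaching Tomcat, which is the same effect a path-based rule on a layer 7 device would give; a layer 4 balancer alone cannot make that distinction.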

  • The logging is certainly a valid argument, I'll grant you that. The IdP itself has poor logging, at least from a readability standpoint (just love poring through catalina.out!). That said, most of my customers point at some sort of SIEM, so that is generally the go-to for info anyway.

    Good discussion nevertheless; haven't looked at any of this in a very, very long time, so it is good to review.

    Matt

  • A lot of the content in that doc came from a paper I did on why you might use the AG. The recommendation came from the fact that the appliance does it that way and it provides some benefits, as others listed in their replies.