Symantec Access Management

  • 1.  Using CA Access Gateway as a Web Agent Replacement

    Broadcom Employee
    Posted Jan 16, 2018 12:31 AM

    Using CA Access Gateway as a Web Agent Replacement - CA Single Sign-On - 12.7 - CA Technologies Documentation 

     

    This topic has to be explained well, in detail, with clarification. Here are my open questions:

    - Is the intention of this topic to replace webagents or webagent Option Packs with AG?

    - What is the recommendation if some customer wants to get rid of an agent-based architecture (e.g., transforming a 2000-webagent architecture (200 apps with 200 LB URLs/VIPs) to an agentless architecture)?

    - Does it not become a single point of failure in case of an issue with the AG server(s)?



  • 2.  Re: Using CA Access Gateway as a Web Agent Replacement

    Posted Jan 26, 2018 02:07 PM

    Looking forward to those answers too.



  • 3.  Re: Using CA Access Gateway as a Web Agent Replacement

    Posted Jan 26, 2018 03:57 PM

    Hi,

    Some of the intentions in this approach are to:

    • reduce Total Cost of Ownership (TCO) within an organization
    • reduce complexity
    • expand to allow for additional technologies and market direction (OIDC - JWT) and credential chaining

    Each customer will need to balance their End-to-End security requirements with a simplified architecture.

    The Access Gateway systems do not need to become a single point of failure. Architecturally, you can use hardware balancers pre and post multiple access gateways for high availability.



  • 4.  Re: Using CA Access Gateway as a Web Agent Replacement

    Posted Jan 26, 2018 05:30 PM

    We need to be careful about making CA AG connect to 200 apps. Consider that even if each app has 2 servers for purposes of resilience, it becomes 200 * 2 = 400 backend servers. It will be more than that in reality. Hence the first thing to consider is performance if that happens.

    So consider what end goal CA AG is going to serve. Is it going to act as an Authentication end point (SAML / AuthAzWS / OIDC), or would it serve as a Proxy Gateway as well? When acting purely as an Authentication end point, there are no proxy functions. I am more comfortable using the CA AG as an Authentication end point, rather than a gateway / proxy for the entire enterprise. But if we have to design it as a gateway / proxy for the entire enterprise, we need to make sure it is a highly scaled / beefed-up CA AG infrastructure.