Get Started!

This article discusses front-end server architecture to make Xton Access Manager available from the outside of the corporate network.

Xton Access Manager Front-End Server Architecture

Front-end Architecture for Production Deployment

For the production deployment of XTAM that could be accessed from the outside of the network we usually recommend to install a reversed proxy (load balancer) on the computer in DMZ to handle the inbound HTTPS traffic with SSL certificates. This reversed proxy will forward all requests to XTAM server inside the network.

HTTPS configuration with SSL certificate is optional for the trial use to test application functionality. However, if testing with SSL is desirable or for the production use the pre-requisite is to have a fully qualified domain name (FQDN) resolvable to the XTAM reversed proxy computer in DMZ (for example and an SSL certificate for this FQDN signed by an internet certificate authority trusted by browsers accessing the system. In this example XTAM will be accessed at

Xton Access Manager Front-End Server Architecture Load Balancer in DMZ

Front-end Architecture for Test or Trial Deployment

The alternative way to test the external setup is to install XTAM itself at the computer in DMZ, optionally load there a trusted SSL certificate mentioned earlier and switch it to bind directly to HTTP(s) port. It is slightly easier to do and will demonstrate XTAM functionality for the trial purposes.

Xton Access Manager Front-End Server Architecture XTAM in DMZ

The discussion below assumes two-server setup with one computer with reversed proxy at DMZ and the other one with XTAM behind the firewall. XTAM licensing does not count load balancer / reversed proxy computer as a node to purchase.

Details for Different OS

For Windows load balancers / reversed proxy we recommend to use Microsoft IIS. XTAM installation includes preliminary installation and configuration of Microsoft IIS as a load balancer option redirecting traffic to (possibly remote) XTAM farm. To install and configure IIS load balancer on an isolated computer at DMZ run XTAM setup on the computer at DMZ and select only Load Balancer option. Specify host name of the XTAM server when prompted. Follow Microsoft documentation to deploy SSL certificate bound to HTTPS port to secure IIS traffic after installation.

On Unix computers the typical load balancer choice is Apache HTTP server. Below is an FAQ article about how to configure it on RedHat / CentOS

Below is the article that discussed load balancer configuration for Debian and Ubuntu

Additional Considerations

When forwarding WEB traffic from a reversed proxy to XTAM server using https protocol make sure that XTAM uses trusted certificate or disable certificate check on the load balancer or direct the traffic on the unsecured HTTP port (XTAM listens an unprotected HTTP protocol on the port 8080 for test purposes). Below is an FAQ article to replace generated self-signed certificate of XTAM server with the one trusted by the load balancer

Note that XTAM server and load balancers could be installed on similar or on different operating systems (for example, Windows hosting XTAM server and Unix hosting the reversed proxy / load balancer). Also, it is possible to utilize existing load balancer in case the one is already in place (for example F5).

Mark Klinchin

Mark Klinchin

I am Co-Founder and CEO of Xton Technologies. I am interested in computers, software development, cyber security, content management, photography, image processing and mathematics.

Related Posts


XTAM Search Query Options

Xton Access Manager (XTAM) can quickly find records that match XTAM search criteria. By default, XTAM search query finds records by record name, description and a host name on a record. However, XTAM also uses Read more…


XTAM Update: adds shadow and self-reset option to manage MS Active Directory accounts and discovery host name verification

Xton Access Manager Product Update 2.3.201904072223 Today we released new update to the Xton Privileged Access Manager software. This update adds shadow and self-reset option to manage MS Active Directory accounts and discovery host name Read more…


XTAM API Python Example

This article provides a small example of Python script calling XTAM REST API. The example access XTAM REST API to retrieve current user information and XSRF REST API token. Then the example demonstrates the functions Read more…

Copyright © 2019 Xton Technologies, LLC. All rights reserved.