
This article discusses front-end server architecture for making Xton Access Manager (XTAM) available from outside the corporate network.

Xton Access Manager Front-End Server Architecture

Front-end Architecture for Production Deployment

For a production deployment of XTAM that must be reachable from outside the network, we usually recommend installing a reverse proxy (load balancer) on a computer in the DMZ to handle inbound HTTPS traffic with SSL certificates. This reverse proxy forwards all requests to the XTAM server inside the network.

HTTPS configuration with an SSL certificate is optional for trial use when only testing application functionality. However, if testing with SSL is desired, or for production use, the prerequisite is a fully qualified domain name (FQDN) that resolves to the XTAM reverse proxy computer in the DMZ (for example xtam.company.com) and an SSL certificate for this FQDN signed by an internet certificate authority trusted by the browsers that access the system. In this example XTAM will be accessed at https://xtam.company.com/xtam/

[Figure: Xton Access Manager front-end server architecture with the load balancer in the DMZ]

Front-end Architecture for Test or Trial Deployment

The alternative way to test the external setup is to install XTAM itself on the computer in the DMZ, optionally load the trusted SSL certificate mentioned earlier there, and switch XTAM to bind directly to the HTTP(S) port. This is slightly easier to do and will demonstrate XTAM functionality for trial purposes.

[Figure: Xton Access Manager front-end server architecture with XTAM in the DMZ]

The discussion below assumes a two-server setup: one computer with the reverse proxy in the DMZ and another with XTAM behind the firewall. XTAM licensing does not count the load balancer / reverse proxy computer as a node that must be purchased.

Details for Different OS

For Windows load balancers / reverse proxies we recommend Microsoft IIS. The XTAM installer includes preliminary installation and configuration of Microsoft IIS as a load balancer option that redirects traffic to a (possibly remote) XTAM farm. To install and configure the IIS load balancer on an isolated computer in the DMZ, run the XTAM setup on that computer and select only the Load Balancer option. Specify the host name of the XTAM server when prompted. After installation, follow Microsoft documentation to deploy an SSL certificate bound to the HTTPS port to secure IIS traffic.

On Unix computers the typical load balancer choice is Apache HTTP Server. Below is an FAQ article about how to configure it on Red Hat / CentOS:

https://www.xtontech.com/resources/faq/red-hat-centos-linux-xtam-load-balancer-configuration/

Below is the article that discusses load balancer configuration for Debian and Ubuntu:

https://www.xtontech.com/resources/faq/debian-ubuntu-linux-xtam-load-balancer-configuration/

Additional Considerations

When forwarding web traffic from the reverse proxy to the XTAM server over HTTPS, make sure that XTAM uses a trusted certificate; otherwise either disable the certificate check on the load balancer or direct the traffic to the unsecured HTTP port (XTAM listens for unprotected HTTP on port 8080 for test purposes). Below is an FAQ article about replacing the generated self-signed certificate of the XTAM server with one trusted by the load balancer:

https://www.xtontech.com/resources/faq/replacing-self-signed-certificate-with-trusted-certificate/
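As an added illustration (not the page's own configuration and not taken from the linked FAQ articles), here is an Apache HTTP Server reverse proxy virtual host for the DMZ computer that terminates TLS for https://xtam.company.com/xtam/ and verifies the XTAM server's certificate on the internal hop; the internal host name xtam-internal.example.local, the backend HTTPS port 443, the CA file and the certificate paths are assumptions.

```apache
# Added example, not Xton's own configuration. Assumed values: the internal
# XTAM host xtam-internal.example.local, backend HTTPS port 443, and all file paths.
# Requires mod_ssl, mod_proxy and mod_proxy_http to be loaded.

<VirtualHost *:80>
    ServerName xtam.company.com
    # Plain HTTP from the internet is only used to redirect to HTTPS
    Redirect permanent / https://xtam.company.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName xtam.company.com

    # Public-facing TLS: certificate for the FQDN, issued by a CA that browsers trust
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/xtam.company.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/xtam.company.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Act as a reverse proxy only; never as an open forward proxy
    ProxyRequests Off

    # Internal hop to XTAM over HTTPS with the backend certificate verified against
    # the CA that signed it (see the FAQ on replacing the self-signed certificate).
    # ProxyPreserveHost is left off so the peer-name check is done against the
    # backend URL host rather than the client's Host header.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt

    ProxyPass        /xtam/ https://xtam-internal.example.local:443/xtam/
    ProxyPassReverse /xtam/ https://xtam-internal.example.local:443/xtam/

    # Trial-only alternatives described in the article (use one instead of the
    # verified HTTPS hop above, never in production):
    #   SSLProxyVerify none        # keep HTTPS but skip the backend certificate check
    #   ProxyPass        /xtam/ http://xtam-internal.example.local:8080/xtam/
    #   ProxyPassReverse /xtam/ http://xtam-internal.example.local:8080/xtam/
</VirtualHost>
```

With the verified hop in place, a backend still presenting its generated self-signed certificate shows up as a 502 from the proxy and an SSL handshake error in the Apache error log, which is the expected signal that the certificate replacement has not been completed.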

Note that the XTAM server and the load balancer can be installed on the same or on different operating systems (for example, Windows hosting the XTAM server and Unix hosting the reverse proxy / load balancer). It is also possible to use an existing load balancer if one is already in place (for example F5).


Mark Klinchin

I am Co-Founder and CEO of Xton Technologies. I am interested in computers, software development, cyber security, content management, photography, image processing and mathematics.


Copyright © 2019 Xton Technologies, LLC. All rights reserved.