Clarification on Required Network Communication Between One Identity Manager Components

We are currently validating the network and security requirements for a One Identity Manager implementation deployed in a highly segmented environment.

In our scenario, all main components are deployed in separate VLANs, and some of them are located in different datacenters:

  • Web Server (API Server)

  • Application Server

  • Database Server

  • Job Server

  • Workstation (IAG Tools / Designer / Manager)

From a supported and recommended product perspective, we would like to clarify the following points related strictly to component communication requirements:

  1. Workstation connectivity
    Is it required that a Workstation (used for IAG Tools such as Designer, Manager, etc.) has direct network communication with all backend components (Application Server, Database Server, Job Server), or is communication with the Application Server only sufficient to fully manage and administer the environment?

  2. Application Server connectivity
    From a functional and supported standpoint, should the Application Server have network communication only with the Database Server and the Job Server, or are there any additional direct communication requirements with other components?

The objective of these questions is to ensure our network rules and firewall configurations align with the minimum required and supported communication paths for One Identity Manager, without overexposing components unnecessarily.

Thank you in advance for your guidance.

  • Still a lot of information missing...

    Generally speaking, it's a hub-and-spoke communication solution with the DB being the hub and all the services, tools and web services being the spokes.

    With regards to tools, you can use AppServer (limited functionality - but only https/443 required) or you can use a direct DB connection (full functionality - mssql/1433). Each component talks to the DB, so JobQueue.exe looks at the DB table for the data (this is separate from the Job Server Web Interface [http/1880] that offers the logs, etc). Wherever tools are run, that host also needs internet access for NodeJS (version dependent - most modern versions have the requirement).

    The other service components talk to the DB (i.e. Job Service, etc).

    The web service modules (ApiServer/IdentityManager/etc) need to talk to AppServer via https/443.

    Depending on which version you are running, the ApiServer's Operations Support Portal and Manager are very good at offering a lot of fat tool functionality (OneID are on the move to mostly web based admin tools in the long term roadmap with only a couple of FAT tools still required - i.e. Compiler).

    Then you can have certain ports required outbound as well - but that wasn't part of your original question.
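To make the hub-and-spoke description in the reply above checkable against an actual rule set, here is an added Python example (not code from One Identity or from either poster). It derives the minimum inbound paths the reply implies for the five components named in the question, in both tool modes (AppServer over https/443, or direct DB over mssql/1433), and then audits a proposed firewall rule list for missing and over-broad rules. The ports 443, 1433 and 1880 are the ones quoted in the reply; the component names, the rule-file format, the sample rules and the optional workstation-to-Job-Server-UI flow are assumptions made for illustration.

```python
"""Derive the minimum One Identity Manager network flows implied by the
hub-and-spoke model in the reply above and audit a firewall rule list
against them.  Added example, not One Identity's code.  Ports are those
quoted in the reply; component names and the rule format are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Ports quoted in the reply.
HTTPS = 443           # AppServer and the web service modules
MSSQL = 1433          # direct database connections
JOBSERVER_UI = 1880   # Job Server web interface (logs), plain http


@dataclass(frozen=True)
class Flow:
    """One permitted TCP connection; src initiates, dst listens on port."""
    src: str
    dst: str
    port: int

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst}:{self.port}/tcp"


def required_flows(tool_mode: str, jobserver_ui_from_workstation: bool = False) -> set[Flow]:
    """Minimum inbound paths for the hub-and-spoke model: every service talks
    to the database, the web modules talk to the AppServer, and the workstation
    reaches the hub either through the AppServer or directly.

    tool_mode: "appserver" (https only, limited functionality) or
               "directdb"  (full functionality, mssql/1433 from the workstation).
    """
    if tool_mode not in ("appserver", "directdb"):
        raise ValueError(f"unknown tool_mode {tool_mode!r}")

    flows = {
        Flow("JobServer", "DbServer", MSSQL),   # Job service polls the job queue table
        Flow("AppServer", "DbServer", MSSQL),   # AppServer is itself a DB client
        Flow("WebServer", "AppServer", HTTPS),  # ApiServer / web modules -> AppServer
    }
    if tool_mode == "appserver":
        flows.add(Flow("Workstation", "AppServer", HTTPS))
    else:
        flows.add(Flow("Workstation", "DbServer", MSSQL))
    if jobserver_ui_from_workstation:
        # Assumption: admins read job logs from the workstation; the reply only
        # says the interface exists on http/1880.
        flows.add(Flow("Workstation", "JobServer", JOBSERVER_UI))
    # Not modelled: outbound internet access for NodeJS from the tool host, and
    # the further outbound ports the reply mentions without listing them.
    return flows


def audit_rules(required: set[Flow], proposed: Iterable[Flow]) -> tuple[set[Flow], set[Flow]]:
    """Compare proposed firewall rules with the required flows.

    Returns (missing, excess): flows the environment cannot work without, and
    rules that open a path the model does not need (candidates for removal).
    """
    proposed_set = set(proposed)
    return required - proposed_set, proposed_set - required


def parse_rules(text: str) -> list[Flow]:
    """Parse rule lines of the form 'SRC DST PORT', one per line, '#' comments
    allowed.  The format is an assumption for this example."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, port = line.split()
        rules.append(Flow(src, dst, int(port)))
    return rules


# Constructed sample rule set for a workstation that goes through the AppServer.
SAMPLE_RULES = """
Workstation AppServer 443
Workstation DbServer  1433   # left over from a direct-DB pilot; not needed in appserver mode
AppServer   DbServer  1433
WebServer   AppServer 443
# JobServer -> DbServer 1433 is missing: the Job service could never read its queue
"""

if __name__ == "__main__":
    required = required_flows("appserver")
    missing, excess = audit_rules(required, parse_rules(SAMPLE_RULES))
    for flow in sorted(missing, key=str):
        print("MISSING:", flow)
    for flow in sorted(excess, key=str):
        print("EXCESS: ", flow)
```

Run against the sample rules, the audit reports the Job Server's missing database path and flags the workstation's direct 1433 rule as excess for AppServer mode; switching `tool_mode` to `"directdb"` inverts that, which is exactly the trade-off the reply describes (full tool functionality in exchange for exposing the database to the workstation VLAN).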