IAG deployment checklist
Applies To: Intelligent Application Gateway (IAG)
This deployment checklist is designed to help you plan your deployment before you begin installing and configuring IAG. It provides a list of considerations relating to the following:
- Installation
- Application publishing
- Client endpoint deployment and compliance
- Authentication and portal application authorization
Installation
Feature or Issue | Planning required |
---|---|
Network infrastructure | All network adapters should be properly installed and configured with the appropriate IP addresses before installing and configuring IAG. Ensure you have at least one internal adapter and one external adapter on the IAG server. |
Hardware and software requirements | |
Getting Started Wizard | After installation, use the Getting Started Wizard to help you configure deployment settings, and complete basic IAG tasks. Collect the following information before running the Getting Started Wizard: |
Application publishing
Feature or Issue | Planning required |
---|---|
Public Host Name | When users are accessing a portal or published application, they need to know the host name to use. In most cases the host name will be a Fully Qualified Domain Name (FQDN), for example, mail.contoso.com. You should select a name that will be easy for your users to remember. |
Name resolution | With IAG at the edge, the public host name has to resolve to an IP address on the IAG server. An "A record" must be created in your DNS server, pointing to an IP address on your IAG server computer. If your company’s public DNS server is hosted by your ISP or a third party, you will have to consult with them to create this entry. |
Authentication and authorization
Feature or Issue | Planning required |
---|---|
Server certificate for HTTPS | To enable communications over an HTTPS channel between client endpoints and the IAG server, a server certificate has to be installed on the IAG server. The common name used to generate the certificate has to match the public host name. |
Authentication schemes | IAG can authenticate portal or application sessions by using a variety of authentication schemes. Ensure that an authentication server is configured to authenticate clients making requests to IAG sites. For more information, see Configuring authentication and authorization servers in IAG. |
Authentication to published application servers | If backend application servers published through IAG require authentication, ensure that these servers are correctly configured. If you are using delegation/single sign on, ensure that single sign on methods are set up correctly. For more information, see Preparing for authentication to application servers in IAG. |
Kerberos Constrained Delegation | When using Kerberos constrained delegation as the authentication delegation method, Kerberos constrained delegation must be configured. For more information, see Configuring Kerberos constrained delegation with IAG SP2. |
Authentication Delegation | When you configure authentication delegation, you must match the selected authentication delegation method to a supported method of authentication on the published server. |
Portal application authorization | If you want to authorize access on a per-application basis for applications published in a portal, set up users and groups that will be assigned authorization permissions. For more information, see Configuring users and groups for application authorization in IAG. |
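
The name resolution and server certificate items above can be checked together before go-live. The following is an added example, not code from the IAG documentation: the function names, the sample certificate dictionary (shaped like the output of Python's `ssl.SSLSocket.getpeercert()`) and the 203.0.113.10 address are constructed assumptions. It also accepts DNS subjectAltName entries and wildcard names, which goes beyond the common-name rule stated in the checklist.

```python
import ipaddress

def cert_names(peercert):
    """Collect the subject common name and any DNS subjectAltName entries
    from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    names = [value for rdn in peercert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    names += [value for kind, value in peercert.get("subjectAltName", ())
              if kind == "DNS"]
    return names

def name_matches(cert_name, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Require at least three labels so '*.com' never matches.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels

def check_publishing_plan(public_host, peercert, resolved_ips, iag_external_ips):
    """Return a list of problems; an empty list means both checklist items pass."""
    problems = []
    if not any(name_matches(n, public_host) for n in cert_names(peercert)):
        problems.append("certificate name does not match " + public_host)
    allowed = {ipaddress.ip_address(ip) for ip in iag_external_ips}
    stray = [ip for ip in resolved_ips if ipaddress.ip_address(ip) not in allowed]
    if not resolved_ips:
        problems.append("no A record for " + public_host)
    elif stray:
        problems.append("A record points away from IAG: " + ", ".join(stray))
    return problems

# Constructed sample data (documentation address ranges, not values from the page).
SAMPLE_CERT = {"subject": ((("commonName", "mail.contoso.com"),),)}
IAG_EXTERNAL = ["203.0.113.10"]  # assumed address of the IAG external adapter

if __name__ == "__main__":
    print(check_publishing_plan("mail.contoso.com", SAMPLE_CERT,
                                ["203.0.113.10"], IAG_EXTERNAL))  # []
    print(check_publishing_plan("portal.contoso.com", SAMPLE_CERT,
                                ["198.51.100.7"], IAG_EXTERNAL))
```

In a live check the certificate dictionary would come from `ssl.SSLSocket.getpeercert()` on a connection to the public host name, and the resolved addresses from `socket.getaddrinfo()` run against public DNS.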
Client endpoint deployment and compliance
Feature or Issue | Planning required |
---|---|
Client endpoint support | Review supported client endpoints before configuring client endpoint access. For more information, see IAG client endpoint system requirements. |
Access control | You can control access by using IAG client endpoint policies. For more information, see Managing IAG client endpoint policies. |
Client certificates | Client certificates can be used to authenticate client endpoints for IAG session access, or as an access control mechanism to specify that client endpoints certified with a client certificate have privileged access. Ensure that you have a mechanism for deploying client certificates for these purposes. For more information, see Deploying client certificates for IAG certified endpoints and client authentication. |
Deploying an array of IAG servers
Feature or Issue | Planning required |
---|---|
Array configuration | You can join IAG servers together into an array for high availability. For more information, see Deploying multiple IAG servers in an array. |