Using CA Access Gateway as a Web Agent Replacement - CA Single Sign-On - 12.7 - CA Technologies Documentation
This topic has to be explained in detail, with clarification. Here are my open questions:
- Is the intention of this topic to replace webagents or webagent Option Packs with AG?
- What is the recommendation if some customers want to get rid of an agent-based architecture (e.g., transforming a 2000-webagent (200 apps with 200 LB URLs/VIPs) architecture to an agentless architecture)?
- Does it not become a single point of failure in case of an issue with the AG server(s)?
Looking forward to those answers too.
Some of the intentions in this approach are to:
Each customer will need to balance their End-to-End security requirements with simplified architecture.
The Access Gateway systems do not need to become a single point of failure. Architecturally, you can place hardware balancers pre and post multiple access gateways for high availability.
We need to be careful about making CA AG connect to 200 apps. Consider that even if each app has 2 servers for purposes of resilience, it becomes 200 * 2 = 400 backend servers. It will be more than that in reality. Hence the first thing to consider is performance if that happens.
So consider what end goal CA AG is going to serve. Is it going to act as an Authentication end point (SAML / AuthAzWS / OIDC), or would it serve as a Proxy Gateway as well? When acting purely as an Authentication end, there are no proxy functions. I am more comfortable using the CA AG as an Authentication end point, rather than a gateway / proxy for the entire enterprise. But if we have to design it as a gateway / proxy for the entire enterprise, we need to make sure it is a highly scaled / beefed-up CA AG infrastructure.