Chat now with support
Chat with Support

Cloud Access Manager 8.1.1 - Security and Best Practice Guide

Optimizing Cloud Access Manager for a production environment
Proxy hosts
STS hosts
Preventing direct access to applications protected by Cloud Access Manager
Before deploying Dell™ One Identity Cloud Access Manager, we recommend you perform the following steps to ensure Cloud Access Manager is optimized to handle the expected workload. Using this recommended configuration, a Proxy host can typically support up to 7,000 users and a Security Token Service (STS) host can typically support up to 15,000 users. You can add further Proxy and STS hosts to support more users and to provide high availability. For a production environment, we recommend that you deploy an additional proxy host and STS host to provide high availability and protect against a single host failure. For example a company with 20,000 users would typically deploy 4 Proxy hosts (20,000/7,000 +1) and 3 STS hosts (20,000/15,000 +1).
* 
NOTE: If you are not proxying any applications, including the Cloud Access Manager portal, the number of Proxy hosts should match the number of STS hosts.
To confirm you have deployed a sufficient number of hosts to support your users we recommend you use a phased rollout approach. Start by rolling out Cloud Access Manager to a small subset of users and monitor the CPU and memory usage of the Cloud Access Manager hosts to ensure sufficient spare capacity to scale out to the entire user base. For some applications this approach will not be possible, for example with federated applications such as Salesforce or Office 365™ where you have to switch over all users at the same time. In this situation, we recommend that you use a phased roll out of applications rather than users. Start with smaller applications and gradually add more when you have verified that sufficient spare resources are available on the Cloud Access Manager hosts.
For further information on how to install additional Cloud Access Manager hosts, please refer to the document entitled Dell™ One Identity Cloud Access Manager How To Configure for High Availability.

Proxy hosts

Dell™ One Identity Cloud Access Manager contains a reverse proxy to provide Single Sign-On (SSO) to web applications that do not support federation, for example basic, NT LAN Manager (NTLM), header and form authentication. The reverse proxy is also used to allow secure access to internal web applications from the Internet. When you access a proxied application, all communication between the web browser and the application goes through the proxy for the entire session, not only for the authentication.
For a production environment, we recommend that each proxy host has 8GB of physical memory and 8 processor cores. For example, two quad core processors giving a total of 8 cores spread over two processors.
A single proxy host can handle up to 12,000 concurrent connections. Modern web browsers typically use between 6 and 8 persistent HTTP connections when accessing an application. But during idle periods, such as when a user is reading, they will often reduce the number of connections to just a single connection, or even close all connections until the next user interaction. The browser can use each connection to send multiple HTTP requests to the application. The proxy will close a connection after either processing 100 HTTP requests, or after the connection has been idle for 60 seconds. The browser will establish a new connection the next time it needs to make an HTTP request. So, depending on the application you want to proxy, a single Proxy host will be able to support between 1,500 users (12,000/8) and 12,000 users. Our recommended maximum of 7,000 is an average of the two.
To support up to 12,000 concurrent connections, you must configure the proxy host to increase the number of persistent HTTP connections that it can support. This in turn requires greater memory allocation for the proxy. Please refer to Memory and HTTP connections for information on how to make the two changes required.

Memory

To support a larger number of persistent HTTP connections, first increase the amount of memory available to the proxy. For a production environment, we recommend that each proxy host has 8GB of physical memory, with 6GB of this memory allocated to the Java virtual machine used by the proxy.
To configure the maximum amount of memory allocated to the Java virtual machine
Perform the following steps on the proxy host.
1
Double click <Installation location>\Cloud Access Manager Proxy\bin\CloudAccessManagerProxyw.exe on each proxy host to open the proxy service configuration tool.
2
Click the Java tab.
3
In the Maximum memory pool field, enter the value 6144, then click Apply to set the maximum amount of memory allocated to the Java Virtual Machine heap to 6GB.
4
You must restart the proxy service for this setting to take effect. To restart the proxy service, click the General tab and then click Restart.

HTTP connections

For a production environment, the recommended default settings described below allow each proxy host to handle up to 12,000 concurrent, persistent HTTP connections.
To increase the number of concurrent HTTP connections
Perform the following steps on the proxy host.
1
Edit the file <Cloud Access Manager Proxy>\conf\server.xml on each proxy host and update the connector for port 443 to set the maxThreads setting to 12200. The file contains multiple connectors; only the connector for port 443 should be updated. The connectors for ports 80 and 8553 can remain at the default value of 200.
2
Next to the modified maxThreads parameter, insert a new parameter disableKeepAlivePercentage="99" as shown in the example below. This will allow 99% of the threads to be used for persistent connections, keeping 1% in reserve to process a single request per connection to help maintain availability during busy periods when all 12,000 persistent connections are in use.
<Connector protocol="HTTP/1.1" port="443" maxThreads="12200" disableKeepAlivePercentage="99"
scheme="https" secure="true"
SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
keystoreFile="j2sdk/jre/lib/security/cacerts"
server=" "
/>
3
You must also configure the host to support this number of connections, by default Microsoft® Windows Server® 2008 R2 will allow approximately 8,000 connections. To allow a greater number of connections use the netsh command to increase the dynamic ports range, please refer to http://en.wikipedia.org/wiki/Ephemeral_port for further information.

The following example will allow approximately 12,000 persistent HTTP connections. Run this command from a command prompt as an administrator, this setting takes immediate effect and does not require a reboot.

netsh int ipv4 set dynamicport tcp start=40000 num=25000
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating