Cleaning Up and Verifying the Configuration

  1. When the configuration import has finished, verify the configuration for your reverse proxies.

    1. Click Access Gateways > Edit > [Name of Reverse Proxy].

    2. Verify the listening address.

      This is especially important if your Access Gateway has multiple network adapters. By default, the IP address of eth0 is always selected as the listening address.

    3. Verify the certificates assigned to the reverse proxy.

      The Subject Name of the certificate must match the published DNS name of the primary proxy service in the Proxy Service List.

    4. Verify the web server configuration. In the Proxy Service List, click the Web Server Addresses link. Check the following values:

      • Web Server Host Name: If this name has a staging prefix or suffix, remove it.

      • IP addresses in the Web Server List: If the IP addresses in the production area are different from the IP addresses in the staging area, modify the IP addresses to match the production area.

      • Certificates: If you have configured SSL or mutual SSL between the proxy service and the web servers, configure the Web Server Trusted Root and SSL Mutual Certificate options. The export and import configuration option does not export and import certificates.

    5. Click OK twice.

  2. (Conditional) If you have multiple reverse proxies, repeat Step 1 for each proxy service.

  3. On the Configuration page, click Reverse Proxy / Authentication, then select the Identity Server Cluster configuration.

  4. If you have multiple reverse proxies, verify that the Reverse Proxy value in the Embedded Service Provider section is the reverse proxy you want to use for authentication, then click OK twice.

  5. (Conditional) If Administration Console already contained some policies, verify that you do not have policies with duplicate names. Click Policies > Policies.

    Policies with duplicate names have Copy-n appended to the end of the name, with n representing a number. If you have duplicates, reconcile them:

    • If they contain the same rules, you need to reconfigure the resources that use one policy to use the other policy before you can delete the duplicate policy.

    • If they contain different rules, rename the duplicate policies.

  6. (Conditional) Apply any policy configuration changes.

  7. Click Access Gateways > Update.

  8. Click Identity Servers > Update.

    If your Identity Server does not prompt you for an update, complete the following steps to trigger the update:

    1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

    2. Set the Identity Server Cluster field to None, then click OK.

    3. Click Reverse Proxy / Authentication.

    4. Set the Identity Server Cluster field to the correct value, then click OK.

    5. Update Access Gateway.

    6. Update Identity Server.

  9. Configure the keystores for Access Gateway.

    If you have configured Access Gateway for SSL between Identity Server and Access Gateway and between Access Gateway and the browsers, verify that the trust stores and the keystores contain the correct certificates.

    1. Click Security > Certificates.

    2. Find the certificate for Access Gateway.

      The subject name of this certificate must match the DNS name of Access Gateway. If this certificate is not in the list, you need to create it or import it.

      This certificate must be in use by the ESP Mutual SSL and Proxy Key Store of Access Gateway.

    3. If the certificate is not in use by the required keystores, select the certificate, then click Actions > Add Certificate to Keystores.

    4. Click the Select Keystore icon, select ESP Mutual SSL and Proxy Key Store of Access Gateway, then click OK twice.

  10. Configure the trust stores for Access Gateway.

    1. Click Security > Certificates > Trusted Roots.

      The trusted root certificate of the CA that signed the Access Gateway certificate needs to be in the NIDP-truststore.

      The trusted root certificate of the CA that signed the Identity Server certificate needs to be in the ESP Trust Store of Access Gateway.

    2. If you need to add a trusted root to a trust store, select the trusted root, then click Add Trusted Roots to Trust Stores.

    3. Click the Trust Store icon, select the required trust store, then click OK twice.

  11. If you made any keystore or trust store modifications, update Access Gateway and Identity Server.

  12. (Optional) Create a cluster configuration and add this server as the primary server.
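
The subject-name checks in Step 1.3 and Step 9.2 can also be confirmed from outside Administration Console. The following Python sketch is an added example, not part of the product or its documentation. It compares a certificate, in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`, with the published DNS name. The function names, the result labels, and the `example.com` sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl

def cert_names(cert):
    """Return (SAN DNS names, subject common names) from a getpeercert() dict."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return sans, cns

def name_matches(pattern, dns_name):
    """Exact match, or a wildcard that covers exactly the leftmost label."""
    pattern, dns_name = pattern.lower().rstrip("."), dns_name.lower().rstrip(".")
    if pattern == dns_name:
        return True
    if pattern.startswith("*."):
        head, _, rest = dns_name.partition(".")
        return bool(head) and rest == pattern[2:]
    return False

def check_published_name(cert, published_dns):
    """Return 'ok', 'subject-only' or 'mismatch' for the published DNS name."""
    sans, cns = cert_names(cert)
    if any(name_matches(p, published_dns) for p in sans):
        return "ok"
    if any(name_matches(p, published_dns) for p in cns):
        # The subject matches, but current browsers compare against SAN only.
        return "subject-only"
    return "mismatch"

def fetch_cert(host, port=443, timeout=5):
    """Fetch the certificate a listener presents (its chain must validate)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name comparison is done explicitly above
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples: a certificate left over from staging, and a production one.
STAGING_CERT = {"subject": ((("commonName", "staging-www.example.com"),),),
                "subjectAltName": (("DNS", "staging-www.example.com"),)}
PROD_CERT = {"subject": ((("commonName", "www.example.com"),),),
             "subjectAltName": (("DNS", "www.example.com"),)}

if __name__ == "__main__":
    for label, cert in (("staging", STAGING_CERT), ("production", PROD_CERT)):
        print(label, check_published_name(cert, "www.example.com"))
```

Against a running reverse proxy, pass the result of `fetch_cert("<published DNS name>")` to `check_published_name` with the same name.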