IAG deployment checklist

Applies To: Intelligent Application Gateway (IAG)

This deployment checklist is designed to help you plan your deployment before you begin installing and configuring IAG. It provides a list of considerations relating to the following:

  • Installation

  • Application publishing

  • Client endpoint deployment and compliance

  • Authentication and portal application authorization

Installation

Feature or Issue Planning required

Network infrastructure

All network adapters should be properly installed and configured with the appropriate IP addresses before installing and configuring IAG.

Ensure you have at least one internal adapter and one external adapter on the IAG server.

Hardware and software requirements

See IAG Service Pack 2 system requirements.

Getting Started Wizard

After installation, use the Getting Started Wizard to configure deployment settings and complete basic IAG tasks. Collect the following information before running the Getting Started Wizard:

  • Address ranges required for the internal network if you will supply this manually.

  • Address of the DNS server if it is not supplied by DHCP.

  • A list of static routes, including the IP address, subnet mask, and default gateway for each route.

  • IAG server name.

  • DNS suffix if the IAG server will be part of a domain.

  • Domain or workgroup name to which the IAG server will be added.

  • Credentials for logging on to the domain if IAG will be a domain member.

Application publishing

Feature or Issue Planning required

Public Host Name

When users access a portal or published application, they need to know the host name to use. In most cases the host name will be a fully qualified domain name (FQDN), for example, mail.contoso.com. Select a name that will be easy for your users to remember.

Name resolution

With IAG at the edge, the public host name has to resolve to an IP address on the IAG server. An "A record" must be created in your DNS server, pointing to an IP address on your IAG server computer. If your company’s public DNS Server is being hosted by your ISP or a third party, you will have to consult with them to create this entry.

Authentication and authorization

Feature or Issue Planning required

Server certificate for HTTPS

To enable communications over an HTTPS channel between client endpoints and the IAG server, a server certificate has to be installed on the IAG server. The common name used to generate the certificate has to match the public host name.

Authentication schemes

IAG can authenticate portal or application sessions by using a variety of authentication schemes. Ensure that an authentication server is configured to authenticate clients making requests to IAG sites. For more information, see Configuring authentication and authorization servers in IAG.

Authentication to published application servers

If backend application servers published through IAG require authentication, ensure that these servers are correctly configured. If you are using delegation or single sign-on, ensure that the single sign-on methods are set up correctly. For more information, see Preparing for authentication to application servers in IAG.

Kerberos Constrained Delegation

When using Kerberos constrained delegation as the authentication delegation method, Kerberos constrained delegation must be configured. For more information, see Configuring Kerberos constrained delegation with IAG SP2.

Authentication Delegation

When you configure authentication delegation, you must match the selected authentication delegation method to a supported method of authentication on the published server.

Portal application authorization

If you want to authorize access on a per-application basis for applications published in a portal, set up users and groups that will be assigned authorization permissions. For more information, see Configuring users and groups for application authorization in IAG.
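
The "Name resolution" and "Server certificate for HTTPS" items above can be verified before go-live. The following Python check is an added example, not part of the original checklist or of IAG: the IP addresses, sample certificates and fake_resolver are constructed, and the wildcard and subjectAltName handling goes beyond the common-name match that the checklist states.

```python
import socket

def resolves_to_iag(public_host, iag_addresses, resolver=socket.getaddrinfo):
    """True only if every address the public name resolves to is on the IAG server."""
    infos = resolver(public_host, 443, proto=socket.IPPROTO_TCP)
    resolved = {info[4][0] for info in infos}
    return bool(resolved) and resolved <= set(iag_addresses)

def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        # Require a multi-label parent so "*.com" never matches.
        return bool(label) and parent == pattern[2:] and "." in parent
    return False

def check_certificate(cert, public_host):
    """cert is a dict in the format returned by ssl.SSLSocket.getpeercert()."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "cn_match": any(name_matches(n, public_host) for n in cns),
        "san_match": any(name_matches(n, public_host) for n in sans),
    }

# Constructed sample data (not from a real deployment).
PUBLIC_HOST = "mail.contoso.com"
IAG_EXTERNAL_IPS = ["203.0.113.10"]
GOOD_CERT = {"subject": ((("commonName", "mail.contoso.com"),),),
             "subjectAltName": (("DNS", "mail.contoso.com"),)}
WRONG_NAME_CERT = {"subject": ((("commonName", "portal.contoso.com"),),)}

def fake_resolver(host, port, proto=0):
    """Stands in for DNS so the example runs offline; returns getaddrinfo-style tuples."""
    answers = {"mail.contoso.com": ["203.0.113.10"], "old.contoso.com": ["198.51.100.7"]}
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in answers.get(host, [])]

if __name__ == "__main__":
    print(resolves_to_iag(PUBLIC_HOST, IAG_EXTERNAL_IPS, fake_resolver))
    print(check_certificate(GOOD_CERT, PUBLIC_HOST))
    print(check_certificate(WRONG_NAME_CERT, PUBLIC_HOST))
```

Omitting the resolver argument makes resolves_to_iag query live DNS, and a certificate dict for check_certificate can be obtained from ssl.SSLSocket.getpeercert() on a verified connection.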

Client endpoint deployment and compliance

Feature or Issue Planning required

Client endpoint support

Review supported client endpoints before configuring client endpoint access. For more information, see IAG client endpoint system requirements.

Access control

You can control access by using IAG client endpoint policies. For more information, see Managing IAG client endpoint policies.

Client certificates

Client certificates can be used to authenticate client endpoints for IAG session access, or as an access control mechanism to specify that client endpoints certified with a client certificate have privileged access. Ensure that you have a mechanism for deploying client certificates for these purposes. For more information, see Deploying client certificates for IAG certified endpoints and client authentication.

Deploying an array of IAG servers

Feature or Issue Planning required

Array configuration

You can join IAG servers together into an array for high availability. For more information, see Deploying multiple IAG servers in an array.