IAG deployment checklist

Updated: February 10, 2010

Applies To: Intelligent Application Gateway (IAG)

This deployment checklist is designed to help you plan your deployment before you begin installing and configuring IAG. It provides a list of considerations relating to the following:

  • Installation

  • Application publishing

  • Client endpoint deployment and compliance

  • Authentication and portal application authorization



Feature or Issue Planning required

Network infrastructure

All network adapters should be properly installed and configured with the appropriate IP addresses before installing and configuring IAG.

Ensure you have at least one internal adapter and one external adapter on the IAG server.

Hardware and software requirements

See IAG Service Pack 2 system requirements.

Getting Started Wizard

After installation, use the Getting Started Wizard to help you configure deployment settings, and complete basic IAG tasks. Collect the following information before running the Getting Started Wizard:

  • Address ranges required for the internal network if you will supply this manually.

  • Address of the DNS server if it is not supplied by DHCP.

  • A list of static routes, including the IP address, subnet mask, and default gateway for each route.

  • IAG server name

  • DNS suffix if the IAG server will be part of a domain

  • Domain or workgroup name to which the IAG server will be added.

  • Credentials for logging on to the domain if IAG will be a domain member

Application publishing


Feature or Issue Planning required

Public Host Name

When users are accessing a portal or published application, they need to know the host name to use. In most cases the host name will be a Fully Qualified Domain Name (FQDN) for example, mail.contoso.com. You should select a name that will be easy for your users to remember.

Name resolution

With IAG at the edge, the public host name has to resolve to an IP address on the IAG server. An "A record" must be created in your DNS server, pointing to an IP address on your IAG server computer. If your company’s public DNS Server is being hosted by your ISP or a third party, you will have to consult with them to create this entry.

Authentication and authorization


Feature or Issue Planning required

Server certificate for HTTPS

To enable communications over an HTTPS channel between client endpoints and the IAG server, a server certificate has to be installed on the IAG server. The common name used to generate the certificate has to match the public host name.

Authentication schemes

IAG can authenticate portal or application sessions by using a variety of authentication schemes. Ensure that an authentication server is configured to authenticate clients making requests to IAG sites. For more information, see Configuring authentication and authorization servers in IAG.

Authentication to published application servers

If backend application servers published through IAG require authentication, ensure that these servers are correctly configured. If you are using delegation/single sign on, ensure that single sign on methods are set up correctly. For more information, see Preparing for authentication to application servers in IAG.

Kerberos Constrained Delegation

When using Kerberos constrained delegation as the authentication delegation method, Kerberos constrained delegation must be configured. For more information, see Configuring Kerberos constrained delegation with IAG SP2.

Authentication Delegation

When you configure authentication delegation, you must match the selected authentication delegation method to a supported method of authentication on the published server.

Portal application authorization

If you want to authorize access on a per-application basis for applications published in a portal, set up users and groups that will be assigned authorization permissions. For more information, see Configuring users and groups for application authorization in IAG.

Client endpoint deployment and compliance


Feature or Issue Planning required

Client endpoint support

Review supported client endpoints before configuring client endpoint access. For more information, see IAG client endpoint system requirements.

Access control

You can control access by using IAG client endpoint policies. For more information, see Managing IAG client endpoint policies.

Client certificates

Client certificates can be used to authenticate client endpoints for IAG session access, or as an access control mechanism to specify that client endpoints certified with a client certificate have privileged access. Ensure that you have a mechanism for deploying client certificates for these purposes. For more information, see Deploying client certificates for IAG certified endpoints and client authentication.

Deploying an array of IAG servers


Feature or Issue Planning required

Array configuration

You can join IAG servers together into an array for high-availability. For more information, see Deploying multiple IAG servers in an array.