Gateway

Pros:

  • Fewer number of deployed components that require maintenance
  • Independent of target application platform
  • No impact on web or app server processing and performance
  • Works with existing security token types, such as creating third party Web Access Management (WAM) tokens

Cons:

  • Requires networking changes
  • Requires strategy for securing direct access to backend web or app servers (network routing or service level authentication)
  • Depending on the application, might require content/request/response rewriting
  • Another layer that requires HA/DR planning

Agents

Pros:

  • No networking or server level authentication changes required
  • Tight integration with web server handling requests
  • Scales with application

Cons:

  • High cost of ownership when many agent instances are deployed, although should be upgradable or patchable independently of PingAccess policy server
  • Policy evaluation is cached, and although periodically flushed or re-evaluated (for new sessions, updates to session token, etc.) , isn't as "real time" as proxy
  • Tight dependency on web server version and platform