Deploy PingAccess using Agents, as a Gateway (or reverse proxy), or using a combination of both. Before choosing a deployment, understand the pros and cons of each deployment scenario and determine how they impact your strategy.
Gateway
Pros:
- Fewer number of deployed components that require maintenance
- Independent of target application platform
- No impact on web or app server processing and performance
- Works with existing security token types, such as creating third party Web Access Management (WAM) tokens
Cons:
- Requires networking changes
- Requires strategy for securing direct access to backend web or app servers (network routing or service level authentication)
- Depending on the application, might require content/request/response rewriting
- Another layer that requires HA/DR planning
Agents
Pros:
- No networking or server level authentication changes required
- Tight integration with web server handling requests
- Scales with application
Cons:
- High cost of ownership when many agent instances are deployed, although should be upgradable or patchable independently of PingAccess policy server
- Policy evaluation is cached, and although periodically flushed or re-evaluated (for new sessions, updates to session token, etc.) , isn't as "real time" as proxy
- Tight dependency on web server version and platform