To get the full benefit of AppGate SDP, a series of configuration steps must be completed after the first Controller is up. This summary gives an overview of those steps, in the order in which they are normally done, to get you started on a secure and efficient deployment.
Request License: Begin by obtaining the necessary licenses for your AppGate SDP deployment. Licenses are the foundation upon which your secure access solution operates, so ensure you have the appropriate licensing in place.
Configure IP Pool: Establishing an IP pool is a fundamental configuration step. This pool will define the range of IP addresses available for network access, ensuring that users and devices are allocated the appropriate resources securely.
IdP Integration: AppGate SDP can integrate with your Identity Provider (IdP) for user authentication. Integrating with your IdP ensures that only authorized users can access your network and resources.
SDP User Roles Verification: Assigning and verifying user roles is crucial. Different users require different levels of access, and verifying these roles guarantees that users only have access to the resources they need.
Create Administrator Policy: Admin policies define the rules and permissions for managing your SDP environment. Creating well-defined admin policies ensures that administrators have the appropriate levels of control and access.
Site Configuration: Configuring your network sites is essential for defining the structure and boundaries of your SDP deployment. Proper site configuration ensures that users and resources are organized efficiently.
Create DNS Entitlement: DNS Entitlements enable domain-specific access control. A DNS Entitlement permits the Client's DNS traffic to the resolvers of a Site, so that Match Domains configured on the Site can be resolved through the tunnel.
Create DNS Policy: DNS Policies go hand in hand with DNS Entitlements. Entitlements are only granted to users through a Policy, so creating a DNS Policy defines which users and devices receive the DNS Entitlement.
Enable Gateway Function: The Gateway function is a core component of AppGate SDP. Enabling the gateway function is the final step in configuring your SDP environment, allowing secure connections between users and resources.
Request License
Now that the first AppGate SDP Controller has been configured and you have signed into it, you can use the Admin UI. From the Dashboard it is now possible to request and add the production license for the system.
To request a production license, copy the unique "Request Code" and send it to your Customer Success Manager (CSM). The "Request Code" must be shared, because the license file is generated for that code and will only work with your SDP Collective.
For example: Specify request code xxxxxxxxxx_v2
Once you receive your production license from your CSM, install it by navigating to Settings > Licenses > Add New.
For more information, see licenses in the SDP Admin Guide.
Configure IP Pool
IP Pools are used to allocate an internal IP address to the Client once the user has been successfully authenticated. This IP address is assigned to the virtual tunnel interface for Client-to-Gateway communication. To ensure there are sufficient free IP addresses for all concurrent users, you may need to create a new IP pool or extend an existing pool of addresses. AppGate SDP is designed to operate in both IPv4 and IPv6 networks, and default IP pools are provided for both. Tunnel traffic can be of either type at the same time; however, IPv4 tunneled traffic will always use the IPv4 tunnel and IPv6 traffic will always use the IPv6 tunnel, so each concurrent user consumes one address from each pool in use. The pool ranges must not overlap with the networks behind your Gateways, otherwise a tunnel address can collide with a protected host.
To create a new IP Pool, if needed, navigate to Identity > IP Pools > Add New. The new IP Pool must then be associated with your IdP.
For more information, see the IP Pools and IP Pool Configuration in the SDP Admin Guide.
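Before extending a pool, it is worth checking two things that the Admin UI does not do for you: that each pool (v4 and v6 separately, since every user takes one address from each) is large enough for the expected peak of concurrent sessions, and that no pool range overlaps the networks you will later list under the Gateway's Allowed Destinations. The script below is an added example, not part of the original page or of AppGate's own tooling. The pool ranges, the destination networks, the user count and the 20% headroom factor are constructed sample values; only the standard library is used.

```python
import ipaddress

# Constructed sample values for this example. Replace with your own pool ranges,
# the networks you will list under the Gateway's "Allowed Destinations", and
# the expected peak number of concurrent Client sessions.
IP_POOLS = {
    "Default pool v4": ["10.200.0.0/22"],
    "Default pool v6": ["fd00:a11e:1::/64"],
}
ALLOWED_DESTINATIONS = ["10.10.0.0/16", "10.200.2.0/24", "fd00:a11e:2::/64"]
PEAK_CONCURRENT_USERS = 1500


def pool_capacity(ranges):
    """Conservative count of assignable addresses across the CIDRs of one pool.
    For IPv4 the network and broadcast addresses are excluded (except /31 and /32)."""
    total = 0
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version == 4 and net.prefixlen < 31:
            total += net.num_addresses - 2
        else:
            total += net.num_addresses
    return total


def pool_overlaps(ranges, destinations):
    """Return (pool_cidr, destination_cidr) pairs that overlap. Any overlap means a
    Client could be handed a tunnel IP that is also a protected host behind the Gateway."""
    hits = []
    for cidr in ranges:
        pool = ipaddress.ip_network(cidr, strict=True)
        for dest in destinations:
            target = ipaddress.ip_network(dest, strict=True)
            if pool.version == target.version and pool.overlaps(target):
                hits.append((cidr, dest))
    return hits


def check_pools(pools, destinations, peak_users, headroom=1.2):
    """One finding per pool: capacity, the size required at peak (with headroom for
    reconnects and address churn, an assumed 20% here), and any overlaps."""
    required = int(peak_users * headroom)
    report = {}
    for name, ranges in pools.items():
        capacity = pool_capacity(ranges)
        report[name] = {
            "capacity": capacity,
            "required": required,
            "sufficient": capacity >= required,
            "overlaps": pool_overlaps(ranges, destinations),
        }
    return report


if __name__ == "__main__":
    for name, finding in check_pools(IP_POOLS, ALLOWED_DESTINATIONS, PEAK_CONCURRENT_USERS).items():
        status = "OK" if finding["sufficient"] and not finding["overlaps"] else "ACTION NEEDED"
        print(f"{name}: {status}  capacity={finding['capacity']} required={finding['required']}")
        for pool_cidr, dest in finding["overlaps"]:
            print(f"  overlap: pool {pool_cidr} collides with destination {dest}")
```

With the sample values the v4 pool is reported as too small (1022 usable addresses against 1800 required) and as overlapping 10.200.2.0/24, which is exactly the situation in which you would extend or replace the pool before associating it with the IdP; the v6 pool passes both checks.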
IdP Integration
AppGate SDP can integrate with your Identity Provider (IdP) for user authentication. Integrating with your IdP ensures that only authorized users can access your network and resources.
To create a new Identity Provider, navigate to Identity > Identity Providers > Add New.
For more information, see Authentication Services in the SDP Admin Guide.
LDAP
Service Account DN: Use a dedicated service account, and give it the minimum rights required to read the tree below the Base DN (read-only; it does not need to be a member of any privileged group). On a Windows domain controller you can look up the account's distinguished name with the command: "dsquery user -name <username>"
Once the configuration is complete, perform a connection test and user authentication test.
For more information, see LDAP/Radius Configuration and the LDAP Certificate Configuration in the SDP Admin Guide.
SAML
AppGate SDP supports single sign-on authentication using SAML 2.0 identity providers (IdP) such as ADFS, OKTA, OneLogin and Ping. SAML can be used to authenticate users connecting through the Client, and also to authenticate administrators logging into the Controller console.
For more information, see SAML Configuration in the SDP Admin Guide.
OIDC
OAuth 2.0 is an IETF-specified framework designed to support the development of authorization (and authentication) protocols. OpenID Connect (OIDC) is the third generation of OpenID and is built on this framework. OIDC relies on the standard TLS infrastructure, which is available on practically every platform, and on JSON Web Token (JWT) data structures. Plain OAuth and OAuth 2.0 without the OIDC identity layer are not supported as identity providers by AppGate SDP.
For more information, see OIDC Configuration in the SDP Admin Guide.
SDP User roles verification
AppGate SDP provides a role-based administration capability, allowing you to delegate certain aspects of system administration with the same level of granularity used to control user access to network resources. Before delegating administration, decide on your admin Policy: the roles (privileges) that will be delegated and how they will be scoped, e.g. by using Tags to identify entities relating to a particular business unit, or by named instances to restrict access to specific elements of the system.
To create new Administrator User Roles, navigate to Access > Admin Roles > Add new.
For more information, see Admin User Access in the SDP Admin Guide.
Site Configuration
Site is an AppGate SDP term that defines the environment that the AppGate SDP system will protect; it should not be confused with a physical site. An AppGate SDP Site may represent one or more hosts in a subnet, a DMZ, a geographical location, a business unit, etc. Sites will typically include one or more Gateways (refer to HA Gateways and Roaming) to handle the Client tunnels connected to that Site. Unlike traditional VPN solutions, Clients can connect simultaneously to multiple Sites in one Collective.
To edit the default site or to create additional sites navigate to System > Sites.
Edit the existing site name:
Change Default Site Name: System > Sites > Default Site
Add a Short Name (up to 4 characters). This is how the site is displayed in your users' Client.
Add the DNS servers and the Match Domains. The DNS servers are the resolvers the Client will use, through the tunnel, for names in the Match Domains; the Client still needs an Entitlement that permits DNS traffic to those resolvers (see Create DNS Entitlement below).
For more information, see Sites in the SDP Admin Guide.
Create DNS Entitlement
Entitlements are assigned to users by Policies. Each Entitlement token issued defines the Entitlements available to the user/device for a specific Site. The main elements of an Entitlement are the Client app shortcuts, the Actions (traffic protocols, hosts/URLs, ports), and any access controls imposed by the Gateway relating to the Actions.
To create your DNS Entitlement, navigate to Access > Entitlement > Add New
DNS Client Entitlement, Select Site: select the Site whose resolvers (the DNS servers configured on that Site) the Client should reach.
Select Action: Allow, UDP up, host <DNS_IP>. "Up" means client-initiated traffic towards the resource; restrict the host to the resolver address(es) and the port to 53 rather than allowing a whole subnet.
Access Control: Always Allow Action(s)
Remember that the Entitlement takes effect only once a Policy assigns it to the relevant users or devices.
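The same Entitlement can be created through the Controller's Admin API instead of the UI, which is useful when several Sites need an identical DNS Entitlement or when you want to audit existing ones for over-broad Actions. The following is an added example, not code from the original page or from AppGate. It assumes the Entitlement JSON shape of the AppGate Admin API (fields name, site, conditions, actions with subtype/action/hosts/ports); the Site and condition UUIDs and the resolver addresses are constructed placeholders. The audit function encodes the least-privilege rule from the step above: a DNS Entitlement should only allow client-initiated UDP/TCP to specific resolver IPs on port 53.

```python
import ipaddress
import json

# Hypothetical identifiers for this example; take the real UUIDs from your Collective.
SITE_ID = "00000000-0000-0000-0000-000000000001"              # Site UUID (assumed)
ALWAYS_CONDITION_ID = "00000000-0000-0000-0000-0000000000aa"  # UUID of the "Always" condition (assumed)
DNS_RESOLVERS = ["10.10.0.53", "10.10.1.53"]                   # constructed resolver addresses

# Client-initiated ("up") UDP and TCP action subtypes as named in the Admin API (assumed).
DNS_SUBTYPES = ("udp_up", "tcp_up")


def dns_action(subtype, hosts, ports=("53",)):
    """One Allow action towards the resolvers on port 53 only."""
    return {"subtype": subtype, "action": "allow", "hosts": list(hosts), "ports": list(ports), "types": []}


def build_dns_entitlement(name, site_id, resolvers, condition_id, include_tcp=True):
    """Entitlement that lets Clients reach only the named resolvers on port 53.
    UDP up is the normal DNS path; TCP up is added for responses that do not fit in UDP."""
    for resolver in resolvers:
        ipaddress.ip_address(resolver)  # resolvers must be literal IPs: the Client cannot resolve their names yet
    actions = [dns_action("udp_up", resolvers)]
    if include_tcp:
        actions.append(dns_action("tcp_up", resolvers))
    return {
        "name": name,
        "notes": "Added example: DNS resolver access only",
        "site": site_id,
        "conditionLogic": "and",
        "conditions": [condition_id],
        "actions": actions,
        "appShortcuts": [],
    }


def _is_broad_host(host):
    """True if the host is a wildcard, a range larger than one address, or a name."""
    if host in ("*", "0.0.0.0/0", "::/0"):
        return True
    try:
        return ipaddress.ip_network(host, strict=False).num_addresses > 1
    except ValueError:
        return True  # hostname or pattern: cannot be pinned to a resolver, flag for review


def audit_dns_entitlement(entitlement):
    """Return least-privilege findings for a DNS Entitlement; an empty list means it is scoped to DNS."""
    findings = []
    for i, action in enumerate(entitlement.get("actions", [])):
        if action.get("action") != "allow":
            continue
        if action.get("subtype") not in DNS_SUBTYPES:
            findings.append(f"action {i}: subtype {action.get('subtype')} is not client-initiated UDP/TCP")
        for host in action.get("hosts", []):
            if _is_broad_host(host):
                findings.append(f"action {i}: host {host} is not a single resolver IP address")
        for port in action.get("ports", []):
            if str(port) != "53":
                findings.append(f"action {i}: port {port} is not DNS (53)")
    return findings


if __name__ == "__main__":
    entitlement = build_dns_entitlement("DNS Client Entitlement", SITE_ID, DNS_RESOLVERS, ALWAYS_CONDITION_ID)
    print(json.dumps(entitlement, indent=2))
    print("findings:", audit_dns_entitlement(entitlement) or "none")
```

The printed JSON is what you would send to the Controller's entitlements endpoint with an Admin API token; run audit_dns_entitlement over Entitlements pulled from the API to catch the common mistake of allowing UDP to an entire subnet or to all ports when only the resolvers on port 53 were intended.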
Enable Gateway Function
User Authentication and Authorization: The Controller authenticates the user against the IdP and issues signed Entitlement tokens; the Gateway verifies those tokens for every Client that connects and enforces the Entitlements they carry. This ensures that only authenticated users with a matching Policy can reach the resources behind the Gateway, while everything else is dropped.
Secure Access Broker: Acting as a secure access broker, the Gateway facilitates secure connections between users and the resources they need. It employs a Zero Trust model, meaning that trust is never assumed, and users must continually prove their legitimacy before accessing any resources.
Granular Access Control: One of the most significant advantages of the Gateway is its ability to enforce granular access control policies. This means that not only can it restrict access to specific resources, but it can also define how users interact with those resources, providing fine-grained control over network access.
Encryption and Tunneling: To safeguard data in transit, the Gateway ensures that all communication between users and resources is encrypted and tunneled. This encryption provides an additional layer of security, protecting sensitive information from prying eyes.
Adaptive Security: The Gateway is designed to adapt to changing threat landscapes and user behaviors. It continuously monitors user activity and network conditions, adjusting access privileges dynamically to mitigate risks in real-time.
Simplified Management: AppGate SDP's centralized management system makes it easier to configure, monitor, and manage the Gateway. This simplification streamlines the process of maintaining a secure network environment.
For more information, see Gateway in the SDP Admin Guide.
Single Server with Controller and Gateway Functions
Note: Running Controller and Gateway functions on one appliance is optional and depends on the architecture agreed for the deployment; for production a dedicated Gateway appliance (next section) is the usual choice.
To configure your Gateway, navigate to System > Appliances > Select Ctrl Appliance > Functions tab.
Check Gateway option
Assign Site
Client Tunneling
Allowed Destinations (configure the networks behind the Gateway; these must not overlap the IP Pool ranges)
Dedicated Appliance with Gateway function
To configure your Gateway, navigate to System > Appliances > select the Gateway appliance > Functions tab.
Check Gateway option
Assign Site
Client Tunneling
Allowed Destinations (configure the networks behind the Gateway; these must not overlap the IP Pool ranges)