Designing the architecture for AppGate ZTNA means working out how the solution will integrate into your existing network and which components a functional, secure deployment requires. You will need the following:
Important / Core Components:
Request License: Begin by obtaining the necessary licenses for your AppGate ZTNA deployment. Licenses are the foundation upon which your secure access solution operates, so ensure you have the appropriate licensing in place.
Configure IP Pool: Establishing an IP pool is a fundamental configuration step. This pool will define the range of IP addresses available for network access, ensuring that users and devices are allocated the appropriate resources securely.
IdP Integration: AppGate ZTNA can integrate with your Identity Provider (IdP) for user authentication. Integrating with your IdP ensures that only authorized users can access your network and resources.
Create Administrator Policy: Admin policies define the rules and permissions for managing your AppGate ZTNA environment. Creating well-defined admin policies ensures that administrators have the appropriate levels of control and access.
Site Configuration: Configuring your network sites is essential for defining the structure and boundaries of your AppGate ZTNA deployment. Proper site configuration ensures that users and resources are organized effectively.
Enable Gateway Function: The gateway function is a core component of AppGate ZTNA. Enabling the gateway function is the final step in configuring your AppGate ZTNA environment, allowing secure connections between users and resources.
Optional / Depends on Use Cases:
Create DNS Entitlement: DNS entitlements enable domain-specific access controls. By creating DNS entitlements, you can enforce granular access policies based on DNS information.
Create DNS Policy: DNS Policies go hand in hand with DNS Entitlements. Creating DNS Policies allows you to define how DNS requests should be handled within your AppGate ZTNA environment.
AppGate ZTNA User Roles Verification: Assigning and verifying user roles is crucial. Different users require different levels of access, and verifying these roles guarantees that users only have access to the resources they need.
Request License
Now that the first AppGate ZTNA Controller has been configured and you have signed into it, you can use the Admin UI. From the Dashboard it is now possible to request and add your production license for the system.
To request a production license, copy the unique "Request Code" and send it to your Customer Success Manager (CSM). The Request Code must be shared, because the license file is generated for that code and will only work with your AppGate ZTNA Collective.
For example: Specify request code xxxxxxxxxx_v2
Once you receive your Production License from your CSM, you can install it by navigating to Settings > Licenses > Upload License.
Licenses - link
Configure IP Pool
IP Pools are used to allocate an internal IP address to the Client once the user has been successfully authenticated. This IP address is assigned to the virtual tunnel interface for Client-to-Gateway communication. To ensure there are sufficient free IP addresses to support all concurrent users, you may need to create a new IP Pool or extend an existing pool of addresses. The AppGate ZTNA system is designed to operate in both the IPv4 and IPv6 worlds, and default IP Pools are provided for both. Tunnel traffic can be of either type at the same time; however, IPv4 tunneled traffic will always use the IPv4 tunnel and IPv6 traffic the IPv6 tunnel.
If a new IP Pool is needed, navigate to Identity > IP Pools > Add. The new IP Pool then needs to be associated with your IdP.
IP Pools - link
IP Pool Configuration - link
IdP Integration
AppGate ZTNA can integrate with your Identity Provider (IdP) for user authentication. Integrating with your IdP ensures that only authorized users can access your network and resources.
To create a new Identity Provider navigate to Identity > Identity Providers > Add.
Authentication Services - link
LDAP
Service Account DN: We recommend that the service account has only the minimum rights required to read the tree below the Base DN. You can look up the LDAP user name with the command: "dsquery user -name <username>"
Once the configuration is complete, perform a connection test and user authentication test.
LDAP/Radius Configuration - link
LDAP Certificate Configuration - link
SAML
AppGate ZTNA supports single sign-on authentication using SAML 2.0 identity providers (IdP) such as ADFS, OKTA, OneLogin and Ping. SAML can be used to authenticate users connecting through the Client, and also to authenticate administrators logging into the Controller console.
SAML Configuration - link
OIDC
OAuth 2.0 is an IETF-specified framework designed to support the development of authorization (and authentication) protocols. OpenID Connect (OIDC) is the third generation of OpenID and is built on this framework. OIDC uses the standard TLS infrastructure, which is universally implemented on most platforms, together with JSON Web Token (JWT) data structures. Earlier OpenID versions, and plain OAuth or OAuth 2.0 without the OIDC layer, are not supported by AppGate ZTNA.
OIDC Configuration - link
AppGate ZTNA User roles verification
AppGate ZTNA provides a powerful role-based administration capability, allowing you to delegate certain aspects of system administration with the same level of granularity used to control user access to network resources. Before delegating administration, decide on your admin Policy: the roles (privileges) that will be delegated and how they will be controlled e.g. by using tags to identify entities relating to a particular business unit, or by named instances to restrict access to specific elements of the system.
To create new Administrator User Roles navigate to Access > Admin Roles > Add.
Admin User Access - link
Site Configuration
Site is an AppGate ZTNA term that defines the environment that the AppGate ZTNA system will protect; it should not be confused with a physical site. An AppGate ZTNA Site may represent one or more hosts in a subnet, a DMZ, a geographical location, a business unit, etc. Sites will typically include one or more Gateways (refer to HA Gateways and Roaming) to handle the Client tunnels connected to that Site. Unlike traditional VPN-type solutions, Clients can connect simultaneously to multiple Sites in one Collective.
To edit the default site or to create additional sites navigate to System > Sites.
Edit existing site name:
Change Default Site Name: System > Sites > Default Site
Give some valid name to the site. This is how the site will be displayed in your user's client.
Add DNS servers and match domains.
Sites - link
Create DNS Entitlement
Entitlements are assigned to users by Policies. Each Entitlement token issued defines the Entitlements available to the user/device for a specific Site. The main elements of an Entitlement are the Client app shortcuts, the Actions (traffic protocols, hosts/URLs, ports), and any access controls imposed by the Gateway relating to the Actions.
To create your DNS Entitlement navigate to Access > Entitlement > Add
Add a name.
Select Site - Select the appropriate site for the protected resource
Select Action: Allow UDP up <DNS_IP> (action Allow, protocol UDP, direction "up", i.e. from the Client towards the resource, host <DNS_IP>, and the DNS port, normally UDP 53)
Access Control: Always Allow Action(s)
DNS Client Entitlement - link
Create DNS Policy
When DNS configuration is set using a DNS Policy, it makes it possible to configure multiple different DNS user groups within one system which might be based on criteria such as IdP or geo location of the user.
To create your DNS Policy navigate to Access > Policies > Add > DNS Policy.
Add a name.
Assignment > Add New
DNS Configuration
DNS Entitlement by name or Tag
DNS Policy - link
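The DNS Policy, the DNS Entitlement it grants, and the Site whose Gateway fronts the DNS server have to agree, otherwise the Client is told to use a resolver it is not entitled to reach. The Python below is an added example written for this page, not AppGate's own configuration format, API or tooling. It models a DNS Policy selected by assignment criteria (such as the user's IdP), and checks that every DNS server the policy pushes sits behind a Site's Allow Destinations and is covered by a granted Entitlement on that Site with an action of the form described above (Allow, UDP, direction up, port 53). The object fields, claim names, Site names and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the objects discussed above (Site, Entitlement, DNS Policy).
# Field names and values are assumptions made for this check, not AppGate's schema.

@dataclass(frozen=True)
class Action:
    action: str      # "allow" or "block"
    protocol: str    # "udp", "tcp", ...
    direction: str   # "up" = Client towards the resource
    host: str        # host or CIDR behind the Gateway
    port: int

@dataclass
class Entitlement:
    name: str
    site: str        # Site selected for the protected resource
    actions: list

@dataclass
class DnsPolicy:
    name: str
    assignment: dict    # claim name -> required value, e.g. {"idp": "corp-ldap"}
    dns_servers: list   # resolver addresses pushed to the Client
    match_domains: list
    entitlements: list  # names of the Entitlements this policy grants

# Site name -> networks configured under Allow Destinations on its Gateway (assumed).
SITES = {"HQ": ["10.0.0.0/16"], "Branch": ["10.1.0.0/16"]}

def policy_applies(policy, claims):
    """A policy is assigned when every assignment criterion matches the user's claims."""
    return all(claims.get(k) == v for k, v in policy.assignment.items())

def site_for(server, sites=SITES):
    """Name of the Site whose Allow Destinations contain the server, or None."""
    addr = ipaddress.ip_address(server)
    for name, nets in sites.items():
        if any(addr in ipaddress.ip_network(n, strict=False) for n in nets):
            return name
    return None

def action_reaches(action, server):
    """True if this Action lets the Client send DNS (UDP/53) up to the server."""
    if (action.action, action.protocol, action.direction, action.port) != ("allow", "udp", "up", 53):
        return False
    return ipaddress.ip_address(server) in ipaddress.ip_network(action.host, strict=False)

def check_dns_policy(policy, entitlements, sites=SITES):
    """Return a list of problems; an empty list means every pushed DNS server is reachable."""
    by_name = {e.name: e for e in entitlements}
    problems = [f"{policy.name}: grants unknown Entitlement '{n}'"
                for n in policy.entitlements if n not in by_name]
    granted = [by_name[n] for n in policy.entitlements if n in by_name]
    for server in policy.dns_servers:
        site = site_for(server, sites)
        if site is None:
            problems.append(f"{policy.name}: DNS server {server} is not behind any Site's Allow Destinations")
            continue
        if not any(e.site == site and any(action_reaches(a, server) for a in e.actions) for e in granted):
            problems.append(f"{policy.name}: DNS server {server} is behind Site '{site}' but no granted "
                            f"Entitlement on that Site allows UDP/53 up to it")
    return problems

# --- constructed sample configuration ---
ENTITLEMENTS = [
    Entitlement("dns-hq", "HQ", [Action("allow", "udp", "up", "10.0.0.53", 53)]),
    Entitlement("dns-branch", "Branch", [Action("allow", "udp", "up", "10.1.0.0/24", 53)]),
]
POLICIES = [
    DnsPolicy("DNS for LDAP users", {"idp": "corp-ldap"}, ["10.0.0.53"], ["corp.example"], ["dns-hq"]),
    # Pushes the Branch resolver but only grants the HQ Entitlement: a misconfiguration.
    DnsPolicy("DNS for Okta users", {"idp": "okta-saml"}, ["10.1.0.53"], ["corp.example"], ["dns-hq"]),
]

def audit(claims, policies=POLICIES, entitlements=ENTITLEMENTS):
    """Problems for every DNS Policy that would be assigned to a user with these claims."""
    out = []
    for p in policies:
        if policy_applies(p, claims):
            out.extend(check_dns_policy(p, entitlements))
    return out

if __name__ == "__main__":
    for claims in ({"idp": "corp-ldap"}, {"idp": "okta-saml"}):
        print(claims, audit(claims) or "OK")
```

Running it reports the Okta policy as broken: its resolver lives behind the Branch Site, but the only granted Entitlement is scoped to HQ, so the Client would receive a DNS server it cannot reach through the tunnel.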
Enable Gateway Function
Authorization Enforcement: The Gateway enforces the access decisions made at the Controller. After a user authenticates through the configured IdP, the Controller issues Entitlement tokens; the Gateway validates those tokens and lets through only the traffic that matches the user's Entitlement Actions, so unauthorized users and unentitled traffic never reach the protected resources.
Secure Access Broker: Acting as a secure access broker, the Gateway facilitates secure connections between users and the resources they need. It employs a Zero Trust model, meaning that trust is never assumed, and users must continually prove their legitimacy before accessing any resources.
Granular Access Control: One of the most significant advantages of the Gateway is its ability to enforce granular access control policies. This means that not only can it restrict access to specific resources, but it can also define how users interact with those resources, providing fine-grained control over network access.
Encryption and Tunneling: To safeguard data in transit, the Gateway ensures that all communication between users and resources is encrypted and tunneled. This encryption provides an additional layer of security, protecting sensitive information from prying eyes.
Adaptive Security: The Gateway is designed to adapt to changing threat landscapes and user behaviors. It continuously monitors user activity and network conditions, adjusting access privileges dynamically to mitigate risks in real-time.
Simplified Management: AppGate ZTNA's centralized management system makes it easier to configure, monitor, and manage the Gateway. This simplification streamlines the process of maintaining a secure network environment.
Gateway - link
Single Server with Controller and Gateway Functions
Note: This step is optional and depends on the architecture design established for the client.
To configure your Gateway navigate to System > Appliances > select the Controller appliance > Functions tab.
Check Gateway option
Assign Site
Client Tunneling
Allow Destinations (configure networks behind the GW)
Dedicated Appliance with Gateway function
To configure your Gateway navigate to System > Appliances > Select the dedicated Gateway Appliance > Functions tab.
Check Gateway option
Assign Site
Client Tunneling
Allow Destinations (configure networks behind the GW)
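The IP Pool sizing note earlier on this page and the Allow Destinations step here interact: pool addresses are assigned to the Client tunnel interface, so a pool that overlaps the networks behind the Gateway (or another pool) produces ambiguous routing, and a pool smaller than the expected concurrent user count simply runs out. The Python below is an added check written for this page, not AppGate's own tooling or API. Given the pools as CIDR strings, the Allow Destinations, and the expected number of concurrent users, it reports capacity and overlap problems and computes the smallest IPv4 prefix that fits with headroom. All addresses and the 25% headroom figure are assumptions.

```python
import ipaddress
import math

def required_ipv4_prefix(concurrent_users, headroom=1.25):
    """Smallest IPv4 prefix length whose address count covers the expected
    concurrent Clients plus headroom (25% by default; an assumed figure)."""
    needed = math.ceil(concurrent_users * headroom)
    bits = max(1, (needed - 1).bit_length())  # 2**bits >= needed
    return 32 - bits

def check_ip_pools(pool_cidrs, allowed_destinations, concurrent_users):
    """Return a list of findings for the given IP Pools (CIDR strings), the networks
    configured under Allow Destinations on the Gateway, and the number of concurrent
    users the pools must serve. An empty list means no problem was found."""
    findings = []
    pools = [ipaddress.ip_network(p, strict=False) for p in pool_cidrs]
    dests = [ipaddress.ip_network(d, strict=False) for d in allowed_destinations]

    # Capacity: each concurrent Client consumes one address from a pool of its family.
    for version in (4, 6):
        capacity = sum(p.num_addresses for p in pools if p.version == version)
        if capacity and capacity < concurrent_users:
            findings.append(f"IPv{version} pools hold {capacity} addresses but "
                            f"{concurrent_users} concurrent users are expected")

    # Overlap with protected networks: a tunnel address inside an Allow Destination
    # leaves the Client unable to tell the tunnel interface from the protected network.
    for p in pools:
        for d in dests:
            if p.version == d.version and p.overlaps(d):
                findings.append(f"IP Pool {p} overlaps Allow Destination {d}")

    # Overlap between pools: two Clients could be handed the same address.
    for i, p in enumerate(pools):
        for q in pools[i + 1:]:
            if p.version == q.version and p.overlaps(q):
                findings.append(f"IP Pools {p} and {q} overlap each other")
    return findings

if __name__ == "__main__":
    # Constructed example: 300 concurrent users, one v4 pool, two protected networks.
    print("suggested prefix for 300 users: /%d" % required_ipv4_prefix(300))
    print(check_ip_pools(["10.200.0.0/22"], ["10.200.1.0/24", "10.10.0.0/16"], 300))
```

Run the check whenever a Site's Allow Destinations change, not only when the pool is created; a new protected subnet that happens to contain the tunnel range is the usual way this breaks later.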