As already mentioned, the AppGate ZTNA system relies on the wider network to ensure traffic can pass successfully from one Client to another Client. In addition to configuring Policies and Entitlements, there are various network-related settings defined within the AppGate ZTNA system, such as DNS settings and the Client IP address pool. The step-by-step guides below are provided to help you remember all the places you may need to visit, and the actions you may need to perform, in the admin UI to ensure your application traffic is routed successfully. Refer to user/device troubleshooting if you are having access issues.
System > Appliances > Function
System TLS Connection > Allowed Sources: if this list is empty then no inbound Client connections will be allowed to the appliance. Refer to Appliances.
Identity > IP Pools
For IP telephony it might be easiest to have the IP Pools share the address space of an L2 VLAN with the upstream routers to the internal network where the IP telephony controllers and non-AppGate ZTNA users reside.
Create an IP Pool: provides a range of IPs for the virtual tunnel interfaces, large enough for all the Client-to-Client users. The default IP Pool can be edited if required. Refer to IP Pools.
System > Sites
IP telephony systems typically try to make UDP connections directly between Clients. They usually rely on knowing the IP address of each Client to set this up, so Source NAT should be disabled. The L2 network must also support ARP, because if two Clients connect to different Gateways their traffic will be routed across the protected network between those Gateways.
General > Tunnel Traffic: Check Disable Source NAT on Gateways. If there is only one Gateway then Source NAT can be enabled or disabled but this may not work in the case of IP telephony. Refer to Create New Site.
Since IP telephony could potentially establish any Client-to-Client combination, subnet based routing might be a good option to use. In this case the routed subnet would be the same as the IP Pool, and it would direct traffic destined for any other Client to the virtual tunnel interface.
Client Routing > Subnet Based Routing: Defines static routes that include the IP Pool used by the 'other' Clients. Refer to Create New Site.
Access > Entitlements
IP telephony might require some TCP up Entitlements to the IP telephony controllers. UDP up and down Entitlements will be required to the IP Pool address range for Client-to-Client calls. UDP up and down will also be required for all office networks where non-AppGate ZTNA users who may make or receive calls are based.
Actions: As a minimum, set an allow action in each direction (up and down) covering the tun IP (pool) of the other Client(s).
NOTE
There is a new API that resolves the IP(s) for a certain DN (user), which can be used in combination with Entitlement Scripts to allow a user to connect back to another computer also being used by that same user.
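As an added example (not AppGate's own code or configuration export format), the following Python check walks the items above against a constructed record of a Site's settings: non-empty Allowed Sources, Source NAT disabled when more than one Gateway is present, a subnet route covering the IP Pool, and UDP allow actions in both directions covering the pool. The field names and sample addresses are assumptions made for this example.

```python
import ipaddress

# Constructed sample of the settings this page walks through.
SAMPLE = {
    "allowed_sources": ["0.0.0.0/0"],        # System TLS Connection > Allowed Sources
    "ip_pool": "10.200.0.0/22",               # Identity > IP Pools
    "gateways": 2,                            # Gateways deployed at the Site
    "disable_source_nat": True,               # General > Tunnel Traffic
    "subnet_routes": ["10.200.0.0/22"],       # Client Routing > Subnet Based Routing
    "entitlements": [                         # Access > Entitlements > Actions
        {"proto": "udp", "dir": "up", "dest": "10.200.0.0/22"},
        {"proto": "udp", "dir": "down", "dest": "10.200.0.0/22"},
        {"proto": "tcp", "dir": "up", "dest": "10.10.5.0/24"},  # telephony controllers
    ],
}


def check_client_to_client(cfg):
    """Return a list of findings; an empty list means every checklist item is satisfied."""
    findings = []
    pool = ipaddress.ip_network(cfg["ip_pool"])

    # Appliance: an empty Allowed Sources list blocks all inbound Client connections.
    if not cfg["allowed_sources"]:
        findings.append("Allowed Sources is empty: no inbound Client connections will be accepted")

    # Site: with several Gateways, Source NAT hides the Clients' tunnel IPs from each other.
    if cfg["gateways"] > 1 and not cfg["disable_source_nat"]:
        findings.append("Source NAT is enabled with more than one Gateway: disable it for Client-to-Client UDP")

    # Client Routing: some static route must cover the whole IP Pool.
    routes = [ipaddress.ip_network(r) for r in cfg["subnet_routes"]]
    if not any(pool.subnet_of(r) for r in routes):
        findings.append(f"no subnet route covers the IP Pool {pool}: peer traffic will bypass the tunnel")

    # Entitlements: a UDP allow action is needed in each direction for the pool range.
    for direction in ("up", "down"):
        covered = any(
            e["proto"] == "udp" and e["dir"] == direction
            and pool.subnet_of(ipaddress.ip_network(e["dest"]))
            for e in cfg["entitlements"]
        )
        if not covered:
            findings.append(f"no UDP {direction} allow action covers the IP Pool {pool}")
    return findings


if __name__ == "__main__":
    for finding in check_client_to_client(SAMPLE) or ["all Client-to-Client checks passed"]:
        print(finding)
```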