As already mentioned, the AppGate ZTNA system relies on the wider network to ensure traffic can pass successfully from the client to the protected hosts, for instance when replacing a traditional VPN. As well as configuring policies and entitlements, there are also various network-related settings defined within the AppGate ZTNA system, such as DNS settings and the client IP address pool. The step-by-step guides below are provided to help you remember the actions you may need to perform in the admin UI to ensure your application traffic is routed successfully. Refer to user/device troubleshooting if you are having access issues.
System > Appliances >
System Settings > DNS Servers: this DNS server will be used by the appliance to resolve the hostnames of other appliances. It will also be used by the Gateway to resolve entitlement actions (if no Site DNS is set).
Functions > Gateway > Secure Tunnel Settings > Client Tunneling - Allow Destinations: defines the allowed destinations to which any traffic tunneled between client and Gateway will be forwarded. If this list is empty then no client connections will be allowed to the protected networks. Refer to Create new appliance for more information.
[OPTIONAL] Functions > Gateway > System TLS Connection > Allow Sources: this list can be used to restrict inbound client connections to the appliance. Refer to Create new appliance for more information.
Identity > IP Pools >
[OPTIONAL] Edit IP Pool: the default IP pools can be used or a new one created to provide a larger range of IPs for the virtual tunnel interfaces. Refer to IP Pools for more information.
System > Sites >
[OPTIONAL] Client Routing > Entitlement Based Routing: this is the default and allows dynamically resolved entitlements to add specific host routes in the client that direct traffic to the virtual tunnel interface. Refer to Create New Site.
[OPTIONAL] Client Routing > Subnet Based Routing: defines static routes to be configured in the client that direct traffic to the virtual tunnel interface. Refer to Create New Site.
Name Resolution: this DNS server will be used by the Gateway to resolve entitlement actions in order to direct client traffic to appropriate tunnels and set the firewall rules. If nothing is specified, the Gateway appliance DNS servers will be used.
Access > Entitlements >
Actions: create an action to allow IP access to the DNS server(s) to be used by the client to resolve (protected) hosts.
Actions: create an action to allow IP access to the (protected) host.
Access > Policies >
Access:
Entitlement: include the entitlement for the (protected) host.
[OPTIONAL] Override Site: select a Site if you want all the user traffic routed to the protected network(s) via just one override Site.
DNS:
DNS Configuration: include the match domain DNS server(s) to be used by the client to resolve (protected) hosts.
DNS Entitlement: include the entitlement for the DNS server(s) included above.
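The checklist above describes a chain of dependencies that all have to hold before a client can reach a protected host: the Gateway's Allow Destinations list must be non-empty and cover the host, a policy must grant an entitlement whose action allows IP access to the host, a match domain must point the client at a DNS server for the host's domain, and that DNS server must itself be covered by a DNS entitlement (and by Allow Destinations). The following Python script is an added example, not AppGate code or its API: it models those settings as plain data structures (the names Gateway, EntitlementAction, Policy and check_access are assumptions made for illustration, as are the constructed sample addresses and domains) and reports which link in the chain is missing, which is the kind of check a troubleshooter would walk through by hand when a user reports an access problem.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical, simplified model of the settings the checklist walks through.
# Field names are illustrative and do not correspond to AppGate's own schema.

@dataclass
class EntitlementAction:
    name: str
    targets: list = field(default_factory=list)   # IPs/CIDRs the action allows IP access to

@dataclass
class Policy:
    name: str
    entitlements: list = field(default_factory=list)      # entitlement names granted under Access
    dns_match_domains: dict = field(default_factory=dict)  # match domain -> DNS server IPs (DNS Configuration)
    dns_entitlements: list = field(default_factory=list)  # entitlement names covering those DNS servers

@dataclass
class Gateway:
    allow_destinations: list = field(default_factory=list)  # Client Tunneling > Allow Destinations


def _covered(ip, cidrs):
    """True if ip falls inside any of the given CIDRs or host addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _matches(host_domain, match_domain):
    """A match domain covers the host itself and any subdomain of it."""
    return host_domain == match_domain or host_domain.endswith("." + match_domain)


def check_access(gateway, entitlements, policy, host_ip, host_domain):
    """Return a list of findings explaining why client traffic to host_ip would not get through.

    An empty list means every link in the chain described by the checklist is present.
    """
    findings = []

    # 1. Gateway Allow Destinations: empty means nothing is forwarded at all.
    if not gateway.allow_destinations:
        findings.append("Gateway Allow Destinations is empty: no client traffic will be forwarded")
    elif not _covered(host_ip, gateway.allow_destinations):
        findings.append(f"{host_ip} is outside Gateway Allow Destinations")

    # 2. Policy must grant an entitlement whose action allows IP access to the host.
    granted = [entitlements[n] for n in policy.entitlements if n in entitlements]
    if not any(_covered(host_ip, e.targets) for e in granted):
        findings.append(f"no entitlement in policy '{policy.name}' allows IP access to {host_ip}")

    # 3. DNS Configuration: a match domain must hand the client a DNS server for this host.
    servers = [s for dom, srvs in policy.dns_match_domains.items()
               if _matches(host_domain, dom) for s in srvs]
    if not servers:
        findings.append(f"no DNS match domain in policy '{policy.name}' covers {host_domain}")

    # 4. The DNS server itself needs a DNS entitlement and must be a reachable destination.
    dns_granted = [entitlements[n] for n in policy.dns_entitlements if n in entitlements]
    for s in servers:
        if not any(_covered(s, e.targets) for e in dns_granted):
            findings.append(f"DNS server {s} has no DNS entitlement in policy '{policy.name}'")
        if gateway.allow_destinations and not _covered(s, gateway.allow_destinations):
            findings.append(f"DNS server {s} is outside Gateway Allow Destinations")
    return findings


# Constructed sample data (not from any real deployment).
ENTITLEMENTS = {
    "corp-dns": EntitlementAction("corp-dns", ["10.20.0.53/32"]),
    "app-server": EntitlementAction("app-server", ["10.20.5.10/32"]),
}
POLICY_OK = Policy("developers", ["app-server"], {"corp.example": ["10.20.0.53"]}, ["corp-dns"])
POLICY_MISSING_DNS = Policy("developers-broken", ["app-server"], {"corp.example": ["10.20.0.53"]}, [])


def example_ok():
    """Complete chain: expect no findings."""
    return check_access(Gateway(["10.20.0.0/16"]), ENTITLEMENTS, POLICY_OK, "10.20.5.10", "app.corp.example")


def example_broken():
    """Empty Allow Destinations and no DNS entitlement: expect two findings."""
    return check_access(Gateway([]), ENTITLEMENTS, POLICY_MISSING_DNS, "10.20.5.10", "app.corp.example")


if __name__ == "__main__":
    for label, result in (("ok", example_ok()), ("broken", example_broken())):
        print(label, "->", result or "no findings")
```

Running the script prints no findings for the complete configuration and two findings for the broken one, which mirrors the order of the checklist: the Gateway's Allow Destinations is checked first, because an empty list blocks everything regardless of how the policies are written, and the DNS entitlement last, because a client that cannot resolve the host never gets as far as the tunnel.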