This section covers the most recent National Information Assurance Partnership (NIAP) Common Criteria certification of the AppGate ZTNA version 6.4 (6.4.2) Clients. It describes how to install the AppGate ZTNA client in NIAP Protection Profile (PP) mode and how to confirm that the mode is enabled. For more information, see NIAP's page for AppGate. For more information on Client installation, see the Installation section.
The download links below are for the specific version used as the Target of Evaluation (TOE).
Software for the certified version:

| Client | Download |
|---|---|
| Windows | https://bin.appgate-sdp.com/6.4/client/Appgate-SDP-6.4.2-Installer.exe |
| macOS | https://bin.appgate-sdp.com/6.4/client/Appgate-SDP-6.4.2-Installer.dmg |
AppGate client for Windows in NIAP PP mode
To install the AppGate Client for Windows in NIAP PP mode, enter the following at the command line:

```
appgate-sdp-installer.exe /Y
```
Using an onboarding profile link will not work in NIAP PP mode unless an admin imports the AppGate Collective’s CA certificate manually into the workstation’s device certificate store. To import a certificate:
Open mmc.exe as an administrator.
Click File and select Add/Remove Snap-in.
In the Add or Remove Snap-ins window, select Certificates and click Add.
In the Certificates snap-in window, select Computer account, click Next, select Local Computer, and click Finish.
In the Add or Remove Snap-ins window, click OK.
Go to the Appgate folder: Console Root\Certificates (Local Computer)\Appgate. Right-click the Appgate folder and select All Tasks, then Import.
In the Certificate Import Wizard, browse to select the CA certificate on your machine and complete the steps in the wizard to import it.
The Controller name must match the “friendly name” of the certificate. To edit the friendly name:
After importing the certificate, double-click on it to open the certificate details.
In the Details tab, select Edit Properties. In the General tab, enter the Collective name (ex: sdp-controllers.example.com) in the Friendly name field and select OK.
Now you can use the onboarding profile link to create a profile and connect to AppGate ZTNA.
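Before using the onboarding link, you can confirm from PowerShell that the import took effect. The following check is an added example, not part of the Appgate documentation: it assumes the store path Cert:\LocalMachine\Appgate used in the steps above and uses the page's example Collective name sdp-controllers.example.com, which you replace with your own Controller name. It reports every certificate in the Appgate store whose friendly name matches the Controller, and warns if the certificate is not a CA certificate or is outside its validity period.

```powershell
# Added check (not from the Appgate documentation): confirm the Collective CA
# certificate is in the Local Computer "Appgate" store with a friendly name that
# matches the Controller FQDN, is a CA certificate, and is currently valid.
# The FQDN below is the page's example value; replace it with your Controller name.
$ControllerFqdn = "sdp-controllers.example.com"
$StorePath      = "Cert:\LocalMachine\Appgate"

if (-not (Test-Path $StorePath)) {
    Write-Error "Certificate store $StorePath was not found."
    exit 1
}

# Only certificates whose FriendlyName equals the Controller name satisfy the requirement.
$caCerts = @(Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -eq $ControllerFqdn })

if ($caCerts.Count -eq 0) {
    Write-Warning "No certificate in $StorePath has FriendlyName '$ControllerFqdn'."
    Write-Host "Certificates currently in the store:"
    Get-ChildItem -Path $StorePath | Format-Table Thumbprint, FriendlyName, Subject, NotAfter -AutoSize
    exit 1
}

foreach ($cert in $caCerts) {
    # The BasicConstraints extension states whether this is a CA certificate.
    $basic = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCa     = ($null -ne $basic) -and $basic.CertificateAuthority
    $now      = Get-Date
    $validNow = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    # Summary row for the administrator's records.
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        FriendlyName = $cert.FriendlyName
        Subject      = $cert.Subject
        IsCA         = $isCa
        ValidNow     = $validNow
        NotAfter     = $cert.NotAfter
    }

    if (-not $isCa)     { Write-Warning "$($cert.Thumbprint) is not a CA certificate (BasicConstraints)." }
    if (-not $validNow) { Write-Warning "$($cert.Thumbprint) is outside its validity period." }
}
```

Run it from an elevated PowerShell session, since the Local Computer store is being read. A result with IsCA and ValidNow both true and the expected Subject means the friendly-name requirement above is met; an empty result usually means the friendly name was typed differently from the Controller name.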
Optionally, a PowerShell script can be used to import the certificate and set the friendly name. For example:

```powershell
# Specify the path and file name of the Collective's CA certificate
$caFilename = ".\sdp-controllers_example_com.cer"
# Import the Appgate CA certificate into the Local Computer Appgate store and keep the returned certificate object
$cert = Import-Certificate -FilePath "$caFilename" -CertStoreLocation Cert:\LocalMachine\Appgate
# Set the friendly name of the certificate; this step is required
$cert.FriendlyName = "sdp-controllers.example.com"
```

AppGate Client for macOS in NIAP PP mode
To install the AppGate Client for macOS in NIAP PP mode:
Open the AppGate ZTNA installer .dmg file. This file includes programs for installing and uninstalling the client.
Open AppGate ZTNA Installer.pkg to start the setup wizard.
Review the terms and conditions, then click Continue, then click Agree.
Select the default destination, select “install for all users of this computer,” then click Continue and Install. Once completed, click Close.
The product will install into its default configuration. To enable NIAP PP mode, execute the following terminal command from the user’s home directory:

```
sudo defaults write /Library/Preferences/com.appgate.sdp.plist protection_profile -bool true
```
Following installation, you must add the root CA certificate to the trust store. To do this:
Take the PEM-formatted root CA certificate and remove all the headers, footers, and newlines. You should be left with something like the following:

```
MIIC7zCCAdegAwIBAgIIJNWMVQB03h8wDQYJKoZIhvcNAQELBQAwE=ANBgkqhkiG9w0BAQEFAAOCAQ****
```
This value will be copied into the base64 cert section of the command below.
Navigate to the user’s home directory and execute the following command:
```
sudo security add-internet-password -a agca-cert-<SDP FQDN> -j "Appgate SDP Client" -w <base64 cert> -l "Appgate SDP Client" -s "Appgate SDP Client" -T /Library/Application\ Support/Appgate/Appgate\ Service.app
```
In this case, <SDP FQDN> is the fully qualified domain name of the Controller and <base64 cert> is the value obtained in the previous step.
Verify AppGate Clients connect in NIAP PP mode
To ensure that the client is in NIAP PP mode:
In the Controller’s Admin UI, go to Usage, then Active Sessions.
Click on a session to open the Session Details, and select the Device Claims tab.
Find the PPModeEnabled claim. If it is set to true, NIAP Protection Profile mode is enabled for that client.