Appgate SDP controls access on an individual basis. It has been designed to help automate defining, creating, and managing firewall rules, making it easier to avoid mistakes and prevent over-provisioning.
Application Discovery is a vital tool when you are migrating from a traditional network model to the ZTNA model. With a traditional VPN solution you may not know which applications users are connecting to, so you can't easily define the Policies and Entitlements that Appgate SDP requires. Application Discovery allows organizations to identify the apps users are connecting to and then create the appropriate Policies and Entitlements.
Policies
Policies are the front door to the Appgate SDP system and assign rights to users or devices after a successful sign-in. There are five different classes of Policy that can be assigned:
Access via Gateways based on Entitlements along with any related Conditions that apply
Admin rights to perform one or more administrative roles (admin UI and APIs)
Device controls that are pushed to the Client (Ringfence rules, Client profile settings, etc.)
DNS settings comprising match-domain DNS settings along with the required Entitlements for the DNS servers specified
Stop assigning Policies and do not authenticate the user/device
Policies are enabled on a per-user basis using claims-based assignment expressions. The Controller manages this process and the resulting settings/Entitlements are then passed to the Client.
Claims
Claims are key-value pairs that relate to the identity and context of the user or device and are specific to each session.
There are several types of claims:
Context. Based on helper functions that evaluate conditions such as whether an address is in a given IP range.
User. Static, non-changing claims such as username from the IdP, user claims script, or Connector.
Device. Dynamic, changeable claims such as the IP address of the connecting device.
System. Dynamic, changeable claims such as the country code from the Gateway.
And two classes of availability within the system:
Built-in (formerly Fixed). Set by the system; will always be gathered.
Scripted (formerly On-demand). Configured by the admin; gathered when required.
The Controller can use multiple claims when assigning a Policy to a user, which are also included in the claims token for later use by Gateway.
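The following is an added worked example, not code from Appgate SDP or its documentation, that models how a Controller might evaluate claims-based assignment expressions to decide which Policies apply to a session. The claims token, the tiny expression grammar (`has`, `eq`, `inRange`, `and`/`or`/`not`), the claim key names and the rule that a matching stop-class Policy is checked first and refuses authentication are all constructed assumptions for illustration.

```python
"""Toy model of claims-based Policy assignment (constructed example, not Appgate SDP code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed claims token for one session; keys are namespaced by claim type
# (user / device / system) in the same spirit as the claim classes described above.
SAMPLE_CLAIMS = {
    "claims.user.username": "alice",
    "claims.user.groups": ["engineering", "vpn-users"],
    "claims.device.ip": "10.20.30.40",
    "claims.device.os": "Linux",
    "claims.system.countryCode": "SE",
}


def in_ip_range(ip, cidr):
    """Context helper: True when the address lies inside the CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class Policy:
    name: str
    kind: str                                  # "access" | "admin" | "device" | "dns" | "stop"
    expression: str                            # assignment expression over the claims
    entitlements: list = field(default_factory=list)


# Constructed grammar: fn(claim, value); terms joined by " and " / " or ", optional "not " prefix.
_TERM = re.compile(r"^(has|eq|inRange)\(\s*([\w.]+)\s*,\s*(.+?)\s*\)$")


def _term(term, claims):
    """Evaluate one term such as 'not eq(claims.device.os, Linux)'."""
    negate = term.startswith("not ")
    if negate:
        term = term[4:]
    m = _TERM.match(term.strip())
    if not m:
        raise ValueError(f"bad term: {term!r}")
    fn, claim, value = m.groups()
    value = value.strip("'\"")
    actual = claims.get(claim)
    if fn == "has":                             # value present in a list-valued claim
        result = isinstance(actual, list) and value in actual
    elif fn == "eq":                            # exact match on a scalar claim
        result = actual == value
    else:                                       # inRange: context helper on an IP claim
        result = actual is not None and in_ip_range(actual, value)
    return (not result) if negate else result


def evaluate(expression, claims):
    """Disjunction of conjunctions: 'a and b or c' == (a and b) or c."""
    return any(
        all(_term(t, claims) for t in clause.split(" and "))
        for clause in expression.split(" or ")
    )


def assign(policies, claims):
    """Return which Policies apply and the Entitlements they grant.

    Assumption in this model: stop-class Policies are checked first; if any matches,
    the user/device is not authenticated and nothing is granted.
    """
    if any(evaluate(p.expression, claims) for p in policies if p.kind == "stop"):
        return {"authenticated": False, "policies": [], "entitlements": []}
    applied, granted = [], []
    for p in policies:
        if p.kind != "stop" and evaluate(p.expression, claims):
            applied.append(p.name)
            for e in p.entitlements:
                if e not in granted:            # de-duplicate across Policies
                    granted.append(e)
    return {"authenticated": True, "policies": applied, "entitlements": granted}


# Constructed Policies covering the stop, access and admin classes.
SAMPLE_POLICIES = [
    Policy("Block unmanaged devices", "stop",
           "not eq(claims.device.os, Linux) and not eq(claims.device.os, Windows)"),
    Policy("Engineering access", "access",
           "has(claims.user.groups, engineering) and inRange(claims.device.ip, 10.0.0.0/8)",
           ["git-server", "ci-server"]),
    Policy("Admin portal", "admin", "has(claims.user.groups, admins)", ["admin-ui"]),
    Policy("Outside Nordics", "access",
           "not eq(claims.system.countryCode, SE) or eq(claims.system.countryCode, NO)",
           ["public-docs"]),
]

if __name__ == "__main__":
    print(assign(SAMPLE_POLICIES, SAMPLE_CLAIMS))
```

Running the block with the constructed claims applies only "Engineering access" and grants `git-server` and `ci-server`; changing the device OS claim to an unmanaged value makes the stop-class Policy match and the session is refused outright. The point the model makes is that device and system claims are dynamic, so the same user can land on a different set of Policies from one session to the next.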
Scripts
The Appgate SDP system has evolved to allow almost all parts of the access control process flow to be made scriptable. This allows the system to inter-operate with countless external systems and network environments. User Claim scripts can be used to help decide both what access rights should be granted and when, while Criteria scripts focus solely on deciding when specific access rights should be granted.
REST API
The Controller APIs will let you do almost everything an administrator can do through the UI. If you want to add an Entitlement to a Policy, this can be scripted on an external system and actioned using the appropriate REST API call. For instance, this would allow a provisioning system to add the related Entitlement for a new server instance it has just created.
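The provisioning scenario above, written out as an added example that is not Appgate's own code or its documented Admin API: a hook on an external provisioning system that adds an Entitlement to a Policy with a read-modify-write against a REST endpoint. The base URL, the `/policies/{id}` path, the bearer-token header and the JSON field `entitlements` are placeholders (assumptions); the `FakeController` class is a constructed in-memory stand-in so the example runs offline.

```python
"""Added example: provisioning hook that adds an Entitlement to a Policy over REST.
Endpoint paths, headers and JSON shape are placeholders, not the documented Appgate SDP Admin API."""
import json
from urllib import request

API_BASE = "https://controller.example.invalid/admin"   # placeholder base URL (assumption)


def urllib_transport(method, url, token, body=None):
    """Real HTTP transport (not exercised here): returns (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")     # header name is an assumption
    req.add_header("Content-Type", "application/json")
    with request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


def add_entitlement_to_policy(policy_id, entitlement_id, token, transport=urllib_transport):
    """Fetch the Policy, append the Entitlement id if it is not already present, write it back.

    Returns (changed, policy). The early return keeps the hook idempotent, so a re-run of the
    provisioning job does not grow the Policy with duplicate Entitlements.
    """
    url = f"{API_BASE}/policies/{policy_id}"                # path is an assumption
    status, policy = transport("GET", url, token)
    if status != 200:
        raise RuntimeError(f"GET {url} failed with status {status}")
    ents = policy.setdefault("entitlements", [])
    if entitlement_id in ents:
        return False, policy
    ents.append(entitlement_id)
    status, updated = transport("PUT", url, token, policy)
    if status != 200:
        raise RuntimeError(f"PUT {url} failed with status {status}")
    return True, updated


class FakeController:
    """Constructed in-memory Controller so the hook can be exercised without a network."""

    def __init__(self, policies):
        self.policies = policies           # policy id -> policy document
        self.calls = []                    # (method, url) log for inspection

    def __call__(self, method, url, token, body=None):
        self.calls.append((method, url))
        if token != "valid-token":         # reject anything but the constructed credential
            return 401, {}
        pid = url.rsplit("/", 1)[1]
        if pid not in self.policies:
            return 404, {}
        if method == "GET":                # hand back a copy, as a real server would serialise
            return 200, json.loads(json.dumps(self.policies[pid]))
        if method == "PUT":
            self.policies[pid] = json.loads(json.dumps(body))
            return 200, json.loads(json.dumps(body))
        return 405, {}


if __name__ == "__main__":
    fake = FakeController({"p1": {"id": "p1", "name": "Engineering access",
                                  "entitlements": ["git-server"]}})
    print(add_entitlement_to_policy("p1", "ci-server", "valid-token", transport=fake))
```

Two design points carry over to a real deployment regardless of the exact API: the credential the hook presents should belong to an administrative role limited to Policy and Entitlement management, in line with the admin-rights Policy class described earlier, and the hook should treat a non-200 response as a hard failure rather than assuming the Entitlement was added.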