Before you install AppGate ZTNA appliances, document your network topology so you can place Controllers, Gateways, and Connectors in the best locations.
Appliances are not limited to the DMZ. You can deploy them across your network because all appliance communication uses a trust model based on X.509 certificates. Plan for the following:
Choose appliance hostnames early. The system uses them to generate certificates.
Set up DNS so users and devices can resolve appliance names (including from the internet, if required).
Configure time synchronization (NTP) for all clients and appliances.
Use the checklist below to prepare for installation and configuration. Review each item before you start. For a typical deployment example, see the Interface schematic in the Appendix.
Compatibility
Browser. Use a supported browser for the admin UI and Portal. AppGate tests primarily on Chrome, Firefox, and Safari. Validate your chosen browser in your environment before you deploy.
Virtualization platforms. If you run appliances on a hypervisor, confirm the platform is supported and up to date.
Client platforms. Confirm the operating systems on which you plan to install clients are supported.
For current support details, see the AppGate Support page.
Networking
List the protected resources users will access through the AppGate ZTNA system. Include their network zones or environments.
Determine how hostnames resolve in each network zone (if appropriate). In AppGate ZTNA, you configure each zone as a separate Site.
Assign IP addresses or hostnames for each AppGate ZTNA appliance in the Collective.
Choose the NICs, networks, and IP addresses for encrypted appliance-to-appliance traffic.
Verify each appliance can reach at least one DNS server and one NTP server.
Decide whether to dedicate a separate network and interface to each appliance.
Decide where clients will connect from: internal networks, the internet, or both.
If you authenticate through an external identity provider, verify the Controller can reach the required servers.
If you use AppGate's ZTP service, verify Controllers can reach *.appgate.net.
Confirm the default IP pool (254 addresses) is sufficient. If you Disable Source NAT on Gateways, route the IP pool range back to each Gateway.
Open the required ports to and from appliances (unless noted otherwise). See the interface schematic for more details.
| Port | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| 443 | TCP | Inbound | Client connections and communication between appliances. Listens only when TCP SPA is active. |
| 443 | UDP | Inbound | Client connections and communication between appliances when using UDP-TCP SPA mode. |
| 53 | UDP | Inbound | Client connections and communication between appliances when using UDP-TCP SPA mode. |
| 8443 | TCP | Inbound | System administration via the admin UI to Controllers and LogServer. |
| 123 | UDP | Outbound | Time synchronization to time servers. |
| 22 | TCP | Inbound | Appliance seeding and administration over SSH. Should be accessed via entitlement and/or from admin networks only. |
| 10000-65535 | TCP and UDP | Inbound and Outbound | Range used when establishing client-server connections. Check local port range by entering |
| 161 | UDP | Inbound | Used for SNMP. Must be open from any machine making SNMP calls. |
| 5555 | TCP and UDP | Inbound | Used for health checks. Must be open from any load balancers or proxies in front of Controllers or Gateways. |
| 5556 | TCP and UDP | Inbound | Used for Prometheus servers. |
Refer to the following for more information:
System Security - best practice guide for details about how to secure an appliance.
Network configuration for more details about the communications within a Collective.
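Two of the Networking items above, NTP reachability and the TCP ports in the table, can be exercised from the host or network segment where an appliance will be placed before you install anything. The script below is an added example written for this page; it is not AppGate tooling. It sends a minimal SNTP request on UDP/123, reports the clock offset (the certificate-based trust model between appliances depends on clocks agreeing), and attempts a TCP handshake to each port you list. The hostnames are placeholders, and the 60-second skew tolerance is an assumption: use whatever your TLS stack and policy tolerate.

```python
"""Pre-install reachability check for an AppGate ZTNA appliance location.

Added example (not AppGate code). Verifies that an NTP server answers on
UDP/123 with an acceptable clock offset, and that the TCP ports the
Collective relies on (443 between appliances, 8443 for admin) are reachable.
"""
import socket
import struct
import time

NTP_UNIX_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 and 1970-01-01
NTP_PACKET_SIZE = 48


def build_ntp_request() -> bytes:
    """Build a minimal SNTP client request: LI=0, version 4, mode 3 (client)."""
    first_byte = (0 << 6) | (4 << 3) | 3  # 0x23
    return bytes([first_byte]) + b"\x00" * (NTP_PACKET_SIZE - 1)


def ntp_to_unix(seconds: int, fraction: int) -> float:
    """Convert an NTP 64-bit timestamp (32.32 fixed point) to Unix seconds."""
    return seconds - NTP_UNIX_EPOCH_DELTA + fraction / 2**32


def parse_ntp_response(packet: bytes) -> float:
    """Return the server's transmit timestamp (bytes 40..47) as Unix time."""
    if len(packet) < NTP_PACKET_SIZE:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:  # 4 = server reply
        raise ValueError(f"unexpected NTP mode {mode}")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return ntp_to_unix(seconds, fraction)


def ntp_offset(server: str, timeout: float = 3.0) -> float:
    """Query *server* over UDP/123; return (server time - local time) in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sent_at = time.time()
        sock.sendto(build_ntp_request(), (server, 123))
        data, _ = sock.recvfrom(NTP_PACKET_SIZE)
        received_at = time.time()
    # Approximate the one-way delay as half the round trip.
    return parse_ntp_response(data) - (sent_at + received_at) / 2


def classify_skew(offset_seconds: float, max_skew: float = 60.0) -> str:
    """Label a clock offset; max_skew is an assumed tolerance, not a product value."""
    return "ok" if abs(offset_seconds) <= max_skew else "skewed"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(ntp_servers, tcp_targets):
    """Run all checks and return {check name: status} for review."""
    results = {}
    for server in ntp_servers:
        try:
            results[f"ntp:{server}"] = classify_skew(ntp_offset(server))
        except (OSError, ValueError) as exc:
            results[f"ntp:{server}"] = f"unreachable ({exc})"
    for host, port in tcp_targets:
        results[f"tcp:{host}:{port}"] = "open" if tcp_reachable(host, port) else "blocked"
    return results


if __name__ == "__main__":
    # Placeholder names; substitute your own NTP servers and appliances.
    report = preflight(
        ntp_servers=["ntp.example.internal"],
        tcp_targets=[("controller1.example.internal", 443),
                     ("controller1.example.internal", 8443)],
    )
    for name, status in sorted(report.items()):
        print(f"{name}: {status}")
```

Run it once from the internal network and once from wherever internet clients will connect; a "blocked" on 443 from the client side, or a "skewed" NTP result, is cheaper to find now than after the certificates have been generated.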
Identity Providers
Identify the identity providers (IdPs) you will use.
Before you deploy, audit user and machine group memberships. AppGate ZTNA policy decisions depend on group membership.
Name Resolution
Choose a name resolution approach for each Site.
Decide where you will use the product: internal network only, external network only, or both.
Define your local DNS domain.
Define your external DNS domain.
Confirm which internal DNS servers resolve your internal domain.
If you use the default DNS in an AWS VPC, note that it is the second address in the subnet (for example, 10.0.0.2).
Confirm you can access the cloud naming data (tags, VPCs, or virtual networks) used for host resolution.
Define the hostname(s) for the admin Controller's Admin/API TLS connection.
Define the hostnames for Controllers’ System TLS connections.
Choose the profile DNS name clients use to reach the Controller. Make sure external users can resolve it.
Decide whether Gateways use hostnames or IP addresses. If you use hostnames, make sure internet users can resolve them.
Choose the hostname for the Portal.
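Several items in this section come down to one question: does a given name (profile hostname, Gateway hostnames, Portal hostname) resolve from the resolver a particular group of users will actually use? The script below is an added example for this page, not AppGate tooling. It builds a raw DNS A query and sends it directly to a resolver you name, bypassing the local stub resolver, so you can compare an internal DNS server with an external one side by side. The names and resolver addresses are placeholders.

```python
"""Resolve checklist hostnames against specific DNS servers.

Added example (not AppGate code). Sends a plain DNS A query over UDP to a
chosen resolver so the same name can be checked from an internal server and
from a public one, e.g. to confirm the profile hostname resolves for
internet users.
"""
import os
import socket
import struct

DNS_PORT = 53
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_a_query(name: str, txid: int) -> bytes:
    """Build a recursive A/IN query for *name* with transaction id *txid*."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_answers(msg: bytes, txid: int):
    """Return (rcode, [IPv4 addresses]) from a DNS response.

    CNAME and other record types in the answer section are skipped, so an
    aliased name still yields the A records that follow the alias.
    """
    resp_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if resp_id != txid:
        raise ValueError("DNS transaction id mismatch")
    rcode = flags & 0x0F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return rcode, addresses


def resolve_with(name: str, resolver: str, timeout: float = 3.0):
    """Query *resolver* directly for *name*; returns (rcode, addresses)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver, DNS_PORT))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def compare_resolvers(names, resolvers):
    """Map each name to a per-resolver result string for side-by-side review."""
    report = {}
    for name in names:
        report[name] = {}
        for resolver in resolvers:
            try:
                rcode, addresses = resolve_with(name, resolver)
                if addresses:
                    report[name][resolver] = ", ".join(addresses)
                else:
                    report[name][resolver] = f"no A records ({RCODE_NAMES.get(rcode, rcode)})"
            except (OSError, ValueError) as exc:
                report[name][resolver] = f"error: {exc}"
    return report


if __name__ == "__main__":
    # Placeholder names and resolvers; use your profile, Gateway and Portal hostnames.
    names = ["profile.example.com", "gateway1.example.com", "portal.example.com"]
    resolvers = ["10.0.0.2", "203.0.113.53"]  # e.g. a VPC default resolver and a public one
    for name, per_resolver in compare_resolvers(names, resolvers).items():
        for resolver, result in per_resolver.items():
            print(f"{name:28} via {resolver:15} -> {result}")
```

A name that resolves internally but returns NXDOMAIN from the external resolver is exactly the case the checklist warns about for the profile DNS name and for Gateways addressed by hostname.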