Stateless, configurable appliances
An "appliance" is a virtual or physical instance running the system. Each appliance is a stateless, configurable machine functioning as a Controller, Gateway, Connector, Portal, LogServer, LogForwarder, Metrics Aggregator, or a combination. All appliances utilize the AppGate ZTNA Linux build, based on a customized Ubuntu version, containing all necessary dependencies for various functions.
Additional appliances can be added via the admin UI, and configuration changes are applied automatically upon deployment and registration. Operational information is managed using tokens, ensuring no user access rights information is transmitted.
Appliances are available in the AWS, Azure, and GCP marketplaces.
Secure TLS communications
No MPLS/VPN setup is needed for appliance communication within the Collective. All communications use secure (D)TLS with out-of-band seeding to prevent man-in-the-middle attacks. This design allows the AppGate ZTNA solution to be securely deployed over any network, whether public or private. Traffic between appliances is limited and not time-critical, requiring only a reliable TCP connection.
Protocol agnostic
AppGate ZTNA Clients establish a secure tunneled connection to an available Gateway on each Site based on preset weighting. The multi-tunnel network driver receives an IP address from the IP pool, making tunneled Client-to-Gateway connections appear like any other network device. The tunnel supports various protocols, including TCP, UDP, GRE, and ICMP, facilitating complex systems like IP telephony.
Simple Integration
The system supports authentication using external LDAP (AD), LDAP certificate, OIDC, RADIUS, and SAML identity providers (IdPs). These include standard enterprise IdPs such as Active Directory (AD). These can be used to authenticate users connecting through the Client or Portal, headless Clients, administrators, and for REST API calls.
The password user interaction also uses the IdP for (re)authentication when access controls in an Entitlement require it. A different IdP can be specified for user interaction than the one used for authentication. If a SAML/OIDC provider is chosen, the authentication request can be issued via the browser, enabling the use of IdPs as an MFA provider in the AppGate ZTNA system.
AppGate’s Zero Trust platform, with its risk engine, allows quick integration of AppGate ZTNA with third-party technology providers like CrowdStrike.
AppGate ZTNA supports Multi-Factor Authentication (MFA), including one-time passwords (OTPs) for added security. The MFA provider can be built-in or an external RADIUS server; the built-in options use OATH time-based authenticator apps (e.g. Google Authenticator) and/or FIDO tokens, both auto-initializing on first user interaction. The Client guides the user through the setup process.
External RADIUS support includes pre-emptive, RADIUS-based, and challenge-response modes.
The IdP can require MFA at sign-in, and access controls in Entitlements can trigger MFA authentication.
The LogForwarder includes built-in support for exporting audit logs to various industry-standard SIEMs like Splunk.