To give Controllers access to ZTP Cloud Services, configure a connected AppGate ZTNA Collective to allow each Controller appliance to make outbound connections to ZTP using the following settings:
Domain: appgate.net
Port: 443
Protocol: HTTPS

How the Risk Engine works
An end user connects with the AppGate ZTNA client.
The Controller requests a risk level from the Risk Engine.
Adapters pull risk data from third-party sources.
Third parties respond, and the Risk Engine normalizes the responses into a risk level.
The Risk Engine sends the resulting risk level back to the Controller as a single value.
The Controller calculates entitlements and sends them to the Client.
Outbound firewall requirements
Grant Controller appliances outbound access to the full appgate.net domain so your Collective can use current and future ZTP service offerings. If your organization requires more stringent outbound firewall rules, allow Controller appliances access to at least these endpoints:
Registration Service — registers connected Collectives:
mgmt.<region>.appgate.net
AppGate ZTNA Health Check:
version.<region>.appgate.net
Risk Engine:
riskengine.<region>.appgate.net
NOTE
All services use HTTPS over port 443. Replace <region> with the home region of your ZTP account: use1 for North America or euc1 for Europe. For more information, see Region availability.
Application Discovery
To use the Application Discovery feature, the following AppGate ZTNA appliances must have access to these endpoints:
Controller:
advisor.<region>.appgate.net
logpusher.<region>.appgate.net
LogServer or LogForwarder:
logpusher.<region>.appgate.net
NOTE
A LogServer or LogForwarder appliance is required for Application Discovery; these appliances do not need to be hosted. All services use HTTPS over port 443. Replace <region> with the home region of your ZTP account: use1 for North America or euc1 for Europe. For more information, see Region availability.
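When the stricter per-endpoint allowlist is used, the rules can be verified from each appliance with a script like the one below. It is an added example, not AppGate code: the hostnames and regions come from this page, while the function names, the role keywords, the assumption that a Controller using Application Discovery also needs the three baseline endpoints, and the availability of curl on the host are assumptions.

```shell
#!/bin/sh
# Added example. Usage: sh <this-script> <role> <region>
# Hostnames and regions come from this page; names below are assumptions.

# Print the ZTP hostnames a role must reach, one per line.
# role: controller | controller-appdiscovery | logserver (LogServer/LogForwarder)
ztp_endpoints() (
    role=$1; region=$2
    case $region in
        use1|euc1) ;;
        *) echo "unknown region '$region' (expected use1 or euc1)" >&2; exit 2 ;;
    esac
    case $role in
        controller)              set -- mgmt version riskengine ;;
        controller-appdiscovery) set -- mgmt version riskengine advisor logpusher ;;
        logserver)               set -- logpusher ;;
        *) echo "unknown role '$role'" >&2; exit 2 ;;
    esac
    for svc in "$@"; do
        printf '%s.%s.appgate.net\n' "$svc" "$region"
    done
)

# Request https://<host>:443/ for every required host and classify the result.
# curl exit 0 means DNS, TCP, TLS and certificate validation all succeeded;
# the HTTP status is ignored because only reachability is being tested.
check_ztp_access() (
    hosts=$(ztp_endpoints "$1" "$2") || exit 2
    failed=0
    for host in $hosts; do
        rc=0
        curl -s -o /dev/null --connect-timeout 5 --max-time 10 \
            "https://$host:443/" || rc=$?
        [ "$rc" -eq 0 ] || failed=1
        case $rc in
            0)     echo "OK       $host" ;;
            6)     echo "DNS      $host (name did not resolve)" ;;
            7|28)  echo "BLOCKED  $host (no connection to port 443, or timeout)" ;;
            35|60) echo "TLS      $host (handshake or certificate failure; check for TLS inspection)" ;;
            *)     echo "ERROR    $host (curl exit $rc)" ;;
        esac
    done
    exit "$failed"
)

# Run the check only when a role and region are supplied on the command line.
if [ "$#" -ge 2 ]; then
    check_ztp_access "$1" "$2"
fi
```

A TLS result on an otherwise reachable host usually points at an inspecting proxy between the appliance and ZTP rather than at a missing firewall rule.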