Configure Policies


Defines rights and settings that will be assigned to users and devices at sign-in. You may wish to review Before you start. When you're ready to Configure Policies, complete the fields in the form.

Actions

The Action menu allows you to: test access, clone the item for use within this system, export the item for use in another system (see import), or delete the item.

Add/Edit Policy

Assignment Criteria

Assignment Criteria apply to all 5 types of Policy and they define when this Policy will be assigned. Select criteria so as to achieve least privilege access rights. Refer to Using Policies for more details about how they are assigned.

These Claims-based expressions define which user/device a Policy will be assigned to. They are evaluated by the Controller immediately after sign-in or when tokens are renewed. Use static claims that are unlikely to change during the day - such as directory group membership, email address, etc. Each Policy can include one or more criteria expressions.

Multiple Policies can be assigned so care needs to be taken when selecting access criteria to ensure you get the right outcome. If you have pre-defined criteria or user claim scripts, then these will become available via the assignment criteria list.

Dropdown menu showing various criteria options including 'Criteria Script' and 'User Claims'.

The built-in script <Everyone> will assign the Policy to all users. Criteria expressions have three different combining modes (without using scripts):

  • <all criteria below must be true> - a logical AND of different criteria needs to equate to true

  • <at least one of the criteria below must be true> - a logical OR of different criteria needs to equate to true

  • <Criteria are met according to custom logic> - a simple Boolean expression comprising a number of different criteria needs to equate to true

    NOTE

    For more complex expressions it is recommended to use Custom Logic. Script mode is available for very advanced use cases which may break compatibility with the three list modes.

For more information see Configure Conditions
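As an added illustration (not code from the Appgate SDP product or documentation), the following evaluates a set of claims-based criteria in the three combining modes described above. The claims, criteria and the custom-logic expression syntax (criterion numbers joined with and/or/not) are assumptions of this example.

```python
import re

# Constructed sample claims, of the static kind this page recommends
# (group membership, email address); not real user data.
USER_CLAIMS = {
    "groups": ["Finance", "Remote-Workers"],
    "email": "alice@example.com",
    "os": "Windows",
}

def criterion_true(claims, claim, op, value):
    """Evaluate one criterion (claim, operator, value) against the claims."""
    actual = claims.get(claim)
    if op == "equals":
        return actual == value
    if op == "contains":  # list-valued claims such as directory group membership
        return isinstance(actual, list) and value in actual
    raise ValueError(f"unsupported operator: {op}")

def policy_assigned(claims, criteria, mode, custom_logic=None):
    """Decide whether a Policy is assigned, using the three combining modes:
    'all' (logical AND), 'any' (logical OR) and 'custom' (a Boolean expression
    over criterion numbers, e.g. '1 and (2 or 3)'; this expression syntax is an
    assumption of the example, not Appgate's own)."""
    results = [criterion_true(claims, *c) for c in criteria]
    if mode == "all":
        return all(results)
    if mode == "any":
        return any(results)
    if mode == "custom":
        # Accept only criterion numbers, parentheses and Boolean keywords, so the
        # expression can do nothing but combine the already-evaluated criteria.
        tokens = re.findall(r"\d+|[()]|[A-Za-z]+|\S", custom_logic or "")
        if not tokens:
            raise ValueError("empty custom logic expression")
        for t in tokens:
            if t in ("and", "or", "not", "(", ")"):
                continue
            if t.isdigit() and 1 <= int(t) <= len(results):
                continue
            raise ValueError(f"invalid token in custom logic: {t!r}")
        expr = " ".join(str(results[int(t) - 1]) if t.isdigit() else t for t in tokens)
        return bool(eval(expr, {"__builtins__": {}}, {}))  # only True/False/and/or/not remain
    raise ValueError(f"unknown mode: {mode}")
```

With these claims, requiring all three of "member of Finance", "email is bob@example.com" and "OS is Windows" fails, while any-of or the custom expression "1 and (2 or 3)" succeeds.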

Policy Types

There are then some additional settings specific to each type of Policy. Client access is arguably the primary function for Policies. Refer to Using Policies for more details about Client access.

Access Policy

Entitlements by Name

Select one or more pre-configured Entitlements that will be included in this Policy. Policies can comprise Entitlements pointing to any number of different Sites.

Entitlements by Tag

By selecting one or more Tags, all the related Entitlements will be included in this Policy. Appgate SDP will auto-associate all the Entitlements to this Policy that have the matching Tag name (set when the Entitlement was created). This is useful when you need to associate many Entitlements to a Policy. Entitlements can be defined by name and tag at the same time.

Site Settings

Override Site

The system is designed to use the Entitlements' Sites, but this can be overridden so that all Entitlements are deployed to a specified Site. When you configure an Entitlement a Site must always be specified (this tells Appgate SDP where to find the resource). You should use 'Will not override...' (the default) unless you have a very specific use case which requires a specific Override Site to be used.

Override with a specific Site

Select another Site to be used from the list.

Override using a claim

Select the claim to be used. The claim must return the UUID of the Site. You can get the UUID of the Site from the address bar of your browser: just edit the specific Site and the URL will look like this: https://my-controller:8443/ui/sites/edit/91894c92-3502-4ab4-870e-d573d0362f48. In this case the Claim value should be 91894c92-3502-4ab4-870e-d573d0362f48.

Override with the nearest Site

The Site with the nearest geolocation AND 'Use for nearest Site selection' enabled (both specified in Sites) will be used. The Controller will evaluate the user's geolocation and these Entitlements will be added to the Token for the nearest Site. The same Entitlements need to be available on all Sites enabled for nearest Site selection. Remember to enable this feature and to specify the geolocation of the Site in Sites > General.

Detailed information about the use of Override Site can be found in the Using Policies section and there is an example in Sites and tunnels.

Use fallback Site

The fallback Site (if specified in Sites) will be used when this Site is unavailable.

Admin Policy

Privileges

Allows admin and API access to the admin port (default 8443) on the Controllers (and LogServer).

Admin Roles

Select one or more pre-configured Admin Roles to provision privileges for administrators or for using the Controller REST API.

Device Policy

Refer to Using Policies for more details about device and Client controls, including guidance about how they will be assigned. There may be issues when multiple Device Policies are assigned which contain conflicting requirements, such as two different proxy PAC files. To provide a simple deterministic outcome when multiple conflicting controls are assigned, the Policy whose name is nearest to the beginning of the alphabet will be used.

Device Configuration

Apply Device Proxy

A proxy PAC file will be applied to the device by the Client. The proxy rules applied by the PAC file should normally be for other traffic NOT configured to be handled by Appgate SDP Entitlements. In this case the other traffic might be sent to some Cloud based web proxying service. Proxy servers can also be located behind the Appgate SDP system and not in the Cloud - in which case you must remember to add an Entitlement for each of these servers.

For more information on usage refer to Device and Client controls.

URL

Enter the URL of the PAC file, e.g. http://mycompany.com/proxy.pac.

Persistent PAC file

Enable to leave the PAC file in place even when the Client quits. Never enable this if the proxy server is located behind the Appgate SDP system.

NOTE

This is only supported on Windows and macOS.

Trusted Network Detection

Suspends the operation of the Client when the Client is on a Trusted Network. The Client stays running but all routes are removed. In addition to removing routes, any Ringfence rules and PAC file that may be in place will also be removed. This feature is not normally required as Appgate SDP is designed to work equally well both on a trusted network and beyond. It is provided to assist with migration from a VPN-based environment where, for instance, the infrastructure is not yet fully deployed to support a user group currently based on a trusted network.

DNS Suffix

Checks for domains based on the DNS suffix provided, e.g. uk.mycompany.com or *.mycompany.com. It is checked against the domain defined by DHCP option 15, which normally specifies the domain name that the Client should use as a suffix when resolving hostnames.

NOTE

This is not supported on iOS or Chrome OS.
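Because a match here suspends the Client and drops its routes, the suffix comparison should be strict. The following matcher is an added example, not Appgate's code; the exact rules it assumes (case-insensitive comparison, a trailing dot ignored, and a wildcard that only matches on a label boundary) are assumptions to verify against the real Client.

```python
def trusted_by_dns_suffix(dhcp_domain, suffixes):
    """Return True if the DHCP option 15 domain matches a configured DNS suffix.

    Assumed rules for this example: 'uk.mycompany.com' must match exactly,
    '*.mycompany.com' matches any host with at least one label in front of
    mycompany.com (so 'mycompany.com' and 'evilmycompany.com' do not match).
    """
    if not dhcp_domain:
        return False  # no option 15 at all: never treat the network as trusted
    domain = dhcp_domain.strip().rstrip(".").lower()
    for suffix in suffixes:
        s = suffix.strip().rstrip(".").lower()
        if s.startswith("*."):
            base = s[2:]
            # endswith('.' + base) forces the match onto a label boundary
            if base and domain.endswith("." + base):
                return True
        elif domain == s:
            return True
    return False

# Constructed DHCP option 15 values as a Client might observe them (not real data).
SAMPLE_DOMAINS = ["uk.mycompany.com", "UK.mycompany.com.", "mycompany.com", "evilmycompany.com", ""]

def classify(suffixes):
    """Map each constructed sample domain to the trusted/untrusted decision."""
    return {d: trusted_by_dns_suffix(d, suffixes) for d in SAMPLE_DOMAINS}
```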

Tamper Proofing

While the Client is connected, Tamper Proofing re-imposes Appgate SDP defined routes, Ringfence rules and PAC files if they have been altered by others. This is enabled by default; the Client then checks them every 5 seconds and re-imposes the correct rules/routes if required. Be careful in the case where the user's local subnet matches a defined route: the user will then be repeatedly disconnected and reconnected indefinitely.

Ringfencing

Ringfencing is designed to mitigate the security risk of transmission of malware between user devices such as laptops when they are sitting on a public network. Ringfence rules can block inbound and/or outbound local traffic except that which is required to establish the tunnel to the Gateways. Ringfence Rules can be applied in conjunction with particular Entitlements so that it is possible to increase the local protection of connecting devices in certain circumstances while still allowing (more restricted) access.

For example: to enable Advanced Ringfence when users are out of the office, create two complementary Policies, such as for a user group to access Skype:

Policy 1 includes:

  • Assignment criteria with device claims to assign the Policy only when the device is connected to the office network

  • "Block in" (built in) Rule applies

Policy 2 includes:

  • Assignment criteria with device claims to assign the Policy only when the device is not connected to the office network

  • "External user" Rule applies

For more information on rules refer to the Ringfence Rules section.

Ringfence Rules by Name

Select one or more pre-configured Ringfence Rules to restrict access to/from the Client device.

Ringfence Rules by Tag

By selecting one or more Tags, all the related Ringfence Rules will be included in this Policy.

NOTE

This is not supported on mobile devices.

Client Configuration

Client Features

Specific Client features can be hidden in the Client UI and then have their values pre-set by this Policy. See the Appgate SDP user guide for more details. Using the Managed by Admin option allows the user experience to be constrained which can suit some specific situations where certain options can be pre-defined for operational or security reasons.

For more information on usage refer to Device and Client controls.

Client Feature options highlighting admin management settings.

Client Help Link

Customize the Client's help link (instead of using https://support.appgate.com/support/appgate-ztna-user-guide).

Client Profile Settings

Specific Client profiles and Client profile groups can be selected and imposed on the Client for this Collective. The order of the profiles can be set, and this reflects the order in which they will appear in the Client. The new profile(s) are received when the Entitlement token is renewed and applied at sign-out or when the Client next restarts.

For more information on usage refer to Client profiles.

DNS Policy

DNS Settings

DNS servers and Match Domains set in the DNS Policy are used by the Client to add a DNS configuration to the local operating system. This will typically comprise a match domain and the associated internal DNS server(s) capable of resolving IP addresses for the protected hosts. If there is no DNS Policy for the user then the DNS settings in the Identity Provider will be used.

There may be issues when multiple DNS Policies are assigned which refer to the same match domain. To provide a simple deterministic outcome when multiple conflicting DNS Policies are assigned, the Policy whose name is nearest to the beginning of the alphabet will be used.

Unless you are using the Client DNS auto-configuration option, you need to add an Entitlement so the user's application is able to access the DNS server(s) you have specified. Leave access control set to Always Allow Action(s).

DNS Entitlements by Name

Select one or more pre-configured Entitlements that will be included in this Policy.

DNS Entitlements by Tag

By selecting one or more Tags, all the related Entitlements will be included in this Policy.

DNS configuration

Add one or more DNS configurations for the Client based on match-domains. Systems other than desktops (Mobile devices, Portal, etc) require the use of special syntax to operate correctly. For more information about how to use Policy based DNS in the Appgate SDP system, refer to DNS and name resolution.

Match Domain

When this Domain matches a host definition, the DNS Server below will be used.

DNS Server

Enter one or more DNS Servers to be used by the Client.

NOTE

Linux will try only the first DNS server configured.

Register the Client's addresses in DNS

The (mapped) tun IPs presented by the Client will be registered with the DNS server for that Site. (Domain connected Windows only).

Site Settings

Override Site

The system is designed to use the Entitlements' Sites, but this can be overridden so that all Entitlements are deployed to a specified Site. When you configure an Entitlement a Site must always be specified (this tells Appgate SDP where to find the resource). You should use 'Will not override...' (the default) unless you have a very specific use case which requires a specific Override Site to be used.

Override with a specific Site

Select another Site to be used from the list.

Override using a claim

Select the claim to be used. The claim must return the UUID of the Site. You can get the UUID of the Site from the address bar of your browser: just edit the specific Site and the URL will look like this: https://my-controller:8443/ui/sites/edit/91894c92-3502-4ab4-870e-d573d0362f48. In this case the Claim value should be 91894c92-3502-4ab4-870e-d573d0362f48.

Override with the nearest Site

The Site with the nearest geolocation AND 'Use for nearest Site selection' enabled (both specified in Sites) will be used. The Controller will evaluate the user's geolocation and these Entitlements will be added to the token for the nearest Site.

The same Entitlements need to be available on all Sites enabled for nearest Site selection. Remember to enable this feature and to specify the geolocation of the Site in Sites > General.
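The nearest-Site selection described here (and in the Access Policy section above) depends on two Site settings: a geolocation and the 'Use for nearest Site selection' flag. The following is an added example, not Appgate's implementation: it assumes "nearest" means great-circle distance, and the Sites, coordinates and user positions are constructed.

```python
from math import radians, sin, cos, asin, sqrt

# Constructed Sites (not real infrastructure): geolocation as (lat, lon) in degrees,
# as set under Sites > General, plus the 'Use for nearest Site selection' flag.
SITES = {
    "site-london":    {"geo": (51.50, -0.12), "nearest_enabled": True},
    "site-frankfurt": {"geo": (50.11, 8.68),  "nearest_enabled": True},
    "site-dublin":    {"geo": (53.35, -6.26), "nearest_enabled": False},  # flag not set
    "site-oslo":      {"geo": None,           "nearest_enabled": True},   # no geolocation
}

def great_circle_km(a, b):
    """Haversine distance in km between two (lat, lon) points in degrees (assumed metric)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def nearest_site(user_geo, sites):
    """Return the id of the closest Site that is both geolocated and enabled for
    nearest-Site selection, or None when no Site qualifies so the caller can
    keep the Entitlement's own Site instead of silently picking a disabled one."""
    candidates = [
        (great_circle_km(user_geo, s["geo"]), site_id)
        for site_id, s in sites.items()
        if s["nearest_enabled"] and s["geo"] is not None
    ]
    if not candidates:
        return None
    return min(candidates)[1]
```

A user near Cork is geographically closest to the Dublin Site, but because that Site is not enabled for nearest-Site selection the London Site is chosen.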

Detailed information about the use of Override Site can be found in the Using Policies section and there is an example in Sites and tunnels.

Use fallback Site

The fallback Site (if specified in Sites) will be used when this Site is unavailable.

Stop Policy

Profile Removal

This can be used when you want to stop access to the Collective either temporarily or permanently for (a group of) users. For more information on usage refer to Using Policies.

Profiles Handling

When enabled, all relevant profiles will be removed from the Client, stopping any future re-connection attempts.