Functions


This section describes the fields in the Functions tab of the Add/Edit Appliance page. These fields may differ depending on the type of appliance you are configuring. See the System Settings and Miscellaneous sections for information on the fields in those respective tabs.

Select the appliance function

In the Functions tab, select the function(s) that you require for this appliance.

NOTE

Only certain combinations of functions are allowed.

Select from the following function types:

Controller

Provides authentication, authorization, and administration for the Collective.

NOTE

A Controller can only be enabled on an active appliance. Create and activate a spare appliance first.

Because the appliance is already activated, the first thing that happens when you enable the Controller function is a connectivity check. This checks port 443 to ensure full bidirectional connectivity exists between all existing Controllers and the candidate Controller. If the checks fail, a warning is shown and the connectivity issue must be resolved before trying again. If the checks pass, the form can be saved and the task of adding the new Controller begins.

When adding a Controller, an error may initially be shown in the dashboard. Click refresh after 10 seconds; the error should clear and the status of the add process becomes visible. See HA for more information about how to configure highly available Controllers.

Gateway

Provides secure access to a given Site. Multiple Gateways can be deployed per Site. See HA for more information about how to configure highly available Gateways.

Connection Broker

This feature is currently in Beta. For more information, contact your AppGate representative.

LogServer

Provides a local log server for use within the Collective. Once enabled, you will need to sign out and sign in before the Audit Logs tab appears in the admin UI. Once you are authenticated in your AppGate ZTNA system, you can access the LogServer with a link instead of navigating to Usage > Audit Logs each time.

AppGate ZTNA includes a built-in LogServer function using OpenSearch. The LogServer is an appliance that collects logs from the other members of the Collective, providing an audit trail of actions and user access. Only one LogServer can be deployed, therefore HA configuration is not supported. Its primary use case is to help customers during initial set up, configuration, evaluation, and during initial deployment. It is also suitable for use in production environments for smaller scale deployments.

The LogServer is not included in the base appliance image, so when this function is enabled the required image is automatically downloaded from a public container registry. The Controller checks that access to this registry is available when you save the configuration. To pass this check, make sure the appliance where you are enabling the LogServer has access to https://public.ecr.aws on port 443.

It is also possible to use sdpctl to do the download for you, so the creation of a LogServer is still possible even in a locked-down environment. To do this:

  • Download the zip file with sdpctl by doing: sdpctl appliance functions download LogServer

  • SCP the file up to the appliance.

  • On the appliance, run: arc image import /home/cz/image.zip

  • Enable the LogServer function on the appliance.
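The procedure above, as an added helper script that is not AppGate's own tooling: it reproduces the Controller's registry pre-flight check, and where the registry is unreachable it runs the documented sdpctl download, validates the bundle, and imports it on the appliance. It assumes the appliance SSH/SCP user is cz (implied by the documented /home/cz path) and that sdpctl, ssh, scp and curl are on PATH.

```shell
#!/usr/bin/env bash
# Added example (not AppGate's own code). Assumes SSH user "cz" on the appliance.
set -u

REGISTRY_URL="https://public.ecr.aws"   # checked by the Controller on save (port 443)

# Pre-flight: can the appliance reach the public registry over HTTPS?
# Run over ssh so the check happens from the appliance, not from your workstation.
registry_reachable_from() {
  local appliance="$1"
  ssh "cz@${appliance}" "curl -sS --max-time 5 -o /dev/null ${REGISTRY_URL}" >/dev/null 2>&1
}

# Map the check's exit status to the path to take (online = automatic download).
choose_path() {
  if [ "$1" -eq 0 ]; then echo online; else echo offline; fi
}

# Sanity-check the downloaded bundle before uploading it: non-empty and
# starting with the zip magic "PK"; a truncated download would fail on import.
image_looks_valid() {
  [ -s "$1" ] && [ "$(head -c 2 "$1")" = "PK" ]
}

# Offline path: the documented steps. The bundle path is an assumption; pass
# whatever file "sdpctl appliance functions download LogServer" wrote.
import_logserver_offline() {
  local appliance="$1" bundle="$2"
  sdpctl appliance functions download LogServer || return 1
  image_looks_valid "$bundle" || { echo "bad bundle: $bundle" >&2; return 1; }
  scp "$bundle" "cz@${appliance}:/home/cz/image.zip" || return 1
  ssh "cz@${appliance}" arc image import /home/cz/image.zip
}

main() {
  local appliance="$1" bundle="${2:-image.zip}"
  registry_reachable_from "$appliance"
  case "$(choose_path $?)" in
    online)  echo "registry reachable: just enable LogServer in the admin UI" ;;
    offline) import_logserver_offline "$appliance" "$bundle" ;;
  esac
}

# Usage: LOGSERVER_APPLIANCE=<host> ./logserver-preflight.sh [bundle.zip]
if [ -n "${LOGSERVER_APPLIANCE:-}" ]; then main "$LOGSERVER_APPLIANCE" "${1:-image.zip}"; fi
```

After a successful import, enable the LogServer function on the appliance as in the last step above.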

The LogServer's operational limits for production environments are detailed in Audit Logs where there is also more information about using a LogServer.

LogForwarder

Provides a means of collecting, grouping and securely distributing audit logs within an enterprise environment. If you have started using the LogServer (maybe on the Controller) during initial deployment and now want to migrate to a different appliance (LogServer or LogForwarder), this can be done seamlessly without losing any existing audit logs.

If you are migrating from LogServer to your first LogForwarder then afterwards you will be able to add additional LogForwarders either for HA operation or because you want to distribute audit logs differently according to the Site. See LogServer migrations for instructions.

LogForwarders can be configured for HA operation using two or more appliances. They can be deployed to export the logs by Site to different destinations. Multiple export protocols can be specified at the same time including one for the ELK stack. This means that if there is an ongoing requirement to retain the ELK stack (effectively a copy of the LogServer) in an enterprise environment then one can be deployed outside of the AppGate ZTNA Collective (for example, running in AWS) and the logs forwarded there whilst also exporting the log data into an enterprise-class logging system. See Audit Logs for more information about using a LogForwarder.

NOTE

You cannot operate a LogServer and LogForwarders within the same Collective.

Connector

Extends connectivity to remote sites and unmanaged resources without requiring the use of a stand-alone Client. See HA Connectors for more information about how to configure HA.

The Connector is available in two configurations: Express allows one Policy to be defined that connects down to local resources from the associated Site; Advanced allows multiple Policies to be defined for groups of local resources that connect up and down to one or more Sites. Express and Advanced may be configured on the same appliance. When this is done the Entitlement(s) for the Advanced Connector Clients should contain ONLY up rules and NOT down rules.

Portal

Hosts a web frontend allowing clientless access for multiple users without requiring the use of a stand-alone Client. AppGate ZTNA's Portal appliance provides zero-install browser-based access to protected resources, with comparable security to the full Client. From the user's perspective, there is no need for any installation or set-up processes, just having a modern browser is enough for secure access.

The Portal can be used in addition to or instead of the full Client. In this version it is recommended to be used to give zero-install secure access to a few internal resources for third party consultants. Future versions will be enhanced to provide secure access for remote offices or employee groups that only need access to web based resources.

Only minimal changes to the configuration of the AppGate ZTNA system are required for users to utilize the Portal. See Portal for more information about how this function works, its specific DNS requirements, and recommendations on how to deploy one.

Metrics Aggregator

Provides a means of collecting, grouping and securely exporting Prometheus metrics for an enterprise environment. Prometheus metrics can be exported from individual appliances. The Metrics Aggregator avoids the need to configure this function on numerous different appliances, and avoids the need to configure firewalls to allow inbound access to every appliance. All appliances sending metrics will need to be able to connect to the Metrics Aggregator (like a Controller). See System Monitoring and Logs for more information about Prometheus.

After selecting a function, you will configure the required options that appear. These options are described in the following sections:

Admin/API TLS Connection

Broker Configuration

Customize Sign-in Page

External Log Settings

High Availability Configuration

HTTPS Settings

Internal Log Settings

Resource Group Configuration

Secure Tunnel Settings

Site Settings

System TLS Connection (using SPA)

User Access Settings

Prometheus Exporter Settings