Stateless, configurable appliances
"Appliance" refers to the virtual or physical instance on which the system is running. Each appliance is a stateless, configurable machine that can operate as a Controller, Gateway, Connector, Portal, LogServer, LogForwarder, Metrics Aggregator, or some combination thereof. All appliances use the Appgate SDP Linux build which is derived from a customized version of Ubuntu and contains all the necessary dependencies to perform any of the different functions. From the admin UI it is possible to add additional appliances, and once they are deployed and registered, any configuration changes to that appliance are made automatically. However, all operational information is handled using tokens so no information relating to user access rights is passed in this way. Appliances are published in the AWS, Azure, and GCP marketplaces.
Secure TLS communications
There is no requirement to set up any MPLS/VPN services to support communications between appliances within the Collective. All communications use secure (D)TLS with out-of-band seeding to ensure there can be no man-in-the-middle attacks. This design ensures that the Appgate SDP solution can be deployed securely over any network, whether public or private, trusted or untrusted. The amount of traffic between appliances is limited and not time critical, so there are no specific network requirements beyond a reliable TCP connection.
Protocol agnostic
Appgate SDP Clients establish a secure tunneled connection to an available Gateway on each Site based on preset weighting. The multi-tunnel network driver is assigned an IP address from the IP pool, so the tunneled Client-to-Gateway connections will appear just like any other network-connected device. The tunnel supports many different protocols, such as TCP, UDP, GRE, and ICMP, as well as both up and down traffic. This allows the deployment of more complex systems such as IP telephony.
Simple Integration
The system supports authentication using external LDAP (AD), LDAP certificate, OIDC, RADIUS, and SAML identity providers (IdPs). These include standard enterprise IdPs such as Active Directory (AD). These can be used to authenticate users connecting through the client or Portal, headless clients, administrators, and for REST API calls.
The password user interaction also uses the IdP to (re)authenticate the user when access controls in an Entitlement require it. When configuring a user interaction, it is possible to specify a different IdP than the one used at authentication. When a SAML/OIDC provider is specified for this purpose, the authentication request can be issued via the browser, which makes it possible to use IdPs as an MFA provider in the Appgate SDP system.
Appgate's Zero Trust platform, with its built-in risk engine, allows you to quickly integrate Appgate SDP with third-party technology providers such as CrowdStrike.
Appgate SDP supports the use of Multi-Factor Authentication (MFA) such as one-time passwords (OTPs) for additional authentication. The MFA provider can be the built-in one or an external RADIUS server. The built-in options use OATH time-based (TOTP) authenticator apps such as Google Authenticator and/or FIDO tokens. Both options auto-initialize the first time the user interaction is required, and the Client guides the user through the setup process.
The external RADIUS support includes pre-emptive, RADIUS-based, and challenge-response modes.
The IdP can be configured to require MFA at sign-in and/or access controls can be selected in Entitlements that will trigger MFA authentication.
The LogForwarder provides built-in support for the exporting of audit logs to several industry standard SIEMs such as Splunk.
