📝 Setup & Configuration Demo - Guide

ZTNA Setup and Configuration Guide | MicroZAccess

Overview:

Zero Trust Network Access (ZTNA) is an access control method that uses client device identification, authentication, and Zero Trust tags to provide role-based application access. It allows administrators to manage network access for both on-net local users and off-net remote users. Access to applications is granted only after verifying the device, authenticating the user's identity, authorizing the user, and performing context-based posture checks using Zero Trust tags.

Traditionally, users and devices have different rules for on-net access and off-net VPN access to company resources. With a distributed workforce and access that spans company networks, data centers, and cloud, managing these rules can become complex and negatively impact user experience. ZTNA can improve this experience.

Quick Start:

Endpoint Profile: a per-device configuration that tells a client or server how it should operate. It bundles Overlay Servers, group memberships and access policies (Security Groups). A device can have several Endpoint Profiles, each defined and managed by the administrator.

Overlay Servers: the Overlay Servers associated with an Endpoint Profile determine which network infrastructure the endpoint connects to. They act as gateways to the resources and services inside that network. Each Overlay Server can carry its own user-defined groups, organized however is convenient for the organization.

Group memberships: created and managed by administrators to organize and control access to the resources behind an Overlay Server. The group memberships assigned to an Endpoint Profile determine which access privileges the different entities in the network receive.

Security Groups: the access policies within an Endpoint Profile. They specify the rules and permissions governing access to specific resources and services, i.e. which actions are allowed or denied for the members of the assigned groups.

Setting up policies:

There are two broad concepts associated with configuring an Endpoint Profile when it comes to setting up access policies:

  • Security Groups:

  • To create new access policies in the Tenant:

    1. Access the "Security Groups" menu from the navigation panel.

    2. Locate the "Add" button at the bottom left of the Security Groups table and click on it.

    3. Fill in the required fields in the form that appears:

    4. Service:

      • Specify the type of access for the security group by selecting one of the available services from the dropdown menu:

        1. All TCP: allows all traffic that uses the TCP protocol. In ZTNA, access policies can be defined to allow or restrict specific TCP-based services or applications.

        2. All UDP: allows all traffic that uses the UDP protocol. ZTNA access policies can be configured to permit or deny specific UDP-based services or applications.

        3. All ICMP: ICMP is used for network diagnostics and error reporting. Allowing or blocking ICMP traffic can be part of an access policy to control network visibility and limit reconnaissance (for example ping sweeps).

        4. All traffic: unrestricted access to all types of network traffic, regardless of protocol. Use it only where no narrower service fits and pair it with a restrictive Source; combined with Source "Any" it removes the per-application control that ZTNA is meant to provide.

        5. SSH: a network protocol used for secure remote access and administration.

        6. SMTP: used for sending email messages. Access policies can control access to SMTP servers to ensure secure communication and prevent unauthorized access or abuse.

        7. DNS (TCP): used when the query or response size exceeds the UDP limit or when a reliable connection is required.

        8. DNS (UDP): the most common and efficient way to transmit DNS messages because of its low overhead. Access policies can be set up to permit or restrict DNS queries over UDP.

        9. HTTP: used for web browsing and communication. Access policies can manage access to HTTP-based resources, such as websites or web applications, to enforce security measures and prevent unauthorized access.

        10. POP3: an email retrieval protocol. Access policies can control access to POP3 servers, allowing or denying connections for email retrieval based on specified criteria.

        11. MIME: a standard for encoding non-text content in email messages. Because MIME operates at the application layer rather than at the network layer where ZTNA policies are enforced, an access policy cannot match on MIME itself.

        12. LDAP: used for directory services and user authentication. Access policies can define rules for LDAP access, ensuring secure authentication and controlling access to directory servers.

        13. HTTPS: the encrypted version of HTTP. Access policies can be configured to enforce access to web resources over HTTPS, which verifies the identity of the server and protects data in transit.

        14. Custom TCP: allows access to a custom TCP port or service.

        15. Custom UDP: allows access to a custom UDP port or service.

        16. Custom ICMP: allows a specific ICMP type and code.

        17. Custom: lets you define access policies for non-standard protocols, ports or services that are not covered by the pre-defined options. With the "Custom" option you specify the criteria yourself, such as the protocol type and the port number.

    5. Protocol:

      • If you are defining a custom service, choose the type of protocol from the dropdown list.

      1. TCP: used for applications that require guaranteed delivery and error-free communication, such as web browsing, file transfer (e.g., FTP), email (e.g., SMTP, POP3), and remote administration (e.g., SSH).

      2. UDP: used for real-time applications, streaming media, voice over IP (VoIP), online gaming, DNS queries, and multicast or broadcast communication.

      3. ICMP: used for network diagnostics, error reporting, and control messages between network devices. It includes echo requests and replies, error reports (e.g., unreachable hosts) and control messages such as Time Exceeded and Redirect.

      4. ANY: allows all types of traffic, regardless of protocol. It grants unrestricted access to all network traffic, including TCP, UDP, ICMP, and other protocols, so constrain the Source tightly whenever you use it.

    6. Destination Ports:

      Define the destination port(s) for the security group when you are defining a custom service.

    7. Source:

      Choose the source for the security group from the following:

      1. Any: Selecting this option will permit any source.

      2. Custom: Selecting this option provides additional fields:

        • Host: Specify the Endpoint Profile that should act as the source for

        • Subnet: Specify the CIDR of the custom source.

        • Groups: Select the desired group members from the provided list.

    8. Name:

      This will serve as the identifier for the security group being created.

    9. Description:

      This is an optional field which can be used to specify important information about the security group.
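The following is an added example written for this guide, not MicroZAccess code: it models the Security Group form above (Service, Protocol, Destination Ports, Source) as a small Python class and checks a candidate flow against a set of groups with default-deny semantics. The mapping of preset services to ports, the field names, the OR between subnet and group for a Custom source, and the sample policy set are assumptions, and the helper also flags the "All traffic" plus Source "Any" combination that gives away the per-application control the Service list exists to enforce.

```python
# Added illustrative example, not MicroZAccess code: a minimal model of the
# Security Group form (Service, Protocol, Destination Ports, Source) and a
# default-deny check of a candidate flow against a set of groups. The
# preset-to-port mapping, field names and match semantics are assumptions.
import ipaddress
from dataclasses import dataclass, field

# Assumed mapping of the preset Service names to (protocol, destination ports).
# Port numbers are the IANA defaults; None means "any port". MIME is left out
# because it is an encoding format with no transport port to match on.
SERVICE_PRESETS = {
    "All TCP": ("TCP", None),
    "All UDP": ("UDP", None),
    "All ICMP": ("ICMP", None),
    "All traffic": ("ANY", None),
    "SSH": ("TCP", {22}),
    "SMTP": ("TCP", {25}),
    "DNS (TCP)": ("TCP", {53}),
    "DNS (UDP)": ("UDP", {53}),
    "HTTP": ("TCP", {80}),
    "POP3": ("TCP", {110}),
    "LDAP": ("TCP", {389}),
    "HTTPS": ("TCP", {443}),
}

# The Custom TCP/UDP/ICMP entries fix the protocol; plain "Custom" uses the
# Protocol field.
CUSTOM_PROTOCOLS = {"Custom TCP": "TCP", "Custom UDP": "UDP", "Custom ICMP": "ICMP"}


@dataclass
class SecurityGroup:
    name: str
    service: str                      # a preset name above, or one of the Custom entries
    protocol: str = "ANY"             # Protocol field, used only for "Custom"
    dest_ports: set = field(default_factory=set)        # Destination Ports (Custom only)
    source_any: bool = True           # Source = Any
    source_subnets: list = field(default_factory=list)  # Source = Custom: CIDR list
    source_groups: set = field(default_factory=set)     # Source = Custom: group members

    def resolved(self):
        """Return (protocol, ports); ports=None means any port."""
        if self.service in SERVICE_PRESETS:
            return SERVICE_PRESETS[self.service]
        proto = CUSTOM_PROTOCOLS.get(self.service, self.protocol)
        return proto, (set(self.dest_ports) or None)

    def matches(self, proto, dport, src_ip, src_groups=()):
        """True if this group permits a flow with the given protocol, destination
        port and source. A Custom source matches on subnet OR group membership."""
        want_proto, want_ports = self.resolved()
        if want_proto != "ANY" and want_proto != proto:
            return False
        if want_ports is not None and dport not in want_ports:
            return False
        if self.source_any:
            return True
        addr = ipaddress.ip_address(src_ip)
        in_subnet = any(addr in ipaddress.ip_network(c, strict=False)
                        for c in self.source_subnets)
        in_group = bool(set(src_groups) & self.source_groups)
        return in_subnet or in_group


def is_allowed(groups, proto, dport, src_ip, src_groups=()):
    """Default deny: a flow is permitted only if at least one group matches it."""
    return any(g.matches(proto, dport, src_ip, src_groups) for g in groups)


def overly_broad(group):
    """Flag a group that combines 'All traffic' (or Custom with protocol ANY and
    no ports) with Source = Any: it grants everything to everyone."""
    proto, ports = group.resolved()
    return group.source_any and proto == "ANY" and ports is None


# Constructed sample policy set (hypothetical names and addresses).
POLICY = [
    SecurityGroup("ssh-from-admins", "SSH", source_any=False, source_groups={"admins"}),
    SecurityGroup("internal-web", "Custom TCP", dest_ports={8080},
                  source_any=False, source_subnets=["10.20.0.0/16"]),
    SecurityGroup("dns-udp", "DNS (UDP)"),
]

if __name__ == "__main__":
    print(is_allowed(POLICY, "TCP", 22, "192.0.2.10", ["admins"]))  # True
    print(is_allowed(POLICY, "TCP", 22, "192.0.2.10", ["staff"]))   # False
    print(is_allowed(POLICY, "TCP", 8080, "10.30.5.5"))             # False
    print(overly_broad(SecurityGroup("wide-open", "All traffic")))  # True
```

The check is deliberately default-deny: a flow that matches no Security Group is refused, which is the behaviour you want from the profile as a whole. Run overly_broad over every group before assigning it to an Endpoint Profile; anything it flags should be narrowed to a specific service or a Custom source.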

  • Overlay Server:

    To create a new Overlay Server in the Tenant:

    1. Access the "MZA Overlay Server" menu from the navigation panel.

    2. Locate the "Add" button at the bottom left of the Overlay Server table and click on it.

    3. Fill in the required fields in the form that appears:

    4. Name:

      Serves as the identifier for the new Overlay Server.

    5. Description:

      An Optional field to add more information about the Overlay Server.

    6. Groups:

    These are user-defined Group Memberships that an admin can create within an Overlay Server. They let administrators define specific sets of users or devices with common attributes or requirements, so that access policies can be targeted at those sets instead of at the whole network.

    7. Signaling Hub:

      Under Signaling Hub you can choose either of the two options:

      1. Auto: The system will manage the necessary settings, such as the public IP, port, and subnet, without requiring manual input.

      2. Custom: By opting for a custom signaling hub, you will be provided with additional fields:

        • Public IP: the external address at which the signaling hub is reachable.

        • Port: the port used to reach the signaling hub at that address.

        • Subnet: the range of IP addresses (in CIDR form) used within the overlay network.

Configuring Endpoint Profile:

The Endpoint Profile is where you combine the required group members from the respective Overlay Servers with the Security Groups that match the organization's access requirements.

To create new Endpoint Profiles in the Tenant:

  1. First, select the Device in the Device menu of the website header; the new Endpoint Profile is created for that device.

  2. Access the "MicroZAccess" menu from the navigation panel.

  3. Locate the "Add" button at the bottom left of the Endpoint Profiles table and click on it.

  4. Fill in the required fields in the form that appears:

  • Name:

    Serves as the identifier for the Endpoint Profile.

  • MZA Overlay Servers:

  1. Clicking on “MZA Overlay Servers” shows the list of Overlay Servers that exist in the Tenant.

  2. Select the Overlay Servers that should be part of the profile.

  • Group Membership:

Once you have selected the Overlay Servers:

  1. Click on “Group Membership” to see the list of group members.

  2. Select the group members that have to be included in the Profile configuration.

  • Security Groups:

  1. Clicking on “Security Groups” shows the list of Security Groups in the tenant.

  2. Select only the Security Groups this device actually needs for its access requirements.

  • Advanced:

In the "Advanced" section of the Endpoint Profile configuration, you can choose the Client/Server mode for the profile. Additionally, you will find the following fields:

  1. Remote Subnet: the network range (in CIDR form) that the device may reach through the overlay. It defines the set of destinations the device is allowed to communicate with.

  2. Remote Gateway: the IP address or hostname of the remote gateway that serves as the entry point to the remote network. The remote gateway routes traffic between the device and the remote network.

  3. WAN Subnet: This field represents the subnet of the wide area network (WAN), which is the network that connects different locations or networks over a larger geographical area.

  4. LAN Subnet: This field represents the subnet of the local area network (LAN), which is the network that connects devices within a specific location or area, such as an office or building.
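The four Advanced fields are plain strings in the form, so inconsistent values are easy to save. The following is an added example, not MicroZAccess code, that sanity-checks them before you click “Add”: each subnet must be a valid CIDR with no host bits set, a Remote Gateway given as an IP address must lie inside the Remote Subnet (a hostname is accepted and skipped), and the Remote and LAN subnets must not overlap, since an overlap makes the client's routing ambiguous. The field names, the rules and the sample values are assumptions.

```python
# Added example, not MicroZAccess code: sanity-check the Advanced fields of an
# Endpoint Profile. Field names, rules and sample values are assumptions.
import ipaddress


def check_advanced(remote_subnet, remote_gateway, wan_subnet, lan_subnet):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    nets = {}
    for label, cidr in (("Remote Subnet", remote_subnet),
                        ("WAN Subnet", wan_subnet),
                        ("LAN Subnet", lan_subnet)):
        try:
            # strict=True rejects a value with host bits set (e.g. 10.0.0.5/24),
            # which is almost always a typo for the network address.
            nets[label] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:
            problems.append(f"{label} {cidr!r} is not a valid CIDR: {err}")

    # The guide allows an IP address or a hostname here. A hostname cannot be
    # checked against the subnet offline, so it is accepted as-is.
    try:
        gateway = ipaddress.ip_address(remote_gateway)
    except ValueError:
        gateway = None

    remote = nets.get("Remote Subnet")
    if gateway is not None and remote is not None:
        if gateway not in remote:
            problems.append(f"Remote Gateway {gateway} is outside Remote Subnet {remote}")
        elif remote.prefixlen < 31 and gateway in (remote.network_address,
                                                   remote.broadcast_address):
            problems.append(f"Remote Gateway {gateway} is the network or broadcast "
                            f"address of {remote}")

    lan = nets.get("LAN Subnet")
    if remote is not None and lan is not None and remote.overlaps(lan):
        problems.append(f"Remote Subnet {remote} overlaps LAN Subnet {lan}; "
                        "routing would be ambiguous")

    # A default route sends every packet from the client into the overlay,
    # which is rarely what a per-application profile is meant to do.
    if remote is not None and remote.prefixlen == 0:
        problems.append(f"Remote Subnet {remote} is a default route: all client "
                        "traffic would go through the overlay")
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation ranges, not real deployments).
    for p in check_advanced("192.168.1.0/24", "192.168.1.1",
                            "203.0.113.0/24", "192.168.1.0/24"):
        print(p)
```

An empty result does not prove the profile is correct (the script knows nothing about what is actually routed behind the gateway), but a non-empty one is a configuration that should not be saved.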

Once you have filled all the necessary configurations,

  1. Click on “Add” to create the Endpoint Profile for the selected Device.

  2. You can find the Profile listed both in:

    • MicroZAccess section of the MicroZAccess Web Dashboard

    • Home screen of the MicroZAccess Desktop App

Users, Devices and Server:

  • Users:

To add a new user to the tenant,

  1. Go to “Users” page from the Navigation Panel.

  2. Locate the “Add” button to the bottom right of the Users table.

  3. You will be provided with a form with the following fields:

    1. Email

    2. Active

  • Device Systems:

To create a new Device System,

  1. Go to the “Systems Device” page through the Navigation Panel.

  2. You will be provided with a form with the following fields:

    1. Name: In this field, you can assign a name to the device system based on your preference or a descriptive identifier.

    2. Device Type: This field allows you to specify the operating system type of the device.

    3. Device Model: Here, you can specify the model or version of the operating system for the device.

  • Once you have filled in the necessary details, click the "Submit" button. You are taken to the Inventory tab of the MicroZAccess Web Dashboard, where the newly registered device system is listed alongside the other registered devices and can be managed and monitored from there.

  • Server:

The “Inventory Page” of MicroZAccess lists the Devices registered in the Tenant, with the following columns:

  • DEVICE ID

  • DEVICE KEY

Once you have this information, use the Device ID and Device Key as the credentials in the server mode of the MicroZAccess Desktop App. The Device Key is what lets a machine join in server mode, so treat it as a secret: keep it in a secrets manager and out of tickets, chat and version control.
