Agentless Domain Onboarding

Agentless Domain Onboarding defines how an internal web application is securely published through SwiftZAccess, enabling controlled and secure external access without deploying an agent on the target system.

Traffic Flow Overview

Client Request → Network → Proxy → Network → Backend Server

  • Downstream: Client → Proxy

  • Upstream: Proxy → Backend Server

Navigation: Sidebar → Organization → Agentless ZTNA

Onboarding Parameters

  1. Name: A logical identifier used to recognize the onboarded domain within the system. This should be unique and meaningful for easy management.

  2. Description: Optional field to provide additional context or notes about the domain.
    Useful for administrative clarity and documentation.

  3. Domain: Specify the domain name without protocol (http/https) and without a trailing slash.
    Example:

    1. Original URL: https://www.domain.com/

    2. Enter: www.domain.com

  4. Port: Defines the port on which the application is running.

    1. HTTPS (default): 443

    2. HTTP (default): 80

    3. Custom Applications: Specify the required port.

  5. Upstream Scheme: Defines how the proxy communicates with the backend server.
    Options:

    1. None: Plain HTTP communication

    2. TLS: Secure HTTPS communication.

      1. If TLS is selected:

        1. Provide upstream server name

        2. Configure certificate path

  6. Downstream Scheme: Defines how end-users access the application.

    1. Recommended: HTTPS

    2. Requirements:

      1. TLS version configuration

      2. Domain certificate path

    3. Supports:

      1. Multiple SNI (Server Name Indication) entries

      2. Secure certificate binding

  7. WebSocket Configuration: If the application uses WebSockets:

    1. Enable WebSocket support

    2. Specify the WebSocket path (e.g., /ws)

    3. Configure required headers

  8. Health Check: Health checks ensure backend availability and reliability.

    1. Enable health check

    2. Provide health-check API endpoint

    3. Behavior: If the backend is unavailable, the proxy can respond accordingly to prevent failed routing.

  9. Static Assets Optimization: Improves performance by bypassing proxy validation for static content.

    1. Enable static asset bypass

    2. Define asset paths (e.g., /images, /css, /js)

    3. Benefit: Reduces proxy overhead and improves response time.

  10. Listening Configuration: Defines how the proxy listens for incoming requests.

    1. IP Address: Typically 0.0.0.0 (listens on all network interfaces)

    2. Port: Should match the configured application port
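A pre-flight check for the parameters above, as an added example that is not SwiftZAccess code. The field names and sample values are hypothetical, since this page does not show the product's configuration format, and the static-asset check assumes bypass paths match by prefix.

```python
from urllib.parse import urlsplit

# Field names are hypothetical; the page does not show SwiftZAccess's config format.
def normalize_domain(value: str) -> str:
    """Reduce a pasted URL to the bare host the Domain field expects."""
    value = value.strip()
    host = urlsplit(value if "://" in value else "//" + value).hostname
    if not host:
        raise ValueError(f"no host in {value!r}")
    return host

def preflight(req: dict) -> list:
    """Return a list of problems; an empty list means the request is consistent."""
    problems = []
    domain = req.get("domain") or ""
    try:
        if normalize_domain(domain) != domain:
            problems.append("domain: host only, no protocol, port or trailing slash")
    except ValueError:
        problems.append("domain: missing or unparsable")
    port = req.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port: must be an integer in 1-65535")
    if req.get("listen_port") != port:
        problems.append("listen_port: should match the application port")
    # Conditional requirements stated in the parameter list.
    required = {("upstream_scheme", "TLS"): ("upstream_server_name", "upstream_cert_path"),
                ("downstream_scheme", "HTTPS"): ("tls_version", "domain_cert_path")}
    for (field, value), keys in required.items():
        if req.get(field) == value:
            problems += [f"{k}: required when {field} is {value}" for k in keys if not req.get(k)]
    if req.get("websocket") and not str(req.get("websocket_path") or "").startswith("/"):
        problems.append("websocket_path: required when WebSocket is enabled, e.g. /ws")
    # Assumption: bypass paths match by prefix, so "/" would exempt every request.
    if any(p.strip() in ("", "/") for p in req.get("static_asset_paths", [])):
        problems.append("static_asset_paths: '/' or empty path bypasses validation site-wide")
    return problems

# Constructed sample requests, not taken from the product.
GOOD = {"domain": "www.domain.com", "port": 443, "listen_port": 443,
        "upstream_scheme": "TLS", "upstream_server_name": "app.internal.example",
        "upstream_cert_path": "/etc/certs/upstream.pem", "downstream_scheme": "HTTPS",
        "tls_version": "1.2", "domain_cert_path": "/etc/certs/domain.pem",
        "websocket": True, "websocket_path": "/ws", "static_asset_paths": ["/images", "/css"]}
BAD = {"domain": "https://www.domain.com/", "port": 443, "listen_port": 8443,
       "upstream_scheme": "TLS", "downstream_scheme": "HTTPS", "tls_version": "1.2",
       "domain_cert_path": "/etc/certs/domain.pem", "websocket": True,
       "static_asset_paths": ["/"]}
for _name, _req in (("GOOD", GOOD), ("BAD", BAD)):
    print(_name, preflight(_req) or "ok")
```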

Other Information

  1. Upstream (Backend Configuration): Defines the backend server details where traffic is forwarded.

    1. Backend Server IP

    2. Backend Server Port

  2. CORS Configuration: Required if the backend enforces Cross-Origin Resource Sharing (CORS) policies.

    1. Enable CORS

    2. Configure:

      1. Allowed Origins

      2. Allowed Headers

      3. Allowed Methods

  3. Deployment Modes: SwiftZAccess supports multiple deployment models based on infrastructure and security requirements:

    1. Cloud-Based Proxy: A fully managed proxy hosted in the cloud that handles secure traffic routing.
      Required Configuration:

      1. Domain

      2. Port

      3. Server Names

      4. Downstream Scheme

      5. Upstream Scheme

      6. Public Server IP & Port

      7. TLS Certificates

      8. (Optional) WebSocket / CORS configuration

    2. Edge-Based (Without HTTPS Handling): Proxy is deployed at the edge without TLS termination.

      1. Required Configuration:

        1. Domain

        2. Port

        3. Listening IP & Port

        4. Upstream (Backend) IP & Port
          Note: TLS configuration is not required in this mode.

    3. Edge-Based (With HTTPS Handling): Proxy is deployed at the edge with full TLS handling.
      Required Configuration:

      1. Domain

      2. Port

      3. Listening IP & Port

      4. TLS Certificates

      5. Upstream Configuration

      6. (Optional) WebSocket / CORS configuration

Important Notes

  • All required details must be provided by the domain owner

  • Ensure correct certificate paths for HTTPS configurations

  • Misconfigured upstream or downstream settings may break connectivity

  • Always validate backend accessibility before onboarding

Domain onboarding in SwiftZAccess allows secure and flexible application exposure through a proxy-based architecture. By correctly configuring domain parameters, deployment mode, and traffic flow settings, organizations can ensure secure, high-performance, and policy-driven access to their applications.