Controlling Access to Cloud Resources

The Genian ZTNA Gateway can be deployed in the Cloud to control access to Cloud Resources. Together with the ZTNA Client feature embedded in the Genian ZTNA Agent, it establishes a secure connection between a remote endpoint and the ZTNA Cloud Gateway. After a user is successfully authenticated, only the access defined by the administrator is available; any other connection attempt is discarded by the ZTNA Cloud Gateway.

Deploying the ZTNA Gateway in the AWS Cloud

Note

Presently the Genian ZTNA Gateway can only be deployed into AWS Cloud environments from the Genian ZTNA UI. To deploy a ZTNA Gateway in an environment other than AWS, see: Installing ZTNA Gateway

Note

Prior to following the steps below, be sure you have already added a Cloud Provider and Cloud Site. See: Managing Nodes in the Cloud

Enable ZTNA Client in Cloud Site

  1. From the top menu, navigate to System > Site
  2. Click on the desired Site Name
  3. Under ZTNA Client, set Status to 'Enabled'
  4. Leave the Network field blank for auto-assignment of an IP pool for remote endpoints connecting to the Cloud Gateway
  5. Click Save

Add the ZTNA Connection Manager Agent Action to Node Policy

  1. Select the applicable Node Policy (the Default Node Policy may be used unless you want to create a specific Node Policy)
  2. From the top menu, navigate to Policy > Node Policy and click on the desired Node Policy
  3. Under Authentication Policy, change Authentication Method from Password Authentication to Host Authentication
  4. Scroll down to the Agent Action section and click Assign
  5. Select the 'ZTNA Connection Manager' by moving it from the Available window to the Selected window then click Update
  6. Click on the name of the Node Policy
  7. Scroll down and click on the ZTNA Connection Manager Agent Action
  8. Under the Plugin section, click Assign to the right of the Site window
  9. Select the site that remote users will connect to through the Cloud Sensor using the ZTNA Client
  10. Click Update then click the blinking Apply in the upper right-hand corner

Deploy Cloud Sensor

  1. From the top menu, navigate to System > Site
  2. Check the box next to yoursite.genians.net
  3. Click Tasks then select Add Cloud Sensor
  4. Select the desired site where you will be deploying the Cloud Sensor
  5. Select an Amazon Machine Image (AMI) (a recommended AMI will be displayed)
  6. Select the desired EC2 Instance Type (t2.medium is recommended)
  7. Select the desired Subnet ID for the subnet the Cloud Sensor will be deployed in
  8. Select the desired key pair for remote CLI access to the Cloud Sensor EC2

Note

CLI access to the Cloud Sensor is typically not required; however, a key pair is mandatory for the AWS EC2 creation process. Any valid key pair created for the specified region may be used. Refer to the AWS documentation for information on how to create a key pair for remote EC2 access.

  1. Click Check Init
  2. A Terraform initialization test will be performed to confirm all the information selected will succeed in EC2 creation
  3. If any errors are displayed during the Check Init process, address the issues in your AWS environment before proceeding

Note

At least one Elastic IP must be available in the region you deploy a Cloud Sensor to.

  1. Click Create
  2. The Apply Complete message indicates that the Cloud Sensor was successfully deployed
  3. Click Close to close the window
  4. The Cloud Sensor will now be displayed in the System list

Note

It may take up to 15 minutes for the Cloud Sensor to fully initialize and communicate with your Cloud Policy Server. To verify the status of the Cloud Sensor EC2, log in to the AWS EC2 Console.
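As an added example (not part of the Genians documentation), the two checks above can also be scripted: a pre-flight check that the region still has an Elastic IP to give the Cloud Sensor, and a post-deploy check of the EC2 instance state, both working on the JSON returned by `aws ec2 describe-addresses` and `aws ec2 describe-instances`. The instance ID, the IPs and the quota value are assumptions; the two JSON documents are constructed samples.

```python
"""Pre-flight and post-deploy checks for a Cloud Sensor EC2 (added example).

Feed these functions the parsed output of:
  aws ec2 describe-addresses --region <region>
  aws ec2 describe-instances --region <region> --instance-ids <id>
The documents at the bottom are constructed samples, not real account data.
"""
import json

# AWS default per-region quota for EC2-VPC Elastic IPs; pass a higher value if you requested an increase.
DEFAULT_EIP_QUOTA = 5

def elastic_ip_headroom(describe_addresses: dict, quota: int = DEFAULT_EIP_QUOTA) -> dict:
    """Report whether the deployment can obtain an Elastic IP in this region.

    Deployment succeeds if either a slot is still free under the quota or an
    already-allocated EIP is not associated with any instance or ENI.
    """
    addresses = describe_addresses.get("Addresses", [])
    allocated = len(addresses)
    unassociated = sum(1 for a in addresses if "AssociationId" not in a)
    free_slots = max(quota - allocated, 0)
    return {"allocated": allocated, "unassociated": unassociated,
            "free_slots": free_slots, "ok": (free_slots + unassociated) > 0}

def instance_state(describe_instances: dict, instance_id: str) -> str:
    """Return the EC2 state name ('pending', 'running', ...) for instance_id, or 'not-found'."""
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("InstanceId") == instance_id:
                return inst["State"]["Name"]
    return "not-found"

# Constructed sample: all 5 default slots allocated, but one EIP is not associated, so deployment can proceed.
SAMPLE_ADDRESSES = json.loads("""{"Addresses": [
  {"PublicIp": "198.51.100.10", "AllocationId": "eipalloc-0a1", "AssociationId": "eipassoc-0a1"},
  {"PublicIp": "198.51.100.11", "AllocationId": "eipalloc-0a2", "AssociationId": "eipassoc-0a2"},
  {"PublicIp": "198.51.100.12", "AllocationId": "eipalloc-0a3", "AssociationId": "eipassoc-0a3"},
  {"PublicIp": "198.51.100.13", "AllocationId": "eipalloc-0a4", "AssociationId": "eipassoc-0a4"},
  {"PublicIp": "198.51.100.14", "AllocationId": "eipalloc-0a5"}
]}""")

# Constructed sample: the Cloud Sensor instance (hypothetical ID) has finished booting.
SAMPLE_INSTANCES = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-0example", "InstanceType": "t2.medium", "State": {"Code": 16, "Name": "running"}}
]}]}""")

if __name__ == "__main__":
    print(elastic_ip_headroom(SAMPLE_ADDRESSES))
    print(instance_state(SAMPLE_INSTANCES, "i-0example"))
```

A state of `pending` for several minutes is normal given the initialization time noted above; `not-found` or `terminated` means the Terraform apply did not leave a usable instance behind.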

Set Cloud Sensor to Cloud Gateway Mode

  1. From the top menu, navigate to System
  2. Click on the Cloud Sensor IP
  3. Click on the Sensor tab
  4. For the eth0 interface, in the far-right Settings column, click on Sensor
  5. Under Sensor Operation, change Sensor Mode from Host to Inline and change Mirror Operating Scope from Local to Global
  6. Scroll down and click Update

Install Genian ZTNA Client and Verify Cloud Access

  1. Create a test account for remote access under Management > User > Tasks > Add User
  2. Browse to https://yoursite.genians.net/agent
  3. Click the Download button and follow the prompts to install the Agent
  4. Once installed, right-click on the Agent icon, select Network Access and click Connect
  5. Enter the username and password created in the step above
  6. The ZTNA Client should pop up a message indicating you are now connected and provide your IP for the connection
  7. All traffic from the endpoint will now be routed through the Cloud Gateway
  8. The remote session information can be viewed under System > Site > ZTNA Client