Controlling Access to Customer Cloud or On-Prem Resources through a NAC 6.0 Gateway

When a NAC 6.0 Sensor is configured as a NAC 6.0 Gateway, it can be deployed in a Customer Cloud or On-Prem network to control remote access to Cloud or On-Prem Resources. Combined with the NAC 6.0 Client feature embedded in the Genian NAC 6.0 Agent, it establishes a secure connection between a remote endpoint and the NAC 6.0 Gateway. After a user is successfully authenticated, only the access defined by the administrator is available; any other connection attempt is discarded by the NAC 6.0 Gateway.

Deploying the NAC 6.0 Sensor in a Customer Cloud or On-Premises

Skip this step if you have already installed a NAC 6.0 Sensor in your Cloud or On-Prem environment. For instructions on how to install a NAC 6.0 Sensor in a Customer Cloud or On-Prem environment:

See: /install/installing-genian-nac.

Create On-Prem Site

Note

The On-Prem Infrastructure type is used for any non-AWS Cloud environment.

  1. From the top menu, navigate to System > Site

  2. Click Tasks then Create

  3. Enter a Name for the site (ex. 'Corp Hub')

  4. For Infrastructure select On-Prem

  5. For Type select Hub or Branch (typically Hub if this is the first Gateway you have deployed)

  6. For Network Address enter the network address for the On-Prem or Cloud network (ex. 10.0.0.0/16 or 172.31.16.0/20)

  7. Click Save

Enable NAC 6.0 Client in On-Prem Site

  1. From the top menu, navigate to System > Site

  2. Click on the desired Site Name

  3. Under NAC 6.0 Client, set Status to 'Enabled'

  4. Leave the Network field blank to auto-assign an IP pool for remote endpoints connecting to the NAC 6.0 Gateway

  5. Click Save

Add the NAC 6.0 Connection Manager Agent Action to Node Policy

  1. Decide which Node Policy applies (the Default Node Policy may be used unless you want a Node Policy specific to remote users)

  2. From the top menu, navigate to Policy > Node Policy and click on the desired Node Policy

  3. Under Authentication Policy, change Authentication Method from Password Authentication to Host Authentication

  4. Scroll down to the Agent Action section and Click Assign

  5. Select the 'NAC 6.0 Connection Manager' by moving it from the Available window to the Selected window then click Update

  6. Click on the name of the Node Policy

  7. Scroll down and click on the NAC 6.0 Connection Manager Agent Action

  8. Under the Plugin section, click Assign to the right of the Site window

  9. Select the site that remote users will connect to through the NAC 6.0 Gateway using the NAC 6.0 Client

  10. Click Update then click the blinking Apply in the upper right-hand corner

Set NAC 6.0 Sensor to Gateway (In-Line) Mode

  1. From the top menu, navigate to System

  2. Click on the Sensor IP

  3. Click on the Sensor tab

  4. For the eth0 interface, in the far-right Settings column, click on Sensor

  5. Under Sensor Operation, change Sensor Mode from Host to Inline and change Mirror Operating Scope from Local to Global

  6. Scroll down and click Update

Install Genian NAC 6.0 Client and Verify Access

Note

The NAC 6.0 Client connects to the NAC 6.0 Gateway over TCP 443 and 1194 and UDP 3870 and 3871, so these ports must be open from the public IP of the end user's device to the public IP of the NAC 6.0 Gateway. Update firewall rules and security groups accordingly. Limit the rules to exactly these ports and, where the set of remote clients is known, to their source addresses; the Gateway does not need any other inbound exposure to serve NAC 6.0 Client connections.
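As an added example, not taken from the Genian NAC documentation, the following POSIX shell script turns that port list into the two rule sets most deployments need: iptables rules for a Linux host that terminates the client connections, and an IpPermissions document for an AWS security group. The interface name (eth0), the Gateway address 203.0.113.10 and the client prefix 198.51.100.0/24 are placeholders; the reachability check assumes a netcat that supports -z and is not run offline.

```sh
#!/bin/sh
# Added example (not Genian NAC code): build ingress rules that admit only
# the NAC 6.0 Client ports to the Gateway's public address from a known
# client prefix, and drop everything else arriving on that interface.
# Interface name and addresses in the usage calls are placeholders.

# The ports from the note above: TCP 443 and 1194, UDP 3870 and 3871.
nac_client_ports() {
    printf '%s\n' "tcp 443" "tcp 1194" "udp 3870" "udp 3871"
}

# Print (do not run) iptables commands for the Linux host on which the
# Gateway terminates client connections. $1 = interface, $2 = Gateway
# public IP, $3 = client source IP or CIDR. Replies to connections the
# host initiated are allowed; any other inbound traffic on $1 is dropped.
gateway_ingress_rules() {
    iface="$1"; gw_ip="$2"; src="$3"
    printf 'iptables -A INPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$iface"
    nac_client_ports | while read -r proto port; do
        printf 'iptables -A INPUT -i %s -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$iface" "$src" "$gw_ip" "$proto" "$port"
    done
    printf 'iptables -A INPUT -i %s -j DROP\n' "$iface"
}

# The same policy as an IpPermissions array, usable with
#   aws ec2 authorize-security-group-ingress --group-id <sg-id> --ip-permissions file://rules.json
# $1 must be a CIDR; use a /32 for a single client address.
gateway_sg_permissions() {
    src="$1"
    first=1
    printf '['
    nac_client_ports | while read -r proto port; do
        [ "$first" -eq 1 ] || printf ','
        first=0
        printf '{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s","Description":"NAC 6.0 Client"}]}' \
            "$proto" "$port" "$port" "$src"
    done
    printf ']\n'
}

# Client-side check that the TCP ports are reachable once the rules are in
# place (UDP cannot be probed this way). Requires nc with -z support;
# returns non-zero if any TCP port is closed or filtered.
check_gateway_tcp() {
    gw_ip="$1"; rc=0
    for port in $(nac_client_ports | awk '$1 == "tcp" { print $2 }'); do
        if nc -z -w 3 "$gw_ip" "$port"; then
            echo "tcp/$port reachable"
        else
            echo "tcp/$port NOT reachable"; rc=1
        fi
    done
    return $rc
}

# Usage with placeholder addresses: review the output before applying it.
gateway_ingress_rules eth0 203.0.113.10 198.51.100.0/24
gateway_sg_permissions 198.51.100.0/24
# check_gateway_tcp 203.0.113.10   # run from a remote client, not offline
```

The rules are printed rather than applied so they can be reviewed and, on AWS, so the same port list feeds the security group without being retyped; keeping the port list in one function is what prevents the host firewall and the security group from drifting apart.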

  1. Create a test account for remote access under Management > User > Tasks > Add User

  2. Browse to https://yoursite.genians.net/agent

  3. Click the Download button and follow the prompts to install the Agent

  4. Once installed, right-click on the Agent icon, select Network Access and click Connect

  5. Enter the username and password created in the step above

  6. The NAC 6.0 Client should pop up a message indicating you are now connected and showing the IP address assigned to the connection

  7. All traffic from the endpoint will now be routed through the NAC 6.0 Gateway

  8. The remote session information can be viewed under System > Site > NAC 6.0 Client