Controlling Access to Customer Cloud or On-Prem Resources through a ZTNA Gateway

When a ZTNA Sensor is configured as ZTNA Gateway, it can be deployed in a Customer Cloud or On-Prem to control remote access to Cloud or On-Prem Resources. Combined with the ZTNA Client feature embedded within the Genian ZTNA Agent, a secure connection is established between a remote endpoint and the ZTNA Gateway. After a user is successfully authenticated, only the access defined by the administrator will be available. Any other connection attempts will be discarded by the ZTNA Gateway.

Deploying the ZTNA Sensor in a Customer Cloud or On-Premises

Skip this step if you have already installed a ZTNA Sensor in your Cloud or On-Prem. For instructions on how to install a ZTNA Sensor in a Customer Cloud or On-Prem:

See: Installing Genian ZTNA.

Create On-Prem Site

Note

On-Prem Infrastructure type is used for any non-AWS Cloud environment

  1. From the top menu, navigate to System > Site
  2. Click Tasks then Create
  3. Enter a Name for the site (ex. 'Corp Hub')
  4. For Infrastructure select On-Prem
  5. For Type select Hub or Branch (typically Hub if this is the first Gateway you have deployed)
  6. For Network Address enter the network address for the On-Prem or Cloud network (ex. 10.0.0.0/16 or 172.31.16.0/20)
  7. Click Save

Enable ZTNA Client in On-Prem Site

  1. From the top menu, navigate to System > Site
  2. Click on the desired Site Name
  3. Under ZTNA Client, set Status to 'Enabled'
  4. Leave the Network field blank for auto-assignment of an IP pool for remote endpoints connecting to the ZTNA Gateway
  5. Click Save

Add the ZTNA Connection Manager Agent Action to Node Policy

  1. Select the applicable Node Policy (the Default Node Policy may be used unless you want to create a specific Node Policy)
  2. From the top menu, navigate to Policy > Node Policy and click on the desired Node Policy
  3. Under Authentication Policy, change Authentication Method from Password Authentication to Host Authentication
  4. Scroll down to the Agent Action section and Click Assign
  5. Select the 'ZTNA Connection Manager' by moving it from the Available window to the Selected window then click Update
  6. Click on the name of the Node Policy
  7. Scroll down and click on the ZTNA Connection Manager Agent Action
  8. Under the Plugin section, click Assign to the right of the Site window
  9. Select the desired site users will be connecting remotely to through the ZTNA Gateway using the ZTNA Client
  10. Click Update then click the blinking Apply in the upper right-hand corner

Set ZTNA Sensor to Gateway (In-Line) Mode

  1. From the top menu, navigate to System
  2. Click on the Sensor IP
  3. Click on the Sensor tab
  4. For the eth0 interface, in the far-right Settings column, click on Sensor
  5. Under Sensor Operation, change Sensor Mode from Host to Inline and change Mirror Operating Scope from Local to Global
  6. Scroll down and click Update

Install Genian ZTNA Client and Verify Access

Note

The ZTNA Client will connect to the ZTNA Gateway over ports TCP 443,1194, and UDP 3870,3871 so these ports must be opened from the public IP of the end user's device to the public IP of the ZTNA Gateway. Be sure to update firewall rules and security groups accordingly.

  1. Create a test account for remote access under Management > User > Tasks > Add User
  2. Browse to https://yoursite.genians.net/agent
  3. Click the Download button and follow the prompts to install the Agent
  4. Once installed, right click on the Agent icon, select Network Access and click Connect
  5. Enter the username and password created in the step above
  6. The ZTNA Client should pop up a message indicating you are now connected and provide your IP for the connection
  7. All traffic from the endpoint will now be routed through the ZTNA Gateway
  8. The remote session information can be viewed under System > Site > ZTNA Client