ZTNA-Client

ZTNA-Client is a feature that lets remote users (branch offices, home offices, mobile users, etc.) securely access designated site resources through SSL-based VPN tunnels in a ZTNA environment.
It is primarily used together with the ZTNA Agent. In environments where installing the agent is difficult (no installation permissions, servers, special-purpose operating systems, etc.), the connection can be made with an OpenVPN compatible client instead.
Either way, remote users get the same security policy enforcement, session visibility, and centralized access control as on-site users.

How to Configure ZTNA-Client

Before configuring ZTNA-Client, you must first proceed with Site Settings.

1. Set ZTNA-Client Application Mode to Enabled and proceed with the detailed settings.

Feature Name / Description and Sub-options

SDP
    Secures remote access and uses the Connection Manager.

    Connection Manager
        Select the VPN to use for the network connection (Genian ZTNA, Axgate VPN, SSLPNS).

Client Network
    Select the management sensor that will manage the clients.

Use Virtual Network
    By default, the sensor's management network is used; when set to On, a virtual network is used instead.

VXLAN Tunneling
    Sets up VXLAN connections between gateway sensors so that devices connecting through different ZTNA Gateways can use the same IP range.

Access Network
    Specify the network ranges the ZTNA Client reaches through the tunnel (split tunnel). If left unspecified, all traffic is sent through the ZTNA Client tunnel (full tunnel).

Static IP
    Assigns the user a fixed IP address instead of a dynamically assigned one.

Isolation
    Blocks access to the client from outside and direct communication between connected users.

OpenVPN Compatibility
    Provides a configuration file that can be used with an OpenVPN compatible client.

Custom Server Domain
    Set the server domain name or IP that the ZTNA Client connects to. If not set, the sensor's IP or the gateway's public IP is used automatically.

External Certificate
    Set a certificate from a trusted external CA for the server domain that the ZTNA Client connects to, so that clients can validate the server they reach.

Note

When ZTNA-Client is switched to a virtual network, a TAP interface is created on the ZTNA sensor, and client IPs are assigned via DHCP through that TAP interface.
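The OpenVPN Compatibility, Custom Server Domain and External Certificate options together decide whether an OpenVPN client can actually verify which server it is talking to. The following is an added example (not the profile ZTNA-Client generates, whose contents the page does not describe) that parses an OpenVPN client profile and reports the server-identity checks a hardened profile should carry. The directives are standard OpenVPN client options; "vpn.example.com" stands in for a Custom Server Domain, and both sample profiles are constructed.

```python
"""Audit an OpenVPN client profile for server-identity pinning.

Added example; it is not the profile that ZTNA-Client generates (the page does
not describe that file's contents) and "vpn.example.com" stands in for a
Custom Server Domain. The directives checked are standard OpenVPN client
options; SAMPLE_WEAK and SAMPLE_HARDENED are constructed profiles.
"""
import re


def parse_profile(text):
    """Return {directive: [args]} for the last occurrence of each directive.

    Inline blocks such as <ca> ... </ca> are stored under the tag name with the
    block body as their single argument, so callers can test for their presence.
    """
    opts, block, body = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block:
            if line == f"</{block}>":
                opts[block] = ["\n".join(body)]
                block, body = None, []
            else:
                body.append(line)
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:
            block = m.group(1)
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def audit_ovpn(text, expected_domain):
    """Return a list of findings; an empty list means the server identity is pinned."""
    opts = parse_profile(text)
    findings = []
    if "ca" not in opts:
        findings.append("no <ca> block: no trust anchor for the server certificate")
    if (opts.get("remote-cert-tls") or [None])[0] != "server":
        findings.append("missing 'remote-cert-tls server': any certificate from the "
                        "same CA, including a client certificate, passes as the server")
    pinned = opts.get("verify-x509-name")
    if not pinned:
        findings.append("missing 'verify-x509-name': the server name is not pinned")
    elif pinned[0] != expected_domain:
        findings.append(f"verify-x509-name pins '{pinned[0]}', expected '{expected_domain}'")
    tls_min = opts.get("tls-version-min")
    if not tls_min:
        findings.append("missing 'tls-version-min 1.2': relies on the client build's default")
    elif float(tls_min[0]) < 1.2:
        findings.append(f"tls-version-min {tls_min[0]} allows TLS 1.0/1.1 handshakes")
    remote = opts.get("remote")
    if remote and remote[0] != expected_domain:
        findings.append(f"remote '{remote[0]}' differs from the expected server domain")
    return findings


# Constructed profile in the shape a client gets when no Custom Server Domain
# is set: it connects to a bare IP and pins nothing.
SAMPLE_WEAK = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIB (constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Same profile with the server domain and the three pinning directives added.
SAMPLE_HARDENED = SAMPLE_WEAK.replace(
    "remote 203.0.113.10 1194", "remote vpn.example.com 1194") + """\
remote-cert-tls server
verify-x509-name vpn.example.com name
tls-version-min 1.2
"""

if __name__ == "__main__":
    for label, profile in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_ovpn(profile, "vpn.example.com") or "no findings")
```

Run the audit against the file handed out by the site before distributing it: with a Custom Server Domain and an External Certificate configured, `remote` and `verify-x509-name` can both name that domain, which is the combination that stops a client from silently accepting a different gateway.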

2. To connect through SDP, enter the settings of the separately configured SDP Controller.

    Reference : understanding-sdp

    Feature Name / Description

    Controller Domain
        Enter the connection domain of the SDP Controller.

    Controller Secret
        Enter the secret key used to authenticate to the SDP Controller.

    SPA Port
        Enter the port number to which the client sends its SPA (Single Packet Authorization) packet to the SDP Controller on initial access.

    User Authentication Port
        Enter the port number on which user authentication is performed after the SPA packet has been accepted.

    Authentication Method
        Select the authentication method used after SPA transmission: User Authentication, or Certificate + User Authentication.

3. Add ZTNA Connection Manager to Node Policy - Node Action.

4. In the ZTNA Connection Manager node action settings, click Assign and add the site created earlier.

5. Go to System - Sensor, click the sensor, then open Sensor Settings - Node tasks - Sensor Settings for each interface the sensor uses (the existing interface and the created TAP interface), and set Sensor Operation Mode to Inline and Operation Scope to Global.

Note

If Inline and Global modes are not set, ZTNA-Client packets may not be processed correctly.

6. Install the agent. [ https://Policy Server IP/agent ]

7. Right-click the Agent icon, select Network Access, and click the configured site name.

8. Enter user information and click Connect.
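The SDP settings in step 2 (Controller Secret, SPA Port, User Authentication Port) describe a gate that keeps the authentication port closed until the client has proven knowledge of the controller secret in a single packet. The following is an added illustration of that mechanism, written for this page; it is not the Genian ZTNA wire format, which the page does not describe. The packet layout, the HMAC construction, the port numbers and the 30-second window are assumptions made for the example.

```python
"""Single Packet Authorization gate in front of the user-authentication port.

Added illustration of what the SPA Port, User Authentication Port and
Controller Secret settings refer to. This is NOT the Genian ZTNA wire format,
which the page does not describe: the packet layout, the HMAC construction,
the port numbers and the 30-second window are assumptions made for the example.
"""
import base64
import hashlib
import hmac
import json
import os

SPA_PORT = 62201        # assumed value for "SPA Port" (UDP, never answers)
AUTH_PORT = 9443        # assumed value for "User Authentication Port"
WINDOW = 30             # assumed freshness / replay window in seconds
TAG_LEN = 32            # HMAC-SHA256 output length


def build_spa(secret: bytes, client_id: str, now: float) -> bytes:
    """Client side: one UDP payload = JSON body || HMAC-SHA256(secret, body)."""
    body = json.dumps({
        "id": client_id,
        "ts": int(now),
        "nonce": base64.b64encode(os.urandom(16)).decode(),
        "port": AUTH_PORT,
    }, sort_keys=True).encode()
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class SpaController:
    """Controller side: the auth port stays closed until a valid SPA arrives."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = {}      # nonce -> expiry (replay cache)
        self.allowed = {}   # client id -> (source IP, expiry)

    def _expire(self, now: float) -> None:
        self.seen = {n: e for n, e in self.seen.items() if e > now}
        self.allowed = {c: v for c, v in self.allowed.items() if v[1] > now}

    def handle(self, packet: bytes, src_ip: str, now: float) -> str:
        """Validate a packet received on SPA_PORT. Every failure is a silent drop:
        nothing is sent back, so a scanner cannot tell the port is listening."""
        if len(packet) <= TAG_LEN:
            return "drop: short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "drop: bad mac"
        try:
            msg = json.loads(body)
            ts, nonce, cid = int(msg["ts"]), str(msg["nonce"]), str(msg["id"])
        except (ValueError, KeyError, TypeError):
            return "drop: malformed"
        if abs(now - ts) > WINDOW:
            return "drop: stale"
        self._expire(now)
        if nonce in self.seen:
            return "drop: replay"
        self.seen[nonce] = now + WINDOW
        # Open AUTH_PORT only for this client, only from this source, only briefly.
        self.allowed[cid] = (src_ip, now + WINDOW)
        return "accept"

    def auth_port_open(self, client_id: str, src_ip: str, now: float) -> bool:
        """Firewall-style check made when a TCP connection reaches AUTH_PORT."""
        entry = self.allowed.get(client_id)
        return entry is not None and entry[0] == src_ip and now <= entry[1]


if __name__ == "__main__":
    secret = b"example-controller-secret"   # stands in for "Controller Secret"
    ctrl = SpaController(secret)
    t0 = 1_700_000_000.0
    pkt = build_spa(secret, "laptop-01", t0)
    print(ctrl.handle(pkt, "198.51.100.7", t0))        # accept
    print(ctrl.handle(pkt, "198.51.100.7", t0 + 1))    # drop: replay
    print(ctrl.auth_port_open("laptop-01", "198.51.100.7", t0 + 5))   # True
```

The two properties worth keeping in mind when sizing the settings are that the SPA port never responds (so the controller secret is the only thing that distinguishes a client from a scanner) and that the authentication port is opened per source address for a short window, which is why the client's clock and the controller's clock need to agree to within that window.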

How to Check ZTNA-Client Sessions

Once a client has connected to the site via the Agent or an OpenVPN client, you can check the sessions accessing each site in the Web Console.

  • Click System - Site, then click the number in the ZTNA-Client tab of the displayed screen to see the sessions connected to that site.

  • In the ZTNA Client Sessions screen, you can check the connected User ID, Hub Name, Device Name, User IP, Assigned IP, Packet Volume, Packet Count, Creation Time, and Last Communication Time.
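The session fields listed above are enough to spot the conditions an operator usually wants to act on: sessions that are still listed but have gone quiet, one user holding sessions from several devices, and an assigned IP that shows up in more than one live session (for instance, overlapping Static IP assignments). The following is an added example, not a Genian tool; it assumes the ZTNA Client Sessions list can be saved as CSV with the column names the console displays, and the records, user names and addresses in SAMPLE_CSV are constructed.

```python
"""Review exported ZTNA-Client session records for things worth a second look.

Added example, not a Genian tool. It assumes the ZTNA Client Sessions list can
be saved as CSV with the column names the console displays; SAMPLE_CSV is
constructed data in that layout. User names and addresses are placeholders.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_CSV = """\
User ID,Hub Name,Device Name,User IP,Assigned IP,Packet Volume,Packet Count,Creation Time,Last Communication Time
alice,HQ-GW1,alice-laptop,198.51.100.23,10.200.0.11,58214411,41230,2024-05-02 08:01:10,2024-05-02 11:58:40
alice,HQ-GW2,alice-phone,203.0.113.77,10.200.0.12,10422,95,2024-05-02 11:40:02,2024-05-02 11:59:01
bob,HQ-GW1,bob-desktop,198.51.100.80,10.200.0.13,3301022,6100,2024-05-02 07:55:00,2024-05-02 09:02:15
carol,HQ-GW2,carol-laptop,192.0.2.14,10.200.0.13,2048,20,2024-05-02 11:50:30,2024-05-02 11:59:58
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed timestamp format of the export


def load_sessions(text):
    """Parse the CSV export and add typed fields to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["created"] = datetime.strptime(row["Creation Time"], TIME_FORMAT)
        row["last_seen"] = datetime.strptime(row["Last Communication Time"], TIME_FORMAT)
        row["bytes"] = int(row["Packet Volume"])
        row["packets"] = int(row["Packet Count"])
    return rows


def idle_sessions(sessions, now, max_idle=timedelta(hours=1)):
    """Sessions still listed but silent for longer than max_idle."""
    return [f'{s["User ID"]}/{s["Device Name"]}' for s in sessions
            if now - s["last_seen"] > max_idle]


def multi_device_users(sessions):
    """Users holding live sessions from more than one device at once."""
    devices = defaultdict(set)
    for s in sessions:
        devices[s["User ID"]].add(s["Device Name"])
    return sorted(user for user, devs in devices.items() if len(devs) > 1)


def assigned_ip_collisions(sessions):
    """Assigned IPs that appear in more than one live session."""
    users = defaultdict(list)
    for s in sessions:
        users[s["Assigned IP"]].append(s["User ID"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}


def review(text, now):
    """Run all checks; `now` may be a datetime or a string in TIME_FORMAT."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FORMAT)
    sessions = load_sessions(text)
    return {
        "idle": idle_sessions(sessions, now),
        "multi_device": multi_device_users(sessions),
        "ip_collisions": assigned_ip_collisions(sessions),
    }


if __name__ == "__main__":
    report = review(SAMPLE_CSV, "2024-05-02 12:00:00")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The idle threshold is the one value to tune per site: a session that is listed but has not communicated for longer than the site's expected keepalive interval is usually a client that disconnected uncleanly, and its assigned IP and access rights persist until it is terminated in the console.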