Controlling Access to Customer Cloud or On-Prem Resources through a |product_name| Gateway
=================================================================================================

When a |product_name| Sensor is configured as a |product_name| Gateway, it can be deployed in a Customer Cloud or On-Prem to control remote access to Cloud or On-Prem Resources. Combined with the |product_name| Client feature embedded within the Genian |product_name| Agent, a secure connection is established between a remote endpoint and the |product_name| Gateway. After a user is successfully authenticated, only the access defined by the administrator is available; any other connection attempt is discarded by the |product_name| Gateway.

Deploying the |product_name| Sensor in a Customer Cloud or On-Premises
------------------------------------------------------------------------------

Skip this step if you have already installed a |product_name| Sensor in your Cloud or On-Prem. For instructions on how to install a |product_name| Sensor in a Customer Cloud or On-Prem, see :doc:`/install/installing-genian-nac`.

Create On-Prem Site
--------------------

.. note:: The On-Prem Infrastructure type is used for any non-AWS Cloud environment.

#. From the top menu, navigate to System > Site
#. Click Tasks then Create
#. Enter a Name for the site (ex. 'Corp Hub')
#. For Infrastructure select On-Prem
#. For Type select Hub or Branch (typically Hub if this is the first Gateway you have deployed)
#. For Network Address enter the network address for the On-Prem or Cloud network (ex. 10.0.0.0/16 or 172.31.16.0/20)
#. Click Save

Enable |product_name| Client in On-Prem Site
----------------------------------------------------

#. From the top menu, navigate to System > Site
#. Click on the desired Site Name
#. Under |product_name| Client, set Status to 'Enabled'
#. Leave the Network field blank to auto-assign an IP pool for remote endpoints connecting to the |product_name| Gateway
#. Click Save

Add the |product_name| Connection Manager Agent Action to Node Policy
-----------------------------------------------------------------------------

#. From the top menu, navigate to Policy > Node Policy and click on the applicable Node Policy (the Default Node Policy may be used unless you want a specific Node Policy for remote users)
#. Under Authentication Policy, change Authentication Method from Password Authentication to Host Authentication
#. Scroll down to the Agent Action section and click Assign
#. Select '|product_name| Connection Manager' by moving it from the Available window to the Selected window, then click Update
#. Click on the name of the Node Policy
#. Scroll down and click on the |product_name| Connection Manager Agent Action
#. Under the Plugin section, click Assign to the right of the Site window
#. Select the site that users will connect to remotely through the |product_name| Gateway using the |product_name| Client
#. Click Update, then click the blinking Apply in the upper right-hand corner

Set |product_name| Sensor to Gateway (In-Line) Mode
-----------------------------------------------------------

#. From the top menu, navigate to System
#. Click on the Sensor IP
#. Click on the Sensor tab
#. For the eth0 interface, in the far-right Settings column, click on Sensor
#. Under Sensor Operation, change Sensor Mode from Host to Inline and change Mirror Operating Scope from Local to Global
#. Scroll down and click Update

Install Genian |product_name| Client and Verify Access
--------------------------------------------------------------

.. note:: The |product_name| Client connects to the |product_name| Gateway over TCP 443 and 1194 and UDP 3870 and 3871, so these ports must be opened from the public IP of the end user's device to the public IP of the |product_name| Gateway. Update firewall rules and security groups accordingly, and open no other ports toward the Gateway.

#. Create a test account for remote access under Management > User > Tasks > Add User
#. Browse to https://yoursite.genians.net/agent
#. Click the Download button and follow the prompts to install the Agent
#. Once installed, right-click on the Agent icon, select Network Access and click Connect
#. Enter the username and password created in the step above
#. The |product_name| Client should pop up a message indicating you are now connected and showing the IP assigned to the connection
#. All traffic from the endpoint is now routed through the |product_name| Gateway, and only the access defined by the administrator for the assigned site is permitted
#. The remote session information can be viewed under System > Site > |product_name| Client
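The firewall note above lists the four ports the Client needs but leaves the rule syntax to the reader. The following POSIX shell script is an added example, not Genian's code or documentation: it emits the AWS security-group commands (for an AWS-hosted Gateway) and the equivalent nftables rules (for an on-prem edge firewall) that open exactly those ports toward the Gateway from a known client source, and it refuses to generate a rule whose source is the whole Internet. The security group ID, the ``inet filter input`` chain, and the 203.0.113.10 / 198.51.100.20 addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Genian's code): emit firewall rules that open only the
# ports the Client needs on the Gateway's public address, restricted to a
# known client source. The port list is from the note above; the group id,
# nftables chain and IP addresses are constructed placeholders.
set -eu

TCP_PORTS="443 1194"
UDP_PORTS="3870 3871"

# refuse_open_world CIDR: fail when the source would be the whole Internet.
refuse_open_world() {
  case "$1" in
    0.0.0.0/0|::/0|0.0.0.0|"")
      echo "refusing to open gateway ports to any source: '$1'" >&2
      return 1 ;;
  esac
  return 0
}

# aws_sg_rules SG_ID SRC_CIDR: one ingress command per port/protocol pair.
aws_sg_rules() {
  sg=$1; src=$2
  refuse_open_world "$src" || return 1
  for p in $TCP_PORTS; do
    echo "aws ec2 authorize-security-group-ingress --group-id $sg --protocol tcp --port $p --cidr $src"
  done
  for p in $UDP_PORTS; do
    echo "aws ec2 authorize-security-group-ingress --group-id $sg --protocol udp --port $p --cidr $src"
  done
}

# nft_rules SRC_CIDR GW_IP: nftables rules for an on-prem edge firewall.
# Assumes an existing table 'inet filter' with an 'input' chain.
nft_rules() {
  src=$1; gw=$2
  refuse_open_world "$src" || return 1
  tcp=$(echo $TCP_PORTS | tr ' ' ',')   # "443,1194"
  udp=$(echo $UDP_PORTS | tr ' ' ',')   # "3870,3871"
  echo "nft add rule inet filter input ip saddr $src ip daddr $gw tcp dport { $tcp } accept"
  echo "nft add rule inet filter input ip saddr $src ip daddr $gw udp dport { $udp } accept"
}

# Demo: a tester at 203.0.113.10 reaching a Gateway at 198.51.100.20
# (both TEST-NET documentation addresses). Run with: sh rules.sh demo
if [ "${1:-}" = "demo" ]; then
  aws_sg_rules sg-0123456789abcdef0 203.0.113.10/32
  nft_rules 203.0.113.10/32 198.51.100.20
fi
```

The script prints the commands rather than executing them so the rule set can be reviewed (or pasted into change control) before it touches a security group or firewall. If remote users have dynamic addresses and a per-user source is impractical, widen the source deliberately with a separate rule, but keep it limited to exactly these four ports; the Gateway still authenticates every session, but nothing else on the host should be reachable from outside.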
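The "connected" pop-up only proves that the tunnel came up; the security claim in this page is that the Gateway passes the access the administrator defined and discards everything else. The following script is an added example, not part of the original page or Genian's tooling, for checking that from the remote endpoint after step 6: it confirms that a destination is routed over the tunnel interface and then probes a list of host:port pairs, each tagged with the result you expect. The 10.0.5.20 file server, the 10.0.5.30 database and their ports are constructed placeholders; substitute resources from your own site.

```shell
#!/bin/sh
# Added example (not Genian's code): once the Client reports "connected",
# check that the Gateway permits only the administrator-defined access and
# silently drops everything else. Hosts and ports below are constructed
# placeholders for a lab; IPv4 addresses or hostnames only.
set -eu

# tcp_open HOST PORT [TIMEOUT]: 0 if a TCP connect completes, 1 otherwise.
# Access the Gateway discards shows up as a *timeout*, not a refusal, so the
# probe must be time-bounded or a denied resource will hang the check.
tcp_open() {
  host=$1; port=$2; t=${3:-3}
  timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# verify_access SPEC...: each SPEC is HOST:PORT:allow or HOST:PORT:deny.
# Prints one line per spec; returns 0 only if every observation matched.
verify_access() {
  rc=0
  for spec in "$@"; do
    host=${spec%%:*}; rest=${spec#*:}
    port=${rest%%:*}; want=${rest#*:}
    if tcp_open "$host" "$port"; then got=allow; else got=deny; fi
    if [ "$got" = "$want" ]; then
      echo "OK    $host:$port $got"
    else
      echo "FAIL  $host:$port expected $want, got $got"; rc=1
    fi
  done
  return $rc
}

# route_via_tunnel DEST: 0 if the kernel routes DEST over a tun/tap device,
# i.e. the packets will actually traverse the Gateway (Linux 'ip route get').
route_via_tunnel() {
  ip route get "$1" 2>/dev/null | grep -qE ' dev (tun|tap)[0-9]+'
}

# Lab usage (placeholders): an allowed file server, a database the site
# policy does not expose, and a public host to prove the full-tunnel route.
# Run with: sh verify.sh demo
if [ "${1:-}" = "demo" ]; then
  route_via_tunnel 1.1.1.1 && echo "default route goes through the tunnel"
  verify_access 10.0.5.20:445:allow 10.0.5.30:5432:deny
fi
```

A denied resource that comes back ``allow`` usually means the Connection Manager Agent Action was assigned the wrong site, or the Gateway is still in Host rather than Inline mode; a supposedly allowed resource that comes back ``deny`` after the 3-second timeout most often means the four ports in the note above are not open end to end.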