.. _ztna-client:

.. role:: raw-html(raw)
   :format: html

ZTNA-Client
===================
| ZTNA-Client is a feature that allows remote users (branch offices, home offices, mobile, etc.) to securely access designated site resources via SSL-based VPN tunnels in a ZTNA environment.
| It is primarily used with the ZTNA Agent. In environments where agent installation is difficult (lack of permissions, servers, special OS, etc.), connection is possible via an OpenVPN compatible client.
| This implements consistent security policy enforcement, session visibility, and centralized access control.
How to Configure ZTNA-Client
------------------------------
Before configuring ZTNA-Client, you must first proceed with :ref:`Site Settings `.
1. Change **ZTNA-Client Application Mode** to **Enabled** and proceed with detailed settings.

.. csv-table::
   :header: "Feature Name", "Description and Sub-options", "Description"
   :widths: 8, 20, 50

   "SDP", "Secures remote access and uses the Connection Manager.", ""
   "Connection Manager", "Select the VPN to use for network connection (Genian ZTNA, Axgate VPN, SSLPNS).", ""
   "", "Client Network", "Set the management sensor to manage clients."
   "", "Use Virtual Network", "By default, the sensor's management network is used, but when set to On, a virtual network is used."
   "", "VXLAN Tunneling", "Supports VXLAN connection between gateway sensors so that devices connecting to different ZTNA Gateways can use the same IP."
   "", "Access Network", "Specify the network range that the ZTNA Client will access. If unspecified, all networks are connected through the ZTNA Client tunnel."
   "", "Static IP", "Fixes the user's IP."
   "", "Isolation", "Access from outside and direct communication between other users are blocked."
   "", "OpenVPN Compatibility", "Provides a Config file usable with OpenVPN."
   "", "Custom Server Domain", "Set the server domain name or IP for the ZTNA Client to connect to. If not set, the sensor's IP or the gateway's public IP is automatically used."
   "", "External Certificate", "Set a trusted external certificate for the server domain that the ZTNA Client will connect to."

.. note:: When changing ZTNA-Client to use a virtual network, a TAP interface is created on the ZTNA sensor, and the Client IP is set via DHCP through the TAP interface.
2. To connect using SDP, separately configured SDP settings must be entered.
| Reference : :ref:`understanding-sdp`

.. csv-table::
   :header: "Feature Name", "Description"
   :widths: 15, 50

   "Controller Domain", "Enter the connection domain of the SDP Controller."
   "Controller Secret", "Enter the secret key for authenticating to the SDP Controller."
   "SPA Port", "Enter the port number for the client to send SPA (Single Packet Authorization) to SDP upon initial access."
   "User Authentication Port", "Enter the port number to perform user authentication procedures after SPA transmission."
   "Authentication Method", "Select the authentication method used to perform user authentication after SPA transmission (User Authentication, Certificate + User Authentication)."

3. Add **ZTNA Connection Manager** to **Node Policy - Node Action**.
4. In the **ZTNA Connection Manager** node action settings, click **Assign** and add the site created earlier.
5. Go to **System - Sensor**, click the sensor, then go to **Sensor Settings - Node tasks** and open the sensor settings of the interface used by the sensor (**Existing Interface, Created TAP Interface**). Set **Sensor Operation Mode** to **Inline** and **Operation Scope** to **Global**.
.. note:: If Inline and Global modes are not set, ZTNA-Client packets may not be processed correctly.
6. Install the agent. [ \https://Policy Server IP/agent ]
7. Right-click Agent - **Network Access** - Click the configured **Site** name.
8. Enter user information and click **Connect**.
How to Check ZTNA-Client Sessions
----------------------------------
Once connected to the site via the Agent or OpenVPN client, you can check the sessions accessing each site in the Web Console.
- Click **System - Site**, and click the number in the ZTNA-Client tab on the screen displayed in the Web Console to check the sessions connected to that site.
- In the **ZTNA Client Sessions** screen, you can check the connected **User ID, Hub Name, Device Name, User IP, Assigned IP, Packet Volume, Packet Count, Creation Time, and Last Communication Time**.
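
The session fields listed above are enough for a periodic access review. The following is an added example, not part of the product or its documentation: it assumes the session rows have been transcribed into CSV with those field names as column headers and ISO 8601 timestamps, and the function name ``review_sessions`` and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real data). Column names follow the fields the
# ZTNA Client Sessions screen lists; the CSV layout and the ISO timestamp
# format are assumptions made for this example.
SAMPLE = """User ID,Device Name,User IP,Assigned IP,Creation Time,Last Communication Time
alice,LAPTOP-A,203.0.113.10,10.8.0.2,2024-05-01T09:00:00,2024-05-01T11:58:00
alice,PHONE-A,198.51.100.7,10.8.0.3,2024-05-01T10:30:00,2024-05-01T11:59:00
bob,LAPTOP-B,192.0.2.44,10.8.0.4,2024-05-01T08:00:00,2024-05-01T08:05:00
carol,LAPTOP-C,192.0.2.45,10.8.0.4,2024-05-01T11:00:00,2024-05-01T11:57:00
"""


def review_sessions(csv_text, now, idle_limit=timedelta(hours=1)):
    """Return review findings as a sorted list of (kind, subject) tuples."""
    source_ips = defaultdict(set)  # User ID -> distinct User IPs seen
    holders = defaultdict(set)     # Assigned IP -> User IDs holding it
    findings = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["User ID"]
        source_ips[user].add(row["User IP"])
        holders[row["Assigned IP"]].add(user)
        last_seen = datetime.fromisoformat(row["Last Communication Time"])
        # A session with no traffic for longer than idle_limit is still open.
        if now - last_seen > idle_limit:
            findings.add(("idle-session", f"{user}@{row['Device Name']}"))
    # One account connected from several source addresses at the same time.
    for user, ips in source_ips.items():
        if len(ips) > 1:
            findings.add(("multiple-source-ips", user))
    # One tunnel address listed for more than one account.
    for ip, users in holders.items():
        if len(users) > 1:
            findings.add(("shared-assigned-ip", ip))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in review_sessions(SAMPLE, datetime(2024, 5, 1, 12, 0)):
        print(f"{kind}: {subject}")
```

Each finding is a prompt for review against the site's policy (for example, whether a user is expected to have two devices connected), not a verdict.
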
Related Links
-------------
- To use 2-Factor Authentication, refer to the :ref:`passkeys-ztna-client` document.
- To use SAML Authentication, refer to the :ref:`saml-ztna-client` document.