A Service refers to a server that is made accessible through CoIP Access ZTNA or an Access Policy, but onboarded through a Gateway Proxy, rather than the zLink agent.
The Gateway Proxy is a proxy for remote access traffic that terminates and filters ZTNA access. Since it is an agentless ZTNA model, it cannot provide Application Chamber functions.
Examples of Services you might make accessible through a Gateway Proxy include:
On-prem LDAP services
The corporate on-prem git repository
Applications running on unsupported architectures (e.g. OS/2 or VMS)
Embedded / IoT devices (e.g. IP cameras)
To onboard a Service, you must first create a Gateway Proxy in your network; once that is done, you can define Services to be exposed through that Gateway Proxy.
Deploying a Gateway Proxy
The process of deploying a Gateway Proxy is very similar to deploying a zLink agent on a server. The Gateway Proxy is a Linux appliance and must be deployed on a supported operating system (see Supported Operating Systems for details).
The Gateway Proxy deployment package is downloadable from the zCenter services portal. From Onboarding and Management > Services, click on Onboard Service and select Register Gateway Proxy to bring up the following window, which allows you to generate the installation package.
Once you have run the installer on the Gateway Proxy VM, you will see the Gateway Proxy in the list of available Gateway Proxies:
Creating a Service
Once you have deployed a Gateway Proxy, you may create a Service on that Gateway Proxy by selecting the target Gateway Proxy.
Then click Add Resource / Server to define a Service. The dialog box that comes up allows you to define the physical address for the target server, as well as the CoIP Address to be used to reference it.
The example below shows how an LDAP server with an IP address of 10.180.0.2 is configured to be accessible from remote hosts at the address 172.24.4.2.
You may then specify the ports on which this Service is accessible by specifying Service Port Objects or Service Port Object Groups. Specifying a Service Port Object Group filters remote access to the Service so that only the ports and protocols defined in the Service Port Object(s) are allowed.
Exposing a Service for Access
Once you have created a Service, you may grant access to it for Users, based on User Role, from an Application, or from another Service by creating an Access Policy.
Application traffic to the Service target on the physical network will be proxied through the Gateway Proxy. This means that on the physical network, application traffic will use the Gateway Proxy’s physical IP address as the source address.
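The following Python model is an added illustration written for this page, not Zentera's code, and ties the steps above together: a Service maps a CoIP address to a physical address, a Service Port Object Group acts as a port/protocol allow-list, an Access Policy grants a User Role access, and a permitted flow leaves the proxy with the Gateway Proxy's physical IP as its source address. It reuses the page's LDAP example (physical address 10.180.0.2, CoIP address 172.24.4.2); the gateway's physical IP 10.180.0.10, the role name, the port set and every class and function name are assumptions. The model denies anything not in the port group; how the product behaves when no group is specified is not stated on the page and is not modelled.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServicePortObject:
    """One allowed protocol/port pair (a Service Port Object)."""
    protocol: str  # "tcp" or "udp"
    port: int


@dataclass
class Service:
    """A server exposed through the Gateway Proxy."""
    name: str
    coip_address: str        # address remote hosts use to reach it
    physical_address: str    # address on the on-prem network
    port_group: frozenset    # Service Port Object Group (allow-list)


@dataclass(frozen=True)
class AccessPolicy:
    """Grants a User Role access to a named Service."""
    role: str
    service: str


@dataclass
class GatewayProxy:
    physical_ip: str
    services: dict = field(default_factory=dict)   # coip_address -> Service
    policies: set = field(default_factory=set)

    def add_service(self, svc: Service) -> None:
        self.services[svc.coip_address] = svc

    def grant(self, role: str, service_name: str) -> None:
        self.policies.add(AccessPolicy(role, service_name))

    def evaluate(self, user_role: str, dst_coip: str, protocol: str, port: int) -> dict:
        """Decide one connection attempt and describe what the backend would see."""
        svc = self.services.get(dst_coip)
        if svc is None:
            return {"allowed": False, "reason": "no Service defined at this CoIP address"}
        if AccessPolicy(user_role, svc.name) not in self.policies:
            return {"allowed": False, "reason": f"no Access Policy grants role {user_role!r}"}
        if ServicePortObject(protocol, port) not in svc.port_group:
            return {"allowed": False,
                    "reason": f"{protocol}/{port} not in Service Port Object Group"}
        # Permitted: the proxy opens its own connection, so the backend sees
        # the Gateway Proxy's physical IP as the source, not the user's.
        return {
            "allowed": True,
            "reason": "permitted by Access Policy and Service Port Object Group",
            "user_role": user_role,            # only the proxy knows this
            "physical_src": self.physical_ip,
            "physical_dst": svc.physical_address,
            "protocol": protocol,
            "port": port,
        }


def backend_view(decision: dict) -> str:
    """What a log line on the target server shows for a permitted flow:
    the Gateway Proxy's IP, with no trace of the user or role."""
    if not decision["allowed"]:
        return ""
    return (f"{decision['protocol']} {decision['physical_src']} -> "
            f"{decision['physical_dst']}:{decision['port']}")


def build_example() -> GatewayProxy:
    """Constructed setup using the page's LDAP example. The gateway's own
    physical IP (10.180.0.10), the role name and the port set are assumptions."""
    gw = GatewayProxy(physical_ip="10.180.0.10")
    ldap = Service(
        name="corp-ldap",
        coip_address="172.24.4.2",
        physical_address="10.180.0.2",
        port_group=frozenset({ServicePortObject("tcp", 389),
                              ServicePortObject("tcp", 636)}),
    )
    gw.add_service(ldap)
    gw.grant("ldap-admins", "corp-ldap")
    return gw


if __name__ == "__main__":
    gw = build_example()
    for role, dst, proto, port in [
        ("ldap-admins", "172.24.4.2", "tcp", 636),   # permitted
        ("ldap-admins", "172.24.4.2", "tcp", 22),    # port not in the group
        ("guests", "172.24.4.2", "tcp", 389),        # no policy for this role
        ("ldap-admins", "172.24.4.3", "tcp", 389),   # no such Service
    ]:
        d = gw.evaluate(role, dst, proto, port)
        print(f"{role:12} -> {dst}:{port}/{proto}: {'ALLOW' if d['allowed'] else 'DENY'}"
              f"  ({d['reason']})  backend sees: {backend_view(d) or '-'}")
```

The `backend_view` output is the practical consequence of the source-address behaviour described above: the target server's own logs attribute every proxied connection to the Gateway Proxy, so per-user attribution and audit correlation have to be done from the access decisions recorded on the proxy side, not from the backend's logs.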