About Applications
CoIP Access ZTNA and Application Chambers work with a logical construct called an Application. An Application denotes a group of servers that will be managed identically from a policy perspective. For example, an Access Policy granting access for users of a given User Role to an Application will apply identically to all endpoints belonging to the same Application.
Examples of Applications might be:
All Apache servers for a web application
All backend database servers serving multiple web applications
A collection of servers in a branch office
The actual role of the server is not important; all of the servers in an Application will inherit the same Access and Chamber Policies, so you can use the Application construct however best helps you manage your policies.
Endpoints can be onboarded without being assigned to an Application; for example, remote desktop targets do not need to be assigned to an Application.
You may change an endpoint’s Application at any time, but an endpoint can be assigned to at most one Application at a time.
Creating an Application
Applications are scoped by App Profile; ensure you have the correct App Profile selected before proceeding.
To create an Application, navigate to Onboarding and Management > Applications and select “Onboard Application +”.
Give the Application a name which describes its purpose. Then, choose whether you would like to use CoIP Overlay addressing or Physical Addressing for referring to servers in this Application.
The zLink agent listens to and sends overlay traffic from a specific overlay IP address. If CoIP Overlay addressing is selected, each server will be assigned an address in the specified subnet. If Physical Addressing is selected, overlay traffic will be sent/received using the server’s physical IP address. These settings only affect overlay traffic between servers, and do not affect physical network traffic.
The benefit of CoIP addressing is that you may choose a completely unused subnet, so that all endpoints in all physical networks will be able to use a common overlay IP address to reach servers in this Application.
Using a physical IP address may work for simple or existing deployments, but if endpoints in many physical domains are connected together, Overlay Addressing can help to resolve potential IP address conflicts.
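The address-planning check behind this choice, as an added example (not Zentera code, and not part of the original page): it reports physical subnets that overlap between sites, tests a candidate overlay subnet against every site, and picks the first unused subnet from a pool. The site names, subnets and pool range are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample inventory: physical subnets per site (not from the page).
PHYSICAL_SUBNETS = {
    "hq-dc": ["10.0.0.0/16", "192.168.10.0/24"],
    "branch-office": ["192.168.10.0/24", "172.16.4.0/22"],
    "cloud-vpc": ["10.0.128.0/20"],
}

def _networks(inventory):
    """Flatten the inventory into (site, ip_network) pairs."""
    return [(site, ipaddress.ip_network(cidr))
            for site, cidrs in inventory.items() for cidr in cidrs]

def physical_conflicts(inventory):
    """Pairs of sites whose physical subnets overlap; servers there could
    collide if Physical Addressing were used across both domains."""
    nets = _networks(inventory)
    found = []
    for i, (site_a, net_a) in enumerate(nets):
        for site_b, net_b in nets[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                found.append((site_a, str(net_a), site_b, str(net_b)))
    return found

def overlay_collisions(candidate, inventory):
    """Physical subnets that overlap a candidate overlay subnet."""
    cand = ipaddress.ip_network(candidate)
    return [(site, str(net)) for site, net in _networks(inventory)
            if net.version == cand.version and net.overlaps(cand)]

def first_unused(pool, prefixlen, inventory):
    """First subnet of the given size inside `pool` that no site uses.
    The pool is an assumption chosen by the administrator."""
    for subnet in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not overlay_collisions(str(subnet), inventory):
            return str(subnet)
    return None
```

An empty result from overlay_collisions means the candidate subnet is unused in every listed physical network, which is the property the overlay subnet needs.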
Onboarding Servers to an Application
The process of onboarding servers to an Application is basically the same as onboarding a remote desktop target, with a slight variation.
When a server configured with the default package downloaded from Onboarding and Management > Manage Servers comes online, it is not automatically associated with an Application. To associate it, you must move the server (either manually or through the API) into the target Application.
The Onboarding and Management > Application view allows you to download a package which is pre-configured with the Application detail; once the zLink agent is installed, no further administrator action is needed to begin enforcing Access Policies or Chamber Policies.
To onboard a server directly into an Application, download and install the zLink installation package from within the target Application. Select the target architecture and installation method, and click “Generate Package” to continue.
A URL-downloadable package is only available for 20 minutes; after this time, the URL will expire and must be re-generated.
You may reuse the package downloaded from the zCenter services portal to install it on other machines as needed. However, as Zentera releases new features, the zLink agent version available on the portal will be updated; consider always downloading from the portal before installation as a best practice.
The installed zLink agent provides all endpoint features, including ZTNA (remote desktop access, Secure Shell, and network mode) and Application Chambering.
Once you have downloaded the package, run the installer on the server to be onboarded.
Verifying installation
Once the installation process completes, the server appears in the Application detail view (Onboarding and Management > Applications). The presence indicator shows that the zLink agent is running and is able to connect to Zentera Air services.
You will also see the machine in the global Manage Servers view.
Moving a server to a new Application
You may move a server to a new Application, or remove it from any Application, by clicking on the hostname to open the Server Details. From this view, click the Move Server button at the bottom of the window, and select the destination Application for this server.
Offboarding a server
You may also temporarily offboard a server from an Application from Onboarding and Management > Applications. Select the Application containing the server, then slide the radio button under Actions to the off position. This temporarily removes the server from the Application and removes any security policies associated with that Application (e.g. Access Policies or Chamber Policies), but does not change its availability as an access target for Remote Desktop or Secure Shell.
You may permanently offboard a server from CoIP Platform at any time by clicking the trash can icon, or by running the uninstaller bundled with the zLink download package on the server.