This article outlines the steps required to onboard a User, a Server, and a single Remote Desktop Access Policy.

This article assumes the following:

• The access mode is for a single User to access a single Server via a dedicated Access Policy

• zCenter Application Profile and Application is already configured

• The reader is familiar with the fundamentals of the zCenter APIs and the Zapy SDK toolkit

For more detailed information, refer to the following documents:

• Zapy User Guide: https://support.zentera.net/hc/en-us/articles/10774249444759 

• Zapy Python SDK Tarball: https://support.zentera.net/hc/en-us/articles/8268912221719

• 8.1.x API Document: https://support.zentera.net/hc/en-us/articles/8910790615831

Additionally, each CLI python script accepts --help option to show parameter details.

Onboarding Linux Server or VM

Agent installation on a Linux server can be automated by first generating a URL.  The URL references a unique installation package, which includes the mapping to a specific Application Profile and Application (sometimes also referred to as Server Group).  This mapping, after installation will automatically activates the pre-configured Chamber Policies for that Application.

Script

zapy/scripts/generate_ep_installer.py

Usage:

zapy/scripts/generate_ep_installer.py --ccred <credential-file> --app_profile <application-profile-name> --app <application-name>

Notes:

• Each generated URL has a limited expiration time, which is configurable in Advanced Management > API Management > Token Settings > Tokens for zLink Package Download

• This script generates both a URL, as well as a bash script that can be run on the target server, or even during cloud instance launch phase with tools such as cloud-init

Configure ZNS Cluster for Remote Desktop Access

It may be necessary to manually assign the ZNS Cluster for a given server.  This assignment affects the secure tunnels for User Access Policies such as Remote Desktop, Port-Mapped Applications, or Secure Shell.

Script

zapy/cli/zc_v36/end_server_set_zns_cluster.py

Usage:

zapy/cli/zc_v36/end_server_set_zns_cluster.py --ccred <credential-file>  --end_server_id <server-id> --zns_cluster_id <zns-cluster-id>

Notes:

• For Overlay Network Access policy types, such as Application-to-Application, or Application-to-Service, the ZNS Cluster selection is done per Access Policy as opposed to per server

• To retrieve the list of ZNS clusters and IDs, use the following CLI:

  • zapy/cli/zc_v36/customer_list_zns_clusters.py --ccred <credential-file>

• A new capability will be available starting with zCenter version 8.1.5, where it will be possible to assign the ZNS Cluster for Remote Desktop Access Policies for an entire Application.  Once this capability is available, this automation step may become obsolete or unnecessary for most configurations.

Onboarding User

User creation has various options, which correspond to the fields generally entered in admin portal.

Script

zapy/cli/zc_v36/user_create.py

Usage:

zapy/cli/zc_v36/user_create.py --ccred <credential-file> --account <account-name> --auth_type external --first_name <first> --last_name <last> --email <email>

Notes:

• Each account name must be unique

• Use --auth_type external for external IdP authentication, if configured

Onboarding User Role

User Roles are required for attaching User Access Policies.  Multiple users may be added to a User Roles.

Scripts

zapy/cli/zc_v36/user_role_create.py
zapy/cli/zc_v36/user_role_add_user.py

Usage:

zapy/cli/zc_v36/user_role_create.py   --ccred <credential-file> --user_role_name <user-role-name>
zapy/cli/zc_v36/user_role_add_user.py --ccred <credential-file> --user_role_id <user-role-id> --account <account>

Configure Remote Desktop Access Policy

Remote Desktop Access Policy is added to a User Role.  Since there are several sub-types of the Remote Desktop Access Policy, the below is an example and should be reviewed/adapted for the specific needs and use case.  Following options are available:

• VNC/RDP - Use --connect_view option.  The specific VNC or RDP access is provisioned  automatically depending on the OS, Windows target servers get RDP, Linux/Mac target servers get VNC

• NoMachine - Use --no_machine option

• SecureShell - Use --secure_terminal option

• For VNC Invite - Use --vnc_invite option

Scripts

zapy/cli/zc_v36/user_role_add_virtual_desktop_acl.py

Usage:

zapy/cli/zc_v36/user_role_add_virtual_desktop_acl.py --ccred <credential-file> --user_role_id <user-role-id> --end_server_id <server-id> --connect_view --server_func accessServer

Notes

• Option --server_func {accessDesktop,accessServer}   is dependent on the type of license used

Off-boarding

To off-board, the following steps are required, other zCenter records, including the Access Policy are removed implicitly.

• Remove User record

  • zapy/cli/zc_v36/user_delete.py --ccred <credential-file> --account <account>

• Remove User Role record

  • zapy/cli/zc_v36/user_role_delete.py --ccred <credential-file> --user_role_id <user-role-id> 

• Remove Server record

  • zapy/cli/zc_v36/end_server_unregister.py --ccred <credential-file> --end_server_id <server-id>