In This Section
Overview
This section gives an overview of the User Interface of the zCenter Admin Portal and brief descriptions of the major menus.
The zCenter Admin Portal is a web-based portal hosted on a CoIP Controller Appliance. As shown in Figure 1, the Portal is split into four primary sections. The first of these is the menu on the left. Made up of Major and submenu items, this section selects the view on the right-hand side of the page. The Major menu displays submenus, each controlling a portion of the Portal. This article focuses on the major menu area on the left (outlined in red), with a brief description of what each menu item does. Look for links in some of the descriptions for more information on those items.
zCenter Admin Portal
Service Management
This section defines the service settings of your CoIP Controller. Visible only to Service Admins, it is used for initial configuration and maintenance of the Controller Appliance (along with the zCLI).
This menu selection is only visible to users with Service Admin role capabilities.
Service Domain Name
Sets the domain name (base URL) for the CoIP Controller. This allows Admins to access the Management Interface with a browser using:
https://<your_service_domain_name>/zCenter
You can optionally configure Alternate Domain Names here too.
Service Domain Name
Accessing the zCenter portal page
Browsing to the root page at https://<your_service_domain_name> returns a 404 error. If you receive this, append zCenter to the end of your URL.
License
Licenses are stored on zCenter. This page lets a user view the Issue and Expiration Dates, the total number of licenses, the number in use and the number available. It also allows importing and updating license files. New licenses and renewals can only be obtained from Zentera.
Selecting Import License offers two choices, Upload license file saved locally or Download license file from URL; which one you use depends on how your licenses were delivered by Zentera. In some cases, customers request that the license file itself be delivered by email (or another mechanism). Alternatively, licenses can be made available for URL retrieval from your local license service or from Zentera.
License Summary
Please contact Zentera on best practices for license file management.
Settings
This section contains options allowing admins to configure:
zCenter admin portal access restrictions (specific whitelisted IP addresses)
Manage Two-Factor Authentication modes for both Admins and CoIP Access users
Configure Disk Space Alerts
Configure log size management options to prevent log flooding
System Settings
Admin Portal Whitelisting
For enhanced security, zCenter allows administrators to specify a whitelist of source IP addresses of machines that are allowed to connect to the zCenter Admin Portal. Because many deployments assign a public address to the zCenter appliance, this extra measure blocks access from unauthorized hosts. Include the address you are currently administering from before enabling the whitelist, otherwise you can lock yourself out of the Portal.
Two-Factor Authentication
Two-Factor Authentication adds another layer of defense by using an out-of-band credential, with email as the second factor. When enabled, the requestor receives a time-limited verification code that must be entered together with the Admin account and password in order to log in.
The history of logins can be found in the History section later in this document.
Two-Factor can be set individually for Admins and for CoIP Access Users. You can Enable / Disable Two-Factor and set the Verification Code life time from 1 to 30 minutes; once the code expires the user has to log in again.
Email-based Two-Factor Authentication requires the Mail Sender and Email Notifications to be configured under Service Management.
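The following is an added illustration of the mechanism this setting configures, not code from zCenter or Zentera: a one-time code is issued after the password step, emailed out of band, and accepted only within the configured lifetime and only once. The six-digit code length, the attempt limit and the usernames are assumptions; the page documents only the 1 to 30 minute lifetime.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
MAX_ATTEMPTS = 5  # assumption: the page does not state zCenter's attempt limit


@dataclass
class PendingLogin:
    code: str           # the value that would be emailed through the Mail Sender
    expires_at: float   # absolute time; lifetime comes from the Verification Code life time setting
    attempts: int = 0
    used: bool = False


class EmailSecondFactor:
    """Second step of a login: issue a one-time code, then verify it within its lifetime.

    The password step is assumed to have succeeded before issue() is called.
    """

    def __init__(self, lifetime_minutes: int, now: Callable[[], float] = time.time):
        # the Portal only accepts 1..30 minutes for the code lifetime
        if not 1 <= lifetime_minutes <= 30:
            raise ValueError("verification code lifetime must be between 1 and 30 minutes")
        self.lifetime = lifetime_minutes * 60
        self.now = now
        self.pending: Dict[str, PendingLogin] = {}

    def issue(self, username: str) -> str:
        """Create a fresh code for this login; any earlier unverified code is discarded."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[username] = PendingLogin(code=code, expires_at=self.now() + self.lifetime)
        return code

    def verify(self, username: str, submitted: str) -> str:
        """Return "ok" or the reason the code was rejected."""
        p = self.pending.get(username)
        if p is None:
            return "no_pending_login"
        if p.used:
            return "already_used"          # a code is single use; replay is refused
        if self.now() > p.expires_at:
            del self.pending[username]     # the user has to log in again to get a new code
            return "expired"
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self.pending[username]     # stop online guessing of a six-digit code
            return "too_many_attempts"
        well_formed = len(submitted) == CODE_DIGITS and submitted.isascii() and submitted.isdigit()
        if well_formed and hmac.compare_digest(p.code, submitted):
            p.used = True
            return "ok"
        return "wrong_code"
```

The two checks worth confirming in any email-code flow are the expiry, which is the lifetime set on this page, and the attempt limit: a six-digit code has only a million values, so the lifetime alone does not stop online guessing.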
Disk Space Alerts
Alerts can be configured to maintain the health of the underlying server. Over time the collection of security event logs grows, and in particularly noisy network environments, where thousands of packets flood the CoIP-protected resources, the logs can grow quickly.
In order for Disk Space Alerts to operate correctly you must configure the Mail Sender, and the Email Notifications sections of the Service Management section.
This section allows the Admin to configure alerts based on the amount of available disk space (first alert) as well as the threshold at which zCenter pauses security event logging so as not to cause a failure in production environments (critical alert).
Disk Space Alerts
This section shows the current status of the Controller appliance's disk space. The first three lines, Total Disk Space, Free Disk Space, and Used Disk Space, report the current conditions of the Controller's disk; these fields are updated as disk space changes.
The next two lines, both labeled Free Disk Space >, are thresholds. The first triggers an Email Notification of low disk space; the second, lower threshold causes the Controller to stop recording Security Logs automatically once it is crossed.
Contact Zentera Systems for best practices on managing zCenter controller disk space.
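As an added example (not Zentera code), the state machine below models the two Free Disk Space > thresholds described above and the four notifications they produce (Warning, Pause Security Log, Resume Security Log, Return to Normal, listed later under Email Notifications). The readings are constructed, and the hysteresis margin is an assumption added so that a disk hovering around a threshold does not send the same alert repeatedly; the page does not say whether zCenter applies one.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple

LEVEL = {"normal": 0, "warning": 1, "paused": 2}
STATE = {v: k for k, v in LEVEL.items()}

# Notifications emitted for each state change (from level, to level), in the order sent
TRANSITIONS = {
    (0, 1): ["Warning"],
    (1, 2): ["Pause Security Log"],
    (0, 2): ["Warning", "Pause Security Log"],   # one large write can cross both lines at once
    (2, 1): ["Resume Security Log"],
    (1, 0): ["Return to Normal"],
    (2, 0): ["Resume Security Log", "Return to Normal"],
}


@dataclass(frozen=True)
class DiskAlertThresholds:
    warn_free_gb: float         # first "Free Disk Space >" line: email the low disk space warning
    critical_free_gb: float     # second line: stop recording Security Logs
    hysteresis_gb: float = 0.0  # assumption: extra free space required before an alert clears

    def __post_init__(self) -> None:
        if self.critical_free_gb >= self.warn_free_gb:
            raise ValueError("critical threshold must be lower than the warning threshold")
        if self.hysteresis_gb < 0:
            raise ValueError("hysteresis must not be negative")


class DiskAlertMonitor:
    def __init__(self, thresholds: DiskAlertThresholds):
        self.t = thresholds
        self.state = "normal"

    @property
    def security_logging_paused(self) -> bool:
        return self.state == "paused"

    def _target(self, free_gb: float) -> int:
        t, cur = self.t, LEVEL[self.state]
        # escalate as soon as free space drops below a line ...
        if free_gb < t.critical_free_gb:
            return 2
        # ... but only clear once free space is a margin above it, to avoid flapping
        if cur == 2 and free_gb < t.critical_free_gb + t.hysteresis_gb:
            return 2
        if free_gb < t.warn_free_gb:
            return 1
        if cur >= 1 and free_gb < t.warn_free_gb + t.hysteresis_gb:
            return 1
        return 0

    def observe(self, free_gb: float) -> List[str]:
        """Feed one Free Disk Space reading; return the notifications it triggers."""
        cur, new = LEVEL[self.state], self._target(free_gb)
        self.state = STATE[new]
        return list(TRANSITIONS.get((cur, new), []))


def replay(thresholds: DiskAlertThresholds, readings: List[float]) -> List[Tuple[float, List[str]]]:
    """Run a series of readings through a fresh monitor and collect the events each one triggers."""
    mon = DiskAlertMonitor(thresholds)
    return [(r, mon.observe(r)) for r in readings]


if __name__ == "__main__":
    # constructed readings (GB free) on a controller with a 20 GB warning and a 10 GB critical line
    sample = [25, 19.5, 20.5, 21, 9, 10.5, 11, 30]
    for free, events in replay(DiskAlertThresholds(20, 10, hysteresis_gb=1), sample):
        print(f"{free:>5} GB free -> {events}")
```

Note the reading of 9 GB: it produces both the Warning and the Pause Security Log notification in one step, so a recipient who filters only on the Warning subject still learns that logging has stopped.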
Identity Services
zCenter supports SAML 2.0-based Identity Providers, LDAP directory services, and a local directory for administrator accounts. This section allows you to configure connections to your corporate LDAP or AD servers to authenticate zAccess users, as well as a connection to a SAML 2.0 based Identity Provider to authenticate zCenter admin users, including both Service admins and Customer admins.
Identity Services can apply to both Admin Accounts and CoIP Access User Accounts. To configure them for Admin Accounts, make sure the "Admin Account" tab is selected as shown below, then configure Directory Services and/or SAML 2.0 by selecting the corresponding tab. Only one of them can be selected in the "Authentication method for external Service Admin accounts" drop-down list. The same principle applies to CoIP Access User Accounts.
SAML-based authentication is currently supported only for admin accounts, not for CoIP Access User Accounts.
Directory Services
The Directory Services tab allows you to configure access to different services as needed by clicking the Create Directory Service button. The dialog that appears contains the information required to connect zCenter to your authorized LDAP / AD server.
Once you have configured the directory service, click Test to validate the settings. A positive result indicates that zCenter can talk to the LDAP / AD server.
Create Directory Service
Saving this configuration lists the new service.
Directory Services Table
zCenter supports multiple Corporate Directory services. They can all be configured and are listed in the table. Use the up and down arrows to change precedence, and the Save Precedence button to commit your changes to the system. You can edit an entry later with the Edit link in the list.
SAML 2.0
The SAML 2.0 tab allows you to configure an Identity Provider by clicking the New Identity Provider button.
Create Identity Provider
Once you enter the information for the Identity Provider, click Save to list the IdP in the SAML 2.0 table as shown below.
To establish the trust relationship between zCenter as a Service Provider and the IdP, you may need to provide the Service Provider information to the IdP administrator: click the View Service Provider Info button and collect the needed information as shown below.
View Service Provider Information
HA Status
This tab displays the current status of zCenter's High Availability system and configuration details. Information includes whether HA mode has been enabled, which HA mode is set on the current machine, the IP addresses for the Active and Standby machines, the Service IP for accessing zCenter, and the database binary log files.
HA for zCenter operates by maintaining two identical physical Controller Appliances configured for Active and Standby roles.
In normal operation, the Active controller handles requests for CoIP deployments. The Active also synchronizes the Standby with the most current state of the system (Master Database Replication).
The Standby monitors the health of the Active controller. Should it detect a problem (e.g. lost connection with the Active), the system deactivates the failed Active and switches the Standby into Active mode. On this event an HA Failover Email Notification is sent to the Admins for corrective action. See the section below on Email Notifications for how to configure the HA Failover alert.
Please contact Zentera for best practices when setting up an HA Controller.
Mail Sender
This section is used to configure zCenter email alerts in the event of an HA failover, disk space warning, or other events. You need to configure the Mail Sender to give zCenter access to your organization's Email/SMTP server, so that zCenter can send alert emails through your approved email service.
Required information for configuring the Mail Sender includes:
Sender Name (name you would like recipients to see for an email)
Sender Address (email address to be used for sending out email alerts)
Hostname (DNS name of your SMTP/email server)
Port (SMTP port of email server)
Username (sender address username)
Password (password to sender address account)
Mail Sender
Event Mail To
Allows the Admin to customize zCenter alert emails with a specified sender name / email, designated recipients, message subject, and customized content. All of these notifications follow the same general configuration in the Edit Email Notifications pane, reached by clicking the Edit link for a given notification type.
Email Notifications
Types of Email Notifications
HA Failover - Send an alert on an HA Failover (see HA Status above)
Login Verification Code - The email carrying the Two-Factor Verification code (email-based Two-Factor Authentication, described under Settings above, depends on this notification)
Free Space Alerts - Levels are configured in the Settings section above
Warning - Disk space has fallen below the first low warning level
Pause Security Log - Disk space has fallen below the second low warning level and Security Logging has been paused
Resume Security Log - Disk space has risen above the second low warning level and Security Logging has restarted
Return to Normal - Disk space has risen above the first low warning level
Policy Configuration Failure - Multiple conditions can trigger these alerts
zCenter failed to enable one or more of the following critical policies:
Chamber cannot be enabled
App Interlock cannot be enabled
CoIP Network cannot be formed
Network Security Monitoring has reported a problem
Endpoint Network Security Violation - Must be enabled
On End Points, changes made outside of zCenter's control trigger these alerts:
End Point firewall changed (e.g. iptables command on the End Point)
Routing Table rules changed (e.g. route add / del on the End Point)
Network Interface changed (e.g. attempt to add, delete, or modify a Network Interface)
Endpoint Quarantine / Recover - Must be enabled
Number of Violations per Time Period sets the trigger for this capability
Too many violations in a period of time will Quarantine a given End Point. This alert is generated both when the End Point is quarantined and when an Admin recovers it (in Project Management → Quarantined End Points)
When editing a notification, the following information is needed:
Sender Name - This is the name that recipients will receive the email from
Sender Email Address - This is the address that sends the email
High Priority - Send with High Priority
To Email Address - List of recipient addresses (multiple allowed)
Customized Subject - Subject of the email alert
Customized Content - Body of the email alert
Event Mail To
As an example, this allows you to configure the alert email for an HA Failover like this:
Example HA Alert Email
From: ServiceAdmin@example.com
To: zAdminTeam@example.com, bill@example.com
Subject: HA Failover on zcenter.example.com

All,

The controller's primary (10.0.0.100) has failed, however service has continued on the secondary (10.0.0.102). This requires immediate attention.

Thanks,
Service Admin
ZNS Clustering
A Zentera Network Switch (ZNS) Cluster is made up of multiple ZNS nodes. It is used to switch inter-cloud domain (CoIP WAN) traffic between endpoints, primarily to contain traffic within a data center (no hair-pinning) or to manage the network load across domains. ZNS Clusters are typically deployed in regional data centers while the Controller itself may be thousands of kilometers away, since only control traffic flows to the Controller.
ZNS Clusters are configured at two levels:
Global Level (shown below)
CoIP WAN Level
The CoIP WAN ZNS Cluster setting takes precedence over the Global setting.
This tab allows the administrator to configure and manage ZNS clusters, including
Creating, changing, and deleting ZNS nodes
Configuring a cluster
Setting the default cluster
If an application profile does not specify a cluster, zCenter uses the system's default cluster to bridge CoIP traffic.
ZNS Clustering
For more information on ZNS Cluster Installation / Programming please see ZNS Node Installation and Programming Guide
Branding
Zentera products have the ability to be "rebranded" to reflect your corporate image. Many things can be customized in the Branding page including Titles, Favicons, Colors, and others.
This tab allows the admin to specify white label settings for the CoIP Controller (logo, HTML title, color scheme, and copyright text).
Branding
Project Provisioning
This section explains how to define the various components of an Application Profile (network topology). An Application Profile is a configuration for a CoIP network. App Profiles can be drawn in the zCenter UI or created through zCenter's API. The basic hierarchy of an App Profile is:
Customers
Cloud Projects
Application Profiles
Cloud Domains
Server Groups (Cloud Server Pools)
Edge Gateways (Fabric Server Pools)
Inline Devices (Stream and Tap)
CoIP LANs / WANs
IP Components and Compute Flows (for physical network connections)
The Project Provisioning section contains the underlying tools to construct App Profiles.
For more information on how to build Application Profiles please refer to CoIP Fundamentals and Application Profiles in this guide.
Cloud Domains
A Cloud Domain is a logical construct that represents a network domain. You can think of it as an isolated network in, say, "South Paris Data Center 1" or "IT Closet in Building 23". Cloud Domains can exist on-prem, in the cloud, or at a remote site. Because a Cloud Domain is a logical structure, multiple Cloud Domains can exist in the same data center if your architecture calls for it.
A Cloud Domain belongs to a specific Customer and can be shared across multiple App Profiles.
Options include:
Customer (Cloud Domain will be used as a resource of the Cloud Project / Application Profile owned by this Customer only)
Security Monitoring Interval - defines how frequently components in this cloud domain perform a security check (confirm policies, check for iptables modifications and restore them if necessary, etc.); disabled by default
Cloud Domains
VM Templates
VM Templates are used to automate VM management in public cloud providers (Amazon EC2, Rackspace, Microsoft Azure, and OpenStack for Enterprise). They define the Cloud Server compute resources assigned to a Cloud Server Pool and control which VM images and compute sizes are available to Cloud Projects.
VM Templates
Cloud Server Pools
Cloud Server Pools represent collections of Cloud Servers (endpoints) available for use as compute resources in an Application Profile. They allow users to pre-define resources without deploying them until needed.
Cloud Server Pools register, manage and remove endpoints. They are specific to a Customer and a Cloud Domain. A Server Pool can further be set to Deny New Registration and/or to allow Auto-join if a Server Group has been defined.
Cloud Server Pools are rooted in a Cloud Domain and, like Cloud Domains, can be shared across projects.
Cloud Server Pools
Fabric Server Pools
Fabric Server Pools represent collections of Fabric Servers (specialized endpoints) available for use in an Application Profile. They allow Admins to pre-define resources without deploying them until needed.
Fabric Server Pools register, manage and remove Fabric Servers, which include Edge Gateways and Inline Devices. Fabric Server Pools are specific to a Customer and a Cloud Domain.
Fabric Server Pools are rooted in a Cloud Domain and, like Cloud Domains, can be shared across projects.
See Zentera Edge Gateway Installation for more information on installing and managing Edge Gateways.
Fabric Server Pools
Cloud Projects
Cloud Projects are collectors for related CoIP deployments. They bring the various components of a project together to be deployed in the Enterprise and/or the Public or Private Cloud of choice.
A given Cloud Project can contain many App Profiles. For instance, you might have a Cloud Project titled, "Web Services" with multiple App Profiles providing different services.
Each Cloud Project is associated to one or more Application Profiles.
Figure 14 - Cloud Projects
zLink Packages
This section enables administrators to download the Linux RPM (RedHat, CentOS, SUSE), Linux Debian (Ubuntu) and Windows packages for Cloud and Fabric Servers.
The correct zLink Dependency package must be installed before the zLink package is installed.
There are separate zLink installation packages for Windows, Linux RPM (RedHat, CentOS, SUSE) and Linux Debian (Ubuntu). You cannot "mix and match" packages from other versions of zCenter.
If the TAP functionality will be used, the TAP driver package for Windows must be installed before the zLink package.
See also zLink Agent Installation or Zentera Edge Gateway Installation for more details.
zLink Packages
CoIP Access Users
CoIP Access enables remote users to connect to resources in a Cloud Domain. This section is for creating CoIP Access user accounts so users can log in to CoIP Launcher. Since it involves user credentials, this section is subject to the system-wide Directory Services, Two-Factor Authentication, and Password Policies (described in Portal Management → Password Policies).
CoIP Access Users
CoIP Access User Groups
This tab allows Admins to specify which CoIP Access Users have permission to access a given resource. It consists of two columns, Users in this Group and Users not in this Group, which gives finer-grained control over "who gets to see what".
To add CoIP Access users to a group, choose the Customer and Cloud Project in which the group will be made available for use in an App Profile.
CoIP Access User Groups
Project Management
This section explains how to manage the various network addressing and security features for a given Application Profile. A number of options in this menu help you secure your applications.
CoIP Address Management
This tab displays the CoIP overlay IP addresses and physical IP addresses used for a given Application Profile, and allows the administrator to manage them.
CoIP Address Management
Application Profiles
An Application Profile is the core concept that enables admins to build an overlay network using the components configured in the previous sections (Cloud Domain, VM Template, Cloud Server Pools, Fabric Server Pools, Cloud Projects, etc.).
The Manage Profile link on the right takes you to a read-only view of the App Profile where you can add or remove compute resources but cannot change the structure. To edit an App Profile, press the Project Provision button at the bottom of the display or go to Project Provisioning → Cloud Projects.
Application Profile
The above figures show an example list of Application Profiles, an example of the graphical representation of Application Profile policies, and the list of hosts/endpoints in one of the Server Groups. Each host record shows Physical IP (Private and Public*), OS, CoIP Address and Security settings.
If the hosts belong to a Cloud, the Private and Public Physical IP addresses are those assigned by the Cloud Service Provider.
Note: The correct zLink Package must be successfully installed before hosts are made part of an Application Profile. Verify the coip interface (ifconfig on Linux, ipconfig on Windows).
The public IP address of a host displayed throughout zCenter is the IP address as observed by zCenter. This may be a public physical IP address, if the host has one, or it may be the IP address of the Internet gateway the host is behind. As a result, multiple hosts may show up with the same "public IP address".
Security Profiles
The Security Profile controls the security rules that apply to an Application Profile. Security Profiles are managed independently from the Application Profile, allowing role-based control over security settings. This decoupling allows the project admin role to scale an Application Profile (for example, by bringing new endpoints into a Server Group) without allowing them to control the security settings of the Application Profile.
The Security Profile tab allows service admins, customer admins, or security admin roles to configure zChamber settings and Tap settings for a given Application Profile.
In addition to the zChamber security settings, this tab can also be used to dynamically configure Tap packet capture or inline packet forwarding.
Under Project Management → Security Profiles, the Admin will find a list of App Profiles, each with a Manage Security Profiles link that displays a view of the App Profile.
Security Profiles
Security Profile for an App Profile
Clicking a Server Group in the App Profile view raises a dialog used to configure security for this profile:
Security Profile Configuration Dialog
The five main sections of the dialog are:
Chamber Mode:
Security Filter Table:
Smart Discovery - Discovers the applications and network flows actually in use on selected hosts so that they can be turned into enforceable rules. Zentera Smart Discovery can be used to discover overlay CoIP traffic, underlay physical traffic, or both. Once started, a Smart Discovery job runs on the selected hosts for the specified duration.
Security Tap Policies - Set security policies for Inline Devices in Tap configuration mode
Security Inline Policies - Set security policies for Inline Devices in Stream mode
Configuring Chamber Mode
Configure Chamber Mode
Visual changes in the App Profile view help indicate that none, some, or all End Points are under protection. When no End Points are protected, the Server Group shows as a blue circle. When a subset of the End Points are protected, the chamber shows up as a light orange lock box. When all End Points are protected, the lock box is dark orange.
Configuring Security Filter Table
Running Smart Discovery
Smart Discovery is a tool for monitoring an application and its interconnections over the CoIP and physical networks. zCenter watches the networks, determines the process hierarchy of the executables involved, and develops Provision Rules (PRT) that can then be enforced.
In the App Profile view, select a Server Group and then Configure and Discovery.
Run New Smart Discovery
In this dialog you configure which machines to monitor and for how long (hours). After the run completes, the discovered rules can be viewed and edited using the Enforce Discovered Rules to DRT and Edit Enforced Rules in DRT options in the main dialog. Discovered rules come in the form of OS executable paths. Choose the executables and their corresponding network protocols you would like to allow and choose "Add???".
Endpoint Profiles
This tab allows the administrator to list all the Endpoints that have registered to the zCenter. The details can be sorted by customer name, Application Profiles, server types, zLink version, and presence.
Clicking on an Endpoint will show its basic information and App Profile related information. Information that has been verified is marked with a check icon.
Security Logs
This tab allows the administrator to view security event logs that are collected by the zCenter controller. There are 3 categories of security logs:
Chamber Logs
These logs display data about Chamber policy violations for a given Application Profile. These logs can be useful for detecting anomalous behavior, such as attempts to probe ports or access prohibited destinations.
Network Monitoring Logs
These logs display any detected changes to a host's network interface, firewall, or routing table. The CoIP Platform checks each host for these events, logs them, and re-applies the correct policies within 10 seconds.
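The check behind these logs (and behind the Endpoint Network Security Violation alerts listed under Email Notifications) is a comparison of what the endpoint is running against what was last applied. The block below is an added example of that comparison, written here and not taken from the zLink agent: it diffs constructed `iptables-save`, `ip route` and `ip -brief addr` snapshots, reports each drift as an event in the three categories the page names, and derives the firewall and route commands that restore the baseline. Every snapshot line is constructed for the example.

```python
from __future__ import annotations

import shlex
from typing import Dict, FrozenSet, List, Set, Tuple

# ---- constructed snapshots (not taken from a real endpoint) -------------------------------
# The baseline is what was last applied; "current" is what a later check found on the host.
BASELINE = {
    "iptables": "*filter\n:INPUT DROP [0:0]\n"
                "-A INPUT -i coip0 -j ACCEPT\n"
                "-A INPUT -p tcp -m tcp --dport 22 -j DROP\n"
                "COMMIT\n",
    "routes": "default via 10.0.0.1 dev eth0\n"
              "10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5\n",
    "interfaces": "lo UNKNOWN 127.0.0.1/8\neth0 UP 10.0.0.5/24\ncoip0 UP 172.24.1.3/16\n",
}
CURRENT = {
    # someone removed the port 22 DROP and appended an accept-all rule
    "iptables": "*filter\n:INPUT DROP [0:0]\n"
                "-A INPUT -i coip0 -j ACCEPT\n"
                "-A INPUT -j ACCEPT\n"
                "COMMIT\n",
    # `ip route add 10.9.0.0/16 via 10.0.0.99`
    "routes": BASELINE["routes"] + "10.9.0.0/16 via 10.0.0.99 dev eth0\n",
    # a new tunnel interface appeared
    "interfaces": BASELINE["interfaces"] + "tun9 UP 192.168.77.1/24\n",
}


def parse_iptables_save(text: str) -> Set[Tuple[str, str]]:
    """(table, rule) pairs from iptables-save output, with spacing and quoting normalised."""
    rules, table = set(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A") and table:
            rules.add((table, shlex.join(shlex.split(line))))
    return rules


def parse_routes(text: str) -> Set[str]:
    return {" ".join(line.split()) for line in text.splitlines() if line.strip()}


def parse_interfaces(text: str) -> Dict[str, FrozenSet[str]]:
    """`ip -brief addr` style lines: name, state, then the addresses on the interface."""
    ifaces = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            ifaces[parts[0]] = frozenset(parts[2:])
    return ifaces


def detect_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Compare two snapshots and return one event per change: firewall, routing, interface."""
    events: List[dict] = []
    b_fw, c_fw = parse_iptables_save(baseline["iptables"]), parse_iptables_save(current["iptables"])
    for table, rule in sorted(c_fw - b_fw):
        events.append({"category": "firewall", "change": "added", "table": table, "rule": rule})
    for table, rule in sorted(b_fw - c_fw):
        events.append({"category": "firewall", "change": "removed", "table": table, "rule": rule})
    b_rt, c_rt = parse_routes(baseline["routes"]), parse_routes(current["routes"])
    for route in sorted(c_rt - b_rt):
        events.append({"category": "routing", "change": "added", "route": route})
    for route in sorted(b_rt - c_rt):
        events.append({"category": "routing", "change": "removed", "route": route})
    b_if, c_if = parse_interfaces(baseline["interfaces"]), parse_interfaces(current["interfaces"])
    for name in sorted(c_if.keys() - b_if.keys()):
        events.append({"category": "interface", "change": "added", "name": name})
    for name in sorted(b_if.keys() - c_if.keys()):
        events.append({"category": "interface", "change": "removed", "name": name})
    for name in sorted(b_if.keys() & c_if.keys()):
        if b_if[name] != c_if[name]:
            events.append({"category": "interface", "change": "modified", "name": name})
    return events


def remediation_commands(events: List[dict]) -> List[str]:
    """Commands that put the firewall and routing table back to the baseline.

    Interface changes are only reported: deleting or recreating an interface is not
    something a policy re-apply should do blindly.
    """
    cmds = []
    for e in events:
        if e["category"] == "firewall":
            verb = "-D" if e["change"] == "added" else "-A"
            cmds.append(f"iptables -t {e['table']} {e['rule'].replace('-A', verb, 1)}")
        elif e["category"] == "routing":
            cmds.append(f"ip route {'del' if e['change'] == 'added' else 'add'} {e['route']}")
    return cmds


if __name__ == "__main__":
    found = detect_drift(BASELINE, CURRENT)
    for ev in found:
        print(ev)
    print("\n".join(remediation_commands(found)))
```

On a real host the three snapshot strings would come from `iptables-save`, `ip route show` and `ip -brief addr show`; the comparison is the same. Rule strings are normalised with `shlex` so that a rule re-issued from the baseline keeps its quoting (for example a `--comment` argument) intact.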
Discovery Logs
Zentera's Application Interlock feature allows administrators to limit network usage to predefined, whitelisted applications. An attempt to use an application that is not on the whitelist is blocked and logged in the Application Interlock Logs.
Security Logs
Current CoIP Access User Login Sessions
CoIP Access enables remote users to connect to resources from a laptop or desktop. This tab shows the active login sessions for CoIP Access. CoIP Access users are managed under Project Provisioning → CoIP Access Users.
CoIP Access User Login Sessions
In-Progress WAN Sessions
In-Progress WAN Sessions
Quarantined Endpoints
Quarantined Endpoints
Security Rule Provisioning
This section of the zCenter Admin Portal introduces key features in release 6. It resembles firewall operation, allowing an admin to configure .... for a component in an Application Profile...
Application Filter Groups
Example: Create an application filter rule to block SSH on End Server C.
First, prepare a Type 1 app profile with two server groups: two cloud servers in server group A and one cloud server in server group B.
At this point the cloud servers in server group A and server group B can connect to each other.
Step 1. Click "Application Filter Groups" and click the "AddFilter/Group" button.
Step 2. Select "Filter" in the Type field, enter the correct Executable Path and Checksum, and name it "Application_SSH".
Step 3. Go to the Security Profiles page and click server group B.
Step 4. Click "Configure Filters".
Step 5. Click the "Inbound" tab and click the "Add New" button.
Step 6. Select "Inbound To Endpoints" in the Direction field and "Predefined Filter Groups" in the Service field.
Select "Application_SSH" in the right panel; the service rule is added to the Service field. Select "Block" in the Policy Action field.
Step 7. Click "Change Mode for Individual Cloud Servers" to go to the Configure Chamber Mode page and change the mode to "Prevention".
Step 8. All rules, including SFT, PRT and System rules, can be checked in the View Endpoint Rule Table.
The application filter rule that blocks SSH on End Server C is now complete.
Address Filter Groups
Example: Create an address filter rule on End Server C to block End Server B's CoIP address.
First, prepare a Type 1 app profile with two server groups, as in the application filter groups example above.
Step 1. Click "Address Filter Groups" and click the "AddFilter/Group" button.
Step 2. Select "Filter" in the Type field, enter "172.24.1.2" in the Address field and name it "Address_172.24.1.2".
Step 3. Go to the Security Profiles page and click server group B.
Step 4. Click "Configure Filters".
Step 5. Click the "Inbound" tab and click the "Add New" button.
Step 6. Select "Inbound To Endpoints" in the Direction field and "Predefined Filter Groups" in the Service field.
Select "Address_172.24.1.2" in the right panel; the service rule is added to the Service field. Select "Block" in the Policy Action field.
Step 7. Click "Change Mode for Individual Cloud Servers" to go to the Configure Chamber Mode page and change the mode to "Prevention".
Step 8. All rules, including SFT, PRT and System rules, can be checked in the View Endpoint Rule Table.
The address filter rule on End Server C that blocks End Server B's CoIP address is now complete.
Service Filter Groups
Example: Create a service filter rule on End Server C to block ICMP.
First, prepare a Type 1 app profile with two server groups, as in the application filter groups example above.
Step 1. Click "Service Filter Groups" and click the "AddFilter/Group" button.
Step 2. Select "Filter" in the Type field, select "ICMP" in the Protocol field and name it "Service_ICMP".
Step 3. Go to the Security Profiles page and click server group B.
Step 4. Click "Configure Filters".
Step 5. Click the "Inbound" tab and click the "Add New" button.
Step 6. Select "Inbound To Endpoints" in the Direction field and "Predefined Filter Groups" in the Service field.
Select "Service_ICMP" in the right panel; the service rule is added to the Service field. Select "Block" in the Policy Action field.
Step 7. Click "Change Mode for Individual Cloud Servers" to go to the Configure Chamber Mode page and change the mode to "Prevention".
Step 8. All rules, including SFT, PRT and System rules, can be checked in the View Endpoint Rule Table.
The service filter rule that blocks ICMP on End Server C is now complete.
Example: Create a service filter group on End Server C to block ICMP, TCP port 3000 and TCP port 22 at the same time.
Multiple filters of the same type can be combined into a group. The service filter group below is the example.
First, prepare a Type 1 app profile with two server groups, as in the application filter groups example above.
Step 1. Create 3 service filters named "Service_ICMP", "Service_TCP_3000" and "Service_TCP_22".
service filter for ICMP
service filter for TCP port 3000
service filter for TCP port 22
Step 2. Click "Service Filter Groups" and click the "AddFilter/Group" button.
Step 3. Select "Group" in the Type field, select "Service_ICMP", "Service_TCP_3000" and "Service_TCP_22" in the right panel so that they are added to the filter group, and name the group "Service_filter_group_ICMP_TCP300_TCP22".
Step 4. Go to the Security Profiles page and click server group B.
Step 5. Click "Configure Filters".
Step 6. Click the "Inbound" tab and click the "Add New" button.
Step 7. Select "Inbound To Endpoints" in the Direction field and "Predefined Filter Groups" in the Service field.
Select "Service_filter_group_ICMP_TCP300_TCP22" in the right panel; the service filter group is added to the Service field. Select "Block" in the Policy Action field.
Step 8. Click "Change Mode for Individual Cloud Servers" to go to the Configure Chamber Mode page and change the mode to "Prevention".
Step 9. All rules, including SFT, PRT and System rules, can be checked in the View Endpoint Rule Table.
The service filter group on End Server C that blocks ICMP, TCP port 3000 and TCP port 22 is now complete.
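The four procedures above all produce inbound Block rules in the endpoint's filter table; what differs is the filter type (application by path and checksum, address, service by protocol and port) and whether the service is a single filter or a group. The block below is an added example, not Zentera code, that models how such a table is evaluated against a connection attempt, and combines the page's three filters into one table for End Server C. It assumes that rules are tried in table order with the first match winning, that an application filter matches only when both path and checksum match, and that Detection mode records a violation while Prevention mode enforces it; the sshd path and the binary contents are constructed, as the page gives neither.

```python
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class ApplicationFilter:   # "Application Filter Groups": executable path plus checksum
    path: str
    sha256: str


@dataclass(frozen=True)
class AddressFilter:       # "Address Filter Groups": a host address or CIDR
    network: str


@dataclass(frozen=True)
class ServiceFilter:       # "Service Filter Groups": protocol and, for tcp/udp, a port
    protocol: str
    port: Optional[int] = None


Filter = Union[ApplicationFilter, AddressFilter, ServiceFilter]


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str               # "inbound" (Inbound To Endpoints) or "outbound"
    service: Tuple[Filter, ...]  # one filter, or a group of filters of the same type
    action: str                  # "Block" or "Allow"


@dataclass(frozen=True)
class Flow:
    direction: str
    peer_addr: str               # CoIP address of the other endpoint
    protocol: str
    port: Optional[int] = None   # destination port on this endpoint for inbound traffic
    exe_path: Optional[str] = None     # process owning the socket on this endpoint
    exe_sha256: Optional[str] = None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(f: Filter, flow: Flow) -> bool:
    if isinstance(f, ApplicationFilter):
        # assumption: path and checksum must both match, so a replaced binary at the same path does not
        return flow.exe_path == f.path and flow.exe_sha256 == f.sha256
    if isinstance(f, AddressFilter):
        return ipaddress.ip_address(flow.peer_addr) in ipaddress.ip_network(f.network, strict=False)
    if isinstance(f, ServiceFilter):
        return flow.protocol == f.protocol and (f.port is None or flow.port == f.port)
    raise TypeError(f"unknown filter type {type(f).__name__}")


def evaluate(rules: Sequence[Rule], flow: Flow, chamber_mode: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, rule name). Rules are tried in table order; first match wins (assumption)."""
    for rule in rules:
        if rule.direction != flow.direction:
            continue
        if any(matches(f, flow) for f in rule.service):
            if rule.action == "Block":
                # Prevention enforces the block; Detection only records it in the Chamber logs
                return ("blocked" if chamber_mode == "Prevention" else "logged", rule.name)
            return ("allowed", rule.name)
    return ("allowed", None)


# ---- the page's three examples, combined into one inbound table for End Server C ----------
SSHD_IMAGE = b"constructed stand-in for the sshd binary"   # constructed, not a real binary
SSHD_PATH = "/usr/sbin/sshd"                                # assumption; the page gives no path
APPLICATION_SSH = ApplicationFilter(SSHD_PATH, sha256_hex(SSHD_IMAGE))

RULES = [
    Rule("Application_SSH", "inbound", (APPLICATION_SSH,), "Block"),
    Rule("Address_172.24.1.2", "inbound", (AddressFilter("172.24.1.2"),), "Block"),
    Rule("Service_filter_group_ICMP_TCP300_TCP22", "inbound",
         (ServiceFilter("icmp"), ServiceFilter("tcp", 3000), ServiceFilter("tcp", 22)), "Block"),
]

if __name__ == "__main__":
    ssh_from_a = Flow("inbound", "172.24.1.1", "tcp", 22, SSHD_PATH, sha256_hex(SSHD_IMAGE))
    print(evaluate(RULES, ssh_from_a, "Prevention"))
```

The case worth noticing is an SSH connection served by a binary whose checksum no longer matches the application filter: under the assumption above the Application_SSH rule does not match it, and it is the service filter for TCP port 22 that still blocks it. When the intent is "no SSH at all", the service filter is the rule to rely on; the application filter pins a specific build.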
Portal Management
This section of the zCenter Admin Portal enables administrators to create and manage user accounts, tenant-spaces, user privileges, and user password policies.
Customers
The CoIP Platform is capable of multi-tenancy; each tenant is referred to as a "Customer." This menu allows a service admin to create/update/delete tenants on the zCenter controller as well as utilize Identity Services.
Create Customer
Clicking Manage Identity Services allows an administrator to configure Corporate Directory Services and SAML 2.0 for admin accounts and for CoIP Access user accounts. A customer may choose to use its own corporate directory service and SAML 2.0 service (see the Identity Services section for details); otherwise they may use the ready-configured Identity Services.
Admin Users
This menu tab allows service admins to create or manage other Service or Customer Admin accounts.
A Service Admin can only create other Service Admins, or a Customer Admin (tenant administrator). Tenant-specific admin roles, such as Project Admin, Security Admin, and Read-Only Admin can only be created by a Customer Admin.
Admin Users
Password Policies
This menu tab allows the Service Admin to configure customer-specific password policies, including password age limits, password history enforcement (rejecting previously used passwords), the maximum number of failed logins, and requirements for minimum length and special characters.
Password Policies
Current Login Sessions
This menu tab is used to manage admin login sessions that are currently active on a zCenter. The admin can review active login sessions and force-disconnect an active session. This capability is useful for identifying and terminating stale admin login sessions.
Current Login Sessions
History
This section of the zCenter Admin Portal displays the various logs collected by the CoIP Controller on all known endpoints and Application Profiles, with the exception of Security Logs.
Portal Login Sessions
This menu tab contains detailed information on past admin user login sessions and is useful for compliance monitoring.
Portal Login Sessions
Configuration Change Logs
This menu tab contains logs of changes made within the CoIP Controller web portal (zCenter). Each entry records which area of the zCenter portal was changed, which part, what action was attempted, the result of the attempt, the timestamp, the user who made the change, and that user's account type.
Configuration Change Logs
Email Logs
View the history of alert emails sent by the CoIP Controller and when they were sent.
Email Logs
CoIP Access User Login Sessions
View the history of CoIP Access user logins. Information includes the source IP address, when the login occurred, and when the connection ended.
CoIP Access User Login Sessions
API Management
This section allows administrators to create API keys that can be used to automate configuration and management of the CoIP Platform.
Customer API Credentials
Create and manage API call credentials. API credentials are scoped to the "Customer" level and carry one of the following privileges:
CustomerFullAccess (access to all API commands)
CustomerReadOnlyAccess (access to "list" commands)
DiagnosisAccess (access to commands to test CoIP connection performance and display active traffic on an endpoint)
See the Zentera CoIP API User Guide for more details.
System Tools
Starting from release 5.2, Zentera introduced the following tools to help monitor selected application profiles.
Network Monitoring
Example of Using TYPE 3
Step 1. Create a bi-directional TYPE 3 like the setting below.
Step 2. Go to the System Tools > Network Monitoring page and click the "Run New Monitor Job" button.
Step 3. Select the app profile to be monitored and click the "OK" button.
Step 4. Click Edge Gate "172-19-10-200".
Step 5. Enter "172.19.10.201,172.19.10.211" in the "IP pairs to monitor" field and click the "Run" button to start the job.
Step 6. Go to VM 172.20.10.201 and run the command "ping 172.20.10.211".
Step 7. Throughput information can now be observed on the network monitoring flow chart.
Chart of TX Throughput
Chart of RX Throughput
Express Mode
Express Mode was introduced in Release 5.3.1 to simplify application profile creation.
When it is enabled for the customer, the customer admin will see the following user interface upon login:
The snapshot shows the service information, including the Service Domain name, release version, uptime, resource status, and license consumption. The App Profile Overview table lists all existing applications and the status of the resources involved. The table is empty if no application has been built. Experienced users may select "Advanced Mode" in the upper right corner to return to the familiar environment, which provides many more options, as described in the previous section.
Express Mode has four templates to help a customer admin quickly design a network application to meet their needs. To start building your own application, click "My App Profiles" on the left menu bar and then the "Create App Profile" button.
Template 1: Two Server Groups with Agents
This template helps you build an overlay network connecting two server groups in two different network domains. Servers in each server group have the Zentera agent (zLink) installed and can communicate with each other via the on-demand CoIP overlay network.
Template 2: One Server Group With Agents and the Other Without Agents
When installing an agent on a server is not practical, this template helps you create an application proxy gateway called an "Edge Gateway", so that the agentless servers behind the Edge Gateway can be reached by servers in the other group.
Template 3: Combining Template 1 and 2
This template combines both Template 1 and Template 2.
Template 4: Template 3 With Remote Access
As an extension of Template 3, use this template when end users need to remotely access servers in the application. It sets up access so that pre-qualified users can remotely reach resources in the server groups and servers behind the Edge Gateway.
Example of Using Template 1
Below are steps to build an overlay network application to connect two server groups in different domains:
Go to "My App Profiles", click the "Create App Profile" button, select the first template, "CoIP overlay network connecting two server groups in different network domains", and scroll to the bottom to click "Next".
Fill in all the fields to configure the application profile.
This profile: Type in the name for this application profile.
New network domain A: Type the name of the new network domain A. If you want to use an existing domain, open the "-- Create new network domain --" dropdown and choose one.
Server Group A: Type in the name of the server group.
New network domain B: Type the name of the new network domain B. If you want to use an existing domain, open the "-- Create new network domain --" dropdown and choose one.
Server Group B: Type in the name of the server group.
Server Group A subnet: The default is 172.24.0.0/24 and can be changed.
Server Group B subnet: The default is 172.24.1.0/24 and can be changed.
After filling in all the information, click "Next" at the bottom.
Decide how to protect the servers in the server groups from the physical network.
By default, servers in a server group can communicate with outside servers via the physical network. Tick the box to enable a chamber so that the servers can only communicate over the CoIP overlay network. Then add rules to allow any connections that are still needed via the underlay network.
Scroll to the bottom and click "Next" when you are done. You can click "Previous" to view and modify settings if needed.
This last step shows a graphical representation of the overlay network that has been built.
Scroll to the bottom and click "Finish" to complete the Application Profile.
Upon finishing, the wizard shows the application and guides the customer to download the packages needed for endpoint registration. For instance, mouse over the cloud icon for domainA and click it to show instructions for downloading the installation package for the server in domainA.
Download the package within the specified duration, transfer it to the target server, and install it.
Do the same for the server in the other domain.
Go to "My Endpoints" on the left bar to show the existing Application Profiles.
If the installation completed successfully, the registered endpoints are listed under the selected Application Profile.