The zCenter admin portal is designed to support enterprise admin users to onboard distributed applications, endpoints, services, and application users to the CoIP® Access Platform, which implements Secure Access Services Edge (SASE) overlay, and define access policies to connect and protect those distributed resources. This quick start guide helps a user to quickly understand how to onboard applications, endpoints, services, and application users.
The picture below shows the various onboarding tabs on the admin portal.
Note: the CoIP Access Platform UI supports two major flows. The Onboarding Flow is a new, streamlined experience for managing Zero Trust access policies, white the Advanced Mode supports more configurable controls. These guides focus on the Onboarding Flow, but reference operations in Advanced Mode where required to complete a step.
CoIP Access Platform defines an Application as a policy object representing a group of servers that implement the same functions and use the same access policies. A simple example is a 3-tier web service architecture, where three Applications are defined to represent the presentation tier, the application tier, and the data tier. Another example may be a large group of servers that run sophisticated genomic analysis as a cluster. Another example could be an ftp server, and may include only one endpoint.
Note that the term “Application” does not imply that only one software package runs on the server endpoints in the Application. For example, the server that runs genomic analysis could also run performance monitoring software or other IT support tools on the endpoint for monitoring and support. The CoIP Application object can be defined to include all these functions together.
Onboarding an Application
To onboard a new Application object, go to Onboarding and Management > Applications, and click the 'Onboard Application +” at the top of the page.
This brings up a view of an Application in an edit mode, where you are prompted to fill out the “Onboarding Method” table by specifying either the use of underlay IP addressing or overlay IP addressing.
Note: the agentless method for onboarding is supported through the Service policy object. In the current release, if a Service must also support initiating connections to access other Applications, Endpoints, or Services, this must be configured in the zCenter Advanced mode.
To register endpoints and servers and download the installation package that assigns servers to this Application role, click the “Register Server +” bottom on top of the “Servers” table. This brings up a pop-up window that allows the admin to specify the proper OS for the installation package, and to select the download method for the installation package (URL or immediate package download).
With CoIP services, all endpoints and gateway proxies use a web access model to connect to zCenter/ZNS over outbound port 443. In the local environment where the endpoints or gateway proxy are located, a web proxy may control outbound web access. The admin may optionally pre-configure web proxy settings to be used by the endpoint servers in this download menu if required. Proxy settings can also be configured or changed at the individual endpoint by editing the zasa.cfg file.
When finished with the installation configuration, click “Download”.
To install, simply run the installation package on the targeted endpoint (administration privileges are required). After successful installation, the zasad service will start and automatically connect to zCenter and complete its registration. The zCenter automatically computes security rules for this endpoint and pushes an update, and, based on the Access Policies in effect, will also update security rules on any other affected endpoints.
CoIP Access Platform defines the Endpoint policy object as a single server that can be accessed by Users, Applications or other Endpoints. An Endpoint can also work as a client to access other Applications, Endpoints, or Services. In this way, it is essentially an Application object, with a fixed size of 1.
To onboard an endpoint, go to the Endpoints tab under Onboarding and Management, and click the button of “Onboard Endpoint +” on the top of the page. This brings up the Endpoints > Edit Endpoint page, where you can fill out the “Onboarding Method” table by the Endpoint object name, and whether underlay IP addressing or the overlay IP addressing are to be used.
Note: the agentless method for onboarding is supported through the Service policy object. In the current release, if a Service must also support initiating connections to Applications, Endpoints, or Services, this must be configured in the zCenter Advanced mode.
The process for registering a server as an Endpoint is identical to that for Application onboarding described above.
CoIP Access Platform defines a Service as a generic enterprise service, such as LDAP, git server, database, that can be accessed by applications, endpoints, or users, but does not have the CoIP zLink agent installed. As a result, the target service must be identified by IP address or FQDN.
There are two Service models: Gateway Proxy, and Direct IP; both are onboarded using the “Onboard Service +” button on Onboarding and Management > Services.
Direct IP Service Model
The Direct IP Service model specifies IP addresses (individual or ranges) that can be targets of a CoIP Access Policy. The Direct IP also allows you to specify additional behavior, such as unidirectional/bidirectional traffic, and as well as any Service Port filters used.
Gateway Proxy Service Model
A Gateway Proxy is an application proxy server that bridges application traffic between a physical IP network and the CoIP overlay network. Through the proxy connection, the gateway proxy also supports NAT for address translation between physical IP address and CoIP address (i.e. the overlay IP).
The gateway proxy is designed to deploy adjacent to the applications, endpoints or services that are being onboarded to CoIP. It is a recommended best practice to deploy the gateway proxy in the same subnet as the target servers it Is serving, as this reduces the ‘distance’ that application traffic needs to flow through the physical network. If the gateway proxy is set up to forward traffic from to a remote destination, the user must also set up physical forwarding IP addresses that proxy the destination in the overlay network.
One Gateway Proxy can be shared and support multiple access policies in one Application Profile. All resources programmed in all access policies associated with this Gateway Proxy must be routable in the underlay physical network to this proxy. The user must avoid programming physical IP address with collision across policies. For the detailed functions of the Gateway Proxy, one can refer to the CoIP Access Platform Administration Guide.
Onboarding a Gateway Proxy
From Services > Onboard Service, when Gateway Proxy is selected as the access type, you may either select an existing Gateway Proxy or register a new one, by clicking “Register Gateway Proxy +”. A single Gateway Proxy device may support multiple Services.
After selecting a Gateway Proxy, add the target resource to this Service by clicking the “Add Resource / Server +” button. A pop-up appears, allowing you to program a range of physical addresses in CIDR format – this can represent an individual server (e.g. LDAP) or an entire subnet of machines. The corresponding CoIP address range used for the overlay network routing must be set up as well. One popular approach for choosing the CoIP address is to identical address with the physical IP to reduce confusion. If, however, the physical networks being connected have an IP conflict with each other, then using a different CoIP address as a NAT IP can help to resolve it.
Users are onboarded to the system using Onboarding and Management > Users.
On this page, you can also create User Roles which are used to associate multiple groups of Access Policies to a user.
To onboard a user, click the “Onboard User” button, and fill out the user information and select the role(s) that this user is associated with.
For each individual user, CoIP supports Zero Trust Identity Factors to associate with for security authentication. At the individual User level, you may pre-provision the expected MAC address(es) and hostname for the user device. If these are not provided, and if you have configured the system to validate them, these and the other Zero Trust Identity Factors will be determined on first login and cached.
Once Applications, Endpoints, Services, and User policy objects have been onboarded, the next step is to define the Access Policies between them. This topic is covered in the Creating Secure Access Policies Quick Start Guide.
Once the secure Access Policies are defined, you may then install the necessary packages for agent and Gateway Proxy for servers and endpoints. Once the installation packages are successfully installed, the servers, endpoints, and Gateway Proxy servers will then automatically connect to the control plane with zCenter and have all secure access policies automatically enforced.
End users use CoIP Launcher to sign on to CoIP services and start to access the provisioned applications, endpoints and services through the overlay secure access platform powered by Zentera technology. End users can refer to the CoIP Launcher 2.0 User Guide Quick Start Guide for further guidance.