Thanks for signing up to Zentera Air! You've now joined the growing ranks of administrators and developers who are simplifying access and securing private applications with Zero Trust.
About the Services
Zentera Air is an advanced Zero Trust access platform, enabling a wide variety of remote access cases, including:
- Secure Remote Desktop Access for remote users
- Zero Trust Network Access to private applications
- Micro-segmentation for workload protection
Applications and servers can be anywhere – on-prem, in the cloud, or both. Your portal for management and control is hosted in Zentera's secure datacenters, while data traffic is carried either by our global network, or through providers of your choice.
About This Guide
This Getting Started guide will help you onboard and begin familiarizing yourself with the Zentera Air platform, through exercises and templates that introduce its features and controls. Once you have completed this guide, you should be able to
- Onboard users to Zentera Air
- Create and assign user roles
- Onboard servers
- Create and manage access policies
- Understand Application Profile concepts and create new ones
- Understand the tools available for security and access log management
Getting Access to Zentera Air
Once you sign up for Zentera Air services, you'll receive an initial welcome email letting you know that your service is being provisioned. Provisioning usually takes between 5 and 8 minutes, but can take longer depending on service load.
Once your service has been provisioned, you'll receive an email with your portal information and login credentials:
Make a note of your portal URL: not only will you use it to log in to the portal, your users will also need it to access their services.
NOTE: custom portal URLs are currently not available in Zentera Air, but are planned for a future update. Please email us at email@example.com to be notified when custom portal URLs become available.
Click the "Login Now" button to open your portal in your browser.
For security, navigating to the base URL returns a 404. To reach your destination, you must append a path, for example:
https://base-url/zCenter/ (admin portal login)
https://base-url/launcher/ (CoIP Launcher)
Navigating the Portal
The Portal Dashboard
The key elements of the portal dashboard are shown above:
- The navigation menu enables you to quickly access pages that let you configure the users, applications, and access methods.
- The Application Profile selector enables you to quickly move between different Application Profiles that you are managing.
- The Segmentation Protection Scorecard gives you quick feedback on the security policies that are active in this Application Profile, and suggestions on how to improve them.
- The Status View allows you to review the status of the various components of the Application Profile, as well as any alerts that may warrant review or action.
The Default Application Profile
Your Zentera Air tenant comes with a default Application Profile, named "Default App Profile", allowing you to onboard and test the core functions without having to learn much about how to configure them. Clicking on the Onboarding and Management > Applications tab on the navigation menu shows that two applications, App1 and App2, have been provisioned.
An application in the Zentera Air context represents a group of servers which will be managed with an identical set of policies – for example, a group of Apache servers might be one application, and a group of Tomcat servers might be a second application. In the view above, you can see under "Servers" that we haven't onboarded any servers to either App1 or App2 yet.
Once you've defined access policies between these two applications, you can apply them to individual Apache or Tomcat servers simply by onboarding those servers into the correct application. In the Default App Profile template, we've defined a set of policies, as shown below. You can view these policies in your portal by navigating to Access Policy Management > Access Policies.
You can see that there are quite a few policies already defined for you. In particular, note the following:
- User-to-Application: these policies correspond to CoIP Access, a network-mode access method (like a VPN, but connecting directly to the servers in that application only, with no network-level access)
- Application-to-Application: these specify policies between application tiers (e.g. between Apache and Tomcat servers)
- Application-to-Service: these policies create explicit whitelist entries for common network services that should remain reachable even when the application chamber is turned on.
Examples of some common services and how they are defined in the portal are shown below:
Onboarding Servers
Onboarding a server to Zentera Air is a simple process. You can download installation packages for your servers from the portal and run them on the server to be onboarded. This process can even be automated through APIs (which is outside the scope of this guide).
Generating the Installation Package
To onboard a server to an application, navigate to Onboarding and Management > Applications and click the download button on the application you wish to onboard to. This brings up the following dialog:
You can download the package to your local machine, or simply generate a link which you can open on the target machine. Generated links are valid for 15 minutes, so you must use them quickly after generating them.
To onboard a Windows server instead, select the Windows radio button to generate a Windows installer package.
Retrieving the Installation Package
You can copy the installation package link and paste it in the target machine to download the package.
Untar the package and execute the installation script (it must be run with administrator privilege); the zLink agent (zasa) will then be set up and started automatically.
Once zLink is installed and running, you will notice that the machine has a new virtual interface, called coip. The details of setup and management of the coip interface are outside the scope of this document, but all secure remote access is provided through this virtual interface.
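As an added example (not Zentera's own tooling or installer script), the following POSIX shell sketch performs the Linux onboarding step just described: it fetches the package while its 15-minute link is still valid, extracts it, runs the installer with administrator privilege, and then verifies that the coip virtual interface appeared. The archive layout, the installer script name (discovered rather than hard-coded) and the sysfs lookup are assumptions, since the guide does not state them.

```shell
#!/bin/sh
# Added example, not Zentera's own code. Assumptions: the portal link serves a gzip
# tarball containing exactly one executable *.sh installer at its top level, and zLink
# exposes its virtual interface to Linux as /sys/class/net/coip.
set -eu

# Reject a portal link older than 15 minutes (links expire 15 minutes after generation).
# $1 = epoch seconds when the link was generated, $2 = current epoch seconds (defaults to now).
link_is_fresh() {
    generated="$1"
    now="${2:-$(date +%s)}"
    [ $((now - generated)) -le $((15 * 60)) ]
}

# Extract the downloaded package into $2 and print the path of the installer script.
# Fails unless exactly one executable *.sh is found, so a mangled or unexpected
# download is caught before anything runs as root.
find_install_script() {
    pkg="$1"
    workdir="$2"
    mkdir -p "$workdir"
    tar -xzf "$pkg" -C "$workdir"
    scripts=$(find "$workdir" -maxdepth 2 -type f -name '*.sh' -perm -u+x)
    count=$(printf '%s\n' "$scripts" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one executable install script, found $count" >&2
        return 1
    fi
    printf '%s\n' "$scripts"
}

# Post-install check: zLink creates a virtual interface named coip (Linux sysfs lookup).
coip_interface_present() {
    [ -d /sys/class/net/coip ]
}

# Whole flow: download while the link is valid, extract, run the installer as root, verify.
# $1 = package link copied from the portal, $2 = link generation time (epoch seconds),
# $3 = working directory (optional).
onboard_server() {
    link="$1"
    generated="$2"
    workdir="${3:-/tmp/zlink-onboard}"
    link_is_fresh "$generated" || { echo "link expired; generate a new one in the portal" >&2; return 1; }
    mkdir -p "$workdir"
    pkg="$workdir/zlink-package.tar.gz"
    curl -fsSL "$link" -o "$pkg"
    script=$(find_install_script "$pkg" "$workdir")
    sudo "$script"                     # installer must run with administrator privilege
    coip_interface_present || { echo "coip interface missing after install" >&2; return 1; }
    echo "server onboarded: coip interface present"
}

# Usage: sh onboard.sh 'https://<base-url>/<link-from-portal>' "$(date +%s)"
if [ "$#" -ge 2 ]; then
    onboard_server "$1" "$2"
fi
```

The freshness guard and the single-installer check are there so that a stale link or a wrong archive fails loudly before anything is executed with root privilege; after a successful run, the coip interface check is the same confirmation the guide asks you to make by hand.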
To install on Windows, extract the installer to a folder, and then run the install script as shown below. Do not attempt to run the installer without extracting, as the installation process may fail.
On Windows, the CoIP interface will appear as a new Ethernet adapter (172.24.1.1 in the example below).
You can confirm that the server is onboarded and registered to the zCenter portal by going to Onboarding and Management > Applications. Now, we see that one server has been onboarded to the App1 application.
You can see detailed information about this server, including the Zero Trust factors that are gathered about this server, by clicking on the pencil icon to the right of App1.
On this screen, click on the hostname to bring up the detailed view.
Configuring User Accounts and Roles
The next step in setting up user access is to set up user accounts and roles.
User accounts are logins for individual users. Credentials may be stored locally within the portal (a "local account"), or may be stored on your identity provider (that is, LDAP, SAML, OAuth, or OpenID Connect). Configuration of the identity provider is outside the scope of this guide.
User roles enable you to group users and assign role-based access controls to resources and applications.
Your portal comes with two pre-configured local accounts, testadmin and testuser, and two pre-configured user roles, "Standard Access" and "Admin Access". These pre-configured accounts and roles are for your convenience during initial onboarding, and you may edit or delete them as you begin to configure your own.
Username | Default Role(s) | Default Password
Admin Access, Standard Access
You can view these users and roles under the Onboarding and Management > Users page. Here, we can see that the Standard Access and Admin Access roles are configured for these users; based on the access policies that have been set up, these roles have been granted some access to resources in App1. You can click on the role to view more information about the role, or click on the application to see details of the access policy.
Logging in to the User Portal
The User Portal provides your users quick links to all of the resources granted by their user role. Logging in to the User Portal is simple: browse to https://<base-url>/launcher/. You will be prompted to enter your customer alias, which by default is your email domain. For example, if you signed up for Zentera Air service with the email firstname.lastname@example.org, your customer alias will be zentera.net:
After entering the customer alias, you will be prompted to authenticate using your user credentials.
NOTE: Multi-Factor Authentication is not enabled for the default test accounts. You may configure the MFA method of your choice, including hardware tokens or passwordless authentication, when used with your corporate IdP.
Once you have authenticated, you will be prompted to download and install the CoIP Launcher 2.0 client. If you have enabled CoIP Access (VPN-style connectivity) for your users, they will be prompted to enter an administrator password; administrator run level is not required for desktop access.
After CoIP Launcher 2.0 is installed, your User Portal will display in your browser as shown below. In this case, the testadmin account has access to the "Default App Profile" Application Profile; you may also click the button to the left to display the resources available for access. If you have onboarded a server to the App1 profile, you should see it displayed in this list.
Sliding the Connect slider to the ON position will enable the user to connect to resources. However, connections in CoIP Access Platform, the underlying technology used in Zentera Air, are established on-demand, for security purposes. This enables the security context of the connection to be reauthorized for each transaction. As shown below, the initial ping triggers the security re-evaluation, and has higher latency than the subsequent pings.
Enabling Desktop Access
To enable desktop access for a user, you must first specify servers as an Access Desktop. You can configure a server as an Access Desktop by viewing the list of servers (Onboarding and Management > Servers) and checking the box on the left to select the server, as shown below. You may select multiple servers at a time; you may also use the search fields or filters to narrow the list before you select servers.
Once selected, press the Enable Access button in the controls at the bottom of the page to enable the Access Desktop functionality.
Creating a User Role for Desktop Access
Once you have an Access Desktop, create a role for it in Onboarding and Management > Users. Click the "Role" tab, and select "Create Role". You can give your new role a name, and assign Access Desktops to that role. For an Access Desktop, select "Connect View - VNC/RDP" to set the remote desktop functionality level for the new role.
You can then assign the new role to your existing users, who will then be given permission to connect to the Access Desktop.
Using Remote Desktop Access
Users who are granted access to an Access Desktop will see that resource in the User Portal, as shown below.
Zentera Air supports multiple simultaneous VNC sessions; the user must first create a session using the "New Session" button, then enter the credentials to log in to the Access Desktop. If the credentials are accepted, CoIP Launcher will launch a viewer, allowing the user to access the remote machine.
Congratulations! If you followed this Getting Started guide, you've just onboarded Access Desktops and granted access to them using User Roles. You've also used and tested CoIP Access, enabling VPN-style network mode access to specific resources.
At this point, you can use the Default App Profile to explore other functions. Some ideas:
- Onboard a second server to the App2 application, and confirm unidirectional communication from App1 to App2
- Change the Access Policy settings, or create new ones, to explore the policy definition framework
- Turn on the Chamber mode to test the segmentation and workload protection controls
Or, you could create your own Application Profile to test with some of your applications.
If you need help or clarification on any part of Zentera Air, feel free to contact us at email@example.com, or create a ticket in our support portal.