Applies To

• Zentera Air Advanced
• Zentera Air Ultimate

About Services

A Service refers to a server that is made accessible through ZTNA, but onboarded through a Gateway Proxy, rather than the zLink agent.

The Gateway Proxy is a proxy for remote access traffic that terminates and filters ZTNA access. Since it is an agentless ZTNA model, it cannot provide Application Chamber functions.

Examples of Services that you may make accessible through a Gateway Proxy might include:

• On-prem LDAP services
• The corporate on-prem git repository
• Applications running on unsupported architectures (e.g. OS/2 or VMS)
• Embedded / IoT devices (e.g. IP cameras)

To onboard a Service, you must first create a Gateway Proxy in your network; once that is done, you can define Services to be exposed through that Gateway Proxy.

Deploying a Gateway Proxy

The process of deploying a Gateway Proxy is very similar to deploying a zLink agent on a server. The Gateway Proxy is a Linux appliance, and must be deployed to a supported operating system.  (see  Supported Operating Systems for details).

The Gateway Proxy deployment package is downloadable from the zCenter services portal. From Onboarding and Management > Services, click on Onboard Service and select Register Gateway Proxy to bring up the following window, which allows you to generate the installation package.

Once you have run the installer on the Gateway Proxy VM, you will see the Gateway Proxy in the list of available Gateway Proxies:

Creating a Service

Once you have deployed a Gateway Proxy, you may create a Service on that Gateway Proxy by selecting the target Gateway Proxy.

Then click Add Resource / Server to define a Service. The dialog box that comes up allows you to define the physical address for the target server, as well as the CoIP Address to be used to reference it.

The example below shows how an LDAP server with an IP address of 10.180.0.2 is configured to be accessible from remote hosts at the address 172.24.4.2.

You may then specify the ports that this Service is accessible by specifying Service Port Objects or Service Port Object Groups. Specifying a Service Port Object Group will filter the remote accesses to the Service so that only the ports and protocols defined in the Service Port Object are allowed.

Exposing a Service for Access

Once you have created a Service, you may grant access to it for Users, based on User Role, from an Application, or from another Service by creating an Access Policy.

Application traffic to the Service target on the physical network will be proxied through the Gateway Proxy. This means that on the physical network, application traffic will use the Gateway Proxy’s physical IP address as the source address.