Introduction

TransientAccess is a zero trust network access (ZTNA) solution which uses an application networking paradigm to simplify remote access, revolutionizing the way enterprises integrate 3rd party users. Remote users’ devices are never connected to corporate networks; instead, apps on the user’s device and apps in the corporate network are connected to each other independently of any physical network topology. It couples zero trust architecture with granular access control policies, application segmentation and full visibility into users’ and applications’ activities.

How it works

TransientAccess has three components:

  1. Controller: The component which authenticates and authorizes users and orchestrates connections. It is normally deployed in the TransientX cloud as a service (SaaS).
  2. Connector: Connectors are deployed in front of applications which will be accessed, usually in a private cloud or on-prem data center.
  3. Clients: Users install TransientAccess clients on their devices in order to access enterprise resources.

When an authenticated user requests access to a remote enterprise resource, a temporary network between apps on the user’s device and the enterprise resource (e.g. enterprise apps, servers) is created, as needed.

Connectors are never exposed to the Internet, have no incoming connections and are deployed behind firewalls and other existing security components. The end-to-end traffic is based on the DTLS protocol with 2048-bit keys.

TransientX sessions are established transparently, without requiring any changes in existing security configurations such as firewall ACLs.

Client devices and users authenticate to the TransientAccess Management Console (shown with a green dotted line in Fig. 1), which evaluates credentials and device security posture. It then orchestrates a session connecting the requested set of resources to authenticated users and devices. In so doing, it builds a one-time-use, ephemeral network between apps and requested resources such as business-critical apps, in a transparent way (shown with a blue line in Fig. 1).

Once established, all traffic between the devices and the requested apps is encrypted. Data downloaded and used by apps in the TransientAccess network is also encrypted at rest.

As a result, it is possible to instantly connect remote workers, contractors, partners, and BYOD devices to an enterprise’s perimeter without internet exposure.

Figure 1 – TransientX Solution


VPN Challenges Solved

TransientAccess’ key design tenet is application networking technology. This novel approach solves the majority of issues associated with VPNs:

Zero trust architecture

Unlike the implicit trust model inherent in VPNs, with TransientAccess users are pre-authorized before connecting to any resource, and transient application networks are built on demand among authorized apps only. Authorized users are connected with authorized apps on a need-to-know basis.

Devices are not part of the network

Unlike VPNs, remote devices are not brought into the corporate network; instead, enterprise applications are brought to authorized users using temporary application networks. This way, the risk of lateral movement is reduced significantly.

Resources are not exposed to the Internet

Neither connectors nor any applications or resources inside the network have inbound connections. When needed, they become a part of an invisible application network, spun up on demand, which conceals internal IP addresses.

Native micro-segmentation

TransientAccess inherently allows application micro-segmentation using transient application networks. This eliminates the need to create complex network segmentation strategies that require updates every time a network changes.

TransientAccess Benefits

Superior security

  • Application access is solely on authorization basis
  • Easy shift from network centric security models to application and user centric models
  • Internal resources are never exposed and lateral movement is impossible

Simple administration

  • Software defined architecture. No appliances or cross-team FW or ACL configuration changes
  • The majority of enterprise implementations can be finished in hours, compared to months or even years.
  • Enables simple micro-segmentation without network segmentation
  • No dependency on MDMs or DDOS appliances or any other security tools

Cost effective

  • Reduced TCO (Total cost of ownership) eliminates costs of inbound security appliances e.g. DDOS appliances or VPN concentrators.
  • There is no need to replicate security stack and it works in tandem with existing VPN solutions.

Onboarding Guidelines

Onboarding any company to TransientX starts with defining the essential elements: Users, Connectors, Workspaces, and Policies. TransientAccess Management Console is the main application to manage and configure those elements. It can also be used to customize login screens and distribute the workspaces.

Add Users

Users are the essential part of the overall solution offered by TransientX and should be defined first. Users can be defined either as a Company Administrator or a Company User. User definition can be done by using the TransientAccess Management Console, as described in paragraph Users. Only Company Administrators can access the TransientAccess Management Console.

Company Users are referenced in Policies to indicate which policy applies to them. TransientX offers Group functionality to eliminate the need to reference each user separately. For example, companies might prefer to distinguish between remote staff workers and remote customers in terms of security. Grouping allows Company Administrators to address the specifics of each group’s policies separately and efficiently.

Add Connectors

The Connector is an application allowing users to have controlled access to the perimeter, and is an essential element of the infrastructure. The Connector application should be installed on one of the Windows Servers located inside the private network. The following steps should be taken to make the Connector ready.

  1. Download the TransientAccess Connector Application from the TransientAccess Management Console, as described in paragraph Connectors.
  2. Define the Connector Administrator in the TransientAccess Management Console, as described in paragraph Connectors.
  3. Install the TransientAccess Connector Application on one of the Windows Servers located inside the private network to be accessed, as described in paragraph TransientAccess Connector.
  4. Log in to the TransientAccess Connector Application using the credentials obtained in step 2, as described in paragraph TransientAccess Connector.

Create Policies

Policies are the mechanisms that allow connections between Users, Workspaces, and Connectors with additional security measures. In other words, a Policy defines which Users/Groups will be enabled to connect to which Connector by way of which Workspace. Definition of Policies can be done using the TransientAccess Management Console, as described in paragraph Policies. A Policy can also be used to further increase security measures, including file encryption, Data Leak Protection, and Protection. File encryption can be done based on TransientAccess internal key pairs. It is also possible to use a dedicated certificate for encryption as part of the policy. Definition of Certificates can be done using the TransientAccess Management Console, as described in paragraph Certificates.

Customize Login Screen

Companies may choose to use their logo on TransientAccess Client Apps. This can be done by uploading the company logo using the TransientAccess Management Console, as described in paragraph Authentication.

First User Experience

After defining all the elements of TransientAccess architecture, the solution is ready for the first User experience. Users should use the TransientAccess Client App to have their secure connection to the protected Applications.

Before doing anything else, the TransientAccess Client App authenticates the User. Users should enter the credentials defined for them in the TransientAccess Management Console, as described in paragraph Add Users. Company Admins add the apps to the Policies (as local and/or remote apps) to enable Users to access and launch those apps.

Please note that clicking on the ‘X’ icon of the Client App only pushes the application to the background. In order to close the Client Application, the User must locate the TransientAccess Client App icon with the hidden icons on their task bar, right click, and select the Quit option. If Quit is selected, the TransientAccess Client App will immediately cease working. It is also possible to select “Signout” in the same manner, to sign the User out from the TransientAccess Client.

The TransientAccess Client App gives the User the opportunity of selecting the following options: Signout, Quit, Policy select, or getting App version by using the Menu icon, as described in paragraph TransientAccess Client.


Installation Manual

The TransientAccess solution is based on the following applications, which this chapter will explain:

  • TransientAccess Management Console
  • TransientAccess Connector
  • TransientAccess Client


TransientAccess Management Console

The TransientAccess Management Console is used by the Company Administrators to make necessary configurations and to monitor events. Installation will be made by TransientX Administrators. TransientAccess will generate a customer-specific URL through which the TransientAccess Management Console will be accessible (e.g. demo.portal.transientx.com).

TransientAccess Management Console is a Web-based application available at a customer-specific URL, and is accessible through web browsers (e.g. Chrome). The Company Administrator should launch any web browser and enter the customer-specific URL (e.g. demo.portal.transientx.com) to have access to it. The Company Administrator will be asked to enter their credentials before using the Application, as shown in Figure 2 – TransientAccess Management Console Login Screen. Initial credentials will be provided by TransientAccess. Company Administrator should change the password upon their first successful login.

Figure 2 – TransientAccess Management Console Login Screen

The Company Administrator should click the LOGIN button to start authentication. Authenticated Company Administrators are directed to the Dashboard page, as shown in Figure 3 – TransientAccess Management Console Dashboard Page.

Figure 3 – TransientAccess Management Console Dashboard Page

The TransientAccess Management Console includes four sections: Dashboard, Manage, Monitoring, and Configuration.

Dashboard Section

The Dashboard section includes three sub-sections, and gives statistical information regarding Users, Applications, and Workspaces within each sub-section, as shown in Figure 3 – TransientAccess Management Console Dashboard Page.

  • User section gives the number of Enrolled and Pending Users.
  • Applications section (deprecated) gives statistical information with respect to Application Usage. Numbers of Enrolled Devices, Active Devices, and Users are presented in tabular format, as well as in graphical representations, separated by tabs according to workspaces.
  • Workspaces section gives statistical information with respect to the used workspace, at which the numbers of Enrolled Devices, Active Devices, and Users are presented in tabular format as well as in graphical representations, separated by tabs according to workspaces.

Manage Section

Manage section includes three sub-sections: Workspaces, Policies, and Users. These sub-sections will be available at the side-menu when you click on the Manage section, as shown in Figure 4 – Manage Section.

Figure 4 – Manage Section

Platforms

When clicking on the Workspaces menu item, the Workspace management page appears, as shown in Figure 5 – Platforms Management. This page lists already-defined workspaces. It is possible to add new workspaces and update already-defined workspaces from this page.

Figure 5 – Platforms Management

‘Platform’ is the definition of the platform that a User will be employing to access the Apps served within SDP. Compatible platforms are Windows, iOS, and Android operating systems. The TransientX solution includes a TransientAccess Client Application which enables the opening of a secure, transient connection between the User and App. The TransientAccess Client App also applies additional security measures, as defined in the Policy that applies to the logged-in User.

TransientX supports Windows, iOS, and Android platforms. The Workspace Management page allows downloading or getting the link for the TransientAccess client application.

Downloading the TransientAccess Client App is possible by clicking on the Download hyperlink shown under the URL column for any workspace. Each workspace is listed as a row and comes with management functions such as “View/Edit”, “Get app link”, and “Delete”, as shown in Figure 6 – Platforms Actions. Management functions are listed as pop-up items after clicking on the Action icon at the end of a row.

Figure 6 – Platforms Actions

Policies

Upon clicking the Policies menu item, the Policy Management page appears, as shown in Figure 7 – Policy Management. This page lists already-defined Policies, and it is also possible to add new policies or update already-defined policies.

Figure 7 – Policy Management

Policies are the mechanisms that allow connections among Users, Workspaces, and Connectors with additional security measures. In other words, a Policy defines which Users/Groups will be enabled to connect to which Connector using which Workspace. A Policy can also be used to further increase security measures, including file encryption, Data Leak Protection, and Protection. File encryption can be done based on TransientX internal key pairs; it is also possible to use a dedicated certificate for encryption as part of the policy.

TransientAccess supports many Policies. Clicking the + icon enables Company Administrators to create a Policy. The Policy creation page includes six tabs, listed below. Each tab enables Admins to define a part of the policy.

  • General Tab
  • Apps Tab
  • Data Leak Protection Tab
  • Network Access Tab
  • Protection Tab
  • Users Tab.

The General Tab includes general definition of the Policy, such as the policy name, policy type (as application or workspace), applicable platform, version number, and a description of the policy, as shown in Figure 8 Policy – General Tab. One of the most important definitions in this section is to define the User’s workspace under the Platform item.

Figure 8 Policy – General Tab

The Apps Tab includes the applications to be used at the client. There are two types of applications: Remote Apps and Local Apps.

The Remote Apps sub-tab lists the apps defined by protocol. In this section the protocol and the remote location are defined. The client resolves the protocol and launches the default application registered for it. For example, if the default application for the http/https protocol is Chrome, an app defined as http://sap1 will be opened in Chrome. The Data Encryption tab includes the option of whether to apply transparent file encryption or not. Remote apps are defined as shown in Figure 9 Policy – Remote Apps.

Figure 9 Policy – Remote Apps

The Local Apps sub-tab includes the applications installed on the client machine. The full path of the application is given to define it. Client system variables may be used in the path in the format %systemdrive%. It is also possible to use wildcards (e.g. *) in the path while defining local apps. Example local apps are shown in Figure 10 Policy – Local Apps.

Figure 10 Policy – Local Apps
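As an added illustration (not part of the TransientX client), the following Python models how a Local Apps entry containing a %systemdrive%-style variable and a * wildcard can be matched against the path of a launched executable. The environment values, the sample paths, and the treatment of * as spanning directory separators are assumptions made for this example; the breadth check is added here to flag entries whose file name is nothing but a wildcard, since such an entry would admit any executable under that directory.

```python
"""Matching Local Apps path patterns against launched executables.

Added example, not TransientX code. Patterns follow the documented form:
a full path, optionally using %NAME% client variables and * wildcards.
Windows paths are compared case-insensitively and with backslashes.
"""
import fnmatch
import re


def expand_windows_vars(pattern, env):
    """Replace %NAME% tokens with values from env (names are case-insensitive,
    as on Windows). An undefined variable is an error rather than an empty
    string, so a typo cannot silently turn into a broader pattern."""
    lookup = {k.lower(): v for k, v in env.items()}

    def substitute(match):
        name = match.group(1)
        if name.lower() not in lookup:
            raise KeyError(f"undefined client variable %{name}%")
        return lookup[name.lower()]

    return re.sub(r"%([^%]+)%", substitute, pattern)


def normalize(path):
    """Canonical form for comparison: backslashes, lower case."""
    return path.replace("/", "\\").lower()


def matches_local_app(pattern, exe_path, env):
    """True if exe_path matches the Local Apps pattern after variable expansion.
    Assumption: * behaves like a shell glob and may span directory separators,
    so 'Program Files\\*\\excel.exe' also matches nested Office folders."""
    expanded = normalize(expand_windows_vars(pattern, env))
    return fnmatch.fnmatchcase(normalize(exe_path), expanded)


def allowed_launch(patterns, exe_path, env):
    """Return the first pattern that admits exe_path, or None if none does."""
    for pattern in patterns:
        if matches_local_app(pattern, exe_path, env):
            return pattern
    return None


def is_overly_broad(pattern, env):
    """True when the file-name component is only wildcards (e.g. '%systemdrive%\\*'),
    i.e. the entry does not name an executable at all."""
    expanded = normalize(expand_windows_vars(pattern, env))
    file_name = expanded.rsplit("\\", 1)[-1]
    return set(file_name) <= {"*", "?"}


# Constructed client environment and policy entries for the example.
CLIENT_ENV = {"SystemDrive": "C:", "ProgramFiles": "C:\\Program Files"}
LOCAL_APPS = [
    r"%systemdrive%\Program Files\*\excel.exe",   # any Office layout
    r"%systemdrive%\Windows\System32\mstsc.exe",  # fixed path
]


if __name__ == "__main__":
    for exe in (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                r"D:\Tools\excel.exe"):
        print(exe, "->", allowed_launch(LOCAL_APPS, exe, CLIENT_ENV))
    for entry in LOCAL_APPS + [r"%systemdrive%\*"]:
        print(entry, "broad" if is_overly_broad(entry, CLIENT_ENV) else "ok")
```

Run it as a script to see which of the constructed paths each entry admits; the broad check is the review a practitioner would apply to a policy before distributing it, because a pattern ending in a bare * turns a per-application allowlist into a per-directory one.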


The Data Leak Protection tab enables defining optional protections on the client side. Admins can enable or disable:

  • Transparent file encryption
  • Copy/Paste protection
  • Screen recording/capturing protection
  • Key logger protection
  • Printing protection
  • Visual indication of containerized apps

All these settings are applicable at client side and defined as shown in Figure 11 Policy – Data Leak Protection Tab. These are enhanced security features to prevent all kinds of data leakage at the client.

The Data Encryption setting includes the option of whether to apply transparent file encryption or not. If applied, the encryption key to be used is also defined here, or a random key per client is enforced. Admins also define the duration before the content is disposed of.

Figure 11 Policy – Data Leak Protection Tab

The Network Access Tab comes with three sub-tabs as “Connections”, “Access Control List”, and “DNS Settings”.

The Connections sub-tab enables admins to define which Connectors are used in this policy, as shown in Figure 12 Policy – Network Access – Connectors Tab. Company Administrators can search for and select the defined Connectors in this sub-tab. To add connectors to the Policy, first enable the “Use following TransientX connectors while accessing remotely:” check box. After that, type the connector names in the Connectors edit box and select the connector to add it to the list. It is possible to define more than one connector; doing so increases the availability and scalability of the system. It is highly recommended to use at least two separate machines for connectors and to distribute the connectors evenly across them.

The TransientAccess client comes with two modes, “Application Only” and “All Device”. The required mode is defined in the policy, and the client behaves accordingly based on the selected policy.

When the policy is set to “Application Only”, only the applications started from the Client or App Portal are able to access the target network, whereas applications launched directly from the host OS are not.

When the policy is set to “All Device” mode, any application started from the host OS is able to access the target network. In this mode, “Data Leak Protection” features are not applied.

Figure 12 Policy – Network Access – Connectors Tab


The “Access Control List” sub-tab enables Company Administrators to define the access rules for the users of this Policy, as shown in Figure 13 Policy – Network Access – Access Control List Tab. A rule set may contain many rules, and it is evaluated in order from top to bottom. “Allow” means the connector will allow the connection to the specified application. “Block” means the connector will block the connection to the specified application. If the user request matches no rule in the rule set, it is evaluated as a Skip rule, meaning that the client accesses the application directly rather than through the connector.

Company Admins can also define the port numbers of the resources to be accessed, to achieve nano-segmentation.

Please note that the “Access Control List” defines which traffic is tunneled to the target network. Therefore, all required internal resources need to be included here, which includes for example (if used):

  • Internal DNS server
  • Resources accessed from within the applications
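The first-match semantics described above (evaluation top to bottom, Allow or Block on the first matching rule, Skip with direct access when nothing matches) can be modelled in a few lines. The following is an added example written for this guide, not TransientX code: the rule format (hostname, IP or CIDR target plus an optional port) and the rule set are constructed assumptions, and the shadowed-rule check is a review step added here to catch rules that an earlier, broader rule makes unreachable, which is the ordering mistake a top-to-bottom rule set invites.

```python
"""First-match evaluation of a TransientAccess-style Access Control List.

Added example, not TransientX code. Semantics follow the documentation:
rules run top to bottom; "allow" tunnels the connection via the connector,
"block" refuses it, and a request matching no rule is "skip" (the client
reaches the destination directly, not through the connector).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    target: str                 # hostname, single IP, or CIDR block (assumed format)
    port: Optional[int] = None  # None means any port

    def matches(self, host: str, port: int) -> bool:
        if self.port is not None and self.port != port:
            return False
        try:
            net = ipaddress.ip_network(self.target, strict=False)
        except ValueError:
            # target is a hostname: compare names case-insensitively
            return host.lower() == self.target.lower()
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False  # a hostname request never matches an IP/CIDR rule


def evaluate(rules: List[Rule], host: str, port: int) -> str:
    """Return "allow", "block", or "skip" for the first rule that matches."""
    for rule in rules:
        if rule.matches(host, port):
            return rule.action
    return "skip"


def _covers(earlier_target: str, later_target: str) -> bool:
    """True if every destination of later_target also matches earlier_target."""
    try:
        earlier = ipaddress.ip_network(earlier_target, strict=False)
        later = ipaddress.ip_network(later_target, strict=False)
    except ValueError:
        return earlier_target.lower() == later_target.lower()
    return later.subnet_of(earlier)


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    matches every request they would (any port, or the same port)."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.port not in (None, later.port):
                continue
            if _covers(earlier.target, later.target):
                hits.append(i)
                break
    return hits


# Constructed rule set for a policy (order matters: the block precedes the
# broad allow, otherwise it would be unreachable).
POLICY_RULES = [
    Rule("allow", "10.0.0.53", 53),     # internal DNS server, DNS port only
    Rule("block", "10.0.5.0/24"),       # segment this policy must never reach
    Rule("allow", "10.0.0.0/8"),        # remainder of the private network
    Rule("allow", "sap1", 443),         # named app host on its service port only
]


def tunnel_decision(host: str, port: int) -> str:
    return evaluate(POLICY_RULES, host, port)


if __name__ == "__main__":
    for host, port in [("10.0.0.53", 53), ("10.0.5.7", 443), ("sap1", 443),
                       ("sap1", 22), ("203.0.113.9", 443)]:
        print(f"{host}:{port} -> {tunnel_decision(host, port)}")
    print("shadowed rules:", shadowed(POLICY_RULES))
```

Note that a hostname rule such as sap1 on port 22 falls through to Skip, so the client would go direct; anything that must traverse the connector (the internal DNS server, for instance) has to appear explicitly, as the paragraph above states.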

Figure 13 Policy – Network Access – Access Control List Tab


The “DNS Settings” sub-tab enables Company Administrators to define custom DNS settings for the users of this Policy, as shown in Figure 14 Policy – Network Access – DNS Settings.

Figure 14 Policy – Network Access – DNS Settings


The Protection tab enables Admins to add additional anti-debugging, anti-virtual machine, and jailbreak protections, as shown in Figure 15 Policy – Protection Tab.

Figure 15 Policy – Protection Tab


The Users tab enables Admins to add applicable users for a policy, as shown in Figure 16 Policy – Users Tab. This is the final, most important aspect of Policy definition. By adding Users/Groups here, Company Administrators define the Users who are going to obey this Policy.

Figure 16 Policy – Users Tab


Upon completion, clicking the Save button enables the Policy to be used in operations. It is also possible to change the settings of any defined policy or delete any of them later, by clicking the Action icon and then selecting the appropriate action, as shown in Figure 17 Policy Actions.

Figure 17 Policy Actions


Connectors

Upon clicking the “Connectors” menu item, the Connectors page appears, as shown in Figure 18 Connectors. This page lists already-defined Connectors. It is possible to add, update or delete Connectors from this page.

Figure 18 Connectors

The Connectors page includes a download icon to download the Connector Application. The download starts after clicking the selected download link. Installation details can be found in paragraph TransientAccess Connector.

Clicking the + icon enables Company Administrators to define a Connector that can be used in operation, as shown in Figure 19 Connector Definition. The Connector definition page includes the following details about the Connector Administrator to be defined:

  • Name
  • Login Name
  • Password

This Connector Administrator should be used within the TransientAccess Connector Application Authentication process, as indicated in paragraph TransientAccess Connector. Only this Connector Administrator is allowed access to the TransientAccess Connector Application.

Figure 19 Connector Definition

It is also possible to Edit or Delete a VPN Gateway (Connector) using the Action icon displayed at the end of each Connector definition, as shown in Figure 20 VPN Gateway (Connector) Actions.

Figure 20 VPN Gateway (Connector) Actions


Users

Upon clicking the Users menu item, the Users Management page appears. This page lists already-defined Users. The Users sub-sections enable Company Administrators to define Users and Groups.

Users are an essential part of the overall solution offered by TransientX, and should be defined first. Users can be defined as being either Company Administrators or Company Users. Defined Company Administrators are allowed to log in to the TransientAccess Management Console, whereas defined Company Users are not. Defined Company Users are allowed only to access the protected Apps of SDP in accordance with the Policy applicable to them. Company Users should be included within the Policy to be used, as described in paragraph Policies.

TransientAccess offers Group functionality to eliminate the need to reference each User individually. For example, companies might prefer to distinguish remote staff workers from remote customers in terms of security. Grouping allows Admins to address the specifics of each group’s policies separately. A Group combines Users under a logical description so that a Policy can be applied to the group rather than defined for each User (although it is possible to do so). At the Group tab, it is possible to add a new Group, update any already-defined Group, or delete any Group, as shown in Figure 20 User Groups.

Figure 20 User Groups

TransientAccess supports the ability to define many Groups. Clicking the + icon enables Company Administrators to create a Group. The Group create page includes only a name, since it is a logical grouping of the Users as shown in Figure 21 Create Group. When a User is defined, Company Administrator indicates which Group(s) that User belongs to. It is possible to assign a User to several Groups.

Figure 21 Create Group

Upon clicking the Save button, the Group is created and listed on the page. Editing, Blocking, or deleting a Group is also possible through the action icon displayed at the end of the row, as shown in Figure 22 Group Actions.

Figure 22 Group Actions


At the User tab, it is possible to add, update or delete a User, as shown in Figure 23 Users.

Figure 23 Users


TransientAccess supports many Users. Clicking the + icon enables Company Administrators to create a User, as shown in Figure 24 Create User. The User create page includes the following details about the User to be defined:

  • Login name
  • First name
  • Last name
  • Email
  • Role (Options are Company Administrator and Company User)
  • Groups (Selecting more than one group is possible)
  • Option to select “Receive System Notifications” (Available for Company Administrators only).

Figure 24 Create User

Upon clicking the Save button, the new User will be created and listed on the page as Inactive. An activation email is sent to the defined User, as shown in Figure 25 User Activation Label.

Figure 25 User Activation Label

When the User clicks on the “Confirm Now” button, the User is activated in the system and asked to enter a password, as shown in Figure 26 User Password Change.

Figure 26 User Password Change

Editing, Blocking, or Deleting a User is also possible using the action icon displayed at the end of the row, as shown in Figure 27 User Actions. Possible actions are Edit User, Reset Password of the User, Block the User, and Delete the User. If the User is blocked, their status is changed to Blocked. The Reset Password action will send an email to the user to enable password change.

Figure 27 User Actions


Monitoring Section

The Monitoring section includes two sub-sections, Audit Events and Security. These sub-sections become available at the side-menu when Company Administrators click on the Monitoring section, as shown in Figure 28 Monitoring.

Figure 28 Monitoring

Audit Events

Upon clicking the “Audit Events” menu item, the Audit page appears. This page lists all events logged that day, as shown in Figure 29 Monitoring – Audit Events.

Figure 29 Monitoring – Audit Events

Details about a listed Event can be displayed by clicking the Details icon at the end of each row.

It is also possible to filter events based on date, users, and event types, as shown in Figure 30 Filtering Audit Events. The Filter menu opens when the Company Administrator clicks on the Filter icon.

Figure 30 Filtering Audit Events

Event types are:

  • Create (deprecated)
  • Delete (deprecated)
  • Download (deprecated)
  • Forgot password
  • Login
  • Logout
  • Patch File (deprecated)
  • Update (deprecated)

It is also possible to export events in CSV format by clicking on the “EXPORT TO CSV” button.

Security Events

Upon clicking the “Security Events” menu item, the page listing security events appears, as shown in Figure 31 Monitoring – Security Events.

Figure 31 Monitoring – Security Events

It is also possible to filter events based on date, users, and event types, as shown in Figure 32 Filtering Security Events. The Filter menu opens when the Company Administrator clicks on the Filter icon.

Figure 32 Filtering Security Events

Event types are:

  • Tunnel: Connector connection of the user
  • Connection: Application access of the user through a connection
  • DNS: Resolved IP address

It is also possible to export events in CSV format by clicking on the “EXPORT TO CSV” button.


Configuration Section

The Configuration section includes three sub-sections, Authentication, Certificates, and VPN Gateways. These sub-sections become available at the side-menu when Company Administrators click the Configuration section, as shown in Figure 33 Configuration.

Figure 33 Configuration

Authentication

Clicking the Authentication menu item causes the Login customization page to appear, at which Company Administrators can customize the company logo and the Welcome text, as shown in Figure 34 Configuration – Login Page Customization. The Authentication section also includes an “Identity Provider” sub-tab at which external 3rd party Identity Providers can be defined.

Figure 34 Configuration – Login Page Customization


Identity Providers

This section enables Company Administrators to define external Identity Provider systems. Supported IdPs are:

  • SAML 2.0 Providers
  • Microsoft Azure AD
  • Active Directory/LDAP

Figure 35 Supported Identity Providers

Active Directory / LDAP Providers

  1. Cloud App: Define IdP

a) Go to portal (<company>.portal.transientx.com)

b) Login to your company

c) Go to Configure>Authentication>Identity Providers

d) Click Add Provider

e) Select Microsoft Active Directory/LDAP and click NEXT button to proceed.

f) Fill in the form in accordance with the definitions given below.


    • Vendor – Select provider type (LDAP or Active Directory)
    • Identity Provider Name – Enter the name of the provider
    • Username LDAP attribute – Name of the LDAP attribute which is mapped to the TransientX Internal IdP as the username (e.g. ‘uid’). For Active Directory it can be ‘sAMAccountName’ or ‘cn’. The attribute must be populated for every LDAP user record you want to import from LDAP into the TransientX Internal IdP; for example, use the mail attribute if you want the e-mail address as the username in the TransientX Internal IdP.
    • RDN LDAP attribute – The Relative Distinguished Name LDAP attribute. This is the list of attributes searched when a user attempts to authenticate. The attributes listed here should be unique within an OU level or, better yet, unique within the domain. Usually it is the same as the Username LDAP attribute.
    • UUID LDAP attribute – Name of the LDAP attribute used as the unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors it is ‘entryUUID’, but some differ; for Active Directory it should be ‘objectGUID’. If your LDAP server really does not support the notion of a UUID, you can use any other attribute that is expected to be unique among the LDAP users in the tree, for example ‘uid’ or ‘entryDN’. Any standard LDAP v3 directory should use ‘entryUUID’.
    • User Object Classes – The ‘types’ of objects which can be used for authentication. You can specify more if your organization has other specific identifiers such as ‘staff’ or ‘contractor’. The default for Microsoft AD is: person, organizationalPerson, user.
    • LDAP connection URL – Enter connection URL (e.g. ldap://ldap.example.com:389). In case the port number is not specified in the connection URL, then the standard port number 389 is used.
    • LDAP Users DN – This is the Distinguished Name for the location where you can find your users (example: ou=Users,dc=example,dc=com).
    • Authentication Type – Select Authentication type. Simple: Requires username (in a DN form) and a password. None: Username and password passed as empty strings.
    • LDAP Bind DN – Enter bind DN (username in a DN form). This is the Distinguished Name for the user account which you will use to authenticate against your LDAP service in order to allow Keycloak to authenticate users.
    • Bind Credential – Enter the bind password. This is the password for the user account configured in the LDAP Bind DN.

g) Click the Apply button and check for the “Ready for Next Steps” message at the top right corner.

h) Click Next button

i) In the “Path” input field, enter the path to the location of users or groups (e.g. ‘dc=example,dc=com’)

j) In the “Group Filter” field, specify the type of users / groups you want to add (e.g. ‘ou = *’ to display all available groups)

k) Click GET button

l) Map the groups

m) Click Next Button and wait until Finish button appears.

n) Click Finish

o) Make the identity provider active.
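Before submitting the provider form in step f, the field values can be checked offline. The following Python is an added example, not part of TransientX: it uses the field names from the form above, takes the default port 389 for ldap:// from the description of the LDAP connection URL field, assumes 636 for ldaps:// (the standard LDAP-over-TLS port), and embeds two constructed provider definitions, one correct and one with typical mistakes (wrong UUID attribute for the vendor, a bind name that is not a DN, an empty bind credential, no object classes).

```python
"""Offline sanity checks for an Active Directory / LDAP identity provider form.

Added example, not TransientX code. Field names mirror the form above;
vendor-specific attribute expectations come from the field descriptions.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}        # 389 per the form; 636 assumed for ldaps
EXPECTED_UUID_ATTR = {"Active Directory": "objectGUID", "LDAP": "entryUUID"}
# attribute=value pairs separated by commas, e.g. ou=Users,dc=example,dc=com
DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*\s*=\s*[^,=]+(\s*,\s*[A-Za-z][\w-]*\s*=\s*[^,=]+)*\s*$")


def parse_ldap_url(url):
    """Return (scheme, host, port); the port falls back to the scheme default."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an LDAP connection URL: {url!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def is_dn(value):
    return bool(DN_RE.match(value or ""))


def validate_provider(cfg):
    """Return a list of (severity, message) findings; an empty list means the
    form values are consistent with the field definitions."""
    findings = []
    vendor = cfg.get("vendor")
    if vendor not in EXPECTED_UUID_ATTR:
        findings.append(("error", f"unknown vendor {vendor!r}"))
    elif cfg.get("uuid_attribute") != EXPECTED_UUID_ATTR[vendor]:
        findings.append(("warn", f"{vendor} normally uses {EXPECTED_UUID_ATTR[vendor]!r} "
                                 f"as UUID attribute, got {cfg.get('uuid_attribute')!r}"))
    try:
        scheme, host, port = parse_ldap_url(cfg.get("connection_url", ""))
        if scheme == "ldap":
            findings.append(("warn", f"{host}:{port} uses plain ldap://; the bind "
                                     "credential travels unencrypted unless StartTLS is used"))
    except ValueError as exc:
        findings.append(("error", str(exc)))
    if not is_dn(cfg.get("users_dn")):
        findings.append(("error", "LDAP Users DN must be a distinguished name "
                                  "such as ou=Users,dc=example,dc=com"))
    auth = cfg.get("authentication_type")
    if auth == "Simple":
        if not is_dn(cfg.get("bind_dn")):
            findings.append(("error", "Simple authentication requires LDAP Bind DN in DN form"))
        if not cfg.get("bind_credential"):
            findings.append(("error", "Simple authentication requires a Bind Credential"))
    elif auth == "None":
        findings.append(("warn", "authentication type None binds anonymously; "
                                 "the directory must allow anonymous user searches"))
    else:
        findings.append(("error", f"authentication type must be Simple or None, got {auth!r}"))
    if not cfg.get("user_object_classes"):
        findings.append(("error", "User Object Classes must not be empty"))
    return findings


# Constructed provider definitions (hostnames, DNs and the password are placeholders).
AD_PROVIDER = {
    "vendor": "Active Directory",
    "identity_provider_name": "Corp AD",
    "username_attribute": "sAMAccountName",
    "rdn_attribute": "sAMAccountName",
    "uuid_attribute": "objectGUID",
    "user_object_classes": ["person", "organizationalPerson", "user"],
    "connection_url": "ldaps://dc01.example.com",
    "users_dn": "ou=Users,dc=example,dc=com",
    "authentication_type": "Simple",
    "bind_dn": "cn=svc-transientx,ou=Service Accounts,dc=example,dc=com",
    "bind_credential": "<bind-password-placeholder>",
}
MISCONFIGURED_PROVIDER = dict(
    AD_PROVIDER,
    uuid_attribute="entryUUID",            # wrong for Active Directory
    connection_url="ldap://dc01.example.com",
    bind_dn="svc-transientx",              # a login name, not a DN
    bind_credential="",
    user_object_classes=[],
)

if __name__ == "__main__":
    for name, cfg in (("good", AD_PROVIDER), ("bad", MISCONFIGURED_PROVIDER)):
        print(name, validate_provider(cfg) or "OK")
```

Errors correspond to values the wizard would reject or that would make every login fail; warnings flag settings that work but weaken the setup, which is the distinction an administrator wants before clicking Apply.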


SAML 2.0 Identity Providers


1- Okta SAML: Application creation at Okta

1.1. Register new Azure A/D Application

  1. Login to https://www.okta.com/
  2. Click on “My Applications” at the Dashboard screen
  3. Click on the “Admin” button in the upper right corner
  4. Click on “Security” -> “API”
  5. Click on “Token”
  6. Click on the “Create Token” button
  7. Enter the name of the token and click “Create Token”
  8. Copy the API token and click “Ok, got it”
  9. Click on “Applications” -> “Applications”
  10. Click on the “Add Application” button
  11. Click on the “Create New App” button
  12. In the window that opens, select “Platform”: “Web” and “Sign on method”: “SAML 2.0”
  13. Click “Create”
  14. In the window that opens, enter the name of the App and click “Next”
  15. Click on the “Show Advanced Settings” link
  16. Check the box “Allow application to initiate Single Logout”
  17. In the next input fields enter “https://temp”:
    – Single sign on URL
    – Audience URI (SP Entity ID)
    – Default RelayState
    – Single Logout URL
  18. Click the “Download Okta Certificate” button on the right side of the window and download the certificate
  19. Change downloaded certificate file name extension to “cer” from “cert”
  20. Go to the “Signature Certificate” menu item, click “Browse ..” and select the downloaded certificate file
  21. Click on the “Upload Certificate” button
  22. Scroll to the bottom of the page and click “Next.”
  23. Select the radio button “I’m a software vendor. I’d like to integrate my app with Okta” and click the “Finish” button
  24. Click on the “Assignments” tab and assign groups to application
  25. Click on the “Sign On” tab, click the “View Setup Instructions” button
  26. Copy “Identity Provider Single Sign-On URL” and “Identity Provider Single Logout URL

 

2- Cloud App: wizard steps

  1. Go to the portal (<company>.portal.transientx.com)
  2. Log in to your company
  3. Go to Configure > Authentication > Identity Providers
  4. Click Add Provider
  5. Select SAML Provider
  6. Fill in the following fields with the previously saved data (steps 8 and 26 of “Okta SAML: Application creation at Okta”):
    – Sign On URL: Identity Provider Single Sign-On URL
    – Sign Out URL: Identity Provider Single Logout URL
    – API Token
  7. In the Domain Name field, enter a domain name that matches the Sign On / Sign Out URL
  8. Fill in the “Alias” field
  9. Fill in the “Domain” field
  10. Click the “Apply” button
  11. Click the “Next” button
  12. Map groups
  13. Click the “Next” button
  14. Copy the Redirect URI and click “Finish”
  15. Make the identity provider active

3- Okta SAML: finishing application setup

  1. Log in to https://www.okta.com/
  2. Click the right main menu item (the one showing the username) and select “Your Org”
  3. Click the “Admin” button in the upper right corner
  4. Click “Applications” -> “Applications”
  5. Click the name of the created application
  6. Click the “General” tab
  7. Scroll to the “SAML Settings” section and click the “Edit” button
  8. Click the “Next” button
  9. Click the “Show Advanced Settings” link
  10. Replace the “https://temp” placeholder with the Redirect URI (obtained at step 14 of “Cloud App: wizard steps”) in the following fields:
    – Single sign on URL
    – Audience URI (SP Entity ID)
    – Default RelayState
    – Single Logout URL
  11. Click the “Next” button
  12. Click the “Finish” button

 

Microsoft Azure AD

Company Administrators can define Microsoft Azure AD as an external IdP by applying the following steps.

1- Azure AD: Application creation at Azure AD

1.1 Register a new Azure AD Application

  1. Log in to the Azure Portal (https://portal.azure.com)
  2. Go to “Azure Active Directory” > “App registrations”
  3. Click “New registration”
  4. Enter a name (e.g. trsx_ad_test). Enter the placeholder “https://test” as the Redirect URI; it is replaced with the real value in “Azure AD: finishing application setup” below.
  5. Click “Register”

1.2 Give API Permissions

  1. Go to “API permissions”
  2. Click “Add a permission”
  3. Click “Microsoft Graph”
  4. Click “Application permissions”
  5. Go to “Directory”. Check “Directory.Read.All”
  6. Go to “Group”. Check “Group.Read.All”
  7. Go to “User”. Check “User.Read.All”
  8. Click the “Add permissions” button
  9. Click “Grant admin consent for Default Directory”. These are application permissions: they let the integration read the users and groups of the whole tenant without a signed-in user, which is why tenant-admin consent is required.
  10. Click “Yes” in the confirmation dialog
  11. Go to “Overview”
  12. Copy and save the Application (client) ID and Directory (tenant) ID; they are needed later to configure the portal application

 

1.3 Define Endpoints

  1. Click “Endpoints”
  2. Copy and save the SAML-P sign-on endpoint and SAML-P sign-out endpoint; they are needed later to configure the portal application
  3. Go to “Certificates & secrets” and click “New client secret”
  4. Enter a description for the client secret, select an expiration period and click the “Add” button
  5. Copy and save the client secret; its value is shown only once and is needed later to configure the portal application. Note the expiration date: the integration stops authenticating users when the secret expires, so plan its rotation.
  6. Go to “All services”, then select “Enterprise applications” under the “Identity” section
  7. Click your application
  8. Go to “Users and groups” and add all users and groups that should be able to sign in

 

2- Cloud App: Define IdP

  1. Go to the portal (<company>.portal.transientx.com)
  2. Log in to your company
  3. Go to Configure > Authentication > Identity Providers
  4. Click Add Provider
  5. Select Microsoft Azure AD
  6. Fill in the form with the parameters saved before:
    • Identity Provider Name: a unique name for the provider
    • Sign On URL: the SAML-P sign-on endpoint recorded at step 2 of “1.3 Define Endpoints”
    • Sign Out URL: the SAML-P sign-out endpoint recorded at step 2 of “1.3 Define Endpoints”
    • Alias: a unique name (no spaces)
    • Client ID: the Application (client) ID recorded at step 12 of “1.2 Give API Permissions”
    • Tenant ID: the Directory (tenant) ID recorded at step 12 of “1.2 Give API Permissions”
    • Client Secret: the client secret recorded at step 5 of “1.3 Define Endpoints”
  7. Click the Apply button and confirm that the “Ready for Next Steps” message appears at the top right corner
  8. Click the Next button
  9. Map groups
  10. Click the Next button
  11. Copy and save the Redirect URL; it is needed to continue the configuration in the Azure portal
  12. Click Finish
  13. Make the identity provider active

 

3- Azure AD: finishing application setup

  1. Log in to https://portal.azure.com
  2. Go to “Azure Active Directory” > “App registrations”
  3. Select your registered application and click “Branding”
  4. Fill in the following fields with the Redirect URL (from step 11 of “2- Cloud App: Define IdP”):
    – Homepage URL
    – Terms of Service URL
    – Privacy Statement URL
  5. Click “Save”
  6. Select “Authentication”
  7. Fill in the following fields with the Redirect URL (from step 11 of “2- Cloud App: Define IdP”), replacing the “https://test” placeholder:
    – Redirect URIs: Redirect URI
    – Advanced Settings: Logout URL
  8. Click “Save”
  9. Select “Expose an API” and click “Add a Scope”
  10. Set the following field and save:
    – Application ID URI: the Redirect URL (from step 11 of “2- Cloud App: Define IdP”) without the trailing “/broker/<alias>/endpoint”
  11. Finish
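Both SAML procedures above copy one value from the portal wizard and derive another from it: the Okta wizard requires a Domain Name that matches the Sign On / Sign Out URLs, and the Azure AD setup requires the Application ID URI to be the Redirect URL with the trailing /broker/<alias>/endpoint removed. The helper functions below are an added example for this page, not TransientAccess, Okta or Microsoft code. The sample URLs are constructed placeholders, and the path segment in front of /broker/ is made up; use the Redirect URL the wizard actually shows.

```shell
#!/usr/bin/env bash
# Added example, not TransientAccess code: derive and sanity-check the values
# that are copied between the portal wizard and the IdP. Sample URLs are
# constructed placeholders; the path in front of /broker/ is not the real one.

# Host part of an https:// URL, e.g. dev-123.okta.com
url_host() {
  local rest="${1#*://}"
  rest="${rest%%/*}"
  echo "${rest%%:*}"
}

# Okta wizard: the Domain Name must match both the Sign On and Sign Out URLs.
# Returns 0 when both hosts equal the given domain, 1 otherwise.
domain_matches_sso() {  # usage: domain_matches_sso <domain> <sign-on-url> <sign-out-url>
  [ "$(url_host "$2")" = "$1" ] && [ "$(url_host "$3")" = "$1" ]
}

# Alias embedded in a broker Redirect URL of the form .../broker/<alias>/endpoint
alias_from_redirect() {
  local url="$1" tail
  tail="${url##*/broker/}"
  [ "$tail" != "$url" ] || return 1          # no /broker/ segment at all
  echo "${tail%/endpoint}"
}

# Azure AD "Application ID URI": the Redirect URL without /broker/<alias>/endpoint.
# Fails if the URL does not end that way or the alias differs from the expected one.
app_id_uri_from_redirect() {  # usage: app_id_uri_from_redirect <redirect-url> <expected-alias>
  local url="$1" suffix="/broker/$2/endpoint"
  case $url in
    *"$suffix") echo "${url%$suffix}" ;;
    *) echo "error: $url does not end with $suffix" >&2; return 1 ;;
  esac
}

# Redirect URI, Logout URL and Application ID URI to paste into the Azure app
# registration, given the Redirect URL copied from the portal wizard and the alias.
azure_values_for() {  # usage: azure_values_for <redirect-url> <alias>
  local app_id
  app_id=$(app_id_uri_from_redirect "$1" "$2") || return 1
  printf 'Redirect URI:       %s\nLogout URL:         %s\nApplication ID URI: %s\n' "$1" "$1" "$app_id"
}
```

azure_values_for <redirect-url> <alias> prints the three values to paste into the app registration and refuses to derive an Application ID URI when the alias in the URL differs from the one configured in the portal, so a copy-and-paste mix-up between two providers is caught before it reaches Azure. domain_matches_sso does the equivalent check for the Okta Domain Name field.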

TransientAccess Connector

The Connector is the application that gives users controlled access to the applications served within the SDP, and is an essential element of the infrastructure. It is installed on a server located inside the private network that hosts the applications to be accessed; it needs no inbound connectivity from the Internet. The Connector is available for Windows and Linux.

TransientAccess Connector for Windows

TransientAccess Connector for Windows can be downloaded from the “Connectors” section of the TransientAccess Management Console. The Connectors page includes a download icon to download the TransientAccess Connector Application. This Application is installed to a Windows Server, which acts as the connector for zero trust network access (ZTNA) solution. Upon clicking the download icon, a pop-up window appears, giving the option to select Windows x86 or x64, as shown in Figure 36 Connector Download. Download starts after clicking the selected download link.

Figure 36 Connector Download

The downloaded Connector Application is a self-extracting file and asks for a destination folder to extract content to. Extract the content to the desired folder and run the TrsxGateway executable file.

Upon running the TrsxGateway executable, it asks for Company ID, as shown in Figure 37 TransientAccess Connector – Company ID.

Figure 37 TransientAccess Connector – Company ID

Enter the credentials defined in the “Connectors” section of the TransientAccess Management Console, as shown in Figure 38 TransientAccess Connector – Login Credentials. These are the credentials defined under Configuration > Connectors; refer to paragraph 3.1.2.3 Connectors for how to define them.

Figure 38 TransientAccess Connector – Login Credentials

Once the connector credentials are accepted, the application shows its main status page, with statistics about throughput, data sent and data received, and connection details including the connector name, domain name, and IP addresses, as shown in Figure 39 TransientAccess Connector Application. The “CONNECTIONS” tab lists the active connections.

Figure 39 TransientAccess Connector Application

 

TransientAccess Connector for Linux

TransientAccess Connector also supports Linux. For production environments the Linux-based Connector is recommended because of its higher performance on that operating system. The Linux Connector is distributed as a Docker image to simplify installation. It can be installed in two ways: automated and manual.

Automated Installation

To start the installation, execute the following command with root privileges:

bash <(curl -s https://transientx.com/downloads/trsx_install_connector.sh)

This fetches the script from transientx.com and runs it directly in a root shell. Where your change-control process requires it, download the script to a file first, review it, and then run it with bash.

The script shows the following menu:

*** Main Menu ***
Please enter your choice…
1 -> Initial Setup
2 -> Add Connector
3 -> Advanced Setup
0 -> Quit

 

Initial Installation:

On the Main Menu, enter 1 and press Enter.

The script updates and upgrades the Linux packages, installs Docker, and downloads the connector image. It then asks the following questions to deploy a connector:

  • company name: enter the full domain name of your company (e.g. demo.portal.transientx.com)
  • connector name: enter the connector name defined in the WebApp
  • connector password: enter the password of that connector as defined in the WebApp

Confirm your settings when the script asks. The script then offers to deploy more connectors; proceed accordingly.

Add additional connectors:

After the initial installation you may want to add more connectors. Run the script again and select 2 at the Main Menu. It asks which image to use for the connector and for the same details listed above.

Advanced setup:

Advanced Setup is reserved for TransientX technical staff; ask TransientX for assistance before using that menu.

Note that the script also modifies the start-up configuration of the Linux host so that the Docker containers start automatically when the machine restarts.

Manual Installation

Follow these steps to deploy the Connector Docker image manually.

  1. Copy or download the distributable Docker image archive to a directory on the Docker host. The archive name has the format trsx_connector_x64_1.4.0.0_1200.tar.gz:

$ wget www.transientx.com/downloads/trsx_connector_x64_1.4.0.0_1200.tar.gz

  2. Load the image from the tar archive:

$ sudo docker load -i trsx_connector_x64_1.4.0.0_1200.tar.gz

  3. Check that the image is loaded (use the repository and tag reported here in the following commands):

$ sudo docker images
REPOSITORY            TAG           IMAGE ID        CREATED         SIZE
trsx/connector_x64    1.0.10.0_0    cc52f871a9bd    13 hours ago    350MB

  4. Create a new named container from the image:

$ sudo docker create --env GATEWAY_AUTH_LOGIN=connector5 --env GATEWAY_AUTH_COMPANY=<companyname>.portal.transientx.com --env GATEWAY_AUTH_PASSWORD=<password> --env GATEWAY_AUTH_REMEMBER_ME=yes --name connector5 trsx/connector_x64:1.0.10.0_0

    Where:
    GATEWAY_AUTH_LOGIN=connector5 is the login (username) of the connector instance, as defined in the Management Console
    --name connector5 is the container name
    <companyname> is your company name
    Note that a password given on the command line this way is recorded in the shell history and remains visible in docker inspect output; restrict access to the host and the Docker socket accordingly.

  5. Check that the container is created:

$ sudo docker ps -a
CONTAINER ID    IMAGE                            COMMAND                   CREATED         STATUS     PORTS    NAMES
536a99b43c17    trsx/connector_x64:1.0.10.0_0    “/usr/bin/supervisor…”    5 seconds ago   Created             connector5

  6. Start the container by name or ID:

$ sudo docker start connector5
$ sudo docker start 536a99b43c17

  7. Stop the container by name or ID:

$ sudo docker stop connector5
$ sudo docker stop 536a99b43c17

  8. Delete the container by name or ID:

$ sudo docker rm connector5
$ sudo docker rm 536a99b43c17

  9. Delete the image by tag or ID:

$ sudo docker rmi trsx/connector_x64:1.0.10.0_0
$ sudo docker rmi cc52f871a9bd

Note that, unlike the automated installation, these steps do not configure the container to start automatically after a reboot; the start-up configuration (for example a Docker restart policy) must be set separately.
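The docker create command above puts the connector password on the command line, where it lands in the shell history and is visible in process listings while the command runs, and it creates the container without a restart policy. The following script is an added example for this page, not TransientAccess code: it keeps the GATEWAY_AUTH_* variables in an owner-only env file passed with --env-file, creates the container with --restart unless-stopped so it comes back after a reboot, and adds a small status check. The image tag and connector values follow the page’s example; that the host runs systemd and that the caller may use the Docker socket are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not TransientAccess code: deploy a Linux connector container
# with (a) the credentials in an owner-only env file instead of on the command
# line, so the password stays out of the shell history and process listings,
# and (b) a Docker restart policy so the container returns after a reboot.
# Image name/tag and connector values follow the page's example; the systemd
# call assumes a systemd host. Nothing here is a real deployment.

IMAGE="trsx/connector_x64:1.0.10.0_0"

# Write the GATEWAY_AUTH_* variables to a file readable only by its owner.
# The password is read from standard input (pipe it from a secret store or a
# `read -s` prompt) rather than passed as an argument.
write_connector_env() {  # usage: write_connector_env <file> <connector-name> <company-domain>   (password on stdin)
  local file="$1" name="$2" company="$3" password=""
  IFS= read -r password
  rm -f "$file"                       # recreate so the 0600 mode below applies
  (
    umask 077                         # new file is created with mode 0600
    {
      printf 'GATEWAY_AUTH_LOGIN=%s\n'   "$name"
      printf 'GATEWAY_AUTH_COMPANY=%s\n' "$company"
      printf 'GATEWAY_AUTH_PASSWORD=%s\n' "$password"
      printf 'GATEWAY_AUTH_REMEMBER_ME=yes\n'
    } > "$file"
  )
}

# Create the container from the env file with a restart policy, then start it.
# The variables are still readable via `docker inspect`, so access to the
# Docker socket must be treated like root access.
deploy_connector() {  # usage: deploy_connector <connector-name> <env-file>
  docker create --env-file "$2" --restart unless-stopped --name "$1" "$IMAGE"
  docker start "$1"
}

# Apply the restart policy to a connector created without one (for example with
# the page's docker create command) and make sure the daemon itself starts at boot.
enable_autostart() {  # usage: enable_autostart <connector-name>
  docker update --restart unless-stopped "$1"
  systemctl enable docker
}

# Quick health view: container state and the last log lines.
connector_status() {  # usage: connector_status <connector-name>
  docker ps --filter "name=$1" --format '{{.Names}}\t{{.Status}}'
  docker logs --tail 20 "$1"
}
```

Feed the password on standard input (for example from a secrets manager) to write_connector_env and then call deploy_connector; for a container that was already created with the page’s command, enable_autostart applies the restart policy without recreating it. The env file should live on the host with the same protection as the Docker socket, since anyone who can run docker inspect can read the variables anyway.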

TransientAccess Client

The TransientAccess Client is an easy-to-install application available for Windows, macOS, iOS, and Android.

For Windows, the TransientAccess Client should be downloaded from the URL distributed by the System Admin. For iOS and macOS it is available from the Apple App Store, and for Android from Google Play.

Downloading and installing on the mobile platforms is straightforward, no different from any other mobile app. Downloading and installing on Windows differs, as described below.

The TransientAccess Client works in “App Only” or “All Device” mode.

“App Only” mode gives users access to resources only through applications started from the TransientAccess Client. “All Device” mode gives users access to resources through any application started on the client machine. Which mode the client uses is defined in the Policy; “App Only” is the more restrictive choice because it limits which processes on the device can reach the corporate applications.

The latest client can be installed from the transientx.com/downloads page through the Application Portal.

When the Client App is run/executed from any platform, it asks for a Company Name (e.g. demo.portal.transientx.com), as shown in Figure 40 TransientAccess Client App – Company Name. After entering the Company Name, click the Next button to proceed.

Figure 40 TransientAccess Client App – Company Name

If the Company name is correct, the Client App asks for User credentials for the login process, as shown in Figure 41 TransientAccess Client App – Login.

Figure 41 TransientAccess Client App – Login

After successful login, TransientAccess Client connects to the User selected Policy, as shown in Figure 42 TransientAccess Client App.

Figure 42 TransientAccess Client App

Any defined client app can be launched using the Action icon at the end of the App’s row (Hint: double click on the icon also opens the app), as shown in Figure 43 TransientAccess Client – Application Actions.

Figure 43 TransientAccess Client – Application Actions

 

Please note that on the Windows platform, clicking the ‘X’ icon of the TransientAccess Client App only pushes the application to the background. To close the TransientAccess Client Application, locate its icon among the hidden icons of the task bar, right-click, and select Quit, as shown in Figure 44 TransientAccess Client App Taskbar Actions. Selecting Quit stops the TransientAccess Client App immediately. “Sign out” is also available at the same location, to sign the User out of the TransientAccess Client.

Figure 44 TransientAccess Client App Taskbar Actions

When the User clicks the Menu icon for the TransientAccess Client App, as shown in Figure 45 TransientAccess Client App Main Menu, the User will have the options to Sign out, Quit, Select the Policy, or get ‘About’ information. Selecting Quit will make the Client App cease running, selecting Signout will make the logged-in User log out, selecting Policy will give the User the option to choose the to-be-used Policy, and selecting About will make the Client App provide information regarding the Application, including the version information.

Figure 45 TransientAccess Client App Main Menu
