Component interaction

This section provides an overview of how the various components in an Access deployment interact with each other. The following table describes how each component interacts with Access, both in an Access-only deployment and in a deployment with Standalone Sentry.

Table 1. Component interaction with Access

Component: Access administrative portal
  Access: All Access related configurations, monitoring, and reporting are done in the Access administrative portal.
  Access + Standalone Sentry: All Access related configurations, monitoring, and reporting are done in the Access administrative portal.

Component: UEM
  Access: Managed apps which use Tunnel, the Tunnel app, and configurations are pushed from UEM. Access gets device posture information from UEM.
  Access + Standalone Sentry: Managed apps which use Tunnel, the Tunnel app, and configurations are pushed from UEM.

Component: Tunnel
  Access: Tunnel establishes trust with Access. Only authentication traffic to Access goes through Tunnel. To trigger Tunnel, apply the Tunnel VPN configuration to the managed apps and AppConnect apps.
  Access + Standalone Sentry: Tunnel establishes trust with Access. Only authentication traffic to Access goes through Tunnel. To trigger Tunnel, apply the Tunnel VPN configuration to the managed apps and AppConnect apps.

Component: Standalone Sentry
  Access: Not applicable.
  Access + Standalone Sentry: Access gets device posture information from Standalone Sentry.
    Standalone Sentry:
    - gets the following from the Access administrative portal:
      - SP and IdP federated pairings
      - conditional rules for access control
      - SSL certificates and signing certificates (X.509 certificate and corresponding private key)
    - captures information on which users, devices, and apps authenticate to the enterprise cloud service. This information is reported in the Access administrative portal.
    - communicates with the Access administrative portal on port 443.
    - syncs up with Access at 15-minute intervals. To force an update of configuration changes to Standalone Sentry, use the following CLI command in CONFIG mode:
      accs config-fetch update

UEM compliance actions and policies

Policies configured in a UEM define the checks on device posture and the compliance actions to take if the device is non-compliant. Access does the following if devices are out of compliance:

  • Access blocks the connection to the cloud service if a device is non-compliant (violates a UEM policy) and a blocking action is set up against the corresponding policy. If the policy has a non-blocking action (such as email, monitor, or notify) for the violation, Access does not take any action.
  • For Core and Connected Cloud, Access quarantines the connection to the cloud service if a device is non-compliant (violates a UEM policy) and a quarantine action is set up against the corresponding policy.
    However, for Cloud, Access does not take any action against a corresponding quarantine policy.

In addition, you can configure Access to revoke a session token if a device is non-compliant. For more information on device compliance for session revocation, see About session revocation.
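The decision matrix above is easy to misread, in particular the quarantine case that differs between Core/Connected Cloud and Cloud. The following is an added Python model of it, not code from the Access product; the policy record shape, the function names, the rule that the most restrictive outcome wins when several policies are violated, and the assumption that session revocation triggers on any violation are all assumptions of this example.

```python
# Added example: a model of the Access compliance-action behaviour described above.
# Assumptions (not from the product documentation): the Policy record shape, the
# "most restrictive outcome wins" rule across several violated policies, and that
# session revocation, when enabled, fires on any policy violation.
from dataclasses import dataclass
from typing import Dict, List

BLOCKING = {"block"}
QUARANTINE = {"quarantine"}
NON_BLOCKING = {"email", "monitor", "notify"}  # Access takes no action for these
QUARANTINE_CAPABLE_UEMS = {"Core", "Connected Cloud"}  # Cloud ignores quarantine


@dataclass
class Policy:
    name: str
    action: str      # compliance action configured against this policy in UEM
    violated: bool   # device posture as reported by UEM or Standalone Sentry


def policy_outcome(uem: str, policy: Policy) -> str:
    """Outcome of one policy for a cloud-service connection: allow, block or quarantine."""
    if not policy.violated:
        return "allow"
    if policy.action in BLOCKING:
        return "block"
    if policy.action in QUARANTINE:
        # Quarantine is honoured for Core and Connected Cloud only; Cloud takes no action.
        return "quarantine" if uem in QUARANTINE_CAPABLE_UEMS else "allow"
    if policy.action in NON_BLOCKING:
        return "allow"
    raise ValueError(f"unknown compliance action: {policy.action}")


SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def device_decision(uem: str, policies: List[Policy], revoke_sessions: bool = False) -> Dict[str, object]:
    """Evaluate all policies for a device (assumption: most restrictive outcome wins).

    revoke_sessions models the optional Access setting that revokes the session
    token of a non-compliant device; here it fires on any violated policy.
    """
    outcome = max((policy_outcome(uem, p) for p in policies),
                  key=SEVERITY.__getitem__, default="allow")
    violated = any(p.violated for p in policies)
    return {"outcome": outcome, "revoke_session": revoke_sessions and violated}
```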

For more information on UEM compliance actions and policies, see the respective Core or Cloud guides.