Working with Applications and Application Groups


Introduction

After you have defined the user authentication system for your Ivanti Neurons for Zero Trust Access (nZTA) service, you can:

An application, or application group, can be associated with only one secure access policy.

Adding Applications to the Controller

For each application you want to make available through nZTA, you add an application definition to the Controller. Application definitions are referenced from a secure access policy in the following ways:

  • A single application can be referenced from a secure access policy to identify an application for the policy.
  • Multiple applications can be referenced from an application group, to enable all of the applications in the application group to be identified for a secure access policy.

To add an application:

  1. Log into the Controller as a Tenant Admin, see Logging in as a Tenant Administrator.

  2. From the nZTA menu, click the Secure Access icon, then select Manage Applications > Applications.

    The Applications page appears. This page lists all applications defined on the Controller.

    Applications Page

    This page also includes a built-in application called Application discovery. The Application Detail for this application is *:*, indicating that it applies to all unlisted applications. This application is used by the nZTA application discovery feature, and cannot be deleted.

  3. Click Create Application.

    A form appears enabling you to create the application.

    Add an Application

  4. Enter the Application Name.

  5. Enter the Application Details. That is, the URI (Uniform Resource Identifier) you use to access the application. To view a complete list of valid entries for this field, see Defining Applications and Application Groups.

  6. For scenarios that require one or more additional domains to be associated with an application, select Allowed Domains:

    Adding allowed domains for an application

    Add your domains through one of the following methods:

    • Individually, by entering valid domains in the Enter Allowed Domain text box, then selecting Add Domain to add the domains to the list. You can add several domains at the same time by using a comma (,) separator. Repeat this step for each domain you want to add.
    • In bulk, by uploading a Comma-Separated Value (CSV) text file containing the full list of your domains.

    Domains added to this list must conform to the same scheme rules as the URI used in the Application Details field. To view a complete list of valid domain schemes, see Defining Applications and Application Groups.

    In the list of added domains:

    • To edit an entry, click the three dots next to the entry and then select Edit.
    • To remove an individual entry, click the three dots next to the entry and then select Delete.
    • To remove all entries, select all check boxes and click Delete.

  7. For HTTP/HTTPS applications, the SAML Access setting appears.

    The Controller can use SAML to provide a secure connection to your application or resource. In this scenario, nZTA acts as a SAML Identity Provider (IdP), with the application acting as the SAML Service Provider (SP). To learn more about using SAML, see SAML Authentication.

    • Disable this setting if you are using an application-level login for the application.
    • Enable this setting if you are using SAML single sign-on for the application. Then:
      • Under Download IdP Metadata, click the Download the IDP metadata file link and save the IdP metadata file.
      • Log into your application and upload the IdP metadata file. Refer to the product documentation for the third-party application for details of this process.
      • In the application, download the SAML metadata as a file. Refer to the product documentation for the third-party application for details of this process.
      • Under Upload the file below, select and upload the SAML metadata file from the application.
      • You must keep the SAML metadata up-to-date, especially after renewing certificates. This is essential for a secure and successful SaaS Apps SAML SSO flow. Regularly updating configurations in both the Identity Provider and Service Providers helps prevent authentication failures and ensures the security of the authentication process.

  8. (Optional) If you want to add custom SAML attributes, use Attribute and Value to add key-value pairs. Click Add to add an attribute pair, and repeat as required.

    Added attributes are displayed beneath the input fields. Click the corresponding X indicator to remove an attribute.

  9. To associate an icon with this application, either:

    • Select an Application Icon from the list of supported icons. This field auto-populates based on the scheme you use in Application Details.
    • Click Upload your own Icon to upload a bespoke image file as the reusable custom icon. Then select the icon from the list to associate to this application. Make sure your icon is in JPEG format using the maximum dimensions 48 x 48 pixels (maximum file size 1 MB). Ivanti recommends you use only square images for your application icons. You can edit or remove the uploaded custom icon.
  10. Enter a Description for the application.

  11. (Optional) To create a bookmark for this application, select Create bookmark for application.

    Use the Bookmark option, where applicable, to allow the end user to copy the Application Details URI for use with other applications. For example, a TCP URI can be bookmarked to facilitate copy and paste into VNC or similar.

  12. (Optional) To enable application discovery for this application, select Enable Application Discovery.

    To use application discovery, your application must be defined as a wildcard-prefixed FQDN (for example, "*.example.com"). To learn more about application discovery, see Defining Applications and Application Groups.

  13. (Optional) If you want to add the new application to an application group, select the Add to Application Group check box, and then select the required application group.

    When using SAML authentication, make sure you add to a single application group only those applications that use the same SAML authentication source.

  14. To save this application and create another application, select the Create another check box.

  15. Click Create Application.

    The new application appears in the list of applications.

    Applications can also be added to the Controller during the Create Secure Access Policy workflow, see Workflow: Publishing Applications to nZTA Gateways.

    After you have defined your applications in the Controller, you can publish the actual applications to your nZTA Gateways, see Workflow: Publishing Applications to nZTA Gateways.

Editing and Deleting Applications

To edit an existing application definition, select the corresponding check box and click Edit. nZTA shows the Edit Application form, populated with the details of the application. Use this form to update the name and other details of your application.

For SAML applications, you can use the Upload SAML Metadata form to replace the previously uploaded metadata definition file with a new or modified version. However, be aware that federation metadata files can be digitally signed and, in that case, cannot be manually edited prior to upload back into nZTA. In this scenario, you must obtain a new digitally signed metadata file from your SAML SP suitable for uploading through this page. The parameters in an unsigned metadata file can be edited before the file is re-uploaded.
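The two SAML caveats on this page, keeping SP metadata current after certificate renewal (step 7 above) and not hand-editing a digitally signed metadata file, are easy to check before an upload. The following Python script is an added example and is not nZTA or Ivanti code: it parses a Service Provider metadata document with the standard library, reports the entityID and Assertion Consumer Service endpoints, flags an expired validUntil window or a non-HTTPS endpoint as blocking, and reports whether the document carries an XML signature (in which case a corrected file must come from the SP, not from an editor). The sample metadata is constructed for the example; the function and field names are this example's own.

```python
"""Pre-upload inspection of a SAML Service Provider (SP) metadata file.

Constructed example, not nZTA code. It checks the points that matter for a
working and secure SSO flow before the file is uploaded to the Controller:
entityID, ACS endpoints, validity window, certificate presence, and whether
the document is XML-signed (a signed document must be re-issued by the SP
rather than edited by hand).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a minimal, unsigned SP metadata document.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.example.com/saml/metadata"
    validUntil="2030-01-01T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_saml_time(value):
    """SAML metadata uses xs:dateTime in UTC, e.g. 2030-01-01T00:00:00Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def inspect_sp_metadata(xml_text, now_iso=None):
    """Return a report dict; 'ok' is False when any blocking finding exists."""
    now = _parse_saml_time(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")

    findings, warnings = [], []
    entity_id = root.get("entityID")
    if not entity_id:
        findings.append("missing entityID")

    # A ds:Signature directly under the root means the file is digitally signed.
    signed = root.find("ds:Signature", NS) is not None
    if not signed:
        warnings.append("metadata is unsigned; integrity rests on the upload channel")

    expired = False
    valid_until = root.get("validUntil")
    if valid_until:
        expired = _parse_saml_time(valid_until) <= now
        if expired:
            findings.append("metadata validUntil %s has passed" % valid_until)

    acs, certificates, wants_signed = [], 0, False
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        findings.append("no SPSSODescriptor: this is not SP metadata")
    else:
        wants_signed = sp.get("WantAssertionsSigned", "false").lower() == "true"
        if not wants_signed:
            warnings.append("SP does not require signed assertions")
        certificates = len(sp.findall(
            "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
        if certificates == 0:
            findings.append("no X509Certificate in SP metadata")
        for svc in sp.findall("md:AssertionConsumerService", NS):
            location = svc.get("Location", "")
            acs.append(location)
            if not location.startswith("https://"):
                findings.append("ACS endpoint is not HTTPS: %s" % location)
        if not acs:
            findings.append("no AssertionConsumerService endpoint")

    return {
        "entity_id": entity_id,
        "signed": signed,
        "expired": expired,
        "acs": acs,
        "certificates": certificates,
        "wants_assertions_signed": wants_signed,
        "findings": findings,
        "warnings": warnings,
        "ok": not findings,
    }


if __name__ == "__main__":
    report = inspect_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in report.items():
        print("%-24s %s" % (key, value))
```

Run it against the real SP export before uploading; when `signed` is true and a value needs to change, request a fresh export from the application rather than editing the file, since the signature would no longer verify.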

To delete an existing application, select the corresponding check box and click Delete.

You cannot delete the Application discovery application.

Adding Application Groups to the Controller

Multiple applications can be referenced from an application group.

When you select an application group during any subsequent process, all applications in the group are included automatically.

That is:

For SAML authentication, make sure you add to a single application group only those applications that use the same SAML authentication source. A secure access policy can associate an application group with only one authentication method. Therefore, all applications added to the group must use the same SAML metadata for authentication.

To create an application group:

  1. Log into the Controller as a Tenant Admin, see Logging in as a Tenant Administrator.

  2. From the nZTA menu, click the Secure Access icon, then select Manage Applications > Application Groups.

    The Application Groups page appears. This page lists all application groups defined on the Controller.

  3. Click Create Application Group.

    The Create Application Group form appears.

    Add an Application Group

  4. Enter the Group Name.

  5. Select the Applications you want to add to the group.

    You cannot add the Application discovery application to a group.

  6. Click Create Application Group.

    The application group is added to the list.

Workflow: Publishing Applications to nZTA Gateways

After you have added any required application definitions to the Controller, you can publish these definitions to your nZTA Gateway(s) so that they are available for use.

To publish applications to the nZTA Gateway(s), start the Create Secure Access Policy workflow.

You can access the Create Secure Access Policy workflow from:

To start the Create Secure Access Policy workflow using the toolbar:

  1. Log into the Controller as a Tenant Admin, see Logging in as a Tenant Administrator.

    The Network Overview page appears.

  2. Click the Workflows pull-down menu, and then select the Create Secure Access Policy workflow.

    Select the Create Secure Access Policy Workflow

    The Create Secure Access Policy workflow appears.

The Create Secure Access Policy workflow includes a multi-step workflow:

After the Create Secure Access Policy workflow finishes, all selected applications are pushed to the selected nZTA Gateway.

If you are using multiple gateways, you will need to repeat the publication process for each gateway.

Selecting Applications for Publication

The Select or Create Applications step of the Create Secure Access Policy workflow enables you to create a new application, or to select an existing application that you want to publish.

You can also create applications independently of the Create Secure Access Policy workflow, see Adding Applications to the Controller.

To select an existing application:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to nZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select or Create Application step.

  3. Click Select an Application and select the required application from the drop-down list.

  4. (Optional) If you want to add the application to an application group, select the Add to Group check box, and then select the required application group.

    The applications in a group can be published as a single action.

    To learn more about the process of creating an application group, see Adding Application Groups to the Controller.

  5. Click Next to continue to the next step of the workflow, see Selecting Device Policies for Applications.

To create a new application:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to nZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select or Create Application step.

  3. Click Select an Application and select Add New Application.

    The Add New Application form appears.

  4. To add a new Application, follow the steps described in Adding Applications to the Controller.

  5. (Optional) If you want to add the new application to an application group, select the Add to Group check box, and then select the required application group.

    The applications in a group can be published as a single action.

    To learn more about the process of creating an application group, see Adding Application Groups to the Controller.

  6. Click Next to continue to the next step of the workflow, see Selecting Device Policies for Applications.

Selecting Device Policies for Applications

The Select Device Policies step of the Create Secure Access Policy workflow enables you to select the required device policy for the application that you want to publish.

To create device policies, see Creating Device Policies and Device Policy Rules.

To select device policies:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to nZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select Device Policies step.

    A list of existing device policies appears.

  3. Select a device policy.

  4. Click Next to continue to the next step of the workflow, see Selecting User Rules for Applications.

Selecting User Rules for Applications

The Select or Create User Rules step of the Create Secure Access Policy workflow enables you to compile a list of one or more user rules (and the groups to which they optionally belong) that apply to the applications you want to publish.

You can create user rules independently of the Create Secure Access Policy workflow, see Creating User Rules.
You can create user groups independently of the Create Secure Access Policy workflow, see Creating User Groups.
You can create authentication policies independently of the Create Secure Access Policy workflow, see Working with User Authentication.

To create a user rule:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to nZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select or Create User Rules step.

  3. For the user group, either:

    • Click Select or Create User Group(s), and select the required user group.
    • Click the plus symbol for the Select or Create User Group(s) property, and create the required user group using a Group Name, an Authentication Policy and (optionally) a Description.
  4. For the authentication policy, either:

    • Click Select an Authentication Policy, and select the required policy.
    • Click the plus symbol for the Select an Authentication Policy property, and create the required authentication policy, see Working with User Authentication.
  5. For the user rule, either:

    • Click Select or Create Rule, and select the required user rule.
    • Click the plus symbol for the Select or Create Rule property, and create the required user rule:
      • Enter a Rule Name for the rule.
      • Click Select Attribute Type and select the required authentication attribute type. The following options are supported: Username, SAML (Azure AD) and Custom.
      • Click Expression and select either Matching or Not Matching.
      • Enter the required User match string for the selected Expression. Wildcard matches are supported. For example: *
      • Click Add to List.
  6. Click Add User Rule.

    The new user rule is added to the list of rules.

  7. (Optional) Repeat steps 3 to 6 to create additional rules, if required.

  8. In the list of rules, select each rule that is required by enabling its check box.

  9. Click Next to continue to the next step of the workflow, see Confirming the Create Secure Access Policy Workflow.
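The user rule fields in step 5 (attribute type, Matching or Not Matching, and a match string in which * is a wildcard) are easiest to reason about when you can evaluate a draft rule set against sample users before selecting it in a policy. The following Python script is an added example and is not Ivanti code. It assumes, as this example's own conventions rather than documented nZTA behaviour, that comparison is case-insensitive, that SAML and Custom rules read a named attribute from the user's claims, and that access is granted when any selected rule matches; the rule and user data are constructed.

```python
"""Evaluate draft user rules of the form (attribute type, expression, match)
against sample users.

Constructed example, not nZTA code. Assumptions of this example only:
case-insensitive matching, SAML/Custom rules reading a named user attribute,
and OR semantics between the selected rules.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class UserRule:
    name: str
    attribute_type: str        # "Username", "SAML" or "Custom"
    expression: str            # "Matching" or "Not Matching"
    match: str                 # wildcard string, e.g. "*@corp.example.com" or "*"
    attribute_name: str = ""   # SAML/Custom only: which attribute to read


def _attribute_value(user, rule):
    """Pick the string the rule is compared against."""
    if rule.attribute_type == "Username":
        return user.get("username", "")
    if rule.attribute_type in ("SAML", "Custom"):
        # Missing attribute yields "", which a Not Matching rule will accept:
        # a caveat worth checking when a rule is meant to exclude a population.
        return user.get("attributes", {}).get(rule.attribute_name, "")
    raise ValueError("unknown attribute type %r" % rule.attribute_type)


def rule_matches(rule, user):
    """True when the rule's expression holds for this user."""
    value = _attribute_value(user, rule)
    hit = fnmatchcase(value.lower(), rule.match.lower())   # '*' and '?' wildcards
    if rule.expression == "Matching":
        return hit
    if rule.expression == "Not Matching":
        return not hit
    raise ValueError("unknown expression %r" % rule.expression)


def matching_rules(rules, user):
    """Names of the rules that apply to the user, in rule order."""
    return [r.name for r in rules if rule_matches(r, user)]


def access_allowed(rules, user):
    """Assumed OR semantics: any matching selected rule grants access."""
    return bool(matching_rules(rules, user))


# Constructed sample rules and users.
SAMPLE_RULES = [
    UserRule("corp-users", "Username", "Matching", "*@corp.example.com"),
    UserRule("no-contractors", "SAML", "Not Matching", "contractor*", "department"),
    UserRule("catch-all", "Username", "Matching", "*"),
]
ALICE = {"username": "Alice@Corp.Example.com",
         "attributes": {"department": "Engineering"}}
BOB = {"username": "bob@partner.example.net",
       "attributes": {"department": "Contractor-Pool"}}
NO_CLAIMS = {"username": "svc-account@corp.example.com", "attributes": {}}


if __name__ == "__main__":
    for user in (ALICE, BOB, NO_CLAIMS):
        print(user["username"], "->", matching_rules(SAMPLE_RULES, user))
```

Note the third sample user: with no department claim, the Not Matching rule still applies, so an exclusion rule alone does not guarantee that only users with the expected attribute get through; pair it with a Matching rule on the attribute you require.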

To select an existing user rule:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to nZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select or Create User Rules step.

    The Select or Create User Rules page lists all existing user rules.

  3. In the list of rules, select each rule that is required by enabling its check box.

  4. Click Next to continue to the next step of the workflow, see Confirming the Create Secure Access Policy Workflow.

Selecting an nZTA Gateway for your Applications

The Select Gateways step of the Create Secure Access Policy workflow enables you to identify the nZTA Gateway to which you want to publish applications.

To select the required nZTA Gateway(s):

  1. Access the Create Secure Access Policy page, see Workflow: Publishing Applications to nZTA Gateways.
  2. On the Create Secure Access Policy page, select the Select Gateways step.
  3. Click Select Gateway and select the required nZTA Gateway.
  4. Click Next to continue to the next step of the workflow, see Confirming the Create Secure Access Policy Workflow.

Confirming the Create Secure Access Policy Workflow

After you have successfully completed all steps of the Create Secure Access Policy workflow, the final Summary step of the workflow becomes active.

This step displays all information that was defined/gathered during the Create Secure Access Policy workflow, and enables you to complete the workflow.

  1. Access the Create Secure Access Policy workflow.

  2. In the Create Secure Access Policy workflow, select the Summary step.

    A summary page displays all information that was defined/gathered during the previous steps.

  3. Examine the summary information.

  4. Click Finish to confirm the summary and complete the Create Secure Access Policy workflow.

The applications are published to the selected nZTA Gateway.

After you have published applications to your nZTA Gateway(s), users can enroll their desktop and mobile devices, see Enrolling Mobile/Desktop Clients.