Ivanti Neurons for Zero Trust Access: Tenant Admin Guide

Contents

• End User License Agreement
• Preface
  • Document conventions
    • Text formatting conventions
    • Command syntax conventions
    • Code Block
    • Notes and Warnings
  • Requesting Technical Support
    • Self-Help Online Tools and Resources
    • Opening a Case with PSGSC
  • Reporting Documentation Issues
• About this Guide
• Overview of Ivanti Neurons for Zero Trust Access
  • Securing a Diverse Application Infrastructure
  • Hyper-Converged Zero-Trust Access
  • An Overview of Ivanti Neurons for Zero Trust Access
  • Deploying and Using nZTA
  • Using a Custom Domain
  • Deploying Gateways
    • Using Gateway Groups for High Availability
  • Defining User Authentication
    • Creating User Authentication Methods
    • Using User Authentication Policies
    • Defining User Authentication Rules and Groups
  • Publishing Applications
    • Defining Applications and Application Groups
    • Defining User Rules and User Rule Groups
    • Creating Device Policies and Device Policy Rules
  • Enrolling a User Device
    • Existing ICS Users
    • First Time Users
    • Existing nZTA Users
  • Viewing Licensing/Subscription Usage
  • Summary of Steps to Configure Your nZTA Deployment
• Logging in as a Tenant Admin
  • Preparing to Login
  • Logging into the Controller as a Tenant Admin
    • Working with the Onboarding Wizard
    • Viewing the nZTA Network Overview
    • Changing the UI Theme
    • Setting the Timezone
    • Configuring Session Timeouts
    • Resetting All Filters and Selections
  • Logging out of the Controller
• Specifying a Custom Domain
  • Introduction
  • Configuring a Custom Domain
  • Checking the Configured Domain
• Configuring CASB/SWG
• Working With User Authentication
  • Introduction
  • Viewing User Authentication Methods
  • Viewing User Authentication Policies
  • Creating User Rules and User Groups
    • Creating User Rules
    • Creating User Groups
    • Associating User Groups with Admin Roles
  • Workflow: Creating a Local Authentication Policy
  • Workflow: Creating a SAML Authentication Policy With Azure AD
    • Configuring Azure AD with Service Provider Metadata from the Controller
    • Configuring MFA with Azure AD (Optional)
    • Configuring nZTA to use Azure AD Security Groups (Optional)
  • Workflow: Creating an Authentication Policy for On-Premises ICS SAML
    • Configuring Secondary Authentication for On-Premises ICS (Optional)
    • Configuring a SAML Identity Provider in Ivanti Connect Secure
    • Configuring a Metadata Provider in Ivanti Connect Secure
    • Defining an On-Premises SAML Authentication Method
    • Defining Authentication Policies for On-Premises SAML Authentication
    • Configuring ICS with Controller Metadata
  • Workflow: Creating a SAML Authentication Policy for Okta
    • Creating an Okta SAML Application
    • Using Okta Group Attribute Statements to Categorize Users
    • Defining and Applying Okta Authentication in nZTA
  • Workflow: Creating a SAML Authentication Policy for Ping Identity
    • Creating a PingID SAML Application
    • Defining and Applying PingID Authentication in nZTA
    • Updating Your PingID SAML Application with Your SP Metadata
  • Workflow: Adding TOTP to an Authentication Policy
    • Unlocking Locked User Accounts
• Working With Gateways
  • Introduction
    • High Availability
    • Gateway Deployment Workflows
  • Configuring Networks in your Gateway Datacenter
  • Using Dynamic IP Addressing to Profile Client Traffic
  • White-listing Required IP Addresses for your Services
  • Viewing and Monitoring Gateways in the Controller
    • Viewing Gateway Logs
    • Viewing Gateway Tasks
    • Editing Gateway Configuration
    • Troubleshooting Gateway Issues
  • Adding Gateway Groups for High Availability
  • Creating Gateway Selectors
  • Workflow: Creating a Gateway in VMware vSphere
    • Adding a vSphere Gateway in the Controller
    • Registering a VMware vSphere Gateway
  • Workflow: Creating a Gateway in Amazon Web Services
    • Adding an AWS Gateway in nSA
    • Registering an Amazon Web Services Gateway
  • Workflow: Creating a Gateway in Microsoft Azure
    • Adding an Azure Gateway in nSA
    • Creating a Gateway through Azure Marketplace
    • Creating a Gateway using the Azure Template and Image Files
  • Workflow: Creating a Gateway in KVM/OpenStack
    • Preparing to Create a KVM Gateway
    • Adding a KVM Gateway in nSA
    • Preparing Metadata for OpenStack
    • Creating the KVM Gateway Virtual Machine Instance in OpenStack
  • Workflow: Creating a Gateway in Google Cloud Platform
    • Preparing to Create a GCP Gateway
    • Adding a GCP Gateway in nSA
    • Downloading Metadata for Google Cloud Platform
    • Uploading the GCP Virtual Machine Image onto the Google Cloud Platform
    • Creating a VM Instance of the Uploaded GCP Image Manually
    • Creating a VM Instance of the Uploaded GCP Image Using a Script/Template
    • Completing the Configuration of the Controller
  • Upgrading Gateways
    • Checking a Current Gateway Version and Applying an Individual Update
    • Rolling Back a Gateway to a Previous Version
  • Configuring a Default Gateway for Application Discovery
• Creating Device Policy Rules and Device Policies
  • Introduction
  • Viewing Device Policies and Rules
  • Creating Device Policies
  • Configuring Default Device Policy for Users
  • Creating Device Policy Rules
    • Options for Antispyware and Firewall Rules
    • Options for Antivirus Rules
    • Options for CVE Check Rules
    • Options for Command Rules
    • Options for File Rules
    • Options for Hard Disk Encryption Rules
    • Options for Location Rules
    • Options for MAC Address Rules
    • Options for Netbios Rules
    • Options for Network Rules
    • Options for OS Rules
    • Options for Process Rules
    • Options for Port Rules
    • Options for Patch Management Rules
    • Options for Registry Rules
    • Options for Risk Sense Rules
    • Options for System Integrity Rules
    • Options for Time of Day Rules
• Working With Applications and Application Groups
  • Introduction
  • Adding Applications to the Controller
    • Editing and Deleting Applications
  • Adding Application Groups to the Controller
  • Workflow: Publishing Applications to ZTA Gateways
    • Selecting Applications for Publication
    • Selecting Device Policies for Applications
    • Selecting User Rules for Applications
    • Selecting a ZTA Gateway for your Applications
    • Confirming the Create Secure Access Policy Workflow
• Creating/Editing Secure Access Policies
  • Introduction
  • Viewing your Secure Access Policies
  • Creating a Secure Access Policy
  • Editing a Secure Access Policy
• Enrolling Mobile/Desktop Clients
  • Introduction
  • Viewing Currently Enrolled User Devices
    • Uploading Client Logs to the Controller
  • Setting Global Device Preferences
    • Configuring Lock Down Mode
    • Downloading Device Preferences for use with an External Service
  • Enrolling a Windows Desktop Device
    • Enabling Trusted Root CA Certificate on Windows Domain
  • Enrolling a macOS Desktop Device
  • Enrolling a Linux Desktop Device
    • Enrolling on Ubuntu or Debian
    • Enrolling on Fedora or CentOS/RHEL
  • Enrolling an iOS Mobile Device
    • Installing a Beta Release of the iOS Client
  • Enrolling an Android Mobile Device
• Using Ivanti Secure Access Client with Ivanti Neurons for Zero Trust Access
  • Introduction
  • On-Demand and Simultaneous Connection Handling
  • Resource Precedence Over Simultaneous Connections
  • Using SAML Single Logout to Force User Authentication
  • Disabling the nZTA Connection
  • Dynamic Policy Update and CARTA
    • Using Application Discovery with Ivanti Secure Access Client
  • Using an Existing Enterprise PKI
• Upgrading Ivanti Secure Access Client
  • Introduction
  • Working with Client Packages
    • Upgrading Ivanti Secure Access Client Automatically
    • Enabling Manual Upgrade of Ivanti Secure Access Client
    • Enabling Minimum Supported Client Version
  • Working with ESAP Packages
    • Updating ESAP Definitions on Clients Automatically
    • Enabling Manual Update of ESAP Definitions on Clients
• Using the Insights Menu to Monitor User Activity and Service Usage
  • Introduction
    • Using Filters and Selectors to Monitor Specific Services
  • Reviewing Your Network Activity
    • Understanding the Display
    • Using the Filter Bar
    • Using the Summary Ribbon
    • Using the World Map
    • Using the Sankey Chart View
    • Using the Active Anomaly, Connected Clients Version, and Non-Compliance Charts
    • Using the Top Active Breakdown Charts
    • Viewing Detailed Logs for a Chart
  • Reviewing User Activity
    • Understanding the Display
    • Using the Summary Ribbon
    • Viewing a Summary of UEBA Threat Scores for your Users
    • Viewing Top Access Trends
    • Viewing User Activity Charts
  • Showing Activity for a Specific User
    • Understanding the Display
    • Using the Summary Ribbon
    • Viewing UEBA Threat Data for the Selected User
    • Viewing Access Trends for the Selected User
    • Viewing the User Access Sankey Chart
    • Viewing User Activity Charts
  • Viewing and Terminating User Sessions
  • Reviewing Application Usage
    • All Applications
    • Discovered Applications
    • Default ZTA Gateway Applications
    • Configuring Default Gateway Application
  • Showing Usage Data for a Specific Application
    • Understanding the Display
    • Using the Summary Ribbon
    • Viewing Application Accesses by Device Type
    • Viewing Access Trends for the Selected Application
    • Viewing the Application Access Trends Sankey Chart
    • Viewing Application Activity Charts
  • Monitoring ZTA Gateway Activity
    • Understanding the Display
    • Using the Summary Ribbon
    • Reviewing the Status of your Deployed ZTA Gateways
    • Viewing ZTA Gateway Access Trends
    • Viewing ZTA Gateway Activity Charts
  • Reviewing Policy Failures
    • Understanding the Display
    • Using the Summary Ribbon
    • Viewing Policy Failures Access Trends
    • Viewing Policy Failure Activity Charts
  • Checking the Logs
    • Setting a Log Time Period
    • Setting Log Criteria and Filtering the Output
    • Viewing Log Records
    • Filtering the Logs
    • Exporting Logs
    • Viewing Scheduled Log Export Jobs and Downloading Log Files
  • Associating Geographical locations to IP Addresses
  • Actions
  • Reports
    • Creating a Report
  • Viewing Alerts and Notifications
• Using Enterprise Integration to Export Your Logs for External Analysis
  • Introduction and Prerequisites
  • Importing a Trusted Server CA Certificate
  • Adding a Client Certificate to the Controller
  • Adding a Public Syslog Server to the Controller
  • Adding a On-Prem Syslog Server for ZTA Gateways
    • Setting a Custom Syslog Filter
• APPENDIX: Supported Applications in this Release