Working with Applications and Application Groups


Introduction

After you have defined the user authentication system for your Ivanti Neurons for Zero Trust Access (nZTA) service, you can:

Note

An application, or application group, can be associated with only one secure access policy.

Adding Applications to the Controller

For each application you want to make available through nZTA, you add an application definition to the Controller. Application definitions are referenced from a secure access policy in the following ways:

  • A single application can be referenced from a secure access policy to identify an application for the policy.

  • Multiple applications can be referenced from an application group, to enable all of the applications in the application group to be identified for a secure access policy.

To add an application:

  1. Log into the Controller as a Tenant Admin, see Logging in as a Tenant Administrator.

  2. From the nZTA menu, click the Secure Access icon, then select Applications > Applications.

    The Applications page appears. This page lists all applications defined on the Controller.

    FIGURE 189 Applications Page

    Note

    This page also includes a built-in application called Application discovery. The Application Detail for this application is *:*, indicating that it applies to all unlisted applications. This application is used by the nZTA application discovery feature and cannot be deleted.

  3. Click Add.

    A form appears enabling you to create the application.

    FIGURE 190 Add an Application

    Note

    At any point during this process, you can reset the form data by clicking Reset. You can also view existing application definitions in a pop-up dialog by clicking View Applications.

  4. Enter the Application Name.

  5. Enter the Application Details. That is, the URI (Uniform Resource Identifier) you use to access the application. To view a complete list of valid entries for this field, see Defining Applications and Application Groups.

  6. For scenarios that require one or more additional domains to be associated with an application, select Add Allowed Domains:

    FIGURE 191 Adding allowed domains for an application

    Add your domains through one of the following methods:

    • Individually, by entering valid domains in the Add Domain text box, then selecting Add to add the domains to the list. You can add several domains at the same time by using a comma (,) separator. Repeat this step for each domain you want to add.

    • In bulk, by uploading a Comma-Separated Value (CSV) text file containing the full list of your domains.

    Domains added to this list must conform to the same scheme rules as the URI used in the Application Details field. To view a complete list of valid domain schemes, see Defining Applications and Application Groups.

    In the list of added domains, remove individual entries by selecting the X indicator adjacent to the domain name. To remove all domains, select Clear All.

  7. For HTTP/HTTPS applications, the SAML Access setting appears:

    FIGURE 192 Defining a new application with SAML access

    The Controller can use SAML to provide a secure connection to your application or resource. In this scenario, nZTA acts as a SAML Identity Provider (IdP), with the application acting as the SAML Service Provider (SP). To learn more about using SAML, see SAML Authentication.

    • Disable this setting if you are using an application-level login for the application.

    • Enable this setting if you are using SAML single sign-on for the application. Then:

      • Under Download IdP Metadata, click Download and save the IdP metadata file.

      • Log into the application and upload the IdP metadata file. Refer to the product documentation for the third-party application for details of this process.

      • In the application, download its SAML metadata as a file. Refer to the product documentation for the third-party application for details of this process.

      • Under Upload SAML Metadata, upload the SAML metadata file from the application.

  8. (Optional) If you want to add custom SAML attributes, use Attribute and Value to add key-value pairs. Click Add to add an attribute pair, and repeat as required.

    Added attributes are displayed beneath the input fields. Click the corresponding X indicator to remove an attribute.

  9. To associate an icon with this application, either:

    • Select an Application Icon from the list of supported icons. This field auto-populates based on the scheme you use in Application Details.

    • Use Upload Icon to upload a bespoke image file as the icon for this application. Make sure your icon is in JPEG format with maximum dimensions of 48 x 48 pixels (maximum file size 1 MB). Ivanti recommends you use only square images for your application icons.

  10. Enter a Description for the application.

  11. (Optional) To create a bookmark for this application, select Create bookmark for application.

    Note

    Use the Bookmark option, where applicable, to allow the end user to copy the Application Details URI for use with other applications. For example, a TCP URI can be bookmarked to facilitate copy and paste into VNC or similar.

  12. (Optional) To enable application discovery for this application, select Enable Application Discovery.

    Note

    To use application discovery, your application must be defined as a wildcard-prefixed FQDN (for example, “*.example.com”). To learn more about application discovery, see Defining Applications and Application Groups.

  13. (Optional) If you want to add the new application to an application group, select the Add to Application Group check box, and then select the required application group.

    Note

    When using SAML authentication, make sure you add to a single application group only those applications that use the same SAML authentication source.

  14. Click Create Application.

    The new application appears in the list of applications.

Note

Applications can also be added to the Controller during the Create Secure Access Policy workflow, see Workflow: Publishing Applications to ZTA Gateways.

After you have defined your applications in the Controller, you can publish the actual applications to your ZTA Gateways, see Workflow: Publishing Applications to ZTA Gateways.
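The allowed-domains list in step 6 can be uploaded in bulk as a CSV file, and step 12 requires a wildcard-prefixed FQDN for application discovery. The following script is an added example (not Ivanti code and not part of this guide) that pre-checks such a CSV before upload: it normalizes case and trailing dots, flags duplicates, and separates plain FQDNs from wildcard-prefixed FQDNs. The syntax rules it applies (DNS hostname labels, a single leading "*." wildcard, no scheme or path) are an assumption for illustration; the authoritative list of valid schemes is in Defining Applications and Application Groups. The CSV content is constructed.

```python
"""Pre-upload check for an nZTA allowed-domains CSV.

Added example, not Ivanti code. Syntax rules below are an assumption for
illustration; the product's own rules are in Defining Applications and
Application Groups.
"""
import csv
import io
import re

# One DNS hostname label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample CSV: a mix of valid, duplicate and malformed entries.
SAMPLE_CSV = """intranet.example.test,*.apps.example.test
Intranet.Example.Test
https://bad.example.test/login
*.*.example.test
wiki.example.test
"""


def classify_domain(entry: str) -> tuple[str, str]:
    """Return (status, normalized) where status is 'fqdn', 'wildcard' or 'invalid'."""
    value = entry.strip().lower().rstrip(".")
    if not value:
        return ("invalid", entry)
    wildcard = value.startswith("*.")          # the form application discovery needs
    host = value[2:] if wildcard else value
    # A domain entry is a bare name: no scheme, path, port or extra wildcards.
    if "*" in host or "://" in host or "/" in host or ":" in host:
        return ("invalid", value)
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return ("invalid", value)
    return ("wildcard" if wildcard else "fqdn", value)


def check_domain_csv(csv_text: str) -> dict:
    """Classify every cell of the CSV; duplicates are reported once, after normalization."""
    seen = set()
    report = {"fqdn": [], "wildcard": [], "invalid": [], "duplicate": []}
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            if not cell.strip():
                continue
            status, value = classify_domain(cell)
            if status == "invalid":
                report["invalid"].append(cell.strip())
            elif value in seen:
                report["duplicate"].append(value)
            else:
                seen.add(value)
                report[status].append(value)
    return report


if __name__ == "__main__":
    for status, entries in check_domain_csv(SAMPLE_CSV).items():
        print(f"{status:10} {entries}")
```

Entries reported as invalid or duplicate should be fixed in the CSV before upload; only the "wildcard" entries are in the form that Enable Application Discovery requires.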

Editing and Deleting Applications

To edit an existing application definition, select the corresponding checkbox and click Edit. nZTA shows the Edit Application form, populated with the details of the application. Use this form to update the details of your application.

For SAML applications, you can use the Upload SAML Metadata form to replace the previously uploaded metadata definition file with a new or modified version. However, be aware that federation metadata files can be digitally signed and, in that case, cannot be manually edited prior to upload back into nZTA. In this scenario, you must obtain a new digitally signed metadata file from your SAML SP that is suitable for uploading through this page. The parameters in an unsigned metadata file can be edited before the file is re-uploaded.
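The SAML metadata exchange in step 7 of Adding Applications to the Controller, and the signed-metadata caveat above, both come down to what is inside the SP's metadata file. The script below is an added example (not Ivanti code and not part of this guide) that inspects a SAML 2.0 metadata document before it is uploaded: it reports the entityID, the role (SP or IdP), the endpoints, whether the SP asks for signed assertions, and whether the document carries an XML Signature, in which case it must not be hand-edited. It relies only on the standard SAML 2.0 metadata and XML Signature element names; the sample metadata is constructed for a fictitious application and signature verification itself is out of scope.

```python
"""Pre-upload inspection of a SAML metadata file.

Added example, not Ivanti code. Reports the facts an admin checks before
uploading SP metadata to the Controller or replacing it on the Edit
Application form. It does not verify the signature; it only detects one.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: signed SP metadata for a fictitious application.
SAMPLE_SP_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'entityID="https://app.example.test/saml/metadata">'
    '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>'
    '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://app.example.test/saml/acs" index="0" isDefault="true"/>'
    '</md:SPSSODescriptor>'
    '</md:EntityDescriptor>'
)


def inspect_metadata(xml_text: str) -> dict:
    """Parse a metadata document and collect entityID, role, endpoints and signature presence."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    info = {
        "entity_id": root.get("entityID"),
        "signed": root.find("ds:Signature", NS) is not None,
        "roles": [],
        "endpoints": [],
        "wants_signed_assertions": None,
        "insecure_endpoints": [],
    }
    for sp in root.findall("md:SPSSODescriptor", NS):
        info["roles"].append("SP")
        info["wants_signed_assertions"] = sp.get("WantAssertionsSigned") == "true"
        for acs in sp.findall("md:AssertionConsumerService", NS):
            info["endpoints"].append(("AssertionConsumerService", acs.get("Location")))
    for idp in root.findall("md:IDPSSODescriptor", NS):
        info["roles"].append("IdP")
        for sso in idp.findall("md:SingleSignOnService", NS):
            info["endpoints"].append(("SingleSignOnService", sso.get("Location")))
    # Assertions are delivered to these URLs; a non-HTTPS endpoint is worth querying with the app owner.
    info["insecure_endpoints"] = [
        url for _, url in info["endpoints"] if not (url or "").lower().startswith("https://")
    ]
    return info


def upload_advice(info: dict) -> list[str]:
    """Findings to read before clicking Upload SAML Metadata; an empty list means nothing to flag."""
    findings = []
    if info["signed"]:
        findings.append("metadata is signed: do not edit it by hand; request a fresh signed file from the SP for any change")
    if "SP" in info["roles"] and info["wants_signed_assertions"] is False:
        findings.append("SP does not require signed assertions (WantAssertionsSigned is not true)")
    for url in info["insecure_endpoints"]:
        findings.append(f"endpoint is not HTTPS: {url}")
    if not info["endpoints"]:
        findings.append("no SSO/ACS endpoints found; the file may be incomplete")
    return findings


if __name__ == "__main__":
    result = inspect_metadata(SAMPLE_SP_METADATA)
    print("entityID:", result["entity_id"], "roles:", result["roles"])
    for line in upload_advice(result):
        print("-", line)
```

Run it against the file the application produced in step 7 before uploading it, and again against any replacement file: if the "metadata is signed" finding appears, any local edit would have invalidated the signature, so the changed file has to come from the SP.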

To delete an existing application, select the corresponding checkbox and click Delete.

Note

You cannot delete the Application discovery application.

Adding Application Groups to the Controller

Multiple applications can be referenced from an application group.

When you select an application group during any subsequent process, all applications in the group are included automatically. That is:

Note

For SAML authentication, make sure you add to a single application group only those applications that use the same SAML authentication source. A secure access policy can associate an application group with only one authentication method. Therefore, all applications added to the group must use the same SAML metadata for authentication.

To create an application group:

  1. Log into the Controller as a Tenant Admin, see Logging in as a Tenant Administrator.

  2. From the nZTA menu, click the Secure Access icon, then select Applications > Application Groups.

    The Application Groups page appears. This page lists all application groups defined on the Controller.

    FIGURE 193 Application Groups Page

  3. Click Add.

    The Add Application Group form appears.

    FIGURE 194 Add an Application Group

    Note

    At any point during this process, you can reset the form data by clicking Reset. You can also view existing application groups in a pop-up dialog by clicking View Application Groups.

  4. Enter the Group Name.

  5. Select the Applications you want to add to the group.

    Note

    You cannot add the Application discovery application to a group.

  6. Click Create.

    The application group is added to the list.

Workflow: Publishing Applications to ZTA Gateways

After you have added any required application definitions to the Controller, you can publish these definitions to your ZTA Gateway(s) so that they are available for use.

To publish applications to the ZTA Gateway(s), start the Create Secure Access Policy workflow.

You can access the Create Secure Access Policy workflow from:

To start the Create Secure Access Policy workflow using the toolbar:

  1. Log into the Controller as a Tenant Admin, see Logging in as a Tenant Administrator.

    The Network Overview page appears.

  2. Click the Workflows pull-down menu, and then select the Create Secure Access Policy workflow.

    FIGURE 195 Select the Create Secure Access Policy Workflow

    The Create Secure Access Policy workflow appears.

The Create Secure Access Policy workflow includes a multi-step workflow:

After the Create Secure Access Policy workflow finishes, all selected applications are pushed to the selected ZTA Gateway.

If you are using multiple gateways, you will need to repeat the publication process for each gateway.

Selecting Applications for Publication

The Select or Create Applications step of the Create Secure Access Policy workflow enables you to create a new application, or to select an existing application that you want to publish.

Note

You can also create applications independently of the Create Secure Access Policy workflow, see Adding Applications to the Controller.

To select an existing application:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to ZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select or Create Application step.

  3. Click Select an Application and select the required application from the drop-down list.

  4. (Optional) If you want to add the application to an application group, select the Add to Group check box, and then select the required application group.

    Note

    The applications in a group can be published as a single action.

    To learn more about the process of creating an application group, see Adding Application Groups to the Controller.

  5. Click Next to continue to the next step of the workflow, see Selecting Device Policies for Applications.

To create a new application:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to ZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select or Create Application step.

  3. Click Select an Application and select Add New Application.

    The Add New Application form appears.

  4. To add a new Application, follow the steps described in Adding Applications to the Controller.

  5. (Optional) If you want to add the new application to an application group, select the Add to Group check box, and then select the required application group.

    Note

    The applications in a group can be published as a single action.

    To learn more about the process of creating an application group, see Adding Application Groups to the Controller.

  6. Click Next to continue to the next step of the workflow, see Selecting Device Policies for Applications.

Selecting Device Policies for Applications

The Select Device Policies step of the Create Secure Access Policy workflow enables you to select the required device policy for the application that you want to publish.

Note

To create device policies, see Creating Device Policies and Device Policy Rules.

To select device policies:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to ZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select Device Policies step.

    A list of existing device policies appears.

  3. Select a device policy.

  4. Click Next to continue to the next step of the workflow, see Selecting User Rules for Applications.

Selecting User Rules for Applications

The Select or Create User Rules step of the Create Secure Access Policy workflow enables you to compile a list of one or more user rules (and the groups to which they optionally belong) that apply to the applications you want to publish.

Note

You can create user rules independently of the Create Secure Access Policy workflow, see Creating User Rules.

You can create user groups independently of the Create Secure Access Policy workflow, see Creating User Groups.

You can create authentication policies independently of the Create Secure Access Policy workflow, see Working with User Authentication.

To create a user rule:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to ZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select or Create User Rules step.

  3. For the user group, either:

    • Click Select or Create User Group(s), and select the required user group.

    • Click the plus symbol for the Select or Create User Group(s) property, and create the required user group using a Group Name, an Authentication Policy and (optionally) a Description.

  4. For the authentication policy, either:

    • Click Select an Authentication Policy, and select the required policy.

    • Click the plus symbol for the Select an Authentication Policy property, and create the required authentication policy, see Working with User Authentication.

  5. For the user rule, either:

    • Click Select or Create Rule, and select the required user rule.

    • Click the plus symbol for the Select or Create Rule property, and create the required user rule:

      • Enter a Rule Name for the rule.

      • Click Select Attribute Type and select the required authentication attribute type. The following options are supported: Username, SAML (Azure AD) and Custom.

      • Click Expression and select either Matching or Not Matching.

      • Enter the required User match string for the selected Expression. Wildcard matches are supported. For example: *

      • Click Add to List.

  6. Click Add User Rule.

    The new user rule is added to the list of rules.

  7. (Optional) Repeat steps 3 to 6 to create additional rules, if required.

  8. In the list of rules, select each rule that is required by enabling its check box.

  9. Click Next to continue to the final step of the workflow, see Confirming the Create Secure Access Policy Workflow.
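A user rule combines an attribute type (Username, SAML or Custom), an Expression (Matching or Not Matching) and a wildcard match string. The following script is an added example (not Ivanti code and not part of this guide) that evaluates such rules against a constructed set of users, so you can see which users a rule set would admit before selecting it in the workflow, and that flags Matching rules whose pattern is only wildcards and therefore admits everyone. Two details are assumptions, not statements from this guide: the wildcard syntax is taken as fnmatch-style (`*` and `?`), and a user who lacks the attribute is treated as satisfying neither a Matching nor a Not Matching rule on it; the selected rules are combined with OR.

```python
"""Evaluate nZTA-style user rules against sample users.

Added example, not Ivanti code. Wildcard semantics, the handling of a
missing attribute, and OR-combination of selected rules are assumptions.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRule:
    name: str
    attribute: str    # attribute type from the form: "Username", "SAML" or "Custom"
    expression: str   # "Matching" or "Not Matching"
    pattern: str      # user match string; wildcards interpreted fnmatch-style (assumption)


# Constructed sample users; the attribute key mirrors the attribute type selected in the rule.
SAMPLE_USERS = [
    {"Username": "alice@corp.example.test"},
    {"Username": "bob@contractor.example.test"},
    {"Username": "svc-backup"},
]

SAMPLE_RULES = [
    UserRule("contractors", "Username", "Matching", "*@contractor.example.test"),
    UserRule("no-service-accounts", "Username", "Not Matching", "svc-*"),
    UserRule("everyone", "Username", "Matching", "*"),
]


def rule_matches(rule: UserRule, user: dict) -> bool:
    """True when the user satisfies the rule; missing attribute never satisfies (assumption)."""
    value = user.get(rule.attribute)
    if value is None:
        return False
    hit = fnmatch.fnmatchcase(value.lower(), rule.pattern.lower())
    return hit if rule.expression == "Matching" else not hit


def users_granted(rules: list[UserRule], users: list[dict]) -> list[str]:
    """Usernames admitted by at least one of the selected rules (OR-combination, assumption)."""
    return [u["Username"] for u in users if any(rule_matches(r, u) for r in rules)]


def overly_broad(rules: list[UserRule]) -> list[str]:
    """Names of Matching rules whose pattern is wildcards only, i.e. admits every user with the attribute."""
    return [
        r.name for r in rules
        if r.expression == "Matching" and "*" in r.pattern and set(r.pattern) <= {"*", "?"}
    ]


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(f"{rule.name:20} -> {users_granted([rule], SAMPLE_USERS)}")
    print("overly broad:", overly_broad(SAMPLE_RULES))
```

Reviewing a rule set this way before step 8 shows exactly which identities each rule admits; a rule flagged as overly broad turns the secure access policy into "any authenticated user", which is rarely what a least-privilege policy intends.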

To select an existing user rule:

  1. Access the Create Secure Access Policy workflow, see Workflow: Publishing Applications to ZTA Gateways.

  2. In the Create Secure Access Policy workflow, select the Select or Create User Rules step.

    The Select or Create User Rules page lists all existing user rules.

  3. In the list of rules, select each rule that is required by enabling its check box.

  4. Click Next to continue to the next step of the workflow, see Confirming the Create Secure Access Policy Workflow.

Selecting a ZTA Gateway for your Applications

The Select Gateways step of the Create Secure Access Policy workflow enables you to identify the ZTA Gateway to which you want to publish applications.

To select the required ZTA Gateway(s):

  1. Access the Create Secure Access Policy page, see Workflow: Publishing Applications to ZTA Gateways.

  2. On the Create Secure Access Policy page, select the Select Gateways step.

  3. Click Select Gateway and select the required ZTA Gateway.

  4. Click Next to continue to the next step of the workflow, see Confirming the Create Secure Access Policy Workflow.

Confirming the Create Secure Access Policy Workflow

After you have successfully completed all steps of the Create Secure Access Policy workflow, the final Summary step of the workflow becomes active.

This step displays all information that was defined/gathered during the Create Secure Access Policy workflow, and enables you to complete the workflow.

  1. Access the Create Secure Access Policy workflow.

  2. In the Create Secure Access Policy workflow, select the Summary step.

    A summary page displays all information that was defined/gathered during the previous steps.

  3. Examine the summary information.

  4. Click Finish to confirm the summary and complete the Create Secure Access Policy workflow.

    The applications are published to the selected ZTA Gateway.

After you have published applications to your ZTA Gateway(s), users can enroll their desktop and mobile devices, see Enrolling Mobile/Desktop Clients.