You can control user's access to applications that are not based on a browser, but run locally on a user's computer. You need to select Client-access Apps when you add a new application. Based on the level of control and flexibility desired by your organization, you can add and configure two types of client-access applications:
TCP-type client-access application. When you want to provide secure access to a single TCP application using a single hostname, you can add and configure, and deploy a TCP-type client-access application. This is created for each application (perApp) and supports TCP only. All existing TCP-type client-access applications are fully backward compatible with the latest Enterprise Application Access Cloud.
For more than 200 TCP-type client-access applications on macOS platform, consider switch to tunnel-type client-access applications.
Tunnel-type 2.0 client-access application. When you want to provide secure access to an application, you can define a destination based on protocol type (TCP or UDP or both), hostnames within the organization's domain (perDomain) or subdomain, private IPV4 addresses with subnets, and specific ports or port ranges. You can add and configure, and deploy a tunnel-type client-access application with this destination definition. Even multiple destination definitions can be pooled into a single tunnel-type 2.0 client-access application for ease of maintenance.
For example, one destination might be a private IP addresses to access local printer server, second destination might access an external web portal, and a third destination may access an internal mail server, for the employees of the organization.
You can give selective access to partners and contractors to certain subdomains with DNS exceptions. The tunnel-type 2.0 client-access application relies on DNS resolution in the connector to find the application server IP. You need to use EAA Client version 2.0.0 to configure a tunnel-type 2.0 client-access application.
Both types of client-access applications let you set up access control rules or services, like the Enterprise Application Access solution used for secure access for HTTP applications.
The tunnel-type client-access applications have some ACL limitations. Tunnel-type client-access application allows you to provide an internal hostname with subdomains, or a list of single or multiple local IP addresses. To deny access to certain users, IPs, or other parameters, you can set up access control rules.
If the application you try to securely access through the EAA Client solution is hosted on multiple application servers within your data center and you need load balancing, use a TCP-type client-access application.
Load-balancing capability is not available in a tunnel-type client-access application.
Below table compares the TCP-type and tunnel-type client-access application supported by the EAA Client.
TCP-type client-access application
Tunnel-type client-access application
Does not provide any cloud termination so there is no way to do load-balancing regardless of the protocol.
Created for each application (perApp)
Created for a domain (perDomain)
Exact hostname only
Domain exception list support
Customize traffic type (TCP, UDP, both)
Customize domain name (wildcard or exact hostname), or IP address (including CIDR notation for subnets)
Port (port range, specific port, comma separated list of both)
Allows pooling of many hostname destinations into a single tunnel-type client-access application for enterprises providing ease of maintenance for administrators.
Access Control List
Deny access by:
Deny access by:
Updated 5 months ago