You need to configure EAA Client after you install it for the first time. You can configure EAA Client with the configuration wizard. Next, you can connect to TCP and UDP applications.

Configure endpoint protection software to allow EAA Client traffic

The EAA Client software installed on the user's computer needs to communicate with the EAA Management Portal. Endpoint protection software can block this communication. If you have any endpoint protection software installed on your computer, like Symantec Cloud Endpoint Protection, you need to:

Whitelist EAA Client executables.
Create bypasses for the firewall.
Configure your endpoint protection software.
Allow certain IPs to ensure connectivity to EAA connectors.

Whitelist EAA Client executables

If your computer has any endpoint protection software installed, you need to allow these EAA Client executables (based on your operating system):

For Windows 7 or Windows 10 OS, when EAA Client software is installed under C:\Program Files\EAAClient\ directory, then allow:
- C:\Program Files\EAAClient\EAAClient.exe
- C:\Program Files\EAAClient\resources\elevate.exe
- C:\Program Files\EAAClient\wapptunneld.exe
- C:\Program Files\EAAClient\winhttp.exe
- C:\Program Files\EAAClient\autoupdate-windows.exe
- C:\Program Files\EAAClient\uninstall.exe
- C:\Program Files\EAAClient\wapprun.exe
- C:\Program Files\EAAClient\wapprestart.bat
- C:\Program Files\EAAClient\wappdelclientexe.bat
- C:\Program Files\EAAClient\wapphide.vbs
- C:\Program Files\EAAClient\wapprun.bat
- C:\Program Files\EAAClient\wappstart.bat

The path for these executables changes based on your installation directory.

For a macOS allow:
- /opt/wapp/bin/eaacUininstall
- /opt/wapp/bin/wapptunneld
- /Applications/EAAClient.app/Contents/MacOS/EAAClient

Create bypass rules for firewall

A firewall can block traffic to and from your computer. You can configure bypass rules to allow communication between the EAA Client and the EAA Management Portal. Set up the following rules in your firewall:

Inbound or Outbound	Source or Destination	Protocol/Port
Outbound	*	TCP/`443`
Outbound	*	UDP/`53`
Inbound	`127.50.100.1`	TCP/`9078`
Inbound	`100.64.0.1`	UDP/`53`

Configure Symantec EndPoint Protection

The below table shows an example of the firewall rules setting for Symantec Cloud Endpoint Protection software to let the EAA Client communicate with the EAA Management Portal.

Active	Rule Name	Allow	Direction	Protocol	Types
✓	HTTPS out	Allow	Outbound	TCP	All
✓	DNS out	Allow	Outbound	UDP	All
✓	EAAClient	Allow	Inbound	TCP	All

Allow certain service IPs to ensure connectivity to EAA connectors

To have proper connectivity from Enterprise Application Access Cloud to the connector, you should allow certain IPs. Please contact support for this task.

Use a forward proxy with EAA Client

Configure EAA Client when you have a forward proxy within your organization. Some organizations use a forward proxy server within the corporate network to connect to the internet. The user's computer connects to the forward proxy server to perform operations like authentication, web filtering, and then the traffic is routed to the internet.

If EAA Client is installed on these machines, organizations require EAA Client to forward all Enterprise Application Access traffic to the forward proxy before reaching the Enterprise Application Access Cloud.

forward proxy

EAA Client supports both HTTP and HTTPS proxy type. With respect to proxy authentication, EAA Client supports No Authentication, NTLMV2 Authentication modes.

You need to configure the system proxy for the users' computers. You may use a Group Policy management tool (GPO) to push the system proxy changes to all the user's computers. Based on the OS, the system proxy setup is different as described below.

System Proxy configuration for Mac users

EAA Client sends secure web traffic. Use only these proxy settings for any interface (like Wi-Fi, Thunderbolt). For example, if you use a Wi-Fi interface, configure the following proxy settings:

In Select a protocol to configure select option for HTTPS traffic: Secure Web Proxy (HTTPS).
In Secure Web Proxy Server enter proxy server's URL host or IP address (port number).
If you select more protocols, EAA Client only sends secure web traffic.

If you select only Web Proxy (HTTP) as the protocol for any interface, EAA Client only sends secure web traffic (proxy settings don't work).
Web Proxy HTTP

System Proxy configuration for Windows 7 users

Make sure you set the manual proxy settings for your organization's proxy server.

Open the Start Menu and type proxy.
Click, Configure proxy server.
The Internet Properties window opens.
Select Connections.
In Local Area Network (LAN) settings click LAN settings.
In Proxy server enter the Address and Port of the proxy server.

System Proxy configuration for Windows 10 users

Make sure you set the manual proxy settings for your organization's proxy server.

Open the Start Menu > Settings > Network & Internet > Proxy.
In Manual proxy setup select Use a proxy server.
In Address enter the IP address of proxy server.
In Port enter the port of the proxy server.
Add any exceptions list (optional).
Click Save.

Configure EAA Client with a forward proxy for Windows 10 and Mac

Run the silent install command with forward proxy mode enabled. Use the --forwardproxy enable option.
If you do not use this option in silent install, the forward proxy is disabled.
- For example - to do a silent install for EAA Client for Windows 64x with an IdP portal URL https://myidpportal.mycompany.com enable the forward proxy server, and to start EAA Client immediately after installation - download the EAA Client and run the command:
```
<EAA Client package directory>\EAAClient-x64.exe" --mode unattended --unattendedmodeui none --url 
<idp_portal_url>  --forwardproxy enable
```
- To do a silent install for EAA Client for MacOS with an IdP portal URL
  https://myidpportal.mycompany.com run the command:
```
sudo ./Contents/MacOS/installbuilder.sh --mode unattended --unattendedmodeui none --url 
https://myidpportal.mycompany.com  --forwardproxy enable
```

When the user opens the EAA Client, the proxy is enabled in EAA Client Settings > Options > Advanced.
If your organization configured a forward proxy on the user's computer, the Proxy (URL host or IP address
of proxy server URL) and the Authentication type appear. The Network is Public (using Proxy).
If you are on a trusted network and proxy server is used the Network is On-premises (using Proxy) appears.

📘
You cannot disable the forward proxy option on the command line with Silent install. You can only disable the forward proxy within the EAA Client settings window. EAA Client receives this information from the Proxy Settings configured by the network administrator.

EAA Client with a forward proxy for Windows 10 and Mac

Share the proxy credentials to the employees of the organization.
The user is prompted for proxy credentials and enters the Username, Password, and Domain and clicks OK.
If any of the credentials are incorrect, the user is prompted again with a dialog box.

If EAA Client detects proxy configured in the system, alert appears under Alerts: Client is ready to use Proxy.

All traffic intercepted by EAA Client now goes through the organization's internal forward proxy to reach the Enterprise Application Access Cloud, then to reach the app server.

All inbound traffic comes to the EAA Client through the forward proxy.
EAA Client checks the system proxy settings every 45 seconds for any changes and updates (like proxy server's URL or IP address, or port, domain).
If the user logs out or quits EAA Client, they are prompted to enter the proxy credentials when they log in or authenticate again with EAA Client.

If you disable Enable Proxy option in the EAA Client settings window, and enable it again, you are prompted to enter the proxy credentials.

If the network administrator updates the PAC script inside Automatic proxy setup in the Proxy Settings on the Windows or MacOS, EAA Client does not update the PAC details but issues an alert PAC file is already in use please disable existing PAC settings. The admin or user has to turn off the Proxy setup script in the Automatic proxy setup to fix this issue.

Automatic proxy setup

The user can disable the forward proxy in two ways:

Disable the Proxy in EAA Client > Options > Advanced.
Click Cancel when prompted to enter the proxy credentials, and click Yes for Disable proxy.

The user may not be able to use EAA Client to access TCP-type and tunnel-type client access applications when a forward proxy is configured by the organization because EAA Client does not intercept the traffic with this configuration.

Configure EAA Client with a forward proxy for Windows 7

Prerequisite:

In the Windows 7 OS proxy settings, you, or user have to add proxy auto-configuration (PAC) file manually to the Script address when they want to use EAA Client with a forward-proxy server. The Script address is http://127.50.100.1:9078/api/eaaproxypac.
In LAN Settings enable Use automatic configuration script, add the PAC script address and click OK.

Run the silent install command with forward proxy mode enabled. Use the --forwardproxy enable option. If you do not use option in silent install, the forward proxy is disabled.
For example - to do a silent install for EAA Client for Windows 64x computer with an IdP_portal_URL https://myidpportal.mycompany.com, enable the forward proxy server and to start EAA Client to immediately after installation - download the EAA Client and run the command:
```
<EAA Client package directory>\EAAClient-x64.exe" --mode unattended --unattendedmodeui none --url 
<idp_portal_url>  --forwardproxy enable
```
Or, to do a silent install for EAA Client for Mac computer with an IdP_portal_URL of https://myidpportal.mycompany.com run the command:
```
sudo ./Contents/MacOS/installbuilder.sh --mode unattended --unattendedmodeui none --url 
https://myidpportal.mycompany.com  --forwardproxy enable
```

📘
You cannot disable the forward proxy option on the command line with Silent install. You can only disable the forward proxy within the EAA Client settings.

When the user opens the EAA Client, the Proxy is enabled in EAA Client Settings > Options > Advanced . If the organization has configured a forward proxy on the employees' computer, the Proxy (URL host or IP address of proxy server URL) and the Authentication type is displayed. The Network is Public (using Proxy).

If you are on a trusted network and proxy server is being used check Network > On-premises (using Proxy).
EAA Client receives this information from the Proxy Settings configured by the network administrator.
Share the proxy credentials with the employees of the organization. The user is prompted for proxy credentials and enters the Username, Password, and Domain and clicks OK.
If any of the credentials are incorrect, the user is prompted again with the dialog box.

All traffic intercepted by EAA Client now goes through the organization's internal forward proxy to reach the Enterprise Application Access Cloud, then to reach the app server. All inbound traffic comes to the EAA Client through the forward proxy.

📘
When EAA Client is not in use, the admin or user has to remove the PAC script manually.

For Windows, you get an alert when EAA Client has successfully detected proxy configured in the system (check the alerts inside EAA Client settings).

Client is ready to use proxy

The user can disable the forward proxy in two ways:

Disable Proxy in EAA Client > Options >Advanced.
Click Cancel while entering the proxy credentials, and click Yes for Disable proxy.

The user may not be able to use EAA Client for accessing your TCP-type and tunnel-type client access application, if a forward proxy has been configured by the organization, since EAA Client does not intercept the traffic anymore.

Limitations of EAA Client forward proxy support

Auto-detection for Web Proxy Auto Discovery (WPAD) protocol and proxy auto-configuration (PAC) is not supported in this release.
MITM Proxy is not supported.
SSO-based authentication is not supported.
On MacOS, when both VPN and EAA Client are enabled, any changes to the system proxy settings is not detected in the EAA Client settings.
EAA Client in Windows 7 does not support automatic management of PAC script configuration in system proxy settings.
For internet explorer browser configuration, add 127.50.100.1 under Exceptions. See Microsoft docs for navigating to the Exceptions from the Settings > Internet options menu .
On MacOS, forward proxy is not supported with Safari browser.

Use alerts to debug forward proxy issues with EAA Client

Check the alerts to debug any commonly faced issues while configuring EAA Client with a forward proxy.

EAA Client issues several alerts in the EAA Client settings when you configure forward proxy when you have problems. You can set the verbosity to high and check the alerts, if you have problems.

If the proxy server is not reachable from user's machine, you get the alert:

Connection TimedOut to Proxy: http...
Check reachability to Proxy Server

Check the proxy server host URL or IP address, port and make sure it's correct. Retry after correcting it.

If the user's laptop is using a wrong authentication scheme, you get the alert:

Unsupported proxy authentication scheme
Please contact administrator

You should use NTLMv2 authentication or No authentication scheme. Contact the network administrator to fix it.

If you entered wrong proxy credentials, if you set the verbosity to high and check the alerts, you see:

Authentication Failed to Proxy: https...
Please authenticate again

Enter the correct proxy credentials and retry to authenticate with the proxy server.

If you have an existing PAC file in your Automatic Proxy Setup, you will receive this alert message:

PAC settings already in use: http...
Please disable existing PAC settings

You should disable the existing PAC settings.

Silent install of EAA Client

You might want to install EAA Client in the background on many computers using software deployment solutions like KACE, JAMF, and SCCM. Execute the installation in command line mode. Command line installation for every software differs considerably. You can use this as a reference and update as required to suit your environment.

To perform a silent install you need to download the relevant files based on whether you want to deploy on 32 bit (Windows platform) or a 64 bit (Windows or Mac platform) computers.

If an existing version of the EAA Client is already installed (regardless of the version), the silent install first removes the existing installation before installing the new version.

Silent install of EAA Client in Windows

Download the latest EAA Client packages for Windows from Akamai download links:

https://eaaclientdownloads.akamai-access.com/eaaclientdistro/EAAClient-x64.exe

https://eaaclientdownloads.akamai-access.com/eaaclientdistro/EAAClient-i386.exe

Enter the command to start the silent installation with the IdP portal URL:

<EAA Client package directory>\EAAClient-x64.exe" --mode unattended --unattendedmodeui none --url 
<idp_portal_url> --autostart no

For example, to do a silent install for EAA Client for Windows 64 bit computer with an IdP_portal_URL https://myidpportal.mycompany.com:

".\EAAClient-x64.exe" --mode unattended
         --unattendedmodeui none --url https://myidpportal.mycompany.com --autostart no

The --url option is optional. Use this option when you want EAA Client to authenticate with a pre-configured IdP in the URL location.

The default value for --autostart is yes. This enables EAA Client to start immediately after successful installation. When doing silent install with SYSTEM user, it is recommended to use the no option. This prevents deployment solutions without administrative privileges to automatically start the EAA Client. Instead, it allows the users to manually start the EAA Client on their computers.

The installation starts and runs in the background. Nothing is visible on the screen. It takes a few minutes, and is longer if there is an existing client. After the installation is finished, the IDP.ini file in the EAA Client installation folder is updated with IdP_portal_URL giving in the --url parameter of the silent installation command. When EAA Client starts it is in Not Configured state. The EAA Client automatically opens the browser tab and launches the IdP_portal_URL. After users authenticate, the configuration process automatically finishes. A web page opens to confirm successful configuration. Then, if you open the EAA Client, it is in Authenticated state.

Silent install of EAA Client in MacOS

Download the latest EAA Client packages for MacOS from Akamai download links:

https://eaaclientdownloads.akamai-access.com/eaaclientdistro/EAAClient.app.zip

Unzip the EAAClient*.zip file with the command tar -xvf EAAClient.app.zip.
A new Contents folder is created in the path the tar command was invoked from.

Enter this command to start silent installation with the IdP portal URL:

sudo ./Contents/MacOS/installbuilder.sh --mode unattended
          --unattendedmodeui none --url <idp_portal_url> --autostart no

For example, for the IdP_portal_URL https://myidpportal.mycompany.com:

sudo ./Contents/MacOS/installbuilder.sh
          -mode unattended --unattendedmodeui none --url
        https://myidpportal.mycompany.com --autostart no

The --url option is optional. Use this option when you want EAA Client to authenticate with a pre-configured IdP in the URL location.

Switch EAA Client to a different identity provider after doing a silent install

Silent installation of EAA Client creates an IDP.ini in the software installation folder. Update the IDP.ini file with the new identity provider (IdP) URL and configure the EAA Client to this identity provider.

IDP.ini file location:

Windows OS: C:\ProgramFiles\EAAClient\idp.ini
MacOS: /Applications/EAAClient.app/Contents/MacOS/idp.ini

If you installed EAA Client in other location, search for idp.ini inside */<<EAA_CLIENT_NAME>>/ folder.

The IDP.ini file has the URL of the identity provider portal.

For the silent install command, for the --url option, if you provide https://myidpportal.mycompany.com as the IdP_portal_URL, theIDP.ini file contains this string:

url = https://myidpportal.mycompany.com

A user with admin privileges, should follow this procedure to allow EAA Client to configure to another identity provider portal. For example, to configure to https://myidpportal2.mycompany.com:

Open the IDP.ini file, replace the old URL with the new URL, and save it. For example update as:url = https://myidpportal2.mycompany.comand save the file.
Do a reset.
Start the EAA Client. Click EAA Client icon > Open EAA Client.
Configure EAA Client.
This configures EAA Client to the new identity provider.