Configure EAA Client
You need to configure EAA Client after you install it for the first time. You can configure EAA Client with the configuration wizard. Next, you can connect to TCP and UDP applications.
Configure endpoint protection software to allow EAA Client traffic
The EAA Client software installed on the user's computer needs to communicate with the EAA Management Portal. Endpoint protection software can block this communication. If you have any endpoint protection software installed on your computer, like Symantec Cloud Endpoint Protection, you need to:
- Whitelist EAA Client executables.
- Create bypasses for the firewall.
- Configure your endpoint protection software.
- Allow certain IPs to ensure connectivity to EAA connectors.
Whitelist EAA Client executables
If your computer has any endpoint protection software installed, you need to allow these EAA Client executables (based on your operating system):
- For Windows 7 or Windows 10 OS, when EAA Client software is installed under the C:\Program Files\EAAClient\ directory, allow:
  C:\Program Files\EAAClient\EAAClient.exe
  C:\Program Files\EAAClient\resources\elevate.exe
  C:\Program Files\EAAClient\wapptunneld.exe
  C:\Program Files\EAAClient\winhttp.exe
  C:\Program Files\EAAClient\autoupdate-windows.exe
  C:\Program Files\EAAClient\uninstall.exe
  C:\Program Files\EAAClient\wapprun.exe
  C:\Program Files\EAAClient\wapprestart.bat
  C:\Program Files\EAAClient\wappdelclientexe.bat
  C:\Program Files\EAAClient\wapphide.vbs
  C:\Program Files\EAAClient\wapprun.bat
  C:\Program Files\EAAClient\wappstart.bat
  The path for these executables changes based on your installation directory.
- For macOS, allow:
  /opt/wapp/bin/eaacUininstall
  /opt/wapp/bin/wapptunneld
  /Applications/EAAClient.app/Contents/MacOS/EAAClient
Create bypass rules for firewall
A firewall can block traffic to and from your computer. You can configure bypass rules to allow communication between the EAA Client and the EAA Management Portal. Set up the following rules in your firewall:
Inbound or Outbound | Source or Destination | Protocol/Port |
---|---|---|
Outbound | * | TCP/443 |
Outbound | * | UDP/53 |
Inbound | 127.50.100.1 | TCP/9078 |
Inbound | 100.64.0.1 | UDP/53 |
Configure Symantec EndPoint Protection
The below table shows an example of the firewall rules setting for Symantec Cloud Endpoint Protection software to let the EAA Client communicate with the EAA Management Portal.
Active | Rule Name | Allow | Direction | Protocol | Types |
---|---|---|---|---|---|
✓ | HTTPS out | Allow | Outbound | TCP | All |
✓ | DNS out | Allow | Outbound | UDP | All |
✓ | EAAClient | Allow | Inbound | TCP | All |
Allow certain service IPs to ensure connectivity to EAA connectors
To have proper connectivity from Enterprise Application Access Cloud to the connector, you should allow certain IPs. Please contact support for this task.
Use a forward proxy with EAA Client
Configure EAA Client when you have a forward proxy within your organization. Some organizations use a forward proxy server within the corporate network to connect to the internet. The user's computer connects to the forward proxy server to perform operations like authentication, web filtering, and then the traffic is routed to the internet.
If EAA Client is installed on these machines, organizations require EAA Client to forward all Enterprise Application Access traffic to the forward proxy before reaching the Enterprise Application Access Cloud.
EAA Client supports both HTTP and HTTPS proxy types. For proxy authentication, EAA Client supports the No Authentication and NTLMv2 Authentication modes.
You need to configure the system proxy for the users' computers. You may use a Group Policy management tool (GPO) to push the system proxy changes to all the users' computers. The system proxy setup differs by OS, as described below.
System Proxy configuration for Mac users
EAA Client sends secure web traffic. Use only these proxy settings for any interface (like Wi-Fi, Thunderbolt). For example, if you use a Wi-Fi interface, configure the following proxy settings:
- In Select a protocol to configure, select the option for HTTPS traffic: Secure Web Proxy (HTTPS).
- In Secure Web Proxy Server, enter the proxy server's URL host or IP address (port number).
If you select more protocols, EAA Client only sends secure web traffic.
If you select only Web Proxy (HTTP) as the protocol for any interface, EAA Client only sends secure web traffic (proxy settings don't work).
System Proxy configuration for Windows 7 users
Make sure you set the manual proxy settings for your organization's proxy server.
- Open the Start Menu and type proxy.
- Click Configure proxy server.
  The Internet Properties window opens.
- Select Connections.
- In Local Area Network (LAN) settings, click LAN settings.
- In Proxy server, enter the Address and Port of the proxy server.
System Proxy configuration for Windows 10 users
Make sure you set the manual proxy settings for your organization's proxy server.
- Open the Start Menu > Settings > Network & Internet > Proxy.
- In Manual proxy setup, select Use a proxy server.
- In Address, enter the IP address of the proxy server.
- In Port, enter the port of the proxy server.
- Add any exceptions list (optional).
- Click Save.
Configure EAA Client with a forward proxy for Windows 10 and Mac
- Run the silent install command with forward proxy mode enabled. Use the --forwardproxy enable option. If you do not use this option in silent install, the forward proxy is disabled.
  - For example, to do a silent install for EAA Client for Windows 64x with an IdP portal URL https://myidpportal.mycompany.com, enable the forward proxy server, and start EAA Client immediately after installation, download the EAA Client and run the command:
    "<EAA Client package directory>\EAAClient-x64.exe" --mode unattended --unattendedmodeui none --url <idp_portal_url> --forwardproxy enable
  - To do a silent install for EAA Client for MacOS with an IdP portal URL https://myidpportal.mycompany.com, run the command:
    sudo ./Contents/MacOS/installbuilder.sh --mode unattended --unattendedmodeui none --url https://myidpportal.mycompany.com --forwardproxy enable
When the user opens the EAA Client, the proxy is enabled in EAA Client Settings > Options > Advanced.
If your organization configured a forward proxy on the user's computer, the Proxy (URL host or IP address of proxy server URL) and the Authentication type appear. The Network is Public (using Proxy).
If you are on a trusted network and a proxy server is used, the Network appears as On-premises (using Proxy).
You cannot disable the forward proxy option on the command line with Silent install. You can only disable the forward proxy within the EAA Client settings window. EAA Client receives this information from the Proxy Settings configured by the network administrator.
- Share the proxy credentials with the employees of the organization.
- The user is prompted for proxy credentials, enters the Username, Password, and Domain, and clicks OK.
  If any of the credentials are incorrect, the user is prompted again with a dialog box.
  If EAA Client detects a proxy configured in the system, an alert appears under Alerts: Client is ready to use Proxy.
All traffic intercepted by EAA Client now goes through the organization's internal forward proxy to reach the Enterprise Application Access Cloud, then to reach the app server.
All inbound traffic comes to the EAA Client through the forward proxy.
EAA Client checks the system proxy settings every 45 seconds for any changes and updates (like proxy server's URL or IP address, or port, domain).
If the user logs out or quits EAA Client, they are prompted to enter the proxy credentials when they log in or authenticate again with EAA Client.
If you disable Enable Proxy option in the EAA Client settings window, and enable it again, you are prompted to enter the proxy credentials.
If the network administrator updates the PAC script inside Automatic proxy setup in the Proxy Settings on Windows or MacOS, EAA Client does not update the PAC details but issues the alert: PAC file is already in use please disable existing PAC settings. The admin or user has to turn off the Proxy setup script in the Automatic proxy setup to fix this issue.
The user can disable the forward proxy in two ways:
- Disable the Proxy in EAA Client > Options > Advanced.
- Click Cancel when prompted to enter the proxy credentials, and click Yes for Disable proxy.
The user may not be able to use EAA Client to access TCP-type and tunnel-type client access applications when a forward proxy is configured by the organization because EAA Client does not intercept the traffic with this configuration.
Configure EAA Client with a forward proxy for Windows 7
Prerequisite:
- In the Windows 7 OS proxy settings, you or the user have to add the proxy auto-configuration (PAC) file manually to the Script address to use EAA Client with a forward-proxy server. The Script address is http://127.50.100.1:9078/api/eaaproxypac.
- In LAN Settings, enable Use automatic configuration script, add the PAC script address, and click OK.
- Run the silent install command with forward proxy mode enabled. Use the --forwardproxy enable option. If you do not use this option in silent install, the forward proxy is disabled.
  For example, to do a silent install for EAA Client for a Windows 64x computer with an IdP_portal_URL of https://myidpportal.mycompany.com, enable the forward proxy server, and start EAA Client immediately after installation, download the EAA Client and run the command:
  "<EAA Client package directory>\EAAClient-x64.exe" --mode unattended --unattendedmodeui none --url <idp_portal_url> --forwardproxy enable
  Or, to do a silent install for EAA Client for a Mac computer with an IdP_portal_URL of https://myidpportal.mycompany.com, run the command:
  sudo ./Contents/MacOS/installbuilder.sh --mode unattended --unattendedmodeui none --url https://myidpportal.mycompany.com --forwardproxy enable
You cannot disable the forward proxy option on the command line with Silent install. You can only disable the forward proxy within the EAA Client settings.
When the user opens the EAA Client, the Proxy is enabled in EAA Client Settings > Options > Advanced. If the organization has configured a forward proxy on the employees' computers, the Proxy (URL host or IP address of proxy server URL) and the Authentication type are displayed. The Network is Public (using Proxy).
- If you are on a trusted network and a proxy server is being used, check Network > On-premises (using Proxy).
  EAA Client receives this information from the Proxy Settings configured by the network administrator.
- Share the proxy credentials with the employees of the organization. The user is prompted for proxy credentials, enters the Username, Password, and Domain, and clicks OK.
  If any of the credentials are incorrect, the user is prompted again with the dialog box.
All traffic intercepted by EAA Client now goes through the organization's internal forward proxy to reach the Enterprise Application Access Cloud, then to reach the app server. All inbound traffic comes to the EAA Client through the forward proxy.
When EAA Client is not in use, the admin or user has to remove the PAC script manually.
For Windows, you get an alert when EAA Client has successfully detected proxy configured in the system (check the alerts inside EAA Client settings).
The user can disable the forward proxy in two ways:
- Disable Proxy in EAA Client > Options > Advanced.
- Click Cancel while entering the proxy credentials, and click Yes for Disable proxy.
The user may not be able to use EAA Client for accessing your TCP-type and tunnel-type client access application, if a forward proxy has been configured by the organization, since EAA Client does not intercept the traffic anymore.
Limitations of EAA Client forward proxy support
- Auto-detection for Web Proxy Auto Discovery (WPAD) protocol and proxy auto-configuration (PAC) is not supported in this release.
- MITM Proxy is not supported.
- SSO-based authentication is not supported.
- On MacOS, when both VPN and EAA Client are enabled, changes to the system proxy settings are not detected in the EAA Client settings.
- EAA Client in Windows 7 does not support automatic management of PAC script configuration in system proxy settings.
- For Internet Explorer browser configuration, add 127.50.100.1 under Exceptions. See Microsoft docs for navigating to the Exceptions from the Settings > Internet options menu.
- On MacOS, forward proxy is not supported with the Safari browser.
Use alerts to debug forward proxy issues with EAA Client
Check the alerts to debug any commonly faced issues while configuring EAA Client with a forward proxy.
EAA Client issues several alerts in the EAA Client settings when there are problems with the forward proxy configuration. If you have problems, set the verbosity to high and check the alerts.
- If the proxy server is not reachable from the user's machine, you get the alert:
  Connection TimedOut to Proxy: http...
  Check reachability to Proxy Server
  Check that the proxy server host URL or IP address and the port are correct. Retry after correcting them.
- If the user's laptop is using a wrong authentication scheme, you get the alert:
  Unsupported proxy authentication scheme
  Please contact administrator
  You should use the NTLMv2 authentication or No authentication scheme. Contact the network administrator to fix it.
- If you entered wrong proxy credentials and you set the verbosity to high and check the alerts, you see:
  Authentication Failed to Proxy: https...
  Please authenticate again
  Enter the correct proxy credentials and retry to authenticate with the proxy server.
- If you have an existing PAC file in your Automatic Proxy Setup, you receive this alert message:
  PAC settings already in use: http...
  Please disable existing PAC settings
  You should disable the existing PAC settings.
Silent install of EAA Client
You might want to install EAA Client in the background on many computers using software deployment solutions like KACE, JAMF, and SCCM. Execute the installation in command line mode. Command line installation differs considerably between software products. You can use this as a reference and update it as required to suit your environment.
To perform a silent install, download the relevant files based on whether you want to deploy on 32-bit (Windows platform) or 64-bit (Windows or Mac platform) computers.
If an existing version of the EAA Client is already installed (regardless of the version), the silent install first removes the existing installation before installing the new version.
Silent install of EAA Client in Windows
- Download the latest EAA Client packages for Windows from Akamai download links:
  https://eaaclientdownloads.akamai-access.com/eaaclientdistro/EAAClient-x64.exe
  https://eaaclientdownloads.akamai-access.com/eaaclientdistro/EAAClient-i386.exe
- Enter the command to start the silent installation with the IdP portal URL:
  "<EAA Client package directory>\EAAClient-x64.exe" --mode unattended --unattendedmodeui none --url <idp_portal_url> --autostart no
  For example, to do a silent install for EAA Client for a Windows 64-bit computer with an IdP_portal_URL https://myidpportal.mycompany.com:
  ".\EAAClient-x64.exe" --mode unattended --unattendedmodeui none --url https://myidpportal.mycompany.com --autostart no
  The --url option is optional. Use this option when you want EAA Client to authenticate with a pre-configured IdP in the URL location.
  The default value for --autostart is yes. This enables EAA Client to start immediately after successful installation. When doing a silent install with the SYSTEM user, it is recommended to use the no option. This prevents deployment solutions without administrative privileges from automatically starting the EAA Client. Instead, it allows the users to manually start the EAA Client on their computers.
The installation starts and runs in the background. Nothing is visible on the screen. It takes a few minutes, and is longer if there is an existing client. After the installation is finished, the IDP.ini file in the EAA Client installation folder is updated with the IdP_portal_URL given in the --url parameter of the silent installation command. When EAA Client starts, it is in the Not Configured state. The EAA Client automatically opens a browser tab and launches the IdP_portal_URL. After users authenticate, the configuration process automatically finishes. A web page opens to confirm successful configuration. Then, if you open the EAA Client, it is in the Authenticated state.
Silent install of EAA Client in MacOS
- Download the latest EAA Client packages for MacOS from Akamai download links:
  https://eaaclientdownloads.akamai-access.com/eaaclientdistro/EAAClient.app.zip
- Unzip the EAAClient*.zip file with the command:
  tar -xvf EAAClient.app.zip
  A new Contents folder is created in the path the tar command was invoked from.
- Enter this command to start silent installation with the IdP portal URL:
  sudo ./Contents/MacOS/installbuilder.sh --mode unattended --unattendedmodeui none --url <idp_portal_url> --autostart no
  For example, for the IdP_portal_URL https://myidpportal.mycompany.com:
  sudo ./Contents/MacOS/installbuilder.sh --mode unattended --unattendedmodeui none --url https://myidpportal.mycompany.com --autostart no
  The --url option is optional. Use this option when you want EAA Client to authenticate with a pre-configured IdP in the URL location.
  The default value for --autostart is yes. This enables EAA Client to start immediately after successful installation. When doing a silent install with the SYSTEM user, it is recommended to use the no option. This prevents deployment solutions without administrative privileges from automatically starting the EAA Client. Instead, it allows the users to manually start the EAA Client on their computers.
The installation starts and runs in the background. Nothing is visible on the screen. It takes a few minutes, and is longer if there is an existing client. After the installation is finished, the IDP.ini file in the EAA Client installation folder is updated with the IdP_portal_URL given in the --url parameter of the silent installation command. When EAA Client starts, it is in the Not Configured state. The EAA Client automatically opens a browser tab and launches the IdP_portal_URL. After users authenticate, the configuration process automatically finishes. A web page opens to confirm successful configuration. Then, if you open the EAA Client, it is in the Authenticated state.
Switch EAA Client to a different identity provider after doing a silent install
Silent installation of EAA Client creates an IDP.ini file in the software installation folder. Update the IDP.ini file with the new identity provider (IdP) URL and configure the EAA Client to this identity provider.
IDP.ini file location:
- Windows OS: C:\Program Files\EAAClient\idp.ini
- MacOS: /Applications/EAAClient.app/Contents/MacOS/idp.ini
If you installed EAA Client in another location, search for idp.ini inside the */<<EAA_CLIENT_NAME>>/ folder.
The IDP.ini file has the URL of the identity provider portal.
If you provide https://myidpportal.mycompany.com as the IdP_portal_URL for the --url option of the silent install command, the IDP.ini file contains this string:
url = https://myidpportal.mycompany.com
A user with admin privileges should follow this procedure to configure EAA Client to another identity provider portal. For example, to configure to https://myidpportal2.mycompany.com:
- Open the IDP.ini file, replace the old URL with the new URL, and save it. For example, update it to:
  url = https://myidpportal2.mycompany.com
- Start the EAA Client. Click EAA Client icon > Open EAA Client.
- Configure EAA Client.
This configures EAA Client to the new identity provider.
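One way to script the IDP.ini change above so that a mistyped or tampered URL never reaches a client, as an added example (not Akamai's code). ALLOWED_IDP_HOSTS and the function names are assumptions, and the only file format assumed is the url = ... line shown on this page; other lines in the file are left untouched.

```python
import os
import re
import shutil
import tempfile
from urllib.parse import urlsplit

# Assumption: the IdP portal hosts your organization has approved (constructed values).
ALLOWED_IDP_HOSTS = {"myidpportal.mycompany.com", "myidpportal2.mycompany.com"}
URL_LINE = re.compile(r"^(\s*url\s*=\s*)(.*?)\s*$", re.IGNORECASE)


def validate_idp_url(url, allowed_hosts=ALLOWED_IDP_HOSTS):
    """Return url unchanged if it is safe to deploy, else raise ValueError."""
    # Whitespace or control characters could smuggle a second line into the ini file.
    if re.search(r"[\s\x00-\x1f\x7f]", url):
        raise ValueError("whitespace or control characters in URL")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("IdP portal URL must use https")
    # Rejects look-alikes such as https://approved-host@other-host/
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    if (parts.hostname or "").lower() not in allowed_hosts:
        raise ValueError(f"{parts.hostname!r} is not an approved IdP portal host")
    return url


def update_idp_ini(path, new_url, allowed_hosts=ALLOWED_IDP_HOSTS):
    """Replace the value of the first 'url = ...' line; return (old_url, new_url)."""
    validate_idp_url(new_url, allowed_hosts)
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    old_url = None
    for i, line in enumerate(lines):
        match = URL_LINE.match(line)
        if match:
            old_url, lines[i] = match.group(2), match.group(1) + new_url
            break
    if old_url is None:
        raise ValueError(f"no 'url = ...' entry in {path}")
    # Write a sibling temp file and swap it in, so the client never reads a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    shutil.copymode(path, tmp)  # mkstemp creates the file as 0600; keep the original mode
    os.replace(tmp, path)
    return old_url, new_url
```

The same validate_idp_url check can gate the value a deployment tool passes to --url during a silent install. Run the update with the admin privileges the procedure above requires.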