(BETA) Edge Transport based Web (HTTPs) Application

📘

Note:

This feature is in tech-preview and is not in general availability (GA). It can be enabled in your contract by contacting Akamai Support.

In the past, to integrate EAA with ION you had to contact Akamai Professional services for onboarding CDN capabilities like DDoS protection and caching, in addition to securing your web applications with EAA. In future, you can perform this integration as a self-service without the help of professional services.

When Web applications or Clientless applications (clientless application is an EAA application that does not use the AZTC Client) are deployed in EAA DPOPs (Data Point of Presence), the end-user might be far away from the DPOP, resulting in a large latency when they access a web-application as shown in the figure below:

The Akamai Intelligent Edge platform is of planetary scale having many Akamai intelligent edge servers distributed world-wide. When you integrate EAA with ION the edge server closest to the end-user is picked, providing the best route with the least latency. The end-user sees a better performance as shown in the figure below:

In addition, you can also benefit from other CDN capabilities like caching, DDoS protection.

You must contact Akamai support to enable the Automatic mode of Edge Transport in your contract. Then, you can do the self-service integration, by enabling edge transport delivery and using the Automatic mode to configure edge transport.

To perform this integration with the help of professional services, you will need to enable edge transport delivery and use the Manual mode to configure edge transport.

After you deploy an Web Application (HTTP Application) with Edge Transport, you can search using HTTP with Edge Transport criteria on the Application list page, and all applications which are deployed with this mode are shown:

Also, if you click on Application Health for the Web Application with Edge Transport, you can check the health condition of the different states, including EDGE TRANSPORT:

STEP 1: Enable Edge Transport Delivery setting in EAA

To integrate EAA with Akamai CDN, like ION, you must enable the Edge Transport Delivery setting in EAA when you can configure an application in EAA.

1. Log in to Enterprise Center.

2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

3. On the Applications list page select the HTTP application for which you want to enable ION integration with EAA.

4. In the Settings tab of Application, go to the App Settings section.

5. Enable Edge transport delivery. When disabled, the end-user accesses the EAA DPOP directly (default). When enabled, the traffic from the end-user goes to Akamai CDN, like ION, and then is sent to EAA DPOP.

6. Next, configure Edge Transport in manual mode or Edge Transport in automatic mode.

STEP 2A: Configure Edge Transport in Manual mode

After you enable Edge Transport Delivery setting, you see the Edge Transport section in the Advanced tab of the Application details page.

Manual Edge Transport Configuration will be enabled by default and you will not be able to disable it.

In this mode, you can manually configure different options which allow you to integrate EAA with ION or Kona Site Defender (KSD). You will need to contact Akamai professional services for this integration.

The procedure for configuring manual mode of Edge transport is shown below:

1. Log in to Enterprise Center.

2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

3. On the Applications list page go to the application where you enabled Edge transport delivery.

4. Click the Advanced Settings tab. You will see the Edge Transport section.

5. Go to Manual Edge Transport Configuration. This is enabled by default. Additional configuration options appear.

6. Akamai Performance Package. This field appears only if you have enabled Manual Edge Transport Configuration. You can integrate Enterprise Application Access with Kona Site Defender (KSD) and ​Akamai​ ION to enhance application security and performance. Select this option if the application is being used as a front end by the EAA Cloud service as well as a Content Delivery Network (CDN). When enabled, your traffic is delivered from the CDN instead of the Enterprise Application Access Data POP. To complete this integration and the necessary setup that is required in KSD and Ion, contact support.

7. Edge Cookie Encryption Key. This field appears only if you have enabled Akamai Performance Package. Select this auto-generated key to encrypt the token generated by the Akamai edge node. It helps the ​Akamai​ edge validate the user session for caching purposes. Use this as the encryption key within your cookie authorization rule in your ​Akamai​ ION configuration. To complete this integration and the necessary setup that is required in KSD and Ion contact support.

8. SureRoute Test Object. This field appears only if you have enabled Akamai Performance Package.This auto-generated URL is the test object URL for SureRoute. Copy the URL and paste it to your SureRoute Test Object configuration in ​Akamai​ ION. To complete this integration and the necessary setup that is required in KSD and Ion contact support.

9. Akamai Edge Enforcement. This field appears only if you have enabled Manual Edge Transport Configuration. When you integrate Enterprise Application Access with Kona Site Defender (KSD), Ion, or Dynamic Site Accelerator (DSA) with Enterprise Application Access, your traffic is delivered from the CDN instead of an Enterprise Application Access Data POP. You must grant permission for Enterprise Application Access to see the real client IP and verify the Edge signature. Enable this feature to only authorize traffic from your CDN web properties with an Edge signature and to pass the real client IP on to Enterprise Application Access. To complete this integration and the necessary setup that is required in KSD and Ion contact support.

10. G2O key. This field appears only if you have enabled Akamai Edge Enforcement.This auto-generated Ghost to Origin (G2O) key is for use in your Kona Site Defender (KSD), Ion, or Dynamic Site Accelerator (DSA) integration. To complete this integration and the necessary setup that is required in KSD and Ion contact support.

11. G2O nonce. This field appears only if you have enabled Akamai Edge Enforcement.This auto-generated Ghost to Origin (G2O) nonce is for use in your Kona Site Defender (KSD), Ion, or Dynamic Site Accelerator (DSA) integration. To complete this integration and the necessary setup that is required in KSD and Ion contact support.

12. Click, Save and Deploy, to save the changes and deploy the EAA Application.

STEP 2B: Configure Edge Transport in Automatic mode

📘

Note:

To enable Automatic mode for Edge Transport, you must contact Akamai Support. This mode is a tech preview feature and is not in general availability (GA). If it is not enabled for your account, you will see manual mode for Edge Transport, by default.

This feature is only available for HTTPS applications in EAA. It is not available for RDP, VNC, SSH applications in EAA.

After you enable Edge Transport Delivery setting, you will see the Edge Transport section in the Advanced tab of the Application details page.

In the automatic mode, Manual Edge Transport Configuration is disabled and you see these additional options:

• Edge hostname. An edge hostname is a property that is created in the Property Manager for the external hostname of the application, when you save the application in EAA. It is activated in Property Manager when you deploy the application in EAA. If the external hostname is, for example, intranet.customer.com (which is the domain that the end-users will type on a web browser), the edger hostname will be CNAME’ed to the Akamai Edge hostname, for example, intranet.customer.com.edgekey.net. After saving the EAA application, you can click Edit property in Property Manager to view the newly created Edge hostname.
• Edge certificate. After you save the EAA application, click Perform Domain Validation, provide a CNAME for the Edge hostname. An Edge certificate is generated. After you update the DNS server, and it is proved that you own the domain, the Perform Domain Validation link disappears. This step proves that you own the domain and can generate the edge certificate for it.

The procedure for configuring automatic mode of Edge transport is shown below:

1. Log in to Enterprise Center.

2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

3. On the Applications list page go to the application where you enabled Edge transport delivery.

4. Click the Advanced Settings and go to the Edge Transport section.

5. Go to Manual Edge Transport Configuration. It is disabled for your contract, since you may have contacted Akamai support to enable automatic mode for Edge Transport. Edge hostname and Edge certificate options are visible.

6. Click, Save, to save the EAA Application.

7. You will see Edge Cookie Encryption Key, SureRoute Test Object, G2O key, and G2O nonce settings automatically configured, since you are using automatic mode for edge transport.

8. Click Save and Deploy, to save the changes and deploy the EAA Application.
   You will see “Edge transport configured” in the Deployment Summary section on the right:

📘

Notes:

1. You can switch to manual mode of Edge Transport, by enabling Manual Edge Transport Configuration, to manually update the property after it has been created.
2. When using automatic mode, if you update the property in Property manager, changes will be lost when you redeploy the EAA Application.

STEP 3: Update the CNAME of your application with your DNS provider

After you deploy the Web Application, you will need to create a CNAME to point to the Akamai Edge hostname with your DNS provider.

The procedure for updating the CNAME for your application in your DNS provider is shown below:

1. Log in to Enterprise Center.

2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

3. On the Applications list page go to the application where you enabled Edge transport delivery.

4. In the Settings tab of Application, go to the App Settings section.

5. In the External Host label, copy the Edge hostname next to “IMPORTANT: Please create a CNAME for this application and point it to:”.
   For this example the External Host is intranet.customer.com, the Edge hostname is intranet.company.com.edgekey.net.

6. Update your DNS provider with the Edge hostname as a CNAME for your application, so that the traffic from the end user is routed to the Akamai Edge server and then it is routed to the EAA DPOP.

📘

Note:

If you change the External Host to a different name, EAA creates a new version of the property in Property Manage and then activates it on deployment, and the updated CNAME appears automatically. For the above example, if you change intranet.mycompany.com, a new version of the property is created in property manager, and the IMPORTANT message will contain the new CNAME, which is intranet.mycompany.com.edgekey.net. You do not need to log into the Property manager to edit the property and make any changes.