(BETA) Connector Pools, Application Access Groups (AAG)

Connector Pools and Application Access Groups allow the admin to make common configuration changes in a single place and apply them to all resources like applications, directories, and Enterprise DNS. This greatly improves productivity and provides efficient management for connectors and applications.

Connector Pools

In EAA, you can group a set of connectors that are in the same geographical location and are of the same package type, to create a Connector Pool. You then assign this Connector Pool to a set of applications (of any type like web app, client-access app, RDP, SSH) defined within the Application Access Group (AAG), Directories, or Enterprise DNS Applications. If your organization has many applications you don’t have to assign the connector to each application and deploy it individually. This applies for Directories and Enterprise DNS applications. Changes are made in one place and applied in multiple areas thereby improving productivity and simplifying the onboarding process.

In addition, you can create a reusable registration token for beta connectors, which can be used multiple times for installing the connector within the connector pool, allowing you to manage your connectors very efficiently.

You can also configure the Connector Pool to send alerts to notify the admin when any of the Connectors are down, unreachable, or their state changes.

connector_pool_aag_diagram

Create a Connector Pool

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. Click Add New Connector Pool.
  4. Provide these details:
    Name: A name for the connector pool.
    Description. A description for the connector pool.
    Location. Provide a location for your connector pool. This is just a named reference for you and the connector does not physically reside at the location specified.
    Package Type. Select a package that matches the package of the existing connector you want to assign.
  5. Click, Create Pool.Your connector pool is created. You will not have any Connectors, Directories, Enterprise DNS, or Application Access Groups associated with this connector pool on the Connector Pool detail page.

connector_pool_detail_page

Associate existing Connectors to the Connector Pool

You can associate connectors that serve the applications in the AAG, Directories, or Enterprise DNS applications to the Connector Pool. All the connectors of the Connector Pool must be of the same package type. Your existing connectors not assigned to any connector pool are unassigned connectors.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. Select the Connector Pool you created.
  4. Click Associate Connector in the Connectors tile or Associate Connectors to the Connector Pool icon.
  5. All the connectors of this package type are shown.
    1. To select all of the unassigned connectors, click the box next to unassigned connectors. A check mark appears in the box and all connectors are selected.
    2. To select a specific unassigned connector, click the > next to unassigned connector to expand it. Select the specific unassigned connectors from the list. A check mark appears in the box next to the selected connector.
    3. To select other connectors from other connector pools, you can select the connector pool. A check mark appears in the box and the connector pool is selected.
      6.Click Associate. All existing unassigned connectors are associated with the connector pool and appear in the Connectors tile on the Connector Pool details page.

Create a new connector on the Connector Pools page

You can create a connector of the same package as the connector pool, on the connector pools page.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. Click on the Connector Pool that you created. It will be of a certain package.
  4. Click on Create New Connector in the Connectors tile or Add New Connector to the Connector Pool icon.
  5. Provide a Connector Name, Description (optional) for the connector. Enable Debugging, if you wish to enable troubleshooting for the connector, with more detailed logs and debug utilities. The package type for the connector is automatically derived from the package type of the connector pool.
  6. Click Save.
  7. The new connector appears in the Connectors tile of the Connector Pool page.
  8. You can download the connector image and upload it in your virtual environment.

Associate a Connector Pool to an AAG, Directory, or Enterprise DNS

After you create a Connector Pool and add connectors to it, you can associate it to an Application Access Group, Directory, or Enterprise DNS.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. Click on the Connector Pool that you created.
  4. On the connector pool details page, if you want to associate it to an AAG, go to the AAG tile, click Associate Application Access Group to the Connector Pool, select the AAG, click Associate. The AAG appears in the Connector Pools page, in the Application Access Groups tile.
  5. On the connector pool details page, if you want to associate it to a Directory, go to the Directory tile, click Associate Directories to the Connector Pool, select the Directory, click Associate. The Directory appears in the Connector Pools page, in the Directories tile.
  6. On the connector pool details page, if you want to associate it to an Enterprise DNS, go to the Enterprise DNS tile, click Associate DNS Server to the Connector Pool, select the Enterprise DNS, click Associate. The Enterprise DNS appears in the Connector Pools page, in the Enterprise DNS tile.
  7. Click on the respective AAG in the AAG tile, or Directory in the Directories tile, or Enterprise DNS in the Enterprise DNS tile.
  8. You are taken to the AAG details page or Directories details page or Enterprise DNS details page, respectively.
  9. Click the Pending Changes blue tab on the right.
  10. Verify that AAGs, Directories, EDNS, and associated connector pools associations are all correct, and click Deploy.
  11. Provide a Deploy Confirmation message.
  12. Click Deploy
    Note: Your connectors in the connector pool must be running successfully for the deployment to succeed.

Miscellaneous actions for Connector in a Connector Pool (Diagnostics, Performance, Disable Connector, Edit, Delete, Move Connector to Pool, Dissociate)

You can perform any of these actions on a connector added to a Connector Pool.

connector_pool actions

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. All the Connector Pools are shown on the Connector Pools list page.
  4. Select the Connector Pool where your connector resides on which you wish to perform Diagnostics, check Performance, Disable, Edit, Delete, Move to another Pool, or Dissociate operations:
    1. Diagnostics. Help you run diagnostics debug utility. Remote debugging has to be enabled.
    2. Performance. See Connector Health Monitoring
    3. Disable Connector. Connector is disabled from the connector pool, so that it will not be able to serve any traffic to the resources like Directories, Enterprise DNS, or AAG. If the Connector has associations with other resources then they are shown and you can close the dialog box. Click Close. You will not be able to disable the Connector without dissociating the connector from the connector pool.

connector_cannot_be_disabled

You must first dissociate the Connector from the Connector Pool, and then disable it.(see below g.)

  1. Edit. Allows you to edit any of the Connector values and make changes. Click Save Connector (tick mark)
    5. Delete. Deletes the Connector permanently. Resources (applications, directories, enterprise DNS) associated with this connector will go down as well.
    6. Move Connector to Pool. This enables you to move a connector from one connector Pool to another one. Select another Connector Pool of the same package type and click Associate. This Connector is moved to the new Pool If not available, you can also create a new Connector Pool of the same package type by clicking Create New.
    7. Dissociate. Connector is dissociated with this connector pool and moved to the unassigned connectors list. It will stop serving traffic to the resources of this Connector Pool, but will continue to serve traffic to any directories, applications directly associated with it, if any. Click Dissociate. Click Save Connector.

Assign Unassigned Connectors to a Connector Pool from the Connector Pools list page

All your existing connectors are shown as Unassigned Connectors on the Connector Pools list page. Follow these steps to assign it to a connector pool, if you’ve already created the connector pool. You can either use Bulk Edit for multiple connectors or Assign to Pool for each connector.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. All the existing connectors are shown as Unassigned Connectors at the top.
  4. Click on it, a new window appears with all the unassigned existing connectors.

unassigned_connectors

  1. If you want to assign more than one of the unassigned connectors to a single connector pool, select Bulk Edit.

a. In the Assign Connectors to a Pool window, select one or more connectors or Connector Pool, click Select.

b. All of the Connector Pools of the same package type as the individual connectors are shown selectable and other connector pools are grayed out (not selectable).
Your unassigned connectors will now be assigned to the connector pool of the same package type.

  1. If you want to assign each of the unassigned connectors individually, select Assign to pool, in the Connector Pool column, for the connector you wish to assign.

a. For all the connector pools that are of this Package type are shown in the drop down list.

b. From the Pools column, Select the connector pool or connector pools you wish to assign the connector to.

c. Click Associate.

d. Click Assign, for the dialog message, Are you sure you want to assign this connector?

Your unassigned connector will now be assigned to the connector pool of the same package type.

Assign a connector to a Connector Pool from the Connector list page

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. On the Connectors list page, under the Connector Pool column, you can see if any of your existing connectors are already assigned to a Connector Pool or not.
  4. For a connector that is not assigned to any connector pool and you wish to assign it follow these steps:
    1. In the connector pool column, click Assign to pool. For all the connector pools that are of this Package type are shown in the drop down list.
    2. From the Pools column, Select the connector pool or connector pools you wish to assign the connector to.
    3. Click Submit.
    4. Click Assign, for the dialog message, Are you sure you want to assign this connector?
      Your unassigned connector will now be assigned to the connector pool of the same package type.
  5. For a connector that is already assigned to the connector pool, the connector pool name is shown. If you click on it, it takes you to the Connector Pool details page, and you can make changes, if required.

Set Alerts for Connector state changes

You can send alerts to the administrator when the connectors in the connector pool go down, come up, or unreachable and not communicating with the applications.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. All of the Connector Pools are shown on the Connector Pool list page.
  4. Select the Connector Pool for which you want to set the alerts.
  5. Go to the Settings tile in the Connector Pool detail page.
  6. Enable Send alerts. If any or all of the connectors of this Connector Pool are down, come up, or unreachable an alert is sent to the administrator.

Disabling the Connector Pool

By default when you create a Connector Pool and assign connectors to it, it is enabled by default. This allows it to serve traffic to the different resources like AAG, Directories, or Enterprise DNS applications that are associated with this pool. You can disable the Connector Pool and not traffic is sent to the resources. After disabling, you will not be able to add any new resources.

📘

Note

1.Disabling the Connector Pool is not available for the Connector (BETA) type.

  1. If you have a Connector Pool with both your existing connectors (which we unassigned) and Connector (BETA), then disabling is not available.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. All of the Connector Pools are shown on the Connector Pool list page.
  4. Select the Connector Pool you wish to disable.
  5. On the right side, next to Pending Changes, turn off the Enable button.
  6. This Connector Pool will not be able to serve traffic to the existing resources and you will not be able to add any new resources. All the Connectors inside the Connector Pool as disabled as well.

Connector Registration Token

In earlier versions of EAA, the security credentials for a connector was embedded inside the connector and was for one-time use only. So, for example, if you had to install ten connectors to drive the traffic to your application, you had to download the connector image ten times from the EAA Management portal on the Connectors page and then do the manual install in your virtual environment. This takes a lot of time for connector management for the administrator.

To simplify the connector management process, EAA has introduced a Connector Registration Token which is essentially a multiple-use security credential associated with the connector image. The registration token can be generated from the Enterprise Center admin portal along with security settings from the Connector Pools page. It allows the administrator to download the connector image once and set up many connector instances quickly as the number of registration tokens that you have generated.

registration_tokens_tile

In the above example, the admin has created two registration tokens with different security settings. One of the tokens expires in 4 days and has been unused. The second token has been used 2 out of 5 times and expires in 5 days. Every time you use the registration token for installing a connector in the data center, the Registrations : Used gets incremented till the Max limit is reached, provided it is within the Expires period. Even if you delete the connector after creating and installing it with the token, the Registrations : Used does not decrement, since it has already been counted as used for a registration or it cannot be reused for another connector registration. If you do not use all of the registration tokens (Registrations : Used = Registrations : Max) within the Expires period, they are invalid and cannot be used any more. You must regenerate new Registration Tokens.

Registration Tokens can only be used for the Beta Connectors within this Connector Pool.

For the Manual Registration process, the Registration Token must be copied and pasted into the Connector Console utility while installing the connector in the virtual environment in the data center.

For the Automatic Registration process, the Registration Token is automatically embedded in the connector before you download the Connector from Enterprise Center, and install it in the virtual environment in the data center.

Create a Registration Token for Beta Connector

You can create a connector registration token with security settings. Beta Connectors can register themselves with the Connector Pool using the Registration Code in the Registration Token.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. Go to the Registration Tokens tile.
  4. Click on Add Registration Token for the Connector Pool (+ icon)
  5. Provide these security settings for the Registration Token
    1. Token name. A name for the registration token
    2. Maximum number of registrations. Maximum number of times you want to reuse this token for other connector images.
    3. Expires in. Specify the no of days, months, or years the registration token should be valid for reuse. After expiration, you will not be able create any reusable images of the connector.
    4. Generate template with embedded token. (for automatic registration only) You can embed the registration token in the connector image, so that it can be downloaded at once in the virtual environment when you do automatic registration. It is not needed to enable this option, if you want to do manual registration.

  6. Click Add to list. The Registration Token is added to the Registration Tokens tile.

You can use the registration token for connector registration in the virtual environment using the Manual Registration or Automatic Registration of the Beta Connector image.

Use Registration Tokens tile to generate a Beta Connector with registration token

After you create a registration token for the Beta Connector, you can generate a Beta Connector image with the token embedded in the image, directly in the registration tokens tile.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools. All of the Connector Pools are shown on the Connector Pool list page.
  3. Click the Connector Pool for which you want to create a registration token.
  4. Go to the Registration Tokens tile.
  5. You will see the registration token that you created earlier.
  6. You can generate the Beta Connector image with a specific registration token in two ways:
    1. Click the Generate Connector image with embedded Registration Token. Gear icon under Connector image column.
    2. Click the Actions next to the registration token. Select the Generate Connector Image.

beta connector image with registration token

This will take some time, since the file is more than 1 GB. After the image is generated you will see an entry in the Connectors tile, the package type is BETA and the name of the generated image is of the form, CONNECTORPOOLNAME_TIMESTAMP where CONNECTORPOOLNAME is the name of the connector pool and the TIMESTAMP is the timestamp of when the Beta Connector image was generated with the embedded registration token.

For example, here we have a Beta Connector image of name
azure_pool_20240423T124755, where Connector Pool Name is AZURE_POOL and the timestamp is 20240423T124755, i.e. April 23, 2024 at time of 12 hours 47 minutes and 55 seconds:

beta connector image registers and runs successfully

Manual Registration of Beta Connector Image

In the manual registration process, you download the connector image. Then, you provide the Registration Code during installation of the connector instance. The base connector image is downloaded only once and reused to instantiate multiple connector instances with the registration token, as long as the security settings of the registration token is satisfied.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools. All of the Connector Pools are shown on the Connector Pool list page.
  3. Select the connector pool you created earlier.
  4. Go to the Connectors tile in the Connector Pool detail page.
  5. Click Download Beta Connector Image.
  6. For Connector Image Token(s), select the registration token you created earlier. If you did not create a registration token, see Create a Registration Token
  7. Click Manual Registration. Click Download. You can download the generic image of the Beta connector.
  8. Install the image in your virtual environment.
  9. For the VMWare ESXi environment, see Deploy a VMware vSphere Client using ESX or ESXi version 6.5 or later.
  10. Power on the connector instance in vSphere Client.
  11. Using the VMWare connector console utility, SSH into the connector, using Start SSH server (option 7) and then after you SSH into the server, select Show Registration Status (option 1)

connector_vm_console

  1. Click the Copy code to Clipboard next to the Token in the Registration Tokens tile.
  2. Enter ‘y’ and paste the registration code in the VMWare connector console utility:

copy_token

You will see a message “Verifying for Connector Registration:”. After the connector is registered, you will see a message, Connector Registered in the VMWare connector console utility.

connector_automatic_registration_vmware

  1. If you go back to the Connector Pools page and click Refresh the list of connectors associated to the Connector Pool (refresh connector list),you will see the newly installed connector in the connector pool in your data center. This might take a few minutes to show up in the Enterprise Center, while EAA validates the token and its security settings and runs successfully. You will see an entry for the beta connector in this format:

beta connector image registers and runs successfully

  1. To reuse the registration code for installing another instance of the connector in the data center, repeat steps 11, 12, 13 and register a second instance. If you reuse a conector token after the maximum number of registrations, the connector registration fails in the virtual environment.

Since you’re not required to download the connector instance again, it greatly improves the productivity and connector maintenance is simplified.

Automatic Registration of Beta Connector Image

In the automatic registration process, you can embed a registration token in the standard connector template, and then download a custom connector template in the virtual environment. This custom connector template can be instantiated multiple times for multiple connector instances within your data center, as long as you adhere to the security settings of the registration token that you associated while creating the customer connector template.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
  3. All of the Connector Pools are shown on the Connector Pool list page.
  4. Click the Connector Pool for which you want to create a registration token.
  5. Go to the Registration Tokens tile.
  6. Click on Add Registration Token for the Connector Pool (+ icon)
  7. Provide these security settings for the Registration Token
    1. Token name. A name for the registration token
    2. Maximum number of registrations. Maximum number of times you want to reuse this token for other connector images.
    3. Expires in. Specify the no of days, months, or years the registration token should be valid for reuse. After expiration, you will not be able create any reusable images of the connector.
    4. Generate template with embedded token. (for automatic registration only) You can embed the registration token in the connector image, so that it can be downloaded at once in the virtual environment when you do automatic registration. It is not needed to enable this option, if you want to do manual registration.

  8. Click Add to list. The Registration Token is added to the Registration Tokens tile.
  9. Next you need to download the Connector Template. This can be done in two ways:
    1. Using the Registration Tokens tile: In the Registration Token’s tile, click Download Connector template with embedded Registration Token under Connector Template column. The file, for example, Microsoft Azure.json, gets downloaded to your machine.

beta connector template automatic registration

ii. Using the Connectors tile: Go to the Connectors tile in the Connector Pool detail page. Click Download Beta Connector Template. Click Automatic Registration. For Connector Template Token, select the correct Registration Token from the list. Make sure the token is not expired and not fully used. If you did not create a registration token, see Create a Registration Token. Click Download. The file, for example, Microsoft Azure.json, gets downloaded to your machine.


  1. Install the template in your Azure virtual environment. See Install Connector in Microsoft Azure environment.
  2. Go back to the Enterprise Center. Navigate to Application Access > Clients & Connectors > Connector Pools.
  3. If you go back to the Connector Pools page and click Refresh the list of connectors associated to the Connector Pool (refresh connector list),you will see the newly installed connector in the connector pool in your data center. This might take a few minutes to show up in the Enterprise Center, while EAA validates the token and its security settings and runs successfully. You will see an entry for the beta connector in this format:
    beta connector image registers and runs successfully

  4. You can reuse the custom connector image to instantiate multiple connector instances in your data center, as long as you adhere to the security settings of the registration token embedded in the custom image.

Since you’re not required to download the connector instance again or embed a security token during connector installation, it further improves the productivity and connector maintenance is even more simplified.

Application Access Groups

An Application Access Group (AAG) is a group of EAA applications that are served by the same set of connectors in the Connector Pool to service the application traffic, and have the same Authentication and Authorization rules.

All of the connectors that serve the applications are associated with the same Connector Pool. When you make changes to the connectors, the changes are applied to the AAG. This makes it easier to manage your connector configuration changes. You do not have to add the connector to each of the applications, deploy the application.

If you need a common MFA policy for all of the applications in the AAG, it can be configured with an Identity Ruleset and applied to all of the applications in the AAG. It is not required to add authentication policies for each of the applications and deploy the applications individually, reducing the time required to configure authentication policy.

Also, if you need a common set of authorization rules for all your applications in the AAG, it can be configured with an Access Ruleset and applied to all of the applications in the AAG. You can specify all of the ACLs in EAA in the Access Ruleset and it can be applied to all of the applications. You do not have to add ACLs for each of the applications and deploy the applications individually, reducing the time required to configure ACLs.

In this way, managing connectors, authentication policies, and authorization rules in one place in the AAG and applying them to all the applications saves time and improves productivity.

Comparison of stand-alone EAA Application versus Application associated with an AAG

  1. In an EAA Application, Connectors are added to Application in Settings tab in Applications Details Page:

When the Application is added to an AAG, the Connector Pool in the AAG serves traffic for the Application.

  1. In an EAA Application, the Authentication policies, MFA details are added to Application in Authentication tab in Applications Details Page:

When the Application is added to an AAG, the Identity Ruleset in the AAG provides the authentication policies and MFA details for the Application.

  1. In an EAA Application, the Access Control Lists (ACLs) or access control rules are added to the Application in Access tab in Applications Details Page:

When the Application is added to an AAG, the Access Ruleset in the AAG provides the ACLs for the Application.

AAG Workflow

The overall workflow is shown below:

AAG Workflow

The high level steps are:

  1. Create the AAG.
  2. Associate one or more Connector Pools.
  3. Use Identity Ruleset to add Authentication Rules.
  4. Deploy the AAG.
  5. Associate Applications to the AAG and deploy all the Applications.
  6. Use Access Ruleset to add Authorization Rules (optional - Disabled by default) Deploy the AAG.
  7. Override the AAG’s Authentication Rules in any of your specific Apps (optional - Disabled by default) and deploy the specific Apps.
  8. Override the AAG’s Authorization Rules in any of your specific Apps (optional - Disabled by default) and deploy the specific Apps.

Use AAG with Connector Pools, Identity Ruleset, Access Ruleset, and Applications

STEP 1: Create an AAG

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Applications > Application Access Groups.
  3. Click on Add New Application Access Group.
  4. Provide these details:
    1. Application Access Group Name. Provide a name for the application access group.
    2. Description. Provide a meaningful description for the application access group.
    3. Application Type. Select Private Apps to use the existing EAA cloud. Select Private Apps with Edge Transport to use EAA Cloud on Akamai Edge network.
  5. Click Create Application Access Group. A blank Application Access Group detail page is created. There are no Applications, Connector Pools, Identity Ruleset or Access Ruleset in any of the tiles on the AAG detail page. Access Ruleset is disabled by default as seen below:

new AAG details page

You must do the following before you deploy the AAG:
i) Associate one or more connector pools to the AAG
ii) Assign an existing Identity ruleset or create a new Identity ruleset and assign to the AAG.

STEP 2: Associate Connector Pools to AAG

  1. If you’ve already created a Connector Pool, you can click Associate Connector Pools in the Connector Pool tile or click the Associate Connector Pools to the Application Access Group icon, select the Connector Pool or Connector Pools, click Associate. The Connector Pools appear in the Connector Pools tile, in the Application Access Groups page. All the connectors in the connector pool must be reachable. If you check the Deployment section on the right, AAG indicates it is not ready for deployment and if Connector Pool is okay and all connectors are reachable, you will see a display message:

Connector Pool in AAG deploy message

STEP 3: Create or assign a Identity Ruleset to the AAG

  1. Create an Identity Ruleset for the AAG. Or if you have an existing Identity Ruleset, you can assign it to this AAG using Manage Rulesets. If the identity ruleset is okay, when you check the Deployment section on the right, the AAG indicates it is ready for deployment and a check mark appears next to Identity Ruleset:

Connector Pools and Identity Ruleset added to AAG - Deploy message

STEP 4: Deploy the AAG

  1. Click the Deploy icon in the top right corner.
  2. The Pending Changes section opens up with this AAG selected, click Deploy.
  3. Provide a Deploy Confirmation message.
  4. Click Deploy. After the AAG is deployed, you will see a Deployment Status : Success in the AAG tile on the AAG list page. You can also see this in the AAG details page on the right indicating the AAG is successfully deployed.

AAG Deployed without DPOPs

This completes the initial deployment of the AAG. Next you can add the applications to the AAG.

STEP 5: Associate Applications to the AAG and deploy them

📘

Note:

Before you associate an application to an AAG, you must deploy the AAG.

  1. Associate Applications to the AAG. To associate applications with this AAG, click Associate in the Applications tile or click Associate Applications to the Application Access Group icon. You can select all of the Unassigned Apps by clicking the box next to it, or expand the Unassigned Apps by clicking the > mark, and individually selecting the unassigned applications in the Unassigned Apps list, or select other applications from other AAG or other AAGs. Then, click Associate. When an Application or Applications are associated with an AAG and the Applications are not yet deployed, they will appear in the “Draft Association” state.

For example, here we’ve associated two HTTP applications, App-1 and test-lin, from the Unassigned Apps to an AAG named AAG DEMO. Both are in the Draft Association state, to indicate that they must be deployed for the configuration changes to be propagated from the AAG to the Applications.

associate app to AAG in draft association state

📘

Note

If you go to any of the applications associated with an AAG that has an identity ruleset or access ruleset assigned to the AAG, and the AAG that has not yet been deployed, you will see (Draft) next to the AAG name to indicate that the AAG has to be deployed for the configuration changes to be applied to the Application.

If you want to associate other applications to the AAG, repeat this step till you have selected all of the applications that you want to associate with this AAG. All these applications will be serviced by the same connector pools, identity ruleset.

  1. Click the Deploy icon in the top right corner.
  2. The Pending Changes section opens up with the corresponding applications selected. Make sure they are all the correct applications and are selected in the Pending Changes window under Applications.
  3. Provide a Deploy Confirmation message.
  4. Click Deploy. The application deployment automatically triggers an AAG deployment. The AAG gets automatically deployed in all of the DPOP regions where the applications reside.The applications appear in the Applications tile of the Application Access Group as Deployment Status: App Deployed
  5. Also, if you check the AAG detail page, you see the blue Deployed icon and when you expand it, the AAG also gets deployed on all the DPOPs where the applications associated with the AAG reside.

AAG deployed with DPOPs

For example, this AAG is deployed on DPOP-DPus-east-coast-1 where the three applications associated with the AAG reside.

AAG deployed with DPOPs example

STEP 6: Create and assign an Access Ruleset to AAG (optional)

  1. (optional) If you want to assign an Access Ruleset, you must select Enable Access Ruleset (disabled by default in a new blank AAG) in the Access Ruleset tile of the AAG:

Enable Access Ruleset

From the Select Access Ruleset pull down menu, select the Access Ruleset you want to assign to the AAG and click Save. To create a new Access Ruleset see Create an Access Ruleset for the AAG. Or if you have an existing Access Ruleset, you can assign it to this AAG using Manage Access Rulesets.

  1. If the access ruleset is okay, when you check the Deployment section on the right, the AAG indicates it is ready for deployment and a check mark appears next to Access Ruleset:

AAG Deploy message with CP and AAG having identity ruleset and access ruleset

  1. Click the Deploy icon in the top right corner.
    21.The Pending Changes section opens up with this AAG selected, click Deploy.
  2. Provide a Deploy Confirmation message.
  3. Click Deploy. After the AAG is deployed, you will see a Deployment Status : Success in the AAG tile on the AAG list page. You can also see this in the AAG details page on the right, along with the DPOPs where it has been deployed.

STEP 7: Override authentication rules for any specific apps in the AAG (optional)

  1. If you have any specific application in the AAG which should not have the authentication rules specified in the Identity Ruleset of the AAG, you can override the setting. Click on the Application within the AAG tile. Go to the Authentication tab. Enable Override. Enable Authentication. Configure any authentication settings specific for this application. You can then configure your MFA for each Application, or MFA for each directory or group associated with this Application.
    Save and Deploy the application.

override identity ruleset for specific app

STEP 8: Override authorization rules for any specific apps in the AAG (optional)

  1. If you have any specific application in the AAG which should not have the authorization rules specified in the Access Ruleset of the AAG, you can override the setting. Click on the Application within the AAG tile. Go to the Access tab. Enable Override. Enable Access. Configure any ACL specific for this application.doc:access-control-rules Save and Deploy the application.

override access ruleset for specific app

Draft Status of an AAG

If an application is associated with an AAG and the AAG is not yet deployed, you will know it is two ways:

a. If you go to the Application’s Authentication tab (if Identity Ruleset is assigned to the AAG) or Access Tab (if Access Ruleset is assigned to the AAG), you see (Draft) next to the AAG name.

AAG Draft State for Application Authentication

b. If you go to the Application’s tile in the AAG page, you see Draft Association in the Updated column for the Application.

AAG Draft State for Application Authentication2

If all configurations are okay and you successfully deploy the AAG, the draft state will disappear in both places.

Identity Ruleset

Identity Ruleset in an AAG allows you to configure authentication policies that are applied to all applications associated with the AAG. It is mandatory to add an identity ruleset to an AAG. When you first configure a new AAG, there are no Identity rulesets present in the Identity Ruleset tile. You can create a new identity ruleset or assign an existing ruleset, if you created earlier for another AAG.

Default identity ruleset in AAG

Note: If you disable the Disable Authentication setting for the Identity Ruleset tile, it means that there are no authentication policies set for the AAG, so everyone (even unauthenticated users) can access the application. Therefore you should not enable this setting unless it is for troubleshooting authorization issues.

Create Identity Ruleset

You can only have one Identity Rule associated with an Identity Ruleset.

To create a new identity ruleset follow this procedure:

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Applications > Application Access Groups.
  3. Select the AAG from the AAG list page by clicking the pencil icon, Edit Application Access Group.
  4. Go to the Identity Ruleset tile inside the AAG detail page.
  5. You can create an identity ruleset from three different places:
    • From the Select Identity Ruleset menu select Create Ruleset
    • From the Action menu (...) select Create Ruleset
    • From the Select Identity Ruleset menu select Manage Rulesets, then select Create Ruleset.
  6. In the New Identity Ruleset Window, provide a Name, Description for the ruleset. Click Next>>.
  7. Next you need to add the rules based on the identity provider, the directory, and group membership.
    1. Click Add Identity Rule
    2. For Identity Provider: Select an Identity provider. Note: EAA only supports one Identity Provider.
    3. For Assigned Directories: All directories assigned to this IdP are present. Click Associate Directory and select one or more directories that are allowed access to this AAG. Click Add Directory.
    4. Add desired groups to the directories: All groups of the directory are selected by default. Groups associated with each Directory can be edited under the Authorized Groups column, if required. Click Save, to add the desired groups. Check that the Authorized Groups are correct and are the ones needed to access the AAG.
    5. The Manage MFA section can be used to customize the MFA configuration for the rule. Click Manage MFA to expand it.
    6. Click Add Rule. A Rule is created and associated with the Ruleset. You can only associate one Rule with an Identity Ruleset.
    7. Click Save.
  8. In the Identity Ruleset tile, using the Select Identity Ruleset drop-down menu, select the ruleset you just created, expand it to check that all the authorization policies and permissions are correct, and it should be assigned to the AAG. You should see the IdP name, Directory name, and User Groups all listed under the ruleset name you created.
  9. Click Save in the bottom right corner of the AAG details page.

Identity Ruleset MFA overrides

The Identity Ruleset is now assigned to the AAG.

Copy an Identity Ruleset from another application

If you have already created an identity ruleset for another AAG, you can copy it to another AAG, instead of creating a new one.

To copy the authentication rules from another application to a new identity ruleset follow this procedure:

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Applications > Application Access Groups.
  3. Select the AAG from the AAG list page by clicking the pencil icon, Edit Application Access Group.
  4. Go to the Identity Ruleset tile inside the AAG detail page.
  5. You can create an identity ruleset from three different places:
    • From the Select Identity Ruleset menu select Create Ruleset
    • From the Action menu (...) select Create Ruleset
    • From the Select Identity Ruleset menu select Manage Rulesets, then select Create Ruleset.
  6. In the New Identity Ruleset Window, provide a Name, Description for the ruleset. Click Next>>.
  7. Click on Copy icon next to the Add Identity Rule

Copy Identity Ruleset

  1. All the EAA Applications that use this Identity Ruleset are shown. Search for the application from where you want to copy the Identity Ruleset containing the Authentication settings. Select the application. Verify the settings IdP, Directories, MFA settings are correct.

Copy Identity Ruleset from Authentication Settings

Click Copy, to populate the authentication settings into the Edit Identity Ruleset window, customize if needed (alter directories or groups). Click Add Rule, to associate this rule with this Identity Ruleset. Click Save to create this new rule set.

  1. In the Identity Ruleset tile, using the Select Identity Ruleset drop-down menu, select the ruleset you just created, expand it to check that all the authorization policies and permissions are correct, and it should be assigned to the AAG. You should see the IdP name, Directory name, and User Groups all listed under the ruleset name you created.
  2. Click Save in the bottom right corner of the AAG details page.

Manage Identity Ruleset

You can manage all of the Identity Rulesets you create using Manage Rulesets in the Identity Ruleset tile of the AAG detail page. It allows you to create, edit, and delete any of your rulesets and also see which rulesets are associated with which AAG, and which rules belong to a ruleset.

Manage Identity Ruleset

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Applications > Application Access Groups.
  3. Select the AAG from the AAG list page by clicking the pencil icon, Edit Application Access Group. You get to the AAG details page. You will see the Applications, Connector Pools, Identity Ruleset, Access Ruleset tiles.
  4. Go to the Identity Ruleset tile inside the AAG detail page.
  5. You can go to an Manage Ruleset from two different places:
  • From the Select Identity Ruleset menu select Manage Rulesets
  • From the Action menu (...) select Manage Rulesets.
  1. All of the rulesets you’ve created are shown. You can expand on each of the Ruleset to see the details of which IdP, directory, User groups are associated with the rule. You can click on the # under Used in column to see the number of AAG and names of the AAG that has this Ruleset. You can click on the # under the
    # of Rules column, to see how many rules are in this Ruleset.
  2. Click the pencil icon (Edit Ruleset) to edit the Ruleset and make any changes and click Save to save the Ruleset.
  3. Click the trash icon (Delete Ruleset) to delete the Ruleset.
  4. Click on the Copy this ruleset to copy it and paste it when you create a new ruleset.
  5. You can also create a new identity ruleset by clicking Create new ruleset inside the Manage Identity Rulesets window. Steps are the same as the Create Identity Ruleset, which has been described above.
  6. You can use the Search Identity Rulesets to search the Identity Ruleset by Name, Description, IdP Name, or IdP Hostname.

Access Ruleset

Access Ruleset in an AAG allows you to configure authorization policies (or access control list or ACLs) that are applied to all applications associated with the AAG. By default, if there are no ACLs, it is an Allow All policy, provided Identity Ruleset criteria is met. Therefore if you wish to add additional access rules like, for example, users from a certain country or a specific time zone or users accessing the AGG from devices with low risk device posture tiers or tags, or more you can add them with Access Ruleset. If you do not specify any Access Ruleset within the AAG, you will still be able to deploy the AAG, provided Connector Pools are added to AAG and Identity Ruleset criteria is met. Therefore when you first configure a new AAG and go to the AAG details page, you see that Access Ruleset is disabled by default. You can click Enable Access Ruleset in the Access Ruleset tile or click the Enable Access Ruleset icon.

Access Ruleset

The rules in a ruleset are evaluated from top to bottom.

Create Access Ruleset

You can only have one Access Rule associated with an Access Ruleset.

To create a new Access Ruleset follow this procedure:

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Applications > Application Access Groups.
  3. Select the AAG from the AAG list page by clicking the pencil icon, Edit Application Access Group.
  4. Go to the Access Ruleset tile inside the AAG detail page.
  5. You can create an access ruleset from three different places:
    1. From the Select Access Ruleset menu select Create Ruleset
    2. From the Action menu (...) select Create Ruleset
    3. From the Select Access Ruleset menu select Manage Rulesets, then select Create Ruleset.
  6. In the New Access Ruleset window provide a Name, Description for the ruleset. Click Create Ruleset. You see a blank Rules page with a Default Rule of Allow, with no other rules in it.
Blank Access Ruleset

📘

Note

If you save this Access Ruleset with no specific access rules created and assign it to the AAG in the Access Rule set tile, then since only the default rule is ALLOW, if the identity ruleset conditions are met, users will be able to access the application, with not additional access rules condition. To add additional DENY access rules, see next step.

  1. Provide a Rule Name.
  2. The Rules within the Ruleset are evaluated Top-Down. You can specify DENY rules by specifying parameter, is or is not, value. You can also AND multiple rules.

Here is an example of an access ruleset:

It denies access to all applications in the AAG when accessed using a high risk device from Afghanistan:

Manage Access Ruleset

  1. Click Done. This associates the rule with the ruleset. Click Save.
  2. You can similarly add multiple rules by clicking Add Rule. The rules are evaluated top-down, with the topmost rule having the highest priority.

For example, here we have two rules created within the ruleset, with Rule Two disabled and Rule One demo enabled, in the 2304 -Demo-Ruleset:

multiple rules in Access Ruleset

  1. In the Access Ruleset tile, using the Select Access Ruleset drop-down menu, select the ruleset you just created. Check that the rules are correct and click Save.

The ruleset is displayed in the Access Ruleset tile of the AAG.

Manage Access Ruleset

You can manage all of the Identity Rulesets you create using Manage Rulesets in the Identity Ruleset tile of the AAG detail page. It allows you to create, edit, and delete any of your rulesets and also see which rulesets are associated with which AAG, and which rules belong to a ruleset.

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Applications > Application Access Groups.
  3. Select the AAG from the AAG list page by clicking the pencil icon, Edit Application Access Group. You get to the AAG details page. You will see the Applications, Connector Pools, Identity Ruleset, Access Ruleset tiles.
  4. Go to the Access Ruleset tile inside the AAG detail page.
  5. You can go to an Manage Ruleset from two different places:
  • From the Select Access Ruleset menu select Manage Rulesets
  • From the Action menu (...) select Manage Rulesets.
  1. All of the rulesets you’ve created are shown. You can expand on each of the Ruleset to see the details of which IdP, directory, User groups are associated with the rule. You can click on the # under Used in column to see the number of AAG and names of the AAG that has this Ruleset. You can click on the # under the # of Rules column, to see how many rules are in this Ruleset.
  2. Click the pencil icon (Edit Ruleset) to edit the Ruleset and make any changes and click Save to save the Ruleset.
  3. Click the Delete this ruleset icon (trash) to delete the Ruleset. A Ruleset can be deleted only if it is not associated with any AAG. If the ruleset is associated with any AAG, it is grayed out and cannot be deleted. When clicked, a confirmation message is shown, select Yes, delete this Ruleset, to delete it.
  4. Click the Copy this ruleset icon to Copy a Ruleset. It opens the ruleset in an editable window and admin can customize if required like changing the rule name, adding a rule, deleting a rule using the edit (pencil) icon and delete (trash) icon. Then click Save, to save the copied ruleset.
  5. You can also create a new identity ruleset by clicking Create new ruleset inside the Manage Identity Rulesets window. Steps are the same as the Create Identity Ruleset.
  6. You can use the Search Access Rulesets to search the Access Ruleset by Name, Description, or Rule Name in the Manage Access Rulesets.

Disable Access Ruleset

By default in EAA if you do not configure any ACLs, the default is Allow All types to traffic to the applications. Therefore we require the admin to know that this will be the access rule for the applications in the AAG when you set Disable Ruleset in the Identity Ruleset tile of the AAG details page. If you don’t enable this option, then you will be required to configure at least one Identity Ruleset before you deploy the AAG.

Deployment-ready conditions for an AAG

For an Application Access Group to be deployment ready, any of the three conditions must be met:

i) At least one Connector Pool must be associated with the AAG

One connector in AAG

ii) A valid Identity Ruleset must be associated with the AAG. If you have not assigned a valid Identity Ruleset, you can disable it, to make the AAG deployment ready.

connector and identity ruleset in AAG

Note: This is not safe to disable the Identity Ruleset, since you are making your applications available to anyone who does not authenticate, since there are not authentication rules configured.

iii) A valid Access Ruleset must be associated with the AAG. If you have not assigned a valid Identity Ruleset, it can be left in the default state, which is Disabled (in any new AAG) to make the AAG deployable.

connector and identity ruleset and access ruleset in AAG

If any of these conditions are met, the AAG will be in Ready to deploy state and it can be deployed.

Delete an AAG

You cannot delete an AAG when you have active resources like Connector Pools, Applications, Identity Ruleset, and Access Ruleset associated with it. You can delete an AAG only after you remove all of the active resources.

Follow this procedure to remove any active resources and delete the AAG:

  1. Log in to the Enterprise Center.
  2. Navigate to select Application Access > Applications > Application Access Groups.
  3. Select the AAG from the AAG list page by clicking the pencil icon, Edit Application Access Group. You get to the AAG details page. You will see the Applications, Connector Pools, Identity Ruleset, Access Ruleset tiles. You get to the AAG details page.
  4. Go to the Connector Pools tile, click Dissociate (- icon) next to each connector in the connector pool. The connector does not server traffic for the applications any more. Repeat this for any other connectors in the Connector Pool.
  5. Go to the Applications tile, click Dissociate next to each application.

connector and identity ruleset and access ruleset in AAG

For Dissociate Application, enter Yes. Repeat this for all the applications in the Applications tile.

  1. Go to the Identity Ruleset tile and select Disable Authentication. For the dialog box , Are you sure you want to disable Authentication, select Disable.
  2. Go to the Access Ruleset tile and select Disable Authorization. For the dialog box , Are you sure you want to disable Authorization, select Disable.
  3. Click Save to save the AAG with all the changes.
  4. For Do you want to delete AAG, enter Yes.

The AAG is deleted and removed for the AAG list page.

Create a New Application and add to an AAG

You can create a new EAA Application and add it to an existing AAG. The Application inherits the Connector Pools, Identity Ruleset, and Access Ruleset from the AAG.

Follow this procedure to add a new Application to an existing AAG:

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Click Add Application (+).

  4. Enter type, application name, and an optional description.

  5. Click Add Application.The application configuration page opens.

  6. Add all of the App Settings, Server Settings as described in Configure Access parameters for an Application.

  7. In the Application Access Group section, select the AAG you wish to use for this application by selecting the drop-down Select Application Access Group and picking the AAG from the list. The Connector Pools, Identity Ruleset, and Access Ruleset from the AAG is used for this application. It is displayed under the Application Access Group section:

New App with AAG

📘

Note:

a) If you do not wish to associate the application with the AAG, click Remove association. In the dialog box, Remove Association Confirmation, click Remove.

b) If the AAG association is removed, the Connectors section appears. Click Add connector. Select one or more connectors and click Add Connector. The associated connector appears in Connectors.

  1. Click the Authentication tab. If there are any Identity Ruleset configured in the AAG, that is shown here and the authentication policies are coming from the AAG.
  2. Click the Access tab. If there are any Access Ruleset configured in the AAG, that is shown here and the ACLs are coming from the AAG.
  3. You can set up the Services, Advanced settings like any Access Application (step 10)
  4. Click Save and Deploy, to save and deploy the changes.

If you go to the AAG details page, this application that’s added to the AAG will be listed with other applications.


Limitations

  1. Identity Ruleset is not updated when Directory Verification Required is disabled on an third-party IdP, so does not work with third-party IdP.
  2. If you are using a docker-based connector, you cannot use the same connector pool for both clientless (HTTP, RDP, or SSH) apps and cliented (TCP-type client-access, Tunnel-type client-access) apps.

You must have two different AAGs:

  • Have one AAG for clientless apps serviced by a docker based connector pool containing only docker based connectors configured for clientless traffic.
  • Have one AAG for clientled apps serviced by a docker based connector pool containing only docker based connectors configured for clientled traffic.