Create UDP and TCP applications

Download, configure and use EAA Client for UDP or TCP applications.

These steps are completed by both an Enterprise Application Access (EAA) administrator and the users. First you enable the client in the identity provider (IdP). Next, you add and configure a TCP-type or Tunnel-type client-access application.

Users can download and install the EAA Client from the Login Portal. By default, the Login Portal presents a download option that is specific to the user's operating system. A user completes the steps in this procedure. You can also download the client from the Login Portal and distribute it to users across the organization. Depending on the operating system, download and install the client:

  1. Install the EAA Client.

  2. Configure EAA Client.

  3. Connect to TCP and UDP applications.

Enable EAA Client and Enable tunnel reuse in an identity provider

The setting to enable EAA Client is done in an Akamai or third-party identity provider (IdP) configuration in Enterprise Application Access. By default, EAA Client is disabled. You must enable it before you configure a TCP-type or Tunnel-type client-access application.

When you enable EAA Client, Enable tunnel reuse is also enabled by default. When you create a client-access application, a web socket tunnel is created and a connection is tied directly to the tunnel. If the tunnel terminates for any reason, the application connection is also terminated, causing the application to hang. You can avoid this by enabling tunnel reuse. By default, a pool can hold up to 20 connections and the idle timeout per tunnel is 120 seconds. If the tunnel is idle for longer than this period, it times out. You can reconfigure the idle tunnel pool size and idle tunnel timeout based on your application.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select the identity provider to open it.

  4. In the Client section, select Enable EAA Client. Enable tunnel reuse is turned on by default for better performance.

  5. In the Client section, set Idle tunnel pool size. This is the number of connections per pool. The default is 20; you can select a value between 1 and 50 connections.

  6. In the Client section, set Idle tunnel timeout. This is the time after which an idle tunnel times out. The default is 120 seconds; you can set a value between 60 and 3600 seconds.

  7. Select Akamai Cloud Zone. The cloud zone should be a geographic location closest to the data center where your application resides.

  8. Click Save.

  9. Deploy the identity provider.

📘

Note:

You can also use Connector Pools to add multiple connectors and associate them with TCP-type or Tunnel-type applications. For more information, see the limited availability feature Associate Connector Pools to an Application and the Beta feature Application Access Groups (AAG).

Tunnel reuse on a per-application basis

The Access service in Guardicore Platform Agent uses web-socket connections to communicate with the EAA Cloud and with the connector inside the data center when an end user accesses a tunnel-type client-access application.

The tunnel reuse capability configured through the Idle tunnel pool size and Idle tunnel timeout parameters in the identity provider applies common pooling and timeout behavior to all web sockets of all tunnel applications, which results in short-lived connections. To improve performance and granularity, Guardicore Platform Agent supports tunnel reuse on a per-application basis.

Prerequisite

  1. You must have Guardicore Platform Agent version 7.2 or higher to use the application-level settings other than Inherit from IdP. It is not supported in EAA Client.
  2. It is in limited availability. You must contact Akamai support to enable this feature for your account.

Configure application-level tunnel reuse

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Select the Tunnel-type client-access application for which you want to configure application-level tunnel reuse capability.

  4. Click the Advanced tab.

  5. In the EAA Client parameters section, select an option for Enable tunnel reuse:

    • Inherit from IdP (default). The application inherits its tunnel reuse settings from the identity provider (IdP) it is associated with. If tunnel reuse is enabled on the IdP, this application uses the Idle tunnel pool size and Idle tunnel timeout values from the IdP configuration. This setting has no effect if tunnel reuse is disabled globally on the IdP. You can click the IDP settings link to navigate directly to the associated IdP to view or modify its global settings. Changes made to the IdP affect all applications that inherit from it.
    • Enable. This lets you override the IdP settings and configure tunnel reuse specifically for this application. See also Explanation of Pool Size Limits.
      • Idle tunnel pool size. The maximum number of idle connections to keep in the pool for this specific application. The default value is 20. You can enter a value between 1 and 50.
      • Idle tunnel pool timeout. The time in seconds that an idle connection remains in the pool before being closed. The default value is 120 seconds. You can enter a value between 60 and 3600 seconds.

        📘

        Note:

        When you use the Enable option, all custom template headers for the application are ignored by Guardicore Platform Agent 7.2 or later versions.

    • Disable. Tunnel reuse is explicitly disabled for this application, even if it is enabled globally on the IdP. The Idle tunnel pool size and Idle tunnel timeout values are not used.
  6. Click Save and Deploy to save and deploy the changes in the IdP.

Explanation of Pool Size Limits

There are two types of pool sizes:

  • Per-application pool size. This is the Idle tunnel pool size you configure for a single application. It defines the maximum number of connections kept in the pool for that specific app.
  • Global maximum pooled connections. This is a cap on the total number of idle connections that can be pooled across all applications combined.

EAA determines this global limit as follows:

If global (IdP-level) tunnel reuse is enabled, the global limit is the higher value between the IdP's pool size and the largest per-application pool size configured. If global (IdP-level) tunnel reuse is disabled, but per-application pooling is enabled for one or more apps, the global limit is the largest pool size value from among those applications.

In summary, the application behavior based on the combination of global IdP setting and the per-application settings is:

| IdP-level tunnel reuse setting | Application-level tunnel reuse setting | Application behavior |
|---|---|---|
| Enabled | Enable | Tunnel reuse is enabled. Uses the unique per-application pool size and timeout settings. |
| Enabled | Inherit from IdP | Tunnel reuse is enabled. Uses the global pool size and timeout settings from the IdP. |
| Enabled | Disable | Tunnel reuse is disabled for the specific application. |
| Disabled | Enable | Tunnel reuse is enabled. Uses the unique per-application pool size and timeout settings. |
| Disabled | Inherit from IdP | Tunnel reuse is disabled for all Tunnel-type client-access applications associated with this IdP. |
| Disabled | Disable | Tunnel reuse is disabled for all Tunnel-type client-access applications associated with this IdP. |
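The decision table above and the two rules for the global limit, worked through as an added example (not Akamai's code; the class and function names are assumptions, and the sample applications in the test are constructed):

```python
from dataclasses import dataclass
from typing import List

# Defaults and allowed ranges stated on the page for the IdP and per-application settings.
DEFAULT_POOL_SIZE, POOL_SIZE_RANGE = 20, (1, 50)
DEFAULT_IDLE_TIMEOUT, IDLE_TIMEOUT_RANGE = 120, (60, 3600)


@dataclass(frozen=True)
class IdpTunnelReuse:
    """Global (IdP-level) setting: Enable tunnel reuse plus its pool size and idle timeout."""
    enabled: bool
    pool_size: int = DEFAULT_POOL_SIZE
    idle_timeout: int = DEFAULT_IDLE_TIMEOUT


@dataclass(frozen=True)
class AppTunnelReuse:
    """Per-application setting; mode is 'inherit', 'enable' or 'disable' (hypothetical model)."""
    name: str
    mode: str
    pool_size: int = DEFAULT_POOL_SIZE
    idle_timeout: int = DEFAULT_IDLE_TIMEOUT


def check_range(value: int, low_high: tuple, label: str) -> None:
    """Reject values outside the ranges the UI accepts."""
    low, high = low_high
    if not low <= value <= high:
        raise ValueError(f"{label} {value} outside allowed range {low}-{high}")


def effective_setting(idp: IdpTunnelReuse, app: AppTunnelReuse) -> dict:
    """Apply the decision table: return the values the application actually uses."""
    if app.mode == "disable":          # explicit Disable wins regardless of the IdP
        return {"enabled": False}
    if app.mode == "inherit":          # follows the IdP; off everywhere if the IdP is off
        if not idp.enabled:
            return {"enabled": False}
        return {"enabled": True, "pool_size": idp.pool_size, "idle_timeout": idp.idle_timeout}
    if app.mode == "enable":           # per-app override, even when the IdP is disabled
        check_range(app.pool_size, POOL_SIZE_RANGE, "Idle tunnel pool size")
        check_range(app.idle_timeout, IDLE_TIMEOUT_RANGE, "Idle tunnel pool timeout")
        return {"enabled": True, "pool_size": app.pool_size, "idle_timeout": app.idle_timeout}
    raise ValueError(f"unknown mode {app.mode!r} for application {app.name}")


def global_pooled_limit(idp: IdpTunnelReuse, apps: List[AppTunnelReuse]) -> int:
    """Cap on idle connections pooled across all applications, per the page's two rules."""
    per_app = [a.pool_size for a in apps if a.mode == "enable"]
    if idp.enabled:                    # larger of the IdP pool size and the largest per-app size
        return max([idp.pool_size] + per_app)
    return max(per_app) if per_app else 0   # nothing is pooled when reuse is off everywhere
```

Use global_pooled_limit when sizing connector capacity: a single application set to Enable with a large pool raises the tenant-wide cap even if the IdP setting is smaller or disabled.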

Add a TCP-type client-access application

Add a TCP-type client-access application to EAA Client and configure its parameters.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Click Add Application (+).

  4. In Type select Client-Access App. In Mode select TCP mode (single port, port mapping, load-balancing options).

  5. Enter application name and optional description.

  6. Click Add Application.

  7. In App Settings > Settings configure the following:

    • Application Host. Enter the hostname of the client access application. This is the hostname that the native client uses to communicate with the application or application server. For example, if you are configuring a client like Outlook, this would be the hostname that is associated with Outlook accounts in your organization such as mail.mydomain.com and is used to communicate with Microsoft Exchange.

    • Port. Specify the same port number that you will enter for the application's App Server IP/FQDN. The EAA Client listens for traffic on this port from the user's computer.

    • Endpoint Host. Enter the external host of your application. This is the cloud endpoint for all communications between the client access application and Enterprise Application Access. Additionally, choose one of the following:

    • Use your domain. If you use your own custom domain, you must provide a certificate configured as a complete bundle with all the subordinates (having the full chain of trust), otherwise you will see a web-socket error. To use an uploaded certificate, select Use uploaded certificates and select the previously uploaded certificate.

    • Use Akamai domain. If you use an Akamai domain, no certificate is needed. For example, an Akamai domain.

    The cloud zone should be a geographic location that is closest to the data center where your application server resides. It has the form Client-*, for example Client-US-East or Client-US-West. Select the location closest to the data center where the application resides.

  8. Optionally, you can add an application category for the app.

  9. Click Save.

  10. To add connectors to the application, go to the Connectivity, Authentication and Access section and click Connectors.

    📘

    More than one connector is recommended for high-availability and load balancing.

  11. Click Add connector, select one or more connectors, and click Add Connector.
    To remove a connector, click Remove Connector next to it.
    The associated connector appears in Connectors.

    📘

    The connector must be running to deploy the application.

  12. To add an Application Server IP/FQDN to the application, configure the following:

    • Server IP/FQDN. Enter the IP address or fully qualified domain name (FQDN).

    • Port. Specify the port of the TCP application. It should be the same port number as you entered in previous steps.

To configure multiple application servers for load balancing, click Add New Server (+). Enterprise Application Access supports various load balancing techniques, including round-robin, session or cookie stickiness, and source IP hash, in the Advanced tab.

  1. To add authentication to the application, go to Authentication and enable Authentication.

  2. For Identity provider, select an identity provider from the list.

  3. Click Assign Directory and select one or more directories from the list.

  4. Click Associate.
    The directory appears in Assigned Directories.

  5. To add an access control rule (ACL) to the application, go to Access and enable Access.

    1. To create a new rule, click Add Rule (+) in Deny Access Rules.

    2. To edit an existing rule, click Edit Rule.
      The rule settings dialog appears.

    3. In Rule Name enter a name for the rule and click Add.

    4. In Type select Device Risk Tier.
      In Operator, is appears; it is now the default value for Device Posture risk tiers.

    5. In Value select High.

  6. Click Add Criteria (+).

    1. In Type enter the value, if applicable, or select the value for the access control type.

    2. Click Time to configure the time-based settings.

    3. In Start Time and End Time enter a time in hh:mm, AM-PM format.

    4. In time zone select a time zone.

    5. Select the days of the week that you want to deny access.

  7. Click Save.

  8. You can optionally configure Advanced settings. See Set up Advanced Settings.

  9. Click Save and Deploy.

Add a tunnel-type client-access application

Add a tunnel-type client-access application to EAA Client and configure its parameters.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Click Add Application (+).

  4. In Type select Client-Access App. In Mode select Tunnel mode (multiple ports, UDP and TCP).

  5. Enter application name and optional description.

  6. Click Add Application.

  7. In App Settings > Settings configure the following:

    • Endpoint Host. Enter the external host of your application.
      This is the cloud endpoint for all communications between the client access application and Enterprise Application Access. Additionally, choose one of these domains:

    • Use your domain. If you use your own custom domain, you must provide a certificate configured as a complete bundle with all the subordinates (having the full chain of trust), otherwise you get a web-socket error.
      To use an uploaded certificate, select Use uploaded certificates and select the previously uploaded certificate.

    • Use Akamai domain. If you use an Akamai domain no certificate is needed.

    • Akamai Cloud Zone. The cloud zone should be a geographic location closest to the data center where your application resides.

  8. Optionally, you can add an application category for the app.

  9. Click Save.

  10. In Destinations > Settings you can configure different traffic types (TCP, UDP or both), different domains (wildcard or specific) or IP based access (with or without subnets), port ranges or specific ports or combinations of both.
    To add more destinations, click Add Destination and configure the next destination.

    📘

    If a route for a particular destination already exists, then EAA Client does not add the IP address to the routing table, but will issue an IP route collision alert.

  11. To add connectors to the application, go to the Connectivity, Authentication and Access section and click Connectors.

    📘

    More than one connector is recommended for high-availability and load balancing.

  12. Click Add connector, select one or more connectors, and click Add Connector.
    To remove a connector, hover over it and click Remove Connector.
    The associated connector appears in Connectors.

    📘

    The connector must be running to deploy the application.

  13. To add authentication to the application select Authentication.

    a. Enable Authentication.

    b. In Identity provider select an identity provider from the list.

    c. Click Assign Directory and select one or more directories from the list.

    d. Click Associate.
    The directory appears in Assigned Directories.

  14. To add an access control rule (ACL) to the application, go to Access and enable Access.

    a. To create a new rule, click Add Rule (+) in Deny Access Rules.

    b. To edit an existing rule, click Edit Rule.
    The rule settings dialog appears.

    c. In Rule Name enter a name for the rule, and click Add.

    d. In Type select Device Risk Tier.
    In Operator, is appears; it is now the default value for Device Posture risk tiers.

    e. In Value select High.

  15. Click Add Criteria (+).

    a. In Type enter the value, if applicable, or select the value for the access control type.

    b. Click Time to configure the time-based settings.

    c. In Start Time and End Time enter a time in hh:mm, AM-PM format.

    d. In time zone select a time zone.

    e. Select the days of the week that you want to deny access.

  16. Click Save.

    📘

    For a client access application, the Enable websocket support option is enabled by default. This option is required to establish a tunnel from the client to the EAA cloud.

  17. If the Destinations (defined in step 10) of your tunnel-type client-access application overlap with the LAN route on end-user devices, and you want EAA Client to capture and service requests for those IP addresses, click the Advanced tab, go to EAA Client Parameters, and enable Override IP route. It is enforced for Destinations that are IPs or subnets.

  18. You can optionally configure other Advanced settings. See Set up Advanced Settings.

📘

Note

If you see performance issues for TCP applications in tunnel mode, select TCP Optimization for higher throughput.

To provide selective access to some subdomains for some users, or to certain IP addresses within the tenant, see Set up DNS exceptions and Add access control rules.

  1. Click Save and Deploy to deploy the changes.

Limitations of tunnel-type 2.0 client-access applications

Limitations of using multiple destinations with tunnel-type 2.0 client-access applications:

  • You cannot configure the same parameters for two destinations inside a tunnel-type client-access application. For example, if Destination 1 and Destination 2 have the same traffic type, the same IP address or host name, and the same port, you get a warning message.

  • You cannot configure two different tunnel-type client-access applications with the same destination parameters that are associated with the same identity provider. You get a warning message when you deploy the application.

Connect to TCP and UDP applications

Connect EAA Client to your TCP and UDP applications.

  1. Launch your TCP or UDP applications. If EAA Client is stuck in Connecting, see Troubleshoot stuck in connecting state.

  2. Log out from your TCP or UDP application.