Create an on-premises network, configure network policies, and allow the users to disable the trusted network.
An on-premises network is a network within your organization that can be securely accessed and only by the employees. A public network can be accessed by any user and is an untrusted network. EAA Client allows secure access to configured applications by tunneling traffic through the user's computer. It helps when the employees are in a public network. When employees are within the corporate network perimeter, this can increases the delay, though. It happens because there is an additional loop from the application server to the Enterprise Application Access management POP, and then to the employee's computer (black path).
The application can be directly accessed from the application server by employees (green path), when they are within the on-premises network. Configure the trusted network policies within the Enterprise Center, so that when the employee's computer (with the EAA Client application) satisfies the policy, the employee has direct access to the enterprise application in the application server.
On-premises network can be enabled inside the identity provider (IdP) used by the EAA Client access application. Configure the rules or trusted network policies which determine whether employees are in a trusted network (on-premises) or in a public network (off-premises), and provide access to the organization's secure applications.
Your employee can disable trusted network on his machine, even if you enabled it in the identity provider (IdP). In this case, all the traffic goes through EAA Cloud (black path).
Configure hostname IP pair network policies. To enable the on-premises network detection for EAA Client, first enable on-premises network in the identity provider (IdP) which has the
EAA Client settings enabled (go to Advanced settings). Next, configure Hostname IP pair network policy. Configure a FQDN (fully qualified domain name) hostname and an IP address (go to Advanced settings). The hostname resolves in the trusted network to the mentioned IP only. If you do a nslookup(name server command line lookup tool) on the hostname inside the corporate network, you should get the IP address of the server. For example, if nslookup shows:
>nslookup corp.companyname.com Server:127.0.0.1
Then you need to enter for the hostname IP pair:
as the hostname IP pair value to configure the trusted network policy.
You can provide up to four hostname IP pairs.
When the user is not in the corporate network, the hostname resolves to a different IP address and therefore EAA Client considers the user is in the public network.
Also, if the user checks the Network Type in the EAA Client settings. It is set to On Premise when the user satisfies the trusted network policy you configured for your organization. If the policy is not satisfied, then the Network Type is set to Public.
Enabled EAA Client in the identity provider.
Log in to Enterprise Center.
In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.
Select the IdP with enabled EAA Client.
In Settings > Client select Enable Captive Portal.
In Hostname:IP pair enter one or more paired values of hostname and IP (IPV4 only). Use the following format:
Deploy the IdP.
Disable direct access to your organization's applications when the employee is inside the corporate network.
Even though you enabled on-premises network settings in the identity provider (IdP) for your organization, an employee can override this configuration using the EAA Client software on their computer. All the traffic to access the application goes from the user's computer to Enterprise Application Access Cloud, and then to the corporate application, even when the employee is within the corporate network.
The option to disable the trusted network is only visible to the user if you enabled on-premises network in the identity provider (IdP).
Right-click the EAA Client icon on the Windows desktop toolbar or the Mac menu bar.
Click EAA Client icon > Open EAA Client.
In Advanced > On Premise set Direct access to application when your device is connected to your organization network to Disabled.
The network type changes from On Premise to Public.
Updated 5 months ago