Set up services for applications
By default, EAA Client follows an allowlist access model, which allows access to all applications.
- A TCP-type client-access application can be accessed by all users within the organization.
- All thin client applications associated with the tunnel-type client-access application can be accessed by all users of that domain.

- Log in to the Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Applications > Applications.
- In Settings > Services, leave Access control deselected to give all users access to a single application or to multiple applications.
- Click Save and go to Advanced Settings.
- Make any changes you need to make on the Advanced Settings tab.
- Click Save and go to Deployment.
Next, you can control who can view which applications by setting up access control rules.
Access control rules
You can select the Access control option in an EAA application to deny access to all users, like a blocklist access model. You may need a layer of security that regulates which users or groups can view your domain's content.
In EAA Client, you can create an access control rule to block or deny access to an application or multiple applications based on these criteria:
| Access control type | Description |
|---|---|
URL | The web address or path requested by the user. |
Group | The group that a user belongs to. |
User | The username assigned to the end user. |
Method | An HTTP method such as GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, CONNECT, or another custom method that is used for the application. |
Client IP | The IP address of the client that you want to restrict. |
Country | The country where you want to prevent the end user from accessing the application. |
Time | The days of the week and the exact times (based on time zone) that you want to restrict access. This access control type is available with HTTP/HTTPS applications only. |
App Host | The hostname of the application server. Applies to tunnel-type client-access applications only. |
App Port | The port number of the application server. Applies to tunnel-type client-access applications only. |
App Protocol | Select TCP or UDP protocol. Applies to tunnel-type client-access applications only. |
For every rule you create, you select the access control type, an operator, and define the values for the selected type. For the operator, you choose *is* or *is not*, which determines whether the value you define is restricted as a control type.
By default, access control rules are disabled for an application. All users can access an application. You must enable the feature and then configure the rules and criteria you require.
For tunnel-type client-access applications, there may be multiple applications within the domain. For example, if you want to deny access to UDP applications for the finance team, you set the following rule:
| Type | Operator | Value |
|---|---|---|
App Protocol | is | UDP |
Group | is | Finance |
Access control rules are not applied to an application until you deploy or redeploy the application.
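The rule semantics described above (a deny rule with `is` / `is not` operators, and the UDP-for-Finance example) as a small evaluator. This is an added illustration, not Akamai code; it assumes the criteria within one rule must all match for the rule to deny, that any matching rule denies, and that access control deselected means every request is allowed.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """Attributes of one tunnel-type access request as the EAA Client sees them (constructed model)."""
    user: str
    groups: frozenset
    protocol: str   # "TCP" or "UDP"
    app_host: str
    app_port: int


# A rule is a list of (type, operator, value) criteria; it denies only when
# every criterion matches (assumption, modelled on the UDP + Finance example).
Rule = list[tuple[str, str, str]]


def _values(req: Request, ctype: str) -> frozenset:
    """Request attribute(s) that an access control type is compared against."""
    table = {
        "User": frozenset({req.user}),
        "Group": req.groups,
        "App Protocol": frozenset({req.protocol}),
        "App Host": frozenset({req.app_host}),
        "App Port": frozenset({str(req.app_port)}),
    }
    return table[ctype]


def criterion_matches(req: Request, crit: tuple) -> bool:
    """'is' matches when the value is present; 'is not' matches when it is absent."""
    ctype, operator, value = crit
    present = value in _values(req, ctype)
    if operator == "is":
        return present
    if operator == "is not":
        return not present
    raise ValueError(f"unknown operator {operator!r}")


def is_denied(req: Request, rules: list, access_control: bool = True) -> bool:
    """Access control deselected means every request is allowed, whatever the rules say."""
    if not access_control:
        return False
    return any(all(criterion_matches(req, c) for c in rule) for rule in rules)


# Constructed sample rule from the text: deny UDP applications for the finance team.
DENY_UDP_FOR_FINANCE: Rule = [("App Protocol", "is", "UDP"), ("Group", "is", "Finance")]

if __name__ == "__main__":
    alice = Request("alice", frozenset({"Finance"}), "UDP", "app1.app.example.com", 5000)
    print(is_denied(alice, [DENY_UDP_FOR_FINANCE]))  # True
```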
Access control list limitations
When the application server is running multiple applications on the same IP address, the same port, and the same protocol, the access control list (ACL) rules might not be applied reliably and there is a vulnerability.
For example, app1 and app2 are hosted on the same server, app.example.com. An ACL rule is set up to allow User A access to app1.app.example.com. If an attacker modifies the application parameters, such as the host header, before it reaches the EAA Client, then the EAA Client is not able to detect it. This allows the attacker to access app2.app.example.com.
The EAA Client does not perform termination, decryption, or deep-inspection of the application payload for tunnel-type client-access applications.