The Zero Trust Policy Builder currently supports four use cases. Each is defined within a sample configuration XML file. These configuration files describe the state of the environment that is being secured.

Note: It is recommended that Notepad++ or some other XML-aware application is used when working with the ZTAG configuration files.

Open the desired sample configuration file. The XML files contain similar sections for the Virtual Service configuration that will be used to publish and secure the application/workload. Policy-specific sections will be unique based on the use case.

  1. Modify the LoadMaster connection settings for the LoadMaster or ECS Connection Manager:
    • The LoadMaster or ECS Connection Manager IP Address
    • The LoadMaster or ECS Connection Manager TCP Port

  2. Modify the Virtual Service configuration with settings based on workload requirements.
    • A Nickname (friendly name) to identify the workload being published
    • A Virtual IP Address to publish the workload
    • A Scheduling Method that determines how traffic is distributed to the backend systems.
      • rr = round-robin
      • wrr = weighted round robin
      • lc = least connection
      • wlc = weighted least connection
      • fixed = fixed weighting
      • adaptive = resource based (adaptive)
      • sh = source IP hash
      • dl = weighted response time
      • sdn-adaptive = resource based (SDN adaptive)
      • uhash = URL hash
    • Select whether SSL/TLS Acceleration should be enabled on the Virtual Service.
      • Y
      • N

    Optional – If a certificate is present on the LoadMaster/ECS Connection Manager, a prompt will be provided to select which certificate should be used in the configuration. A certificate can be uploaded and applied by entering the following parameters:

    • Path/location of the certificate file (PFX)
    • A friendly name or identifier for the certificate
    • The passphrase for importing the certificate

  3. Modify the Real Server configuration with settings based on workload requirements.
    • Real Server Check Method
      • https
      • http
      • tcp
    • Real Server Check Port to use
    • Real Server Port, should it differ from the check port
    • Non_Local Real Servers, to specify whether the Real Servers are on a directly connected interface or on a remote network
      • Y
      • N

  4. Modify the Real Server list with the IP Address or FQDN of the backend systems being published. Lines can be removed or added based on the number of Real Servers in the environment.

  5. SourceIP/Method/Path Only - The SourceIP/Method/Path use case identifies where traffic originates based on its source IP Address. This section defines the networks in an environment and a description for each.
    • Source IP Address using Regular Expression (RegEx) to identify the networks in the environment.
    • Description (friendly name) of the networks in the environment.

  6. SourceIP/Method/Path Only - The policy section is where the security settings are configured. Lines can be added or removed depending on the number of rules that should be applied in the policy.
    • Source IP Address to apply the security policy to.
    • The method that should be permitted for the defined path/bucket.
      • GET
      • PUT
      • DELETE
      • POST
    • The path or bucket to apply the security policy to.
    Note: Any Source IP Addresses that are applied here must be identified in the Identify_Network section for the SourceIP use case above.

  7. AuthHeader/Method/SourceIP Only - The AuthHeader/Method/SourceIP use case identifies who is accessing the workload by the user account that appears in the Authentication Header. This section defines the user accounts or Object IDs in an environment and a description for each.
    • Username to identify the account or object ID in the environment.
    • Description (friendly name) of the user account in the environment.

  8. AuthHeader/Method/SourceIP Only - The policy section is where the security settings are configured. Lines can be added or removed depending on the number of rules that should be applied in the policy.
    • Username to apply the security policy to.
    • The method that should be permitted for the defined path/bucket.
      • GET
      • PUT
      • DELETE
      • POST
    • The source IP Address from which the traffic originates, expressed as a Regular Expression (RegEx).
    Note: Any Usernames that are applied here must be identified in the Identify_Users section for the SteeringGroup use case above.

  9. SteeringGroup/SourceIP/Path Only - The SteeringGroup/SourceIP/Path use case identifies who is accessing the workload by the Active Directory Group they are a member of. This section defines the Active Directory Groups in an environment and a description for each.
    • Active Directory Group Names used to secure the environment.
    • Description (friendly name) of the AD Groups in the environment.
    Note: If using the Steering Group Use Case, the Edge Security Pack Single Sign On domain must be configured before running the ZTAG Policy Builder.

  10. SteeringGroup/SourceIP/Path Only - The policy section is where the security settings are configured. Lines can be added or removed depending on the number of rules that should be applied in the policy.
    • Username to apply the security policy to.
    • The source IP Address from which the traffic originates, expressed as a Regular Expression (RegEx).
    • The path of the application that the AD group should have access to.
    Note: Any Groups that are applied here must be identified in the Identify_Groups section for the SteeringGroup use case above.

  11. Trusted/Un-Trusted Only - The Trusted Zone section identifies the known networks in the environment. These are the networks where Multi-Factor Authentication will not be required.
    • The Source IP is the network address, expressed as a Regular Expression (RegEx), that clients will be connecting from. Lines can be added or removed depending on the number of known networks in the environment.

  12. Trusted/Un-Trusted Only - The Permitted Groups Trusted Zone section is where the Active Directory groups are defined. Members of these groups should be granted access to the application if they connect to the application from a network listed in the Trusted Zone section above. Lines can be added or removed depending on the number of groups that need access to the application.
    • Group – Active Directory group name
    Note: If using the Trusted/Un-Trusted Use Case, the Edge Security Pack Single Sign On domain for the trusted zone must be configured before running the ZTAG Policy Builder.

  13. Trusted/Un-Trusted Only - The Permitted Groups Un-Trusted Zone section is where the Active Directory groups are defined. Members of these groups should be granted access to the application if they connect to the application from a network that is NOT listed in the Trusted Zone section above. If the same group should have access regardless of the network it connects from, the group name should be listed in both sections. Lines can be added or removed depending on the number of groups that need access to the application.
    • Group – Active Directory group name
    Note: If using the Trusted/Un-Trusted Use Case, the Edge Security Pack Single Sign On domain for the un-trusted zone must be configured before running the ZTAG Policy Builder.

  14. Optional - During each run of the Zero Trust Policy Builder, the option to take a backup before any changes are applied is presented. These options define the backup file name and where the backup should be stored. A date and time stamp will also be included in the backup file name.
    • File Path – Ensure the proper permissions are applied to the folder.
    • Backup file name – Used to identify the backup being taken.

  15. Logging is generated for each run of the Zero Trust Policy Builder. These settings specify the location of the log files and how much disk space may be used to store them.
    • File Path – Ensure the proper permissions are applied to the folder.
    • Max Log Size – The maximum size of each of the log files.
    • Max Log Rollovers – The maximum number of log file rollovers to allow. The setting of 2 rollover files and 500KB maximum size will allow 1000KB of storage to be used on the system running the Zero Trust Policy Builder.
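
Before the Policy Builder is run, a pre-flight check that the configuration file is self-consistent is worthwhile: the notes in steps 6, 8 and 10 each require that policy entries refer only to networks, users or groups declared in the corresponding Identify_ section, and steps 2 and 3 fix the permitted scheduling and check method values. The following Python script, an added example that is not part of the Zero Trust Policy Builder, performs those checks for the SourceIP/Method/Path use case; because the page does not show the XML schema, every element and attribute name other than Identify_Network is a constructed assumption.

```python
"""Pre-flight consistency check for a ZTAG Policy Builder configuration.
Added example, not the product's own code: only Identify_Network is named on
the page; ZTAG, VirtualService, RealServer, Network, Policy and Rule are assumed."""
import re
import xml.etree.ElementTree as ET

SCHED = {"rr", "wrr", "lc", "wlc", "fixed", "adaptive", "sh", "dl", "sdn-adaptive", "uhash"}
CHECK = {"https", "http", "tcp"}
HTTP_METHODS = {"GET", "PUT", "DELETE", "POST"}
# Constructed sample for the SourceIP/Method/Path use case. Rule 2 references
# a network missing from Identify_Network and rule 3 uses an unlisted method.
SAMPLE_XML = r"""<ZTAG>
  <VirtualService Nickname="object-store" VIP="10.0.0.10" Scheduling="lc" SSLAccel="Y"/>
  <RealServer CheckMethod="https" CheckPort="443" NonLocal="N"/>
  <Identify_Network>
    <Network SourceIP="^10\.1\.0\.\d{1,3}$" Description="Corp LAN"/>
  </Identify_Network>
  <Policy>
    <Rule SourceIP="^10\.1\.0\.\d{1,3}$" Method="GET" Path="/reports"/>
    <Rule SourceIP="^192\.168\.5\.\d{1,3}$" Method="PUT" Path="/uploads"/>
    <Rule SourceIP="^10\.1\.0\.\d{1,3}$" Method="TRACE" Path="/reports"/>
  </Policy>
</ZTAG>"""


def validate(xml_text):
    """Return a list of findings; an empty list means the file is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    vs, rs = root.find("VirtualService"), root.find("RealServer")
    if vs.get("Scheduling") not in SCHED:
        findings.append(f"unknown scheduling method {vs.get('Scheduling')!r}")
    if vs.get("SSLAccel") not in {"Y", "N"} or rs.get("NonLocal") not in {"Y", "N"}:
        findings.append("SSLAccel and NonLocal must be Y or N")
    if rs.get("CheckMethod") not in CHECK:
        findings.append(f"unknown Real Server check method {rs.get('CheckMethod')!r}")
    known = set()  # patterns declared in Identify_Network (step 5)
    for net in root.iter("Network"):
        pattern = net.get("SourceIP")
        try:
            re.compile(pattern)  # a RegEx that does not compile can never match a client
        except re.error as exc:
            findings.append(f"Identify_Network regex {pattern!r} is invalid: {exc}")
        known.add(pattern)
    for rule in root.iter("Rule"):  # policy rules (step 6) must reference declared networks
        if rule.get("SourceIP") not in known:
            findings.append(f"rule for {rule.get('Path')} uses undeclared SourceIP {rule.get('SourceIP')!r}")
        if rule.get("Method") not in HTTP_METHODS:
            findings.append(f"rule for {rule.get('Path')} uses unsupported method {rule.get('Method')!r}")
    return findings
```

The same cross-reference loop applies unchanged to the AuthHeader and SteeringGroup use cases by swapping the Network/Rule pairing for the Identify_Users or Identify_Groups entries and the Username or Group attribute of each rule.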