The following are the configuration steps for the Trusted/Untrusted Zone Use Case.

Open the Config_Trusted_Zones.xml file in Notepad++ or your preferred application.

The ZTAG configuration sections for this use case are:

  • LoadMaster_Connection
  • VirtualService_Configration
  • RealServer_Configuration
  • RealServer_List
  • Zero_Trust_Access_Gateway_Trusted_Zones
  • PermitedGroups_Trusted_Zone
  • PermitedGroups_UnTrusted_Zone
  • Backup_Options
  • Logging_Options

The configuration steps are as follows:

  1. Modify the LoadMaster connection settings for the LoadMaster or ECS Connection Manager:
    • The LoadMaster or ECS Connection Manager IP Address
    • The LoadMaster or ECS Connection Manager TCP Port

  2. Modify the Virtual Service configuration with settings based on workload requirements.
    • A Nickname (friendly name) to identify the workload being published
    • A Virtual IP Address to publish the workload
    • A Scheduling Method that determines how traffic is distributed to the backend systems:
      • rr = round-robin
      • wrr = weighted round robin
      • lc = least connection
      • wlc = weighted least connection
      • fixed = fixed weighting
      • adaptive = resource based (adaptive)
      • sh = source IP hash
      • dl = weighted response time
      • sdn-adaptive = resource based (SDN adaptive)
      • uhash = URL hash
    • Select whether SSL/TLS Acceleration should be enabled on the Virtual Service.
      • Y
      • N

    Optional – If a certificate is present on the LoadMaster/ECS Connection Manager, a prompt will be provided to select which certificate should be used in the configuration. A certificate can be uploaded and applied by entering the following parameters:

    • Path/ location to the certificate file (PFX)
    • A friendly name or identifier for the certificate
    • The passphrase for importing the certificate

  3. Modify the Real Server configuration with settings based on workload requirements.

    Real Server Check Method

    • https
    • http
    • tcp

    Real Server Check Port to use

    Real Server Port, if it differs from the check port

    Non_Local Real Servers, to specify whether the Real Servers are on a directly connected interface or on a remote network:

    • Y
    • N

  4. Modify the Real Server list with the IP Address or FQDN of the backend systems being published. Lines can be removed or added based on the number of Real Servers in the environment.

  5. The Trusted Zone section identifies the known networks in the environment. These are the networks where Multi-Factor Authentication will not be required.
    • Source IP – the network address, expressed as a Regular Expression (RegEx), that clients will be connecting from. Lines can be added or removed depending on the number of known networks in the environment.

  6. The Permitted Groups Trusted Zone section is where the Active Directory groups are defined. Members of these groups should be granted access to the application if they connect to the application from a network listed in the Trusted Zones section above. Lines can be added or removed depending on the number of groups that need access to the application.
    • Group – Active Directory group name

    Note: If using the Trusted/Untrusted Use Case, the Edge Security Pack Single Sign On domain for the trusted zone must be configured before running the ZTAG Policy Builder.

  7. The Permitted Groups Un-Trusted Zone section is where the Active Directory groups are defined. Members of these groups should be granted access to the application if they connect to the application from a network that is NOT listed in the Trusted Zone section above. If the same group should have access regardless of the network it connects from, the group name should be listed in both sections. Lines can be added or removed depending on the number of groups that need access to the application.
    • Group – Active Directory group name

    Note: If using the Trusted/Un-Trusted Use Case, the Edge Security Pack Single Sign On domain for the un-trusted zone must be configured before running the ZTAG Policy Builder.

  8. Optional – During each run of the Zero Trust Policy Builder, the option to take a backup before any changes are applied is presented. These options define the backup file name and the location where the backup should be stored. A date and time stamp will also be included in the backup file name.
    • File Path – Ensure the proper permissions are applied to the folder.
    • Backup file name – Used to identify the backup being taken

  9. Logging is generated for each run of the Zero Trust Policy Builder. These settings define the location of the log files and how much disk space may be used to store them.
    • File Path – Ensure the proper permissions are applied to the folder.
    • Max Log Size – The maximum size of each of the log files.
    • Max Log Rollovers – The maximum number of log file rollovers to allow. The setting of 2 rollover files and 500KB maximum size will allow 1000KB of storage to be used on the system running the Zero Trust Policy Builder.
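Because the Trusted Zone Source IP entries in step 5 decide which clients skip Multi-Factor Authentication, an over-broad RegEx silently widens the trusted zone. The following is an added example, not part of the ZTAG documentation or product code, that checks a candidate pattern against the network the administrator actually intends to trust; it assumes the pattern is a standard regular expression evaluated against the client's dotted-quad address with match-anywhere (search) semantics, which is the worst case and should be confirmed against the product's documentation.

```python
import ipaddress
import re

# Constructed sample: the network an administrator intends to list as a
# Trusted Zone (hypothetical RFC 1918 range) and two candidate Source IP
# patterns for the Zero_Trust_Access_Gateway_Trusted_Zones section.
INTENDED_NETWORK = ipaddress.ip_network("10.20.30.0/24")

LOOSE_PATTERN = r"10.20.30"                 # unanchored, dots unescaped
STRICT_PATTERN = r"^10\.20\.30\.\d{1,3}$"   # anchored, dots escaped

# Constructed client addresses: two inside the /24 and several outside that
# are textually similar, which is exactly where a loose pattern slips.
SAMPLE_CLIENTS = [
    "10.20.30.7",      # inside: should be trusted (no MFA)
    "10.20.30.250",    # inside: should be trusted (no MFA)
    "110.20.30.5",     # outside: extra leading digit
    "210.20.30.99",    # outside: different first octet
    "192.168.1.9",     # outside: unrelated private range
]


def classify(pattern, clients, network=INTENDED_NETWORK):
    """Compare what a Source IP RegEx trusts with what the CIDR intends.

    Returns (over_trusted, under_trusted):
      over_trusted  - clients outside the network the pattern would treat
                      as trusted, i.e. clients that would skip MFA wrongly
      under_trusted - clients inside the network the pattern misses,
                      i.e. trusted clients that would be forced through MFA
    """
    rx = re.compile(pattern)
    over_trusted, under_trusted = [], []
    for ip in clients:
        trusted_by_regex = rx.search(ip) is not None   # search = match anywhere
        inside = ipaddress.ip_address(ip) in network
        if trusted_by_regex and not inside:
            over_trusted.append(ip)
        elif inside and not trusted_by_regex:
            under_trusted.append(ip)
    return over_trusted, under_trusted


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        over, under = classify(pattern, SAMPLE_CLIENTS)
        print(f"{name:6} {pattern!r:28} over-trusted={over} under-trusted={under}")
```

Run the check against every Source IP line before the ZTAG Policy Builder applies the configuration; any address in the over-trusted list is a client that would bypass MFA from an untrusted network.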