Xaccess Onboarding

Use the Xaccess Onboarding Wizard to complete the initial configuration an Xshield instance needs before you can apply Xaccess policies to endpoint assets (user assets). The wizard lets you deploy and register the first CT Connector with the Xshield instance and integrate an Identity Provider (IdP) with the instance.

Staggered onboarding is supported; you can complete the wizard in more than one attempt.

Prerequisites

  • At least one CT Connector deployed in a private data center (on VMware), on AWS, or on Azure.

  • The exact instance ID of the VM on which the CT Connector is deployed: the UUID on VMware, the Instance ID on AWS, or the vmID on Azure.

  • The details needed to integrate the IdP. This can vary by the IdP solution or the type of IdP you want to integrate.

  • We recommend that you read the deployment recommendations for CT Connectors before you start deploying and registering the Connectors.


Register the first CT Connector

Remember that CT Connectors are mapped to Xshield app instances, and the agents on the CT Connectors are installed using the product keys for the instances. So, if you are managing multiple app instances, ensure that you're adding the Connector to the correct app instance.

  1. Go to the Xaccess menu (in the left navigation panel).

    You will see the Deploy Connector page.

  2. In the Instance ID text box, enter the instance ID of the VM on which the Connector is deployed (UUID on VMware, Instance ID on AWS, or vmID on Azure).

  3. Click Done.

You may need to wait a few seconds while Xshield verifies the Connector against the app instance. Upon successful verification, the CT Connector is registered with the instance.
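Because registration fails on an inexact instance ID, it is safer to read the identifier from the VM itself than to transcribe it from a console. The script below is an added example and not part of the Xshield product or its documentation: it pulls the ID from the platform's own metadata source (AWS IMDSv2, Azure IMDS, or the SMBIOS system UUID on VMware) and checks that the value has the expected shape before you paste it into the Deploy Connector page. The platform detection via the DMI vendor string, the Linux guest, and the availability of curl are assumptions; Xshield itself exposes no such tool.

```shell
#!/bin/sh
# Added example (not Xshield/ColorTokens tooling): obtain the VM instance
# identifier that the Deploy Connector page asks for, from the platform the
# CT Connector actually runs on, and sanity-check its shape first.
# Assumptions: Linux guest, curl present, cloud metadata endpoints reachable.
IMDS="http://169.254.169.254"

# Classify a candidate ID by shape; echoes one of: aws, uuid, invalid.
# AWS instance IDs are "i-" plus 8 (legacy) or 17 lowercase hex characters;
# Azure vmId and VMware BIOS UUIDs are 8-4-4-4-12 hex UUIDs.
classify_instance_id() {
    id=$1
    if printf '%s' "$id" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'; then
        echo aws
    elif printf '%s' "$id" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo uuid
    else
        echo invalid
    fi
    return 0
}

# Strip CR/LF and surrounding whitespace so a copy-pasted value is exact.
trim_id() {
    printf '%s' "$1" | tr -d '\r\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

aws_instance_id() {
    # IMDSv2: obtain a session token first. Instances that enforce IMDSv2
    # answer the token-less (v1) request with HTTP 401.
    token=$(curl -sf -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -sf -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/latest/meta-data/instance-id"
}

azure_vm_id() {
    # Azure IMDS requires the Metadata header and must not go through a proxy.
    curl -sf -H "Metadata: true" --noproxy '*' \
        "$IMDS/metadata/instance/compute/vmId?api-version=2021-02-01&format=text"
}

vmware_bios_uuid() {
    # SMBIOS system UUID: readable from sysfs on most distributions,
    # otherwise fall back to dmidecode (which needs root).
    if [ -r /sys/class/dmi/id/product_uuid ]; then
        cat /sys/class/dmi/id/product_uuid
    else
        dmidecode -s system-uuid
    fi
}

# Choose the platform from the DMI vendor string, print the ID, and exit
# non-zero if the value does not look like an instance ID at all.
print_instance_id() {
    vendor=$(cat /sys/class/dmi/id/sys_vendor 2>/dev/null)
    case "$vendor" in
        *Amazon*|*Xen*)  id=$(aws_instance_id) ;;   # older EC2 types report Xen
        *Microsoft*)     id=$(azure_vm_id) ;;
        *VMware*)        id=$(vmware_bios_uuid) ;;
        *) echo "unrecognised platform vendor: '$vendor'" >&2; return 1 ;;
    esac
    id=$(trim_id "$id")
    kind=$(classify_instance_id "$id")
    if [ "$kind" = invalid ]; then
        echo "value '$id' does not look like an instance ID" >&2
        return 1
    fi
    echo "$id"
}

# Query metadata only when invoked with RUN=1, so the functions can be
# sourced and exercised without network access.
if [ "${RUN:-0}" = 1 ]; then
    print_instance_id
fi
```

Run it on the Connector VM as `RUN=1 sh get-instance-id.sh` and paste the printed value into the wizard. The shape check only catches transcription errors such as stray whitespace or a truncated ID; it cannot tell you whether the ID belongs to the VM you registered with this app instance. On VMware in particular, the page does not say which presentation of the UUID Xshield expects, so compare the guest-reported value with the one shown for the VM in the vSphere client before treating a failed registration as a product problem.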


Add/edit DNS servers

DNS servers are needed to resolve the Fully Qualified Domain Names (FQDNs) of the instance. User assets may also use these servers to perform perimeter checks to determine whether they are Local or Remote to the data center network where the apps and services are deployed.

The DNS servers configured on the VMware, AWS, or Azure VM instance are auto-populated on the Configure DNS page. You can edit the existing DNS servers or add new ones on this page.

  • Click Add DNS to add more DNS servers. 

The changes you make on this page are also updated in the relevant VM instance.


Integrate IdP or AD and fetch user identities

Onboard users by fetching their user identities in one of the following ways:

  • Fetch from Security Assertion Markup Language (SAML)-based IdPs such as Azure AD and JumpCloud. Create a trust relationship between the IdP tenant and the Xshield instance, choose the user attributes that must be fetched from the IdP, and fetch the user identities.

    We strongly recommend SCIM-based provisioning so that user identities in the instance stay in sync with the IdP as you roll out Xaccess.

  • Fetch selected users from an Active Directory (AD) using a Base DN.

  • Add user attributes for Local users from the Xshield UI. Local users exist only for testing access by users who are not remote; they are not recommended for production deployments.

Do the following on the Onboard Users page.

  1. Select either the Azure AD SSO tile or the Others tile.

    The Others tile lets you select another SAML IdP, an AD, or the option to add Local users.

  2. Perform the steps listed here to integrate a SAML-based IdP or an AD.

    The type of IdP you select here (SAML-based or AD) determines the authentication options and settings available to Xaccess users. For stronger security, we recommend that you always integrate a SAML-based IdP.

  3. Click Done.


Successful onboarding

Onboarding can be completed only after the first CT Connector is registered and the IdP is integrated with the instance. Upon successful onboarding, you will see a Successfully configured message, the statistics of user identities fetched from the IdP, and the options to proceed with enabling Xaccess policies for the instance.


Failed onboarding

The most common causes of failed onboarding are an incorrect instance ID and an unsuccessful integration with the IdP.


Default Xaccess settings

On an instance that has completed the Xaccess Onboarding Wizard, the Xaccess > Settings pages start with the defaults listed below. Review them and change them to suit your requirements before enabling Xaccess policies.

Settings and their defaults:

VPN Configuration
  IP Pool: None. You must set an IP address pool for IPsec tunnels.
  Domains: None
  Assigned static IPs to end users: Unchecked
  Always tunnel traffic to listed domains via Xaccess only: Unchecked

DNS Configuration
  DNS servers: The DNS servers added during the CT Connector deployment.

Advanced Configuration Settings
  Allow all access: Unchecked
  Enable default remote access to internal resources: Unchecked
  Hide real IP addresses of servers from remote users by default: Unchecked
  SCIM-based provisioning: Disabled
  Idle session logout: One day (24 hours)
  User attributes refresh time: Four hours

Onboard Users
  IdPs: The IdP integrated with the Xaccess Onboarding Wizard.

