Configure Xaccess settings
Configure more settings for your Xaccess private network after completing the Xaccess Onboarding wizard to set up Xaccess in your instance. The Xaccess Onboarding wizard only adds the first CT Connector, the first Identity Provider (IdP) integration, and the DNS servers for the private network.
All Xaccess settings listed in the Xaccess > Settings menu are instance-level settings and apply to all the CT Connectors, user assets, and IdPs in the Xaccess private network.
- Some of the settings, such as the IPsec VPN settings for the endpoints, are mandatory and must be configured before Xaccess policies can be enabled for the instance.
- Some of the settings, such as the level of access in the private network (bypassing Xaccess policies, default remote access for all users) and additional IdP integrations, are optional.
VPN configuration
Configure IPsec VPN settings for the IPsec tunnels established from the endpoints (user assets). Some of these are mandatory settings.
IP pool for IPsec tunnels
Use this setting to specify a range of IP addresses that is not otherwise used in your internal network; addresses from this pool are assigned to the IPsec tunnels that user assets use for remote access. For example, specifying 192.168.0.0/24 allows up to 256 hosts to use Xaccess policies for the instance.
- Go to Settings > VPN Configuration and add a CIDR range in the IP pool text box.
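Because the pool must not collide with ranges already in use in the private network, it is worth checking a candidate CIDR before entering it. The following Python is an added example, not part of the Xaccess product or this guide; the list of ranges already in use is constructed for illustration, and the rules it enforces (well-formed network address, IPv4, RFC 1918 private space, no overlap) are this example's own assumptions about what a sensible pool looks like.

```python
import ipaddress

# Constructed sample: ranges already in use in the private network.
# In practice, take these from your own IP address management records.
IN_USE = ["10.0.0.0/8", "192.168.10.0/24"]


def check_ip_pool(cidr, in_use=IN_USE):
    """Validate a candidate IPsec IP pool.

    Returns a tuple (ok, reason, capacity) where capacity is the number
    of addresses the pool provides (the page's example /24 gives 256).
    """
    try:
        # strict=True rejects inputs whose host bits are set, e.g. 192.168.0.1/24,
        # which would otherwise be silently accepted as 192.168.0.0/24.
        pool = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, f"invalid CIDR: {exc}", 0

    if pool.version != 4:
        return False, "only IPv4 pools are handled in this example", 0

    # Assumption of this example: the tunnel pool should come from private space,
    # so that it can never be confused with a routable Internet destination.
    if not pool.is_private:
        return False, "pool is not in private address space", 0

    for used in in_use:
        if pool.overlaps(ipaddress.ip_network(used)):
            return False, f"overlaps with in-use range {used}", 0

    return True, "ok", pool.num_addresses


if __name__ == "__main__":
    for candidate in ["192.168.0.0/24", "192.168.10.0/25", "192.168.0.1/24", "8.8.8.0/24"]:
        print(candidate, check_ip_pool(candidate))
```

The overlap test is the part most often skipped in practice: a pool that overlaps an existing subnet works for the first few tunnels and then produces hard-to-diagnose routing conflicts once the colliding addresses are handed out.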
Domains accessible through Xaccess
Add a list of domains that remote users can access. Wildcard domain inputs are supported.
- Add one or more domains in the Domains text box.
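To see which requests a given domain list covers, the following Python implements a wildcard domain matcher. It is an added example and not the matching logic Xaccess itself uses; it assumes the common convention that `*.example.com` matches any subdomain of `example.com` (at any depth) but not the apex `example.com` itself, and that comparisons are case-insensitive and ignore a trailing dot. The domain list and hostnames are constructed for illustration.

```python
def normalize(name):
    """Lower-case a domain name and drop a trailing dot (FQDN form)."""
    return name.strip().lower().rstrip(".")


def domain_matches(pattern, fqdn):
    """Return True if fqdn is covered by a single (possibly wildcard) pattern."""
    pattern = normalize(pattern)
    fqdn = normalize(fqdn)
    if pattern.startswith("*."):
        suffix = pattern[1:]          # "*.corp.example" -> ".corp.example"
        # The leading dot in suffix is what stops "evilcorp.example" from
        # matching "*.corp.example"; the apex itself is not matched.
        return fqdn.endswith(suffix)
    return fqdn == pattern


def is_accessible(fqdn, domains):
    """True if any entry in the configured domain list matches fqdn."""
    return any(domain_matches(p, fqdn) for p in domains)


# Constructed sample domain list, not from any real deployment.
DOMAINS = ["*.corp.example", "intranet.local"]

if __name__ == "__main__":
    for host in ["app.corp.example", "a.b.corp.example", "corp.example",
                 "evilcorp.example", "INTRANET.LOCAL.", "intranet.local.evil"]:
        print(host, is_accessible(host, DOMAINS))
```

When the domain list is later combined with the "Tunnel traffic to listed domains only via Xaccess" setting, every name this function accepts is forced through Xaccess policies, so the list should be reviewed for overly broad wildcards before that setting is enabled.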
Enable static IP addresses for IPsec tunnels
For easier management and faster troubleshooting of access-related issues, make the IP addresses currently assigned to active IPsec tunnels static for up to one year. This setting also applies to the unused IP addresses in the pool: once an address is assigned to an IPsec tunnel, it stays with that tunnel for a year as long as the tunnel remains active.
- To make IP addresses static, select Assigned static IPs to end users.
Tunnel traffic to listed domains only via Xaccess
This setting forces traffic to the accessible domains to go through Xaccess policies only. Xaccess policies are therefore applied even when the user assets are Local to the private network.
- To enable this setting, select Always tunnel traffic to the listed domains via Xaccess only.
DNS configuration
DNS servers are needed to resolve the FQDN of the instance and to perform perimeter checks that determine whether a user asset is Remote or Local to the Xaccess private network. Add more DNS servers if needed, or edit the existing ones.
- To add or edit DNS servers, go to Xaccess > Settings > DNS Configuration.
Advanced configuration settings
Configure additional Xaccess capabilities for the instance's private network.
- To configure advanced Xaccess settings, go to Xaccess > Settings > Advanced Configuration Settings.
Allow all access
Enabling this setting temporarily disables the Xaccess policies for all the user assets in the instance. While this option is enabled, the user assets are not protected by Xshield. All relevant Xaccess policies still reside on the CT Brokers. Disabling this setting reverts the level of access to its original state (with enforced Xaccess policies).
We recommend that you assess the impact of disabling policies for user assets before enabling this option in a production Xaccess private network.
- To temporarily disable Xaccess policies, select Allow all access.
Enable default remote access to internal resources
Enabling this setting temporarily allows all users access to all applications discovered in the Xaccess private network. Disabling this setting reverts the level of access to its original state (with enforced Xaccess policies).
- To temporarily enable this setting, select Enable default remote access to internal resources.
Hide real IP Addresses of servers from remote users by default
Enabling this setting hides the actual IP addresses of the Xshield-protected workloads in the routing tables and instead presents them as addresses in the 172.X.X.X private range. Users must access such workloads by the workloads' domain names.
- To enable this setting, select Hide real IP Addresses of servers from remote users by default.
SCIM-based provisioning
Enable SCIM-based provisioning to automatically maintain user identities from the SAML IdPs integrated with the instance. This also requires that you add the instance's API endpoint parameters to the SAML IdPs.
- Turn on the toggle switch (it turns green).
- Copy the Base URL and Bearer Token values and add them to the IdPs' native SCIM configuration to fully enable SCIM-based provisioning.
Session Idle Time
This setting defines how long a user asset can remain idle before it is logged out of the Xaccess private network. The minimum Session Idle Timeout is one hour and the maximum is 2 days. The default interval is one day.
User Attributes Refresh Interval
This setting defines the interval at which new and updated user attributes are fetched from all the IdPs integrated with the instance. The minimum User Attribute Refresh Interval is fifteen minutes and the maximum is 2 days. The default interval is four hours. Xshield queries the IdPs for new and updated users periodically at this interval.
Onboard users
After you integrate the first IdP with the instance using the Xaccess Onboarding wizard, you can integrate more IdPs if needed. Upon successful integration with an IdP, the user attributes are fetched, and you can later enable Xaccess policies for the users from that IdP.
- Click Add IdP and integrate Azure AD, other SAML-based IdPs, or ADs.
You can also edit the settings of existing IdPs if they need to be changed.
- Click an existing IdP, click Edit in the fly panel, and edit the details.