Xaccess FAQs

Some of the Frequently Asked Questions (FAQs) for the components and features of the Xaccess solution are listed here.


Supported platforms


Q) What OSes are supported as Xaccess endpoints (user assets)?

Xaccess is supported on user assets with Xshield-supported macOS and Windows OSes.

Q) Are apps for Xaccess available on Microsoft Store or Mac App Store?

No. Currently, Xaccess features are available only through the Xshield agents, which are downloaded from the Xshield UI. Apps in Microsoft Store or Mac App Store will be made available in the near future.

Q) Is Xaccess supported on mobile devices?

No. Currently, Xaccess only works on computing devices such as laptops and desktops.


Xaccess architecture


Q) Briefly, how does Xaccess work?

Xaccess is designed to provide secure remote access to the resources in the private corporate network. The resulting Xaccess private network for an Xshield instance is a multi-region, AWS VPC peered cluster of CT Brokers that extend connectivity to the private on-premises or cloud applications via the CT Connectors deployed on-premises or in the AWS or Azure cloud. 

Q) Is Xaccess built to work only with Xshield-protected workloads?

No. You can use Xaccess to enable secure remote access to application workloads that are not protected using Xshield agents. For such usage, Xaccess policies are enforced at the level of the private networks or domains of the workloads.


CT Connectors

Q) What is the failover time for CT Connectors?

10 seconds.

Q) What are the management operations available for CT Connectors from Xshield?

CT Connectors can be disabled, decommissioned, and queried for logs using the Logcollect utility from the Xshield UI. Upgrading CT Connectors from the UI isn’t supported yet.


Xaccess features


Q) Briefly, what are the steps to onboard users for Xaccess?

Onboarding the first set of users from an Identity Provider (IdP) is part of the Xaccess Onboarding Wizard, the workflow to enable the Xaccess solution for the Xshield instance. To prepare onboarded users for Xaccess policies, you must install the Xshield agents (Type = User Access) on the users’ assets and register these assets with the instance.

Q) Can I onboard user assets selectively?

Yes. To onboard user assets selectively, you must set the Onboarding mode for the instance to one of Review and onboard assets or Pre-approved assets. These modes control how endpoints are registered with the instance and provide the options to approve selected assets.

  • In the Review and onboard mode, you must select assets for registration manually on the Assets > Pending for Approval page. 

  • In the Pre-approve assets mode, you must feed a CSV reference list of assets that must be registered with the instance.

Remember that the Onboarding mode is set at the level of the instance. So, workload assets must also be onboarded with the selected Onboarding mode.

Q) Can I integrate multiple IdPs with an instance?

Yes. The Xaccess user directory can consist of users from multiple IdPs. The IdPs must be of the same type (multiple SAML-based ones or multiple ADs).

Q) Does Xaccess support idle session logouts?

Yes. Idle session logouts can be set from one hour up to 2 days. The default is One day. This is an instance-level setting and applies to all the user assets managed from an instance.

Q) What are the device posture check mechanisms available with Xaccess? 

Device posture data from the user assets are sent to the instance along with the telemetry data from the assets. If the asset's security posture is found vulnerable, the Xaccess Quarantine template assigned to the relevant Endpoint group takes effect. The asset's connectivity is limited to the emergency-access networks and domains listed in the Quarantine template. 

Q) How can I monitor Xaccess users from the Xshield UI?

Xaccess comes with an autonomous Dashboard for Xaccess entities, the Xaccess Dashboard. You can monitor the users and user assets from the Dashboard. You can also use the Visualization and Monitoring features such as Visual Explorer, Flow Explorer, Alerts, and HUD Dashboard.


Xaccess endpoint app


Q) What is the typical login behavior for users at their first login?

  • Xaccess users managed from an instance that uses a single IdP or LDAP are logged in at the first authenticated attempt.

  • Xaccess users managed from an instance that uses ‘n’ IdPs or LDAPs may be prompted for a maximum of ‘n’ authentication attempts. After a successful first login, users are logged in at the first authenticated attempt.


Troubleshoot common issues


Q) Xaccess Quarantine templates have stopped working for my instance!

Xaccess Quarantine templates do not apply when the access settings for the instance are set to Allow all access or Enable default remote access to all internal resources. To reenable the Quarantine templates, disable these access settings.

Q) Some users are unable to access the usual applications they used to access!

One of the causes of persistent loss of access to usual applications is the vulnerable security posture of the assets. Assets are deemed vulnerable if some security features on the assets are turned OFF or unsatisfactory. Xaccess Quarantine templates are applied to such assets, and their access is restricted to the bare minimum defined in the template.

See the ENDPOINTS QUARANTINED widget on the Xaccess Dashboard and drill down to see the vulnerable assets. Quarantined assets must be recovered using the OS-native procedures before they can regain their usual access.
