Centrify Deployment Guide

App Gateway Deployment Guide

Abstract

Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of your corporate identity and access infrastructure. Our thorough approach to availability, reliability, scalability, security and privacy ensures that you can depend on Centrify as a trusted partner and provider. This document is a step-by-step configuration guide for Centrify App Gateway and is intended for IT professionals with a basic understanding of computing systems.

Contents

Abstract
Introduction
Prerequisites
Configuring App Gateway
Option 1: Use this external URL for application access on or off the corporate network
Option 2: Using Centrify generated external URL and SSL certificate for external access
Testing your setup
High Availability (HA) setup
Separation of traffic
Conclusion
Contact Centrify
Introduction

With the Centrify Identity Service, IT departments can now provide SSO to both SaaS apps and on-premises apps that use a web interface. However, since on-premises apps are usually behind a corporate firewall, they are only available to users who are physically on the corporate network or who have connected to it over VPN. From a user's perspective, using VPN can be painful, time-consuming and in some cases impossible because the user's machine doesn't have the required VPN client. From an IT perspective, VPN is painful because every user device must be provisioned with a VPN client, IT has to maintain certificates and deploy additional hardware in the network, and VPNs can be very complex to configure if access is to be restricted to specific resources. VPN also exposes the internal network to outside threats, since a VPN establishes a device-wide tunnel to the entire network rather than granting access only to the resources that were requested or needed. In some cases the VPN even routes all of the device's traffic through the corporate network.

The Centrify App Gateway solves all of these issues. With this feature (available in Centrify Identity Service, App+ Edition), you can enable secure access to on-premises applications such as SAP NetWeaver or SharePoint without requiring the user to install anything, without establishing a VPN session, without opening extra ports in the organization's firewall, and without adding devices to the DMZ to act as a gateway. The App Gateway is part of a Centrify-supplied software program, the Centrify Cloud Connector, that needs to be installed inside your environment. The Centrify Cloud Connector is a simple Windows service that runs behind the customer's firewall to provide real-time authentication, access to internal applications, policy, and access to user profiles without synchronizing data to the cloud.
With the App Gateway, Centrify has built a dedicated cloud to provide this feature, so that App Gateway traffic does not flow through the same back end as the rest of the service. This ensures that App Gateway traffic does not impact the performance of the core service (and vice versa), and the App Gateway cloud infrastructure is set up to scale automatically based on traffic.

The App Gateway tab is available ONLY on internal application templates. This includes all custom templates (Bookmark, SAML, Username and Password, WS-Fed, etc.) and the following apps:

- Accellion
- Alfresco on-premise
- SAP NetWeaver
- Drupal (SAML)
- FortiMail Admin Login
- Canvas (SAML)
- Moodle (SAML)
- Review Board
- Joomla! (SAML)
- Accellion Private Cloud
- Blackboard Learn (SAML)
- SharePoint Server (WS-Fed)
- FortiMail
- LiquidFiles
- CrashPlan PROe
- phpMyAdmin
- JIRA

Prerequisites

1. Cloud Connector configured for your tenant
2. Access to a DNS server to modify DNS records
3. To use your own external URL (step 15 in this document), an SSL server certificate for the web server that is hosting the application is required

Configuring App Gateway

1. Log on to the Cloud Manager Portal
2. Click on Apps
3. Click on Add Web Apps (or on one of your existing on-premises apps)
4. Select the Custom tab within the Add Web Apps dialog
5. Click on Add next to Bookmark
6. Confirm the Add Web App dialog
7. Close the Add Web Apps widget. The configuration editor for the newly added web app opens automatically
8. Enter the internal URL of your website
9. Click Save
10. Select User Access on the left side
11. Select the Everybody role (you may select a different role if you want to restrict access to the URL to a given set of people)
12. Click Save
13. Select App Gateway on the left side
14. Select the "Make this application available via the internet" check box
Option 1: Use this external URL for application access on or off the corporate network

This option is recommended for production configurations.

15. Select "Use this external URL for application access on or off the corporate network" (note: you will need to upload an SSL certificate and make DNS changes after saving)
16. Click on Upload SSL Server Certificate and upload the SSL certificate of your web server
17. Click on Save
18. Configure the displayed CNAME record in your DNS server
19. Example from GoDaddy.com DNS settings (screenshot in the original guide)
20. Back in the Admin Portal click on Validate
21. If more than one Cloud Connector that can reach the application is configured on the tenant, you can select one or more Cloud Connectors to serve only this application. The selected Cloud Connector will exclusively serve that application as well as authentication requests. If more than one internal application is configured and none of them has been assigned to a specific Cloud Connector, every Cloud Connector that can reach those internal applications will serve all requests (see the diagram in the best practice section for details).
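Steps 15 through 20 depend on two things being right before Validate can succeed: the CNAME for your external hostname must point at the target the portal displays, and the certificate you uploaded must actually cover that hostname and still be valid. The following pre-flight check is an added example written for this guide; it is not Centrify code and does not call the Centrify service. The hostnames, CNAME target and SAN entries are constructed for the example, and the DNS answer is supplied by a lookup function so the check runs offline (on Windows, the real answer comes from `Resolve-DnsName -Name <host> -Type CNAME`, or `nslookup -type=CNAME <host>` elsewhere).

```python
"""Pre-flight check for the App Gateway "Option 1" setup (added example, not
Centrify code). Before clicking Validate, confirm that the external hostname's
CNAME points at the target shown in the portal, that the uploaded server
certificate covers the external hostname, and that it has not expired.

The resolver and the certificate facts are injected so the checks run against
constructed data offline; every hostname and target below is made up.
"""
from datetime import datetime, timezone
from typing import Callable, List, Optional


def hostname_matches(hostname: str, san_entry: str) -> bool:
    """RFC 6125-style match: exact match, or a single-label wildcard in the
    leftmost position only ("*.example.com" covers "app.example.com" but not
    "a.b.example.com" and not the bare "example.com")."""
    hostname = hostname.lower().rstrip(".")
    san_entry = san_entry.lower().rstrip(".")
    if not san_entry.startswith("*."):
        return hostname == san_entry
    suffix = san_entry[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]            # the part the wildcard must cover
    return bool(label) and "." not in label


def preflight(external_host: str, expected_cname: str,
              resolve_cname: Callable[[str], Optional[str]],
              cert_sans: List[str], not_after: datetime,
              now: Optional[datetime] = None) -> List[str]:
    """Return the list of problems found; an empty list means the setup looks right."""
    now = now or datetime.now(timezone.utc)
    problems = []

    # 1. DNS: the CNAME must exist and point at the target shown in the portal.
    actual = resolve_cname(external_host)
    if actual is None:
        problems.append(f"no CNAME record found for {external_host}")
    elif actual.lower().rstrip(".") != expected_cname.lower().rstrip("."):
        problems.append(f"CNAME for {external_host} points to {actual}, "
                        f"expected {expected_cname}")

    # 2. Certificate: the external hostname must appear in the SANs ...
    if not any(hostname_matches(external_host, san) for san in cert_sans):
        problems.append(f"certificate does not cover {external_host} "
                        f"(SANs: {', '.join(cert_sans)})")

    # 3. ... and the certificate must still be valid.
    if not_after <= now:
        problems.append(f"certificate expired on {not_after.isoformat()}")
    return problems


# Constructed DNS answers standing in for a real CNAME lookup.
FAKE_DNS = {
    "sharepoint.example.com": "example-sharepoint.gateway.example.net",
    "jira.example.com": "wrong-target.example.net",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name.lower().rstrip("."))


def run_demo() -> dict:
    """Run the checks over three constructed apps; returns {hostname: problems}."""
    frozen_now = datetime(2020, 6, 1, tzinfo=timezone.utc)   # fixed clock for reproducibility
    valid_until = datetime(2021, 6, 1, tzinfo=timezone.utc)
    already_expired = datetime(2019, 6, 1, tzinfo=timezone.utc)
    return {
        # correct CNAME, wildcard cert covers the host, cert valid -> no problems
        "sharepoint.example.com": preflight(
            "sharepoint.example.com", "example-sharepoint.gateway.example.net",
            fake_resolver, ["*.example.com"], valid_until, frozen_now),
        # CNAME points at the wrong target and the cert names a different host
        "jira.example.com": preflight(
            "jira.example.com", "example-jira.gateway.example.net",
            fake_resolver, ["sharepoint.example.com"], valid_until, frozen_now),
        # no CNAME published yet and the cert has expired
        "intranet.example.com": preflight(
            "intranet.example.com", "example-intranet.gateway.example.net",
            fake_resolver, ["*.example.com"], already_expired, frozen_now),
    }


if __name__ == "__main__":
    for host, problems in run_demo().items():
        print(host, "OK" if not problems else problems)
```

Run it before clicking Validate and fix every reported problem first; a CNAME that is published but not yet propagated shows up as "no CNAME record found", so re-run after your DNS TTL has passed rather than re-uploading the certificate.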
Option 2: Using Centrify generated external URL and SSL certificate for external access

This option is only recommended for testing and should not be used in production.

22. Select "Use this Centrify generated external URL for application access on or off the corporate network". This option lets you quickly test the application / URL without modifying any DNS records or uploading an SSL certificate; the Centrify Cloud Service will proxy everything.
23. Click on Save
Testing your setup

1. Log on to the User Portal using a username that is a member of the group for which you configured the application
2. Click on the configured app tile (Bookmark or Username Password, whichever you configured)
High Availability (HA) setup

To enable High Availability for your App Gateway, simply install the Centrify Cloud Connector on more than one Windows system within your environment. The Centrify Cloud Service automatically load balances user authentication requests, App Gateway connections to on-premises apps, and Centrify Privilege Service traffic between the available Cloud Connectors.

- For Active Directory environments, each system on which the Cloud Connector is installed must be a domain-joined system
- For an LDAP directory, each system on which the Cloud Connector is installed must be able to communicate with the LDAP directory
- A single Cloud Connector can serve as AD proxy, LDAP proxy and App Gateway simultaneously
- A single Cloud Connector can support one Active Directory domain, or multiple forests if a trust relationship between the forests exists
- A single Cloud Connector can support multiple LDAP directories; there is no limit on the number of LDAP directories supported
Separation of traffic

If separation of authentication traffic from on-premises application traffic is required, a Cloud Connector's behavior depends on whether it is installed on a domain-joined system and whether affinity for an application has been configured:

1. A Cloud Connector on a domain-joined system serves all traffic
2. A Cloud Connector on a NON domain-joined system ONLY serves application traffic via App Gateway, and the domain-joined system serves all traffic
3. A Cloud Connector on a domain-joined system with affinity configured for one specific application serves authentication requests and all other internal applications, but other Cloud Connectors will NOT serve the application for which the affinity is configured
4. A Cloud Connector on a NON domain-joined system with affinity configured serves all applications, but other Cloud Connectors will NOT serve the application for which the affinity is configured, and the domain-joined Cloud Connectors serve all traffic
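The four rules above, together with the affinity behaviour described in step 21, amount to a small decision procedure: for each request, which connectors in the tenant are eligible to serve it? The block below models that procedure so you can predict the effect of a connector layout before building it. It is an added example written for this guide, not Centrify code, and it only returns the eligible set; the actual choice among eligible connectors is made by the service's load balancing described under High Availability. Connector and app names are made up, and the `reachable` attribute is an assumption used to express "can reach the application" from step 21.

```python
"""Model of the Cloud Connector traffic-separation rules (added example, not
Centrify code). Given the connectors in a tenant, it answers which of them are
eligible to serve an authentication request or a request for a named
on-premises app, following the four numbered rules under "Separation of
traffic" and the affinity behaviour in step 21. Names are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Connector:
    name: str
    domain_joined: bool                          # installed on a domain-joined Windows system?
    affinity: FrozenSet[str] = frozenset()       # apps this connector was selected for (step 21)
    reachable: Optional[FrozenSet[str]] = None   # assumed: apps it can reach; None = all of them

    def can_reach(self, app: str) -> bool:
        return self.reachable is None or app in self.reachable


def eligible_connectors(connectors: Sequence[Connector],
                        request: Tuple[str, Optional[str]]) -> List[str]:
    """request is ("auth", None) or ("app", app_name); returns sorted connector names."""
    kind, app = request
    if kind == "auth":
        # Rules 1 and 2: only connectors on domain-joined systems answer
        # authentication requests; a non-domain-joined connector never does.
        return sorted(c.name for c in connectors if c.domain_joined)
    if kind != "app" or app is None:
        raise ValueError(f"unknown request {request!r}")

    pinned = [c for c in connectors if app in c.affinity]
    if pinned:
        # Rules 3 and 4 / step 21: an app with affinity is served ONLY by the
        # connectors selected for it, domain-joined or not; all others stay out.
        return sorted(c.name for c in pinned if c.can_reach(app))

    # No affinity for this app: every connector that can reach it serves it,
    # including connectors that hold affinity for some *other* app (rules 3 and 4
    # say those still serve "all other internal applications").
    return sorted(c.name for c in connectors if c.can_reach(app))


# Constructed tenant: two domain-joined connectors (one pinned to JIRA) and a
# non-domain-joined connector pinned to SharePoint.
TENANT = [
    Connector("CC-DJ1", domain_joined=True),
    Connector("CC-DJ2", domain_joined=True, affinity=frozenset({"jira"})),
    Connector("CC-DMZ", domain_joined=False, affinity=frozenset({"sharepoint"})),
]


def demo() -> dict:
    """Evaluate the model for the constructed tenant; returns {request: eligible names}."""
    return {
        "auth": eligible_connectors(TENANT, ("auth", None)),              # domain-joined only
        "jira": eligible_connectors(TENANT, ("app", "jira")),             # pinned to CC-DJ2
        "sharepoint": eligible_connectors(TENANT, ("app", "sharepoint")), # pinned to CC-DMZ
        "wiki": eligible_connectors(TENANT, ("app", "wiki")),             # no affinity: everyone
    }


if __name__ == "__main__":
    for request, names in demo().items():
        print(f"{request:>10}: {', '.join(names)}")
```

The model makes the security consequence of rule 2 visible: a connector you place on a non-domain-joined host in a DMZ never becomes eligible for authentication, so even if it is compromised it cannot answer AD or LDAP authentication on the tenant's behalf, while an app pinned to it through affinity is reachable only through that connector.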
Conclusion

On-Premises App Gateway provides the visibility and reporting IT needs to ensure the right users have the right access. See which devices are accessing your apps. Track failed logins. Monitor app usage by region, group, time of day, and much more. Traditional VPNs provide full network access, which opens up a big security risk: they bore a hole through your firewall and allow access to your entire network. With On-Premises App Gateway, only specific apps are made available, limiting the access of each endpoint and allowing IT fine-grained control over who has access to what.

Contact Centrify

Centrify strengthens enterprise security by managing and securing user identities from cyber threats. As organizations expand IT resources and teams beyond their premises, identity is becoming the new security perimeter. With our platform of integrated software and cloud-based services, Centrify uniquely secures and unifies identity for both privileged and end users across today's hybrid IT world of cloud, mobile and data center. The result is stronger security and compliance, improved business agility and enhanced user productivity through single sign-on. Over 5000 customers, including half of the Fortune 50 and over 80 federal agencies, leverage Centrify to secure their identity management. Learn more at www.centrify.com.

Santa Clara, California: +1 (669) 444-5200
EMEA: +44 (0) 1344 317950
Asia Pacific: +61 1300 795 789
Brazil: +55 11 3958 4876
Latin America: +1 305 900 5354
Email: sales@centrify.com
Web: www.centrify.com