Hosted Applications

Print Friendly, PDF & Email

This page shows all the applications within the organization whose access has been restricted for users. You can configure and add new applications as well.

Application Catalog List

When the administrator adds organizational site, a corresponding application ‘ZTNA Apps Portal’ is created using site details. Administrator can use this default application in the Firewall and DDoS policy. The administrator cannot delete or edit this application.

Further, the following details for all the applications is displayed.

Column Name Description
Name Name of the application.
Description Description of the application.
Type Type of application.
Status Status of the application. (If the tenant has an automatically generated certificate, this column will be available.)
IP Address / Domain Name The web address/ domain name.
Port Value Port Value.
State State of the application.
External Domain Name External Domain Name of the application server.
Relative URL Path Relative URL Path.
Status Status of the application (Active/Inactive).
Protocol Protocol of the application.
WAF Rules Applied List of all the applicable WAF Rules.
Host Header It is an HTTP header that specifies the domain name or IP address of the target server in a client’s request.
Origin Header It is an HTTP header that indicates the source or origin of a request.
Tags The static and dynamic tags based on which access to the application is granted. The option to update static tags is also available within the details panel on the right.
Search To search applications by their name.
Add Filter To add a filter. To know more, refer the Adding a filter to refine the view section on Visibility page.
Export To export the information displayed on this page in CSV file format.
Add Application To add an application.

Note
If a site is deleted, all the related applications on Application Catalog page become inactive. To make these applications active again, edit the applications and update the domain name. This is applicable only for auto-generated certificates.

Actions available with applications

When you hover over each application, the following options appear in the column next to Tags.

Action Icon Action Label Description
Edit Edit To edit the application details.
Delete Delete To delete the application profile.
right arrow Side bar To view the details of the application.
  • The applications can be sorted alphabetically by clicking the sorting symbol next to Application Name column.
  • Bulk action: Select the checkboxes in front of the application names to perform bulk delete action on selected applications.

Note
Only one tag is shown for each application. You can hover over the blue colored text next to the tag to view additional tags, if any.

When you click an application name, the following details are displayed in the right pane.

Application Details
Name Description
Name Name of the application.
Description Description of the application.
Type Type of application.
IP Address / Domain Name The web address/ Domain Name.
Port Value The port number.
External Domain Name External domain name for the application.
App Connector Group The app connector that will be used to connect applications hosted on premises to site hosted on cloud environment.
Status The status of the application (Enabled/Disabled).
Protocol The protocol of the application.
Tags The tags applied to an application. You can find an option to remove Static tags from the “Application Details” section in the right sidebar of the application page.
Actions and Status
Name Description
Enable/Disable Application You can use the toggle button to activate or deactivate the application.

Note ☛ Disabled applications are hidden from the user portal and access to disabled applications is blocked.

Test Connection Button To confirm the connection status between the active app connector and the application, click ‘Test Connection’. When the connection is successfully established, it will be denoted as ‘Reachable’, accompanied by a message stating “The application is reachable via the <name of the app connector>”. Otherwise, it will be labelled as ‘Unreachable’. Test connection option is available only for private apps and agent-based apps.

Adding an application

To add a new application in the application catalog, follow these steps.

Note
The application addition process offers a “Save as Draft” feature. This mode allows users to save their application in an unfinished state, preserving their progress for future editing and refinement.

  1. Log on to the Seqrite ZTNA portal. Navigate to Application Catalog in the left navigation pane.
  2. On the Application Catalog page, Click Add Application. A new page appears.
  3. Enter the following information in the Application Information section.
  4. Add application - Application information

    • Enter the Application Name.
    • Enter the Application Description.
    • Upload the application logo.
  5. Enter the following details and select appropriate options (wherever applicable) in the Application Details section.
  6. Select one of the application types.
    • Agentless Apps
      • Public
      • Private
    • Agent-Based Apps
      • Network Apps
      • DNS-Mapped Apps
  7. Depending on the application type that you select, relevant parameters are displayed.

    Public Web Apps

    Application types public web apps

    Setting Up Public Web Apps

    To configure public web applications, provide the following application details:

    1. Application Details

    Field Description
    IP Address or Domain Name Enter the IP address or domain name of the application.

    Note: Seqrite ZTNA supports IPv6-enabled public web applications, allowing users to access these applications using domain names. However it does not support IPv6-only domains.

    Protocol Select the appropriate protocol from the drop-down menu.
    HTTP/HTTPS If the selected protocol is either HTTP or HTTPS, you can configure the following advanced HTTP/S settings and WAF Rules:
    Advanced HTTP/S Settings
    Enable HTTP/2 With HTTP/2, loading times for websites are enhanced by reducing the latency and overhead associated with multiple requests.
    Bypass Authentication Bypass Authentication lets you get into apps directly without needing to log in through the user portal. You can get a complete overview of all the applications with Bypass Authentication enabled by accessing the WAF section on the Dashboard Page.

    Note ☛ Access to the Bypass Authentication option is exclusive to users who have purchased the add-on for either Enterprise or Standard licenses.

    Relative URL Path Administrators have the flexibility to configure applications requiring multiple relative paths simultaneously, while also enforcing restricted access exclusively to those paths. Enter a relative URL path. For example: for the URL https://myapps.organization.com/careers/engineering, the relative URL path is /careers/engineering. The relative URL path must start with a forward slash (/).

    Note ☛ It is possible to include multiple relative paths within a single application.

    Default Landing Path The default landing path for an application refers to the initial page or screen that users encounter when they first access the application. With the default landing path set and Restricted Access Path enabled, users are limited to accessing only the landing path and are restricted from accessing other paths within the application domain. ZTNA provides built-in support for a default landing path, for cases where an application’s landing page is hosted elsewhere.

    Note ☛ The Restricted Access Path option is exclusively supported for the Default Landing Path.

    Host Header Enter the Host Header. The Host header is a field in the HTTP request header that specifies the domain name or IP address of the server to which the client is making a request. Choose ‘Custom’ option to modify header values.
    Origin Header Enter the Origin Header. The Origin header is a field in the HTTP request header that indicates the origin of the request. The origin is the combination of the scheme (for example, ‘HTTP’ or ’HTTPS’), hostname, and port number from which the request is sent. Choose ‘Custom’ option to modify header values.
    WAF Rules
    SQL Injection Enabling SQL Injection as a WAF rule enhances security by blocking SQL injection attacks.
    Cross Site Scripting Enabling Cross Site Scripting (XSS) protection as a WAF rule helps mitigate the risk of XSS attacks by filtering and blocking malicious script injections across different websites.
    OS Command Injection Enabling OS Command Injection as a Web Application Firewall (WAF) rule enhances security by preventing unauthorized execution of operating system commands through web applications.
    System Resource Access Enabling System Resource Access Injection as a WAF rule enhances security by guarding against unauthorized access attempts to system resources.
    Server Side Template Injection Enabling Server Side Template Injection (SSTI) as a WAF rule enhances security by detecting and mitigating potential vulnerabilities arising from template injection attacks.
    Port Value The Port Value will be auto populated based on the selected protocol.
    External Domain Name Enter the external domain name. This domain name will be accessed directly by end users through the user portal.
    Tags Enter the tags applicable to the application.

    Private Web Apps

    Application types private web apps

    Setting Up Private Web Apps

    To configure private web applications, provide the following application details:

    1. Application Details

    Field Description
    IP Address or Domain Name Enter the IP address or domain name of the application.
    Protocol Select the appropriate protocol from the drop-down menu.
    HTTP/HTTPS If the selected protocol is either HTTP or HTTPS, you can configure the following advanced HTTP/S settings and WAF Rules:
    Advanced HTTP/S Settings
    Enable HTTP/2 With HTTP/2, loading times for websites are enhanced by reducing the latency and overhead associated with multiple requests.
    Bypass Authentication Bypass Authentication lets you get into apps directly without needing to log in through the user portal. You can get a complete overview of all the applications with Bypass Authentication enabled by accessing the WAF section on the Dashboard Page.

    Note ☛ Access to the Bypass Authentication option is exclusive to users who have purchased the add-on for either Enterprise or Standard licenses.

    Relative URL Path Administrators have the flexibility to configure applications requiring multiple relative paths simultaneously, while also enforcing restricted access exclusively to those paths. Enter a relative URL path. For example: for the URL https://myapps.organization.com/careers/engineering, the relative URL path is /careers/engineering. The relative URL path must start with a forward slash (/).

    Note ☛ It is possible to include multiple relative paths within a single application.

    Default Landing Path The default landing path for an application refers to the initial page or screen that users encounter when they first access the application. With the default landing path set and Restricted Access Path enabled, users are limited to accessing only the landing path and are restricted from accessing other paths within the application domain. ZTNA provides built-in support for a default landing path, for cases where an application’s landing page is hosted elsewhere.

    Note ☛ The Restricted Access Path option is exclusively supported for the Default Landing Path.

    Host Header Enter the Host Header. The Host header is a field in the HTTP request header that specifies the domain name or IP address of the server to which the client is making a request. Choose ‘Custom’ option to modify header values.
    Origin Header Enter the Origin Header. The Origin header is a field in the HTTP request header that indicates the origin of the request. The origin is the combination of the scheme (for example, ‘HTTP’ or ’HTTPS’), hostname, and port number from which the request is sent. Choose ‘Custom’ option to modify header values.
    Static URL Address Provide the Static URL Address, if needed. Certain web applications include sub-URLs that might redirect to other internal URLs to display specific content, like logos or paths. ZTNA faces difficulty loading these due to static page content, resulting in incomplete user display. The Static URL Address, resolves this by revealing blocked content from private web apps.
    WAF Rules
    SQL Injection Enabling SQL Injection as a WAF rule enhances security by blocking SQL injection attacks.
    Cross Site Scripting Enabling Cross Site Scripting (XSS) protection as a WAF rule helps mitigate the risk of XSS attacks by filtering and blocking malicious script injections across different websites.
    OS Command Injection Enabling OS Command Injection as a Web Application Firewall (WAF) rule enhances security by preventing unauthorized execution of operating system commands through web applications.
    System Resource Access Enabling System Resource Access Injection as a WAF rule enhances security by guarding against unauthorized access attempts to system resources.
    Server Side Template Injection Enabling Server Side Template Injection (SSTI) as a WAF rule enhances security by detecting and mitigating potential vulnerabilities arising from template injection attacks.
    Web RDP If the selected protocol is Web RDP, you can configure the following attributes:
    RDP Access Type
    If the selected RDP access type is ‘Limited Application Access’, enter the Remote Application Name, Remote Application Directory, and Remote Application Argument.
    Permissions
    Allow Clipboard Access Allow business user to copy/paste text content from/to specific application. By default, it is restricted.
    Allow File Transfer Allow business user to upload and download files from/to specific applications.(i.e. if user needs to download a file from RDP instance to base machine, you can enable the option). You need to configure below fields in order to grant file transfer access.
    Content Inspection Applications using webRDP, webSSH, and webVNC protocols with content inspection activated will be listed on the Content Inspection Records page. Content Inspection enhances security by detecting threats and ensuring authorized file transfers.
    Allow Session Recording Switch on recording of business user activities for a specific application. Recordings can be found under Audit logs. (https://docs.seqrite.com/docs/seqrite-ztna/settings/audit-trail/).
    WebSSH If the selected protocol is WebSSH, you can configure the following attributes:
    Private Key
    Providing support for importing a private key file while accessing webSSH applications
    While configuring a WebSSH application the administrator can import the private key file as shown in the following image, so that the end user can access the application by entering the valid credentials.

    Note

    • The use of passphrases to generate private keys is not supported.
    • At present, the only supported method for authentication to WebSSH applications is through private key files encrypted with RSA.
    Permissions
    Allow Clipboard Access Allow business user to copy/paste text content from/to specific application. By default, it is restricted.
    Allow File Transfer Allow business user to upload and download files from/to specific applications. (i.e. if user needs to download a file from RDP instance to base machine, you can enable the option). You need to configure below fields in order to grant file transfer access.
    Content Inspection Applications using webRDP, webSSH, and webVNC protocols with content inspection activated will be listed on the Content Inspection Records page. Content Inspection enhances security by detecting threats and ensuring authorized file transfers.
    Allow Session Recording Switch on recording of business user activities for a specific application. Recordings can be found under Audit logs. (https://docs.seqrite.com/docs/seqrite-ztna/settings/audit-trail/).
    Web Telnet If the selected protocol is Web Telnet, you can configure the following permissions:
    Permissions
    Allow Clipboard Access Allow business user to copy/paste text content from/to specific application. By default, it is restricted.
    Allow Session Recording Switch on recording of business user activities for a specific application. Recordings can be found under Audit logs. (https://docs.seqrite.com/docs/seqrite-ztna/settings/audit-trail/).
    Web VNC If the selected protocol is Web VNC, you can configure the following permissions:
    Permissions
    Allow Clipboard Access Allow business user to copy/paste text content from/to specific application. By default, it is restricted.
    Allow File Transfer Allow business user to upload and download files from/to specific applications. (i.e. if user needs to download a file from RDP instance to base machine, you can enable the option). You need to configure below fields in order to grant file transfer access.
    Content Inspection Applications using webRDP, webSSH, and webVNC protocols with content inspection activated will be listed on the Content Inspection Records page. Content Inspection enhances security by detecting threats and ensuring authorized file transfers.
    Allow Session Recording Switch on recording of business user activities for a specific application. Recordings can be found under Audit logs. (https://docs.seqrite.com/docs/seqrite-ztna/settings/audit-trail/).
    Port Value The Port Value will be auto populated based on the selected protocol.
    External Domain Name Enter the external domain name. This domain name will be accessed directly by end users through the user portal.
    App Connector Group Choose the relevant App Connector Group from the dropdown menu.
    Tags Enter the tags applicable to the application.

    Agent Based Apps

    To configure agent based applications, provide the following application details:
    Agent Based apps

    Setting Up Agent-Based Apps

    To configure agent-based applications, provide the following information. For more details on Seqrite Universal Agent, refer to the Seqrite Univeral Agent and Deployment Sections.

    1. Application Information

    • IP Address or Domain Name: Enter the IP address or domain name of the application.
    • Protocol: Select the appropriate protocol from the dropdown menu. Administrators have the flexibility to assign multiple ports and protocols to each application.
      Note: When HTTPS is the chosen protocol, administrators should specify the Domain Name rather than the IP address. The external domain name will be automatically populated.
    • External Domain Name: Enter the external domain name. This domain name will be accessed directly by end users through the user portal.
    • App Connector Group: Choose the relevant App Connector Group from the dropdown menu.
    • Tags: Assign any relevant tags that apply to the application.

    2. Additional Configuration (Optional)

    • You have the option to configure the following additional parameters based on your requirements:
      • Sub-Domain Name: Utilize sub-domain names to enhance application structuring and organization.
        An application accessible through the parent domain could be redirected to another domain internally. These internal redirects do not get accessed through the Seqrite Universal Agent unless explicitly configured in the sub-domain section of the additional parameters. 

        In order to securely access all the domains of the parent domain through the ZTNA agent, add these domains to the sub-domain section.  

        For example:
        If we access the website https://documetation-example.com and the website loads and provides URLs to retrieve images from another website, https://documentaiton-images.com. In this scenario, the application URL would be https://documentation-example.com and the sub-domain would be https://documetation-images.com.

      • Protocol: Determine the communication protocol to be employed for data transfer.
      • Port Value: Establish the port value for streamlined data routing and connectivity.
    • User Portal Settings: Customize access controls and personalize the user experience with the following options.
      • Lock Port Value: Secure a specific port number to prevent unauthorized changes.
        The user would connect to the port configured in the application and not a random port. For example, if the admin configured the application for port “8080” then the user would access the application on the same port. Without the Lock Port Value configuration, the user could connect to a random port (for example: 10450 and then internally it would redirect to the application port 8080).
      • Auto-Connect: Enable automatic connection establishment for user convenience.
        On successful end-user authentication, the application connection will be automatically established for user convenience.
      • Hide App on User Portal: Simplify the user experience by concealing the applications for which the Auto-Connect option is enabled within the user portal.
        This is an advanced configuration and should be done only when the end users have clear awareness of the accessible applications.

    3. Advanced HTTPS Settings

    • Enable HTTP/2
      With HTTP/2, loading times for websites are enhanced by reducing the latency and overhead associated with multiple requests.
    • Bypass Authentication
      Bypass Authentication lets you get into apps directly without needing to log in through the user portal. You can get a complete overview of all the applications with Bypass Authentication enabled by accessing the WAF section on the Dashboard Page.

      Note ☛ Access to the Bypass Authentication option is exclusive to users who have purchased the add-on for either Enterprise or Standard licenses.

    • Relative URL Path
      If the selected protocol is either HTTP or HTTPS, you must install the plugin before using relative paths in the application. After updating the relative path in the application, refresh the portal, reconnect, and changes will appear. Relative paths in logged-in agent apps are blocked when accessed, but not if logged in another tab.
    • Default Landing Path
      The default landing path for an application refers to the initial page or screen that users encounter when they first access the application. With the default landing path set and Restricted Access Path enabled, users are limited to accessing only the landing path and are restricted from accessing other paths within the application domain. ZTNA provides built-in support for a default landing path, for cases where an application’s landing page is hosted elsewhere.

      Note ☛ The Restricted Access Path option is exclusively supported for the Default Landing Path.

    Note
    For the Agent Based Apps the supported protocols are HTTP, HTTPS, RDP, SSH, Telnet, SMB, VNC, SFTP, FTP, and SCP.

    Note
    Presently, in order to establish a connection with the SMB app on Windows OS, it is necessary to stop and disable the server services, followed by a reboot of the device.

    Note
    After upgrading from ZTNA 2.2.4 to ZTNA 2.3.0, it is necessary to upgrade the agent to version 1.10.x during the downtime. If the customer’s agent version is 1.9.x or earlier, agent-based web or legacy applications (such as SSH) may fail to reconnect. In such cases, the customer must manually restart the ZTNA agent to restore connectivity to these applications. Automatic reconnection occurs only if the agent-based applications are configured for “Auto Connect”.

    Network Apps

    This application category supports a wide spectrum of TCP-UDP applications. With this feature, administrators gain the flexibility to configure private IPs, subnets, single ports, port ranges, and more. This advancement empowers seamless integration of VoIP, SIP, and streaming protocol-based applications within your network infrastructure. Access to this feature-rich category is available through an additional license subscription.

    Note
    This feature is available only for Enterprise and Standard licenses through an additional license subscription.

    Setting Up Network Apps

    To configure network applications, provide the following application details:
    Network apps

    1. Application Details

    Field Description
    Data Traffic Select the direction of data traffic.
    Upstream Upstream denotes data flowing from user endpoints to application servers. Select this option if you want to manage outgoing traffic from the application.
    Downstream Downstream denotes data flowing from application servers to user endpoints. Choose this option if you need to manage incoming traffic to the application.
    Both If you want to manage both incoming and outgoing traffic opt for this option.
    IP Address Enter IP addresses or IP address ranges for the application. You can provide a maximum of 20 IP addresses or IP address ranges.
    Protocol Select TCP and/or UDP protocol from the drop-down menu.
    Port Value You have the option to specify either multiple single port values or multiple ranges of port values. You can configure multiple IP addresses, ports, and protocols all in one place. Choose from IP ranges, single IP addresses, or entire subnets, and manage both TCP and UDP protocols across multiple ports. Simplify your admin tasks with ease.
    Tags Enter the tags applicable to the application.

    Considerations for setting up network applications with TCP-UDP protocols

    • Network Settings in Sites: In a specific scenario where UDP applications are being configured, it's essential to also establish TCP applications. This is because TCP is initially used to establish a connection, followed by a transition to UDP for communication. Moreover, for UDP applications to operate, virtual IP pools are utilized to dynamically assign IP addresses to agent devices accessing network applications. Each Seqrite ZTNA Agent will be allocated a singular IP address from the virtual IP pool for accessing network-based applications.
    • App Connector Settings: For seamless access to UDP applications, ensure the App Connector is correctly installed and connected. Configure the LAN Subnet field within the app connector to enable access to diverse UDP applications. You have the option to enable or disable NAT according to your requirements. NAT facilitates the translation of private LAN IP addresses into public ones for internet communication, and vice versa, enhancing connectivity.

    App Connector Configuration for Network Apps

    Note ☛ For security reasons, the administrator must manually perform the following steps on the system where the app connector is installed.

    If you are running the app connector on a Linux host system, you will need to ensure that your host OS meets the following requirements:

    • Ubuntu 22.04 and above
    • Kernel version > 4.5

    Important Note
    You need to allow UDP port 1194 and 1195 in your host's firewall.

    If you need to allow Ingress/Egress traffic from the app connector to your application, you will need to allow this traffic in your host machine's firewall. There are a couple of ways to achieve this:

    For Debian-based systems using UFW:

    If UFW is enabled in your host system, then you can allow traffic from and to the tun interface of the app connector using the following UFW commands:

    • ufw route allow out on tun0: To allow traffic from the application to the app connector's Docker instance.
    • ufw route allow in on tun0: To allow traffic from the app connector's Docker instance to the application.

    For all other systems (including Debian-based) without UFW (i.e. UFW disabled/not present):

    • The iptables utility should be installed in your Linux host with the help of the appropriate package manager.
      • For Debian-based systems, you can use the following command:

        apt-get install iptables

      • For RHEL-based systems, you can use the following command:

        yum install iptables

    • After successfully installing the utility, run the following commands to allow traffic flow:
      • iptables -I FORWARD -i tun0 -j ACCEPT: To allow traffic from the app connector's Docker instance to the application.
      • iptables -I FORWARD -o tun0 -j ACCEPT: To allow traffic from the application to the app connector's Docker instance.

    IP forwarding also needs to be enabled on Linux host systems. To check the current status of IP forwarding, run the following command:

    cat /proc/sys/net/ipv4/ip_forward

    If the return value is 0, then it indicates that forwarding is disabled. Enable it with the following command:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    Important
    All of the above commands require super-user privileges.

    Connecting Network Apps from macOS System

    When connecting network applications from a macOS system, you may encounter the following pop-ups. To proceed, simply click “OK”.



    Accessing Network-Based Applications on a Windows 7 Virtual Machine

    To access network-based applications on a Windows 7 virtual machine (VM), follow these steps:

    1. Install Required Windows Updates:
      • Install the following updates on your Windows 7 VM:
        • KB4490628
        • KB4474419
    2. Download and Install OpenVPN:
      • Download OpenVPN version 2.4.12 for Windows 7 from OpenVPN Community Downloads.
      • Run the installer (openvpn-install-2.4.12-I601-Win7.exe) with administrator rights.
    3. Install OpenVPN:
      • Open Command Prompt or PowerShell with administrator rights.
      • Navigate to the directory where openvpn-install-2.4.12-I601-Win7.exe is located.
      • Execute this command to install OpenVPN silently (without shortcuts, GUI, associations, or OpenSSL utilities):
        openvpn-install-2.4.12-I601-Win7.exe /S /SELECT_SHORTCUTS=0 /SELECT_OPENVPNGUI=0 /SELECT_ASSOCIATIONS=0 /SELECT_OPENSSL_UTILITIES=0
    4. Rename the TAP Adapter:
      • Navigate to Control Panel > Network and Internet > Network Connections.
      • Find the network adapter named "TAP-Windows Adapter V9".
      • Right-click on it and choose "Rename".
      • Rename it to "ZT Network Adapter".
    5. Install Any Required Agent:
      • If your network-based applications require a specific agent or software for connectivity, install it on your Windows 7 VM.
    6. Access Network-Based Applications:
      • After completing the above steps, you should be able to access your network-based applications via the network connection established by OpenVPN.
  8. After this is done, click Add. The Applications page is displayed with the application details that you have configured.

Was this page helpful?