Lab 2: Onboard a Second Application (16.0)

Guided Configuration supports more than a single application per Identity Aware Proxy Deployment. In this module you will learn how to modify an existing IAP deployment to onboard new authentication methods, SSO methods, and applications.

This module also introduces Application Groups, which provide different contextual access controls for parts of a website.

Section 2.1 - Access Guided Configuration

To onboard a new application to the IAP, you will first access the Guided Configuration menu.

Task 1 - Access the Zero Trust IAP guided configuration

  1. From Firefox, click on the Access tab located on the left side.

    image1

  2. Click Guided Configuration

    image2

  3. Click IAP_DEMO

    image3

  4. Click Config Properties from the top ribbon

    image4

  5. Enable Application Groups

  6. Click Save & Next

    image4-1

Section 2.2 - User Identity

Adding another User Identity to the IAP takes just a few steps.

Task 1 - Configure Certificate Authentication with OCSP

  1. Click User Identity in the Ribbon

    image5

  2. Click Add to create a new User Identity

    image6

  3. Enter Name ocsp

  4. Select On-Demand Certificate Authentication from the Authentication Type dropdown

  5. Select OCSP Responder from the Authentication Server Type dropdown

  6. Select ocsp-servers from the Authentication Server dropdown

  7. Leave Request selected under Choose Auth Mode

  8. Click Save

    image7

  9. Verify the ocsp object was created and click Save & Next

    image8

Section 2.3 - SSO & HTTP Header

In this section, you will create a custom header value to pass to the web server.

Task 1 - Create Custom Header

  1. Click Add

    image9

  2. Enter Name header_sso

  3. Set the Type radio button to HTTP Headers

  4. In the SSO Headers section, enter userID in the Header Name Field

  5. Click Save

    image10

  6. Verify the header_sso object was created and click Save & Next

    image11

Section 2.4 - Applications

In this section you will define a second application with subpaths.

Task 1 - Configure Application header.acme.com

  1. Click Add to create a new application

    image12

  2. Toggle Advanced Setting to ON in the top left corner to see additional properties

  3. Enter Name header.acme.com

  4. Enter FQDN header.acme.com

  5. Enter Subpath Pattern /admin.php

  6. Under Pool Configuration, create a node by entering 10.1.20.6 in the IP Address/Node name field. Note: this node may already exist in the drop-down menu.

  7. Verify the pool member properties of Port 443 and Protocol HTTPS

  8. Click Save

    Note

    Subpaths are used in Application Groups to define contextual access on portions of an application (separate from the default contextual Access Policy). If necessary, an application can be split up into multiple Application Groups to meet an organization’s access control needs.

    image13

  9. Verify header.acme.com was created and click Save & Next

    image14

Section 2.5 - Application Groups

In this section you will configure two Application groups to enforce different policies on parts of the header.acme.com website.

Task 1 - Create header-ad Group

  1. Click Add

    image15

  2. Enter Name header-ad

  3. Under Applications List, select / and click the arrow to move it into the Selected box

  4. Click Save

    image16

Task 2 - Create header-ocsp Group

  1. Click Add to create a second application group

    image17

  2. Enter Name header-ocsp

  3. Under Applications List, select /admin.php and click the arrow to move it into the Selected box

  4. Click Save

    image18

  5. Verify that both application groups have been created.

  6. Click Save & Next

    image19

Section 2.6 - Webtop

In this section you will verify that both applications have been added to the Webtop Sections.

Task 1 - Verify applications

  1. Ensure that both applications are listed under Webtop Sections and click Save & Next

    image20

Section 2.7 - Contextual Access

In this section you will configure Contextual Access for the previously created Application Groups.

Task 1 - Configure Contextual Access for header-ad Group

  1. Click Add

    image21

  2. Enter Name header-ad

  3. Select Application Group from the Resource Type dropdown

  4. Select header-ad from the Resource dropdown

  5. Select ad from the Primary Authentication dropdown

  6. Select header_sso from the HTTP_Header dropdown

  7. Enter Domain Admins in the Primary Authentication filter Group Name

  8. Click Add beside Domain Admins

  9. Click Save

    image22

Task 2 - Configure Contextual Access for header-ocsp Group

  1. Click Add

    image23

  2. Enter Name header-ocsp

  3. Select Application Group from the Resource Type dropdown

  4. Select header-ocsp from the Resource dropdown

  5. Select ad from the Primary Authentication dropdown

  6. Select header_sso from the HTTP_Header dropdown

  7. Enter Domain Admins in the Primary Authentication filter Group Name

  8. Click Add beside Domain Admins

    image24

  9. Check Additional Checks

  10. Click Add under Additional Checks

    image25

  11. Enter Name webadmin-group

  12. Check User Group Check

  13. Enter Website Admin in the Primary Authentication filter Group Name

  14. Click Add beside Website Admin

    image26

  15. Select Step Up from the Match Action dropdown

  16. Select ocsp from the Step Up Authentication dropdown

  17. Click Save

    image27

  18. Click Save again to save the Contextual Access Properties for header-ocsp

    image28

  19. Click Deploy located under the ribbon. Deployment will take a few moments.

    image29
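To make the policy you just deployed concrete, the following is an added Python model of its decision logic (illustration only, not BIG-IP code or the lab's own material). It assumes each session has already passed the ad primary authentication, and that a request is evaluated against the most specific Application Group subpath that matches it; the sample users' group memberships are constructed to agree with the results observed in Section 2.8.

```python
# Illustrative model of the Lab 2 access policy (added example, not BIG-IP code).
# Sessions are assumed to have passed the "ad" primary authentication; choosing the
# most specific Application Group subpath is an assumption, not documented here.
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:             # one "Additional Check" of type User Group Check
    name: str
    groups: frozenset
    step_up_auth: str    # Match Action: Step Up to this User Identity

@dataclass(frozen=True)
class ContextualAccess:
    name: str
    subpath: str         # Application Group member: "/" or "/admin.php"
    filter_groups: frozenset   # Primary Authentication filter Group Name
    checks: tuple = ()

POLICY = (
    ContextualAccess("header-ad", "/", frozenset({"Domain Admins"})),
    ContextualAccess("header-ocsp", "/admin.php", frozenset({"Domain Admins"}),
                     (Check("webadmin-group", frozenset({"Website Admin"}), "ocsp"),)),
)

@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    step_ups: frozenset = frozenset()  # step-up identities already satisfied

def select_policy(path, policy=POLICY):
    """Most specific matching subpath wins; "/" matches every path."""
    hits = [p for p in policy if p.subpath == "/" or path.startswith(p.subpath)]
    return max(hits, key=lambda p: len(p.subpath))

def evaluate(session, path):
    """Return ("allow", sso_headers), ("step_up", identity) or ("deny", reason)."""
    p = select_policy(path)
    if not session.groups & p.filter_groups:
        return ("deny", f"{p.name}: requires one of {sorted(p.filter_groups)}")
    for c in p.checks:
        if not session.groups & c.groups:           # group check fails: Access Denied
            return ("deny", f"{c.name}: requires one of {sorted(c.groups)}")
        if c.step_up_auth not in session.step_ups:  # group matched: Step Up
            return ("step_up", c.step_up_auth)
    return ("allow", {"userID": session.user})      # header_sso inserts userID

# Constructed sample sessions (group memberships inferred from the lab outcomes).
USER1 = Session("user1", frozenset({"Domain Admins", "Website Admin"}))
USER2 = Session("user2", frozenset({"Domain Admins"}))
```

Running evaluate(USER1, "/admin.php") yields a step-up to the ocsp identity, and the same session with "ocsp" in step_ups is allowed; evaluate(USER2, "/admin.php") is denied on the Website Admin check, matching the test outcomes in Section 2.8.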

Section 2.8 - Testing

In this section you will use user1's credentials to log in to the default website header.acme.com. When you then attempt to access the admin page, you will be prompted for certificate-based authentication. After a successful login you will close your browser and log in to the default website using user2's credentials. User2 will be denied access to the admin page because user2 is not a member of the required AD group.

Warning

You must use Firefox for testing!

Task 1 - Login to header.acme.com using user1

  1. Open Firefox

  2. Access the site https://iap1.acme.com

  3. At the logon page enter the Username: user1 and Password: user1

  4. Click Logon

    image30

  5. Click the header.acme.com tile

    image31

  6. Notice the custom header UserID has a value of user1

    image32

  7. Access the admin portion of the website https://header.acme.com/admin.php

  8. Select the certificate user1

  9. Click OK

    image34

  10. You should be successfully logged into the admin portion of the site.

    image33

  11. Close the browser completely.

Task 2 - Login to header.acme.com using user2

  1. Open a new browser window.

  2. Access the site https://iap1.acme.com

  3. At the logon page enter the Username: user2 and Password: user2

  4. Click Logon

    image35

  5. Notice that the basic.acme tile is missing: user2 is not a member of the Sales Engineering group required to view that application

  6. Click the header.acme.com tile

    image36

  7. Notice the custom header UserID has a value of user2

    image37

  8. Access the admin portion of the website https://header.acme.com/admin.php

  9. You receive an Access Denied page because user2 is not a member of the required group Website Admin

    image38

  10. This concludes lab 2.

    image100