Make services available in the Application Access Portal

To make services in the protected network available in the Application Access Portal, define Application Access Service elements.

Application Access Service elements map external URLs to HTTP-based services in the protected network. Application Access Service elements contain settings that define how the internal URLs of the HTTP-based services are translated to external URLs. URL translation makes sure that all traffic to registered web resource hosts is routed through the Application Access Portal. End users can access the Application Access Services through the Application Access Portal, or directly through web browser bookmarks.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Secure SD-WAN.
  2. Browse to Application Access Portal > Application Access Services.
  3. Right-click Application Access Services, then select New Application Access Service.
  4. Configure the settings, then click OK.

Next steps

You are now ready to define which users are allowed to access the services.

Application Access Service Properties dialog box

Use this dialog box to define the properties of an Application Access Service element.

Option Definition
General tab
Name Specifies a unique name for the element.
Note: The name must only contain letters, numbers, dashes (-), and underscores (_). The name cannot contain spaces.
Link Translation Specifies how incoming connections are routed to services in the protected network.
  • URL Rewrite — A URL prefix that corresponds to a service in the protected network is added to the URL.

    Incoming connections are routed to the service in the protected network based on the URL prefix. HTTP responses from the servers in the protected network are rewritten to change the outgoing URLs. This option does not require any additional DNS entries.

  • DNS Mapping — Incoming connections to the Application Access Portal are translated to an internal host running on a specific port.

    This option requires a DNS entry for each service in the protected network.

  • Freeform URL — Users can manually enter a URL in the Application Access Portal in addition to selecting a predefined service.

    Instead of having to configure every portal service individually, you can create a list of allowed URLs and certificates or CAs.

Disable Client-Side Rewrite When selected, disables client-side URL rewriting. Select this option only if client-side URL rewriting does not work as expected and you need to revert to a previous working configuration.

Client-side URL rewriting improves compatibility when JavaScript is used to dynamically construct URLs. Disabling the rewriting changes the way the URLs in JavaScript are handled and often breaks the links within JavaScript.

Note: Client-side URL rewriting must be enabled to connect to some services, such as SharePoint and Office 365, through the Application Access Portal.
Option Definition
When Link Translation method is URL Rewrite
Profile Shows the selected Application Access Service Profile element. Click Select to select an Application Access Service Profile. The profile contains settings for SSO and cookie protection.
External URL Prefix Specifies the prefix of the URL where users access the service. Enter a forward slash (/) followed by a unique prefix.
Internal URL Specifies the URL of the service in the protected network. The URL must be followed by a forward slash (/).
Alternative Hosts Specifies additional host names or IP addresses at which the web server can be contacted. Click Add to add a row to the table, or Remove to remove the selected row.
SSO Domain Shows the selected SSO Domain element.

Users can use SSO for all services that share credentials as part of the same SSO Domain.

Client Trust Specifies which certificate authorities (CA) are trusted for client connections to the service. Clients trust the CA that you select from the drop-down list. To allow the client to trust any CA, select Trust All CAs.
Option Definition
When Link Translation method is DNS Mapping
Profile Shows the selected Application Access Service Profile element. Click Select to select an Application Access Service Profile. The profile contains settings for SSO and cookie protection.
External URL Specifies the URL where users access the service. The URL must be an HTTPS URL and a valid host name with a top-level domain.
Internal URL Specifies the URL of the service in the protected network. The URL must be followed by a forward slash (/).
Server Credentials Specifies the certificate that is used for HTTPS connections.
  • Use Self-Signed Certificate — When selected, the engine creates and uses a self-signed certificate. The self-signed certificate expires in 30 days.
  • Select — Allows you to select a TLS Credentials element.
Rewrite HTML When selected, the Application Access Portal searches the HTML content of the service and rewrites URLs so that traffic is routed through the Application Access Portal.
Note: By default, the Application Access Portal searches the HTML content of the service and rewrites URLs so that traffic is routed through the Application Access Portal.
Alternative Hosts Specifies additional host names or IP addresses at which the web server can be contacted. Click Add to add a row to the table, or Remove to remove the selected row.
SSO Domain Shows the selected SSO Domain element.

Users can use SSO for all services that share credentials as part of the same SSO Domain.

Client Trust Specifies which certificate authorities (CA) are trusted for client connections to the service. Clients trust the CA that you select from the drop-down list. To allow the client to trust any CA, select Trust All CAs.
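
The constraints listed above for the Name, URL Rewrite, and DNS Mapping settings can be checked on a planned list of services before the values are entered in the dialog box. The following is an added example, not part of the product or its documentation; the dictionary keys, the function names, and the sample services are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
HOST_WITH_TLD_RE = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}")

def lint_service(svc):
    """Return (errors, warnings) for one planned service; dict keys are hypothetical."""
    errors, warnings = [], []
    if not NAME_RE.fullmatch(svc.get("name", "")):
        errors.append("name: letters, numbers, dashes and underscores only")
    internal = urlsplit(svc.get("internal_url", ""))
    if internal.scheme not in ("http", "https") or not internal.hostname:
        errors.append("internal_url: not an HTTP(S) URL")
    elif not internal.path.endswith("/"):
        errors.append("internal_url: must end with a forward slash")
    method = svc.get("link_translation")
    if method == "URL Rewrite":
        if not re.fullmatch(r"/\S+", svc.get("external_url_prefix", "")):
            errors.append("external_url_prefix: forward slash plus a prefix")
    elif method == "DNS Mapping":
        external = urlsplit(svc.get("external_url", ""))
        if external.scheme != "https":
            errors.append("external_url: must be an HTTPS URL")
        if not HOST_WITH_TLD_RE.fullmatch(external.hostname or ""):
            errors.append("external_url: host name needs a top-level domain")
        if svc.get("server_credentials") == "self-signed":
            warnings.append("server_credentials: self-signed certificate expires in 30 days")
    else:
        errors.append("link_translation: expected URL Rewrite or DNS Mapping")
    if svc.get("client_trust") == "Trust All CAs":
        warnings.append("client_trust: clients trust any CA")
    return errors, warnings

def duplicates(services, key):  # names and external URL prefixes must be unique
    counts = Counter(s[key] for s in services if key in s)
    return sorted(v for v, n in counts.items() if n > 1)

# Constructed sample input: one clean service and one that breaks several rules.
SERVICES = [
    {"name": "wiki_prod", "link_translation": "URL Rewrite", "external_url_prefix": "/wiki",
     "internal_url": "http://wiki.internal.example/", "client_trust": "Internal-CA"},
    {"name": "HR portal", "link_translation": "DNS Mapping", "external_url": "http://hr",
     "internal_url": "http://10.0.0.5:8080", "server_credentials": "self-signed",
     "client_trust": "Trust All CAs"},
]

for svc in SERVICES:
    print(svc["name"], *lint_service(svc))
```

Errors are values that contradict the stated requirements; warnings are settings that are accepted but deserve a review, such as Trust All CAs or the 30-day self-signed certificate.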
Option Definition
When Link Translation method is Freeform URL
Cookie Protection Specifies whether cookie protection is used.
  • On — When selected, the Application Access Portal creates temporary cookies that it passes to the browser to minimize the risk of misuse.
  • Off — When selected, cookie protection is not used.
Allowed URLs Specifies the protocols, IP addresses, or DNS names of the accessible services.
  • Protocol — The protocol used by the service.
  • Host Name or IP Address — The host name or IP address that end users can enter in the Access Services field on the Application Access Portal webpage.
  • Port — The port used by the service.
Trusted CAs Specifies which certificate authorities (CA) are trusted for client connections to the service. Clients trust the CA that you add to the list.

Click Add to add an element to the list, or Remove to remove the selected element.

To allow the client to trust any CA, click Add, then click Select Any to add the Trust All CAs element to the list.
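
When planning an Allowed URLs list, it helps to test which user-entered URLs a given set of Protocol, Host Name or IP Address, and Port rows would admit. The following added example models a strict comparison on parsed URL components; it is not the portal's own matching logic, and the rows, sample URLs, and function name are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed Allowed URLs rows: (Protocol, Host Name or IP Address, Port).
ALLOWED = [("https", "wiki.internal.example", 443),
           ("http", "10.0.0.5", 8080)]

def is_allowed(url, allowed=ALLOWED):
    """True only when protocol, host and port all equal one allow-list row."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    # Reject unsupported protocols, empty hosts and user@host forms outright.
    if scheme not in DEFAULT_PORTS or not host or parts.username is not None:
        return False
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return any((scheme, host, port) == (p.lower(), h.lower(), n)
               for p, h, n in allowed)

# Constructed user entries, as they might be typed into the Access Services field.
SAMPLES = [
    "https://wiki.internal.example/start",        # matches row 1 (default port 443)
    "http://10.0.0.5:8080/app",                   # matches row 2
    "http://wiki.internal.example/",              # wrong protocol for this host
    "https://wiki.internal.example.other.test/",  # longer host name, not the listed one
    "https://wiki.internal.example@other.test/",  # listed name appears only as userinfo
    "https://wiki.internal.example:8443/",        # port not listed
]

for entry in SAMPLES:
    print("allow" if is_allowed(entry) else "deny ", entry)
```

Comparing the parsed protocol, host, and port as a whole, rather than matching on a string prefix, is what keeps the last three sample entries out.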

Option Definition
Look & Feel tab
Visible in Portal When selected, a link to the service appears on the Application Access Portal webpage.
Title The title that is displayed for the service on the Application Access Portal webpage.
Start Page Specifies the path to the page to open when the user connects to the service.
Icon

(Optional)

The icon for the service on the Application Access Portal. Shows the file name of the selected icon. Click Browse to browse to the location of the file.
Description

(Optional)

The description that is displayed for the service on the Application Access Portal webpage.

Application Access Service Profile dialog box

Use this dialog box to define the properties of an Application Access Service Profile element.

Option Definition
General tab
Name Specifies a unique name for the element.
Summary A summary of the defined settings.
Category Shows the assigned category. Click Select to include the element in predefined categories.
Comment An optional comment for your own reference.
Option Definition
Single Sign-On tab
Authentication Type
  • Single Sign-On Not Used — The SSO feature is not used.
  • HTTP — HTTP authentication is used. In most web browsers, the user must enter their credentials in a pop-up window. Basic, Digest, or NT LAN Manager (NTLM) are used as the authentication method. If more than one method is available in the HTTP headers, the precedence is in this order: NTLM, Digest, then Basic.
  • Form — The web browser redirects to a custom logon webpage that has a customizable logon form.
Option Definition
When Authentication Type is HTTP
Support NTLMv2 Deselect this option if you have legacy devices that do not support NTLMv2.
Option Definition
When Authentication Type is Form
Logon Page URL Enter a forward slash (/) followed by the path to the page that the user uses to log on.
POST Request URL Enter a forward slash (/) followed by the path to the resource that is called for the POST request.
User Name Field Name

Enter the field name used for the user name.

Domain and User Name Format If you select Custom, enter the custom format.
Use these variables:
  • %DOMAIN
  • %USER

For example, you can enter: %DOMAIN\%USER.

Password Field Name

Enter the field name used for the password.

Extra Parameters Enter the other parameters used in the form in the Field Name and Value columns.
Add Adds a row to the Extra Parameters list.
Remove Removes the selected row from the Extra Parameters list.
Option Definition
Cookie Hiding tab
Cookie Hiding
  • Only Encrypt The Cookies Listed Below — Only the cookies listed in the Exceptions list are encrypted.
  • Encrypt All Cookies, Except For The Cookies Listed Below — All cookies are encrypted, except for the cookies listed in the Exceptions list.
Exceptions Enter the names of the cookies that you want to include or exclude from encryption.
Add Adds a row to the Exceptions list.
Remove Removes the selected row from the Exceptions list.

Application Access SSO Domain dialog box

Use this dialog box to define the properties of an Application Access SSO Domain element.

Option Definition
Name Specifies a unique name for the element.
SSO Mode
  • Session-Based — The user is logged off when the session ends.
  • Persistent — The user remains logged on for a set number of days.
Timeout

(Only if the SSO mode is Persistent)

Enter the number of days that the user remains logged on.
Comment An optional comment for your own reference.