Adding an internal TCP based agent-ZTNA application

Once the installation and configuration of the ZTNA is complete, you can now add your internal apps to Forcepoint ONE SSE to provide contextual access controls.

Follow the steps below to provide access to an internal app via ZTNA over TCP proxies:

Steps

  1. In the Forcepoint ONE SSE portal, click Protect > Add Apps > Managed Apps.
  2. On the Managed Apps page, select the Any TCP ZTNA App/Service option.
  3. In the new window, fill out the fields to configure your app:
    1. Provide a name for the application.
    2. Optionally, upload an image that will appear on the policies page, as well as a small icon that will be used on the logs and Dashboard pages.
    3. Select the data center name that you configured. This name is used in logs to identify where the app lives (for example, the Campbell, CA office location).
    4. Enter the TCP proxy ports over which the internal application can be accessed. This field supports individual ports and port ranges.
    5. Enter a Service Hostname, one or more IP Subnets, or both.
      When both Service Hostname and IP Subnets are entered, the behavior is as follows:
      • The SmartEdge agent provides connectivity to all possible combinations of the Port(s) and Hostname(s) groupings as well as the Port(s) and IP Subnet(s) groupings.
      • Each connection is matched against the ZTNA app's policy rules.
    6. To save the details, click Save.
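The following Python script is an added illustration of the app definition described in steps 4 and 5 and of the default Deny rule described under Result; it is not Forcepoint's implementation, and the data model (an app dict, a rule list with group and action fields, the sample hostname and subnet) is an assumption made for the example. It parses a port field with individual ports and ranges, expands the port × hostname and port × subnet combinations the agent would serve, and evaluates a top-down rule list whose last entry is the default Deny.

```python
"""Illustration (not Forcepoint's code) of a TCP ZTNA app definition and default-deny policy."""
import ipaddress

MAX_PORT = 65535


def parse_ports(spec: str) -> set[int]:
    """Parse a port field such as "443, 8443-8445" into a set of port numbers.
    Accepts individual ports and inclusive ranges, separated by commas."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if not 1 <= lo <= hi <= MAX_PORT:
                raise ValueError(f"bad port range: {part!r}")
            ports.update(range(lo, hi + 1))
        else:
            port = int(part)
            if not 1 <= port <= MAX_PORT:
                raise ValueError(f"bad port: {part!r}")
            ports.add(port)
    return ports


def build_app(name, datacenter, port_spec, hostnames=(), subnets=()):
    """Assumed app model: at least one hostname or subnet is required."""
    if not hostnames and not subnets:
        raise ValueError("at least one Service Hostname or IP Subnet is required")
    return {
        "name": name,
        "datacenter": datacenter,
        "ports": parse_ports(port_spec),
        "hostnames": {h.strip().lower() for h in hostnames},
        "subnets": [ipaddress.ip_network(s, strict=False) for s in subnets],
    }


def connectivity_pairs(app):
    """Every (target, port) combination the agent would provide connectivity for:
    ports x hostnames plus ports x subnets."""
    targets = list(app["hostnames"]) + [str(net) for net in app["subnets"]]
    return {(t, p) for t in targets for p in app["ports"]}


def app_matches(app, dest, port):
    """True if a connection to dest:port falls inside this app's definition."""
    if port not in app["ports"]:
        return False
    if dest.lower() in app["hostnames"]:
        return True
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return False  # not an IP and not a configured hostname
    return any(ip in net for net in app["subnets"])


def evaluate(rules, app, dest, port, user_group="Any"):
    """Walk rules top-down; the final rule is the default Deny created on save.
    A connection outside the app definition is denied without consulting rules."""
    if not app_matches(app, dest, port):
        return "Deny"
    for rule in rules:
        if rule["group"] in ("Any", user_group):
            return rule["action"]
    return "Deny"  # unreachable when the default rule is present, kept as a safety net


# Constructed sample data for the example (hostname and subnet are assumptions).
CRM_APP = build_app(
    "Internal CRM", "Campbell, CA office", "443, 8443-8445",
    hostnames=["crm.corp.example"], subnets=["10.20.0.0/24"],
)
DEFAULT_RULE = {"group": "Any", "action": "Deny"}   # created automatically on Save
RULES = [{"group": "Engineering", "action": "Allow"}, DEFAULT_RULE]

if __name__ == "__main__":
    for target, port in sorted(connectivity_pairs(CRM_APP)):
        print(f"agent serves {target}:{port}")
    for group in ("Engineering", "Finance"):
        print(group, "->", evaluate(RULES, CRM_APP, "10.20.0.17", 8444, group))
```

Until an Allow rule is added above the default rule, every connection to the app evaluates to Deny, which is the state the portal leaves you in right after Save.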

Result

A default rule is created on the Protect > Policies page with Action set to Deny and all other fields set to Any. For agent-based ZTNA apps, the label ZTNA TCP appears at the top left of the app logo and the data center name at the bottom left.