App Gateway, Secure Remote Access and Single Sign-on to Internal Web Apps

Centrify Identity Service enables you to provide single sign-on (SSO) to both SaaS apps and on-premises apps that use a web interface. On-premises apps are unique in that they sit on the corporate network and are available only to users who are physically on the network or who have connected to it over VPN. From a user perspective, firing up a VPN session can be painful and time-consuming (or impossible when using a machine that doesn’t have the requisite VPN client). From an IT perspective, it is painful because every user device must be provisioned with a VPN client.

One of the problems IT deals with is that once a user is inside the network over VPN, the user has access to the entire network, introducing a significant level of risk. Because of this, IT has to limit the types of users that can access the network. For the most part, suppliers, vendors, partners, and even certain remote workers are left out when it comes to accessing internal applications. VPN access is also often overkill: the user simply needs secure access to a single resource, yet the VPN routes all of the traffic from the device through the corporate network.

The App Gateway solves all of these issues. On-premises app gateway functionality is available as a premium feature in the App+ edition of Centrify Identity Service. With this feature, IT can give users remote access only to the on-premises apps they need, without changing a single line of code, anywhere. End users can access both SaaS and on-premises apps from the Centrify User Portal or the Centrify Mobile apps without having to install anything or fire up a VPN session.

App Gateway

For the App Gateway, we’ve built a dedicated cloud infrastructure (app gateway traffic does not flow through the same back end as the rest of our Identity Service). This ensures that App Gateway usage does not impact the performance of the core service, and vice versa. The App Gateway cloud infrastructure is set up to scale automatically based on traffic.

The App Gateway is available for applications such as Sharepoint sites, IIS-based apps, more than a dozen application templates available in the application catalog, and any web application running inside your internal network. It can also be used with any of our custom templates (Bookmark, SAML, Username and Password, Ws-Fed, etc.), which are often used to configure internal applications. Below is the list of applications from our app catalog for which App Gateway is available:

Accellion
Accellion Private Cloud
Alfresco on-premise
Blackboard Learn (SAML)
Canvas (SAML)
CrashPlan PROe
Drupal (SAML)
FortiMail
FortiMail Admin Login
JIRA Download
LiquidFiles
Joomla! (SAML)
phpMyAdmin
Moodle (SAML)
Review Board
SAP Netweaver
Parallels
PinnacleCart
Plesk Panel
GitHub Enterprise on-premise
Sharepoint Server (Ws-Fed)

To get started, just follow these steps:

Step 1: Sign up for App+ edition of Centrify Identity Service

Step 2: Download and install the Cloud Connector, which enables Application Gateway services

Installing the Cloud Connector takes less than five minutes. Once it is done you’re ready to encrypt and tunnel secure connections to on-premises applications. There’s no need to open inbound ports in your firewall, because the Cloud Connector makes an outbound connection to the Centrify Identity Service. If you are already running Cloud Connectors in your environment, make sure their version is > 14.10 and that you have signed up for App+. We’ve made the installer flexible so you can choose to run the App Gateway alongside the AD proxy or independently.

Refer to “Installing and configuring Cloud Connectors” in the documentation for further details.

Before continuing to the next step, verify that the Cloud Connectors are ready for App Gateway services: go to Cloud Manager -> Settings -> Cloud Connectors and check the “App Gateway” column for each connector.

Cloud Connector App Gateway Services

Step 3: Configure App Gateway on internal applications

Begin by adding any of the web applications listed above from the Centrify App Catalog using the Apps page in Cloud Manager. See “Adding web applications from the Centrify App Catalog” for the details. If the application is not in the app catalog, you can add it using a custom template from the Centrify App Catalog.

Once the application is added, navigate to Application -> Application Gateway tab.

Application Gateway for internal app

When using the App Gateway, there are two deployment options to choose from, based on the URL that you wish to use:

Option 1: Use your own external URL. This is the recommended approach for deploying apps for production use, as it lets your users share deep URLs from on-prem apps with each other. With this approach, users continue to use the same URL to access the application from both internal and external networks.

This option requires you to:

  1. Upload an SSL certificate. Note: this SSL server certificate needs to match either the fully qualified domain name or the wildcard domain name of your application. The file must have a .pfx extension, and during upload you will be prompted for a passphrase.
  2. Update your DNS settings.

App Gateway - Use internal URL option1

Note: You will be given further instructions on the screen to set up the CNAME record in your public DNS server. An example format is shown in the yellow box.
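Both requirements of Option 1 can be checked before anything is uploaded or changed: the certificate’s names have to cover the app’s FQDN under the wildcard rules TLS clients actually apply (a wildcard covers exactly one left-most label, so `*.example.com` covers `wiki.example.com` but neither `example.com` nor `a.b.example.com`), and the public CNAME for that FQDN has to end at the gateway name shown on screen. The following Python is an added example, not Centrify’s code. The hostnames, SAN entries and DNS answers are constructed, the gateway target name is a placeholder, and the CNAME lookup is passed in as a callback so the check runs offline (a live deployment would supply a real resolver); pulling the SAN list out of the .pfx itself is left to your certificate tooling.

```python
"""Pre-flight checks for the "use your own external URL" option.

Added example, not Centrify's code. Certificate names, hostnames and DNS
answers below are constructed; the gateway target is a placeholder.
"""
from __future__ import annotations

import re
from typing import Callable, Iterable

# A DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _labels(name: str) -> list[str]:
    """Normalize a DNS name: lower-case, drop the trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate DNS name (CN or SAN entry) covers hostname.

    Mirrors the matching rules TLS clients apply (RFC 6125 section 6.4.3):
    labels compare case-insensitively; a wildcard must be the whole left-most
    label and matches exactly one label; partial-label wildcards such as
    "wi*.example.com" and too-short patterns such as "*.com" are rejected.
    """
    pattern, host = _labels(cert_name), _labels(hostname)
    if not all(_LABEL.match(label) for label in host):
        return False  # malformed hostname can never be covered
    if pattern[0] == "*":
        if len(pattern) < 3:  # refuse "*" and "*.com"
            return False
        return len(pattern) == len(host) and pattern[1:] == host[1:]
    if any("*" in label for label in pattern):
        return False  # wildcard somewhere other than the whole first label
    return pattern == host


def cert_covers_hostname(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS name on the certificate covers the app's FQDN."""
    return any(cert_name_matches(name, hostname) for name in san_dns_names)


def cname_points_to(hostname: str, expected_target: str,
                    resolve_cname: Callable[[str], str | None]) -> bool:
    """True if the CNAME chain starting at hostname reaches expected_target.

    resolve_cname returns the CNAME target of a name, or None if the name has
    no CNAME. The chain is followed for a bounded number of hops so a loop in
    a misconfigured zone cannot hang the check.
    """
    want = _labels(expected_target)
    current = hostname
    for _ in range(8):
        target = resolve_cname(current)
        if target is None:
            return False
        if _labels(target) == want:
            return True
        current = target
    return False


def preflight(hostname: str, san_dns_names: Iterable[str], gateway_target: str,
              resolve_cname: Callable[[str], str | None]) -> dict[str, bool]:
    """Run both Option 1 checks and report each result by name."""
    return {
        "certificate_covers_hostname": cert_covers_hostname(san_dns_names, hostname),
        "cname_points_to_gateway": cname_points_to(hostname, gateway_target, resolve_cname),
    }


# Constructed zone data standing in for a live DNS lookup (placeholder gateway name).
SAMPLE_CNAMES: dict[str, str | None] = {
    "wiki.example.com": "wiki-example-com.gateway.placeholder.invalid",
    "loop-a.example.com": "loop-b.example.com",
    "loop-b.example.com": "loop-a.example.com",
}


def sample_resolver(name: str) -> str | None:
    """Offline stand-in for a CNAME query against the constructed zone above."""
    return SAMPLE_CNAMES.get(name.lower().rstrip("."))


if __name__ == "__main__":
    # Constructed SAN list as it might appear on the uploaded .pfx certificate.
    sans = ["portal.example.com", "*.example.com"]
    print(preflight("wiki.example.com", sans,
                    "wiki-example-com.gateway.placeholder.invalid", sample_resolver))
```

Run it against your own FQDN, the SAN entries from the certificate you intend to upload, and the gateway name from the yellow box; a `False` on the first key means the wildcard or FQDN on the certificate does not cover the app, and a `False` on the second means the public CNAME is missing, points elsewhere, or loops.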

Option 2: Use a Centrify-generated external URL. This is recommended for testing only, as the Centrify-generated URL is a CNAME pointing to your actual on-prem app, and this option sets that up for you automatically. It is a great way to quickly test the feature, but it is not meant for production deployments, since shared links from the app will work only if both users are inside the network. With this deployment model, users will have to either (i) bookmark the generated URL to access the app, or (ii) access it from the Centrify User Portal.

App Gateway - Use internal URL option2

On-premises app gateway functionality provides easy and secure access to on-premises apps without requiring configuration of a VPN client or a VPN concentrator, or modified firewall policies. With Centrify, IT can give users remote access only to the apps they need, without changing a single line of code, anywhere. IT can manage user identity and access to on-premises and cloud apps, and secure users’ mobile devices, all from a single console.

Many more exciting features are coming up on top of the base App Gateway feature. Stay tuned.

Next Steps

Register for a trial subscription of Centrify Identity Service today to see how it can benefit your organization: