
Enterprise Application Access

Quick Start Guide


11/15/2017
Notice
Copyright 2017 by Akamai Technologies, Inc. All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system or translated into any language in any
form by any means without the written permission of Akamai Technologies, Inc. While every precaution
has been taken in the preparation of this document, Akamai Technologies, Inc. assumes no responsibility
for errors, omissions, or for damages resulting from the use of the information herein. The information in
these documents is subject to change without notice. Akamai and the Akamai wave logo are registered
trademarks or service marks in the United States (Reg. U.S. Pat. & Tm. Off). Akamai Intelligent Platform
is a trademark in the United States. Products or corporate names may be trademarks or registered
trademarks of other companies and are used only for explanation and to the owner’s benefit, without
intent to infringe. Published 11/17.

Akamai Confidential: NDA Required for Release

As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast,
reliable and secure. The company’s advanced web performance, cloud security and media delivery
solutions are revolutionizing how businesses optimize the consumer, enterprise or entertainment
experience to any device, anywhere. To learn how Akamai solutions, and its team of Internet experts, are
helping businesses move faster forward, please visit www.akamai.com and follow @Akamai on Twitter.

For troubleshooting help contact support@akamai.com.

Table of Contents

Notice 2

Welcome to Enterprise Application Access 5

Really quick: How EAA works 5

The service architecture 5

What you need to get started 6

About Akamai Luna Control Center 6

Access EAA from Luna Control Center 7

Step 1: Create, download, and install a connector 7

About connectors 7

Connector installation requirements 8

Create and download a connector 8

Step 2: Set up an authentication source in Enterprise Application Access 10

About identity providers (IdP) as authentication sources for your application 10

About the Cloud Directory 11

Add users to the directory 11

Add a directory to an identity provider (IdP) 12

Step 3: Add a new application to Enterprise Application Access 14

Add an application to EAA 14

Configure access parameters for an application 14

Step 4: Configure an authentication source 16

Step 5: See your configuration take off! Deploy your application. 19

Step 6: Give it a try 20

Access an application in the Login Portal 20

Supplemental information: Whitelist IP addresses (Outbound - port 443) 21

Welcome to Enterprise Application Access
Enterprise Application Access (EAA) is a simple way to secure and deliver your applications that run
behind a firewall or in a public cloud. It is a secure remote access service that lets you protect your
applications from Internet threats while giving you control and governance over access by your contractors,
partners, vendors, and employees. Your users on the Internet connect to the EAA service through a
URL they enter in their browser, provide their credentials, and gain access to your applications.

This quick start guide gives a high-level explanation of the EAA architecture and guides you through
the process to set up and deploy your first application.

For more complete user assistance, visit the EAA product help.

Really quick: How EAA works


Enterprise Application Access (EAA) makes it easy to secure your application. You just attach an EAA
connector that connects to your application server. It then can dial out to the EAA service on TCP Port
443, commonly open for outbound communication on most companies’ firewalls.

Your internet users connect to the EAA service through a URL they enter in their browsers. They simply
provide their credentials to gain access to your applications.

The service architecture


At a high level, the service is built from three major components:

1. Data Edge: Provides the data plane between the user and the application, as well as the data
security, application performance, and optimization components.
2. Management Edge: Provides management, logging, reporting, and configuration capabilities.
The EAA management and data edges are based on a secure, multi-tenant architecture. In addition
to the multi-tenant data cloud, you have the option to select a dedicated single-tenant data cloud
that can be configured to process only a single user’s traffic.
3. Enterprise connector: See About connectors.

What you need to get started


Make sure you have the following items:

1. An account or contract with Akamai Luna Control Center with permissions for the Enterprise
Application Access (EAA) product. If you don’t have an account, contact your sales
representative. For instructions on how to access EAA on Luna Control Center, see About
Akamai Luna Control Center.
2. An admin or editor role in the Luna Control Center account.
3. The private IP address or fully qualified domain name (FQDN) of the web-based application you
want to provide access to.
4. Credentials to install and run the EAA connector in your VMware, AWS, or other virtual
environment.

About Akamai Luna Control Center


Enterprise Application Access (EAA) Management Portal is accessible from the Akamai Luna Control
Center. In Luna Control Center, you can manage groups and properties for your Akamai accounts and
monitor, configure, resolve, and plan your products from the mega menu.

1. Context selector: Manage groups and properties.
2. Account selector: Choose the account or contract.
3. Mega menu: The contents and products under these menus may change based on the account or
contract selected.
If you do not see the content or product in the mega menu, make sure the correct account or contract
is selected. For further assistance contact your account representative.

For more information on context, groups, and properties, see the Select a Group or Property help.

Access EAA from Luna Control Center


To access the Enterprise Application Access (EAA) Management Portal in Luna Control Center,

1. Log in to Luna Control Center (https://control.Akamai.com).


2. In the Account selector, select the account or contract you need.
3. From the Configure mega menu, navigate to the Enterprise Cloud Networking category and select
the Enterprise Application Access product. The Enterprise Application Access Management
Portal appears.

Step 1: Create, download, and install a connector

About connectors
The Enterprise Application Access (EAA) connector is a complete virtual appliance deployed behind the
firewall in your data centers or hybrid cloud environments. You can deploy multiple connectors for
redundancy and scaling. Connectors are cryptographically unique and devoid of any management
interface or UI. As soon as you create a connector and power it on, it dials out on port 443 outbound and
checks in with the EAA service for its configuration settings. For more information about EAA
architecture see Enterprise Application Access Architecture Overview.

Connector installation requirements
Installation requirements for a connector are as follows:

1. A virtual environment account with sufficient privileges to create a VM and assign computing
resources.
2. Network placement close to the internal applications. The connector should run near the
applications, ideally in the same subnet, and be able to reach the application under test by its
internal IP address or internal FQDN/hostname.
3. An internal firewall that allows the connector's private IP address to reach the application on the
configured port numbers. For example, a firewall rule that allows the connector to reach the
application server's internal IP address or hostname (if DNS is configured) on port numbers 80,
443, or any application-specific port.
4. Outbound connectivity from the connector to the Enterprise Application Access service over the
internet. This communication is carried over TCP port 443 and requires outbound connectivity only.
5. An IP address for the connector, assigned either dynamically by an internal DHCP server or
statically through the VM console menu. (Note: The configuration menu only appears for VMware,
Hyper-V, VirtualBox, KVM, and OpenStack.)
6. NAT and routing configured correctly to allow traffic outbound and to allow the connector to
reach the application.
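The following Python preflight script is an added example, not Akamai's code or part of this guide: run from a host in the connector's intended subnet, it walks requirements 2 to 4 above by checking that the application address is internal and resolvable, that each configured application port is reachable, and that outbound TCP 443 works. The application values are the guide's own example (192.168.2.195, ports 80 and 443); the EAA service host is a placeholder you must replace, and the connect/resolve functions are injectable so the checks can be exercised without a live network.

```python
import ipaddress
import socket

# Constructed sample values: the guide's example application server
# (192.168.2.195) and the ports named in its firewall-rule example.
APP_HOST = "192.168.2.195"
APP_PORTS = (80, 443)
# Placeholder only: substitute the EAA service endpoint your connector dials.
EAA_SERVICE_HOST = "eaa-service.example.invalid"
EAA_SERVICE_PORT = 443


def tcp_reachable(host, port, timeout=3.0, connect=socket.create_connection):
    """True if a TCP connection to host:port succeeds within timeout.

    `connect` is injectable so the check can run without a live network."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


def is_internal_address(host):
    """Requirement 2: reach the application by an internal (private) IP
    or an internal FQDN. A literal public IP fails this check; a hostname
    passes here and is verified by the resolution check instead."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return True  # not an IP literal, so treat it as an FQDN/hostname


def connector_preflight(app_host=APP_HOST, app_ports=APP_PORTS,
                        service_host=EAA_SERVICE_HOST,
                        service_port=EAA_SERVICE_PORT,
                        connect=socket.create_connection,
                        resolve=socket.gethostbyname):
    """Run the checks from the installation requirements list and return
    {check_name: passed} so any unmet requirement is visible by name."""
    results = {}
    results["app_is_internal"] = is_internal_address(app_host)
    try:  # internal DNS must resolve the application hostname (IP literals pass)
        resolve(app_host)
        results["app_resolves"] = True
    except OSError:
        results["app_resolves"] = False
    # Requirement 3: the internal firewall lets the connector reach the
    # application on every configured port.
    for port in app_ports:
        results[f"app_port_{port}"] = tcp_reachable(app_host, port, connect=connect)
    # Requirement 4: outbound TCP 443 to the EAA service; no inbound rule is
    # needed because the connector only dials out.
    results["outbound_443"] = tcp_reachable(service_host, service_port,
                                            connect=connect)
    return results


def unmet_requirements(results):
    """Names of the failed checks, in the order they were run."""
    return [name for name, ok in results.items() if not ok]
```

Call `unmet_requirements(connector_preflight())` from a host in the connector's subnet; an empty list means the listed connectivity requirements are met.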

Create and download a connector


Complete the following procedure to create an Enterprise Application Access (EAA) connector and
download the connector file that you install in a virtual environment.

It may take some time before your connector file is available for download.

To create and download a connector,

1. Log in to the Enterprise Application Access (EAA) Management Portal.


2. From the top menu bar, select the Connectors tab. The Connectors page appears.

3. Click Add connector. The connector configuration page appears.

4. Enter a connector name and an optional description.


5. Select a package type. The package type corresponds to the virtual environment where you are
installing the connector. For example, if you are installing the connector in a VMware
environment, select VMware.

6. Click Save Changes. A dialog appears indicating that you will receive an email when the connector
file is ready for download or you can go to the Connectors page to download the file when it’s
available.
7. After reading the text in the dialog, click Okay. You are directed to the Connectors page.
8. Navigate to the connector card for the connector you created. The status of the connector appears
in the connector card.
9. When the download link is available, click the Click here to download link. The connector file
opens in a separate browser window.

10. Download the connector file to a secure location to prevent accidental deletion. The contents
of the connector file are used to set up the connector in the virtual environment.

Next Steps: Install the connector on the virtual environment. For instructions see Install and approve a
connector.

Install and approve a connector


Connectors install in your environment as a virtual machine. Determine your virtual environment, then
follow the procedure to install your connector in that environment.

- Install a connector in a Microsoft Azure environment
- Install a connector in a Microsoft Hyper-V environment
- Install a connector in a Docker-based container
- Install a connector in a VMware environment
- Assign a static IP address to a connector running in a virtualized environment

After successful installation, the connector runs in your virtual environment. Return to the connector
configuration card. Make sure you can see a button labeled “Click here to approve.” This indicates that the
connector is checked in.

To approve a connector, click Click here to approve. The connector status changes to "Connector is
running".

Step 2: Set up an authentication source in Enterprise Application Access

About identity providers (IdP) as authentication sources for your application

When you put an application behind Enterprise Application Access (EAA), an identity provider (IdP)
authenticates the users who access it. EAA acts as a bridge between the application and the IdP.

When a user attempts to access an application, the user’s browser initiates a TLS session to the EAA Edge.
The EAA Edge terminates this TLS session, authenticates the user to the directory associated with the
application (optionally adding 2-factor or multi-factor authentication), and matches the user against their
access policy. The EAA Edge can authenticate users to the following Directories and identity providers
(IdP):

- Active Directory (LDAP), including support for Kerberos. Visit the product help to learn how to
Integrate an Active Directory.
- SAML identity providers (Okta, Ping, OneLogin, and so on). Visit the product help to learn more
About SAML and identity providers.
- OpenID Connect implementations (for example, Google Directory).
- EAA internal IdP (identity provider): customers have the option to use EAA as their
directory source as needed. See About the Cloud Directory.

After the user is authenticated, the outbound session from the connector and the inbound session from the
user’s device are “stitched” together in the EAA. The connector further proxies this user-to-connector
session to the application (i.e., creates a third session), thereby provisioning a dynamic, end-to-end path for
the user to interact with the application.

In the context of Enterprise Application Access (EAA) authentication, identity is a set of attributes which
describe a user. These digital identities are stored in a directory. For directory types see About directories.
For more information about attributes see About user attributes.

Identity providers (IdP) offer user authentication as a service. They create, maintain, and manage identity
information for principals (typically users) in a cloud. Some IdPs can act as the directory, and others
can delegate authentication back to Active Directory (AD) or LDAP. IdPs provide authentication to
applications within a federated or distributed network.

IdPs use SAML, a federated identity protocol that enables web browser Single Sign-On (SSO), to securely
exchange identity information between two autonomous entities. See About SAML.

The primary use case for IdPs is Single Sign-On (SSO) authentication. Additional security such as two-
factor authentication (2FA) and multi-factor authentication (MFA) can be layered on top of SSO
authentication. See Single Sign-On (SSO) and About multi-factor authentication.

Next steps: About SAML

Add an IdP to EAA

About the Cloud Directory


Every tenant is pre-provisioned with an EAA Cloud Directory to provide quick access to applications
without AD integration or to extend third party or contractor access to applications without VPN. By
default all users are part of the main “Users” group. EAA doesn’t store or cache passwords for users.

Add users to the directory


To add a user to the directory,

1. From the top menu bar choose Identity > Directories. The Directory cards appear.

2. On the directory card, click Users. The User information appears.

3. Click Upload Bulk Users, Create User, or Invite User.

4. Complete the user details fields.

5. Click Invite User. New users receive an email to create a password and complete their account
authorization.

You can create more groups and add users to various groups for role based authorization.

Add a directory to an identity provider (IdP)

To add a directory to an IdP,

1. Log in to the Enterprise Application Access (EAA) Management Portal.

2. From the top menu bar choose Identity > Identity Providers. The Identity Providers page appears.

3. Click Settings (gear icon) on the IdP card.

4. Click Assign Directory. The directory cards appear.

5. Select the directory. If you are a first time user, select the Cloud Directory card.

6. Click Save & Exit.

Step 3: Add a new application to Enterprise Application Access
Add an application to EAA
Select an application that you want to securely access outside of your enterprise network. For example, try
Sharepoint, SAP, Jira, Jenkins, Confluence, and so on.

Web-based applications use the application type HTTP. Non web-based application types include RDP,
VNC, or SSH.

Configure access parameters for an application

Configure access parameters such as the server’s private IP address or fully qualified domain name,
whether your server runs HTTPS or HTTP, and the nearest cloud zone for an application.

In our example, the web-based application server runs HTTPS with a private IP address of
192.168.2.195.

For more information on specific application types, see Configure and deploy a remote desktop (RDP)
application, and Create an SSH application.

To add an application and configure the access parameters for the application,

1. From the top menu bar, click Applications. The application cards appear.
2. Click Add Application. A window appears.

3. Enter an application name and an optional description.


4. Select the application type.

5. Select the application profile.

6. Click Create App and Configure. The application general tab opens.
7. The Application Server IP/FQDN type is pre-populated based on the application profile.
8. In the second Application Server IP/FQDN field, enter the IP port number.
For HTTPS, port 443 is the default. If your application doesn’t normally redirect you to the
login page, you may need to include a suffix (for example, /login) in the third field.

9. To configure multiple application servers for load balancing, click Add More. EAA supports
various load balancing techniques, for example round-robin, session or cookie stickiness, source
IP hash, and so on.
10. If you are configuring a VNC application, optionally enter a VNC passphrase or password, if your
server is configured to allow access via VNC.
11. Select an External Host Name domain type, then enter an external host name for the application.

- If you use an Akamai domain, you don't need to configure certificates.
- In our example, the complete external URL to access this application is
https://eaa-acme-app.go.Akamai-access.com. If you are using the Akamai domain Akamai-access.com, you
don’t need to configure certificates or your external DNS.
- If you use your own domain, you need to specify a certificate for the domain. Visit the help
to learn About certificates.
- If you use your own domain, you also need to set up a CNAME redirect. Visit the help to learn
how to Set up a CNAME redirect for an application.

12. Select an Akamai Cloud Zone. The cloud zone should be located closest to the data center where
your application server resides.

13. Click ADD/REMOVE CONNECTOR.


14. Select a connector to associate with the application.

15. Click Done.


16. To add more connectors, click ADD/REMOVE Connector. We recommend adding more than
one connector for high availability and active-active load balancing.

17. Click Save & go to Authentication. The Authentication tab opens to the IdP list.

Step 4: Configure an authentication source

When you put an application behind Enterprise Application Access (EAA), an identity provider (IdP)
authenticates the users who access it. EAA acts as a bridge between the application and the IdP.

EAA creates and provides an Akamai IdP and Cloud Directory for every new account. These items
contain the authentication credentials for all of the users in your tenant, and can be modified to contain
additional users or groups. You can create more identity providers and associate different authentication
sources with them.

To assign an IdP and a directory to an application and prepare your application for deployment,
do as follows:

1. On the IdP configuration page, click Assign Identity Provider. The IdP cards appear.

2. Select the IdP to assign to the application.


3. Click Assign directory. A window appears with Cloud Directory cards.

4. Click the directory card you want to assign to the application. The directory card expands to expose
more information and available actions.

5. To authorize user access to the application, assign groups from the Cloud Directory. Click Assign
Groups. A window appears.

6. Select the groups to assign to the application.

7. Click Done. NOTE: You can use your Active Directory as well for authentication if needed.
8. At the bottom of the page, click Save and go to Services. The SERVICES tab for the application
opens.
9. As a first time user, leave the defaults for the application’s SERVICES tab unchanged.

10. Click Save & go to Advanced Settings to continue. The application’s ADVANCED SETTINGS
tab opens.

11. As a first time user, leave the defaults for the application’s ADVANCED SETTINGS tab
unchanged. Click Save & go to DEPLOYMENT to continue. The application’s DEPLOYMENT
tab opens.

Step 5: See your configuration take off! Deploy your application.
To deploy an application,

1. Click Click to Deploy Application.

If the Click to Deploy Application button is not visible and instead you see APPLICATION
STATUS: APP NOT READY, correct the items listed and try again.

The deployment process takes three to five minutes. The application status indicates whether the
application is ready for secure access.

When the deployment is complete you will see the following screen:

Step 6: Give it a try

Try accessing your application through the Enterprise Application Access Login Portal to experience
your application as your customers will.

Access an application in the Login Portal

To access an application in the Login Portal,

1. Open a browser window on any device that has internet connectivity and is not connected to your
internal network. This saves some aggravation if there are additional configuration steps required
in your network to reach outside applications (for example, Firewall or Secure Web Gateway
configurations).
2. Enter the external URL of the application you created. From our example in this procedure, enter
https://eaa-acme-app.go.Akamai-access.com. A login screen appears.

3. Log in with the username and password assigned to the directory. In the case of Active
Directory/LDAP, use your AD credentials to login.

You can now access your enterprise applications through EAA without exposing them to Internet or
opening your application perimeter for inbound access.

Supplemental information: Whitelist IP addresses (Outbound - port 443)

You can further lock down access to specific destinations by whitelisting IP addresses in the outbound
direction from your perimeter on port 443. For a list of IP addresses to whitelist, contact support at
1-877-4-AKATEC or support@akamai.com, or contact your account team.
