As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast,
reliable and secure. The company’s advanced web performance, cloud security and media delivery
solutions are revolutionizing how businesses optimize the consumer, enterprise or entertainment
experience to any device, anywhere. To learn how Akamai solutions, and its team of Internet experts, are
helping businesses move faster forward, please visit www.akamai.com and follow @Akamai on Twitter.
Table of Contents
Notice
About connectors
Access an application in the Login Portal
Welcome to Enterprise Application Access
Enterprise Application Access (EAA) is a simple way to secure and deliver your applications that run
behind a firewall or in a public cloud. It is a secure remote access service that lets you protect your
applications from Internet threats while giving you control and governance over access by your contractors,
partners, vendors and employees. Your users on the Internet connect to the EAA service through a
URL they enter in their browser, provide their credentials, and gain access to your applications.
This quick start guide gives a high-level explanation of the EAA architecture and guides you through
the process to set up and deploy your first application.
For more complete user assistance, visit the EAA product help.
Your internet users connect to the EAA service through a URL they enter in their browsers. They simply
provide their credentials to gain access to your applications.
1. Data Edge: Provides the data plane between the user and the application, as well as the data
security, application performance and optimization components.
2. Management edge: Provides management, logging, reporting, and configuration capabilities.
The EAA management and data edges are based on a secure, multi-tenant architecture. In addition
to the multi-tenant data cloud, you have the option to select a dedicated single-tenant data cloud
that can be configured to only process a single user’s traffic.
3. Enterprise connector: See About connectors.
1. An account or contract with Akamai Luna Control Center with permissions for the Enterprise
Application Access (EAA) product. If you don’t have an account, contact your sales
representative. For instructions on how to access EAA on Luna Control Center, see About
Akamai Luna Control Center.
2. An admin or editor role in the Luna Control Center account.
3. The private IP address, or fully qualified domain name of a web-based application to provide
access to.
4. Credentials to install and run the EAA connector in your VMware, AWS, or other virtual
environment.
1. Context selector: Manage groups and properties.
2. Account selector: Choose the account or contract.
3. Mega menu: The contents and products under these menus may change based on the account or
contract selected.
If you do not see the content or product in the mega menu, make sure the correct account or contract
is selected. For further assistance contact your account representative.
For more information on context, groups, and properties, see the Select a Group or Property help.
Connector installation requirements
Installation requirements for a connector are as follows:
1. A virtual environment account with sufficient privileges to create a VM and assign computing
resources.
2. An IP subnet of internal applications. The connector should run close to internal applications,
possibly in the same subnet as the application, and be able to communicate with the application in
test, ideally with an internal IP address or internal FQDN/hostname.
3. A firewall that allows the connector's private IP address to reach the application on configured
port numbers. Any internal firewall should allow the EAA connectors to reach the application on
the configured port numbers. For example, a firewall rule to allow the connector to reach the
application server internal IP address or hostname (if DNS is configured) on port numbers 80,
443, or any application specific port.
4. A connector that’s able to reach the Enterprise Application Access service over the internet. This
communication is carried out over an open TCP port 443, and only needs outbound connectivity.
5. The connector must be configured with an IP address, either dynamically through an internal
DHCP server or statically through the VM console menu. (Note: the configuration menu only
appears for VMware, Hyper-V, VirtualBox, KVM, and OpenStack.)
6. NAT and routing must be configured correctly to allow outbound traffic and to let the connector
reach the application.
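A connectivity preflight for the requirements above, written here as an added example in Python rather than anything shipped with EAA. It attempts TCP handshakes from the connector host to the internal application (requirement 3) and outbound to the EAA service on port 443 (requirement 4), and lists the checks that failed so you know which firewall rule or route to revisit. The EAA service hostname is a placeholder, since the real endpoint comes from your tenant; 192.168.2.195:443 is the example application server this guide uses later.

```python
import socket
from dataclasses import dataclass

# Placeholder for the EAA service endpoint the connector must reach over the
# Internet; the real hostname comes from your EAA tenant, not from this guide.
EAA_SERVICE_HOST = "eaa-service.example.invalid"
EAA_SERVICE_PORT = 443  # requirement 4: outbound TCP 443 only


@dataclass(frozen=True)
class Check:
    """One reachability requirement, seen from the connector's point of view."""
    name: str
    host: str
    port: int


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    Any OSError (DNS failure, connection refused, filtered/timeout, no route)
    is reported as unreachable; the caller decides which rule to fix.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_preflight(checks, probe=tcp_reachable) -> dict:
    """Run every check. The probe is injectable so the logic is testable offline."""
    return {c.name: probe(c.host, c.port) for c in checks}


def failed_checks(results: dict) -> list:
    """Names of checks that did not succeed, in the order they were run."""
    return [name for name, ok in results.items() if not ok]


def connector_checks(app_host: str, app_port: int) -> list:
    """Checks implied by requirements 3 and 4: internal app reachability, outbound 443."""
    return [
        Check("app-server", app_host, app_port),
        Check("eaa-service-outbound-443", EAA_SERVICE_HOST, EAA_SERVICE_PORT),
    ]


if __name__ == "__main__":
    # 192.168.2.195:443 is the example application server used later in this guide.
    results = run_preflight(connector_checks("192.168.2.195", 443))
    for name, ok in results.items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
    for name in failed_checks(results):
        print(f"review the firewall rule or route for {name}")
```

Run it on the connector VM itself (or a host in the same subnet), not from your workstation: the point is to confirm the connector's own private IP address can reach the application and that only outbound 443 is needed toward the service.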
It may take some time before your connector file is available for download.
environment, select VMware.
6. Click Save Changes. A dialog appears indicating that you will receive an email when the connector
file is ready for download or you can go to the Connectors page to download the file when it’s
available.
7. After reading the text in the dialog, click Okay. You are directed to the Connectors page.
8. Navigate to the connector card for the connector you created. The status of the connector appears
in the connector card.
9. When the download link is available, click the Click here to download link. The connector file
opens in a separate browser window.
10. Download the connector file in a secure location to prevent any accidental deletion. The contents
of the connector file are used to set up the connector on the virtual environment.
Next Steps: Install the connector on the virtual environment. For instructions see Install and approve a
connector.
After successful installation, the connector runs in your virtual environment. Return to the connector
configuration card. Make sure you can see a button labeled “Click here to approve.” This indicates that the
connector is checked in.
To approve a connector, click Click here to approve. The connector status changes to "Connector is
running".
When a user attempts to access an application, the user’s browser initiates a TLS session to the EAA Edge.
The EAA Edge terminates this TLS session, authenticates the user to the directory associated with the
application (optionally adding 2-factor or multi-factor authentication), and matches the user against their
access policy. The EAA Edge can authenticate users to the following Directories and identity providers
(IdP):
• Active Directory (LDAP), including support for Kerberos. Visit the product help to learn how to
Integrate an Active Directory.
• SAML Identity Providers (Okta, Ping, OneLogin, and so on). Visit the product help to learn more
About SAML and identity providers.
• OpenID Connect implementations (e.g., Google Directory).
• EAA Internal IdP (Identity Provider): customers have the option to use EAA as their
directory source as needed. See About the Cloud Directory.
After the user is authenticated, the outbound session from the connector and the inbound session from the
user’s device are “stitched” together in the EAA. The connector further proxies this user-to-connector
session to the application (i.e., creates a third session), thereby provisioning a dynamic, end-to-end path for
the user to interact with the application.
In the context of Enterprise Application Access (EAA) authentication, identity is a set of attributes which
describe a user. These digital identities are stored in a directory. For directory types see About directories.
For more information about attributes see About user attributes.
Identity providers (IdP) offer user authentication as a service. They create, maintain, and manage identity
information for principals (typically a user) in a cloud. Some IdPs can act as the directory and others
delegate authentication back to Active Directory (AD) or LDAP. IdPs provide authentication to
applications within a federated or distributed network.
IdPs use SAML, a federated identity protocol that enables web browser Single Sign-On (SSO), to securely
exchange identity information between two autonomous entities. See About SAML.
The primary use case for IdPs is Single Sign-On (SSO) authentication. Additional security such as two-
factor authentication (2FA) and multi-factor authentication (MFA) can be layered on top of the SSO
authentication. See Single Sign-On (SSO) and About multi-factor authentication.
1. From the top menu bar choose Identity > Directories. The Directory cards appear.
2. On the directory card, click Users. The User information appears.
5. Click Invite User. New users receive an email to create a password and complete their account
authorization.
You can create more groups and add users to various groups for role based authorization.
2. From the top menu bar choose Identity > Identity Providers. The Identity Providers page appears.
5. Select the directory. If you are a first time user, select the Cloud Directory card.
Step 3: Add a new application to Enterprise Application Access
Add an application to EAA
Select an application that you want to securely access from outside your enterprise network. For example, try
SharePoint, SAP, Jira, Jenkins, Confluence, and so on.
Web-based applications use the application type HTTP. Non web-based application types include RDP,
VNC, or SSH.
In our example, the web-based application server runs HTTPS with a private IP address of 192.168.2.195.
For more information on specific application types, see Configure and deploy a remote desktop (RDP)
application, and Create an SSH application.
To add an application and configure the access parameters for the application,
1. From the top menu bar, click Applications. The application cards appear.
2. Click Add Application. A window appears.
5. Select the application profile.
6. Click Create App and Configure. The application general tab opens.
7. The Application Server IP/FQDN type is pre-populated based on the Application Profile.
8. In the second Application Server IP/FQDN field, enter an IP port number.
For HTTPS, IP port 443 is default. If your application doesn’t normally redirect you to the
login page, you may need to include a suffix (e.g., /login) in the third field.
9. To configure multiple application servers for load balancing, click Add More. EAA supports
various load balancing techniques, for example round-robin, session or cookie stickiness, source
IP hash, and so on.
10. If you are configuring a VNC application, optionally enter a VNC passphrase or password, if your
server is configured to allow access via VNC.
11. Select an External Host Name domain type, then enter an external host name for the application.
12. Select an Akamai Cloud Zone. The cloud zone should be located closest to the data center where
your application server resides.
17. Click Save & go to Authentication. The Authentication tab opens to the IdP list.
EAA creates and provides an Akamai IdP and Cloud Directory for every new account. These items
contain the authentication credentials for all of the users in your tenant, and can be modified to contain
additional users or groups. You can create more identity providers and associate different authentication
sources.
To assign an IdP to an application, assign a directory to an application, and prepare your application for
deployment, do as follows:
1. When the IdP configuration page appears, click Assign Identity Provider. The IdP cards appear.
4. Click the directory card you want to assign to the application. The directory card expands to expose
more information and available actions.
5. To authorize user access to the application, assign groups from the Cloud Directory. Click Assign
Groups. A window appears.
6. Select the groups to assign to the application.
7. Click Done. NOTE: You can use your Active Directory as well for authentication if needed.
8. At the bottom of the page, click Save and go to Services. The SERVICES tab for the application
opens.
9. As a first time user, leave the defaults for the application’s SERVICES tab unchanged.
10. Click Save & go to Advanced Settings to continue. The application’s ADVANCED SETTINGS
tab opens.
11. As a first time user, leave the defaults for the application’s ADVANCED SETTINGS tab
unchanged. Click Save & go to DEPLOYMENT to continue. The application’s DEPLOYMENT
tab opens.
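To make the edge-side sequence concrete, here is an added Python model (my code, not EAA's) of what happens after TLS is terminated, as described earlier in this guide and configured in steps 4 to 7 above: the user is looked up in the directory, the credential is verified, the optional second factor is applied, and access is granted only if the user belongs to a group assigned to the application. Users, groups and passwords are constructed; the external host name is the guide's example; the PBKDF2 parameters are my choice.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class DirectoryUser:
    """Identity = a set of attributes describing the user; groups are the attribute
    EAA authorizes on. Only a salted hash of the password is stored."""
    username: str
    salt: bytes
    pw_hash: bytes
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Application:
    name: str
    external_host: str
    assigned_groups: FrozenSet[str]   # groups assigned on the Authentication tab
    require_mfa: bool = False         # "layered on top of" SSO, per the text


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256; the iteration count is an assumption for this example."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, groups) -> DirectoryUser:
    salt, digest = hash_password(password)
    return DirectoryUser(username, salt, digest, frozenset(groups))


def authenticate(directory: Dict[str, DirectoryUser], username: str,
                 password: str) -> Optional[DirectoryUser]:
    """Return the user on a correct credential, else None. Unknown users still pay
    for one hash so the response time does not reveal whether the name exists."""
    user = directory.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)
        return None
    _, candidate = hash_password(password, user.salt)
    return user if hmac.compare_digest(candidate, user.pw_hash) else None


def authorize(user: Optional[DirectoryUser], app: Application,
              mfa_passed: bool = False) -> Decision:
    """Deny by default: authenticated, then MFA if required, then a group match."""
    if user is None:
        return Decision(False, "authentication failed")
    if app.require_mfa and not mfa_passed:
        return Decision(False, "second factor required")
    matched = user.groups & app.assigned_groups
    if not matched:
        return Decision(False, f"no assigned group for {app.name}")
    return Decision(True, f"member of {sorted(matched)[0]}")


def access_request(directory, app, username, password, mfa_passed=False) -> Decision:
    """The whole sequence: credentials at the login URL, then the policy match."""
    return authorize(authenticate(directory, username, password), app, mfa_passed)


# Constructed sample directory and application (names and passwords are made up).
SAMPLE_DIRECTORY = {
    "alice": make_user("alice", "correct horse battery", ["engineering"]),
    "bob": make_user("bob", "contractor-pass", ["contractors"]),
}
SAMPLE_APP = Application("jira", "eaa-acme-app.go.Akamai-access.com",
                         frozenset({"engineering"}))

if __name__ == "__main__":
    for name, pw in [("alice", "correct horse battery"), ("bob", "contractor-pass"),
                     ("alice", "wrong"), ("mallory", "x")]:
        print(name, "->", access_request(SAMPLE_DIRECTORY, SAMPLE_APP, name, pw))
```

Note that bob authenticates successfully and is still denied: assigning groups to the application is what turns a directory user into an authorized user, so keep the assigned set as narrow as the application needs.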
Step 5: See your configuration take off!
Deploy your application.
To deploy an application,
If the Click to Deploy Application button is not visible and instead you see APPLICATION
STATUS: APP NOT READY, correct the items listed and try again.
The deployment process takes three to five minutes. The application status indicates whether the
application is ready for secure access.
When the deployment is complete you will see the following screen:
Step 6: Give it a try
Try accessing your application through the Enterprise Application Access login portal to experience
your application as your customers will.
1. Open a browser window on any device that has internet connectivity and is not connected to your
internal network. This saves some aggravation if there are additional configuration steps required
in your network to reach outside applications (for example, Firewall or Secure Web Gateway
configurations).
2. Enter the external URL of the application you created. From our example in this procedure, enter
https://eaa-acme-app.go.Akamai-access.com. A login screen appears.
3. Log in with the username and password assigned to the directory. In the case of Active
Directory/LDAP, use your AD credentials to log in.
You can now access your enterprise applications through EAA without exposing them to the Internet or
opening your application perimeter for inbound access.
Supplemental information: Whitelist IP addresses (Outbound - port 443)
You can further lock down access to specific destinations by whitelisting IP addresses in the outbound
direction from your perimeter on port 443. For a list of IP addresses to whitelist, contact support at 1-877-
4-AKATEC or support@akamai.com, or contact your account team.