Cisco Meraki Documentation

Secure Connect - Architecture of Clientless Remote Access

Architecture of Clientless Remote Access (ZTNA)  


[Diagram: Clientless Remote Access architecture]

Clientless Remote Access is a turnkey as-a-service solution. As shown in the diagram above, the customer environment establishes connectivity to the Secure Connect fabric. Edge traffic is acquired by the Secure Connect fabric via the Service Edge. The Service Edge works as a proxy and connects to Secure Connect services as well as authentication services. Once the interconnection is established, the Secure Connect fabric can route traffic to the application.

The following are the high-level responsibilities of each block. 

Customer Edge  

  • The client initiates a browser connection to the application-specific URL

  • This request is resolved and redirected to the nearest data center based on Anycast DNS

Service Edge  

  • The data center determines from the connection request which service to reach out to

  • It connects to the nearest Umbrella cloud where the service is running and proxies the traffic coming from the browser

Fabric Services  

  • The ZTNA Proxy changes the traffic source to an address within 100.64.0.0/16 or 100.127.0.0/16 (carrier-grade NAT range)

  • A request is sent for authentication and posture check

  • Once the user is authenticated and authorized, the request is redirected to the policy engine, which decides whether to let the request in based on the policies you have set

  • Once the decision is made, the request is sent to our routing engine to deliver traffic to the application correctly

Customer Environment  

  • The user has secured access to the application 
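
Because the ZTNA Proxy rewrites the traffic source as described under Fabric Services, the application sees clientless sessions arriving from 100.64.0.0/16 or 100.127.0.0/16. The following is an added example, not part of the Cisco Meraki documentation, that audits an application access log for sources outside those ranges. It assumes the first field of each log line is the TCP peer address and that the application is meant to be reached only through clientless access; the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Source ranges the page gives for the ZTNA Proxy.
ZTNA_PROXY_RANGES = [ipaddress.ip_network("100.64.0.0/16"),
                     ipaddress.ip_network("100.127.0.0/16")]
# RFC 6598 shared address space (carrier-grade NAT), which contains both ranges.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample log lines (assumed format: peer address is the first field).
SAMPLE_LOG = """\
100.64.12.7 - - [01/Jan/2025:10:00:01 +0000] "GET /app/ HTTP/1.1" 200 512
100.127.3.44 - - [01/Jan/2025:10:00:02 +0000] "GET /app/login HTTP/1.1" 302 0
100.65.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /app/ HTTP/1.1" 200 512
203.0.113.25 - - [01/Jan/2025:10:00:04 +0000] "GET /app/admin HTTP/1.1" 200 900
not-an-ip - - [01/Jan/2025:10:00:05 +0000] "GET /app/ HTTP/1.1" 400 0
"""

def classify_source(addr: str) -> str:
    """Label a client address as seen by the application server."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in ZTNA_PROXY_RANGES):
        return "ztna-proxy"
    if ip.version == 4 and ip in CGNAT:
        # Inside CGNAT space but not one of the two /16s the page lists.
        return "cgnat-other"
    return "direct"

def audit(log_text: str):
    """Return per-label counts and the (source, label) pairs that are not ZTNA-proxied."""
    counts, unexpected = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split(" ", 1)[0]
        label = classify_source(src)
        counts[label] += 1
        if label != "ztna-proxy":
            unexpected.append((src, label))
    return counts, unexpected

if __name__ == "__main__":
    counts, unexpected = audit(SAMPLE_LOG)
    print(dict(counts))
    for src, label in unexpected:
        print(f"review: {src} ({label})")
```

The same two ranges are the ones to permit in a firewall rule in front of the application; treating all of 100.64.0.0/10 as trusted would admit addresses the page does not attribute to the ZTNA Proxy.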
