Application Parameters
Provider and Protocol
Providers
- Local - If the application is hosted onsite (for example, at the corporate premises), select this option.
- AWS - If the application is hosted in the cloud on Amazon Web Services (AWS), select this option. With AWS, there is an option to manage assets based on labels. If AWS is selected, the only protocols available for configuration are RDP, VNC, SSH, and TELNET.
Protocols
The following applications are available to configure. Each application is associated with a protocol and its standard port number. Click each link to learn more about configuring it.
- Networks - TCP, SSH Tunnel, Network
- Databases - PSQL
- Files - SMB

Application Parameter
The parameters for each application differ according to the type of application selected. The parameters specific to an application are described in the above articles.
Visible - By default, this option is enabled. When enabled, the application is displayed on the end user's Applications Portal.
However, there are scenarios in which the application need not be visible to the end user, although it is published and available for the user to connect to. One such scenario is when an application opened from the Application Portal redirects to a different URL. This redirected traffic needs to be routed through the Cyolo connect tunnel.
For example, if an application is published on the portal for the URL www.cnn.com, when users click on it, the traffic is redirected to edition.cnn.com, which will not be routed through the Cyolo platform and therefore is insecure. To force traffic to edition.cnn.com to route through the Cyolo platform, another application for edition.cnn.com is created, but the Visible option is disabled. Now both URLs are routed through the secure Cyolo platform.
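The following added example (not Cyolo code) shows one way to audit for the redirect gap described above: it walks a recorded redirect chain and lists hosts that have no published application, which are the candidates for a hidden (Visible disabled) entry. The inventory structure, the recorded redirects and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: hosts that already have a published application,
# and redirects observed while browsing them (e.g. from proxy logs).
PUBLISHED = {
    "www.cnn.com": {"visible": True},
}
OBSERVED_REDIRECTS = {
    "http://www.cnn.com/": "https://www.cnn.com/",
    "https://www.cnn.com/": "https://edition.cnn.com/",
}

def redirect_chain(start_url, redirects, max_hops=10):
    """Follow recorded redirects from start_url; stop on a loop or at max_hops."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain

def uncovered_hosts(start_url, redirects, published):
    """Return hosts in the redirect chain that have no published application."""
    missing = []
    for url in redirect_chain(start_url, redirects):
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in published and host not in missing:
            missing.append(host)
    return missing

def hidden_apps_to_add(start_url, redirects, published):
    """Propose entries with Visible disabled for every uncovered host."""
    hosts = uncovered_hosts(start_url, redirects, published)
    return {host: {"visible": False} for host in hosts}

if __name__ == "__main__":
    proposal = hidden_apps_to_add("http://www.cnn.com/", OBSERVED_REDIRECTS, PUBLISHED)
    for host, cfg in proposal.items():
        print(f"{host}: publish with Visible={cfg['visible']}")
```
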
Internal address/URL - Enter the internal IP address or URL of the server hosting the application. This address or URL must be accessible from IDAC.
Site - Sites represent the logical segmentation of the organization. Each site has at least one IDAC that publishes resources from that site.
When adding a site, a DNS suffix (for example, www.example.com) and/or a network address in CIDR notation is configured. A site is automatically chosen according to the internal IP address or URL entered under the Internal address/URL field. Therefore, selecting a site here specifies the IDAC that publishes this application.
By default, "All sites" is selected. Click the drop-down to either select a specific IDAC from the drop-down list to publish this application on a specific IDAC, or select All sites to publish this application on all IDACs, including existing and future IDACs.
It is recommended to select more than one IDAC for high availability. If a specific site is selected, the application is published to that IDAC only. If a new IDAC is installed on the same site that already publishes this application, the new IDAC will publish the said application.
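As an added pre-deployment check (not Cyolo code), the sketch below matches an internal address or URL against site definitions made of DNS suffixes and CIDR ranges, and exposes addresses that match no site or more than one. The site names and ranges are constructed, and the most-specific-first ordering is an assumption; this page does not state how the product resolves overlapping sites.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed site definitions: DNS suffixes and/or CIDR ranges per site.
SITES = {
    "hq":      {"suffixes": ["corp.example.com"],  "cidrs": ["10.10.0.0/16"]},
    "factory": {"suffixes": ["plant.example.com"], "cidrs": ["10.10.20.0/24"]},
}

def host_of(address):
    """Extract the host from a bare host, host:port, or full URL."""
    if "://" not in address:
        address = "//" + address
    return (urlsplit(address).hostname or "").lower()

def matching_sites(address, sites):
    """Return names of sites matching the address, most specific first."""
    host = host_of(address)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, so match on DNS suffix instead
    hits = []
    for name, site in sites.items():
        if ip is not None:
            nets = [ipaddress.ip_network(c) for c in site["cidrs"]]
            best = max((n.prefixlen for n in nets if ip in n), default=None)
            if best is not None:
                hits.append((best, name))
        else:
            for suffix in site["suffixes"]:
                # Match on a label boundary so "notcorp.example.com"
                # does not fall under the suffix "corp.example.com".
                if host == suffix or host.endswith("." + suffix):
                    hits.append((len(suffix), name))
                    break
    return [name for _, name in sorted(hits, reverse=True)]

if __name__ == "__main__":
    for addr in ["10.10.20.5:3389", "https://wiki.corp.example.com/", "192.168.1.1"]:
        found = matching_sites(addr, SITES)
        note = "no site" if not found else "overlap" if len(found) > 1 else "ok"
        print(f"{addr:32} -> {found} ({note})")
```

An empty result means no configured site covers the address; more than one result means the site definitions overlap and the explicit Site selection matters.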
Subdomain - Enter the subdomain or domain prefix to be added to the domain to form the public URL that users connect to. For example, if the subdomain entered is web and the domain is domain.cyolo.io, the public URL is web.domain.cyolo.io.
Domain - Domains added under Applications > Domains page are listed here. Generally, only a single domain is configured on the portal; however, multiple domains can be added as per network requirement. By default, the first domain is displayed in this field. Click the drop-down to select the domain of your choice.
Icon - Upload an image file to be displayed as the icon for the application on the Application Portal.
To know more about options particular to each application, refer to the sections linked above.

Authentication Method
Authentication method here refers to the authentication parameters set within the application. To sign in to applications, users must either enter the credentials or the sign-in must be done on their behalf. This section allows the portal admin to configure the authentication mechanism before accessing a resource from the Applications Portal.

Sign-in settings - This section has the following options:
None - Selecting this option means the user will be prompted for authentication before signing in to the application. If the application or resource requires authentication, it must be entered manually. This option is available on all applications.
Basic - Basic authentication is selected when the credentials are username and password. Basic authentication is available when HTTP, HTTPS, RDP, SSH, VNC, TELNET, PSQL, and SMB type of applications are selected under the Protocols section. These are the options available for basic authentication:
- User logon credentials - The credentials used to log in to the Applications Portal are used to access the application. The user will not be prompted for a username and password.
- Prompt user and store in personal vault - The user will be prompted for a username and password when connecting for the first time. The credentials will be stored in the user's personal vault and automatically used for every subsequent sign-in attempt, so the user will not be prompted for credentials thereafter.
- Assign secret from vault - With this option set, the portal admin stores the application's username and password in the system vault. When the user connects to the application, they are not prompted for credentials; instead, the stored credentials are used in the background to sign in the user. For more information on vaults, refer to the section: Vault.
- Prompt the user and pass-through the credentials - This option prompts the user to provide credentials that are passed to the application but are not stored.
Forms - This option is for web applications working with web forms. Forms-based SSO depends on the specific SSO implementation for each web application. Cyolo provides options for different SSO designs, including one-time tokens and CSRF tokens, inserting authentication parameters as headers, and using different pre-login and login URLs. Forms-based authentication is available when web applications (HTTP/HTTPS) are selected under the Protocols section.
SamlSP - The SAML SP SSO solution adds a layer of protection. It acts as a proxy that monitors users' activities within a service provider. SamlSP-based authentication is available when web applications (HTTP/HTTPS) are selected under the Protocols section.
Private Key - Private key is used when the credentials are a private key and, optionally, a username. Private key authentication is available when SSH is selected under the Protocols section. These are the options available for private key authentication:
- User logon credentials - The credentials used to log in to the Applications Portal are used to access the application. The user will not be prompted for a username and password.
- Prompt user and store in personal vault - The user will be prompted for a username and private key when connecting for the first time. The credentials will be stored in the user's personal vault and automatically used for every subsequent sign-in attempt, so the user will not be prompted for credentials thereafter.
- Assign secret from vault - The portal admin stores the application's username and private key in the system vault. When users connect to the application, they are not prompted for credentials; instead, the stored credentials are used in the background to sign in the user.