
Appgate SDP with DefensX Agent

In this document
  • Overview
  • Problem Description
  • Solution

Overview

Appgate SDP is a cloud-native, API-enabled Zero Trust Network Access (ZTNA) solution that secures user access to applications across hybrid, cloud, and on-premises environments.

It uses Single Packet Authorization (SPA), a technique originally popularized by the open-source tool fwknop, first released in 2004.

SPA can operate in two different modes:

  • TCP (TLS Extension): New connections must present a single TCP packet containing a TLS ClientHello with a specially crafted extension before a TLS session can be established.

  • UDP + TCP (SPA-DNS + SPA-DTLS): New connections must first present a valid UDP packet containing a time-based encrypted key. Only after this packet is validated will the TCP port (typically 443) be opened.

By default, Appgate SDP uses the UDP + TCP model, in which the client sends two UDP packets at the same time:

  • SPA-DNS packet → UDP port 53 (appears like a DNS request)

  • SPA-DTLS packet → UDP port 443

Both packets contain encrypted payloads that allow the Appgate SDP controller to authenticate the client and dynamically open firewall access.

Problem Description

Appgate SDP shapes the first packet like a DNS query because outbound DNS traffic is allowed out of most networks. The packet, however, must reach the SDP controller byte-for-byte as the client sent it.

In practice, this requirement can fail in several scenarios:

  1. Many networks redirect outgoing DNS traffic to an internal DNS resolver. A forwarding resolver does not pass the original datagram along; it issues its own query upstream, so the controller never sees the client's packet.

  2. Some ISPs or routers intercept DNS requests for filtering or analytics.

  3. Security tools that detect DNS exfiltration may drop these packets, because the client reuses the same transaction ID with different binary payloads, a pattern that DNS-tunnelling detection treats as suspicious.

  4. DNS security platforms, DefensX among them, need to inspect and modify DNS requests before forwarding them.

Any modification to the original packet prevents Appgate SDP from verifying the client.
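To make concrete why a rewritten packet can no longer be verified, the following Python is an added example and is not Appgate SDP's code or wire format. It models a DNS-lookalike SPA packet whose QNAME carries a timestamp, a nonce, a client identifier and an HMAC computed over the DNS header and the token bytes, and then models a forwarding resolver that re-issues the query with its own transaction ID and altered label case. The shared key, the token layout, the fixed trailing labels and the 30-second window are all assumptions made for the illustration.

```python
"""
Toy model of Single Packet Authorization (SPA) inside a DNS-lookalike UDP
datagram.  Added example for this page, not Appgate SDP's code or wire format:
the key, token layout, HMAC over the whole datagram and the 30-second window
are assumptions chosen to show why a re-issued query cannot be verified.
"""
import hashlib
import hmac
import os
import random
import struct
import time

SHARED_KEY = b"toy-key-for-illustration"  # assumption: pre-shared client/controller key
TIME_WINDOW = 30                          # assumption: accepted clock skew (seconds)
SUFFIX = ["spa", "example"]               # assumption: fixed trailing labels
TAG_LEN = 16                              # truncated HMAC-SHA256 tag


def encode_qname(labels):
    """Serialize labels in DNS wire format: length-prefixed, NUL-terminated."""
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(buf, offset):
    """Parse a QNAME at offset; return (labels, offset just past the NUL)."""
    labels = []
    while True:
        n = buf[offset]
        offset += 1
        if n == 0:
            return labels, offset
        labels.append(buf[offset:offset + n].decode("ascii"))
        offset += n


def _mac_input(header, token_labels):
    # The MAC binds the DNS header (transaction ID, flags) and the exact bytes
    # of the token labels, so any rewrite in transit invalidates it.
    return header + encode_qname(token_labels)[:-1]


def build_spa_dns_packet(key, client_id, txid, now=None):
    """Client side: a DNS query whose QNAME carries ts | nonce | client_id | MAC."""
    ts = int(now if now is not None else time.time())
    token = struct.pack("!I", ts) + os.urandom(8) + client_id.encode("ascii")
    token_hex = token.hex()
    token_labels = [token_hex[i:i + 60] for i in range(0, len(token_hex), 60)]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, RD, 1 question
    tag = hmac.new(key, _mac_input(header, token_labels), hashlib.sha256).digest()[:TAG_LEN]
    qname = encode_qname(token_labels + [tag.hex()] + SUFFIX)
    return header + qname + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN


def verify_spa_dns_packet(key, packet, seen_nonces, now=None):
    """Controller side: returns (True, client_id) or (False, reason)."""
    try:
        header = packet[:12]
        labels, _ = decode_qname(packet, 12)
        if len(labels) < len(SUFFIX) + 2 or [l.lower() for l in labels[-len(SUFFIX):]] != SUFFIX:
            return False, "bad_format"
        token_labels = labels[:-len(SUFFIX) - 1]
        tag = bytes.fromhex(labels[-len(SUFFIX) - 1])
        token = bytes.fromhex("".join(token_labels))
    except (IndexError, UnicodeDecodeError, ValueError):
        return False, "bad_format"
    if len(token) < 12:
        return False, "bad_format"
    expected = hmac.new(key, _mac_input(header, token_labels), hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return False, "bad_mac"          # rewritten header or labels, or wrong key
    ts = struct.unpack("!I", token[:4])[0]
    nonce = token[4:12]
    if abs(int(now if now is not None else time.time()) - ts) > TIME_WINDOW:
        return False, "stale"            # outside the accepted time window
    if nonce in seen_nonces:
        return False, "replay"           # the same datagram was seen before
    seen_nonces.add(nonce)
    return True, token[12:].decode("ascii")


def forward_through_resolver(packet):
    """Model of a forwarding resolver (internal DNS server, ISP interceptor):
    it parses the question and sends its OWN upstream query with a fresh
    transaction ID and a 0x20-style case change (modeled as upper-casing).
    Same DNS question, different bytes on the wire."""
    old_id = struct.unpack("!H", packet[:2])[0]
    new_id = (old_id + 1 + random.randrange(0xFFFF)) & 0xFFFF  # never equal to old_id
    labels, end = decode_qname(packet, 12)
    qname = encode_qname([label.upper() for label in labels])
    return struct.pack("!H", new_id) + packet[2:12] + qname + packet[end:]
```

Calling `verify_spa_dns_packet` on a packet straight from `build_spa_dns_packet` returns `(True, client_id)`; the same packet after `forward_through_resolver` returns `(False, "bad_mac")`, because the resolver's re-issued datagram carries a different transaction ID and differently-cased labels even though it asks the same DNS question. That is the situation in scenarios 1 and 2 above; in scenario 3 the packet is dropped outright, and in scenario 4 the security platform's rewrite has the same effect as the resolver's.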

Normally, the Appgate client also sends the SPA-DTLS packet (UDP 443) to the same controller at the same time, so a lost or altered SPA-DNS packet on its own does not block access. If, however:

  • the DNS packet is modified or redirected, and

  • UDP port 443 traffic is blocked by a firewall,

then neither SPA packet is accepted, the controller never opens the port, and the client cannot authenticate.

[Screenshot: Appgate SDP client showing the connection error]

In this case, the client typically shows a Connection failed error after approximately 20 seconds.

Solution

Allow outbound UDP port 443 from the client networks to the Appgate SDP controller on every firewall in the path, so that the SPA-DTLS packet reaches the controller and authentication succeeds even when the SPA-DNS packet is intercepted or rewritten.

Open this port even where the DefensX Agent is not installed: the other scenarios (redirection to an internal resolver, ISP interception, DNS-exfiltration controls) are also common and interfere with SPA-DNS packets in the same way. Once the rule is in place, the client should connect without the roughly 20-second Connection failed delay.

www.defensx.com
Secure Industries, Inc 101 Avenue of The Americas, Floor 9 New York, NY 10013