Configuring ZTNA in DefensX

Preparing the Deployment for ZTNA

Before configuring ZTNA services, the deployment environment must be prepared. For ZTNA environments, it is strongly recommended to place Connector Agents in a separate deployment where LOGON User is disabled. This approach ensures that the connector always operates with the required subscription and is not affected by users logging in to the machine.

Start by creating a dedicated deployment for connectors. Navigate to Policy Groups and click +New Deployment in the Deployment table. Create a new deployment named Connectors and ensure that Create a Local Group is enabled during the creation process.
After the deployment is created, open the Advanced Options for the new deployment and configure the following settings:
Next, navigate to Settings → Subscriptions and add the deployment group created for the Connectors deployment to the Auto Provisioning Groups of the Premium+ subscription. With this configuration, Connector Agents deployed through this deployment will automatically receive the Premium+ subscription and will not be affected by Windows users logging in to the machine.
Once these configurations are completed, proceed with deploying the agents. For detailed deployment instructions, see the Deployment guide.

If users connect from within an office network that already hosts a DefensX Connector, Office IPs can be defined for that connector. These IPs should correspond to the public IP address used by the connector when accessing the DefensX ZTNA Cloud Network. When a ZTNA client connects from an IP address matching the defined Office IPs, all ZTNA services provided by that connector are disabled locally. This allows the client to access services directly over the local network, bypassing the ZTNA tunnel.

After the agent installation is completed, navigate to the Deployment table and click the number under Deployed Agents for the relevant deployment. This will open the list of agents deployed under that deployment.
From there, select the connector agent and click the Configure button for ZTNA Office IPs, where you can enter the organization’s external (public) office IP addresses.
After completing these steps, the connector will be ready to operate with ZTNA connectivity.

Creating Secure Access Policies

To create Secure Access Policies, navigate to the Configuration page. Click + New Secure Access Policy, provide a name for the policy, and ensure that the Status is set to Active. After completing the required fields, save the configuration to create the policy.
Creating Secure Access Services

Navigate to the Configuration page and click + New Secure Access Service. Enter a Name that clearly identifies the service. Select the appropriate Connector (Agent) that will provide access to the service. Under Application Restrictions, you can select which browser or available process may use the service, or choose No Restriction to let any process use the secure tunnel to access the service. Ensure that Status is set to Active. In DNS Hostname or IP Address, define the hostname(s) or IP address(es) through which the service will be accessible. Set the Protocol to what is needed for that service, then specify the Target Service IP or Hostname by entering the IP address or hostname of the target service. Finally, enter the required Port(s) that the service listens on and save the configuration to complete the Secure Access Service setup.

Use Case 1 - Remote Desktop Protocol
Use Case 2 - File Sharing
Linking Service and User Group to a Secure Access Policy

In the Secure Access Policies table, click the Linked Services cell for the relevant policy and set the required Secure Access Service to Active.
Next, click the Linked User Groups cell for the same policy and add the desired User Group as a membership.
Once these steps are completed, the selected services and user groups will be linked to the Secure Access Policy.
If a Secure Access Policy has no group assignment, it applies to all DefensX ZTNA clients, granting them access to the defined services.

Using DefensX ZTNA with Active Directory

You can securely expose your Active Directory services through a DefensX Connector, without installing the DefensX Agent directly on your Primary Domain Controller (PDC). It is best practice to use a separate machine (not the PDC) as the connector for Active Directory access. This simplifies configuration and avoids complexities related to Microsoft DNS Server settings. After configuring all required ports in a Secure Access Service, you can:
all securely over the ZTNA network. For detailed configuration steps, see the Active Directory Services Configuration guide.
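The access rules described in the sections above (an active Secure Access Service with an optional Application Restriction, an active Secure Access Policy with linked services and linked user groups, the rule that a policy with no group assignment applies to every ZTNA client, and the Office IPs rule that disables a connector's tunnel for clients arriving from a defined office address) can be checked against each other with a small model. The code below is an added illustration written for this page, not DefensX code: the class names, the evaluation order, CIDR support for Office IPs and all sample addresses (RFC 5737 documentation ranges) are assumptions made here to show how the rules combine.

```python
"""Toy model of the ZTNA access rules described on this page.

Added example, not DefensX code: every name here is invented, and the
order in which the checks run is an assumption of this illustration.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class SecureAccessService:
    name: str
    connector: str                      # name of the Connector (Agent) serving it
    ports: frozenset                    # ports the target service listens on
    allowed_processes: frozenset = frozenset()  # empty means "No Restriction"
    active: bool = True                 # Status: Active


@dataclass
class SecureAccessPolicy:
    name: str
    active: bool = True                 # Status: Active
    linked_services: dict = field(default_factory=dict)  # service name -> Active flag
    linked_groups: frozenset = frozenset()  # empty means the policy applies to all clients


@dataclass(frozen=True)
class Connector:
    name: str
    office_ips: frozenset = frozenset()  # public Office IPs; CIDR entries are an assumption


def client_is_in_office(connector, client_ip):
    """True when the client's public IP matches one of the connector's Office IPs."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in connector.office_ips)


def evaluate(client_ip, user_groups, process, service, port, policies, connectors):
    """Return 'denied', 'tunnel' (via the ZTNA cloud) or 'direct' (office LAN, tunnel disabled)."""
    if not service.active or port not in service.ports:
        return "denied"
    # Application Restrictions: an empty set is "No Restriction".
    if service.allowed_processes and process not in service.allowed_processes:
        return "denied"
    # A client is granted the service if any active policy links it as Active and
    # either has no group assignment or shares a group with the client.
    groups = frozenset(user_groups)
    granted = any(
        p.active
        and p.linked_services.get(service.name, False)
        and (not p.linked_groups or p.linked_groups & groups)
        for p in policies
    )
    if not granted:
        return "denied"
    # Office IPs: services of this connector are disabled locally, client goes direct.
    if client_is_in_office(connectors[service.connector], client_ip):
        return "direct"
    return "tunnel"


def build_example():
    """Constructed sample configuration (addresses are RFC 5737 documentation ranges)."""
    connectors = {"ad-connector": Connector("ad-connector", frozenset({"203.0.113.10"}))}
    rdp = SecureAccessService("rdp", "ad-connector", frozenset({3389}),
                              allowed_processes=frozenset({"mstsc.exe"}))
    smb = SecureAccessService("smb", "ad-connector", frozenset({445}))
    policies = [
        SecureAccessPolicy("IT Remote Access", linked_services={"rdp": True, "smb": True},
                           linked_groups=frozenset({"IT"})),
        SecureAccessPolicy("File Share for Everyone", linked_services={"smb": True}),
    ]
    return connectors, {"rdp": rdp, "smb": smb}, policies


if __name__ == "__main__":
    connectors, services, policies = build_example()
    for ip, groups, proc, svc, port in [
        ("198.51.100.7", ["IT"], "mstsc.exe", "rdp", 3389),      # remote IT user
        ("198.51.100.7", ["Sales"], "mstsc.exe", "rdp", 3389),   # wrong group
        ("198.51.100.7", ["IT"], "chrome.exe", "rdp", 3389),     # blocked process
        ("203.0.113.10", ["IT"], "mstsc.exe", "rdp", 3389),      # from the office
        ("198.51.100.7", ["Sales"], "explorer.exe", "smb", 445), # policy with no groups
    ]:
        print(ip, groups, proc, svc, port, "->",
              evaluate(ip, groups, proc, services[svc], port, policies, connectors))
```

The fourth sample shows the practical consequence of the Office IPs setting: a client whose public address matches the connector's Office IP is handed to the local network rather than the tunnel, so an Office IP that is wrong or too broad (for example a CIDR covering addresses that are not the office egress) silently turns off ZTNA for those clients, which is worth verifying after any change to the organization's external addresses.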