EAA Client architecture overview
The high-level flow for each TCP-type client-access application is described here.
For each application (1), a WebSocket tunnel is created and the traffic is directed to the Enterprise Application Access (EAA) cloud (2). Unlike a VPN, this tunnel does not provide access to the entire network. It only establishes connectivity to the authorized application. From the EAA cloud, traffic is directed to the connector through the firewall (3). Traffic is then forwarded to the application server (4). For example, if you configure the Outlook client as a client-access application, this traffic is directed to the Microsoft Exchange server.
With this workflow, a single TCP application is secured by EAA. End users are able to access the application with the configured internal host. If there are multiple desktop applications, then multiple TCP client applications need to be configured. For a detailed implementation flow, see TCP-type client-access application workflow.
The high-level flow for each tunnel-type client-access application is described here:
A tunnel-type client-access application establishes connectivity for the entire domain or the organization. Unlike a traditional VPN, it provides secure access to one or more applications (both TCP and UDP) and to one or more groups within your organization (1). However, it does not provide secure access to the entire network. A WebSocket tunnel is created and the traffic is directed to the EAA cloud (2). The connector (3) performs network address translation (NAT) after resolving the subdomains. This lets each application communicate securely with its respective application server through the configured internal host on the machine (4). The IT administrator can selectively exclude certain applications in certain subdomains from being intercepted by the Enterprise Application Access Client. For more details, see Set up DNS exceptions.
With this workflow, multiple applications can be securely and selectively accessed by certain users and groups within your organization using a single tunnel-type client-access application. For a detailed implementation flow, see Tunnel-type client-access application workflow.
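The scoping difference between the two application types can be modeled as a per-connection decision. This is an added example, not Akamai code or EAA configuration syntax. The hostnames, ports, names and the order in which the rules are checked are assumptions made for illustration.

```python
# Simplified model of how a destination is scoped under the two
# client-access application types described above.
# All hostnames, ports and identifiers are constructed for illustration.

# TCP-type: one configured internal host and port per application.
TCP_APPS = {("mail.corp.example", 443)}
# Tunnel-type: a whole domain, covering both TCP and UDP.
TUNNEL_DOMAINS = ["eng.corp.example"]
# DNS exceptions: subdomains the administrator excludes from interception.
DNS_EXCEPTIONS = ["printers.eng.corp.example"]


def _under(host, domain):
    """True if host is the domain itself or a subdomain of it.

    The match is aligned on a label boundary, so 'fakeeng.corp.example'
    does not count as being under 'eng.corp.example'.
    """
    return host == domain or host.endswith("." + domain)


def classify(host, port, proto):
    """Return how a connection attempt is treated in this model."""
    host = host.lower().rstrip(".")  # normalize case and trailing root dot
    # Assumed order: exact TCP application first, then exceptions, then tunnel.
    if proto == "tcp" and (host, port) in TCP_APPS:
        return "tcp-app"
    if any(_under(host, d) for d in DNS_EXCEPTIONS):
        return "excluded"
    if any(_under(host, d) for d in TUNNEL_DOMAINS):
        return "tunnel"
    # Unlike a VPN, anything not explicitly configured is out of scope.
    return "not-intercepted"


if __name__ == "__main__":
    for dest in [("mail.corp.example", 443, "tcp"),
                 ("git.eng.corp.example", 22, "tcp"),
                 ("ntp.eng.corp.example", 123, "udp"),
                 ("lp1.printers.eng.corp.example", 9100, "tcp"),
                 ("files.corp.example", 445, "tcp")]:
        print(dest, "->", classify(*dest))
```

The final fallthrough is the property that distinguishes both types from a full-network VPN: a destination that matches no configured application or domain is never carried over the tunnel.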