Certificate-based validation of origin servers

Perform certificate validation for the directory server and the application server (for HTTPS, RDP and SSH applications).

As a leader in Zero Trust security, EAA trusts no user and no device by default. As directories and applications migrate from your data center to public clouds, the EAA connector validates the certificates of the origin servers using industry-standard TLS, mitigating man-in-the-middle (MITM) attacks. The origin server can be a directory service such as AD, LDAP or AD LDS, the application server for an HTTPS web application, the application server for an RDP application, or the application server for an SSH application.

EAA customers can also use this enhanced security when communicating with origin servers that remain inside the data center: the EAA connector deployed there validates the authenticity of the origin server and improves the security posture.

Note: Certificate-based origin server validation is optional and can be disabled as needed.

The workflow for enabling origin server certificate validation depends on the type of service:

Directory origin server validation:

This enables the connector to validate the directory before performing any directory operations, such as adding authenticated users to the directory or updating groups.

HTTPS origin server validation:

  1. Upload the root CA certificate, with the full bundle, for the web application server into EAA.
  2. Enable server certificate verification and select this certificate for origin server validation while configuring your HTTPS application, then deploy it (Step 5). Note that if you enable server certificate verification but do not select a root CA certificate, the public CA certificates available in the connector are used to validate the origin server. If the origin server's certificate is not signed by a public CA, server certificate validation fails and users will not be able to access the web application.

This enables the connector to validate the HTTPS origin server over TLS. Users can then access the HTTPS access application.

Note: Origin server certificate validation is not done for HTTP applications.

RDP origin server validation:

  1. Upload the root CA certificate, with the full bundle, for the RDP server into EAA.
  2. Enable server certificate verification and select this certificate for origin server validation while configuring your RDP application, then deploy it (Step 3). Note that if you enable server certificate verification but do not select a root CA certificate, the public CA certificates available in the connector are used to validate the origin server. If the origin server's certificate is not signed by a public CA, server certificate validation fails and users will not be able to access the RDP application.

This enables the connector to validate the RDP origin server over TLS. Users can then access the RDP application.
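The two outcomes described for HTTPS and RDP above (a selected root CA bundle versus the connector's public CAs alone), reproduced with the openssl CLI as an added illustration that is not EAA's own code. It assumes openssl 1.1.1 or later is on PATH; origin.internal.example and the CA name are made-up placeholders.

```shell
#!/bin/sh
# Added illustration, not EAA code: a throwaway private root CA signs an origin
# server certificate, then the chain is checked both ways the text describes.
# Assumes the openssl CLI (1.1.1+) is on PATH; origin.internal.example is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ORIGIN=origin.internal.example
# Stand-in for the customer's private root CA and the origin certificate it issues.
make_private_pki() {
    cat > "$WORK/pki.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$ORIGIN
EOF
    # Self-signed private root: the "root CA certificate" that would be uploaded to EAA.
    openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 2 -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Origin server certificate issued by that private root, not by any public CA.
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$ORIGIN" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/pki.cnf" -extensions server_ext \
        -out "$WORK/server.pem" 2>/dev/null
}

# Verification enabled with the uploaded root selected: chain and hostname both check out.
verify_with_uploaded_root() {
    openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$ORIGIN" "$WORK/server.pem" >/dev/null 2>&1
}

# Verification enabled with no root selected: only the public CA store is consulted.
verify_with_public_cas_only() {
    openssl verify -verify_hostname "$ORIGIN" "$WORK/server.pem" >/dev/null 2>&1
}

make_private_pki
verify_with_uploaded_root && echo "uploaded root selected: origin validated"
verify_with_public_cas_only || echo "public CAs only: validation fails, origin is not reachable"
```

The same private root placed in the connector's trust store is what turns the second outcome into the first; nothing about the origin certificate itself changes.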

SSH origin server validation:

Add the SSH host key while configuring your SSH application, then deploy it (Step 6).

This enables the connector to validate the SSH origin server against the configured host key. Users can then access the SSH application. If no SSH host key is added while configuring the SSH application, SSH server validation is not done.

Note: Origin server validation is not done for VNC applications, SaaS applications, or client-access applications.