Secure Private Access – User Guide

1. Introduction

Secure Private Access (SPA) from Exium provides a fast, seamless way of accessing private applications without the clunkiness of VPN infrastructure. SPA is a cloud-based Software Defined Perimeter (SDP) or Zero Trust Network Access (ZTNA) solution that is delivered through Exium’s Intelligent Cybersecurity Mesh.

Even with the trend toward higher cloud and SaaS adoption, organizations still have a variety of private applications that need the same level of secure and reliable access control. Regardless of whether these applications are hosted in the data center or at a third-party cloud provider, many of the same cybersecurity threats exist since employees are still connecting through a variety of personal and company-issued devices.

Traditional virtual private network (VPN) solutions lack the granular access control required for a zero-trust security model. VPNs, for example, have no way of knowing whether the device authenticating to the network is in the hands of the right individual. Stolen credentials can grant access to the network and deliver a malicious payload weeks and months before ever being noticed. This can easily compromise the entire business.

Exium SPA overcomes this by providing Zero Trust Network Access (ZTNA) capabilities to provide secure remote access to internal private applications, regardless of whether they are hosted by a public cloud service provider or in your organization’s private data center.

With all traffic directed through a fully encrypted tunnel, your private applications are never exposed to the public internet. This, combined with its granular zero trust capabilities, ensures a higher level of security for remote employees connecting to your internal private network.

How it works

Adjacent to the internal applications running in a public cloud, data center, or on-premise server, SPA places a small piece of software called Cyber Gateway (CGW), deployed as a container or a VM, which is used to extend a highly secure Zero Trust Path out to the Intelligent Cybersecurity Mesh.

The CGW establishes an outbound connection only and does not accept any inbound connection requests, so it exposes no listening service that DDoS and other cyberattacks could target. Private Access uses a lightweight Exium Client installed on a Microsoft Windows, Apple macOS, iOS, Android, or Linux device. The Exium Client steers Private Access application traffic to the Exium Intelligent Cybersecurity Mesh using either DNS or the IP address.

Moreover, within Exium service, both the user devices and the CGW use battle-tested hardware root-of-trust eliminating credential theft and man-in-the-middle attacks. A Mesh Cybernode approves access and stitches together the user-to-application session. SPA is 100 percent software defined, so it requires no appliances and allows users to benefit from the cloud and mobility while maintaining the security of their applications.

SPA provides zero trust, secure remote access to internal applications running in public cloud environments or private data centers, reducing risk and simplifying security operations. With SPA, applications are never exposed to the internet, making them inaccessible to unauthorized users.

Instructions Coverage

This page provides steps to activate Exium Secure Private Access (SPA) by installing and using Exium Cyber Gateway (CGW).

Section (2) provides a link to the guide for setting up a CGW quickly for the first time.

Section (3) provides an overview of the CGW architecture.

Section (4) explains the CGW deployment models.

Section (5) provides steps to log in to the workspace and access the admin console.

Section (6) provides steps to add a CGW and trust paths.

Section (7) explains how the CGW service can be monitored using the web UI.

Section (8) provides the CGW management console commands.

Section (9) describes steps to test and verify SPA services.

Section (10) provides a link to the CGW HA setup instructions page.

2. Pre-requisites

Please refer to the Cyber Gateway (CGW) deployment guide and arrange a VM or bare-metal server for the CGW:

CGW Deployment Guide

Note: the “Steps to install CGW” section in the above PDF document must be followed only after the Gateway has been added/created on the Admin Console (see section 6 on this page).

3. Reference Architecture

Remote users with the agent connected will be able to access the private network via the CGW. The CGW must have internet access to establish an IPsec tunnel with the Cyber Mesh in the cloud. Existing firewalls in the customer data center must allow outbound UDP ports 500 (IKE) and 4500 (IPsec NAT traversal) so that the IPsec traffic can pass; since the CGW only initiates connections, no inbound rule is needed.

In the example below, remote users sitting in their homes, airports or anywhere outside the office/data center will be able to access the private network running on subnet 10.0.0.0/24.

There are two ways CGW can be deployed and used for Secure Private Access (SPA):

  • Two separate interfaces for WAN and LAN connectivity
  • Single interface for WAN and LAN connectivity

3.1 CGW Deployment with 2 interfaces

Refer to the sample diagram below for the logical network layout with a CGW that has two separate interfaces for LAN and WAN connectivity. (Trust path subnet example: 10.0.0.0/24)

3.2 CGW Deployment with single interface

Refer to the sample diagram below for the logical network layout with a CGW that has a single interface for both LAN and WAN connectivity. (Trust path subnet example: 10.102.232.0/29)

4. Deployment Models

The CGW is designed to provide fast, seamless access to private applications using the cloud-delivered CyberMesh. Remote workers can connect with Exium Clients on their devices and access corporate apps, IaaS, PaaS and other private networks.

4.1 Securing Single Site (On-Prem, Data Center or Cloud)

A CGW can be deployed in one site (on-prem, data center or cloud) to provide access to the secured private network that holds sensitive data. (Trust path subnet example: 10.0.0.0/24)

4.2 Securing Multiple Sites (On-Prem, Data Center or Cloud)

CGWs can be deployed in multiple sites so that internal information exchange between them is also secured. Remote users with the Exium Agent connected can access both data centers, running on different IP subnets, at the same time. Communication among the data centers is also secured when each of them has a CGW deployed. (Trust path subnet example: Data center-1: 10.0.0.0/24 and Data center-N: 10.11.0.0/24)

5. Login to Partner Portal / Workspace

Navigate to https://partner.exium.net/sign-in

Enter “Partner Tag/Name” and click on “Continue”.

Enter “Contact email or username” and click on “Continue”. (User must be in the Admin group)

An email will be sent to the user’s registered email address for user verification.

The Exium partner admin main console will open in another web page.

Click on “Companies” to display the list of companies/customers.

Identify the customer/company name and click on the first icon in the “Action” column to log in to their workspace/admin console. It will authenticate automatically and allow access to the admin console.

6. Gateway Management

6.1 Add Gateway / CGW

Click on “Gateways” tab on the left panel of “Admin Console” web page.

Click on “Add Gateway”.

The CGW name will be generated by the system. Email and mobile number will be auto-filled; the user can modify them if required. Click on the “Save” button to continue.

A new page will open for adding the trust path details.

6.2 Add Trust Path

Once the Gateway is added successfully, the Trust Path Management page will open. Fill in the mandatory field “Network Destination” (the LAN subnet to allow). Refer to the pictures shown in sections 4.1 and 4.2 above for more details. A trust path is the private network subnet that remote users will be allowed to access. Multiple trust paths can be added and associated with a CGW.

Refer to the example below, which explains trust paths.

Data Center-1:

  • CGW-1:
    • Trust Path: 10.0.0.0/24

Data Center-N:

  • CGW-2:
    • Trust Path: 10.11.0.0/24

Remote users will be allowed to access the private networks 10.0.0.0/24 and 10.11.0.0/24 at the same time. They will not be able to access the private networks 10.1.0.X or 10.12.0.X, which are also present in the data centers behind the CGWs but are not configured as trust paths.

6.2.1 Associate User Group with Trust Path

Create a new user group if a different set of users requires Private Mesh or Secure Private Access, or identify the group name among the existing user groups and select it from the drop-down list in the “Allowed User Groups” option.

The admin can also update the “Allowed User Groups” setting of an existing trust path later. The picture below shows an example of a trust path; “Name” shows the trust path the user has created.

Click on “Save” once finished.
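The following is an added example, not Exium’s code, that models the access rule described in sections 6.2 and 6.2.1: a destination is reachable only when it falls inside a configured trust path subnet and the user belongs to one of that trust path’s allowed user groups. The subnets are the page’s Data Center-1 / Data Center-N examples; the group names and user group memberships are constructed.

```python
"""Added example (not Exium's code): evaluate whether a remote user may reach a
private destination, following the trust path + allowed user group model."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class TrustPath:
    cgw: str                   # gateway the trust path is associated with
    network: IPv4Network       # "Network Destination" (LAN subnet to allow)
    allowed_groups: frozenset  # "Allowed User Groups" selected on the trust path


# Constructed policy mirroring the page's example: CGW-1 in Data Center-1,
# CGW-2 in Data Center-N. Group names are assumptions for illustration.
TRUST_PATHS = (
    TrustPath("CGW-1", ip_network("10.0.0.0/24"), frozenset({"dc-admins", "developers"})),
    TrustPath("CGW-2", ip_network("10.11.0.0/24"), frozenset({"dc-admins"})),
)


def matching_paths(dst: str, paths=TRUST_PATHS):
    """Trust paths whose subnet contains the destination address."""
    addr = ip_address(dst)
    return [p for p in paths if addr in p.network]


def access_decision(user_groups, dst: str, paths=TRUST_PATHS):
    """Return (allowed, reason). Deny by default: the destination must be inside
    a trust path AND the user must be in one of that path's allowed groups."""
    hits = matching_paths(dst, paths)
    if not hits:
        # e.g. 10.1.0.X / 10.12.0.X: present in the data center, but no trust path
        return False, f"{dst} is not covered by any trust path"
    for p in hits:
        if p.allowed_groups & set(user_groups):
            return True, f"{dst} reachable via {p.cgw} trust path {p.network}"
    return False, f"{dst} is behind {hits[0].cgw} but groups {sorted(user_groups)} are not allowed"


if __name__ == "__main__":
    checks = [({"developers"}, "10.0.0.25"),   # allowed via CGW-1
              ({"developers"}, "10.11.0.7"),   # subnet ok, group not allowed on CGW-2
              ({"dc-admins"}, "10.11.0.7"),    # allowed via CGW-2
              ({"dc-admins"}, "10.1.0.9")]     # no trust path covers 10.1.0.0/24
    for groups, dst in checks:
        print(sorted(groups), dst, access_decision(groups, dst))
```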

7. CGW Installation and Service Connection

Please refer to the Cyber Gateway (CGW) deployment guide:

CGW Deployment Guide

Refer to the section “Steps to install CGW” in the above PDF document to install the CGW application and connect the service.

Parameters required for the installation command:

Workspace name: the name that was used to log in to the admin console – section (3)

CGW name: the name that was generated in the earlier steps – section (6.1)

8. CGW Setup Management Access

There are two ways admins can access CGW for connectivity, configurations and management:

  • CGW VM Console (Command Line Interface / CLI)
  • CGW Web UI (User Interface)

8.1 CGW Management Using Console / Command Line

The CGW command line interface supports the commands below for service operations.

Display supported commands:

8.1.1 Service Connect

Use the command below to connect the CGW service.

A user can also connect to a specific server by selecting it from the list. Use the command “sudo xlgateway servers” to get the list of Cyber Nodes, and pass the chosen one to the connect command:

8.1.2 Service Disconnect

Use the command below to disconnect the service:

8.1.3 Service Status

Use the command below to check the Exium CGW connection status:

8.1.4 Login

Use the command below to log in:

8.1.5 Logout

Use the command below to log out:

8.2 CGW Management Using Web UI

Once the CGW installation completes, it displays the URLs for accessing the CGW UI.

For example:

If only a single interface is present on the VM, one URL will be displayed in the above output.

8.2.1 CGW Web UI Access

Use a machine/laptop that can reach the CGW VM/machine over the network. Open a web browser (recommended: Chrome) on the laptop and enter one of the URLs shown on the terminal (e.g. http://172.16.0.5:9630).

Use the same password (for the cgw username) that was set during CGW VM on-boarding.

To get the UI access details again, log in to the CGW VM and run the command below:

# sudo xlgateway status

8.2.2 CGW Login

After successful setup, the login screen will appear.

Provide workspace name and click on “Continue”:

Provide username/gateway name and click on “Next”:

8.2.3 CGW Login Verification

A verification link will be sent to the registered email address and an SMS will be sent to the registered mobile number.

Click on the link in either the email (shown above) or the SMS (shown below) to complete the verification procedure.

8.2.4 CGW Home Screen

After successful verification, the home screen will appear.

Click on “Start” to connect the service.

8.2.5 CGW Service Connection

Once the service is connected, a “Stop” button is shown.

Remote users can now use the Secure Private Access feature: they log in from their Exium Clients to access the private network/servers.

8.2.6 CGW Admin Dashboard

On CGW UI screen, click on the admin icon on top right corner.

It will open Admin Dashboard.

8.2.7 Display CGW Network Interfaces

On Admin Dashboard, click on “Network Interface” to display CGW interfaces:

It will show the “WAN”, “LAN”, “tun0”, “par-gre” and other interfaces available on the CGW.

8.2.8 Display Connected Devices

On Admin Dashboard, click on “Connected Devices” to display the devices connected to CGW on LAN interface:

8.2.9 Logout

On the CGW UI Home screen, click on the three lines in the top left corner to show the available options:

Click on the “Logout” button to log out from the CGW:

8.2.10 CGW Settings

On the CGW UI Home screen, click on the three lines in the top left corner to show the available options.

Click on “Settings” to display the available settings/parameters:

8.2.11 Upload Logs

On the CGW UI Home screen, click on the three lines in the top left corner to show the available options.

Click on “Settings” to get access to the button for uploading logs.

Click on the “Upload” button. After the logs are uploaded, a success message will be displayed.

8.2.12 Service Reset

On the CGW UI Home screen, click on the three lines in the top left corner to show the available options.

Click on “Settings” to get access to the button for resetting the service.

A Service Reset is recommended when the CGW service or UI is not working properly.

9. Access Private Application/Resources Securely

Once CGW setup, login and connection have completed successfully, remote users will be allowed to access the private resources in the customer data centers.

  • Remote users who need access to the customer’s private data centers behind the CGW must be on-boarded to the workspace.
  • Users must be part of a user group that is allowed to access private resources. The same user group must be associated with the trust paths.
  • Users must download the Speerity client on their laptops/Mac/Ubuntu machines (click here Speerity Downloads to download clients).
  • Log in on the Speerity client using a valid workspace and username (received over email).
  • After a successful connection to the Smart (nearby) Cybernode, they will be allowed to access the private network/resources.

If you have any issue during installation/configuration, contact us at support@exium.net or raise a ticket on https://exium.net/help-center/

If you would like to see how Exium can help defend your organization, contact us at hello@exium.net

10. CGW with High Availability

Please refer to the page below, which describes the steps to set up the CGW with high availability. The CGW must be deployed in HA mode to provide service continuity to end/remote users.

https://exium.net/cgw-high-availability-setup-user-guide/