Configuring an application to use the App Gateway

On the App Gateway page, you can configure the application so that your users can access it whether they are logging in from an internal or external location. For applications configured for the App Gateway, users do not have to use a VPN connection to access the application remotely.

App Gateway is an add-on feature. Please contact your sales representative to have the feature enabled for your account.

Some applications can be used with App Gateway; not all applications are set up to use this feature. At this time, Web applications may use HTTPS or HTTP, and either the standard port of 443 or a non-standard port. IP addresses are only supported for on-premise apps and are not supported for external-facing apps.

To configure an application for external App Gateway connections

  1. Make sure that your on-premise web application is accessible.

    You can specify a URL that uses either HTTP or HTTPS. To specify the port, add the port at the end of the URL, such as HTTP://acme.log.com:3433. Login URLs with IP addresses are not supported.

  2. Install Delinea in your network. If you have already installed them, just make sure that they’re the current release version (prior versions don’t support App Gateway connections). If you’re using a cloud-based directory service, you won’t need to install the Active Directory service components with the Delinea Connector.

  3. Add, configure, and deploy the application.

    You can enable App gateway access for custom applications, such as user-password and SAML applications.

  4. (Optional) On the Application Gateway page, select Make this application available via the Internet.

    The Privileged Access Service verifies the application settings and displays the URL that you provided in application settings as the internal URL for the application.

  5. Specify the external URL that users open to access the application from external locations. You can use an existing URL or use one that the Centrify automatically generates for you.

    If you use an existing external URL, any links to the application URL do not need to change and will continue to work as is. However, you do need to upload an SSL certificate and modify your DNS settings.

    • To use your existing external URL, select Use this external URL for application access on or off the corporate network and do the following:

      1. Enter the existing URL. You can enter an internal or external URL here. Login URLs with IP addresses are not supported.

      2. Click Upload to browse to and upload your SSL certificate with the private key for the URL that you entered.

        The certificate file has either a .PFX or .P12 filename extension.

    • To use the auto-generated URL, select Use this Centrify generated external URL for application access on or off the corporate network. Later, you’ll need to notify users to use the auto-generated URL or access the application from the Admin Portal.

      If you use the auto-generated URL, the option Rewrite generated external URL to internal URL in requests and responses found in Gateway Options is selected by default to improve compatibility with applications that utilize html redirects in the payload.

  6. In Gateway Options, select Lock session to source IP address to require re-authentication if a user’s source IP address changes during the app gateway session.

    This option is not recommended for OWA, as it might cause authentication failures.

  7. In Gateway Options, select Lock session to expiration of user to require re-authentication if a user’s identity cookie expires during the app gateway session.

    This option is not recommended for OWA, as it might cause authentication failures.

  8. In Gateway Options, select Pass the requested URL to the application without decoding.

    This option passes the raw URL to the application, which is sometimes necessary for compatibility.

  9. In Gateway Options, select Enable standard web proxy headers to set X-Forwarded-For (RFC-7239), and REMOTE_USER.

    This option allows you to use the App Gateway with network monitoring devices or additional reverse proxies. In addition, you can select either Client IP Address or Username as values for the X-Forward-For header, depending on whether you want to monitor the header for specific IP ranges or users.

  10. Select a connector to use with the application at the __Delinea Connectors to use with this service** section. Choose one of the following:

    • Any available

      Select this option to allow the Privileged Access Service to randomly select one of the available connectors for your App Gateway configuration. Click Test Connection to make sure the connection between the connector and the application is successful.

    • Choose

      Select this option to specify one or more Delinea Connectors to use for your App Gateway configuration. If you select more than one connector, the Privileged Access Service randomly chooses one of the selected connectors to use for the application. Once the configuration is saved, each future App Gateway request uses a random connector from those selected, as long as the connector is online.

      Once you select the connectors you want to use, click Test Connection to make sure the connection between the selected connectors and the application is successful. At least one connector must succeed in order to save the configuration.

      If any of the Delinea Connectors are offline, they are not displayed in the list of available Delinea Connectors.

  11. Click Save to save the App Gateway changes.

    If you configured the application to use an external URL you need to edit your DNS settings to accommodate the App Gateway connection for this application. For more details, see "Adding the CNAME Record in Your Public DNS Server ".