Deployment Considerations and Best Practices

This article provides key considerations, best practices, and requirements to plan your Axis Security deployment and achieve the best results.

Authentication

Companies use authentication services in the form of Identity Providers (IdPs) to allow users to access the resources they need in a secure manner. IdPs provide a way to manage access by adding or removing privileges.

Before you deploy Axis Security, consider the following:

Authentication Planning Checklist

1. IdP: Which Identity Provider (IdP) will you be using to manage and authenticate users? Axis Security allows you to use SAML as your method of authentication.
2. Merging IdPs: Will you be using more than one IdP? Are you planning to merge identities from another source, now or over time? The answer helps decide on the optimal configuration for your needs.
3. Existing Groups: Are there existing groups in the IdP that already dictate application or network access? Reusing them can ease the transition to Axis Security. If not, work with Axis Security Support ([email protected]) to find the most optimal way of providing application access based on groups.

For more information about identity management, click here

Connectors

Connectors provide a secure and authenticated interface between a customer’s network and the Atmos Cloud. Connectors are deployed on network segments that can reach both the secured applications and the Atmos Cloud. For more information about connectors, see Connector Information Notification.

Before you deploy your connectors, consider the following:

Connector Planning Checklist

1. Number of data centers: How many different data centers or cloud VPCs will host apps and servers that you intend to access through the Atmos Cloud? This determines how many connector zones will be needed.
2. Applications: Are most of the private apps hosted in one of these locations (data centers), or are they distributed across all locations? This matters because apps distributed across many locations require a connector zone for each location.
3. Type of connector deployment: Axis Security supports all infrastructure platforms for application access, including a data center on VMware or a cloud such as AWS or GCP. We provide templates/OVAs for these platforms, and you can also install the connector software on supported Linux servers on any infrastructure for which we do not have a template.
4. Number of connectors (high availability): How many connectors will you deploy per connector zone?

Important: Axis recommends 2 or more connectors for each deployed connector zone. A cluster of at least 2 connectors provides continuous connectivity when one connector goes offline for planned or unplanned reasons. Because the Axis Security Cloud intelligently manages traffic redirection and load balancing, access to applications is preserved as long as at least 1 connector is online and reachable.

Applications

An application is a resource specified by a domain name, a local domain name, or an IP address, defined on a standard set of ports, and managed and accessed through the Atmos Cloud. For more information about applications, click here.

Before you configure your applications, consider the following and gather the information listed:

Application Planning Checklist

1. Applications: What applications will you be using? For example, Jira, Microsoft Office 365, an SSH range, or a network range. This matters because you need to map each of these applications to its associated connectors.
2. Atmos Agent: Are you going to use the Atmos Agent to access some or all of the applications? If you are using the Atmos Agent, consider the following:
* Application Type: some applications can only be accessed using the Atmos Agent.
* Device Types: the kinds of devices (mobile devices, Macs, PCs) from which users will access the apps.
* Device Posture: Are device posture checks required?

Click here for a feature comparison: Atmos Agent versus Atmos Air (Agentless).

Naming Applications, Policies, Connector Zones, & Application Tags

Application Names

A good practice for naming an application is to specify the server name associated with the application. For example, server1 RDP.

This is useful for helping you more easily manage your applications in the Management Console and for checking if the server associated with the application is operational.

For configurations with a large number of application definitions, consider using a naming convention that is easy to search against. For example, if the SSH servers in a Dev environment are given a name containing “devssh”, then using the search function, it’s possible to easily filter for all of the applications related to your “devssh” hosts.

Policy Rule Names and Descriptions

Create rules with meaningful names and descriptions. Although the description for the rule is optional, we highly recommend that you include a description that accurately describes the rule (how it is being applied); for example, 3rd Party access for IoT in France.
See also Best Practices for Configuring a Policy.


Tip

When you define a rule, identity, or identity group, check the spelling.

Connector Zone Names and Descriptions

A good practice for naming a connector zone is to specify the connector zone’s location or its main use. For example, USA_3rdpartyaccess.

Application Tags

Create application tags with meaningful names. Good examples for naming application tags are HR Applications, Company-wide apps, and Production DevOps Access. A bad example is HTTP. For more information, see the Application Tags section in the Best Practices for Configuring a Policy.


Note:

Axis Security highly recommends using application tags to group users, group applications by use case, or map applications.
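The connector high-availability recommendation and the naming and tagging guidance above are all checks that can be applied to a deployment plan before anything is built. The following is an added example, not code from Axis Security or this page: a small plan linter over a constructed plan (zone names, hosts, apps and tags are invented for the sample; the "generic tag" list is an assumption extending the page's "HTTP is a bad tag" advice).

```python
"""Lint a constructed Atmos deployment plan against the checklist rules on this page."""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_CONNECTORS_PER_ZONE = 2  # page: "2 or more connectors for each deployed connector zone"
# Assumption: tags this vague describe a protocol, not a use case, so they cannot drive policy.
GENERIC_TAGS = {"http", "https", "tcp", "udp", "app", "apps"}

@dataclass
class Zone:
    name: str
    connectors: int

@dataclass
class App:
    name: str
    host: str                 # server name the app should reference in its name, e.g. "server1"
    zone: Optional[str]       # connector zone the app is mapped to; None if not yet mapped
    tags: List[str] = field(default_factory=list)

def lint_plan(zones: List[Zone], apps: List[App]) -> List[str]:
    """Return one finding per violated rule; an empty list means the plan passes."""
    findings = []
    zone_names = {z.name for z in zones}
    for z in zones:
        if z.connectors < MIN_CONNECTORS_PER_ZONE:
            findings.append(f"zone {z.name}: {z.connectors} connector(s); one connector is a single point of failure")
    for a in apps:
        if a.zone is None or a.zone not in zone_names:
            findings.append(f"app {a.name}: not mapped to a defined connector zone")
        if a.host.lower() not in a.name.lower():
            findings.append(f"app {a.name}: name does not include its server name '{a.host}'")
        if not a.tags:
            findings.append(f"app {a.name}: no application tag")
        for t in a.tags:
            if t.lower() in GENERIC_TAGS:
                findings.append(f"app {a.name}: tag '{t}' is too generic to drive policy")
    return findings

# Constructed sample plan (hypothetical values, not from the page).
SAMPLE_ZONES = [Zone("USA_3rdpartyaccess", 2), Zone("EU_devops", 1)]
SAMPLE_APPS = [
    App("server1 RDP", "server1", "USA_3rdpartyaccess", ["HR Applications"]),
    App("devssh-build01", "build01", "EU_devops", ["Production DevOps Access"]),
    App("Jira", "jira01", None, ["HTTP"]),
]

if __name__ == "__main__":
    for finding in lint_plan(SAMPLE_ZONES, SAMPLE_APPS):
        print(finding)
```

Running it on the sample reports the single-connector zone and three findings for the unmapped, generically tagged "Jira" entry, while the two well-formed apps pass.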

Atmos Agent

If you are currently using Active Directory on your network, you might need to configure the Active Directory application to access resources.

The Atmos Agent requires additional firewall rules. To learn more, see Atmos Agent Device Prerequisites.