Third-Party Access
This chapter describes how to provide access for third parties such as contractors.
Legacy Extranet
Today, providing third-party access to network resources can present difficulties for organizations. Many organizations maintain complex extranet designs that rely on private circuits, VPNs, or other forms of IP connectivity into the network for their partners. These extranet environments are costly, complex to maintain, and slow to provision, which makes onboarding a new partner to the business an expensive and lengthy process.
Agentless Access
HPE Aruba Networking SSE allows third-party access to be provided easily, in a secure and scalable manner. Agentless access publishes applications through a web portal, with access granted only to specified users. Just as with agent-based access, discussed in the remote employee access chapter, the connection is brokered through the connector.
With the agentless approach, consider the limitations in the table below. If any of these capabilities are required for the design, consider agent-based access for those third-party users.
Use the agentless deployment to provide access to Web, RDP, SSH, Git, and DB (MSSQL database) applications with a seamless user experience and granular visibility and control, without installing any software on the client. Clientless deployment supports most popular browsers.
The device posture check verifies whether an SSL client certificate is installed in the client's browser; device trust is established by querying that certificate. Because a clientless deployment has less visibility into and control over the device than the Atmos Client, it is granted access to fewer resources.
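The certificate-based device trust check described above, as an added Go example that is not part of this guide or of the HPE Aruba Networking SSE product: a device certificate is accepted only if it chains to the organization's device CA and is valid for TLS client authentication, so a certificate issued by any other CA is rejected. The CA and device names (`Corp Device CA`, `laptop-001`, and so on) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a self-signed CA when parent is nil, otherwise a client-auth leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // CA: allowed to sign certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else { // device certificate: usable only for TLS client authentication
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// DeviceTrusted reports whether the presented certificate chains to a trusted device CA and permits client auth.
func DeviceTrusted(roots *x509.CertPool, client *x509.Certificate) bool {
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// Scenario (constructed): one corporate device CA, one unrelated CA, and a device certificate from each.
func Scenario() (managedOK, unmanagedOK bool) {
	corpCA, corpKey := issue("Corp Device CA", nil, nil)
	otherCA, otherKey := issue("Other CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(corpCA) // only the corporate device CA is trusted by the portal
	managed, _ := issue("laptop-001", corpCA, corpKey)
	unmanaged, _ := issue("laptop-xyz", otherCA, otherKey)
	return DeviceTrusted(roots, managed), DeviceTrusted(roots, unmanaged)
}
```

Scenario returns true for the corporate-issued certificate and false for the one from the unrelated CA; in practice the trusted root pool would be loaded from the organization's device CA certificate rather than generated in code.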
Feature | Agent-Based | Agentless |
---|---|---|
Any ports and protocols (UDP/TCP) | Yes | No |
Certificate-based device posture checking | Yes | Yes |
Destination network ranges | Yes | No |
Host-based client applications | Yes | No |
Applications that require the specific IP address of the device, such as server-initiated or peer-to-peer traffic (for example, VoIP) | Yes | No |
SaaS applications | Yes | No |
SMB file sharing | Yes | No |
Comprehensive device posture checks and a more restrictive security policy | Yes | No |
SSH range | Yes | No |
Agentless access is recommended for third-party access because it provides a seamless user experience and granular visibility and control for Web, RDP, SSH, Git, and MS SQL database applications without installing anything on the device. It also makes temporary access easy to provide; for example, contractors can be granted access with little intervention by IT teams. Also, since many third parties access resources without using corporate-provisioned devices, the Access Cloud portal provides a secure and easy method of providing limited access.
Identity Considerations
Managing user identities for third parties can be a time-consuming task. Many customers choose to have a second identity source, managed by the third party, which can be integrated into the policy. This allows administrators to write a third-party access policy once and then link it to the third party's identity store, leaving the third party to administer its own accounts.
IoT/OT Considerations
Along with contractors and third-party partners, another common use for agentless access is administering IoT/OT environments. These environments are commonly administered by consultants, vendors, or other contractors. Traditional VPN access is out of the question for many of them because their security posture prohibits inbound connectivity, notably because these systems are generally slow to receive security patches and are deemed high-risk.
HPE Aruba Networking SSE allows users to be granted permission to administer these systems quickly, without providing inbound connectivity: simply deploy a connector in that zone and enable user access, with granular policy, as needed.