23-May-24

Third-Party Access

This chapter describes how to provide access for third parties such as contractors.


Legacy Extranet

Today, providing third-party access to network resources can present difficulties for organizations. Many organizations maintain complex extranet designs to allow for private circuits, VPNs, or other methods of IP connectivity into the network for their partners. These extranet environments can be costly, complex to maintain, and slow to provision, which makes onboarding new partners to the business expensive and slow.

Agentless Access

HPE Aruba Networking SSE provides third-party access easily, in a secure, scalable manner. Agentless access enables publishing applications through a web portal, with access granted only to certain users. Just as with agent-based access, discussed in the remote employee access chapter, the connection is brokered through the connector.

With the agentless approach, consider the limitations in the table below. If any of these capabilities are required for the design, consider agent-based access for certain third-party users.

Use the agentless deployment to provide access to Web, RDP, SSH, Git, and DB (MSSQL database) applications with a seamless user experience and granular visibility and control without the need to install any software on the client. Clientless deployment supports most popular browsers.

The device posture check verifies whether an SSL client certificate is installed in the client’s browser. A device trust check is achieved by querying SSL certificates. With a clientless approach, less access to resources is provided because there is less visibility and control over the device than with the Atmos Client.

| Feature | Agent-Based | Agentless |
| --- | --- | --- |
| Any ports and protocols (UDP/TCP). | Yes | No |
| Certificate-based device posture checking. | Yes | Yes |
| Destination Network Ranges. | Yes | No |
| Host-based client applications. | Yes | No |
| Applications that require the specific IP address of the devices, such as server-initiated or peer-to-peer such as VOIP. | Yes | No |
| SaaS applications | Yes | No |
| SMB file sharing | Yes | No |
| Requires comprehensive device posture checks and more restrictive security policy. | Yes | No |
| SSH Range | Yes | No |

Agentless is recommended for third-party access because it provides a seamless user experience and granular visibility and control for Web, RDP, SSH, Git, and MS SQL database applications without installing anything on the device. It is also easy to provide temporary access; for example, contractors can be provided access with little intervention by IT teams. Also, since many third parties access resources without using corporate-provisioned devices, the Access Cloud portal provides a secure and easy method of providing limited access.

Identity Considerations

Managing user identities for third parties can be a time-consuming task. Many customers choose to have a second identity source, managed by the third party, which can be integrated into the policy. This allows administrators to write a third-party access policy once, then link it to the identity store of the third party, so that the third party administers its own accounts.

IOT/OT Considerations

Along with contractors and third-party partners, another common use for agentless access is administering IOT/OT environments. Commonly, these environments are administered by consultants, vendors, or other contractors. Traditional VPN access is out of the question for many of these environments since the security posture prohibits inbound connectivity, notably because these systems are generally slow to receive security patches and are deemed high-risk.

HPE Aruba Networking SSE provides the ability to quickly grant users permission to administer these systems without providing inbound connectivity, simply by deploying a connector in that zone and enabling user access, with granular policy, as needed.



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.