Reference Architecture
This section describes the components and features of a remote worker design, with reference designs and bill-of-materials.
HPE Aruba Networks SSE is purchased per user for a given time period (1, 3, 5, or 7 years). All users in a workspace must have the same license level. Advanced Plus is the recommended license tier because it enables organizations to realize the full value of a Zero Trust remote access design including ZTNA, SWG, and CASB with all the advanced DLP features.
The table below outlines the features provided in each license tier.
Package / Bundle | Foundation | Foundation Plus / Foundation SWG | Advanced | Advanced Plus |
---|---|---|---|---|
Common | X | X | X | X |
Management | X | X | X | X |
Portal | X | X | X | X |
Agent | X | X | X | X |
Connectors | X | X | X | X |
Branch Connectivity | X | X | X | X |
Smart Routing | X | X | X | X |
Server Initiated Flow | X | X | X | X |
Identity | X | X | X | X |
Log Streaming | X | X | X | X |
Partner Integrations | X | X | X | X |
Analytics | X | X | X | X |
Device Posture | X | X | X | X |
Custom Block Pages | X | X | X | X |
Network Ranges | X | X | X | X |
SSH | X | X | X | X |
RDP | X | X | X | X |
VNC | X | X | X | X |
Web | X | X | X | X |
SWG | | X | X | X |
Threat Intelligence Protection | | X | X | X |
DLP | | X | X | X |
Malware Protection | | X | X | X |
CASB | | | X | X |
Experience | | | X | X |
Cloud Firewall | | | X | X |
Advanced DLP | | | | X |
Local Edge | | | | X |
Sandbox | | | Requires add-on | X |
Managed Connectors | | | Requires add-on | Requires add-on |
Identity Planning
Identity provider integration should be considered carefully when planning the architecture. Decide which identity providers to integrate and which protocols to use. Certain identity providers, such as on-premise Active Directory, do not support the required protocols and may not be compatible. Consider the groups and users included in policies and ensure that the policies are created. For third-party access, consider the identity sources to use, which may differ from your corporate identity store.
Connector Planning
There is no cost for the connectors, though operators should plan for the compute and connectivity requirements of the connector. Best practice is to deploy at least two connectors in each zone for redundancy.
For setting up a connector, select one of the following options:
- Deploy a connector on your own server. Read and verify the server requirements.
- Deploy a virtual machine template. Follow the deployment instructions.
- Deploy in AWS. Follow the AWS deployment instructions.
A managed connector offering will be available soon.