Quick start steps with Zero Trust Network Access

In this topic, you will learn the steps you need to take to configure the Portnox™ Zero Trust Network Access service.

If you have already completed some of the steps, continue with the ones that remain.

Note: Portnox Cloud also controls network access, not just access to resources such as applications and services. If you use Portnox Cloud only for Zero Trust Network Access, you can skip the parts of each configuration step that relate to network access and do only the parts related to resource access.
  1. Create a Portnox Cloud tenant to access the service.

    In this step, you create an account with Portnox Cloud and your own tenant. You only need to do this once.

  2. Log in to Portnox Cloud to start working with the service.

    In this step, you access the tenant that you created earlier. You must complete this step every time you want to work with Portnox Cloud.

  3. Configure your cloud-based authentication repository in Portnox Cloud.

    For example:

  4. Configure access to SSO web applications (previously known as Conditional Access for Applications, CAA):
    Note: You need to complete these steps only if you will be using Zero Trust Network Access to secure access to SSO web applications. If you will be using Zero Trust Network Access to secure access only to hosted resources, skip this step.
    1. Configure an identity provider.

      The identity provider is a web app, often configured in your authentication repository, that checks the identity of users of web applications. You should set up an identity provider that can work with the authentication repository you set up earlier in this process.

    2. Configure applications to use ZTNA conditional access.

      For each web application, the setup steps are different. We have a collection of guides for well-known web applications. However, if your application is not on the list, look at your application’s administrative guide. Search for topics like SAML integration.

  5. Configure access to hosted resources (previously known as Remote Private Access, RPA):
    Note: You need to complete these steps only if you will be using Zero Trust Network Access to secure access to hosted resources. If you will be using Zero Trust Network Access to secure access only to SSO web applications, skip this step.

    Create the Zero Trust Network Access gateway, run the Zero Trust Network Access Docker container, and add resources.

  6. Optional: Install AgentP on user devices or ask users to install AgentP on their devices.
    Note: Zero Trust Network Access needs a user certificate on the device to be able to authenticate with the resource. You can either get such a certificate by installing AgentP on the device, or by using an Intune/Jamf agent already on the device and configuring Intune/Jamf to work with the Portnox SCEP server.
    • If you want users to install AgentP, send them the following link: https://docs.portnox.com/byod/. These are end-user instructions for all popular desktop/mobile operating systems: Windows, macOS, iOS, and Android. They teach the users how to install AgentP.

    • If you want to automatically distribute AgentP to user devices, here are some guides for popular endpoint management systems:

    Note: If you choose this option, skip the next step.
  7. Optional: If you use Microsoft Intune or Jamf in your organization and you don’t want to use AgentP:
    1. Integrate Portnox Cloud with Intune or Jamf.

      Here are the relevant guides:

    2. Configure Intune or Jamf so that the devices request SCEP certificates from Portnox Cloud.
    Note: If you choose this option, skip the previous step.
  8. Configure groups, policies, and more.

    Once you have Zero Trust Network Access working, you can now adjust it specifically to your needs.

    1. Manage groups of application users.

      Groups allow you to set different access policies for different users. For example, you can allow only your developers to access your development applications, and only your finance department to access your finance applications. If you choose to control this access at the application level instead, you can create one group for all users.

      Note: By default, your Portnox Cloud portal has one group called Default, which contains all your users that are not specifically assigned to any other groups.
    2. Configure risk assessment policies and assign them to groups.

      Risk assessment policies help you check whether a user’s device is secure enough to access applications. You can assign a different weight to each condition, such as missing antivirus software or an outdated operating system version. If the total score exceeds a certain limit, you can consider the device unsafe.

      Note: By default, your Portnox Cloud portal has one risk assessment policy called System Default Policy, which is set up with recommended security measures for all operating systems, and which is assigned to the Default group.
    3. Configure access control policies for applications and assign them to groups.

      An access control policy for an application decides what to do if the risk assessment policy labels the device as unsafe. You can choose to let unsafe devices use your applications, or you can tell the user what they should do to make their device safe.

      Note: By default, your Portnox Cloud portal has one access control policy called System Default Policy, which is set up to deny access to unsafe devices, and which is assigned to the Default group.
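To make the group, risk assessment and access control model of this step concrete, here is an added example that is not Portnox code and does not use the Portnox API: it evaluates a constructed tenant in which the group names, condition names, weights and limits are all assumptions, and shows the Default group fallback, the weighted score against a limit, and the deny-with-remediation decision.

```python
from dataclasses import dataclass
DEFAULT_GROUP = "Default"  # users assigned to no other group land here

@dataclass
class RiskPolicy:
    name: str
    weights: dict  # condition -> points added when the device has that problem
    limit: int     # a total strictly above this limit marks the device unsafe

    def score(self, findings: dict) -> int:
        return sum(w for cond, w in self.weights.items() if findings.get(cond))

    def is_unsafe(self, findings: dict) -> bool:
        return self.score(findings) > self.limit

@dataclass
class AccessPolicy:
    name: str
    allow_unsafe: bool  # True: let unsafe devices in; False: deny and explain why
    remediation: dict   # condition -> instruction shown to the user

@dataclass
class Tenant:
    groups: dict           # group name -> set of user names
    risk_policies: dict    # group name -> RiskPolicy
    access_policies: dict  # group name -> AccessPolicy

    def group_of(self, user: str) -> str:
        return next((g for g, m in self.groups.items() if user in m), DEFAULT_GROUP)
    def evaluate(self, user: str, findings: dict) -> tuple:
        """Return ('allow', []) or ('deny', [remediation steps for the user])."""
        group = self.group_of(user)  # a group without its own policy inherits Default's
        risk = self.risk_policies.get(group, self.risk_policies[DEFAULT_GROUP])
        access = self.access_policies.get(group, self.access_policies[DEFAULT_GROUP])
        if not risk.is_unsafe(findings) or access.allow_unsafe:
            return ("allow", [])
        steps = [access.remediation[c] for c in risk.weights
                 if findings.get(c) and c in access.remediation]
        return ("deny", steps)

def sample_tenant() -> Tenant:
    # Constructed sample (assumed values): a stricter limit for Finance, one shared access policy.
    weights = {"no_antivirus": 60, "old_os": 40, "disk_unencrypted": 30}
    fix = {"no_antivirus": "Install and enable antivirus software.",
           "old_os": "Update the operating system."}
    return Tenant(groups={"Finance": {"alice"}},
                  risk_policies={DEFAULT_GROUP: RiskPolicy("System Default Policy", weights, 50),
                                 "Finance": RiskPolicy("Finance strict", weights, 20)},
                  access_policies={DEFAULT_GROUP: AccessPolicy("System Default Policy", False, fix)})
```

Note that a condition with no remediation text (here `disk_unencrypted`) still raises the score but produces no instruction for the user, which is the situation to check for when you tune your own policies.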