
Security Policy Guide 25.2.10

Workload Setup Using PCE Web Console

After you pair workloads, you can view details by clicking a single workload. You can name the workload from the Workload Summary page, write a description, and change the workload's policy state.

Creating Managed Workloads by Installing VENs

When you install a VEN on a workload and pair it to the PCE, it becomes a managed workload because it can be managed using the PCE. For more information, see VEN Installation and Upgrade Guide.

Unmanaged Workloads

Unmanaged workloads extend rule-writing capabilities to network entities that are not paired with the PCE and do not have an installed VEN. Adding unmanaged workloads to the PCE enables you to write rules that allow workloads paired with the PCE to communicate with other entities. The policy between workloads with a VEN and unmanaged workloads is enforced using the outbound rules on the workloads where the VEN is running. For unmanaged workloads, enforcement is displayed as blank.

For example, when you want to ensure that a network file server belonging to an HRM application is only accessible from the database workloads of the HRM application, you can add unmanaged workloads for the file servers and use label-based rules to enforce the policy. The PCE utilizes the outbound rules on the database workloads running the VEN to ensure that only databases labeled HRM are permitted to establish outbound connections to the network file servers.
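The following Python sketch is an added illustration, not PCE or VEN code. It models the HRM example to show where a rule toward an unmanaged workload is actually enforced. The `key:value` label notation, the workload names, and the assumptions that managed workloads are in an enforcing policy state and deny unmatched outbound traffic are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset   # constructed notation, e.g. {"app:HRM", "role:db"}
    managed: bool       # True = VEN installed and paired to the PCE

@dataclass(frozen=True)
class Rule:
    consumer: frozenset  # labels the source must carry
    provider: frozenset  # labels the destination must carry

def evaluate(src, dst, rules):
    """Return (verdict, enforcement_point) for src -> an unmanaged dst."""
    if dst.managed:
        raise ValueError("this model only covers unmanaged destinations")
    if not src.managed:
        # Neither side runs a VEN, so nothing applies the label-based rule.
        return ("not enforced", None)
    # Assumption: an enforcing VEN denies outbound traffic no rule allows.
    matched = any(r.consumer <= src.labels and r.provider <= dst.labels
                  for r in rules)
    return ("allow" if matched else "deny", f"outbound on {src.name}")

# Constructed sample data mirroring the HRM file-server example.
RULES = [Rule(consumer=frozenset({"app:HRM", "role:db"}),
              provider=frozenset({"app:HRM", "role:fileserver"}))]
FILESERVER = Workload("hrm-nfs-1",
                      frozenset({"app:HRM", "role:fileserver"}), managed=False)
HRM_DB = Workload("hrm-db-1", frozenset({"app:HRM", "role:db"}), managed=True)
CRM_DB = Workload("crm-db-1", frozenset({"app:CRM", "role:db"}), managed=True)
LEGACY = Workload("legacy-host", frozenset(), managed=False)

def report():
    """Evaluate every sample source against the unmanaged file server."""
    return {s.name: evaluate(s, FILESERVER, RULES)
            for s in (HRM_DB, CRM_DB, LEGACY)}

if __name__ == "__main__":
    for name, (verdict, point) in report().items():
        print(f"{name:12} -> {FILESERVER.name}: {verdict:12} ({point})")
```

In this model, a source without a VEN falls outside the rule's enforcement, so access to the file server from such hosts has to be restricted by other controls.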

Adding Unmanaged Workloads

You can add unmanaged workloads from the Workloads list. After assigning labels, write label-based rules that apply to unmanaged workloads.

Tip

You can also create an unmanaged workload from a blocked traffic IP address. See Create Unmanaged Workload from Blocked Traffic.

  1. In the Servers & Endpoints category, click Workloads.

  2. Click Add > Add Unmanaged Workload.

  3. In the Add Unmanaged Workload details page, enter a name and description for the unmanaged workload.

  4. In the Label Assignment section, select the labels you want to be applied to the unmanaged workload.

  5. In the Host Attributes section, enter all relevant information about the unmanaged workload, such as its hostname, location, OS Family, Release, and Public IP.

  6. (Optional) In the Machine Authentication ID field, enter all or part of the DN string from the Issuer field of the end entity certificate (CA Subject Name). Complete this field when you plan to use this unmanaged workload with the AdminConnect feature, as it involves a laptop running Windows or Linux.

  7. When using Kerberos for encryption, enter an SPN to authenticate the VEN.

  8. Click Save.