AdminConnect Setup
Using AdminConnect, you can control access to network resources based on Public Key Infrastructure (PKI) certificates. Because the feature derives identity from the cryptographic identity bound to a certificate rather than from an IP address, you do not need to map users to IP addresses, as is common in firewall configuration.
With AdminConnect, a workload can use a client's certificate-based identity to verify the client's authenticity before allowing it to connect.
Certificates for AdminConnect
AdminConnect relies on PKI certificates for relationship-based access control of workloads.
The feature uses the same certificate infrastructure enabled for SecureConnect. If you have not set up a certificate for SecureConnect, see SecureConnect Setup.
The same prerequisites and limitations that apply to certificate setup for SecureConnect apply to AdminConnect. Additionally, because you can use AdminConnect to control access for laptops, certificates on laptops must meet these additional requirements:
The certificate must have a unique Subject Name and Subject Alt Name.
The certificate must be issued with all the Extended Key Usage (EKU) values required for trust validation.
Secure Laptops with AdminConnect
You can use Illumio to authenticate laptops and grant them access to managed workloads. To manage a laptop with AdminConnect, complete the following tasks:
Deploy a PKI certificate on the laptop. See Certificates for AdminConnect.
Add the laptop to the PCE by creating an unmanaged workload, and assign it the labels you will use when writing rules.
Create rules using those labels to grant access to the managed workloads. For information, see "Enable AdminConnect for a Rule" in the Security Policy Guide.
Configure IPsec on the laptop.
To add a laptop to the PCE by creating an unmanaged workload:
To manage a laptop with AdminConnect, add the laptop to the PCE as an unmanaged workload.
Choose Workloads > Add > Add Unmanaged Workload.
Complete the fields in the General, Labels, Attributes, and Processes sections.
In the Machine Authentication ID field, enter all or part of the DN string from the Issuer field of the end-entity certificate (the CA Subject Name). For example:
CN=win2k12, O=Illumio, OU=Portal, ST=CA, C=US, L=Sunnyvale
Tip: Enter the exact string that you get from the openssl command output.
Click Save.
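The following PowerShell script is an added example and is not code from the Illumio documentation. It checks a laptop certificate against the requirements listed under Certificates for AdminConnect (Subject Name and Subject Alt Name present, Extended Key Usage present) and then prints the Issuer DN the way openssl formats it, for pasting into the Machine Authentication ID field as the tip above directs. It assumes the certificate is in the local machine store, that openssl.exe is on PATH, and that you replace the placeholder thumbprint; the specific -nameopt flags are an assumption about what produces the "CN=..., O=..., ST=..." form shown in the example.

```powershell
# Added example; not Illumio or Microsoft code. Checks a laptop certificate against the
# AdminConnect certificate requirements and prints the Issuer DN as openssl formats it.
# Assumptions: certificate is in Cert:\LocalMachine\My, openssl.exe is on PATH, and the
# thumbprint below is a placeholder you replace with your laptop certificate's thumbprint.
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

# Requirement: a Subject Name must be present. Uniqueness cannot be verified on the laptop
# alone; compare against the other laptop certificates issued by your CA.
"Subject: $($cert.Subject)"
if ([string]::IsNullOrWhiteSpace($cert.Subject)) {
    Write-Warning 'Certificate has an empty Subject Name'
}

# Requirement: Subject Alternative Name extension (OID 2.5.29.17) must be present.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN: $($san.Format($false))" } else { Write-Warning 'No Subject Alt Name extension' }

# Requirement: Extended Key Usage extension (OID 2.5.29.37) must be present. List the
# usages it carries so you can compare them with what your trust validation requires.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) { "EKU: $($eku.Format($false))" } else { Write-Warning 'No Extended Key Usage extension' }

# Machine Authentication ID: the page says to use the Issuer DN exactly as openssl prints it.
# Export the certificate to DER, then have openssl print the issuer with short attribute
# names and ', ' separators (the 'CN=..., O=..., ST=...' form). If your openssl build prints
# a different form, use that string verbatim instead.
$der = Join-Path $env:TEMP 'adminconnect-laptop.cer'
[IO.File]::WriteAllBytes($der, $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
& openssl x509 -inform DER -in $der -noout -issuer -nameopt sep_comma_plus_space,sname
Remove-Item $der
```

Note that the Windows certificate store and netsh render the state attribute as S=, while openssl renders it as ST=; since the page says to enter the openssl output, copy the issuer line exactly as openssl prints it rather than retyping it from the Windows certificate viewer.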
To configure IPsec on a laptop:
You must configure IPsec on the laptops in your organization so that they can use the AdminConnect feature.
For information about configuring IPsec using netsh, see the Microsoft Technet article Netsh Commands for Internet Protocol Security (IPsec).
The following examples show the IPsec settings required to manage laptops with the AdminConnect feature.
PS C:\WINDOWS\system32> netsh advfirewall show global

Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled
SAIdleTimeMin                         5min
DefaultExemptions                     NeighborDiscovery,DHCP
IPsecThroughNAT                       Server and client behind NAT
AuthzUserGrp                          None
AuthzComputerGrp                      None
AuthzUserGrpTransport                 None
AuthzComputerGrpTransport             None
StatefulFTP                           Enable
StatefulPPTP                          Enable

Main Mode:
KeyLifetime                           60min,0sess
SecMethods                            ECDHP384-AES256-SHA384
ForceDH                               Yes

Categories:
BootTimeRuleCategory                  Windows Firewall
FirewallRuleCategory                  Windows Firewall
StealthRuleCategory                   Windows Firewall
ConSecRuleCategory                    Windows Firewall

Ok.

PS C:\WINDOWS\system32> netsh advfirewall consec show rule name=all

Rule Name:                            telnet
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Transport
Endpoint1:                            Any
Endpoint2:                            10.6.3.189/32,10.6.4.35/32,192.168.41.163/32
Port1:                                Any
Port2:                                23
Protocol:                             TCP
Action:                               RequireInRequireOut
Auth1:                                ComputerKerb,ComputerCert
Auth1CAName:                          CN=MACA, O=Company, OU=engineering, S=CA, C=US, L=Sunnyvale, [email protected]
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Intermediate
Auth1HealthCert:                      No
MainModeSecMethods:                   ECDHP384-AES256-SHA384
QuickModeSecMethods:                  ESP:SHA1-AES256+60min+100256kb
ApplyAuthorization:                   No
Ok.
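The netsh output above shows the end state but not the commands that produce it. The following is an added example, not from the Illumio documentation or from Microsoft, of a netsh script that configures main mode and a connection security rule matching that output. The rule name, peer addresses, port and CA DN are placeholders copied from the sample; substitute your managed workloads' addresses and your CA's subject DN. Writing the commands to a file and running them with netsh -f avoids PowerShell re-quoting the auth1ca argument, which contains spaces.

```powershell
# Added example; not Illumio or Microsoft code. Produces IPsec settings like those in the
# sample netsh output. Placeholders (rule name, peer addresses, port, CA DN) are copied from
# the sample and must be replaced. Run from an elevated PowerShell prompt.
$netshScript = @"
advfirewall set global mainmode mmsecmethods ecdhp384:aes256-sha384
advfirewall set global mainmode mmforcedh yes
advfirewall set global mainmode mmkeylifetime 60min,0sess
advfirewall consec add rule name="telnet" endpoint1=any endpoint2=10.6.3.189/32,10.6.4.35/32,192.168.41.163/32 protocol=tcp port1=any port2=23 mode=transport action=requireinrequireout auth1=computerkerb,computercert auth1ca="CN=MACA, O=Company, OU=engineering, S=CA, C=US, L=Sunnyvale certmapping:no excludecaname:no catype:intermediate" qmsecmethods=esp:sha1-aes256+60min+100256kb profile=any
"@

# Main mode lines: ECDH P-384 key exchange with AES-256/SHA-384, DH forced on rekey, and a
# 60-minute key lifetime with no session limit (KeyLifetime 60min,0sess in the sample).
# Rule line: transport-mode IPsec required in both directions for TCP/23 to the listed
# managed workloads, authenticating the laptop with its machine certificate chained to the
# named intermediate CA (Kerberos is listed first only because the sample allows it).
$scriptPath = Join-Path $env:TEMP 'adminconnect-ipsec.netsh'
Set-Content -Path $scriptPath -Value $netshScript -Encoding ASCII
netsh -f $scriptPath
Remove-Item $scriptPath

# Compare the result with the sample output above.
netsh advfirewall show global
netsh advfirewall consec show rule name="telnet"
```

Two caveats a practitioner would want: if laptops should authenticate with certificates only, drop computerkerb from auth1 so a Kerberos ticket cannot satisfy the rule in place of the PKI identity; and the SHA1 quick-mode integrity algorithm is what the sample shows, not a requirement of netsh, which also accepts sha256 in the esp: method string.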