AppGate Technical Architecture Overview

April 13, 2017 |
AppGate Technical Architecture

This week we launched the latest version of AppGate, our market-leading implementation of the Software-Defined Perimeter architecture. AppGate offers:

– Individualized perimeter for each user

– Fine-grained authorization for on-premises and cloud

– Dynamic adjustment to new cloud server instances

– Consistent access policies across heterogeneous environments

– Contextual awareness that drives access and authentication

How does AppGate do all that?

AppGate Architecture image

AppGate offers a distributed architecture with three main functions:

  1. Controller – handles authentication and token-issuing service
  2. Gateway – handles distributed, dynamic access control
  3. LogServer – provides secure logging services

This architecture ensures that servers only accept incoming connections from the Gateway.


AppGate Policy Model

Policies are tools used to assign entitlements to a user, group of users, or administrators. Policies include a list of entitlements and filters that define who those entitlements should be assigned to.

Policy-Centric Approach - Image of AppGate Policy Model

The list of entitlements within a policy is used by the Controller to create the entitlement token(s) for each user.

The policy defines all the entitlements allowed by a user during the session. The conditions within each entitlement are used by the Gateway to control whether the entitlement is permitted for that specific session.

The Controller applies the filters within a policy to decide which policies apply upon authentication. If no filters have been included in the policy, then it won’t be assigned to any users. If a user’s claims don’t match any filters, then no policies will be allocated and the user will not receive any entitlements.


An entitlement provides the definition of the protected resource in AppGate.

Entitlements can allow, block or alert and are subject to filters and conditions and define the exact network resources which users may access. Network access types include:

  • IP access, reverse IP access, or ICMP access
  • Target hostnames, IP addresses, subnets, AWS security groups & tags

Examples of a user entitlement:

  • TCP access to port 443 on host
  • TCP access to port 22 on subnet
  • TCP access to port 3389 on all AWS resources with Security Group Dev_Team4
  • ICMP access to host QA_Server_11

This screenshot shows how to create an entitlement within AppGate. Here we show that the Client is entitled to TCP access to port 443 on host

Screenshot of AppGate Entitlements


Filters determine which users are allowed access. Entitlements are filtered at authentication time and conditions are evaluated at the time of access. As demonstrated in the screenshot, AppGate enables you to determine access at a very granular level through the definition of these criteria. Policies are:

  • Filtered at authentication time
  • Evaluated by the Controller upon user device authentication (and renewal)
  • Used to determine the set of entitlements (targets, ports, and protocols)

Screenshot of AppGate Filters


Conditions determine how and when users can access resources. Conditions are evaluated at time of access and may prompt for password, OTP, or require explanation. Conditions may also permit or block access based on attributes such as network location, time of day, etc.

Screenshot of AppGate Conditions


Attributes include the user, device and contextual information. Attributes mapping defines how attributes in each user identity provider directory will be mapped to AppGate claim names. This mapping defines which user-claims will be available to include in filter and condition expressions.

AppGate Attributes Screenshot


AppGate offers an identity-centric network security solution. To learn more about the AppGate architecture, get the paper on Securing User Access to Enterprise Systems in Private or Public Clouds.

Get the Whitepaper: Securing-User-Access-to-Enterprise-Systems-in-Private-or-Public-Clouds

Back to Blog Home

Philip Marshall

As Cryptzone’s Director of Product Marketing, Phil Marshall brings over 14 years of experience in both product and services marketing as well as 10 + years experience in the high-tech publishing space with publications including Dr. Dobb’s Journal and Byte magazine. Prior to joining Cryptzone, Phil worked at security firms Rapid7, Positive Technologies and RSA. He also was a Senior Product Marketing Manager at Black Duck, the leading open source governance and management firm.

A speaker at recent (ISC)2 conferences and ISACA, he’s participated in numerous webinars, in panel discussions and presented on topics including Identity Security, Application Security and Open Source Governance and Management.

Marshall earned a BA at Bates College and an MBA, cum laude, at the F.W. Olin Graduate School of Business at Babson College.

Leave a Reply

Your email address will not be published. Required fields are marked *