Owner

Network Connector: Connects an entire private network to CloudConnexa, acting as a router between the WPC and the private network. It can be deployed on hardware routers or general-purpose computing devices/VMs configured as software routers.

Host Connector: Connects a specific host (e.g., an application server or IoT device) to CloudConnexa, making services available on that host accessible through the WPC.

Routers: DD-WRT, OpenWrt, PfSense, Teltonika, Ubiquiti (EdgeMAX).

Cloud IaaS: AWS VPC (using VPG or Transit Gateway), Azure VNet (using ARM templates), GCP VPC.

Operating Systems: Windows Server (for routing and NAT), macOS (for routing and NAT), Linux (OpenVPN 3 client with DCO support).

Two-Factor Authentication (2FA): Can be enabled for users, with an option to allow trusted devices. Owners can clear trusted devices or reset 2FA for a user.

Device Identity Verification & Enforcement (DIVE): Reduces the attack surface by "locking the device profile containing the digital certificate to the device's identity," ensuring "only authorized devices to connect to your WPC." Policies can be configured based on OS, OS version, antivirus presence, client certificate, and disk encryption.

Connection Timeout: Configurable setting to automatically disconnect user connections after a specified duration (default 24 hours) for security policy enforcement.

Connect Auth Policy: Determines if and when a user is prompted for credentials during connection (e.g., "Every time," "On prior auth timeout," "No").Device Allowance: Limits the "maximum number of Devices per user account" that can connect to the WPC.

Profile Distribution Mode: Can be "Automatic" (default, where devices and profiles are automatically created on user authentication) or "Manual" (requiring the owner/admin to create devices and distribute .ovpn profiles offline).

Allowable Regions for connection.

Connection authentication mode (Connect Auth).

Maximum devices per user.

Mode of internet traffic routing (Internet Access method).

Access control to specific Networks, Hosts, Applications, or IP Services (via Access Groups).

Required device posture attributes (Device Posture policies).

Required location context (Location Context policies).

Application Domain-based Routing (Recommended): Routes traffic to applications using their domain names, even if IP addresses overlap across networks. It "cloaks IP addresses," making the actual application server IPs and network routes not disclosed to the client. This also allows for per-application micro-segmentation.

IP Routing (IP Services): Identifies traffic to be routed based on subnet IP addresses configured as IP Services.

Both can be used concurrently.

Sources: User Groups, Hosts, Networks, and source IP Services from those Networks.

Destinations: Shared Applications via AppHub, User Groups, Hosts, Networks, and IP Services/Applications reachable from Networks or Hosts

Split Tunnel On (Level-1 Security): "Private and trusted internet traffic is tunneled; all other internet traffic uses local internet." "Trusted internet traffic" includes internet destinations (domain names or IP subnets) configured as Applications or IP Services.

Split Tunnel Off (Level-2 Security): "All traffic is tunneled; Internet traffic exits from selected Internet Gateways." This is used for maximum security and control, requiring at least one Network to be configured as an Internet Gateway.

Restricted Internet (Level-3 Security): Blocks all internet traffic except to trusted internet destinations, offering the "strictest control."

Domain Filtering (Content Filtering): Provides DNS content filtering to "block malicious and suspicious websites," even if internet traffic doesn't pass through the WPC. Classifies web content into 43 categories organized into eight groups.

Traffic Filtering (IDS/IPS): A built-in Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). When monitoring, it identifies malicious traffic (malware, intrusion, DoS, phishing, vulnerabilities/exploits, known threats, adware, cryptojacking, Tor) based on signatures classified into three threat priority levels: Critical, High, and Medium. When blocking is enabled, it acts as an IPS.

Metrics & Reporting: Provides dashboards to view top 10 content categories and threat categories, event counts, and detailed reports (CSV exportable) for observed and blocked domain filtering and traffic filtering events.

App Provider: A business that shares its applications

App Client: A business that requests and consumes shared applications. (A business can be both.)

Invitation: App Provider sends an invitation using the App Client's email address or Cloud ID.

Reception: App Client receives the invitation. If not a CloudConnexa customer, directs to sign-up. If existing, directs to accept.

Approval: App Client approves the invitation (via email link or Administration Portal).

Activation: Access to the shared application becomes active for the App Client.

Functionality: Allows programmatic configuration and management of the WPC.

Authentication: Requires creating API credentials (client ID and secret) and obtaining an OAuth 2.0 access token.

Documentation: Available in the Administration Portal (Swagger documentation).

Purpose: Maintains records of all modifications to CloudConnexa configurations, including changes made by Administrators, API, and Users (via the User Portal). Crucial for security teams to identify unauthorized changes and for regulatory compliance (GDPR, HIPAA, PCI-DSS).

Logged Entities: Covers a wide range of configuration changes for Access Groups, Cyber Shield settings, Hosts, Networks, Users, User Groups, Device Posture policies, DNS settings, Log Streaming, and authentication settings.

Viewing & Exporting: Audit log entries can be viewed, filtered by various criteria (entity type, operation type, change source, initiator IP, etc.), and exported as CSV files.

Purpose: Aggregates and presents statistics on all DNS requests made by connected clients through CloudConnexa's DNS servers. Shows allowed, blocked (by Cyber Shield), and failed requests.

Requirement: CloudConnexa DNS Proxy function must be enabled for DNS logs to be available.

Filtering & Exporting: Entries can be filtered by domain, query type, resolution status, user/device, host/connector, and user group. Exportable as CSV.

Purpose: Collects specific events from WPC log sources and streams them in JSON format (compressed as .gz files) to a configured AWS S3 bucket. Facilitates integration with third-party log collection tools like Splunk and DataDog.

Event Types: Includes DNS logs (registered domain and subdomain levels), OpenVPN tunnel connection/disconnection events, Cyber Shield Domain Filtering blocked events, and Cyber Shield Traffic Filtering blocked events.

Status & Notifications: Log Streaming status (Active, Paused, Error) can be monitored. Email alerts can be configured for status changes and when log events exceed a plan allowance.

WPC Topology: Controls access control enforcement. "Full Mesh" (default) allows full access; "Custom" enables Access Groups for a "deny by default" approach.

Default Region for Connector: Sets the default CloudConnexa Region for new Connector configurations.

Source Network Address Translation (SNAT): When enabled, sets the source IP address of inbound traffic from the WPC to the connected Region's IP address. Disabled by default, with SNAT often handled by Connectors directly.

WPC Subnet Range: Configures the IP address range from which Tunnel IP addresses are assigned to User Devices and Connectors. Should not overlap with private networks.

Domain Routing IP Addresses: Sets the IP Subnet range for intermediary IP addresses used in Application Domain-based Routing.

Custom OpenVPN Options: Allows pushing custom OpenVPN options to all clients.

Enable Configuring Routes for Networks: When enabled, allows defining custom Routes under Network IP Services to optimize routing tables for Clients and Connectors.

Connection Timeout: Sets the maximum duration for user connections before automatic disconnection.

Default Connection Authentication (Connect Auth): Defines the default authentication policy for newly created User Groups.

Default Device Allowance: Sets the maximum number of devices per user for newly created User Groups.

Device Identity Verification & Enforcement (DIVE) Policy: Configures the DIVE policy for users, ensuring only authorized devices connect.

Profile Distribution Mode: Determines whether CloudConnexa automatically creates devices and profiles or if manual distribution is required.

User Authentication Method: Configures authentication for users (CloudConnexa username/password, SAML Single Sign-On, or Private LDAP).

User Group Mapping: For SAML and LDAP, allows mapping IdP attributes to CloudConnexa User Groups, supporting primary and secondary group assignments based on priority rules.

SCIM 2.0: Supports System for Cross-domain Identity Management (SCIM) for automatic user and group provisioning from IdPs (e.g., Okta, Azure, JumpCloud, OneLogin).

Two-Factor Authentication (2FA): Enables or disables 2FA for users and allows/disallows trusted devices.

Private DNS Servers: Allows configuring CloudConnexa to use external private DNS servers instead of its default.

DNS Records: Allows adding custom DNS records for public or private domains, which CloudConnexa's Proxy DNS servers will use for resolution.

Default DNS Suffix: Sets a default DNS suffix.

DNS Zone: Configures CloudConnexa's DNS proxy servers to forward DNS requests to different authoritative DNS servers based on defined zones.

CloudConnexa DNS Proxy: Can be turned off, but this impacts features like custom DNS, application routing, content filtering, DNS records, DNS zones, and AppHub application sharing.