Remote Access: When Using Axeda Policy Server
The Axeda Policy Server enables your customers to control access to their assets through the settting of policies for various actions that may be requested. Every policy has three possible settings, each represented by an icon in the APS user interface. The following table describes these settings and shows the related icon:
|
Icon
|
Policy Description
|
|---|---|
 |
Always Allow — The Agent does not need to ask for permission, so on request, the Agent performs the requested action.
|
 |
Ask for Approval — Upon receiving a request for an action from a platform, the Agent sends an ASKING message to Policy Server to request permission for the action and also a message to the platform that it is waiting for permission.
|
 |
Deny — The Agent is never allowed to perform the requested action and sends a message to the platform that the action is not permitted by Policy Server.
|
When it receives an ASKING message from the Agent, Policy Server sends an e-mail to the address specified for the policy and then stores the action request in the Pending Requests queue. The action request remains in the Pending Request page until it is approved or denied, or it times out. If timed out, the action is denied and needs to be requested again. A message is logged in the audit log for Policy Server.
If approved or denied, the action request is removed from the Pending Requests page. A message regarding the approval or denial is written to the audit log. Policy Server sends its response (accept or deny) to the asset. The asset sends another status message (ASK_ACCEPTED or ASK_DENIED) to the eMessage Connector to tell it whether the action request was approved or denied. If the action request was approved, the asset then processes the action.
Interactions between the Agent and the Connector
Here is the sequence of interactions between the Agent and the Connector for a remote session:
1. User starts remote session and the RemoteSession is created on the platform and on GAS (Global Access Server). Egress is stored to tell the Agent to start the RemoteSession.
2. Agent polls the eMessage Connector and the Connector returns session ConnectToSession details to the Agent.
3. The Agent checks the rules in its local copy of the policy and respons within 300 milliseconds with an ASKING status code (40000004).
 |
The Connector does not terminate the remote session when it receives this code. It transitions the RemoteSession status to WAITING_FOR_AUTHORIZATION. In addition, the Remote Access Client looks for this message and displays it as "Waiting for Authorization".
|
4. At this point, the customer must approve the remote session request using the Policy Server application. Once the request is approved, the Agent sends an ASK_ACCEPTED message and the SUCCESS status code to the Connector.
5. The Connector does not terminate the session when it receives the ASK_ACCEPTED message and processes the SUCCESS code by transitioning the status of the remote session to STARTED.