The CloudGen Access Proxy is a software tool that contains two services: the Envoy Proxy and the CloudGen Access Proxy Orchestrator.
The Envoy Proxy listens to requests and proxies them to the correct destination. The CloudGen Access Proxy Orchestrator ensures that the Envoy Proxy is correctly configured. See also: Add CloudGen Access Proxy
The CloudGen Access Proxy Orchestrator requires a valid token (CloudGen Access Proxy enrollment link) that contains the necessary information to bootstrap and authorize the service. You can obtain the enrollment link by registering the proxy in the CloudGen Access Console.
The Envoy Proxy requires connectivity to internal/protected resources and must have an outbound open port, which is configured in the console. This port is used only by the clients (the CloudGen Access App that runs on the devices) to connect to the proxy. The Proxy Orchestrator communicates with the CloudGen Access Console to obtain policies (control plane).
As a rule of thumb, a CloudGen Access Proxy (possibly with high availability) should be deployed per network/VLAN. Proxies should be deployed as close as possible to resources that they serve, in order to maximize security and performance.
See the following articles for more information on configuration, installation instructions, networking, troubleshooting, and high availability setup.