Configure Browser Access AnyApp

This article explains how to enable and test the Browser Access AnyApp feature. This functionality enhances the current Browser Access solution by extending support for additional protocols, such as RDP and SSH.

Definitions

AnyApp: Netskope feature name for supporting non-web applications, such as RDP and SSH, over Browser Access.

Guacamole: Apache Guacamole is a clientless remote desktop gateway supporting protocols such as RDP and SSH. Once installed on a server, Guacamole allows access to servers, workstations, and infrastructure via a browser, providing a layer of isolation by not directly connecting the user to the resource. Instead, users control an HTML canvas of the remote screen, enabling actions like copy-paste. It is especially useful for providing third-party access, such as for MSPs or contractors, without a direct connection to company resources. More info at apache.org.

Background

Enabling the AnyApp feature extends support for additional protocols such as RDP and SSH via Browser Access. This is particularly useful for third-party users (like partners, vendors, and contractors) because installing the Netskope Client is typically not possible on unmanaged devices. This solution requires additional configuration on the Publisher, including resource settings. More details are provided in the Publisher Requirements section.

Prerequisites

  • Reach out to your Netskope account team to get this feature enabled.
  • A Netskope Reverse Proxy SAML Account for Private Apps already configured on your tenant.
  • A Publisher (dedicated for AnyApp) with adequate resources and minimum version R120. More details are provided in the Publisher Requirements section.

Publisher Requirements

To set up and use the Browser Access AnyApp feature, it is important to carefully review and fully understand these requirements.

  • It is recommended to assign a dedicated set of Publishers for Browser-based RDP/SSH applications.
  • In order to support the AnyApp feature, the server hosting the Publisher needs to be sized correctly. VM Sizing guidelines for up to 30 concurrent RDP connections are as follows:
    • 6 CPU cores
    • 8 GB RAM
    • 30 GB HDD (Available disk space)

Workflow

These steps are required to use the AnyApp feature:

  1. Install a Publisher.
  2. Upgrade Publisher resources (resizing).
  3. Enable the AnyApp feature.
  4. Configure an AnyApp Private App Definition and Policy.
  5. Validate AnyApp App Access.

Install a Publisher

Use the Publisher installation steps here. Create and register a new Publisher. Note that, for cloud-based deployments, the memory, CPU, and HDD can be modified while configuring the respective instances.

Upgrade Publisher Resources (resizing)

To support up to 30 concurrent RDP connections on a single Publisher instance, Netskope recommends the following specifications:

  • 6 CPU cores
  • 8 GB RAM
  • 30 GB HDD (Available disk space)

Important – Follow this guide to resize the Publisher according to your requirements.

Note – SSH is not resource-intensive, so no additional resources are needed.

Note – For quick testing and use cases where customers do not require more than 30 concurrent RDP connections per Publisher instance, it is recommended to choose sizing based on their specific requirements. A base Publisher size (default values) would also suffice for a quick test for end-to-end connectivity, but performance may be impacted.

Note – If there is a requirement to handle more than 30 concurrent connections, it is recommended to increase the number of Publishers.

Enable AnyApp

Make sure the feature flag for Browser Access AnyApp is enabled for the tenant.

  1. Choose 6 for Browser Access AnyApp settings in the configuration menu within the Publisher Wizard.
  2. Choose 1 for Enable Browser Access AnyApp.
  3. Verify that AnyApp is enabled on the Wizard menu that appears after enabling AnyApp (Browser Access AnyApp: Enabled).
  4. To further verify that the AnyApp docker containers are running, select 7 to Exit, run the command docker ps, and verify that the containers guacamole-frontend and guacamole-backend are running.

For example:

Configuration menu:
1. Upgrade
2. Network settings
3. Syslog settings
4. Troubleshooter
5. Log settings
6. Browser Access AnyApp settings
7. Exit
6
Browser Access AnyApp:
	Disabled
Configuration menu:
1. Enable Browser Access AnyApp
2. Return to previous menu
1
The system does not meet the requirements: The number of CPU(2) is below the recommendation(6). The RAM size(3.900000GB) is below the recommendation(8.000000GB). The disk space(12.000000GB) is below the recommendation(30.000000GB). 
The system does not meet the requirements for Browser Access, do you want to continue [yes/no]
yes
 guacamole-frontend Pulling 
 guacd Pulling 
 guacd Pulled 
 guacamole-frontend Pulled 
 Container guacamole-backend  Creating
 Container guacamole-backend  Created
 Container guacamole-frontend  Creating
 Container guacamole-frontend  Created
 Container guacamole-backend  Starting
 Container guacamole-backend  Started
 Container guacamole-frontend  Starting
 Container guacamole-frontend  Started
Restarting publisher...
Publisher information:
	Version: 120.0.0.8519
.
.
<Output omitted>
.
.
Browser Access AnyApp:
	Enabled
Update status:
	System updates available.
	Publisher update available.
Configuration menu:
1. Upgrade
2. Network settings
3. Syslog settings
4. Troubleshooter
5. Log settings
6. Browser Access AnyApp settings
7. Exit
7
ubuntu@anyapphost:~$ 
ubuntu@anyapphost:~$ docker ps
CONTAINER ID      IMAGE         COMMAND         CREATED         STATUS         PORTS         NAMES
2cd4a332e3ff   netskopeprivateaccess/ba_any_app_fe_test:latest   "catalina.sh run"        2 hours ago   Up 2 hours                       guacamole-frontend
19d7a549be9e   guacamole/guacd:1.5.4                             "/bin/sh -c '/opt/gu…"   2 hours ago   Up 2 hours (healthy)             guacamole-backend
cdb9d9fedd02   new_edge_access:latest                            "/bin/bash -l automa…"   2 hours ago   Up 2 hours                       unruffled_meninsky
ubuntu@anyapphost:~$

Additionally, when AnyApp is enabled, the Netskope Web UI will display the Browser Access AnyApp as Connected in the Publisher UI Section.

Filtering is available for AnyApp-enabled Publishers, as shown here:

Configure an AnyApp Private App Definition and Policy

Make sure the feature flag for Browser Access AnyApp is enabled for the tenant.

  1. Create the RDP/SSH Browser Access app. This is similar to the existing Browser Access App for http/https.
  2. Go to Settings > Security Cloud Platform > App Definitions and select the Private Apps tab.
  3. Create a New Browser Access Private App, or edit an existing one. Enable the Allow Browser Access toggle.
  4. Enter a host address, and then select a protocol from the dropdown.
  5. Select Publishers that have AnyApp enabled.
  6. Select the Publisher(s) that will serve the application.
    Although there is a visual hint indicating what Publishers have AnyApp enabled, there is no UI validation to restrict the selection of AnyApp Publishers for RDP/SSH. Please note that traffic will fail if a non-AnyApp Publisher is selected and the RDP/SSH traffic is sent to it.
  7. Click Save.
  8. Create a Real-time policy with Allow/Block for the RDP/SSH app for users/groups based on your requirements. For more details, go here.

Validate AnyApp App Access

  1. For RDP app access, after successfully authenticating through Browser Access, you will see the login screen (see the screenshot below). At this point, you must enter your credentials to access the RDP server.

Note: The default RDP authentication method for RDP app access is NLA.
Only interactive authentication using a username and password is supported.
See additional details under Additional Notes.

For SSH app access, after successfully authenticating through Browser Access, you will see the login screen (see the screenshot below). At this point, you must enter your credentials to access the SSH server.

Note: Only interactive authentication using a username and password is supported. See additional details under Additional Notes.

(Optional) RDP and SSH Browser Access Applications can also be accessed through the Browser Access User Portal, if provisioned by the admin.

AnyApp Updates and Maintenance

Enabling auto-update for Publishers will ensure that the AnyApp service is updated along with Publisher updates. It is recommended that you enable auto-update for your Publishers.

Error codes related to AnyApp for publisher auto-upgrade can be found here.

Troubleshooting

Can not see the option to enable AnyApp on the Publisher

  1. Check the configuration file (nsconfig.json) on the Publisher to validate whether the feature flag enable_non_web_app_browser_access is set to ‘1’ (as shown below). If it is not, please reach out to your Netskope Support team for further assistance.
    The nsconfig.json file is located in the resources/ directory.
  2. After enabling the AnyApp feature flag:
    • It may take up to 60 minutes to refresh.
    • Alternatively, restart the Publisher to see the changes immediately.

Validate AnyApp on the Publisher is enabled

  • Run docker ps.
  • You should see that guacamole-frontend and guacamole-backend are up and running.

To retrieve guacamole logs

  • docker logs guacamole-frontend
  • docker logs guacamole-backend

To check if the Publisher received the request to AnyApp:

Check Publisher logs: logs/agent.txt.

New L4 connection {clientId}:{connId}, dest guacamole-frontend:8080

[anyapp-publisher:2024-05-30 06:52:39.010 +00:00] [info] agenthandler.cpp:669:processSendToServer():0x7f31598ed500 New L4 connection 9yXrO0BPTlMp:26, dest guacamole-frontend:8080
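The following script is an added example, not a Netskope tool, that turns the troubleshooting checks above (the enable_non_web_app_browser_access flag in nsconfig.json, the two guacamole containers in docker ps, and the "New L4 connection ... dest guacamole-frontend:8080" lines in logs/agent.txt) and the sizing guidance from the Upgrade Publisher Resources section into repeatable shell functions. The file paths are assumptions to adjust for your Publisher, and the inputs it runs against are constructed samples written to a temporary directory so that it can be tried offline before pointing it at real files.

```shell
#!/bin/sh
# Added example (not Netskope's own tooling). Paths are assumptions.

# 1. Feature flag: is enable_non_web_app_browser_access set to 1 in nsconfig.json?
#    Accepts both 1 and "1" as the JSON value. Prints "enabled" or "disabled".
anyapp_flag_state() {
    cfg="$1"
    val=$(grep -o '"enable_non_web_app_browser_access"[[:space:]]*:[[:space:]]*"\{0,1\}[0-9]*' "$cfg" 2>/dev/null \
          | sed 's/.*:[[:space:]]*"\{0,1\}//')
    if [ "$val" = "1" ]; then echo enabled; else echo disabled; fi
}

# 2. Containers: given saved `docker ps` output, report whether both guacamole
#    containers appear in the NAMES column (the last field of each row).
anyapp_containers_running() {
    names=$(awk 'NR > 1 { print $NF }' "$1")
    fe=0; be=0
    for n in $names; do
        [ "$n" = "guacamole-frontend" ] && fe=1
        [ "$n" = "guacamole-backend" ] && be=1
    done
    if [ "$fe" = 1 ] && [ "$be" = 1 ]; then echo running; else echo missing; fi
}

# 3. Agent log: count L4 connections the Publisher handed to the AnyApp front end.
anyapp_requests_seen() {
    grep -c 'New L4 connection .* dest guacamole-frontend:8080' "$1" || true
}

# 4. Sizing: compare host resources with the guidance for 30 concurrent RDP
#    sessions (6 CPU cores, 8 GB RAM, 30 GB free disk). Prints "ok" or the shortfalls.
check_publisher_sizing() {
    awk -v cpu="$1" -v ram="$2" -v disk="$3" 'BEGIN {
        if (cpu < 6)   s = s "cpu(" cpu "<6) "
        if (ram < 8)   s = s "ram(" ram "<8) "
        if (disk < 30) s = s "disk(" disk "<30) "
        if (s == "") print "ok"; else { sub(/ $/, "", s); print s }
    }'
}

# Constructed sample inputs (not captured from a real Publisher) so the checks
# can be exercised offline. Replace with resources/nsconfig.json, the output of
# `docker ps`, and logs/agent.txt on the Publisher itself.
WORK=$(mktemp -d)
SAMPLE_NSCONFIG="$WORK/nsconfig.json"
SAMPLE_DOCKER_PS="$WORK/docker_ps.txt"
SAMPLE_AGENT_LOG="$WORK/agent.txt"

cat > "$SAMPLE_NSCONFIG" <<'EOF'
{ "enable_non_web_app_browser_access": "1" }
EOF

cat > "$SAMPLE_DOCKER_PS" <<'EOF'
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
2cd4a332e3ff   netskopeprivateaccess/ba_any_app_fe_test:latest   "catalina.sh run"   2 hours ago   Up 2 hours   guacamole-frontend
19d7a549be9e   guacamole/guacd:1.5.4   "/bin/sh -c /opt/guacd"   2 hours ago   Up 2 hours (healthy)   guacamole-backend
EOF

# First line is the one from the article; the second is a constructed follow-up connection.
cat > "$SAMPLE_AGENT_LOG" <<'EOF'
[anyapp-publisher:2024-05-30 06:52:39.010 +00:00] [info] agenthandler.cpp:669:processSendToServer():0x7f31598ed500 New L4 connection 9yXrO0BPTlMp:26, dest guacamole-frontend:8080
[anyapp-publisher:2024-05-30 06:52:41.220 +00:00] [info] agenthandler.cpp:669:processSendToServer():0x7f31598ed500 New L4 connection 9yXrO0BPTlMp:27, dest guacamole-frontend:8080
EOF

echo "feature flag : $(anyapp_flag_state "$SAMPLE_NSCONFIG")"
echo "containers   : $(anyapp_containers_running "$SAMPLE_DOCKER_PS")"
echo "L4 requests  : $(anyapp_requests_seen "$SAMPLE_AGENT_LOG")"
echo "sizing       : $(check_publisher_sizing 2 3.9 12)"   # the undersized host from the wizard output above
```

A missing flag, a missing container, or a zero request count each point at a different stage of the workflow (tenant enablement, the wizard step, or policy and routing), which is the order the troubleshooting section walks through.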

AnyApp App accessibility issues

  • The alerts from the browser are useful.
  • Here are some examples:
    • SSH: CLIENT_UNAUTHORIZED (Incorrect Username/Password)
    • RDP: CLIENT_UNAUTHORIZED (Incorrect Username/Password)
    • RDP: UPSTREAM_NOT_FOUND (Connection Timeout). Check the connectivity from the Publisher to the Private App.
    • Additional error codes can be found here.

Additional Notes

  • China Publishers are not supported with AnyApp.
  • NLA is the default authentication method for RDP. To enable other authentication methods, such as TLS or Any, review the screenshot below.

    Typical use cases for additional authentication methods:

    • TLS: Compatible with AD-joined Windows PCs, or whenever the user must be specified in the format DOMAIN\User, such as for local admin access.
    • ANY: Compatible with XRDP (Linux-based servers).
  • Copy/Paste (clipboard) controls are not supported. By default, these actions are blocked, and any customizations to enable them are not officially supported.

  • The default session timeout for AnyApp is 60 minutes (1 hour) for both SSH and RDP connections. If there is no user interaction or screen update from the SSH/RDP server within this period, the session will be disconnected. However, if there is continuous activity, the session will not disconnect, as active screen updates prevent the timeout. Additionally, there is a keepalive mechanism with a timeout set to 15 seconds, and keepalive messages are sent every 0.5 seconds. If a network issue occurs, the session will close after 15 seconds without a response. During this 15-second window, the browser will send 30 ping messages.
  • SSH access currently doesn’t support certificate-based authentication.
  • Access via mobile platforms is not officially supported.