Configure Browser Access for Private Apps

Browser Access is an additional method through which users can reach enterprise internal web applications over HTTP/HTTPS from a browser. Internal applications that do not use HTTP/HTTPS can still be reached with the Netskope Client.

Prerequisites

You must have an active Identity Provider (IdP) account and have privileges to modify settings in your IdP account that will direct traffic to Netskope.

Browser Access requires that the hostname in the originating HTTP request match the hostname expected by the application server. Browser Access supports only HTTP/1.1, HTTP/2, and TLS 1.2; TLS 1.3 and HTTP/3 are not supported, so an application server that only offers TLS 1.3 cannot be published this way.
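The prerequisites above can be checked against an application server before you enable Browser Access for it. The following preflight script is an added example and is not Netskope code or tooling; the function names, the finding texts, and the choice to treat a missing ALPN selection as HTTP/1.1 and a 400 or 421 response as a Host-header rejection are this example's own assumptions. It pins the handshake to TLS 1.2 so that a TLS 1.3-only server fails visibly, offers h2 and http/1.1 via ALPN, and sends a request that carries the host name you will enter in the Private App definition as the Host header.

```python
"""Preflight checks for a private app before you enable Browser Access for it.

Added example, not Netskope code. It checks the constraints this page lists:
a single host with no wildcard and a TCP port, a TLS 1.2 handshake (TLS 1.3-only
servers are not supported), HTTP/1.1 or HTTP/2 via ALPN, and that the server
answers for the Host header that Browser Access will forward. All function and
finding names are this example's own assumptions.
"""
import http.client
import re
import socket
import ssl
from typing import Optional

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$", re.I)


def parse_host_definition(host: str, port) -> tuple:
    """Validate a Host/port pair the way the Private App form constrains it."""
    host = host.strip().lower()
    if "://" in host or "/" in host:
        raise ValueError("enter a bare hostname such as jira.site.io, not a URL")
    if "," in host or " " in host:
        raise ValueError("only one host can be added per Browser Access app")
    if "*" in host:
        raise ValueError("Browser Access does not support wildcards in host names")
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"{host!r} is not a valid hostname")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("the port must be a TCP port between 1 and 65535")
    return host, port


def tls_probe(host: str, port: int, self_signed: bool = False, timeout: float = 5.0) -> dict:
    """Handshake with TLS 1.2 pinned and h2/http1.1 offered; report what was negotiated."""
    ctx = ssl.create_default_context()          # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # a TLS 1.3-only server will refuse this
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    if self_signed:  # what selecting "Trusted self-signed certificate" implies
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"tls_version": tls.version(), "alpn": tls.selected_alpn_protocol(), "error": None}
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"tls_version": None, "alpn": None, "error": str(exc)}


def host_header_probe(host: str, port: int, https: bool, self_signed: bool = False, timeout: float = 5.0) -> dict:
    """HEAD / carrying the configured host name as the Host header; the app must accept that name."""
    try:
        if https:
            ctx = ssl.create_default_context()
            if self_signed:
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/", headers={"Host": host})  # explicit Host overrides the default
        status = conn.getresponse().status
        conn.close()
        return {"status": status, "error": None}
    except (OSError, http.client.HTTPException) as exc:
        return {"status": None, "error": str(exc)}


def assess(host: str, tls: Optional[dict], http_result: dict) -> list:
    """Map probe results to findings against the Browser Access prerequisites."""
    findings = []
    if tls is not None:  # None for plain-HTTP apps, which have no TLS requirement
        if tls["error"]:
            findings.append(f"no TLS 1.2 handshake with {host}: {tls['error']}; "
                            "Browser Access does not support TLS 1.3-only servers")
        elif tls["alpn"] not in (None, "h2", "http/1.1"):
            # no ALPN selection is taken to mean plain HTTP/1.1 (assumption)
            findings.append(f"{host} selected ALPN {tls['alpn']!r}; only HTTP/1.1 and HTTP/2 are supported")
    if http_result["error"]:
        findings.append(f"HTTP probe of {host} failed: {http_result['error']}")
    elif http_result["status"] in (400, 421):
        # heuristic: servers commonly answer 400 or 421 Misdirected Request for an unexpected Host
        findings.append(f"{host} answered {http_result['status']} for Host: {host}; "
                        "the app must accept the hostname Browser Access forwards")
    return findings


def run_preflight(host, port, https: bool = True, self_signed: bool = False) -> list:
    """Validate the definition, then probe the live server. Empty list means no findings."""
    host, port = parse_host_definition(host, port)
    tls = tls_probe(host, port, self_signed) if https else None
    return assess(host, tls, host_header_probe(host, port, https, self_signed))


if __name__ == "__main__":
    import sys
    # usage: python preflight.py jira.site.io 443 [--self-signed]
    findings = run_preflight(sys.argv[1], sys.argv[2], self_signed="--self-signed" in sys.argv)
    for line in findings or ["all Browser Access prerequisites checked OK"]:
        print(line)
```

Run it from a machine that can reach the application server the same way a Publisher does; a finding about the Host header usually means the server's virtual host is configured for a different name than the one you are about to enter in the Host field.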

Browser Access is activated by a feature flag. Contact your Netskope sales representative or Netskope support team to enable this feature for your tenant.

Important

Browser Access is not offered for applications accessed through China and Kingdom of Saudi Arabia PoPs.

Workflow

  1. Create a SAML Reverse Proxy account in the Netskope UI, and then update your IdP account with the Netskope ACS URL and Audience URL.
  2. Enable Browser Access for a Private App.
  3. Create a Real-time Protection policy to grant users browser access to Private Apps.

Create a SAML Account for Browser Access

You will need your IdP SSO URL and certificate to complete these steps.

  1. Log in to the Netskope UI.
  2. Go to Settings > Security Cloud Platform and click SAML (under Reverse Proxy).
  3. Click Add Account.
  4. In the New Account window, enter a name for the account.
  5. Select Private Apps from the Application dropdown list.
  6. Enter these parameters:
    • IdP SSO URL: Enter your IdP SSO URL.
    • IdP Certificate: Enter your IdP certificate.
  7. Click Save and View Netskope Settings to see the URLs for this account. Copy the Browser Access ACS URL and Audience URL to use in your IdP account. Update your IdP account with these URLs before proceeding.

    Note

    Support for multiple IdPs for Browser Access is currently in Beta. Only the first account in the list (the top one) is used; any other accounts are ignored.

Enable Browser Access for a Private App

These instructions are for new and existing Private Apps.

  1. Go to Settings > Security Cloud Platform > App Definition and click Private Apps.
  2. Click New Private App to create a new private app, or select an existing app (and jump to step 4).
  3. Enter a meaningful app name in the Application Name field.
  4. Enable Allow Browser Access.
  5. Enter the host name of the application in the Host field (for example, jira.site.io). Enter a bare host name, not a URL. Only one host can be added per Browser Access app, and Browser Access does not support wildcards in host names. Then add the TCP port number.

    After adding the hostname and port, the Public Host URL is displayed. This is the URL through which properly authenticated users access the private app. You can copy the public host name by clicking the copy icon next to it.

  6. Select HTTP or HTTPS. For HTTPS, the private app must either use a certificate that is signed by a trusted certificate authority, or you must select the Trusted self-signed certificate option.

    Note

    Netskope supports self-signed trusted root certificates. Cross-signed root certificates are not supported in the certificate chain file.

    A Private App can be accessed via a browser in two ways:

    • Using the generated hostname from the Public Host field.

    • Using a custom hostname. In your DNS system, create a CNAME record that points the custom hostname at the public host name. Then click the Custom Hostname toggle and click Upload the Certificate to open a page where you enter the certificate and key for the custom hostname.

      Note

      You must upload both the certificate and the private key for the custom host name. In the certificate field, the server certificate goes on top, followed by the rest of the chain, with the root certificate at the bottom.

      For more information about certificates, refer to Configuring Certificates for Private Apps Browser Access.

  7. Enable Allow Unauthenticated CORS if you want to allow Cross Origin Resource Sharing (CORS) OPTIONS requests.

    Refer to Enable CORS OPTIONS Request over Browser Access for more information.

    Note

    This feature is controlled by a feature flag. Contact Netskope Support to get this feature enabled.

  8. Click in the Publisher text field and select one or more Publishers from the dropdown list.

    Tip

    For high-availability, add multiple Publishers for each Private App. Up to 16 Publishers can be used per Private App.

  9. Click Save.
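The certificate note in step 6 gives an ordering rule for the chain file uploaded for a custom hostname (server certificate first, intermediates next, root last) and states that cross-signed roots are not supported. The script below, an added example rather than Netskope code, checks a PEM file against that rule using only the standard library: it reads the raw issuer and subject Name encodings out of each DER certificate and verifies that every certificate is issued by the one after it, that the last one is self-signed, and that no subject appears twice (a chain carrying both a self-signed root and its cross-signed copy would). The sample certificates it ships with are constructed, unsigned DER structures built only to exercise the ordering logic; the checker does no signature or validity checking, and its function names and messages are this example's own.

```python
"""Check a PEM chain file for the order Browser Access custom hostnames require.

Added example, not Netskope code. Server certificate first, intermediates next,
root last, each certificate issued by the one below it, no subject repeated.
A minimal DER reader is used so only the standard library is needed; the check
is structural and does not verify signatures.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(text: str) -> list:
    """Split a PEM bundle into the DER bytes of each certificate, in file order."""
    return [base64.b64decode("".join(block.split())) for block in PEM_RE.findall(text)]


def read_tlv(buf: bytes, pos: int) -> tuple:
    """Decode one DER TLV at pos: (tag, whole TLV bytes, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    start = pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    end = start + length
    return tag, buf[pos:end], buf[start:end], end


def issuer_and_subject(der_cert: bytes) -> tuple:
    """Return the raw DER encodings of issuer and subject from a certificate."""
    _, _, cert, _ = read_tlv(der_cert, 0)  # Certificate ::= SEQUENCE
    _, _, tbs, _ = read_tlv(cert, 0)       # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, _, after = read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = after
    fields = []
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, whole, _, pos = read_tlv(tbs, pos)
        fields.append(whole)
    return fields[2], fields[4]


def check_chain_order(pem_text: str) -> list:
    """Return the problems found; an empty list means the chain is ordered as required."""
    ders = pem_to_ders(pem_text)
    if not ders:
        return ["no certificates found"]
    names = [issuer_and_subject(d) for d in ders]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}; reorder the file")
    root_issuer, root_subject = names[-1]
    if root_issuer != root_subject:
        problems.append("last certificate is not self-signed (the root must be at the bottom)")
    subjects = [s for _, s in names]
    if len(set(subjects)) != len(subjects):
        problems.append("a subject appears more than once (cross-signed roots are not supported)")
    return problems


# --- constructed sample data: structurally valid but unsigned certificates ---

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (payloads under 65536 bytes, enough for the samples)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def name(common_name: str) -> bytes:
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }."""
    attr = der(0x30, bytes.fromhex("0603550403") + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, attr))


def synthetic_cert(subject_cn: str, issuer_cn: str) -> str:
    """PEM for a constructed, unsigned certificate carrying only the fields the checker reads."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn) + der(0x30, b""))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = synthetic_cert("jira.site.io", "Example Intermediate CA")
INTERMEDIATE = synthetic_cert("Example Intermediate CA", "Example Root CA")
ROOT = synthetic_cert("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    import sys
    # usage: python check_chain.py chain.pem   (no argument: check the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LEAF + INTERMEDIATE + ROOT
    for line in check_chain_order(text) or ["chain order OK"]:
        print(line)
```

Because the comparison is on the raw DER of the Name fields, a root whose cross-signed copy has the same subject but a different issuer is reported as a duplicate subject, which is the case the note says the upload does not support.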

Connecting the Private App to the Publisher may take several minutes. Make sure that the status icon for this Private App is green before proceeding. If it is red, use the Troubleshooter feature or check the firewall rules between the Publisher and the application server before proceeding.

Note

When a user accesses Private Apps on different tenants from the same browser using Netskope-encoded Private App URLs, the user must clear the browser's cookies after accessing a Private App on one tenant before a Private App on another tenant can be accessed.

Create a Real-time Protection Policy for Browser Access to Private Apps

You need to create a Real-time Protection policy in order to allow Browser Access to Private Apps.

  1. Go to Policies > Real-time Protection.
  2. Click New policy and select Private App Access.
  3. For Source, select the Users, OU, or Groups for which you want to grant access to the private app(s).
  4. For Access Method, select Browser Access. At least one Access Method must be defined, either Browser Access or Client.

    Private Apps that have Browser Access enabled cannot be reached through the Client. If a resource must be reachable both through Browser Access and through the Client, create two application definitions for it, one for each access method.

    If Access Method is not showing, click Add Criteria to search for and select Access Method, and then select Browser Access.

  5. For Destination, leave Private App and select your private app from the dropdown list.
  6. For Action, select Allow to grant access. To deny access, select Block and then select a policy notification template from the dropdown list, or create one.
  7. Give the policy a name (like Browser Access for JIRA), and then click Email Notification to choose the notification template for the policy. When finished, click Save.
  8. Click Apply Changes.
