Enable Browser Access Apps with a User Portal
This article explains how to enable and test the Browser Access User Portal feature. This functionality enriches the end-user experience because users can view and access authorized private applications from a single portal.
Background
Currently, when a private app is published via Browser Access, you configure a custom hostname or use the Netskope-encoded URL that is generated in the tenant UI. An admin then needs to share these links with the end users who require access, which can become tedious for a large enterprise with hundreds or thousands of private applications.
Admins can configure a user portal where logged-in users can obtain a list of Browser Access (only) applications they are authorized to access and launch from the portal.
Prerequisites
To configure a User Portal, you need a Netskope Reverse Proxy SAML Account for Private Apps already configured on your tenant.
Enable the Browser Access User Portal Feature
Reach out to your Netskope account team to get this feature enabled. Note that this feature is controlled by a tenant-wide flag.
Configure the User Portal
Ensure the feature flag for the NPA Browser Access User Portal feature is enabled for your Netskope tenant before proceeding.
- To configure a User Portal, go to Settings > Security Cloud Platform > App Definition, and on the Private Apps tab, click New Private App.
- Enable Allow Browser Access and User Portal Configuration.
This is a special app and requires the:
- Application Name.
- Host (only FQDN is supported).
- Certificate for Custom Hostname.
Note that the Protocol (defaults to TCP 443; https), Publisher(s), and App tags are not required because they do not apply to the User Portal. TLS termination for user portal requests is handled by the NPA Clientless Service.
Notes
- Configuring a custom hostname is best practice and should always be done; however, the portal can also be accessed directly using the Public Host URL.
- Only one portal per tenant can be configured.
- The portal configuration hostname can be a placeholder (dummy record) and doesn’t need to be a valid DNS A record. However, the intended portal FQDN must have a CNAME pointing to the public host URL generated in the configuration.
- Click Save and Create Policy.
- Go to Policies > Real-time Protection and click New Policy. Select Private Access App from the dropdown. Allow (or Block) the User Portal app in a Real-time policy for users/groups as per your requirements. We recommend that you create a separate policy for the User Portal.
- Click Save.
- Upload the Certificate.
Similar to custom FQDN certs, you will need to upload the cert for the portal following these instructions: Private App Cert UI.
Access Apps in the User Portal
After provisioning the portal app in the Netskope UI, an admin needs to share the portal URL with the end user(s). Only end-users specified in the policy are allowed to access the portal.
- Launch the User Portal and enter the IdP credentials. The landing page will look something like this.
- You can search for an app within the portal and also sort the apps. Click an app tile to launch the app.
To log out, click the profile icon in the top right corner and select Log Out.
Troubleshooting the User Portal
Unable to reach the portal
- Ensure the portal is added in a real-time policy. If access is blocked due to a missing policy, an alert is generated in SkopeIT events.
Note that a successful login to the portal is logged in SkopeIT Network Events.
- Collect a HAR capture and a screen recording for Support investigation.
- Ensure the portal hostname is resolvable.
- Customers need to add a CNAME in their DNS pointing the portal hostname to the corresponding Public Host URL generated in the Web UI.
Note that portal access is supported with the Netskope-encoded URL as well.
~ $ dig portal.acme.com

; <<>> DiG 9.10.6 <<>> portal.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47812
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;portal.acme.com.			IN	A

;; ANSWER SECTION:
portal.acme.com.		3600	IN	CNAME	ns-2abdedba-443-tenantname.goskope.com.
ns-2abdedba-443-tenantname.goskope.com.	1800	IN	A	163.116.158.137

;; Query time: 312 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 16 18:37:46 IST 2024
;; MSG SIZE  rcvd: 132
Certificate Validity
Check the validity of the certificate. Replace portal.acme.com with the actual portal URL. Redirecting stdin from /dev/null makes s_client exit once the handshake completes instead of waiting for input.
openssl s_client -showcerts -servername portal.acme.com -connect portal.acme.com:443 </dev/null | openssl x509 -noout -dates
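The two troubleshooting checks above (the portal FQDN must CNAME to the Public Host URL generated in the tenant UI, and the certificate presented on port 443 must be valid) can be automated by parsing the text that dig and openssl print. The script below is an added example, not part of this article or of Netskope's product: it embeds constructed sample output shaped like the dig capture above and like `openssl x509 -noout -dates`, walks the CNAME chain to confirm it passes through the expected goskope.com public host and ends in an A record, and reports whether the certificate is current and not within a configurable number of days of expiry. The hostnames, IP, and dates are sample values; in practice you would feed it the real command output.

```python
"""Offline sanity checks for a Browser Access User Portal hostname.

Added example (not Netskope code): parses the text printed by
`dig <portal-fqdn>` and by
`openssl s_client ... | openssl x509 -noout -dates`, so the CNAME and
certificate troubleshooting steps can be verified together. All sample
data below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample dig output (same shape as the article's capture).
DIG_OUTPUT = """\
;; QUESTION SECTION:
;portal.acme.com.                       IN      A

;; ANSWER SECTION:
portal.acme.com.        3600    IN      CNAME   ns-2abdedba-443-tenantname.goskope.com.
ns-2abdedba-443-tenantname.goskope.com. 1800    IN      A       163.116.158.137

;; Query time: 312 msec
"""

# Constructed sample `openssl x509 -noout -dates` output.
OPENSSL_DATES = """\
notBefore=Aug  1 00:00:00 2024 GMT
notAfter=Aug  1 23:59:59 2025 GMT
"""

# owner  TTL  IN  TYPE  target  (only the record types this check needs)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")


def parse_answer_section(dig_text):
    """Return {owner-name: (type, target)} for records in the ANSWER SECTION."""
    records = {}
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other ';;' header ends the section
            in_answer = False
        if not in_answer or not line.strip():
            continue
        m = RR_RE.match(line)
        if m:
            owner, rtype, target = m.groups()
            records[owner.lower().rstrip(".")] = (rtype, target.lower().rstrip("."))
    return records


def check_cname_chain(dig_text, portal_fqdn, public_host):
    """Follow CNAMEs from the portal FQDN. The chain must pass through the
    Public Host URL generated in the tenant UI and end in an A record.
    Returns (ok, reason)."""
    records = parse_answer_section(dig_text)
    name = portal_fqdn.lower().rstrip(".")
    expected = public_host.lower().rstrip(".")
    via_public_host = name == expected   # using the encoded URL directly is fine
    for _ in range(8):                   # bounded walk guards against CNAME loops
        if name not in records:
            return False, f"no A/CNAME record returned for {name}"
        rtype, target = records[name]
        if rtype == "A":
            if not via_public_host:
                return False, f"{portal_fqdn} does not CNAME to {expected}"
            return True, f"{portal_fqdn} -> {expected} -> {target}"
        if target == expected:
            via_public_host = True
        name = target
    return False, "CNAME chain too long or looping"


OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Aug  1 23:59:59 2025 GMT"


def parse_cert_dates(openssl_text):
    """Parse notBefore/notAfter lines into timezone-aware UTC datetimes."""
    dates = {}
    for line in openssl_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dt = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            dates[key] = dt.replace(tzinfo=timezone.utc)
    return dates


def check_certificate(openssl_text, now_iso=None, warn_days=30):
    """Report whether the cert is valid at `now_iso` (ISO 8601 with offset;
    default: current time) and not within `warn_days` of expiry."""
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc)).astimezone(timezone.utc)
    dates = parse_cert_dates(openssl_text)
    if "notBefore" not in dates or "notAfter" not in dates:
        return False, "could not parse certificate dates"
    if now < dates["notBefore"]:
        return False, "certificate is not yet valid"
    if now >= dates["notAfter"]:
        return False, "certificate has expired"
    left = dates["notAfter"] - now
    if left < timedelta(days=warn_days):
        return False, f"certificate expires in {left.days} days; renew it"
    return True, f"certificate valid for another {left.days} days"


if __name__ == "__main__":
    print(check_cname_chain(DIG_OUTPUT, "portal.acme.com",
                            "ns-2abdedba-443-tenantname.goskope.com"))
    print(check_certificate(OPENSSL_DATES, "2025-01-01T00:00:00+00:00"))
```

Feed the script real output by replacing the two constructed strings with the captured text of `dig <portal fqdn>` and of the openssl command above; a failed CNAME check corresponds to the "Unable to reach the portal" case, while an expired or soon-to-expire certificate means the portal cert needs to be re-uploaded as described under Upload the Certificate.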