This guide is a walkthrough for setting up a BrowZer application using CloudZiti.
This document uses the following acronyms, phrases, and words; here is what they mean in general terms.
Zero Trust: “The main concept behind zero trust is “never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN and even if they were previously verified.” (wikipedia)
Ziti SDK: The Zero Trust Software Development Kit created by NetFoundry, which is an interface to a Ziti network. The Ziti SDK lets an application be modified before it is compiled so that it changes the way it requests access to the resources it needs. The Ziti SDKs and the associated Ziti-enabled applications are fully open source on GitHub. AKA - THE FUTURE!
Service Policy (AppWan): A Service Policy (AppWan) is a policy that groups Identities (Endpoints) and grants them access to services, which are in turn hosted by other Identities (Endpoints).
Console: The CloudZiti NPaaS multitenant cloud solution that NetFoundry customers use to create, modify, and delete the elements of a Ziti network.
VPN: Virtual Private Network: any of many mechanisms that transport data on behalf of applications running on a CLIENT device. It is generally designed to extend a private network over public infrastructure and normally includes security protocols to protect the traffic while doing so. VPNs were not designed with Zero Trust in mind: once a device or user is authenticated, a VPN must be heavily augmented to keep that device from reaching private services it is not authorized to use. AKA - THE OLD WAY!
BrowZer: A group of Ziti components that work in concert to enable and facilitate clientless browser access to web servers that are dark on the internet.
What & Why
Some customers cannot install the ZDE (Ziti Desktop Edge), either because they cannot install software at all (as in a SCADA environment) or because it would conflict with their current VPN.
Some customers need to use public or shared devices, where binding an identity to a single device is not an option.
Some customers have a "prohibit installation" policy for their employees.
Value to Customer
- No agent or client installation is needed, and customers can still reach their critical infrastructure.
Prerequisites
- A CloudZiti Network up and running.
- A web application to publish.
Part 1: Setup Needed Items to support a BrowZer Application
In this section:
- Create a WSS enabled NetFoundry Hosted Edge Router
- Create an Edge Router Policy
- Create the Service
- Create a Service Policy
In the Console, create a NetFoundry Hosted Edge Router with the WSS Listener enabled. BrowZer requires at least one Edge Router with the WSS Listener enabled, because the browser reaches the Ziti network over WebSocket Secure rather than through an installed client. Launching a NetFoundry Hosted router is recommended.
In the Console, create an Edge Router Policy to ensure this router is available to your Identities (Endpoints).
In the Console, create the Service you want to access. We recommend using an Advanced Service. BrowZer requires a web (HTTP/HTTPS) service. The service must be hosted by an Identity (Endpoint) that has network reachability to the web application.
In the Console, create a Service Policy (AppWan) that grants access to the client Identities (Endpoints) we will create later.
Part 2: Auth0 & JWT Signer
In this section:
- Create an Auth0 Account
- Create an Auth0 Application(SPA)
- Gather Information from Auth0 needed
- Create a new JWT Signer
- Create a new Authentication Policy
- Create or update the Identities(Endpoints)
This tutorial follows the Auth0 settings. Other IdPs will have their own equivalent settings. If you don't already have an account, you can sign up for a free one at https://auth0.com/signup
Adding a new Application in Auth0
Once you have an account setup you can add a new "Application":
Then click on the "Create Application":
Then Create a "Single Page Web Application":
Gathering Information from Auth0
In order to setup the new JWT Signer we'll need to get some information from the new Auth0 Application that was just created.
Scroll down to the Advanced Settings and click on Endpoints
You’ll also need to write down the OAuth Token URL that will be used on the BrowZer App creation and the JSON Web Key Set.
Adding the callback & logout URL to your BrowZer App(s) you created
All BrowZer Apps have the following template:
- APP_NAME, is the name we’ll assign to the BrowZer app we’ll create.
- NET_NAME, is the name we’ll assign the first time you click on “BrowZer Apps”.
In Auth0, under Application/Settings you'll find "Allowed Callback URLs" and "Allowed Logout URLs".
You can add a single wildcard callback URL that covers every app created under the same NET_NAME. In this case NET_NAME=natashell, and the URL needs to be in this format: https://*.<NET_NAME>.browzer.cloudziti.io Keep the wildcard scoped to your own NET_NAME: a broader pattern would let Auth0 send the login response, and with it the user's token, to an origin you do not control.
Adding a JWT Signer & Authentication Policy
Create the JWT Signer
In the Console, Create a new JWT Signer
Using the values from Auth0, fill out the new JWT Signer dialog.
For the ISSUER, use the "Domain" value in the form https://<Domain>/
(Please make sure to add the trailing slash. The issuer must match the `iss` claim of the tokens Auth0 issues character for character, and Auth0 writes that claim with a trailing slash; without it every token is rejected.)
For the Audience, use the "Client ID" value. It is checked against the token's `aud` claim, which for an Auth0 ID token is the application's Client ID.
For the JWKS Endpoint, use the "JSON Web Key Set URL" value. The controller fetches the signing keys from this URL to verify token signatures, so it must be the URL of your own Auth0 tenant.
For the External Auth URL, use the "OAuth Token URL" value.
Finally, set the JWT Claim to "email" and set Identities to match on "External Id". The value of the token's email claim is compared with each identity's External Id, so the identities created in the following steps must carry the user's email address as their External Id.
Create the Authentication Policy
In the Console, Create a new Authentication Policy
In this example we disable the certificate options and use only the JWT Signer as the Authenticator, so identities assigned this policy can authenticate only with a token from Auth0.
Create or Assign Identities(Endpoints) to the Authentication Policy
In the Console, create or update the Identities (Endpoints) that will have access through BrowZer. Set each identity's External Id to the user's email address exactly as Auth0 presents it in the email claim, and make sure you have added the attributes referenced by your Service Policy (AppWan) so the identity has access to the service.
Finally, make sure each identity is assigned the Authentication Policy you created for BrowZer.
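The mapping between the Auth0 values and the JWT Signer fields is easier to see as the checks they cause the controller to perform. The following Python example is added here and is not part of the original guide or of the Ziti/CloudZiti code: it treats the JWT Signer settings (ISSUER with trailing slash, Audience = Client ID, Claims Property "email", matched on External Id) as data and applies them to constructed tokens, then resolves the identity by External Id. The domain, Client ID, identity names and secret are placeholders, and the tokens are signed with HS256/HMAC only so the example runs offline with the standard library; Auth0 signs with RS256 keys fetched from the JWKS URL you configured, and the claim checks are the same either way. It also shows the slash-less form of the same Domain that the BrowZer App's OIDC Base URL in Part 3 expects.

```python
import base64, hashlib, hmac, json, time

# Values copied from Auth0. Both are constructed placeholders for this example.
AUTH0_DOMAIN = "example-tenant.us.auth0.com"
AUTH0_CLIENT_ID = "AbC123exampleClientId"


def issuer_from_domain(domain):
    # JWT Signer ISSUER: https URL WITH the trailing slash, the form Auth0 puts in `iss`.
    return "https://%s/" % domain


def oidc_base_url_from_domain(domain):
    # BrowZer App OIDC Base URL: the same Domain WITHOUT the trailing slash.
    return "https://%s" % domain


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_toy_jwt(claims, secret):
    # HS256 stand-in: Auth0 signs with RS256 keys published at the JWKS endpoint.
    # HMAC is used only so this example runs offline with the standard library.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig))


def validate_for_signer(token, signer, secret, now=None):
    """The checks the JWT Signer settings encode: signature, exact `iss`,
    `aud` contains the Client ID, not expired. Returns the claims or raises."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, ("%s.%s" % (header_b64, payload_b64)).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != signer["issuer"]:  # exact string match: "x/" != "x"
        raise ValueError("issuer mismatch: %r != %r" % (claims.get("iss"), signer["issuer"]))
    aud = claims.get("aud")
    if signer["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def resolve_identity(claims, signer, identities):
    # Claims Property "email" matched on External Id: the claim value must equal
    # an identity's externalId, never its display name.
    subject = claims.get(signer["claims_property"])
    if not subject:
        raise ValueError("token has no %r claim" % signer["claims_property"])
    for ident in identities:
        if ident["externalId"] == subject:
            return ident
    raise ValueError("no identity with externalId %r" % subject)


# The JWT Signer from Part 2 as data, plus constructed sample Identities (Endpoints).
SIGNER = {"issuer": issuer_from_domain(AUTH0_DOMAIN),
          "audience": AUTH0_CLIENT_ID, "claims_property": "email"}
IDENTITIES = [{"name": "alice-browzer", "externalId": "alice@example.com",
               "attributes": ["browzer-users"], "authPolicy": "browzer-auth-policy"}]
SECRET = b"demo-only-hmac-secret"


def _rejected(token):
    try:
        validate_for_signer(token, SIGNER, SECRET)
        return False
    except ValueError:
        return True


def demo():
    """Mint tokens the way Auth0 would populate them and run the checks."""
    base = {"aud": AUTH0_CLIENT_ID, "email": "alice@example.com",
            "exp": int(time.time()) + 600}
    good = sign_toy_jwt(dict(base, iss=SIGNER["issuer"]), SECRET)
    name = resolve_identity(validate_for_signer(good, SIGNER, SECRET), SIGNER, IDENTITIES)["name"]
    return {
        "resolved": name,
        # `iss` in the OIDC Base URL form (no slash) is a different string: rejected.
        "slashless_issuer_rejected": _rejected(
            sign_toy_jwt(dict(base, iss=oidc_base_url_from_domain(AUTH0_DOMAIN)), SECRET)),
        "wrong_audience_rejected": _rejected(
            sign_toy_jwt(dict(base, iss=SIGNER["issuer"], aud="some-other-client"), SECRET)),
        "expired_rejected": _rejected(
            sign_toy_jwt(dict(base, iss=SIGNER["issuer"], exp=int(time.time()) - 60), SECRET)),
    }
```

Calling demo() returns the resolved identity name for the well-formed token and True for each of the three rejections. The slash-less issuer case is the one the Console dialog warns about: the two strings derive from the same Auth0 Domain, but only the form with the trailing slash equals what Auth0 writes into the token.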
Part 3: The BrowZer Application
In this section:
Make sure to complete the BrowZer Getting Started flow by clicking on "BrowZer Apps" in the navigation menu.
Create a BrowZer Application
In the Console, create a new BrowZer Application.
For the App Entry, select the Service you created in Part 1.
For the Public URL, you set a name for your app (APP_NAME); this name forms the hostname you will use to reach your service securely. In this case APP_NAME=private-app and the URL is
Set the OIDC Base URL to the "Domain" value from Auth0 in Part 2, in the format:
(This time without any slash at the end.)
Set the ClientID to the "Client ID" value you got from Auth0 in Part 2.
Access your Application