Introduction
NetFoundry's BrowZer offers simple and secure access to any private web app over the internet underlay based on trusted identity using only a browser. A private overlay network is created from your browser to access the web app and your web app is no longer reachable over a public domain address. Currently, the product supports only Chromium browsers such as Google Chrome, Microsoft Edge, Brave, etc.
Read more about Browzer
This guide is a walk-through to set up a BrowZer application using CloudZiti with AzureAD as IDP.
Key Benefits of "BrowZer"
- Provides highly secure access to web apps over "Chromium" browsers on any internet.
- Based on Zero Trust networking principles with 6 layers of protection
- Apps are made dark, i.e. they are not reachable on public domains
- Integrates with your AzureAD tenant for strong authentication
- No need to install any endpoint or software on the device to access web apps
- Faster onboarding of users to provide highly secure and private access to web apps
- Routing over a globally available smart fabric with CloudZiti
- Host web apps on any cloud anywhere; achieve secure access via NetFoundry Cloud + BrowZer.
Prerequisites
- A Cloud Ziti Network that is up and running.
- A Web Application
- An Entra tenant
Deployment
Step 1: Configure your CloudZiti network to support a BrowZer Application
Please refer to the NetFoundry support guide BrowZer Getting Started in order to launch BrowZer applications on an existing CloudZiti network.
Your network must be at least version 7.3.91. Learn how to identify your network version here.
A. Create a WSS-enabled NetFoundry Hosted Edge Router
In the NetFoundry console, Create a NetFoundry Hosted Edge Router with the WSS Listener enabled. BrowZer requires at least one Edge Router with the WSS Listener enabled. NetFoundry-hosted Edge Routers provide data transport as part of the fabric for endpoints and customer edge routers to dial to the fabric.
B. Create an Edge Router Policy
In the Console, Create an Edge Router Policy.
Edge Router Policies define which Edge Routers specific Endpoints may use (this can be used for network transport segregation/optimization).
C. Create the Service
The service definition provides the details of what device (or devices) will be utilized to provide access to services, either on the device itself (a Zero Trust Client SDK application) or on the network connected to the device (via its LAN, for example).
D. Create a Service Policy (AppWAN)
The AppWAN(Service Policy) defines the services that can be accessed by one or more client endpoints.
In the Console, Create a Service Policy(AppWan) to allow access to the specified endpoints.
Step 2: Create an Entra application or Fetch App details from Entra
A) For BrowZer versions 0.78.1 and above, the ID token is replaced with an access token. The following steps apply to these deployments: https://openziti.io/docs/identity-providers-for-browZer-entra
- Add an Optional claim to the Token configuration, as described in the OpenZiti docs here.
- Expose an API, as described in the OpenZiti docs here.
- Make sure someone is made the Owner of the Entra application, as described in the OpenZiti docs here.
- Adjust the API permissions, as described in the OpenZiti docs here.
- Adjust the Manifest of the Entra application, as described in the OpenZiti docs here.
The BrowZer architecture requires the use of an Identity Provider (IdP) capable of facilitating SSO.
In this solution recipe, we have deployed Entra as the IDP.
B) For BrowZer versions 0.77.x and earlier, the following steps in Azure are applicable.
In the Azure console, click on "App registrations" to register an application that will act as the IDP.
Register an application
- The Application (client) ID is used in the:
  - "AUDIENCE" field under the JWT Signer config [Step 3]
  - "CLIENT ID" field under the BrowZer App config [Step 5]
- The Directory (tenant) ID is used in the:
  - "Issuer" & "JWKS Endpoint" fields under the JWT Signer config [Step 3]
  - "OIDC BASE URL" field under the BrowZer App config [Step 5]
Step 3: Create the JWT Signer
You can access & manage the JWT Signers in the console by finding the icon on the left-hand side navigation menu.
and then click on the "JWT Signers" tab on the top navigation menu.
To add a JWT Signer, click on the symbol at the top right of the page.
In order to set up the JWT Signer we'll need some information from the Entra application that was just created.
- "Signer Name": Give the JWT Signer a name.
- "Issuer": The issuer includes the <Directory (tenant) ID> in the following format: https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0
- "Audience": <Application (client) ID>
- "JWKS Endpoint": A JSON Web Key Set (JWKS) endpoint that returns the public keys used to validate the token signature. The JWKS Endpoint includes the <Directory (tenant) ID> in the following format: https://login.microsoftonline.com/<Directory (tenant) ID>/discovery/keys
In the "Match JWT to Identity When" section:
- "JWT Claim's": Set the JWT Claim "email".
- "Identity's": Select the Identities as "External Id".
"External Auth URL": Set the external authentication URL of the JWT signer to https://login.microsoftonline.com/
Once you have created a new JWT Signer it can be assigned to an Authentication Policy.
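The Step 3 values and the email-claim match can be sanity-checked offline. The following is an added example (not NetFoundry or OpenZiti code) that derives the JWT Signer fields from placeholder tenant and client IDs and flags a token whose issuer, audience or email claim do not line up with them; the IDs are placeholders and the tokens are constructed, unsigned samples.

```python
# Added example (not NetFoundry/OpenZiti code): build the Step 3 JWT Signer values
# from the Entra tenant and application IDs, then check that a token's claims line
# up with them the way the "Match JWT to Identity When" rule expects.
import base64
import json

def jwt_signer_config(tenant_id: str, client_id: str) -> dict:
    """Return the values entered in the JWT Signer form for an Entra tenant."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "issuer": f"{base}/v2.0",
        "audience": client_id,
        "jwks_endpoint": f"{base}/discovery/keys",
        "external_auth_url": "https://login.microsoftonline.com/",
        "claim": "email",  # JWT claim matched against the identity's External Id
    }

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT (header.payload.signature); no verification."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def check_token_matches_signer(token: str, cfg: dict) -> list:
    """List mismatches between the token's claims and the JWT Signer config. Signature
    checking against the JWKS endpoint is the controller's job; this only catches
    configuration mistakes (wrong tenant, wrong app, missing email claim)."""
    claims = token_claims(token)
    problems = []
    if claims.get("iss") != cfg["issuer"]:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if aud != cfg["audience"] and not (isinstance(aud, list) and cfg["audience"] in aud):
        problems.append(f"audience mismatch: {aud!r}")
    if not claims.get(cfg["claim"]):
        problems.append(f"missing {cfg['claim']} claim; identity cannot be matched")
    return problems

def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token with an empty signature, for offline demonstration only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."

TENANT = "00000000-0000-0000-0000-00000000aaaa"  # placeholder Directory (tenant) ID
CLIENT = "11111111-1111-1111-1111-11111111bbbb"  # placeholder Application (client) ID
CFG = jwt_signer_config(TENANT, CLIENT)
GOOD = make_unsigned_token({"iss": CFG["issuer"], "aud": CLIENT, "email": "user@example.com"})
BAD = make_unsigned_token({"iss": f"https://login.microsoftonline.com/{TENANT}/", "aud": CLIENT})
```

Running `check_token_matches_signer(BAD, CFG)` reports the v1-style issuer and the missing email claim, the two mistakes that most often leave an Entra login unable to match a Ziti identity.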
Step 4: Create the Authentication Policy
Authentication occurs when a client wishes to interact with the Controller. Read more about Authentication Policies & Ziti Authentication
You can access & manage the Authentication Policies in the console by finding the icon on the left-hand side navigation menu:
and then click on the "Authentication Policies" tab on the top navigation menu:
In this example, we disable the certificate options & only use the JWT Signer as the Authenticator.
Step 5: Create a BrowZer Application
Access the BrowZer Applications in the console from the left-hand side navigation menu:
To add a new BrowZer application, click on the symbol at the top right of the page.
Application Name: Give the BrowZer application a name.
Primary Settings
- Select the service configured in Step 1.C in the 'App Entry Point' section.
- Service Requires Https: (This feature is NOT Currently supported)
Public Access Point Settings
- Public URL: This will be the hostname that you use to access your application. Must be unique per the BrowZer app and must meet domain name qualifications.
User Authentication Settings
- "OIDC BASE URL": should include the <Directory (tenant) ID> in the following format: https://login.microsoftonline.com/<Directory (tenant) ID>/
- "Client ID": <Application (client) ID>
Step 6: Configure the Entra 'Application' callback
Set the callback URL of the Entra application to https://<APP_NAME>.browzer.cloudziti.io/, where <APP_NAME> is the name of the BrowZer app.
Step 7: Create or Assign Identities(Endpoints) to the Authentication Policy
In the Console, Create or update the Identities (Endpoints) that will have access to BrowZer by choosing the 'AUTHORIZATION POLICY' to match the policy created in Step 4.
Please ensure you have added the attributes you defined in your Service Policy (AppWan) to the Identities (Endpoints) so they'll have access to the service.
Enjoy Using BrowZer