BrowZer Deployment using The NetFoundry Cloud with Entra as IDP

Introduction

NetFoundry's BrowZer offers simple and secure access to any private web app over the internet underlay, based on trusted identity and using only a browser. A private overlay network is created from your browser to the web app, and the web app is no longer reachable at a public domain address. Currently, the product supports only Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, etc.

Read more about BrowZer

This guide is a walk-through for setting up a BrowZer application using CloudZiti with AzureAD (Entra) as the IDP.

Key Benefits of "BrowZer"

  • Provides highly secure access to web apps over "Chromium" browsers on any internet.
  • Based on Zero Trust networking principles with 6 layers of protection
  • Apps are made dark, i.e., they are not reachable on public domains
  • Integrates with your AzureAD tenant for strong authentication
  • No need to install any endpoint or software on the device to access web apps
  • Faster onboarding of users to provide highly secure and private access to web apps
  • Routing over a globally available smart fabric with CloudZiti
  • Host web apps on any cloud anywhere; achieve secure access via NetFoundry Cloud+ BrowZer. 

Prerequisites

  • A CloudZiti Network that is up and running.
  • A Web Application
  • An Entra tenant


Deployment

Step 1: Configure your CloudZiti network to support a BrowZer Application

Please refer to the NetFoundry support guide BrowZer Getting Started in order to launch BrowZer applications on an existing CloudZiti network.

Your network must be at least version 7.3.91. Learn how to identify your network version here.

A. Create a WSS-enabled NetFoundry Hosted Edge Router

In the NetFoundry console, Create a NetFoundry Hosted Edge Router with the WSS Listener enabled. BrowZer requires at least one Edge Router with the WSS Listener enabled. NetFoundry-hosted Edge Routers provide data transport as part of the fabric for endpoints and customer edge routers to dial to the fabric.  


B. Create an Edge Router Policy

In the Console, Create an Edge Router Policy. 

Edge Router Policies - Defines specific Edge Routers for specific Endpoints (can be used for Network Transport segregation/optimization).


C. Create the Service

The service definition provides the details of which device (or devices) will be used to provide access to services, either on the device itself (a Zero Trust Client SDK application) or on the network connected to the device (via its LAN, for example).
In the Console, Create the Service for the web application. Assign the Identities (Endpoints) that have reachability to the web application.

D. Create a Service Policy (AppWAN)

The AppWAN (Service Policy) defines the services that can be accessed by one or more client endpoints.

In the Console, Create a Service Policy (AppWAN) to allow access to the specified endpoints.


Step 2: Create an Entra application or Fetch App details from Entra

A) For BrowZer versions 0.78.1 and above, the ID token is replaced with an access token. The following steps apply to these deployments: https://openziti.io/docs/identity-providers-for-browZer-entra

  1. Add an Optional claim to the Token configuration as described in the OpenZiti docs here.

  2. Expose an API as described in the OpenZiti docs here.

  3. Make sure someone is made the Owner of the Entra application as described in the OpenZiti docs here.

  4. Adjust the API permissions as described in the OpenZiti docs here.

  5. Adjust the Manifest of the Entra application as described in the OpenZiti docs here.

The BrowZer architecture requires the use of an Identity Provider (IdP) capable of facilitating SSO.

In this solution recipe, we have deployed Entra as the IDP.

B) For BrowZer versions 0.77.x and earlier, the following steps in Azure are applicable.

In the Azure console, to register an application that will act as the IDP, click on "App registrations".

Register an application

  • The Application (client) ID would be used in the
    • "AUDIENCE" field under JWT Signer config [Step 3]
    • "CLIENT ID" field under the BrowZer App config [Step 5]
  • The Directory (tenant) ID would be used in the
    • "Issuer" & "JWKS Endpoint" fields under the JWT Signer config [Step 3]
    • "OIDC BASE URL" field under the BrowZer App config [Step 5]

Step 3: Create the JWT Signer

You can access & manage the JWT Signers in the console by finding the icon on the left-hand side navigation menu.

and then click on the "JWT Signers" tab on the top navigation menu.

To add a JWT Signer, click on the symbol at the top right of the page.

In order to set up the JWT Signer, we'll need some information from the new Entra Application that was just created.

Note down the "Application (client) ID" and "Directory (tenant) ID" values

  • "Signer Name": Give the JWT Signer a name.
  • "Issuer": The issuer includes the <Directory (tenant) ID> in the format below.
    • https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0
  • "Audience": <Application (client) ID>
  • "JWKS Endpoint": A JSON Web Key Set (JWKS) endpoint that returns the public keys used to validate the token signature. The JWKS Endpoint includes the <Directory (tenant) ID> in the format below.
    • https://login.microsoftonline.com/<Directory (tenant) ID>/discovery/keys

In the "Match JWT to Identity When" section:

  • "JWT Claim's": Set the JWT claim to "email".
  • "Identity's": Select the identity attribute "External Id".

"External Auth URL": Set the external authentication URL of the JWT signer to https://login.microsoftonline.com/

Once you have created a new JWT Signer, it can be assigned to an Authentication Policy.

Step 4: Create the Authentication Policy

Authentication occurs when a client wishes to interact with the Controller. Read more about Authentication Policies: Ziti Authentication

You can access & manage the Authentication Policies in the console by finding the icon on the left-hand side navigation menu:

and then click on the "Authentication Policies" tab on the top navigation menu:

In this example, we disable the certificate options & only use the JWT Signer as the Authenticator.

Step 5: Create a BrowZer Application

Access the BrowZer Applications in the console from the left-hand side navigation menu: 

To add a new BrowZer application, click on the symbol at the top right of the page.

Application Name: Give the BrowZer application a name.

Primary Settings

  • Select the service configured in Step 1.C in the 'App Entry Point' section.
  • Service Requires Https: (This feature is NOT currently supported)

Public Access Point Settings

  • Public URL: This will be the hostname that you use to access your application. Must be unique per the BrowZer app and must meet domain name qualifications.

User Authentication Settings

  • "OIDC BASE URL" should include <Directory (tenant) ID> in the below format.
    • https://login.microsoftonline.com/<Directory (tenant) ID>/
  • "Client ID": <Application (client) ID>

Step 6: Configure the Entra 'Application' callback

In the new application 'nginx-aws-skip' created in Step 2.A, configure 'Redirect URIs' to https://<APP_NAME>.browzer.cloudziti.io/, where <APP_NAME> is the name of the BrowZer app.

Step 7: Create or Assign Identities(Endpoints) to the Authentication Policy

In the Console, Create or update the Identities (Endpoints) that will have access to BrowZer by setting their 'AUTHORIZATION POLICY' to the policy created in Step 4.

Please ensure you have added the attributes you defined in your Service Policy (AppWAN) to the Identities (Endpoints) so they have access to the service.

Enjoy Using BrowZer

The URL to access is the Public URL you configured in Step 5.
The web app accessed via BrowZer is not reachable directly from the Internet. The application is therefore dark to the outside world and reachable only within the NetFoundry network.
