Accessing Solarwinds with BrowZer

Introduction

This guide is a walkthrough to set up a BrowZer application to access SolarWinds. 

Naming Conventions

In this document, you may see the following acronyms, phrases, or words. This explains what they represent in a general way.

  • Zero Trust: “The main concept behind zero trust is “never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN and even if they were previously verified.” (Wikipedia)

  • Ziti SDK: Zero Trust Software Development Kit created by NetFoundry which is an interface to a ZITI network. The ZITI SDK enables easy application modification (pre-compile) to augment the way the application requests access to resources it requires to perform work. ZITI SDKs and associated ZITI-enabled applications are completely open-source works on GitHub. AKA - THE FUTURE!

  • ServicePolicy(AppWan): A Service Policy (AppWan) is a policy that groups Identities (Endpoints) that shall be able to access other Identities (Endpoints) that provide services.

  • Console: The CloudZiti NPaaS, a multitenant, cloud solution that customers of NetFoundry utilize to manipulate, augment, create, and destroy elements of a ZITI network.

  • VPN: Virtual Private Network: A mechanism, implemented in many different ways, that transports data on behalf of an application running on a CLIENT device. It is generally designed to extend private networks over public infrastructure and normally includes security protocols to protect the traffic while doing so. VPNs were not designed with Zero Trust in mind: they must be heavily augmented to protect private services from unauthorized access, even by authenticated devices/users. AKA - THE OLD WAY!

  • BrowZer: A group of Ziti components that work in concert to enable and facilitate clientless browser access to web servers that are dark on the internet.

  • SOLARWINDS: a non-open-source suite of integrated business applications that includes modules for various business needs such as IT operations management (ITOM), IT service management (ITSM) network device management, Network monitoring, Bandwidth Graph/CPU/memory management, and more.

Prerequisites

  • A Cloud Ziti Network is up and running.
  • A SolarWinds instance is up and running. We use Windows Server 2022 for the SQL and SolarWinds setup. Please follow the Appendix instructions to install the SolarWinds instance and make sure the firewall rules allow access to the server.
  • In this example, the SolarWinds server's IIS default port 8787 is changed to 80. SolarWinds recommends leaving the default port 8787; HTTP port 80 is used here only to show how the default port can be changed. Make sure the same port is used when configuring the Ziti service.

 

Deployment 

Part 1: Setup Needed Items to Support a BrowZer Application

Architecture diagram:

In this section:

In the Console, create a NetFoundry Hosted Edge Router with the WSS Listener enabled and create a Private Edge Router. BrowZer requires at least one Edge Router with the WSS Listener enabled. Launching an NF Hosted Edge Router is recommended.

Create a Private ER

Follow the steps to create a Private ER. Use the name SOLARWINDS-ER. This ER should be in the same subnet as the SolarWinds server; if not, make sure the ER can reach the SolarWinds server.

Create Service

In the Console, create the Service you will use to access SolarWinds. We recommend using an advanced service.

  • For the Intercept IP, use the SolarWinds server's private IP.
  • The PORT is the port mapped to the SolarWinds site in IIS. In our example, use port 80 (or the default port 8787 if you didn't change it).
  • For Identities, select the Private Edge Router (SOLARWINDS-ER) we just created.
  • Leave Forward Address and Forward Port checked (the default).

 

Service Policy

In the Console, Create a Service Policy(AppWan) to allow access to the specified clients we’ll create later.

Part 2: Auth0 & JWT Signer

In this section:

This tutorial follows the Auth0 settings; other IdPs will have their own settings. If you don't already have an account, you can sign up for a free account at https://auth0.com/signup

Adding a new Application in Auth0

Once you have an account set up you can add a new "Application":

Then click on "Create Application":

Then create a "Single Page Web Application":

 

 

Gathering Information from Auth0

In order to setup the new JWT Signer we'll need to get some information from the new Auth0 Application that was just created.

 

From the Application, we’ll need to write down a few values. From the Basic Information, gather the “Domain” and “ClientID”.

Scroll down to the Advanced Settings and click on Endpoints.

You’ll also need to write down the OAuth Token URL, which will be used when creating the BrowZer App, and the JSON Web Key Set URL.

 

Adding the callback & logout URL to your BrowZer App(s) you created

All BrowZer Apps have the following template:

https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io

where:

  • APP_NAME, is the name we’ll assign to the BrowZer app we’ll create.
  • NET_NAME, is the name we’ll assign the first time you click on “BrowZer Apps”.

In Auth0, under the Application/Settings you'll find "Allowed Callback URLs" & "Allowed Logout URLs"

You can add one callback URL for all apps created under the same NET_NAME. In this case, NET_NAME=solar. The URL needs to be in this format: https://*.<NET_NAME>.browzer.cloudziti.io

For example:

https://*.solar.browzer.cloudziti.io

Put the same URL under the "Allowed Logout URLs" as well.

Adding a JWT Signer & Authentication Policy

Create the JWT

In the Console, Create a new JWT Signer

Using the values from Auth0 fill out the information in the new JWT Signer dialog.

For the ISSUER, use the “Domain” value.

https://<Domain>/ 

(Please make sure to add the trailing slash).

For the Audience, use the “ClientID” value.

For the JWKS Endpoint, use the "JSON Web Key Set URL" value.

For the External Auth URL, use the "OAUTH Token URL" value.

Finally, set the JWT Claim to "email" and the Identities mapping to "External Id".

 

Create the Authentication Policy

In the Console, Create a new Authentication Policy

In this example, we disable the certificate options & only use the JWT Signer as the Authenticator.

 

Create or Assign Identities(Endpoints) to the Authentication Policy

In the Console, create or update the Identities (Endpoints) that will have access to BrowZer. Please ensure you have added the attributes referenced by your Service Policy (AppWan) to the Identities (Endpoints), so they have access to the service.

Finally, make sure each Identity is assigned the Authentication Policy you created for BrowZer.

 

Part 3: The BrowZer Application

In this section:

Make sure to complete the BrowZer Getting Started by clicking on the BrowZer Apps in the navigation menu.

Create a BrowZer Application

In the MOP Console, Create a new BrowZer Application.

For the App Entry, Select the service you created on Part 1.

For the Public URL, set a name for your app (APP_NAME); this name forms the whole URL you’ll use to access your service securely. In this case, APP_NAME=solarapp, which gives the URL:

https://solarapp.solar.browzer.cloudziti.io

Set the OIDC Base URL to the “Domain” value from Auth0 in Part 2, in the format:

https://<Domain>

(This time without any slash at the end.)

Set the ClientID to the "ClientID" value you got from Auth0 in Part 2.
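To make the exact values concrete, here is an added Python example (not NetFoundry's or Auth0's code) that derives the JWT Signer fields of Part 2 and the OIDC Base URL of Part 3 from the Auth0 Domain and ClientID, and checks a token payload the way those settings require. The JWKS and token URL paths are assumed to be Auth0's standard tenant endpoints; the host, client id and claims are constructed sample values.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class JwtSignerConfig:
    issuer: str             # must keep the trailing slash
    audience: str           # the Auth0 ClientID
    jwks_endpoint: str      # "JSON Web Key Set URL" from the Auth0 Endpoints tab
    external_auth_url: str  # "OAuth Token URL" from the Auth0 Endpoints tab
    claims_property: str = "email"  # claim mapped to the identity's External Id


def auth0_host(domain: str) -> str:
    """Normalise the Auth0 'Domain' field: strip any scheme, path and slashes."""
    d = domain.strip()
    if "://" in d:
        d = urlparse(d).netloc
    return d.strip("/")


def build_jwt_signer(domain: str, client_id: str) -> JwtSignerConfig:
    """Values for the Console's JWT Signer dialog (Part 2). JWKS and token paths
    are assumed to be Auth0's standard ones; copy from the Endpoints tab if not."""
    host = auth0_host(domain)
    return JwtSignerConfig(
        issuer=f"https://{host}/",
        audience=client_id,
        jwks_endpoint=f"https://{host}/.well-known/jwks.json",
        external_auth_url=f"https://{host}/oauth/token",
    )


def oidc_base_url(domain: str) -> str:
    """BrowZer app 'OIDC Base URL' (Part 3): same host, no trailing slash."""
    return f"https://{auth0_host(domain)}"


def check_claims(claims: dict, signer: JwtSignerConfig, now: float) -> list[str]:
    """Reasons a token payload would fail the signer's checks (empty = accepted).
    Signature verification against the JWKS endpoint is the controller's job."""
    problems = []
    if claims.get("iss") != signer.issuer:  # exact match: "https://x" != "https://x/"
        problems.append("iss")
    aud = claims.get("aud")
    if signer.audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if not claims.get(signer.claims_property):
        problems.append(signer.claims_property)
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    return problems
```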

Access your Application

The access URL is the one you got in the previous step. For this tutorial, the URL is:

https://solarapp.solar.browzer.cloudziti.io/

After authenticating with the Google email that is set up in the endpoint authentication policy, you will be connected to the SolarWinds landing page. If this is your first time connecting to the page, you will be presented with the SolarWinds login screen. Please log in with the username and password that were set up in the SolarWinds configuration (please refer to the Appendix for information).

After the login with username and password

APPENDIX

Create Your Own Solarwinds Instance

  • Please follow the above instructions and set up the SolarWinds/SQL server as per requirements.
  • Optionally, you can change the SolarWinds access port from default 8787 to 80 on IIS. For SSL/TLS access change the protocol to HTTPS and keep default port 8787.