Introduction
This guide is a walkthrough for setting up a BrowZer application that gives browser users zero-trust access to an MRTG web interface, with no client software installed on the user's device.
Naming Conventions
In this document you may see the following acronyms, phrases, or words. This section explains what they represent in a general way.
- Zero Trust: "The main concept behind zero trust is 'never trust, always verify,' which means that devices should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN and even if they were previously verified." (Wikipedia)
- Ziti SDK: Zero Trust Software Development Kit from NetFoundry that is an application's interface to a Ziti network. The Ziti SDK lets an application be modified (pre-compile) so that it requests the resources it needs through the Ziti network instead of the local IP stack. The Ziti SDKs and the associated Ziti-enabled applications are fully open-source on GitHub. AKA - THE FUTURE!
- Service Policy (AppWan): A policy that groups the Identities (Endpoints) that are allowed to access Services with the Identities (Endpoints) that host those Services.
- Console: The Cloud Ziti NPaaS, a multitenant cloud solution that NetFoundry customers use to create, change, and delete the elements of a Ziti network.
- VPN: Virtual Private Network: any of several mechanisms that transport data on behalf of an application running on a client device. It is generally designed to extend a private network over public infrastructure and normally includes security protocols to protect the traffic while doing so. VPNs were not designed with Zero Trust in mind: once a device or user is authenticated it is usually placed on the network, so keeping it away from private services it is not entitled to requires heavy additional controls. AKA - THE OLD WAY!
- BrowZer: A group of Ziti components that work in concert to give a plain browser, with no installed client, access to web servers that are dark on the internet.
- MRTG: Multi Router Traffic Grapher, an open-source tool that polls routers, switches and hosts over SNMP, records interface traffic (and optionally other counters such as CPU or memory) and renders the history as HTML pages with graphs served by a web server such as Apache. In this guide MRTG is the dark web application that BrowZer exposes.
Prerequisites
- A Cloud Ziti Network is up and running.
- An MRTG instance up and running, with an edge router on the same host or network. This guide uses Ubuntu 22.04; follow the Appendix (Create Your Own MRTG Instance) to install MRTG and an autonomous edge router. In this example the edge router is named mrtg-er.
- In this example the MRTG server uses the default ports, 80 for HTTP and 443 for HTTPS. Make sure the Ziti service is configured with the same port the web server actually listens on.
Deployment
Part 1: Setup Needed Items to Support a BrowZer Application
Architecture diagram:
In this section:
- Create a WSS-enabled NetFoundry Hosted Edge Router
- Create an Edge Router Policy
- Create the Service
- Create a Service Policy
In the Console, create a NetFoundry Hosted Edge Router with the WSS Listener enabled. BrowZer requires at least one Edge Router with the WSS Listener enabled, because the BrowZer runtime executes inside the browser and can only reach the Ziti fabric over a WebSocket Secure (WSS) connection, not a raw TLS socket. Launching a NetFoundry Hosted Edge Router for this is recommended.
In the Console, Create an Edge Router Policy to ensure this router is available for your Identities (Endpoints).
Create Service
In the Console, create the Service through which you will access MRTG. We recommend using an advanced service.
- For the forward address, use the private IP of the MRTG host's eth0 interface; in this example it is 10.1.0.5. Use any FQDN for the intercept address (this is the name the service is reached by inside the Ziti network; it does not need to resolve in public DNS). Note: with docker-compose, the forward address is the MRTG container's IP or container name.
- The port is the port the MRTG web server listens on; in this example, port 80.
Note: For TLS/HTTPS testing, use port 443 instead of 80.
- For the hosting Identity, select the edge router mrtg-er, the router that forwards traffic to the MRTG host.
- Leave Forward Port checked (the default), so the port the client connects to is the port forwarded to the MRTG host.
Service Policy
In the Console, create a Service Policy (AppWan) that grants this Service to the client Identities (Endpoints) we will create in Part 2. Only Identities matched by this policy (and reachable through the Edge Router Policy above) can dial the MRTG service.
Part 2: Auth0 & JWT Signer
In this section:
- Create an Auth0 Account
- Create an Auth0 Application (SPA)
- Add callback & logout
- Create an Auth0 API
- Create an Auth0 Custom Trigger
- Gather Information from Auth0 needed
- Create a new JWT Signer
- Create a new Authentication Policy
- Create or update the Identities (Endpoints)
This tutorial uses Auth0 as the identity provider; other OIDC IdPs offer equivalent settings under different names. If you don't already have an account, you can sign up for a free one at https://auth0.com/signup
Adding a new Application in Auth0
Once you have an account set up, you can add a new "Application":
Then click on the "Create Application":
Then Create a "Single Page Web Application":
Adding the callback & logout URLs to the BrowZer App(s) you created
All BrowZer Apps have the following URL template:
https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io
where:
- APP_NAME is the name we'll assign to the BrowZer app we'll create.
- NET_NAME is the name we'll assign the first time you click on "BrowZer Apps".
In Auth0, under Application/Settings you'll find "Allowed Callback URLs" & "Allowed Logout URLs".
You can add one callback URL for all apps created under the same NET_NAME. In this case, NET_NAME=solarapp. The URL needs to be in this format: https://*.<NET_NAME>.browzer.cloudziti.io
For example:
https://*.solarapp.browzer.cloudziti.io
Put the same URL under "Allowed Logout URLs" as well. Keep the wildcard limited to your own NET_NAME: Auth0 will send the login callback to any origin that matches this list, so a broader pattern would let an unrelated host receive it.
Create an API
Now you can add a new "API":
Click on Create API
Fill out the form using the BrowZer app URL as the Identifier (the API's audience):
https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io
This value is placed in the aud claim of every access token issued for the API, and the JWT Signer in the Console will reject tokens whose audience does not match it exactly.
Create a custom trigger
Under Actions select "Triggers":
Click on "post-login":
Click on the + symbol & select "Build from Scratch":
Name the new Action "Add Email to Access Token":
Remove the prefilled content & paste the following:
/**
 * Handler called during a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the
 * context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be
 * used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  // event.authorization is only set when the login is granting access to an
  // application, which is when the access token BrowZer will present is minted.
  if (event.authorization) {
    // The JWT Signer created later reads this claim to find the Ziti Identity
    // whose External Id equals the user's email address.
    api.accessToken.setCustomClaim(`email`, event.user.email);
  }
};
then click on "Deploy":
Return to "post-login" & click on "Custom"
Click and drag your Add Email to Access Token Action onto the Trigger, then drop it into place, then click Apply in the top right.
Gathering Information from Auth0
To set up the new JWT Signer we'll need some information from the Auth0 Application that was just created.
Under the Application's Settings, note the "Domain" and "Client ID" values, then scroll down to Advanced Settings and click on Endpoints.
From the Endpoints tab, write down the "OAuth Token URL" and the "JSON Web Key Set URL"; both are needed for the JWT Signer in the next step.
Adding a JWT Signer & Authentication Policy
Create the JWT Signer
In the Console, create a new JWT Signer.
Using the values from Auth0, fill out the information in the new JWT Signer dialog.
For the Issuer, use the "Domain" value in the form
https://<Domain>/
Please make sure to add the trailing slash: Auth0 writes the issuer into the iss claim exactly as https://<Domain>/ and the signer compares the strings exactly, so a missing slash means every token is rejected.
For the Audience, use the Identifier you used when creating the API above.
For the JWKS Endpoint, use the "JSON Web Key Set URL" value. The controller fetches Auth0's public keys from here and uses the key whose kid matches the token header to verify the signature.
For the External Auth URL, use the "OAuth Token URL" value.
Finally, set the JWT Claim (claims property) to "email" and the identity lookup to "External Id": the value of the token's email claim is matched against the External Id of an Identity, and that Identity is the one that gets authenticated.
Create the Authentication Policy
In the Console, Create a new Authentication Policy
In this example, we disable the certificate options & use only the JWT Signer as the primary authenticator, so a BrowZer user is authenticated solely by a valid Auth0 token whose email claim matches an Identity's External Id.
Create or Assign Identities(Endpoints) to the Authentication Policy
In the Console, create or update the Identities (Endpoints) that will have access to BrowZer. Set each Identity's External Id to the user's email address exactly as Auth0 will put it in the email claim; each External Id must be unique, since the claim value is used to look up a single Identity. Please ensure you have added the attributes you used in your Service Policy (AppWan) to the Identities (Endpoints) so they have access to the service.
Finally, make sure each Identity uses the Authentication Policy you created for BrowZer.
Part 3: The BrowZer Application
In this section:
- BrowZer Getting Started
- Create a new BrowZer Application
- Access the Application
Make sure to complete the BrowZer Getting Started by clicking on the BrowZer Apps in the navigation menu.
Create a BrowZer Application
In the Console, create a new BrowZer Application.
For the App Entry, select the service you created in Part 1.
For the Public URL, set a name for your app (APP_NAME); this name, together with NET_NAME, forms the URL you'll use to reach your service securely. In this case APP_NAME=mrtg and NET_NAME=solarapp, so the URL is
https://mrtg.solarapp.browzer.cloudziti.io
Set the OIDC Base URL to the "Domain" value from Auth0 in Part 2, in the format:
https://<Domain>
(This time without a trailing slash.)
Set the Client ID to the "Client ID" value you got from Auth0 in Part 2.
Access your Application
Open https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io (here https://mrtg.solarapp.browzer.cloudziti.io) in a browser. BrowZer redirects you to Auth0 to log in; after a successful login the access token is presented to the Ziti controller, which verifies it against the JWT Signer and authenticates the Identity whose External Id matches the email claim, and the MRTG pages are then fetched through the WSS-enabled edge router over the Ziti fabric. If the Auth0 login succeeds but the page does not load, check the exact-match values first: the Issuer's trailing slash, the Audience, and the Identity's External Id.
Create Your Own MRTG Instance
Note: This example creates the MRTG instance on an Ubuntu 22.04 Linux server. If you are using another OS or a Docker instance, follow the guide here.
First, update the APT package index and upgrade the installed packages:
sudo apt update
sudo apt upgrade -y
Install Apache, the SNMP daemon and the SNMP client tools (the snmp package provides snmpwalk, which is handy for checking that snmpd answers):
sudo apt-get install -y apache2 snmpd snmp
Open the SNMP daemon configuration file and change the community lines as shown below:
sudo vi /etc/snmp/snmpd.conf
#rocommunity public default -V systemonly
#rocommunity6 public default -V systemonly
rocommunity public localhost
The two default lines restrict the "public" community to the systemonly view, which does not include the interface table MRTG needs; the replacement line exposes the full read-only tree, but only to queries from localhost. Leave the default agentaddress setting (127.0.0.1 and ::1) in place so the well-known "public" community string is never reachable from the network; if you ever make snmpd listen on eth0, change the community string as well.
Restart the SNMP service for the change to take effect:
sudo systemctl restart snmpd
Now install the MRTG package. The installer will ask whether to create the directory /var/www/html/mrtg; answer yes.
sudo apt-get install -y mrtg
The /etc/mrtg and /var/www/html/mrtg directories do not need to be made writable by everyone: the generator commands accept an output path, so they can simply be run with sudo.
Generate the MRTG configuration file. MRTG refuses to run without a WorkDir, and cfgmaker only emits one as a comment, so set it explicitly:
sudo cfgmaker --global 'WorkDir: /var/www/html/mrtg' --output /etc/mrtg/mrtg.cfg public@localhost
Once the config file is created, create an index page for the web server:
sudo indexmaker --output /var/www/html/mrtg/index.html /etc/mrtg/mrtg.cfg
Then restart the MRTG service:
sudo systemctl restart mrtg
Open a web browser and go to http://<server IP>/mrtg/ to view the MRTG graphs. This page only needs to be reachable from the edge router mrtg-er; it does not need to be exposed to the internet.
Install a TLS/SSL certificate to access MRTG over HTTPS/443 (optional):
sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo systemctl restart apache2
This enables Apache's default-ssl site, which uses the self-signed "snakeoil" certificate Ubuntu generates at install time (/etc/ssl/certs/ssl-cert-snakeoil.pem). That is enough to test the service on port 443, but browsers will warn about it. To use a CA-issued certificate instead, generate a key and CSR, have the CSR signed by your CA, and point SSLCertificateFile and SSLCertificateKeyFile in /etc/apache2/sites-available/default-ssl.conf at the resulting certificate and key before restarting Apache:
sudo openssl req -new -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr
Steps to install the Autonomous Router:
Follow the deploy edge router guide to install an autonomous edge router on the MRTG host (or on a host that can reach it). This router is the mrtg-er Identity that hosts the Service in Part 1.