What is Portnox Private Access and how does it work?

In this topic, you will learn what the Portnox™ Private Access service is and how it works.

The Portnox Private Access service provides secure user access to private web applications. It eliminates the need for a VPN when the VPN's only purpose is to give users access to private web applications.

By private web application, we mean a web application that is not available to the general public. It can be hosted on-premises or in a secure cloud instance and is intended only for employee access. With the rise of remote work, such applications are often used by remote employees, requiring a secure channel over insecure Internet connections.

Traditionally, VPNs are used to create secure channels. However, VPNs are difficult to manage and often expensive, sometimes requiring specialized equipment for on-premises setups. Portnox Private Access provides a simpler, affordable solution for web application access. The only requirements are to set up a virtual machine with a Docker container, or a cloud container instance, in the same local network as the applications that users need to access, and to install Portnox AgentP on user devices.

How does Private Access work?

If your application is integrated with Portnox Private Access, here is what happens when an example user tries to access the application.

From the user’s point of view, the process is almost identical to the one when the user logs in to a public web application.

  1. The user types the address (URL) of the web application in their browser to access it. Depending on how the organization’s administrator sets up Portnox Cloud, this URL can be in the customer’s domain (for example, https://application.vorlon.com) or in the portnox.com domain (for example, https://application.us.portnox.com).

    Note: To use your own domain, the organization administrator must add a special entry to the organization’s DNS server.
  2. The user is then connected to Portnox Cloud. Portnox Cloud requests the user's client certificate from the browser, which retrieves it from the certificate store of the underlying operating system, and uses this certificate to authenticate the user.

    Note: AgentP installs this certificate in the operating system when the user enrolls with AgentP. AgentP invalidates this certificate if it discovers that the user's device no longer meets the organization's security policy requirements, so a device that falls out of compliance loses access without any change to the application itself.
  3. Portnox Cloud then establishes a secure tunnel from the browser to the private application, without any extra steps needed from the user.

    Note: The tunnel runs from the browser to Portnox Cloud, from Portnox Cloud to the Docker container in your application's local network, and from the Docker container to the application. Each leg of the connection is encrypted.

What do you need to be able to use Private Access?

To be able to use Portnox Private Access, you need to meet the following conditions.

  • You need to buy a Portnox Private Access license.

  • You need to have a configured cloud-based authentication repository such as Microsoft Entra ID (formerly Azure Active Directory) or Google Workspace. Portnox Cloud must work together with your authentication repository to know the users accessing your applications.

  • You need to be able to run a Portnox Docker container in the local network where you host your private applications. You can run the Docker container on a physical or virtual machine, using many operating systems (Linux, Windows, macOS). You can also run the Docker container in a cloud such as Azure container instances, AWS, or Google Cloud, if this is where you host your private web applications.

  • Your users need to have Portnox AgentP installed on all their devices that need to access the private applications. You can distribute AgentP using your endpoint management solutions such as Intune, or you can ask your users to install AgentP manually.

    Note: If you want to ask your users to install AgentP manually, you can give them the following link: https://docs.portnox.com/caa/. This link contains end-user instructions for all popular desktop/mobile operating systems: Windows, macOS, iOS, and Android. This documentation was created originally for Portnox Conditional Access, but the process is exactly the same for Portnox Private Access.
  • Optionally: If you want to use a URL in your organization's domain, you need to be able to modify the organization's domain DNS server to add an IN CNAME record, and you need to buy a TLS certificate with a private key for this URL, or use a wildcard certificate if you have one for your domain. Note that the certificate and private key are uploaded to Portnox Cloud, so keep that in mind when deciding whether to use a broad wildcard certificate or a certificate issued only for this hostname.

How is the integration with Private Access configured?

For Private Access to work, you need to create at least one gateway and at least one application entry in Portnox Cloud, and you need to run the Docker container in the local network where you host your private applications.

Creating a gateway entry in Portnox Cloud

  1. You need to choose where your gateway is located. Portnox Cloud provides two locations: one US-based and one EMEA-based. Choose the location closest to where you host your web applications; both locations perform well, and if your applications are hosted outside the US and EMEA, you can use either location without any noticeable performance loss.
  2. You need to install Docker on a physical or virtual machine in the local network where you host your private web applications. If you host your private web applications in a cloud such as Azure, AWS, or Google Cloud, you need to use the provider’s mechanism to create a Docker instance in the same local network, for example, Azure container instances.
  3. You need to create a Docker container by running a command provided by Portnox Cloud. This makes it very easy to create the container correctly, even if your knowledge of Docker is very limited.

Creating an application entry in Portnox Cloud

  • You need to choose which gateway the application works with.

  • You need to choose if you want to use a Portnox URL for the application, or a URL in your organization’s domain:

    • If you want to use a portnox.com URL, this URL will be either: application_name.us.portnox.com, if your application is connected to the US-based gateway, or application_name.eu.portnox.com, if your application is connected to the EMEA-based gateway.

      Note: Different organizations can use the same application names. You only need to make these names unique within your organization. When Portnox Cloud authenticates a user using the certificate, it immediately knows which organization the URL belongs to, as this information is included in the certificate.
    • If you want to use your organization's URL, for example, https://application.vorlon.com, you need to upload a certificate and a private key purchased from a certification authority for application.vorlon.com (or a wildcard certificate such as *.vorlon.com, which covers exactly one label, so it matches application.vorlon.com but not app.internal.vorlon.com), and you need to add a canonical name (CNAME) record to your DNS server that points at the Portnox hostname of the gateway region the application is connected to, for example:
      application.vorlon.com. IN CNAME application.us.portnox.com.
  • You need to supply the IP address and port of the private web application, which must be accessible from the Docker container. For example, if you use the private 10.0.0.0/8 network (the RFC 1918 Class A range), you can have your Docker container running at 10.250.0.10 and your application running on a web server at 10.1.9.57, port 443, over HTTPS. Both addresses are inside 10.0.0.0/8; a narrower network such as 10.0.0.0/16 would contain neither of them.
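The application entry above has several pieces that must agree with each other: the application name must be a valid DNS label, the CNAME target must be the Portnox hostname of the gateway region the application is attached to (us or eu), the uploaded certificate must actually cover the custom hostname (with wildcard matching limited to one label), and the backend must be a private ip:port that the container can reach. The following pre-flight checker is an added example, not Portnox code, and Portnox Cloud does its own validation when you save the entry; the AppEntry fields, the check_entry function and the hostnames, IPs and SAN lists are constructed for this example. It reproduces the page's scenario (container at 10.250.0.10, application at 10.1.9.57:443, CNAME application.vorlon.com to application.us.portnox.com) and also shows the mistakes the checker catches, including the 10.0.0.0/16 versus 10.0.0.0/8 mix-up.

```python
"""Pre-flight consistency checks for a Portnox Private Access application entry.

Added example, not Portnox code. All hostnames, addresses and SAN lists here are
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Regional gateway domains as documented on this page.
GATEWAY_DOMAINS = {"us": "us.portnox.com", "emea": "eu.portnox.com"}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass
class AppEntry:
    name: str                              # application_name part of the Portnox URL
    gateway_region: str                    # "us" or "emea": the gateway the app is attached to
    backend: str                           # "ip:port" of the private app, reachable from the container
    custom_host: Optional[str] = None      # e.g. application.vorlon.com (None = use the Portnox URL)
    cname_target: Optional[str] = None     # target of the CNAME record you added for custom_host
    cert_sans: List[str] = field(default_factory=list)  # dNSName SANs of the uploaded certificate
    local_network: Optional[str] = None    # CIDR of the network the container runs in, if known


def portnox_url(entry: AppEntry) -> str:
    """Hostname Portnox assigns: application_name.<us|eu>.portnox.com."""
    return f"{entry.name.lower()}.{GATEWAY_DOMAINS[entry.gateway_region]}"


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style hostname match: a leading '*' covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, sep, rest = host.partition(".")
        return sep == "." and head != "" and rest == pattern[2:]
    return False


def check_entry(entry: AppEntry) -> List[str]:
    """Return a list of problems; an empty list means the entry looks consistent."""
    problems: List[str] = []
    if entry.gateway_region not in GATEWAY_DOMAINS:
        return [f"unknown gateway region {entry.gateway_region!r}; expected one of {sorted(GATEWAY_DOMAINS)}"]
    if not _LABEL.match(entry.name.lower()):
        problems.append(f"application name {entry.name!r} is not a valid DNS label")

    # Backend address: must parse as ip:port, the IP should be private, and if we know
    # the container's network the backend should normally be inside it.
    host, sep, port = entry.backend.rpartition(":")
    if sep != ":" or not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"backend {entry.backend!r} is not in ip:port form with a valid port")
    else:
        try:
            ip = ipaddress.ip_address(host)
            if not ip.is_private:
                problems.append(f"backend IP {host} is not a private address")
            if entry.local_network and ip not in ipaddress.ip_network(entry.local_network, strict=False):
                problems.append(f"backend IP {host} is outside the container network {entry.local_network}")
        except ValueError:
            problems.append(f"backend host {host!r} is not an IP address")

    # Custom domain: CNAME must point at the regional Portnox hostname, and the
    # uploaded certificate must cover the custom hostname.
    if entry.custom_host:
        expected = portnox_url(entry)
        target = (entry.cname_target or "").lower().rstrip(".")
        if target != expected:
            problems.append(f"CNAME for {entry.custom_host} must point at {expected}, not {entry.cname_target!r}")
        if not any(san_matches(san, entry.custom_host) for san in entry.cert_sans):
            problems.append(f"uploaded certificate does not cover {entry.custom_host} (SANs: {entry.cert_sans})")
    return problems


if __name__ == "__main__":
    # Constructed scenario mirroring the page: container at 10.250.0.10, app at 10.1.9.57:443.
    ok = AppEntry("application", "us", "10.1.9.57:443",
                  custom_host="application.vorlon.com",
                  cname_target="application.us.portnox.com.",
                  cert_sans=["*.vorlon.com"], local_network="10.0.0.0/8")
    print("good entry:", check_entry(ok) or "no problems")
    # Same backend, but a /16 network, a CNAME to the wrong region and a hostname the
    # wildcard does not cover.
    bad = AppEntry("application", "us", "10.1.9.57:443",
                   custom_host="portal.internal.vorlon.com",
                   cname_target="application.eu.portnox.com",
                   cert_sans=["*.vorlon.com"], local_network="10.0.0.0/16")
    for problem in check_entry(bad):
        print("bad entry:", problem)
```

After the DNS change has propagated, you can confirm the record from a client with `dig CNAME application.vorlon.com`; the checker above only validates what you intend to configure, not what the resolver currently returns.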