Configure Remote Private Access with on-premises applications and a Linux Docker container

In this topic, you will learn how to configure the Portnox™ Remote Private Access (RPA) service to allow your remote users to access your private web applications hosted on-premises, by using a Docker container in an on-premises machine with Linux.

In this scenario:

  • You want your remote users to be able to access private web applications that you host on-premises.

  • You need to host a Portnox Docker container in the on-premises local network to be able to access these web applications. You want to use a Linux-based physical or virtual machine to run Docker and host the container.

We assume that you have already set up a physical or virtual machine on your chosen platform with Linux installed. We also assume that this machine is running in a network that has direct access to the application. We will provide examples for Ubuntu and Red Hat, which you can easily adapt for other Linux distributions.

We also assume that you already installed and enrolled AgentP on your client devices.

Set up the Remote Private Access gateway in Portnox Cloud

In this section, you will set up a Remote Private Access gateway in Portnox Cloud, install Docker on your machine, and run the Portnox Remote Private Access Docker container.

  1. Optional: On your Linux-based machine, install Docker using your distribution’s package management framework.
    Important: If Docker is already installed, skip this step. If you don’t have a physical or virtual machine to install Docker, you can get a third-party Linux image. For example, you can download the latest Ubuntu Server image from the Linux VM Images project and import it into your hypervisor.

    Ubuntu:

    sudo apt-get install docker.io -y

    RedHat:

    sudo yum install -y yum-utils
    $sudo yum-config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo
    $sudo yum install docker-ce
    $sudo systemctl start docker
  2. In the top menu of Portnox Cloud, select the Remote Private Access option. Then, on the Remote Private Access screen, click on the + Create button and select the Create gateway option.

  3. In the Gateway details step, enter a name for this gateway in the Gateway Name field, and in the Gateway Region field, select either US Node or EU Node. Then, click on the Create and view details button.

  4. In the Provision container step, click on the Copy command link under the displayed Docker command to copy the command to the clipboard.

  5. Paste the copied command in your machine’s terminal window to run the Docker container.

Set up the Remote Private Access application in Portnox Cloud

In this section, you will set up a Remote Private Access application in Portnox Cloud and configure it to access your private web application hosted in the same local network as the Docker container.

  1. In the top menu of Portnox Cloud, select the Remote Private Access option. Then, on the Remote Private Access screen, click on the + Create button and select the Create application option.

  2. On the Application details screen, enter a name for the application in the Application Name field, and in the Gateway field, select the gateway that you have just created.
    Note: The Application Name must be a valid subdomain name, because the URL will be constructed using this name. You should only use lowercase letters, digits, and hyphens.

    Result: If you want to use the Portnox URL, you can copy the URL for your application by clicking on the  ⧉  icon.

    Note: Make sure to check if your web application will accept connections when accessed using this URL. If your web security solution has an anti-CSRF feature, you will need to configure it to allow this URL.
  3. Optional: If your application uses the same IP address and port as other applications:
    Note: This is quite a common situation, for example, when you use a single on-premises web server to host several applications, and you create internal domain names for these applications such as: confluence.vorlon-onpremises.com or jira.vorlon-onpremises.com.

    1. Activate the Configure custom HTTP host header for this application checkbox.
    2. In the Value column, enter the host header value.
  4. Optional: If you want to use a URL in your own domain for the application:
    1. Activate the Use a custom URL linked to an SSL certificate checkbox.

    2. In the Upload SSL certificate section, click on the Select file button, and upload the certificate and private key for the custom URL (in the PKCS #12 format). Then, enter the password for the private key in the Certificate password field, and click on the Apply certificate button.

      Note: You must acquire the specific subdomain certificate from the relevant certificate authority, or you can use a wildcard certificate for all your subdomains.
    3. Verify the details displayed for the certificate.

    4. If you are using a certificate with multiple domains/subdomains or a wildcard certificate, in the Domain field, select the relevant domain for your application’s URL, and in the Suffix field (if active – only for wildcard certificates), enter the subdomain.

      In this example, your application’s URL will be: privateapp.vorlon.com.

    1. In your DNS server, add a canonical name record for your application’s URL.

      For example, in the BIND server, enter the following record:

      privateapp.vorlon.com. IN CNAME privateapp.us.portnox.com.
  5. In the IP, port and protocol section, enter the details of the hosted web application in the IP Address, Port, and Protocol fields.

  6. Optional: In the Policy assignments section, change the setting to Application-based and then select an access control policy and a risk assessment policy if you want to control access to this application without using groups.
  7. Click on the Save button to save your configuration.

Result: Your users can now access your private web application by typing the URL in their browser.

Update an existing gateway container

In this section, you will learn how to update your Remote Private Access gateway Docker container to the latest version.

Important: The Remote Private Access gateway Docker container does not update to the latest version on its own, and at this time, we cannot update it for you remotely. We are working on a way to be able to automate this process in the future. For now, to update to the latest Remote Private Access gateway version, please follow the manual steps below.
  1. Open a Linux terminal window to be able to run Docker commands.
  2. Find the name of the container: 
    sudo docker ps

    The name of the container will be displayed in the NAMES column.

  3. Stop the old Docker container: 
    sudo docker stop container_name
  4. Optional: If you want to save space, remove the old version of the Docker image: 
    sudo docker rmi portnox/portnox-private-access:latest
  5. Pull the latest version of the Docker image: 
    sudo docker pull portnox/portnox-private-access:latest
  6. Remove the old Docker container: 
    sudo docker rm container_name
  7. In Portnox Cloud, select the Private Access option in the top menu, click on the gateway that you want to update, and then click on the Edit button.

  8. In the Provision container section, click on the Copy command link under the displayed Docker command to copy the command to the clipboard.

  9. Paste the copied command in your machine’s terminal window to run the new Docker container.