Configure Remote Private Access with on-premises applications and a Windows virtual machine

In this topic, you will learn how to configure the Portnox™ Remote Private Access (RPA) service to allow your remote users to access your private web applications hosted on-premises, by using a Docker container in an on-premises virtual machine with Windows.

In this scenario:

  • You want your remote users to be able to access private web applications that you host on-premises.

  • You need to host a Portnox Docker container in the on-premises local network to be able to access these web applications. You want to use a Windows-based virtual machine to run Docker Desktop and host the container.

We assume that you have already set up a physical or virtual machine on your chosen platform with Windows installed. We also assume that this machine is running in a network that has direct access to the application.

We also assume that you already installed and enrolled AgentP on your client devices.

Note: We recommend running Portnox Docker containers using Linux for performance reasons. Portnox Docker images are built for Linux so in Windows, they have to be run using virtualization. If you run Docker Windows in a virtual machine, you will need nested virtualization, which can affect performance.
Note: This procedure has been tested on Windows 10 Enterprise running in a Hyper-V virtual machine. It applies either unmodified or with little modifications to all other Windows versions that are still supported by Microsoft and Docker, as long as they support Hyper-V or WSL, which is required by Docker Desktop.

Install Docker Desktop

In this section, you will learn how to follow Docker documentation to install Docker Desktop on the Windows machine.

Skip this section if Docker Desktop is already installed.

  1. Optional: If you want to run Docker Desktop in a virtual machine, enable nested virtualization in your hypervisor on the host machine.

    This step depends on the hypervisor that you are using. Below are some examples for popular hypervisors. Consult the documentation of your hypervisor for more information.

    • Hyper-V: Execute the following command in PowerShell with administrative privileges:

      Set-VMProcessor -VMName "vm_name" -ExposeVirtualizationExtensions $true

      where vm_name is the name of your virtual machine.

    • VirtualBox: Go to your virtual machine > Settings > System > Processor and turn on the Enable Nested VT-x/AMD-V option.

    • VMware Workstation: Go to your virtual machine > Edit virtual machine settings > Processors and turn on the Virtualize Intel VT-x/EPT or AMD-V/RVI option.

  2. Enable the Windows Subsystem for Linux (WSL) and install Ubuntu:
    Note: For detailed instructions on how to enable WSL and install Ubuntu, see official Microsoft documentation.
    Note: You can run Docker Desktop with WSL or Hyper-V. WSL is recommended for performance reasons. If you need to run Docker Desktop with Hyper-V instead, refer to the official Docker and Microsoft documentation.
    1. Open Windows PowerShell with administrative privileges.
    2. Run the following command to enable WSL and install Ubuntu: 
      wsl --install

    Result: WSL with Ubuntu is ready and you can proceed with Docker installation.

  3. Install Docker Desktop:
    Note: For detailed instructions on how to install Docker Desktop, see official Docker Desktop documentation.
    1. Download the Docker Desktop installer from the official website.

      The links to download the latest versions of Docker Desktop for Windows are available in the official Docker Desktop documentation.

    2. Run the downloaded installer file and in the installer window, when prompted, activate the Use WSL 2 instead of Hyper-V checkbox.

    3. Restart Windows when prompted.
  4. Run Docker Desktop from the Start menu or the desktop icon.

  5. Optional: Test Docker in the Windows command line:
    1. Open the Windows command line (cmd).
    2. Run the following command: 
      docker run hello-world

      Result: If you see the following output, it means your installation was successful and Docker is ready:

Set up the Remote Private Access gateway in Portnox Cloud

In this section, you will set up a Remote Private Access gateway in Portnox Cloud and run the Portnox Remote Private Access Docker container.

  1. In the top menu of Portnox Cloud, select the Remote Private Access option. Then, on the Remote Private Access screen, click on the + Create button and select the Create gateway option.

  2. In the Gateway details step, enter a name for this gateway in the Gateway Name field, and in the Gateway Region field, select either US Node or EU Node. Then, click on the Create and view details button.

  3. In the Provision container step, click on the Copy command link under the displayed Docker command to copy the command to the clipboard.

  4. Paste the command in a text editor and modify it for Windows (the original command is for Linux) by removing the sudo command at the start.
  5. Paste the modified command in a command prompt window with administrative privileges to run the Docker container.

    Result: The Docker container is running in Docker Desktop.

Set up the Remote Private Access application in Portnox Cloud

In this section, you will set up a Remote Private Access application in Portnox Cloud and configure it to access your private web application hosted in the same local network as the Docker container.

  1. In the top menu of Portnox Cloud, select the Remote Private Access option. Then, on the Remote Private Access screen, click on the + Create button and select the Create application option.

  2. On the Application details screen, enter a name for the application in the Application Name field, and in the Gateway field, select the gateway that you have just created.
    Note: The Application Name must be a valid subdomain name, because the URL will be constructed using this name. You should only use lowercase letters, digits, and hyphens.

    Result: If you want to use the Portnox URL, you can copy the URL for your application by clicking on the  ⧉  icon.

    Note: Make sure to check if your web application will accept connections when accessed using this URL. If your web security solution has an anti-CSRF feature, you will need to configure it to allow this URL.
  3. Optional: If your application uses the same IP address and port as other applications:
    Note: This is quite a common situation, for example, when you use a single on-premises web server to host several applications, and you create internal domain names for these applications such as: confluence.vorlon-onpremises.com or jira.vorlon-onpremises.com.

    1. Activate the Configure custom HTTP host header for this application checkbox.
    2. In the Value column, enter the host header value.
  4. Optional: If you want to use a URL in your own domain for the application:
    1. Activate the Use a custom URL linked to an SSL certificate checkbox.

    2. In the Upload SSL certificate section, click on the Select file button, and upload the certificate and private key for the custom URL (in the PKCS #12 format). Then, enter the password for the private key in the Certificate password field, and click on the Apply certificate button.

      Note: You must acquire the specific subdomain certificate from the relevant certificate authority, or you can use a wildcard certificate for all your subdomains.
    3. Verify the details displayed for the certificate.

    4. If you are using a certificate with multiple domains/subdomains or a wildcard certificate, in the Domain field, select the relevant domain for your application’s URL, and in the Suffix field (if active – only for wildcard certificates), enter the subdomain.

      In this example, your application’s URL will be: privateapp.vorlon.com.

    1. In your DNS server, add a canonical name record for your application’s URL.

      For example, in the BIND server, enter the following record:

      privateapp.vorlon.com. IN CNAME privateapp.us.portnox.com.
  5. In the IP, port and protocol section, enter the details of the hosted web application in the IP Address, Port, and Protocol fields.

  6. Optional: In the Policy assignments section, change the setting to Application-based and then select an access control policy and a risk assessment policy if you want to control access to this application without using groups.
  7. Click on the Save button to save your configuration.

Result: Your users can now access your private web application by typing the URL in their browser.

Automatically update the existing local container

In this section, you will learn how to automatically update your Docker container to the latest version by deploying another Docker container: portnox-autoupdate.

Important: The portnox-autoupdate Docker container automatically updates all Portnox Docker containers to their latest versions as soon as they are available. If you already installed the portnox-autoupdate Docker container to automatically update another Portnox Docker container, you do not need to install it again.
  1. Note down the organization ID:
    1. In Portnox Cloud, go to Settings > Services > General Settings > Self Onboarding.
    2. In the Self Onboarding section, see the URL that is displayed.
      Note: If self-onboarding is not activated, click on the Edit link and temporarily turn it on to see the URL.

      The organization ID is the last part of the URL, after the last / symbol.

      For example, if the URL is https://user-registration.portnox.com/b2973887-1274-45c4-91d0-4a342a861c76, then the organization ID is b2973887-1274-45c4-91d0-4a342a861c76.

  2. Get an API token from Portnox Cloud:
    1. In Portnox Cloud, go to Settings > Profile Settings > Clear API tokens
    2. Click on the Generate token link.
    3. In the Generate a new token window, enter the name for the token that describes its purpose and click on the Generate token button.
    4. Click on the  ⧉  button to copy the code and store it in a safe place.

      Important: You will not be able to access this code again after closing this window.
  3. Deploy the portnox-autoupdate Docker container: 
    docker run --restart=always -d --name portnox-autoupdate ^
  -v /var/run/docker.sock:/var/run/docker.sock ^
  -v portnox-autoupdate-logs:/app/logs ^
  -e AUTO_UPDATE_ORG_ID=your_organization_ID ^
  -e AUTO_UPDATE_PORTNOX_API_TOKEN=your_API_access_token ^
  portnox/portnox-autoupdate:latest

    For example:

    docker run --restart=always -d --name portnox-autoupdate ^
  -v /var/run/docker.sock:/var/run/docker.sock ^
  -v portnox-autoupdate-logs:/app/logs ^
  -e AUTO_UPDATE_ORG_ID=b2973887-1274-45c4-91d0-4a342a861c76 ^
  -e AUTO_UPDATE_PORTNOX_API_TOKEN=zZD0XR18UmNc8gG1TRt9ZyMhHnl ^
  portnox/portnox-autoupdate:latest