What is Portnox Remote Private Access and how does it work?

In this topic, you will learn what is the Portnox™ Remote Private Access (RPA) service and how it works.

Portnox™ Remote Private Access service provides secure user access to private web applications, removing the need for VPNs when they are only used to access such applications.

A private web application is a web application that is not publicly accessible. It can be hosted on-premises or in a secure cloud instance and is meant only for specific people, such as employees, students, or contractors who have been explicitly given access. With the rise of remote work, these applications are often accessed by remote employees, requiring a secure connection over possibly insecure internet networks.

Traditionally, VPNs have been used to create secure connections. However, VPNs are often hard to manage and do not have modern security features like multi-factor authentication, certificate-based authentication, and real-time risk assessment. They may also need special hardware for on-premises deployments.

Portnox Remote Private Access provides a simpler and more cost-effective way to access secure web applications. The only requirement is to set up a Docker container or a container instance in a network that has a direct connection to the applications, such as a local network or a virtual network in the cloud.

One key advantage of Portnox Remote Private Access is its ability to adapt to changes in the security status of devices accessing private applications. By integrating with your UEM solution, such as Intune, or using Portnox AgentP to manage configuration and monitor device risk levels, you can instantly revoke access if a device goes above a set security limit. For example, if a user removes antivirus software, Portnox Cloud can be set to automatically block access to private applications from that device until the issue is fixed.

How does Remote Private Access work?

If your application is integrated with Portnox Remote Private Access, here is what happens when an example user tries to access the application.

For the user, the process is almost the same as logging into a public web application.

  1. The user types the address (URL) of the web application in their browser to access it. Depending on how the organization’s administrator sets up Portnox Cloud, this URL can be in the customer’s domain (for example, https://application.vorlon.com) or in the portnox.com domain (for example, https://application.us.portnox.com).

    Note: To use your own domain, the organization administrator must add a canonical name record to the organization’s DNS server, and upload a TLS certificate (for that subdomain or wildcard) with the corresponding private key to Portnox Cloud.

  2. The user is then connected to Portnox Cloud. Cloud checks for the user’s certificate in the browser’s underlying operating system, and uses this certificate to securely authenticate the user.

  3. Portnox Cloud then creates a secure tunnel within the browser, which connects the user to the private application without any extra steps needed.

    Note: The secure tunnel first connects Portnox Cloud with the Docker container in your application’s local network, and then connects the Docker container with the application. The entire connection is fully encrypted and highly secure.

What do you need to be able to use Remote Private Access?

To be able to use Portnox Remote Private Access, you need to meet the following conditions.

  1. License

    • You need to buy a Portnox Remote Private Access license.

  2. Authentication repository

    • You need to set up a cloud-based authentication repository, such as Microsoft Entra ID (Azure AD) or Google Workspace. Portnox Cloud connects with your authentication repository to authenticate users accessing your private applications.

    • If you do not use an external repository, you can use Portnox Cloud’s internal repository to manage users.

  3. Docker container

    • You need to deploy a Portnox Docker container in a network that has direct access to your private applications, for example, the same local network where you host your private applications. You can run the container on physical or virtual machines using any operating system supported by Docker, including Linux, Windows, or macOS.

    • If your private applications are hosted in the cloud, you can deploy the container in services like Azure, AWS, or Google Cloud.

    • The Docker container needs to be able to communicate with the Internet on ports TCP 443 and UDP 3478.

  4. AgentP and certificates

    • You need to install and enroll Portnox AgentP on all client devices. During enrollment, AgentP will install the required certificates on the client device.

      Note: In the near future, AgentP will no longer be a requirement, and you will be able to distribute certificates using your unified endpoint management solution instead.
  5. Optional: custom domain configuration

    To use a custom URL in your organization’s domain:

    • You need to add a canonical name (CNAME) record to your domain’s zone on your DNS server.

    • You need to obtain a TLS certificate with a private key for this URL or use an existing wildcard certificate, and upload this certificate to Portnox Cloud.

How is the integration with Remote Private Access configured?

For Remote Private Access to work, you need to create at least one gateway and at least one application entry in Portnox Cloud, and you need to run the Docker container in a network with direct access to your private applications.

Creating a gateway entry in Portnox Cloud

  1. You need to choose where your gateway is located. Portnox Cloud provides two locations: one US-based and one EMEA-based. You can choose the location depending on where you host your web applications, but the performance of Portnox Cloud is excellent with both locations. If your applications are hosted outside US/EMEA, you can use either location without any noticeable performance losses.

  2. You need to install Docker on a physical or virtual machine in a network that has direct access to your private web applications. If you host your private web applications in a cloud such as Azure, AWS, or Google Cloud, you need to use the provider’s mechanism to create a Docker instance in its virtual network, for example, Azure container instances.

  3. You need to create a Docker container by running a command provided by Portnox Cloud. This makes it very easy to create the container correctly, even if your knowledge of Docker is very limited.

Creating an application entry in Portnox Cloud

  • You need to choose which gateway the application works with.

  • You need to choose if you want to use a Portnox URL for the application, or a URL in your organization’s domain:

    • If you want to use a portnox.com URL, this URL will be either: application_name.us.portnox.com, if your application is connected to the US-based gateway, or application_name.eu.portnox.com, if your application is connected to the EMEA-based gateway.

      Note: Make sure to check if your web application will accept connections when accessed using this URL. If your web security solution has an anti-CSRF feature, you will need to configure it to allow this URL.
    • If you want to use your organization’s URL, for example, https://application.vorlon.com, you need to upload a certificate and a private key obtained from a certification authority for application.vorlon.com (or a wildcard certificate), and you need to add a canonical name (CNAME) record to your DNS server’s zone, for example: 
      application.vorlon.com. IN CNAME application.us.portnox.com.

  • You need to supply the IP address and port of the private web application, which must be accessible from the Docker container. For example, if you use a Class A (10.0.0.0/16) network, you can have your Docker container running at 10.250.0.10, and you can have your application running on a web server at 10.1.9.57, on port 443, using the HTTPS protocol.

  • If your application runs on the same IP address and port number as other applications, you need to provide the Host HTTP header value that will be sent to the web server to open the correct application.