Configure ZTNA with on-premises console resources and a Linux Docker container

In this topic, you will learn how to configure Portnox™ ZTNA to allow your remote users to access your private console resources hosted on-premises, by using a Docker container in an on-premises machine with Linux.

In this scenario:

  • You want your remote users to be able to access private console resources that you host on-premises.

    Note:
    At the moment, ZTNA supports the following console resources: RDP, SSH, VNC, and telnet.
  • You need to host a Portnox Docker container in the on-premises local network to be able to access these resources. You want to use a Linux-based physical or virtual machine to run Docker and host the container.

We assume that you have already set up a physical or virtual machine on your chosen platform with Linux installed. We also assume that this machine is running in a network that has direct access to the resource. We will provide examples for Ubuntu and Red Hat, which you can easily adapt for other Linux distributions. We also assume that you already distributed certificates to your client devices.

Set up the ZTNA gateway in Portnox Cloud

In this section, you will set up a ZTNA gateway in Portnox Cloud, install Docker on your machine, and run the Portnox ZTNA Docker container.

  1. Optional: On your Linux-based machine, install Docker using your distribution’s package management framework.
    Important:
    If Docker is already installed, skip this step. If you don’t have a physical or virtual machine to install Docker, you can get a third-party Linux image. For example, you can download the latest Ubuntu image from the Linux VM Images project and import it into your hypervisor.

    Ubuntu:

    sudo apt-get install docker.io -y
    Important:
    While the Ubuntu apt repository includes Docker, for production machines Docker recommends using its own apt repository instead. This gives you access to newer versions and additional packages. You can find the relevant instructions in the official Docker documentation.

    Red Hat:

    sudo yum install -y yum-utils
    sudo yum-config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo
    sudo yum install docker-ce
    sudo systemctl start docker
  2. In the top menu of Portnox Cloud, select the Zero Trust Resources > Gateways option. Then, on the Gateways screen, click on the + Create gateway button.

  3. On the Create gateway screen, enter a name for this gateway in the Gateway friendly name field, and in the Region field, select either US Node or EU Node. Then, click on the Create gateway and generate Docker commands button.

  4. In the Provision container step, click on the Copy command link under the displayed Docker command to copy the command to the clipboard.

  5. Paste the copied command in your machine’s terminal window to run the Docker container.

Set up the ZTNA resource in Portnox Cloud

In this section, you will set up a ZTNA resource in Portnox Cloud and configure it to access your private resource hosted in the same local network as the Docker container.

  1. In the top menu of Portnox Cloud, select the Zero Trust Resources > Resources option. Then, on the Resources screen, click on the + Create resource button.

  2. In the Resource type step, select the Console resource option, the relevant Protocol, and then the Choose an existing gateway option. In the Gateway field, select the gateway that you have just created. Then, click on the Next button.
    Note:
    Currently, Portnox Cloud supports the following protocols for console resources: Remote Desktop Protocol (RDP), Secure Shell (SSH), Virtual Network Computing (VNC), and Telnet.

  3. In the Details step, in the Resource Name field, enter the name for this resource and optionally the Resource Description.
    Note:
    The Resource Name must be a valid subdomain name, because the URL will be constructed using this name. You should only use lowercase letters, digits, and hyphens.

    Result: If you want to use the Portnox URL, you can copy the URL for your resource by clicking on the ⧉ icon.

    Note:
    Make sure to check if your web resource will accept connections when accessed using this URL. If your web security solution has an anti-CSRF feature, you will need to configure it to allow this URL.
  4. Optional: If your resource uses the same IP address and port as other resources:
    Note:
    This is a common situation, for example, when you use a single on-premises server to host several resources of the same type, and you create internal domain names for these resources such as: ssh1.vorlon-onpremises.com or ssh2.vorlon-onpremises.com.

    1. Activate the Configure custom HTTP host header for this resource checkbox.
    2. In the Value column, enter the host header value.
  5. Optional: If you want to use a URL in your own domain for the resource:
    1. Activate the Use a custom URL linked to an SSL certificate checkbox.

    2. In the Upload SSL certificate section, click on the Select file button, and upload the certificate and private key for the custom URL (in the PKCS #12 format). Then, enter the password for the private key in the Certificate password field, and click on the Apply certificate button.

      Note:
      You must acquire the specific subdomain certificate from the relevant certificate authority, or you can use a wildcard certificate for all your subdomains.
    3. Verify the details displayed for the certificate.

    4. If you are using a certificate with multiple domains/subdomains or a wildcard certificate, in the Domain field, select the relevant domain for your resource’s URL, and in the Suffix field (if active – only for wildcard certificates), enter the subdomain.

      In this example, your resource URL will be: privateapp.vorlon.com.

    5. In your DNS server, add a canonical name record for your resource’s URL.

      For example, in the BIND server, enter the following record:

      privateapp.vorlon.com. IN CNAME privateapp.us.portnox.com.
  6. In the Network details section, enter the details of the hosted resource in the IP Address and Port fields.
    Note:
    By default, the Port field is pre-filled with the port number that is typical for the selected protocol. For example, port 22 for SSH. Unless your server is running on a non-standard port, keep the default port number.

  7. Depending on the Protocol that you selected earlier, configure additional options available for that protocol:
    • GUI-based consoles: RDP/VNC:
      • You can configure the following DLP (data loss prevention) options: Do not allow users to copy from the remote desktop and Do not allow users to paste from clients if you want to make sure that the users don’t copy sensitive information to/from their RDP/VNC session.

      • For RDP, you can also configure the following visual settings: Display width and Display height to adjust the console to your server’s display resolution.

    • Text-based consoles: SSH/Telnet: You can configure the following DLP (data loss prevention) options: Disable copying from terminal and Disable pasting from client if you want to make sure that the users don’t copy sensitive information to/from their SSH/Telnet session.
  8. Click on the Next button.
  9. Optional: In the Enforcement step, change the setting to Override with custom policy and then select a risk assessment policy if you want to control access to this resource using a custom risk assessment policy.
  10. Click on the Add resource button to save your configuration.

Result: Your users can now access your private console resource by typing the URL in the browser.

Note:
You can only access ZTNA resources using the browser. You cannot use, for example, a third-party client such as PuTTY for SSH and Telnet, or TightVNC for VNC.

Configure the hosted application access control policy

In this section, you will configure the access control policy for groups that you want to have access to this hosted application.

  1. In the Cloud portal top menu, click on the Groups option.

  2. Select a group that you want to configure, click on the ⋮ icon at the end of the row that represents the group, and then select the Group policies option.

    Note:
    Repeat this step and the next steps for any other groups that you want to be able to access hosted applications.
  3. Scroll down to the ZTNA Resources section.
  4. Optional: If needed, change the System Default Policy in the Hosted resources drop-down menu to another access control policy. Then, click on the Save button on the bottom of the page to save your changes.
  5. Optional: To configure the selected access control policy, follow the steps in this topic: Create or edit an access control policy.

Automatically update an existing local server container

In this section, you will learn how to automatically update your Docker container to the latest version by deploying another Docker container: portnox-autoupdate.

Important:
You cannot manually update a running Docker container. To update it, you must remove the existing container, pull the latest version of the container image, and then deploy a new container from that image. The portnox-autoupdate Docker container automates this complex process. It automatically updates all other Portnox Docker containers to their latest versions as soon as they are available. If you already deployed the portnox-autoupdate Docker container to automatically update another Portnox Docker container, you do not need to deploy it again.
  1. Find the organization ID:
    1. In Portnox Cloud, go to Settings > Services > General Settings > Self Onboarding.
    2. In the Self Onboarding section, see the URL that is displayed.
      Note:
      If self-onboarding is not activated, click on the Edit link and temporarily turn it on to see the URL.

      The organization ID is the last part of the URL, after the last / symbol.

      For example, if the URL is https://user-registration.portnox.com/b2973887-1274-45c4-91d0-4a342a861c76, then the organization ID is b2973887-1274-45c4-91d0-4a342a861c76.

  2. Get an API token from Portnox Cloud:
    1. In Portnox Cloud, go to Settings > Profile Settings > Cloud API tokens.
    2. Click on the Generate token link.
    3. In the GENERATE A NEW TOKEN window, enter the name for the token that describes its purpose and click on the Generate token button.
    4. Click on the ⧉ button to copy the code and store it in a safe place.

      Important:
      You will not be able to access this code again after closing this window.
  3. Deploy the portnox-autoupdate Docker container:
    sudo docker run --restart=always -d --name portnox-autoupdate \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v portnox-autoupdate-logs:/app/logs \
      -e AUTO_UPDATE_ORG_ID=your_organization_ID \
      -e AUTO_UPDATE_PORTNOX_API_TOKEN=your_API_access_token \
      portnox/portnox-autoupdate:latest

    For example:

    sudo docker run --restart=always -d --name portnox-autoupdate \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v portnox-autoupdate-logs:/app/logs \
      -e AUTO_UPDATE_ORG_ID=b2973887-1274-45c4-91d0-4a342a861c76 \
      -e AUTO_UPDATE_PORTNOX_API_TOKEN=zZD0XR18UmNc8gG1TRt9ZyMhHnl \
      portnox/portnox-autoupdate:latest
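As an added example (not Portnox's own code or documentation), the following POSIX shell wrapper performs step 3 while keeping the API token off the command line: it validates the organization ID format, writes the two variables into a root-only env file, and passes that file with docker's --env-file option instead of -e, so the token does not land in shell history or process listings. The script name and the env file path are assumptions; the variable names, volumes and image come from the command above.

```shell
#!/bin/sh
# Added example, not part of the Portnox documentation. Run as root:
#   ./deploy-autoupdate.sh deploy <organization-id> <api-token>
# The org ID and token go into a 0600 env file passed with --env-file,
# so they stay out of shell history and process listings. (Anyone who
# can run `docker inspect` on the container can still read them.)
set -eu

# Organization IDs in this flow are UUIDs, as the Self Onboarding URL shows.
is_valid_org_id() {
    printf '%s\n' "$1" | grep -Eq \
      '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Write the two variables the container expects (names from the page)
# into $1, created with mode 0600 via a subshell-local umask.
write_env_file() {
    file="$1"; org_id="$2"; token="$3"
    is_valid_org_id "$org_id" || { echo "invalid org ID: $org_id" >&2; return 1; }
    [ -n "$token" ] || { echo "empty API token" >&2; return 1; }
    ( umask 077
      printf 'AUTO_UPDATE_ORG_ID=%s\nAUTO_UPDATE_PORTNOX_API_TOKEN=%s\n' \
        "$org_id" "$token" > "$file" )
}

# Same docker run as the page's example, with --env-file (a standard
# docker run option) replacing the two -e options.
build_run_cmd() {
    printf 'docker run --restart=always -d --name portnox-autoupdate'
    printf ' -v /var/run/docker.sock:/var/run/docker.sock'
    printf ' -v portnox-autoupdate-logs:/app/logs'
    printf ' --env-file %s portnox/portnox-autoupdate:latest\n' "$1"
}

if [ "${1:-}" = "deploy" ]; then
    env_file=/etc/portnox-autoupdate.env      # assumed location
    write_env_file "$env_file" "$2" "$3"
    sh -c "$(build_run_cmd "$env_file")"
    # Confirm the updater is running before relying on it for other containers.
    docker ps --filter name=portnox-autoupdate --format '{{.Status}}'
fi
```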