Configure ZTNA with on-premises resources and a Windows virtual machine

In this topic, you will learn how to configure Portnox™ ZTNA to allow your remote users to access your private resources hosted on-premises, by using a Docker container in an on-premises machine with Windows.

In this scenario:

  • You want your remote users to be able to access private resources that you host on-premises.

  • You need to host a Portnox Docker container in the on-premises local network to be able to access these resources. You want to use a Windows-based virtual machine to run Docker Desktop and host the container.

We assume that you have already set up a physical or virtual machine on your chosen platform with Windows installed. We also assume that this machine is running in a network that has direct access to the resource.

We also assume that you already distributed certificates to your client devices.

Note:
We recommend running Portnox Docker containers using Linux for performance reasons. Portnox Docker images are built for Linux so in Windows, they have to be run using virtualization. If you run Docker Windows in a virtual machine, you will need nested virtualization, which can affect performance.
Note:
This procedure has been tested on Windows 10 Enterprise running in a Hyper-V virtual machine. It applies either unmodified or with little modifications to all other Windows versions that are still supported by Microsoft and Docker, as long as they support Hyper-V or WSL, which is required by Docker Desktop.

Install Docker Desktop

In this section, you will learn how to follow Docker documentation to install Docker Desktop on the Windows machine.

Skip this section if Docker Desktop is already installed.

  1. Optional: If you want to run Docker Desktop in a virtual machine, enable nested virtualization in your hypervisor on the host machine.

    This step depends on the hypervisor that you are using. Below are some examples for popular hypervisors. Consult the documentation of your hypervisor for more information.

    • Hyper-V: Execute the following command in PowerShell with administrative privileges:

      Set-VMProcessor -VMName "vm_name" -ExposeVirtualizationExtensions $true

      where vm_name is the name of your virtual machine.

    • VirtualBox: Go to your virtual machine > Settings > System > Processor and turn on the Enable Nested VT-x/AMD-V option.

    • VMware Workstation: Go to your virtual machine > Edit virtual machine settings > Processors and turn on the Virtualize Intel VT-x/EPT or AMD-V/RVI option.

  2. Enable the Windows Subsystem for Linux (WSL) and install Ubuntu:
    Note:
    For detailed instructions on how to enable WSL and install Ubuntu, see official Microsoft documentation.
    Note:
    You can run Docker Desktop with WSL or Hyper-V. WSL is recommended for performance reasons. If you need to run Docker Desktop with Hyper-V instead, refer to the official Docker and Microsoft documentation.
    1. Open Windows PowerShell with administrative privileges.
    2. Run the following command to enable WSL and install Ubuntu: 
      wsl --install

    Result: WSL with Ubuntu is ready and you can proceed with Docker installation.

  3. Install Docker Desktop:
    Note:
    For detailed instructions on how to install Docker Desktop, see official Docker Desktop documentation.
    1. Download the Docker Desktop installer from the official website.

      The links to download the latest versions of Docker Desktop for Windows are available in the official Docker Desktop documentation.

    2. Run the downloaded installer file and in the installer window, when prompted, activate the Use WSL 2 instead of Hyper-V checkbox.

    3. Restart Windows when prompted.
  4. Run Docker Desktop from the Start menu or the desktop icon.

  5. Optional: Test Docker in the Windows command line:
    1. Open the Windows command line (cmd).
    2. Run the following command: 
      docker run hello-world

      Result: If you see the following output, it means your installation was successful and Docker is ready:

Set up the ZTNA gateway in Portnox Cloud

In this section, you will set up a ZTNA gateway in Portnox Cloud, install Docker on your machine, and run the Portnox ZTNA Docker container.

  1. In the top menu of Portnox Cloud, select the Zero Trust Resources > Gateways option. Then, on the Gateways screen, click on the + Create gateway button.

  2. On the Create gateway screen, enter a name for this gateway in the Gateway friendly name field, and in the Region field, select either US Node or EU Node. Then, click on the Create gateway and generate Docker commands button.

  3. In the Provision container step, click on the Copy command link under the displayed Docker command to copy the command to the clipboard.

  4. Paste the command in a text editor and modify it for Windows (the original command is for Linux) by removing the sudo command at the start.
  5. Paste the modified command in a command prompt window with administrative privileges to run the Docker container.

    Result: The Docker container is running in Docker Desktop.

Set up the ZTNA resource in Portnox Cloud

In this section, you will set up a ZTNA resource in Portnox Cloud and configure it to access your private resource hosted in the same local network as the Docker container.

  1. In the top menu of Portnox Cloud, select the Zero Trust Resources > Resources option. Then, on the Resources screen, click on the + Create resource button.

  2. In the Resource type step, select the Hosted resource option, and then the Choose an existing gateway option. In the Gateway field, select the gateway that you have just created. Then, click on the Next button.

  3. In the Details step, in the Resource Name field, enter the name for this resource and optionally the Resource Description.
    Note:
    The Resource Name must be a valid subdomain name, because the URL will be constructed using this name. You should only use lowercase letters, digits, and hyphens.

    Result: If you want to use the Portnox URL, you can copy the URL for your resource by clicking on the  ⧉  icon.

    Note:
    Make sure to check if your web resource will accept connections when accessed using this URL. If your web security solution has an anti-CSRF feature, you will need to configure it to allow this URL.
  4. Optional: If your resource uses the same IP address and port as other resources:
    Note:
    This is quite a common situation, for example, when you use a single on-premises web server to host several resources, and you create internal domain names for these resources such as: confluence.vorlon-onpremises.com or jira.vorlon-onpremises.com.

    1. Activate the Configure custom HTTP host header for this resource checkbox.
    2. In the Value column, enter the host header value.
  5. Optional: If you want to use a URL in your own domain for the resource:
    1. Activate the Use a custom URL linked to an SSL certificate checkbox.

    2. In the Upload SSL certificate section, click on the Select file button, and upload the certificate and private key for the custom URL (in the PKCS #12 format). Then, enter the password for the private key in the Certificate password field, and click on the Apply certificate button.

      Note:
      You must acquire the specific subdomain certificate from the relevant certificate authority, or you can use a wildcard certificate for all your subdomains.
    3. Verify the details displayed for the certificate.

    4. If you are using a certificate with multiple domains/subdomains or a wildcard certificate, in the Domain field, select the relevant domain for your resource’s URL, and in the Suffix field (if active – only for wildcard certificates), enter the subdomain.

      In this example, your resource URL will be: privateapp.vorlon.com.

    1. In your DNS server, add a canonical name record for your resource’s URL.

      For example, in the BIND server, enter the following record:

      privateapp.vorlon.com. IN CNAME privateapp.us.portnox.com.
  6. In the IP, port and protocol section, enter the details of the hosted resource in the IP Address, Port, and Protocol fields.

    Note:
    If you select HTTP in the Protocol field, to access it using ZTNA you still use HTTPS, not HTTP. For example, http://privateapp.vorlon.com or http://privateapp.us.portnox.com will not work.
  7. Click on the Next button.
  8. Optional: In the Enforcement step, change the setting to Override with custom policy and then select a risk assessment policy if you want to control access to this resource using a custom risk assessment policy.
  9. Click on the Add resource button to save your configuration.

Result: Your users can now access your private resource by typing the URL in the browser.

Configure the hosted application access control policy

In this section, you will configure the access control policy for groups that you want to have access to this hosted application.

  1. In the Cloud portal top menu, click on the Groups option.

  2. Select a group that you want to configure, click on the  ⋮  icon at the end of the row that represents the group, and then select the Group policies option.

    Note:
    Repeat this step and the next steps for any other groups that you want to be able to access hosted applications.
  3. Scroll down to the ZTNA: HOSTED APPLICATION ACCESS section.
  4. Optional: If needed, change the System Default Policy in the drop-down menu to another access control policy.

    The selected policy will be applied to any applications that are not specifically listed below.

    Note:
    By default, the System Default Policy is configured to not allow access to hosted applications. If you need only limited access level control for your hosted applications, instead of selecting allowed applications for the group, you can select a policy that allows access to hosted applications or configure the System Default Policy to allow access.

  5. Add the applications that this group will be allowed to access:
    1. Click on the Add new link at the end of the ZTNA: HOSTED APPLICATION ACCESS section.

      A new row will appear above the Add new link, representing settings for one or more hosted applications.

    2. Click on the  ✎  icon in the AUTHORIZED APPLICATIONS column.

    3. In the ADD HOSTED APPLICATION CONTROL POLICY window, build a logical tree of conditions that specifies one or more applications.

      You can add conditions that depend on the Resource name or the Gateway name or region. When ready, click on the Save button.

      For example, in this policy, the group will have access only to applications with names that begin with the string vorlon, accessed using the US Node gateways.

    4. In the ON VIOLATION, ENFORCE POLICY column, select an access control policy that should be applied if a device violates the risk assessment policy defined for the group.
      Note:
      The selected policy should prevent access to the application.
    5. Click on the Save button in the bottom-right corner to save your changes.

Automatically update the existing local container

In this section, you will learn how to automatically update your Docker container to the latest version by deploying another Docker container: portnox-autoupdate.

Important:
You cannot manually update a running Docker container. To update it, you must remove the existing container, pull the latest version of the container image, and then deploy a new container from that image. The portnox-autoupdate Docker container automates this complex process. It automatically updates all other Portnox Docker containers to their latest versions as soon as they are available. If you already deployed the portnox-autoupdate Docker container to automatically update another Portnox Docker container, you do not need to deploy it again.
  1. Find the organization ID:
    1. In Portnox Cloud, go to Settings > Services > General Settings > Self Onboarding.
    2. In the Self Onboarding section, see the URL that is displayed.
      Note:
      If self-onboarding is not activated, click on the Edit link and temporarily turn it on to see the URL.

      The organization ID is the last part of the URL, after the last / symbol.

      For example, if the URL is https://user-registration.portnox.com/b2973887-1274-45c4-91d0-4a342a861c76, then the organization ID is b2973887-1274-45c4-91d0-4a342a861c76.

  2. Get an API token from Portnox Cloud:
    1. In Portnox Cloud, go to Settings > Profile Settings > Cloud API tokens
    2. Click on the Generate token link.
    3. In the GENERATE A NEW TOKEN window, enter the name for the token that describes its purpose and click on the Generate token button.
    4. Click on the  ⧉  button to copy the code and store it in a safe place.

      Important:
      You will not be able to access this code again after closing this window.
  3. Deploy the portnox-autoupdate Docker container: 
    docker run --restart=always -d --name portnox-autoupdate ^
  -v /var/run/docker.sock:/var/run/docker.sock ^
  -v portnox-autoupdate-logs:/app/logs ^
  -e AUTO_UPDATE_ORG_ID=your_organization_ID ^
  -e AUTO_UPDATE_PORTNOX_API_TOKEN=your_API_access_token ^
  portnox/portnox-autoupdate:latest

    For example:

    docker run --restart=always -d --name portnox-autoupdate ^
  -v /var/run/docker.sock:/var/run/docker.sock ^
  -v portnox-autoupdate-logs:/app/logs ^
  -e AUTO_UPDATE_ORG_ID=b2973887-1274-45c4-91d0-4a342a861c76 ^
  -e AUTO_UPDATE_PORTNOX_API_TOKEN=zZD0XR18UmNc8gG1TRt9ZyMhHnl ^
  portnox/portnox-autoupdate:latest