Browser Isolation Installation

Browser Isolation

The Browser Isolation component of Oplon Secure Access is an advanced piece of software designed to provide a secure and seamless browsing experience. This module completely isolates the web browser from the user's local environment, performing all web page rendering operations on a remote server. This approach protects users' devices from malware, ransomware, phishing and other web-based threats, and also allows secure access to sites and resources within a corporate intranet without accessing them directly.

Architecture and Preparation

To install the Browser Isolation component (after installing the basic Oplon Secure Access appliance), it is necessary to have at least one dedicated node. In fact, Oplon's designated architecture for Browser Isolation is scalable, balanced, and multi-node.

         +---------------------------+
         |    Oplon Secure Access    |
         |      (Orchestrator)       |
         +------------+--------------+
                      |
      +-----------------------------------+
      |                                   |
      v                                   v
 +-------------+    ...  ...  ...   +-------------+
 |   Node      |    ...  ...  ...   |   Node      |
 |  Browser    |    ...  ...  ...   |  Browser    |
 | Isolation 1 |    ...  ...  ...   | Isolation n |
 +-------------+                    +-------------+

Before continuing with the guide, complete the following:

  1. Deploy or clone the Oplon Secure Access appliance:
    • Ensure that you have deployed (or cloned) an Oplon Secure Access appliance configured in basic mode. Follow the instructions given here to the point of dashboard access.
  2. Install licenses:
    • Install the provided licenses by following the directions in this guide.
  3. Open ports from the Oplon Secure Access node(s) (orchestrators) to the Browser Isolation nodes:
    • 8088
    • 3322

Configure Orchestrator node(s)

If you are coming from an installation that predates the release of Browser Isolation, make sure that the Rewrite rule SecureAccessRWHeaderRDConnect has its flow set to "BOTH". To check or modify it, go to ADC Settings > Rewrite Management > Rewrite Header Rules and search for "SecureAccessRWHeaderRDConnect":

Modify SecureAccessRWHeaderRDConnect 1/2

Here, go to Edit and change the flow to BOTH if it is not already set:

Modify SecureAccessRWHeaderRDConnect 2/2

Additionally, you need to add or change the address used for Browser Isolation in the Secure Access grouping. To do so:

  • If "/pages/bi" is already present in the OSA Virtual Domain, modify it with the address of the Browser Isolation node.
  • Otherwise, clone "/pages/rd/tunnel" and configure it as follows:

Add Endpoint Browser Isolation

Install Container

If you have a new or cloned appliance, or if you previously installed Browser Isolation, you will now install the relevant container for the browser service.

If you are unsure whether you have already installed the container responsible for the browser isolation service, run this command as root:

docker ps -a | grep browsergate

If it returns output, the container was installed correctly.

Otherwise, continue as root with:

cd /share
bash OPLON_INSTALL_CONTAINERS.sh -bi 127.0.0.1

Follow the update procedure and proceed with the guide.
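
The two checks this guide relies on, the open ports 8088 and 3322 from the prerequisites and the browsergate container lookup above, can be scripted as a pre-flight check. This is an added example, not Oplon tooling or part of the original guide; the script name preflight.sh, the function names and the name|image|status line format are assumptions.

```bash
# Added example, not Oplon tooling. Ports 8088/3322 and the name
# "browsergate" come from this guide; function names are assumptions.
BI_PORTS="8088 3322"

# Return 0 if a TCP connection to host $1, port $2 opens within 3 seconds.
# Host and port are passed as arguments, never interpolated into the command.
port_open() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Report each required port on node $1; return 1 if any is unreachable.
check_node() {
    node_rc=0
    for port in $BI_PORTS; do
        if port_open "$1" "$port"; then
            echo "$1:$port open"
        else
            echo "$1:$port CLOSED"
            node_rc=1
        fi
    done
    return "$node_rc"
}

# Read "name|image|status" lines (docker ps -a output) on stdin and print
# running, stopped or missing. "docker ps -a" also lists exited containers,
# so a grep match alone does not show that the service is up.
container_state() {
    state=missing
    while IFS= read -r line; do
        case $line in
            *browsergate*"|Up "*) echo running; return 0 ;;
            *browsergate*) state=stopped ;;
        esac
    done
    echo "$state"
}

# Usage: preflight.sh ports NODE...   (run on an orchestrator)
#        preflight.sh container       (run as root on a Browser Isolation node)
case ${1:-} in
    ports)
        shift; rc=0
        for n in "$@"; do check_node "$n" || rc=1; done
        exit "$rc" ;;
    container)
        docker ps -a --format '{{.Names}}|{{.Image}}|{{.Status}}' | container_state ;;
esac
```

A "stopped" result means the container exists but is not running, which the plain grep check cannot distinguish from a healthy install.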

Import and configure the Listener

As a first step, you need to import the listener and change the IP address on which it listens.

To do this, go to ADC Settings > Listeners, check "View Template Listeners", look for "BrowserIsolation", click the copy button and copy it into the Platform module, as shown here:

Import Listener 1/2

Import Listener 2/2

After that, uncheck "View Template Listeners" and edit the rule, setting the IP address on which you want the listener to listen:

Change Address

Import Grouping

Next, import the grouping, which is critical for mapping the back ends for Browser Isolation.

To do this, go to ADC Settings > Groupings, check "View Template Groups", search for "BrowserIsolation" and copy it with its button:

Import Grouping

Import Rewrite Header rule "SecureAccessRWHeaderBIConnect"

To import the Rewrite rule, go to ADC Settings > Rewrite Management > Rewrite Header Rules. As before, check "View Template Rewrite Rules", look for "SecureAccessRWHeaderBIConnect" and copy it with the appropriate button:

Import RW Header

Starting the Modules for Browser Isolation

Now the Modules/Services need to be set to start automatically:

  • R00_BrowserBridge
  • R00_DesktopBridge

To do this, go to Modules > All Modules, search for "R00_" and set start to automatic for both modules, as follows:

R00_ Modules

R00_BrowserBridge in automatic

Save and Re-Init

Finally, save and re-init all the configurations you just made:

Save and Reinit