
Browser Isolation

The Browser Isolation component of Oplon Secure Access allows secure access to sites and applications within the corporate network without exposing traffic directly to the web. Page rendering takes place on an isolated remote server, protecting the user’s device from threats such as malware, ransomware and phishing while keeping the corporate network closed to the outside.

Single Node Architecture (Base)

The base architecture of Oplon Secure Access with Browser Isolation provides a single node that acts both as the orchestrator and as the Browser Isolation node. This configuration is ideal for environments with moderate load requirements and offers a simple and compact solution to enable secure web browsing.

As a quick check to verify that Browser Isolation is actually installed, make sure that:

  1. The R00_BrowserBridge module is started (and set to start automatically)

  2. The SecureAccess grouping applied to the listener serving Secure Access is configured as follows:

    Secure Access Listener Browser Isolation Single Node

  3. The Browser Isolation listener is enabled on localhost, port 8089 and with SSL set to false

    Secure Access Grouping Browser Isolation Single Node

Multi Node Architecture (Advanced)

To install the Browser Isolation component (after installing the base Oplon Secure Access appliance), at least one dedicated node is required. The architecture designed by Oplon for Browser Isolation is in fact scalable, balanced and multi-node.

            +---------------------------+
            |    Oplon Secure Access    |
            |      (Orchestrator)       |
            +------------+--------------+
                         |
       +-----------------------------------+
       |                                   |
       v                                   v
+-------------+     ... ... ...     +-------------+
|   Browser   |     ... ... ...     |   Browser   |
|  Isolation  |     ... ... ...     |  Isolation  |
|   Node 1    |     ... ... ...     |   Node n    |
+-------------+                     +-------------+

Before continuing with the guide, you must:

  1. Deploy or clone the Oplon Secure Access appliance:
    • Make sure you have deployed (or cloned) an Oplon Secure Access appliance with a basic configuration. Follow the instructions provided here up to the dashboard access step
  2. Install the licenses:
    • Install the provided licenses by following the instructions in this guide
  3. Open the ports from the Oplon Secure Access node(s) (orchestrators) toward the Browser Isolation nodes:
    • 8089
    • 3322

Configuring the Orchestrator node(s)

If you are coming from an installation prior to the release of Browser Isolation, it is important to make sure that the Rewrite rule SecureAccessRWHeaderRDConnect has its flow set to “BOTH”.

Unlike the single node architecture, you also need to add or change the address used for Browser Isolation in the Secure Access Grouping. To do this:

  • If it is already present in the OSA Virtual Domain, edit “/pages/bi”, enter the address of the Browser Isolation node and set SSL to true.

    Adding the Browser Isolation Endpoint

Configuring the Browser Isolation node(s)

Configuring the Browser Isolation container

To configure the Browser Isolation node correctly, you need to reinstall the container, configuring it with the fixed IP address of the dedicated appliance.

The Browser Isolation container must be configured to listen on the appliance’s IP address (not on 127.0.0.1) to allow connections from the orchestrator node.

Run the following command, replacing <IP_APPLIANCE> with the actual IP of the Browser Isolation node:

    cd /share
    bash OPLON_INSTALL_CONTAINERS.sh -bi <IP_APPLIANCE>
    # Example: bash OPLON_INSTALL_CONTAINERS.sh -bi 192.168.1.100

For more details on the available parameters and other advanced container configurations, see the full documentation.

Follow the installation procedure proposed by the script and proceed with the next steps of the guide.
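
Once the script has finished, the bind requirement above (appliance IP, not 127.0.0.1) can be confirmed on the node itself. The following is an added example, not part of the Oplon documentation or tooling: the function names classify_bind and bi_bind_ok and the sample lines are constructed here, and it assumes the standard Linux ss utility is available on the appliance. In the single node architecture the expected result for port 8089 is loopback-only instead.

```bash
#!/usr/bin/env bash
# Added example: classify how a TCP port is bound, from `ss -ltn` output on stdin.
# Prints: appliance | wildcard | loopback-only | other | not-listening
classify_bind() {
    local ip="$1" port="$2"
    awk -v ip="$ip" -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # $4 is Local Address:Port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # IPv6 brackets
            sub(/%.*/, "", addr)                          # %interface suffix
            if (addr == ip) appliance = 1
            else if (addr == "0.0.0.0" || addr == "::" || addr == "*") wildcard = 1
            else if (addr == "127.0.0.1" || addr == "::1") loopback = 1
            else other = 1
        }
        END {
            if (appliance)     print "appliance"
            else if (wildcard) print "wildcard"
            else if (loopback) print "loopback-only"
            else if (other)    print "other"
            else               print "not-listening"
        }'
}

# Multi-node check: succeed only when the port listens on the appliance IP.
bi_bind_ok() {
    local ip="$1" port="${2:-8089}" state
    state="$(classify_bind "$ip" "$port")"
    echo "port $port on $ip: $state" >&2
    [ "$state" = "appliance" ]
}

# Constructed samples of `ss -ltn` lines (not captured from a real appliance).
SAMPLE_LOOPBACK='LISTEN 0 4096 127.0.0.1:8089 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_APPLIANCE='LISTEN 0 4096 192.168.1.100:8089 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK"  | classify_bind 192.168.1.100 8089
printf '%s\n' "$SAMPLE_APPLIANCE" | classify_bind 192.168.1.100 8089
# On a live node: ss -ltn | bi_bind_ok <IP_APPLIANCE> 8089
```

A wildcard result means the orchestrator can still connect, but the port is exposed on every interface of the node, which is broader than the fixed-IP binding this guide asks for.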

Importing and configuring the Listener

As a first step, you need to import the listener (if not already present) and change the IP address it listens on.

To do this, go to ADC Settings > Listeners, check the “View Template Listners” box, search for “BrowserIsolation” and, using the copy button, copy it into the module in use (Platform, StandardHA, EnterpriseHA or cluster), as shown here:

Import Listener

Then disable “View Template Listners”, edit the listener to enter the correct IP, and set SSL to true:

Changing the Address

Importing the Grouping

Now let’s import the grouping, which is essential to map our Browser Isolation back ends.

To do this, go to ADC Settings > Groupings, enable “View Template Groups”, search for “BrowserIsolation” and copy it using its button:

Import Grouping

Importing the Rewrite Header rule “SecureAccessRWHeaderBIConnect”

To import the Rewrite rule instead, go to ADC Settings > Rewrite Management > Rewrite Header Rules, enable “View Template Rewrite Rules”, search for “SecureAccessRWHeaderBIConnect” and copy it using the dedicated button.

Starting the Browser Isolation Modules

You now need to set the following Modules/Services to start automatically:

  • R00_BrowserBridge
  • R00_DesktopBridge

To do this, go to Modules > All Modules, search for “R00_” and set the start to “automatic” for both modules, as follows:

R00_ Modules

R00_BrowserBridge in automatic

Save and Re-Init

Finally, save and re-init all the configurations you have just applied.

Save and Reinit