Browser Isolation

The Browser Isolation component of Oplon Secure Access enables secure access to internal websites and applications without exposing native traffic to the web. Page rendering takes place on an isolated remote server, protecting the user’s device from threats like malware, ransomware, and phishing, while keeping the corporate network sealed off from the outside.

Single Node Architecture (Base)

The base architecture of Oplon Secure Access with Browser Isolation consists of a single node that acts both as an orchestrator and as a Browser Isolation node. This configuration is ideal for environments with moderate load requirements and offers a simple and compact solution to implement secure website browsing.

The installation is already included in the standard Oplon Secure Access installation. No additional steps are required to configure the Browser Isolation node in this mode.

As a quick check that Browser Isolation is actually installed, verify that:

  1. The R00_BrowserBridge module is started (and set to automatic startup)
  2. The SecureAccess grouping applied to the listener that listens for Secure Access is configured as follows:

Secure Access Grouping Browser Isolation Single Node

Multi Node Architecture (Advanced)

To install the Browser Isolation component (after installing the basic Oplon Secure Access appliance), it is necessary to have at least one dedicated node. In fact, Oplon’s designated architecture for Browser Isolation is scalable, balanced, and multi-node.

              +---------------------------+
              |    Oplon Secure Access    |
              |       (Orchestrator)      |
              +-------------+-------------+
                            |
          +-----------------+-----------------+
          |                                   |
          v                                   v
   +-------------+                     +-------------+
   |    Node     |    ... ... ...      |    Node     |
   |   Browser   |    ... ... ...      |   Browser   |
   | Isolation 1 |    ... ... ...      | Isolation n |
   +-------------+                     +-------------+

Before continuing with the guide, complete the following steps:

  1. Deploy or clone the Oplon Secure Access appliance:
    • Ensure that you have deployed (or cloned) an Oplon Secure Access appliance configured in basic mode. Follow the instructions given here to the point of dashboard access.
  2. Install the licenses:
    • Install the provided licenses by following the directions in this guide.
  3. Open the following ports from the Oplon Secure Access node(s) (orchestrators) to the Browser Isolation nodes:
    • 8088
    • 3322

Configure Orchestrator node(s).

If you are coming from an installation prior to the release of Browser Isolation, it is important to make sure that the Rewrite rule SecureAccessRWHeaderRDConnect has the flow set to “BOTH”. To check or modify it, go to ADC Settings > Rewrite Management > Rewrite Header Rules and search for “SecureAccessRWHeaderRDConnect”:

Modify SecureAccessRWHeaderRDConnect 1/2

From here, go to Edit and change the flow to BOTH if it is not already set:

Modify SecureAccessRWHeaderRDConnect 2/2

You also need to add or change the Browser Isolation address in the Secure Access grouping:

  • If “/pages/bi” is already present in the Virtual Domain of OSA, modify it with the address of the Browser Isolation node.
  • Otherwise, clone “/pages/rd/tunnel” and configure it as follows:

Add Endpoint Browser Isolation

Configure Browser Isolation Node(s)

Browser Isolation Container Configuration

To properly configure the Browser Isolation node, you need to reinstall the container by configuring it with the fixed IP address of the dedicated appliance.

The Browser Isolation container must be configured to listen on the appliance IP address (not on 127.0.0.1) to allow connections from the orchestrator node.

Run the following command, replacing <APPLIANCE_IP> with the actual IP of the Browser Isolation node:

    cd /share
    bash OPLON_INSTALL_CONTAINERS.sh -bi <APPLIANCE_IP>
    # Example: bash OPLON_INSTALL_CONTAINERS.sh -bi 192.168.1.100

For more details on available parameters and other advanced container configurations, see the complete documentation.

Follow the installation procedure provided by the script and proceed with the next steps of the guide.
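
One way to confirm on the Browser Isolation node that the required ports are bound to the appliance IP rather than to 127.0.0.1 (an added example, not part of the Oplon documentation or installer). It assumes the two ports from the prerequisites, 8088 and 3322, are the ones the node must expose to the orchestrator, and it embeds a constructed `ss` sample.

```shell
#!/usr/bin/env bash
# Added example (not Oplon code). Ports 8088/3322 are taken from the
# prerequisites; expecting both on the appliance IP is an assumption.

# bind_state PORT APPLIANCE_IP   (reads `ss -ltnH` lines on stdin)
# Prints: appliance | wildcard | loopback-only | other | not-listening
bind_state() {
  awk -v port="$1" -v ip="$2" '
    {
      n = split($4, parts, ":")            # $4 = Local Address:Port
      if (parts[n] != port) next
      host = substr($4, 1, length($4) - length(parts[n]) - 1)
      gsub(/^\[|\]$/, "", host)            # strip IPv6 brackets
      sub(/%.*$/, "", host)                # strip interface scope (%lo)
      if (host == ip) on_ip = 1
      else if (host == "0.0.0.0" || host == "*" || host == "::") on_any = 1
      else if (host ~ /^127\./ || host == "::1") on_lo = 1
      else on_other = 1
    }
    END {
      if (on_ip) print "appliance"
      else if (on_any) print "wildcard"       # reachable on every interface
      else if (on_lo) print "loopback-only"   # orchestrator cannot connect
      else if (on_other) print "other"
      else print "not-listening"
    }'
}

# check_node APPLIANCE_IP: inspect the live socket table; non-zero exit if
# either port is not bound to the appliance IP.
check_node() (
  rc=0
  snapshot="$(ss -ltnH)"
  for port in 8088 3322; do
    state="$(printf '%s\n' "$snapshot" | bind_state "$port" "$1")"
    printf '%-5s %s\n' "$port" "$state"
    [ "$state" = "appliance" ] || rc=1
  done
  exit "$rc"
)

# Constructed sample of `ss -ltnH` output, not captured from a real appliance.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8088 0.0.0.0:*
LISTEN 0 128 192.168.1.100:3322 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

if [ -n "${1:-}" ]; then check_node "$1"; fi
```

A `wildcard` result means the port is reachable on every interface of the node, so the firewall rule that limits 8088 and 3322 to the orchestrator address is the only thing restricting access.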

Import and configure the Listener.

As a first step, you need to import the listener and change the IP address on which it listens.

To do this, go to ADC Settings > Listeners, check “View Template Listeners”, look for “BrowserIsolation”, click the copy button and copy it into the Platform module, as shown here:

Import Listener 1/2

Import Listener 2/2

After that, uncheck “View Template Listeners” and edit the rule, setting the IP address on which you want the listener to listen:

Change Address

Import Grouping.

Now let’s take care of importing the grouping critical to mapping our back ends for Browser Isolation.

To do this, go to ADC Settings > Groupings, check “View Template Groups”, search for “BrowserIsolation” and copy it using its copy button:

Import Grouping

Import Rewrite Header rule “SecureAccessRWHeaderBIConnect”

To import the Rewrite rule instead:

Go to ADC Settings > Rewrite Management > Rewrite Header Rules, check “View Template Rewrite Rules” as before, search for “SecureAccessRWHeaderBIConnect” and copy it with the appropriate button:

Import RW Header

Starting the Modules for Browser Isolation.

Now the Modules/Services need to be set to start automatically:

  • R00_BrowserBridge
  • R00_DesktopBridge

To do this, go to Modules > All Modules, search for “R00_” and set startup to automatic for both modules, as follows:

R00_ Modules

R00_BrowserBridge in automatic

Save and Re-Init

Finally, save and re-init all the configurations you just made.

Save and Reinit