The CSRF_TRUSTED_ORIGINS allows the Agilicus external name to be allowed to sign in.
Once we have done this, we run docker compose up, and, NetBox is now running.
From here, assuming we already have a connector installed, we can create an application following the below steps. All except the last step are done through the ‘Resources/Applications/New’ stepper. The last step (enabling User Context headers), navigate to Resources/Applications/Overview, and select your new application, then select the Proxy header.
At this stage, you should be able to navigate to https://netbox.__MYDOMAIN__ (or, https://profile.__MYDOMAIN__ and see the icon). You should be auto-logged in as a user in the admin group. You can later add users to Agilicus AnyX permissions with ‘self’ or ‘admin’ to give control of what they can do in netbox. Add additional groups if desired.
NOTE: since we chose the ‘multiple roles’ option in the stepper, we must manually configure the firewall rule, allowing each of the roles full HTTP access, and then allowing NetBox to decide what sub-permissions to do based on group.
LibreNMS is “a fully featured network monitoring system“. In order to make it externally accessible, we will treat it as a Web Application.
Application Setup
The LibreNMS application is setup using defaults with 1 exception: we must HTTP Rewrite the Media Type text/html.
In this sample, we show setting it up so that all users in the organisation have equivalent access.
First, create a new web application. Select a ‘name’ (which will become part of the URL, e.g. https://NAME.DOMAIN), a description and a category. The latter two are for information purposes only.
Now we can select a hostname. By default it will be NAME.DOMAIN, but, if you have an alternate hostname setup as a CNAME, you may use it here.
You may use an onsite connector you have previously setup, or a VPN you have previously setup.
This choice controls the fidelity of the access & audit logs, as well as the depth of the WAF. The first choice gives full audit records on each access transation, and protects against SQL injection, CSRF and XSS attacks. The second option keeps the custodial control of the TLS private key entirely within your site and private. Both will work for this example.
Now we select the coordinates of the LibreNMS server *as it is on your current site*. This might be a hostname or IP, it is how you currently use LibreNMS.
We now select authenticate by the reverse proxy.
Here we can control the initial default access. You can change this later in the ‘Access’ tab.
We are now complete on the initial setup, and then have 1 more non-default step to perform, to do the Media rewrite.
Now that this is done, we have one last step. The LibreNMS web application writes the local IP:PORT into the HTML and we must rewrite it. To do so, on the ‘define’ screen, select ‘librenms’ from the top, and, under the HTTP Rewrites section, add ‘text/html’ to the media to be re-written. At this stage, we should be able to login and use normally.
In addition, you should set ‘application/json’ to the rewrite, in order to be corrected on return to API-driven components.
You may consider setting the ‘Include user context headers’ which will cause the authenticated user information to be available as a trusted header.
Node Red is a web-based events management system. For the sake of this sample, we are going to run Node Red in a container as below:
docker run -it -p 1880:1880 -v node_red_data:/data --name mynodered nodered/node-red
We will use Agilicus AnyX to create an identity-aware proxy in front of it, making it available to a defined group of users anywhere without a VPN.
First, we need an Agilicus Connector which has onwards connectivity to the container we created. In this example, I am running the connector on the same machine. If you run it on a different machine you may need to adjust the docker command to allow connectivity from off-box.
Next, we will create the web application:
At this stage we are done, we can now try the node-red application. We can launch it from Agilicus Profile (https://profile.mydomain/) or directly using the url that was shown in step 2
Here we show launching from Profile (we can later set the icon)
In this demonstration we will use the Agilicus Connector to securely, simply expose a Grafana service running inside a Kubernetes cluster.
This will work for clusters that have no Ingress, no LoadBalancer, no public IP. It will allow you to add any user, from any identity provider, with a simple single-sign-on. If you push alerts via a Chat channel, you can just click on the link to get to the graph, no VPN.
First, install the Agilicus Connector in your Kubernetes cluster.
Second, create the Grafana Application in the Admin web interface.
The application name will become the hostname (e.g. here we will have https://grafana.MYDOMAIN)
You may use a pattern-based name (APPNAME.MYDOMAIN), or, a specific hostname (e.g. my-grafana).
Here we will use the Kubernetes Connector we created earlier.
For this demonstration we use TLS from user to the connector in your Kubernetes cluster. If there is a desire for fine-grained audit, use the other option.
The hostname will be with respect to CoreDNS in your cluster. In this case, we have installed grafana in the ‘grafana’ namespace, so it is http://grafana.grafana:3000
We select ‘authenticated by proxy’. In this case, no traffic will hit Grafana except for authenticated, authorised users.
You may choose to allow everyone access, or create specific groups.
We are now complete. Hit APPLY, and wait 2-3 minutes, then enter https://grafana.MYDOMAIN in your browser.
Auto-Sign-In, Auto-User-Create (Optional)
The authenticating proxy sets various headers in a trusted fashion. These include:
In this demonstration we will use the Agilicus Connector to securely expose an internal web server, using a clientless zero-trust secure connector.
Install Sample Web Server
Download the sample web server (the source code and compiling instructions are on github). Unzip the package and run the appropriate one for your platform, open a browser to http://localhost:8080/. This does not modify any files on your computer: it is a single executable with a few HTML files inside it.
OK, now we have a sample web server running locally. The web browser should show something like below.
Setup Agilicus Connector
Refer to the Agilicus Connector configuration instructions for more details.
Setup Sample Application
Refer to the Applications configuration instructions for more details.
Create a new Application. Select a template (static website). You can walk through the remainder of the options, but they will be filled in correctly already (except for the Connector to use).
For the demonstration we will use the existing domain name choice. However, you may wish to create a CNAME and have this application available as e.g. ‘wiki.example.com‘.
Now we will select how the application upstream connection works. We will access the simple static web site from onsite (emulating e.g. your corporate wiki or vacation planner)
Now we will select the internal coordinates. The sample static web site runs on our localhost, and on port 8080. You might have instead used an internal hostname here (e.g. wiki.example.com) and a port like 80.
Now we will choose how users are authenticated. In some cases you may just want a completely unauthenticated site. In some cases your application has native support for OpenID Connect (in which case see Authentication Clients).
Here we will choose “Is authenticated by a proxy”. This means the Agilicus Platform will automatically handle authentication and authorisation. Your application will receive pre-defined headers with the username and user roles. No unauthenticated user traffic will arrive at your application.
We may also choose a Logout URL, in case your web site has a spot users can end their session explicitly. This is optional.
We will also choose how the users are Authenticated. This controls how groups will be pre-setup for you, and how users are assigned. If we select “Is used by all users in my organisation”, this means that any user will have a default role, automatically: no need to grant permission.
If we say “has named users with a single role”, we will have to select the users manually, and all will have the same web application firewall permission (e.g. allow/deny).
We are now complete. We are given an overview of what we have setup, and an option to download a JSON file we might later use as a template. This is optional. When we hit Apply, a set of steps are performed:
Create new Web Application Firewall
Create DNS name
Create TLS certificate
Apply Web Application Firewall Rules
Create default group
Assign users to group
Create Authentication Client
Configure Identity Aware Web Application Firewall to use Authentication Client
These steps will take approximately 3-4 minutes.
You will be given a URL to navigate to with your browser. Its pattern will be https://static-website.MYDOMAIN. If all has gone well, when you navigate to that you will be required to sign-in, and then it will work the same as when you use http://localhost:8080.
Note: there is a default Content-Security-Policy in the Web Application Firewall, and a default set of Web Application Firewall rules for this application. Yours may vary and may require allowing e.g. different Javascript script-src or style-src.
Congratulations! You are now complete.
Things you may wish to observe:
the sample website outputs a line of text for each HTTP request. Note that an unauthenticated browser does not generate any traffic
the user audit screen will show your accesses: each session, each HTTP transaction. This is cryptographically secure, based on a JWT on each transaction: no IP/port matching.
See the companion code in Github. This can be run with docker-compose up to demonstrate.
In this example, we have an HTML web dashboard (running on localhost:5000), and an API (running pn localhost:5001). We use the Web Application Firewall rewrite to remap the API to a prefix (so it will become conceptually localhost:5000/api). This allows it to be represented as a single-sign-on session, on a single external URL.
In this example, we first create an application. On the 3rd step, “My Application Is An API”… if your API correctly uses CORS, you can leave this as-is. Else consider setting it, or example the ‘Define’ step later for more configuration.
When you get to step 7 (Configure Upstream Services), enter 1 for each endpoint. The main (HTML) one is ‘application’, the others are path_prefix. Substitute the real hostname if you need (you may need additional remapping later if your application is hard-coded).
Once you have completed the New Application Stepper, navigate to the ‘Define’ screen to refine the setup. On the ‘Proxy’ Tab, enable ‘Rewrite Common Media Types’.
Add permission to your user, and the page should work at https://<name><domain>/
This is a technical walk through of how to set up Agilicus AnyX with Twlilio® and VTScada for remote use without a VPN or DMZ. See the Infosheet for a high level view.
The use of custom address lists for server connections in the Thin Client/Server Setup dialog simplifies the configuration steps and no longer requires custom SSL certificate installations.
In this guide we are going to be making some changes to the VTScada setup. Notably:
We will configure the Agilicus inbound server name in the VTScada address connection dialog
We will create a Twilio endpoint on VTScada
We will create an application in Agilicus AnyX
We will select and enable a firewall rule in the Agilicus AnyX for the Twilio endpoint
This is a technical walk through of how to set up Agilicus AnyX with Twlilio® and VTScada for remote use without a VPN or DMZ. See the Infosheet for a high level view.
The following requirements need to be satisfied in the VTScada configuration to enable Twilio:
VTScada must be version v12.1.30 or newer,
not be the free version, and must support alarms
The VTScada “Connection Addresses” dialog tab of thin client manager must be configured with a host entry that matches exactly the Agilicus configured application hostname in the Server List. In this walkthrough, we will be using the hostname “waterdemo.cloud.egov.city”
Additionally, to complete this exercise, you will need access to a Twilio account, complete verification of the telephone number you wish to add to the roster, and register a telephone number in your Twilio account.
In this guide, we will set up a VTScada environment to be authenticated by proxy. This means a server will be available by a hostname, but no traffic will be allowed to the VTScada environment until the authorization rules have been met.
This may include identity and multi-factor credential verification. The Agilicus AnyX will manage a valid third-party signed TLS certificate via our partner Let’s Encrypt, configure to ensure the best practices for TLS are followed, and ensure all network traffic is audited and subject to the additional access control measures enabled through Agilicus AnyX.
Agilicus AnyX Application Configuration
Use the ‘New Application’ stepper to create a new application.
In this example, the endpoint we are creating will be called ‘waterdemo’ in the Organization using the cloud.egov.city subdomain.
Choose “My application is accessed: from my site via an onsite connector”
Configure the upstream service to match the server realm being used by VTScada. Here we can use the “Default” Realm server configured on HTTP Port 80 .
For the upstream local hostname/ip address, we can enter the IP address as used by the Realm server seen above (ie: 192.168.10.15 ). If selecting the internal hostname, enter the value of `hostname` lowercase (e.g. open a ‘cmd’ shell on the VTScada machine and run that to get the exact computer name), ensure the host running the Agilicus connector can both resolve the hostname locally, and has reachability to the TCP port as well
For authentication, select is authenticated by a proxy, has named users with a single role.
Navigate to Applications/Overview, and select the “Configure Application” action for the newly created application. This will move you to the application’s details.
Choose the Security tab to configure the firewall to configure the Twilio firewall rules.
Open the ‘Configure Application’ for the newly created VTScada application.
Choose the ‘Security’ tab to configure the firewall.
Create a new Firewall Rule allowing POST and GET methods for anyone matching the prescribed path.
The path can be described as containing the Realm name, Realm GUUID and Telecom specific syntax.
The <realm> will be a GUUID and can be seen in the URL when loading up the Anywhere Client, e.g. 48708544-07e3-4d1b-9b6e-ea8ace4b00fe.
The GUUID follows a standard string pattern.
We can then selectone of three Firewall rule option that employ ever stricter limitations to access the VTScada server path for the Twilio endpoint.
The first rule, can use a Regular Expression to match the Twilio path with a GUUID pattern across all Realms:
If we wish to limit to the particular realm (eg: Default) , we can anchor (^) the firewall rule and match the Realm specific URL path precisely. This rule would be:
Finally, if we wish to filter specifically for both the Realm and GUUID path, we can anchor the path match (^) to the beginning of the URL and also the specific GUUID value.
In the “Thin client/Server setup” menudialog, select “Connection Addresses” and configure the Agilicus external server name exactly as previously configured in the Agilicus Application stepper (in this case, the waterdemo FQDN). Make sure to check the “Secure” checkbox and specify port 443.
Configure the user credentials, domain and realm in the Alarm properties. The realm matches the configured realm and domain must be https://<agilicusexternalname>
Testing the Alarm Call-Out
To test alarm call-out, use Idea-studio to create new page with “Roster Alarm Test” widget
The widget is located under Tag Types\Communications\Alarm Notification\Roster
Assign the tag “Default Call-Out Off
You can now use the newly created page to configure the roster and trigger an alarm.
Checking the checkbox will trigger an alarm.
Right clicking the checkbox will allow you to edit the call-out roster.
Create a contact row. Link the contact to the user with alternate contact details.
If you have successfully configured Twilio and Agilicus, you will receive a phone call-out repetitively until the alarm is acknowledged after the roster callout checkbox has been toggled. You can see the call-out status in the alarms page.
Troubleshooting
VTScada Twilio logs will also be present in your VTScada installation path under:
New log files are only written when the max # of lines (configurable) is reached or the application is stopped. So it’s possible the log files for the current troubleshooting session are not present until the application is stopped.
Here we can verify the callback URLs are being passed correctly to Twilio, in log lines such as:
In this example, we will show setting up an “Icecast” audio streaming system, and force users to be authenticated via OpenID Connect. We will also show Authorisation: a set of “viewers” who can stream the music, and an Administrator.
For this example we will use an onsite connector as a means of reaching the Icecast server. Go through the steps to install this now (or use one already installed).
First, let us open the “New Application” menu. We will do this manually (without a template) to demonstrate.
Give the application a name. This must be a valid hostname (it will be part of the URL a user will use, e.g. https://<NAME>.<DOMAIN>. You may describe the application and give it a category, these are just used for reporting purposes.
You have a choice: you can supply your own domain name (in which case you must put a CNAME in your DNS pointing to our domain ca-1.agilicus.ca), or you may use a name from the CNAME you set up when you created the organisation initially.
Now we indicate how the upstream Icecast application is accessed. We will do this via the onsite connector.
Select the specific connector (which we previously created and installed).
You now have 2 choices. You may have a full web application firewall with fine-grained (e.g. per transaction) audit logs, or you may have a perfect TLS session end to end transparent (in which case the private key will be solely on your site: we will have no access). For this demonstration, we will use the Enhanced Web Application Firewall.
We now enter the coordinates (in the private network, e.g. as would be reachable by that onsite connector) for the Icecast server.
We wish to have the OpenID Connect Proxy handle authentication and authorisation. We can also enter a URL that, when fetched, will force a logout.
We are later going to have 2 types of users (viewers, admins). You might choose an “auto-create” user type for the viewer, allowing anonymous but attributable access.
At this stage we are done creating the application, we will now set up the identity aware web application firewall authorisation.
Create Authorisation Roles, Firewall Rules
On the “Define” screen we can fine tune. First add a “viewer” role, then an “admin” role which includes viewer. Make the default role “viewer”.
Now let us set up the firewall. We will allow ‘viewer’ to GET anything except /admin. We will allow administrators to do any (GET/PUT/POST/…) on /admin/ tree.
At this stage we can open up our Icecast server (https://APPLICATION.DOMAIN), we will be challenged to provide credentials, after that, single sign-on, we are streaming our sweet music.
In this demonstration we will show compiling and hosting a simple web application. No container is needed, we can entirely host it by just dropping a ‘zip’ file of the build into a browser. In addition, we will entirely handle the authentication for the application (no changes, single-sign-on). We will protect a manifest file of secrets to prevent access by unauthenticated users.
The specific application I will demonstrate is gitlab-monitor, a tool which monitors your Gitlab pipelines. It has an unfortunate security model: it requires you to place a config file on the server, accessible by the client, which has a Gitlab Personal Access Token. This is not safe. So, lets host it safely.
Building The Application
Every application has its own build strategy. Make, npm, nuget, etc. This one uses the npm (or yarn) ecosystem.
git clone https://github.com/timoschwarzer/gitlab-monitor
cd gitlab-monitor
npm i
npm audit fix
npm run build
tar -C dist -cvf /tmp/gitlab-monitor.tar .
OK, now we have built the application. We have a file, /tmp/gitlab-monitor.tar, which is the binary ready to run. Let’s get it on the web with a domain name, a certificate, etc.
An application is a type of template, we will later make instances of it (e.g. staging, production). The application configuration will ask for a name (this will become the hostname, e.g. https://<appname>.<yourdomain>. We will add an image (which will show up in https://profile.<yourdomain> for launching).
We select the Identity Aware WAF Proxy (v1) runtime.This will, by default, force authentication of the user.
Now we will upload the application bundle we compiled above. You can just drag and drop the tar file onto the button, or, press “upload bundle” and select it. You can pick a name (e.g. gitlab-monitor-v2) or use the default one of the file name.
OK now we must configure the firewall rules. There are 2 firewalls in series here, the first acts on fine-grained paths, and the second acts to force authentication before allowing access. We will rely on this feature to protect our config.json (which contains the secret). Thus we must allow access to all paths first, and then deny the config file except for known users.
OK, now we have the template defined, we will create an instance. Instances can be used for e.g. “staging vs production”. They typically run in child-organisations, which is out of scope here. We will use ‘latest’ as the tag (which controls the version of the runtime). We attach the bundle from above.
We will now mount our config file into the instance. First, configure instance:
Now we can upload our config file, specify the path as /app/config.json, and we are done.
An Application may be hosted in the Agilicus platform, or external. For this example we are going to show how to develop a new application, initially not hosted.
An Application may be hosted in the Agilicus platform, or external. For this example we are going to show how to develop a new application, initially not hosted. For steps we will need:
Authentication Client (OpenID Connect client id)
Application (to attach permissions to, externally hosted)
Create group, assign users to it
Application Setup
We can do the first two steps aove in a single step with the “New Application” configuration. First, under the Application menu, select ‘New’. Select ‘manually’.
Now we give the application a name. The name will eventually be part of the URL (as a hostname) so keep it a single word. We add a description (which end users will see in the catalog), and a category (which will be used for grouping in reports).
We now indicate how we will ultimately access this application. Since it is (currently) external, this does not matter, leave the top item checked. Later when we move it to be hosted this will become a URL.
Now we indicate how the user accesses the application. Since we are just developing it, and it is on our desktop, leave this as “over the public Internet” (e.g. the application is not hosted in or through the Agilicus platform for the data path).
We now indicate that our application will participate in the authentication. This means that it has a built-in library handling OpenID Connect.
We must now configure the redirect URI (which is part of the OpenID Connect specification). Here we will use http://localhost:3000/ since we are hosting this on our desktop. Later we will add the production redirect URI in the Authentication Client.
We must now indicate how users are granted access. If we say “is used by all users in my organisation”, this means that the “All users” group will be granted access.
If we say “has named users with a single role”, this means authorisation is Boolean (allow/deny), but for a named set of users. We will use this option for the sample.
If our application has distinct roles for the users (e.g. Admin, Editor, Viewer), we can use the “has named users with distinct roles”.
Now we are complete, we will hit apply.
We can inspect the Authentication Client created. Later when we change the redirect URI we can change it here.
At this time we will change the application allowed from ‘All’ to ‘Sample-React-App’, forcing it to only allow our new application.
Group Create, Permissions Assign
Create a new group. Assign yourself (and any other users)
Now, create a new row in the “Application Permissions”, add the new group, and assign ‘Self’ as a permission to the application column.
The Ubiquiti EdgeRouter-X has a built in web interface. In this example, we use a connector installed on it to make this web interface available to arbitrary users over the public Internet
The Ubiquiti EdgeRouter-X has a built in web interface. In this example, we use a connector installed on it to make this web interface available to arbitrary users over the public Internet… without opening the firewall. Each user must use Single-Sign-On via Agilicus plus their existing identity provider, and then can access from any device without a VPN.
Step 1. Create application
Step 2. Enter name (hostname we will use externally), description
Step 3. Indicate we use standard pattern hostname.
Step 4. Indicate its via an Agilicus Connector (in this case, installed on the Ubiquiti EdgeRouter-X directly).
Step 5. Select the connector (previously configured as per instructions)
Step 6. Indicate we will use TLS from user to device.
Step 6. Configure upstream as localhost:443, on TLS (this is the local web server of the EdgeRouter)
Step 7. Indicate that Agilicus will do an OpenID Connect Authentication Proxy, use /logout as the revoke token URI.
Step 8. Indicate that we will have individual users.
Step 9. Apply. After this is complete we will then add a user to permissions and test.
At this stage we can assign permissions:
Now we can either use profile (https://profile.MYDOMAIN) which has all applications in it as a launcher, or navigate directly (https://erx.MYDOMAIN).
If desired, publish so that it is selectable in profile, and give it an icon:
A Content-Security-Policy is a header which instructs a browser how to interpret & allow or deny various types of active content (images, fonts, frames, …). It helps mitigate certain types of attacks including Cross-Site-Scripting (XSS) or data injection.
A Content-Security-Policy is a header which instructs a browser how to interpret & allow or deny various types of active content (images, fonts, frames, …). It helps mitigate certain types of attacks including Cross-Site-Scripting (XSS) or data injection.
The Agilicus Web Application Firewall allows setting and editing this header. You can see it on the ‘Define’ tab of the application. 3 macro-settings may be applied:
clear — remove (unset) the Content-Security-Policy
strict angular defaults — this is a set of defaults suitable for an Angular application compiled with AOT and subresource-integrity
lax angularjs defaults — this is a set of defaults suitable for an older AngularJS application (including unsafe-inline)
Once you set one of these buttons you may then edit the individual types.
In addition to the check-box settings, a set of ‘hosts’ may be configured. This can include ‘data:’ , ‘*’, ‘https:’, ‘https://example.com’, etc. For more information see Content Security Policy (CSP) in the Mozilla Web Docs.
Microsoft ClickOnce is a technology which merges ‘web’ with ‘desktop’ applications. The user is presented with a web page, which downloads an initial manifest, which in turn downloads/synchronises the remainder of the application.
Microsoft ClickOnce is a technology which merges ‘web’ with ‘desktop’ applications. The user is presented with a web page, which downloads an initial manifest, which in turn downloads/synchronises the remainder of the application.
Typically a ClickOnce application will, once loaded, start consuming resources from its (http) Origin (e.g. REST API’s, databases, etc).
Setup a ClickOnce application as any other Web Application. Then, on each Desktop that will access it, follow the below instructions.
Agilicus Agent
Download the Agilicus Agent (Windows) to the Downloads
Run without arguments. Enter your domain (e.g. the CNAME you setup during the sign-up phase)
If a browser pops up, sign-in as normal
At this stage you are done. The user will see a new menu item on their Start Menu (called ‘Refresh’), they can run this any time the Administrator has added new applications that have for some reason not synced. They can also run this to resynchronise Shared fileystems, including re-supplying a second-factor authentication challenge.
Chrome Extension
Agilicus recommends installing the Agilicus ClickOnce Chrome Extension. This makes the end-user experience ‘native’, no interaction is required. The user will open https://DOMAIN/ as normal. This DOMAIN will be wrapped by the Agilicus’s OpenID Connect Proxy, which enforces authentication and authorisation in advance and hands it off to a previously installed Agilicus Agent which will interact with Chromes Native Messaging. The net effect will be “click” and “run” occur automatically with no user interaction, with single-sign on.
Most Chrome users can install the Extension from the Chrome Web Store. If for some reason you do not see the extension, below are the instructions to side-load it. Install and enable the extension.
By default the extension may (depending on your settings) only enable on Click or on specific sites. You may check the extension settings as at right.
Chrome Extension Side-load (Optional)
Note: you only need these instructions if you wish a newer version than published, or you cannot see the entry in the Chrome Web Store.
When done, you can check the Extension is installed on the chrome://extensions page (image shown to right).
To diagnose if the Registry ‘allow’ key is set, you can navigate to ‘chrome://policy’ and you should see a policy installed as below image under ExtensionInstallAllowlist
The Identity-Aware Web Application Firewall acts as an HTTP-proxy. In doing to, it can inject an identity-flow (authentication on behalf of) as well as rewrite/rework various HTTP constructs to make them accurate relative to an external environment.
The Identity-Aware Web Application Firewall acts as an HTTP-proxy. In doing to, it can inject an identity-flow (authentication on behalf of) as well as rewrite/rework various HTTP constructs to make them accurate relative to an external environment.
Typically there is no configuration required in this section, however, you may use it to tweak for individual applications as needed.
Include User Context Headers
If the ‘Include User Context Headers’ is set, several headers are added to the request, allowing the upstream web server to infer user and role. these include:
It is common for certain body documents to have embedded components linking to the internal name of the host. This could include a JSON search result, showing http://internal instead of https://external.example.com, it could include XML, HTML, CSV, etc.
In this section, we can add specific Media (MIME) types. If they are set, the contents will be rewritten to match the external coordinates.
HTTP (Host) Names Rewrite
The internal host may have multiple names. This can occur with e.g. virtual machines (‘intranet’ is also ‘vweb01’) and these names internally might be used interchangeably. In this section we add a set of hosts that, if present, will be rewritten to the external name.
HTTP Response Header Overrides
Set Header
This allows setting an arbitrary header to an arbitrary value.
Append Header
This allows appending a value to an existing response header.
Remove Header
This will remove a header from the response. It may be used to e.g. remove private internal information or version leakage.
Remove Match
This feature allows removing entire header lines matching some criteria. If your response included:
Host: foobar
Host: foo
Then, if we put in ‘Name’: ‘Host’ and value ‘foo’, both lines are removed. If we put in value ‘bar’ only the first line is removed. A regex is allowed here, so we could put in e.g. ‘fo.*’.
Parameter Rewrite Filter
This feature allows overwriting specific GET parameters. E.g. if the URL is https://www?foo=bar, you can rewrite this to foo=baz. It also allows deflate (e.g. decompress) and base64-encoded.
HTTP Request Header Overrides
The Request Overrides operate in the same fashion as the Response Overrides.
Proxied Service Configuration
This field should not be used in normal circumstances. It allows proxying to an external host (e.g. for demonstration purposes).
Connect to VTScada – Adding a Web Anywhere Client Application
The following guide outlines the steps for creating a VTScada Anywhere Client application in the Agilicus platform. These instructions are intended for VTScada deployments with version v12.1.30+ on Windows, Linux, and Android devices.
The following guide outlines the steps for creating a VTScada web application in the Agilicus platform. These instructions are intended for VTScada v12.1.30+ deployments on Windows, Linux, and Android devices.
If you require assistance for Safari and iOS device , contact us.
Step 1: Create the Application
From the left sidebar, expand Applications and select New:
Application name. The chosen name will also be required to configure the VTScada Server list later in the instructions.
a description of the application.
Click on Next to get to the “Hostname Aliases” section and accept the proposed Hostname, or specify a different one. (If different, will need to be applied to the VTScada Server address list)
Select the first option of “I access via NAME-OF-APP.subdomain.domain.name” and click on next.
First under “My application is accessed” select “from my site via an onsite connector”
Within “Set up web application firewall” select “My application expects to receive requests using its internal hostname”
Under “My application hosts all or most of its pages under a common path prefix”, enter your VTScada Realm name (eg: /Default) that is the default Path we will allow authenticated users to navigate. Other path exceptions will be created later in the Firewall ruleset.
From the “Select a connector” drop down, pick the connector that you had previously created.
Within the “Enter the hostname” field, type in the hostname of the server that is hosting your VTScada web portal. This should be the same as your VTScada thick client.
In this configuration, the VTScada Server Setup and “Default” Realm server / and URLs point to an IP address of 192.168.10.15, and a TCP port of 80, with no SSL (Secure).
Click on Next to be taken to the “Authentication section”:
Select “is authentication by a proxy” and type in “/logout” (without the double quotes) into the “Enter the logout url” field.
We will also use the Optional “Enter the redirect after signin path” URL to redirect to the VTScada Server Realm page once users perform Authentication. Therefore, fill the value of the field with the name of the Realm ( eg: /Default )
Select “has named users with a single role (I will assign users later)” and click on Next:
Select the APPLY button to finish off this section of the setup.
Step 2: Configure the Application
Click on “Overview” within the Applications section and select the Actions icon in the very far right hand side of the screen for the VTScada application that we just created:
After clicking on “Configure Application”, select the Proxy section
Within the Proxy section select the “Common Path Prefix” and input the Realm name. This will limit the Anywhere Client to the desired realm path unless allowed by the Firewall rules in the following steps. In this case, we use the path /Default which is our VTScada realm.
Click on “Rewrite Common Media Types” checkbox.
Next, select the “Security” section and scroll to the “Firewall Rules”
In the Firewall section, we will enter rules that will allow Authenticated Users with permissions to the “Self” role to access specific paths within the VTScada Anywhere Client. These specific path are explicit in order to match valid content within the VTScada Realm that may fall outside of the “Path Prefix” set in the previous step ( eg: /Default ). These paths contain various web objects such as Icons, CSS files, Images, Anywhere Client scripts, and specific paths to the Server realm GUUID.
If using Website uptime monitoring, we recommend making the standard website browser icon “favicon.ico” available without authentication so that Web monitoring software can easily test end to end website uptime and availability by fetching this object.
This rule matches the GUUID path pattern used in VTScada Anywhere Client. If you wish to be more precise and secure, you can change this rule to the actual GUUID seen in the browser URL path like this example, and make it “^/Default/48708544-07e3-4d1b-9b6e-ea8ace4b00fe”
2. This rule matches the Anywhere Client script path
3. This rule should bear the name of the Server realm. In this case “Default”. This should be made to match your Server realm. This should be created by default in the original application configuration, but we can change the syntax here to be more specific.
4. This rule matches the VTScada path for images and objects for both the Regular and Light version of the server
5. This rule matches the standard favicon.ico website icon
6. This rule matches the Style Sheets path
7. This rule matches a logout path that would be used to sign out of the VTScada application
We have now completed setting up your VTScada resource within the Agilicus platform. At this point you would want to create the appropriate Role Based Access Control permissions per the steps below:
Step 3: Add Permissions
Select Access -> Application Permissions
Grant Firewall Role (self) Permission of the application name (VTS) to the required Identity
Step 4: Configure VTScada
From the VTScada Application Manager, select the Server Setup dialog:
Select the “Connection Addresses” tab, select the “+” icon to create a connection address entry.
Enter the matching Agilicus Application name FQDN exactly as created in the “Connection Address” dialog, select port 443 and check “Secure“
Click “Apply” to submit the new address. This will allow VTScada Anywhere Client to present a list of valid hostnames where the Anywhere Client is allowed to connect. Since the FQDN is the one we configured through the Agilicus platform, the VTScada Anywhere Client will be permitted to browse via the newly created service.
Each application will be provisioned with a URL of https://<appname>.<domainname>, and, be available to any user from any browser. A valid certificate will be automatically created (and rotated approximately every 50 days).
Application can have various methods of authentication (sign-in):
To create a new application, select Resources/Applications/New. This will start a guided setup (a ‘stepper’).
In this first step, you will provide two items:
application name. This must be a valid hostname (a-z, 0-9 and -). Please use all lower-case. Underscores and spaces are not allowed. This will become the URL (https://appname.domain).
A general description. This is free form, it will show to the end users.
Throughout the steps you will normally see a ‘Next’ or an item in light-grey to open for the next configuration.
None. Open to anyone on the public Internet. This can be suitable for cases where the application has its own internal user management which is sufficiently strong.
Participating. The web application has built in support for OpenID Connect (or SAML), and, initiates the sign-in flow. This is suitable for cases where the application needs valid users that are distinct.
By proxy. The Agilicus AnyX platform becomes an Identity-Aware-Proxy, forcing users to sign-in prior to any access. In this model, no traffic arrives at the web application unless the user is authenticated and has permission. This is a very strong security model.
New Application (Create/Setup)
Step 1: Name
Step 2: Hostname (or Alias)
In this step we decide how to reach this application. In some cases there is a specific, well-defined, already setup name (which DNS points to this cluster).
Most users will select the first option, in which case there is no additional config.
If you wish to have a manual hostname, set your DNS server up and point it to the same location as the CNAME you did during the initial system setup.
Step 3: Data Plane Network Access
“My application is accessed…”. This governs the data path of how the users reach the application. Most users will select ‘from my site via an onsite connector’, meaning there application is in some private network.
In some cases, when the application participates with the authentication, you may wish to entirely manage the data network and certificates manually, select ‘over the public Internet’.
There is now an ‘advanced configuration’ option, “My application uses custom web application firewall settings”. In most cases this is not needed. These options are described below.
Step 4: Upstream (internal host) Data Plane Network Access
In this step, we configure the internal (in your network) coordinates of the web application. We refer to these as ‘upstream services’.
“Local hostname/ip”. From the machine running the connector, what would you enter in a browser to reach the internal web site? This could be ‘localhost’ if the connector were running on the web server.
“Local port”. What port is your web server running on? (typically 80 or 443, could be 8080, 8088).
“TLS Type”. Is your internal web server setup with SSL/TLS? If so, you might select ‘accessed via TLS”. If it is, and, the certificate is publicly trusted (e.g. issued via Let’s Encrypt or another public certificate provider), select ‘via TLS and verify”.
In rare cases, an application has multiple components on multiple ports, select ‘add more services’
Step 5: Authentication
Applications fall into three classes:
No authentication (rare), no user checking is done
Participates. Application supports OpenID Connect or SAML and is configured to work with Agilicus AnyX specifically.
Authenticated by Proxy. This is the typical case.
For “Authenticated by Proxy”, we can optionally set a ‘redirect after signin’, this is used to give the user an initial subpath (e.g. /Profile).
For the proxy authentication, we now have a initial preset (we can configure later in Define or Access), of how users will use this.
No named users. (any valid random user)
All users in my org. The ‘All-users’ group is given permission.
Named users, single role (this is the most common). A group is created which has access.
Named users, distinct roles. In this mode, there are distinct classes of user (e.g. Editor, Viewer, Manager).
At this stage, you can ‘Apply’. The application will start to configure, this takes 30-45 seconds. You may now need to assign permissions (see Access/Application Permissions). Otherwise, open Profile (see left menu, bottom), hit refresh, and you will see a link to the URL.
(Optional) Custom Web Application Firewall Settings
In some cases manual overrides are needed to parts of the web application firewall. These may be performed during the setup, or, later, tuned with the Define step. The options listed are:
“common path prefix”. If your application is internally served on a shared web server with other web apps, (e.g. intranet/HR, intranet/Wiki), then you may wish to use the prefix option, rehoming it to root. (e.g. /HR here will mean the user will see http://HR/, and automatically sign in).
“Is an API”. If the HTTP endpoint is normally used via external web applications, this will setup CORS automatically. You may also fine tune this in the Define.
“Does not support http/2”. Some applications break when presented with HTTP/2, which is otherwise supported by the Agilicus AnyX proxy. Setting this option will prevent advertising HTTP/2 support.
“Requires full web application firewall”. This is rarely used, we recommend discussing with Agilicus first. This causes a 2-hop encryption path to be used, with an intervening filter.
Application hosted on subpath of domain (e.g. https://host/path)
You may have an application hosted under a subfolder/path on your web server, possibly because it is better than having another server for it. For example: localhost:port/subpath, localhost:port/support etc.
To enable the subpath hosting for your application,
1. Go to Resources > Applications > Define and select the application from the drop down at the top of the page 2. Then in Security (tab) > Firewall Rules > HTTP Rules, change the / entry under path to your custom subpath (For example, /subpath) 3. Under Proxy (tab) > HTTP Rewrites, inside the Common Path Prefix field, enter your custom subpath again (For example, /subpath)
