Reverse Proxy for Slack
Skyhigh CASB can provide Cloud Access Policies to control services that users can access from managed or unmanaged devices. It also provides DLP Policies to block or monitor the sensitive information shared by users through Slack.
Slack supports reverse proxy with the following limitations:
- If you have an unmanaged device/untrusted location, login to Slack via the desktop or mobile applications is blocked for Android, and only browser access is allowed.
- If you have unmanaged devices/untrusted locations with proxy browser access, downloads are blocked.
- If you have unmanaged devices/untrusted locations with proxy browser access and have applied inline DLP for file downloads with the DLP response action set to "send email notification" (to send the user a warning email), then file downloads are blocked. To download files, apply Digital Rights Management (DRM) using Microsoft Information Protection (MIP)/Azure Information Protection (AIP).
NOTE: Requests from iOS mobile native apps are not supported because Skyhigh CASB cannot detect them via reverse proxy. Therefore, iOS native apps are not blocked via reverse proxy.
A device is treated as unmanaged due to:
- Lack of customer-supplied certificate.
- Lack of Skyhigh Security Agent.
- IdP details: the IdP identifies the device as unmanaged through a SAML attribute.
A location is treated as untrusted due to:
- Source IP range.
- Geo-location. For example, China, Russia, etc.
- IdP details: the IdP identifies the location as untrusted through a SAML attribute.
Add Service Properties
Add the following Service Property to the managed Slack Proxy Instance:
search.replace.strings = {"searchReplaceList":[{"uri":"re:/client/TN1CWSGP7.*","searchStr":"re:script-src.*';", "replaceStr":""}]}
Raw Direct Configuration
[ { "dstHost": "skyhighqa4.enterprise.slack.com", "uri": "re:.*sso_failed.*", "phase": "REQUEST", "redirectUri": "/sso/saml/start?redir=%2F" } ]
NOTE: These properties are used to check the URI after login on the client side in Slack, and the URI value varies for different Slack domains.
Service Property
Base64-encode the preceding raw direct configuration and add the result as a service property as follows:
redirect-config=WwogIHsKICAgICJkc3RIb3N0IjogInNreWhpZ2hxYTQuZW50ZXJwcmlzZS5zbGFjay5jb20iLAogICAgInVyaSI6ICJyZTouKnNzb19mYWlsZWQuKiIsCiAgICAicGhhc2UiOiAiUkVRVUVTVCIsCiAgICAicmVkaXJlY3RVcmkiOiAiL3Nzby9zYW1sL3N0YXJ0P3JlZGlyPSUyRiIKICB9Cl0=
NOTE: The dstHost will not always be the same; it varies for different organizations. Therefore, the encoded value will be different.
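The encoding step above, together with a check that a deployed value decodes to the intended rule, as an added example (not Skyhigh's own code). The function names are hypothetical; treating the "re:" prefix as a regular-expression marker and testing the pattern with Python's regex engine are assumptions.

```python
import base64
import json
import re

REQUIRED_KEYS = {"dstHost", "uri", "phase", "redirectUri"}  # fields shown on this page
# The redirect-config property exactly as it appears on this page.
PAGE_PROPERTY = "redirect-config=WwogIHsKICAgICJkc3RIb3N0IjogInNreWhpZ2hxYTQuZW50ZXJwcmlzZS5zbGFjay5jb20iLAogICAgInVyaSI6ICJyZTouKnNzb19mYWlsZWQuKiIsCiAgICAicGhhc2UiOiAiUkVRVUVTVCIsCiAgICAicmVkaXJlY3RVcmkiOiAiL3Nzby9zYW1sL3N0YXJ0P3JlZGlyPSUyRiIKICB9Cl0="

def encode_redirect_config(dst_host):
    """Build the raw rule for one Slack domain and return the property line."""
    rules = [{
        "dstHost": dst_host,
        "uri": "re:.*sso_failed.*",
        "phase": "REQUEST",
        "redirectUri": "/sso/saml/start?redir=%2F",
    }]
    raw = json.dumps(rules, indent=2).encode("utf-8")
    return "redirect-config=" + base64.b64encode(raw).decode("ascii")

def audit_redirect_config(prop_line, expected_host):
    """Decode a redirect-config property and return a list of findings."""
    name, _, value = prop_line.partition("=")  # base64 padding stays in value
    if name.strip() != "redirect-config":
        return ["not a redirect-config property"]
    try:
        rules = json.loads(base64.b64decode(value.strip(), validate=True))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return [f"value is not base64-encoded JSON: {exc}"]
    if not isinstance(rules, list):
        return ["top level must be a JSON array of rules"]
    findings = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict) or REQUIRED_KEYS - set(rule):
            findings.append(f"rule {i}: expected keys {sorted(REQUIRED_KEYS)}")
            continue
        if str(rule["dstHost"]).lower() != expected_host.lower():
            findings.append(f"rule {i}: dstHost is {rule['dstHost']!r}, not {expected_host!r}")
        uri = str(rule["uri"])
        if uri.startswith("re:"):  # assumption: "re:" marks a regular expression
            try:
                re.compile(uri[3:])  # Python's engine, used as an approximation
            except re.error as exc:
                findings.append(f"rule {i}: uri pattern does not compile: {exc}")
        target = str(rule["redirectUri"])
        if not target.startswith("/") or target.startswith("//"):
            findings.append(f"rule {i}: redirectUri is not a path on dstHost")
    return findings
```

An empty list from audit_redirect_config means the property decodes to a well-formed rule for the expected Slack domain; a property copied from another organization is reported as a dstHost mismatch.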
Ways to Access Slack via Reverse Proxy
These are the different ways to access Slack via Proxy:
- Desktop Browsers
- Mobile Browsers
- Desktop Native Apps
- Mobile Native Apps
The ways to access Slack through various devices and browsers are described in the table.
Legends used in the table: ✔ - Verified and working. ✖ - Not working as expected.
Desktop and Mobile Browsers
The supported device with specifications and browsers versions for Slack are described in the following table:
Device Specification | Mobile Browser Version |
---|---|
Device: Android Tablet Lenovo; Android Version: 6.0.1 | Google Chrome Version: 84.0.4147.111; Firefox Browser Version: 68.11.0 |
Name: iPad; Software Version: 14.0.1 | Firefox Version: 28.2 (2470); Google Chrome Version: 84.0.4147.71; Edge Version: 45.8.14; Safari: iPadOS Version 14.0.1 |
Desktop and Mobile Browsers
The table summarizes the supported devices via reverse proxy with CAP and DLP policies applied for Desktop and Mobile browsers.
NOTE: The desktop and mobile browsers used are:
- Google Chrome Version: 86.0.4240.75 (Official Build) (64-bit)
- Firefox Version: 81.0.2 (64-bit)
Device and Browser | Managed device, Redirect All | Managed device, Block IP range | Managed device, Block geo-location | Unmanaged device, Block | Unmanaged device, Block downloads | Unmanaged device, Block downloads on DLP sensitive data |
---|---|---|---|---|---|---|
Android Version 6.01 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
iPad Version 14.0.1 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Desktop Browser | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Desktop Native Apps
The table summarizes the supported devices via reverse proxy with CAP and DLP policies applied to it.
NOTE: Desktop Native App behaves like a browser and all browser conditions are applicable to Desktop Native Apps.
Device | User-Agent Obtained | Managed device, Redirect All | Managed device, Block IP range | Managed device, Block geo-location | Unmanaged device, Block all |
---|---|---|---|---|---|
Desktop Native App Version: Windows Store 4.10.0 64-bit | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 | ✔ | ✔ | ✔ | ✖ |
Desktop Native App Version: MacOS Catalina 10.15.6 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 | ✔ | ✔ | ✔ | ✖ |
Mobile Native Apps
Slack via reverse proxy is available for both Android and iOS mobile native apps.
Device and Slack Version | User-Agent Obtained | Managed device, Redirect All | Managed device, Block IP range | Managed device, Block geo-location | Unmanaged device, Block all | Unmanaged device, Block downloads | Unmanaged device, Block downloads on DLP sensitive data |
---|---|---|---|---|---|---|---|
Android Version: 6.0.1 Tablet Lenovo; Slack Version: 20.09.20.0-30010667-9 | Mozilla/5.0 (Linux; Android 6.0.1; Lenovo YT3-X90L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Safari/537.36 | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
iPad Version: 14.0.1; Slack Version: 20.10.20 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15 | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |
Device and Slack Version | User-Agent Obtained | Check Cert: Proxy Managed, Block Unmanaged | Check Cert: Redirect Managed, Block Unmanaged |
---|---|---|---|
Android Version: 12; Slack Version: 22.11.20.0-90011960-11109 | Mozilla/5.0 (Linux; Android 12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.105 Safari/637.36 | ✖ | ✔ |
iPad Version: 15.5; Slack Version: 22.11.20(428731) | com.tinyspeck.chatlyio/22.10.50 (iPad; iOS 15.5; Scale/2.00) | ✖ | ✔ |