Enhanced Private Application Discovery
Overview
Application Discovery discovers, identifies, and maps the private applications on an organization's network so that access to them can be controlled. Once an application is discovered and published, only the users authorized by the private access policy (for example, by job function and location) can reach it.
Significance
Admins can enable application discovery so that Skyhigh Private Access identifies applications, by domain name and IP subnet, when users request access to them. Configuring an application segment for discovery gives visibility into the applications actually in use within the organization and makes them available for access.
Key Benefits
When a private application is defined with a wildcard host or a subnet instead of a single host, it covers many internal applications at once, all of which become reachable by the users the policy allows.
To simplify discovering and adding those applications, the Discovered Applications module lets you add individual discovered applications to the private applications list in Private Access Configuration (PAC), or publish a selected list of discovered applications as private applications.
Configuring Application Discovery
Application discovery is most productive when the TCP and UDP port ranges for the wildcard subdomains or IP subnets are broad and the application policy grants access to many users. Because a broad port range and a permissive policy also widen what users can reach during discovery, scope the wildcard or subnet as tightly as the inventory exercise allows and tighten the published applications afterward. When a user requests an application that matches a wildcard subdomain or subnet, the Skyhigh Secure App Connector on the device redirects the request to the appropriate App Connectors. Depending on whether the request uses a domain name or an IP address, the App Connectors either perform a DNS lookup or check IP reachability. If the request succeeds, the user gains access to the application and it appears in the Discovered Applications widget.
Configure Segments for Application Discovery
A segment in application discovery is a specific wildcard subdomain or subnet configuration used to isolate and manage private applications within a network. It supports security by limiting access to sensitive resources while enabling efficient discovery and communication within the organization.
A segment is populated with wildcard subdomain entries or specific subnets that define a range of IP addresses or network ranges. These wildcards and subnets act as filters: only private applications whose host matches one of them are surfaced in the discovered list, which keeps the results focused on the relevant applications.
Add a Segment in Application Discovery
IMPORTANT: To discover applications behind a wildcard or network-type private application, first create the private application with the wildcard or network as its host and allow it in the private access policy. Then create a segment in App Discovery that falls within that subnet range or matches the wildcard-defined applications; the applications discovered under it become visible in the App Discovery window.
- Navigate to Settings > Infrastructure > Private Access Configuration.
- Click Application Discovery tab.
- Select Configure Segments for Discovery option.
- Click Add a Segment for Discovery and complete the following fields:
- Name: Enter a name for the segment.
- Discovering: Toggle on to enable application discovery for the segment.
- Protocol: Select the protocol (TCP or UDP) used to access the application.
- Subdomain/Subnet: Enter a domain, host, IP address, or domain wildcard.
- Port/Range: Enter the port or port range used to connect to the application over the selected protocol.
- Connector Groups: Assign an existing connector group, or create a new connector group and assign it to the application.
- Click Select to assign an existing group, or select New to add a connector group.
IMPORTANT: Select the same connector group that the wildcard or network private application uses; otherwise the segment does not discover its applications.
- Click Save.
View Discovered Application
You can access this page from Analytics > Private Access > Discovered Private Applications.
Once an application discovery segment is configured, the discovered applications appear in this widget.
NOTE: If the log source location changes, any edits made to the discovered data (such as the name or application group name) are not retained.
The following prerequisites apply when the segment is in discovery mode:
- A wildcard or network private application must exist before a discovery segment can surface applications under it; the segment must lie within that application's subnet or wildcard domain and use the same connector group and port.
- The log source location must be identified. Only applications that are at least 14 days old are fetched.
- Applications already present in the Private Application list with the same domain and port do not appear in the discovered applications list.
Example of a discovered application entry:
The Name and Application Group fields are editable. The default name has the format host_name:port.
To edit the name or application group, double-click the value and modify it.
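To make the matching rules above concrete, here is an added Python model of the discovery logic this page describes: the wildcard or subnet match, the protocol and port-range check, the connector-group requirement, the DNS/reachability success condition, and the suppression of host:port pairs that already exist in the Private Applications list, with the default host_name:port naming. It is illustrative code written for this page, not Skyhigh's implementation; the class and field names, the sample segments, the request records (including the connector group each request was routed through) and the existing-application list are all constructed assumptions.

```python
"""Model of the application-discovery matching rules on this page.

Added illustration only; not Skyhigh Private Access code. Segment fields
mirror the form fields above (protocol, subdomain/subnet, port range,
connector group). The request records and the private-app list below are
constructed sample data.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    protocol: str          # "TCP" or "UDP"
    target: str            # wildcard such as "*.corp.example" or a subnet "10.20.0.0/16"
    ports: tuple           # inclusive (low, high) port range
    connector_group: str
    discovering: bool = True


@dataclass(frozen=True)
class Request:
    host: str              # hostname or IP literal the client asked for
    port: int
    protocol: str
    connector_group: str   # assumed: group of the wildcard/network app the request used
    reachable: bool        # DNS lookup (domain) or IP reachability (address) succeeded


def _target_matches(target: str, host: str) -> bool:
    """A '/' in the target means a subnet; anything else is a host/wildcard pattern."""
    if "/" in target:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(target, strict=False)
        except ValueError:
            return False      # a hostname never matches a subnet entry
    return fnmatch.fnmatchcase(host.lower(), target.lower())


def _segment_matches(seg: Segment, req: Request) -> bool:
    low, high = seg.ports
    return (seg.discovering
            and seg.protocol == req.protocol
            and seg.connector_group == req.connector_group
            and low <= req.port <= high
            and _target_matches(seg.target, req.host))


def discover(segments, requests, existing_apps):
    """Return discovered applications as {default_name: segment_name}.

    A request is surfaced only if it succeeded, falls inside a discovery
    segment, and its host:port pair is not already a private application.
    The default name is host_name:port, as described on the page.
    """
    known = {(h.lower(), p) for h, p in existing_apps}
    found = {}
    for req in requests:
        if not req.reachable or (req.host.lower(), req.port) in known:
            continue
        for seg in segments:
            if _segment_matches(seg, req):
                found.setdefault(f"{req.host}:{req.port}", seg.name)
                break
    return found


# Constructed sample data.
SEGMENTS = [
    Segment("corp-web", "TCP", "*.corp.example", (80, 8443), "cg-dc1"),
    Segment("lab-net", "TCP", "10.20.0.0/16", (1, 65535), "cg-dc1"),
]
EXISTING_APPS = [("wiki.corp.example", 443)]
REQUESTS = [
    Request("wiki.corp.example", 443, "TCP", "cg-dc1", True),   # already published: hidden
    Request("git.corp.example", 443, "TCP", "cg-dc1", True),    # discovered via wildcard
    Request("git.corp.example", 22, "TCP", "cg-dc1", True),     # port outside segment range
    Request("10.20.5.9", 5432, "TCP", "cg-dc1", True),          # discovered via subnet
    Request("10.20.5.10", 5432, "TCP", "cg-dc2", True),         # wrong connector group
    Request("10.30.1.1", 80, "TCP", "cg-dc1", True),            # outside the subnet
    Request("old.corp.example", 80, "TCP", "cg-dc1", False),    # DNS lookup failed
]

if __name__ == "__main__":
    for name, seg in discover(SEGMENTS, REQUESTS, EXISTING_APPS).items():
        print(f"{name}  (segment: {seg})")
```

Running the sample yields two entries, git.corp.example:443 and 10.20.5.9:5432; the other five requests are dropped for exactly the reasons the prerequisites list gives (already published, port outside the range, connector-group mismatch, host outside the subnet, failed lookup), which is a useful way to reason about why an expected application is missing from the widget.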
You can select multiple applications and publish them at once, or publish applications individually.
Click Review to check the selection, then click OK to publish.