Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

How Skyhigh Private Access Works

  1. Last updated
  2. Save as PDF

The SSE Console provides centralized management for private access, including policy definition, connector and application configuration, cluster and node administration, health monitoring, and upgrade orchestration. Policies are authored once in the cloud and applied consistently across cloud and on‑prem environments.

When the Private Access Connector is deployed on‑premises, administrators can perform local troubleshooting and service operations (e.g., health checks, diagnostics, log collection, and connector service management) through the appliance CLI, including Hybrid Appliance appctl functions for node lifecycle actions. After policies are synchronized from the cloud, on‑prem appliances enforce access locally, backed by a local policy cache for resilience during internet brownouts. Customers may control the cadence of on‑prem software updates.

Skyhigh Private Access performs the following functions:

  • Identity — Verifies all identities with strong authentication
  • Device — Checks for the device security posture
  • Network — End-to-end encryption of communication
  • Policy Enforcement Point (PEP) — Enforcement of policies (web policy, DLP, RBI, and least privilege access)
  • Private application — Monitor and control access to private applications

Key Components

Skyhigh Private Access uses a variety of technologies to manage and control access to private applications, as shown in the following graphic:

  • Skyhigh Security Client Proxy — The Client Proxy software is installed on the devices to facilitate SAML authentication. When the user is not authenticated, Client Proxy prompts the user to authenticate. It securely forwards the traffic to Skyhigh SSE. When forwarding the traffic, it encrypts and adds metadata along with the real-time device posture information.
  • Skyhigh SSE — This is the Policy Enforcement Point, where it enforces the private access policy on the traffic forwarded by Client Proxy. This traffic is further routed over TLS tunnels to a Skyhigh Private Access Connector through a Private Access Gateway deployed in Points of Presence (PoPs).
  • Connector groups — Connectors are logically grouped to achieve scalability and availability. Private applications are always associated with a connector group and not a connector directly. Every connector group should be associated with at least one private application. 
  • Connectors — A connector is a virtual machine deployed in the same environment (data center, private cloud, or public cloud) as the private application. It establishes a secure outbound connection with the Private Access Gateway and provides access to the requested application. It also updates the status of the private application to the Private Access Gateway.
  • Application group — Create an application group to achieve scalability and logically manage different applications as one entity.

clipboard_e68e95306bad3ee95812ffbb1f91ef13c.png

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    1. diagram