Deploy Secure App Connector V2 on Docker for TCP Applications
Overview
A secure app connector lets end users securely reach their organization's private applications through Skyhigh SSE. The Docker-based connector is a lightweight, faster alternative to the microk8s-based deployments (OVA, AWS, or Azure): a single container performs the same role as a full microk8s setup, which makes Docker an efficient choice for quick deployment.
Prerequisites
Before deploying the Docker image, make sure your system meets the following requirements:
- Minimum OS requirements:
  - Ubuntu (22.04, 24.04)
  - RHEL (9.4)
  - CentOS (9.4)
- Docker version >= 24.0.5
- Skyhigh Security recommends that the host running a secure app connector have at least 4 CPUs, 8 GB RAM, and 50 GB storage.
- Only one container per host is supported.
- You must add a Secure App Connector before deploying the Docker image, see Configure Secure App Connector V2.
NOTE: If a firewall sits between the host and the internet, make sure it allows the domains and HTTP(S) ports listed in Secure App Connector V2 Prerequisites and Firewall settings for Private Applications.
Steps to Deploy
- Log in to the host, copy the downloaded config file to your home directory, and rename it to connector.conf.
IMPORTANT: The generated config file has a validity of 12 hours. Generate a new config file whenever retrying a deployment.
- On a CentOS or RHEL VM, run the following command to put SELinux in permissive mode:
sudo setenforce 0
Note that setenforce 0 affects the whole host, not just the container, and lasts only until the next reboot; it does not change /etc/selinux/config.
- Run the docker pull command you copied earlier to pull the image from the ECR repository.
- To deploy the image, create a new container with the following command (the same command is used on Ubuntu, RHEL, and CentOS):
docker run \
--cap-add=NET_ADMIN \
--device=/dev/net/tun \
--name=skyhigh-pa-conn \
--hostname=skyhigh-secure-app-connector \
--restart=always \
-d \
-v <Directory_of_config>:/skyhigh/mount:ro \
-e HTTP_PROXY="http://proxyhost.com:9090" \
public.ecr.aws/y0m9s9j4/usprod-pop-services/ztna-connector:la_latest
- Replace the mount path, Directory_of_config, with the directory that contains connector.conf. NOTE: Exclude the config file name from this path.
- If you omit the --hostname option, the connector is listed in the Skyhigh UI under the random container ID that Docker assigns. You can replace skyhigh-pa-conn with a different container name of your choice.
- If no proxy is used, remove -e HTTP_PROXY="http://proxyhost.com:9090" from the docker run command.
- The container is started with the NET_ADMIN capability, which it needs in order to perform network-related operations such as:
- interface configuration
- administration of IP firewall, masquerading, and accounting
- modify routing tables
- bind to any address for transparent proxying
- set type-of-service (TOS)
- clear driver statistics
- set promiscuous mode
- enabling multicasting
- You can stop and restart the container without losing any state or data. However, if the container is deleted, a new configuration file must be generated to run it again.
- Auto-update of the container isn't supported. To get the latest version, generate a fresh config file and redeploy the container.
Deployment Validation
- Run the diagnostics tests option to verify the connector setup:
docker exec -it skyhigh-pa-conn run_diag
Replace skyhigh-pa-conn with the container name you passed to --name in the docker run command.
The screenshot below shows the output of this command when everything is working properly.
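The deployment and validation steps above, combined into one script as an added example; this is not Skyhigh's own tooling. It keeps the image, mount point, capability, hostname and container name exactly as the page gives them. Everything else is this example's own assumption: the pre-flight checks (Docker server version >= 24.0.5, /dev/net/tun present, connector.conf younger than 12 hours, no container of the same name already on the host), the CONFIG_DIR / CONTAINER_NAME / HTTP_PROXY environment knobs, and the `deploy` argument guard. Run it on the host as `sh deploy-connector.sh deploy`; without the argument it only defines the helper functions.

```shell
#!/bin/sh
# Added example, not Skyhigh's own script: the deployment steps as one
# idempotent script with the pre-flight checks a deployer wants before
# "docker run". Image, mount point, capability and container name come from
# the page; the environment knobs and checks below are this script's own.
set -eu

IMAGE="public.ecr.aws/y0m9s9j4/usprod-pop-services/ztna-connector:la_latest"
CONTAINER_NAME="${CONTAINER_NAME:-skyhigh-pa-conn}"
CONFIG_DIR="${CONFIG_DIR:-${HOME:-.}}"   # directory holding connector.conf, not the file itself
CONFIG_MAX_AGE_MIN=720                   # the generated config file is valid for 12 hours
MIN_DOCKER_VERSION="24.0.5"

# version_ge A B: succeed if dotted version A >= B, compared component-wise as integers.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# config_is_fresh FILE: succeed if FILE exists and is younger than CONFIG_MAX_AGE_MIN minutes.
# find prints the path only when the file is OLDER than the limit, so empty output means fresh.
config_is_fresh() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -mmin +"$CONFIG_MAX_AGE_MIN")" ]
}

# has_cap CAPADD_LIST CAP: succeed if CAP appears in the list printed by
# `docker inspect --format '{{.HostConfig.CapAdd}}'`, e.g. "[NET_ADMIN]".
has_cap() {
    printf '%s\n' "$1" | tr -d '[]' | tr ' ' '\n' | grep -qx "$2"
}

preflight() {
    dv=$(docker version --format '{{.Server.Version}}')
    version_ge "$dv" "$MIN_DOCKER_VERSION" || { echo "docker $dv is older than $MIN_DOCKER_VERSION" >&2; return 1; }
    [ -c /dev/net/tun ] || { echo "/dev/net/tun is missing (load the tun module)" >&2; return 1; }
    config_is_fresh "$CONFIG_DIR/connector.conf" || {
        echo "$CONFIG_DIR/connector.conf is missing or older than 12h; generate a new one" >&2; return 1; }
    # Only one connector container per host is supported.
    if docker ps -a --format '{{.Names}}' | grep -qx "$CONTAINER_NAME"; then
        echo "container $CONTAINER_NAME already exists; remove it first (docker rm)" >&2; return 1
    fi
}

deploy() {
    preflight
    # setenforce 0 is host-wide and lasts only until reboot; only relevant on RHEL/CentOS.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = "Enforcing" ]; then
        sudo setenforce 0
    fi
    docker pull "$IMAGE"
    set -- --cap-add=NET_ADMIN --device=/dev/net/tun \
           --name="$CONTAINER_NAME" --hostname=skyhigh-secure-app-connector \
           --restart=always -d -v "$CONFIG_DIR:/skyhigh/mount:ro"
    # Pass the proxy only when one is configured; otherwise the flag is dropped, as the page says.
    if [ -n "${HTTP_PROXY:-}" ]; then set -- "$@" -e "HTTP_PROXY=$HTTP_PROXY"; fi
    docker run "$@" "$IMAGE"
    # Confirm the capability actually landed, then run the page's diagnostics
    # (no -it: this script is not attached to a terminal).
    has_cap "$(docker inspect --format '{{.HostConfig.CapAdd}}' "$CONTAINER_NAME")" NET_ADMIN \
        || { echo "NET_ADMIN was not granted to $CONTAINER_NAME" >&2; return 1; }
    docker exec "$CONTAINER_NAME" run_diag
}

# Only deploy when asked explicitly, so the file can be sourced for its helpers.
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

The proxy flag is appended to the argument list with `set --` rather than string-spliced, so a proxy URL is passed through unchanged; `run_diag` is invoked without `-it` so the script also works from cron or CI where no TTY is attached.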
Remove or Stop Connector
NOTE: Replace skyhigh-pa-conn with the name of the connector container.
- Use this command to stop a running connector:
docker stop skyhigh-pa-conn
- Use this command to start a stopped connector:
docker start skyhigh-pa-conn
- Use this command to remove/delete a connector:
docker rm skyhigh-pa-conn
IMPORTANT: Removing or deleting a connector is equivalent to uninstalling it. To recreate the connector, a new configuration file is required.
Troubleshoot Connector for Docker
- To generate a log bundle and copy it to the VM, run these commands:
docker exec -it skyhigh-pa-conn collect-state-wrapper.sh
This command creates a file named connector_state_YYYY-MM-DD_HH-MM-SS.tar.gz in the /tmp directory inside the container.
docker cp skyhigh-pa-conn:/tmp/connector_state_YYYY-MM-DD_HH-MM-SS.tar.gz /tmp/
Replace the timestamp with the actual file name created by the first command. This copies the log bundle from the container to the /tmp/ directory on the VM. If Docker is installed via snap, the bundle lands in the snap's private /tmp instead, at /tmp/snap-private-tmp/snap.docker/tmp/.
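The log-bundle steps above as an added example script, not Skyhigh's own tooling. It calls the page's `collect-state-wrapper.sh`, then resolves the timestamped bundle name by listing the container's /tmp (the `ls` inside the container is an assumption), copies the newest bundle out, and reports where it landed on the host, including the snap private /tmp case. The `COLLECT=1` guard and the container-name argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not Skyhigh's own script: collect the connector state bundle
# and copy it out, using the real timestamped file name the wrapper wrote and
# resolving the host-side path when docker is installed as a snap.
set -eu

CONTAINER_NAME="${1:-skyhigh-pa-conn}"

# latest_bundle LISTING: given newline-separated file names from the container's
# /tmp, print the newest connector_state_YYYY-MM-DD_HH-MM-SS.tar.gz. The timestamp
# is zero-padded and most-significant-first, so plain sort order is time order.
latest_bundle() {
    printf '%s\n' "$1" \
        | grep '^connector_state_[0-9-]*_[0-9-]*\.tar\.gz$' \
        | sort | tail -n 1
}

# host_tmp_dir DOCKER_PATH: the directory where a bundle copied to /tmp/ really
# ends up on the host. A snap-installed docker (binary under /snap/bin) has a
# private /tmp, as the page notes.
host_tmp_dir() {
    case "$1" in
        /snap/bin/*) echo /tmp/snap-private-tmp/snap.docker/tmp ;;
        *)           echo /tmp ;;
    esac
}

collect_state() {
    docker exec "$CONTAINER_NAME" collect-state-wrapper.sh
    listing=$(docker exec "$CONTAINER_NAME" ls /tmp)   # assumes ls exists in the image
    bundle=$(latest_bundle "$listing")
    [ -n "$bundle" ] || { echo "no connector_state bundle found in container /tmp" >&2; return 1; }
    docker cp "$CONTAINER_NAME:/tmp/$bundle" /tmp/
    echo "bundle copied to $(host_tmp_dir "$(command -v docker)")/$bundle"
}

# Only touch docker when asked, so the helpers can be sourced and tested offline.
if [ "${COLLECT:-0}" = 1 ]; then collect_state; fi
```

Run it as `COLLECT=1 sh collect-bundle.sh skyhigh-pa-conn`. Filtering on the exact `connector_state_<timestamp>.tar.gz` pattern means a stale or differently named archive in the container's /tmp is never mistaken for the fresh bundle.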