Deploy Secure App Connector V2 for Docker
Overview
A secure app connector lets end users securely access their organization's private applications through Skyhigh SSE. The Docker-based deployment is lighter and faster than the alternatives: a single container performs the same role as a microk8s-based connector deployed from the OVA or on AWS or Azure, which makes Docker a good choice for quick deployments.
Prerequisites
- OS: Ubuntu (22.04, 24.04), RHEL (9.4), CentOS (9.4).
- Docker version >= 24.0.5
- Skyhigh Security recommends that a secure app connector have at least 4 CPUs, 8 GB RAM, and 50 GB storage.
- Only one container per host is supported.
NOTE: If a firewall sits between the connector host and the internet, allow the required domains and HTTP(S) ports. For the list, see Secure App Connector V2 Prerequisites and Firewall settings For Private Applications.
Add Secure App Connector
- Go to Settings > Secure App Connector.
- Click Add Secure App Connector.
- A new window opens.
- Click Auto-detected during Installation.
- Click Done after choosing an option.
NOTE: The Skyhigh SSE platform recommends the Auto-detected during Installation option because it selects the nearest server based on where the connector is installed. You can still override the default by selecting a specific gateway.
- Click Select Connector Group and select a Connector Group from the list.
NOTE: To create a connector group, refer to Add Connector Groups.
- Click Done after choosing an option.
NOTE: You must select a Connector Group before the settings can be saved.
NOTE: By default, a connector always includes the TCP protocol. UDP support for Docker-based connector deployments will be added in a coming release. Do not select the TCP and UDP option.
- Click Save.
- After the connector is added successfully, the config file is generated automatically and downloaded to your system.
- The Secure App Connector popup then displays the steps for installing the connector on Docker.
- Scroll down the popup window and copy the docker login command displayed.
NOTE: Use the copy option next to the box rather than selecting and copying the text manually. If the command was not copied, select the Download > Reinstall option at the end of the connector's row.
- Log in to the host, copy the downloaded config file there, and rename it to connector.conf in your home directory.
IMPORTANT: The generated config file is valid for 12 hours. Generate a new config file whenever you retry a deployment.
- On a CentOS or RHEL VM, set SELinux to permissive mode before deploying:
sudo setenforce 0
NOTE: setenforce 0 switches SELinux to permissive mode for the whole host until the next reboot; it does not change the persistent setting in /etc/selinux/config. Treat it as a host-wide change and apply it in line with your hardening baseline.
- Paste the docker command you copied from the popup to authenticate to the ECR repository and pull the image.
- To deploy the image, create a new container. On Ubuntu, RHEL, or CentOS, use this command:
docker run \
--cap-add=NET_ADMIN \
--device=/dev/net/tun \
--name=skyhigh-pa-conn \
--hostname=skyhigh-secure-app-connector \
--restart=always \
-d \
-v <Directory_of_config>:/skyhigh/mount:ro \
-e HTTP_PROXY="http://proxyhost.com:9090" \
public.ecr.aws/y0m9s9j4/usprod-pop-services/ztna-connector:la_latest
- Replace <Directory_of_config> with the directory that contains connector.conf. Exclude the config file name itself from this path; the directory is mounted read-only at /skyhigh/mount inside the container.
- If you omit the --name option, Docker assigns a default container name. You can replace skyhigh-pa-conn with any container name of your choice.
- If you omit the --hostname option, Docker assigns a default hostname and the connector appears in the UI under a random ID.
- If no proxy is used, remove -e HTTP_PROXY="http://proxyhost.com:9090" from the docker run command; otherwise replace the placeholder URL with your proxy.
- The container is started with the NET_ADMIN capability, together with access to /dev/net/tun, so that it can create and configure its tunnel interface. NET_ADMIN permits the following network-related operations within the container's own network namespace (the command does not use --network host):
- interface configuration
- administration of IP firewall, masquerading, and accounting
- modify routing tables
- bind to any address for transparent proxying
- set type-of-service (TOS)
- clear driver statistics
- set promiscuous mode
- enabling multicasting
- You can stop and restart the container without losing state or data. If the container is deleted, however, you must generate a new configuration file to run it again.
- Auto-update of the container is not supported. To get the latest version, generate a fresh config file and redeploy the container.
Deployment Validation
- Run the diagnostics test to verify the connector setup:
docker exec -it skyhigh-pa-conn run_diag
Replace skyhigh-pa-conn with the container name you passed to --name in the docker run command. A screenshot (not reproduced here) shows the output of this command when everything is working properly.
Remove or Stop Connector
NOTE: Replace skyhigh-pa-conn with the name of your connector container.
- Use this command to stop a running connector:
docker stop skyhigh-pa-conn
- Use this command to start a stopped connector:
docker start skyhigh-pa-conn
- Use this command to remove/delete a connector:
docker rm skyhigh-pa-conn
IMPORTANT: Removing or deleting a connector is equivalent to uninstalling it. To recreate the connector, a new configuration file is required.
Troubleshoot Connector for Docker
- To generate a state bundle and copy it to the VM, run these commands:
docker exec -it skyhigh-pa-conn collect-state-wrapper.sh
This creates a file named connector_state_YYYY-MM-DD_HH-MM-SS.tar.gz in the /tmp directory inside the container. Copy it out using the actual timestamped file name and an absolute container path:
docker cp skyhigh-pa-conn:/tmp/connector_state_YYYY-MM-DD_HH-MM-SS.tar.gz /tmp/
The bundle is copied from the container to the /tmp/ directory on the VM. If Docker was installed via snap, it lands in /tmp/snap-private-tmp/snap.docker/tmp/ instead.
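The deployment, validation and log-collection steps above, wrapped into one POSIX sh helper as an added example (this is not Skyhigh Security's own tooling). The image reference, the docker run flags, the connector.conf name, the 12-hour validity window, run_diag and collect-state-wrapper.sh come from this page; the function names, the mtime-based freshness check, the DRY_RUN switch and the choice to copy the container's whole /tmp are assumptions introduced here.

```shell
#!/bin/sh
# Added example: a small POSIX-sh wrapper around the Docker-based Secure App
# Connector procedure. Not Skyhigh Security tooling. Image, flags, file name and
# the 12-hour validity come from the page; the rest is this example's own.
set -eu

IMAGE="public.ecr.aws/y0m9s9j4/usprod-pop-services/ztna-connector:la_latest"
MIN_DOCKER="24.0.5"        # minimum version stated in the prerequisites
CONFIG_MAX_AGE_MIN=720     # the generated config is valid for 12 hours

# version_ge A B: succeeds when dotted version A >= B, compared per component.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
    if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
  done
  return 0
}

# check_docker: compares the running daemon's version against MIN_DOCKER.
# A suffix such as "-ce" is stripped before comparison.
check_docker() {
  v="$(docker version --format '{{.Server.Version}}')"
  version_ge "${v%%-*}" "$MIN_DOCKER" || {
    echo "docker $v is older than $MIN_DOCKER" >&2; return 1; }
}

# check_config PATH: the file must exist, be named connector.conf (the page
# mounts its directory, not the file) and be newer than 12 hours. The local
# copy's mtime is used as a stand-in for generation time (assumption).
check_config() {
  f="$1"
  [ -f "$f" ] || { echo "config not found: $f" >&2; return 1; }
  [ "$(basename "$f")" = "connector.conf" ] || {
    echo "rename the downloaded file to connector.conf" >&2; return 1; }
  [ -n "$(find "$f" -mmin -"$CONFIG_MAX_AGE_MIN")" ] || {
    echo "config is older than 12h; generate a new one before retrying" >&2
    return 1; }
}

# deploy NAME HOSTNAME CONFIG_PATH [PROXY_URL]: runs the docker command from
# the page. The config's directory is mounted read-only at /skyhigh/mount and
# HTTP_PROXY is only passed when a proxy URL is given. With DRY_RUN=1 the
# command line is printed instead of executed.
deploy() {
  name="$1"; host="$2"; dir="$(dirname "$3")"; proxy="${4:-}"
  set -- docker run -d --restart=always \
    --cap-add=NET_ADMIN --device=/dev/net/tun \
    --name="$name" --hostname="$host" \
    -v "$dir:/skyhigh/mount:ro"
  if [ -n "$proxy" ]; then set -- "$@" -e "HTTP_PROXY=$proxy"; fi
  set -- "$@" "$IMAGE"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# collect_state NAME DEST_DIR: runs the page's state collector, then copies the
# container's /tmp contents out so the timestamped
# connector_state_YYYY-MM-DD_HH-MM-SS.tar.gz name need not be typed by hand.
collect_state() {
  docker exec "$1" collect-state-wrapper.sh
  mkdir -p "$2"
  docker cp "$1:/tmp/." "$2/"
}

# Subcommands (nothing runs when the file is sourced or invoked without one):
#   DRY_RUN=1 ./connector.sh deploy skyhigh-pa-conn skyhigh-secure-app-connector "$HOME/connector.conf"
#   ./connector.sh diag skyhigh-pa-conn
#   ./connector.sh collect skyhigh-pa-conn /tmp/connector-state
case "${1:-}" in
  deploy)  check_docker; check_config "$4"; deploy "$2" "$3" "$4" "${5:-}" ;;
  diag)    docker exec -it "$2" run_diag ;;
  collect) collect_state "$2" "$3" ;;
esac
```

The preflight checks are deliberately cheap: a stale connector.conf or an unsupported Docker version fails before any image is pulled, and DRY_RUN=1 lets you inspect the exact docker run line (including whether HTTP_PROXY is set) before the container is created.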