Deploy Secure App Connector V2 on Docker for TCP Applications

Overview 

A secure app connector enables end users to securely access their organization's private applications through Skyhigh SSE. Docker-based solutions provide a lightweight and faster deployment method. A single container can perform similar tasks as a microk8s setup, whether using OVA, AWS, or Azure. This makes Docker an efficient choice for quick deployment. 

Prerequisites

Before deploying the Docker image, make sure your system meets the following requirements:

• Minimum OS Requirements:
  • Ubuntu (22.04, 24.04)
  • RHEL (9.4)
  • CentOS (9.4)
• Docker version >= 24.0.5
• Skyhigh Security recommends that a secure app connector have at least 4CPU, 8GB RAM, and 50GB storage.
• Only one container per host is supported.
• You must add a Secure App Connector before deploying the Docker image, see Configure Secure App Connector V2.

Steps to Deploy 

1.  Log in to the host, copy the downloaded config file, and rename the file to connector.conf in your home directory.

2. If we are using CentOS or RHEL VM please execute below command to set the SELinux system in permissive mode : sudo setenforce 0

3. Paste the docker command copied to pull the image from the ECR docker repository. 

4. To deploy the image, create a new container using this command: 

For Ubuntu/RHEL/CentOS use the below command : 

docker run \

     --cap-add=NET_ADMIN \

     --device=/dev/net/tun \

     --name=skyhigh-pa-conn \

     --hostname=skyhigh-secure-app-connector \

     --restart=always \

     -d \

     -v <Directory_of_config>:/skyhigh/mount:ro \

     -e HTTP_PROXY="http://proxyhost.com:9090" \

        public.ecr.aws/y0m9s9j4/usprod-pop-services/ztna-connector:la_latest

• Replace the mount path, Directory_of_config appropriately. 
  NOTE: Exclude the config file name from this path. 

• Docker provides a random ID on the UI if you don’t include the --hostname option while executing the above command. You can replace  skyhigh-pa-conn with a different container name of your choice.

• If the proxy is not used, remove  -e HTTP_PROXY="http://proxyhost.com:9090" from the Docker run command.

• Here we are using NET_ADMIN capability which performs various network-related operations:

  • interface configuration
  • administration of IP firewall, masquerading, and accounting
  • modify routing tables
  • bind to any address for transparent proxying
  • set type-of-service (TOS)
  • clear driver statistics
  • set promiscuous mode
  • enabling multicasting 

5. You can stop and restart the container without losing any state or data. However, if the container is deleted, a new configuration file must be generated to run it again.

6. Auto-update of the container isn’t supported. To get the latest version, generate a fresh config file, and redeploy the container.

Deployment Validation 

1.  Run the diagnostics tests option to verify the connector setup:
   
   docker exec -it skyhigh-pa-conn run_diag

Replace skyhigh-pa-conn with the name specified in Step 4. 

The screenshot below shows the output of this command when everything is working properly.

Remove or Stop Connector 

1. Use this command to stop a running connector:

docker stop skyhigh-pa-conn

2. Use this command to start a stopped connector:

docker start skyhigh-pa-conn

3. Use this command to remove/delete a connector:

docker rm skyhigh-pa-conn

Troubleshoot Connector for Docker 

1.  For generating and transferring the logs to the VM, run these commands:

docker exec -it skyhigh-pa-conn collect-state-wrapper.sh

 This command will create a file called connector_state_YYYY-MM-DD_HH-MM-SS.tar.gz in the /tmp directory inside the container.

2. docker cp skyhigh-pa-conn:tmp/connector_state.tar.gz /tmp/

Using this command the logs bundle will be copied from the container to the /tmp/ directory on the VM. If docker is installed via snap, then they'll be present in /tmp/snap-private-tmp/snap.docker/tmp/.