
Skyhigh Security

Deploy Secure App Connector V2 on Docker for UDP Applications

Limited Availability: Deploy Secure App Connector V2 on Docker for UDP Applications is a Limited Availability feature. To deploy Secure App Connector V2 on Docker for UDP applications, contact Skyhigh Support.

A Secure App Connector enables end users to securely access their organization's private applications through Skyhigh SSE. Docker-based solutions provide a lightweight and faster deployment method. Whether using OVA, AWS, or Azure, a single container can perform tasks similar to a microk8s setup, which makes Docker an efficient choice for quick deployment.

Prerequisites 

Before deploying the Docker image, make sure your system meets the following requirements:

  • Minimum OS Requirement:
    • Ubuntu: 22.04/24.04
    • RHEL: 9.6
    • CentOS: 9
  • Docker version >= 24.0.5
  • Only one UDP container per host is supported.
  • Skyhigh Security recommends that a Secure App Connector have at least 4 CPUs, 8 GB RAM, and 50 GB storage. To deploy both TCP and UDP containers on the same host, use at least 8 CPUs, 12 GB RAM, and 80 GB storage.

NOTE: Make sure to allow the following domains and HTTP(S) ports when using a firewall. For more details, see Secure App Connector V2 Prerequisites and Firewall Settings for Private Applications.

Steps to Add Secure App Connector

  1. Navigate to Settings > Secure App Connector.

  2. Click Add Secure App Connector.

A new window opens.

  3. Click Auto-detected during Installation to select the gateway according to the location of the connector installation.

NOTE: Skyhigh SSE platform recommends using the Auto-detected during Installation option as it selects the nearest server based on connector installation location. You can still override the default by selecting a specific gateway. 

  4. Click Select Connector Group and select a Connector Group from the list.

NOTE: To create a connector group, refer to Add Connector Groups.

NOTE: Make sure to select a Connector Group to save the settings.

  5. Select TCP and UDP as the protocol.

NOTE: If you choose TCP and UDP as the protocol with Docker as the platform, the downloaded configuration file supports only UDP Docker deployment.

  6. Select Docker as the Platform Image for the connector deployment.

  7. Click Save.

  8. After the connector is added successfully, the config file is generated automatically and downloaded to your system.

For Docker-based solutions, scroll down the pop-up window and copy the login command that is displayed.

NOTE: Click the copy option next to the box instead of manually selecting and copying the text. If the command is not copied, select the Download > Reinstall option at the end of the row.

  9. Click Done.

Steps to Deploy Docker Image 

  1. Log in to the host, copy the downloaded config file to the home directory (/home/ubuntu or /home/ec2-user), and rename the file to connector.conf.

IMPORTANT: The generated config file has a validity of 12 hours. Generate a new config file whenever retrying a deployment. 

  2. Paste the copied Docker command to pull the image from the ECR Docker repository.

  3. To deploy the image, create a new container using this command:

For Ubuntu, use the following command:

    sudo docker run \
         --cap-add={NET_ADMIN,NET_RAW} \
         --name=skyhigh-pa-conn \
         --hostname=skyhigh-secure-app-connector \
         --restart=always \
         -d \
         -v <Directory_of_config>:/skyhigh/mount:ro \
         -e https_proxy="http://proxyhost.com:9090" \
         -e UDP_SOCKS_PROXY="hostname:8080" \
         public.ecr.aws/y0m9s9j4/usprod-pop-services/udp-connector:latest

  • Replace the mount path <Directory_of_config> with the directory that contains the config file.
    NOTE: Exclude the config file name from this path.

  • Docker provides a default name for the container if you don't include the --name option when you run the above command. You can replace skyhigh-pa-conn with a different container name of your choice.

  • Docker provides a default value if you don't include the --hostname option while executing the above command.

  • If the proxy is not used, remove -e https_proxy="http://proxyhost.com:9090" from the Docker run command.

  • If the UDP socks proxy is not used, remove -e UDP_SOCKS_PROXY="hostname:8080" from the Docker run command.

    • NOTE: Make sure the UDP Socks Proxy is in the format <ip>:<port> or <hostname>:<port>. For example: 172.22.20.41:1080

  • The command adds the NET_ADMIN capability, which permits various network-related operations:

    • interface configuration
    • administration of IP firewall, masquerading, and accounting
    • modifying routing tables
    • binding to any address for transparent proxying
    • setting type-of-service (TOS)
    • clearing driver statistics
    • setting promiscuous mode
    • enabling multicasting
  • The command also adds the NET_RAW capability, which permits the following operations:
    • using RAW and PACKET sockets
    • binding to any address for transparent proxying
  1. You can stop and restart the container without losing any state or data. However, if the container is deleted, a new configuration file must be generated to run it again.

  2. Auto-update of the container isn’t supported. To get the latest version, generate a fresh config file, and redeploy the container.
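
Pre-flight checks for the steps above, as an added example that is not part of the Skyhigh documentation or tooling: it verifies the Docker version prerequisite, that connector.conf is still inside its 12-hour validity window, and that the UDP_SOCKS_PROXY value has the required format. The function names are hypothetical, and the file's modification time is assumed to approximate when the config was generated.

```shell
#!/bin/sh
# Added example: pre-flight checks to run on the host before `docker run`.

# True if dotted version $1 is >= $2 (relies on `sort -V`).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# True if the file exists and was modified under 12 hours (720 minutes) ago.
# Assumption: the download time (mtime) approximates when the config was generated.
conf_is_fresh() {
    [ -f "$1" ] && [ -n "$(find "$1" -mmin -720 2>/dev/null)" ]
}

# True if $1 is <ip>:<port> or <hostname>:<port> with a port in 1..65535.
valid_socks_proxy() {
    case $1 in *:*) ;; *) return 1 ;; esac
    vsp_host=${1%:*}
    vsp_port=${1##*:}
    printf '%s\n' "$vsp_host" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' || return 1
    printf '%s\n' "$vsp_port" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$vsp_port" -ge 1 ] && [ "$vsp_port" -le 65535 ]
}

# usage: preflight <Directory_of_config> [UDP_SOCKS_PROXY value]
preflight() {
    pf_rc=0
    pf_ver=$(sudo docker version --format '{{.Server.Version}}' 2>/dev/null || true)
    version_ge "${pf_ver:-0}" 24.0.5 ||
        { echo "FAIL: Docker >= 24.0.5 required (found '${pf_ver:-none}')"; pf_rc=1; }
    conf_is_fresh "$1/connector.conf" ||
        { echo "FAIL: $1/connector.conf is missing or older than 12 hours"; pf_rc=1; }
    if [ -n "${2:-}" ] && ! valid_socks_proxy "$2"; then
        echo "FAIL: UDP_SOCKS_PROXY must be <ip>:<port> or <hostname>:<port>"
        pf_rc=1
    fi
    [ "$pf_rc" -eq 0 ] && echo "OK: ready to run the connector container"
    return "$pf_rc"
}
```

Source the file and call, for example, preflight /home/ubuntu 172.22.20.41:1080 before creating the container.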

Deployment Validation  

  1. Run the diagnostic tests to verify the connector setup:

    sudo docker exec -it skyhigh-pa-conn run_diag

Replace skyhigh-pa-conn with the container name you set with the --name option when creating the container.

The screenshot below shows the output of this command when everything is working properly. 

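
A privilege audit that complements run_diag, as an added example that is not part of the Skyhigh documentation or tooling: it checks from docker inspect that the container is not privileged, adds only the NET_ADMIN and NET_RAW capabilities used in the docker run command, and mounts /skyhigh/mount read-only. The function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a deployed connector against the documented docker run flags.
ALLOWED_CAPS="NET_ADMIN NET_RAW"   # the two capabilities the page's command adds
CONFIG_MOUNT=/skyhigh/mount        # config mount target, expected read-only

# usage: audit_connector <privileged> <CapAdd as JSON> <mounts as "dest=rw;dest=rw;">
# Prints space-separated findings; returns 0 only when there are none.
audit_connector() {
    findings=""
    have=""
    [ "$1" = "false" ] || findings="$findings privileged"
    for cap in $(printf '%s' "$2" | sed 's/[]["]//g; s/,/ /g'); do
        [ "$cap" = null ] && continue           # no --cap-add at all
        cap=${cap#CAP_}                         # accept NET_RAW and CAP_NET_RAW
        have="$have $cap"
        case " $ALLOWED_CAPS " in
            *" $cap "*) ;;
            *) findings="$findings extra-cap:$cap" ;;
        esac
    done
    for want in $ALLOWED_CAPS; do
        case "$have " in
            *" $want "*) ;;
            *) findings="$findings missing-cap:$want" ;;
        esac
    done
    case ";$3" in
        *";$CONFIG_MOUNT=false;"*) ;;
        *";$CONFIG_MOUNT=true;"*) findings="$findings config-mount-writable" ;;
        *) findings="$findings config-mount-missing" ;;
    esac
    printf '%s\n' "${findings# }"
    [ -z "$findings" ]
}

# usage: inspect_connector skyhigh-pa-conn
inspect_connector() {
    fmt='{{.HostConfig.Privileged}} {{json .HostConfig.CapAdd}} {{range .Mounts}}{{.Destination}}={{.RW}};{{end}}'
    set -- $(sudo docker inspect --format "$fmt" "$1")
    audit_connector "$1" "$2" "${3:-}"
}
```

An empty result from inspect_connector means the container matches the documented flags; any finding points to a container started with different options than the ones shown on this page.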
 

Remove or Stop Connector  

NOTE: Replace skyhigh-pa-conn with the name of the connector.

  1. Use the sudo docker stop skyhigh-pa-conn command to stop a running connector.
  2. Use the sudo docker start skyhigh-pa-conn command to start a stopped connector.
  3. Use the sudo docker rm skyhigh-pa-conn command to remove/delete a connector.

IMPORTANT: Removing or deleting a connector is equivalent to uninstalling it. To recreate the connector, a new configuration file is required.

Troubleshoot Connector for Docker  

To generate the logs and transfer them to the VM, run these commands:

  1. Run the sudo docker exec -it skyhigh-pa-conn collect-state-wrapper.sh command. This creates a file named connector_state_YYYY-MM-DD_HH-MM-SS.tar.gz in the /tmp directory inside the container.
  2. Copy the logs bundle from the container to the host using the command sudo docker cp skyhigh-pa-conn:tmp/udp_connector_state.tar.gz /tmp/. If Docker is installed via snap, the logs bundle is available at /tmp/snap-private-tmp/snap.docker/tmp/