Skyhigh Security

Deploy Secure App Connector V2 on Docker for UDP Applications

Limited Availability: Deploy Secure App Connector V2 on Docker for UDP Applications is a Limited Availability feature. To deploy Secure App Connector V2 on Docker for UDP applications, contact Skyhigh Support.

A Secure App Connector enables end users to securely access their organization's private applications through Skyhigh SSE. Docker-based solutions provide a lightweight and faster deployment method. Whether using OVA, AWS, or Azure, a single container can perform similar tasks as a microk8s setup. This makes Docker an efficient choice for quick deployment.

Prerequisites 

Before deploying the Docker image, make sure your system meets the following requirements:

  • Minimum OS Requirement:
    • Ubuntu: 22.04/24.04
    • RHEL: 9.6
    • CentOS: 9
  • Docker version >= 24.0.5
  • Only one UDP container per host is supported.
  • Skyhigh Security recommends that a Secure App Connector have at least 4 CPUs, 8 GB RAM, and 50 GB storage. To deploy both TCP and UDP containers on the same host, use at least 8 CPUs, 12 GB RAM, and 80 GB storage.

NOTE: Make sure to allow the following domains and HTTP(S) ports when using a firewall. For more details, see Secure App Connector V2 Prerequisites and Firewall Settings for Private Applications.

Steps to Add Secure App Connector

  1. Navigate to Settings > Secure App Connector.

  2. Click Add Secure App Connector.

A new window opens.

  3. Click Auto-detected during Installation to select the gateway according to the location of the connector installation.

NOTE: Skyhigh SSE platform recommends using the Auto-detected during Installation option as it selects the nearest server based on connector installation location. You can still override the default by selecting a specific gateway.

  4. Click Select Connector Group and select Connector Group from the list.

NOTE: To create a connector group, refer to Add Connector Groups.

NOTE: Make sure to select a Connector Group to save the settings.

  5. Select TCP and UDP as protocol.

  6. Select Docker as the Platform Image for the connector deployment.

  7. Click Save.

  8. After a connector is added successfully, the config file is generated automatically and downloaded to your system.

For the Docker-based solutions, scroll down the pop-up window and copy the login command that is displayed.

NOTE: After copying the login command, change ztna-connector:latest to udp-connector:latest.

NOTE: Click the copy option next to the box instead of manually selecting and copying the text. If the command is not copied, select the Download > Reinstall option at the end of the row.

  9. Click Done.

Steps to Deploy Docker Image 

  1. Log in to the host, copy the downloaded config file to your home directory, and rename the file to connector.conf.

IMPORTANT: The generated config file has a validity of 12 hours. Generate a new config file whenever retrying a deployment.

  2. Paste the copied Docker command to pull the image from the ECR Docker repository.

  3. To deploy the image, create a new container using this command:

For Ubuntu, use the following command:

    docker run \
        --cap-add={NET_ADMIN,NET_RAW} \
        --name=skyhigh-pa-conn \
        --hostname=skyhigh-secure-app-connector \
        --restart=always \
        -d \
        -v <Directory_of_config>:/skyhigh/mount:ro \
        -e https_proxy="http://proxyhost.com:9090" \
        -e UDP_SOCKS_PROXY="hostname:8080" \
        public.ecr.aws/y0m9s9j4/usprod-pop-services/udp-connector:latest

  • Replace the mount path <Directory_of_config> appropriately.
    NOTE: Exclude the config file name from this path.

  • Docker provides a default name for the container if you don’t include the --name option when you run the above command. You can replace skyhigh-pa-conn with a different container name of your choice.

  • Docker provides a default value if you don’t include the --hostname option while executing the above command.

  • If the proxy is not used, remove -e https_proxy="http://proxyhost.com:9090" from the Docker run command.

  • If the UDP SOCKS proxy is not used, remove -e UDP_SOCKS_PROXY="hostname:8080" from the Docker run command.

    • NOTE: Make sure the UDP SOCKS proxy is in the format <ip>:<port> or <hostname>:<port>. For example: 172.22.20.41:1080

  • The command adds the NET_ADMIN capability, which allows the container to perform various network-related operations:

    • configure interfaces
    • administer the IP firewall, masquerading, and accounting
    • modify routing tables
    • bind to any address for transparent proxying
    • set type-of-service (TOS)
    • clear driver statistics
    • set promiscuous mode
    • enable multicasting
  • The command also adds the NET_RAW capability, which allows the following operations:
    • use RAW and PACKET sockets
    • bind to any address for transparent proxying
  1. You can stop and restart the container without losing any state or data. However, if the container is deleted, a new configuration file must be generated to run it again.

  2. Auto-update of the container isn’t supported. To get the latest version, generate a fresh config file, and redeploy the container.
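A pre-flight check for the deployment steps above, added here as an example and not part of Skyhigh's tooling: it checks the Docker engine version, the 12-hour validity window of connector.conf, and the UDP_SOCKS_PROXY format before docker run is attempted. The function names are hypothetical; it assumes GNU coreutils and that the file's modification time approximates when the config was generated.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes GNU coreutils: sort -V, stat -c, date +%s.

# version_ge A B: success when dotted version A >= B.
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# valid_socks_proxy VALUE: success only for <ip>:<port> or <hostname>:<port>
# (no scheme, path or spaces; port in 1-65535).
valid_socks_proxy() (
  host=${1%:*} port=${1##*:}
  case $1 in *:*) ;; *) exit 1 ;; esac
  case $host in ''|*[!A-Za-z0-9.-]*|[.-]*|*[.-]) exit 1 ;; esac
  case $port in ''|*[!0-9]*|??????*) exit 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
)

# config_fresh FILE [NOW_EPOCH]: success when FILE exists and its mtime
# (assumed to approximate generation time) is less than 12 hours old.
config_fresh() (
  now=${2:-$(date +%s)}
  mtime=$(stat -c %Y "$1" 2>/dev/null) || exit 1
  [ $((now - mtime)) -lt $((12 * 3600)) ]
)

# preflight CONFIG_DIR [UDP_SOCKS_PROXY]: run all checks, report every failure.
preflight() (
  dir=$1 proxy=${2:-} rc=0
  ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || ver=0
  version_ge "$ver" 24.0.5 ||
    { echo "Docker engine $ver is older than 24.0.5" >&2; rc=1; }
  config_fresh "$dir/connector.conf" ||
    { echo "connector.conf is missing or older than 12 hours" >&2; rc=1; }
  [ -z "$proxy" ] || valid_socks_proxy "$proxy" ||
    { echo "UDP_SOCKS_PROXY must be <ip>:<port> or <hostname>:<port>" >&2; rc=1; }
  exit "$rc"
)
```

Call it as preflight <Directory_of_config> 172.22.20.41:1080, omitting the second argument when no UDP SOCKS proxy is used.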

Deployment Validation  

  1. Run the diagnostic tests to verify the connector setup:

    docker exec -it skyhigh-pa-conn run_diag

Replace skyhigh-pa-conn with the name specified in Step 4. 

The screenshot below shows the output of this command when everything is working properly. 

clipboard_e6990dcfc4ddb116c9120cb1fefef170d.png
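Alongside run_diag, the privileges the running container actually received can be compared with what the docker run command on this page requests: exactly NET_ADMIN and NET_RAW, no --privileged, and a read-only mount at /skyhigh/mount. This is an added example, not Skyhigh's own tooling; the function names are hypothetical and the checks rely only on docker inspect.

```shell
#!/bin/sh
# Added example (not vendor code): least-privilege audit of the deployed connector.

# caps_match LIST: success when LIST (as printed by docker inspect, e.g.
# ["NET_ADMIN","NET_RAW"] or [CAP_NET_RAW CAP_NET_ADMIN]) is exactly the
# two capabilities this page adds, in any order and with or without CAP_.
caps_match() (
  got=$(printf '%s\n' "$1" | tr -d '[]"' | tr 'a-z, ' 'A-Z\n\n' |
        sed -e 's/^CAP_//' -e '/^$/d' | sort -u | paste -sd, -)
  [ "$got" = "NET_ADMIN,NET_RAW" ]
)

# audit_connector [NAME]: exit 0 when the container matches the documented
# settings, 1 when it has more (or less) than documented, 2 if not found.
audit_connector() (
  name=${1:-skyhigh-pa-conn} rc=0
  caps=$(docker inspect -f '{{json .HostConfig.CapAdd}}' "$name") || exit 2
  priv=$(docker inspect -f '{{.HostConfig.Privileged}}' "$name")
  rw=$(docker inspect -f \
    '{{range .Mounts}}{{if eq .Destination "/skyhigh/mount"}}{{.RW}}{{end}}{{end}}' \
    "$name")
  caps_match "$caps" ||
    { echo "capabilities differ from NET_ADMIN,NET_RAW: $caps" >&2; rc=1; }
  [ "$priv" = false ] ||
    { echo "container was started with --privileged" >&2; rc=1; }
  [ "$rw" = false ] ||
    { echo "/skyhigh/mount is missing or mounted read-write" >&2; rc=1; }
  exit "$rc"
)
```

Run audit_connector skyhigh-pa-conn after deployment; any message on stderr means the container was started with options other than the ones shown above.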
 

Remove or Stop Connector  

NOTE: Replace skyhigh-pa-conn with the name of the connector.

  1. Use the docker stop skyhigh-pa-conn command to stop a running connector.
  2. Use the docker start skyhigh-pa-conn command to start a stopped connector.
  3. Use the docker rm skyhigh-pa-conn command to remove/delete a connector.

IMPORTANT: Removing or deleting a connector is equivalent to uninstalling it. To recreate the connector, a new configuration file is required.

Troubleshoot Connector for Docker  

To generate the logs and transfer them to the VM, run these commands:

  • docker exec -it skyhigh-pa-conn collect-state-wrapper.sh
    • This command creates a file connector_state_YYYY-MM-DD_HH-MM-SS.tar.gz in the /tmp directory inside the container.
  • docker cp skyhigh-pa-conn:tmp/udp_connector_state.tar.gz /tmp/
    • This command copies the logs bundle from the container to the /tmp/ directory on the VM. If Docker is installed via snap, the bundle is present in /tmp/snap-private-tmp/snap.docker/tmp/