Full Isolation — Use Browser Isolation for Websites Based on Your Own Selection
You can use Remote Browser Isolation (RBI) for any website that users request access to if you consider this access a risk. You can also configure exceptions and other settings.
Under Skyhigh Security Service Edge, the RBI version where you can enable browser isolation for any website that you consider a risk is referred to as Full Isolation.
You must purchase an additional license from Skyhigh Security to be able to use the Full Isolation version of browser isolation.
- On the user interface for Secure Web Gateway, select Policy > Web Policy > Policy.
-
From the policy tree in the navigation panel, select Browser Isolation > Full Isolation.
The selected rule set appears in the configuration area on the right. -
Configure when this rule set should apply.
-
Under Criteria, leave the default All Traffic, as you want the rules in this rule set to apply to all web traffic.
- Next to Applies to, leave the default Request, as you want the rules in this rule set to be processed in the request cycle of web filtering on Secure Web Gateway.
-
-
To let some requests skip the remainder of this rule set, which means the browser isolation rules are not processed for these requests, configure lists for the skipping rules that are preset here. They are shown under Preset Rules.
You can configure entries for domains, IP address, URL categories, and reputation risk levels in these lists.
Click the three dots at the end of the line for a rule and work with the options for list handling that are provided. Or click the name of the list for a rule, for example, Domains (Smart Match), to work with these options.
For the reputation risk levels, click the list name and select a level, for example, Medium.
You can also enable a rule with a particular list of domains, IP addresses, and URL categories recommended for skipping browser isolation. This list is maintained by Skyhigh Security, which means you need not fill in entries for this list. - Under Always Isolate, leave the default All traffic or select Items in these lists to enable or disable rules that apply full browser isolation only to the web objects you have filled in these lists.
You can fill entries for domains, IP addresses, URL categories, and reputation risk levels.
When a user requests access, for example, to a domain that is in a list, this access is only granted with full browser isolation.
For each rule that is enabled, click the three dots at the end of its line and fill entries in the list that appears. Or click the name of the list for a rule, for example, Domains (Regex), to fill in entries.
For the reputation risk levels, click the list name and select a level, for example, Medium.
You can also enable a rule that applies full isolation to any website that has not been assigned to a URL category. For this rule, you need not fill entries in a list. -
Under Isolated Clipboard Control, configure use of the clipboard when full browser isolation is applied.
-
Allow use of the clipboard for all domains. Click Add Exceptions if needed and fill in exceptions that are not allowed in the list that appears.
You can also click the three dots at end of the line for the rule and work with the options for list handling that are provided. -
Block use of the clipboard for all domains. Click Add Exceptions if needed and fill in exceptions that are not blocked in the list that appears.
You can also click the three dots at end of the line for the rule and work with the options for list handling that are provided. -
Block or allow copying data from the web to the clipboard on a user's system.
-
Block or allow pasting data from the clipboard on a user's system to the web.
-
Allow an unlimited number of characters for copying and pasting data. Or click Max characters for clipboard paste and Max characters for clipboard copy, respectively, to enter limits.
-
-
Under Isolated File Upload Control, configure how to handle file uploads when full browser isolation is applied.
-
Allow file uploads for all domains. Click Add Exceptions if needed and fill in exceptions that are not allowed in the list that appears.
You can also click the three dots at end of the line for the rule and work with the options for list handling that are provided. -
Block file uploads for all domains. Click Add Exceptions if needed and fill in exceptions that are not blocked in the list that appears.
You can also click the three dots at end of the line for the rule and work with the options for list handling that are provided.
-
-
Under Isolated File Download Control, configure how to handle file uploads when full browser isolation is applied.
-
Allow file downloads for all domains. Click Add Exceptions if needed and fill in exceptions that are not allowed in the list that appears.
You can also click the three dots at end of the line for the rule and work with the options for list handling that are provided. -
Block file downloads for all domains. Click Add Exceptions if needed and fill in exceptions that are not blocked in the list that appears.
You can also click the three dots at end of the line for the rule and work with the options for list handling that are provided.
-
-
Under Browser Settings, configure whether storing cookies on a user's system is allowed when full browser isolation is applied. You can also disable the browser isolation indicator and pop-up here.
-
Select Block cookie storage on local machine to block this storage as needed. If you do not select this option, cookie storage is allowed here.
-
Select Disable Browser isolation indicator to disable this indicator as needed.
The browser isolation indicator is a green border, which is shown around a web page in the user's browser when full browser isolation is applied. It is shown to indicate that this web security measure is in place. If the indicator is disabled, browsing the web is still protected by full browser isolation, but this web security measure is hidden.
If you do not select this option, the green border is shown to indicate that browser isolation is applied. -
Select Disable Browser isolation pop-up to disable this pop-up as needed.
A pop-up message appears in the user's browser by default at the beginning of a session when full browser isolation is applied to it. It informs the user that this web security measure is being taken.
If you do not select this option, the pop-up message appears to indicate that browser isolation is applied. -
Select Enable Webpage as Read-only to set the webpage to read-only mode when required.
By default, the webpage is in edit mode and not read-only.
NOTE: The read-only functionality should be executed within the Web.Response trigger. However, the current version of the ruleset does not support this policy execution. Therefore, your admin must manually add the Web.Response trigger to existing policies for Full Isolation. -
Select Disable RBI Password Manager to hide the RBI password manager pop-up allowing you to store the login credentials
By default, the RBI Password Manager is enabled, allowing you to store login credentials for easy access in future sessions. Site administrators can disable this feature, which will also delete any passwords stored by users in existing sessions. When the feature is disabled, isolated sites will no longer prompt you to save passwords. -
Select Block Webpage Printing to prevent the page from being printed.
By default, printing is allowed. To block printing (i.e save to pdf, ctrl + P), you must enable the checkbox.
-
-
Under License Management, configure what to do when full browser isolation cannot be applied because the number of licenses you purchased is exceeded.
Leave the preset Block all sites that would otherwise have been isolated rule enabled or disable it. If you disable it, users can access these websites without browser isolation.
You have now configured full browser isolation for websites if you consider accessing them a risk, including exceptions and other settings.