Seqrite ZTNA

Hosted Applications

Print Friendly, PDF & Email

This page shows all the applications within the organization whose access has been restricted for users. You can configure and add new applications as well.

Application Catalog List

When the administrator adds organizational site, a corresponding application ‘HawkkProtect Apps Portal’ is created using site details. Administrator can use this default application in the Firewall and DDoS policy. The administrator cannot delete or edit this application.

Further, the following details for all the applications is displayed.

Column Name Description
Name Name of the application.
Description Description of the application.
Type Type of application.
Status Status of the application. (If the tenant has an automatically generated certificate, this column will be available.)
IP Address / Domain Name The web address/ domain name.
Port Value Port Value.
State State of the application.
External Domain Name External Domain Name of the application server.
Relative URL Path Relative URL Path.
Status Status of the application (Active/Inactive).
Protocol Protocol of the application.
WAF Rules Applied List of all the applicable WAF Rules.
Host Header It is an HTTP header that specifies the domain name or IP address of the target server in a client’s request.
Origin Header It is an HTTP header that indicates the source or origin of a request.
Tags The static and dynamic tags based on which access to the application is granted. The option to update static tags is also available within the details panel on the right.
Search To search applications by their name.
Add Filter To add a filter. To know more, refer the Adding a filter to refine the view section on Visibility page.
Export To export the information displayed on this page in CSV file format.
Add Application To add an application.

Note
If a site is deleted, all the related applications on Application Catalog page become inactive. To make these applications active again, edit the applications and update the domain name. This is applicable only for auto-generated certificates.

Actions available with applications

When you hover over each application, the following options appear in the column next to Tags.

Action Icon Action Label Description
Edit Edit To edit the application details.
Delete Delete To delete the application profile.
right arrow Side bar To view the details of the application.
  • The applications can be sorted alphabetically by clicking the sorting symbol next to Application Name column.
  • Bulk action: Select the checkboxes in front of the application names to perform bulk delete action on selected applications.

Note
Only one tag is shown for each application. You can hover over the blue colored text next to the tag to view additional tags, if any.

When you click an application name, the following details are displayed in the right pane.

Application Details
Name Description
Application Name Name of the application.
Application Type Type of application.
IP Address / Domain Name The web address/ Domain Name.
App Type Application type.
External Domain Name External domain name for the application.
App Connector The app connector that will be used to connect applications hosted on premises to site hosted on cloud environment.
Tags The tags applied to an application. You can find an option to remove Static tags from the “Application Details” section in the right sidebar of the application page.
Test Connection Button under the Action and Status Section To confirm the connection status between the active app connector and the application, click on ‘Test Connection.’ When the connection is successfully established, it will be denoted as ‘Reachable’, accompanied by a message stating “The application is reachable via the <name of the app connector>”. Otherwise, it will be labelled as ‘Unreachable’. Test connection option is available only for private apps and agent-based apps.
Actions and Status
Name Description
Enable/Disable Application You can use the toggle button to activate or deactivate the application.

Note ☛ Disabled applications are hidden from the user portal and access to disabled applications is blocked.

Adding an application

To add a new application in the application catalog, follow these steps.

Note
The application addition process offers a “Save as Draft” feature. This mode allows users to save their application in an unfinished state, preserving their progress for future editing and refinement.

  1. Log on to the Seqrite HawkkProtect portal. Navigate to Application Catalog in the left navigation pane.
  2. On the Application Catalog page, Click Add Application. A new page appears.
  3. Enter the following information in the Application Information section.

    4. Add application - Application information

    • Enter the Application Name.
    • Enter the Application Description.
    • Upload the application logo.
  4. Enter the following details and select appropriate options (wherever applicable) in the Application Details section.
  5. Select one of the application types.
    • Public Web Apps
    • Private Web Apps
    • Agent Based Apps
    • Network Apps

    6. Depending on the application type that you select, relevant parameters are displayed.

    Public Web Apps

    Application types public web apps

    Setting Up Public Web Apps

    To configure public web applications, provide the following application details:

    1. Application Details

    Field Description
    IP Address or Domain Name Enter the IP address or domain name of the application.
    Protocol Select the appropriate protocol from the drop-down menu.
    HTTP/HTTPS If the selected protocol is either HTTP or HTTPS, you can configure the following advanced HTTP/S settings and WAF Rules:
    Advanced HTTP/S Settings
    Enable HTTP/2 With HTTP/2, loading times for websites are enhanced by reducing the latency and overhead associated with multiple requests.
    Bypass Authentication Bypass Authentication lets you get into apps directly without needing to log in through the user portal. You can get a complete overview of all the applications with Bypass Authentication enabled by accessing the WAF section on the Dashboard Page.

    Note ☛ Access to the Bypass Authentication option is exclusive to users who have purchased the add-on for either Enterprise or Standard licenses.
    Relative URL Path Administrators have the flexibility to configure applications requiring multiple relative paths simultaneously, while also enforcing restricted access exclusively to those paths. Enter a relative URL path. For example: for the URL https://myapps.organization.com/careers/engineering, the relative URL path is /careers/engineering. The relative URL path must start with a forward slash (/).

    Note ☛ It is possible to include multiple relative paths within a single application.
    Default Landing Path The default landing path for an application refers to the initial page or screen that users encounter when they first access the application. With the default landing path set and Restricted Access Path enabled, users are limited to accessing only the landing path and are restricted from accessing other paths within the application domain. HawkkProtect provides built-in support for a default landing path, for cases where an application’s landing page is hosted elsewhere.

    Note ☛ The Restricted Access Path option is exclusively supported for the Default Landing Path.
    Host Header Enter the Host Header. The Host header is a field in the HTTP request header that specifies the domain name or IP address of the server to which the client is making a request. Choose ‘Custom’ option to modify header values.
    Origin Header Enter the Origin Header. The Origin header is a field in the HTTP request header that indicates the origin of the request. The origin is the combination of the scheme (for example, ‘HTTP’ or ’HTTPS’), hostname, and port number from which the request is sent. Choose ’Custom* option to modify header values.
    WAF Rules
    SQL Injection Enabling SQL Injection as a WAF rule enhances security by blocking SQL injection attacks.
    Cross Site Scripting Enabling Cross Site Scripting (XSS) protection as a WAF rule helps mitigate the risk of XSS attacks by filtering and blocking malicious script injections across different websites.
    OS Command Injection Enabling OS Command Injection as a Web Application Firewall (WAF) rule enhances security by preventing unauthorized execution of operating system commands through web applications.
    System Resource Access Enabling System Resource Access Injection as a WAF rule enhances security by guarding against unauthorized access attempts to system resources.
    Server Side Template Injection Enabling Server Side Template Injection (SSTI) as a WAF rule enhances security by detecting and mitigating potential vulnerabilities arising from template injection attacks.
    Port Value The Port Value will be auto populated based on the selected protocol.
    External Domain Name Enter the external domain name. This domain name will be accessed directly by end users through the user portal.
    Tags Enter the tags applicable to the application.

    Private Web Apps

    Application types private web apps

    Setting Up Private Web Apps

    To configure private web applications, provide the following application details:

    1. Application Details

    applications. (i.e. if user

    Field Description
    IP Address or Domain Name Enter the IP address or domain name of the application.
    Protocol Select the appropriate protocol from the drop-down menu.
    HTTP/HTTPS If the selected protocol is either HTTP or HTTPS, you can configure the following advanced HTTP/S settings and WAF Rules:
    Advanced HTTP/S Settings
    Enable HTTP/2 With HTTP/2, loading times for websites are enhanced by reducing the latency and overhead associated with multiple requests.
    Bypass Authentication Bypass Authentication lets you get into apps directly without needing to log in through the user portal. You can get a complete overview of all the applications with Bypass Authentication enabled by accessing the WAF section on the Dashboard Page.

    Note ☛ Access to the Bypass Authentication option is exclusive to users who have purchased the add-on for either Enterprise or Standard licenses.
    Relative URL Path Administrators have the flexibility to configure applications requiring multiple relative paths simultaneously, while also enforcing restricted access exclusively to those paths. Enter a relative URL path. For example: for the URL https://myapps.organization.com/careers/engineering, the relative URL path is /careers/engineering. The relative URL path must start with a forward slash (/).

    Note ☛ It is possible to include multiple relative paths within a single application.
    Default Landing Path The default landing path for an application refers to the initial page or screen that users encounter when they first access the application. With the default landing path set and Restricted Access Path enabled, users are limited to accessing only the landing path and are restricted from accessing other paths within the application domain. HawkkProtect provides built-in support for a default landing path, for cases where an application’s landing page is hosted elsewhere.

    Note ☛ The Restricted Access Path option is exclusively supported for the Default Landing Path.
    Host Header Enter the Host Header. The Host header is a field in the HTTP request header that specifies the domain name or IP address of the server to which the client is making a request. Choose ‘Custom’ option to modify header values.
    Origin Header Enter the Origin Header. The Origin header is a field in the HTTP request header that indicates the origin of the request. The origin is the combination of the scheme (for example, ‘HTTP’ or ’HTTPS’), hostname, and port number from which the request is sent. Choose ’Custom* option to modify header values.
    Static URL Address Provide the Static URL Address, if needed. Certain web applications include sub-URLs that might redirect to other internal URLs to display specific content, like logos or paths. HawkkProtect faces difficulty loading these due to static page content, resulting in incomplete user display. The Static URL Address, resolves this by revealing blocked content from private web apps.
    WAF Rules
    SQL Injection Enabling SQL Injection as a WAF rule enhances security by blocking SQL injection attacks.
    Cross Site Scripting Enabling Cross Site Scripting (XSS) protection as a WAF rule helps mitigate the risk of XSS attacks by filtering and blocking malicious script injections across different websites.
    OS Command Injection Enabling OS Command Injection as a Web Application Firewall (WAF) rule enhances security by preventing unauthorized execution of operating system commands through web applications.
    System Resource Access Enabling System Resource Access Injection as a WAF rule enhances security by guarding against unauthorized access attempts to system resources.
    Server Side Template Injection Enabling Server Side Template Injection (SSTI) as a WAF rule enhances security by detecting and mitigating potential vulnerabilities arising from template injection attacks.
    Web RDP If the selected protocol is Web RDP, you can configure the following attributes:
    RDP Access Type
    If the selected RDP access type is ‘Limited Application Access’, enter the Remote Application Name, Remote Application Directory, and Remote Application Argument.
    Permissions
    Allow Clipboard Access Allow business user to copy/paste text content from/to specific application. By default, it is restricted.
    Allow File Transfer Allow business user to upload and download files from/to specific applications.(i.e. if user needs to download a file from RDP instance to base machine, you can enable the option). You need to configure below fields in order to grant file transfer access.
    Content Inspection Applications using webRDP, webSSH, and webVNC protocols with content inspection activated will be listed on the Content Inspection Records page. Content Inspection enhances security by detecting threats and ensuring authorized file transfers.
    Allow Session Recording Switch on recording of business user activities for a specific application. Recordings can be found under Audit logs. (https://docs.seqrite.com/docs/seqrtte-hawkkprotect/settings/audit-trail/).
    WebSSH If the selected protocol is WebSSH, you can configure the following attributes:
    Private Key
    Providing support for importing a private key file while accessing webSSH applications
    While configuring a WebSSH application the administrator can import the private key file as shown in the following image, so that the end user can access the application by entering the valid credentials.

    Note

    • The use of passphrases to generate private keys is not supported.
    • At present, the only supported method for authentication to WebSSH applications is through private key files encrypted with RSA.
    Permissions
    Allow Clipboard Access Allow business user to copy/paste text content from/to specific application. By default, it is restricted.
    Allow File Transfer Allow business user to upload and download files from/to specific applications. (i.e. if user needs to download a file from RDP instance to base machine, you can enable the option). You need to configure below fields in order to grant file transfer access.
    Content Inspection Applications using webRDP, webSSH, and webVNC protocols with content inspection activated will be listed on the Content Inspection Records page. Content Inspection enhances security by detecting threats and ensuring authorized file transfers.
    Allow Session Recording Switch on recording of business user activities for a specific application. Recordings can be found under Audit logs. (https://docs.seqrite.com/docs/seqrtte-hawkkprotect/settings/audit-trail/).
    Web Telnet If the selected protocol is Web Telnet, you can configure the following permissions:
    Permissions
    Allow Clipboard Access Allow business user to copy/paste text content from/to specific application. By default, it is restricted.
    Allow Session Recording Switch on recording of business user activities for a specific application. Recordings can be found under Audit logs. (https://docs.seqrite.com/docs/seqrtte-hawkkprotect/settings/audit-trail/).
    Web VNC If the selected protocol is Web VNC, you can configure the following permissions:
    Permissions
    Allow Clipboard Access Allow business user to copy/paste text content from/to specific application. By default, it is restricted.
    Allow File Transfer Allow business user to upload and download files from/to specific applications. (i.e. if user needs to download a file from RDP instance to base machine, you can enable the option). You need to configure below fields in order to grant file transfer access.
    Content Inspection Applications using webRDP, webSSH, and webVNC protocols with content inspection activated will be listed on the Content Inspection Records page. Content Inspection enhances security by detecting threats and ensuring authorized file transfers.
    Allow Session Recording Switch on recording of business user activities for a specific application. Recordings can be found under Audit logs. (https://docs.seqrite.com/docs/seqrtte-hawkkprotect/settings/audit-trail/).
    Port Value The Port Value will be auto populated based on the selected protocol.
    External Domain Name Enter the external domain name. This domain name will be accessed directly by end users through the user portal.
    App Connector Group Choose the relevant App Connector Group from the dropdown menu.
    Tags Enter the tags applicable to the application.

    Agent Based Apps

    To configure agent based applications, provide the following application details:
    Agent Based apps

    Setting Up Agent-Based Apps

    To configure agent-based applications, provide the following information. For more details on HawkkAgent, refer to the HawkkAgent and Deployment Sections.

    1. Application Information

    • IP Address or Domain Name: Enter the IP address or domain name of the application.
    • Protocol: Select the appropriate protocol from the dropdown menu. Administrators have the flexibility to assign multiple ports and protocols to each application.
      Note: When HTTPS is the chosen protocol, administrators should specify the Domain Name rather than the IP address. The external domain name will be automatically populated.
    • External Domain Name: Enter the external domain name. This domain name will be accessed directly by end users through the user portal.
    • App Connector Group: Choose the relevant App Connector Group from the dropdown menu.
    • Tags: Assign any relevant tags that apply to the application.

    2. Additional Configuration (Optional)

    • You have the option to configure the following additional parameters based on your requirements:
      • Sub-Domain Name: Utilize sub-domain names to enhance application structuring and organization.
        An application accessible through the parent domain could be redirected to another domain internally. These internal redirects do not get accessed through the HawkkAgent unless explicitly configured in the sub-domain section of the additional parameters. 

        In order to securely access all the domains of the parent domain through the HawkkProtect agent, add these domains to the sub-domain section.  

        For example:
        If we access the website https://documetation-example.com and the website loads and provides URLs to retrieve images from another website, https://documentaiton-images.com. In this scenario, the application URL would be https://documentation-example.com and the sub-domain would be https://documetation-images.com.

      • Protocol: Determine the communication protocol to be employed for data transfer.
      • Port Value: Establish the port value for streamlined data routing and connectivity.
    • User Portal Settings: Customize access controls and personalize the user experience with the following options.
      • Lock Port Value: Secure a specific port number to prevent unauthorized changes.
        The user would connect to the port configured in the application and not a random port. For example, if the admin configured the application for port “8080” then the user would access the application on the same port. Without the Lock Port Value configuration, the user could connect to a random port (for example: 10450 and then internally it would redirect to the application port 8080).
      • Auto-Connect: Enable automatic connection establishment for user convenience.
        On successful end-user authentication, the application connection will be automatically established for user convenience.
      • Hide App on User Portal: Simplify the user experience by concealing the applications for which the Auto-Connect option is enabled within the user portal.
        This is an advanced configuration and should be done only when the end users have clear awareness of the accessible applications.

    3. Advanced HTTPS Settings

    • Enable HTTP/2
      With HTTP/2, loading times for websites are enhanced by reducing the latency and overhead associated with multiple requests.
    • Bypass Authentication
      Bypass Authentication lets you get into apps directly without needing to log in through the user portal. You can get a complete overview of all the applications with Bypass Authentication enabled by accessing the WAF section on the Dashboard Page.

      Note ☛ Access to the Bypass Authentication option is exclusive to users who have purchased the add-on for either Enterprise or Standard licenses.

    • Relative URL Path
      If the selected protocol is either HTTP or HTTPS, you must install the plugin before using relative paths in the application. After updating the relative path in the application, refresh the portal, reconnect, and changes will appear. Relative paths in logged-in agent apps are blocked when accessed, but not if logged in another tab.
    • Default Landing Path
      The default landing path for an application refers to the initial page or screen that users encounter when they first access the application. With the default landing path set and Restricted Access Path enabled, users are limited to accessing only the landing path and are restricted from accessing other paths within the application domain. HawkkProtect provides built-in support for a default landing path, for cases where an application’s landing page is hosted elsewhere.

      Note ☛ The Restricted Access Path option is exclusively supported for the Default Landing Path.

    Note
    For the Agent Based Apps the supported protocols are HTTP, HTTPS, RDP, SSH, Telnet, SMB, VNC, SFTP, FTP, and SCP.

    Note
    Presently, in order to establish a connection with the SMB app on Windows OS, it is necessary to stop and disable the server services, followed by a reboot of the device.

    Network Apps

    This application category supports a wide spectrum of TCP-UDP applications. With this feature, administrators gain the flexibility to configure private IPs, subnets, single ports, port ranges, and more. This advancement empowers seamless integration of VoIP, SIP, and streaming protocol-based applications within your network infrastructure. Access to this feature-rich category is available through an additional license subscription.

    Note
    This feature is available only for Enterprise and Standard licenses.

    Setting Up Network Apps

    To configure network applications, provide the following application details:
    Network apps

    1. Application Details

    Field Description
    Data Traffic Select the direction of data traffic.
    Upstream Upstream denotes data flowing from user endpoints to application servers. Select this option if you want to manage outgoing traffic from the application.
    Downstream Downstream denotes data flowing from application servers to user endpoints. Choose this option if you need to manage incoming traffic to the application.
    Both If you want to manage both incoming and outgoing traffic opt for this option.
    IP Address Enter the IP address of the application.
    Protocol Select either TCP or UDP protocol from the drop-down menu.
    Port Value You have the option to specify either a single port value or a range of ports.
    Tags Enter the tags applicable to the application.

    Considerations for setting up network applications with TCP-UDP protocols

    • Network Settings in Sites: In a specific scenario where UDP applications are being configured, it's essential to also establish TCP applications. This is because TCP is initially used to establish a connection, followed by a transition to UDP for communication. Moreover, for UDP applications to operate, virtual IP pools are utilized to dynamically assign IP addresses to agent devices accessing network applications. Each Seqrite ZTNA Agent will be allocated a singular IP address from the virtual IP pool for accessing network-based applications.
    • App Connector Settings: For seamless access to UDP applications, ensure the App Connector is correctly installed and connected. Configure the LAN Subnet field within the app connector to enable access to diverse UDP applications. You have the option to enable or disable NAT according to your requirements. NAT facilitates the translation of private LAN IP addresses into public ones for internet communication, and vice versa, enhancing connectivity.

    App Connector Configuration for Network Apps

    Note ☛ For security reasons, the administrator must manually perform the following steps on the system where the app connector is installed.

    If you are running the app connector on a Linux host system, you will need to ensure that your host OS meets the following requirements:

    • Ubuntu 22.04 and above
    • Kernel version > 4.5

    In addition, you will need to allow UDP port 1194 and 1195 in your host's firewall. If you need to allow Ingress/Egress traffic from the app connector to your application, you will need to allow this traffic in your host machine's firewall. There are a couple of ways to achieve this:

    For Debian-based systems using UFW:

    If UFW is enabled in your host system, then you can allow traffic from and to the tun interface of the app connector using the following UFW commands:

    • ufw route allow out on tun0: To allow traffic from the application to the app connector's Docker instance.
    • ufw route allow in on tun0: To allow traffic from the app connector's Docker instance to the application.

    For all other systems (including Debian-based) without UFW (i.e. UFW disabled/not present):

    • The iptables utility should be installed in your Linux host with the help of the appropriate package manager.

      • For Debian-based systems, you can use the following command:

        apt-get install iptables

      • For RHEL-based systems, you can use the following command:

        yum install iptables

    • After successfully installing the utility, run the following commands to allow traffic flow:

      • iptables -I FORWARD -i tun0 -j ACCEPT: To allow traffic from the app connector's Docker instance to the application.
      • iptables -I FORWARD -o tun0 -j ACCEPT: To allow traffic from the application to the app connector's Docker instance.

    IP forwarding also needs to be enabled on Linux host systems. To check the current status of IP forwarding, run the following command:

    cat /proc/sys/net/ipv4/ip_forward

    If the return value is 0, then it indicates that forwarding is disabled. Enable it with the following command:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    Important

    All of the above commands require super-user privileges.

  6. After this is done, click Add. The Applications page is displayed with the application details that you have configured.

Was this page helpful?
Yes No