Protected Web Apps

The following is a guide for configuring Kasm to provide secure access via Protected Web Apps.

Protected Web Apps are browser-based applications, either hosted internally on protected enclaves or delivered as other SaaS-based web applications, that administrators wish to publish to end users while employing the robust authentication and DLP controls of Kasm.

../_images/diagram1.png

Protected Web App Diagram

Configuring a Browser-based Workspace

  1. Log into the Kasm UI as an administrator.

  2. From the Admin panel, expand Workspaces, and select Registry.

  3. The Kasm Workspace Registry entries should be visible. Select the Chrome Workspace from the list, then select Edit.

../_images/add_chrome_workspace.png

Chrome Workspace from Registry

  4. Update the name and description of the workspace to something helpful. In this example we will use Gitlab.

  5. In the Docker Run Config Override section, enter the following data to configure the Chrome browser to open to a specified URL (e.g. https://gitlab.com/users/sign_in).

{
  "environment": {
    "LAUNCH_URL": "https://gitlab.com/users/sign_in"
  }
}

../_images/launch_url.png

Chrome Workspace from Registry

  6. Adding a URL to a thumbnail of the target application will help users quickly identify the workspace (e.g. https://gitlab.com/favicon.png). Once done, click Save.

Launching the Workspace

  1. Back on the Workspace dashboard, the new Gitlab workspace should be visible.

../_images/launch_workspace.png

Gitlab Workspace

  2. Launch the workspace and confirm the browser navigates to the desired web app.

../_images/session1.png

Protected Web App

(Optional) Kiosk Mode

In the last example, you will notice that the containerized Chrome browser fully loads within the end user’s browser. This gives a “browser in browser” effect that may or may not be desirable.

If you’d like to remove the navigation bar from within the Chrome workspace, change the Docker Run Config Override setting for the Gitlab (Chrome) Workspace to include the --kiosk argument for the LAUNCH_URL environment variable.

{
  "environment": {
    "LAUNCH_URL": "--kiosk https://gitlab.com/users/sign_in"
  }
}

The difference between the default behavior and kiosk mode can be seen below.

../_images/kiosk_comparison.png

Protected Web App

(Optional) Managed Browser Policies

Administrators may wish to add and/or enforce certain capabilities within the containerized browsers, such as pre-defining bookmarks, adding extensions or disabling features like developer tools. The best way to do this is via Chrome’s managed policies, as described in the Managed Policies Guide.

(Optional) Web Filter

Administrators may wish to employ the Web Filter to restrict users from accessing web content outside of the approved web app.

  1. Log into the Kasm UI as an administrator.

  2. From the Admin panel, expand Settings, and select Web Filter.

  3. Select Add Policy.

  4. Give the Policy a name (e.g. Gitlab Policy) and select Deny by Default.

  5. In this example we want to block all access except for the gitlab domain and any other required domains (e.g. for authentication with Google). Add the approved domains to the Whitelist.

../_images/gitlab_policy.png

Protected Web App

  6. Click Save.

  7. Edit the previously defined workspace and update the Web Filter Policy to use the Gitlab Policy.

../_images/workspace_web_filter.png

Protected Web App

  8. Test access to the Protected Web App. Ensure proper functionality is allowed. Navigating to an unapproved site should be blocked.

../_images/web_filter_block.png

Protected Web App
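
Before testing by hand, a workspace's Docker Run Config Override can be checked against the domains planned for the deny-by-default policy. The script below is an added example, not part of Kasm or its documentation. It assumes an allowlist entry covers the domain itself and its subdomains, which may differ from how the Web Filter matches, and the function names and the accounts.google.com entry are hypothetical.

```python
import json
import shlex
from urllib.parse import urlsplit

ALLOWED_FLAGS = {"--kiosk"}  # the only browser flag this guide uses


def host_allowed(host, allowlist):
    """True if host equals an entry or is a subdomain of it.

    Assumed matching rule: compare on a label boundary, so "lab.com"
    does not cover "gitlab.com".
    """
    host = host.lower().rstrip(".")
    entries = (e.lower().strip(".") for e in allowlist)
    return any(host == d or host.endswith("." + d) for d in entries)


def lint_override(override_json, allowlist):
    """Return a list of findings for a Docker Run Config Override string."""
    env = json.loads(override_json).get("environment", {})
    tokens = shlex.split(env.get("LAUNCH_URL", ""))
    flags = [t for t in tokens if t.startswith("-")]
    urls = [t for t in tokens if not t.startswith("-")]
    if len(urls) != 1:
        return ["LAUNCH_URL must contain exactly one URL, found %d" % len(urls)]
    findings = ["unexpected browser flag: " + f
                for f in flags if f not in ALLOWED_FLAGS]
    parts = urlsplit(urls[0])
    if parts.scheme != "https":
        findings.append("launch URL is not HTTPS: " + urls[0])
    if not parts.hostname or not host_allowed(parts.hostname, allowlist):
        findings.append("launch host not in allowlist: %s" % parts.hostname)
    return findings


if __name__ == "__main__":
    # Constructed sample input: the kiosk override from this guide and a
    # hypothetical allowlist for the Gitlab Policy.
    override = ('{"environment": {"LAUNCH_URL": '
                '"--kiosk https://gitlab.com/users/sign_in"}}')
    print(lint_override(override, ["gitlab.com", "accounts.google.com"]))
    # An entry that is only a string suffix of the host must not match.
    print(lint_override(override, ["lab.com"]))
```

An empty list means the launch URL is HTTPS, carries no unexpected flags, and would not be blocked by its own policy.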

(Optional) Watermarking

Administrators may wish to apply a graphic or text-based watermark to be displayed during the session. Use the File Mapping example, Using File Mapping to Apply a Custom KasmVNC Watermark, to apply a watermark to the Workspace.

../_images/watermark.png

Protected Web App

(Optional) DLP Controls

Administrators may wish to apply additional data loss prevention settings, such as restricting the user’s ability to upload/download files or copy and paste text/images via the clipboard. Most of these items can be applied via Group Settings and are explained in the Data Loss Prevention Guide.

It may be helpful to review how Group Settings can be applied and layered. A walkthrough is available in the video below.