This article discusses how to configure the settings for the Browser Access Portal and how clientless SDP users are authenticated.
The Browser Access Settings tab shows the Portal URL that end users use to access the portal. The URL is based on the subdomain for the account. You can use letters and numbers in the subdomain. Although dashes are a valid character in the subdomain, they are not valid for the Portal URL. For more about the subdomain for your account, see Configuring SSO and the Subdomain for the Account.
To define a custom branded logo for the portal, see Customizing Browser Application Portal.
You can also define if users can authenticate to the portal using their Cato username and password. Use the Single Sign-On screen to enable users to authenticate with the SSO provider.
The Browser Access Portal supports authenticating users with the SSO provider for the account, and also the user credentials for the Cato Management Application. You can choose to use one or both of these methods.
For more about configuring SSO for your account, see Configuring SSO and the Subdomain for the Account.
Configuring Browser Access Cookies
Configure the Browser Access Portal to use persistent or session cookies. For persistent cookies, you can configure the time duration that the cookie is valid. After this time, the user needs to log in to the Browser Access Portal again.
If you use session cookies, then when users close the browser or end the session they are immediately logged out of the Browser Access Portal. If the session is idle for more than the configured Duration, then the session expires and the user needs to log in to the Browser Access Portal again.
The following screenshot shows the cookies policy configured for Browser Access users in the Single Sign-on screen:
To configure the authentication settings for Browser Access users:
- To let Browser Access users log in using the SSO provider:
  - From the navigation menu, click Access > Single Sign-On.
  - In the Clientless SDP Users section, select Allow login with Single Sign-On.
  - In Cookie type, select the type of authentication cookies that the Browser Access Portal uses: Session or Persistent.
  - Set the Duration for which the cookie is valid.
  - Click Save.
- To let Browser Access users authenticate with their Cato user credentials:
  - From the navigation menu, click Access > Applications Portal.
  - In the Authentication section, select Allow login with Cato user credentials.
  - Click Save.
You can define the range of translated source IP addresses for the users that connect to the Browser Access Portal. For example, some applications use an Access Control List (ACL) to only allow connections from a specific IP range. We recommend that you define the NAT IP address range, and then enable the source NAT IP range for each of the relevant Browser Access applications.
Note: You can use one of the private IP ranges for the Browser Access NAT IP range. This IP range is only used between the portal and the application server.
To define the source NAT IP range for the Browser Access Portal:
- In the Settings section or tab, in NAT IP Range, enter the source NAT IP range with the CIDR subnet.
- Click Save.
To enable an application to use the source NAT IP range:
- In the Applications tab or section, edit the application. The Edit Application panel opens.
- Select Use source NAT IP range.
- Click Apply and then click Save.
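A pre-flight check for the NAT IP range procedure above, as an added example that is not Cato code: it validates a proposed range and compares it with the ACL on the application server. The function name, the sample ranges, and the reading of "private IP ranges" as RFC 1918 are assumptions.

```python
import ipaddress

# Assumption: "private IP ranges" is read here as the RFC 1918 blocks.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_nat_range(nat_cidr, app_acl):
    """Compare a proposed Browser Access NAT IP range with an application's
    allow-list. Returns a list of findings; an empty list means none."""
    try:
        # strict=True rejects values with host bits set, e.g. 10.200.0.5/24
        nat = ipaddress.IPv4Network(nat_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]

    findings = []
    if not any(nat.subnet_of(block) for block in RFC1918):
        findings.append(f"{nat} is not inside an RFC 1918 private range")

    # Merge adjacent ACL entries so two /25s are seen as covering one /24.
    acl = list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(entry, strict=False) for entry in app_acl))
    covering = [net for net in acl if nat.subnet_of(net)]

    if not covering:
        if any(nat.overlaps(net) for net in acl):
            findings.append(f"ACL only partly covers {nat}; some portal "
                            "connections would be refused")
        else:
            findings.append(f"ACL does not allow {nat}")
    for net in covering:
        if net.prefixlen < nat.prefixlen:
            findings.append(f"ACL entry {net} is broader than {nat}; it also "
                            "admits sources other than the portal")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    for nat, acl in [("10.200.0.0/24", ["10.200.0.0/25", "10.200.0.128/25"]),
                     ("10.200.0.0/24", ["10.0.0.0/8"]),
                     ("10.200.0.0/24", ["192.168.1.0/24"])]:
        print(nat, acl, "->", check_nat_range(nat, acl) or "OK")
```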
You can list generic domains that are allowed to use Browser Access. This provides Browser Access to third-party clientless SDP users and prevents domains that are not listed from using Browser Access.
To authenticate to the application portal using SSO, the SSO domain must also be included in the Allowed Domains.
The Allowed Domain is applied to all of the Access Policy rules in your account.
Note: Browser Access users that you create manually are allowed to access the portal with username and password from any domain.
To add Allowed Domains to the Browser Access portal:
- From the navigation menu, click Access > Applications Portal.
- On the Settings tab, in the Allowed Domains section, click the plus sign.
- Add the domain(s) you want to be able to use Browser Access. Separate multiple domains with a comma.
- Click Save.