Island.io enterprise browser integration

  • 3 minute read
Prev Next

The Island enterprise browser adds built-in traffic filtering and monitoring capabilities. Island’s browser integration with AppGate ZTNA adds the ability to route internet traffic from other sources, such as browsers and terminals, through a secure web gateway while the enterprise browser traffic is excluded. This removes the need for filtering the traffic again and the latency and load that it imposes.

Traffic is routed differently for:

  • Internet-bound traffic and private access traffic.

  • Enterprise browser and non-enterprise browser traffic.

Enterprise browser Internet-bound traffic is filtered by the browser’s built-in tools and bypasses the AppGate default Gateway tunnel. This decreases network traffic and load on the AppGate default Gateway and decreases the amount of traffic processed by the Secure Web Gateway (SWG) solution.

Diagram illustrating enterprise browser internet-bound traffic.

For enterprise browser private access traffic, such as on-premises or private cloud resources, the traffic is routed through the AppGate tunnels. This allows the enterprise browser to still apply its own controls while reaching internal resources through the AppGate direct-routed model.

Diagram illustrating enterprise browser private access traffic.

Enterprise browser traffic is routed via a SOCKS proxy on the AppGate client driver. All other traffic that is not coming from the enterprise browser process is rejected by the SOCKS proxy. This removes the ability to bypass the AppGate default Gateway and thereby filtering and monitoring.

Diagram illustrating all other traffic that doesn't come from the enterprise browser process.

Non-enterprise browser Internet-bound traffic, such as traffic for system processes or other applications, is routed through the AppGate default Gateway. This traffic can be filtered and monitored by a third-party solution that neither AppGate nor Island provides, such as a Secure Web Gateway.

Diagram illustrating non-enterprise browser internet-bound traffic.

Non-enterprise browser private access is routed through AppGate tunnels as normal.

Diagram illustrating non-enterprise browser private access traffic.

Enterprise browser management traffic should not be routed via the SOCKS proxy. This is a configuration in the Island.io management console and guarantees that the enterprise browser still can receive configurations if the SOCKS proxy fails to start.

Diagram illustrating enterprise browser management traffic.

Configuring the client

NOTE

Once you have finished making the changes in this section, restart the AppGate driver service to ensure that changes are applied. Multiple executables can be added and should be separated with a pipe (|).

NOTE

These steps apply to all clients except Windows lite clients.

Windows

To configure the client in Windows:

  1. Open the registry editor.

  2. Edit the HKEY_LOCAL_MACHINE\SOFTWARE\Appgate\Driver key.

  3. Add a string value named SocksProxyAllowedExes with the path to the browser. For example, C:\Program Files\Island\Island\Application\Island.exe.

  4. Restart the driver service with the following command: Restart-Service -Name appgatedriver

macos

To configure the client in MacOS:

  1. Start a terminal.

  2. Run the following command: sudo defaults write com.appgate.sdp.tun SocksProxyAllowedExes "/Applications/Island.app/Contents/Frameworks/Island Framework.framework/Helpers/Island Helper.app/Contents/MacOS/Island Helper"

  3. Restart the driver service with the following command: sudo launchctl kickstart -k system/com.appgate.sdp.tun

Configuring the AppGate default Gateway

The configuration of the AppGate default Gateway is described in detail in Routing client traffic. The filtering and monitoring behind the AppGate default Gateway, like an SWG, can be set up acoording to the needs of your organization.

Configuring the island.io enterprise browser

To configure the enterprise browser:

  1. Log in to the Island Management Console.

  2. Navigate to the Network Access module.

  3. Open the Network settings and go to the Proxy section.

  4. Create a new rule for the applicable sources, such as User=firstname.lastname, with the following Proxy settings:

    {

      "ProxyMode": "fixed_servers",

      "ProxyServer": "socks5://127.0.0.1:1080",

      "ProxyBypassList": "*.island.io"

    }

This configuration will route all traffic, except for *.island.io, through the SOCKS proxy. The exception ensures that the Island browser can still receive configuration updates even if the SOCKS proxy fails or is misconfigured.

Troubleshooting

Configuration Verification: Ensure that SocksProxyAllowedExes is correctly defined for your operating system. This setting is crucial for starting the SOCKS proxy.

Log Files: Check the log files for detailed information about proxy access attempts and traffic flow:

  • Windows: C:\ProgramData\Appgate\socksproxy.log

  • macOS: /var/log/appgate/socksproxy.log

These logs can verify that the SOCKS proxy is started, which applications are accessing the proxy, and that traffic is flowing through the proxy.

Related articles