Configure Remote Browser Isolation
For supported software information, click here.
Remote browser isolation (RBI) is a cloud-based solution that provides zero-trust access to browser-based applications. Remote browser isolation works in conjunction with the secure web gateway (SWG) and Versa Operating System™ (VOS™) cloud-based security features, including malware sandboxing, antivirus, and data loss prevention (DLP), to provide an additional line of defense against zero-day, browser-based attacks.
With RBI, browsing sessions are executed in remote, sandboxed browser containers so that the browsing activity is completely isolated from the client browser and network. Active and harmful content from the website is filtered, and only a safe representation is sent to the client browser. This design restricts the attack surface and prevents malware from breaching the client network, providing protection against zero-day malware. Even if malware infects the remote browser, the sandboxed, unprivileged environment limits the damage. The remote browser session is torn down at the end of the browsing session, preventing the malware from persisting.
You can also configure RBI to prevent exfiltration of sensitive data and credential theft by either disabling file uploads and form POST activity, or rendering the website in read-only mode.
To enable RBI, clients must access the internet through the SWG. You configure security policy rules on the SWG to inspect web traffic. You can redirect sessions of interest, such as suspicious or unknown URL categories, to the browser isolation service. The browser isolation profiles that you configure on the SWGs determine the settings to apply to the remote browsing sessions. For example, you can render suspicious websites in read-only mode, or you can create a profile in which file uploads and form POSTs are blocked, and downloads are allowed to be previewed only.
To configure RBI, you do the following:
- Enable RBI for the tenant.
- Configure the RBI service location.
- Configure RBI profiles.
- Apply an RBI profile to an internet protection rule to divert matching sessions to the RBI service.
- Optionally, add data protection rules to enable cloud data loss prevention (DLP) and cloud advanced threat protection (ATP) for files transferred (upload or download) during remote browsing sessions.
Enable RBI for a Tenant
The following components are needed to onboard a tenant:
- Concerto
- One or more SWGs in one or more regions
- Advanced Security Cloud (ASC) in each region where RBI will be enabled for the tenant
Before enabling RBI for a tenant, ensure that the following conditions are met:
- Tenant must already have one of the SASE licenses enabled (Essential/Essential Plus/Professional, etc.).
- Tenant must already be present on all required SWGs with standard SSL decryption and security access policies.
- Tenant users must already have the ability for secure internet access through the SWGs using the SASE client.
To enable RBI for a tenant:
- Go to the main Tenant configuration screen, locate the tenant for which you will enable RBI, then click the Edit icon. The Edit Tenant screen displays.
- Select Step 1, General, then select Security Service Edge (SSE) under Services.

- Select Step 3, Security Service Edge.
- In section 2, Select Tenant Product, select Versa Secure Access Fabric–Elite Bundle, then select Remote Browser Isolation (RBI).

- Click Next to go to step 3, Select Region.
- In step 3, Select Region, click the checkbox for the region or regions to be enabled and select one or more gateways in each region. Click the Arrow next to the region name, then enter the following information for each gateway.

Allocated Bandwidth (Mbps): Enter the maximum amount of bandwidth that a tenant can use on the gateway. This value is considered if Committed Bandwidth is not configured.
Range: 1 through 2147483647 Mbps
Default: None
Committed Bandwidth (Mbps): (For Releases 12.2.1 and later.) Enter the committed amount of bandwidth that a tenant can use on the gateway. This value is considered for available bandwidth when Allocated Bandwidth and Committed Bandwidth are configured.
Range: 1 through 2147483647 Mbps
Default: None
Configure Dedicated Public IP Pool (Group of Fields): (For Releases 12.2.2 and later.) Enable to display the number of internet circuits and public IP address pools available for the gateway. When you enable this, you must define the public IP pool ranges using the Start and End fields to specify the start IP addresses and the end IP addresses. Note that the Admin user must add proxy ARP on WAN circuits for the configured IP pools.

Portal: Click the toggle to enable the secure access portal service on the gateway.
Gateway Group: Select a gateway group to which to assign the gateway.
VPN: Select one or more Versa cloud gateways to assign them to the gateway. The Versa cloud gateway select column shows all Versa cloud gateways that are available for the tenant. Note that if you configure no Versa cloud gateways on a tenant, the SASE service uses a default Versa cloud gateway with the name tenant-name-Enterprise. Also note that because guest Versa cloud gateways should not be extended to SASE gateways, they are not displayed in the Versa cloud gateway selection column.
If multiple Versa cloud gateways are available on a tenant and you do not want to provision one of them on a gateway, select Do Not Use in the Versa cloud gateway column.

To assign an unused Versa cloud gateway to a gateway later, select it to assign to the gateway.
Client Address Pool Name: Enter a name for the client address pool. If you configure more than one address pool for the same Versa cloud gateway, the pools must have unique names. However, if multiple Versa cloud gateways are available for the same gateway, you can use the same client address pool name in each Versa cloud gateway.
Client Address Pool: Enter a valid IP address range to use for the client address pool. The minimum address pool size is a /24 subnet. If you configure more than one address pool for the same Versa cloud gateway, the pools must have unique IP address ranges. However, if multiple Versa cloud gateways are available for the same gateway, you can use the same client IP address range in each Versa cloud gateway.
- Select Advanced Security Cloud.
- To configure RBI instances, select the Remote Browser Isolation (RBI) tab, which contains three subtabs.
- RBI Instances—Select the RBI Instances subtab and enter information for the following fields.

Regions: Displays the name of the region you selected in the Security Service Edge screen.
Gateways: Displays the number of gateways associated with a region.
RBI Instance: Select the RBI cloud instance for the tenant to connect to VCG. You define RBI instances when setting up your infrastructure. See the Add an RBI Instance section in Configure Concerto Infrastructure Lifecycle for more information.
RBI Authentication Token: Enter the authentication token for the tenant to use to refresh the access tokens when making API requests to the cloud for RBI service.
- Loopback Addresses—Select the Loopback Addresses subtab. The Loopback Addresses Info Message displays.

- Domain Name Servers—Select the Domain Name Servers subtab and enter information for the following fields.

Domain Names: Enter a domain name, then press the Enter key. You can add multiple domain names.
Name Servers: Enter a name server, then press the Enter key. You can add multiple name servers.
Click the Add icon to add additional domain names and name servers.
- Deploy the tenant.
- Publish the configuration.
Update Real Time Protection Policies on the SWGs
To update real-time protection policies on the SWGs, you do the following:
- Add an RBI-bypass rule
- Add RBI rules
To add an RBI-bypass rule:
- Create a user-defined URL category called RBI-Bypass. URLs belonging to this category bypass security inspection as well as SSL decryption. At a minimum, the RBI-bypass rule must contain the following:
- `.*rbi.acme.net` (Substitute the RBI domain name here)
For more information about configuring a user-defined URL category, see Configure Custom URL-Filtering Profiles.
- Update real-time protection policies to whitelist (allow) traffic for the RBI-Bypass category. (Add a rule for this URL category with the action set to allow, and place it in the appropriate rule order, typically one of the first few rules.)
- Update decryption policies to whitelist (not decrypt) traffic for the RBI-Bypass category.
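Because the RBI-Bypass category skips both inspection and decryption, it is worth checking how broadly the category pattern matches before publishing. The following is an added example, not Versa code: it assumes the pattern is evaluated as a regular expression (the page does not state the matching semantics or whether matching is anchored), and the escaped pattern and all hostnames other than the page's `rbi.acme.net` placeholder are constructed for the check.

```python
import re

# Constructed test hostnames. rbi.acme.net is the page's placeholder RBI domain;
# the other names are made up for this check.
INTENDED = {"rbi.acme.net", "eu1.rbi.acme.net"}
SAMPLE_HOSTS = sorted(INTENDED | {
    "notrbi.acme.net",            # extra label text absorbed by the leading ".*"
    "rbi-acme.net",               # an unescaped "." matches any character
    "rbi.acme.net.example.org",   # trailing text, matters if matching is unanchored
    "www.example.org",
})

PAGE_PATTERN = r".*rbi.acme.net"             # as written on the page
ESCAPED_PATTERN = r"(.*\.)?rbi\.acme\.net"   # assumption: dots escaped, label boundary enforced


def matches(pattern, host, anchored):
    """Match host against pattern, either whole-string or as a substring search."""
    rx = re.compile(pattern, re.IGNORECASE)
    return bool(rx.fullmatch(host) if anchored else rx.search(host))


def unintended_matches(pattern, anchored, hosts=SAMPLE_HOSTS, intended=INTENDED):
    """Hosts that would land in the bypass category but are not RBI hosts."""
    return [h for h in hosts if h not in intended and matches(pattern, h, anchored)]


def missed_hosts(pattern, anchored, intended=INTENDED):
    """Intended RBI hosts that the pattern fails to cover."""
    return sorted(h for h in intended if not matches(pattern, h, anchored))


if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("escaped", ESCAPED_PATTERN)):
        for anchored in (True, False):
            print(name, "anchored" if anchored else "unanchored",
                  "unintended:", unintended_matches(pat, anchored),
                  "missed:", missed_hosts(pat, anchored))
```

If the results differ between the anchored and unanchored runs, confirm which behavior the URL category actually uses before relying on the pattern.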
To add RBI rules:
- Add one or more real-time protection rules to match criteria such as URL categories, URL reputations, and applications, for which traffic should be browsed remotely. When you configure the action for the rule, instead of allow, the action should be to apply an RBI profile.
- If required, create an RBI profile and associate it with the rule. See Configure Remote Browser Isolation Profiles below. For more information about configuring internet protection rules, see Configure SASE Internet Protection Rules.
- Publish the configuration.
Configure RBI Profiles for Releases 13.1.1 and Later
You configure an RBI profile to define the settings to apply to isolated browsing sessions.
To configure an RBI profile:
- Go to Configure > Security Service Edge > Advanced Security > Profiles.

If you have not previously configured RBI, the following screen displays.

Go to Step 4.
- If you have previously configured RBI, the following screen displays. Select the Remote Browser Isolation (RBI) tab. The following screen displays.

- Click the Add icon.
- In the Add Remote Browser Isolation (RBI) screen, select step 1, RBI Actions. You can update the settings for the following actions.

Read-Only: Click the slider bar to enable or disable read-only mode. The default is Disabled.
If you choose Enabled, the website is rendered in read-only mode, and you are prevented from interacting with the website. You cannot upload or download files, fill and submit HTML forms, or perform other actions on the website. When you enable read-only mode, all other settings in the RBI profile are ignored, except the Print and Rendering Mode options.
Default: Disabled.
Upload: Select the behavior for file uploads:
- Allow—Allow file uploads. If you allow file uploads, DLP scans the files to enforce DLP policies.
- Block—Block file uploads.
Default: None
Download: Select the behavior for file downloads:
- Allow—Allow file downloads to the client browser. Downloaded files are scanned by ATP and DLP if enabled in this RBI profile.
- Block—Block file downloads.
- Files cannot be downloaded—Office files will be opened to preview in the browser. Files are scanned by ATP and DLP if enabled in this RBI profile.
Default: None
Form Submissions: Select the behavior for form submission:
- Allow—Allow submission of HTML forms.
- Block—Block users from filling in and submitting HTML forms.
Default: Block
Clipboard Access: Select whether the user is allowed to copy content from the browser to the system clipboard, or from the system clipboard to the browser:
- Allow—Allow clipboard access.
- Block—Deny clipboard access.
Default: None
Cookie Blocking Mode: Select whether the user's cookies persist across browsing sessions.
- Allow all cookies—Allow first-party and third-party cookies.
- Block all cookies—Block first-party and third-party cookies.
- Block third-party cookies—Allow first-party cookies and block third-party cookies.
Default: None
Cookie Persistence: Select the cookie-blocking setting:
- Enable cookie persistence—Saves website cookies and restores them when a user revisits the same website.
- Disable cookie persistence—Does not save user cookies.
Default: None
ATP Profile: Click in the Select box, then choose an ATP profile. Click the slider bars for File Upload and File Download to enable those actions. File Upload and File Download are disabled by default.
Data Loss Prevention (DLP) Profile: Click in the Select box, then choose a DLP profile. Click the slider bars for File Upload and File Download to enable those actions. File Upload and File Download are disabled by default.
Additional Options (Group of Fields): Select the print setting:
- Allow—Allow printing
- Block—Block printing
Rendering Mode: Controls how the remote browser content is mirrored. The options are:
- DOM Streaming—Use Document Object Model (DOM) streaming to filter and render a reconstructed HTML document.
- Pixel Streaming—Stream incremental snapshots of the remote browser.
- Click Next. The Review and Submit screen displays.

- Enter a name for the profile.
- Review the configuration. To make changes, click the Edit icon.
- Click Submit to save the RBI profile.
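The read-only rule and the ATP/DLP sliders described in the table above interact, so a profile can be reviewed offline before it is submitted. The following is an added example, not Versa code or a Versa export format: the dict keys, value spellings (including `preview` for the "Files cannot be downloaded" option), and profile names are hypothetical, and the findings are review heuristics derived from the field descriptions.

```python
# Hypothetical dict model of an RBI profile for Releases 13.1.1 and later.
# Key names and value spellings are invented for this sketch.
KEPT_IN_READ_ONLY = ("print", "rendering_mode")


def effective_profile(profile):
    """Return the settings that still apply once the read-only rule is applied."""
    if not profile.get("read_only", False):      # page default: Disabled
        return dict(profile)
    # Read-only: everything except Print and Rendering Mode is ignored.
    kept = {k: profile[k] for k in KEPT_IN_READ_ONLY if k in profile}
    return {"read_only": True, **kept}


def scan_enabled(profile, service, direction):
    """True if an ATP/DLP profile is attached and its slider for that direction is on."""
    cfg = profile.get(service) or {}
    return bool(cfg.get("profile")) and bool(cfg.get(direction, False))  # sliders default off


def review_profile(profile):
    """List review findings derived from the field descriptions on the page."""
    eff = effective_profile(profile)
    if eff.get("read_only"):
        ignored = sorted(k for k in profile if k not in eff)
        return [f"read-only: ignored setting '{k}'" for k in ignored]
    findings = []
    if eff.get("upload") == "allow" and not scan_enabled(eff, "dlp", "file_upload"):
        findings.append("upload allowed but DLP File Upload is off")
    if eff.get("download") in ("allow", "preview"):
        for service in ("atp", "dlp"):
            if not scan_enabled(eff, service, "file_download"):
                findings.append(
                    f"download {eff['download']} but {service.upper()} File Download is off")
    if eff.get("form_submissions", "block") == "allow":   # page default: Block
        findings.append("form submissions allowed (default is Block)")
    return findings


# Constructed sample profiles; "atp-default" and "dlp-default" are made-up names.
SUSPICIOUS_SITES = {
    "read_only": True, "upload": "allow", "clipboard": "allow",
    "print": "block", "rendering_mode": "pixel",
}
UNKNOWN_SITES = {
    "upload": "allow", "download": "preview", "form_submissions": "allow",
    "atp": {"profile": "atp-default", "file_download": True},
    "dlp": {"profile": "dlp-default"},
    "print": "block", "rendering_mode": "dom",
}

if __name__ == "__main__":
    for name, prof in (("suspicious", SUSPICIOUS_SITES), ("unknown", UNKNOWN_SITES)):
        print(name, effective_profile(prof), review_profile(prof))
```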
Configure RBI Profiles for Releases 12.2.2 and Earlier
You configure an RBI profile to define the settings to apply to isolated browsing sessions.
To configure an RBI profile:
- Go to Configure > Security Service Edge > Real-Time Protection > Profiles.

- Select the Remote Browser Isolation (RBI) tab, and then click + Add.

- In the Remote Browser Isolation screen, select step 1, Remote Browser Behavior Actions. You can update the settings for the following actions.

Read-Only: Select Enabled or Disabled. If you choose Enabled, the website is rendered in read-only mode, and you are prevented from interacting with the website. You cannot upload or download files, fill and submit HTML forms, or perform other actions on the website. When you enable read-only mode, all other settings in the RBI profile are ignored.
Default: Enabled
Downloads: Select the behavior for file downloads:
- Allow—Allow file downloads to the client browser. If you allow file downloads, malware sandboxing software scans the files to ensure that they are clean.
- Block—Block file downloads.
- Preview—Files cannot be downloaded to the client browser. The user can preview in PDF format any files that can be converted to PDF, such as Office 365 and Google documents. If you allow file preview, Versa's malware sandboxing software scans the files to ensure that they are clean.
Default: Block
Uploads: Select the behavior for file uploads:
- Allow—Allow file uploads. If you allow file uploads, the Versa DLP service scans the files to enforce DLP policies.
- Block—Block file uploads.
Default: Block
Form Submission: Select the behavior for form submission:
- Allow—Allow submission of HTML forms.
- Block—Users cannot fill in and submit HTML forms.
Default: Block
Clipboard Access: Select whether the user is allowed to copy content from the browser to the system clipboard, or from the system clipboard to the browser:
- Allow—Allow clipboard access.
- Block—Deny clipboard access.
Cookie Blocking Mode: Select whether the user's cookies persist across browsing sessions. If cookies are allowed to persist, website settings, such as user preferences and shopping cart contents, are restored when the user visits the website again.
- Allow—Cookies persist.
- Block—Cookies do not persist.
- Block Third-Party Cookies—Allow first-party cookies, and block third-party cookies.
Default: Block Third-Party Cookies
Cookie Persistence: Select the cookie-blocking setting:
- Allow—Allow first-party cookies (cookies that belong to the website that the user is remote browsing), and allow third-party cookies (cookies that belong to different websites or domains).
- Block—Block all cookies.
Default: Block
Rendering Mode: Controls how the remote browser content is mirrored. The options are:
- DOM Streaming—Use Document Object Model (DOM) streaming to filter and render a reconstructed HTML document.
- Pixel Streaming—Stream incremental snapshots of the remote browser.
Print: Select the print setting:
- Allow—Allow printing
- Block (default)—Block printing
- Click Next. The Review and Submit screen displays.

- Enter a name for the profile.
- Review the configuration. To make changes, click the Edit icon.
- Click Save to save the RBI profile.
Associate an RBI Profile with a Security Internet Protection Rule
To enforce RBI, you create one or more internet protection rules with the required match conditions, and then associate the RBI profile with the rule.
To associate an RBI profile with a SASE internet protection rule:
- Go to Configure > Security Service Edge > Real-Time Protection > Internet Protection.

- In the Internet Protection Rules List screen, click the Add icon to create a rule. The Create Internet Protection Rule screen displays. For information about configuring internet protection rules, see Configure SASE Internet Protection Rules.
- Select step 6, Security Enforcement screen, and then select Profiles.

- Select the Remote Browser Isolation (RBI) tab.
- Click the slider bar to enable Remote Browser Isolation.
- Select Predefined Profiles or User Defined Profiles from the drop-down list.
- Click a profile to associate the profile with the rule.
- Click Next to go to step 2, Review & Submit.

- In the General section, enter a name for the RBI profile.
- Review your selections. Click the Edit icon to make any needed updates.
- Click Save.
Configure Data Protection Rules
(For Releases 12.2.2 and earlier.)
When you upload or download files during a remote browsing session, these files can be scanned using Cloud DLP and ATP rules. You can configure one or more data protection rules to enable DLP and ATP for RBI.
To configure these rules:
- Go to Configure > Advanced Security > Remote Browser Isolation.

- Click the Add icon to add a rule. Users, user groups, URL categories and reputations can be configured as match conditions.

- Click Actions to associate an ATP and/or DLP profile with the rule.
For more information about associating an ATP and/or DLP profile with the rule, see Configure Advanced Threat Protection and Configure Data Loss Prevention in Concerto.
Monitor RBI
You can monitor historical and live RBI activities for a tenant using the View lifecycle.
To monitor RBI:
- Log in as a tenant and go to View > Dashboard > Security > Advanced Security > Remote Browser Isolation.

The following screen displays with the Summary tab selected by default.

There are five tabs in the horizontal menu that show the following information:
- Summary—Displays a historical summary of browsing activity in the following charts:
- Top RBI Browsers
- Top Users
- Top RBI URL Categories
- Top RBI URL Reputation
- Sessions Logs—Displays historical session data showing start and end logs for each remote browsing session under the following columns:
- Receive Time—Time at which the log was sent
- Appliance—The domain name of the RBI instance
- User—User name
- Session URL—The URL being remote browsed
- Type—Type of log (session start or session end)
- Session Start Time—Time at which the session started
- Session End Time—Time at which the session ended
- Browser—The browser used by the client during the remote browsing session
- URL Category—The category of the URL being remote browsed
- URL Reputation—The reputation of the URL being remote browsed
- File Transfer Logs—Displays historical logs for any files transferred during remote browsing sessions under the following columns:
- Receive Time—The time at which the log was sent
- Appliance—The domain name of the RBI instance
- User—User name
- File Type—The type of file that was transferred
- File Name—The name of the file that was transferred
- File Size (Bytes)—The size of the file
- Session URL—The URL being remote browsed
- Transfer Type—Direction of transfer (upload or download)
- Transfer Status—Whether the transfer was successful or not
- Active Sessions—Displays a list of currently active remote browsing sessions under the following columns:
- Node Name—The RBI instance where the session is running
- Name—The name/ID of the remote browsing session
- Tenant—Name of the tenant
- User—User name
- URL—The URL being remote browsed
- Gateway—The secure web gateway to which the user is connected
- Source IP—The original source IP address of the user
- URL Category—The category of the URL being remote browsed
- URL Reputation—The reputation of the URL being remote browsed
- Threats—Displays logs and views related to file-transfer activity that occurs during remote browsing sessions in the following charts:
- Overview:
- Top Applications
- Top Users
- Top Rules
- Top Actions
- Overview:
- Application
- Application Instance
- ATP
- CASB
- DLP
- DLP:
- Top Applications
- Top Users
- Top Rules
- Top Actions
- ATP:
- Top Applications
- Top Users
- Top Rules
- Top Actions
Supported Software Information
Release 12.2.1 and later support all content described in this article.
