Skip to main content
Versa Networks

Configure Remote Browser Isolation

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.pngFor supported software information, click here.

Remote browser isolation (RBI) is a cloud-based solution that provides zero-trust access to browser-based applications. Remote browser isolation works in conjunction with the secure web gateway (SWG) and Versa Operating SystemTM (VOSTM) cloud-based security features, including malware sandboxing, antivirus, and data loss prevention (DLP), to provide an additional line of defense against zero-day, browser-based attacks.

With RBI, browsing sessions are executed in remote, sandboxed browser containers so that the browsing activity is completely isolated from the client browser and network. Active and harmful content from the website is filtered, and only a safe representation is sent to the client browser. This design restricts the attack surface and prevents malware from breaching the client network, providing protection against zero-day malware. Even if malware infects the remote browser, the sandboxed, unprivileged environment limits the damage. The remote browser session is torn down at the end of the browsing session, preventing the malware from persisting.

You can also configure RBI to prevent exfiltration of sensitive data and credential theft by either disabling file uploads and form POST activity, or rendering the website in read-only mode.

To enable RBI, clients must access the internet through the SWG. You configure security policy rules on the SWG to inspect web traffic. You can redirect sessions of interest, such as suspicious or unknown URL categories, to the browser isolation service. The browser isolation profiles that you configure on the SWGs determine the settings to apply to the remote browsing sessions. For example, you can render suspicious websites in read-only mode, or you can create a profile in which file uploads and form POSTs are blocked, and downloads are allowed to be previewed only.

To configure RBI, you do the following:

  1. Enable RBI for the tenant.
  2. Configure the RBI service location.
  3. Configure RBI profiles.
  4. Apply an RBI profile to an internet protection rule to divert matching sessions to the RBI service.
  5. Optionally, add data protection rules to enable cloud data loss prevention (DLP) and cloud advanced threat protection (ATP) for files transferred (upload or download) during remote browsing sessions.

Enable RBI for a Tenant

The following components are needed to onboard a tenant:

  • Concerto
  • One or more SWGs in one or more regions
  • Advanced Security Cloud (ASC) in each region where RBI will be enabled for the tenant

Before enabling RBI for a tenant, ensure that the following conditions are met:

  • Tenant must already have one of the SASE licenses enabled (Essential/Essential Plus/Professional, etc.).
  • Tenant must already be present on all required SWGs with standard SSL decryption and security access policies.
  • Tenant users must already have the ability for secure internet access through the SWGs using the SASE client.

To enable RBI for a tenant:

  1. Go to the tenant configuration screen.
  2. In step 1, General, select Security Service Edge (SSE) under Services.

    edit-tenant-ACME-v2-full-border.png
     
  3. Select step 3, Security Service Edge.
  4. In step 2, Select Tenant Product, select Versa Secure Access Fabric–Elite Bundle.

    SSE-select-tenant-product-full.png
     
  5. Click Next.
  6. In step 3, Select Region, enable one or more regions and select gateways in each region. For each gateway, allocate bandwidth and enter a client address pool name and client address pool. 

    SSE-select-region-full.png
     
  7. Select Advance Security Cloud.

    SSE-advance-security-cloud-ACME-border.png
     
  8. Select the RBI instance specific to that region in the RBI Instance field.
  9. Configure a preshared key in the RBI Authentication Token field. Concerto pushes this key to all the SWGs as well as the RBI instance. The key is used by the SWGs to sign redirect URLs that divert browsing sessions to RBI.
  10. Deploy the tenant.
  11. Publish the configuration to the ASC.

Update Real Time Protection Policies on the SWGs

To update real-time protection policies on the SWGs, you do the following:

  • Add an RBI-bypass rule
  • Add RBI rules

To add an RBI-bypass rule:

  1. Create a user-defined URL category called RBI-Bypass. URLs belonging to this category will bypass security inspection as well as SSL decrypt. At a minimum, the RBI-bypass rule must contain the following:
     
  2. Update real-time protection policies to whitelist (allow) traffic for the RBI-Bypass category. (Add a rule for this URL category with the action set to allow, and place it in the appropriate rule order, typically one of the first few rules.) 
  3. Update decryption policies to whitelist (not decrypt) traffic for the RBI-Bypass category. 

To add RBI rules:

  1. Add one or more real-time protection rules to match criteria such as URL categories, URL reputations, and applications, for which traffic should be browsed remotely. When you configure the action for the rule, instead of allow, the action should be to apply an RBI profile.
  2. If required, create an RBI profile and associate it with the rule. See Configure Remote Browser Isolation Profiles below.  For more information about configuring internet protection rules, see Configure SASE Internet Protection Rules.
  3. Publish the configuration.

Configure RBI Profiles

You configure an RBI profile to define the settings to apply to isolated browsing sessions.

To configure an RBI profile:

  1. Go to Configure > Security Service Edge > Real-Time Protection > Profiles.

    RTP-profiles-left-nav-border.png
     
  2. Select the Remote Browser Isolation (RBI) tab, and then click + Add.

    RBI-profile-list-home-v2-border.png
     
  3. In the Remote Browser Isolation screen, select step 1, Remote Browser Behavior Actions. You can update the settings for the following actions.

    RBI-profile-create-v4-border.png
     
    Field Description
    Read-Only

    Select Enabled or Disabled. If choose Enabled, the website is rendered in read-only mode, and you are prevented from interacting with the website. You cannot upload or download files, fill and submit HTML forms, or perform other actions on the website. When you enable read-only mode, all other settings in the RBI profile are ignored.

    Default: Enabled
    Downloads

    Select the behavior for file downloads:

    • Allow—Allow file downloads to the client browser. If you allow file downloads, malware sandboxing software scans the files to ensure that they are clean.
    • Block—Block file downloads.
    • Preview—Files cannot be downloaded to the client browser. The user can preview in PDF format any files that can be converted to PDF, such as Office 365 and Google documents. If you allow file preview, Versa's malware sandboxing software scans the files to ensure that they are clean.

    Default: Block
    Uploads

    Select the behavior for file uploads:

    • Allow—Allow file uploads. If you allow file uploads, the Versa DLP service scans the files to enforce DLP policies.
    • Block—Block file uploads.

    Default: Block
    Form Submission

    Select the behavior for form submission:

    • Allow—Allow submission of HTML forms.
    • Block—Users cannot fill in and submit HTML forms.

    Default: Block
    Clipboard Access

    Select whether the user is allowed to copy content from the browser to the system clipboard, or from the system clipboard to the browser:

    • Allow—Allow clipboard access.
    • Block—Deny clipboard access.
    Cookie Blocking Mode

    Select whether the user's cookies persist across browsing sessions. If cookies are allowed to persist, website settings, such as user preferences and shopping cart contents, are restored when the user visits the website again.

    • Allow—Cookies persist.
    • Block—Cookies do not persist.
    • Block Third-Party Cookies—Allow first-party cookies, and block third-party cookies.

    Default: Block Third-Party Cookies
    Cookie Persistence

    Select the cookie-blocking setting:

    • Allow—Allow first-party cookies (cookies that belong to the website that the user is remote browsing), and allow third-party cookies (cookies belong to different websites or domains).
    • Block—Block all cookies.

    Default: Block
    Rendering Mode

    Controls how the remote browser content is mirrored. The options are:

    • DOM Streaming—Use Document Object Model (DOM) streaming to filter and render a reconstructed HTML document.
    • Pixel Streaming—Stream incremental snapshots of the remote browser.
    Print

    Select the print setting:

    • Allow—Allow printing
    • Block (default)—Block printing
  4. Click Next. The Review and Submit screen displays.

    RBI-profile-submit-v2-border.png
     
  5. Enter a name for the profile.
  6. Review the configuration. To make changes, click the pencil-icon-blue-on-white-22.png Edit icon.
  7. Click Save to save the RBI profile.

Associate an RBI Profile with a Security Internet Protection Rule

To enforce RBI, you create one or more internet protection rules with the required match conditions, and then associate the RBI profile with the rule.

To associate an RBI profile with a SASE internet protection rule:

  1. Go to Configure > Security Service Edge > Real-Time Protection > Internet Protection.

    RBI-Internet-protection-left-nav-border.png
     
  2. In the Internet Protection Rules List screen, click the add-icon-blue-on-white-22.png Add icon to create a rule. The Create Internet Protection Rule screen displays. For information about configuring internet protection rules, see Configure SASE Internet Protection Rules.
  3. Select step 6, Security Enforcement screen, and then select Profiles.

    RBI-enforce-internet-protect-v2-full-border.png
     
  4. Select the Remote Browser Isolation (RBI) tab.
  5. Click the slider bar to enable Remote Browser Isolation.
  6. Select Predefined Profiles or User Defined Profiles from the drop-down list.
  7. Click a profile to associate the profile with the rule.
  8. Click Next to go to step 2, Review & Submit.

    RBI-profile-Review-full-border.png
     
  9. In the General section, enter a name for the RBI profile.
  10. Review your selections. Click the pencil-icon-blue-on-white-22.png Edit icon to make any needed updates.
  11. Click Save.

Associate an RBI Profile with a Security Private Application Protection Rule

To enforce RBI, you create one or more private application protection rules with the required match conditions, and then associate the RBI profile with the rule.

To associate an RBI profile with a private application protection rule:

  1. Go to Configure > Security Service Edge > Real-Time Protection > Private App Protection.

    RBI-private-app-protect-left-nav-border.png
     
  2. In the Private App Protection Rules List screen, click + Add to create a rule. The Create Private App Protection Rule screen displays.
  3. Select step 6, Security Enforcement, and then select Profiles.

    RBI-enforcement-private-apps-full-border.png
     
  4. Select the Remote Browser Isolation (RBI) tab.
  5. Click the slider bar to enable Remote Browser Isolation.
  6. Select Predefined Profiles or User-Defined Profiles from the drop-down list.
  7. Click a profile to associate the profile with the rule.
  8. Click Next to go to step 2, Review & Submit.
  9. Review your selections. Click the pencil-icon-blue-on-white-22.png Edit icon to make any needed updates.
  10. Click Save.

Configure Data Protection Rules

When you upload or download files during a remote browsing session, these files can be scanned using Cloud DLP and ATP rules. You can configure one or more data protection rules to enable DLP and ATP for RBI.

To configure these rules:

  1. Go to Configure > Advanced Security > Remote Browser Isolation.

    RBI-policy-rules-dashboard-border.png
     
  2. Click the add-icon-blue-on-white-22.png  Add icon to add a rule. Users, user groups, URL categories and reputations can be configured as match conditions.

     RBI-policy-rules-dashboard-v2-full-border.png
     
  3. Click Actions to associate an ATP and/or DLP profile with the rule.

For more information about associating an ATP and/or DLP profile with the rule, see Configure Advanced Threat Protection and Configure Data Loss Prevention in Concerto.

Monitor RBI

You can monitor historical and live RBI activities for a tenant using the View lifecycle.

To monitor RBI:

  1. Log in as a tenant and go to View > Dashboard > Security > Advanced Security > Remote Browser Isolation.

    View-RBI-left-nav-border-ACME.png

    The following screen displays with the Summary tab selected by default.

    View-RBI-Summary-v2-full-border.png
     

There are five tabs in the horizontal menu that show the following information:

  • Summary—Displays a historical summary of browsing activity in the following charts:
    • Top RBI Browsers
    • Top Users
    • Top RBI URL Categories
    • Top RBI URL Reputation
  • Sessions Logs—Displays historical session data showing start and end logs for each remote browsing session under the following columns:
    • Receive Time—Time at which the log was sent
    • Appliance—The domain name of the RBI instance
    • User—User name
    • Session URL—The URL being remote browsed
    • Type—Type of log (session start or session end)
    • Session Start Time—Time at which the session started
    • Session End Time—Time at which the session ended
    • Browser—The browser used by the client during the remote browsing session
    • URL Category—The category of the URL being remote browsed
    • URL Reputation—The reputation of the URL being remote browsed
  • File Transfer Logs—Displays historical logs for any files transferred during remote browsing sessions under the following columns:
    • Receive Time—The time at which the log was sent
    • Appliance—The domain name of the RBI instance
    • User—User name
    • File Type—The type of file that was transferred
    • File Name—The name of the file that was transferred
    • File Size (Bytes)—The size of the file
    • Session URL—The URL being remote browsed
    • Transfer Type—Direction of transfer (upload or download)
    • Transfer Status—Whether the transfer was successful or not
  • Active Sessions—Displays a list of currently active remote browsing sessions under the following columns:
    • Node Name—The RBI instance where the session is running
    • Name—The name/ID of the remote browsing session
    • Tenant—Name of the tenant
    • User—User name
    • URL—The URL being remote browsed
    • Gateway—The secure web gateway to which the user is connected
    • Source IP—The original source IP address of the user
    • URL Category—The category of the URL being remote browsed
    • URL Reputation—The reputation of the URL being remote browsed
  • Threats—Displays logs and views related to file-transfer activity that occurs during remote browsing sessions in the following charts:
    • Overview:
      • Top Applications
      • Top Users
      • Top Rules
      • Top Actions
      • Overview:
        • Application
        • Application Instance
        • ATP
        • CASB
        • DLP
      • DLP:
        • Top Applications
        • Top Users
        • Top Rules
        • Top Actions
      • ATP:
        • Top Applications
        • Top Users
        • Top Rules
        • Top Actions

Supported Software Information

Release 12.2.1 and later support all content described in this article.